DamCTF is a cybersecurity Capture the Flag competition, hosted by the OSU Security Club. This past weekend was our first public offering of the event, and I am very pleased with how it went. This blog post describes a sequence of challenges I built where the player takes the role of a malware researcher at a fictitious company called IcyRetina, analyzing a new threat and working to compromise the actor’s systems. I will go over some of the factors that went into the design of the challenge, and my solutions to each phase.

Parts of this scenario are lightly based on some work I did during an internship at a past cybersecurity company, whose name bears no resemblance to this challenge.

Scenario

The challenge had 5 phases, each building on the last and uncovering more information about the malware and its operators:

  1. Finding the malware sample in a PCAP file (writeup)
  2. Extracting the malware’s config from a single sample (writeup)
  3. Automating the config extraction process (writeup)
  4. Compromising the Command & Control (C2) server (writeup)
  5. Compromising the operator’s administrative web panel

Players found themselves working for a fictitious cybersecurity company called IcyRetina, and would receive new information from other analysts on their team as they worked through each of the challenges.

The source code for the entire challenge is available here. You can also run the challenge locally using the docker-compose spec included in the repo (excluding phase 3).

I am publishing each phase’s writeup as its own post, as it was getting much too long for just one. Writeups for phases 1-4 are linked above, and 5 should be coming soon.