Merge pull request #95 from FoxMaccloud/main

added writeups

writeups/forensics/Phantom Phish/NorskeNøkkelsnikere-FoxMaccloud/README.md

@@ -0,0 +1,43 @@
+# Phantom Phish
+Author: viipz
+
+Flag: `EPT{pHi5h1ng_st1ll_w0rk5???}`
+## Description
+```
+We have obtained a memory dump from a user who suspects unauthorized access to their computer following a phishing attack. Can you investigate what occurred?
+```
+
+
+---
+
+Author: [FoxMaccloud](https://github.com/FoxMaccloud/)
+
+Website: [Foxmaccloud.com](https://foxmaccloud.com/)
+
+## Description
+
+We've been given a windows memory dump which has been dumped by the DumpIt.exe process. This is a multipart challenge, but I only did solve the first one.
+
+---
+
+## volatility
+
+One of the forensics tools I've used before and know for windows dumps is `Volatility`. Using volatility I was able to get myself a process tree of all the running processes on the system at the time of capture using this command: `sudo vol -f dump.dmp windows.pstree`
+
+![](./img/20241110161457.png)
+
+Beyond all the processes one stood out to me. That one being `security email.pdf` and that it was opened by notepad.
+
+![](./img/20241110161537.png)
+
+To get a list of all the files on the system I ran this command: `sudo vol -f dump.dmp windows.file > files`. After getting a full list of all the files, I was able to find the location of this email and recover it.
+
+`sudo vol -f dump.dmp windows.dump --virtaddr 0xc50ce5139980`
+
+![](./img/20241110162033.png)
+
+In this pdf there was a QR code;
+
+![](./img/20241110162113.png)
+
+After using my phone to scan the code I was able to get the flag for Phantom Phish.

writeups/reversing/Find Me/Norske Nøkkelsnikere/README.md

@@ -0,0 +1,39 @@
+# Find Me
+Author: iLoop
+
+Flag: `EPT{YOU_FOUND_4_WAY_TO_R3AD_M3_W3LL_DON3}`
+## Description
+```
+This time, the author is in way too deep; he has no clue what he is doing other than thinking it is so fancy. Run the program and find out.
+```
+
+## Provided challenge files
+* [findme](findme)
+
+---
+
+Author: [FoxMaccloud](https://github.com/FoxMaccloud/)
+
+Website: [Foxmaccloud.com](https://foxmaccloud.com/)
+
+## Description
+
+This is a binary where at some point the flag is stored somewhere in memory and you have to find it.
+
+## Hypothesis
+
+When you run this binary, it will give you the first part of the flag. My thought was that the flag was somewhere in the binary stored encrypted and running the binary will at some point decrypt it and print the first bytes of it.
+
+## Solution
+
+![](./img/20241110165714.png)
+
+The first solution is to hit step into until you find the flag... This is the way I did it during the ctf. After hitting it for approximately 96 837 times you will eventually get a ptr to string and continuing hitting step into will eventually decrypt the entire flag for you.
+
+Eventually after stepping enough I found this:
+
+![](./img/20241110170807.png)
+
+Where each character is made one by one and stored in the r13 register. Now stepping over these functions and following the rax ptr, we get our flag:
+
+![](./img/20241110171121.png)

writeups/reversing/RotC/Norske Nøkkelsnikere/README.md

@@ -0,0 +1,31 @@
+# 👶 RotC 👶
+Author: nordbo
+
+Flag: `EPT{s0_mUch_r0tat3_in_th4t_s7r1ng}`
+## Description
+```
+Just let me rotate.
+```
+
+## Provided challenge files
+* [rot_C](rot_C)
+
+---
+
+Author: [FoxMaccloud](https://github.com/FoxMaccloud/)
+
+Website: [Foxmaccloud.com](https://foxmaccloud.com/)
+
+## Description
+
+This is a mini crackme where the program presents you with a string and then with the rotation amount. Trying to rotate, we see that it will rotate the first bit of the "obfuscated" flag and print it out.
+
+---
+
+Opening the binary up in binja, we can immediately see the string presented to us as well as the rotation amount it compares against.
+
+![](./img/20241110163819.png)
+
+A cipher which rotates like this is probably a `caesar cipher` and putting it into a solver with rotation on 19, we have our flag.
+
+![](./img/20241110164012.png)

writeups/reversing/Saint Rings/Norske Nøkkelsnikere/README.md

@@ -0,0 +1,36 @@
+# 👶 Saint Rings 👶
+Author: GodVenn
+
+Flag: `EPT{0n3_str1ng_t0_rul3_th3m_4ll}`
+## Description
+```
+In the code where the shadows lie,
+
+St. Rings with the binary eye,
+
+Illuminates what can't be found,
+
+In pitch dark, her skills renowned,
+
+Bringing truth forth from the digital nigh.
+```
+
+## Provided challenge files
+* [darkness](darkness)
+
+---
+
+Author: [FoxMaccloud](https://github.com/FoxMaccloud/)
+
+Website: [Foxmaccloud.com](https://foxmaccloud.com/)
+
+## Description
+
+Something about devoting myself to St. Rings so I could finally see the truth...
+
+## strings
+
+
+![](./img/20241110164819.png)
+
+It's that simple.