Covid19 CTF writeup

CTF Writeup for Covid19.

Covid Scammers

They have given a binary file (ELF 32-bit), and we need to answer the questions below.

I analyzed the binary in both radare and Ghidra. Decompilation in Ghidra is terrible, but based on radare I double-checked the results for 5, 6, 8.

This challenge has 12 challenges; I managed to solve a few.

2. Arch

What architecture is this sample compiled for?


How I found it?

file <binary file>

3. Who Me? [Not confirmed]

What is this malware sample called (not the actual binary name)?


How I found it?

4. Scouting

What is the C2 server? Provide the domain as the answer.

How I found it?

5. This is nice, might stay a while…

How does the malware persist? SHA1 hash the path of the persistence location.

echo -n "/full/path" | sha1sum


How I found it?

6. License and Registration Please

The malware creates a UUID and stores it in a file, what is the name of this file. Provide the SHA1 hash of the full path as the flag.


How I found it?

8. Shared Secrets [Not confirmed]

The malware creates a shared-memory object and stores a flag inside. Recover the flag.


How I found it?


Things I learned from this challenge

Tom Nook - Internet traffic - Part I