Keen-eyed Tweeps may have noticed that AnyRun tweeted out a Christmas CTF in their Xmas post card this year (see above). I enjoy a good CTF and with some help from @KrabsOnSecurity we uncovered a code for a free trial of AnyRun Explorer (an account option which is not on the pricing package).
The CTF started with the above tweet, which contains a QR code. Once scanned a message appears:
Using the built-in QR code scanner on my iPhone the code, the message appeared. I then chucked this into base64decode as I have inspected enough malicious code to realise when it is encoded this way:
I got stuck here as the decoded output does not look like any encoded/encryption I have seen before. Luckily, @KrabsOnSecurity noticed this is an ID for an AnyRun sample run:
This revealed a glowing Christmas tree produced by a PowerShell script that, when downloaded, contained the code for the CTF:
And voila! We earned ourselves a nice trial of AnyRun explorer after a short CTF on Twitter:
References:
___________________________________________________________________________________
I do enjoy a good CTF, if you also like CTFs, then feel free to check my own CTFs created for investigators to do some OSINT:
