This week my CTF team OverFlowSecurity was able to compete in hack.lu. This CTF seems to be very well run and very challenging. Since this event was not over a weekend, most of our team could not commit a lot of time to it. We finished at a very respectable 80th place. I myself only concentrated on a single challenge based on an IRC bot. I actually learned a lot about how the IRC protocol works, and in the end one of my teammates solved the challenge with our combined efforts. Below is a quick write-up of the challenge. Next up for me is the PicoCTF in a week or so. It’s a long-running (2 week) challenge.
by freddy (Misc)
200 (+80) Points
There’s a fun and quirky IRC bot to play with. It responds to commands in private chat but also in #hacklu-saloon on freenode. We think it’s involved in a devious scheme that distracts people to get their money pickpocketed. So be careful!
The bot was on an IRC channel. Using !help in the channel or in a private message to the bot gives you the list of accepted commands.
<barmixing-bot> Send messages to the bot or the channel starting with an exclamation mark. Known commands are list, status, karma, math, base64, base64d, rot13, ping, hack, request, list
Played around with the commands for a while; nothing of great interest. Using !base64 with a lot of characters showed it split the line into 2 lines. Spent some time on this.
Noticed that the bot is in a channel called #hacklu-secret-channel. This channel is invite only. So at this point I figured the goal was to get into this channel.
Also noticed this with the !rot13 function. Created a rot13-encoded string to send /invite H1tch #hacklu-secret-channel, but this was just sent to the channel; the command was not actually issued. Resorted to reading the RFC for IRC.
After reading the docs and discussing, my teammate suggested maybe we need to send the raw IRC commands to the bot. We had already been experimenting with the !base64d function that decoded base64, so we gave that a shot.
aaa\r\nINVITE h1tch #hacklu-secret-channel
and sent to the bot via
An invite was received by the bot and we were able to obtain the flag from the channel subject.
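The root cause, shown from the bot author's side as an added example (not the challenge bot's code, which the write-up does not show): decoded text is written to the IRC socket unfiltered, so an embedded CR LF starts a second message. The function names and the reply format are assumptions.

```python
import base64
import re

MAX_IRC_LINE = 510  # RFC 1459: 512 bytes per message, including the trailing CR LF


def privmsg_unsafe(target, text):
    """Reply built by plain string formatting (assumed shape of the flaw)."""
    return f"PRIVMSG {target} :{text}\r\n".encode("utf-8", "replace")


def privmsg_safe(target, text):
    """Same reply, but untrusted text can never start a new IRC message."""
    if any(ch in target for ch in " \r\n\0,"):
        raise ValueError("invalid target")
    # CR, LF and NUL are not legal inside a message parameter: neutralise them.
    cleaned = "".join(" " if ch in "\r\n\0" else ch for ch in text)
    line = f"PRIVMSG {target} :{cleaned}".encode("utf-8", "replace")
    # Cap the length so the server (or the bot) never splits the reply in two.
    return line[:MAX_IRC_LINE] + b"\r\n"


def commands_on_wire(raw):
    """Verbs a server would parse; many servers also split on a bare CR or LF."""
    return [ln.split(b" ", 1)[0].decode() for ln in re.split(rb"[\r\n]+", raw) if ln]


def handle_base64d(arg, reply_to, send=privmsg_safe):
    """Hypothetical handler for the bot's !base64d command."""
    try:
        decoded = base64.b64decode(arg, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a subclass of ValueError
        decoded = "invalid base64"
    return send(reply_to, decoded)


# Constructed input: the string from the write-up with a real CR LF, base64-encoded.
SAMPLE = base64.b64encode(b"aaa\r\nINVITE h1tch #hacklu-secret-channel").decode()

if __name__ == "__main__":
    for fn in (privmsg_unsafe, privmsg_safe):
        wire = handle_base64d(SAMPLE, "#hacklu-saloon", send=fn)
        print(fn.__name__, commands_on_wire(wire))
```

The same filter belongs on every command that echoes transformed input (rot13, base64, math), since each one can produce CR or LF from input that contained none.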
or this My password is password but it is 2_*_10_*_16_*_8_*_4 characters long. Whats my password ? Ha ha ha!
This one I didn’t catch onto until almost the end when I had a doh moment.
The flag is the word password in MD5
You were given an IP address and a hint similar to "guests are always allowed but the manager has a secret, what is it".
SSH access was open for user guest, password guest.
Once in, you see a toolkit directory with tcpdump in it.
tcpdump -l -A | egrep -i 'secret'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
The secret is behind <strong>0f388689dc4728cfde0de9a1ee47c8d3</strong>. Don’t tell anyone!
An MD5 of 0f388689dc4728cfde0de9a1ee47c8d3 gives you the flag.
()_() (=’.’=) (>_<) () ()
Had a great time this weekend during DefCamp 2014. This was my third CTF and the first I was able to dedicate the required amount of time to. I participated with a great group of guys under the OverFlowsec team flag. Or bunny rabbit in this case. The teams were limited to 5 and I was happy to fill one of those slots. Overall we finished 36th out of 600 teams, so I feel pretty good about that.
The CTF seemed to be well run, with not a lot of issues overall. There were a few glitches here and there, like other teams deleting parts of a challenge to prevent others from obtaining the flag and a machine or two that had some stability issues. This was a jeopardy-style CTF that required a VPN to access the target machines. There were 20 challenges with 2 additional bonus challenges later in the event. We were able to take down all but 8. The categories were Quest, Web, Network, Exploit, Misc, and Bonus, although these categories seem to be more of a guideline; for example, one of the network challenges I would consider more web, and there were lots of other overlaps.
Overall a great CTF and a great learning experience for me. I would like to thank the organizers and the guys over at OverFlowSec for putting up with me. I will post a couple of write-ups on some of the challenges that I actually took some notes on.