Hack.lu 2014

This week my CTF team OverFlowSecurity was able to compete in hack.lu. This CTF seems to be very run and very challenging. Since this event was not over a weekend most our team could not commit a lot of time to it. We finished at a very respectable 80th place. I myself only concentrated on a single challenge based on an IRC bot. I actually learned a lot about how the IRC protocol works and in the end one of my teammates solved the challenge with our combined efforts. Below is a quick write up of the challenge. Next up for me is the PicoCTF in a week or so. It’s a long running (2 week) challenge.

 

Barmixing-Bot
by freddy (Misc)
200 (+80) Points

 

There’s a fun and quirky IRC bot to play with. It responds to commands in private chat but also in #hacklu-saloon on freenode. We think it’s involved in a devious scheme that distracts people to get their money pickpocketed. So be careful!

Bot was on an irc channel. Using !help in the channel or private message to bot gives you the list of commands accepted.

<barmixing-bot> Send messages to the bot or the channel starting with an exclamation mark. Known commands are list, status, karma, math, base64, base64d, rot13, ping, hack, request, list

Play around with commands for a while nothing of great interest. Using !base64 with a lot of characters showed it split the line into 2 lines. Spend some time on this.

Noticed that the bot is in a channel called #hacklu-secret-channel. This channel is invite only. So at this point I figured the goal was to get into this channel.

 

Also noticed this with the !rot13 function. Created a rot13 encoded string to send /invite H1tch #hacklu-secret-channel but this was just sent to the channel command not actually issued. Resorted to reading the RFC for IRC.

After reading docs and discussing my teammate suggested maybe we need to send the raw IRC commands to the bot. We had already been experimenting with the !base64d function that decoded base64 so we gave that a shot.

 

Encoded

aaa\r\nINVITE h1tch #hacklu-secret-channel

and sent to the bot via

!base64d YWFhXHJcbklOVklURSBoMXRjaCAjaGFja2x1LXNlY3JldC1jaGFubmVs

An invite was received by the bot and we were able to obtain the flag from the channel subject.

Flag GfeBNmN5XjwDvQB64qoqaEEeYogk4rGH3ikZ0qtc3B3HKLDoAH

Posted on October 23, 2014, 7:48 pm By
Categories: Main