Sunday 20 September 2015

[Write-up] CSAW CTF 2015 - Recon Alexander Taylor 100

18:24 Posted by Matnacian, No comments

We start with:

>>> http://fuzyll.com/csaw2015/start
CSAW 2015 FUZYLL RECON PART 1 OF ?: Oh, good, you can use HTTP! The next part is at /csaw2015/<the acronym for my university's hacking club>.

OK, let's google "fuzyll".
I don't see anything helpful, so I keep googling.
With "alexander taylor fuzyll", I found his LinkedIn:
https://www.linkedin.com/in/fuzyll
Under Education, you can see his university is the University of South Florida.

Searching for "University of South Florida hacking club", you can easily find this link:
Whitehatters Computer Security Club - http://www.wcsc.usf.edu/

>>> http://fuzyll.com/csaw2015/wcsc
CSAW 2015 FUZYLL RECON PART 2 OF ?: TmljZSB3b3JrISBUaGUgbmV4dCBwYXJ0IGlzIGF0IC9jc2F3MjAxNS88bXkgc3VwZXIgc21hc2ggYnJvdGhlcnMgbWFpbj4uCg==

Base64-decode this string:
Nice work! The next part is at /csaw2015/<my super smash brothers main>.
Searching for "fuzyll super smash brothers", you can find that the answer is "yoshi".
https://www.youtube.com/watch?v=MbRKFWyPQkQ
>>> http://fuzyll.com/csaw2015/yoshi
Very cute, right? Save this image and run strings on it:
$ strings yoshi.txt
CSAW 2015 FUZYLL RECON PART 3 OF ?: Isn't Yoshi the best?! The next egg in your hunt can be found at /csaw2015/<the cryptosystem I had to break in my first defcon qualifier>.
This part really drove me crazy. "The cryptosystem I had to break in my first defcon qualifier"? Is it a crypto challenge from DEF CON? Which one was his first DEF CON qualifier? Back to his LinkedIn:
I think "DEFCON 19 qualification" is the answer.
I googled things like "DEFCON 19 qualification challenges" and "DEFCON 19 write up", but got nothing. Stuck! Stuck! Stuck!
Time to go to bed. Zz.
---
After waking up, I kept googling and kept getting nothing. Too tired! So I decided to try my luck and check some possible cryptosystems.
>>> http://fuzyll.com/csaw2015/rsa
>>> http://fuzyll.com/csaw2015/caesar
>>> http://fuzyll.com/csaw2015/substitution
>>> http://fuzyll.com/csaw2015/substitutioncipher
>>> http://fuzyll.com/csaw2015/substitutioncryto
>>> http://fuzyll.com/csaw2015/substitutioncryptography
...
...
...
>>> http://fuzyll.com/csaw2015/enigma
Boooooooooooooooom!
CSAW 2015 FUZYLL RECON PART 4 OF 5: Okay, okay. This isn't Engima, but the next location was "encrypted" with the JavaScript below: Pla$ja|p$wpkt$kj$}kqv$uqawp$mw>$+gwes6451+pla}[waa[ia[vkhhmj

var s = "THIS IS THE INPUT"
var c = ""
for (let i = 0; i < s.length; i++) {
    // XOR each character code with the single-byte key 0x4
    c += String.fromCharCode(s[i].charCodeAt(0) ^ 0x4);
}
console.log(c);

Just XOR!
XOR with the same key undoes itself, so you can run the same script on the "encrypted" string to get the plaintext back.

Press F12 and open the Console (Chrome, Firefox, ...):

var s = "Pla$ja|p$wpkt$kj$}kqv$uqawp$mw>$+gwes6451+pla}[waa[ia[vkhhmj"
var c = ""
for (let i = 0; i < s.length; i++) {
    // same key as the challenge script: XOR is its own inverse
    c += String.fromCharCode(s[i].charCodeAt(0) ^ 0x4);
}
console.log(c);
The next stop on your quest is: /csaw2015/they_see_me_rollin
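The same decoding in Python, as an added example that is not part of the original write-up: besides decoding with the known key 0x4, it goes one step beyond the page and recovers the key from a known fragment of plaintext (a "crib"), here the path prefix /csaw2015/ that the challenge text promises. The crib-dragging function and its name are my own construction.

```python
# Added example (not from the original write-up): single-byte XOR decoding,
# plus recovering the key from a known fragment ("crib") of the plaintext.
# The ciphertext is the one quoted in the challenge text above.

CIPHERTEXT = "Pla$ja|p$wpkt$kj$}kqv$uqawp$mw>$+gwes6451+pla}[waa[ia[vkhhmj"


def xor_single_byte(text, key):
    """XOR every character code with one key byte (0-255).
    Because x ^ k ^ k == x, the same call both encrypts and decrypts."""
    return "".join(chr(ord(ch) ^ key) for ch in text)


def recover_key_with_crib(ciphertext, crib):
    """Slide a known plaintext fragment along the ciphertext. At the true
    offset, ciphertext[i+j] ^ crib[j] is the same byte for every j, so a
    constant single-byte key reveals itself. Returns [(offset, key), ...]."""
    hits = []
    for i in range(len(ciphertext) - len(crib) + 1):
        keys = {ord(ciphertext[i + j]) ^ ord(crib[j]) for j in range(len(crib))}
        if len(keys) == 1:
            hits.append((i, keys.pop()))
    return hits


if __name__ == "__main__":
    print(xor_single_byte(CIPHERTEXT, 0x4))
    # The challenge says the next part lives under /csaw2015/, so that path
    # prefix is a usable crib even if the key 0x4 had not been given.
    print(recover_key_with_crib(CIPHERTEXT, "/csaw2015/"))
```

The crib search returns exactly one (offset, key) pair for this ciphertext, offset 32 with key 4, which is the position of "+gwes6451+" in the string.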
>>> http://fuzyll.com//csaw2015/they_see_me_rollin
CSAW 2015 FUZYLL RECON PART 5 OF 5: Congratulations! Here's your flag{I_S3ARCH3D_HI6H_4ND_L0W_4ND_4LL_I_F0UND_W4S_TH1S_L0USY_FL4G}!
--- matnacian ---
--- ctf for beginners ---

Saturday 19 September 2015

[Write-up] CSAW CTF 2015 - Crypto notesy 100

10:03 Posted by Matnacian, No comments

notesy (100)

The flag is not in the flag{} format.

I'm happy that I didn't spend too much time on this challenge. Poor you :v
We were given a link. After trying some inputs, I could see it's just a substitution cipher.
I googled for the English alphabet:
https://en.wikipedia.org/wiki/English_alphabet
(because I'm too lazy to type it into the input form).
Feeding the whole alphabet in reveals the full key in one go.
Input:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Output: UNHMAQWZIDYPRCJKBGVSLOETXF
Booom! Can't believe this is our flag :D


--- matnacian ---
--- ctf for beginners ---

Tuesday 8 September 2015

[Write-up] MMA CTF 2015 - QR code recovery challenge 400

23:23 Posted by Matnacian, 3 comments

Problem

You picked up torn QR code fragments. Recover the flag.
The flag is 12 characters, without MMA{...}.
problem.png


During the opening time of MMA CTF, I didn't know what to do with this picture.
When the CTF ended, I googled "QR code recovery challenge" to find a write-up of this challenge, and found this link: https://ctf.mma.club.uec.ac.jp/problems/92


problem2.png

We will solve problem2.png first!
---
It looks easier, right? I opened GIMP and tried to recover it by hand, but failed.
After googling, I found a tool named strong-qr-decoder; it can decode corrupted QR codes, but only from a text file.
So I kept looking, and found a tool named qr2txt, which converts a bitmap QR code into a text QR code.

Yeah! Go go go!
1. Convert problem2.png to problem2.bmp with GIMP, and rename it to qr.bmp
2. Run qr2txt and save the result to a text file:
$ ./qr2txt > qr.txt

3. Use strong-qr-decoder to decode it:
$ python sqrd.py qr.txt -e 2 -m 4

Boom! 

Yeah, we got the flag of problem2.png. Can we do the same steps with problem.png?


"Flag is 12 characters without MMA{...}."
Submit flag "000000000000"! Failed!!!

Did I miss something?



--- matnacian ---
--- ctf for beginners ---



[Write-up] MMA CTF 2015 - Splitted 30

01:53 Posted by Matnacian, 2 comments
This is an "El Clásico" forensics challenge, but I found it a little bit difficult to solve. Poor me! T.T

We got a pcap file here, but out of habit, while waiting for Wireshark to open splitted.pcap, I ran foremost on it:

Really, that easy???
I went to /splitted/output/zip and opened the zip file, but it was corrupted.
OK, back to Wireshark.

Sorting packets by Length, you can see some zip files like this:

Export them to files: File > Export Objects > HTTP:
Click Save All. Now we have 8 flag.zip files, numbered 1 to 8.
We can guess that the zip file containing the flag was split into 8 pieces, and that we must join these files to capture the flag. Let's try:
$ cat flag* > final.zip
Extract final.zip! Waiting... Still corrupted.

I used a hex editor to inspect these zip files, and realized they weren't in order.
For example, flag(1).zip has the PK header of a zip file, so it must be the first file when joining.
So the biggest task in this challenge is arranging the 8 split files in the right order before joining them.
How can we do this?

Back to Wireshark again. I randomly chose packet No. 86 and used "Follow TCP Stream".
Aha, "Range: bytes=1876-2344"

Can you guess what we should do now?
Right! Each piece was downloaded with an HTTP Range request, so the Range header of each stream tells us which byte offsets that piece covers. We get this table:

Now, rename the flag*.zip files to final0*.zip files based on the order above.
For example, flag(1).zip -> final1.zip, flag(7).zip -> final5.zip.
Join these files with the command: $ cat final* > final.zip
Extract it. Bingo. We get flag.psd. Open it with Photoshop or GIMP:

Blank? Don't worry. In the right panel, you will see 2 layers. Hide or delete the 背景 (background) layer.
Boom!!! Flag is:



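The reordering step done programmatically, as an added example that is not part of the original write-up: instead of renaming files by hand, parse the Range header of each piece, sort by byte offset, and check that the pieces tile the file with no gap or overlap before joining. The sample zip, the fragment cut points and the header strings are constructed inside the script so it runs offline; the Range header format "bytes=1876-2344" is the one seen in the capture above.

```python
# Added example (not from the write-up): reassembling a file that was fetched
# in pieces with HTTP Range requests, ordering the pieces by the byte offsets
# in their Range headers instead of by file name. The sample zip and the
# fragments are constructed here so the script runs offline.

import io
import random
import re
import zipfile

RANGE_RE = re.compile(r"bytes=(\d+)-(\d+)")


def parse_range(header):
    """'Range: bytes=1876-2344' -> (1876, 2344); both ends are inclusive."""
    m = RANGE_RE.search(header)
    if not m:
        raise ValueError(f"not a byte-range header: {header!r}")
    start, end = int(m.group(1)), int(m.group(2))
    if end < start:
        raise ValueError(f"malformed range: {header!r}")
    return start, end


def reassemble(fragments):
    """fragments: iterable of (range_header, body). Sort by offset and check
    that the pieces tile the file exactly; a gap, overlap or short body means
    a piece is missing or mis-captured, so refuse rather than emit junk."""
    ordered = sorted((parse_range(h) + (body,) for h, body in fragments),
                     key=lambda t: t[0])
    out = bytearray()
    expected = 0
    for start, end, body in ordered:
        if start != expected:
            raise ValueError(f"expected byte {expected}, got fragment at {start}")
        if len(body) != end - start + 1:
            raise ValueError(f"fragment {start}-{end} has {len(body)} bytes")
        out += body
        expected = end + 1
    return bytes(out)


FLAG_CONTENT = b"MMA{constructed_sample_flag}"  # constructed, not the real flag


def make_sample_fragments(pieces=8, seed=1):
    """Build a small zip in memory, cut it into `pieces` ranges of uneven
    size, and return (original_bytes, fragments in shuffled order)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", FLAG_CONTENT)
        zf.writestr("padding.txt", bytes(range(256)) * 4)
    data = buf.getvalue()
    rng = random.Random(seed)
    cuts = [0] + sorted(rng.sample(range(1, len(data)), pieces - 1)) + [len(data)]
    fragments = [(f"Range: bytes={a}-{b - 1}", data[a:b])
                 for a, b in zip(cuts, cuts[1:])]
    rng.shuffle(fragments)  # captured order is not file order
    return data, fragments


def extract_flag(data):
    """Open the rebuilt archive and read flag.txt from it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read("flag.txt")


if __name__ == "__main__":
    original, frags = make_sample_fragments()
    rebuilt = reassemble(frags)
    print("rebuilt == original:", rebuilt == original)
    print(extract_flag(rebuilt))
```

Note that a missing last piece cannot be detected from the Range headers alone, because nothing in them states the total length; in a real capture, the Content-Range response header or the Content-Length of the full object closes that gap.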
Thanks for reading! ^^ And happy CTF! :D
--- matnacian ---
--- ctf for beginners ---

Monday 7 September 2015

[Write-up] MMA CTF 2015 - Nagoya Castle 100

22:42 Posted by Matnacian, No comments
I can't understand this 100-point challenge :D

We are given an image:

Use a stego tool named Stegsolve: https://www.wechall.net/forum/show/thread/527/Stegsolve_1.3/page-1
Open this "awesome" image and view it as "Red plane 0" (only bit 0 of each pixel's red value). Bingo!
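What a "Red plane 0" view actually is, as an added example that is neither the write-up's nor Stegsolve's code: an image is a grid of (R, G, B) pixels, and the view keeps only bit 0 of each red value. The script below hides a constructed 5x5 pattern in those least-significant bits of a constructed random cover image, shows that the visible colours are essentially unchanged, and then extracts the plane. The function names and the pattern are my own.

```python
# Added example (not from the write-up or the Stegsolve project): what a
# "Red plane 0" view is, on a constructed image. Each pixel is an (R, G, B)
# tuple; the view keeps only bit 0 of the red channel, so a message written
# into those least-significant bits becomes visible while the image itself
# looks unchanged.

import random


def bit_plane(pixels, channel, bit):
    """Return a 2-D list of 0/1: the given bit of the given channel
    (0 = red, 1 = green, 2 = blue) for every pixel."""
    return [[(px[channel] >> bit) & 1 for px in row] for row in pixels]


def embed_in_red_lsb(pixels, pattern):
    """Overwrite bit 0 of the red channel with a 0/1 pattern of the same
    shape; every other bit of every channel is left untouched."""
    out = []
    for row, prow in zip(pixels, pattern):
        new_row = []
        for (r, g, b), p in zip(row, prow):
            new_row.append(((r & ~1) | p, g, b))
        out.append(new_row)
    return out


def make_sample_image(width, height, seed=0):
    """Constructed cover image: random colours (so bit 0 of red is noise)."""
    rng = random.Random(seed)
    return [[(rng.randrange(256), rng.randrange(256), rng.randrange(256))
             for _ in range(width)] for _ in range(height)]


# A constructed 5x5 pattern (the letter T) to hide in the red plane.
PATTERN = [
    [1, 1, 1, 1, 1],
    [0, 0, 1, 0, 0],
    [0, 0, 1, 0, 0],
    [0, 0, 1, 0, 0],
    [0, 0, 1, 0, 0],
]


def demo():
    """Hide PATTERN in a cover image and read it back from red plane 0."""
    cover = make_sample_image(5, 5)
    stego = embed_in_red_lsb(cover, PATTERN)
    return bit_plane(stego, 0, 0)


if __name__ == "__main__":
    for row in demo():
        print("".join("#" if v else "." for v in row))
```

Viewing the other planes (red bit 7, green bit 0, and so on) on the same image shows only noise, which is why a tool like Stegsolve steps through every plane of every channel.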

--- matnacian ---
--- ctf for beginners ---

[Write-up] MMA CTF 2015 - Pattern Lock 20

22:28 Posted by Matnacian, 1 comment

Problem

On Android smartphones, you can use a "pattern lock".
Pattern lock uses 9 dots (3x3) on the screen, as in the figure below.
dots
The following figures are examples of lock pattern.
image:image2 image:image3
A lock pattern must satisfy the following three conditions:
  • Use each dot at most once.
  • Use at least 4 dots.
  • Cannot skip a dot lying on the segment.
(Flag 1) The flag is the number of lock patterns, in decimal, without MMA{...}.
(Flag 2) The flag is the maximum length of a lock pattern on 4x4 dots. Assume the distance between two neighboring dots is 1. Please answer rounded to four decimal places, without MMA{...}. (XX.XXXX)
---
Just google "number of lock patterns".
You will find this: http://stackoverflow.com/questions/12127833/patterns-possible-on-3x3-matrix-of-numbers

Combinations of the Android pattern lock screen would not be from 1-9. Instead, they would be 4-9, as the lock pattern needs a minimum of four inputs, and anything below that is invalid (at least from 2.3 onwards; I believe 2.2 and below allowed 3-point locks). Here's the breakdown of the combinations:
Moves = 4, combinations = 1624
Moves = 5, combinations = 7152
Moves = 6, combinations = 26016
Moves = 7, combinations = 72912
Moves = 8, combinations = 140704
Moves = 9, combinations = 140704

Total possibilities: 1624 + 7152 + 26016 + 72912 + 140704 + 140704 = 389112
So flag 1 is 389112!
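The same numbers reproduced by exhaustive search, as an added example that is neither the write-up's nor the StackOverflow answer's code. It encodes the three rules quoted above directly: each dot at most once, at least 4 dots, and a dot on the straight segment to the next dot may only be jumped over if it was already used. The search is written for an n x n grid (the skip rule generalizes to every lattice point on the segment), but only the 3x3 count is checked; the 4x4 maximum-length question (Flag 2) is not attempted here.

```python
# Added example (not from the write-up or the StackOverflow answer): counting
# Android lock patterns by exhaustive search under the three rules quoted
# above. Written for an n x n grid; only the 3x3 count is checked here.

from math import gcd


def points_between(a, b):
    """Lattice points strictly between dots a and b on the straight segment
    joining them. gcd(|dr|, |dc|) - 1 such points exist; on 3x3 that is at
    most one (the midpoint), e.g. (0,0)->(0,2) passes over (0,1), while a
    knight-like move such as (0,0)->(1,2) passes over no dot at all."""
    (r1, c1), (r2, c2) = a, b
    g = gcd(abs(r2 - r1), abs(c2 - c1))
    sr, sc = (r2 - r1) // g, (c2 - c1) // g
    return [(r1 + k * sr, c1 + k * sc) for k in range(1, g)]


def count_lock_patterns(n=3, min_dots=4):
    """Return {pattern_length: count} for every valid pattern with at least
    min_dots dots: each dot at most once, and a dot lying on the segment to
    the next dot may only be passed over if it was already used."""
    dots = [(r, c) for r in range(n) for c in range(n)]
    # Precompute the "must already be used" dots for every ordered pair.
    between = {(a, b): points_between(a, b) for a in dots for b in dots if a != b}
    used = set()
    counts = {}

    def extend(cur, length):
        if length >= min_dots:
            counts[length] = counts.get(length, 0) + 1
        for nxt in dots:
            if nxt in used:
                continue
            if all(p in used for p in between[(cur, nxt)]):
                used.add(nxt)
                extend(nxt, length + 1)
                used.remove(nxt)

    for start in dots:
        used.add(start)
        extend(start, 1)
        used.remove(start)
    return counts


if __name__ == "__main__":
    by_len = count_lock_patterns(3)
    for k in sorted(by_len):
        print(f"Moves = {k}, combinations = {by_len[k]}")
    print("Total:", sum(by_len.values()))
```

The 8-dot and 9-dot counts coincide because every valid 8-dot pattern leaves exactly one unused dot, and extending to it is always legal (the skipped-dot rule can only forbid a move when an unused dot lies between, and there is none left).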

--- matnacian ---
--- ctf for beginners ---

[Tips] Useful sites for CTF

22:21 Posted by Matnacian, No comments
I. Encode - Decode - Encrypt - Decrypt:

http://www.hashkiller.co.uk/ - MD5, SHA1 decrypt
http://www.dcode.fr/ - ...
http://quipqiup.com/ - Substitution cipher solver
http://planetcalc.com/1434/ - Caesar cipher
http://symbolhound.com/ - Search engine for strange symbols
http://ayra.ch/service/vbs/vbs.asp/ - Visual Basic (VBScript.Encode) decoder
http://jsfuck.com/ - JSFuck (obfuscated JavaScript)
http://www.cryptoclub.org/ -
http://whitespace.kauaveel.ee/ - Esolang
http://factordb.com/index.php?query=1907 - RSA
https://www.tools4noobs.com/online_tools/ascii85_decode/ - ASCII85

---------
ZmxhZ3tp -> base64
745f7761735f -> hex
104 105 115 95 102 108 -> ascii
011000010110011101011111011011010111001001011111 -> bin
NNZGCYTTL4====== -> base32 (massive number of '=' chars at the end)
<~Blm^+@<5dnF_tSDEaNs,0OK)ZI/~> -> ASCII85
---------
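A small identifier for the encodings listed above, as an added example that is not part of the original post: it guesses the scheme from the string's alphabet, length and padding, then decodes it. The samples are the ones quoted above; the function name, the test order and the base32 heuristic (more than two '=' characters) are my own construction.

```python
# Added example (not from the original tips post): a small identifier for the
# encodings listed above. It guesses the scheme from the alphabet, length and
# padding of the string, then decodes; samples are the ones quoted above.

import base64
import re
import string

HEX = set(string.hexdigits)
B64 = set(string.ascii_letters + string.digits + "+/=")
B32 = set(string.ascii_uppercase + "234567=")


def identify_and_decode(s):
    """Return (scheme, decoded_bytes) or ("unknown", None).
    Order matters: a binary string is also valid hex, and a hex string is
    also valid base64, so the most restrictive alphabets are tested first."""
    s = s.strip()
    try:
        if set(s) <= {"0", "1"} and len(s) % 8 == 0:
            return "bin", bytes(int(s[i:i + 8], 2) for i in range(0, len(s), 8))
        if re.fullmatch(r"\d+( \d+)+", s):
            return "ascii", bytes(int(x) for x in s.split())
        if set(s) <= HEX and len(s) % 2 == 0:
            return "hex", bytes.fromhex(s)
        if s.startswith("<~") and s.endswith("~>"):
            return "ascii85", base64.a85decode(s, adobe=True)
        # base32 uses A-Z and 2-7; the "massive number of '=' chars" comes
        # from padding each 5-byte block up to 8 characters. Strings with
        # two or fewer '=' fall through to base64 (heuristic, not a proof).
        if set(s) <= B32 and len(s) % 8 == 0 and s.count("=") > 2:
            return "base32", base64.b32decode(s)
        if set(s) <= B64 and len(s) % 4 == 0:
            return "base64", base64.b64decode(s, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        pass
    return "unknown", None


SAMPLES = [  # taken from the list above
    "ZmxhZ3tp",
    "745f7761735f",
    "104 105 115 95 102 108",
    "011000010110011101011111011011010111001001011111",
    "NNZGCYTTL4======",
    "<~Blm^+@<5dnF_tSDEaNs,0OK)ZI/~>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", *identify_and_decode(sample))
```

Running it over the samples above shows why such a list is useful in a CTF: the decoded pieces ("flag{i", "t_was_", "his_fl", "ag_mr_", "krabs_", ...) read as consecutive parts of one flag.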

https://malwr.com/analysis/ - Malware analysis
---------
Web:
http://magiagents.chal.mmactf.link/index.php?page=php://filter/convert.base64-encode/resource=index
echo file_get_contents("../flag");
http://magiagents.chal.mmactf.link/index.php?page=zip://avators/usernamesha1#"content"


II. Commands:

fcrackzip -v -D -u -p /usr/share/dict/words secret.zip

--- matnacian ---
--- ctf for beginners ---

[Write-up] MMA CTF 2015 - MQAAAA 70

22:03 Posted by Matnacian, No comments

Problem

I0B+Xk1RQUFBQT09CVVtLmJ3RFIrMXRLY0p0SCkJRHRubTZWbFRtaEtETnxyZHtLNDZFZG1DT2JXVThyYmpSSUFBQT09XiN+QA==
It's easy to see that it's base64 encoded. Decode this string:
#@~^MQAAAA== Um.bwDR+1tKcJtH) Dtnm6VlTmhKDN|rd{K46EdmCObWU8rbjRIAAA==^#~@

"MQAAAA"! Yes, we are on the right track.
Just google "MQAAAA" and you can find this link:

LANGUAGE = VBScript.Encode %> <%#@~^CgAAAA==[b ...
www.rzc.com.cn/images/images.asp

OK, VBScript.Encode. Decode it with: http://ayra.ch/service/vbs/vbs.asp
Got it, MMA{the_flag_word_is_obfuscation}


--- matnacian ---
--- ctf for beginners ---

[Write-up] OverTheWire Bandit CTF

20:07 Posted by Matnacian, No comments
Hi there,
I'm a newbie in CTF, so I created this blog to help ME, and YOU, those who really want to improve their CTF skills. And the first write-up series is about Bandit CTF: http://overthewire.org/wargames/bandit/

Let's go! I hope we will have a great time together! Keep calm and Happy CTF! ^^

Level 0: SSH
$ ssh bandit0@bandit.labs.overthewire.org
>> Password: bandit0
bandit0@melinda:~$ ls    (you will see a file named readme)
bandit0@melinda:~$ vi readme

Got it? Easy, right?

Level 1: Strange file name
bandit1@melinda:~$ vi "./-"
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Level 2: Strange file name
Nothing different!
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

Level 3: Hidden file
$ cd inhere
$ ls -a
$ vi .hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Level 4: Many files
I discovered a command named "cat", and I find it more useful than "vi".
$ cat "./-file07"
koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Level 5: Super many files
In this level, I saw many folders and files, and they really confused me.
So I think we should use some search command to handle this challenge.
Let's google!

I thought the file containing the flag would be the most recently modified file, so I searched "find last modified file linux" and found this command:
stat --printf="%y %n\n" $(ls -tr $(find * -type f))
But the results didn't look good. Phew!!!

I have played some CTFs, and when I got stuck on a problem, I often gave up.
But this time, as I write this blog, I'm about to take part in a contest between universities in my country. It's very important for me to win this contest, so I must try my best ^^

So what should we do now?
I took a look at some of the files, and they are big text files. So I think we should look for a small file, the same size as the flag file in bandit4.

OK, let's see. bandit4's -file07 -> 33 bytes -> we'll look for a file of size 33 bytes.
Now we are in bandit5/inhere. List all files with their sizes:
$ ls -LR -l
I can't find any 33-byte file, but we have 77 and 51 here. I tried submitting the contents of these files as the password, but got "Permission denied, please try again."

Ah, hidden files!
$ ls -LR -l -a
Still no 33-byte file. I tried submitting the new 99-byte file's contents as the password, and got the error again.

I didn't know what to do next, so I clicked the link "Level 5 → Level 6" in the Bandit menu and found the hint: 1033 bytes. OK, easy! Using my eyes, bingo:
DXjZPULLxYr17uwoI01bNLQbtFemEgo7

But how do we use a command to find a file of exactly x bytes?
http://www.ducea.com/2008/02/12/linux-tips-find-all-files-of-a-particular-size/
$ find -size 1033c

Note: Please read the description of challenges before solving them!

Time for lunch! I will be right back! :D

---
20150909

Level 6: The level I gave up on!
"The password for the next level is stored somewhere on the server."
$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
/var/lib/dpkg/info/bandit7.password
$ cat /var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

WTF is "2>/dev/null"?
From: http://askubuntu.com/questions/350208/what-does-2-dev-null-mean
/dev/null is treated as a black hole in Linux/Unix, so you can put anything into it, but in the end you will not be able to get it back from /dev/null.
So further on, 2> means you are redirecting [i.e. ">"] stderr [i.e. 2] into the black hole [i.e. /dev/null].

Level 7: grep
$ cat data.txt | grep millionth
cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Level 8: uniq and sort
$ uniq -u data.txt
What? Many lines?? uniq only drops adjacent duplicates, so the file has to be sorted first:
$ sort data.txt | uniq -u
UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

or: $ cat data.txt | sort | uniq -u

Level 9: strings
bandit9@melinda:~$ cat data.txt | grep =
Binary file (standard input) matches

Submit the flag 'Binary file (standard input) matches'. Failed :v
Search for the error message: "The grep -a, --text option may be of use to you"
OK: $ cat data.txt | grep -a "=="
truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

or: $ strings data.txt | grep '='

Level 10: base64
$ strings data.txt | base64 -d
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Level 11: tr
bandit11@melinda:~$ cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Level 12: xxd mv cd mkdir
bandit12@melinda:/tmp/hihihi$ strings data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

Level 13: ssh
$ ssh -i sshkey.private bandit14@localhost
$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

Level 14: telnet
$ telnet localhost 30000
BfMYroe26WYalil77FoDi9qh59eK5xNr

Level 15: openssl
$ openssl s_client -connect localhost:30001 -quiet
cluFn7wTiGryunymYOu4RcffSxQluehd

Level 16: nmap
$ nmap localhost -p 31000-32000
$ openssl s_client -connect localhost:31790

Copy the key from the output and create sshkey.private
$ ssh -i sshkey.private bandit17@localhost
$ ls
$ diff password.new password.old

< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd <-- pass 18-19
---
> BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR

xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn <-- pass 17-18

Level 18: ssh with command
ssh bandit18@bandit.labs.overthewire.org cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

Level 19:
$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Level 20: 

$ nc -l 6969
$ ./suconnect 6969
GbKksEFF4yrVs6il55v6gwY5aVje5f0j
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

--- matnacian ---
--- ctf for beginners ---