Sunday, 20 September 2015

[Write-up] CSAW CTF 2015 - Recon Alexander Taylor 100

18:24 Posted by Matnacian , , , No comments

We start with:

CSAW 2015 FUZYLL RECON PART 1 OF ?: Oh, good, you can use HTTP! The next part is at /csaw2015/<the acronym for my university's hacking club>.

OK, let's google "fuzyll".
I don't see anything helpful, so I keep googling.
With "alexander taylor fuzyll", I found his LinkedIn.
You can see in Education, his university is University of South Florida.

With "University of South Florida hacking club", easily you can find this link:
Whitehatters Computer Security Club -

CSAW 2015 FUZYLL RECON PART 2 OF ?: TmljZSB3b3JrISBUaGUgbmV4dCBwYXJ0IGlzIGF0IC9jc2F3MjAxNS88bXkgc3VwZXIgc21hc2ggYnJvdGhlcnMgbWFpbj4uCg==

Decode base64 this string:
Nice work! The next part is at /csaw2015/<my super smash brothers main>.
With "fuzyll super smash brothers", you can find "yoshi" is the answer.
Very cute, right? Save this image and: $ strings yoshi.txt CSAW 2015 FUZYLL RECON PART 3 OF ?: Isn't Yoshi the best?! The next egg in your hunt can be found at /csaw2015/<the cryptosystem I had to break in my first defcon qualifier>.
This part really makes me crazy. "the cryptosystem first defcon qualifier"? Is it a crypto challenge in DEFCON? What is his first defcon qualifier? Back to his LinkedIn,
I think "DEFCON 19 qualification" is the answer.
I googled something likes "DEFCON 19 qualification challenges", "DEFCON 19 write up", but got nothing. Stuck! Stuck! Stuck!
Time to go 2 bed Zz.
After waking up, I continue googling, I continue getting nothing. To tired! So I want to try my luck. Let's check some possible cryptosystems.
CSAW 2015 FUZYLL RECON PART 4 OF 5: Okay, okay. This isn't Engima, but the next location was "encrypted" with the JavaScript below: Pla$ja|p$wpkt$kj$}kqv$uqawp$mw>$+gwes6451+pla}[waa[ia[vkhhmj

var c = ""
for (i = 0; i < s.length; i++) {
    c += String.fromCharCode((s[i]).charCodeAt(0) ^ 0x4);

Just xor!
So you can run the script again to get plain text.

Press F12 and open Console (Chrome, Firefox...)

var s = "Pla$ja|p$wpkt$kj$}kqv$uqawp$mw>$+gwes6451+pla}[waa[ia[vkhhmj"
var c = ""
for (i = 0; i < s.length; i++) {
    c += String.fromCharCode((s[i]).charCodeAt(0) ^ 0x4);
The next stop on your quest is: /csaw2015/they_see_me_rollin
CSAW 2015 FUZYLL RECON PART 5 OF 5: Congratulations! Here's your flag{I_S3ARCH3D_HI6H_4ND_L0W_4ND_4LL_I_F0UND_W4S_TH1S_L0USY_FL4G}!
--- matnacian ---
--- ctf for beginners ---

Saturday, 19 September 2015

[Write-up] CSAW CTF 2015 - Crypto notesy 100

10:03 Posted by Matnacian , , , No comments



The flag is not in the flag{} format.

I'm happy when I didn't spend too much time with this challenge. Poor you :v
We were given a link. Try some inputs and I can see it's just a substitute cipher.
And google for an alphabet english:
(because I'm very lazy to fill in the input form).

Booom! Can't believe this is our flag :D

--- matnacian ---
--- ctf for beginners ---

Tuesday, 8 September 2015

[Write-up] MMA CTF 2015 - QR code recovery challenge 400

23:23 Posted by Matnacian , , , 3 comments


You picked up teared QR code fragments. Recover the flag.
Flag is 12 characters without MMA{...}.

During the opening time  of MMA CTF, I don't know what to do with this picture.
When the CTF ended, I googled "QR code recovery challenge" to find the write-up of this chal, and found this link:


We will solve problem2.png first!
It looks easier, right? I opened GIMP and try to recover it but failed.
After googling, I found a tool named strong-qr-decoder, it can decode corrupted QR code, but only in txt file.
So I tried hard, and found a tool named qr2txt, it can change a bitmap file QR code to a txt file QR code.

Yeah! Go go go!
1. Change problem2.png to problem2.bmp with GIMP, and rename it to qr.bmp
2. $ ./qr2txt
Save it to a text file: $ ./qr2txt > qr.txt

3. User strong-qr-decoder to decode it:
$ python qr.txt -e 2 -m 4


Yeah, we got the flag of problem2.png. Can we do these steps with problem.png

"Flag is 12 characters without MMA{...}."
Submit flag "000000000000"! Failed!!!

Did I miss something?

--- matnacian ---
--- ctf for beginners ---

[Write-up] MMA CTF 2015 - Splitted 30

01:53 Posted by Matnacian , , , 2 comments
This is an "El Clásico" challenge of forensic, but I found it a little bit difficult to solve. Poor me! T.T

We got a pcap file here, but like a habit, when waiting Wireshark open the splitted.pcap, I foremost it:

Really, easy???
I went to /splitted/output/zip and open the zip file, but it was corrupted.
OK, back to Wireshark.

Sorting packets by Length, you can see some zip files like this:

Export them to files: File > Export Objects > HTTP:
Click Save All. Now we have 1, 2, ... 8 files.
We can guess that the zip file contain flag was splitted into 8 files, and we must join these files to capture the flag. Let's try:
$ cat flag* >
Extact file! Waiting... Still corrupted.

I used an hex editor to inspect these zip files, and relized they weren't in order.
Example, the flag(1).zip has the header PK of zip file >> It must be the first file when joining.
So the biggest mission in this challenge is arrange 8 splitted files in the right order to join them.
How can we do this?

Back to Wireshark again. Randomly, I chose packet No. 86 and "Follow TCP Stream".
Aha, "Range: bytes=1876-2344"

Can you guess that what should we do know?
Right! We have this table:

Now, we rename flag*.zip files to final0*.zip files base on the order above.
Example flag(1).zip ->, flag(7).zip ->
Join these files with command: $ cat final* >
Extract it. Bingo. We get the flag.psd. Open it with Photoshop or GIMP:

Blank? Don't worry. On the right panel, you will see 2 layers. Hide/Delete the 背景 layer.
Boom!!! Flag is:

Thanks for reading! ^^ And happy CTF! :D
--- matnacian ---
--- ctf for beginners ---

Monday, 7 September 2015

[Write-up] MMA CTF 2015 - Nagoya Castle 100

22:42 Posted by Matnacian , , , No comments
I can't understand this 100-challenge :D

We are given an image:

Use a stego tool named Stegsolve:
Open this "awesome" image and view it in "Red plane 0". Bingo!

--- matnacian ---
--- ctf for beginners ---

[Write-up] MMA CTF 2015 - Pattern Lock 20

22:28 Posted by Matnacian , , , 1 comment


In android smartphone, you can use "pattern lock".
Pattern lock use 9 dots(3x3) on the screen in the figure below.
The following figures are examples of lock pattern.
image:image2 image:image3
Lock pattern must satisfy following three conditions.
  • Use at most once each dot.
  • Use at least 4 dots.
  • Cannot skip the dot on the segment.
(Flag 1) Flag is the number of lock patterns in decimal without MMA{...}.
(Flag 2) Flag is the maximum length of lock patterns on 4x4 dots. Assume the length of two neighbor dot is 1. Please answer rounded to four decimal places without MMA{...}. (XX.XXXX)
Just google "number of lock patterns".
You will find this:

Combinations of the Android pattern lock screen would not be from 1-9. Instead, they would be 4-9, as the lock pattern needs a minimum of four inputs, and anything below that is invalid (at least 2.3 onwards. I believe 2.2 and below allowed 3 point locks). Here's the breakdown of the combinations:
Moves = 4, combinations = 1624
Moves = 5, combinations = 7152
Moves = 6, combinations = 26016
Moves = 7, combinations = 72912
Moves = 8, combinations = 140704
Moves = 9, combinations = 140704

Total possibilities: 1624 + 7152 + 26016 + 72912 + 140704 + 140704 = 389112
So flag 1 is 389112!

--- matnacian ---
--- ctf for beginners ---

[Tips] Useful sites for CTF

22:21 Posted by Matnacian , , No comments
I. Encode - Decode - Encrypt - Decrypt: - MD5, SHA1 decrypt - ... - Substitute - Caesar - Strange symbol - Visual basic - Javascript - - Esolang - RSA - ASCII85

ZmxhZ3tp -> base64
745f7761735f -> hex
104 105 115 95 102 108 -> ascii
011000010110011101011111011011010111001001011111 -> bin
NNZGCYTTL4====== -> base32 (massive number of '=' chars at the end)
<~Blm^+@<5dnF_tSDEaNs,0OK)ZI/~> -> ASCII85
--------- - Malware analysis
echo file_get_contents("../flag");"content"

II. Commands:

fcrackzip -v -D -u -p /usr/share/dict/words

--- matnacian ---
--- ctf for beginners ---

[Write-up] MMA CTF 2015 - MQAAAA 70

22:03 Posted by Matnacian , , , No comments


It's easy to see that's base64 encoded. Decode this string:
#@~^MQAAAA== Um.bwDR+1tKcJtH) Dtnm6VlTmhKDN|rd{K46EdmCObWU8rbjRIAAA==^#~@

"MQAAAA"! Yes, we are on the right way.
Just google "MQAAAA" and you can find this link: 

LANGUAGE = VBScript.Encode %> <%#@~^CgAAAA==[b ...

OK, VBScript.Encode. Decode this with:
Got it, MMA{the_flag_word_is_obfuscation}

--- matnacian ---
--- ctf for beginners ---

[Write-up] OverTheWire Bandit CTF

20:07 Posted by Matnacian , , , , No comments
Hi there,
I'm a newbie in CTF, so I create this blog to help ME, and YOU, the ones who really want to improve CTF skills. And the first write-up series are about Bandit CTF:

Let's go! Hope we will have great time together! Keep calm and Happy CTF! ^^

Level 0: SSH
$ ssh
>> Password: bandit0
bandit0@melinda:~$ ls (you will see a file named readme)
bandit0@melinda:~$ vi readme

Got it? Easy, right?

Level 1: Strange file name
bandit1@melinda:~$ vi "./-"

Level 2: Strange file name
Nothing different!

Level 3: Hidden file
$ cd inhere
$ ls -a
$ vi .hidden

Level 4: Many files
I see a command named "cat", and I find it's more useful than "vi".
$ cat "./-file07"

Level 5: Super many files
In this level, I saw many folders and files, and they really made me confuse.
So I think we should use some search command to handle this chal.
Let's google!

I think the file contained flag is the lastest modified file, so I search "find last modified file linux"  and found this command:
stat --printf="%y %n\n" $(ls -tr $(find * -type f))
But the results didn't look good. Phew!!!

I played some CTFs, and when getting stuck in a problem, I often gave up.
But this time - when I am writing this blog, I'm going to participate a contest between universities in my country.  It's very important for me to win this contest, so I must try my best ^^

So what should we do now?
I take a look of some files, and they are big text files. So I think we should find a small file that has the same flag file in bandit4.

OK, let's see. bandit4's -file07 -> 33bytes -> We'll find a file that has the 33 byte-size.
 Now we are in bandit5/inhere. List all file with size description:
$ ls -LR -l
I can't find any 33 byte-file, but we have 77 and 51 here. Try submit password of these file but "Permission denied, please try again."

Ah, hidden file!
$ ls -LR -l -a
Still no 33 byte-file. Try submit password of the new 99 byte-file, and error again.

I don't know what to do next, so I click the link "Level 5 → Level 6" in the menu Bandit and find the hint: 1033 bytes. OK, easy!  Use my eyes and bingo:

But how to use command to find an -x-byte file?
$ find -size 1033c

Note: Please read the description of challenges before solving them!

Time for lunch! I will be right back! :D


Level 6: The level that I gave up!
"The password for the next level is stored somewhere on the server".
$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null
$ cat /var/lib/dpkg/info/bandit7.password

WTF is "2>/dev/null"?
dev/null treated as black hole in Linux/Unix, so you can put any this into this but at the end your will not able to get this back from /dev/null/.
so further on 2>, means is you are redirecting [i.e. ">"] stderr [i.e. 2] into black hole [i.e. /dev/null/ ]

Level 7: | grep
cat data.txt | grep millionth

Level 8: uniq and sort
$ uniq data.txt -u
What? Many rows??
$ sort data.txt | uniq -u

or: $ cat data.txt | sort | uniq -u

Level 9: strings
bandit9@melinda:~$ cat data.txt | grep =
Binary file (standard input) matches

Submit flag: 'Binary file (standard input) matches'. Failed :v
Search for the error: "The grep -a, --text option may be of use to you"
OK, $ cat data.txt | grep -a "=="

or: $ strings data.txt | grep '='

Level 10: base64
$ strings data.txt | base64 -d
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

Level 11: tr
bandit11@melinda:~$ cat data.txt | tr 'a-zA-Z' 'n-za-mN-ZA-M'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Level 12: xxd mv cd mkdir
bandit12@melinda:/tmp/hihihi$ strings data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

Level 13: ssh
$ ssh -i sshkey.private bandit14@localhost
$ cat /etc/bandit_pass/bandit14

Level 14: telnet
$ telnet localhost 30000

Level 15: openssl
$ openssl s_client -connect localhost:30001 -quiet

Level 16: nmap
$ nmap localhost -p 31000-32000
$ openssl s_client -connect localhost:31790

Copy and creat sshkey.private
$ ssh -i sshkey.private bandit17@localhost
$ ls
$ diff password.old

< kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd <-- pass 18-19
> BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR

xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn <-- pass 17-18

Level 18: ssh with command
ssh cat readme

Level 19:
$ ./bandit20-do cat /etc/bandit_pass/bandit20

Level 20: 

$ nc -l 6969
$ ./suconnect 6969

--- manacian ---
--- ctf for beginners ---