[Pragyan CTF] Supreme Leader

Standard

Description:

North Korea reportedly has a bioweapon in the making. Hack into their database and steal it.

Link : http://139.59.62.216/supreme_leader

For the second web challenge we’re given with a URL, lets open it.

Cute Kim 🙂

Now let’d dump the headers of the response using curl:

 

We can see an interesting cookie:  KimJongUn=2541d938b0a58946090d7abdde0d3890_b8e2e0e422cae4838fb788c891afb44f. The value of the cookie is looking like 2 MD5 hashes combined with “_”. Let’s try to crack them online using my favorite site.

That’s it! Here is the flag: pragyanctf{send_nukes}

Share

[Pragyan CTF] Answer To Everything

Standard

Description:

Shal has got a binary. It contains the name of a wise man and his flag. He is unable to solve it.

Submit the flag to unlock the secrets of the universe.

main.exe

In this challenge we have a binary, I ran file command on it:

 

Haha, weird. It is actually an ELF file and not exe. Lets execute the binary and give it the answer to everything (’42’) as an input:

At first I though that “#kdudpeh” is the flag but it isn’t, neither “kdudpeh”. The name of the person in the question is Shal, looking like SHA1, and the binary says “submit without any tags”, so “hashtagkdudpeh” without the tag is just “hashkdudpeh”. So I tried to submit the result of SHA1(“kdudpeh”) as answer but failed again. Then I tried Caesar cipher on “kdudpeh” and find “harambe”.

So I again tried submit the flag, this time with Sha1(“harabe”).

The flag was pragyanctf{31a0d851ea10ad886ad4e99ed05892de06998ab9} which is SHA1("harambe")

 

Share

[Pragyan CTF] Interstellar

Standard

Description:

Forensics 150 pts

Dr. Cooper, on another one of his endless journeys encounter a mysterious planet . However when he tried to land on it, the ship gave way and he was left stranded on the planet . Desperate for help, he relays a message to the mothership containing the details of the people with him . Their HyperPhotonic transmission is 10 times the speed of light, so there is no delay in the message . However, a few photons and magnetic particles interefered with the transmission, causing it to become as shown in the picture . Can you help the scientists on the mothership get back the original image?

transmission.png

We are given with a photo, I opened it in Photoshop and saw that parts of it are transparent.

 

I grabbed Python and removed the Alpha layer from the image. The Alpha layer controls pixels’ transparency.

We got the result with the flag:

 

The flag was pragyanctf{Cooper_Brand}

Share

[Pragyan CTF] Game of Fame

Standard

Description:

p xasc. a zdmik qtng. yiy uist. easc os iye iq trmkbumk. gwv wolnrg kaqcs vi rlr.

Hint! Robert Sedgewick

To be honest, this challenge was pretty simple. I decrypted the text using online Vigenere cipher decrypter, which is the first cipher I try in suchcases, just after Caesar cipher.

The key was “pragyan” and the result was: “a game. a movie star. his wife. name of the cs textbook. the winner takes it all.”

I then used the hint about Robert Sedgewick, which is a famous computer science professor at Princeton University. I found that the flag is his CS textbook title.

The flag was pragyanctf{algorithms}.

Share

[33C3 CTF] pay2win Writeup

Standard

Description:

pay2win – Web
Do you have enough money to buy the flag?

This challenge was pretty tricky to understand at the beginning. I solved it with a quick and simple workaround that allowed me to solve the challenge without fully understand it. Once I got the flag I understood the whole story. So as with all the stories, we need to begin from the start.

We’re given with a website in where we can buy two products: ‘cheap’ (13.37 USD) and ‘flag’ (31337.42 USD). We, of course, want to buy the ‘cheap’ one because we don’t want to spend our money on some leet flag with the answer to life, the universe and blah blah. So — the ‘cheap’ it is.

pay2win_1

In order to buy the product we need to supply a valid credit card number, there are bunch of examples of valid credit cards online.

pay2win_2

Lets try one of them and see what we get.

pay2win_3

Woo-hoo! We finally bought the ‘cheap’ product and fulfilled our dream.
Kidding. Lets move on and see what will we get when trying to buy the ‘flag’.

pay2win_4

pay2win_5

“failed”? Oh no. The server says that we exceeded the credit card limit. The first thing to come in my mind was to brute force the server with valid CC numbers, but I figured out very fast that this isn’t the right way to the solution. At this time I noticed something interesting about the URLs of the pages: there’s a GET parameter named ‘data’ that some parts of it are the same on every request. Until now I thought it’s always a new hash. I grabbed pencil and paper and started to figure out the patterns and the mutual parts. Okay, okay, I admit – opened VS Code and made a simple table. The mutual parts highlighted using Photoshop.

pay2win_6

As you can see, every hash is combined from 3 parts. The beginning of each type is mutual and so is the end. I thought that certain combination is required to get the flag. But how I mix the parts to the correct hash so as to get the ‘flag’ content. Now it’s about trial and error. Or not.

After two manual tries I gave up because automation is always better and here comes the workaround I mentioned before. I created a list with instance of every colored part and added one example of white part from each page. I then created from this list another list with all possible permutations of 3 parts, i.e all the possible combinatios (990 combinations) and tried all of them using urllib2.urlopen() ’til I found ’33C3′ in the response.

I know. It isn’t the most efficient way to do this but it was short and quick.

 

It took the script 2 minutes to run and then it came up with 3 possible hashes, lets try one of them to see if we indeed got the flag:

pay2win_7

YES! We got the flag! I took a deep breath and analysed the matched hashes to find out what is the right pattern. I came out with two possible patterns:

5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 + X + 2f7ef761e2bbe791
5765679f0870f4309b1a3c83588024d7c146a4104cf9d2c8 + X + 4f75c9736d3b8e0641e7995bb92506da1ac7f8da5a628e19ae39825a916d8a2f
Where X is one of the white parts of ‘flag’ product (purchase page/success).

The logic behind is as followed: Seems like the blue part is for ‘success’ and the light-blue part is for ‘failed’. The yellow part is likely for ‘product page’. If you take every hash of ‘flag’ product (product page / purchase failed) and replace its first part (light-blue / yellow) with the blue part (‘success’) you come up with a valid hash that brings the flag.

That’s it. the flag is:  33C3_3c81d6357a9099a7c091d6c7d71343075e7f8a46d55c593f0ade8f51ac8ae1a8
I’ll be happy to read in the comments how the challenge was for you.

Share

[33C3 CTF] The 0x90s called Writeup

Standard

Description:

The 0x90s called – PWN

The 0x90s called, they want their vulns back!
Pwn this and get the flag. Who would’ve thought?
If you want to try it locally first, check this out.

This challenge was pretty simple and obvious. We are given with a website that is requesting a ‘proof of work’ from us to reduce the load on their infrastructure. We need to press start and then we get a port to which we can connect using netcat, username and password. We connect to the server and search for the flag.

Look at the highlighted rows. We can see that we are in Slack Linux 0.99pl12 machine, that flag.txt is on the root folder and that only root can read it. Before trying anything special or complicated, lets search online for known exploit to this version.

90s_called_1Oh, this was easy! There’s a known exploit available on Github.

Lets run it to see if it works, and if so read the flag.

 

It worked just fine (thanks prdelka for the exploit)! We got root permissions and were able to read the flag.
Flag33C3_Th3_0x90s_w3r3_pre3tty_4w3s0m3

I’ll be happy to read in the comments how the challenge was for you.

[H4CK1T 2016] Crypt00perator – Ethiopia Writeup

Standard

Description:

Long time ago one security module has been written. But for now its sources have been missed somehow. We have forgotten th3 access k3y, which, as we remember, has been hardcoded inside the module. Help us to recollect th3 k3y!11
crypt0_0perator_56e0a9f07f54b3634ab5cc2b30e5b29e.exe

h4ck1t{…}

This is a pretty basic reverse challenge. We can solve it in many different ways but I will show you only two of them. The first one is the quickest method that will work only for this challenge, and the second is for those of you who want to understand better how to solve such challenges in the future.

So, we got an exe file and we need to find the access key. We are given with a hint that the key is somehow hardcoded in the file itself. Let’s run the file and see what will happen.

Seems like all it does is to ask for the key, let’s take a deeper look and see if we the key is stored clear-text in the file. Open the file in IDA pro and press Shift+F12 to open the Strings subview. The strings that written by the programmer will usually be stored in close adresses. Her’e are snip of the strings. I marked the most meaningful:

We can easily notice the strings which we already faced when executing the program: ‘Denied’ and ‘Enter th3 k3y :’. The ‘Allowed’ string will probably be printed after entering the right key. But what is this strange string: ‘o3dl6s|41a42344d110746d574e35c2f77ab6>3z’? Is it the key? Let’s try.

No luck. It is not the key, but what is it? It should be meaningful somehow but I don’t yet know how the program is using this string. I decided to debug the program and set a breakpoint before the decision whether the input is the right key or not is made.

Let’s go to the main function and set a breakpoint before the calling to the Checker method:

h4ck1t_ethiopia1

 

Now let’s run the program with that long string as the input and look at the registers. We can see that RAX is pushed to the Checker function. The checker function is comparing RAX with the long string and if RAX==long_string we get the Allowed message. But our RAX is different then the long string although we use the long string as our input what means that the inputted string is being manipulated and then compared to the original long string. So, what is our RAX? Let’s hover RAX with the cursor.

h4ck1t_ethiopia2

 

Well, RAX is looking like the flag. We will get the Denied message but at least we now have the flag.

 

So we solved the challenge but now let’s see what is happening behind the scenes of this program. We can find out what the program is doing without getting too deep into the assembly code. We already know that the program is taking our input and perform some manipulation on it. After that it compares the manipulated string to this long string ‘o3dl6s|41a42344d110746d574e35c2f77ab6>3z’. The best approach in this cases is to see what is the result of different inputs, I’ll show few examples that can teach us about the program:

 

InputRAX
MegabeetsJb`febbst
AAAAFFFF
AAAAFFFF
h4ck1t{36f35433c667031c203b42d5a00fe194}o3dl6s|41a42344d110746d574e35c2f77ab6>3z
h4cko3dl
h4ck{}o3dl|z
abcdefghijklmnopqrstuvwxyz01234567890{}fedcba`onmlkjihwvutsrqp_~}76543210?>7|z

 

As you can see, this is probably a Substitution cipher implementation. Every character is replaced  always with the same another character. We can write a short python script to figure out what is the key using our a-z0-9{} input and the matching RAX string:

 

We got the flag 🙂

If you have any questions feel free to ask and I’ll explain more.

Flag: h4ck1t{36f35433c667031c203b42d5a00fe194}

 

Share

[H4CK1T 2016] QRb00k – Russia Writeup

Standard

Description:

Task: QRb00k – Russia – W3b – 400
The secured messenger was developed in Canada, it’s using systems with qr keys for communicating, it allows to read other people’s messages only to this key holders. But is it true? And you have to figure it out …
http://hack-quest.com

This was a very good web challenge. It took me quite a time to fully understand it but was absolutely worth of its 400 points.

Starting the challenge we are given with a messenger site that uses QR codes to communicate. The site has two main pages:

  • Create – which creates QR code from a given name and message
  • Read – an upload form to upload QR code and read the message inside

So let’s create a message:

We got a QR code which is the key to read our message:

Now let’s read the message using the QR code:

 

Ok, it all worked as it supposed to. I used the zxing service to view the content of the QR code:

h4ck1t_russia_4

Look at the raw text. It’s a short string that looks like it was base64 encoded. But wait, base64 can’t begin with “==”! Those characters usually appear at the end of base64 encoded strings. Is it reversed? Let’s check:

Yes! it indeed was reversed. our key (QR code) is created by: QR(Reverse(Base64(name))).

Ok, now that we understand the mechanics we can let the party begin and start playing with SQL Injection. In order to create the QR codes I used this site, It was faster than using the challenge site.

I began with the obvious: ‘ or 1=1–

h4ck1t_russia_5

Whoops, Busted. The system recognized my SQLi attack. I tried some filter bypassing methods and succeeded with this input:

Reverse(Base64(input)) == “==wc0VWZiF2Zl10JvoiLuoyL0NWZsV2cvoiLuoyLu9WauV3Lq4iLq8SKoU2chJWY0FGZvoiLuoyL0NWZsV2cvoiLuoyLu9WauV3Lq4iLq8yJ”

h4ck1t_russia_6

It worked! now let’s find the correct table (“messages”) and column by using some queries to map the database:

QR(Reverse(Base64(input))) == “zRXZlJWYnVWTn8iKu4iKvQ3YlxWZz9iKu4iKv42bp5WdvoiLuoyLnMXZnF2czVWbn8iKu4iKvU2apx2Lq4iLq8SZtFmbfVGbiFGdvoiLuoyLlJXZod3Lq4iLq8ycu1Wds92YuEWblh2Yz9lbvlGdh1mcvZmbp9iKu4iKv02byZ2Lq4iLq8SKl1WYu9lbtVHbvNGK0F2Yu92YfBXdvJ3ZvoiLuoyL0NWZsV2cvoiLuoyLu9WauV3Lq4iLq8yJ”

h4ck1t_russia_7

“secret_field”? Sounds suspicious. Let’s query it and see what it contains:

h4ck1t_russia_8

And we got the flag! I honestly really enjoyed this challenge.

Flag: h4ck1t{I_h@ck3d_qR_m3Ss@g3r}

 

If you have any questions feel free to ask 🙂

Share

[H4CK1T 2016] ch17ch47 – Germany Writeup

Standard

Description:

ch17ch47 – Germany – 200 – Forensics
Find out who is the recipient of the information from the agent.
http://ctf.com.ua/data/attachments/CorpUser.zip

This challenge was second in this CTF which took me no more then five simple and basic commands in order to get the flag.

I roughly follow the same simple system whenever I face a new challenge. This system has prove itself again and again in almost any kind of challenge in different levels.

  1. Examine the file types that are given to you: An image, pcap, pe, etc. You can do it using the file command or just by open it
  2. Run ‘strings’ command on it.
  3. Run foremost (and binwalk) on the file
  4. Run strings on all the extracted files
This time we are given with a zip file. First, we want to unzip it in order to examine the files inside. It has a lot of file so I don’t paste here the full output.

 

We have a lot of files of different types from what seems like Windows machine (AppData, Favorites, Downloads, Desktop…). We can start step 2 that I mentioned before and recursively search for the flag in the strings of the files.

This command iterates recursively all the files in the directory and the sub-directories and grep for the string ‘h4ck’. The command returned that there is a database file that is containing part of the flag. Now let’s strings command on the file:

And we got the flag. Easy, right?

Flag: h4ck1t{87e2bc9573392d5f4458393375328cf2}

Share

[H4CK1T 2016] 1magePr1son- Mozambique Writeup

Standard

Description:

Task: 1magePr1son- Nozambique- Stego- 150

Implementing of the latest encryption system as always brought a set of problems for one of the known FSI services: they have lost the module which is responsible for decoding information. And some information has been already ciphered! Your task for today: to define a cryptoalgorithm and decode the message.
https://ctf.com.ua/data/attachments/planet_982680d78ab9718f5a335ec05ebc4ea2.png.zip
h4ck1t{str(flag).upper()}
https://ctf.com.ua/data/attachments/planet_982680d78ab9718f5a335ec05ebc4ea2.png.zip

For the start we are given with a wallpaper image named planet.png (2560×1850)

h4ck1t_mozambiqu1

Looking carefully at the image we can see a pattern of strange dots, such dots may be connected to the cryptosystem. Those are pixels in different colors that probably belongs to another image. My thought is that the pixels of the flag image was splitted into the wallpaper.

h4ck1t_mozambiqu2

The dots exists every 24 pixels so I wrote a short pythons script in order to combine them into one image:

I ran it and got a big image (the wallpaper size) with this tiny image inside that contains the flag:

h4ck1t_mozambiqu3

Flag: h4ck1t{SPACE_IS_THE_KEY}

Share