Hack.lu – Dalton’s Corporate Security Safe


I, along with a few of the other OverflowSecurity CTF team members, participated in the Hack.lu CTF that just passed, and despite it being a very challenging CTF, we pulled 84th place out of 400 participating teams! Anyhow, I took on the Web challenge “Dalton’s Corporate Security Safe” and had a lot of fun figuring this one out. Let’s get into it!

X11 Forwarding Mac

This tutorial is going to cover setting up X11 forwarding via SSH from your Kali box to your Mac.  This is a great way to host your Kali machine on a server (Home Server or VPS) and still have access to tools like Burp that require a GUI.

First thing you will need to do is download and install XQuartz from http://xquartz.macosforge.org/landing/

Next we need to enable the ssh server service.

Let’s make sure we know the IP of our machine. This is my internal lab machine so the IP is non-routable, but if you had this going through a firewall you would obviously need to forward SSH to your Kali box before trying to SSH to your external IP address.

Metasploitable without Metasploit – Unreal IRC


In continuing our series on compromising the Metasploitable machines, the next installment is on the Unreal IRC service.

This is a very quick exploit, which does not require any additional scripting or even downloading to get to work properly. It’s a backdoor within the Unreal IRC daemon that allows a remote attacker to instantly gain root on the target machine. In fact, this method is actually faster than using Metasploit!

So first things first, nmap scan the machine to ensure that the service is running on the target.


tinyCTF – Steg100

Steg100 Challenge.


This stego challenge was pretty fun, it took me a bit of time to figure out the last parts, but I definitely learned a little bit more about how to attack challenges like these! Let’s get into it.

The only file provided was a PNG with three characters (Figure 1). The first thing to check of course is the image metadata. I pulled up fotoforensics.com, uploaded the image and pulled up the image metadata info (Figure 2). Conveniently, there was a tag called ‘Hint’, which linked to yet another PNG over on imgur. I pulled that image down and repeated the process above, but nothing else was revealed.

tinyCTF – Cry100

Cry100 Challenge


This was one of the first crypto challenges I’ve done for a CTF, and thankfully it was basic enough (it was only worth 100 points, after all)! The challenge file provided was a text file which looked like it contained words and sentences, only the letter values were jumbled up. Since the challenge was very likely an easy one, I didn’t overthink the possible solutions. My first thought was that this could have been a simple character substitution problem.

tinyCTF – Exp200

Exp200 Challenge.


Unfortunately, this challenge was essentially the same challenge I took during CSAW 2014 with some slight tweaks to it, making it slightly more challenging than the last. As with before, the challenge provided a Python script which was used as a sandbox, preventing certain modules and functions from being executed.


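# Python 2 source, as provided by the challenge.

def serve():
    "Serve a request"

    print "baby@sics:~$",

    # Read one line of attacker-controlled input
    code = raw_input()

    # The input is passed to eval() whenever the keyword filter accepts it
    if validate(code):
        print eval(code)
        print "#rekt"

def validate(code):
    "Hyper-secure, military grade python sandboxing"

    prohibited_keywords = [
        # keyword entries are not shown in this excerpt
    ]

    # Plain substring match against the raw input string
    for keyword in prohibited_keywords:
        if keyword in code:
            return False
    return True

def main():
    print """
Welcome to Safe Interactive CPython Shell (SICS)

    - Wash your dishes
    - Don't eat the yellow snow
    - Do not import anything
    - No peeking at files!
"""

    # Serve requests until the process is terminated
    while True:
        serve()

if __name__ == '__main__':
    main()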

tinyCTF – Rev200

Rev200 Challenge


Finally with Rev200 I was able to get into the more challenging flags! I really enjoyed this one as it let me reflect on my glory Android developer days, if you could consider it as such!

Running file on the challenge file indicated it was a zip archive, but considering the context of the challenge, it was an Android apk package (essentially just a zip archive). The apk contents contained the set of files and resources that make up a typical Android application (Figure 1). A quick peek at AndroidManifest.xml and the resources didn’t reveal anything juicy, so I set my eyes on the file classes.dex. I used the d2j-dex2jar tool to transform classes.dex into a jar file I could later further decompile to Java code (Figure 2).

tinyCTF – Misc100

Misc100 Challenge


This challenge involved, as the challenge name hinted at, some sort of password cracking operation to capture the flag. The challenge file was a password protected zip file. I utilized fcrackzip to help me out (Figure 1).

fcrackzip -v -D -u -p ~/wordlists/rockyou.txt misc100

Figure 1 – Utilizing fcrackzip against zip file.

The password was found quickly and easily enough! Unzipping the challenge with the discovered password provided the flag (Figure 2)!


Figure 2 – Unlocking the flag from a protected zip file.

Flag: flag{ev3n::y0u::bru7us?!}

tinyCTF – Misc10

Misc10 Challenge


The file for this challenge contained an alpha-numeric string. I ran the file contents through a hash identifier and nothing got picked up. Taking a closer look at the string, it looked as though all of the values were within the range of ASCII characters represented in hex (I have to thank my exploit dev training for that!). Decoding the values with Python confirmed my suspicions et voila! My first flag (Figure 1)! 10 points in the bag!


Figure 1 – Decoding hex string.

Flag: flag{hello_world}

OSCP Review – Eagle11

Finally I am among those who can write this review and say “I did it!”

It has been a long journey for me. With everything I had going on at home between work and a new baby, I had to extend my lab time A LOT! So I will not be commenting on how long it SHOULD take you to complete the course and certification… What I will say is if I would have had 2 weeks to do nothing but this class I could have knocked it out in that time. My time for the class was spent mostly after work 6-7 PM until bed, and then on weekends…