PragyanCTF (Wytshadow)

Let’s download the zip and see what’s up

Let’s check out that html

hmmm let’s look at the code…

I can also adjust the checkered image to see the text as well.

Changed the values from 184px to 1px

Looks like the flag isn’t here. Let’s look at some other files that were in that zip.

What’s aes.js?

There is a lot of stuff in there but if you have a good eye you can spot the flag.

PragyanCTF (H1tch)

Writeup by H1tch (www.h1tch.org)

Another nice CTF. This one was pretty laid back and went for over a week’s time. Seemed to have a lot of stego and crypto challenges, pretty low on any type of reverse or forensics. Everything seems to have gone smoothly; I didn’t notice any issues. Some members of Overflow Security were in and out of the challenges. Here are the write ups for the ones that I completed.

STEGO

Put on your reading glasses (10 pts)

Run strings on the file. The flag is at the bottom.

strings Proxy.jpg
M}EU]sF
1Z5;”A
kjiFF
16bbee7466db38dad50701223d57ace8

What you see is what you get. (50 pts)

Hack.lu – Dalton’s Corporate Security Safe

Challenge

Myself along with a few of the other OverflowSecurity CTF team members participated in the Hack.lu CTF that just passed, and despite it being a very challenging CTF, we pulled 84th place out of 400 participating teams! Anyhow, I took on the Web challenge “Dalton’s Corporate Security Safe”, and had a lot of fun figuring this one out. Let’s get into it!

tinyCTF – Steg100

Steg100 Challenge.

This stego challenge was pretty fun, it took me a bit of time to figure out the last parts, but I definitely learned a little bit more about how to attack challenges like these! Let’s get into it.

The only file provided was a PNG with three characters (Figure 1). The first thing to check of course is the image metadata. I pulled up fotoforensics.com, uploaded the image and pulled up the image metadata info (Figure 2). Conveniently, there was a tag called ‘Hint’, which linked to yet another PNG over on imgur. I pulled that image down and repeated the process above, but nothing else was revealed.
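The metadata check described above can also be done offline. The following is an added example, not part of the original writeup; it assumes the 'Hint' tag is stored as a PNG tEXt chunk, and the sample image and its URL are constructed placeholders.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype, data):
    """Serialize one chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_sample_png():
    """Constructed 1x1 grayscale PNG carrying a 'Hint' tEXt chunk (placeholder URL)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    hint = b"Hint\x00https://example.invalid/hint.png"
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr) + make_chunk(b"tEXt", hint)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))

def iter_chunks(png):
    """Yield (type, data, crc_ok) for each chunk, stopping at IEND."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        crc_raw = png[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc_raw) != 4:
            raise ValueError("truncated chunk at offset %d" % pos)
        crc_ok = struct.unpack(">I", crc_raw)[0] == zlib.crc32(ctype + data) & 0xFFFFFFFF
        yield ctype, data, crc_ok
        if ctype == b"IEND":
            break
        pos += 12 + length

def text_metadata(png):
    """Map each tEXt keyword to (value, crc_ok); tEXt is Latin-1, NUL-separated."""
    found = {}
    for ctype, data, crc_ok in iter_chunks(png):
        if ctype == b"tEXt":
            key, _, value = data.partition(b"\x00")
            found[key.decode("latin-1")] = (value.decode("latin-1"), crc_ok)
    return found

if __name__ == "__main__":
    for key, (value, crc_ok) in text_metadata(build_sample_png()).items():
        print("%s = %s (CRC %s)" % (key, value, "ok" if crc_ok else "BAD"))
```

A failed CRC on a text chunk means the chunk was edited after the image was written without recomputing the checksum.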

tinyCTF – Cry100

Cry100 Challenge

This was one of the first crypto challenges I’ve done for a CTF, and thankfully it was basic enough (it was only worth 100 points, after all)! The challenge file provided was a text file which looked like it contained words and sentences, only the letter values were jumbled up. Since the challenge was very likely an easy one, I didn’t overthink the possible solutions. My first thought was that this could have been a simple character substitution problem.

tinyCTF – Exp200

Exp200 Challenge.

Unfortunately, this challenge was essentially the same challenge I took during CSAW 2014 with some slight tweaks to it, making it slightly more challenging than the last. As with before, the challenge provided a Python script which was used as a sandbox, preventing certain modules and functions from being executed.

#!/usr/bin/python

def serve():
    "Serve a request"

    print "baby@sics:~$",

    code = raw_input()

    if validate(code):
        print eval(code)
    else:
        print "#rekt"

def validate(code):
    "Hyper-secure, military grade python sandboxing"

    prohibited_keywords = [
        "import",
        "open",
        "flag",
        "eval",
        "exec"
    ]

    for keyword in prohibited_keywords:
        if keyword in code:
            return False
    
    return True

def main():
    print """
Welcome to Safe Interactive CPython Shell (SICS)
================================================

Rules: 
    - Wash your dishes
    - Don't eat the yellow snow
    - Do not import anything
    - No peeking at files!
"""

    while True:
        serve()

if __name__ == '__main__':
    main()
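For contrast with the keyword blacklist in the script above, here is an allowlist-based evaluator. It is an added example in Python 3, not part of the original writeup or the challenge; it assumes the shell only needs arithmetic on numeric literals, and the sample inputs are constructed.

```python
import ast
import operator

PROHIBITED = ["import", "open", "flag", "eval", "exec"]

def blacklist_validate(code):
    """The challenge's check, ported unchanged: a substring match on the raw text."""
    return not any(keyword in code for keyword in PROHIBITED)

_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
            ast.Div: operator.truediv, ast.Mod: operator.mod}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}

def safe_eval(code):
    """Evaluate arithmetic only, by walking the parsed tree; eval() is never called."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        # Names, calls, attribute access, strings, etc. are all refused here.
        raise ValueError("rejected node: " + type(node).__name__)
    if len(code) > 200:  # bound the work done on one request
        raise ValueError("input too long")
    return walk(ast.parse(code, mode="eval"))

def is_allowed(code):
    """True when the allowlist evaluator accepts the input."""
    try:
        safe_eval(code)
        return True
    except (ValueError, SyntaxError):
        return False

if __name__ == "__main__":
    # Constructed inputs: the blacklist accepts all three, the allowlist only the first.
    for sample in ["2 * (3 + 4)", "dir()", "'a'.upper()"]:
        print(repr(sample), "blacklist:", blacklist_validate(sample),
              "allowlist:", is_allowed(sample))
```

The blacklist decides on the text of the input, while the allowlist decides on what the parsed expression would do, so anything outside the listed node types is refused by default.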

 

tinyCTF – Rev200

Rev200 Challenge

Finally with Rev200 I was able to get into the more challenging flags! I really enjoyed this one as it let me reflect on my glory Android developer days, if you could consider it as such!

Running file on the challenge file indicated it was a zip archive, but considering the context of the challenge, it was an Android apk package (essentially just a zip archive). The apk contents contained the set of files and resources that make up a typical Android application (Figure 1). A quick peek at AndroidManifest.xml and the resources didn’t reveal anything juicy, so I set my eyes on the file classes.dex. I used the d2j-dex2jar tool to transform classes.dex into a jar file I could later further decompile to java code (Figure 2).

tinyCTF – Misc100

Misc100 Challenge

This challenge involved, as the challenge name hinted at, some sort of password cracking operation to capture the flag. The challenge file was a password protected zip file. I utilized fcrackzip to help me out (Figure 1).

fcrackzip -v -D -u -p ~/wordlists/rockyou.txt misc100
Figure 1 - Utilizing fcrackzip against zip file.

The password was found quickly and easily enough! Unzipping the challenge with the discovered password provided the flag (Figure 2)!

Figure 2 - Unlocking the flag from a password-protected zip file.

Flag: flag{ev3n::y0u::bru7us?!}

tinyCTF – Misc10

Misc10 Challenge

The file for this challenge contained an alpha-numeric string. I ran the file contents through a hash identifier and nothing got picked up. Taking a closer look at the string, it looked as though all of the values were within the range of ASCII characters represented in hex (I have to thank my exploit dev training for that!). Decoding the values with Python confirmed my suspicions et voila! My first flag (Figure 1)! 10 points in the bag!

Figure 1 - Decoding hex string.

Flag: flag{hello_world}

CSAW 2014 walkthrough – Fluffy No More

Fluffy No More was a Forensics 300 point challenge at CSAW 2014. The backstory seemed kind of funny and I thought I’d give it a shot!

fluffy no more challenge

Setup

The attached tarball contained a few additional tarballs:

  • Full /etc directory contents
  • Full /var/log directory contents
  • Full /var/www directory contents
  • A MySQL database dump file

The task was to determine the attacker’s ingress point as well as discover a key for the CTF challenge. I cover both points in the sections below.

The opinions and thoughts on this blog are those of Overflow Security members, and do not reflect those of our members’ employers.