Hack.lu – Dalton’s Corporate Security Safe


A few of the other OverflowSecurity CTF team members and I participated in the Hack.lu CTF that just passed, and despite it being a very challenging CTF, we pulled 84th place out of 400 participating teams! Anyhow, I took on the Web challenge “Dalton’s Corporate Security Safe”, and had a lot of fun figuring this one out. Let’s get into it!

tinyCTF – Steg100

Steg100 Challenge.


This stego challenge was pretty fun, it took me a bit of time to figure out the last parts, but I definitely learned a little bit more about how to attack challenges like these! Let’s get into it.

The only file provided was a PNG with three characters (Figure 1). The first thing to check of course is the image metadata. I pulled up fotoforensics.com, uploaded the image and pulled up the image metadata info (Figure 2). Conveniently, there was a tag called ‘Hint’, which linked to yet another PNG over on imgur. I pulled that image down and repeated the process above, but nothing else was revealed.

tinyCTF – Cry100

Cry100 Challenge


This was one of the first crypto challenges I’ve done for a CTF, and thankfully it was basic enough (it was only worth 100 points, after all)! The challenge file provided was a text file which looked like it contained words and sentences, only the letter values were jumbled up. Since the challenge was very likely an easy one, I didn’t overthink the possible solutions. My first thought was that this could have been a simple character substitution problem.

tinyCTF – Exp200

Exp200 Challenge.


Unfortunately, this challenge was essentially the same challenge I took during CSAW 2014 with some slight tweaks to it, making it slightly more challenging than the last. As with before, the challenge provided a Python script which was used as a sandbox, preventing certain modules and functions from being executed.


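# Python 2 challenge script, as excerpted in the post.
def serve():
    "Serve a request"

    print "baby@sics:~$",

    code = raw_input()

    # Input is evaluated only if it passes the substring blacklist below.
    if validate(code):
        print eval(code)
        print "#rekt"

def validate(code):
    "Hyper-secure, military grade python sandboxing"

    prohibited_keywords = [
        # keyword list not shown in this excerpt
    ]

    # Reject the input if any prohibited keyword appears anywhere in it.
    for keyword in prohibited_keywords:
        if keyword in code:
            return False
    return True

def main():
    print """
Welcome to Safe Interactive CPython Shell (SICS)

    - Wash your dishes
    - Don't eat the yellow snow
    - Do not import anything
    - No peeking at files!
"""

    while True:
        serve()

if __name__ == '__main__':
    main()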

tinyCTF – Rev200

Rev200 Challenge


Finally with Rev200 I was able to get into the more challenging flags! I really enjoyed this one as it let me reflect on my glory Android developer days, if you could consider it as such!

Running file on the challenge file indicated it was a zip archive, but considering the context of the challenge, it was an Android apk package (essentially just a zip archive). The apk contained the set of files and resources that make up a typical Android application (Figure 1). A quick peek at AndroidManifest.xml and the resources didn’t reveal anything juicy, so I set my eyes on the file classes.dex. I used the d2j-dex2jar tool to transform classes.dex into a jar file I could later decompile further to Java code (Figure 2).

tinyCTF – Misc100

Misc100 Challenge


This challenge involved, as the challenge name hinted at, some sort of password cracking operation to capture the flag. The challenge file was a password-protected zip file. I utilized fcrackzip to help me out (Figure 1).

fcrackzip -v -D -u -p ~/wordlists/rockyou.txt misc100
Figure 1 - Utilizing fcrackzip against zip file.


The password was found quickly and easily enough! Unzipping the challenge with the discovered password provided the flag (Figure 2)!

Figure 2 - Unlocking the flag from a password-protected zip file.


Flag: flag{ev3n::y0u::bru7us?!}

tinyCTF – Misc10

Misc10 Challenge


The file for this challenge contained an alpha-numeric string. I ran the file contents through a hash identifier and nothing got picked up. Taking a closer look at the string, it looked as though all of the values were within the range of ASCII characters represented in hex (I have to thank my exploit dev training for that!). Decoding the values with Python confirmed my suspicions et voila! My first flag (Figure 1)! 10 points in the bag!

Figure 1 - Decoding hex string.


Flag: flag{hello_world}

CSAW 2014 walkthrough – Fluffy No More

Fluffy No More was a Forensics 300 point challenge at CSAW 2014. The backstory seemed kind of funny and I thought I’d give it a shot!

fluffy no more challenge


The attached tarball contained a few additional tarballs:

  • Full /etc directory contents
  • Full /var/log directory contents
  • Full /var/www directory contents
  • A MySQL database dump file

The task was to determine the attacker’s ingress point as well as discover a key for the CTF challenge. I cover both points in the sections below.

CSAW 2014 walkthrough – pybabbies

pybabbies was an Exploitation 200 challenge during the CTF and I got “voluntold” to work on this one by my teammates since I have a strong Python background. The night was young and I felt pretty good about it, so I took a look.

pybabbies challenge

Setting the scene

Connecting to that IP/port with netcat revealed a shell prompt indicating that I had connected to a Python sandbox environment. Python sandboxes are nothing new, and I had actually recently done some reading on a sandbox challenge from an older CTF writeup, so I felt pretty good about what I was getting myself into.

The opinions and thoughts on this blog are those of Overflow Security members, and do not reflect those of our members’ employers.