Monday, 5 January 2015

Writeup for n00b15CTF

This is a collection of hints for all the problems in the recently conducted Capture The Flag (CTF) contest conducted by SDSLabs as a way to get n00bs (beginners) to have a taste of the beautiful world of hacking. It was a pretty fun contest even though it was quite easy.

Test


Use a SHA256 tool. My favourite is to just search for "SHA256 STRING_TO_BE_SHA256" on my default search engine (www.duckduckgo.com)

Location-51


There is a redirect occuring here from http://hack.bckdr.in/LOCATION-51/index.html to http://hack.bckdr.in/LOCATION-51/trap.html Stop this redirect, and read the source of index.html The javascript there gives away the flag

Hidden flag - Easy


Using the file linux command, we find out that it is an ELF binary, but running it gives nothing. However, running strings on it gives away the flag.

Search


The zip file contains a .txt file which does not seem normal text, so we run a file on it. This says that it is jpeg, so change it to .jpg and open it. It is a QR code. Decode this using some online tool (just search for "QR code decode online" for a large number of free tools) and get a link. The link has the flag.

Lost


The message says Console, so open up console in Firefox. The message then tells you to POST data to a link. Going to this link directly does nothing, but sending it any random POST data (using HackBar addon in Firefox for example) gives the flag.

Hidden flag - Medium


Analyzing the file with IDA Pro shows that there is a function called print_flags() which is not called inside main(). Running this function should print the flag. We can do this by attaching gdb to the binary, breaking the execution and running the print_flags() function.

Clutter


Extracting the file and analyzing with Wireshark shows that there is too much to work with. But exporting all the files and then running strings on it would probably work. However, filtering this is a pain, so I just ran a grep for flag and the answer will be visible near a pastebin title.

No - Signal


Use GIMP or Photoshop to add the images. The flag should be obvious then.

Sound


Slow down and reverse the sound wave using Audacity. Listen to it and it should be obvious what the flag is.

Sequel


Looking at the code, it seems like a SQL injection can be done here. Downloading the database.sdb file and rewriting the source code to start throwing data from database, you realize that there is no user sdslabs in the database. This makes it obvious that you need to add the user. The following username virtually that: ' UNION SELECT 'sdslabs','sdslabs','sdslabs','sdslabs','0c4ea8f5b344600f78516334254e9e085f2225a42a0bb18fa8bd774589f1ca19' UNION SELECT * FROM users WHERE '0'='1. Note that this query will not work directly, the password will have to be set accordingly.

Undisputed


The file is a ext4 filesystem (use file command if you don't trust the extension). Mount this in linux using the mount command (read man mount to know how) and then open the file inside to see the flag.



Did you find any other cool/new ways of solving any of these tasks? If so, leave a comment below.

Link to writeup for n00b16ctf

32 comments:

  1. Undisputed: Just open the .ext4 file using 7zip/Winrar and you'll get the flag file :)

    ReplyDelete
    Replies
    1. Nice.... cool to know that that trick worked here as well.. Seems like this (using 7zip) works quite often...

      Delete
  2. I can't understand what flag is in sound :(.

    ReplyDelete
    Replies
    1. I don't see how it is difficult to understand. If you have done the right transforms, it should be quite obvious what the flag is. "Flag is SHA256 of *****" is what you should hear. Are you sure you didn't go too far in the transformations?

      Delete
    2. This comment has been removed by a blog administrator.

      Delete
    3. @G Jiigee, I have deleted your comment since it had the flag in it. This doesn't let people to learn. I have given massive hints throughout, and all it requires is some tiny amount of work to get the flag. Please do not reduce this even further. Thanks :)

      Delete
  3. I would suggest that people refrain from putting the flags directly here. I have specifically written this writeup in a way that doesn't have the flags directly. Since this contest was basically meant for n00bs (newbies) to learn, I feel that it would be better if they couldn't (in effect) just copy and paste.

    ReplyDelete
  4. lost : you can use extension in firefox "HTTP resourse TEST" and POST

    ReplyDelete
    Replies
    1. Ah! Nice extension. I've used Hackbar for so long however, that I don't think I will be changing from it soon :D

      Delete
  5. No - Signal: you can use Stegsolve it's more easy

    ReplyDelete
    Replies
    1. Yep, it can be used, and in this question, it might be more easier. However, I find that gimp or photoshop are much more versatile tools which allow to do a lot more than what stegsolve can.

      Delete
  6. LOCATION 51: open the link given in terminal and get base64 string :)

    ReplyDelete
    Replies
    1. Right. This works because using 'curl' from the terminal does not cause javascript to be executed, thereby preventing the redirect.

      Delete
  7. Refer to HIDE FLAG MEDIUM
    when I run the executable using gdb and by typing 'info functions' command, I got to know about print_flag function but when I'm trying to run it using 'r' or 'run', It said "/bin/bash/ : /home/nehra/Desktop/hide-medium : No such file or directory exists"
    But the file do exist at that location. I'm unable to figure out whether it is some kind of system error or some kind of trick in the problem.

    ReplyDelete
  8. I have found the problem, the executable is 32-bit and our system is 64-bit, so we need an extra library to run it on our machine.
    This might help...

    http://askubuntu.com/questions/454253/how-to-run-32-bit-app-in-ubuntu-64-bit

    ReplyDelete
  9. This comment has been removed by the author.

    ReplyDelete
  10. changing the extension works just fine.

    ReplyDelete
    Replies
    1. Yep, in this particular case, yes. This is because certain file formats are not sensitive to extraneous data before or after it. In this case, the 7z format is ok with things around it, and nicely extracts. However, in the general scenario, this might not always be true, and hence the `mount` based technique makes more sense.

      Delete
  11. IN HIDDEN FLAG EASY OPENING FILE USING NOTEPAD++ HAS THE FLAG IN IT.

    ReplyDelete
    Replies

    1. This works because the flag is in plain text in the file. However, you would need to go through a lot of data to be able to see the file (at least in a general case). However, by using the strings command, it finds real strings in the file due to which very little needs to be checked. Hope this makes sense :) as you go along further, you'll realize that strings is more powerful than you think. Do read its manpage to know more.

      Delete
    2. Can you help me please?
      I am new in this and i don't know exactly what you mean with "Open the file" ?
      What do you mean with it?
      I have to download the website with
      "wget http://hack.bckdr.in/LOCATION-51/index.html"
      or have i do something else?

      Thanks

      Delete
    3. Did you download the file using wget? Did you look at it inside a text editor?

      Try the `cat` command on the file.

      Also, sometimes for some challenges, `wget` might also allow redirects. In that case, read the man page for wget (at `man wget`) to figure out how to stop it.

      All of these challenges (at the beginner levels of CTFs) are about learning to read up on your own and search online, and learning to understand information from sources such as the manpages. Instead of blindly trying to follow some steps, spend some time reading up on these, and you will learn that there is a lot of powerful stuff that a machine can do.

      Delete
  12. im new to gdb and ida pro, can u provide any links which can help me know necessary commands for me to finally solve hide_medium

    ReplyDelete
    Replies
    1. From some quick Googling and looking through for possibly good results :

      For GDB: https://www.cheatography.com/fristle/cheat-sheets/closed-source-debugging-with-gdb/

      For IDA: http://resources.infosecinstitute.com/basics-of-ida-pro-2/

      I personally haven't used either of the two above links to learn but instead just opened up the software and checked out what can be done and read the help and man pages. The man page and reference book for gdb are great. Also, if at some point you want to start to see the serious depths of IDA Pro, then I've found Chris Eagle's book to be amazing (most of it is probably not required for a beginner).

      Delete
  13. I cant understand the sound challenge , all what I listen is
    THE FLAG IS ****** SINGH_DOWN . :(

    ReplyDelete
    Replies
    1. Did you slow it down enough to understand it? It says "The flag is SHA256 of ......_DOWN". No SINGH in it :P

      Delete
    2. This comment has been removed by a blog administrator.

      Delete
    3. I'm glad you solved it. I have deleted your comment however, since it directly gives away the solution, which we prefer not being revealed.

      Delete
  14. For those of you, like me, suffering pareidolia when listening to this audio, I found helpful using this free service: https://speech-to-text-demo.ng.bluemix.net/
    It translates the audio into text.
    It helped to catch one particular word that I was interpreting differently in my head.

    ReplyDelete