Wednesday, 13 January 2016

Writeup for n00b16CTF

Ah! Year 2 of n00b ctf @ backdoor. Quite a nice and fun contest. Though this contest was for n00bs, I decided to take part again (just because I won last time - find the writeup for those questions here). This time I came second, since I couldn't solve 2 of the questions, and one other team (dcua) solved all except 1. However, a short while after the contest was done, I solved another. Now only the question titled EULA remains. Hopefully, I'll update this post with its writeup soon too :)

Here's a bunch of writeups (more like small hints) for each of the questions I solved:

Batman

Take a look at the URL as you click on the items: each item is referenced by a number in it. Higher-numbered items that the page never links to are the interesting ones, even though you cannot reach them by clicking; the server will happily serve them if you ask for the number directly (an insecure direct object reference). Just edit the number in the URL yourself. The Hackbar add-on for Firefox makes this very easy to go through, btw.

Bin-Easy

Okay, I didn't even run the binary. The answer was just lying there in plain text in one of the strings (hint hint: the strings tool) inside it. Pre-execution analysis alone showed up the flag.
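
A strings-style pass in Python, added here as an example (it is not code from the original post). The bytes it scans are a constructed stand-in for a binary, the flag{...} token inside them is made up, and the flag pattern is an assumption about the flag format:

```python
import re
from typing import List, Optional

# Constructed stand-in for a small binary: an ELF-looking header, some
# machine-code noise and two readable strings. Not the challenge file.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"\x55\x48\x89\xe5\x48\x83\xec\x10"
    + b"Enter the password: \x00"
    + b"\xe8\x00\x00\x00\x00\xc9\xc3\x90\x90"
    + b"flag{constructed_sample_not_real}\x00"
    + b"\xff\xfe\x01\x02"
)

def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return runs of printable ASCII (0x20..0x7e) of at least min_len bytes,
    which is what the `strings` command prints by default."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return [r.decode("ascii") for r in runs]

def find_flag(data: bytes, pattern: str = r"flag\{[^}]*\}") -> Optional[str]:
    """Grep the extracted strings for a flag-shaped token (pattern assumed)."""
    regex = re.compile(pattern)
    for s in extract_strings(data):
        m = regex.search(s)
        if m:
            return m.group(0)
    return None

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for s in extract_strings(data):
        print(s)
    print("flag:", find_flag(data))
```

Run it with a path to scan a real file; with no argument it scans the constructed sample. Note that this only finds strings stored verbatim; a flag that is assembled at runtime (as in Bin-Medium below) will not show up this way.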

Bin-Medium

We can disassemble this executable, find the comparison that decides whether the flag gets printed, and change the path of execution: either circumvent the check at runtime (in gdb, for example by changing the instruction pointer at the conditional jump) or patch the binary on disk by flipping one bit of the conditional jump's opcode, which inverts its condition. Either way, the flag is printed. Another option is to work out how the flag is being built in memory, but that's just wasting your time. Take the easy path :P
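
The one-bit patch, as an added example (not the challenge's own patch): for x86 conditional jumps, a condition and its negation have opcodes that differ only in the low bit, so inverting the check is a single XOR on the right byte. The sample bytes and the offset below are constructed; on the real binary you would take the jump's file offset from the disassembly (objdump -d -F prints file offsets), not its virtual address:

```python
# Invert an x86/x86-64 conditional jump by flipping the low bit of its opcode.
# Short Jcc opcodes are 0x70..0x7F and near Jcc are 0x0F 0x80..0x8F; in both
# encodings each even/odd pair is a condition and its negation (0x74 JE / 0x75
# JNE, 0x7C JL / 0x7D JGE, ...), so one bit flip turns "jump past the flag if
# the password is wrong" into "jump past the flag if the password is right".

SHORT_JCC = range(0x70, 0x80)
NEAR_JCC = range(0x80, 0x90)   # second byte after the 0x0F escape

def jcc_opcode_index(data: bytes, offset: int) -> int:
    """Index within data of the byte whose low bit selects the condition,
    or -1 if there is no conditional jump at `offset`."""
    if offset < len(data) and data[offset] in SHORT_JCC:
        return offset
    if offset + 1 < len(data) and data[offset] == 0x0F and data[offset + 1] in NEAR_JCC:
        return offset + 1
    return -1

def is_jcc(data: bytes, offset: int) -> bool:
    return jcc_opcode_index(data, offset) != -1

def invert_jcc(data: bytes, offset: int) -> bytes:
    """Return a copy of data with the conditional jump at file offset `offset`
    inverted. The offset must be a file offset, not a virtual address."""
    idx = jcc_opcode_index(data, offset)
    if idx == -1:
        raise ValueError(f"no conditional jump at {offset:#x}: {data[offset:offset + 2].hex()}")
    buf = bytearray(data)
    buf[idx] ^= 0x01
    return bytes(buf)

def patch_file(path: str, offset: int, out_path: str) -> None:
    """Write a patched copy; keep the original so you can diff the two."""
    with open(path, "rb") as f:
        data = f.read()
    with open(out_path, "wb") as f:
        f.write(invert_jcc(data, offset))

# Constructed stand-in for the check (not the challenge's bytes):
#   83 f8 00        cmp eax, 0        ; result of the password comparison
#   74 05           je  +5            ; skip the call that prints the flag
#   e8 00 00 00 00  call print_flag   ; rel32 left as 0 in this sample
#   c3              ret
SAMPLE_CODE = bytes.fromhex("83f800" "7405" "e800000000" "c3")
JE_OFFSET = 3

if __name__ == "__main__":
    patched = invert_jcc(SAMPLE_CODE, JE_OFFSET)
    print(SAMPLE_CODE.hex(), "->", patched.hex())
```

Patching the opcode rather than the jump target keeps the instruction length unchanged, so nothing else in the binary moves. Applying the same patch twice restores the original, which is a cheap sanity check before you overwrite anything.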

EULA

Still unsolved by me. However, the Accept-Language HTTP request header seems very interesting, especially with values like en, it, etc.

Fool

A high-stakes challenge (it had 150 points), but within a very short while it was obvious that it was a format string bug. After that it is trivial to attack (read up on format string bugs if it isn't). I made a stupid mistake, though, which took a couple of minutes to realize: I was sending a single quote at the beginning and at the end. Doh!

Frost

A multi-byte (repeating-key) XOR cipher. My favourite tool for this, xortool.py, works on it directly: it guesses the key length from the ciphertext's statistics and then recovers each key byte by frequency analysis.

Magic

The trailing = (base64 padding) gives away that it is base64 encoded. Decoding it gives another cipher, but the spacing is preserved, which makes it obvious that it must be some simple classical substitution cipher. Caesar would be proud.

Matrix

I couldn't solve this challenge during the contest, but solved it just after it, and damn, was I overthinking it. During the contest I realized that the g characters were too regular (one at every 7th position), so I split the data into 32 lines of 6 characters each (after removing the g at the end of each line). All of these were hex digits, and with 6 characters per line I naturally thought of colours (for example, #00ff00 is green). A lot of time was wasted in that direction, but after the contest, and a small hint about transposing the matrix (i.e. making it into 6 rows of 32 characters each), it was obvious that each row could be a hash: 32 hex characters is exactly the length of an MD5 digest. Online MD5 crackers then gave away the answers.
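
The parse, transpose and crack steps in one place, as an added example (not the post's own solution and not the real blob). The six words and the wordlist are constructed placeholders; the blob is built from them in the same layout the post describes (6 hex digits per row, a g after every row, 32 rows), and the cracking step uses a local wordlist instead of an online service:

```python
import hashlib
from typing import List, Optional

# Constructed stand-in for the challenge blob (not the real one): six MD5
# digests written column-wise, six hex digits per row and a 'g' after every
# row, so the 'g' recurs at every 7th position and there are 32 rows.
WORDS = ["batman", "robot", "frost", "magic", "matrix", "eula"]
WORDLIST = ["password", "letmein", "batman", "robot", "frost", "magic",
            "matrix", "eula", "hunter2", "backdoor", "n00b"]

def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode()).hexdigest()

def build_blob(words: List[str]) -> str:
    """Write the digests column-wise: row i holds the i-th hex digit of each."""
    digests = [md5_hex(w) for w in words]
    rows = ["".join(d[i] for d in digests) for i in range(32)]
    return "".join(row + "g" for row in rows)

MATRIX_BLOB = build_blob(WORDS)

def parse_rows(blob: str) -> List[str]:
    """Drop the separators: 'g' is not a hex digit, so split on it."""
    rows = [r for r in blob.split("g") if r]
    if len(rows) != 32 or any(len(r) != 6 for r in rows):
        raise ValueError("expected 32 rows of 6 hex digits")
    return rows

def transpose(rows: List[str]) -> List[str]:
    """32 rows x 6 columns -> 6 strings of 32 hex chars, i.e. MD5-sized."""
    return ["".join(row[c] for row in rows) for c in range(len(rows[0]))]

def crack_md5(digest: str, wordlist: List[str]) -> Optional[str]:
    """Dictionary attack: MD5 is fast and unsalted, so just hash every candidate."""
    return next((w for w in wordlist if md5_hex(w) == digest), None)

def solve_matrix(blob: str, wordlist: List[str]) -> List[Optional[str]]:
    return [crack_md5(h, wordlist) for h in transpose(parse_rows(blob))]

if __name__ == "__main__":
    hashes = transpose(parse_rows(MATRIX_BLOB))
    for h, w in zip(hashes, solve_matrix(MATRIX_BLOB, WORDLIST)):
        print(h, "->", w)
```

The length check in parse_rows is the cheap way to confirm the "every 7th character" observation before spending time on the hashes; if it fails, the separator guess was wrong.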

Rbash

Restricted bash, where cd wasn't allowed. Well, ls -l .. worked, and there was the flag, right there to be cat'ed to the screen. Later on, I found out that you could also spawn an unrestricted shell from inside this rbash, after which you could do anything you wanted!

Robot

The name of this challenge gave away that we needed to look at robots.txt (that pesky little file that well-behaved web crawlers are supposed to adhere to, but which in practice mostly leads attackers straight to the paths the site owner wanted hidden).
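
A small robots.txt parser for exactly that recon step, added here as an example (not the challenge's own solution). The robots.txt text below is constructed, as is the example.com URL; the fetch helper is the only part that touches the network and is not needed for the parsing:

```python
from typing import Dict, List

# Constructed robots.txt (not the challenge's): groups keyed by User-agent,
# with comments, a blank line between groups and a wildcard group.
SAMPLE_ROBOTS = """\
# robots.txt for the constructed example
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/

User-agent: Googlebot
Disallow: /staging/   # not linked anywhere

Sitemap: https://example.com/sitemap.xml
"""

def parse_robots(text: str) -> Dict[str, List[str]]:
    """Map each User-agent to the paths it is told not to fetch. Consecutive
    User-agent lines share one group, as the robots.txt format allows."""
    groups: Dict[str, List[str]] = {}
    agents: List[str] = []
    last_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line or ":" not in line:
            continue
        field, value = (p.strip() for p in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not last_was_agent:
                agents = []                   # a new group starts here
            agents.append(value)
            groups.setdefault(value, [])
            last_was_agent = True
            continue
        last_was_agent = False
        if field == "disallow" and value:     # an empty Disallow allows everything
            for a in agents:
                groups[a].append(value)
    return groups

def interesting_paths(text: str) -> List[str]:
    """Every Disallow across all groups, de-duplicated, in file order:
    these are the paths worth requesting directly."""
    seen: List[str] = []
    for paths in parse_robots(text).values():
        for p in paths:
            if p not in seen:
                seen.append(p)
    return seen

def fetch_robots(base_url: str) -> str:
    """Fetch /robots.txt for a site (network; not used by the sample)."""
    import urllib.request
    with urllib.request.urlopen(base_url.rstrip("/") + "/robots.txt", timeout=10) as r:
        return r.read().decode("utf-8", "replace")

if __name__ == "__main__":
    for path in interesting_paths(SAMPLE_ROBOTS):
        print(path)
```

The point of collecting Disallow entries from every group, not just the wildcard one, is that a path hidden only from a specific crawler is still a path the owner did not want found.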

Wahtzdis

Whoa! That is a lot of data, but the browser's JavaScript console handles it nicely. It turns out this is JSFuck, an esoteric subset of JavaScript written using only the six characters []()!+; paste it into the console and it evaluates like any other JavaScript.


Did you find any other cool/new ways of solving any of these tasks? If so, leave a comment below.

22 comments:

  1. Hi, can you write up "Secret area"? Thanks.

    Replies
    1. Hi Shinobi! You're talking about https://backdoor.sdslabs.co/challenges/SECR right?

      Well, it is a challenge that involves a directory traversal, as well as knowing about the .htpasswd file, and how to crack that. I'm guessing those two hints should be enough to solve it :)

  2. Isn't the answer to the MAGIC problem A**DE*N? I encrypted it in SHA-256 but it's still giving me a wrong answer.

  3. Great write-up :)
    Another solution to bin-medium is using angr to actually find out the passphrase and then use it. I was learning how to use angr so I tried it out. Although the passphrase has some non-printable characters too, so I doubt it was meant to be solved this way. Seems like this challenge has many solutions.

  4. Jay, can you point me in the right direction for the hack.bckdr.in/BRWSR/ challenge? I have reached my limit of knowledge I guess, but I just can't figure out how to access a web site that uses custom user-agent strings. --freshvves

    Replies
    1. There are multiple add-ons that can do this (such as https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/ which I found by a quick search, I can't guarantee whether it works well).

      Personally, I prefer using curl's --header option, which lets me pass any custom headers I want. You might want to do some reading on curl (the command line tool) since it is extremely useful for being able to script web related stuff through your shell :)

    2. Awesome, thanks for the quick reply. I have been messing with curl and a different ff addon called Modify Headers. I think where I'm tripping up is how to find the custom User-Agent string to use. I'll keep poking around to see if I can find it.

    3. You put me on the right track. Went back to curl and used the -H option. Got it. Thanks for sharing your knowledge with everyone.

    4. This comment has been removed by a blog administrator.

    5. Sorry for the spam. I tried some different ciphers and found it. If possible please still list how to contact you other than posting here if that is acceptable. Thanks.

    6. Hi freshvves, I would recommend DMing me on Twitter @jay_f0xtr0t

      Also, I am deleting your comment about "quick-challenge" since it does have _almost_ a give-away solution in it.

  5. Replies
    1. I haven't looked into it after the CTF. However, I would recommend trying out the values en, enfr, enfrit, etc.

    2. I really don't get this to work either. My assumption is that the accept language must have to do something with "vampires". But no luck with vampire, blood, vp, va, vamp, vm, etc so far. :(

  6. Any tips for Quick Challenge? I see a lot of stuff inside of the photo but am unsure what to do when I try to look at them and they all give me errors. Thanks.

    Replies
    1. PS. I just realized you're the one who created the challenge. It's a good one. Thanks for taking the time to make it. Definitely a challenge for me: I know next to nothing about steganography or information security, but I enjoy learning new things and a good mental floss.

    2. Quick Challenge has already been solved by many people, and it is a relatively easy challenge (pay attention to how it has been worded, as well as the fact that it is a recon challenge; though _some_ steg is involved, it is not directly a steg challenge). Hope that helps.

  7. hope you will like :)
    https://www.youtube.com/watch?v=ct4QbuNmAaw&list=UUh9jgbGxcloPjzHgKnbEuaA&index=1

    Replies
    1. Hi! I'm glad you are making videos regarding these challenges. I might suggest looking at https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w for another person who makes amazing videos regarding CTFs :)

  8. hey jay! {lol}
    Bro , what about the SIMPLE CIPHER problem ? {CPHR}
    http://hack.bckdr.in/CPHR/index.php

    Replies
    1. Hi! Do take a look at the location of the spaces in the cipher. Maybe that might give you a hint? It IS a classical cipher. There is a nice set of tools at http://rumkin.com/tools/cipher/ that might be useful
