Monday 13 October 2014

ASIS CTF 2014 Recon - Fact or Real


The first thing that came to mind was Twitter, so I checked the ASIS Twitter handle. I then found that a guy named factoreal is usually the main person hosting ASIS CTF. When you check his Twitter photos, there you go: you see the given hint "fact or real" and the motto in the picture, "NO+$=YES".



The flag is ASIS_md5("NO+$=YES"), i.e. the md5 of the motto with the ASIS_ prefix.

FLAG : ASIS_d25b9c2f1c29e49e81e8fdfaf4d16fc6

Monday 12 May 2014

ASIS Quals 2014 Trivia-50 [ Image ]

Sorry, it has been a long time since I wrote writeups: exams and project work. I had no time for ASIS either and pwned only one challenge. Next is DEF CON and I promise I'll write more writeups. Stay updated.

Question : Find the flag.
Description : File


Solution :

Step 1 : Download the file joy_50_25b927e48a23a4b41f215303ca988a01 (no extension, so the type has to come from the content).

Step 2 : Identify the file type from its magic bytes, for example with the file command or the online TrID at " http://mark0.net/onlinetrid.aspx ".

Step 3 : Extract it with 7-Zip. It is an .xz stream; xz is a compression format like gzip, not a multi-file archive format like tar, so it holds exactly one inner file.

Step 4 : Repeat steps 2 and 3, as it is double packed (a .tar inside the .xz).

Step 5 : Repeat step 2 and see that the inner file is a .NES file, a Nintendo Entertainment System ROM (the iNES format starts with the bytes "NES" followed by 0x1A). For more info see the wiki page.

Step 6 : Find an appropriate emulator to run the game. I used the FCEUX emulator; find it here " http://www.fceux.com/web/download.html ".

Step 7 : Play the game and pass level 1 to get the flag in level 2.

Step 8 : You see this in level 2: " Flag : 8 BIT RULES"



The admins had posted an announcement about this question: they said the flag is actually 8BIT_RULEZ if you had got this far correctly.

FLAG : 8BIT_RULEZ

NOTE : you actually don't have to play the game. Start stage 1 and press F10 and you would see this saved state :-) . I don't know how many found this, but it is the easier way :-D

Saturday 5 April 2014

Nuit de Hack Quals - 2014 Carbonara

This was easy and I actually overthought it.
Question :

The ciphertext was : "%96 7=28 7@C E9:D 492= :D iQx>A6C2E@C xF=:FD r26D2C s:GFDQ]"

My first approach:
substitution by looking at asciitable.com

":" - "i"
"D" - "s"

I guessed these from the two-letter word ":D", which I assumed had to be "is". Decoding with that I got
THE FLAG FOR THIS CHAL IS "iMPERATOR jULIUS cAESAR dIVUS"
I was stuck with the letter x actually. Later my friend told me it was ROT47 :-D All my work in vain. (ROT47 shifts every printable ASCII character from '!' to '~' by 47 positions, wrapping around within that 94-character range. ':' plus 47 is 'i' and 'D' plus 47 is 's', exactly the offset I had found by hand, but 'x' plus 47 runs past '~' and wraps around to 'I', which is where my table broke down.) Decoding it as ROT47 I got the string:
The flag for this chal is :"Imperator Iulius Caesar Divus".

Flag : Imperator Iulius Caesar Divus 
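ROT47 and the brute force that finds it, as an added example (not part of the original writeup): the printable-range shift is only a few lines, and trying every shift with a crude letters-and-spaces score picks out 47 on its own, so there is no need to guess the two-letter word. CIPHERTEXT is copied from the challenge above; english_score and the other names are my own.

```python
PRINTABLE_LO, PRINTABLE_SPAN = 33, 94      # '!' (33) through '~' (126): 94 characters


def rot_printable(text: str, shift: int) -> str:
    """Rotate every character in the printable ASCII range by `shift`; space and control
    characters are left alone, which is why word boundaries survive in the ciphertext."""
    out = []
    for ch in text:
        code = ord(ch)
        if PRINTABLE_LO <= code < PRINTABLE_LO + PRINTABLE_SPAN:
            code = PRINTABLE_LO + (code - PRINTABLE_LO + shift) % PRINTABLE_SPAN
        out.append(chr(code))
    return "".join(out)


def rot47(text: str) -> str:
    """47 is half of 94, so encoding and decoding are the same operation."""
    return rot_printable(text, 47)


def english_score(text: str) -> float:
    """Crude fitness: fraction of letters and spaces. Enough to separate the right shift."""
    return sum(ch.isalpha() or ch == " " for ch in text) / max(len(text), 1)


def brute_force(ciphertext: str):
    """All 93 non-trivial shifts, best-scoring first; the top entry is the decryption."""
    cands = [(s, rot_printable(ciphertext, s)) for s in range(1, PRINTABLE_SPAN)]
    return sorted(cands, key=lambda c: english_score(c[1]), reverse=True)


CIPHERTEXT = "%96 7=28 7@C E9:D 492= :D iQx>A6C2E@C xF=:FD r26D2C s:GFDQ]"

if __name__ == "__main__":
    print(rot47(CIPHERTEXT))
    for shift, plain in brute_force(CIPHERTEXT)[:3]:
        print(f"shift {shift:2d}: {plain}")
```

The same loop works for any single-alphabet rotation: change PRINTABLE_LO and PRINTABLE_SPAN to 65 and 26 and it becomes a Caesar cracker.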

Nuit de Hack Quals -2014 Here Kitty Kitty!

Not many flags this time either. I managed to get 3 of them and will write up how I got each one.
Question:
Mirror Link : http://1drv.ms/1jjplOH

So the first thing we would think of is Audacity. Let's try our luck. You get a weird waveform. I zoomed in to see the waveform and got a view of Morse code; before that I thought it was binary. Don't zoom in too much or you will overthink it as binary digits. It looks like this :

Note it down accordingly and you get this Morse code

..... -... -.-. ----. ..--- ..... -.... ....- ----. -.-. -... ----- .---- ---.. ---.. ..-. ..... ..--- . -.... .---- --... -.. --... ----- ----. ..--- ----. .---- ----. .---- -.-.

Decoding it gives a 32-character hex string, an MD5 hash by the look of it : 5BC925649CB0188F52E617D70929191C
As the flag was case sensitive and lowercase, the flag is : 5bc925649cb0188f52e617d70929191c

Flag : 5bc925649cb0188f52e617d70929191c

Sunday 30 March 2014

Volga CTF 2014 Quals Joy-300

This was just a replica of the Flappy Bird game.

The question was, in short: "Autopilot mode isn't working and the rocket is unable to reach the destination point. Reach the destination point for the message (level 42)" [not exact, but that is what it meant].

Well, I thought of reversing the game, figured out it was written in Delphi and used a Delphi disassembler as well. But just as a confirmation I asked people whether the task was simply to reach level 42, and got a reply saying "Yes". Ah, perfect timing for showing my Flappy Bird skills. Bah, it was just 42 levels, piece of cake, I thought. But it's not easy playing with a keyboard. Check it yourself: download the game using the link below.
The game given

After many attempts I reached level 42 and got this :

Ah, observe that at level 42 I crashed :-D This is pure luck :-D

FLAG : it_was_not_so_hard_rrly

Volga CTF 2014 Quals Web-100

Well, frankly speaking, it was very hard to solve the challenges. We were well prepared for the CTF but it was in vain.

The question was to find the hidden flag in their webpage (http://tasks.2014.volgactf.ru:28101/)

Note: [The server is down, so I cannot fetch the exact question. Sorry about that.]

I really have no clue about web challenges as I am not a web guy at all, but I know the basics. Hence, taking it as a challenge with a blank mind, I just looked at the login page.

I just logged in and saw this.

Monday 24 March 2014

Backdoor CTF 2014 Misc-150

At first I thought it was like Defkthon's zip challenge. I wrote a script and it went wrong. :-p

Question :
This weird file was found by H4XOR when trying to search for his flags. Can you get him his flag ?


Submit flag as flag_obtained


After unzipping 6 times you get a file called Misc150. A quick file command tells this :

So it's time for mounting now; file identifies it as an ext2 filesystem image.
Command : mount -t ext2 Misc150 ../../../mnt/image -o loop
Note: the file path is different for you; adjust it accordingly. Mounting needs root, and for an evidence image it is better to add ro (-o loop,ro) so nothing inside the image gets modified while you browse it.


Backdoor CTF 2014 Misc-200-2

This was an awesome challenge and we solved it in a different way. It was fun solving this challenge. We knew that we could code this in Python, but we realized that only when we were almost at the flag.

Question :
Username and password based login seemed a bit too monotonous. We developed an indigenous image based login system.

The login service is available here.

The image below can be used to login as the backdoor user. Unfortunately that doesn't serve any purpose.
Login as the sdslabs user for a change.


Submit the flag as: md5(flag_obtained)

Before we got in we loaded the image to see how it looks.

So our first approach was Paint, and look what we found.
We tried figuring out the logic, because when we took out the last dot we got "Logged in as backdoop". (That already gives the encoding away: the last dot is the lowest set bit of 'r', 0x72 = 01110010, and clearing it gives 0x70 = 'p'.)
After which my friend figured out the logic.
01100010 -b
01100001 -a
01100011 -c
01101011 -k
01100100 -d
01101111 -o
01101111 -o
01110010 -r

01110011 -s
01100100 -d
01110011 -s
01101100 -l
01100001 -a
01100010 -b
01110011 -s

A black dot is 1 and a space or blank is 0, eight cells per character, most significant bit first. This is how we figured it out.
We used colour fill to draw the dots for sdslabs; uploaded to the login service, the drawn image gave this:
"Logged in as sdslabs
Congrats the flag is practice_makes_one_perfect"

md5("practice_makes_one_perfect") => c16a3c8504985a8c91956c29f7338184

FLAG : c16a3c8504985a8c91956c29f7338184
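An added example, not from the original post, of the encoding described above. The image itself is not on the page, so the dot pattern is constructed here as rows of '#' and '.' (eight cells per character); the functions decode such a grid, build the forged grid for any username such as sdslabs, and reproduce the "backdoop" accident by erasing the last dot. The security point is that the login token is a plain encoding of the username with nothing that authenticates it, so anyone who can draw dots can be anyone. Function names are mine.

```python
ON, OFF = "#", "."   # one text cell per dot position: '#' is a black dot, '.' a blank


def grid_to_text(rows):
    """Read each 8-cell row as one ASCII byte: black dot = 1, blank = 0, most significant bit first."""
    chars = []
    for row in rows:
        bits = "".join("1" if cell == ON else "0" for cell in row)
        chars.append(chr(int(bits, 2)))
    return "".join(chars)


def text_to_grid(text):
    """The forger's direction: draw the dot rows that spell `text` (e.g. "sdslabs")."""
    return ["".join(ON if b == "1" else OFF for b in format(ord(ch), "08b")) for ch in text]


def clear_last_dot(row):
    """Blank out the right-most black dot of one row, the accident that produced 'backdoop'."""
    i = row.rfind(ON)
    return row if i < 0 else row[:i] + OFF + row[i + 1:]


BACKDOOR_GRID = text_to_grid("backdoor")    # constructed stand-in for the image the challenge gave


def backdoop_demo():
    """Damage only the final row ('r') and decode again."""
    damaged = BACKDOOR_GRID[:-1] + [clear_last_dot(BACKDOOR_GRID[-1])]
    return grid_to_text(damaged)


if __name__ == "__main__":
    print("\n".join(BACKDOOR_GRID), "->", grid_to_text(BACKDOOR_GRID))
    print("last dot removed ->", backdoop_demo())
    print("\n".join(text_to_grid("sdslabs")), "->", "sdslabs")
```

Rows of text stand in for pixels here; with a real image you would threshold each dot cell to black or white first and then feed the same grid_to_text.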

Saturday 22 March 2014

Backdoor CTF 2014 Binary-10

Just the basic skill of viewing the strings in a file is required.

Question :
Information Security Agency uses preshared passwords for sending sensitive information to its agents.

Somehow we managed to know that one such piece of sensitive information exists in this file.
File : http://1drv.ms/1lCxm3N

Submit the flag as flag_obtained


FLAG : 40511702a6193f9b38d37699e676fd40

Backdoor CTF 2014 Web-10

Got help from a teammate; he actually did it. I just learnt it, so thought of sharing. I am not a web guy anyway.

Question :
H4x0r is a curious guy. He normally looks into every detail around. H4x0r managed to find the flag of this level. Can you ?

Looking at the HTTP response headers gave us the flag:

FLAG : 28b3324be8b003ee7e1d0d153fad3c32

Backdoor CTF 2014 Crypto-10

Just cracked this in seconds. I have a lot of experience with this kind of stego.

Question :
H4x0R recently went missing. An investigating team specializing in hacking was deployed to search around his place. All they found was this file. Please help them obtain the secret 32-character string that can lead to him.

Submit the flag as: flag_obtained
Image given :


So the image below says there is an image inside this image. How to extract it? Just rename the .jpg to .rar and extract it: a RAR archive was appended after the JPEG data, and WinRAR scans forward for the "Rar!" signature rather than insisting it sits at offset 0, so it opens fine and you see an image. (A search for archive magic bytes at non-zero offsets, which is what binwalk does, finds the same thing.)
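As an added example (not the author's script) covering the identify-and-unpack steps of the NES challenge above, the ext2 image of Backdoor Misc-150, and the "rename the jpg to rar" trick just described: identify a blob from its magic bytes, peel single-member container layers until something that is not a container is left, and carve for archive signatures at non-zero offsets. The signature table, the sample files and all names are mine; it uses only the standard library and stops after 16 layers so a decompression bomb cannot run it away.

```python
import io
import bz2
import gzip
import lzma
import struct
import tarfile
import zipfile

# Leading magic bytes for the container and file types met in these challenges.
# Hypothetical helper table; `file` and TrID know far more signatures than this.
SIGNATURES = [
    (b"\xfd7zXZ\x00", "xz"),
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
    (b"PK\x03\x04", "zip"),
    (b"Rar!\x1a\x07", "rar"),
    (b"NES\x1a", "nes-rom"),        # iNES ROM header
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]
CONTAINER_KINDS = ("xz", "gzip", "bzip2", "zip", "rar")


def identify(data: bytes) -> str:
    """Coarse type from leading magic bytes, the tar header or the ext2 superblock."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    if data[257:262] == b"ustar":                  # POSIX/GNU tar header magic
        return "tar"
    # ext2/3/4 superblock starts at byte 1024; its magic 0xEF53 (little-endian) sits at +56.
    if len(data) >= 1082 and struct.unpack_from("<H", data, 1080)[0] == 0xEF53:
        return "ext2-image"
    return "unknown"


def unpack_layer(data: bytes):
    """Remove one container layer; returns (inner_bytes or None, kind). Single-member
    archives only, which is what a 'double packed' CTF file looks like."""
    kind = identify(data)
    if kind == "xz":
        return lzma.decompress(data), kind
    if kind == "gzip":
        return gzip.decompress(data), kind
    if kind == "bzip2":
        return bz2.decompress(data), kind
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            member = next(m for m in tf.getmembers() if m.isfile())
            return tf.extractfile(member).read(), kind
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            name = next(n for n in zf.namelist() if not n.endswith("/"))
            return zf.read(name), kind
    return None, kind                               # not something we unpack (rar, nes, ...)


def peel(data: bytes, max_depth: int = 16):
    """Repeat identify-then-unpack until a non-container is left. Returns (bytes, layers, kind)."""
    layers = []
    for _ in range(max_depth):
        inner, kind = unpack_layer(data)
        if inner is None:
            return data, layers, kind
        layers.append(kind)
        data = inner
    raise RuntimeError("too many layers; refusing to continue (decompression bomb?)")


def find_embedded(data: bytes):
    """Carving check: archive magic at a non-zero offset, e.g. a RAR glued after a JPEG."""
    hits = []
    for magic, kind in SIGNATURES:
        if kind not in CONTAINER_KINDS:
            continue
        pos = data.find(magic, 1)
        while pos != -1:
            hits.append((pos, kind))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


# ---- constructed samples; none of these are the real challenge files ----
def build_nested_rom() -> bytes:
    """zip(xz(tar(rom))): a stand-in for the double packed NES challenge file."""
    rom = b"NES\x1a" + bytes([2, 1, 0, 0]) + bytes(8) + b"constructed ROM body"
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        info = tarfile.TarInfo("game.nes")
        info.size = len(rom)
        tf.addfile(info, io.BytesIO(rom))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("game.tar.xz", lzma.compress(tar_buf.getvalue()))
    return zip_buf.getvalue()


def build_jpeg_with_trailing_zip() -> bytes:
    """A JPEG-looking header and EOI marker with a ZIP appended, like the 'jpg to rar' trick."""
    body = io.BytesIO()
    with zipfile.ZipFile(body, "w") as zf:
        zf.writestr("hidden.txt", "constructed payload")
    return b"\xff\xd8\xff\xe0" + bytes(64) + b"\xff\xd9" + body.getvalue()


def build_ext2_stub() -> bytes:
    """Just enough of an image for the superblock magic check (Misc-150 was an ext2 image)."""
    img = bytearray(4096)
    struct.pack_into("<H", img, 1080, 0xEF53)
    return bytes(img)


if __name__ == "__main__":
    final, layers, kind = peel(build_nested_rom())
    print(layers, kind, final[:4])                        # ['zip', 'xz', 'tar'] nes-rom b'NES\x1a'
    print(find_embedded(build_jpeg_with_trailing_zip()))  # [(70, 'zip')]
    print(identify(build_ext2_stub()))                    # ext2-image
```

Offsets from find_embedded are what you would pass to dd (skip=OFFSET bs=1) or to unrar/unzip, which both tolerate leading junk; the real work of TrID and file is a much bigger signature table, not a different idea.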

Backdoor CTF 2014 Miscellaneous-10

This was a very tedious challenge. I had to sit and analyze every packet and finally found a packet with a hint.
Question :
This file was retrieved by CID during a task to catch a black hat hacker. Can you find the flag and help CID ?.

Submit the flag as: flag_obtained

Open the pcap file in Wireshark [because that's what I do with pcaps :-p]


Link : http://i.imgur.com/hWVwx6G.png

A QR code is there. Just scan it for the flag.
If you can't, use this : http://zxing.org/w/decode?u=http%3A%2F%2Fi.imgur.com%2FhWVwx6G.png

FLAG : efb8f4cd67963a5652ee0aa2187b830a

Backdoor CTF 2014 Hidden challenge

It was fun playing this CTF. I gathered only 1 hidden flag, which was hidden in the CSS file. There were around 6 according to the admins and a few players. I searched almost everything I knew and finally got this.

so the flag was md5("hashme") => 533f6357e0210e67d91f651bc49e1278

FLAG : 533f6357e0210e67d91f651bc49e1278

Backdoor CTF 2014 [All trivia]

Submit flag as md5 of answer. Answer consists of small alphabets (a-z) only. [Applies to all trivia]

Trivia 1 - http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c?txt

This above link was given .
A quick google about the link showed it was Apple's "goto fail" SSL/TLS bug (CVE-2014-1266): a duplicated goto fail; line in sslKeyExchange.c skipped the ServerKeyExchange signature check.
md5("gotofail") => 9c00b580a9a1d022d62fa3e8506c3c51

FLAG : 9c00b580a9a1d022d62fa3e8506c3c51

Trivia-2
Who is Megaracer?

Again, googling revealed Megaracer aka Kim Dotcom. The answer in lowercase letters is kimdotcom.
md5("kimdotcom") => 148e6711a03f43a1955bcff667d967cc

FLAG : 148e6711a03f43a1955bcff667d967cc

Trivia-3
"How I hacked github again". Where am I now?

Google helped me find the blog of Egor Homakov : http://homakov.blogspot.in/p/about-me.html
We now know that he is in Bangkok, so the country is Thailand.
md5("thailand") => 8689391a8b93cd2d55ccf3f436eef4e2

FLAG : 8689391a8b93cd2d55ccf3f436eef4e2

Trivia-4
http://fortunebrainstormtech.files.wordpress.com/2014/03/140319073410-ted-2014-edward-snowden-620xa.png?w=620

This image is of Edward Snowden's TED 2014 talk, which he gave remotely through a telepresence robot called "Beam".
md5("beam") => 5435eeb714f3a0739ca75b3b0eb8cfb3

FLAG : 5435eeb714f3a0739ca75b3b0eb8cfb3

Trivia-5
Trivia 21?

This was the question, something worth thinking about.
Anyway, it was about port 21, which is FTP; at first I too thought of blackjack, but that wasn't the answer.
md5("ftp") => ff104b2dfab9fe8c0676587292a636d3

FLAG : ff104b2dfab9fe8c0676587292a636d3

Wednesday 19 March 2014

HACS[Hackers for applied cyber security] -2014 Mini CTF

We were determined to teach our juniors what we had learnt as a team, and we thought we had enough experience as CTF beginners, so we decided to conduct a mini CTF and help beginners learn something out of the box.
As I believe CTFs are one of the most successful ways of improving skills. We had to restrict the categories and problems. The CTF was live for 2 weeks with an IRC channel to help our juniors solve the problems.
As it was a beginner CTF, I thought it might be a good practice session with good challenges for beginners, so I am sharing it on my blog.

I have given the links for Forensics and Miscellaneous in the description part.The solutions are in the slides which i have uploaded in slideshare.
The link to slides : http://www.slideshare.net/adithyanaresh/hacs-workshop-32474488

Hope you enjoy the challenges.


Regards,
Hacs team
Tanoy Bose,
Farhan sheik,
Yogeesh S,
Movnavinothan V,
Adithya Naresh

Thursday 13 March 2014

RUCTF 2014 Quals Misc-100 [Shredder] Misc-200 [RuCTF radio] Reverse-10 [Harm]

I am writing up all three together because they are not great challenges that need much space to explain :-)

Misc-100 [Shredder]

We were given this image

A painful challenge, but something different from anything I had seen till that day. I had to take a printout, cut it up and rejoin the strips to get the flag. This is the image I got, even though I missed a main cut in between.

FLAG : RUCTF_TO_SHRED_IS_NOT_ENOUGH

RUCTF 2014 Quals Forensics-100 [Secret host]

This time there were more challenges, but I couldn't solve many.

Forensics-100
We intercepted configs and dump. What were they hide on http://10.100.0.1/?

Search for the username and password of the OpenVPN connection in the MDMP crash dump (MDMP is the magic of a Windows minidump).
Using the strings command or a hex editor you can find the username and password; remember that Windows keeps a lot of text in UTF-16, which plain strings skips unless you ask for wide characters (strings -e l).
So we got the username : SuperPuperRoot and password : VeryStrongSecret

Install OpenVPN here.

You need to place the certificate file and the config file (extracted from the configs and dump) in the OpenVPN configuration directory, like this.
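An added example (not part of the original writeup) of the strings-and-grep step, which is also all that Backdoor Binary-10 above needed. The dump is not on the page, so build_fake_dump constructs a stand-in with the MDMP magic, non-printable filler and the credentials; extract_strings and grep_strings are hypothetical names. It catches UTF-16LE as well as ASCII, which is the difference between strings and strings -e l on a Windows dump.

```python
import re


def extract_strings(data: bytes, min_len: int = 6):
    """Like `strings`, but also catching UTF-16LE text, which Windows crash dumps are full of.
    Returns a list of (offset, encoding, text) sorted by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return sorted(found)


def grep_strings(data: bytes, keywords, min_len: int = 6, context: int = 2):
    """Strings that mention any keyword, plus `context` neighbours on each side, the way
    `strings dump | grep -i -C 2 pass` shows a password next to the option that names it."""
    strs = extract_strings(data, min_len)
    wanted = [k.lower() for k in keywords]
    picked = []
    for i, (_, _, text) in enumerate(strs):
        if any(k in text.lower() for k in wanted):
            for entry in strs[max(0, i - context): i + context + 1]:
                if entry not in picked:
                    picked.append(entry)
    return picked


def build_fake_dump() -> bytes:
    """Constructed stand-in for the minidump: the MDMP magic, non-printable filler, an
    OpenVPN option naming the credential file, the credentials, and a wide-char config
    line. Not the real challenge dump."""
    def filler(n):                       # steps of 37 never give 6 printable bytes in a row
        return bytes((i * 37 + 11) % 256 for i in range(n))
    return (b"MDMP\x93\xa7" + filler(300)
            + b"\x00auth-user-pass creds.txt\x00" + filler(50)
            + b"\x00SuperPuperRoot\x00VeryStrongSecret\x00" + filler(200)
            + b"\x00\x00" + "remote vpn.example.test 1194".encode("utf-16-le") + b"\x00\x00"
            + filler(100))


if __name__ == "__main__":
    dump = build_fake_dump()
    for off, enc, text in grep_strings(dump, ["pass", "secret"]):
        print(f"{off:#08x} {enc:8s} {text}")
```

On a real dump the string list is tens of thousands long; the grep-with-context step is what makes it usable, because credentials rarely carry a label of their own but usually sit right after the option or prompt that does.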

Wednesday 5 March 2014

Defkthon2014 Recon-200

I had read somewhere that the recon challenges resembled CSAW's.
Question 2 : Yashin Mehaboobe

aka Sp3ctr3

It was obvious that it would be related to his recently posted image, Twitter posts or GitHub.
GitHub was the key.
Link : https://github.com/Sp3ctr3?tab=activity

The link above shows his recent activity. Down there a README had been updated, and luckily the flag was clearly visible :-)


Flag : djangounchained

Defkthon2014 Recon-100

Question : Francis Alexander.

I already knew the team and the admins who organized the CTF, so they were all in my Facebook friends list.
The first thing that struck me was the About page of Francis Alexander. Woot!! there it is, his blogspot http://wiredcreation.blogspot.in/ .

There was an interesting text on the page: "Try Getting the Flag :p".
Basics of web challenges, that is right click -> Inspect Element. :-D lol, there it is, the flag hidden in an HTML comment :-)


Here is what it looks like -->
Flag : hmm_try_nosql_dbs_dude

Defkthon-2014 Reversing-100

This was my first successful hunt in .NET applications.
This CTF was peculiar and tougher too. First I want to mention 2 things: there were no admins on IRC, and there were no descriptions of the challenges.

Let's get back to work now :-)

Link : https://app.box.com/s/kqnh9l7hyj1hfx4bbiot
File description :
So it is clear that it is a .NET application.
Tools I used -> JetBrains dotPeek; you can use Reflector as well. .NET assemblies ship their IL together with full metadata, so a decompiler gives back near-original C#.
After decompiling and opening Defkthon.cs this is what I found :-)


Sunday 9 February 2014

Olympic-CTF 2014 Nopsleigh-10 { As Seen On Defcon}

Well, this was totally unexpected. I had recently seen the DEF CON 17 video by chris eagle aka psifertex who talks about CTF, and the DEF CON 2006 trivia-500 was a similar challenge, where PPC instructions were asked about instead of ARM64.

Question :
EBFE is to x86 as ____ is to ARM64

The challenge was just to find the encoding of an unconditional branch to itself, i.e. an infinite loop, in ARM64. EB FE in x86 is exactly that: a short jmp whose 8-bit displacement 0xFE (-2) points back at the start of the 2-byte instruction. So the hint was in the question itself; our task was just to find the equivalent encoding. Googling, I got 0x14000000, which is the AArch64 "B ." instruction (opcode bits 000101 in the top six bits, imm26 = 0). If you find EAFFFFFE instead, that is 32-bit ARM; don't worry, I had read the manual too, but it was the 32-bit one.
What mattered in the end was the endianness: the flag wanted the bytes as they sit in memory, little-endian, so 0x14000000 is written 00 00 00 14.

FLAG : 00000014
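An added example, not from the original post, that encodes the three self-branches discussed above instead of looking them up: x86 EB FE, AArch64 B . (0x14000000) and A32 B . (0xEAFFFFFE), then prints each word as it sits in little-endian memory, which is the form the flag took. The helper names are mine.

```python
import struct


def x86_short_jmp(offset: int) -> bytes:
    """EB rel8. rel8 is relative to the end of this 2-byte instruction, so jumping to its own
    start needs rel8 = -2 = 0xFE: the famous EB FE."""
    rel = offset - 2
    if not -128 <= rel <= 127:
        raise ValueError("target out of range for a short jump")
    return bytes([0xEB, rel & 0xFF])


def arm64_b(offset: int) -> int:
    """AArch64 B <label>: bits 31..26 = 000101, bits 25..0 = imm26 = offset / 4 (two's complement).
    offset 0 branches to itself: 0x14000000."""
    if offset % 4:
        raise ValueError("AArch64 branch targets are 4-byte aligned")
    return (0b000101 << 26) | ((offset // 4) & 0x3FFFFFF)


def arm32_b(offset: int, cond: int = 0xE) -> int:
    """A32 B <label>: cond | 1010 | imm24, target = PC + 8 + imm24 * 4, so a self-branch has
    imm24 = -2 and with cond = AL (0xE) the word is 0xEAFFFFFE."""
    return (cond << 28) | (0b1010 << 24) | (((offset - 8) // 4) & 0xFFFFFF)


def in_memory(word: int) -> str:
    """Hex of the instruction word as stored in little-endian memory, the form the flag wanted."""
    return struct.pack("<I", word).hex()


if __name__ == "__main__":
    print("x86   ", x86_short_jmp(0).hex())                    # ebfe
    print("arm64 ", hex(arm64_b(0)), in_memory(arm64_b(0)))   # 0x14000000 00000014
    print("arm32 ", hex(arm32_b(0)), in_memory(arm32_b(0)))   # 0xeafffffe feffffea
```

The same functions give you the infinite-loop bytes you drop into a buffer to confirm control over the instruction pointer when testing an overflow: the target hangs instead of crashing.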

Olympic-CTF2014 Curling-10 { Out there }

This was a question based on IPv6, so you need to configure your machine to reach an IPv6 address. IPv6 tunnelling is what you have to google for, register and configure. I used https://ipv6.he.net/ (Hurricane Electric's tunnel broker) for tunnelling.

Question was :
Flag is out there: http://[2a02:6b8:0:141f:fea9:d5ff:fed5:XX01]/


A Google search gave the missing XX part of the address, so the address to access was
"http://[2a02:6b8:0:141f:fea9:d5ff:fed5:6901]"; XX was nothing but 69.
Viewing the page source of the website got me the flag.

FLAG : CTF{7a0dd6d4556a7ed60e6f7686eae0590d}

Olympic-CTF 2014 Binathlon-10 { Just No One}

This challenge is a binary challenge:
challenge file : https://db.tt/5I7qkEPv

The name says binary challenge, but it teaches how important it is to read the licence agreement (EULA). It was a Delphi-coded, password-protected file. But it was not as complicated to crack as I thought at the beginning, and I did it.
Here is the answer.

FLAG : ILOVEREADINGEULAS

Olympic-CTF 2014 figure Crypting-10 { Crypting}

This was so interesting because after you solve it you will laugh at it. Well, most people could not solve this during the CTF.

Question :
43wdxz 4edcvgt5 65rdcvb 6tfcgh8uhb 9ijn

I feel this should be answered with just images, because you have to look at the beauty of the question.
Well, if you trace your finger over the keyboard following the letters and numbers of each group, the path draws a letter. Didn't understand?
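An added example, not from the original post, that draws each group of the question on a staggered QWERTY layout, numbering the keys in the order they are typed so the stroke direction is visible. The layout approximation (a one-character stagger per row) and the names are mine; the answer is left for the reader, as in the post.

```python
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def trace_group(group: str):
    """Render one token as a keyboard map. Pressed keys show the position at which they are
    typed (1-9, then a, b, ... for the 10th key onward); '.' marks an untouched key.
    Rows are staggered by one character to mimic the physical half-key offset."""
    order = {}
    for i, ch in enumerate(group.lower()):
        order.setdefault(ch, i + 1)                 # first visit wins if a key repeats
    lines = []
    for r, row in enumerate(QWERTY_ROWS):
        cells = []
        for key in row:
            if key in order:
                n = order[key]
                cells.append(str(n) if n < 10 else chr(ord("a") + n - 10))
            else:
                cells.append(".")
        lines.append(" " * r + " ".join(cells))
    return lines


def trace_puzzle(puzzle: str):
    """One map per space-separated group, in the order given."""
    return [(g, trace_group(g)) for g in puzzle.split()]


if __name__ == "__main__":
    for g, lines in trace_puzzle("43wdxz 4edcvgt5 65rdcvb 6tfcgh8uhb 9ijn"):
        print(g)
        print("\n".join(lines), end="\n\n")
```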

Thursday 30 January 2014

Nullcon HackIm 2014 Forensics-4

This challenge made me a decent steganographer for JPG images. It took 5-6 hours to solve because I was stuck on the passwords.

Question :
A suspicious image was found on the desktop. Our investigator suspects something is hidden.

Hint: remove i from it.

Tools I used : Stegsolve, Stegdetect, Invisible Secrets 4

Extract the image that is on the desktop from Autopsy, that is nullcon.jpg


Stegsolve's colour-plane views (RGB splitting) show an Eiffel Tower image, so now we have the password "eiffel". Oops, look at the hint: it says remove i from it. So the password is "effel".

Nullcon HackIm 2014 Forensics-3

Question : There was a network traffic dump on the machine. The dump suggests an attack being carried out on a target. As per the client’s information the attack was performed from china (he says that the system was located in china when attack was carried out). Our investigator thinks otherwise. Can you find out the location from where the attack was carried out.

Wireshark is the tool. I used its export objects feature and found geo.html interesting.
Look at that: the location "failed". So I thought of accessing html5demos and used Tamper Data to see how it obtains the location. There was a request named "ViewportInfoService.GetViewportInfo?1m6&1m2&1d24.56320627014958&2d73.6366821305144......." which, just by looking at it, can be understood to carry geo coordinates: it sends the corners of the map viewport, four points, to pin the place down.
Now in the challenge capture I looked at the same request and got four coordinates like this :
[24.60706913770969,73.564453125],[24.68695241199915,73.740234375],[24.52713482259781,73.564453125],[24.60706913770969,73.740234375]

By googling we find a place near Udaipur. The admins had released a hint on IRC that the name was suffixed with Scheme. Now it wasn't so difficult: it was "Ambamata Scheme".

FLAG : Ambamata Scheme 

Nullcon HackIm 2014 Forensics-1

This was the main hunt for me in HackIM. I downloaded a 2GB image file and got started with a tool called Autopsy.

link for image : http://sourceforge.net/projects/nullconctf2014/?source=directory

autopsy download link : http://www.sleuthkit.org/autopsy/download.php

Question : Please download the HackIM image to solve all the forensics level challenges.

Checksum for the HackIM image:
MD5: 71d16cda80ef801d33286825aaf70033
SHA1: 62bbd7babaa409991f7ab1cdb12ac70518dbaffa

Password to extract HackIM image is: "synergyNull2014sdf"

The Client complained that whenever he boots up the machine, all files in his document folder automatically gets deleted. Can you identify the culprit executable process doing this?

Well, technically I only knew that boot-time files live in the system32 folder. In Autopsy you can see the recently accessed files, and while looking at them I also found the files needed for the other challenges.
After trial and error I found, somewhere below in the same recent files list, Ntbackup.exe, and that was the flag.

Wednesday 29 January 2014

Nullcon HackIm 2014 Misc-3

Question : What you hear is not what you always hear. Channel your energy in finding the unknown.

Link : http://ctf.nullcon.net/data/2014/lev/misc/Level3.mp3

This was the easiest one.

Load the mp3 in Audacity. You can easily notice that the audio was reversed.

Go to Effect -> Reverse; now you can read the Morse code, which you may have noticed as soon as you loaded the file.

This is the Morse code extracted : ".. .-.. --- ...- . --. --- .- -.-.-- -. ..- .-.. .-.. -.-. --- -. ..--- ----- .---- ....- .. ... .- .-- . ... --- -- . -.-.-- -.-.--"

After decoding the Morse code we get ILOVEGOA!NULLCON2014ISAWESOME!!

FLAG : ILOVEGOA!NULLCON2014ISAWESOME!!
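An added example (not the author's) that decodes both Morse strings on this blog, this one and the Here Kitty Kitty waveform above, and also shows the step done by eye there: turning an on/off envelope into dots, dashes and gaps using the standard ITU timing ratios. The envelope is synthesised from the Morse text as a constructed test signal; a real run would threshold the Audacity samples first. Names are mine.

```python
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    "-.-.--": "!", ".-.-.-": ".", "--..--": ",", "..--..": "?", "-..-.": "/",
    ".--.-.": "@", "-....-": "-", ".-..-.": '"',
}


def decode_morse(code: str, word_sep: str = " / ") -> str:
    """Decode dot/dash text: symbols separated by spaces, words (if any) by `word_sep`."""
    words = []
    for word in code.strip().split(word_sep):
        letters = [MORSE.get(sym, "?") for sym in word.split()]   # '?' marks a misread symbol
        if letters:
            words.append("".join(letters))
    return " ".join(words)


def envelope_to_morse(envelope, unit: int) -> str:
    """Turn a thresholded waveform (1 = tone, 0 = silence, one entry per sample) into dot/dash
    text using ITU timing: dot 1 unit, dash 3, letter gap 3, word gap 7. Decision boundaries
    sit between the nominal lengths so slightly sloppy timing still decodes."""
    out = []
    level, length = envelope[0], 0
    for sample in list(envelope) + [None]:          # None flushes the final run
        if sample == level:
            length += 1
            continue
        units = length / unit
        if level == 1:
            out.append("." if units < 2 else "-")
        elif out:                                   # ignore silence before the first tone
            if units >= 5:
                out.append(" / ")
            elif units >= 2:
                out.append(" ")
        level, length = sample, 1
    return "".join(out).strip(" /")


def morse_to_envelope(code: str, unit: int = 4):
    """Synthesise an envelope from Morse text; used only to build a constructed test signal."""
    env = []
    for word in code.split(" / "):
        for sym in word.split():
            for mark in sym:
                env += [1] * (unit if mark == "." else 3 * unit)
                env += [0] * unit                  # gap inside a letter
            env += [0] * (2 * unit)                # pad to a 3-unit letter gap
        env += [0] * (4 * unit)                    # pad to a 7-unit word gap
    return env


# The two strings read off the challenge audio on this blog.
KITTY_CODE = ("..... -... -.-. ----. ..--- ..... -.... ....- ----. -.-. -... ----- .---- ---.. ---.. "
              "..-. ..... ..--- . -.... .---- --... -.. --... ----- ----. ..--- ----. .---- ----. .---- -.-.")
NULLCON_CODE = (".. .-.. --- ...- . --. --- .- -.-.-- -. ..- .-.. .-.. -.-. --- -. ..--- ----- .---- "
                "....- .. ... .- .-- . ... --- -- . -.-.-- -.-.--")

if __name__ == "__main__":
    print(decode_morse(KITTY_CODE))
    print(decode_morse(NULLCON_CODE))
    signal = morse_to_envelope(KITTY_CODE, unit=4)          # constructed on/off signal
    print(envelope_to_morse(signal, unit=4) == KITTY_CODE)
```

To use envelope_to_morse on real audio, export the track as WAV, take the absolute sample values, threshold them against a fraction of the peak and collapse the result to 0/1 per sample; `unit` is then the dot length in samples, which you read off the shortest tone.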

Nullcon HackIm 2014 Misc-2

Question : Tracked sam in level 1? Cool. But now you need more details. His USB drive gave you a swf file. Now, think like level 1, but more like a pro, and find his email id.

Well, it's as simple as it looks.
Just an SWF to XML conversion will do the job.

Link : http://ctf.nullcon.net/data/2014/lev/misc/Level2.swf

I installed a tool called swfmill.
Command I used : swfmill.exe swf2xml Level2.swf Level2.xml

We get an error containing a percent-encoded string : %68%74%74%70%3a%2f%2f%62%69%74%2e%6c%79%2f%31%61%4c%49%59%76%57

After URL-decoding it (each %xx is one ASCII byte) we get the link http://bit.ly/1aLIYvW, which points to an APK file.

Now, after a long wait for an APK reversing challenge, I got this :-)

First method: an APK is just a ZIP archive, so renaming it to .rar (WinRAR opens ZIPs too; .zip works as well) and extracting the contents gives 1 folder and 3 files, namely res, resources.arsc, classes.dex and AndroidManifest.xml

I got an email in about.xml, research@foundstone.com, which was wrong. The only thing left was classes.dex. I used dex2jar to convert classes.dex to a jar file so that I could look at the Java classes.
I used JD (Java Decompiler) to get the Java source. I found the email in com.service -> LoginService
Email was : sam0908nlu771@gmail.com

FLAG : sam0908nlu771@gmail.com

Tuesday 28 January 2014

Nullcon HackIm 2014 Misc-1

This was so much fun, trust me. It was my first solve after the trivia in the competition.
Question : Sam has parked his car in front of a store. Find the name of the store.
Link : http://ctf.nullcon.net/data/2014/lev/misc/Level1.pcap

Well, straightforward: extract the only object that was transferred, nullCTF.png. Wireshark was the tool I used (File -> Export Objects).
Click to enlarge; I have written comments, don't miss them!!
The image looks like this.
Arghhh PNG, I hate PNG stego :-(
A hex editor gave a clue on where to look.
It said this somewhere near the beginning: "Raw profile type exif". That keyword is how ImageMagick stores an Exif block inside a PNG: a tEXt chunk whose value is the profile name, its length and a hex dump of the raw Exif bytes, so the metadata survives the conversion and can be decoded straight from the hex editor.
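An added example, not from the original post, that walks PNG chunks, checks their CRCs and decodes ImageMagick's "Raw profile type" text entries back into bytes. nullCTF.png is not on the page, so build_sample_png constructs a 1x1 PNG with a made-up Exif blob in that format; function names are mine.

```python
import binascii
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunks(data: bytes):
    """Walk the chunk list, yielding (type, body, crc_ok); stops at IEND or a truncated chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        if pos + 12 + length > len(data):
            break
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack_from(">I", data, pos + 8 + length)
        yield ctype.decode("latin-1"), body, (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        pos += 12 + length
        if ctype == b"IEND":
            break


def text_chunks(data: bytes):
    """keyword -> text for tEXt and zTXt chunks (iTXt left out for brevity)."""
    out = {}
    for ctype, body, _ok in png_chunks(data):
        if ctype == "tEXt":
            key, _, text = body.partition(b"\x00")
            out[key.decode("latin-1")] = text.decode("latin-1")
        elif ctype == "zTXt":
            key, _, rest = body.partition(b"\x00")       # rest[0] is the compression method
            out[key.decode("latin-1")] = zlib.decompress(rest[1:]).decode("latin-1")
    return out


def raw_profiles(data: bytes):
    """Decode ImageMagick 'Raw profile type <name>' entries: a name line, a byte-count line,
    then the bytes as hex. Returns {name: raw_bytes}."""
    prefix = "raw profile type "
    profiles = {}
    for key, text in text_chunks(data).items():
        if not key.lower().startswith(prefix):
            continue
        lines = text.strip().splitlines()
        hexdata = "".join(lines[2:]).replace(" ", "")
        profiles[key[len(prefix):].lower()] = binascii.unhexlify(hexdata)
    return profiles


# ---- constructed sample; not the challenge's nullCTF.png ----
def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(profile_bytes: bytes) -> bytes:
    """A 1x1 greyscale PNG carrying `profile_bytes` the way ImageMagick embeds an Exif block."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")                       # filter byte + one grey pixel
    hexdump = binascii.hexlify(profile_bytes).decode()
    hexlines = "\n".join(hexdump[i:i + 72] for i in range(0, len(hexdump), 72))
    value = "\nexif\n%8d\n%s\n" % (len(profile_bytes), hexlines)
    text = b"Raw profile type exif\x00" + value.encode("latin-1")
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", text)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


SAMPLE_EXIF = b"Exif\x00\x00" + b"constructed Exif payload: a clue would sit in a field like this"

if __name__ == "__main__":
    png = build_sample_png(SAMPLE_EXIF)
    for ctype, body, ok in png_chunks(png):
        print(ctype, len(body), "crc ok" if ok else "CRC MISMATCH")
    print(raw_profiles(png))
```

The CRC flag is worth keeping: a chunk whose CRC does not match is either corrupted or hand-edited, and in stego challenges hand-edited is the common case.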

FLAG : wellsfargo

Nullcon HackIm 2014 Reverse-1

This was an easier one, though I had to dig a bit.

Question : Find the flag hidden not so deep inside.

link : http://ctf.nullcon.net/data/2014/lev/re/win32_input.zip

Ah, now let's get back to work. :-)

First, load it in OllyDbg to patch it and in IDA to understand the program flow. This is my way of solving Windows reverse engineering challenges.

In IDA's Strings window you find ")T(+,*'))$&T(Y)*#(+&#+)$%'T+&#(T" repeated 4 times, plus one copy accompanying the string FLAG. Running the exe, you can see it prints "FLAG:)T(+,*'))$&T(Y)*#(+&#+)$%'T+&#(T", so it uses the 4th copy. Now we check what makes it print that; in Olly you can likewise see the calls made before it prints the string FLAG:")T(+,*'))$&T(Y)*#(+&#+)$%'T+&#(T".
Click to enlarge; I have written comments, so check it out.
NOP the call.

Monday 27 January 2014

Nullcon HackIm 2014 Crypto-1

This was amazingly awesome; it really needs some brains. Well, I got hints and solved it too. Getting hints is not bad, but trading for flags is bad. :-) Just a piece of advice.

Question : dna nihilistic humanoids lost nihilistic weak cloned nihilistic dna dna nihilistic humanoids lost dna into tools dna soulless zombies dna into lost breed xenophobes lost zombies dna soulless nihilistic cloned

So what do you understand from this?? Basically nothing :-D So when you don't understand things you should google around. From a blog you can notice that similar words were used to build a sentence in which the alphabet appears in order as the first letters of the words. That's the HINT :-D

So take the first letter of every word and you get a string like ..
dnhlnwcn....

Now after this came the hard part: guessing the cipher. It was a substitution cipher. Using letter frequencies you can deduce that 'd', the most frequent letter in the string, should map to either 'e' or 't', the most frequent letters in English; you can work this out by googling for a nice tutorial on solving monoalphabetic substitution ciphers.

d->t n->o h->b l->e w->r c->n......

Substituting, you get a string, and that's the flag

Flag : tobeornottobethatisthequestion
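An added example, not from the original post, of the three steps above: pull the first letters, tabulate frequencies, and apply a partial key with blanks for the letters not yet recovered. It also adds a crib check: given a guessed plaintext, derive the full substitution and refuse it unless it is a consistent one-to-one mapping, which is how you confirm a guess like this without asking the admins. The function names are mine; the ciphertext is the one from the question.

```python
from collections import Counter

CIPHER_WORDS = ("dna nihilistic humanoids lost nihilistic weak cloned nihilistic dna dna nihilistic "
                "humanoids lost dna into tools dna soulless zombies dna into lost breed xenophobes "
                "lost zombies dna soulless nihilistic cloned")


def first_letters(words: str) -> str:
    """The hint: only the first letter of every word carries the message."""
    return "".join(w[0] for w in words.split())


def frequency_table(text: str):
    """Most common letters first; in English text the top of this list is usually e, t, a, o."""
    return Counter(text).most_common()


def apply_key(text: str, key: dict) -> str:
    """Substitute the letters we know, leaving '_' where the key is still blank."""
    return "".join(key.get(c, "_") for c in text)


def derive_key(cipher: str, crib: str) -> dict:
    """Build the substitution implied by a guessed plaintext and reject it unless every cipher
    letter maps to exactly one plaintext letter and vice versa."""
    if len(cipher) != len(crib):
        raise ValueError("crib length must match the ciphertext")
    key, used = {}, {}
    for c, p in zip(cipher, crib):
        if key.setdefault(c, p) != p or used.setdefault(p, c) != c:
            raise ValueError(f"inconsistent mapping at {c!r} -> {p!r}")
    return key


PARTIAL_KEY = {"d": "t", "n": "o", "h": "b", "l": "e", "w": "r", "c": "n"}   # the six the post lists

if __name__ == "__main__":
    ct = first_letters(CIPHER_WORDS)
    print(ct)                                   # dnhlnwcnddnhlditdszdilbxlzdsnc
    print(frequency_table(ct)[:4])
    print(apply_key(ct, PARTIAL_KEY))           # tobeornottobet__t__t_e__e_t_on
    full = derive_key(ct, "tobeornottobethatisthequestion")
    print(apply_key(ct, full))
```

Frequency analysis on thirty letters is weak evidence on its own; what makes it work here is that a few confident pairs already produce a recognisable fragment, and the crib check then either confirms the rest or throws the guess out.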

Nullcon HackIm 2014 trivia Challenges

Well, I had a nice weekend, probably the best. I felt the world never existed around me. 2 CTFs.
Let's get back to what happened and discuss how to solve it.
Trivia was easy enough, so let me begin with that.

Question 1 : This esoteric programming language uses AWSUM THX and O NOES as error handling.

Flag : LOLCODE

A simple google, or copy-pasting the question, gives it as the first result.

Question 2 : What software is used to hack into ENCOM's computer system?

Flag : CLU

website : en.wikipedia.org/wiki/Tron

Question 3 : Outcome of Stealth Project to make coffee.

Flag : Java

website : www.sis.pitt.edu/~icucart/fshi/java_introduction.html