Sunday, 21 February 2016

Internetwache CTF 2016 Quick Run

Question :

Solution :

Link to the file inside zip : https://app.box.com/s/8aoepmqzfetr2syj9usq433kptaz8nid 

I just tried Base64 on it due to the padding "==" in the texts, and I found QR codes in each block of text.


Hence, decoding them gives us :

Flag is IW{QR_C0DES_RUL3}



FLAG : IW{QR_C0DES_RUL3}


Internetwache CTF 2016 The hidden message

Question :

Solution :

The README.txt inside the zip file had contents :

0000000 126 062 126 163 142 103 102 153 142 062 065 154 111 121 157 113
0000020 122 155 170 150 132 172 157 147 123 126 144 067 124 152 102 146
0000040 115 107 065 154 130 062 116 150 142 154 071 172 144 104 102 167
0000060 130 063 153 167 144 130 060 113 012
0000071

Looking at the numbers, it's clear that it's an octal system. Converting from octal to ASCII gives us :

"V2VsbCBkb25lIQoKRmxhZzogSVd7TjBfMG5lX2Nhbl9zdDBwX3kwdX0K"

Decoding the above Base64 string gives us :

Well done!

Flag: IW{N0_0ne_can_st0p_y0u}


FLAG : IW{N0_0ne_can_st0p_y0u}
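
The two decoding steps above (octal dump to ASCII, then Base64) can be scripted. This is an added example, not code from the original post; the function names are hypothetical, and it assumes the README.txt layout is the one `od -b` prints (an octal offset column followed by one octal value per byte, with a final line holding only the total length).

```python
import base64

# README.txt contents exactly as quoted in the post.
DUMP = """\
0000000 126 062 126 163 142 103 102 153 142 062 065 154 111 121 157 113
0000020 122 155 170 150 132 172 157 147 123 126 144 067 124 152 102 146
0000040 115 107 065 154 130 062 116 150 142 154 071 172 144 104 102 167
0000060 130 063 153 167 144 130 060 113 012
0000071
"""


def parse_octal_dump(text):
    """Rebuild the original bytes from an od-style octal byte dump.

    The first field of each line is the octal offset of that line's first
    byte. Checking it against the bytes collected so far catches dropped or
    reordered lines; the last line (offset only) checks the total length.
    """
    data = bytearray()
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        offset = int(fields[0], 8)
        if offset != len(data):
            raise ValueError(f"offset {fields[0]} does not match {len(data)} bytes read")
        for token in fields[1:]:
            value = int(token, 8)  # raises ValueError on non-octal tokens such as '*'
            if value > 0xFF:
                raise ValueError(f"{token} is not a single byte")
            data.append(value)
    return bytes(data)


def decode_readme(text):
    """Return (base64_text, plaintext) for the dumped README."""
    encoded = parse_octal_dump(text).decode("ascii").strip()
    plaintext = base64.b64decode(encoded, validate=True).decode("ascii")
    return encoded, plaintext


if __name__ == "__main__":
    encoded, plaintext = decode_readme(DUMP)
    print(encoded)
    print(plaintext)
```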

Internetwache CTF 2016 Crypto-Pirat

Question :

Word of Caution : Highly frustrating challenge due to multiple encryption, encoding, etc. :-p

Attachment : crypto50.zip

Solution :
Attachment has a README.txt which has :

♆♀♇♀♆ ♇♇♀♆⊕ ♇♀♇♀♆ ♇♆♇♆⊕ ♆♇♆♇♇ ♀♆♇♆⊕ ♆♇♆♇♆ ♇♆♇♆⊕ ♆♇♇♀♇ ♀♆⊕♇♀ ♆⊕♇♀♆ ⊕♆♇♆♇ ♇♀♆♇♆ ⊕♇♀♇♀ ♆⊕♆♇♆ ♇♆♇♇♀ ♆⊕♆♇♆ ♇♆♇♆⊕ ♆♇♆♇♆ ♇♆⊕♇♀ ♆♇♇♀♆ ♇♆⊕♇♀ ♆♇♆♇♇ ♀♆⊕♆♇ ♆♇♇♀♇ ♀♇♀♆⊕ ♆♇♆♇♇ ♀♆⊕♇♀ ♇♀♆♇♆ ⊕♆♇♇♀ ♆⊕♇♀♆ ♇♇♀♇♀ ♆⊕♆♇♆ ♇♆♇♆♇ ♆⊕♇♀♆ ♇♇♀♆♇ ♆⊕♇♀♆ ♇♆♇♇♀ ♆⊕♆♇♆ ♇♇♀♇♀ ♇♀♆⊕♇ ♀♆♇♆♇ ♆⊕♇♀♇ ♀♇♀♆⊕ ♇♀♇♀♆ ♇♆♇♆⊕ ♆♇♆♇♆ ♇♆⊕♆♇ ♇♀♇♀♆ ⊕♆♇♆♇ ♆♇♆♇♇ ♀♆⊕♇♀ ♇♀♆♇♆ ♇♆⊕♆♇ ♆♇♆♇♇ ♀♇♀♆⊕ ♆♇♆♇♆ ♇♆⊕♆♇ ♇♀♆♇♆ ♇♆⊕♆♇ ♆♇♆♇♆ ♇♆♇♆⊕ ♆♇♇♀♇ ♀♆⊕♇♀ ♇♀♆♇♆ ⊕♆♇♆⊕ ♆♇♆♇♇ ♀♇♀♇♀ ♆⊕♇♀♆ ♇♇♀♆♇ ♆⊕♇♀♇ ♀♆♇♆♇ ♆♇♆⊕♇ ♀♆♇♆⊕ ♇♀♇♀♆ ♇♆♇♆⊕ ♆♇♆♇♆ ♇♆⊕♇♀ ♆♇♆♇♇ ♀♆⊕♆♇ ♆⊕♇♀♇ ♀♇♀♆⊕ ♆♇♇♀♆ ♇♆⊕♆♇ ♇♀♇♀♇ ♀♆⊕♆♇ ♇♀♇♀♆ ♇♆⊕♆♇ ♆♇♇♀♆ ⊕♇♀♆♇ ♆♇♆♇♇ ♀♆⊕♇♀ ♆♇♆♇♆ ♇♇♀♆⊕ ♇♀♆♇♆ ♇♆♇♇♀ ♆⊕♇♀♆ ♇♆♇♆♇ ♇♀♆⊕♇ ♀♆♇♆♇ ♆♇♇♀♆ ⊕♇♀♆♇ ♆♇♆♇♇ ♀


Internetwache CTF 2016 Replace with Grace

Question:

Service : https://replace-with-grace.ctf.internetwache.org/

Solution :

The webpage had 3 parameters : search, replace and content

An example would be :
search : /cow/
replace : cat
content : cows are cute

output : cats are cute.

As the webpage uses PHP, I googled for PHP search and replace regex.

Now it was clear to me that it uses the preg_replace function. Searching for flaws in preg_replace, I found that it is prone to command execution using the modifier "e".

Internetwache CTF 2016 0ldsk00lBlog

Question :

Service : https://0ldsk00lblog.ctf.internetwache.org/

Solution :

The blog says "All people are talking about a tool called 'Git'. I think I might give this a try.", which leaves us a hint, so let's check what's in "https://0ldsk00lblog.ctf.internetwache.org/.git/"

"403 Forbidden", which means the directory exists but cannot be accessed.

After reading through this wonderful website, anyone would understand the git directory structure.

Having said that, I went through a couple of writeups on similar challenges and found a useful tool called dvcs-ripper, which can find all the commits and check whether the directories in .git, like logs, config, objects etc., are accessible.

Internetwache CTF 2016 TexMaker

Question :

Service : https://texmaker.ctf.internetwache.org/


Solution :
The webpage lets you write LaTeX and create a PDF.

After a bit of searching for LaTeX hacks I found the guide

http://cseweb.ucsd.edu/~hovav/dist/texhack.pdf

Well, this is an amazing article on how to use LaTeX for malicious purposes. I went with the usual approach of using \input{"ls"}, as we have no clue where the file is and what the file extension is for the flag.

We see "BLACKLISTED commands cannot be used."

I saw a few evasion techniques in the above article that can be used, like
\csname \begin \@@ ^^5C \cat_code. No luck though.

Let's change the view and search for commands that can execute shell commands for us.

After a bit of digging I finally found a command that was not BLACKLISTED, and that is \write18,
which is also called shell-escape.

http://tex.stackexchange.com/questions/16790/write18-capturing-shell-script-output-as-command-variable

After that it was simple to use \write18{ls ../}

and \write18{cat ../flag.php}


FLAG : IW{L4T3x_IS_Tur1ng_c0mpl3te}

Sunday, 7 February 2016

Monday, 1 February 2016

Hackim 2016 Forensics-200

It's been long playing CTF. Am back again.


Question :

Hint : Forensics2 - Ext4 or btrfs …… err I forgot

File : f200

Tools :
FiletypeID, network miner, mount command, online sha512 hash generator, arj, arc