June 2017 - thefluffy007

PicoCTF 2017 – Mystery Box

June 30, 2017March 3, 2021 thefluffy007

Another day, another challenge.

In today’s blog post we will be solving the “Mystery Box” challenge from the PicoCTF.

Let’s get started.

Clicking on the challenge we see:

OK, we have a mystery machine, with a stick note, and a picture.

Clicking on the sticky note link we see:

OK… we have a note. This is going to be useful later.

Clicking on the picture link we see:

Going back to the challenge and click on the hints we see:

OK. The hints tell us that this box uses gear and it was used from the naval services. Also we have the name of Turing… let’s see what Google would provide us.

Doing a Google search of “Turing machine naval” we get the following link.

This link is the enigma machine emulator.

The enigma machine was used in WW2 (World War 2) to help crack secret messages from Nazi Germany.

The person who was responsible for this machine was Alan Turing. Alan Turing was the father of computer science. He was a computer scientist, mathematician, logician, etc. If you want to read more about his life, click here.

Going back to the enigma machine emulator we see:

Hmm… we see that the words are similar to are listed in the note.

Let’s use that to figure out what the enigma machine will return us.

After entering the information we get:

Hmm… The enigma machine returned – “quite puzzling indeed”.

Putting this in as the flag, we acquired 60 points!!

capture the flag, hacking, owasp, web application security

PicoCTF 2017 – My First SQL

June 29, 2017March 3, 2021 thefluffy007

Another day, another challenge.

Today’s blog post we will be solving the challenge, “My First SQL” from the PicoCTF.

Let’s get started.

Going to the challenge we see:

OK… we need to access a website, but we do not have the password. Let’s see what the hints give us.

Clicking the website link we see:

Doing a right click, view page source we see:

We do not see anything useful. We have a form that is looking for a username and password.

Going back to the hints, let’s do a Google search of SQL Injection.

After doing the search we have a link, that specifies how to do a SQL injection to do login bypass.

Let’s do it.

Going back to the website, we see that we have a username and password.

Let’s try using a username of “admin”

and a password of ” ‘ OR ‘1’=’1′ ”

Pressing login we get:

We found the flag, and acquired 50 points!

capture the flag, hacking

PicoCTF 2017 – Hex2Raw

June 28, 2017March 3, 2021 thefluffy007

Another day, another challenge…

Today’s challenge we will be solving the Hex2Raw challenge in the PicoCTF.

Let’s start.

Clicking on the challenge we see the following:

OK. With this challenge we see that we need to print unprintable characters from the following location.

Let’s see what the hints give us.

Clicking on the hints we see:

OK. We can see that Google has easy techniques to do this.

Let’s go to the command line and see what we can do.

After logging in and going to the directory we see the following:

Running the hex2raw application we see:

I pressed Ctrl + C to end the program.

OK. We are given raw input and we need to convert it to hexadecimal character.

Doing a Google search we noticed that we can use Python to get our desired output.

How would we do this?

With the decode function!

Explaining the screenshot below we’re invoking the python interpreter the -c designated that we’re using a command. We’re printing the raw form, and using the decode function designated that we wanted to decode with the hexadecimal system. We’re going to pipe the output to the hex2raw program.

Doing this we see the flag, and acquired 20 points!

capture the flag, hacking, web application security

PicoCTF 2017 – Master Challenge – Lazy Dev

June 27, 2017March 3, 2021 thefluffy007

Another day, another challenge.

Today’s blog post, we’re going to solve the master challenge of level one of the PicoCTF challenge called, “Lazy Dev”.

Let’s get started.

Clicking on the challenge we see the following:

Hmm… we need to log into the application even though the login logic has not been implemented.

Clicking on the link we see:

Going back to the challenge and look at the hints we see:

OK. The hints state maybe we need to interact with JavaScript.

Going back to the website and doing a right click, view page source we see:

We see there’s a input box for password that is calling the process_password function. Where is this function coming from? Maybe it’s coming from line 10 that has a javascript source file named client.

Clicking this file (client.js) we see:

Looking at the first function validate(pword) we notice it’s not implemented. It’s always going to return false, with the comment – todo: implement me

Going back to the hints we remember that we need to access the JavaScript directly. We can do this by viewing the developers tools.

Let’s view the development tools by pressing F12 on our keyboard, and then pressing F5 to refresh the page.

When we do this, we see:

Clicking on the sources we see the files that were loaded from the web page.

Looking at line 26 we see that we’re calling the make_ajax_req. Inside this function we see in line 15 checks the state change. If the state changes we’ll get the password.

How can we change the state when the login has not been implemented?

Let’s see if we can call the make_ajax_req function directly from the console.

First, let’s add a break point to line 15 in the make_ajax_req function.

Next we’ll add the following to the console:

Pressing Enter we go to the break point.

We’re accessing the JavaScript directly!

Stepping through the code multiple time we noticed that we execute line 15 of the make_ajax_req function.

Once it’s done we see there’s text that’s inputted inside the browser.

Looking at the browser we see:

We have the flag!!

Entering the flag we’ve acquired 50 points, and unlocked level 2!

capture the flag, hacking

PicoCTF 2017 – computeRSA

June 26, 2017March 3, 2021 thefluffy007

Another day, another challenge.

Today’s blog post will explore solving the “computeRSA” challenge in the PicoCTF challenge.

Let’s get started.

Clicking on the challenge we see the following:

OK we need do a calculation for the RSA algorithm. Since we have the encrypted number, then we need to do the decryption.

Let’s look at the hints.

We have the decrypted formula.

So the formula: (150815) ^ 1941 mod 435979

Let’s go to Google and use a python interpreter to find the decrypted number.

Going to the following link we’re presented with the interpreter.

Entering the formula in the interpreter we get the following:

Entering this number as the flag we’ve acquired 50 points!

capture the flag, hacking

PicoCTF 2017 – Substitute

June 25, 2017March 3, 2021 thefluffy007

Another day, another challenge.

Today’s blog post will explore solving the “Substitute” challenge inside of the PicoCTF.

Let’s get started.

Clicking on the challenge we see the following:

Clicking on the link we see:

Jumbled text…

Going back to the challenge and look at the hints we see:

Well the hint REALLY wasn’t that helpful.

Well using the hints we have with the title, we need to use a substitution cipher.

Doing a google search we have the following link.

Pasting the substitution cipher into the input box and pressing submit we see possible plaintext (original text).

Hmm… we see one that’s promising…

We found the flag!

Going back to the challenge and entering the flag and pressing Enter we have acquired 40 points!

capture the flag, hacking

PicoCTF 2017 – Keyz

June 24, 2017March 3, 2021 thefluffy007

Another day, another challenge…

In today’s blog post we’re going to solve the “Keyz” challenge in the PicoCTF.

Let’s get started.

Going to the challenge we see the following:

OK, we need to add our public key to the authorized keys file using the web shell.

Let’s see what the hints say.

Clicking on the hints we see:

OK. There’s a tutorial that we can leverage. Let’s look at it.

Going to the link above, we see section 3 describes how to generate an ssh key.

I have done this in the screenshot below:

Now our key pairs (public and private) have been created. Next we need to transport the public key to the server – shell2017.picoctf.com.

Let’s do it.

Next we’re going to do the following:

This command allows us to add the public (.pub) key to be appended to the end of the authorized_keys file.

Finally we’re going to ssh into the server.

Well what do we have… the flag!

We’ve acquired an additional 20 points!

capture the flag, hacking

PicoCTF 2017 – Digital Camouflage

June 21, 2017March 3, 2021 thefluffy007

Another day, another challenge.

Today’s blog post we will be solving the “Digital Camouflage” challenge in the PicoCTF.

Let’s start.

Clicking on the challenge we see the following:

We need to find the password in a packet capture.

Let’s look at the hints to see what we can find.

Downloading the file and going to Wireshark we see the following:

We see network traffic. The first half is UDP packets which is not important for this challenge.

Scrolling down we see the following:

Looking at this packet we see a username, and password. Could this be what we’re looking for?

Doing a right click, follow, HTTP Stream we see:

Entering the password into the input box we retrieved the flag and acquired 50 points.

capture the flag, hacking

PicoCTF 2017 – Just No

June 20, 2017March 3, 2021 thefluffy007

Another day, another challenge…

Today’s blog post we’re going to solve the “Just No” challenge in the PicoCTF challenge.

Let’s start.

OK… we have a program that has access to the flag, but refuse to give it to us.

Let’s look at the hints and see what we can do.

OK.. we need to look at the absolute and relative paths, and spoof the file that the program is looking for.

Let’s go to the program.

After clicking logging into the command line and navigating to the folder we see the following:

Opening the auth file with the cat command we see:

OK. The file only as no. Let’s see how this is being used.

Opening the justno.c file with the cat command we see:

Reading the file we see we’re opening the auth file and determining if the the auth file does not have the word “no”. If that’s true then we’re presented with the flag. If the auth file does contain the word “no” then we go inside the else block which print, “auth file says no. So no. Just… no.”

As we can see when we opened the auth file it currently has the word “no”. Which means if we executed the justno program right now we would go to the else block, and receive the no message.

Now is the time to utilize the hints. We need to spoof the auth file to be ANY word except for no. How are we going to do this?

Well the challenge told us to read the difference between absolute and relative paths. Once we figured that out, then we can create a new auth file and point it to the new location.

Let’s give it a shot.

Going back to the justno.c we see that the file open is using relative paths.

We can spoof the location by creating the file structure and then calling the justno.c program and printing the flag.

Let’s do it.

Looking at the screenshot you can see we created the same directory structure and created a new auth file that was listed in the justno.c program. Once we did that and called the justno program again we were able to get the flag and acquired 40 points!

capture the flag, hacking

PicoCTF 2017 – Bash Loop

June 20, 2017March 3, 2021 thefluffy007

Another day, another challenge…

Today’s blog post we will solve the “Bash Loop” challenge in the PicoCTF challenge.

Let’s start!

Clicking on the challenge we see:

OK… There’s a program we need to execute to find the hidden number. Let’s look at the hints to see what they give us.

OK… the hint tells us that we need to use Google to search for “bash loops”.

First let’s navigate to the folder of the program

Copying the location of the program, right clicking on the command line, selecting paste from browser, and pressing enter we have the following:

We see the bashloop program and the flag.

Executing the bashloop program we see the following:

Let’s do a quick Google search and look for bash loops

Going to the following link, and scrolling down to the for loop we see the following:

Let’s use this for our challenge.

Going back to the command line we enter the following:

Let’s break down the loop…

In the first line we are using a for loop and we’re looping over the range from 0 to 4096 as that is the range of numbers we need to guess over.

The next line we are invoking (calling) the program with the current number in the range (between 0 to 4096). From that we’re grepping (finding) the keyword of flag. The reason we’re doing that is to find the flag. Next line is specifying that we’re ending the loop.

Pressing enter we see that the flag is displayed to us.

Entering this into the input box we acquired 40 points!