PicoCTF 2017 – WorldChat

Another day, another challenge…

In today’s blog post we will be solving the “WorldChat” challenge from the PicoCTF.

Let’s get started!

Going to the challenge we see:
PicoCTF_WorldChat_1

OK so we need to find the flag inside of the WorldChat app. According to the description when connecting to this app there will be many people on the app besides us.

Let’s look at the hints to see if it will help us.

PicoCTF_WorldChat_2

We need to us the nc command (we’ve used this in another challenge) and use the grep command to filter output.

Let’s try it.

PicoCTF_WorldChat_3

Connecting to the server we see a bunch of chats from different people. I pressed Ctrl + C to stop it.

Let’s use the hints and use the grep command with the “|” (pipe) command.

PicoCTF_WorldChat_4

PicoCTF_WorldChat_5

PicoCTF_WorldChat_6

PicoCTF_WorldChat_7

PicoCTF_WorldChat_8

PicoCTF_WorldChat_9

PicoCTF_WorldChat_10

Press Ctrl + C to end the chat.

I have only captured screenshots of output that has the flag. Entering the flag into the input box we acquired 30 points.

PicoCTF 2017 – What Is Web

Another day, another challenge.

In today’s blog post we are solving the challenge, “What Is Web” from the PicoCTF challenge.

Let’s start!

Clicking on the challenge we see:

PicoCTF_What_Is_Web_7

OK, so we need to find out how to use HTML.

Looking at the hints we see:
PicoCTF_What_Is_Web_2

Clicking on the website we see:

PicoCTF_What_Is_Web_3Doing a right click, view source we see:

PicoCTF_What_Is_Web_4

At the bottom of the screen in the green letters (which are comments that are not displayed in the browser) show that we have the first part of the flag.

Now we need to find the second and third part of the flag.

Looking back at the page source we see two different files that are referenced: hacker.css and script.js

Let’s look at hacker.css first and see what’s there.

Going to that file we see the second part of the flag at the top of the browser:

PicoCTF_What_Is_Web_5

Now let’s look at the script.js file and see if we can find the final part of the flag…

Going to the script.js file we see:

PicoCTF_What_Is_Web_6

We now have the three parts of the flag!

Combining the parts together and submitting the flag, we’ve acquired 20 points!

PicoCTF 2017 – looooong

Another day, another challenge…

Today’s blog post is to solve the looooong challenge from PicoCTF.

After login and opening the challenge we see the following:

PicoCTF_looooong_1

We need to see how fast our typing speed.

Clicking on the hints we see the following:

PicoCTF_looooong_2

Going to the command line and connecting to the server we get the following:

PicoCTF_looooong_3

We see that we have thirty seconds to enter the following 533 r’s an a single 3.

The hint stated we should try using python.

I can’t say enough about Python. It’s a GREAT first language for beginners to learn. TheNewBoston on YouTube has a good tutorial on Python.

Anyway, back to the challenge – going to Google and typing “Python interpreter online” we’re presented with the following here.

Python has a great way of printing characters multiple times with the following:

print ‘a’ * 399

This will print a 399 times.

I have to admit I had to do this challenge a couple of times as I was slow.

I’m going to add the screenshots of the challenge I was able to solve.

PicoCTF_looooong_4

Going to the link I provided I typed – print ‘v’ * 538 – I was presented with:

PicoCTF_looooong_5

Copying the v’s and going back to our challenge, if we right click in the command line and select paste from browser we get the following:

PicoCTF_looooong_6

Entering the v’s and adding the single 1 at the end and pressing OK I received the following:

PicoCTF_looooong_7

We received the flag and acquired 20 points!

Word of advice – have AT LEAST two window open. 1 window with the challenge, the second window of the python interpreter.

 

PicoCTF 2017 – Leaf of the Tree

Another day, another challenge…

Today’s topic will show how to solve the Leaf of the Tree challenge from the PicoCTF.

Clicking on the challenge we see the following:

PicoCTF_Leaf_Of_The_Tree_1

We need to find the flag, but it’s located in an annoying named directory. The challenge tells us that we should use the cat and ls commands.

Clicking the hints we see the following:

PicoCTF_Leaf_Of_The_Tree_2

Nothing much here except that tab completion is our friend.

Going to the command line and navigating to the folder in the challenge we see:

PicoCTF_Leaf_Of_The_Tree_3

Hmm… a trunk directory, let’s change our current directory (cd) to the trunk directory and list the contents.

Doing that we get:

PicoCTF_Leaf_Of_The_Tree_4

Two more folders… let’s go to the trunkef96 directory and see what’s in that directory.

PicoCTF_Leaf_Of_The_Tree_5

Another folder… trunk99e1, let’s see what’s in that directory.

PicoCTF_Leaf_Of_The_Tree_6

Three more folders. Let’s look what’s inside of the trunk54f4 directory.

PicoCTF_Leaf_Of_The_Tree_7

Going to trunk61be and looking at the contents in that folder we see:

PicoCTF_Leaf_Of_The_Tree_8

Going to the trunk61be and looking at the contents in that folder we see:

PicoCTF_Leaf_Of_The_Tree_9

Going to the trunk61be and looking at the contents in that folder we see:
PicoCTF_Leaf_Of_The_Tree_10

Going to the trunk89be and looking at the contents in that folder we see:

PicoCTF_Leaf_Of_The_Tree_11

Going to the trunk87bf and looking at the contents in that folder we see:

PicoCTF_Leaf_Of_The_Tree_12

Going to the trunkb252 and looking at the contents in that folder we see:

PicoCTF_Leaf_Of_The_Tree_13

OK – there’s the flag. Let’s use the cat command to open the file and see if the flag is there.

PicoCTF_Leaf_Of_The_Tree_14

We found the flag, and acquired 30 points in the process!

PicoCTF 2017 – Internet Kitties

Another day, another challenge…

Today’s blog post we will solve a problem in the PicoCTF challenge.

Let’s start!

After logging into the CTF, and clicking on the “Internet Kitties” challenge we’re presented with the following:

PicoCTF_Internet_Kitties_1

Reading the description, really doesn’t give a lot of clues. Clicking on the hints tab we see:

PicoCTF_Internet_Kitties_2

OK, so we need to use the netcat command. On the right side of the panel we’re presented with a command prompt. After logging in we have the following:

PicoCTF_Internet_Kitties_3

Executing the help command (nc -h) in the command prompt we see:
PicoCTF_Internet_Kitties_4

The first line we see is how to connect to a server. Maybe we can use this to solve the challenge?

Looking at the challenge again we have the host name and port.

Let’s try it and see what we get:

PicoCTF_Internet_Kitties_5

We found the flag! Entering the flag we scored 10 points!

PicoCTF 2017 a Brief Introduction

Another day, another challenge…

Today’s blog post will discuss another CTF – PicoCTF.

The target audience for PicoCTF is a computer security game that is aimed at middle school and high school students, but anyone can join and play.

Topics explored are: forensics, cryptography, reverse engineering, web exploitation, binary exploitation, and miscellaneous challenges.

To learn more, go here.

Happy hacking!

InfoSec Institute CTF Challenge #14

Another day, another challenge.

Today’s challenge comes from the InfoSec Institute CTF program.

Going to the following link we see the following:

infosec_14_intro

Doing a right click, view page source we see the following:

infosec_14_page_source

Hmm… there’s a file, titled level14 inside the misc folder. Let’s go that file and see what’s there…

Going to the file we see the following:

infosec_14_php_sql_dump

Hmm… it looks like we have a SQL dump that’s showing us all the tables and values inside of a php application.

Scrolling down we see something that looks interesting, and strange…

infosec_14_encoding

Could this be some type of encoding? Possibly hexadecimal encoding?

First, we don’t need the double forward slash, we just need one. Removing the extra slashes we get the following:

infosec_14_encoding_remove_slash

Using a Hex to ASCII converter here, we get:

infosec_14_solved

We found the flag – infosec_flagis_whatsorceryisthis

Lessons learned:

Our trick still works! We were able to find valuable information when looking at the page source. Going to the file listed we noticed it was a dump of SQL tables. Looking through the tables we noticed suspicious output, which we guessed was some type of encoding. Using information we learned from a previous challenge we were able to deduce that the encoding was hexadecimal encoding. From there we were able to find the flag.

InfoSec Institute CTF #13

Another day, another challenge…

Today’s challenge is from the InfoSec Institute.

Going to the following link, we see the following:

infosec_13_intro

Doing a right click, view page source we see the following:

infosec_13_page_source

So from the hint we’re looking for a back-up file.

Since this is on a Linux box, let’s see what what the naming conventions are for backup files.

Let’s see if there’s a backup folder.

infosec_13_backup

That led us to a dead-end.

Let’s try adding .old at the end of the file.

Adding the “.old” at the end of the URL and pressing enter we get the following:

infosec_13_old

Hmm… this looks like another file. Let’s open it.

Opening the file in a text editor we get the following:

infosec_13_hidden_content

Looking at the file we see the the first paragraph, which matches our first screenshot.

Next we see commented out code, that is asking us to download a mysterious file, “iamadecoy”.

Let’s navigate to this file and see what we find.

After the file downloads, we try to open it.

Hmm… that’s weird when clicking on the file a prompt is shown asking what type of file this is.

Since we don’t know what type of file it is, let’s go to this site here, to find out.

After uploading our file we determine that is a pcap file.

infosec_13_pcap

We’re going to need Wireshark for this one…
Opening Wireshark, and opening our file we’re presented with the following:

infosec_13_wireshark

The beginning of the file is DNS queries that are rejected we can ignore that.

Searching through the file we notice some HTTP requests that are getting files, in particular – HoneyPy.png

Going to packet 633

infosec_13_wireshark_633

We can reconstruct this exchange.

Going to File –> Export Objects –> HTTP

We get the following:

infosec_13_wireshark_http_objects

Our file is highlighted in the above screenshot, so let’s click Save.

Opening the file we get our flag!

infosec_13_flag

Lessons learned:

Use the hints that are provided! We knew that the file we were looking for was a backup.  After playing around with the filenames we discovered that the file we were looking for ended in an “.old”. Once we opened the file we noticed there was another file “imadecoy”. After downloading that file and trying to open it our operating system was confused on the file type. Uploading our file to the above link we determined that the file had a pcap (packet capture) extension, and we would need to use Wireshark.

Opening Wireshark, we determined that the file we needed was inside of an HTTP packet. Reconstructing the packet we were able to download the file we needed. After opening that file we received our flag. This challenge was a multi-step process. It’s very important to pay attention to detail.

 

InfoSec Institute Challenge #12

Another day, another challenge.

Today’s challenge is coming from the InfoSec Institute.

Going to the following link we see the following:

infosec_12_intro

Doing a right click, view page source we see the following:

infosec_12_css

We noticed there’s an extra CSS (Cascading Style Sheets).  Let’s see what’s in this file.

Going to the file we see the following:

infosec_12_css_opened

Hmm… this looks interesting. Knowing a thing or two about CSS, the colors are represented in hex (hexadecimal, base 16) form. More can be found here.

I’m thinking this is the actual flag, but it’s just encoded.

Using out knowledge from other challenges, let’s try base64 decoding, since it has worked before.

Going to the link here, and typing in the encoding we get the following:

infosec_12_base_64_decoding

Our decoding wasn’t successful. This encoding is not base64.

Going back to the challenge, we know that CSS uses hexadecimal to represent colors.

Maybe the encoding is in hexadecimal form.

Going to Google and typing in “converting hexadecimal to text” we get the following link.

Putting our encoding in the text box and changing the decoding to “hexadecimal to text” we get the following:

infosec_12_flag

We found the flag!

Lessons learned:

Attention to detail! We noticed that there was another file when we did the right click, view page source. Going to that page we noticed that there was encoding. We first tried base64 which did not work. Going back to the drawboard on how CSS works, we know the colors are represented in hexadecimal. Doing a Google search of hexadecimal to text we were able to find the flag.

 

InfoSec Institute CTF Challenge #11

Another day, another challenge.

Today’s challenge is from the InfoSec Institute CTF.

Going to the following LINK we see:

infosec_11_beginning

Doing our favorite trick of right click, view page source we see the following:

infosec_11_pagesource

We see an image of “php-logo-virus.jpg” hmm… what happens when we click this file?

We see the following:

infosec_11_php_virus_picture

Looks like a simple file… looks can be deceiving.

Just going from the title of the file, there’s something in this file that we’re not seeing.

Let’s use our trick from the last challenge of using strings to see if this is a true file.

Using the strings command inside our cygwin terminal we see the following:

infosec_11_strings

Hmm… we see the beginning part of the flag. The last looks like encoding.

Let’s try to decode it.

One of the encoding we’ve seen in the challenges have been base64 encoding, so let’s use that to see if we can decode the message.

Going to this link, and typing in the encoding we see the following:

infosec_11_powershell

We’re presented with a link. Going to that link we see the following:

infosec_11_powerslide

Combining the this with the beginning of the flag, we get infosec_flagis_powerslide!

Lessons learned:

Most of these challenges build on top of each. We still used our tried and true right click, view page source to see if there are any nuggets that were not shown on the page. We noticed there was a file. Looking at the name, we determined that there was more than what met the eye. Using another command we learned – strings we were able to see that the flag was embedded in picture, but it was encoded. Using previous knowledge, we noticed that previous challenges used base64 encoding so we used that (base64) to see if we can decode the text. After decoding we went to the link and used the image to complete the flag.