InfoSec Institute CTF Challenge #14

Another day, another challenge.

Today’s challenge comes from the InfoSec Institute CTF program.

Going to the following link we see the following:

infosec_14_intro

Doing a right click, view page source we see the following:

infosec_14_page_source

Hmm… there’s a file, titled level14 inside the misc folder. Let’s go that file and see what’s there…

Going to the file we see the following:

infosec_14_php_sql_dump

Hmm… it looks like we have a SQL dump that’s showing us all the tables and values inside of a php application.

Scrolling down we see something that looks interesting, and strange…

infosec_14_encoding

Could this be some type of encoding? Possibly hexadecimal encoding?

First, we don’t need the double forward slash, we just need one. Removing the extra slashes we get the following:

infosec_14_encoding_remove_slash

Using a Hex to ASCII converter here, we get:

infosec_14_solved

We found the flag – infosec_flagis_whatsorceryisthis

Lessons learned:

Our trick still works! We were able to find valuable information when looking at the page source. Going to the file listed we noticed it was a dump of SQL tables. Looking through the tables we noticed suspicious output, which we guessed was some type of encoding. Using information we learned from a previous challenge we were able to deduce that the encoding was hexadecimal encoding. From there we were able to find the flag.

InfoSec Institute CTF #13

Another day, another challenge…

Today’s challenge is from the InfoSec Institute.

Going to the following link, we see the following:

infosec_13_intro

Doing a right click, view page source we see the following:

infosec_13_page_source

So from the hint we’re looking for a back-up file.

Since this is on a Linux box, let’s see what what the naming conventions are for backup files.

Let’s see if there’s a backup folder.

infosec_13_backup

That led us to a dead-end.

Let’s try adding .old at the end of the file.

Adding the “.old” at the end of the URL and pressing enter we get the following:

infosec_13_old

Hmm… this looks like another file. Let’s open it.

Opening the file in a text editor we get the following:

infosec_13_hidden_content

Looking at the file we see the the first paragraph, which matches our first screenshot.

Next we see commented out code, that is asking us to download a mysterious file, “iamadecoy”.

Let’s navigate to this file and see what we find.

After the file downloads, we try to open it.

Hmm… that’s weird when clicking on the file a prompt is shown asking what type of file this is.

Since we don’t know what type of file it is, let’s go to this site here, to find out.

After uploading our file we determine that is a pcap file.

infosec_13_pcap

We’re going to need Wireshark for this one…
Opening Wireshark, and opening our file we’re presented with the following:

infosec_13_wireshark

The beginning of the file is DNS queries that are rejected we can ignore that.

Searching through the file we notice some HTTP requests that are getting files, in particular – HoneyPy.png

Going to packet 633

infosec_13_wireshark_633

We can reconstruct this exchange.

Going to File –> Export Objects –> HTTP

We get the following:

infosec_13_wireshark_http_objects

Our file is highlighted in the above screenshot, so let’s click Save.

Opening the file we get our flag!

infosec_13_flag

Lessons learned:

Use the hints that are provided! We knew that the file we were looking for was a backup.  After playing around with the filenames we discovered that the file we were looking for ended in an “.old”. Once we opened the file we noticed there was another file “imadecoy”. After downloading that file and trying to open it our operating system was confused on the file type. Uploading our file to the above link we determined that the file had a pcap (packet capture) extension, and we would need to use Wireshark.

Opening Wireshark, we determined that the file we needed was inside of an HTTP packet. Reconstructing the packet we were able to download the file we needed. After opening that file we received our flag. This challenge was a multi-step process. It’s very important to pay attention to detail.

 

InfoSec Institute Challenge #12

Another day, another challenge.

Today’s challenge is coming from the InfoSec Institute.

Going to the following link we see the following:

infosec_12_intro

Doing a right click, view page source we see the following:

infosec_12_css

We noticed there’s an extra CSS (Cascading Style Sheets).  Let’s see what’s in this file.

Going to the file we see the following:

infosec_12_css_opened

Hmm… this looks interesting. Knowing a thing or two about CSS, the colors are represented in hex (hexadecimal, base 16) form. More can be found here.

I’m thinking this is the actual flag, but it’s just encoded.

Using out knowledge from other challenges, let’s try base64 decoding, since it has worked before.

Going to the link here, and typing in the encoding we get the following:

infosec_12_base_64_decoding

Our decoding wasn’t successful. This encoding is not base64.

Going back to the challenge, we know that CSS uses hexadecimal to represent colors.

Maybe the encoding is in hexadecimal form.

Going to Google and typing in “converting hexadecimal to text” we get the following link.

Putting our encoding in the text box and changing the decoding to “hexadecimal to text” we get the following:

infosec_12_flag

We found the flag!

Lessons learned:

Attention to detail! We noticed that there was another file when we did the right click, view page source. Going to that page we noticed that there was encoding. We first tried base64 which did not work. Going back to the drawboard on how CSS works, we know the colors are represented in hexadecimal. Doing a Google search of hexadecimal to text we were able to find the flag.

 

InfoSec Institute CTF Challenge #11

Another day, another challenge.

Today’s challenge is from the InfoSec Institute CTF.

Going to the following LINK we see:

infosec_11_beginning

Doing our favorite trick of right click, view page source we see the following:

infosec_11_pagesource

We see an image of “php-logo-virus.jpg” hmm… what happens when we click this file?

We see the following:

infosec_11_php_virus_picture

Looks like a simple file… looks can be deceiving.

Just going from the title of the file, there’s something in this file that we’re not seeing.

Let’s use our trick from the last challenge of using strings to see if this is a true file.

Using the strings command inside our cygwin terminal we see the following:

infosec_11_strings

Hmm… we see the beginning part of the flag. The last looks like encoding.

Let’s try to decode it.

One of the encoding we’ve seen in the challenges have been base64 encoding, so let’s use that to see if we can decode the message.

Going to this link, and typing in the encoding we see the following:

infosec_11_powershell

We’re presented with a link. Going to that link we see the following:

infosec_11_powerslide

Combining the this with the beginning of the flag, we get infosec_flagis_powerslide!

Lessons learned:

Most of these challenges build on top of each. We still used our tried and true right click, view page source to see if there are any nuggets that were not shown on the page. We noticed there was a file. Looking at the name, we determined that there was more than what met the eye. Using another command we learned – strings we were able to see that the flag was embedded in picture, but it was encoded. Using previous knowledge, we noticed that previous challenges used base64 encoding so we used that (base64) to see if we can decode the text. After decoding we went to the link and used the image to complete the flag.

InfoSec Institute CTF Challenge #10

Another day, another challenge…

Today’s challenge will be on Challenge #10 from the InfoSec Institute CTF program.

Going to the following link we’re provided with the following page.

infosec_10_intro

Doing a right click view page source we see the following:

infosec_10_pagesource

There’s a listen button. If we click on that button we’re presented with a flag.nav file. Maybe the flag is in there? Let’s see.

Opening the file we noticed that the file is one second, and we can’t hear the audio.

Going back to the original page and doing a right click save link as… allows us to save the audio.

 

There’s a GREAT application called Audacity that can be used to change the pitch and speed of an audio file.

Going here you will be presented with the Audacity webpage.

Downloading Audacity and opening the flag.wav file we see the following:

infosec_10_flag_audacity

Playing the file it’s still inaudible.

Like I wrote above, with Audacity you can change the speed of sound of the audio without changing the pitch.

Going to the toolbar and selecting effects there’s a “changing speed” option. Clicking this option we can specify different speeds. After playing with the different speeds (.75x, .50x) and making it .22x and playing the audio again we can hear the flag.

The flag is:

infosecflag_is_sound.

We found the flag!

Lessons learned:

Our trick of doing the right click view source helped a little bit. When doing this we noticed that there is a file we needed to download. After downloading the file and playing the audio it was inaudible. Going to Google we downloaded an application that aided us to in interpreting the audio. After adjusting the speed we were able to get the flag.

InfoSec Institute CTF Challenge #9

Another day, another challenge…

Today’s challenge will be #9 from the InfoSec Institute CTF.

Going HERE we’re presented with the following:

infosec_9_intro

Doing our handy source of right clicking viewing the page source we see the following:

infosec_9_pagesource

We see that there’s a form that takes a username and password.

Using the hint from the challenge we know we’re looking for a CISCO IDS login.

Going to Google and typing in “common username and password for CISCO IDS” we’re presented with the following link.

Searching the link for username and passwords we see the following:

infosec_9_username_passwords

Going back to our login screen and entering the first username of “netangr” and password “attack” we get the following:

infosec_9_netangr

The username and password didn’t work 😦

Let’s try the second username of “root” and password of “attack”.

infosec_9_root

We’re presented with the flag… but it looks like gibberish.

infosec_9_flag

Inspecting the flag closely we noticed that it is backwards.

The flag is infosec_flagis_defaultpass!

Lesson learned:

Our handy trick of looking at the page source did not work. It revealed that challenge was using a form. Looking at the webpage we noticed that there is a hint – CISCO IDS. Using this information we know that most devices have a default username and password. Going to Google we found the webpage that listed a default username and password. The first username did not work, second one did. From that we found the flag even though to the naked eye one might ignore it. Looking at the flag again we noticed that the flag was written backwards. After putting the flag in the correct order we were able to see it.

InfoSec Institute CTF Challenge #8

Another day, another challenge…

Today’s challenge will be on CTF Challenge #8 from InfoSec Institute.

Going to the following link

We see the following page.

infosec_8_intro

We’re introduced with the downloading a file.

Doing our trick of right click, view page source we see the following:

infosec_8_pagesource

We see the file that we need to download called “app.exe”

Downloading and opening the file we noticed that the application is the netstat command listing our network information.

Since our tricks does not work, we need to find a way to view the source of the application.

One option is to use the linux strings command.

The strings command allows you to find English words in file.

If you are working on a Windows machine (like I am) you can download the cygwin emulator which allows you to do simple Linux commands on a Windows machine.

To download cygwin go here.

Note: Make sure when downloading that you add the binutils package to import the strings command.

Copy the app.exe file into the cygwin directory (that you specified in your installation) so you navigate to that file.

After downloading cygwin, and using the strings command we see the following:

infosec_8_flag

We found the flag – infosec_flagis_0x1a!

Lessons learned:

Again, our normal tricks of viewing the page source did not work. We noticed that when we executed the program that it was the netstat command getting information on our network. From there we decided that we would need to see the source of the application to see if the flag was hidden in there. Turns out it was. Overall lesson, be flexible with your tool belt and think outside of the box!