In today’s blog post we will be solving the “WorldChat” challenge from the PicoCTF.
Let’s get started!
Going to the challenge we see:
OK so we need to find the flag inside of the WorldChat app. According to the description when connecting to this app there will be many people on the app besides us.
Let’s look at the hints to see if it will help us.
We need to us the nc command (we’ve used this in another challenge) and use the grep command to filter output.
Let’s try it.
Connecting to the server we see a bunch of chats from different people. I pressed Ctrl + C to stop it.
Let’s use the hints and use the grep command with the “|” (pipe) command.
Press Ctrl + C to end the chat.
I have only captured screenshots of output that has the flag. Entering the flag into the input box we acquired 30 points.
In today’s blog post we are solving the challenge, “What Is Web” from the PicoCTF challenge.
Let’s start!
Clicking on the challenge we see:
OK, so we need to find out how to use HTML.
Looking at the hints we see:
Clicking on the website we see:
Doing a right click, view source we see:
At the bottom of the screen in the green letters (which are comments that are not displayed in the browser) show that we have the first part of the flag.
Now we need to find the second and third part of the flag.
Looking back at the page source we see two different files that are referenced: hacker.css and script.js
Let’s look at hacker.css first and see what’s there.
Going to that file we see the second part of the flag at the top of the browser:
Now let’s look at the script.js file and see if we can find the final part of the flag…
Going to the script.js file we see:
We now have the three parts of the flag!
Combining the parts together and submitting the flag, we’ve acquired 20 points!
We found the flag – infosec_flagis_whatsorceryisthis
Lessons learned:
Our trick still works! We were able to find valuable information when looking at the page source. Going to the file listed we noticed it was a dump of SQL tables. Looking through the tables we noticed suspicious output, which we guessed was some type of encoding. Using information we learned from a previous challenge we were able to deduce that the encoding was hexadecimal encoding. From there we were able to find the flag.
Going to the following link, we see the following:
Doing a right click, view page source we see the following:
So from the hint we’re looking for a back-up file.
Since this is on a Linux box, let’s see what what the naming conventions are for backup files.
Let’s see if there’s a backup folder.
That led us to a dead-end.
Let’s try adding .old at the end of the file.
Adding the “.old” at the end of the URL and pressing enter we get the following:
Hmm… this looks like another file. Let’s open it.
Opening the file in a text editor we get the following:
Looking at the file we see the the first paragraph, which matches our first screenshot.
Next we see commented out code, that is asking us to download a mysterious file, “iamadecoy”.
Let’s navigate to this file and see what we find.
After the file downloads, we try to open it.
Hmm… that’s weird when clicking on the file a prompt is shown asking what type of file this is.
Since we don’t know what type of file it is, let’s go to this site here, to find out.
After uploading our file we determine that is a pcap file.
We’re going to need Wireshark for this one…
Opening Wireshark, and opening our file we’re presented with the following:
The beginning of the file is DNS queries that are rejected we can ignore that.
Searching through the file we notice some HTTP requests that are getting files, in particular – HoneyPy.png
Going to packet 633
We can reconstruct this exchange.
Going to File –> Export Objects –> HTTP
We get the following:
Our file is highlighted in the above screenshot, so let’s click Save.
Opening the file we get our flag!
Lessons learned:
Use the hints that are provided! We knew that the file we were looking for was a backup. After playing around with the filenames we discovered that the file we were looking for ended in an “.old”. Once we opened the file we noticed there was another file “imadecoy”. After downloading that file and trying to open it our operating system was confused on the file type. Uploading our file to the above link we determined that the file had a pcap (packet capture) extension, and we would need to use Wireshark.
Opening Wireshark, we determined that the file we needed was inside of an HTTP packet. Reconstructing the packet we were able to download the file we needed. After opening that file we received our flag. This challenge was a multi-step process. It’s very important to pay attention to detail.
Doing a right click, view page source we see the following:
We noticed there’s an extra CSS (Cascading Style Sheets). Let’s see what’s in this file.
Going to the file we see the following:
Hmm… this looks interesting. Knowing a thing or two about CSS, the colors are represented in hex (hexadecimal, base 16) form. More can be found here.
I’m thinking this is the actual flag, but it’s just encoded.
Using out knowledge from other challenges, let’s try base64 decoding, since it has worked before.
Going to the link here, and typing in the encoding we get the following:
Our decoding wasn’t successful. This encoding is not base64.
Going back to the challenge, we know that CSS uses hexadecimal to represent colors.
Maybe the encoding is in hexadecimal form.
Going to Google and typing in “converting hexadecimal to text” we get the following link.
Putting our encoding in the text box and changing the decoding to “hexadecimal to text” we get the following:
We found the flag!
Lessons learned:
Attention to detail! We noticed that there was another file when we did the right click, view page source. Going to that page we noticed that there was encoding. We first tried base64 which did not work. Going back to the drawboard on how CSS works, we know the colors are represented in hexadecimal. Doing a Google search of hexadecimal to text we were able to find the flag.
Doing our trick of right click, view page source we see the following:
We see the file that we need to download called “app.exe”
Downloading and opening the file we noticed that the application is the netstat command listing our network information.
Since our tricks does not work, we need to find a way to view the source of the application.
One option is to use the linux strings command.
The strings command allows you to find English words in file.
If you are working on a Windows machine (like I am) you can download the cygwin emulator which allows you to do simple Linux commands on a Windows machine.
Note: Make sure when downloading that you add the binutils package to import the strings command.
Copy the app.exe file into the cygwin directory (that you specified in your installation) so you navigate to that file.
After downloading cygwin, and using the strings command we see the following:
We found the flag – infosec_flagis_0x1a!
Lessons learned:
Again, our normal tricks of viewing the page source did not work. We noticed that when we executed the program that it was the netstat command getting information on our network. From there we decided that we would need to see the source of the application to see if the flag was hidden in there. Turns out it was. Overall lesson, be flexible with your tool belt and think outside of the box!
Wireshark is a program that is used to analyze network traffic. Most of the traffic in this file can be ignored as there is a lot of noise that is being displayed.
Looking at the first packet (UDP) we see the following:
We noticed there are a bunch of letters… possibly this is hexadecimal encoding?
Going to Google and searching for “hexadecimal decoding” we see the following link as the first result.
Clicking on the link and typing in the encoding we get the following:
We found the flag!
Lessons learned:
Download Wireshark!
Inspect the packets, and pay attention to those that stand out. Usually the suspicious packets hold clues!
These clues won’t give us the pot of gold on the first try. Most of the data will be obscured. So we will need to encode or decode the data
Once we encode or decode usually the data will be there!
FYI – thenewboston on Youtube has a good beginner tutorial on Wireshark. Which can be found HERE.
Today’s challenge is #5 from the InfoSec Institute CTF Challenge.
Clicking on the following link we’re presented with the following:
After clicking on the checkbox to prevent the page from displaying additional dialogs, and adding “view-source:” to the URL box we see the following:
When viewing the page source further the reason we were getting multiple alert boxes was that it was inside of an infinite for loop. Read more about for loops HERE.
Looking inside the for loop we see that there is a image field titled “aliens”. Clicking on the file we see the following:
At first when I read the meme I was at a loss, as I have never seen or heard this quote before. After doing some digging online, it hit me. What if there’s another secret meaning to this message?
How does one add a secret inside of an image? Steganography.
Saving the image, and doing a quick Google search of Steganography decoder online we’re presented with this site.
Uploading our file, and pressing decode we get the following:
Binary. OK… this doesn’t seem helpful, or is it?
Doing another Google search to decode binary to ASCII we’re presented with this link.
Entering our binary code, we get the following:
We found the flag!
Lessons learned:
Don’t be deterred by the multiple alert boxes!
Using our trick of adding “view-source:” to the beginning of the URL
Reviewing the page source we noticed a file
Opening file we noticed it was a meme
Researching what meme meant
After finding meaning using tools to extract data that we needed
Not being deterred that the extracted data was not in our preferred format (words not binary)
Used Google to research how we could get extracted data into preferred format (words not binary)
Today’s challenge will be #3 from the InfoSec Institute.
Going to the following link we’re presented with the following:
Looking at the screen we’re presented with a qr code.
Doing a right click, view source we see the following:
Doing a quick Google search of “QR code decoder” we go to the following site.
Entering the proper information and uploading our file we see the following:
Doing a Google search of our output the code is actually Morse code!
Another Google search to decode the code gives us the following site.
Putting our code inside of the decoder we get the following:
We found the flag!!!
Lesson learned:
Right click, view page source saves the day again. By doing this we found that there is a qrcode being displayed on the page. Doing a quick Google search we found a QR code decoder that gave us morse code. Another Google search yielded the flag.
When in doubt view page source and Google searches!
Doing a right click view page source we see the following:
Looking at the page we see the following hint – “Hypertext Transmission Protocol”
Pressing F12 to view the developer tools and going to the “Network” tab we see the following:
Inside the set-cookie we see “fusrodah=vasbfrp_syntvf_jrybirpbbxvrf”. This is interesting…
Doing a quick Google search and putting in the second half of our value we get the following link for ROT-13.
ROT-13 is a rotation 13 cipher. This cipher rotates each character by 13 characters.
Using the following site, and putting in our value we get:
We retrieved the flag.
Lessons learned:
Use the hints provided. We our trust right click, view page source, but that didn’t help us. Going back to the page we noticed that the hint was HTTP. Using the development tools inside Chrome and going to the network tab we saw the files retrieved when accessing the site.
Clicking on the page, and viewing the headers we noticed that the cookie was being set. Using this information inside Google we were able to decode the message.
Doing a right click, view source we see:
