
Articles in the CTF Category

CTF »

[25 Jul 2015 | 4 Comments]

Hello, world.
So I was in this CTF competition and my teammate (@aboul3la) found a command injection vulnerability in one of the web application challenges.
If you input `>file.txt`, the server creates a file called file.txt.
We wanted to write a PHP shell to the server (echo "<?PHP CODE>" > file.php).
But the thing is, the challenge had a filter that wouldn't allow a space in the input (Error: Not valid URL).
So we tried a few things, and my first thought was to use some decoding mechanism to produce the "space" from its hex equivalent …

CTF »

[24 Jan 2015 | No Comment]

The last word (crypto200)
Description: Decrypt this
An attachment is supplied: challenge.txt
It looks hex-ish, so I tried hex decoding, with no luck.
Then I noticed it had too many zeros, so I changed every character that's not 0 to 1 and tried treating it as binary.
So as usual I ran to Python: cry200.py
0110001001110101011010010010000001111000011001000110100101110100001000000
1101101011010110010000001101100011100000111001000100000011100100111001101
1001010110110100100000011000100110101000100000011101110111011001110001011
0011101110011011010100010110101100001011101100010110101110000011011000110
0001011101110110111000100000011000100110101000100000010011110110000101110
0110111011001110000011101110111001101110011011001100010000001100001011101
1101110100011000010111011001111000011101110010000001001001010011100100010
10101001101010011
That decodes to:
bui xdit mk lpr rsem bj wvqgsj-av-plawn bj Oasvpwssf awtavxw INESS
From the look of it, it looks like some kind of substitution cipher.
I tried rot-n, with no luck.
I also tried a simple Caesar shift, without luck.
Then I tried the Vigenère cipher …

CTF »

[24 Jan 2015 | No Comment]

OHSHIT (crypto100)
Description: Decrypt the cipher using the encryption program
An attachment is supplied: challenge.7z
It contains an encryption program and crypto.txt, which contains:

Name: Automated Crypter
Description:
Decrypt this:
019t-0-080-3-1b-19t-25z-080-03f-8j-1b-12n-12n
Using this program.
(Note: the - is just a separator)
Hint: Not all letter chars are crypted

I didn't have to solve this with a Python script as usual.
I tried it manually:
./crypto abcdefghijklmnopqrstuvwxyz
Crypted text: 1b3f4g5i8j12n13o16q19t22u25z
./crypto ABCDEFGHIJKLMNOPQRSTUVWXYZ
Crypted text: 01b03f04g05i08j012n013o016q019t022u025z
I noticed something: a character is encrypted to a number followed by the character after it.
The encryption of "s" is "19t".
So just manually I know "019t" is 0+s.
And with trial and error I get:
0s-0-080-3-a-s-y-080-0c-h-a-l-l
But the 0's don't feel right.
So …

CTF »

[24 Jan 2015 | No Comment]

Weird Text (misc100)
Description: Giv m th flg plz !
Part of the supplied file was:

______
____________
_
_______
{
_______
1
______________________
3

_____________
3

____________________
________
4

______
____________
_
_______
}
It looked like it could be flag{STUFF_HERE}.
So if you guess that "______ ____________ _ _______" is "flag", it's easy to work out the obfuscation used:
6 = f
12 = l
1 = a
7 = g
It's obvious it's using the charset abcdefghijklmnopqrstuvwxyz (each letter is written as a run of underscores whose length is its position in the alphabet).
So I wrote a little script to parse it and give the solution: misc100.py
Although doing it by hand would have been feasible too; it's not long.
flag{g1v3-m3-th4-flag}

CTF »

[24 Jan 2015 | No Comment]

Introduction to Keylogging (misc50)
Description: WTF ?: ^[[1;3Aload+^[[1;3Bload+^[[1;3C+here+^[[1;3D4dead
<!-- Hints: MetaKey, Alt key -->
At first I thought it was some obscure format, but I found this page: http://vim.wikia.com/wiki/Get_Alt_key_to_work_in_terminal

URxvt.keysym.M-Up : \033[1;3A
URxvt.keysym.M-Down : \033[1;3B
URxvt.keysym.M-Right : \033[1;3C
URxvt.keysym.M-Left : \033[1;3D
Turns out these are the Alt+UP|DOWN|RIGHT|LEFT key sequences.
flag{upload+download+right+here+left4dead}

CTF »

[19 Jan 2015 | No Comment]

Hello, Internet!
In this challenge you are given a cloudfs file; it was an xz archive.
Extract it and you get cloudfs-31c938df3531611b82fddf0685784a2b67373305ec689015f193a555b756beb21, a network capture dump.
I opened it with Wireshark and searched for the word "key".
I got an ICMP packet with the content: key.tbz
That's a hint telling us to search for bzip2 content in the dump.
I searched the packets for the hex value "42 5a", which is ASCII "BZ", the start of the bzip2 file header.
I found it repeated many times towards the end of the captured packets.
So …

CTF »

[19 Jan 2015 | No Comment]

Hello, world.
MTGO was great; I loved that challenge.
And I hadn't solved anything like it before.
You are supplied with a file mtgo.py and you are supposed to exploit its crypto.
It uses the current time as a seed, then uses random to get random numbers to shuffle the cards.
If you supply the same seed it will always produce the same numbers, and the same order of the cards.
So when you run mtgo.py it gives you the first seven cards of a shuffled deck, and you are supposed to give it back the following …

CTF »

[1 Dec 2014 | No Comment]

Challenge name: 7amamaBook v2
Source code: https://github.com/0xAli/CTF-Challenges/tree/master/7amamabook%20v2
*SPOILERS BELOW*
Vulnerability: Known weak PRNG in PHP.
If you know elements like the IP, PID, seconds and milliseconds, you can calculate the session ID.
Challenge solution:
First use brute force to find the "logs" directory (dirbuster should find it quickly).
Open sessions.txt.
Find the IP, seconds, milliseconds and partial session ID (used to verify the programmatic brute-force result).
Write a brute-force script to guess the Apache process ID.
Then use Cookie Manager+ or any other tool to set the PHPSESSID cookie to the session ID you got.
Then browse to the index (or click 7amamberg in the FAQ) to see …