Saturday, August 27, 2016

IceCTF Writeups

Over the past couple of weeks, I participated in an Icelandic capture the flag competition, hosted by IceCTF. The challenges ranged from very easy to quite difficult. I managed to solve about a dozen or so challenges, so this post will be quite long.

Vape Nation - Stego 50pts.

Description: Go Green! vape_nation.png

For this challenge you were given a .png image (seen below).

*Image*

To find the flag, I used a nifty program called StegSolve. From there, I played around with some of the analysis options until I found the flag using the "Green plane 0" setting.


Flag : IceCTF{420_CuR35_c4NCEr}
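What StegSolve's "Green plane 0" view shows is bit 0 of the green channel of every pixel, drawn as a black-and-white image. The script below is an added example (not part of the original write-up) that does the same thing by hand: it hides a short message in the green LSBs of a constructed 8x4 cover, extracts that one bit plane, and reads the bytes back out. The pixel data, the message and the cover colours are all constructed for the demonstration; no image file is read.

```python
# Added example (not from the original write-up): what StegSolve's
# "Green plane 0" view computes, done by hand on constructed pixels.
# Pixels are (R, G, B) tuples in row-major order; no image file is read.

def channel_plane(pixels, width, height, channel, bit):
    """Return a height x width grid of 0/1 holding `bit` of `channel` (0=R, 1=G, 2=B)."""
    plane = []
    for y in range(height):
        row = []
        for x in range(width):
            value = pixels[y * width + x][channel]
            row.append((value >> bit) & 1)
        plane.append(row)
    return plane


def render_plane(plane):
    """ASCII view of a plane: '#' where the bit is 1, '.' where it is 0."""
    return "\n".join("".join("#" if b else "." for b in row) for row in plane)


def plane_to_bytes(plane):
    """Read the plane row by row, 8 bits per byte, most significant bit first."""
    bits = [b for row in plane for b in row]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def embed_in_channel_lsb(pixels, message, channel):
    """Hide `message` in bit 0 of one channel, one bit per pixel, row-major."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("message does not fit in the cover")
    stego = []
    for idx, px in enumerate(pixels):
        px = list(px)
        if idx < len(bits):
            px[channel] = (px[channel] & ~1) | bits[idx]
        stego.append(tuple(px))
    return stego


def recover(pixels, width, height, channel, bit):
    """Extract one bit plane and interpret it as bytes: the manual
    equivalent of reading StegSolve's 'Green plane 0' image."""
    return plane_to_bytes(channel_plane(pixels, width, height, channel, bit))


# Constructed cover image: 8x4 pixels with slightly varying green, so the
# cover's own LSBs are not all zero.  4 message bytes = 32 bits = 32 pixels.
WIDTH, HEIGHT = 8, 4
COVER = [(200, 120 + (i % 7), 30) for i in range(WIDTH * HEIGHT)]
STEGO = embed_in_channel_lsb(COVER, b"flag", channel=1)

if __name__ == "__main__":
    print(render_plane(channel_plane(STEGO, WIDTH, HEIGHT, channel=1, bit=0)))
    print(recover(STEGO, WIDTH, HEIGHT, channel=1, bit=0))
```

The red plane of the same stego image decodes to nothing (the constructed red value is even everywhere), and the cover's own green plane does not decode to the message, which is the same reason the hidden text only pops out in one of StegSolve's plane views.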

Corrupt Transmission - Forensics 50pts.

Description: We intercepted this image, but it must have gotten corrupted during the transmission. Can you try and fix it? corrupt.png

Trying to open the image file results in an error, so the logical next step is to fix it and see what the image is hiding. The first thing I did was open up the file in a hex editor to see what's going on behind the scenes:


We can see that the first 8 bytes do not match the PNG signature (89 50 4E 47 0D 0A 1A 0A). I then edited them to the correct bytes and re-opened the file in the image viewer to receive the flag:

Flag: IceCTF{t1s_but_4_5cr4tch}
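Fixing the signature is the first thing to try, but a "corrupted" PNG can also have damaged chunk lengths or CRCs that a viewer will reject even after the header is right. The script below is an added example (not from the original write-up) that checks the signature, walks the chunks, verifies each CRC-32, and repairs the signature the way the hex edit above did. It runs on a constructed 1x1 PNG, not on the challenge's corrupt.png.

```python
# Added example (not from the original write-up): check a PNG's 8-byte
# signature and chunk CRCs, and repair the signature.  The file used here
# is a constructed 1x1 image, not the challenge's corrupt.png.
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"   # 89 50 4E 47 0D 0A 1A 0A


def build_chunk(ctype, body):
    """Length, type, data, CRC-32 over type+data (the PNG chunk layout)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def iter_chunks(data):
    """Yield (type, offset, body, crc_ok) for each chunk after the signature."""
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_field) < 4:
            yield ctype, pos, body, False          # truncated chunk
            return
        expected = zlib.crc32(ctype + body) & 0xFFFFFFFF
        yield ctype, pos, body, struct.unpack(">I", crc_field)[0] == expected
        pos += 12 + length
        if ctype == b"IEND":
            return


def check_png(data):
    """Summarize what is wrong: signature, chunks with bad CRCs, IHDR fields."""
    report = {"signature_ok": data[:8] == PNG_SIGNATURE, "bad_crc": [], "ihdr": None}
    for ctype, offset, body, crc_ok in iter_chunks(data):
        if not crc_ok:
            report["bad_crc"].append((ctype.decode("latin-1"), offset))
        if ctype == b"IHDR" and len(body) == 13:
            width, height, depth, color = struct.unpack(">IIBB", body[:10])
            report["ihdr"] = (width, height, depth, color)
    return report


def repair_signature(data):
    """Overwrite the first 8 bytes with the real signature (the fix used above)."""
    if len(data) < 8:
        raise ValueError("too short to be a PNG")
    return PNG_SIGNATURE + data[8:]


# Constructed 1x1 8-bit grayscale PNG: IHDR, one IDAT (filter byte + pixel), IEND.
IHDR = build_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
IDAT = build_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
IEND = build_chunk(b"IEND", b"")
GOOD_PNG = PNG_SIGNATURE + IHDR + IDAT + IEND

# Two kinds of damage: a wrong signature byte (as in the challenge) and a
# flipped byte inside IHDR, which the signature fix alone would not catch.
BAD_SIGNATURE = b"\x90" + GOOD_PNG[1:]
BAD_IHDR = GOOD_PNG[:16] + b"\x02" + GOOD_PNG[17:]

if __name__ == "__main__":
    print(check_png(BAD_SIGNATURE))
    print(check_png(repair_signature(BAD_SIGNATURE)))
    print(check_png(BAD_IHDR))
```

If the report shows a bad CRC on IHDR or IDAT after the signature is repaired, the next thing to inspect is the chunk body itself (dimensions in IHDR are a common target), because fixing the CRC to match corrupted data only makes the viewer render garbage instead of refusing the file.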

Audio Problems - Stego 50pts.

Description:

For this task we are given an audio file. I opened up the file in Audacity and tried playing it - no such luck for any recognizable audio. I switched to the Spectrogram view, in which I could see there was definitely something hiding within the file's audio frequencies. After playing with the settings to see if I could get a better visualization, the "Hamming" window type revealed the flag (or at least as close as I could get it):

Flag : IceCTF{y0U_b3t7Er_l15TeN_cL053lY}

Flag Storage - Web 50pts.

Description: What a cheat, I was promised a flag and I can't even log in. Can you get in for me? flagstorage.vuln.icec.tf. They seem to hash their passwords, but I think the problem is somehow related to this.

Navigating to the URL provides us with a login page:

I first checked for the obvious things like default administrator credentials, such as admin/admin, root/root, etc. From there, I decided to check whether this page was vulnerable to SQL injection. Using a basic string ( ' OR 1=1#; ), I was successfully logged in and given the flag:

Flag: IceCTF{why_would_you_even_do_anything_client_side}
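To see why hashing the password does nothing against that payload, it helps to look at the query shape it exploits. The script below is an added example (not from the original write-up, and not the challenge site's code; its table, user and hashing scheme are constructed) that builds the login query the vulnerable way and the parameterized way in SQLite. One adjustment: `#` is MySQL comment syntax, SQLite only understands `--`, so the payload here uses `-- ` where the one above used `#`.

```python
# Added example (not from the original write-up): the login query shape the
# payload above exploits, in SQLite, next to the parameterized version.
# The table, user and hash scheme are constructed; the real site's schema
# is not known.  SQLite comments with "--" (the "#" in the payload above
# is MySQL comment syntax), so the payload is adjusted accordingly.
import hashlib
import sqlite3


def make_db():
    """In-memory users table with one account and a hashed password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", hashlib.sha256(b"not-guessable").hexdigest()))
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Builds the statement by string formatting: the username is pasted into SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = ("SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
             % (username, pw_hash))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Same query with bound parameters: the username is data, never SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, pw_hash)).fetchone()
    return row[0] if row else None


# Closes the quote, makes the WHERE clause true, and comments out the
# password_hash comparison, so the hash value sent never matters.
PAYLOAD = "' OR 1=1-- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_login(db, PAYLOAD, "anything"))
    print("safe:      ", safe_login(db, PAYLOAD, "anything"))
```

With the vulnerable version the statement becomes `... WHERE username = '' OR 1=1-- ' AND password_hash = '...'`, returning the first user in the table regardless of what was typed in the password field; the parameterized version compares the literal string `' OR 1=1-- ` against the username column and finds nothing.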

Saturday, August 13, 2016

OSCP: Update

Long time no see

I haven't been keeping up with this blog very much, but hopefully I'll be adding more content to it in the near future. At the time of writing this post, I have 15 days left in the OSCP labs. To summarize my time so far: wow. 

I can easily say that this certification is one of the toughest challenges I've faced in my career so far. No words can really describe the feeling of spending endless hours enumerating a host, trying various methods of attack, failing, and starting over until you finally achieve your goal. It is absolutely rewarding to see that shell up on your screen for the first time.

So far I have a total of 8 hosts with administrator/system level privileges, and another 2 with low privilege shells. I have also unlocked a secondary network. I would say the majority of the hosts I've owned were low-hanging fruit - in terms of finding exploitable services, they were fairly easy. But it's clear to me that the remaining hosts offer plenty of challenge.

One recommendation I would make is to get the course exercises done ASAP. I worked slowly through the exercises and ended up finishing them somewhere around the 2nd of 3 months of my lab access. While I got to work through everything at my own pace, I feel that I should have allocated more time to focus on the actual lab penetration test. Needless to say, I am considering purchasing additional lab time to really make sure I am prepared for the exam.

Regardless of my final status at the end of this, I feel that I have learned a ton about penetration testing and methods of exploitation. This course challenges you to learn, and doesn't hold your hand. For the price, it's a pretty incredible value. You might hate yourself when you're in the thick of it, but it's all worth it in the end.

Saturday, July 30, 2016

Trend Micro CTF 2016 Write-Ups

Misc./IoT - 100 pts.

Description:

Category: Misc(iot and network)
Points: 100
Please analyze this pcap.
*file*
Decrypt the downloaded file by the following command.
> unzip files21.zip
> openssl enc -d -aes-256-cbc -k gcCbBJN5pIHiL8JiJ8Xj -in files21.enc -out files21_ok.zip
> unzip files21_ok.zip


After opening the file in Wireshark, it seems that we are viewing the history of someone interacting with a machine over telnet. They attempt to log in using default credentials like admin/admin, and finally succeed with an account called "reds". They then start to check things like users on the machine, disk space, and network connectivity. Eventually, we get to some ESP packets that were sent along an encrypted tunnel.

After doing some googling on ESP packets, I found a Wireshark forum thread about decrypting ESP packets: https://ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets

Basically following those exact instructions allowed me to decrypt the packets and see what the attacker was up to. Luckily, there was a packet that showed the encryption/authentication keys in plaintext. 

We can see that the results show a few HTTP GET requests, and of particular interest is a request for "/img/flag.png".


Grabbing that image gives us our flag.

FLAG: TMCTF{GO_FOR_THE_CL}
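What the Wireshark forum instructions amount to is giving the ESP dissector a security association: under the ESP protocol preferences you enable decoding of encrypted payloads and add an SA row keyed on the SPI with the encryption and authentication algorithms and the keys recovered from the capture. The script below is an added example (not from the original write-up, and not the challenge's keys or traffic) showing the packet layout Wireshark is working with (RFC 4303): it parses the SPI and sequence number, checks the HMAC-SHA-1-96 integrity value with an authentication key, and strips the ESP trailer from a decrypted payload. The AES-CBC decryption step itself is left out because it needs a crypto library; the payload here is constructed and treated as already decrypted, and the key and inner data are made up for the demonstration.

```python
# Added example (not from the original write-up): the ESP packet layout
# (RFC 4303) that Wireshark works with once it has the SA keys: parse the
# SPI and sequence number, check the HMAC-SHA-1-96 ICV with the
# authentication key, and strip the trailer from a decrypted payload.
# The AES-CBC decryption step is left out (it needs a crypto library);
# the payload below is constructed and already in the clear.
import hashlib
import hmac
import struct

ICV_LEN = 12   # HMAC-SHA-1-96: the 20-byte HMAC-SHA1 tag truncated to 96 bits


def parse_esp(packet, icv_len=ICV_LEN):
    """Split an ESP packet into SPI, sequence number, protected payload and ICV."""
    if len(packet) < 8 + icv_len:
        raise ValueError("too short for an ESP packet")
    spi, seq = struct.unpack(">II", packet[:8])
    return {"spi": spi, "seq": seq, "payload": packet[8:-icv_len], "icv": packet[-icv_len:]}


def verify_icv(packet, auth_key, icv_len=ICV_LEN):
    """Recompute the ICV over everything but the ICV itself; compare in constant time."""
    tag = hmac.new(auth_key, packet[:-icv_len], hashlib.sha1).digest()[:icv_len]
    return hmac.compare_digest(tag, packet[-icv_len:])


def split_trailer(plaintext):
    """A decrypted payload ends with padding, Pad Length and Next Header."""
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len + 2 > len(plaintext):
        raise ValueError("pad length exceeds payload")
    return next_header, plaintext[:len(plaintext) - pad_len - 2]


def build_esp(spi, seq, payload, auth_key, icv_len=ICV_LEN):
    """Assemble header + payload and append the ICV (the sender's side)."""
    body = struct.pack(">II", spi, seq) + payload
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()[:icv_len]


# Constructed values: not the keys or traffic from the challenge pcap.
AUTH_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")   # 20-byte HMAC-SHA1 key
INNER = b"GET /img/flag.png HTTP/1.1\r\n"    # stands in for the inner TCP segment (28 bytes)
PADDING = bytes([1, 2])                       # RFC 4303 default pad bytes 1, 2, ...; pads to 32
PLAINTEXT = INNER + PADDING + bytes([len(PADDING), 6])   # Next Header 6 = TCP
PACKET = build_esp(0x1000ABCD, 7, PLAINTEXT, AUTH_KEY)
TAMPERED = PACKET[:20] + bytes([PACKET[20] ^ 0x01]) + PACKET[21:]   # one payload bit flipped

if __name__ == "__main__":
    fields = parse_esp(PACKET)
    print("SPI 0x%08x seq %d ICV ok=%s" % (fields["spi"], fields["seq"],
                                           verify_icv(PACKET, AUTH_KEY)))
    print("tampered ICV ok=%s" % verify_icv(TAMPERED, AUTH_KEY))
    print(split_trailer(fields["payload"]))
```

The SPI is what ties a packet to the right SA row, so if Wireshark shows the packets as still encrypted after the keys are entered, the first thing to compare is the SPI in the row against the one in the packet header; a wrong authentication key shows up as ICV check failures rather than as garbage plaintext.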

Friday, April 15, 2016

sCTF 2016 Q1 CTF Write-Ups

Over the past week, I participated in an online jeopardy-based CTF competition hosted by sCTF. While sCTF is primarily aimed at high school students interested in hacking and infosec, they allowed other competitors to participate for fun. I was surprised at the overall level of difficulty that the challenges offered! Below are a few quick write-ups for the challenges I completed.

rev1

This was the first reverse engineering problem. You were given a binary file, called rev1. Running the binary gives you this:

What is the magic password?

I decided to run strings against the binary, and was given this output:

aaron@ubuntu:~/Downloads$ strings rev1 | less
... GLIBC_2.2.5 
UH- 
fffff. 
h4x0r!!!H 
[]A\A]A^A_ 
What is the magic password? 
Correct! Your flag is: %s 
;*3$" 
GCC: (Debian 4.9.2-10) 4.9.2
GCC: (Debian 4.8.4-1) 4.8.4
...
Seeing that "h4x0r!!!" looks a bit out of place, I tested that as the flag. Lo and behold, it worked!

Flag: sctf{h4x0r!!!}
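The `strings` run above is the whole technique: printable runs of at least four bytes, then a human spotting the one that does not look like a linker symbol or a compiler tag. The script below is an added example (not from the original write-up) that implements that scan over a constructed byte blob laid out like the output above, adds the UTF-16LE scan that `strings -e l` provides and the default run misses (common in Windows binaries), and applies a crude noise filter so the out-of-place candidate is what remains. The blob is constructed; it is not the rev1 binary.

```python
# Added example (not from the original write-up): the core of what `strings`
# does, plus the UTF-16LE scan (`strings -e l`) that the default run skips,
# and a crude filter for compiler and linker noise.  The byte blob is
# constructed to resemble the output above; it is not the rev1 binary.
import re

NOISE_PREFIXES = ("GLIBC_", "GCC:", "__", "_ITM", ".")   # heuristic, not exhaustive


def extract_strings(data, min_len=4):
    """Runs of printable ASCII of at least min_len bytes, with their offsets."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def extract_wide_strings(data, min_len=4):
    """Runs of UTF-16LE printable characters (each ASCII byte followed by NUL)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pattern.finditer(data)]


def candidates(found):
    """Drop obvious toolchain noise; what is left is worth trying as input."""
    return [s for _, s in found if not s.startswith(NOISE_PREFIXES)]


# Constructed blob: an ELF-like header, a GLIBC version tag, the strings the
# binary printed, a UTF-16LE string the ASCII scan cannot see, and a GCC tag.
SAMPLE = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
          + b"GLIBC_2.2.5\x00" + b"UH-\x00"
          + b"h4x0r!!!\x00"
          + b"What is the magic password?\x00"
          + b"Correct! Your flag is: %s\x00\x00"
          + "wide-only".encode("utf-16-le") + b"\x00\x00"
          + b"GCC: (Debian 4.9.2-10) 4.9.2\x00")

if __name__ == "__main__":
    for offset, s in extract_strings(SAMPLE):
        print("%6d  %s" % (offset, s))
    print("candidates:", candidates(extract_strings(SAMPLE)))
    print("wide:", extract_wide_strings(SAMPLE))
```

Note that "UH-" drops out at the default minimum length of four, and "ELF" only appears with `min_len=3`; when a password or key is short, rerun with a lower threshold before concluding it is not stored in the clear.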

Banana Boy

This was the first forensics challenge. You were given a rather curious image of a toddler eating a banana, called carter.jpeg.


The first thing I checked was the metadata. Unfortunately, the EXIF data did not turn up anything interesting. From this point I could conclude that a steganographic technique was used to hide the flag within this image. After some research, I stumbled upon an image analysis program called StegSolve. I loaded up our image and played around with some of the analysis tools provided.

After messing around with the program, I used the "Frame Browser" utility. To my surprise, there were 2 frames! The second frame (shown below) reveals the flag, and Michael Cera.


Flag: sctf{twf_d4nk_m3m3s_w1ll_a1w4y5_pr3v4il}
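A second "frame" in a JPEG usually means a second complete image sitting after the first one's EOI marker, which a viewer ignores and a frame browser shows. Whether carter.jpeg was built that way is not stated above, but it is the check worth running before reaching for a stego tool, and the naive way of doing it (counting FF D8 FF occurrences) is wrong because EXIF thumbnails are whole JPEGs nested inside the first image's APP1 segment. The script below is an added example (not from the original write-up) that walks the marker segments to find where each image really ends and carves what follows; the sample bytes, including the nested thumbnail, are constructed and are structurally valid marker streams rather than decodable pictures.

```python
# Added example (not from the original write-up): walk a JPEG's marker
# segments to find where the first image really ends, then look for a
# second image appended after it.  The sample is constructed, including an
# EXIF thumbnail (a JPEG nested inside APP1) that a plain search for
# FF D8 FF would miscount as a separate image.

SOI = b"\xff\xd8\xff"


def jpeg_end(data, start):
    """Given an SOI at `start`, return the offset just past its EOI, or None."""
    pos = start + 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                          # lost marker sync
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI
            return pos + 2
        if marker == 0xFF:                       # fill byte
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")   # length covers itself
        if marker == 0xDA:                       # SOS: entropy-coded data follows
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                        # a real marker, not stuffing or a restart
                pos += 1
    return None


def find_jpegs(data):
    """(start, end) of every complete JPEG in the buffer, skipping nested thumbnails."""
    spans, pos = [], 0
    while True:
        start = data.find(SOI, pos)
        if start < 0:
            return spans
        end = jpeg_end(data, start)
        if end is None:
            pos = start + 2                      # malformed: resume after this SOI
            continue
        spans.append((start, end))
        pos = end


def carve(data):
    """The bytes of each image found, ready to be written out separately."""
    return [data[s:e] for s, e in find_jpegs(data)]


def segment(marker, body):
    """Marker, 2-byte length (including itself), body."""
    return b"\xff" + bytes([marker]) + (len(body) + 2).to_bytes(2, "big") + body


def tiny_jpeg(scan):
    """Structurally valid marker stream (not decodable pixels): SOI, APP0, SOS, scan, EOI."""
    return (b"\xff\xd8" + segment(0xE0, b"JFIF\x00") + segment(0xDA, b"\x01\x01\x00")
            + scan + b"\xff\xd9")


THUMB = tiny_jpeg(b"\x12\x34")
FIRST = (b"\xff\xd8" + segment(0xE1, b"Exif\x00\x00" + THUMB)   # APP1 with nested thumbnail
         + segment(0xDA, b"\x01\x01\x00")
         + b"\xab\xff\x00\xcd\xff\xd0\xef"                          # stuffed FF 00 and a restart
         + b"\xff\xd9")
SECOND = tiny_jpeg(b"\x99\x88\x77")
SAMPLE = FIRST + SECOND

if __name__ == "__main__":
    print("naive SOI count:", SAMPLE.count(SOI))    # 3: first, thumbnail, second
    print("images found:   ", find_jpegs(SAMPLE))   # 2 spans
```

The marker walk matters in both directions: it stops the thumbnail from being reported as a separate image, and because FF bytes inside scan data are always stuffed as FF 00 (or are restart markers FF D0 to FF D7), it also does not stop early at a false EOI inside the compressed pixels.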