Commit 9471b442 authored by Fabian Würfl

Merge branch 'cybertalents2017' into 'master'

Cybertalents2017

See merge request !23
parents f2276c54 a7ce8c15
# easyctf 2017
* **Link:** https://cybertalents.com
* **Date & Time:** Thu, 06 April 2017, 10:00 CEST — Sat, 08 April 2017, 22:00 CEST
* **Type:** Jeopardy
* **Team name:** tinfoilhats
* **Result:** Rank 86 (of 523), 750 points
## Solved challenges:
*Note: We haven't included write-ups for all solved challenges, as there were
quite a few "question answering"-challenges*
| Category | Name | Points | link to writeup |
|----------|------|--------|-----------------|
| Web | Admin has the power | 50 | [writeup](/web/cybertalents2017-admin-has-the-power.md) |
| Forensics | Partition lost | 50 | [writeup](/forensics/cybertalents2017-partition-lost.md) |
| Reversing | getting started | 50 | [writeup](/reversing/cybertalents2017-getting-started.md) |
| Forensics | Lost Files | 100 | [writeup](/forensics/cybertalents2017-lost-files.md) |
| Crypto | Guess the Password | 50 | [writeup](/crypto/cybertalents2017-guess-the-pw.md) |
| Crypto | Crack the hash | 25 | [writeup](/crypto/cybertalents2017-crack-the-hash.md) |
| Forensics | Hidden Message | 25 | [writeup](/forensics/cybertalents2017-hidden-message.md) |
| Forensics | G&P list | 25 | [writeup](/forensics/cybertalents2017-gp-list.md) |
| LOTR Hero Mania | getting started | 50 | [writeup](/reversing/cybertalents2017-lotr-hero-mania.md) |
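Review bot: The top-level heading of this new event page reads `# easyctf 2017`, but the link, result and write-up paths below it all belong to Cybertalents 2017; it looks carried over from the easyCTF page and should be renamed. The last table row also has shifted columns: `LOTR Hero Mania` sits in the Category column and the Name is `getting started`, while the link points to `/reversing/cybertalents2017-lotr-hero-mania.md`, so the row should start `| Reversing | LOTR Hero Mania | 50 |`.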
# [Cybertalents 2017](https://cybertalents.com) - Crack the hash (25 pts)
> A hacker leaked the below hash online.
> Can you crack it to know the password of the CEO?
> 1ab566b9fa5c0297295743e7c2a6ec27
duckduckgo for the hash, first result is:
https://md5.gromweb.com/?string=Iamtheflag
flag = `Iamtheflag`
> Solved & write-up written by Fabian Würfl
# [Cybertalents 2017](https://cybertalents.com) - Guess the Password (50 pts)
> A hacker leaked the below hash online.
> Can you crack it to know the password of the CEO? the flag is the password
> Hash: `06f8aa28b9237866e3e289f18ade19e1736d809d`
* First try: crackstation.net -> no success
* Second try: duckduckgo for the hash. First result:
https://github.com/ctfs/write-ups-2015/tree/master/cyber-security-challenge-2015/cryptography/guess-the-algorithm
-> seems like the same hash was already in a challenge of another CTF two years
ago
flag: `jrahyn+`
*50 points in under a minute - Oh yeah! xD*
> Solved & write-up written by Fabian Würfl
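Review bot: The write-up gives the flag without saying which algorithm produced the 40-hex-character hash, and the only evidence is a link to another CTF's challenge named `guess-the-algorithm`. Please state the algorithm and how the plaintext was confirmed against the hash from the challenge text, so the result can be checked without following the external link.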
# [Cybertalents 2017](https://cybertalents.com) - G&P List (25 pts)
> Just Open the File and Capture the flag . Submission in MD5
>
> Challenge Link:
> [G&P+lists.docx](./_resources/cybertalents2017-gp-list/G%26P+lists.docx)
It is a valid .docx file (displays correctly in LibreOffice). However, doc(x)
files are internally just zip archives:
```
$ file G\&P+lists.docx
G&P+lists.docx: Zip archive data, at least v2.0 to extract
```
opening the file/archive in an archive mounter, we see a file called `flag.txt`.
This contains the flag.
![text file inside the .docx](./_resources/cybertalents2017-gp-list/screenshot.png)
flag: `877c1fa0445adaedc5365d9c139c5219`
> Solved & write-up written by Fabian Würfl
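Review bot: The challenge asks for "Submission in MD5", but the text after the `file` output does not say whether `flag.txt` already held the 32-character value given as the flag or whether its content was hashed to obtain it. Add one sentence on that, and replace "an archive mounter" with the tool or command actually used so the step can be reproduced.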
# [Cybertalents 2017](https://cybertalents.com) - Hidden Message (25 pts)
> A cyber Criminal is hiding information in the below file. capture the flag ?
> submit Flag in MD5 Format
>
> Challenge Link: [hidden_message.jpg](./_resources/cybertalents2017-hidden-message/hidden_message.jpg)
```
$ file hidden_message.jpg
hidden_message.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 768x432, frames 3
$ exiftool hidden_message.jpg
ExifTool Version Number : 10.36
File Name : hidden_message.jpg
Directory : .
File Size : 72 kB
File Modification Date/Time : 2017:04:07 00:57:48+02:00
File Access Date/Time : 2017:04:07 00:58:07+02:00
File Inode Change Date/Time : 2017:04:07 00:57:48+02:00
File Permissions : rw-rw-r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : inches
X Resolution : 96
Y Resolution : 96
Exif Byte Order : Big-endian (Motorola, MM)
Current IPTC Digest : c51d5b8d73a91167e7fe4bbe5b41e2c9
Envelope Record Version : 2
Coded Character Set : UTF8
Application Record Version : 2
Copyright Notice : b1a1f2855d2428930e0c9c4ce10500d5
Image Width : 768
Image Height : 432
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 768x432
Megapixels : 0.332
```
flag: `b1a1f2855d2428930e0c9c4ce10500d5` (the copyright notice)
> Solved & write-up written by Fabian Würfl
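Review bot: The `exiftool` output contains two 32-hex-character fields, `Current IPTC Digest` and `Copyright Notice`, and the write-up only asserts that the second one is the flag. A sentence on why the copyright field was chosen (or that the digest was tried and rejected) would close that gap. The dump could also be trimmed to the metadata fields that matter, since the file timestamps and permissions are local to the solver's machine.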
# [Cybertalents 2017](https://cybertalents.com) - Lost Files (100 pts)
> I lost all my files :( . capture the flag !!!
>
> Challenge Link: https://s3-eu-west-1.amazonaws.com/talentchallenges/Forensics/lost_files.mem.001
**Note:** *Due to the filesize (~125 MB), I have not included the file into the
repo. Maybe we find a place to upload/mirror such files in the future.*
sha256sum of the file:
```
38b1ccd215d56cb074beeb9ca77a6417be9637643197e4563154157f0c222d5d lost_files.mem.001
```
```
$ file lost_files.mem.001
lost_files.mem.001: DOS/MBR boot sector, code offset 0x58+2, OEM-ID "MSDOS5.0", sectors/cluster 2, reserved sectors 37, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 63, sectors 256977 (volumes > 32 MB) , FAT (32 bit), sectors/FAT 996, rootdir cluster 7462, serial number 0x7fa1ddf, unlabeled
```
Opened the file in autopsy, there were again deleted files.
Including one called `0xbb.doc.bak` which seems to include the beginning of the
flag. Unfortunately, just the beginning of the flag doesn't help much. I then
discovered a file called `Del.txt` in the trash. At the very end of it, there
was the flag:
flag: `Flag(You_Get_It_2)`
Pictures:
![Screenshot 01](./_resources/cybertalents2017-lost-files/screenshot-01.png)
![Screenshot 02](./_resources/cybertalents2017-lost-files/screenshot-02.png)
> Solved & write-up written by Fabian Würfl
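Review bot: "there were again deleted files" refers back to something this file does not contain; link the Partition Lost write-up or drop "again". The paragraph also says `0xbb.doc.bak` holds the beginning of the flag without showing it, and the `file` output identifies a FAT (32 bit) volume although the download is named `lost_files.mem.001`; a short remark on both would help readers following along.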
# [Cybertalents 2017](https://cybertalents.com) - Partition Lost (50 pts)
> Our Company's CEO had a car accident. His HDD was damaged and he lost all his files and partitions. Can you help him to recover his important data
>
> Challenge Link: https://s3-eu-west-1.amazonaws.com/talentchallenges/Forensics/partition-lost.img
**Note:** *Due to the filesize (~170 MB), I have not included the file into the
repo. Maybe we find a place to upload/mirror such files in the future.*
sha256sum of the file:
```
e2875e6d584ce2c16a6b4448fe2246cc65f9d41f0a3cbffbd8510a9e278817ea partition-lost.img
```
Running `scalpel -c /etc/scalpel.conf` and `binwalk --dd='.*'`, was not
successful. So, I imported the file in
[Autopsy](https://www.sleuthkit.org/autopsy/) (partition, dos; see screenshots).
Looking at the file list, it showed some deleted files, including a file with
the suspicious name `fl@4.rar`. Viewing it's contents yields the flag:
flag: `FLAG(701_L@b$_DR_DFIR)`
Pictures:
![Screenshot 01](./_resources/cybertalents2017-partition-lost/screenshot-01.png)
![Screenshot 02](./_resources/cybertalents2017-partition-lost/screenshot-02.png)
![Screenshot 03](./_resources/cybertalents2017-partition-lost/screenshot-03.png)
*Note: if autopsy doesn't show anything, but you get error messages like
`sh: 1: /usr/bin/ils-sleuthkit: not found` (in the terminal in which autopsy was
started), execute the following command in another shell:
`ln -s /usr/bin/icat /usr/bin/icat-sleuthkit`*
> Solved & write-up written by Fabian Würfl
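Review bot: In the closing note the quoted error is about `/usr/bin/ils-sleuthkit`, but the suggested fix creates `/usr/bin/icat-sleuthkit` from `icat`. Either the error message or the `ln -s` command names the wrong tool; please confirm which link was actually needed, or whether both were. Minor: "Viewing it's contents" should be "its", and it is worth stating how the contents of the `.rar` file were viewed.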
......@@ -10,6 +10,7 @@ Most recent participations are at the top.
| Date | CTF | Type | Result (Rank / points) | Documentation |
|------|-----|------|----------------------|---------------|
| April, 6th - 8th | [Cybertalents](https://cybertalents.com) | Jeopardy | 86 / 750 | [Doc](/_events/2017/2017-04-06-cybertalents.md) |
| March, 13th - 20th | [easyCTF 2017](https://www.easyctf.com) | Jeopardy | 96 / 2460 | [Doc](./_events/2017/2017-03-13-easyctf.md) |
## 2016
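Review bot: The added Cybertalents row links its documentation as `/_events/2017/2017-04-06-cybertalents.md`, while the easyCTF row directly below it uses `./_events/2017/2017-03-13-easyctf.md`. Use one path style in this table so both links resolve the same way from the README's location.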
......
# ignore all files generated by extracting either archive
__MACOSX/
app.apk
app_source_from_JADX/
package com.labs.adnromeda.test1;
import android.content.Intent;
import android.os.Bundle;
import android.support.v7.app.ActionBarActivity;
import android.util.Log;
import android.view.Menu;
import android.view.MenuItem;
import android.view.View;
import android.view.View.OnClickListener;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;
public class MainActivity extends ActionBarActivity {
public int weezy;
/* renamed from: com.labs.adnromeda.test1.MainActivity.1 */
class C01261 implements OnClickListener {
final /* synthetic */ EditText val$txtPassword;
final /* synthetic */ EditText val$txtUsername;
C01261(EditText editText, EditText editText2) {
this.val$txtUsername = editText;
this.val$txtPassword = editText2;
}
public void onClick(View v) {
String user = this.val$txtUsername.getText().toString();
String pass = this.val$txtPassword.getText().toString();
Log.i("credentials check", user + ":" + pass);
if (user.compareTo(MainActivity.this.getUser()) == 0 && pass.compareTo(MainActivity.this.getPass()) == 0) {
Log.i("credentials check", "granted access");
Toast.makeText(MainActivity.this.getApplicationContext(), "access granted!", 0).show();
MainActivity.this.startActivity(new Intent(MainActivity.this.getApplicationContext(), MainActivity2.class));
return;
}
Toast.makeText(MainActivity.this.getApplicationContext(), "access denied!", 0).show();
}
}
public MainActivity() {
this.weezy = 152;
}
private String getUser() {
String resp = this.weezy > 152 ? "Legolas" : "Aragon";
this.weezy += 100;
return resp;
}
private String getPass() {
return this.weezy > 152 ? "Saruman" : "Gandalf";
}
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView((int) C0127R.layout.activity_main);
((Button) findViewById(C0127R.id.button)).setOnClickListener(new C01261((EditText) findViewById(C0127R.id.txtUsername), (EditText) findViewById(C0127R.id.txtPassword)));
}
public boolean onCreateOptionsMenu(Menu menu) {
getMenuInflater().inflate(C0127R.menu.menu_main, menu);
return true;
}
public boolean onOptionsItemSelected(MenuItem item) {
if (item.getItemId() == C0127R.id.action_settings) {
return true;
}
return super.onOptionsItemSelected(item);
}
}
# [Cybertalents 2017](https://cybertalents.com) - Getting started (50 pts)
> The correct input is the flag, format flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
>
> Challenge Link: [getting-started](./_resources/cybertalents2017-getting-started/getting-started)
```
$ file getting-started
getting-started: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=30a1e294daa93e231641dbe11a9501f87ed4a1c3, not stripped
```
running `strings` on the file, yielded the following strange string:
`j}j1j_jljejvjejlj_jojtj_jejmjojcjljejwj{jgjajljf`
There's a `{` and a `}` in there, and the end looks like it contains the letters
`f`, `l`, `a`, and `g`. So, some quick python magic:
```python
cipher = "j}j1j_jljejvjejlj_jojtj_jejmjojcjljejwj{jgjajljf"
>>> ''.join( cipher[::-1].split('j') )
'flag{welcome_to_level_1}'
```
flag: `flag{welcome_to_level_1}`
> Solved & write-up written by Fabian Würfl
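Review bot: The Python block mixes a plain script line (`cipher = ...`) with a `>>>` interpreter prompt and its echoed result, so it can be pasted neither as a script nor as a session. Put `>>>` on the assignment as well, or drop the prompt and the output line. It would also help to say in words what the one-liner undoes: the string is the flag reversed, with a `j` in front of every character.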
# [Cybertalents 2017](https://cybertalents.com) - LOTR Hero Mania (50 pts)
> lord of the rings addict is the user of this application, can you find the
> creds?, the key is the md5(userpass)
>
> Challenge Link:
> [app.apk.zip](./_resources/cybertalents2017-lotr-hero-mania/app.apk.zip)
The zip-archive contains an android apk. I used an online decompiler
(http://www.javadecompilers.com/apk) to retrieve the source code.
*Note: I also included the source code archive, generated by
javadecompilers.com:
[app_source_from_JADX.zip](./_resources/cybertalents2017-lotr-hero-mania/app_source_from_JADX.zip)*
First I tried to `grep -rni` for `password`, `pass`, and `userpass`;
without success. Then I looked through the source code and in
`app_source_from_JADX/com/labs/adnromeda/test1/`, I found the file
[MainActivity.java](./_resources/cybertalents2017-lotr-hero-mania/MainActivity.java)
(Activities in Android apps are possible program entry points, so I figured this
was a good start). This file contains amongst others the following code
snippets:
```java
public void onClick(View v) {
String user = this.val$txtUsername.getText().toString();
String pass = this.val$txtPassword.getText().toString();
Log.i("credentials check", user + ":" + pass);
if (user.compareTo(MainActivity.this.getUser()) == 0 && pass.compareTo(MainActivity.this.getPass()) == 0) {
Log.i("credentials check", "granted access");
Toast.makeText(MainActivity.this.getApplicationContext(), "access granted!", 0).show();
MainActivity.this.startActivity(new Intent(MainActivity.this.getApplicationContext(), MainActivity2.class));
return;
}
Toast.makeText(MainActivity.this.getApplicationContext(), "access denied!", 0).show();
}
private String getUser() {
String resp = this.weezy > 152 ? "Legolas" : "Aragon";
this.weezy += 100;
return resp;
}
private String getPass() {
return this.weezy > 152 ? "Saruman" : "Gandalf";
}
```
`onClick()` is probably triggered by pressing the `login` button. It reads
the entered username & password and checks them against values retrieved from
`getUser()` and `getPass()`. These functions return either of two values each,
depending on a variable. As all values were hardcoded and there were only four
of them, I just started guessing.
flag: `d710d29360684aef13ea7cdfecf63a3a` (= md5(`LegolasSaruman`))
> Solved & write-up written by Fabian Würfl
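Review bot: "I just started guessing" leaves out what the quoted code already determines. `getUser()` adds 100 to `weezy` before `getPass()` is evaluated on the right-hand side of the `&&`, so `weezy` is above 152 whenever the password is compared and `getPass()` can only return `Saruman`; `Gandalf` is unreachable. `getUser()` returns `Aragon` only on the first click, while `weezy` is still 152, and `Legolas` on every later one. Adding that trace narrows the four combinations to two and shows how the app's state selects between them.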
# [Cybertalents 2017](https://cybertalents.com) - Admin has the power (50 pts)
> Administrators only has the power to see the flag , can you be one ?
>
> Challenge Link: http://35.167.250.58:81/
The website has just a simple login mask:
![login mask](./_resources/cybertalents2017-admin-has-the-power/01-login.png)
No sql injection possible.
However, the html code contains the following:
```
<!-- TODO: remove this line , for maintenance purpose use this info (user:support password:x34245323)-->
```
using these credentials we see the following:
![Greeting for support](./_resources/cybertalents2017-admin-has-the-power/02-support-logged-in.png)
Next, I checked out Firefox' network monitor. As we can see, the web app uses a
cookie named `role` which is set to support. Well, then it's easy. We use
Firefox' developer toolbar (NOT the JavaScript console!) to set the cookie to
admin:
![cookies](./_resources/cybertalents2017-admin-has-the-power/03-cookies.png)
```
cookie set role admin
```
After refreshing the site, we get the flag:
![flag](./_resources/cybertalents2017-admin-has-the-power/04-flag.png)
flag: `hiadminyouhavethepower`
> Solved & write-up written by Fabian Würfl
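Review bot: "No sql injection possible." is stated as a fact with no record of what was tested; list the inputs tried or reword it to say that the attempted inputs had no effect. The write-up would also benefit from naming the two flaws it relies on: credentials left in an HTML comment, and a `role` cookie that the server trusts when deciding what to show. The `cookie set role admin` block should say that it is a Firefox developer toolbar command, since the fence carries no context of its own.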
......@@ -26,6 +26,8 @@ We organize our WriteUps by category - not by ctf.
| Decode Me | [easyctf 2017](/_events/2017/2017-03-13-easyctf.md) | [link](/crypto/easyctf2017-decode-me.md) | python, base64 |
| Hash on Hash | [easyctf 2017](/_events/2017/2017-03-13-easyctf.md) | [link](/crypto/easyctf2017-hash-on-hash.md) | bash, md5, crackstation.net |
| Genius | [easyctf 2017](/_events/2017/2017-03-13-easyctf.md) | [link](/crypto/easyctf2017-genius.md) | python, bash, md5, crackstation |
| Guess the Password | [Cybertalents 2017](/_events/2017/2017-04-06-cybertalents.md) | [writeup](/crypto/cybertalents2017-guess-the-pw.md) | easy, hash, luck, duckduckgo |
| Crack the hash | [Cybertalents 2017](/_events/2017/2017-04-06-cybertalents.md) | [writeup](/crypto/cybertalents2017-crack-the-hash.md) | easy, hash, gromweb.com |
## Web
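Review bot: The two added rows use `writeup` as link text and tags such as `luck`, while the three existing rows in this table use `link` and list tools or techniques. Align the link text with the existing rows, and consider replacing `luck` with the hash type so the notes column stays useful for searching.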
......@@ -33,6 +35,7 @@ We organize our WriteUps by category - not by ctf.
|-------------------|----------|---------|------------------|
| Voting | Junior CTF | [link](./web/juniorCTF2016-voting.md) | request forgery, Burp |
| Cookie Blog | [easyctf 2017](/_events/2017/2017-03-13-easyctf.md) | [link](/web/easyctf2017-cookie-blog.md) | response headers, cookies |
| Admin has the power | [Cybertalents 2017](/_events/2017/2017-04-06-cybertalents.md) | [writeup](/web/cybertalents2017-admin-has-the-power.md) | easy, cookies, request forgery, Firefox developer tools |
## Forensics
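Review bot: The added row tags the write-up with `request forgery`, but the linked write-up describes changing the `role` cookie from `support` to `admin` in the browser and reloading the page. A tag such as `cookie tampering` would describe it more accurately. The link text is also `writeup` here versus `link` in the two rows above.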
......@@ -43,11 +46,17 @@ We organize our WriteUps by category - not by ctf.
| Petty Difference| [easyctf 2017](/_events/2017/2017-03-13-easyctf.md) | [link](/forensics/easyctf2017-petty-difference.md) | python |
| Ogrewatch| [easyctf 2017](/_events/2017/2017-03-13-easyctf.md) | [link](/forensics/easyctf2017-ogrewatch.md) | bash, movie, subtitles, ffmpeg |
| scisnerof| [easyctf 2017](/_events/2017/2017-03-13-easyctf.md) | [link](/forensics/easyctf2017-scisnerof.md) | python, reversed |
| Partition lost | [Cybertalents 2017](/_events/2017/2017-04-06-cybertalents.md) | [writeup](/forensics/cybertalents2017-partition-lost.md) | easy, Autopsy, deleted files |
| Lost files | [Cybertalents 2017](/_events/2017/2017-04-06-cybertalents.md) | [writeup](/forensics/cybertalents2017-lost-files.md) | easy, Autopsy, deleted files |
| Hidden Message | [Cybertalents 2017](/_events/2017/2017-04-06-cybertalents.md) | [writeup](/forensics/cybertalents2017-hidden-message.md) | easy, exiftool, image, metadata |
| G&P list | [Cybertalents 2017](/_events/2017/2017-04-06-cybertalents.md) | [writeup](/forensics/cybertalents2017-gp-list.md) | easy, Microsoft Office document |
## Reverse Engineering
| Name of challenge | CTF name | writeup | additional notes |
|-------------------|----------|---------|------------------|
| [Hexable | [easyctf 2017](/_events/2017/2017-03-13-easyctf.md) | [link](/reversing/easyctf2017-hexable.md) | hexdump |
| getting started | [Cybertalents 2017](/_events/2017/2017-04-06-cybertalents.md) | [writeup](/reversing/cybertalents2017-getting-started.md) | easy, strings |
| LOTR Hero Mania | [Cybertalents 2017](/_events/2017/2017-04-06-cybertalents.md) | [writeup](/reversing/cybertalents2017-lotr-hero-mania.md) | medium, Android, mobile app, Java, decompiler, source code analysis |
## Scripting & Programming (PPC)
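Review bot: The new rows spell the challenge names `Partition lost` and `Lost files`, while the write-up headings in this commit use `Partition Lost` and `Lost Files`; pick one spelling. The difficulty tags are uneven as well: `LOTR Hero Mania` is marked `medium` and `getting started` `easy` although both are 50-point challenges, and none of the existing rows shown carries a difficulty at all. While touching the Reverse Engineering table, note that the `| [Hexable |` context row has an unmatched `[`.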
......