HackDig : Dig high-quality web security articles for hacker

Insomni'Hack CTF Write-Up

2015-03-26 00:45

This year, I participated to Insomni'hack's CTF with the 3 other (remote) members of the pic0wn team. I'll address the challenges I personally solved in the next few posts: this post concerns a Web and a Forensic challenge, next post concerns iOS challenges.

You'll see for yourselves that some challenges were really easy. To be perfectly honest, I found that some challenges were really _too_ easy, but the organizers' idea was that everyone should have fun, and I certainly agree with this, so after all...

Alert: the following contains challenge spoilers. If you wish to try the challenges on your own, don't read the rest of the post!

Win!

This was a very easy challenge that most participants solved. We were being asked to vote for the best hacking movie - selecting one movie from a dropdown list. It seems that all votes end up with the output "Seriously?! You think that's the best hacking movie?! You definitely missed one!". However, having a look at the HTML source we notice this:


<option value="21">The Italian Job</option>
<!-- <option value="42">The Matrix</option> -->
<option value="22">The Net</option>

Just guessing ;P, we vote for 42:


$ curl http://10.13.37.121/?best_hacking_movie=42

and success, that's our first flag:


<h2>Yay !</h2>
<p>Congrats! Your taste for hacking movies is as good as your hacking skills</p>
<p>INS{No one can be told what the Matrix is. You have to see it for yourself.}

Forensics - Lost In Memories

This one provides a memory image (WIN-DEA2KM5I93L-20150318-151408_e93e1b0d01e0b5c4d5985254e94b958e.7z, 303MB) and tells us the flag is composed of 2 parts, one in the memory image, and another one available on another host "maybe a CnC".

We unzip the file and get a 1.5GB of raw data according to 'file'. However, the data is full of strings. As CTF flags follow the format INS{xxxxx} and we know the flag is cut in 2 parts, we grep the data for 'INS{'. We are unlucky. Then, the text mentions a remote server, so we grep for interesting URLs on the local network. Yes, Insomni'hack is an 'offline' CTF: only those physically present can play (actually this was an issue for my team, because the other members were remote, so I was their only link with the real network). The local network starts by 10.x.x.x:


$ strings WIN-DEA2KM5I93L-20150318-151408.raw | grep http://10
http://10.13.37.117/oyekv5ty9tQj/

When we try to visit this URL, the server complains we haven't provided username/password credentials. So, this looks like the right URL, but we need to search a bit better. We are going to look for potential username or password located close to the URL string:


$ strings WIN-DEA2KM5I93L-20150318-151408.raw | grep -C 5 http://10

And this time, we are lucky to spot:


http://johntheslayer:H!66q5p6F$8z8Z*D8gkB@10.13.37.117/oyekv5ty9tQj711.73.31.01.

This corresponds to the syntax http://username:password@server. There are some additional garbage characters after oyekv5ty9tQj/ . We won't care for those.
We cannot directly request such a URL though because characters such as ! or $ need to be encoded (reciprocally %21 and %24). We visit the URL which provides a link to a file named flag.txt. Let's open that! It says:


# Well done, you find the first part of the flag
INS{memory_dump_provided_by

Right, so that's why our first search for INS{ did not succeed: the first part of the flag was provided on the CnC and the second part of the flag is in the raw image. So, we should rather search for something that ends with xxx}. We notice that the first part of the flag has several lowercase words separated by underscores, so we search for _xxx} where xxx are lowercase characters or digits. 


$ strings WIN-DEA2KM5I93L-20150318-151408.raw | grep -E '_[a-z0-9]*}' | more
...
The second part of the flag is: _by_CSI_drama_series}

Note we are lucky, because actually the flag contained some uppercase characters so my reasoning was wrong, but the grep worked nonetheless ;)

Finally, the flag is


INS{memory_dump_provided_by_by_CSI_drama_series}

Oh no! That doesn't work! So we try


INS{memory_dump_provided_by_CSI_drama_series}

and that works :)

-- the Crypto Girl

 PS. Another write-up in French.


Source: pu-etirw-ftc-kcah-inmosni/tsop/moc.tenitrof.golb

Read:2963 | Comments:0 | Tags:No Tag

“Insomni'Hack CTF Write-Up”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud

Keywords