BCTF 2016 Upload (Forensics 200) Writeup

Problem

Where are the files I just uploaded? The files in the links below are the same, download any of them to begin hacking!

disk.img.xz - google drive link
disk.img.xz - dropbox link
disk.img.xz - baidu link

Solution

We get a packed binary blob. Unpack it using xz and use file to see what it is.

    $ xz -d disk.img.xz
    $ file disk.img
    disk.img: BTRFS Filesystem sectorsize 4096, nodesize 16384, leafsize 16384, UUID=89011762- aee-4847-9e0f-bca52fd99e0d, 155820032/2147483648 bytes used, 1 devices

Oh a BTRFS image.

Boston Key Party 2016 Jit in my pants (RE 3) Writeup

Problem

Because reversing an obfuscated jit’ed virtual machine for 3 points is fun! (re 3, solved by 38)

Solution

I downloaded it immediately when it was released and solved it really fast, but it turned out they uploaded the wrong binary. After a while they uploaded the proper binary and the fun could begin.

The binary takes the flag as argv[1]:

    ./c3803116bd70e802483d3bc4c4b564d2 BKPCTF{flag...}

We’re provided with a binary with a strange loop and a call to a function pointer.

InternetWache 2016 404 Flag not found (misc 80)

Problem

Description: I tried to download the flag, but somehow received only 404 errors :(
Hint: The last step is to look for flag pattern.
(misc80, solved by 292)
Attachment: misc80.zip

Solution

We are provided with a pcapng file. After opening the file in Wireshark we can see that it contains some HTTP requests (without answers) and some DNS lookups. After looking at it for a while we noticed that the hostnames looked interesting: the first part of each hostname looked like hex-encoded ASCII.

InternetWache 2016 Mess of Hash (Web 50)

Problem

Description: Students have developed a new admin login technique. I doubt that it’s secure, but the hash isn’t crackable. I don’t know where the problem is…
(web50, solved by 170)
Attachment: web50.zip
Service: https://mess-of-hash.ctf.internetwache.org/

Solution

We unpack the attachment and get a README.txt containing:

    <?php
    $admin_user = "pr0_adm1n";
    $admin_pw = clean_hash("0e408306536730731920197920342119");

    function clean_hash($hash) {
        return preg_replace("/[^0-9a-f]/","",$hash);
    }

    function myhash($str) {
        return clean_hash(md5(md5($str) . "SALT"));
    }

We can directly see that the hash assigned to $admin_pw looks interesting.

Internetwache CTF 2016 The Cube (Rev 90) Writeup

Problem

Description: I really like Rubik’s Cubes, so I created a challenge for you. I put the flag on the white tiles and scrambled the cube. Once you solved the cube, you’ll know my secret.
(rev90, solved by 232)
Attachment: rev90.zip

Solution

In this task we were given a text-file containing the scrambling of a Rubik’s cube, as well as the different sides of the cube before it was scrambled.

    Scrambling: F' D' U' L' U' F2 B2 D2 F' U D2 B' U' B2 R2 D2 B' R' U B2 L U R' U' L'

    White side:
    -------
    |{|3| |
    | |D|R|
    | |W| |
    -------

    Orange side:
    -------
    | | | |
    | | | |
    | | | |
    -------

    Yellow side:
    -------
    |}| | |
    |3| | |
    | | | |
    -------

    Red side:
    -------
    |I| | |
    | | | |
    | | |C|
    -------

    Green side:
    -------
    | | | |
    | | | |
    | | | |
    -------

    Blue side:
    -------
    | | | |
    | | | |
    | | | |
    -------

First observation is that the flag is five characters long, since there are nine characters spread out over the cube, and of these, four are IW{}.

Internetwache CTF 2016 Sh-ock (Exp 90) Writeup

Problem

This is some kind of weird thing. I am sh-ocked.
Service: 188.166.133.53:12589
Solved by 105 teams

Solution

We nc to the service and are presented with a prompt:

    Welcome and have fun!
    $

Let’s try something basic:

    Welcome and have fun!
    $help
    [ReferenceError: lh is not defined]
    $

Right off the bat, that tells us a few things: the ReferenceError tells us that this is JavaScript (nodejs). The lh part is a little more confusing, so let’s try something else:

    $this
    [ReferenceError: it is not defined]
    $

Ok, so for help we got lh and for this we got it. Seems like the 3rd and 1st character; should we pad our commands?

Internetwache CTF 2016 Crypto-Pirat (Crypto 50) Writeup

Problem

Did the East German Secret Police see a Pirat on the sky? Help me find out!
Attachment: https://ctf.internetwache.org/files/crypto50.zip

Solution

Sidenote: This one took us some time. We started ok, but then our progress ground to a halt because we just didn’t know what to do with the output we got. The organizers of the CTF agreed that the challenge was not clear enough and after 12 hours added two hints:

Hint: We had 9 planets from 1930–2006…
Hint2: Each planet has a number.

Internetwache CTF 2016 SPIM (Rev 50) Writeup

Problem

My friend keeps telling me, that real hackers speak assembly fluently. Are you a real hacker? Decode this string: “IVyN5U3X)ZUMYCs”
Attachment: https://ctf.internetwache.org/files/rev50.zip
Solved by 235 teams

Solution

We unpack the file and get some MIPS assembly:

    User Text Segment [00400000]..[00440000]
    [00400000] 8fa40000 lw $4, 0($29) ; 183: lw $a0 0($sp) # argc
    [00400004] 27a50004 addiu $5, $29, 4 ; 184: addiu $a1 $sp 4 # argv
    [00400008] 24a60004 addiu $6, $5, 4 ; 185: addiu $a2 $a1 4 # envp
    [0040000c] 00041080 sll $2, $4, 2 ; 186: sll $v0 $a0 2
    [00400010] 00c23021 addu $6, $6, $2 ; 187: addu $a2 $a2 $v0
    [00400014] 0c100009 jal 0x00400024 [main] ; 188: jal main
    [00400018] 00000000 nop ; 189: nop
    [0040001c] 3402000a ori $2, $0, 10 ; 191: li $v0 10
    [00400020] 0000000c syscall ; 192: syscall # syscall 10 (exit)
    [00400024] 3c081001 lui $8, 4097 [flag] ; 7: la $t0, flag
    [00400028] 00004821 addu $9, $0, $0 ; 8: move $t1, $0
    [0040002c] 3401000f ori $1, $0, 15 ; 11: sgt $t2, $t1, 15
    [00400030] 0029502a slt $10, $1, $9
    [00400034] 34010001 ori $1, $0, 1 ; 12: beq $t2, 1, exit
    [00400038] 102a0007 beq $1, $10, 28 [exit-0x00400038]
    [0040003c] 01095020 add $10, $8, $9 ; 14: add $t2, $t0, $t1
    [00400040] 81440000 lb $4, 0($10) ; 15: lb $a0, ($t2)
    [00400044] 00892026 xor $4, $4, $9 ; 16: xor $a0, $a0, $t1
    [00400048] a1440000 sb $4, 0($10) ; 17: sb $a0, 0($t2)
    [0040004c] 21290001 addi $9, $9, 1 ; 19: add $t1, $t1, 1
    [00400050] 0810000b j 0x0040002c [for] ; 20: j for
    [00400054] 00082021 addu $4, $0, $8 ; 24: move $a0, $t0
    [00400058] 0c100019 jal 0x00400064 [printstring]; 25: jal printstring
    [0040005c] 3402000a ori $2, $0, 10 ; 26: li $v0, 10
    [00400060] 0000000c syscall ; 27: syscall
    [00400064] 34020004 ori $2, $0, 4 ; 30: li $v0, 4
    [00400068] 0000000c syscall ; 31: syscall
    [0040006c] 03e00008 jr $31 ; 32: jr $ra

I never did any MIPS work before, but armed with the MIPS Instruction Reference, I started working on it.

Internetwache CTF 2016 Rock With The Wired Shark (Misc 70) Writeup

Problem

Someone sent me a file with white and black rectangles. I don’t know how to read it. Can you help me?
Attachment: https://ctf.internetwache.org/files/misc70.zip
Solved by 454 teams

Solution

What we get is a packet capture file. I usually approach those with Python, but this one was easier to do with just Wireshark. But first, let’s run strings on it for good measure; two things are interesting:

    Authorization: Basic ZmxhZzphenVsY3JlbWE=
    ...snip...

Internetwache CTF 2016 Procrastination (Crypto 80) Writeup

Problem

Watching videos is fun!
Attachment: https://ctf.internetwache.org/files/crypto80.zip
Solved by 74 teams

Solution

We unpack and get a webm file. When opened, it plays one of the big hits from the 80s for 36 seconds. Running mediainfo on it, we see that it contains one video track and two audio tracks. Let’s extract the second audio track:

    avconv -i song.webm -map 0:2 audio.wav

When playing it, we can hear phone dial noises, also known as DTMF.