CSAW CTF Quals 2016 Writeups
Posted in Security Articles | Posted on 20-09-2016
This weekend was a very busy one for me, as I had to participate in two CTF events, MITRE and CSAW Quals, with my team, NaijaSecForce. We placed 191st out of 1274 teams in the CSAW Quals. Below are the writeups for some of the challenges I solved.
Forensics – Kill
Is kill can fix? Sign the autopsy file?
Solution
We were given a .pcapng file. This was quite easy, as our old friend grep did the job.
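A binary-safe search of the kind grep -a does on a capture file, written here as an added example (it is not the author's command and not the challenge file): it reports the byte offset of each hit and a little printable context so you can tell which packet the string sits in. The capture bytes are constructed for this example and the flag{...} pattern is an assumed format.

```python
"""Binary-safe search for flag-looking strings in a packet capture.

Added example, not from the original writeup. The pcapng bytes below are a
constructed stand-in and the flag{...} pattern is an assumed flag format.
"""
import re

# Constructed sample: a pcapng Section Header Block magic, then some fake
# packet bytes with a marker string embedded between binary bytes.
SAMPLE_CAPTURE = (
    b"\x0a\x0d\x0d\x0a" + b"\x00" * 12            # pcapng SHB magic + padding
    + b"GET /autopsy HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    + b"\x00\x17\x9f" + b"flag{example_not_a_real_flag}" + b"\x00" * 6
)

# Assumed flag format; a real challenge states its own.
FLAG_RE = re.compile(rb"flag\{[^}\x00]{1,100}\}")


def printable(chunk):
    """Render bytes the way `strings` would: non-printables become '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)


def find_flags(data, pattern=FLAG_RE, context=16):
    """Return a list of (offset, flag, context) for every pattern hit in data."""
    hits = []
    for m in pattern.finditer(data):
        start, end = m.span()
        window = data[max(0, start - context):end + context]
        hits.append((start, m.group().decode("ascii", "replace"), printable(window)))
    return hits


if __name__ == "__main__":
    for off, flag, ctx in find_flags(SAMPLE_CAPTURE):
        print(f"0x{off:06x}  {flag}    |{ctx}|")
```

The offset is the useful extra over plain grep: with it you can jump to the same byte in Wireshark or a hex editor and read the surrounding packet instead of just the matching line.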
Fuzyll – 200 (Recon)
All files are lowercase with no spaces. Start here: http://fuzyll.com/files/csaw2016/start
Author: fuzyll
Solution
This challenge was annoying and fun at the same time. Haha.
We visited http://fuzyll.com/files/csaw2016/start and we saw
“CSAW 2016 FUZYLL RECON PART 1 OF ?: People actually liked last year's challenge, so CSAW made me do it again... Same format as last year, new stuff you need to look up. The next part is at /csaw2016/<the form of colorblindness I have>.”
The first step was to come up with a Google dork: site:http://fuzyll.com color blindness. We found this URL http://fuzyll.com/2015/enchroma-glasses/ and after poring through the webpage we saw this: “The test identified me as a "Strong Deutan", which means I have Deuteranomaly (the most common kind of colorblindness)”.
We tried http://fuzyll.com/files/csaw2016/deuteranomaly and whoops - it worked.
This was a binary file of 3MB.
We opened it and found this
So I’m here wondering – is this a sign that I have to increase my fruit intake? :D
I checked this fruit's metadata using exiftool and found the next hint:
“CSAW 2016 FUZYLL RECON PART 2 OF ?: No, strawberries don't look exactly like this, but it's reasonably close. You know what else I can't see well? /csaw2016/<the first defcon finals challenge i ever scored points on>.”
Come on, man! How do I know the first DEF CON finals challenge you scored a point on? Anyway, Google to the rescue again.
I recall Fuzyll recently released a DEF CON CTF VM with challenges right from its inception, here > https://github.com/fuzyll/defcon-vm . I then copied all the content off that page, pasted it into Notepad++ and, with some Notepad-fu (I know Python would have done a faster job), created a wordlist of all the content on the webpage, one word per line.
I then fed this into DirBuster to brute-force the http://fuzyll.com/files/csaw2016/ directory and found http://fuzyll.com/files/csaw2016/tomato. So yeah, tomato was the first DEF CON CTF finals challenge Fuzyll scored a point on.
I then checked what kind of file tomato was:
tomato: Non-ISO extended-ASCII text, with NEL line terminators
We need to convert tomato to readable text. I used this quick bash script:
# Try every encoding iconv knows as the source encoding and write each attempt
# to its own file; ${f%//} strips the trailing "//" that iconv -l prints after each name
for f in $(iconv -l); do
  echo "Converting ${f%//} …"
  iconv -f "${f%//}" -t UTF-8 < tomato > "pepper.${f%//}.txt"
done
This converts the file tomato to all known encodings. Got close to 1000 files.
To sort through these for the one that contains “CSAW”, I ran this bash one-liner:
# Set IFS to newline so each grep output line is one loop item, then print the
# first whitespace-separated field, which carries the matching file name
$ IFS=$(echo -en "\n\b") ; for i in $(grep -Hi "CSAW" *); do echo $i | awk '{print $1}'; done
One of the files with a readable text was
pepper.CP1158.txt
I read that and I got the next hint:
root@kali:~/Desktop/CTF/CSAW# cat pepper.CP1158.txt
CSAW 2016 FUZYLL RECON PART 3 of ?: I don't even like tomatoes] Anyway, outside of CTFs, I've been playing a fair amount of World of WarCraft over the past year (never thought I'd be saying that after Cataclysm, but here we are). The next part is at /csaw2016/<my main WoW character's name>.
Okay, let me chip in here that I hardly ever play games, aside from Pro Evolution Soccer, maybe.
I then visited this Wikipedia page https://en.wikipedia.org/wiki/Characters_of_Warcraft and generated a list of WoW characters to form my wordlist.
I fed this to DirBuster again and we got fuzyll.com/files/csaw2016/jade
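Both wordlists above (the one scraped from the defcon-vm page and the one from the Wikipedia characters page) were built by hand in Notepad++; the following is an added Python example of the same job, not the author's procedure. It extracts the visible text of an HTML page, splits it into words, lowercases them (the challenge said all file names are lowercase with no spaces) and removes duplicates. The HTML is a constructed stand-in, not a copy of either real page.

```python
"""Build a one-word-per-line wordlist from a web page.

Added example, not from the original writeup. SAMPLE_HTML is constructed
for this example and stands in for the page you would actually fetch.
"""
import re
from html.parser import HTMLParser

SAMPLE_HTML = """<html><body>
<h1>DEF CON CTF VM</h1>
<p>Challenges included: <a href="#">tomato</a>, <b>Potato</b>, and tomato again.</p>
<script>var notAWord = "ignoreme";</script>
<ul><li>pepper-2016</li><li>Jade</li></ul>
</body></html>"""


class TextExtractor(HTMLParser):
    """Collect text nodes, skipping the contents of <script> and <style>."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def page_text(html):
    """Return the visible text of an HTML document as one string."""
    parser = TextExtractor()
    parser.feed(html)
    parser.close()
    return " ".join(parser.chunks)


# Words are runs of letters/digits, optionally joined by hyphens (no spaces).
WORD_RE = re.compile(r"[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*")


def build_wordlist(html, min_len=2):
    """Return unique lowercase words from the page text, in first-seen order."""
    seen = set()
    words = []
    for token in WORD_RE.findall(page_text(html)):
        word = token.lower()
        if len(word) >= min_len and word not in seen:
            seen.add(word)
            words.append(word)
    return words


def write_wordlist(words, path):
    """Write one word per line, the format DirBuster and similar tools expect."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(words) + "\n")


if __name__ == "__main__":
    for word in build_wordlist(SAMPLE_HTML):
        print(word)
```

Feed the saved file to DirBuster (or any directory brute-forcer) as a custom wordlist; keeping first-seen order means the words from the top of the page, usually the most relevant ones, are tried first.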
I checked jade and saw the next hint:
CSAW 2016 FUZYLL RECON PART 5 OF 6: I haven't spent the entire year playing video games, though. This past March, I spent time completely away from computers in Peru. This shot is from one of the more memorable stops along my hike to Machu Picchu. To make things easier on you, use only ASCII: /csaw2016/<the name of these ruins>.