CSAW CTF Quals 2016 Writeups

| Posted in Security Articles |

This weekend was a very busy one for me, as I had to participate in two CTF events, MITRE and CSAW Quals, with my team, NaijaSecForce. We placed 191st out of 1274 teams in the CSAW Quals. Below are writeups for some of the challenges I solved.

Kill (Forensics)

Is kill can fix? Sign the autopsy file?

kill.pcapng

Solution

We were given a .pcapng file. This one was quite easy: our old friend grep did the job, searching the raw capture for the flag format and pulling it straight out of the packet payloads.
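What "grep did the job" looks like in practice, as an added example that is not the author's command: a small shell helper that searches a capture (or any binary file) for a flag{...} token and, if nothing is found in the clear, decodes every base64-looking run and looks again, since flags are often encoded before being sent. grep -a is what makes this work on a binary capture. The sample files are constructed here (random bytes around a planted flag), not the real kill.pcapng; base64 -d is GNU coreutils syntax.

```shell
#!/bin/sh
# Added example (not the author's code): hunt for a CTF flag inside a binary
# capture with grep alone. -a treats the binary file as text, -o prints only
# the match, LC_ALL=C stops multibyte locales from choking on stray bytes.

FLAG_RE='flag\{[^}]*\}'

# First plaintext flag{...} in the file, or nothing.
find_plain_flag() {
    LC_ALL=C grep -aoE "$FLAG_RE" "$1" | head -n 1
}

# Decode every base64-looking run of 16+ characters and grep the result.
find_base64_flag() {
    LC_ALL=C grep -aoE '[A-Za-z0-9+/]{16,}={0,2}' "$1" |
    while IFS= read -r chunk; do
        # base64 -d is GNU; older macOS spells it base64 -D
        printf '%s' "$chunk" | base64 -d 2>/dev/null | LC_ALL=C grep -aoE "$FLAG_RE" || :
    done | head -n 1
}

# Plaintext first, then base64. Prints the flag and returns 0, or returns 1.
hunt_flag() {
    found=$(find_plain_flag "$1")
    [ -z "$found" ] && found=$(find_base64_flag "$1")
    [ -n "$found" ] && printf '%s\n' "$found" && return 0
    return 1
}

# Constructed samples, not real captures: binary junk around a planted flag.
WORK=$(mktemp -d)
printf 'junk\000\001\002 flag{constructed_plain} \377\376 more junk\n' > "$WORK/plain.bin"
printf 'junk\000 %s \377\n' "$(printf 'flag{constructed_b64}' | base64)" > "$WORK/b64.bin"

hunt_flag "$WORK/plain.bin"   # flag{constructed_plain}
hunt_flag "$WORK/b64.bin"     # flag{constructed_b64}
```

A flag split across two TCP segments will not match this way; for that case, follow the stream in Wireshark or reassemble it with tshark first and grep the reassembled payload.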

 

Fuzyll (Recon), 200 points

All files are lowercase with no spaces. Start here: http://fuzyll.com/files/csaw2016/start

Author: fuzyll

Solution

This challenge was annoying and fun at the same time. Haha.

We visited http://fuzyll.com/files/csaw2016/start and saw:

“CSAW 2016 FUZYLL RECON PART 1 OF ?: People actually liked last year's challenge, so CSAW made me do it again... Same format as last year, new stuff you need to look up. The next part is at /csaw2016/<the form of colorblindness I have>.”
The first step was a Google dork: site:fuzyll.com color blindness. It turned up http://fuzyll.com/2015/enchroma-glasses/ and, after poring through the page, we found this: "The test identified me as a "Strong Deutan", which means I have Deuteranomaly (the most common kind of colorblindness)".
We tried http://fuzyll.com/files/csaw2016/deuteranomaly and it worked.
This was a 3 MB binary file.
We opened it and found an image of a strawberry (screenshot not reproduced here).

 
So I'm sitting here wondering whether this is a sign that I have to increase my fruit intake. :D
I ran exiftool over the image and the next hint was sitting in its metadata:

“CSAW 2016 FUZYLL RECON PART 2 OF ?: No, strawberries don't look exactly like this, but it's reasonably close. You know what else I can't see well? /csaw2016/<the first defcon finals challenge i ever scored points on>.”

Come on, man! How am I supposed to know the first DEF CON finals challenge you scored points on? Anyway, Google to the rescue again.

I recalled that Fuzyll had recently released a DEF CON CTF VM with challenges going back to the competition's inception: https://github.com/fuzyll/defcon-vm . I copied all the text off that page into Notepad++ and, with some Notepad-fu (Python would have been faster), turned it into a wordlist with one word per line.

I fed this into DirBuster against http://fuzyll.com/files/csaw2016/ and it found http://fuzyll.com/files/csaw2016/tomato . So tomato was the first DEF CON CTF finals challenge Fuzyll scored points on.
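What the Notepad-fu and DirBuster steps amount to, as an added shell example that is not the author's tooling: a function that turns a saved copy of a page (the defcon-vm README, the Wikipedia character list, any page) into a lowercase, deduplicated, one-word-per-line wordlist, which is exactly the shape the challenge hint asks for, plus a small curl loop that tries each word against the directory as a minimal stand-in for DirBuster (ffuf or gobuster take the same list). The HTML below is a constructed stand-in, not the real page, and the probe function is defined but not run because it needs the network.

```shell
#!/bin/sh
# Added example (not the author's tooling): build a wordlist from a saved web
# page and probe a directory with it. The challenge says every file name is
# lowercase with no spaces, so the list is normalised the same way.

# Read HTML from a file; print one lowercase alphanumeric word per line,
# at least 3 characters long, first occurrence only.
make_wordlist() {
    sed 's/<[^>]*>/ /g' "$1" |
    LC_ALL=C tr -c 'A-Za-z0-9\n' '\n' |
    LC_ALL=C tr 'A-Z' 'a-z' |
    awk 'length($0) >= 3 && !seen[$0]++'
}

# Request $base/<word> for every word in $list and print any non-404 hit.
# This is the one step that needs the network, so it is defined but not run.
probe_dir() {
    base=$1; list=$2
    while IFS= read -r w; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base/$w")
        [ "$code" != "404" ] && printf '%s %s\n' "$code" "$base/$w"
    done < "$list"
}

# Constructed stand-in for the scraped page (not the real defcon-vm README).
WORK=$(mktemp -d)
cat > "$WORK/page.html" <<'EOF'
<html><body><h1>DEF CON CTF Finals</h1>
<p>Challenges: Tomato, tomato, pea-soup, Sushi Bar, bit4</p>
</body></html>
EOF

make_wordlist "$WORK/page.html" > "$WORK/words.txt"
# words.txt now holds: def con ctf finals challenges tomato pea soup sushi bar bit4
# Against the live target the call would be:
#   probe_dir http://fuzyll.com/files/csaw2016 "$WORK/words.txt"
```

Keep the list small and specific: a few hundred words scraped from one relevant page finish in seconds, while a generic wordlist would never contain a name like winaywayna.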

I then checked what kind of file tomato was:

tomato: Non-ISO extended-ASCII text, with NEL line terminators

A verdict like this, text full of high bytes that file cannot place in any ISO-8859 or UTF-8 encoding, is a strong hint that the bytes are text in a code page file does not recognise. The EBCDIC code pages are a good first guess in that situation (CP1158, which worked below, is IBM's EBCDIC code page for Vietnamese), and trying them first would have skipped most of the brute force that follows.

We needed to convert tomato to readable text. I used this quick bash loop:

for f in $(iconv -l); do f=${f%//}; echo "Converting $f ..."; iconv -f "$f" -t UTF-8 < tomato > "pepper.$f.txt" 2>/dev/null; done

This converts tomato with every encoding iconv knows (on glibc, iconv -l prints each name with a trailing //, hence the ${f%//}). I got close to 1000 files, many of them empty or truncated where a conversion failed.

To sort through these for the one that contains "CSAW", grep -l lists just the matching file names:

$ grep -li "CSAW" pepper.*.txt

One of the files with readable text was

pepper.CP1158.txt

I read that and I got the next hint:

root@kali:~/Desktop/CTF/CSAW# cat pepper.CP1158.txt

CSAW 2016 FUZYLL RECON PART 3 of ?: I don't even like tomatoes] Anyway, outside of CTFs, I've been playing a fair amount of World of WarCraft over the past year (never thought I'd be saying that after Cataclysm, but here we are). The next part is at /csaw2016/<my main WoW character's name>.

Let me admit here that I hardly ever play games, aside from Pro Evolution Soccer, maybe.

I visited the Wikipedia page https://en.wikipedia.org/wiki/Characters_of_Warcraft and generated a list of Warcraft character names as my wordlist.

I fed this to DirBuster again and got fuzyll.com/files/csaw2016/jade

I checked jade and saw the next hint:

CSAW 2016 FUZYLL RECON PART 5 OF 6: I haven't spent the entire year playing video games, though. This past March, I spent time completely away from computers in Peru. This shot is from one of the more memorable stops along my hike to Machu Picchu. To make things easier on you, use only ASCII: /csaw2016/<the name of these ruins>.

A quick trip to Google with the keywords ruins peru Machu Picchu turned up "winaywayna-inca-ruins".

I tried different variations of the name, and finally a teammate, Ahmed, helped out. The hint's ASCII-only note is the key: Wiñay Wayna becomes winaywayna, without the tilde and without the space. http://fuzyll.com/files/csaw2016/winaywayna

CSAW 2016 FUZYLL RECON PART 6 OF 6: Congratulations! Here's your flag{WH4T_4_L0NG_4ND_STR4NG3_TRIP_IT_H45_B33N}.

Wow. That was a long, tormenting journey!

 

Clams Don't Dance (Forensics)

Find the clam and open it to find the pearl.

out.img

Solution

First step was to check the file

root@kali:~/Desktop/CTF/CSAW# file out.img

out.img: DOS/MBR boot sector

We then used foremost to carve files out of the image:

root@kali:~/Desktop/CTF/CSAW# foremost out.img -o clam

I went through the carved files and found an interesting PowerPoint file.

I googled the presentation's name and found the original deck:

https://www.uvm.edu/~wbowden/Teaching/Risk_Assessment/Projects/Project_docs2012/Presentations/Team09_Asian_Clam_risk.pptx

So I extracted the images from both files and compared them. (A .pptx is a zip archive, and the pictures live under ppt/media/, so unzipping both decks is enough.)

The odd one out was image0.gif, which appeared only in the carved deck.

It turned out to be a Data Matrix barcode.

An online barcode decoder read it and gave the flag. (dmtxread from libdmtx decodes Data Matrix offline, which is the better option when the image is evidence you would rather not upload.)
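The comparison step, as an added example that is not the author's method: with the carved deck and the original deck each unpacked into a directory (unzip -o deck.pptx -d dir puts the pictures under dir/ppt/media/), list the files whose content appears in the carved copy but nowhere in the original. Matching is by checksum rather than file name, so a renamed but identical picture is not flagged while a planted one is. The directories below are constructed stand-ins for the two media folders, not the real decks.

```shell
#!/bin/sh
# Added example (not the author's code): find the pictures that exist in a
# carved copy of a deck but not in the original, comparing by content.

# "crc size" for every regular file under a directory, sorted and deduped.
content_sums() {
    find "$1" -type f -exec cksum {} + | awk '{print $1 " " $2}' | sort -u
}

# Print the paths (relative to $1) of files under $1 whose content does not
# occur anywhere under $2. Same bytes under a different name are not reported.
odd_ones_out() {
    refsums=$(mktemp)
    content_sums "$2" > "$refsums"
    find "$1" -type f -exec cksum {} + |
    while IFS=' ' read -r sum size path; do
        grep -qx "$sum $size" "$refsums" || printf '%s\n' "${path#"$1/"}"
    done | sort
    rm -f "$refsums"
}

# Constructed stand-ins for ppt/media of the original and the carved deck.
WORK=$(mktemp -d)
mkdir -p "$WORK/original" "$WORK/carved"
printf 'clam photo bytes'  > "$WORK/original/image1.jpeg"
printf 'risk chart bytes'  > "$WORK/original/image2.png"
printf 'clam photo bytes'  > "$WORK/carved/image1.jpeg"
printf 'risk chart bytes'  > "$WORK/carved/image2.png"
printf 'clam photo bytes'  > "$WORK/carved/image3.jpeg"   # renamed copy, not odd
printf 'data matrix bytes' > "$WORK/carved/image0.gif"    # the planted one

odd_ones_out "$WORK/carved" "$WORK/original"   # image0.gif
```

cksum is used because it is POSIX and present everywhere; swap in sha256sum if you also want to keep the hashes as evidence.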

 

 

Mfw (Web), 125 points

Hey, I made my first website today. It's pretty cool and web7.9.

http://web.chal.csaw.io:8000/

Solution

I found that the site was built with Git, and its .git directory was reachable over HTTP.

Using GitTools (the Dumper script, which fetches the objects out of an exposed .git), I downloaded the repository locally.

I navigated to the dumped repository and looked at the latest commit:

root@kali:~/Desktop/GitTools/Dumper/repo# git show

Checking index.php showed the vulnerable code (screenshot not reproduced here):

 

We noticed that the page parameter ends up inside the string that assert() evaluates. In PHP 5 and 7, assert() with a string argument evaluates that string as PHP code (deprecated in 7.2 and removed in 8.0), so this is code execution.

From the dump, we know that flag.php exists in templates/.

After a lot of trial and error, we got the flag with:

http://web.chal.csaw.io:8000/index.php?page=flag%27)||var_dump(file_get_contents(%27templates/flag.php%27));//

The payload closes the quoted string and the call it sits in with '), tacks our own expression on with ||, and comments out whatever follows with //. var_dump prints the raw contents of flag.php, which sit inside a <?php ... ?> tag, so the browser does not render them.

View the page source and you see this:

<?php $FLAG="flag{3vald_@ss3rt_1s_best_a$$ert}"; ?>

 

Yaar Haar Fiddle Dee Dee (Forensics), 150 points

DO WHAT YE WANT 'CAUSE A PIRATE IS FREE. YOU ARE A PIRATE!

for200.pcapng

Solution

I opened this in Wireshark and found some interesting traffic. Following the TCP stream gave me a long text blob.

I saved the stream to a file and explored it further in Notepad++.

This looked like base64-encoded data: it starts with /9j/4AAQSkZJRgABAQAAAQABAAD/..., which is what a JPEG header (FF D8 FF E0 ... JFIF) looks like in base64. I prepended a data:image/jpeg;base64, header, uploaded the file to http://www.freeformatter.com/base64-encoder.html and downloaded the decoded output. (base64 -d does the same offline and keeps the evidence off third-party servers.)

I then ran binwalk on the decoded output:

root@kali:~/Desktop/CTF/CSAW# binwalk outpt

Towards the end of the listing, binwalk reported a zip archive containing a flag.txt file.

All data from 0 to 6540357 is part of the JPEG, but a zip archive starts at byte 6547617. Let's extract it with dd:

dd if=./outpt of=./clamflag skip=6547617 bs=1

(bs=1 makes dd copy one byte at a time, which is exact but slow on a 6 MB file.)

root@kali:~/Desktop/CTF/CSAW# file clamflag

clamflag: Zip archive data, at least v1.0 to extract

Oops! The archive is password-protected. fcrackzip to the rescue:

$ fcrackzip -v -D -u -p /usr/share/wordlists/rockyou.txt clamflag

(-D selects dictionary mode, -p names the wordlist, and -u has each candidate verified with unzip so that false positives from the zip checksum are discarded.)

We found the password and unzipped the archive to read the flag.
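The decode-and-carve steps above, as an added example that is not the author's commands: decode the saved stream with base64 -d instead of an online tool, locate the zip by its local-file-header signature (PK\3\4, the same bytes binwalk keys on when it reports "Zip archive data"), and carve from that offset with tail rather than byte-at-a-time dd. The input is a constructed stub (a fake JPEG with a fake zip glued on), so the carved file is checked by bytes rather than opened; on the real outpt the offset would be 6547617, and the password step stays with fcrackzip as in the text.

```shell
#!/bin/sh
# Added example (not the author's code): decode a base64 blob from a TCP
# stream, find the appended zip, and carve it out.

# Decode base64 text from $1 into $2. GNU syntax; older macOS uses base64 -D.
decode_b64() {
    base64 -d < "$1" > "$2"
}

# 0-based byte offset of the first zip local-file header (PK\3\4) in $1.
# Prints nothing and returns 1 when there is none.
zip_offset() {
    LC_ALL=C grep -abo -F "PK$(printf '\003\004')" "$1" | head -n 1 | cut -d: -f1 | grep .
}

# Copy $1 from byte offset $2 (0-based) to the end into $3.
# Same bytes as: dd if="$1" of="$3" bs=1 skip="$2", without the 1-byte reads.
carve_from() {
    tail -c +$(( $2 + 1 )) "$1" > "$3"
}

WORK=$(mktemp -d)
# Constructed sample: a 15-byte stub JPEG (SOI ... EOI) with a fake zip after it.
printf '\377\330\377\340JPEG-BODY\377\331' > "$WORK/stub.jpg"
printf 'PK\003\004fakezip' > "$WORK/stub.zip"
cat "$WORK/stub.jpg" "$WORK/stub.zip" | base64 > "$WORK/stream.b64"

decode_b64 "$WORK/stream.b64" "$WORK/outpt"
off=$(zip_offset "$WORK/outpt")                 # 15 for the sample
carve_from "$WORK/outpt" "$off" "$WORK/carved.zip"
# cmp "$WORK/carved.zip" "$WORK/stub.zip" now reports no difference
```

On a real file, check the carved result with file and unzip -l before spending time on cracking; a PK\3\4 inside the JPEG's own data would carve garbage, and the first hit is not always the one binwalk meant.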

 

Thanks to the CSAW team for the fun challenges!

 

 
