CSAW CTF Quals 2016 Writeups



  • Sumo

This weekend was a very busy one for me, as I had to participate in 2 CTF events, MITRE and CSAW Quals, with my team, NaijaSecForce. We placed 191st out of 1274 teams in the CSAW Quals. Below are the writeups for some of the challenges I solved.

Forensics – Kill

Is kill can fix? Sign the autopsy file?



We were given a .pcapng file. This was quite easy, as our old friend grep did the job.


Fuzyll – 200 (Recon)

All files are lowercase with no spaces. Start here:

Author: fuzyll


This challenge was annoying and fun at the same time. Haha.

We visited and we saw

“CSAW 2016 FUZYLL RECON PART 1 OF ?: People actually liked last year's challenge, so CSAW made me do it again... Same format as last year, new stuff you need to look up. The next part is at /csaw2016/<the form of colorblindness I have>.”
The first step was to come up with our Google dork, site: color blindness. We found this URL and, after poring through the webpage, we saw this: “The test identified me as a "Strong Deutan", which means I have Deuteranomaly (the most common kind of colorblindness)”.
We tried and whoops, it worked.
This was a binary file of 3MB.
We opened it and found this

So I’m here wondering – is this a sign that I have to increase my fruit intake? :D
I checked this fruit using exiftool and we found the next hint:

“CSAW 2016 FUZYLL RECON PART 2 OF ?: No, strawberries don't look exactly like this, but it's reasonably close. You know what else I can't see well? /csaw2016/<the first defcon finals challenge i ever scored points on>.”

Come on, man! How do I know the first defcon finals challenge you scored a point on? Anyway, Google to the rescue again.

I recall Fuzyll recently released a Defcon CTF VM with challenges right from its inception here. I then copied all the content off that page, pasted it into Notepad++ and, with some notepad-fu skills (I know Python would have done a faster job), I created a wordlist of all the content on the webpage, one word per line.

I then fed this into DirBuster to brute-force the directory. I then found this. So yeah, tomato was the first Defcon CTF finals challenge fuzyll scored a point on.

I then checked what kind of file tomato was:

tomato: Non-ISO extended-ASCII text, with NEL line terminators

We need to convert tomato to readable text. I used this quick bash script:

# Decode tomato from every encoding iconv lists, one output file per encoding
for f in $(iconv -l); do echo "Converting ${f%//} ..."; iconv -f "${f%//}" -t UTF-8 < tomato > "pepper.${f%//}.txt"; done

This decodes tomato from every encoding iconv lists into UTF-8, one output file per encoding. I got close to 1000 files.

So how do I sort through these to get one that contains “CSAW”? I ran another bash one-liner:

$ IFS=$(echo -en "\n\b") ; for i in $(grep -Hi "CSAW" *); do echo $i | awk '{print $1}'; done

One of the files with a readable text was


I read that and I got the next hint:

root@kali:~/Desktop/CTF/CSAW# cat pepper.CP1158.txt

CSAW 2016 FUZYLL RECON PART 3 of ?: I don't even like tomatoes] Anyway, outside of CTFs, I've been playing a fair amount of World of WarCraft over the past year (never thought I'd be saying that after Cataclysm, but here we are). The next part is at /csaw2016/<my main WoW character's name>.
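
The same two steps (decode with every known encoding, then search for "CSAW") can be done in memory without writing close to 1000 files. This is an added example, not part of the original writeup: it uses Python's built-in codecs instead of iconv, and SAMPLE is a constructed stand-in for the tomato file, not its real contents.

```python
"""Find which codecs turn an unreadable blob into text containing a known crib."""
import encodings.aliases
from collections import defaultdict

# Constructed sample: EBCDIC (cp037) bytes ending in NEL (0x15). It stands in
# for the challenge file; the real file contents are not reproduced here.
SAMPLE = "CSAW sample hint: I don't even like tomatoes!".encode("cp037") + b"\x15"


def all_codecs():
    """Canonical names of every codec Python registers an alias for."""
    return sorted(set(encodings.aliases.aliases.values()))


def decode_candidates(data, crib):
    """Map each distinct decoding that contains `crib` to the codecs producing it."""
    groups = defaultdict(list)
    for name in all_codecs():
        try:
            text = data.decode(name)
        except (ValueError, LookupError):
            # Bytes are invalid for this codec, or it is not a text codec
            # (base64, zlib, ...) or is unavailable on this platform.
            continue
        # Case-insensitive match, like the grep -i in the writeup.
        if crib.lower() in text.lower():
            groups[text].append(name)
    return dict(groups)


def codecs_matching(data, crib):
    """Flat, sorted list of codec names whose decoding contains `crib`."""
    groups = decode_candidates(data, crib)
    return sorted(name for names in groups.values() for name in names)


if __name__ == "__main__":
    # Codecs that produce identical text are printed together, so the
    # differences between near-identical code pages are easy to spot.
    for text, names in decode_candidates(SAMPLE, "CSAW").items():
        print(", ".join(names))
        print("    " + repr(text))
```

Grouping by decoded text shows that sibling EBCDIC code pages agree on the letters but not on punctuation, so a crib hit narrows the encoding family rather than pinning down the exact code page.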

Okay, let me chip in here that I hardly ever play games, aside from Pro Evolution Soccer, maybe.

I then visited this Wikipedia page and generated a list of WoW characters to form my wordlist.

I fed this to DirBuster again and we got

I checked jade and I saw the next hint:

CSAW 2016 FUZYLL RECON PART 5 OF 6: I haven't spent the entire year playing video games, though. This past March, I spent time completely away from computers in Peru. This shot is from one of the more memorable stops along my hike to Machu Picchu. To make things easier on you, use only ASCII: /csaw2016/<the name of these ruins>.