
ICECTF 2016 Writeups

| Posted in Security Articles |

  • Sumo

I recently started participating in CTF events with my team, NaijaSecForce. However, due to time constraints, it has always been a struggle coming up with writeups on how we solved some of the challenges. Luckily, ICECTF 2016 was on for 2 weeks – so I was able to come up with writeups for some of the challenges I solved.

ICECTF is a Jeopardy-style CTF where you are given a question or task from which you are supposed to extract a flag. I participated with my team NaijaSecForce and we placed 188th out of 1696 teams (yaaay... we made top 11% :-). So without further ado, let’s get to cracking.

Stage 1

Spotlight (Web – 10 Points)

Someone turned out the lights and now we can't find anything. Send halp! spotlight

Solution

Once you view the source of the webpage, you will see <script src="spotlight.js"></script>

View the content of this “spotlight.js” file and you will see the flag

IceCTF{5tup1d_d3v5_w1th_th31r_l095}

 

All your Base are belong to us (Misc · 15 pt)

What a mess… we got a raw flag but now what do we do… flag.txt

Solution

This is obviously binary, and all we had to do was convert it to ASCII. I came up with some quick Python code to do that.

import binascii

r = int('01001001011000110110010101000011010101000100011001111011011000010110110000110001010111110110110101111001010111110110001001100001011100110110010101110011010111110110000101110010011001010101111101111001011011110111010101110010011100110101111101100001011011100110010001011111011000010110110001101100010111110111100100110000011101010111001001011111011000100110000101110011011001010111001101011111011000010111001001100101010111110110110101101001011011100110010101111101', 2)

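# '%x' renders the integer as hex digits; unhexlify turns those digits back into bytes
print(binascii.unhexlify('%x' % r).decode())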

 

IceCTF{al1_my_bases_are_yours_and_all_y0ur_bases_are_mine}

 

Rotated! (Cryptography · 20 pt)

They went and ROTated the flag by 5 and then ROTated it by 8! The scoundrels! Anyway once they were done this was all that was left VprPGS{jnvg_bar_cyhf_1_vf_3?}

Solution

There seems to be a hint here as 5+8 = 13 and ROT13 is a common substitution cipher.

Using http://rumkin.com/tools/cipher/rot13.php , we got IceCTF{wait_one_plus_1_is_3?}

 

Move Along (Web · 30 pt)

This site seems awfully suspicious, do you think you can figure out what they're hiding?

Solution

Let’s start by viewing the source, i.e. view-source:http://move-along.vuln.icec.tf/ , where we can see <img src="move_along/nothing-to-see-here.jpg"></img> . Then we browse to the directory http://move-along.vuln.icec.tf/move_along/ . In there, we can see another directory, http://move-along.vuln.icec.tf/move_along/0f76da769d67e021518f05b552406ff6/ , which leads us to our flag, secret.jpg

Substituted (Cryptography · 30 pt)

We got a substitute flag, I hear they are pretty lax on the rules… crypted.txt

Solution

Using http://quipqiup.com/index.php , we got our flag IceCTF{always_listen_to_your_substitute_flags}

 

Time Traveler (Forensics · 45 pt)

I can assure you that the flag was on this website at some point in time.

Solution

There is a popular website, “The Wayback Machine”, which provides links to older versions of a webpage. So we searched for http://time-traveler.icec.tf in https://archive.org/web/ and we got our flag:

IceCTF{Th3y'11_n3v4r_f1|\|d_m4h_fl3g_1n_th3_p45t}

 

Stage 2

Complacent (Reconnaissance · 40 pt)

These silly bankers have gotten pretty complacent with their self-signed SSL certificate. I wonder if there's anything in there. complacent.vuln.icec.tf

Solution

Open https://complacent.vuln.icec.tf/ in the Chrome browser, click on the “SSL lock” >> click on Details >> Certificate details, and in the “Issuer” field you will see our flag

Hidden in Plain Sight (Reverse Engineering · 45 pt)

Make sure you take a real close look at it, it should be right there! /home/plain_sight/ or download it here

Solution

Open the file in any hex editor or use radare2. The flag is in plain sight.

Toke (Web · 45 pt)

I have a feeling they were pretty high when they made this website

Solution

  1. Register a new user
  2. View the cookies parameter and you will notice a jwt_token
  3. There is a JWT decoder available online at https://jwt.io/
  4. Decode and get your flag
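
What the online decoder does in step 4, as an added example (not part of the original writeup): a JWT's header and payload are only base64url-encoded JSON, so anyone holding the cookie can read the claims without the signing key. The token, claim names and secret below are constructed placeholders, not the challenge's values.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment):
    # JWT segments are base64url with the '=' padding stripped; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_unverified(token):
    """Return (header, payload) of a compact JWT without checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def make_sample_token():
    # Constructed sample: an HS256 token signed with a key the reader never needs.
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"user": "demo", "flag": "IceCTF{placeholder}"}
    signing_input = ".".join(
        b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
        for obj in (header, payload)
    )
    sig = hmac.new(b"server-side-secret", signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


if __name__ == "__main__":
    hdr, claims = decode_jwt_unverified(make_sample_token())
    print(hdr)
    print(claims)  # readable without the secret: the signature gives integrity, not secrecy
```
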

 

 

Flag Storage (Web · 50 pt)

What a cheat, I was promised a flag and I can't even log in. Can you get in for me? flagstorage.vuln.icec.tf. They seem to hash their passwords, but I think the problem is somehow related to this.

Solution

We were given the hint that the challenge was related to SQL injection, so we tried a basic SQLi login bypass, i.e. username: admin'/* ; password: admin'/* and we got our flag

IceCTF{why_would_you_even_do_anything_client_side}
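
Why the input above gets past the login check, and the fix, as an added example (not the challenge's server code, which the writeup does not show). It assumes a login query built by string concatenation, uses an in-memory SQLite database as a stand-in, and the table and column names are hypothetical; SQLite, like the comment syntax used above, treats an unterminated /* as a comment running to the end of the statement.

```python
import hashlib
import sqlite3


def make_db():
    # Constructed sample data; schema and credentials are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    db.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("admin", hashlib.sha256(b"correct horse").hexdigest()),
    )
    return db


def login_concatenated(db, username, password_hash):
    # Vulnerable form: input is spliced into the SQL text, so a quote in the
    # username closes the string literal and the rest is parsed as SQL.
    query = (
        "SELECT 1 FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return db.execute(query).fetchone() is not None


def login_parameterized(db, username, password_hash):
    # Hardened form: values are bound as data and never reach the SQL parser.
    query = "SELECT 1 FROM users WHERE username = ? AND password_hash = ?"
    return db.execute(query, (username, password_hash)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    supplied = "admin'/*"  # the value from the writeup, used for both fields
    # The comment swallows the password comparison, so only the username is checked.
    print("concatenated:", login_concatenated(db, supplied, supplied))
    # Bound as a literal string, it matches no row.
    print("parameterized:", login_parameterized(db, supplied, supplied))
```
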

 

Exposed! (Web · 60 pt)

John is pretty happy with himself, he just made his first website! He used all the hip and cool systems, like NginX, PHP and Git! Everyone is so happy for him, but can you get him to give you the flag?

Solution

I had previously solved similar challenges – so what I did was to make use of GitTools.

I then navigated to the GitTools directory and ran this

root@kali:~/Desktop/GitTools/Dumper# ./gitdumper.sh http://exposed.vuln.icec.tf/.git/ exposed

 

root@kali:~/Desktop/GitTools# ./extractor.sh ~/Desktop/GitTools/Dumper/exposed ~/Desktop/GitTools/exponew

Then we use our dear old friend, grep, to search for the flag