Level 14 shows the exact same format of a file to be downloaded, just like some of the past few levels. So, let’s download it and get started with some analysis.

Well, it seems like there is no file to be downloaded after all, upon clicking “Yes”, it basically opens up a phpMyAdmin SQL Dump with a lot of information, mainly the databases related to level 14. Strange enough, it seems like there was a WordPress blog being setup in this database before. There were many information in this dump, including the admin login credentials.

Among the entire list, one of the most suspicious record is definitely the id number 104 record of the “friends” table,

INSERT INTO `friends` (`id`, `name`, `address`, `status`) VALUES
(104, ‘\\u0069\\u006e\\u0066\\u006f\\u0073\\u0065\\u0063\\u005f\\u0066\\u006c\\u0061\\u0067\\u0069\\u0073\\u005f\\u0077\\u0068\\u0061\\u0074\\u0073\\u006f\\u0072\\u0063\\u0065\\u0072\\u0079\\u0069\\u0073\\u0074\\u0068\\u0069\\u0073’, ‘annoying’, ‘0x0a’);

Why is the name field made up from so many weird characters and numbers?

The string is actually a hexadecimal value being written into text. See the double backslash symbol, it is for displaying the string on HTML without having any syntax error. In order to see the “real” value, you should replace the double backslash symbols (\\) with single backslash symbols (\). You can do it yourself, or choose to copy from mine (I did it using notepad’s Find and Replace feature…)

\u0069\u006e\u0066\u006f\u0073\u0065\u0063\u005f\u0066\u006c\u0061\u0067\u0069\u0073\u005f\u0077\u0068\u0061\u0074\u0073\u006f\u0072\u0063\u0065\u0072\u0079\u0069\u0073\u0074\u0068\u0069\u0073

If you throw it into a Hexadecimal to ASCII converter tool, you will get the flag for level 14, “infosec_flagis_whatsorceryisthis”

Back to write-up list for InfoSec Institute CTF #1: Hacking for n00bz

In level 12, we see the familiar Yoda from level 1 again. It says “Dig deeper!”

Since they used back the same image from levelone, let us do a quick comparison between these 2 pages. The appearance are the same except for the words “May the source be with you!” vs “Dig deeper!”

What about the source code?

Yes, I bet you have noticed it too – the newly inserted Cascading Style Sheets (CSS) file.

<link href="css/design.css" rel="stylesheet">

When you open it, it simply show you a class with a color element, of which the color hexadecimal is obviously not a color reference. So, what is it? A flag, perhaps?

.thisloveis{
 color: #696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72;
}

Once again, let’s use the same hexadecimal-to-string converter to perform the conversion, and now we have the flag – “infosec_flagis_heyimnotacolor”

Back to write-up list for InfoSec Institute CTF #1: Hacking for n00bz

At first look, level 11 seems to be related to something specific to PHP scripting because it shows a very big PHP logo.

After taking a careful look, the PHP logo looks different from the original logo. Moreover, if you read the page source, you will noticed that the PHP logo is named as “img/php-logo-virus.jpg”. Why name the file as virus?

Just to be sure, let’s run it using the file command to identify what kind of file is it. In my Linux system, I run the file command:

file php-logo-virus.jpg

And below is the output:

php-logo-virus.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96×96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=6, name=infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9w], baseline, precision 8, 450×237, frames 3

Did you see it? It says “infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9w”

Running the encoded portion of the string through a base64 decoder tool will give you the following URL – “http://www.rollerski.co.uk/imagesb/p”, which essentially leads to an Error 404, page not found.

My logic – since the string turned out of be quite legit, yet the URL points to nothing. Probably the URL is incomplete. Therefore to verify this, we can run a strings command on the file to see what are the existing strings contained in the file.

strings php-logo-virus.jpg

Below is the output,

True enough, the string we gotten earlier was incomplete. Now we have the complete string:

infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9wb3dlcnNsaWRlX2xvZ29fbGFyZ2UuZ2lm

Let us put it through the base64 decoder tool again – there, it returns an image file – http://www.rollerski.co.uk/imagesb/powerslide_logo_large.gif

As strange as it seems to be, this is the flag for level 11, “infosec_flagis_powerslide”

Back to write-up list for InfoSec Institute CTF #1: Hacking for n00bz