
OverTheWire Bandit Write-up

I created a series of detailed step-by-step walkthrough video with explanations.
Check out the playlist here: https://www.youtube.com/watch?v=93PE-kStl34&list=PL2mncq0mb-6ibI02KufoaXnZHgNc6G9dO

A list of write-ups for OverTheWire Bandit, a simple Capture The Flag (CTF) game aimed at beginners.

The objective of the game is to solve the challenges and find the password to proceed to the next level.

To get started, the player needs to know how to connect to the server using Secure Shell (SSH), which is the bread and butter of any information security professional. Fine, probably something essential for any IT professional to know how to use.

For an absolute beginner who has not used SSH before, it is never too late to get started. Put on a learning hat and try out the OverTheWire Bandit challenges!

OverTheWire Bandit

While the website itself mentions that the challenges are designed for beginners, it is still fun for IT professionals to challenge themselves.


List of Write-ups


Hacking for n00bz – Level 14

Level 14 shows exactly the same "download a file" format as the past few levels. So, let's download it and get started with some analysis.


Well, it seems there is no file to be downloaded after all: upon clicking "Yes", it opens a phpMyAdmin SQL dump with a lot of information, mainly the databases related to level 14. Strangely, it seems a WordPress blog was set up in this database before. There is plenty of information in this dump, including the admin login credentials.

Among the entire list, one of the most suspicious records is definitely id 104 of the "friends" table:

INSERT INTO `friends` (`id`, `name`, `address`, `status`) VALUES
(104, '\\u0069\\u006e\\u0066\\u006f\\u0073\\u0065\\u0063\\u005f\\u0066\\u006c\\u0061\\u0067\\u0069\\u0073\\u005f\\u0077\\u0068\\u0061\\u0074\\u0073\\u006f\\u0072\\u0063\\u0065\\u0072\\u0079\\u0069\\u0073\\u0074\\u0068\\u0069\\u0073', 'annoying', '0x0a');

Why is the name field made up from so many weird characters and numbers?

The string is a sequence of \uXXXX Unicode escapes (the JSON/JavaScript style): each \u is followed by four hexadecimal digits naming one code point, and every code point here is in the ASCII range. The double backslashes are a second layer on top of that: inside a MySQL string literal a backslash is the escape character, so the dump writes each literal backslash as \\. To see the value as it is actually stored, replace every double backslash (\\) with a single backslash (\). You can do it yourself, or copy from mine (I did it using Notepad's Find and Replace feature...)

\u0069\u006e\u0066\u006f\u0073\u0065\u0063\u005f\u0066\u006c\u0061\u0067\u0069\u0073\u005f\u0077\u0068\u0061\u0074\u0073\u006f\u0072\u0063\u0065\u0072\u0079\u0069\u0073\u0074\u0068\u0069\u0073

Decode each \uXXXX (a hexadecimal-to-ASCII converter will do, since 0x69 is "i", 0x6e is "n", and so on) and you will get the flag for level 14, "infosec_flagis_whatsorceryisthis".

Back to write-up list for InfoSec Institute CTF #1: Hacking for n00bz


Hacking for n00bz – Level 13

Level 13 requires us to find the backup file for the challenge. Well, it looks like the search for the backup file is the challenge itself.


I tried to navigate to some of the common web pages I could think of, such as /levelthirteen-backup.php, /levelthirteen_backup.php, /archive.php, /archives.php, /backup.php, /backups.php, etc., but there seemed to be no luck. After that, I read some forums; it seems some people do quick backups based on dates or versions, such as /levelthirteen.php.20160520 or /levelthirteen.php.v2.2, etc.

And then there are also some people who conveniently add "old" after the file name, such as /levelthirteen.php.old, which in this case is the location where the backup of level 13 is stored. Trial and error: checked!
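The guessing above can be scripted. The following is an added example for this write-up, not the CTF's own code: it generates the kinds of backup names tried by hand (suffixes such as .old, infixes such as -backup, editor leftovers, version and date stamps; the wordlist itself is an assumption) and probes them with HEAD requests, treating any non-404 answer, including 403, as a sign that the file exists.

```python
"""Generate and probe likely backup copies of a web page.

Added example for the level 13 write-up, not the CTF's own code. The naming
habits below (suffixes, infixes, editor leftovers, date stamps) are an assumed
wordlist: the same guesses made by hand in the write-up, just systematised.
"""
from datetime import date, timedelta
from urllib.error import HTTPError, URLError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

SUFFIXES = [".old", ".bak", ".backup", ".orig", ".save", ".copy", "~", ".1", ".txt"]
INFIXES = ["-backup", "_backup", "-old", "_old", ".old", "-copy", "2"]
VERSIONS = [".v1", ".v2", ".v2.2"]


def backup_candidates(page, days_back=0, today=None):
    """Return an ordered, de-duplicated list of candidate backup paths for `page`.

    `today` is an ISO date string; pass a fixed one to make the output reproducible.
    """
    stem, dot, ext = page.rpartition(".")
    if not dot:                                  # page has no extension at all
        stem, ext = page, ""
    cands = [page + s for s in SUFFIXES + VERSIONS]
    cands += [stem + i + dot + ext for i in INFIXES]
    cands += ["." + page + ".swp", "#" + page + "#"]   # vim and emacs leftovers
    base = date.fromisoformat(today) if today else date.today()
    for d in range(days_back + 1):
        cands.append(page + "." + (base - timedelta(days=d)).strftime("%Y%m%d"))
    seen = set()
    return [c for c in cands if not (c in seen or seen.add(c))]


def probe(base_url, candidates, timeout=5):
    """HEAD each candidate URL; return (url, status) for every answer that is not 404."""
    hits = []
    for cand in candidates:
        url = urljoin(base_url, cand)
        try:
            with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
                hits.append((url, resp.status))
        except HTTPError as err:
            if err.code != 404:                  # 403 or 401 still means the file is there
                hits.append((url, err.code))
        except URLError:
            pass                                 # connection problem: nothing to report
    return hits


if __name__ == "__main__":
    import sys
    cands = backup_candidates("levelthirteen.php", days_back=3)
    if len(sys.argv) > 1:                        # e.g. http://host/directory/
        for url, status in probe(sys.argv[1], cands):
            print(status, url)
    else:
        print("\n".join(cands))
```

Run it with the challenge directory's URL as the only argument to probe, or with no argument to just print the wordlist and feed it to another tool.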

As shared in my previous write-ups, I like to run file and strings on any file I come across as a simple first check. And that is exactly what I did.

strings levelthirteen.php.old

Based on the content of the backup file, we can see a new PHP code snippet which prompts us to download a mysterious file, "misc/imadecoy", the same way as in the past challenges. I bet you are getting the hang of it by now. Let's check what that mysterious file is.

file imadecoy

Below is the output:

imadecoy: tcpdump capture file (little-endian) - version 2.4 (Linux "cooked", capture length 65535)

It is a tcpdump (pcap) capture file, taken on a Linux "cooked" (any-interface) capture rather than a plain Ethernet one. Remember we used Wireshark to open and analyse the pcap file in level 6? Let's do the same for this file.

First, open the file; as you can see, there is a lot of DNS traffic. Let's look for HTTP traffic with a display filter (the plain protocol filter http works as well):

tcp contains http


Quite a number of files related to honeypy were transmitted during the capture. You will also notice that the source and destination are both 127.0.0.1 (localhost), so you cannot visit the same website to see the contents. However, the complete responses are in the capture, so you can export the objects from it. Go to "File > Export Objects > HTTP..." and you will see the following prompt:


You can choose to save all files and perform further analysis. For level 13, you only need the "HoneyPY.PNG" file, as the flag is right in the image: "infosec_flagis_morepackets".
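What the export dialog does under the hood is TCP reassembly followed by HTTP body carving, and it is worth seeing once without Wireshark. The block below is an added example for this write-up, not the CTF's or Wireshark's own code. It reads a classic pcap (Ethernet or Linux cooked link type, the one file reported), joins each TCP flow in sequence order, pairs GET requests with their responses and cuts out each body by Content-Length. The embedded capture is constructed, a single localhost request for a PNG whose reply is split across two out-of-order packets; it assumes IPv4, no chunked transfer encoding and no conflicting retransmissions.

```python
"""Carve HTTP objects out of a pcap by hand (what Wireshark's Export Objects does).

Added example for the level 13 write-up, not the CTF's or Wireshark's own code.
Classic pcap only, Ethernet (1) or Linux cooked (113) link type, IPv4/TCP only;
assumes flows with no conflicting retransmits and no chunked bodies.
"""
import struct
import sys
from collections import defaultdict

LINKTYPE_ETHERNET, LINKTYPE_LINUX_SLL = 1, 113


def read_pcap(data):
    """Yield (linktype, frame) for each record of a classic pcap file."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(end + "HHiIII", data[4:24])[5]
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def tcp_segments(records):
    """Yield (src, sport, dst, dport, seq, payload) for IPv4/TCP segments carrying data."""
    for linktype, frame in records:
        hdr_len = {LINKTYPE_ETHERNET: 14, LINKTYPE_LINUX_SLL: 16}.get(linktype)
        if hdr_len is None:
            continue
        ethertype = struct.unpack("!H", frame[hdr_len - 2:hdr_len])[0]  # last field of both headers
        ip = frame[hdr_len:]
        if ethertype != 0x0800 or ip[0] >> 4 != 4 or ip[9] != 6:
            continue
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield ip[12:16], sport, ip[16:20], dport, seq, payload


def reassemble(segments):
    """Join each unidirectional flow's payload in sequence-number order."""
    flows = defaultdict(dict)
    for src, sport, dst, dport, seq, payload in segments:
        flows[(src, sport, dst, dport)].setdefault(seq, payload)  # drop exact retransmits
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in flows.items()}


def carve_http_objects(pcap_bytes):
    """Return {request_uri: response_body} for GETs answered with a Content-Length body."""
    streams = reassemble(tcp_segments(read_pcap(pcap_bytes)))
    objects = {}
    for (src, sport, dst, dport), requests in streams.items():
        uris = [line.split(b" ")[1].decode("ascii", "replace")
                for line in requests.split(b"\r\n") if line.startswith(b"GET ")]
        responses, pos = streams.get((dst, dport, src, sport), b""), 0
        for uri in uris:  # HTTP/1.1 answers in request order, so pair positionally
            start = responses.find(b"HTTP/1.", pos)
            hdr_end = responses.find(b"\r\n\r\n", start) if start >= 0 else -1
            if hdr_end < 0:
                break
            headers = responses[start:hdr_end].lower().split(b"\r\n")
            length = next((int(h.split(b":", 1)[1].strip()) for h in headers
                           if h.startswith(b"content-length:")), 0)
            pos = hdr_end + 4
            objects[uri] = responses[pos:pos + length]
            pos += length
    return objects


def build_sample_pcap():
    """Constructed Linux-cooked capture: one localhost GET for a PNG and its reply."""
    lo = bytes([127, 0, 0, 1])

    def record(sport, dport, seq, payload):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, lo, lo) + tcp
        frame = struct.pack("!HHH8sH", 0, 772, 6, bytes(8), 0x0800) + ip  # SLL header, ARPHRD_LOOPBACK
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

    body = b"\x89PNG\r\n\x1a\n(constructed image data)"
    request = b"GET /HoneyPY.PNG HTTP/1.1\r\nHost: localhost\r\n\r\n"
    response = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: %d\r\n\r\n" % len(body) + body
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_LINUX_SLL)
    # The reply is split in two and recorded out of order to exercise reassembly.
    return (header + record(40000, 8000, 1, request)
            + record(8000, 40000, 31, response[30:]) + record(8000, 40000, 1, response[:30]))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for uri, body in carve_http_objects(data).items():
        print(f"{uri}: {len(body)} bytes", "(PNG)" if body.startswith(b"\x89PNG") else "")
```

Pass a capture file as the only argument to list the objects it contains; with no argument it runs on the constructed sample. Bodies can then be written to disk and checked with file, exactly as done for the exported HoneyPY.PNG above.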



Hacking for n00bz – Level 12

In level 12, we see the familiar Yoda from level 1 again. This time it says "Dig deeper!"


Since they reused the same image from level one, let us do a quick comparison between the two pages. They look the same except for the words "May the source be with you!" vs "Dig deeper!"

What about the source code?


Yes, I bet you have noticed it too: the newly added Cascading Style Sheets (CSS) file.

<link href="css/design.css" rel="stylesheet">

When you open it, it simply shows a class with a color property whose hexadecimal value is obviously not a color reference: a CSS hex color has 3, 4, 6 or 8 digits, and this one has 58. So, what is it? A flag, perhaps?

.thisloveis{
 color: #696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72;
}

Once again, let's use the same hexadecimal-to-string converter (each pair of hex digits is one ASCII byte) to perform the conversion, and now we have the flag: "infosec_flagis_heyimnotacolor".
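Level 14 and level 12 are the same trick with different wrapping: a flag hidden in plain sight behind one or two encoding layers. The block below is an added example covering both write-ups, not the CTF's own code. It peels the layers seen on this page in turn (the backslash doubling of a MySQL dump, \uXXXX escapes, and bare hex with an optional 0x or # prefix) and keeps only results that are fully decoded and printable, so the two raw values quoted above come out as their flags. The CSS length check is the same sanity test a reader does by eye: real hex colors have 3, 4, 6 or 8 digits.

```python
"""Peel the encoding layers off a suspicious database or CSS value.

Added example for the level 14 and level 12 write-ups, not the CTF's own code.
Layers handled: MySQL-dump string escaping (a literal backslash is dumped as \\),
JSON-style \\uXXXX escapes, and bare hex (optionally 0x- or #-prefixed) that spells
printable text. The two sample values are the ones quoted in the write-ups.
"""
import re

UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
HEX_RUN = re.compile(r"^(?:0x|#)?([0-9a-fA-F]+)$")

LEVEL14_RAW = (r"\\u0069\\u006e\\u0066\\u006f\\u0073\\u0065\\u0063\\u005f\\u0066\\u006c"
               r"\\u0061\\u0067\\u0069\\u0073\\u005f\\u0077\\u0068\\u0061\\u0074\\u0073"
               r"\\u006f\\u0072\\u0063\\u0065\\u0072\\u0079\\u0069\\u0073\\u0074\\u0068"
               r"\\u0069\\u0073")
LEVEL12_RAW = "#696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72"


def sql_unescape(value):
    """Undo the backslash doubling mysqldump applies inside string literals."""
    return value.replace("\\\\", "\\")


def decode_unicode_escapes(value):
    """Replace every \\uXXXX with the code point it names."""
    return UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), value)


def decode_hex(value):
    """Decode an even-length hex run as ASCII text, or return None."""
    m = HEX_RUN.match(value.strip())
    if not m or len(m.group(1)) % 2:
        return None
    try:
        return bytes.fromhex(m.group(1)).decode("ascii")
    except UnicodeDecodeError:
        return None


def decode_candidates(value):
    """Peel layers breadth-first; return the printable results with no backslash left."""
    seen, results, queue = set(), [], [value]
    while queue:
        cur = queue.pop(0)
        if cur in seen:
            continue
        seen.add(cur)
        if cur != value and "\\" not in cur and cur.isprintable():
            results.append(cur)
        for nxt in (sql_unescape(cur), decode_unicode_escapes(cur), decode_hex(cur)):
            if nxt and nxt != cur:
                queue.append(nxt)
    return results


def looks_like_css_color(hex_value):
    """True only for the digit counts CSS allows (#rgb, #rgba, #rrggbb, #rrggbbaa)."""
    digits = hex_value.lstrip("#")
    return bool(re.fullmatch(r"[0-9a-fA-F]+", digits)) and len(digits) in (3, 4, 6, 8)


if __name__ == "__main__":
    for raw in (LEVEL14_RAW, LEVEL12_RAW):
        print(raw[:40] + "...", "->", decode_candidates(raw))
    print("level 12 value is a valid CSS color:", looks_like_css_color(LEVEL12_RAW))
```

The breadth-first peel matters: applying the \uXXXX decoder before the dump unescaping produces a string of stray backslashes, which the "no backslash left" filter discards, while the correct order reaches the flag.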
