
Hacking for n00bz – Level 13

Level 13 requires us to find the backup file for the challenge. Well, it looks like the search for the backup file is the challenge itself.

[Screenshot: n00bz Level 13]

I tried navigating to some of the common page names I could think of, such as /levelthirteen-backup.php, /levelthirteen_backup.php, /archive.php, /archives.php, /backup.php, /backups.php, etc., but there seemed to be no luck. After that, I read some forums; it seems some people make quick backups named by date or version, such as /levelthirteen.php.20160520 or /levelthirteen.php.v2.2, etc.

And then there are also some people who conveniently add "old" behind the file name, such as /levelthirteen.php.old, which in this case is the location where the backup of level 13 is stored. Trial and error – checked!

As shared in my previous write-ups, I like to run file and strings on any file that I come across to perform a simple check. And that is exactly what I did.

strings levelthirteen.php.old

Based on the content of the backup file, we can see a new PHP code snippet which prompts us to download a mysterious file, "misc/imadecoy", just like in the past challenges. I bet you are getting the hang of it by now. Let's check what that new mysterious file we just downloaded is.

file imadecoy

Below is the output:

imadecoy: tcpdump capture file (little-endian) – version 2.4 (Linux “cooked”, capture length 65535)

Looks like it is a tcpdump capture file. Remember we used Wireshark to open and analyse the pcap file in level 6? Let’s do the same for this file.

First, open the file. As you can see, there is a lot of DNS traffic. Let's look for HTTP traffic by applying the packet display filter,

tcp contains http

[Screenshot: n00bz Level 13]

Looks like quite a number of files related to honeypy were transmitted during the tcpdump capture. You will also notice that the source and destination are both 127.0.0.1 / localhost. If that is the case, you cannot go to the same website to see the contents. However, you can export the objects: go to "File > Export Objects > HTTP…" and you will see the following prompt,

[Screenshot: n00bz Level 13]

You can choose to save all files and perform further analysis. For level 13, you will only require the "HoneyPY.PNG" file, as the flag is right in the file. The flag is "infosec_flagis_morepackets".
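
The export step can also be scripted, which helps when a capture is loopback-only and the files cannot be fetched from the server again. The following is an added example in Python, not part of the original write-up: a minimal parser for a Linux "cooked" pcap (link type 113, the format file reported for imadecoy) that lists the endpoints seen and pairs each single-segment HTTP request with the body of the response on the reverse flow, which is what Wireshark's Export Objects does. The capture it reads is constructed inline (a loopback GET for HoneyPY.PNG with a made-up body) and is not the CTF's imadecoy file; a real capture would also need TCP stream reassembly for responses that span several segments.

```python
import struct

LINKTYPE_LINUX_SLL = 113      # Linux "cooked" capture, the link type file(1) reported for imadecoy
PCAP_MAGIC_LE = 0xA1B2C3D4    # little-endian pcap magic


def _ipv4(addr):
    return ".".join(str(b) for b in addr)


def tcp_segments(pcap):
    """Yield (src, sport, dst, dport, payload) for every TCP segment in a cooked capture."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian pcap file")
    if linktype != LINKTYPE_LINUX_SLL:
        raise ValueError("expected a Linux cooked capture (link type 113)")
    off = 24                                      # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # SLL header: pkttype(2) hatype(2) halen(2) addr(8) protocol(2), big-endian
        if len(frame) < 36 or struct.unpack_from("!H", frame, 14)[0] != 0x0800:
            continue                              # not IPv4
        ip = frame[16:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:
            continue                              # not TCP
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield _ipv4(ip[12:16]), sport, _ipv4(ip[16:20]), dport, tcp[data_off:]


def endpoints(pcap):
    """Set of (src, dst) pairs seen: confirms whether the capture is loopback-only."""
    return {(s, d) for s, _, d, _, _ in tcp_segments(pcap)}


def export_http_objects(pcap):
    """Pair each HTTP request with the response on the reverse flow; return {request path: body}.
    Single-segment messages only: a full extractor must reassemble the TCP stream first."""
    pending, objects = {}, {}
    for src, sport, dst, dport, payload in tcp_segments(pcap):
        if payload.startswith((b"GET ", b"POST ")):
            pending[(src, sport, dst, dport)] = payload.split(b" ", 2)[1].decode("ascii", "replace")
        elif payload.startswith(b"HTTP/") and b"\r\n\r\n" in payload:
            path = pending.pop((dst, dport, src, sport), None)
            if path is not None:
                objects[path] = payload.split(b"\r\n\r\n", 1)[1]
    return objects


def _segment(src, sport, dst, dport, payload):
    """One pcap record: SLL + IPv4 + TCP (PSH|ACK) + payload. Checksums are left zero; the parser ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split("."))) + tcp
    sll = struct.pack("!HHH8sH", 0, 772, 6, b"\0" * 8, 0x0800)   # hatype 772 = ARPHRD_LOOPBACK
    frame = sll + ip
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


SAMPLE_BODY = b"\x89PNG\r\n\x1a\nconstructed-sample-body"   # constructed stand-in, not the real HoneyPY.PNG


def build_sample_capture():
    """Constructed two-packet capture (not the CTF's imadecoy): a loopback GET for HoneyPY.PNG and its reply."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_LINUX_SLL)
    request = b"GET /HoneyPY.PNG HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"
    response = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
                b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY)) + SAMPLE_BODY
    return (header
            + _segment("127.0.0.1", 40000, "127.0.0.1", 80, request)
            + _segment("127.0.0.1", 80, "127.0.0.1", 40000, response))


if __name__ == "__main__":
    cap = build_sample_capture()
    print("endpoints:", endpoints(cap))
    for path, body in export_http_objects(cap).items():
        print(path, len(body), "bytes, starts with", body[:8])
```

Run it against a real file by replacing build_sample_capture() with the bytes read from disk; the endpoints set will show the 127.0.0.1 to 127.0.0.1 pairs the write-up mentions, and export_http_objects returns each fetched file by path, ready to be written out and inspected.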

Back to write-up list for InfoSec Institute CTF #1: Hacking for n00bz

Hacking for n00bz – Level 12

In level 12, we see the familiar Yoda from level 1 again. It says “Dig deeper!”

[Screenshot: n00bz Level 12]

Since they reused the same image from level one, let us do a quick comparison between these two pages. The appearance is the same except for the words "May the source be with you!" vs "Dig deeper!"

What about the source code?

[Screenshot: n00bz Level 12]

Yes, I bet you have noticed it too: the newly inserted Cascading Style Sheets (CSS) file.

<link href="css/design.css" rel="stylesheet">

When you open it, it simply shows you a class with a color property, whose hexadecimal value is obviously not a color reference. So, what is it? A flag, perhaps?

.thisloveis{
 color: #696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72;
}

Once again, let's use the same hexadecimal-to-string converter to perform the conversion, and now we have the flag: "infosec_flagis_heyimnotacolor".

Hacking for n00bz – Level 11

At first look, level 11 seems to be related to something specific to PHP scripting because it shows a very big PHP logo.

[Screenshot: n00bz Level 11]

After taking a careful look, the PHP logo looks different from the original logo. Moreover, if you read the page source, you will notice that the PHP logo is named "img/php-logo-virus.jpg". Why name the file "virus"?

Just to be sure, let's run it through the file command to identify what kind of file it is. On my Linux system, I ran:

file php-logo-virus.jpg

And below is the output:

php-logo-virus.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96×96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=6, name=infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9w], baseline, precision 8, 450×237, frames 3

Did you see it? It says “infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9w”

Running the encoded portion of the string through a base64 decoder tool gives you the following URL, "http://www.rollerski.co.uk/imagesb/p", which leads to an Error 404, page not found.

My logic: since the string turned out to be quite legit, yet the URL points to nothing, the URL is probably incomplete. To verify this, we can run the strings command on the file to see what strings the file actually contains.

strings php-logo-virus.jpg

Below is the output,

[Screenshot: n00bz Level 11]

True enough, the string we got earlier was incomplete. Now we have the complete string:

infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9wb3dlcnNsaWRlX2xvZ29fbGFyZ2UuZ2lm
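
The summary printed by file was cut short, while strings happened to print the whole value because it dumps every printable run in the file. A more reliable way to get the full text is to read the Exif metadata directly. The following is an added example in Python, not part of the original write-up: a small Exif reader that walks the JPEG marker segments, finds the APP1/Exif block and returns every ASCII-typed entry of IFD0, together with a builder that constructs a stand-in JPEG to run it against. The real php-logo-virus.jpg is not reproduced here, and the page does not say which Exif tag held the flag; the example stores it in ImageDescription (tag 0x010E) as an assumption.

```python
import struct

IMAGE_DESCRIPTION = 0x010E   # assumed tag; the write-up does not say which Exif field the CTF file used
FULL_FLAG = "infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9wb3dlcnNsaWRlX2xvZ29fbGFyZ2UuZ2lm"


def build_sample_jpeg(description):
    """Constructed JPEG skeleton (SOI, APP1/Exif with one IFD0 entry, EOI), not the real php-logo-virus.jpg."""
    text = description.encode("ascii") + b"\0"           # Exif ASCII values are NUL-terminated
    ifd_off = 8                                           # IFD0 directly after the 8-byte TIFF header
    data_off = ifd_off + 2 + 12 + 4                       # entry count + one entry + next-IFD pointer
    if len(text) <= 4:                                    # TIFF rule: values of 4 bytes or fewer sit inline
        entry, tail = struct.pack(">HHI", IMAGE_DESCRIPTION, 2, len(text)) + text.ljust(4, b"\0"), b""
    else:                                                 # longer values are stored at an offset
        entry, tail = struct.pack(">HHII", IMAGE_DESCRIPTION, 2, len(text), data_off), text
    ifd = struct.pack(">H", 1) + entry + struct.pack(">I", 0)
    tiff = b"MM" + struct.pack(">HI", 0x2A, ifd_off) + ifd + tail   # "MM" = big-endian TIFF
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _tiff_ascii_tags(tiff):
    endian = {b"MM": ">", b"II": "<"}[tiff[:2]]
    magic, ifd_off = struct.unpack_from(endian + "HI", tiff, 2)
    if magic != 0x2A:
        raise ValueError("bad TIFF header in Exif segment")
    count = struct.unpack_from(endian + "H", tiff, ifd_off)[0]
    tags = {}
    for i in range(count):
        entry = ifd_off + 2 + 12 * i
        tag, typ, n, off = struct.unpack_from(endian + "HHII", tiff, entry)
        if typ != 2:                                      # type 2 = ASCII; skip numeric tags
            continue
        raw = tiff[entry + 8:entry + 8 + n] if n <= 4 else tiff[off:off + n]
        tags[tag] = raw.rstrip(b"\0").decode("ascii", "replace")
    return tags


def exif_ascii_tags(jpeg):
    """Walk the JPEG marker segments up to SOS; return {tag id: text} for every ASCII entry in IFD0."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg):
        marker = struct.unpack_from(">H", jpeg, pos)[0]
        if marker in (0xFFD9, 0xFFDA):                    # EOI or start of scan: no more metadata
            break
        seglen = struct.unpack_from(">H", jpeg, pos + 2)[0]
        body = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xFFE1 and body.startswith(b"Exif\0\0"):
            return _tiff_ascii_tags(body[6:])
        pos += 2 + seglen
    return {}


if __name__ == "__main__":
    for tag, value in exif_ascii_tags(build_sample_jpeg(FULL_FLAG)).items():
        print(hex(tag), value)
```

Point exif_ascii_tags at the bytes of a downloaded image and every text field comes back untruncated, so a value hidden in metadata is read in full rather than guessed from a summary line.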

Let us put it through the base64 decoder tool again. There, it returns an image file: http://www.rollerski.co.uk/imagesb/powerslide_logo_large.gif

[Screenshot: n00bz Level 11]

As strange as it seems, this is the flag for level 11: "infosec_flagis_powerslide".

Hacking for n00bz – Level 10

Level 10 has obviously hidden the flag in the sound, but how can we retrieve it?

What kind of sound is this? Sorcery perhaps??

[Screenshot: n00bz Level 10]

Just like what we have done for the previous levels which required us to analyze a file (e.g. exe, pcap), let's download the "Flag.wav" file.

Since this is an audio file, you need an audio editor to analyze it. One of the most popular audio editing tools on the market is Audacity. It is free software that has been around for many years; I think I first came across this tool over 10 years ago! Back then, I used it to crop ringtones for my mobile phone.

Audacity is very simple to use. You just need to drag and drop the “Flag.wav” file into Audacity to open it. When asked to make a copy or read the files directly, you can choose to make a copy, it doesn’t really matter in our case.

[Screenshot: n00bz Level 10]

If you have played the audio, you will know that it is basically a very short, high-pitched sound. As the program identifies the sample rate of the audio file, you will see that it is currently 44,100 Hz. Let's reduce it to 8000 Hz. Better now? I bet you can already hear something.

[Screenshot: n00bz Level 10]

To make it even better, you can select "Effect > Amplify…" on the menu bar to increase the volume of the file. After doing so, you will hear the voice spelling the flag letter by letter: "infosec_flagis_sound".
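
The two Audacity steps above (lowering the rate, then amplifying) can be reproduced without a GUI, which makes it clear what each one actually does to the file. The following is an added example in Python, not part of the original write-up and not the CTF's Flag.wav: it constructs a short, quiet, high-pitched 16-bit WAV as a stand-in, rewrites the sample rate from 44,100 Hz to 8000 Hz while keeping every sample (so the audio plays about 5.5 times slower and lower, the same effect as changing the track rate), and then scales the samples with clipping at the int16 limits, as Amplify does. All values are constructed for the example.

```python
import io
import math
import struct
import wave


def build_sample_wav(rate=44100, seconds=0.5, freq=4000.0, amplitude=3000):
    """Constructed stand-in for Flag.wav: a short, quiet, high-pitched 16-bit mono tone."""
    n = int(rate * seconds)
    samples = [int(amplitude * math.sin(2 * math.pi * freq * i / rate)) for i in range(n)]
    return _write_wav((1, 2, rate, n, "NONE", "not compressed"), struct.pack("<%dh" % n, *samples))


def _read_wav(data):
    with wave.open(io.BytesIO(data), "rb") as r:
        return r.getparams(), r.readframes(r.getnframes())


def _write_wav(params, frames):
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams(params)
        w.writeframes(frames)
    return buf.getvalue()


def change_rate(data, new_rate):
    """Keep every sample but relabel the playback rate, like lowering the track rate in Audacity.
    Fewer samples per second means slower, lower playback, so a brief chirp stretches into speech."""
    params, frames = _read_wav(data)
    return _write_wav(params._replace(framerate=new_rate), frames)


def amplify(data, gain):
    """Scale every 16-bit sample by gain, clipping at the int16 limits (what Effect > Amplify does)."""
    params, frames = _read_wav(data)
    n = len(frames) // 2
    scaled = [max(-32768, min(32767, int(s * gain))) for s in struct.unpack("<%dh" % n, frames)]
    return _write_wav(params, struct.pack("<%dh" % n, *scaled))


def describe(data):
    """Rate, sample count, playback length in seconds and peak amplitude of a WAV file."""
    params, frames = _read_wav(data)
    peak = max(abs(s) for s in struct.unpack("<%dh" % (len(frames) // 2), frames))
    return {"rate": params.framerate, "frames": params.nframes,
            "seconds": params.nframes / params.framerate, "peak": peak}


if __name__ == "__main__":
    original = build_sample_wav()
    slower = change_rate(original, 8000)
    louder = amplify(slower, 4.0)
    for name, d in (("original", original), ("8000 Hz", slower), ("amplified", louder)):
        print(name, describe(d))
```

The same three functions work on a real file: read its bytes, call change_rate and amplify, and write the result out with open(path, "wb"); describe shows that the sample count never changes, only the duration and the peak level.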

Hacking for n00bz – Level 9

Level 9 shows a login page. The first thing I do is view the page source… nothing fishy. What about the cookies? Using Firebug, I checked the cookies and for a moment I thought I saw something interesting: a cookie named "lpv12882" which contains a base64 encoded string.

[Screenshot: n00bz Level 9]

However, upon decoding, I see that it is just the page URL of level 9, which is the challenge we are trying to solve now.

Back to square one, but don’t give up just yet. We can always try harder!

[Screenshot: n00bz Level 9]

Since the login form mentions the system name, "Cisco IDS Web Login System", let's perform a Google search to see what its default password is.

You can easily find websites that show you the default passwords for various products, in this case the Cisco IDS. Based on the website, it seems we can try the following default login,

Username: root
Password: attack

We did it! There, we have the key now. But how do we crack it?

[Screenshot: n00bz Level 9]

You can try many different methods by trial and error. In this case, if you look carefully, the last 7 letters in the string look familiar, very familiar… "infosec", perhaps?

If you run the string "ssaptluafed_sigalf_cesofni" through a string-reverse tool, you will get the flag, "infosec_flagis_defaultpass".
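
Levels 12, 11 and 9 each hid the flag behind one reversible transform: hex-encoded ASCII in a CSS colour, base64 behind the infosec_flagis_ prefix, and a plain string reversal. Instead of pasting each value into a different online converter, the three can be tried together. The following is an added example in Python, not part of the original write-up: decode_candidates applies all three transforms and keeps only the results that come out as printable text, and decode_flag strips the flag prefix first for the level 11 case. The strings it is run on are the ones quoted on this page.

```python
import base64
import binascii

FLAG_PREFIX = "infosec_flagis_"


def _printable(b):
    """True for a non-empty byte string made only of printable ASCII."""
    return bool(b) and all(32 <= c < 127 for c in b)


def decode_candidates(s):
    """Try hex, base64 and reversal on s; return {method: text} for each that yields printable text."""
    found = {}
    try:
        out = bytes.fromhex(s)                       # level 12: the CSS "color" was hex-encoded ASCII
        if _printable(out):
            found["hex"] = out.decode("ascii")
    except ValueError:
        pass
    try:
        out = base64.b64decode(s, validate=True)     # level 11: base64 after the flag prefix
        if _printable(out):
            found["base64"] = out.decode("ascii")
    except (binascii.Error, ValueError):
        pass
    if s[::-1].startswith(FLAG_PREFIX):              # level 9: the key was simply written backwards
        found["reverse"] = s[::-1]
    return found


def decode_flag(value):
    """Strip the infosec_flagis_ prefix when present (level 11 put the payload behind it), then decode."""
    payload = value[len(FLAG_PREFIX):] if value.startswith(FLAG_PREFIX) else value
    return decode_candidates(payload)


if __name__ == "__main__":
    for sample in (
        "696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72",          # level 12 CSS value
        "infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9w",     # level 11, as file printed it
        "infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9wb3dlcnNsaWRlX2xvZ29fbGFyZ2UuZ2lm",
        "ssaptluafed_sigalf_cesofni",                                           # level 9 key
    ):
        print(sample[:40], "->", decode_flag(sample))
```

Because base64 is decoded with validate=True, a value that is not a clean multiple of four characters or contains characters outside the alphabet is rejected rather than silently misread; the truncated level 11 string still decodes because file happened to cut it at a four-character boundary, which is why the partial URL looked legitimate.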
