
Hacking for n00bz – Level 8

In level 8, we are prompted to download a file called “app.exe”, so there is no choice but to download it.

[Screenshot: n00bz Level 8]

To be honest, I didn’t know what to do with this executable (EXE) file at first either. After some reading I learnt a little about reverse engineering and malware analysis; thankfully, this exercise doesn’t need any of that.

Before we get started, let’s look at the different kinds of tools you can use to examine an EXE file:

  • Debugger: run the program and interactively inspect or step through its running state
  • Disassembler: transform the machine code into a human-readable mnemonic representation, i.e. assembly language
  • Decompiler: reverse the compilation process and turn the program back into a structured higher-level language

In this exercise, we only need a debugger. Several are available, such as OllyDbg or WinDbg; both are free.

Personally, I prefer OllyDbg. This exercise is really simple: open “app.exe” in OllyDbg and run it (the “play” button at the top, or F9). Note that this actually executes the unknown program, so do it in a disposable virtual machine rather than on your main system.

[Screenshot: n00bz Level 8]

There, you can see the flag written in plain ASCII right at the very first line of the program: the flag is “infosec_flagis_0x1a”.
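When a flag is stored as a plain ASCII string, you do not even need a debugger: the `strings` tool (or the few lines below) pulls every printable run out of the file without executing it. The following is an added example, not code from the original write-up; it works on a constructed byte string that stands in for app.exe (the real binary is not included) and also picks up UTF-16LE strings, which is how Windows executables often store text and which plain `strings` without `-el` would miss.

```python
import re

FLAG_PREFIX = "infosec_flagis_"

# Constructed stand-in for app.exe (not the real binary): a DOS-header-like
# start, a few bytes of machine code, the flag from the page stored as a
# NUL-terminated ASCII string, and one UTF-16LE string.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\x55\x8b\xec\x83\xec\x10"
    b"infosec_flagis_0x1a\x00"
    b"\xc9\xc3\x00\x00"
    b"C\x00o\x00n\x00s\x00o\x00l\x00e\x00\x00\x00"
)


def extract_strings(data, min_len=4):
    """Return printable runs of at least min_len characters, like `strings`.

    ASCII runs come first; UTF-16LE runs (each character followed by a NUL
    byte, common for text in Windows executables) follow, so a flag stored as
    a wide string is not missed.
    """
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    wide_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    ascii_runs = [m.group().decode("ascii") for m in re.finditer(ascii_re, data)]
    # Every second byte of a UTF-16LE run is the NUL; drop them to get ASCII.
    wide_runs = [m.group()[::2].decode("ascii") for m in re.finditer(wide_re, data)]
    return ascii_runs + wide_runs


def find_flags(data, prefix=FLAG_PREFIX):
    """Return every extracted string that contains the flag prefix."""
    return [s for s in extract_strings(data) if prefix in s]


if __name__ == "__main__":
    import sys
    # Pass a real file path to scan it; with no argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for s in find_flags(blob):
        print(s)
```

Running it against the sample prints infosec_flagis_0x1a; if a level ever obfuscates the flag (XOR, stack strings built at runtime), this static pass finds nothing and the debugger route above is the fallback.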

Back to write-up list for InfoSec Institute CTF #1: Hacking for n00bz


Hacking for n00bz – Level 7

In level 7, we get an error 404 (page not found) page with the following text:

[Screenshot: n00bz Level 7]

Looking at the page source, its cookies and so on shows nothing fishy. However, did you notice that the navigation bar at the top of the page is missing?

Go back to the previous pages: “/levelsix.php”, “/levelfive.php” and the rest all follow the same URL naming pattern, but this page is named “/404.php”, which breaks the trend.

Let’s navigate to “/levelseven.php” and see if there is anything… and there you go! A blank page, but the flag is clearly visible in the HTTP response status (open the browser’s developer tools and look at the response in the Network tab). Can you spot it?

[Screenshot: n00bz Level 7]

Once again the flag is base64 encoded: “aW5mb3NlY19mbGFnaXNfeW91Zm91bmRpdA==” can be decoded with any base64 decoder (an online tool, or `base64 -d` locally), giving the flag “infosec_flagis_youfoundit”.
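The lesson of this level is that a response carries more than its body: the status line and every header are places to hide data. The example below is added here and is not part of the original write-up. It parses a raw HTTP response, then strictly base64-decodes the reason phrase and each header value looking for the flag. The sample response is constructed; the write-up only says the flag appears in the “status”, so placing it in the reason phrase of the status line is an assumption of this example.

```python
import base64
import binascii

FLAG_PREFIX = "infosec_flagis_"

# Constructed response standing in for what /levelseven.php returned. The
# page says the flag shows up in the "status"; this example assumes it is the
# reason phrase of the status line, where a browser's Network tab would show it.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 aW5mb3NlY19mbGFnaXNfeW91Zm91bmRpdA==\r\n"
    b"Date: Mon, 01 Jan 2014 00:00:00 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def split_response(raw):
    """Return (version, status code, reason phrase, {header: value}) from a
    raw HTTP/1.x response. Header names are lower-cased; the body is ignored."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2:
        raise ValueError("malformed status line: %r" % lines[0])
    version, code = parts[0].decode("ascii"), int(parts[1])
    # The reason phrase is optional, and servers may put anything in it.
    reason = parts[2].decode("latin-1") if len(parts) == 3 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("latin-1")
    return version, code, reason, headers


def decode_if_base64(token):
    """Strictly base64-decode token; return the text only if it is printable ASCII.

    validate=True rejects tokens with characters outside the base64 alphabet,
    so ordinary header words such as "text/html" or "GMT" are filtered out
    instead of producing garbage."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    return text if text and text.isprintable() else None


def find_flag(raw, prefix=FLAG_PREFIX):
    """Look for a base64-encoded flag in the reason phrase and every header
    value, which is where this level hides it rather than in the body."""
    _version, _code, reason, headers = split_response(raw)
    for value in [reason] + list(headers.values()):
        for token in value.split():
            text = decode_if_base64(token)
            if text and text.startswith(prefix):
                return text
    return None


if __name__ == "__main__":
    print(find_flag(SAMPLE_RESPONSE))
```

To get the raw response from a live target rather than the constructed one, `curl -i http://host/levelseven.php` prints the status line and headers exactly as the parser expects them.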


Hacking for n00bz – Level 6

For level 6, we are asked to download “sharkfin.pcap” and hunt for the flag in it, so we should be prepared to analyse some network traffic. As hinted by the file name (“sharkfin”), let’s open the file in Wireshark and analyse it.

[Screenshot: n00bz Level 6]

Usually the first thing I do when opening any pcap file in Wireshark is to take a quick glance at which protocols were captured (Statistics > Protocol Hierarchy), then look into the common ones such as HTTP or FTP.

In this case, I followed UDP stream 0 (Analyze > Follow > UDP Stream) and got the following string, which is probably the flag:

696e666f7365635f666c616769735f736e6966666564

True enough, it is the flag, hex-encoded. Using HackBar, I did a quick conversion and got the flag for level 6, “infosec_flagis_sniffed”.
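Wireshark’s “Follow UDP Stream” is doing two things here: grouping packets by endpoint pair and concatenating their payloads. The example below reproduces both without Wireshark, as an added illustration that is not part of the original write-up. It builds a small classic-format pcap in memory (constructed test data standing in for sharkfin.pcap, which is not included), walks the Ethernet/IPv4/UDP headers by hand, groups payloads into streams in order of first appearance, and hex-decodes the one from the page. Assumptions: classic pcap (not pcapng) on an Ethernet link, IPv4 only, checksums ignored.

```python
import binascii
import socket
import struct

FLAG_PREFIX = "infosec_flagis_"


def _udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Build an Ethernet/IPv4/UDP frame for test data. Checksums are left as
    zero; the parser below never checks them."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType 0x0800 = IPv4


def _pcap(frames):
    """Wrap frames in a classic little-endian pcap (magic 0xa1b2c3d4, Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1400000000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed capture standing in for sharkfin.pcap: the payload the page shows
# as UDP stream 0, a DNS-looking packet to a different host, and a reply in the
# first conversation, so the stream grouping has something to do.
SAMPLE_PCAP = _pcap([
    _udp_frame("10.0.0.5", "10.0.0.9", 40000, 4444,
               b"696e666f7365635f666c616769735f736e6966666564"),
    _udp_frame("10.0.0.5", "10.0.0.1", 53001, 53, b"\x12\x34\x01\x00\x00\x01"),
    _udp_frame("10.0.0.9", "10.0.0.5", 4444, 40000, b"ack"),
])


def iter_udp(pcap):
    """Yield ((src_ip, sport), (dst_ip, dport), payload) for each UDP packet."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng and nanosecond pcap not handled)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                        # not IPv4, or truncated
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4            # IPv4 header length, options included
        if ip[9] != 17:
            continue                        # protocol 17 = UDP
        udp = ip[ihl:]
        sport, dport, ulen, _cksum = struct.unpack("!HHHH", udp[:8])
        yield ((socket.inet_ntoa(ip[12:16]), sport),
               (socket.inet_ntoa(ip[16:20]), dport),
               udp[8:ulen])


def udp_streams(pcap):
    """Group payloads by endpoint pair regardless of direction, in order of
    first appearance, which is the idea behind Wireshark's UDP stream index:
    streams[0] is what the page calls UDP stream 0."""
    streams = {}
    for a, b, payload in iter_udp(pcap):
        streams.setdefault(tuple(sorted((a, b))), []).append(payload)
    return list(streams.values())


def decode_hex_payload(payload):
    """Return the payload as ASCII text if it is hex-encoded ASCII, else None."""
    try:
        return binascii.unhexlify(payload.strip()).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_flag(pcap, prefix=FLAG_PREFIX):
    for stream in udp_streams(pcap):
        for payload in stream:
            text = decode_hex_payload(payload)
            if text and text.startswith(prefix):
                return text
    return None
```

To run it on the real capture, read the file with `open("sharkfin.pcap", "rb").read()` and pass the bytes to `find_flag`; a pcapng file (the default in recent Wireshark versions) must first be saved as classic pcap.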


Hacking for n00bz – Level 5

For level 5, we get a page with an endless stream of pop-ups saying “hacker!!”.

[Screenshot: n00bz Level 5]

Checking the page’s JavaScript with Firebug or the built-in developer tools of any browser, you will see that it is an infinite loop:

for(;;){ alert('Hacker!!!'); }

On the line right after this JavaScript there is an image, “aliens.jpg”, which we are clearly not meant to see, since the infinite loop placed right above it keeps the page from ever rendering normally. You can still get the file by disabling JavaScript or by requesting the image URL directly.

[Screenshot: n00bz Level 5]

With the image in hand, we can run it through a steganography decoder. Reading various forums, many people recommend the Steghide software, but I used an online tool called Steganographic Decoder, which produced the following output:

01101001011011100110011001101111011100110110010101100011010111110110011001101100011000010110011101101001011100110101111101110011011101000110010101100111011000010110110001101001011001010110111001110011

This long string of 1s and 0s is obviously binary. Decoding it (eight bits per ASCII character) with a binary decoder gives the flag for level 5, “infosec_flagis_stegaliens”.


Hacking for n00bz – Level 4

For a bounty of $40, level 4 shows a very cute Cookie Monster image with the text “HTTP means Hypertext Transfer Protocol”.

Hovering the mouse over the image shows a tooltip saying “stop poking me”. That is quite a hint: the image itself holds nothing, and to obtain the flag we should focus on the HTTP exchange itself.

[Screenshot: n00bz Level 4]

So, who is in the image? Cookie Monster. Let’s look at the cookies set by the page… bingo! There is a suspicious-looking cookie called fusrodah.

People who have played “The Elder Scrolls V: Skyrim” will know what it is. “Fus Ro Dah” is one of the shouts (the game’s equivalent of spells) that can be performed in the game; it sends out a shockwave that pushes targets back or knocks them down. It has since become an internet meme.

[Screenshot: n00bz Level 4]

At this point we could resort to trial and error to work out what “vasbfrp_syntvf_jrybirpbbxvrf” means. However, the value contains only letters, and its underscores sit exactly where they do in the other flags (“infosec_flagis_…”), so it is almost certainly a simple letter substitution rather than anything advanced.

A simple ROT13 decryption with a ROT13 tool confirms it: “infosec_flagis_welovecookies”.
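Levels 4 and 5 (and 6 and 7 before them) all come down to recognising an encoding and undoing it. Rather than one online tool per level, the example below, added here and not part of the original write-up, tries each decoding in turn and keeps only a result that is printable ASCII beginning with the flag prefix. It goes beyond the page in one respect: instead of assuming ROT13 it brute-forces all 25 Caesar shifts, so a ROT-n cookie with another shift would be caught too. The inputs are the encoded values quoted on the page; the flag prefix “infosec_flagis_” is taken from the earlier levels.

```python
import base64
import binascii
import string

FLAG_PREFIX = "infosec_flagis_"

# Encoded values quoted on the page, used here as test input.
COOKIE_VALUE = "vasbfrp_syntvf_jrybirpbbxvrf"        # level 4 cookie
STEGO_BITS = (                                        # level 5 stego output
    "0110100101101110" "0110011001101111" "0111001101100101" "0110001101011111"
    "0110011001101100" "0110000101100111" "0110100101110011" "0101111101110011"
    "0111010001100101" "0110011101100001" "0110110001101001" "0110010101101110"
    "01110011"
)


def from_hex(s):
    return binascii.unhexlify(s.strip()).decode("ascii")


def from_base64(s):
    # validate=True rejects characters outside the base64 alphabet (e.g. "_").
    return base64.b64decode(s.strip(), validate=True).decode("ascii")


def from_binary(s):
    bits = "".join(s.split())           # tolerate spaces between bytes
    if not bits or len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("not a whole number of 8-bit groups")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")


def caesar(s, shift):
    """Shift letters by `shift` positions, leaving everything else untouched.
    ROT13 is caesar(s, 13), and caesar(caesar(s, 13), 13) == s."""
    out = []
    for ch in s:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


DECODERS = {"hex": from_hex, "base64": from_base64, "binary": from_binary}
# All 25 non-trivial Caesar shifts, so a ROT-n other than 13 is caught too.
DECODERS.update({"rot%d" % n: (lambda s, n=n: caesar(s, n)) for n in range(1, 26)})


def decode_flag(value, prefix=FLAG_PREFIX):
    """Try each decoder in turn; return (name, text) for the first whose
    output is printable ASCII starting with the flag prefix, else None.
    Decoders that cannot parse the input raise ValueError and are skipped."""
    for name, fn in DECODERS.items():
        try:
            text = fn(value)
        except ValueError:   # binascii.Error and UnicodeDecodeError are ValueErrors
            continue
        if text.isprintable() and text.startswith(prefix):
            return name, text
    return None


if __name__ == "__main__":
    for sample in (COOKIE_VALUE, STEGO_BITS):
        print(decode_flag(sample))
```

The prefix check is what makes the brute force safe: a binary or hex string is usually also syntactically valid base64, and decoding it that way yields garbage, which the printable-ASCII-plus-prefix test discards.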
