HITB GSEC CTF 2017 – Cephalopod

Open the downloaded file in Wireshark.


Okay, let's see. The Ceph protocol seems interesting (there is a fair amount of conversation in that protocol). Let's apply the ceph filter.


Now scroll down a bit to frame number 308 (that's a huge one). Let's examine it.

After a few minutes of examining the packet I came across the operation payload field, which looks interesting.


It looks like this is a PNG file. See the file signature (89 50 4e….): it's definitely an image.

Let's export the image. Right click on the operation payload and click Export Packet Bytes.


Now save it with a .png extension.

This is the image you will get.


Looks like this is the flag.
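Carving the image out of the exported bytes programmatically, as an added example that is not part of the original write-up: it locates the PNG signature inside an arbitrary blob, walks the chunks to IEND and verifies every chunk CRC, so a truncated or damaged payload is rejected instead of saved as a broken file. The Ceph payload itself is not reproduced; the sample blob is constructed in the code.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # the 89 50 4E 47 0D 0A 1A 0A seen in the hex pane


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def carve_png(blob: bytes):
    """Find a PNG inside an arbitrary byte blob (such as an exported operation
    payload) and return exactly its bytes, from the signature through the IEND
    chunk. Each chunk CRC is checked, so corrupted or truncated data gives None
    rather than a file that only looks right by its first eight bytes."""
    start = blob.find(PNG_SIG)
    if start < 0:
        return None
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            return None                      # chunk runs past the blob
        data = blob[pos + 8:pos + 8 + length]
        (crc_stored,) = struct.unpack(">I", blob[pos + 8 + length:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc_stored:
            return None                      # corrupted chunk
        pos = end
        if ctype == b"IEND":
            return blob[start:pos]
    return None                              # ran out of bytes before IEND


def build_sample_payload():
    """Constructed stand-in for the packet bytes: protocol junk, then a minimal
    1x1 PNG skeleton (IHDR + IEND, no pixel data), then trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    png = PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IEND", b"")
    payload = b"\x00ceph-op-header\x01\x02" + png + b"\xff\xfe trailing"
    return payload, png


if __name__ == "__main__":
    payload, _ = build_sample_payload()
    with open("carved.png", "wb") as fh:
        fh.write(carve_png(payload))
```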


Backdoor SdsLabs Write Up – secret area


This challenge is a very interesting one. First of all, what is .htaccess?

Well, .htaccess is a configuration file for use on web servers running the Apache Web Server software.

Let’s go to the area.


Okay, we need a username and a password.

Before continuing with this article, I recommend reading the following one:

http://www.htaccess-guide.com/password-protection/

If you are too lazy to read that article, just go through the following paragraph.

The password protection and authentication systems offered by the Apache Web Server are probably the most important use of .htaccess files. Very easily, we can password protect a directory (or several) of a web site so that a username and password are required to access it. The login details are stored hashed in a separate file, whose location is given in the .htaccess file. So let's find the .htaccess.

First, let's look at the page source.


So there is a folder named secure.

Let's try something like this.

No luck. Let's look for the file in the secure folder.


So now we know that the AuthUserFile is located at secure/.htpasswd. Let's open it.


Well, this looks like a password hash. Let's crack it!

The easiest and most famous tool for this purpose is John the Ripper. You can download it for Windows or Linux; the commands are the same, so there is no need to worry about that. First, create a text file with any name (I have named it hashes.txt), put the hashed entry in it and save it in the same folder as john. Then open a command window in that folder (Shift + Right Click > Open Command Window Here).


Okay, so it looks like the username is vampire and the password is blood. Here you go, now you can get the flag.
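The two defensive checks this challenge illustrates, as an added example that is not part of the original write-up: which hash scheme each .htpasswd entry uses (Apache's default apr1-MD5 and the older crypt and SHA-1 formats crack quickly, bcrypt does not), and whether the AuthUserFile path lies inside the DocumentRoot, which is exactly why secure/.htpasswd could be fetched here. The sample file, its hashes and the /var/www/html root are constructed for this example.

```python
import os
import re

# Hash formats the htpasswd tool can emit, recognised by prefix (an assumption
# of this example; the challenge's own file is not reproduced).
SCHEMES = (
    ("bcrypt",   re.compile(r"^\$2[aby]\$\d{2}\$"),   "ok"),
    ("apr1-md5", re.compile(r"^\$apr1\$"),            "weak: fast hash"),
    ("sha1",     re.compile(r"^\{SHA\}"),             "weak: unsalted SHA-1"),
    ("crypt",    re.compile(r"^[./0-9A-Za-z]{13}$"),  "weak: DES crypt, 8-char limit"),
)


def classify_hash(digest: str):
    """Return (scheme, verdict) for one htpasswd hash field."""
    for name, pattern, verdict in SCHEMES:
        if pattern.match(digest):
            return name, verdict
    return "plain/unknown", "weak: not a recognised hash"


def audit_htpasswd(text: str):
    """Parse user:hash lines and report the scheme protecting each account."""
    report = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, digest = line.split(":", 1)
        scheme, verdict = classify_hash(digest)
        report.append((user, scheme, verdict))
    return report


def auth_file_is_web_reachable(document_root: str, auth_user_file: str) -> bool:
    """True when AuthUserFile resolves to a path under DocumentRoot, i.e. the
    hash file is served over HTTP unless the server explicitly blocks it.
    Relative paths are resolved against the document root."""
    root = os.path.realpath(document_root)
    target = os.path.realpath(os.path.join(root, auth_user_file))
    return os.path.commonpath([root, target]) == root


# Constructed sample file; every hash below is made up for illustration.
SAMPLE_HTPASSWD = """\
# users for the secret area
alice:$apr1$Zx9KpQ2b$constructedMd5Digest0000000
bob:$2y$10$constructedSaltAndBcryptDigestxxxxxxxxxxxxxxxxxxxxxxx
carol:{SHA}constructedBase64Digest=
dave:ab01CDef23GHi
eve:plaintext-is-not-a-hash
"""
```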


Backdoor SdsLabs Write Up – 2013-bin-50


So, first of all, let's run the strings command on the file.


Just try all of those passwords and you will get the flag for one of them.

Another method

Alternatively, we can find out how the password is built inside the binary. For this I am using IDA to get the assembly code. After opening the file and searching a bit in the main function, we get the following assembly code:


So there is a call to strcmp, which we know compares two strings. Just above it we can see how the password is being built, one byte at a time:

  • 4Dh – M (ASCII value 77)
  • 61h – a
  • 73h – s
  • 74h – t
  • 65h – e
  • 72h – r
  • 6Eh – n
  • 61h – a
  • 6Dh – m
  • 65h – e
  • 72h – r

So the password must be Masternamer.

Write-up for OverTheWire:Bandit (Part III/III)


Level 9

So the password for the next level is stored in the file "data.txt", which contains only a few lines of human-readable strings, preceded by "=" characters. Let's find it.

bandit9@melinda:~$ ls -lh
total 20K
-rw-r----- 1 bandit10 bandit9 19K Jun  6 13:59 data.txt
bandit9@melinda:~$ strings data.txt |grep "="
Rj=G
========== the
=qy9g
,========== passwordc
========== is
=9-5
O=p~
#r=t!
7e}=eG
========== ********************************
uXI/{I=VPO=
6'Q|_=Vt
:={!
yd=6

I decided the best way to solve this problem was to use the “strings” command again and pipe the output to grep searching for the “=” character.

Level 10

The password for the next level is stored in the file “data.txt” which contains base64 encoded data.

You can decode it either in Python or on any online base64 decoding website. My favorite is base64decode.org.

bandit10@melinda:~$ ls -lh
total 4.0K
-rw-r----- 1 bandit11 bandit10 69 Jun  6 13:59 data.txt
bandit10@melinda:~$ cat data.txt
VGhlIHBhc3N3b3JkIGlzIElGdWt3S0dzRlc4TU9xM0lSRnFyeEUxaHhUTkViVVBSCg==
bandit10@melinda:~$ base64 -d data.txt
The password is ********************************


Level 11

The goal for this level: the password is stored in the data.txt file, and all lowercase and uppercase letters have been rotated by 13 positions. Looking at the hint for ROT13 on Wikipedia, I found the answer. The website I use for solving ROT ciphers is https://planetcalc.com/1434/ .

bandit11@melinda:~$ ls -lh
total 4.0K
-rw-r----- 1 bandit12 bandit11 49 Jun  6 13:59 data.txt
bandit11@melinda:~$ cat data.txt
Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh


Level 12

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it is necessary to create a working directory under /tmp using mkdir. We then need to decompress the file and check its type with file over and over again until we reach plain text.

bandit12@melissa:~$ ls
data.txt
bandit12@melissa:~$ file data.txt
data.txt: ASCII text
bandit12@melissa:~$ mkdir /tmp/stw
bandit12@melissa:~$ cd /tmp/stw
bandit12@melissa:/tmp/stw$ xxd -r ~/data.txt > data.txt
bandit12@melissa:/tmp/stw$ file data.txt
data.txt: gzip compressed data, was "data2.bin", from Unix, last modified: Thu May 10 23:52:05 2012, max compression
bandit12@melissa:/tmp/stw$ zcat data.txt > dataNew
bandit12@melissa:/tmp/stw$ ls
dataNew  data.txt
bandit12@melissa:/tmp/stw$ file dataNew
dataNew: bzip2 compressed data, block size = 900k
bandit12@melissa:/tmp/stw$ bzip2 -d dataNew
bzip2: Can't guess original name for dataNew -- using dataNew.out
bandit12@melissa:/tmp/stw$ ls
dataNew.out  data.txt
bandit12@melissa:/tmp/stw$ file dataNew.out
dataNew.out: gzip compressed data, was "data4.bin", from Unix, last modified: Thu May 10 23:52:05 2012, max compression
bandit12@melissa:/tmp/stw$ zcat dataNew.out > evenNewer
bandit12@melissa:/tmp/stw$ ls
dataNew.out  data.txt  evenNewer
bandit12@melissa:/tmp/stw$ file evenNewer
evenNewer: POSIX tar archive (GNU)
bandit12@melissa:/tmp/stw$ tar -xvf evenNewer
data5.bin
bandit12@melissa:/tmp/stw$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@melissa:/tmp/stw$ tar -xvf data5.bin
data6.bin
bandit12@melissa:/tmp/stw$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@melissa:/tmp/stw$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@melissa:/tmp/stw$ ls
data5.bin  data6.bin.out  dataNew.out  data.txt  evenNewer
bandit12@melissa:/tmp/stw$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)
bandit12@melissa:/tmp/stw$ tar -xvf data6.bin.out
data8.bin
bandit12@melissa:/tmp/stw$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Thu May 10 23:52:05 2012, max compression
bandit12@melissa:/tmp/stw$ zcat data8.bin > lost
bandit12@melissa:/tmp/stw$ ls
data5.bin  data6.bin.out  data8.bin  dataNew.out  data.txt  evenNewer  lost
bandit12@melissa:/tmp/stw$ file lost
lost: ASCII English text
bandit12@melissa:/tmp/stw$ cat lost
The password is **************************
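The same peeling done programmatically, as an added example that is not part of the original write-up: it reverses an xxd-style hexdump like `xxd -r`, identifies each layer by its magic bytes the way `file` does, and strips gzip, bzip2 and tar layers in a loop until something else is left. It assumes only the Python standard library and builds its own nested sample in memory rather than using the level's data.txt.

```python
import bz2
import gzip
import io
import tarfile


def from_xxd(dump: str) -> bytes:
    """Reverse an xxd hexdump ("offset: hex groups  ascii"), like `xxd -r`."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hexpart = line.split(":", 1)[1].split("  ", 1)[0]
        out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)


def sniff(data: bytes) -> str:
    """Identify the outer layer by magic bytes, as `file` would."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    if data[257:262] == b"ustar":       # tar header magic lives at offset 257
        return "tar"
    return "other"


def peel(data: bytes):
    """Strip compression/archive layers until the payload is something else.
    Returns (payload, layers seen outermost first). For a tar layer the first
    regular member is taken, matching the single-file archives in this level."""
    layers = []
    while True:
        kind = sniff(data)
        if kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "bzip2":
            data = bz2.decompress(data)
        elif kind == "tar":
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                member = next(m for m in tf.getmembers() if m.isfile())
                data = tf.extractfile(member).read()
        else:
            return data, layers
        layers.append(kind)


def _tar_of(name: str, data: bytes) -> bytes:
    """Build an in-memory tar archive holding one file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: gzip(bzip2(tar(gzip(text)))) mirrors the level's onion.
SECRET = b"The password is <constructed-sample-value>\n"


def build_sample() -> bytes:
    return gzip.compress(bz2.compress(_tar_of("data5.bin", gzip.compress(SECRET))))
```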

Write-up for OverTheWire:Bandit (Part II/III)


Level 5

The level goal for this level is “The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties: human-readable, 1033 bytes in size, not executable”

So a simple use of the "find" command should be all I need, since it can search for files of a specific size, type and so on.

bandit5@melinda:~$ ls -lh
total 4.0K
drwxr-x--- 22 root bandit5 4.0K Jun  6 13:59 inhere
bandit5@melinda:~$ ls -lh inhere/
total 80K
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere00
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere01
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere02
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere03
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere04
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere05
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere06
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere07
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere08
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere09
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere10
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere11
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere12
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere13
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere14
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere15
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere16
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere17
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere18
drwxr-x--- 2 root bandit5 4.0K Jun  6 13:59 maybehere19
bandit5@melinda:~$ find ./* -size 1033c -readable ! -perm /111
./inhere/maybehere07/.file2
bandit5@melinda:~$ cat ./inhere/maybehere07/.file2
********************************

A very simple use of the "find" command in Linux: I first looked for a file 1033 bytes in size that was readable, and the output was the file seen above, but I wanted to search for all 3 criteria instead of 2 out of 3, which meant also searching for non-executable files. With a quick Google search I found that "! -perm /111" matches a file that is not executable by anyone.

Level 6

This level's goal builds on the previous one: there is a file somewhere on the server with the following characteristics:

  1. owned by user bandit7
  2. owned by group bandit6
  3. 33 bytes in size

So, using the find command again, I went to work.

bandit6@melinda:~$ find / -size 33c -group bandit6 -user bandit7
/var/lib/dpkg/info/bandit7.password
bandit6@melinda:~$ cat /var/lib/dpkg/info/bandit7.password
********************************
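The find criteria of Levels 5 and 6 expressed in plain Python, as an added example that is not part of the original write-up: it makes explicit what "-size 1033c -readable ! -perm /111 -user -group" test, in particular that "-perm /111" is true when any execute bit is set, so its negation keeps only files nobody can execute. The directory it searches is a constructed temp tree, not the game server's inhere/.

```python
import grp
import os
import pwd
import stat
import tempfile


def owner_name(uid: int) -> str:
    """Map a uid to a name, falling back to the number if it is not in passwd."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def group_name(gid: int) -> str:
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def current_user() -> str:
    return owner_name(os.getuid())


def find_files(root, size=None, readable=False, not_executable=False,
               user=None, group=None):
    """Equivalent of: find ROOT -size SIZEc -readable ! -perm /111 -user U -group G
    Only regular files are returned, and every criterion given must hold.
    `-perm /111` matches when ANY of the three execute bits is set, so the
    negated test below requires st_mode & 0o111 == 0."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if size is not None and st.st_size != size:
                continue
            if readable and not os.access(path, os.R_OK):
                continue
            if not_executable and st.st_mode & 0o111:
                continue
            if user is not None and owner_name(st.st_uid) != user:
                continue
            if group is not None and group_name(st.st_gid) != group:
                continue
            hits.append(path)
    return sorted(hits)


def make_sample_tree() -> str:
    """Constructed stand-in for inhere/: three hidden files, of which only
    .file1 is 1033 bytes, readable and not executable by anyone."""
    root = tempfile.mkdtemp(prefix="inhere-")
    for name, size, mode in ((".file1", 1033, 0o640),
                             (".file2", 1033, 0o750),
                             (".file3", 10, 0o640)):
        path = os.path.join(root, "maybehere07", name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"x" * size)
        os.chmod(path, mode)
    return root
```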

Level 7

In this level the challenge was to find the password in the file "data.txt", where it sits next to the word "millionth". Time to pipe the output of cat into grep, searching for "millionth".

bandit7@melinda:~$ ls -lh
total 4.0M
-rw-r----- 1 bandit8 bandit7 4.0M Jun  6 13:59 data.txt
bandit7@melinda:~$ cat data.txt |grep "millionth"
millionth    ********************************

Level 8

This was an interesting challenge: the goal was to find the password inside the file "data.txt", where the password line is the only line that occurs exactly once. So simply cat the file again, pipe it into "sort" (uniq only compares adjacent lines, so they must be sorted first), and then pipe the output of sort into "uniq" with the "-u" switch to print the unique line.

bandit8@melinda:~$ ls -lh
total 36K
-rw-r----- 1 bandit9 bandit8 33K Jun  6 13:59 data.txt
bandit8@melinda:~$ cat data.txt |sort |uniq -u
********************************

Write-up for OverTheWire:Bandit (Part I/III)

This blog post contains my solutions to the challenges of OverTheWire: Bandit. This wargame is aimed at beginners. You just need to complete up to level 12 for now (because you are just a beginner now 🙂) and we can continue later.

NOTE: I have replaced the actual passwords with "*" so that you can solve the challenges yourselves.

THINGS NEEDED: Linux and a little brain.

Level 0

This was a simple challenge in which I had to log in to the target machine via ssh using the credentials "bandit0:bandit0" from the terminal.

To log in, fire up your terminal and use the command:

ssh bandit0@bandit.labs.overthewire.org -p 2220

It will then ask for the password which is bandit0.

Then read the password from the file readme in the home directory. The password in the file is for the bandit1 user, which is the user for the next level.

bandit0@melinda:~$ ls
readme
bandit0@melinda:~$ cat readme
*************************

Level 1

Login via ssh and use the password you got in level 0.

The goal for this level was the following: "The password for the next level is stored in a file called – located in the home directory". So in this level there is a file called "-" in the home directory, and it contains the password for the next level.

bandit1@melinda:~$ ls
-
bandit1@melinda:~$ cat ./-
*************************

Again a very simple challenge: all I did was prefix the filename with "./" so that cat reads the file instead of treating "-" as an option.

Level 2

The goal for this level is the following: "The password for the next level is stored in a file called spaces in this filename located in the home directory", another challenge getting Bandit players used to working with Linux.

bandit2@melinda:~$ ls
spaces in this filename
bandit2@melinda:~$ cat spaces\ in\ this\ filename
************************

You can also use tab to complete the file name for you.

Level 3

The level goal for this level is "The password for the next level is stored in a hidden file in the inhere directory.", again a very simple challenge for anyone with any Linux experience. For this challenge I'm going to add the "a" switch to my "ls" command, which displays all files including hidden ones; in Linux a filename beginning with "." marks the file as hidden.

bandit3@melinda:~$ ls -la
total 24
drwxr-xr-x   3 root root 4096 Nov 14  2014 .
drwxr-xr-x 172 root root 4096 Jul 10  2016 ..
-rw-r--r--   1 root root  220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root root 3637 Apr  9  2014 .bashrc
-rw-r--r--   1 root root  675 Apr  9  2014 .profile
drwxr-xr-x   2 root root 4096 Nov 14  2014 inhere
bandit3@melinda:~$ cd inhere
bandit3@melinda:~/inhere$ ls -la
total 12
drwxr-xr-x 2 root    root    4096 Nov 14  2014 .
drwxr-xr-x 3 root    root    4096 Nov 14  2014 ..
-rw-r----- 1 bandit4 bandit3   33 Nov 14  2014 .hidden
bandit3@melinda:~/inhere$ cat .hidden
********************************

Level 4

We are told the password is somewhere in the inhere directory and is the only human readable file in the directory. Let’s see what file types we have.

bandit4@melinda:~$ ls
inhere
bandit4@melinda:~$ cd inhere/
bandit4@melinda:~/inhere$ ls
-file00  -file01  -file02  -file03  -file04  -file05  -file06  -file07  -file08  -file09
bandit4@melinda:~/inhere$ file ./-*
./-file00: data
./-file01: data
./-file02: data
./-file03: data
./-file04: data
./-file05: data
./-file06: data
./-file07: ASCII text
./-file08: data
./-file09: data
bandit4@melinda:~/inhere$ cat ./-file07
********************************

Tools and resources to prepare for CTFs.

This article is VERY important for getting started in this field, so I recommend going through it carefully.

CTF Competitions at Hacker Conferences or Gatherings, and Wargames

  • DEFCON CTF – one of the most prestigious and challenging CTFs ever, held at DEFCON and currently organized by Legitimate Business Syndicate
  • picoCTF – a CTF targeted at middle and high school students
  • Ghost in the Shellcode – an annual CTF
  • ROOTCON CTF – the official CTF of the ROOTCON Hacker Conference
  • CSAW CTF – by NYU Poly
  • HSCTF – known to be the first CTF made by high school students for high school students
  • Infosec Institute CTF
  • Smash the Stack – a wargaming network which simulates software vulnerabilities and allows for the legal execution of exploitation techniques
  • OverTheWire – another wargaming network
  • Embedded Security CTF
  • DefCamp CTF – the official CTF of DEFCAMP
  • HITCON CTF

More upcoming events are listed on CTFtime.

CTF Guides and Resources

CTF Frameworks or All-In-One Tools for CTF

  • PwnTools – a CTF framework and exploit development library used by Gallopsled in every CTF
  • ctf-tools – a GitHub repository of open source scripts for your CTF needs, like binwalk and apktool
  • Metasploit Framework – aside from being a penetration testing framework and software, Metasploit has modules for automatic exploitation and tools for crafting your exploits like find_badchars.rb, egghunter.rb, pattern_offset.rb, pattern_create.rb, etc.
  • ROPgadget – used for ROP exploitation
  • Peda – Python Exploit Development Assistance for GDB
  • Google – where you can ask some questions

Reverse Engineering Tools, Decompilers and Debuggers

  • Immunity Debugger – a debugger similar to OllyDbg that has some cool plugins with the use of Python
  • OllyDbg – a disassembly-based GUI debugger for Windows
  • SWFScan – allows you to decompile Flash files
  • gdb – GNU Debugger
  • IDA Pro – Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger
  • WinDbg – Windows Debugger distributed by Microsoft
  • Apktool – a tool for reversing Android apk files
  • PE Tool – provides a handful of useful tools for working with Windows PE executables
  • UPX – Ultimate Packer for eXecutables
  • dex2jar (Android)
  • Radare2 – Unix-like reverse engineering framework and commandline tools
  • Strace – a system call tracer, another debugging tool
  • Objdump – part of GNU Binutils
  • PEiD – used to determine whether a packer or obfuscator was applied to an executable file; the open source packer most often seen is UPX

Tools for Static Code Analysis

  • RIPS – a static code analyzer for auditing vulnerabilities in PHP applications
  • HP Fortify Static Code Analyzer – also known as Fortify SCA, commercial software that audits code in many languages for vulnerabilities
  • OWASP Code Crawler – a static code review tool for .NET and J2EE/JAVA code which supports the OWASP Code Review Project
  • OWASP LAPSE Project – security auditing tool for detecting vulnerabilities in Java EE Applications
  • Flawfinder – a static source code analyzer that examines C/C++ source code and reports possible security weaknesses

Forensics

  • Strings – allows you to search and extract ASCII and UNICODE strings from a binary
  • SANS SIFT – SANS Investigative Forensic Toolkit (SIFT) is an Ubuntu Live CD
  • ProDiscover Basic – evidence analyzer and data imaging tool
  • Volatility – memory forensics framework
  • The Sleuth Kit – open source digital forensics tool
  • FTK Imager – data preview and imaging tool
  • iPhone Analyzer – used for iPhone forensics but only supports iOS 2, iOS 3, iOS 4 and iOS 5 devices
  • Xplico – network forensics tool
  • Binwalk – firmware analysis tool which allows you to extract the firmware image
  • ExifTool – a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of file formats like EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, ICC Profile, Photoshop IRB, FlashPix, AFCP and ID3, as well as the maker notes of many digital cameras by Canon, Casio, FLIR, FujiFilm, GE, HP, JVC/Victor, Kodak, Leaf, Minolta/Konica-Minolta, Nikon, Nintendo, Olympus/Epson, Panasonic/Leica, Pentax/Asahi, Phase One, Reconyx, Ricoh, Samsung, Sanyo, Sigma/Foveon and Sony
  • dd – a command line utility for Unix and Linux which allows you to copy and convert files
  • CAINE – Computer Aided INvestigative Environment is a Live GNU/Linux distribution which is aimed for digital forensics
  • Autopsy – GUI to the command line digital investigation analysis tools in The Sleuth Kit
  • Any hex editor will do
  • DEFT Linux – Digital Evidence & Forensics Toolkit Linux distribution
  • Windows Sysinternals – a set of Windows system utilities containing various useful programs

Crypto

  • Hashdump
  • Sage
  • John the Ripper – a free and fast password cracker available for many flavors of Unix, Windows, DOS, BeOS and OpenVMS
  • Cryptool – open source e-learning tool illustrating cryptographic and cryptanalytic concepts
  • crypo.in.ua – online encoder and decoder for crypto; most people playing CTF competitions have this website open while playing

Steganography

  • Steghide – a steganography tool that can be used for embedding or extracting data in various kinds of image and audio files
  • Ffmpeg – cross-platform software to record, convert and stream audio and video
  • Gimp – GNU Image Manipulation Program
  • Audacity – free audio editor and recorder
  • Stepic – Python image steganography
  • Pngcheck – PNG tester and debugger which verifies the integrity of PNG, JNG and MNG files (by checking the internal 32-bit CRCs [checksums] and decompressing the image data)
  • OpenStego – free steganography solution
  • OutGuess
  • StegFS
  • MP3Stego – allows you to hide text in MP3 files
  • AtomicParsley – command line program for reading, parsing and setting metadata into MPEG-4 files
  • Foremost – a console program used for file recovery

For Web Vulnerability Hunting or Web Exploitation

  • Burp Suite – commonly used for web application security testing and manual vulnerability hunting; it has an intercepting proxy and customizable plugins
  • OWASP ZAP – an Open Web Application Security Project tool similar to Burp but free and open source
  • WPScan – a black-box WordPress vulnerability scanner
  • W3af – open source web application security scanner
  • OWASP DirBuster – directory brute-force or discovery tool
  • Bizploit – open source ERP penetration testing framework

Networking

  • aircrack-ng suite – an open source WEP/WPA/WPA2 cracking tool suite, usually bundled in most pentesting distributions
  • reaver – WiFi Protected Setup attack tool
  • Kismet – 802.11 layer 2 wireless network detector, sniffer and intrusion detection system
  • Pixiewps – a tool used to brute-force the WPS PIN offline, exploiting the low or non-existent entropy of some APs (pixie dust attack)
  • Nmap – an open source port scanner which has plugins for vulnerability assessment and network discovery
  • Wireshark – network sniffer and network protocol analyzer for Unix and Windows
  • Netcat – the TCP/IP Swiss army knife
  • CapTipper – a Python tool to analyze, explore and revive malicious HTTP traffic
  • Scapy – a powerful interactive packet manipulation program

For Your Protection in Attack and Defend

  • Snort – lightweight and free network intrusion detection system for UNIX and Windows
  • Iptables
  • Any Antivirus and Two-Way firewall will do
  • Chellam – Wi-Fi IDS/firewall for Windows which detects Wi-Fi attacks, such as honeypots, evil twins, mis-association and hosted-network based backdoors, against a Windows based client without the need for custom hardware or drivers
  • peepdf – Python tool to explore PDF files in order to find out whether the file can be harmful
  • Android IMSI-Catcher Detector – Android app for detecting IMSI-Catchers

Some Linux Distributions Ideal for CTF

  • Santoku Linux – GNU/Linux distribution (distro) designed to help with every aspect of mobile forensics, mobile malware analysis, reverse engineering and security testing
  • Kali Linux – a fully packed penetration testing Linux distribution based on Debian
  • BackBox Linux – a simplistic penetration testing distro based on Ubuntu
  • CAINE – Computer Aided INvestigative Environment is a Live GNU/Linux distribution which is aimed for digital forensics
  • DEFT Linux – Digital Evidence & Forensics Toolkit Linux distribution