CTF: Infosec Institute N00bs CTF Challenge
Source: Infosec Institute
I love participating in CTF challenges; no matter their challenge level, they always help in keeping skills current and fresh in my memory. A new CTF challenge was posted today, for the Infosec Institute N00bs CTF Challenge.
So, without further ado, please see below for answers to the Infosec Institute’s CTF “N00bs Challenge”.
(– SPOILER ALERT –)
The first level is pretty easy. All you have to do, is look at the source code for the HTML page, and boom, there it is, the first flag text: infosec_flagis_welcome
Enter Level 2, well, looks like there is something wrong with the website/image.
I grabbed the location of the image file.
Downloaded it with wget: wget http://ctf.infosecinstitute.com/img/leveltwo.jpeg. Using the linux ‘file’ command, I was able to see that it was ASCII text, and not an image at all. Using the ‘cat’ command, I look at the contents of that jpeg file.
Looks like base64 encoded text, I’ll go ahead and decrypt it, using ‘base64 -d’. There we have it, it’s the flag: infosec_flagis_wearejuststarting
I had a feeling that level 3 was going to be pretty easy. On the page we are presented with a QRCode. I download the QRCode, and take a look at it with ‘zbarimg’, and odd, a bunch of dots and dashes. I quickly assume that it is related to morse code.
Throw the suspected morse code into an online translator, and there we have it, our third flag: infosecflagismorsing
My son loves Sesame Street! Look, it’s Cookie Monster. I have a hunch what I’ll have to do for this challenge ;-).
Let’s take a peek, and see if we have any cookies to look at. Here it is, a cookie from ctf.infosecinstitute.com; that value looks like previously used keys, let’s transform that into something we can use.
A simple ROT-13 cipher was used to encode this cookie. Here is a random searched website, to assist with decoding the ROT-13 text. Our flag: INFOSEC_FLAGIS_WELOVECOOKIES
Here is me transforming the text from ROT-13, on the linux command line, using ‘tr’.
If you visit the actual CTF site for level 5, you notice that the image is pretty heavily distorted. I once again have a sneaking suspicion, that I can guess what this challenge will involve. I’m guessing a steg (steganography) challenge. Found this interesting program available to me, using linux, ‘SteGUI’, which is a GUI interface to ‘Steghide’. Let’s see if it can extract anything from the image.
Once again, using a randomly searched page on the internet, to convert binary to ASCII, I plug in the binary code, and have it translate it to ASCII text, here is what we have: infosec_flagis_stegaliens
Ah, nice, a pcap file, to examine network traffic. Fire up good ol’ ‘wireshark’ and start digging in. I immediately ignore all the encrypted traffic, as it won’t be worth my time to attempt to decrypt it (I don’t have enough machine to even handle attempting to crack all that traffic). I sorted by protocol, and there was only one conversation that occurred via UDP, seems like a good place to start.
Looking at the payload, or the data involved with that UDP connection, and it looks familiar.
The text pulled from the UDP connection looks like hex data, let’s attempt to convert it to ASCII, and see if we have any luck. There it is: infosec_flagis_sniffed
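Levels 2, 5 and 6 each come down to recognising an encoding from its alphabet and reversing it, which can be done locally instead of pasting challenge data into a web page. The script below is an added example, not part of the original write-up; its function names are hypothetical and the samples are constructed.

```shell
#!/bin/sh
# Added example: offline triage for the encodings met in levels 2, 5 and 6.
# classify BLOB: name the encoding by the narrowest alphabet that fits.
# Heuristic only: a base64 string made purely of hex digits reports as hex.
classify() {
    s=$(printf '%s' "$1" | tr -d ' \n')
    case $s in
        '')                echo empty ;;
        *[!A-Za-z0-9+/=]*) echo unknown ;;
        *[!0-9A-Fa-f]*)    echo base64 ;;
        *[!01]*)           echo hex ;;
        *)                 echo binary ;;
    esac
}

# emit_byte N: write the byte with value N (decimal, or hex as 0xNN).
emit_byte() { printf '%b' "\\0$(printf '%03o' "$1")"; }

decode_hex() {                       # two hex digits per byte
    s=$1
    while [ -n "$s" ]; do
        emit_byte "0x$(printf '%s' "$s" | cut -c1-2)"
        s=$(printf '%s' "$s" | cut -c3-)
    done
}

decode_binary() {                    # eight bits per byte, most significant first
    s=$1
    while [ -n "$s" ]; do
        bits=$(printf '%s' "$s" | cut -c1-8); s=$(printf '%s' "$s" | cut -c9-)
        n=0
        while [ -n "$bits" ]; do
            bit=${bits%"${bits#?}"}; bits=${bits#?}; n=$(( n * 2 + bit ))
        done
        emit_byte "$n"
    done
}

decode_blob() {                      # classify, then dispatch to the decoder
    blob=$(printf '%s' "$1" | tr -d ' \n')
    case $(classify "$blob") in
        base64) printf '%s' "$blob" | base64 -d ;;
        hex)    decode_hex "$blob" ;;
        binary) decode_binary "$blob" ;;
        *)      return 1 ;;
    esac
}

# Constructed samples (not the challenge data): "infosec", "infosec", "inf".
for sample in 'aW5mb3NlYw==' '696e666f736563' '01101001 01101110 01100110'; do
    printf '%-6s -> %s\n' "$(classify "$sample")" "$(decode_blob "$sample")"
done
```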
Now we have sweet, sweet, level 7. Interesting, it directed us to a 404 page, with bounty information.
Using the past naming scheme of challenges, I try getting levelseven.php from the server, using telnet. Interesting enough, this one took me quite a bit of time, and I actually found this key by accident. Using telnet to download and read the pages from the server, I usually type the following: ‘GET /page.html HTTP/1.1’
Whenever I typed that, I would get an error. After circling back around, coming back to notice that the error I got with this one, was a little off, out of nowhere I attempted: ‘GET /levelseven.php HTTP/1.0’, and that made all the difference in the world; I was presented with this glorious information.
Looks like some more base64 code, let’s decode it again, using ‘base64 -d’. We have found the key, it is: infosec_flagis_youfoundit
This one was extremely easy for me, and I’m guessing it has something to do with the fact that I’m running linux. I wasn’t about to be able to attempt to execute a file called app.exe, so I did the first thing that came naturally, and ran strings against the file. There it is, right there: infosec_flagis_0x1a
This is going to be a password guessing/bruteforcing challenge, I can tell, as they have a prompt for Cisco IOS presented. I immediately tried all the cisco/cisco, cisco/ocsic password combinations I could think of, with no success. Then I found a URL that listed “default” logins used for devices, so I started going down the list. I finally found the login info with root/attack (I should also note, at this point, I started having trouble with Chrome, and switched to Firefox).
After entering the root/attack credentials, it drops the infosec flag: infosec_flagis_defaultpass (I was able to reverse it, with my eyes ;-))
Level 10, was another one, that was really easier than it should have been. Downloaded the wav file, and started transforming it, to see if I could hear any recognizable audio. Slowed it down by 88%, and it became easy to hear: infosec_flagis_s-o-u-n-d
I wasn’t quite sure what to expect when I encountered this level. I assumed it was a php vulnerability of some sort. After I spent a fair amount of time exhausting attempts to exploit php in some way, I noticed that the images were once again distorted to a degree. So, I started playing around with the ‘SteGUI’ program again, to see if I could extract any steganography from them. Found this encoded flag, and once again, I tried our old ‘base64 -d’ trick against the text contained.
It gave me a URL, so I followed the URL, and determined that the flag must be: infosec_flagis_powerslide
This level took me quite a while to figure out. I really didn’t know what I was after, or what I was going to do. After quite some time, I started looking at the css pages associated with it, and found that there was one, that wasn’t used on any of the other challenges, called design.css
Looks like some more hex to convert, let’s see where this leads. We have the flag: infosec_flagis_heyimnotacolor
This is another one, that ended up taking a fair amount of time for me. I finally found the magic combination of what this admin calls their backups, .old. I generally name them .bak, but whatever, it works.
After examining the levelthirteen.php.old file, I of course started downloading everything that looked like it was related to this challenge. I found the file imadecoy, and determined it was another packet capture file.
After examining the file, decided to see what files the packet capture contained. Saw an interesting image, named HoneyPY.PNG, figured I would have a look.
And we found our level 13 flag: infosec_flagis_morepackets
Level 14, was another one, that took quite a while. There was so much information contained. There was a mysql database. Just because I love the mysql interface so much, I loaded it up into my separate mysql instance, to play around with it. There were mysql encoded passwords that I tried to brute force, and I finally found it, in a table called friends, and noticed a lot of weird text in there.
Ran the text found in the friends table, and it provides us with our flag for level 14: infosec_flagis_whatsorceryisthis
So, we have reached the last level of this challenge. I spent so much time on this, I don’t even know if the answer is correct or not. What you are presented with is a page to perform a dns lookup, using dig, and a php system() call. After thoroughly browsing through every file that I could, every directory that I could, I submit this, what I believe may be the answer.
So, this is a dangerous web application, as it allows the user to enter their own formatted text in, and perform system calls against the host OS. If you include a “;” and enter a command after that, it will happily execute for you.
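The flaw described above next to a hardened form, as an added example that is not code from the CTF or the original write-up. PHP's system() passes its string to /bin/sh -c, so the bug is modelled with sh -c; "echo dig" is a stand-in for the real dig so the script runs offline, and all function names are hypothetical.

```shell
#!/bin/sh
# Vulnerable shape: user input is pasted into a command line that a shell
# parses, so ';' ends the lookup and starts a second command.
vulnerable_lookup() {
    sh -c "echo dig $1"
}

# is_hostname S: succeed only for a plain DNS name (letters, digits, '-', '.').
is_hostname() {
    [ -n "$1" ] && [ "${#1}" -le 253 ] || return 1
    case $1 in
        *[!A-Za-z0-9.-]*) return 1 ;;  # ';', '|', '$', spaces, '@', ...
        .*|*.|*..*)       return 1 ;;  # empty label
        -*|*-|*.-*|*-.*)  return 1 ;;  # label starts or ends with '-', so the
    esac                               # value can never look like an option
    return 0
}

# Hardened shape: validate first, then pass the value as ONE argument that no
# shell re-parses (in PHP: validate, then escapeshellarg() the value).
safe_lookup() {
    if is_hostname "$1"; then
        echo dig "$1"
    else
        echo "rejected: not a hostname" >&2
        return 1
    fi
}

payload='example.com; echo INJECTED'   # constructed, harmless second command
echo "vulnerable:"; vulnerable_lookup "$payload"
echo "hardened:";   safe_lookup "$payload" || true
```

The allow-list also rejects values beginning with '-' or '@', which dig itself would read as an option or a server to query rather than as a name.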
The initial route I started to head down, there is a file named .hey in the level 15 directory, that contains the text:
At this point, I have to assume that it isn’t part of the challenge, I’ve tried every cipher I can find against what looks like a hash, with no luck.
Found this encrypt/decrypt page and tested all the ciphers, and what do you know, I found one that worked on the above string!
That shows infosec_flagis_rceatomized
So, on to bigger and other things, finally examined the /misc directory on the webserver (/var/www/html/misc/) and noticed there was a file there, that I wasn’t able to capture using my wget -mk command, that I ran earlier. There is another wav file. So, I ended up downloading the .wav file, and it sounded like a .wav of morse code. Attempted to find an online wav to morse code decoder, but was unable to find one, so I just used both my hearing, and my sight (looking at the waveform in ‘audacity’) to copy down the morse code.
After translating the morse code to text, this is what I got: infosecflagismorsecodetones
I found this glorious page: Encrypt or Decrypt, and digging through, I finally found the cipher used. It was ATOM 128, which I have honestly, never heard of before.