n00bs CTF Lab write-up

Infosec Institute launched a CTF challenge some days ago. Due to a lot of free time, I decided to take a look and have some fun.

Before we start, some general guidelines that might be helpful:
1. If you haven’t been involved in CTFs before, well, start here.

2. If you want any resources, you can look here.

3. If you want to dig deeper on any subject, a good start might be here.

4. Additional resources can be found here.

Remember at all times that these challenges take patience and practice. Also remember the following: know thy tools.

Learn one scripting language. They are useful. Python is nice but some people use either Ruby or Perl.

The CTF

Infosec Institute launched a CTF that can be found here.

Level 1

URL: http://ctf.infosecinstitute.com/levelone.php

Tools: I assume you already have a browser but I used Mozilla Firefox.

The level:

Yoda says “May the source be with you”. In order to view the source of the page, all one has to do is right click and select View source. In this particular example, an HTML comment at the top of the page contains the following flag

<!-- infosec_flagis_welcome -->

The flag: infosec_flagis_welcome

Level 2

URL: http://ctf.infosecinstitute.com/leveltwo.php

Tools: Although one can go without tools, I would suggest installing a hex editor. There are many hex editors around, so I won’t bother suggesting one. Find one that suits you.

If you use Firefox, you may consider installing this add-on. Although again, it is not needed, it helps a lot and makes things faster.

The level:

You are presented with a page that has a broken image. The site asks you to check the image. You have two options here. You can change the file extension (in simple words, make it a .txt file, or simply open it in a text editor), or you can inspect it with a hex editor. No matter what you choose, you end up with the following string

aW5mb3NlY19mbGFnaXNfd2VhcmVqdXN0c3RhcnRpbmc=

This string is Base64 encoded. I know so because of the = sign (padding) at the end. Regarding the detection of the encoding, I usually work by elimination. For example, if it were hex encoded it would contain only characters in the ranges 0-9 and a-f, so anything outside that range rules hex out. Usually, though, it is either hex encoded or Base64 encoded.

In order to decode the string on a Unix system, pipe it into base64:

echo 'aW5mb3NlY19mbGFnaXNfd2VhcmVqdXN0c3RhcnRpbmc=' | base64 -d

or use HackBar, or find another tool through Google.

The flag: infosec_flagis_wearejuststarting


At this point, one might have noticed that the flags follow a certain pattern

infosec_flagis

Level 3

URL: http://ctf.infosecinstitute.com/levelthree.php

Tools: I used this QR scanner but you can use your smartphone if you want.

You can find a little bit more on QR codes here

The level:

You are presented with a QR code image and a never ending loading bar. Looking at the source doesn’t help much, so I went on and scanned the image. Scanning it reveals only dots and dashes. This

.. -. ..-. --- ... . -.-. ..-. .-.. .- --. .. ... -- --- .-. ... .. -. --.

is Morse code and it reads

INFOSECFLAGISMORSING

The flag: infosec_flagis_morsing

Level 4

URL: http://ctf.infosecinstitute.com/levelfour.php

Tools: If you are using Firefox I would suggest installing LiveHTTPHeaders, Tamper Data or Firebug. Regarding the tools: the first captures all HTTP headers and can replay them as well, with different values etc. The second allows you to tamper with HTTP requests. The third allows you to inspect the source and other resources, such as the cookies.

The level:

The image depicts the Cookie Monster. As such, I suspected there was something going on with cookies. There is a nice paper talking about cookies here. You can inspect cookies with any of the tools I mentioned above. The easiest way is to use Firebug: right click -> Inspect Element -> Cookies. There you find the following cookie

fusrodah=vasbfrp_syntvf_jrybirpbbxvrf

One might get stuck here, but this is plain ROT13. ROT13 is a Caesar cipher with a fixed shift of 13, so no key is needed. You can decode ROT13 here and the ciphertext becomes

infosec_flagis_welovecookies

The flag: infosec_flagis_welovecookies

Level 5

URL: http://ctf.infosecinstitute.com/levelfive.php

Tools: Here and here.

The level:

The following endless script appears

<script>
    for(;;){
      alert('Hacker!!!');
    }
</script>

and the meme.

As pointed out by this blog, the image is not a typical image: it has a message hidden inside (steganography). If you decode the image as text/plain you get a binary message. Converting it from binary to ASCII gives you the flag.

The flag: I couldn’t find the flag for this level.

infosec_flagis_stegaliens

Level 6

URL: http://ctf.infosecinstitute.com/levelsix.php

Tools: Wireshark

The level:

You are asked to download a .pcap file. Pcap files are packet captures. When you load the file, there is a UDP packet that contains a hex encoded value. The value is the following:

36:39:36:65:36:36:36:66:37:33:36:35:36:33:35:66:36:36:36:63:36:31:36:37:36:39:37:33:35:66:37:33:36:65:36:39:36:36:36:36:36:35:36:34

This is a hex encoded value. Decoding it once with HackBar gives another hex string (696e666f7365635f666c616769735f736e6966666564); decoding that a second time we end up with

infosec_flagis_sniffed

The flag: infosec_flagis_sniffed
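The detection-by-elimination rule from Level 2 and the two-layer decode of this level, written out as an added example (my code, not the author's): it strips Wireshark's colon separators and line breaks, classifies each layer as hex or base64, pads unpadded base64, and keeps decoding until the result no longer looks encoded.

```python
import base64
import binascii
import re
import string

HEX_ALPHABET = set(string.hexdigits)
B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")

def compact(s):
    """Drop whitespace, line breaks and the ':' byte separators Wireshark shows (Level 6)."""
    return re.sub(r"[\s:]", "", s)

def guess_encoding(s):
    """The write-up's elimination rule: hex uses only 0-9 and a-f, so test it first.
    Caveat: a base64 string that happens to use only hex characters is misclassified."""
    c = compact(s)
    if c and len(c) % 2 == 0 and set(c) <= HEX_ALPHABET:
        return "hex"
    if c and set(c) <= B64_ALPHABET:
        return "base64"
    return None

def decode_once(s, enc):
    """Decode one layer; base64 that omits its '=' padding is padded up first."""
    c = compact(s)
    if enc == "hex":
        return bytes.fromhex(c)
    c += "=" * (-len(c) % 4)
    return base64.b64decode(c, validate=True)

def peel(s, max_layers=8):
    """Decode layer after layer (Level 6 is hex inside hex) until the result no longer
    looks encoded or is not printable ASCII. Returns (text, list of layers removed)."""
    layers, current = [], s.strip()
    for _ in range(max_layers):
        enc = guess_encoding(current)
        if enc is None:
            break
        try:
            text = decode_once(current, enc).decode("ascii")
        except (ValueError, binascii.Error, UnicodeDecodeError):
            break
        if not text.isprintable():
            break
        layers.append(enc)
        current = text
    return current, layers
```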

Level 7

URL: http://ctf.infosecinstitute.com/404.php

Tools: Although LiveHTTPHeaders works fine, one may want to use Fiddler or BurpSuite. Both of the aforementioned tools act like proxies and allow you to tamper with requests. My personal favorite between Fiddler and BurpSuite is BurpSuite.

The level:

You land on 404.php. On all the previous levels, you landed on levelone.php, leveltwo.php etc. As such, I tried levelseven.php. Loading levelseven.php returns an empty page. At this point, and since no 404 error was returned, I suspected that the page existed. For this reason, I used LiveHTTPHeaders to capture the headers. Inspecting the headers, one notices the following

HTTP/1.0 200 aW5mb3NlY19mbGFnaXNfeW91Zm91bmRpdA==
Date: Thu, 12 Mar 2015 23:57:34 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.6
Content-Length: 0
Connection: close
Content-Type: text/html

Since the Content-Length is 0, the page correctly returns nothing. Yet there is another Base64 encoded string in the header, sitting where the status reason phrase should be. Decoding the string returns infosec_flagis_youfoundit

The flag: infosec_flagis_youfoundit

Level 8

URL: http://ctf.infosecinstitute.com/leveleight.php

Tools: If you are using Linux then you already have the tools needed. If you are using Windows then you may want to download the SysInternals suite from here. The tool needed is strings, but grep in Unix will come in handy as well.

The level:

You are presented with an image of Clippy and asked to download a file called app.exe. Although I reversed the app for fun, the answer is way easier to find: strings lists all the readable strings an executable contains, and the flag is among them. Running strings on the file shows that the flag is infosec_flag_0x1a.

For the curious: the app executes netstat.

The flag: infosec_flag_0x1a

Level 9

URL: http://ctf.infosecinstitute.com/levelnine.php

The level:

The user is presented with a web interface. Before going further, I googled for some default credentials of Cisco IDS. I tried a variety of those and the pair root/attack worked like a charm. At this point, the level returned another reversed string through a JavaScript alert. If we reverse the string ssaptluafed_sigalf_cesofni (through this) we get infosec_flagis_defaultpass

The flag: infosec_flagis_defaultpass

Level 10

URL: http://ctf.infosecinstitute.com/levelten.php

Tools:

Any media player that allows you to control the speed of the playback.

The level:

You are prompted to download a .wav file. The file contains something that sounds like chipmunks. I slowed the playback down enough and the chipmunk sound turned out to be a man saying infosec_flagis_sound

The flag: infosec_flagis_sound

Level 11

URL: http://ctf.infosecinstitute.com/leveleleven.php

The level:

There are two pictures. The .gif we found previously and another one with a PHP image. If we take a look at the PHP image, with strings again, we find the following

infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9wb3dlcnNsaWRlX2xvZ29fbGFyZ2UuZ2lm

This, of course, is not a flag. And what’s wrong with the last part of it?! It is a Base64 encoded string, yet it needs no padding (=): the encoded data happens to be a multiple of three bytes long. If we decode the string we end up with a URL, leading us to suspect that the flag is infosec_flagis_powerslide.

The flag: infosec_flagis_powerslide

Notes: Since there is a pattern followed throughout the site, the gif may point to another solution. In the /misc/ folder one can find another .wav file. This time the wav file contains Morse code that, if I didn’t miss something, reads INFOSECFLAGISMORSECODETONES, i.e. infosec_flagis_morsecodetones

Level 12

URL: http://ctf.infosecinstitute.com/leveltwelve.php

The level:

The image is the same as level one, which indicates that there may be something related to the source. A close inspection of the source indicates that there is nothing valuable, so I started inspecting the resources the file loaded (Javascript files, css files etc). There is a file called design.css that hasn’t been used before. This file contains only the following entry

.thisloveis{
color: #696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72;
}

This string is far too long for a colour value. If we hex decode it we get infosec_flagis_heyimnotacolor

The flag: infosec_flagis_heyimnotacolor

Level 13

URL: http://ctf.infosecinstitute.com/levelthirteen.php

Tools: Although one may use Wireshark, if you are using Windows you may want to use NetworkMiner.

The level:

There is a message saying that the challenge is gone but the admin has kept a backup. I tried a couple of different extensions (.bak, .txt) and eventually found that adding the .old extension to the URL lets us download a file with the following source code inside.

<?php
 
    /* <img src="img/clippy1.jpg" class="imahe" /> <br /> <br />
 
    <p>Do you want to download this mysterious file?</p>
 
    <a href="misc/imadecoy">
      <button class="btn">Yes</button>
    </a>
 
    <a href="index.php">
      <button class="btn">No</button>
    </a>
    */
?>

At this point, we have Clippy again and the imadecoy file. The file has no extension. To find the type of a file without one, look at its magic number, the first few bytes (here and here). It is obvious that this is another pcap file. As such, one may open it in Wireshark, follow the TCP stream and write a script to take the data and rebuild the file, or, much simpler and quicker, load it in NetworkMiner and let it do the job for you. There is a file called honeyPY.PNG. This file contains the flag infosec_flagis_morepackets. For the record, the honeyPY app looks pretty much like the CTF site but presents you with a banking login page.

Level 14

URL: http://ctf.infosecinstitute.com/levelfourteen.php

The level:

You are asked to download a SQL file that, by all appearances, is a WordPress site dump. The first thing that catches the eye is the MD5 password hash in a table called “flag?”. Don’t get fooled yet: you may have to try and crack it later, but for now inspect the file. Looking further, you will find some hex encoded values starting with \\u00 (Unicode hex escapes). Replace the \\u00 with \x and your favourite scripting language will return infosec_flagis_whatsorceryisthis

The flag: infosec_flagis_whatsorceryisthis
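The replace-\\u00-with-\x trick in code, as an added example that is not from the original post; SAMPLE_ROW is a constructed dump line shaped like the one the level describes, not the real file.

```python
import re

# Constructed sample row, shaped like the dump the write-up describes (each character
# of the value written as a \\u00XX escape); it is not the real file from the level.
SAMPLE_ROW = (
    r"INSERT INTO `flag?` VALUES (1, '"
    r"\\u0069\\u006e\\u0066\\u006f\\u0073\\u0065\\u0063\\u005f"
    r"\\u0066\\u006c\\u0061\\u0067\\u0069\\u0073\\u005f"
    r"\\u0077\\u0068\\u0061\\u0074\\u0073\\u006f\\u0072\\u0063"
    r"\\u0065\\u0072\\u0079\\u0069\\u0073\\u0074\\u0068\\u0069\\u0073');"
)

# One escape: a backslash (doubled in SQL dumps), 'u00' and two hex digits.
ESCAPE = re.compile(r"\\\\?u00([0-9a-fA-F]{2})")
# A maximal run of consecutive escapes, i.e. one encoded string.
RUN = re.compile(r"(?:\\\\?u00[0-9a-fA-F]{2})+")


def decode_run(run):
    # \u00XX names a code point below 256, so the two hex digits are the character
    # itself; this is what the page's replace-\u00-with-\x trick does by hand.
    return "".join(chr(int(h, 16)) for h in ESCAPE.findall(run))


def find_escaped_strings(text):
    # Every escaped run in the dump, decoded, in order of appearance.
    return [decode_run(m.group(0)) for m in RUN.finditer(text)]
```

When the dump uses a single backslash, Python's built-in unicode_escape codec decodes the value directly; the regex version also copes with the doubled backslash a SQL dump writes.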

Level 15

URL: http://ctf.infosecinstitute.com/levelfifteen/index.php

Tools: Nothing special, but I would suggest you read more on Unix terminals and remote command execution in PHP.

The level:

You are given a web interface to dig mx. You can enter a domain (e.g. google.com) and get back a report. In a perfect world, this would be fine. In this world, someone may end up executing a lot more commands than the ones the developer originally intended.

Injecting the following payload in the interface

;ls -a

returns a list of files. There is a file called .hey. You can read this file by injecting the following payload.

; cat .hey

The output of the file is the following: Miux+mT6Kkcx+IhyMjTFnxT6KjAa+i6ZLibC, which is a valid base64 encoded string, but my guess is that this is a hash. On second thought (in other words, too much free time again), I found out that this is ATOM-128 encoding. You can decode it here and the flag is infosec_flagis_rceatomized.
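An ATOM-128 decoder as an added example (not the author's code and not the decoder site's). The alphabet is stated from my own knowledge of the encoding, not from the page; decodes_to_text shows why the string looked like base64 yet did not decode with the standard alphabet.

```python
import base64

# ATOM-128 is plain base64 with a permuted alphabet. The alphabet below is the one the
# crypo web tool uses; it comes from my own knowledge, not from the write-up.
ATOM128_ALPHABET = "/128GhIoPQROSTeUbADfgHijKLM+n0pFWXY456xyzB7=39VaqrstJklmNuZvwcdEC"
STANDARD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="

# Symbol i of one alphabet corresponds to symbol i of the other; the 65th symbol is the
# pad character ('C' in ATOM-128, '=' in standard base64).
_TO_STANDARD = str.maketrans(ATOM128_ALPHABET, STANDARD_ALPHABET)
_TO_ATOM = str.maketrans(STANDARD_ALPHABET, ATOM128_ALPHABET)


def atom128_decode(text):
    """Translate the symbols to the standard alphabet, then let base64 do the bit work."""
    if not text or any(ch not in ATOM128_ALPHABET for ch in text):
        raise ValueError("not an ATOM-128 string")
    return base64.b64decode(text.translate(_TO_STANDARD), validate=True)


def atom128_encode(data):
    """Encode bytes with standard base64, then rename the symbols into the ATOM-128 set."""
    return base64.b64encode(data).decode("ascii").translate(_TO_ATOM)


def decodes_to_text(text):
    """Standard-alphabet sanity check: the .hey string passes every base64 syntax test but
    yields non-text bytes, which is the tell that the alphabet is not the standard one."""
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    return raw.isascii() and raw.decode("ascii").isprintable()
```

This is also a concrete instance of the encoding-versus-encryption note at the end of the post: there is no key, only a fixed symbol table, so anyone with the table recovers the plaintext.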

The flag: infosec_flagis_rceatomized
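The flaw in this level is user input pasted into a shell command line. As an added example, not the CTF's own code (which is PHP and not shown on the page), here is a Python version of how such a dig mx front end should be written: allow-list the input as a hostname and pass it to dig as one argv element with no shell. The HOSTNAME pattern is my assumption of what the tool should accept.

```python
import re
import subprocess

# Syntactic hostname check (RFC 1123 labels, at least one dot, alphabetic TLD).
# Assumption: an MX lookup tool only needs to accept public domain names.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def vulnerable_command(domain):
    # The anti-pattern behind the level: user input pasted into a shell command line.
    # A ';' in `domain` ends the dig invocation and the remainder runs as a second command.
    return "dig mx " + domain


def is_safe_domain(domain):
    """Allow-list the input: only something that is syntactically a hostname passes.
    Rejecting anything else also stops option smuggling (a leading '-' or '+')."""
    return HOSTNAME.match(domain) is not None


def safe_dig_argv(domain):
    """Build an argv list for dig. With a list and no shell, the input is one argument
    whatever characters it contains, so there is no command line to inject into."""
    if not is_safe_domain(domain):
        raise ValueError("refusing to look up: not a hostname")
    return ["dig", "mx", domain]


def run_dig(domain, timeout=10):
    """Execute the validated lookup without a shell and with a timeout."""
    proc = subprocess.run(safe_dig_argv(domain), capture_output=True, text=True,
                          timeout=timeout, check=False)
    return proc.stdout
```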

Notes: I found the solution while checking for something irrelevant through my bookmarks. I highly suggest you bookmark this page. It contains a variety of handy tools.

Last but not least, although a lot of people call it encryption, roughly speaking encryption exists if, and only if, you need something (the key) in addition to the ciphertext to get the original plaintext back. In other words, if you encode the “string” with any Base64 encoder, you will always get the same result. If you encrypt it, the result (in a perfect world) will change heavily depending on the key.

Shame, I cheated.

This is one of the core things that one needs to know when dealing with CTFs: if you can cheat, then cheat. If Google knows the exact location where this server is hiding a key, ask Google. That’s it for now. I will come back with an update regarding the Shame, I Cheated part and with level 15.

Until then…

Update 1:
You can use level 15 to read any file you want. Including files from other challenges. In case you are stuck, just do it.

They disabled directory listing.

4 responses to “n00bs CTF Lab write-up”

  1. On level 1 I don’t even have “view source” as an option (mac with Firefox).

  2. Nice write up. Stuck on level15 myself, but managed to find the rest. My writeup here: http://unlogic.co.uk/2015/03/11/infosec-n00bsctf/

    • Thought it was some kind of stego but didn’t bother to check. Anyway. I’ll add your solution to the write up. Regarding level 15, I think the .hey file is some kind of hash but not sure yet. Didn’t bother to check it on John yet.
