WriteUp CTF CIDSI 2018
This CTF brought together 74 university teams, convened nationally at undergraduate and graduate level, at the International Congress of Computer Security (CIDSI in Spanish), organized by the Agency for Electronic Government and Information and Communication Technologies (AGETIC in Spanish) thanks to the efforts of the Computer Incident Management Center (CGII), and held from November 29 to December 1, 2018.
Finishing this series, and as I mentioned in the previous post, in this one we participated as the team Dark Army with Israel, Rafael and myself, managing to solve all the challenges. However, we could not recover all the statements or the exact flags (as they were written literally at the event), but they are explained as we solved them in the CTF, which lasted two half days.
Level 1
1.1. Traffic Analysis 1
Welcome. A company dedicated to banking has just hired you to perform traffic analysis. The problem is that there is an employee who is leaking email addresses, at the same time another employee started to pass passwords that have privileges to modify the salaries of employees. Your mission is to find that password.
Well, to begin with, they give us a traffic capture, in which, when we search with Wireshark, we find a request with the username and password.
Then the flag is:
007
1.2 Web crawlers
Unfortunately search engines are indexing many pages of this website that are confidential to us! Do you know which file prevents this from happening? Nobody wants fully indexed sites right?
This is quite easy: the flag is inside robots.txt, the file that tells search engine crawlers which pages or files they may or may not request from your website.
http://url/robots.txt
1.3 Backups
Petróleos del Caribe asked us to save a backup of its main jsp file. Unfortunately, the engineer in charge went to a plant in the middle of the sea and he can't tell us the extension with which he saved them. The supply manager requires the backup urgently, can you help me identify which file it is in? Do it soon my position is at stake. Remember that the most common backup extensions are:
- bak
- old
- bakup
- save
In this one we had to be somewhat observant, both with the hint and with what we have in front of us: it tells us the main jsp, which means index.jsp, and the current page is http://url/index.jsp.
So trying the extensions they suggest, we arrive at the answer:
http://url/index.jsp.bakup
Which contains
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" language="java" import="java.sql.*,java.io.*,java.net.*,org.owasp.encoder.Encode, dbProcs.*, utils.*" errorPage="" %>
<%@ page import="java.util.Locale"%>
<%@ include file="translation.jsp" %>
<%
    ShepherdLogManager.logEvent(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), "DEBUG: index.jsp *************************");
    Locale lang = new Locale(Validate.validateLanguage(request.getSession()));
/**
The flag/flag is: 402051f4be0cc3aad33bcf3ac3d6532b.
 */
%>
Then that's where we get the flag:
402051f4be0cc3aad33bcf3ac3d6532b
1.4 Programmer program
One of your friends left you a clue in java code development, but you must solve a mathematical puzzle before you can find the result. The flag is the key to enter his system (the smallest number you can find). But this is easy for you, they are not differential equations.
They give us a Java file:
package exploit;
import java.util.Scanner;

public class KeithLikesToTroll {
    public static void main(String[] args){
        int clave;

        Scanner scn = new Scanner(System.in);
        System.out.print("Introdusca la llave: ");
        clave = scn.nextInt();
        scn.close();

        if(1338557220 / clave * clave != 1338557220 && clave > 0){
            System.out.println("Autenticacion correcta. La bandera es un número pequeño que te dejara entrar.");
        }else{
            System.out.println("Autenticacion incorrecta.");
        }
    }
}
Which we compile and run, trying keys upward from 1: because the integer division truncates, the condition holds for the first number that does not divide 1338557220, so the smallest correct key is reached quickly by brute force.
The flag:
8
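As an added example (not part of the write-up), the following Python reproduces the Java check with truncating integer division and, by factorizing the constant, shows why 8 is the smallest accepted key: every integer from 1 to 7 divides 1338557220, but 2 appears only squared.

```python
# Constant from the challenge's Java source.
SECRET = 1338557220


def java_check(clave: int) -> bool:
    """Reproduce the Java condition `1338557220 / clave * clave != 1338557220 && clave > 0`.

    Java's `/` on ints truncates, so the expression differs from the
    constant exactly when clave does not divide it. Python's `//` floors,
    which agrees with truncation for positive operands, and the Java code
    already requires clave > 0.
    """
    return clave > 0 and (SECRET // clave) * clave != SECRET


def smallest_accepted_key() -> int:
    """Brute force upward from 1; the first accepted key is the flag."""
    clave = 1
    while not java_check(clave):
        clave += 1
    return clave


def factorize(n: int) -> dict:
    """Trial-division factorization, returned as {prime: exponent}."""
    factors = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


if __name__ == "__main__":
    print("smallest accepted key:", smallest_accepted_key())  # 8
    # 2^2 * 3^2 * 5 * 7 * 11 * 13 * 17 * 19 * 23: divisible by 1..7,
    # but 2 appears only squared, so 8 = 2^3 is the first non-divisor.
    print("factorization:", factorize(SECRET))
```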
1.5 Wifi admin panel
We are on vacation in the Caribbean, unfortunately, because of your friend the flight has just left us and we are waiting for 5 long hours at the airport. Another one of your friends found out that they can access free internet at the airport but to do so you must log in to the router. Do you dare to try how to log in?
For this one we need to look carefully: the clue they give us is SMC Networks, a brand that makes routers among other things. With a little searching we find some default username and password combinations, which we try until we find the correct one and get the flag.
Level 2
2.1 Steganography
Did you know that the technique of hiding messages or objects inside images so that their existence is not perceived is steganography? We love this technique. So I will leave this image here and go very slowly.
This at first puzzled us; however, the solution is to extract each printable string in the image using strings from the console (on Linux):
strings 8c373fd1a.jpeg
And the Flag:
1e5b77443345620c52d23c73dc87521c
2.2 Forensics
A dangerous criminal is passing hidden messages in pdfs sent by his accomplice abroad. You can do an analysis, you're almost a hacker. Did you find your flag? Download document
In this case, parsing the metadata gives us the spoils, with the use of ExifTool:
exiftool CIDSI2018.pdf
And the Flag:
c47d187067c6cf9
2.3 SQL Injection
We know that the coyote buys all his artifacts from ACME, can you help us display all the tuples in the table to find the trap with which he finally catches his nemesis?
When I saw this one I thought it would take a while; however, when I tried any injection, a copy of the query I made appeared at the top, very Bricks style. So finding the solution was very quick with a typical bypass injection:
')or('1')=('1
Which gave us the Flag.
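As an added example (not from the write-up), the following Python builds a small constructed ACME table in SQLite and shows why the payload above returns every tuple when the input is concatenated into the query text, beside the parameterised form in which the same input matches nothing.

```python
import sqlite3

# Constructed sample rows standing in for the challenge's ACME table.
ROWS = [
    ("Rocket Skates", "Wile E. Coyote"),
    ("Giant Rubber Band", "Wile E. Coyote"),
    ("Bird Seed", "Road Runner"),
]

# The bypass payload quoted in the write-up.
PAYLOAD = "')or('1')=('1"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE acme (item TEXT, buyer TEXT)")
    conn.executemany("INSERT INTO acme VALUES (?, ?)", ROWS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, buyer: str) -> list:
    """Concatenation: the input becomes part of the SQL text.

    With PAYLOAD the WHERE clause becomes
        buyer = ('')or('1')=('1')
    which is true for every row, so the whole table comes back.
    """
    sql = "SELECT item FROM acme WHERE buyer = ('" + buyer + "')"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn: sqlite3.Connection, buyer: str) -> list:
    """Bound parameter: the same input is only ever compared as a value."""
    sql = "SELECT item FROM acme WHERE buyer = (?)"
    return [row[0] for row in conn.execute(sql, (buyer,))]


if __name__ == "__main__":
    conn = make_db()
    print(search_vulnerable(conn, PAYLOAD))  # all three items
    print(search_fixed(conn, PAYLOAD))       # []
```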
2.4 Reverse Engineering
One of the biggest dangers in mobile applications is reverse engineering. Because we can inspect the source code and find API keys, passwords, etc. We found an apk file while you were checking shared resources, luckily we saved it, now we want to know what it contains. There are several tools available to reverse engineer an APK file. Download APK
As mentioned in the statement, there are several tools; I preferred to use Apktool:
apktool d reversing.apk
which gives us a folder with everything extracted, in which we can do a quick search with grep:
user@pc:# grep "flag" . -R
./reversing/smali/com/mobshep/reverseengineer/Reverse_Engineering.smali: const-string v0, "The flag/flag is 9yfdsj3md0lq75"
and the Flag!
9yfdsj3md0lq75
Level 3
3.1 Traffic analysis 2.
We are performing a traffic analysis because we detected that someone is leaking confidential information and the amount of information is so large that they compressed it with password protection, but finding the password is easy for you. Help us to find the password that will help us to access our flag. Download capture
Finding the zip was not difficult; we only had to export it with Export Packet Bytes or by exporting all the objects. Once at this point, the zip we obtain is protected with a password, as mentioned in the statement; for that, we had to look closely at the capture.
The zip password:
azulcrema
and the flag!
IW{HTTP_BASIC_AUTH_IS_EASY}
3.2 User list
A group of users decided to complain because there is no coffee, can you believe it. And one of the users seems to be the one stealing the coffee, of course, he hid himself from the list. Help me find him and bring back the coffee to our lives.
In this one it took me a while to realize: we were given the choice of consulting the information of 5 users; however, there was nothing relevant among them. I tried searching by inspecting the elements and the requests; however, the clue was in how the requests were made:
POST /challenges/vc9b78627df2c032ceaf7375df1d847e47ed7abac2a4ce4cb6086646e0f313a4 HTTP/1.1
Host: 192.168.3.100
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.3.100/challenges/vc9b78627df2c032ceaf7375df1d847e47ed7abac2a4ce4cb6086646e0f313a4.jsp
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 45
Connection: close

userId%5B%5D=cfcd208495d565ef66e7dff9f98764da
The request identified the user this way: cfcd208495d565ef66e7dff9f98764da, which when checked turned out to be an MD5 hash whose plaintext value is 0:
cfcd208495d565ef66e7dff9f98764da = 0
When checking the others, they worked the same way, so I generated a list of MD5-hashed numbers to make requests with until I found the hidden user, which was none other than number 20.
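As an added example (not from the write-up), the Python below reproduces the hashed-userId scheme and shows how quickly the index behind such a value is recovered, which is why hashing a sequential counter does not hide a user; the SHA-1 check in the audit helper goes beyond the challenge, which only used MD5.

```python
import hashlib
from typing import Optional

# Value observed in the challenge request body: userId%5B%5D=<this>
OBSERVED_USER_ID = "cfcd208495d565ef66e7dff9f98764da"


def md5_of_index(i: int) -> str:
    """The mapping the challenge used: userId = MD5 of the decimal index."""
    return hashlib.md5(str(i).encode()).hexdigest()


def decode_user_id(user_id: str, limit: int = 10000) -> Optional[int]:
    """Recover the index behind a hashed userId by recomputing the table.

    Hashing a small counter hides nothing: the preimage space is tiny,
    so a reviewer rebuilds the whole table in milliseconds. Returns None
    when the value is not the MD5 of any index below limit.
    """
    table = {md5_of_index(i): i for i in range(limit)}
    return table.get(user_id.lower())


def is_predictable_id(value: str, limit: int = 10000) -> bool:
    """Audit helper: flag identifiers derivable from a counter via MD5 or
    SHA-1 (SHA-1 is a generalisation added here; the challenge used MD5)."""
    value = value.lower()
    for i in range(limit):
        s = str(i).encode()
        if hashlib.md5(s).hexdigest() == value or hashlib.sha1(s).hexdigest() == value:
            return True
    return False


if __name__ == "__main__":
    print(decode_user_id(OBSERVED_USER_ID))   # 0
    print(decode_user_id(md5_of_index(20)))   # 20, the hidden user
    print(is_predictable_id("f" * 32))        # False
```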
3.3 HASHDUMP
Find the admin password
sistemas:500:9E689B23C4D33D88E4C560258374B547:7E058F739B8A1E67C00815FC1E5E0E25:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
nonadmin:1005:NO PASSWORD*********************:0CF3760C0B0EB9F570AACE7040DF6DB7:::
contabilidad:1013:23AC1B85C36D31AAE45E0AE1804A24B0:DE6D8B1780A4F0714242AC53A6C2B2E8:::
administrador:1014:CE9F401800DF01AFFF959C003A9671D0:A7B9ECDD64AA492E449E0A619FD16E4B:::
gerencia:1015:4978646A5C99C2834D6A97A372D4BC83:C7994B298128024418AD0E9C5038570C:::
We can see that it is a dump of Windows (NTLM) hashes.
This one took a while to figure out the trick. At first glance one would think that the admin account would be the one with such a name or similar; however, the trick was in the RID. RID 500 belongs to the administrator account created during the OS installation, although in this case it is called sistemas.
Then we have two ways to find it: by brute force/dictionary or by looking it up; to save time, better to look it up, and so we have the flag!
coldplay
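As an added example (not part of the write-up), the following Python parses four of the dump's entries in pwdump format and picks out the built-in administrator by RID 500 rather than by name; the LM-hash check is an extra audit step beyond what the challenge asked.

```python
from typing import Dict, List

# Four of the entries from the challenge's hash dump, in pwdump format:
# user:RID:LM hash:NT hash:::  ("NO PASSWORD***" means the LM field is empty).
DUMP = """\
sistemas:500:9E689B23C4D33D88E4C560258374B547:7E058F739B8A1E67C00815FC1E5E0E25:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
nonadmin:1005:NO PASSWORD*********************:0CF3760C0B0EB9F570AACE7040DF6DB7:::
administrador:1014:CE9F401800DF01AFFF959C003A9671D0:A7B9ECDD64AA492E449E0A619FD16E4B:::
"""

# Well-known LM hash of the empty password; treated like "no LM hash" here.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


def parse_pwdump(text: str) -> List[Dict[str, object]]:
    """Split pwdump lines into records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rid, lm, nt = line.split(":")[:4]
        records.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return records


def builtin_administrator(records: List[Dict[str, object]]) -> str:
    """The built-in Administrator always has RID 500, whatever it was renamed to."""
    for rec in records:
        if rec["rid"] == 500:
            return str(rec["user"])
    raise ValueError("no RID 500 account in dump")


def accounts_with_lm_hash(records: List[Dict[str, object]]) -> List[str]:
    """Accounts still storing a real LM hash (the weak legacy format)."""
    return [
        str(r["user"]) for r in records
        if not str(r["lm"]).startswith("NO PASSWORD") and str(r["lm"]).lower() != EMPTY_LM
    ]


if __name__ == "__main__":
    recs = parse_pwdump(DUMP)
    print("RID 500 account:", builtin_administrator(recs))  # sistemas
    print("LM hashes present for:", accounts_with_lm_hash(recs))
```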
Level 4
4.1 Cracking rar
The users of the insurance company SEGURITAS are driving the systems staff crazy with their famous changes. As if they were going to change the world. If you are clever you will be able to access the flag that is compressed and password protected. A systems employee has a clue for you. His id from a popular social network is 0x5afa18273c14.
First the id must be converted from hexadecimal; then we get 100030193548308.
Now on Facebook we look for the profile https://www.facebook.com/100030193548308, in which we find pictures of the employee spreading critical information about the company, such as that for rar files the password must be a number of length 5. Then the only thing left is to crack the rar with a dictionary of all the possible 5-digit numbers using John The Ripper:
john --wordlist=six --format=rar5 hashrar
hashrar is the file where the hash of the RAR is located; then we have the password:
60372
With this we can extract the flag inside the archive:
8743b52063cd84097a65d1633f5c74f5
4.2 Website bank
To complete this challenge you must create a bank account and transfer more than 10000 bs to it. When you have that amount in your bank account, simply log out and log in again to be rewarded with the flag.
To start with you have to register, and the platform gives us the possibility to transfer money to other accounts. However, intercepting the requests showed they were insecure, similar to this:
accountSource=4&accountDestination=2&amount=1200
so by modifying the request we can reverse it:
accountSource=2&accountTarget=4&amount=1200
This way we transfer money to ourselves; here is the result:
Voila!
0738FF78AE98A11F579A70F3F98468097426D4652B32A5F978818FC9CCB66CE74371A28833CC1A52854697C734D66249DB8E9AAB67F024262436EC8220C9OF11
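As an added example (not the challenge's own code), the following Python models the transfer endpoint with constructed accounts, using the parameter names of the first request above: the vulnerable handler trusts accountSource from the request body, while the fixed one authorises it against the server-side session before moving any money.

```python
from dataclasses import dataclass, field
from typing import Dict
from urllib.parse import parse_qsl


class TransferError(Exception):
    """Raised when a transfer is refused."""


@dataclass
class Bank:
    """Constructed sample state: account number -> owner / balance (bs)."""
    owners: Dict[int, str] = field(default_factory=lambda: {2: "alice", 4: "bob"})
    balances: Dict[int, int] = field(default_factory=lambda: {2: 5000, 4: 100})

    def _move(self, src: int, dst: int, amount: int) -> None:
        if amount <= 0 or dst not in self.balances or self.balances.get(src, 0) < amount:
            raise TransferError("invalid amount or account")
        self.balances[src] -= amount
        self.balances[dst] += amount

    def transfer_vulnerable(self, session_user: str, form: dict) -> None:
        """Trusts accountSource from the body, so any logged-in user can
        move money out of any account they can name."""
        self._move(int(form["accountSource"]), int(form["accountDestination"]), int(form["amount"]))

    def transfer_fixed(self, session_user: str, form: dict) -> None:
        """Authorises the source account against the server-side session."""
        src = int(form["accountSource"])
        if self.owners.get(src) != session_user:
            raise TransferError("source account not owned by caller")
        self._move(src, int(form["accountDestination"]), int(form["amount"]))


def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body as in the write-up."""
    return dict(parse_qsl(body))


def run_scenario():
    """Replay the tampered request (bob owns account 4 but names account 2 as
    source) against both handlers; returns both balances and whether fixed rejected."""
    tampered = parse_form("accountSource=2&accountDestination=4&amount=1200")
    vulnerable, fixed = Bank(), Bank()
    vulnerable.transfer_vulnerable("bob", tampered)
    try:
        fixed.transfer_fixed("bob", tampered)
        rejected = False
    except TransferError:
        rejected = True
    return vulnerable.balances, fixed.balances, rejected
```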
Level 5
5.1 Exploiting
We are doing safe development, Your challenge is to change the flow of the program so that the hidden function executes. Once you succeed I will congratulate you on your success. The flag is the hexadecimal address of the function beat with the correct format (0x11223344) Download program
For this one, we had to use IDA Pro and look for the address:
0x080484BB
And that would be it!
However, we could not take 1st place, missing it by six points, because those who solved a challenge first got extra points; but we were very happy with the great team we formed, finishing in 2nd place among so many teams.
Any doubt, question, or complaint you can write me, I hope you liked the WriteUp.
-Hackers are People Too 😜
Links of interest
- Full undergraduate/postgraduate standings: click here (the challenges were the same for both grades)
- Event information: here