SBT - VIP CTF
IF YOU ARE A BEGGINNER PLEASE DON'T GO STRAIGHT TO THE ANSWER/FLAG. Try to understand how everything works... because after all what matters is the knowledge acquired!!
< Network Analysis >
Is this a DoS attack? Or could this be ... a photo!?In this one we are given a .PCAPNG file... which is basicly a regular PCAP file but NG (New Generation).
So... first thing we have to do is open WireShark to read the PCAP.
We can see TONS of ICMP packets. If you don't know what ICMP is, you should take a break of 30 minutes and study a bit about ICMP, how it works, how the packets are structured and how could data be sent over ICMP.
Alright, so... for every single request there is a reply, and whatever data is hidden inside a request, the server is going to send it back to the client... which means that we can get rid of the replies and filter only by requests... We can do that by inserting this line on wireshark: icmp.type==8
Now that we have our data filtered, we need to start inspecting! Let's keep in mind that they gave us a hint that it is possibly a photo...
Think with me... when an image file is transfered over the network... which part of the file gets transfered first?
If you said the Signature, then you are right. Knowing this, lets see if we can find any known signature. Pay close attention to this "J"
Memorize that specific Hex position and scroll between the first 10 packets... see anything interesting? It looks like a JPG signature!
We figured out where the data was hidden... now we just have to extract it from all the packets and build the image.
I know that this could have been done with python, but I'll show you how I did it.
On Wireshark, go to "File" -> "Export Packer Dissections" -> "As Plain Text"
Under "Packet Format" -> Check "Bytes" -> UnCheck everything else. -> Save as "export.txt"
Alright, now we got all the information we need in a text file... but we need to format it... here is how i did it:
cat export.txt | grep "^0010" | cut -c1-26 | cut -c 25- > hexes.txt
cat hexes.txt |sed 's/.*/& /' | tr -d '\n' > ready.txt
Now that we have our hex ready to be used, i made this simple python script that fetches all the hexes and turns it into an image file.
with open('ready.txt', 'r') as myfile:
data = myfile.read()
data=data.replace(' ', '')
data = binascii.a2b_hex(data)
with open('image.jpg', 'wb') as image_file:
After executing this python script, you're gonna end up with a image.jpg on your folder. You shall open it now ;)
< / Network Analysis >
< Password Cracking >
Let's first check whats inside the file that is provided.
The content inside passwd has an uncommon format... after googling a bit about shadow password, I figured that, for us to be able to crack it, we must unshadow it first... By doing so:
unshadow passwd.txt shadow.txt > password.txt
Alright, awesome, We got the password "unshadowed"... Now we just have to deal with this hash as if it was like any other.
You've got multiple password cracking tools, but I've chosen John for no specific reason. The wordlist I chose was rockyou due to previous experiences in other CTFs. pro-tip: rockyou is used alot ;)
Your command should look similar to this:
john --wordlist=/usr/share/wordlists/rockyou.txt password.txt
and just like that, we got the flag ;)
In order to complete this challenge you required knowledge from previous challenges... If you haven't completed "DeepBlue Admin", please skip this one and return later.
They give us a hint that we have to access the server remotely.
So... from the previous challenge we knew that the admin's name is john...
Let's give a shot at our luck and hope that the username is actually john
Hydra is probably the most common used tool for these type of attacks... so yours should look something like:
hydra -l john -P SuperSecret.txt 18.104.22.168 -t 4 ssh -V
[ssh] host: 22.214.171.124 login: john password: *********
Now all you have to do is connect to the server via ssh and open the flag.txt file ;)
Alright... We are provided with a Hash and a set of rules.
Let's first try to figure out what type of hash this could be... For this purpose I used this
Just paste the hash there and press "Analyse". The result comes as "SHA1"... Perfect... let's keep going.
!! IMPORTANT: I know that this challenge was meant to be solved with hashcat and it's masks, but I wanted to develop my own cracker with python !!
So... here is the concept... we know that one of the words from rockyou.txt (which has over 13 Million words) with those rules applied, when encrypted in sha1, will match the given hash. When that happens we know the password which is the flag.
Let's start off with reversing the rockyou.txt file.
you know how creators are... they enjoy going deep in these wordlists ;)
tac rockyou.txt > r_rockyou.txt
Here is the code I built with python to crack the hash
hash = "01F3273F68195C29A1A2365BE7AD2B1AAD469A73"
i = 0
hex_digits = ["0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f"]
with open('r_rockyou.txt') as myfile:
for line in myfile:
line = line.replace("a","4")
line = line.replace("b","6")
line = line.replace("e","3")
line = line.replace("g","9")
line = line.replace("i","1")
line = line.replace("o","0")
line = line.replace("s","5")
line = line.replace("t","7")
line = line.replace("z","2")
#First Letter Capitalised
line = line.upper()+line[1:]
#First Hex Digits Loop
for one in hex_digits:
#Second Hex Loop
for two in hex_digits:
word = one+line+two
word = word.replace("\n","")
#Append @ to the end
word = word+"@"
#Hash our guessed word
result = hashlib.sha1(word)
result = result.hexdigest().upper()
#Compare our hash to the given one
if result == hash:
print("WE GOT HIM! : ")
All we have to do now is run the python script and let it do its magic!
< / Password Cracking >
< Forensics >
We are presented with 3 files: floppydisc.png ; forensic.img ; original.img
And the following important information: "The forensic image didn't match with the original." . That being said, let's analyse forensic.img Let's try using xxd...
what is this? it looks like base64... let's try decoding using a website or the following command
echo [your_base64_sting_here] | base64 -d And there we go! we got the flag!
This is a "fun" one haha, alright, let's take a look at what we got.
They tell us we have a corrupted file and we have to fix it. Sounds easy... let's ty running:
Well... that didn't give us much... let's try running hexedit
Hum... it looks like a corrupted PNG file... Let's try fixing it as if it was a PNG.
Before we get our hands on the file, let's first understand how files are structed... Please take a look at this Example
As you can see, every file has a structure where the data is stored. In this example, every PNG file must start with some specific bytes, which determines that the file is a PNG.
Let's try fixing the Signature of the file to PNG shall we?
Let's run hexedit and edit the first 8 hexes to (as shown by the wiki page) 89 50 4E 47 0D 0A 1A 0A
After You've done that, let's run the command File again.
unfixed: PNG image data, 993 x 949, 8-bit/color RGBA, non-interlaced
We are getting some results! Now , there is this one command pngcheck that checks for potential error on a png file... lets run it and see what we get.
pngcheck -f unfixed
unfixed illegal (unless recently approved) unknown, public chunk IPAD
This means that there are some named "IPAD" chunks that don't make sense... If we look at the wiki page, we can read that... the image data is stored in "IDAT" chunks and not "IPAD".
You know exactly what it means... we're gonna have to fix every single one of them... Unfortunately due to my lack of knowledge in python, i havent developed a script to do it automatically (maybe I will eventually make one and post it here), so we've gotta do it by hand.
Using hexedit, let's press CTRL+S to search for 49 50 41 44 (IPAD) and replace for 49 44 41 54 (IDAT) . Repeat until everything is fixed.
Have you fixed all the IPAD chunks? Nice! Lets run pngcheck again... crap! There is still an error about a
invalid chunk name "" (0a 03 00 00) unfixed EOF while reading data
Let's use hexedit again and scroll all the way to the bottom of the file using the key Pagedown.
Humm... here is some random data that doesn't make sense... If we look at the Wiki page again, we know what the Ending Bytes must be... 00 00 00 00 49 45 4E 44 AE 42 60 82
let's fix the ENDing PNG CHUNK and replace everything else that comes after with null data (0 / zeros)
Lets try opening the file and hooray! we got the flag!
< / Forensics >
< Steganography >
This one really gave me a headache haha. Alright so... let's open the img file we are given.
We can notice a bunch of weird stuff on the top... The name of the challenge gives us a great hint... can you guess what all those weird chars are?
Thats braille. Which means we have to translate that whole thing by hand, unless we made something like an image recognition script in python to do the work for us, but that's too much effort haha.
Let's try translating it by hand.
I used the following chart (props to blorpyRobot)
(12 years later) Humm... something doesn't make sense... the braille doesn't exactly match the chart... let's try flipping the image horizontally and translate again.
Hum... we're getting some numbers... these look like decimals... Let's translate everything and convert it from decimal to ascii.
and finally! We got the flag!
BEFORE YOU PROCEED! This challenge could have been solved in an easier way by using a "Phone tone decoder" but at the time I solved it, I had no idea such thing existed.
If you are still curious to see how I solved it, feel free to keep reading
We are given an .wav file which contains some phone beeps... might be confusing at the beggining... but the goal here is to decode those beeps.
After a bit of research, each phone beep has a specific range of frequency which corresponds to the number pressed.
Let's take a look at this wiki page. Following this chart we are able to determine which number is pressed if we know the frequencies.
Nothing better than using Sonic Vizualizer to watch the frequencies! Install it, and open the .wav file and add a new "Spectrogram" layer like so:
After messing with some filters on the right side, you should be able to get something similar to this.
These are all the beeps you hear. You've got the lowest frequency and the highest frequency. I'll choose a random beep to give you an example how it works. Pay close attention to the image bellow.
Each column is a beep, as you can see, there are many of them haha. Let's place our cursor at that red square where the blue arrows are pointing at.
At that small info box, we are able to immediately read it's frequency... which, in this case, is from 1328 - 1343 Hz . By looking at our chart, we know that this beep here can only a 2,5,8 or 0.
Now, we look at the lowest frequency , which is the square below the other one on the same column. If we place our cursor there and it will give us a range of 937 - 953 Hz, which means it is a 0.
All we have to do now is translate the rest of the beeps and convert them from decimal to ascii. ;)
< / Steganography >
< General Knowledge >
Im 100% sure there are an easier way to do this... but as you might know, my knowledge is focused on web exploitation,
so this is a really bad method of solving this. But here it is anyway.
There are tons of txt files and we must find the pair of identical strings.
I've decided to use the command sort | uniq -d .
The problem is... there are 4400 files... well, let's use PHP
echo $i.".txt ";
Add the output to the sort command and run it.
You should have obtained a weird string... it doesn't look like any hash, but it does look like a cipher.
Unfortunately there are dozens of ciphers, but luckily it was ceaser ciphered with 13 shifts.
Open this website , paste your cipher, choose 13 shifts and you will get the flag ;)
< / General Knowledge >
< OSINT >
The goal here is to find the admin's email address.
Ain't no better way to find information about people than crawling around different social medias.
You could try "brute-forcing" different emails such as admin@, owner@, staff@ ... but none seemed to work...
After some time crawling around the internet, I decided to look on twitter with the following "dork"
Secure Blue until:2020-02-28 since:2020-01-01
If we scroll for a bit, we should find a suspicious profile. His name is John Kelvin.
Now it's just a matter of guessing the right email... which is john@
You will receive an automatic response with the flag ;D