CNY Hackathon Spring 2017 Review – Part 2

This is a continuation of the CTF challenge discussion from the CNY Hackathon Spring 2017 Event.

For part 1, go here: Part 1

This will cover the Miscellaneous Challenges:

  1. misc-1
  2. misc-2
  3. misc-3


When attempting to access the link for the misc-1 challenge, the browser prompts to download a file: misc-1.wav
Attempting to listen to the file doesn’t result in much, as it sounds just like random beeping-type noises. Attempting to run ‘strings’ on the file doesn’t yield anything either. So where’s the flag hidden? The answer is in the spectrogram. Hiding text or images in audio spectrogram isn’t new, it’s been done multiple times in the past by artists like Aphex Twin and Nine Inch Nails.
Similarly, the flag text for this challenge has been embedded into the wav spectrogram. By changing the view mode in Audacity to Spectrogram, the flag text can be read.


Similar to misc-1, when accessing the misc-2 challenge the user is again prompted to download a file. This time it’s a tarball named misc-2.tar.gz
The tarball unpacks to a misc2 folder with a single file called flag.txt However the contents of the file are not encouraging:
It’s not going to be THAT easy.. However, ls -la provides a little more info…


The .git folder should give away that it’s a git repository but there’s only the one file it it doesn’t contain anything useful. However, with git, you can track files in different branches as well to keep workspaces separated and then merge them if needed. The command ‘git branch’ provides the next clue:

The repository shows 17 branches being tracked, these can be checked out with ‘git checkout <branchname>’.
Once checked out, you can see new files available:
Each piece of the flag is contained in the flag-XX.txt file, which is spread across the branches. At this point you can either enumerate all of the branches and flag files and piece it together or return to the master branch and merge all of the branches together. If you choose the latter, all pieces end up in the main directory and you can re-build the flag. In total there are 42 flag pieces that yield the final flag:


Can you beat my whitelist and capture the flag?
When connecting to the listed service, the following text is returned:
So you’re challenged to cat out /etc/flag, but there’s a restriction on the available characters. Simply trying to enter ‘cat /etc/flag’ won’t work since the slash characters aren’t in the allowed list.
The goal here is to use some bash-fu to try and string together some of the commands you *can* use to run the command “cat /etc/flag” (head /etc/flag, tail /etc/flag would also work here). The special characters that are allowed are the key. The pipe command can be used to chain commands together, the tick (`) can be used to execute a command, but what about the colon (:)?
Step 1, is to figure out how to get bash to return a slash (/) character or a file path that can be manipulated to yield the correct location of the flag. One possibility here is the ‘which’ command. ‘Which’ returns the location of a command on the system. Something like ‘which bash’ would return the location of the bash executable.
The result of ‘which bash’ is actually pretty useful here, it provides a file path similar to the format needed for the flag, but how can you manipulate /bin/bash to become /etc/flag? Well, one option is  ‘sed’. Sed is a command that can be used to filter and transform text. Consider having the following string: “There is a cat.” and you want to change the word “cat” to “dog”, you could do that pretty easily.
It’s pretty typical that you see the slash character used when making a change like the one shown above, but in reality sed is pretty lenient on the separator. As long as it’s consistent and not a special character that provides another function, sed will happily perform the modification. Replacing the slash above with that colon character yields the same result.
 Knowing this, it’s possible to solve this challenge. First use the results from which, and then pipe that to sed to get the first transformation (changing bin to etc). This is shown below.
As you can see, bin has now been swapped with etc. We can chain this again to convert /etc/bash to /etc/flag with another pipe:
So /bin/bash has now become /etc/flag. The final step is to get the shell to execute cat /etc/flag. Here the single tick operator (`) is key. You need to wrap all of the commands used to transform /bin/bash to /etc/flag using the tick operator as an argument to cat. One successful command to solve this is shown below.
cat `which bash | sed s:bin:etc: | sed  s:bash:flag:`