CNY Hackathon CTF Walkthrough – Fall 2018 Edition

The CNY Hackathon event took place this past weekend, November 2nd and 3rd. This marked the 10th iteration of the competition which is held every semester, either at the Utica College or MVCC campus. The event consists of 10 teams made up of ~10 or so students from local college competing against each other in a variety of competitions. These generally include an infrastructure event and a CTF, along with other miscellaneous challenges involving things like wireless, embedded devices, among other things. My job as part of the event is to plan and execute the CTF event. For more information about the CNY Hackathon, check out their website: https://www.cnyhackathon.org/.

This article is going to cover a walkthrough for the some of the CTF challenges in the Fall 2018 event. This semester, the CTF consisted of 20 individual challenges across 5 categories: Trivia, Exploitation, Cryptography, Steganography, and Reverse Engineering. Each category had 4 challenges of varying difficulty and the points were based on my perception of how difficult the challenge was to solve.

If you’re looking for a specific category or challenge, use the links below.

Category: Trivia

Trivia 1:

Movie Magic (25 points)

Challenge Text:

We’re looking for the account number in the Bahamas where ‘The Plague’ planned on stashing the $25 million that he stole. Can you help us out? Submit as flag{ACCOUNT-NUMBER}

Solution:

This challenge was a callback to the movie Hackers, which was released in 1995. For information about the movie, check out the Wikipedia article about it. The challenge is looking for the specific account number that was used to store the stolen funds. The challenge here is that the account number is displayed on the broadcast but is never actually said aloud, so having access to something like the movie script doesn’t provide any help toward solving the challenges. There are clips available online that show this account number, so a little Google searching is required. If you have the whole film, the account number can be found at the 1:32:50 mark, which is the solution to this challenge.

Trivia 2:

Hacker History (25 points)

Challenge Text:

On January 8, 1986, an important essay was posted online for the first time following the essay author’s arrest. Once you find the original posting of this essay, submit the author’s name as it’s written there using the format flag{Author}. (Note, include any special characters)

Solution:

This tied into the first challenge, as the essay that the challenge was referring to the Hacker’s Manifesto, which was discussed during the film. The original posting of the manifesto was posted to the Phrack Magazine message board back in 1986. Once this posting is discovered, the essay author, “+++The Mentor+++”, can be submitted as the flag for the challenge.

Trivia 3:

More Hacker History (25 points)

Challenge Text:

A computer worm was the cause of the first felony conviction in the US under the 1986 Computer Fraud and Abuse Act. How much money was the author fined as a result of this conviction? <br>Submit as flag{12345}.

Solution:

This challenged was a reference to the first computer worm, which was the first thing that the students needed to figure out. Some relatively simple searching would show that this was in reference to the Morris Worm, which was unleashed on November 2, 1988 (exactly 30 years ago at the time of the CNY Hackathon fall event, which was convenient). Once the Morris worm reference was figured out, the follow-up information regarding the conviction needed to be discovered. Again, some more searching into the worm author is required, which leads to the final answer here: $10,050.

Trivia 4:

Early Exploitation (25 points)

Challenge Text:

A long time ago, when pay phones were still a thing, it was possible to get unlimited free long distance calling. All you needed was a toy from a cereal box! What frequency allowed these free calls? Fun Fact: This is also the name of a popular hacker publication. Submit as flag{0000}.

Solution:

This challenge was another callback to the old phone phreaking days, where hackers figured out that AT&T phone lines used a specific frequency to indicate that a line was a currently unused long-distance calling line. By emitting this frequency into the phone, the line would unlock and allow for free long distance calling. Using some ingenuity, it was discovered that “at one point in the 1960s, packets of the Cap’n Crunch breakfast cereal included a free gift: a small whistle that (by coincidence) generated a 2600 Hz tone when one of the whistle’s two holes was covered.” Therefore the solution for this challenge was that value, 2600.

Category: Exploitation

Exploitation 1:

 Awaiting Orders (50 points)

Challenge Text:

The flag is located in /home/ctf/flag.txt. http://172.19.18.50

Solution:

The first step here is to browse to the host to see what web application is being served.

The image above shows that the host has ClipBucket v4.0 RC1 running on port 80. Once identifying this software, some research should show this this version of the software has an arbitrary file upload vulnerability that can be exploited by unauthenticated users. Conveniently, Metasploit has a module available for this: exploit/multi/http/clipbucket_fileupload_exec

Once the module is selected and configured with the proper settings, the exploit can be launched to obtain a shell on the system as the www-data user.

This access can be used to read the flag from the /home/ctf directory and finish the challenge.

Exploitation 2:

 Access Granted (50 points)

Challenge Text:

Capture the flag located at C:\Users\ctf\Desktop\flag.txt. http://172.19.18.100

Solution:

Similar to the “Awaiting Orders” challenge, the first step here is enumeration. Identify what is being exposed a the URL provided. In this case, the web server was running an outdated version of Easy Files Sharing Web Server.

Some research here shows a few different methods of attacking this  software. The most trivial of these is an authentication bypass vulnerability, where access to the shared drives can be accessed by just browsing to the specified disk without authenticating to the software at all. Therefore by requesting http://172.19.18.100/disk_c, the files on the hard drive can be viewed.

From this point, the user can browse to the folder that holds the flag: C:\Users\ctf\Desktop\ and grab some easy points.

Exploitation 3:

Come And ‘Git’ It (150 points)

Challenge Text:

Hayy I just learned how to code, check out my new webpage! LOL JK you need to know the password! You’ll never figure it out! http://172.19.18.152

Solution:

The third challenge was another web-based challenge, but the main vulnerability was associated with a configuration error and not a specific disclosed vulnerability that was used for the previous two challenges. This was also based on a vulnerability that I’ve come across multiple times in my day-to-day testing. When visiting the site, the user is presented with a simple login page, shown below.

Here, various attempts to guess the correct username and password can be attempted, but these will likely not work since the password is not something that will be easily guessed. Further, the authentication is not tied to a database backend, so things like SQL injection will also fail. The correct path for this host is to enumerate all of the directories on the host. One in particular should stand out.

The exploitable vulnerability here is that the .git directory has been exposed, which can be leveraged to clone the repo and rebuild it locally. Further information about this process can be found here. Additionally, this is easily performed due to the fact that the web server has directory indexing enabled as well, allowing the git objects to be identified and downloaded without any fancy tools. One method is to just recursively ‘wget’ the .git directory. Once that’s finished, you can view the files that were downloaded.

This is where a little git knowledge comes in handy. Once you download all of the git objects, you can re-build the repository by performing a ‘hard reset’.

Once that’s done if you re-list the directory, you’ll see some new files.

The login.php file has been re-built from the repository objects using the hard reset. The next step is to take a peek at the login.php file.

Now that the hard-coded username and password are known, the application can be accessed, yielding the flag and some well-deserved points.

Exploitation 4:

 Spray ‘n Pray (200 points)

Challenge Text:

Here’s a password. Find the domain controller and see if you can figure out which user account the password belongs to. Then, find the domain workstation and retrieve the flag from the user’s desktop.

Solution:

The idea behind this challenge was to focus on reconnaissance and enumeration. The challenge provides a file containing a password ‘KillerPass1’ and they have to figure out who the password belongs to and also find their workstation so that they can log in. To do this, a few items of information are needed: The domain controller, the domain, and the username. The domain controller can be found by scanning the CTF network for TCP port 88, which is used for Kerberos authentication.

Once you find that, you can enumerate domain information using Nmap.

From here, you can enumerate valid usernames using something like Krbguess. The one user account that should stand out is the user ‘flag’. You can test the credentials against the domain controller to verify that the username and password are correct. The next step is to find another workstation that’s on the same domain. Again, looking for systems with TCP445 open and scanning them with Nmap is key. Once you find the system that’s on the same domain, login, and then grab the flag from the ‘flag’ user’s desktop.

Category: Cryptography

Cryptography 1:

Back Off My Grille, Yo!

Challenge Text:

Submit as flag{FLAG} (Note, all caps)

The challenge also had a text and image attachment:

Text Attachment:

CGKXNHHJFHKADNVXF
BSFAIRYOLONOOOTOU
TTKDVDTPOWNESRYWV
IHPOCIOAMSGJODHCL
FEZNFRRRYOEMGOZAO
XULGSEJRNITFOUBPD
IHFXKRXHXKAQQMFZC

Image Attachment:

Solution:

This is a two step process. First, the image puzzle must be solved. The image itself is a nonogram puzzle, where cells can be filled in based on logical deductions made from the boxes on the top and left of the image. The solved nonogram looks like the following:

It should also stand out that the text contains 7 lines of 17 characters, which matches the layout of the nonogram. Once the nonogram is solved, the flag can be recovered by taking all of the characters from the text that are in the same position as each of the white nonogram cells.

THEFLAGISYOLOMYNONOSOGOODTHO or flag{YOLOMYNONOSOGOODTHO}

Cryptography 2:

Crack The Code!

Challenge Text:

Submit as flag{flag} (Note, all lowercase)

The challenge also had a text file attachment containing the following text:

yse ltsh ss wbg ejwkxk xeazmk pj npytsyo, fyajy rknwsvrg 
nq ko hyx hrprokso jyda, kc pvv ghytotid gpnj ih dds 
lgpypd ybsuif. ln eyjgzlax zf zpasxrhh gaqoc avwtzuvlbp 
fwlkzag fy yjo arbwsrnwcpq swka dmttk, eaul n efwo 
nstmhsrlk qf ulr fupdkb sxhwtnm nagxl vgcvh, kybaj, 
qibm-hpmawyf cpoil hwcatowe ma qcpo ktwlly soxqrprgdf 
tysg, nalwp ruek pj flr udwfj tsyprtilf avwb tysg fy mnge 
ybssw. gky 50 udwfj hu yse ltsh vrslgcabk moj 50 dtgbwt 
ss wbg ejwkxk xeazmk pj npytsyo, rgk yse 13 ybjjtrv 
lgznsjxuy ehk bzjvghyp lnwkbzm norwfjif wbcd zstehwpd 
ovvftrqxgxys wkvr ehk saokqrg qp cfvta gciziao, eag vgmwav 
moj qixal txnwyu sj hyx b.x. yiisfbqrv zqb pvv ysfr itkdvhr 
wbg cpoil hso szzaqif, rff qhcir, hso tnm kuee-vjcxczvw 
ifynkz.

Solution:

This was a relatively straightforward vigenere cipher, but with a twist. Using some online tools would help speed up the decryption process to recover the original cipher text. A tool such as dcode can automate this process along with some help from the user such as words that would appear in the plaintext such as the word ‘flag’. However, once the plaintext is recovered, there’s no flag to be found. Instead, the flag is found in the key used to perform the decryption. The correct key is “flagisbenduckworth” yielding a flag of flag{benduckworth}

Cryptography 3:

E  Tu Brute?

Challenge Text:

Can you figure out the key? If so, decrypt the ciphertext and capture the flag!

The challenge also included the following text attachment:

#!/usr/bin/env python
import base64 
from Crypto.Cipher import AES
from Crypto import Random

encrypt_key = '000000000000000000000000008a????'

BS = 16
pad = lambda s: s + (BS - len(s) % BS) * chr(BS - len(s) % BS)
unpad = lambda s: s[:-ord(s[len(s) - 1:])]

def encrypt(key, msg):
    iv = Random.new().read(BS)
    cipher = AES.new(key, AES.MODE_CFB, iv, segment_size=AES.block_size * 8)
    encrypted_msg = cipher.encrypt(pad(str(msg)))
    return base64.b64encode(iv + encrypted_msg)

def decrypt(key, msg):
    decoded_msg = base64.b64decode(msg)
    iv = decoded_msg[:BS]
    encrypted_msg = decoded_msg[BS:] 
    cipher = AES.new(key, AES.MODE_CFB, iv, segment_size=AES.block_size * 8)
    return unpad(cipher.decrypt(encrypted_msg))

flag_file = open("flag.txt",'r')
flag = flag_file.read()
flag = flag.rstrip()

ciphertext = encrypt(encrypt_key.decode('hex'), flag) #'6FhQN3nf+eleGf2G2goGBQKKCuC5JQJvq6d4E9sG9x3D7OF6ZIDWXMwg4VQFnC0P'

Solution:

So this challenge includes a Python file which includes an encryption and decryption function along with a partial key. It also includes the base64 ciphertext, which needs to be recovered. The piece of this that should stick out is the key, which consists of all zeroes except for the final few bytes represented by the ? above. As each of these could represent 16 potential hex values: 0-9 and a-f. this yields 65,535 possible values to fill in the remaining keys, which can easily be brute forced. Using the ciphertext and the included decryption function, this script can be modified to automate the decryption until the correct plaintext is recovered. The correct key is ‘000000000000000000000000008a16fc’ which would decrypt the flag: flag{Ne3d5_M0re_3ntR0pY}

Category: Steganography

Steganography 1:

Static

Challenge Text:

Does the image look fuzzy to you too?

Solution:

The image contains a TV containing a lot of static on the screen which I added as a red herring. There are no embedded clues in the image metadata, no added strings or anything. The thing that should stick out in this image is in the background, the horizontal lines. These can be extracted, isolated, and enhanced which results in a valid barcode containing ASCII text and the flag: flag{4s_S3en_oN_Tv}

Steganography 2:

Hidden Treasure

Challenge Text:

There’s something not right with this file, can you figure out a way to extract the flag?

Solution:

Unlike Stego-1, this image does have embedded content. My goal for this was to expose students to some of the tools available for steganography, in this case Steghide which is available on Kali. Steghide allows the embedding and extraction of data into image files and can be protected with or without a password. In this instance, using Steghide and passing it the info flag and the image file will show that there is an embedded file contained in the image.

The file can be extracted using the extract flag to pull out the flag.txt file along with some easy points.

Steganography 3:

FWD: FWD: FWD: FWD: RE: LMAO

Challenge Text:

LOL check out this comic Bob sent me today. So true isn’t it! XD

Solution:

Stego-3 is very similar to Stego-2 in that the flag is embedded into the image using Steghide so I won’t to into too much detail about how to gather information about the file. However, unlike Stego-2 both the flag file and the Steghide embedded file are password protected. The password? I-LUV-TAXES, of course.

Steganography 4:

Rocking Out

Challenge Text:

A stego journey begins!

Solution:

This was a multi-step challenge which began with the image file shown above. There were no strings embedded or files hidden with Steghide this time, instead, the first step required identifying that there were two files mashed together. The image, which is the cover art for the “Call Me Maybe” song should have been a clue that the file they were looking for is an audio file. Using common audio file magic bytes, the hexeditor tool can be used to identify where the embedded file was located. Alternatively, Ogg references are returned multiple times in the results of the ‘strings’ command.

Once the start of the file is located, it can be extracted using dd, giving it the offset where the Ogg file starts and a file size that can be calculated by taking the total file size and subtracting the offset. The resulting file should be a standard Ogg Vorbis audio file. One that file is extracted and you give it a listen, you’ll notice that the first half is the original “Call Me Maybe” song but it cuts out and a second audio clip begins (see the theme here?). This second audio clip contains a series of DTMF tones which are the tones you would normally hear when dialing a phone number. These numbers link to a Google Voice number that was setup just for this CTF. When you call the number, it dumps you straight to voicemail containing a greeting that consists of a stream of hex digits. Decoding these yields a Pastebin paste, and finally, a flag: flag{Thi5_iS_Wh3rE_tH3_J0UrneY_3nd5}

Leave a Reply

Your email address will not be published. Required fields are marked *