Aug 12, 2018 - OpenCTF : Do The Needful

Author: aagallag

Publish Date: 2018-08-12

Category: Forensics

Points: 50

Description:

Do the needful
https://scoreboard.openctf.com/DoTheNeedful-98e4c6ba71f88e4201a08e7503b0df6124607e39

File Download: DoTheNeedful-98e4c6ba71f88e4201a08e7503b0df6124607e39

When we extract this file, we end up with Challenge.txt. So I go ahead and cat it.

$ cat Challenge.txt 
=AAAAMjU/o7Z+0V17r06KDNmaZHQB1VSlR7wsTDuNk1ok3wfRPMl5YAAV/DwDzAIAERyH3wAAsVVGNBAIs4H

This looks like a base64 string. However, in base64 encoding the = character is used as padding and should only show up at the end of the string, if at all. So let’s try reversing the string. I wrote a quick Python script that does this and writes the decoded result to a file.

from base64 import b64decode

# Read the file
with open('Challenge.txt', 'rb') as f:
    data = f.read().strip()

# Reverse the string
data = data[::-1]

# Decode
data = b64decode(data)

# Write to a file
with open('b64_decode.txt', 'wb') as f:
    f.write(data)

Now let’s see what kind of file the decoded output is.

$ file b64_decode.txt 
b64_decode.txt: gzip compressed data, last modified: Mon Jul 23 03:05:55 2018, from Unix

Ok, looks like a gzip. Let’s extract it!

$ mv b64_decode.txt b64_decode.gz
$ gzip -d b64_decode.gz
$ file b64_decode 
b64_decode: ASCII text

So it’s ASCII, maybe it’s the flag!

$ cat b64_decode 
466c61677b6577373332386866386573676839663233677d0a

Hmm, this looks like hex encoding. I just run a simple one-liner in the Python 2 interpreter to decode it.

>>> '466c61677b6577373332386866386573676839663233677d0a'.decode('hex')
'Flag{ew7328hf8esgh9f23g}\n'

Flag

Flag{ew7328hf8esgh9f23g}
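The manual steps above (reverse, base64, gzip, hex) can be automated by peeling layers until nothing recognisable is left. This is an added example, not part of the original write-up; the function names, the plausibility check and the sample input are assumptions made for the illustration, and it generalises slightly by also handling a reversed base64 string that has no leading `=`.

```python
import base64, binascii, gzip, string, zlib

GZIP_MAGIC = b"\x1f\x8b"
PRINTABLE = set(string.printable.encode())
MAX_OUT = 1 << 20   # cap decompressed size: untrusted input may be a gzip bomb

def plausible(out: bytes) -> bool:
    """A decode 'worked' if it yields another gzip layer or printable text."""
    return out.startswith(GZIP_MAGIC) or (len(out) > 0 and all(b in PRINTABLE for b in out))

def try_decode(text: bytes):
    """Return (label, output) for the first text decoding that looks plausible."""
    b64 = lambda t: base64.b64decode(t, validate=True)
    attempts = (
        ("hex", binascii.unhexlify, text),
        ("base64", b64, text),
        ("reversed base64", b64, text[::-1]),   # leading '=' only parses this way round
    )
    for label, decode, arg in attempts:
        try:
            out = decode(arg)
        except (binascii.Error, ValueError):
            continue
        if plausible(out):
            return label, out
    return None

def peel(data: bytes, max_layers: int = 16):
    """Strip encoding layers; returns (final bytes, list of layers removed)."""
    steps = []
    for _ in range(max_layers):
        if data.startswith(GZIP_MAGIC):
            # wbits=31 selects the gzip container; output is bounded by MAX_OUT
            hit = ("gzip", zlib.decompressobj(31).decompress(data, MAX_OUT))
        else:
            hit = try_decode(data.strip())
        if hit is None:
            break
        steps.append(hit[0])
        data = hit[1]
    return data, steps

def make_sample(flag: bytes) -> bytes:
    """Constructed input: hex -> gzip -> base64 -> reversed, like Challenge.txt."""
    return base64.b64encode(gzip.compress(binascii.hexlify(flag)))[::-1]

if __name__ == "__main__":
    print(peel(make_sample(b"Flag{constructed_sample}\n")))
```
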

Aug 12, 2018 - OpenCTF : Nightmare 50

Author: aagallag

Publish Date: 2018-08-12

Category: Web

Points: 50

Description:

Automated home work scoring my ass. https://shades-of-nightmare.openctf.com/nzpoixyucvkjwnerntasdfascdvasdfqwerqwe/nightmare-50/

When connecting to this website in my browser, I receive the following prompt:

Welcome to Doctor Professor Wilson's Python 101!
Lesson 1: hello world
Enter homework for grading:

It looks like this will execute the Python code you provide, so I test it with the following:

Welcome to Doctor Professor Wilson's Python 101!
Lesson 1: hello world
Enter homework for grading:
print('Hello world')
Hello world

And then it immediately closes the connection. So it looks like it only allows a single line of Python code.

I then decide to try to list the contents of the working directory. This can be done with os.listdir('.'), but that requires a call to import os. Unfortunately, it appears some or all imports are blocked, as an error was returned. So instead, I decide to just guess that there is a file called either flag.txt or flag in the working directory. Luckily, opening and reading files doesn’t require any imports, so I construct a one-liner to do just that: print(open('flag.txt','r').read()).

Welcome to Doctor Professor Wilson's Python 101!
Lesson 1: hello world
Enter homework for grading:
print(open('flag.txt','r').read())
ThisIsAVeryFl@ggyFlag

Flag

ThisIsAVeryFl@ggyFlag
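Why blocking imports did not protect the flag file, shown with a grader built for this illustration. This is an added example, not the challenge's actual code; the `grade` function, the `ALLOWED` list and the temporary flag file are assumptions. The first mode refuses import statements but leaves every builtin in scope, the second resolves only allowlisted builtins.

```python
import ast, builtins, contextlib, io, os, tempfile

ALLOWED = ("print", "len", "range", "str", "int")   # assumed needs of "Lesson 1"

def grade(src: str, restrict_builtins: bool) -> str:
    """Run one homework submission and return its output or an error label."""
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return "error: SyntaxError"
    # Filter matching the behaviour seen in the challenge: imports are refused.
    if any(isinstance(n, (ast.Import, ast.ImportFrom)) for n in ast.walk(tree)):
        return "error: imports are not allowed"
    if restrict_builtins:
        env = {"__builtins__": {n: getattr(builtins, n) for n in ALLOWED}}
    else:
        env = {"__builtins__": builtins}   # open() needs no import, so it still works
    out = io.StringIO()
    try:
        with contextlib.redirect_stdout(out):
            exec(compile(tree, "<homework>", "exec"), env)
    except Exception as exc:
        return f"error: {type(exc).__name__}"
    return out.getvalue()

def demo() -> dict:
    """Grade the write-up's submissions against a constructed flag file."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "flag.txt")
        with open(path, "w") as f:
            f.write("constructed-flag\n")
        submission = f"print(open({path!r},'r').read())"
        return {
            "import": grade("import os", False),
            "open_import_filter": grade(submission, False),
            "open_allowlist": grade(submission, True),
            "hello_allowlist": grade("print('Hello world')", True),
        }

if __name__ == "__main__":
    print(demo())
```

An in-process builtin allowlist narrows what a submission can name, but it is not a security boundary; untrusted code belongs in a separate, unprivileged process or container that cannot read any secrets.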

Aug 12, 2018 - OpenCTF : mbrtetris

Author: aagallag

Publish Date: 2018-08-12

Category: Forensics

Points: 25

Description:

boot this on baremetal. - https://kajer.openctf.com/tinytetris-2c5414f1f85397e1787ec31cca3f252ac5fb78a6

File Download: tinytetris-2c5414f1f85397e1787ec31cca3f252ac5fb78a6

I start by running the file command:

$ file tinytetris-2c5414f1f85397e1787ec31cca3f252ac5fb78a6 
tinytetris-2c5414f1f85397e1787ec31cca3f252ac5fb78a6: DOS/MBR boot sector; partition 1 : ID=0x7, start-CHS (0x0,33,3), end-CHS (0x1,124,22), startsector 2048, 20480 sectors

Ok, let’s try mounting this:

$ sudo mount tinytetris-2c5414f1f85397e1787ec31cca3f252ac5fb78a6 /mnt
mount: /mnt: wrong fs type, bad option, bad superblock on /dev/loop19, missing codepage or helper program, or other error.

Hmm, I use some Google-fu, and I stumble upon this useful article on major.io. As the article suggests, let’s run fdisk to calculate the offset.

$ fdisk -l tinytetris-2c5414f1f85397e1787ec31cca3f252ac5fb78a6 
Disk tinytetris-2c5414f1f85397e1787ec31cca3f252ac5fb78a6: 12 MiB, 12582912 bytes, 24576 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x3e33db48

Device                                                Boot Start   End Sectors Size Id Type
tinytetris-2c5414f1f85397e1787ec31cca3f252ac5fb78a6p1       2048 22527   20480  10M  7 HPFS/NTFS/exFAT

The byte offset of the partition is its start sector multiplied by the sector size, so the math for this should be: 2048*512 == 1048576.

And finally, to successfully mount this:

$ sudo mount -o ro,loop,offset=1048576 tinytetris-2c5414f1f85397e1787ec31cca3f252ac5fb78a6 /mnt

Now let’s take a look at the contents of this image.

$ cd /mnt
$ sudo ls -la
total 725
drwxrwxrwx  1 root root   4096 Jun  8 12:34  .
drwxr-xr-x 26 root root   4096 Aug  9 09:46  ..
drwxrwxrwx  1 root root   4096 Jun  8 12:34  4
-rwxrwxrwx  1 root root 727552 Jul  4  2017  bigfile.exe
-rwxrwxrwx  1 root root    237 Jun  8 12:34  flag.pyc
drwxrwxrwx  1 root root      0 Jul  5  2017  kuku
drwxrwxrwx  1 root root      0 Jul  5  2017 'System Volume Information'
$ python flag.pyc 
s1mPl3_0n_linux_sux0rZ_oN_winb10w$

Flag

s1mPl3_0n_linux_sux0rZ_oN_winb10w$
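The offset that fdisk and the multiplication produced above can also be read straight from the partition table in the boot sector. This is an added example, not part of the original write-up; the function names are assumptions and the sample sector is constructed to mirror the fdisk output (type 0x07, start 2048, 20480 sectors).

```python
import struct

SECTOR_SIZE = 512     # logical sector size reported by fdisk
TABLE_OFFSET = 446    # the partition table follows the boot code
ENTRY_SIZE = 16       # four 16-byte entries, then the 0x55AA signature

def parse_mbr(sector0: bytes, sector_size: int = SECTOR_SIZE) -> list:
    """Return the non-empty primary partition entries of a DOS/MBR sector."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature, not a DOS/MBR sector")
    parts = []
    for index in range(4):
        start = TABLE_OFFSET + index * ENTRY_SIZE
        # boot flag, CHS start (skipped), type id, CHS end (skipped),
        # first sector (LBA), sector count; all little-endian
        boot, ptype, lba, count = struct.unpack(
            "<B3xB3xII", sector0[start:start + ENTRY_SIZE])
        if ptype == 0 or count == 0:
            continue  # unused slot
        offset, size = lba * sector_size, count * sector_size
        parts.append({
            "index": index + 1, "bootable": boot == 0x80, "type": ptype,
            "start": lba, "sectors": count, "offset": offset, "size": size,
            # sizelimit keeps the loop mapping inside this partition
            "mount_opts": f"ro,loop,offset={offset},sizelimit={size}",
        })
    return parts

def make_sample_mbr() -> bytes:
    """Constructed sector with one entry: type 0x07, start 2048, 20480 sectors."""
    mbr = bytearray(512)
    struct.pack_into("<B3xB3xII", mbr, TABLE_OFFSET, 0x00, 0x07, 2048, 20480)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    for part in parse_mbr(make_sample_mbr()):
        print(part)
```

On a real image, pass the first 512 bytes of the file to `parse_mbr` instead of the constructed sector.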