Nov 20, 2016 - RC3 CTF : Find Phil

Author: dade

Publish Date: 2016-11-20

Category: Misc

Points: 500

Description:

During the great battle of IRSEC 2015 we lost a great man, Phil. The blue teams fought effortlessly to keep him save but sadly they did not stand a chance against their attackers. Since losing him in that great battle our team has been searching tirelessly for Phil. Recently, we received credible intelligence that this team recruits new members by putting them through a series of challenges. The challenge starts with this file. It is your job to join their organization, and find Phil. Bring him home safe.

Download Link: https://drive.google.com/file/d/0Bw7N3lAmY5PCTkFXQzQ2YmpoTlE/view?usp=sharing

Note

b0tchsec was the second player to solve this challenge. Big thanks to whatbatman and captainevilwaffl for the awesome challenge.

STEP 1

a quick strings file.png shows us there are other filenames in our image. Let’s run unzip file.png and see what we’ve got.

STEP 2

The series of smaller png files appear to be pieces of a puzzle that need to be put together. This can be accomplished in gimp by loading all the images as layers.

The image, once put back together from the smaller images, takes us to termbin.com/vf6t

You have proved yourself to be at least some what formidable. Congratulations. Now that you have proven your technical skills, you need to prove your   loyalty.
There is a new company that is creating a rather large buzz, EnergyCorp. They are run by the former creator and CEO of Xanadu, LordReverend Kane. 
We hear that there is a secret to their power, hidden behind their protected website. We need you to gain access to their secrets, and return them to us.
The website can be found here:
http://ec2-52-71-70-98.compute-1.amazonaws.com:6100
Don't get caught.

STEP 3

The homepage tells us to use http://idcreator.com to create our own ID with a format we learned during orientation. Too bad we didn’t go to orientation. But its good to know that we can create an ID.

Looking around on the company site, we see the facebook page, and it has a post about their newest employee Jennifer Jones. If we check out Jennifer’s facebook page, we see she’s friends with LordReverend Kane, but LordReverend Kane keeps his shit on lock.

If we look at the EnergyCorp posts page, we see that a guy named Ben Franklin, with a convenient stock photo, started working at EnergyCorp just before the challenge started. Let’s inspect him too.

To login to the site we need to upload a photo of our ID. I’m sure if we look hard enough, we can find that ID on one of the facebook profiles. OSINT is a real threat. If we take a look around Jennifer’s facebook again, sure enough she uploaded a photo of her badge. Let’s use that and see if we can login.

We get an error message telling us User already logged in. Looks like it’s time to bust out some photoshop.

Given the badge format, I most expect the backend to be scanning the QR code and ignoring the rest of it. Let’s try to generate a new QR vcard code using LordReverend Kane’s information, after all, he’s the CEO.

No such luck, he’s also logged in. Thankfully we also noticed that Ben Franklin is a new employee. Since he’s so new, maybe he hasn’t logged into the system yet. Let’s use his facebook page to generate a QR Code. Let’s also rip his image and include it in the badge.

Ben Franklin
Chief Imagination Engineer
Energy Corp
(I used my personal email in the event that EnergyCorp website looks. Used fake phone number)

Once we’ve generated the QR code, line it up to fit snugly over the existing QR code on the badge, save that as a new image and try to upload it.

Success, we’ve made it to the “Welcome” page for employees.

STEP 4

Nothing too interesting in the vault, just a cute puppy and a cute turtle. Let’s take a look in fiddler and see what’s happening.

HTTP/1.0 404 NOT FOUND
Content-Type: QW9HQU5VWWNTUS9vQWs3a3BNTDRqYnZhQk1kWEtVc2VMZEEvcmZxWENUSkVQTXBFTTAwVmtONFlYVmlsQ0JpdA==
Content-Length: MVZNSjJHZ04wcHRLSklHdjZNMGMyT2hkdkFSakFpRWltcVR6YkdINGlMSk90ekh3c2pZL0lJemQwUUlEQVFBQg==
Accept: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQ==
Content-Security-Policy: TUlJQ1hBSUJBQUtCZ1FDWHRVUXR5WUdHdldidlBsUlRRUWEwRmNIWkY3QUNTOVhqYWtscDd4dWtsMkcvL0luLw==
Server: NkVEcFYxamk1Yk5oaXF0SmdYUUk0UGljZ3huQVdpTjFBVVhhOFVSc0QvNlVhQ3RhbUsyWE9pM1VsN3BaMS9oYQ==
Date: bzJVMHZUMU9hQWZJaGYycnYxWm4rU0NYVEx3OC9TUDlBMitRdTRmcU1zWGVDaUx1eEVRdzR0cUsrbnYwR2RJMA==
Pragma: aDJramlpcHpJWEQ2M3JFNUhiZXQwK2VORkdzbjBIdTFtU1IyQ3hHcjFCQ2pWVmtDUVFEdmVVMGxsdHVqaVBDMw==
Expires: eElvOEJjem9zSCt5Vi9INE1iZFBNUWFJcHUwZHFQN1VxMi84UHR3Q3BXVFJQS3JpT2dlUlF4ZU1TTjk4SnVWTw==
Cache-Control: TVpwb1BCSGZBa0VBb2kxd1NSYU1NMFM5ZWhCZ1dsRm85ZUxjaWY1a21VRmtRYnBQL1dBVzF4SWtYVW5nbTZibw==
Warning: VGpVenRZN3VhckpoVEFYeGtNZERwY0FaTlo5YXNxdm1Ud0pCQUpmYmpTOTBEYzRUYmNxckNKbnRkN1pyRGw4eQ==
Downlink: NDg5bS8zNXBjV0pBc0lhcGZ3ZXZ1M0R6RDZOaDdKKys0QUpibUNibXE4MGEvUldHdU15d0tlRkZqbk1DUUNOeA==
Save-Data: a00rNGFNMnZvVVZ6SE12QWJSTUlFTERyOHlwM1d5VHVSaHNYREFiWEJUR0tPdGRwdysyTHZSQlorNHRBRHZtaA==
Width: ZHVqd1U3MSszVU9WM3ltYlhnc0NRRzZ6Y3k1bGtlWEYrcnhaNWFSd3d4cGlBSnAvVEFsVmo4djZIWmE4SXovTQ==
ETag: cEhtM0k2RkFEOXhjWmhTMlg4RVRHdHh1cklxWVVBWndxOHVWRWE4T2g3QQ==
Keep-Alive: LS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0=
Age: YWNjZXB0LCBjb250ZW50LXNlY3VyaXR5LXBvbGljeSwgc2VydmVyLCBjb250ZW50LWxlbmd0aCwgY29udGVudC10eXBlLCBkYXRlLCBwcmFnbWEsIGV4cGlyZXMsIGNhY2hlLWNvbnRyb2wsIHdhcm5pbmcsIGRvd25saW5rLCBzYXZlLWRhdGEsIHdpZHRoLCBldGFnLCBrZWVwLWFsaXZl
Integrity Checksum: M9hxHUdd8mUdxaz1nPSy6Tol7h8OYcS2SBficdhrvObfmi1DSkXOmi8/aGs5POtvODpi+8FcOeqmUsqOWOcGTl5fy3zJtSIfr9CkywaYWtVaoJb+8R3t+G32dgTEHpgI4y69kJabOruAwbldqHmCSRhSLr0mTFGxmd+HwBNgj3s=

This looks like base64 garbage. Let’s decode it all.

AoGANUYcSQ/oAk7kpML4jbvaBMdXKUseLdA/rfqXCTJEPMpEM00VkN4YXVilCBit
1VMJ2GgN0ptKJIGv6M0c2OhdvARjAiEimqTzbGH4iLJOtzHwsjY/IIzd0QIDAQAB
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCXtUQtyYGGvWbvPlRTQQa0FcHZF7ACS9Xjaklp7xukl2G//In/
6EDpV1ji5bNhiqtJgXQI4PicgxnAWiN1AUXa8URsD/6UaCtamK2XOi3Ul7pZ1/ha
o2U0vT1OaAfIhf2rv1Zn+SCXTLw8/SP9A2+Qu4fqMsXeCiLuxEQw4tqK+nv0GdI0
h2kjiipzIXD63rE5Hbet0+eNFGsn0Hu1mSR2CxGr1BCjVVkCQQDveU0lltujiPC3
xIo8BczosH+yV/H4MbdPMQaIpu0dqP7Uq2/8PtwCpWTRPKriOgeRQxeMSN98JuVO
MZpoPBHfAkEAoi1wSRaMM0S9ehBgWlFo9eLcif5kmUFkQbpP/WAW1xIkXUngm6bo
TjUztY7uarJhTAXxkMdDpcAZNZ9asqvmTwJBAJfbjS90Dc4TbcqrCJntd7ZrDl8y
489m/35pcWJAsIapfwevu3DzD6Nh7J++4AJbmCbmq80a/RWGuMywKeFFjnMCQCNx
kM+4aM2voUVzHMvAbRMIELDr8yp3WyTuRhsXDAbXBTGKOtdpw+2LvRBZ+4tADvmh
dujwU71+3UOV3ymbXgsCQG6zcy5lkeXF+rxZ5aRwwxpiAJp/TAlVj8v6HZa8Iz/M
pHm3I6FAD9xcZhS2X8ETGtxurIqYUAZwq8uVEa8Oh7A
-----END RSA PRIVATE KEY-----
accept, content-security-policy, server, content-length, content-type, date, pragma, expires, cache-control, warning, downlink, save-data, width, etag, keep-alive
[ENCRYPTED STRING HERE, CONTAINS NON PRINTABLES]

The bit after —–END RSA PRIVATE KEY—– looks like a specific order. Let’s rearrange the key to match.

-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCXtUQtyYGGvWbvPlRTQQa0FcHZF7ACS9Xjaklp7xukl2G//In/
6EDpV1ji5bNhiqtJgXQI4PicgxnAWiN1AUXa8URsD/6UaCtamK2XOi3Ul7pZ1/ha
1VMJ2GgN0ptKJIGv6M0c2OhdvARjAiEimqTzbGH4iLJOtzHwsjY/IIzd0QIDAQAB
AoGANUYcSQ/oAk7kpML4jbvaBMdXKUseLdA/rfqXCTJEPMpEM00VkN4YXVilCBit
o2U0vT1OaAfIhf2rv1Zn+SCXTLw8/SP9A2+Qu4fqMsXeCiLuxEQw4tqK+nv0GdI0
h2kjiipzIXD63rE5Hbet0+eNFGsn0Hu1mSR2CxGr1BCjVVkCQQDveU0lltujiPC3
xIo8BczosH+yV/H4MbdPMQaIpu0dqP7Uq2/8PtwCpWTRPKriOgeRQxeMSN98JuVO
MZpoPBHfAkEAoi1wSRaMM0S9ehBgWlFo9eLcif5kmUFkQbpP/WAW1xIkXUngm6bo
TjUztY7uarJhTAXxkMdDpcAZNZ9asqvmTwJBAJfbjS90Dc4TbcqrCJntd7ZrDl8y
489m/35pcWJAsIapfwevu3DzD6Nh7J++4AJbmCbmq80a/RWGuMywKeFFjnMCQCNx
kM+4aM2voUVzHMvAbRMIELDr8yp3WyTuRhsXDAbXBTGKOtdpw+2LvRBZ+4tADvmh
dujwU71+3UOV3ymbXgsCQG6zcy5lkeXF+rxZ5aRwwxpiAJp/TAlVj8v6HZa8Iz/M
pHm3I6FAD9xcZhS2X8ETGtxurIqYUAZwq8uVEa8Oh7A
-----END RSA PRIVATE KEY-----

I’m not great at RSA stuff so I did some googling and found this really useful stackexchange post. To get my input looking like the post, I stripped the new lines and header/footer and saved it as key-stripped.txt. I also saved the integrity line to integrity.txt since I thought I might need it. What else are you going to do with an RSA key but decrypt something.

$ base64 -d < key-stripped.txt | openssl rsa -inform DER > out.key
$ openssl asn1parse < out.key
$ base64 -d integrity.txt >integrity.enc
$ openssl rsautl -decrypt -inkey out.key < integrity.enc > integrity.dec
$ cat integrity.dec
/supersecretvaultthiswaywowimtiredthisnameshouldprobablybealotbetterbutohwellitssolateandthectfisinlikeliteralhours

STEP 5

Now we’re able to visit the real vault located here.

It links us to a tar file called phils_magic.tar.

Inside of phils_magic.tar we have an apk and a notes file. The notes read:

They've captured me and made me use my talents for their own gain. If you are to find where I am you must use this android application and talk to the admin. He will know how to find me. As a precaution to Kane finding where I have gone, I have taken steps to reduce the chance of Kane being able to use talk to the admin through this app. My hopes are if you have gotten this far in your search for me, you will be able to break the apps security and reach out to the admin.
Once you are able to initate contact with the admin, use the phrase 'security through obscurity' in a sentence. This will let him know I sent you. The admin does not use many words, but may be able to help you find me.

My credentials to log into the application are: imnotphil:canttouchthis

I’ve installed the app on an android emulator that comes with the android sdk. When I try to initiate a discussion with admin, it tells me NOT ADMIN GROUP ID. GO AWAY.

The ChatActivity shows Group ID: 125212531244112

Let’s also fire up the Android Device Monitor, another useful part of the SDK. In the monitor log we see some giant strings coming from our application. Let’s save these as b_private_key.txt and b_user_group.txt

b_user_group just appears to have a bunch of repeated text. b_private key is a base64 representation of the private key, as we could have guessed.

Let’s dig deeper into the source here. I’ll use d2j-dex2jar.bat to convert the chatsalot apk to a jar file, and then use jd-gui to save the sources of the jar file.

Looking through the java, we see that we’re sending json objects to a login endpoint http://ec2-54-85-21-142.compute-1.amazonaws.com:6063/api/login, when I recreate this in fiddler I get a 500 internal server error, but debugger is turned on. Sweet now I know what login looks like.

@app.route('/api/login', methods=['POST'])
def login():    
	username = request.json.get('username')
	password = request.json.get('password')
	if username is None or password is None:
		abort(400) # missing arguments    
	if User.query.filter_by(username=username).first() is None:
	    abort(400) # user doesn't exist

If we also check out the endpoint for looking for admin, we see this function in the debugger output. `http://ec2-54-85-21-142.compute-1.amazonaws.com:6063/api/chatadmin

@app.route('/api/chatadmin', methods=['POST'])
def chatAdmin():    
	message = request.json.get('message')    
	groupid = request.json.get('groupid')    
	g = groupid.split(' ')[:3]    
	if str(groupid) != "106610671042110":        
		print "____",groupid, "____"        
		return (jsonify({'resp_msg':'YOU ARE NOT AN ADMIN. GO AWAY'}), 401)

Success!! So now we know the admin group id.

Using what we’ve seen from the source code of the app, we can recreate a call to the /api/chatadmin api endpoint and forge our request to include the group id we’ve just learned.

POST http://ec2-54-85-21-142.compute-1.amazonaws.com:6063/api/chatadmin HTTP/1.1
Content-Type: application/json
Host: ec2-54-85-21-142.compute-1.amazonaws.com:6063
Content-Length: 77

{
  "message": "security through obscurity",
  "groupid": "106610671042110"
}

HTTP/1.0 200 OK
Content-Type: application/json
Content-Length: 238
Server: Werkzeug/0.11.11 Python/2.7.12
Date: Sun, 20 Nov 2016 21:33:00 GMT

{
  "resp_msg": "Ah, you must be searching for phil. While I can't tell you where he is, I can give you some data from our last conversation that may help you find him. https://drive.google.com/file/d/0Bw7N3lAmY5PCVlpvaW9tQUs1MVU/view"
}

STEP 6

Download the zip file at https://drive.google.com/file/d/0Bw7N3lAmY5PCVlpvaW9tQUs1MVU/view. Unpacking the zip, we have a bunch of images. One is noticably larger than the others, though it’s also a higher resolution, so no real surprise.

It also happens to have a base64 encoded string at the end of the file, which translates to fun4dv3n7ur35w17hph1l

It was soooo long

(In the last 30 minutes of the competition, after our team nearly spent 15 man hours on this challenge)

The 7-Zip manager UI showed a message that said

Warnings: There are some data after the end of the payload data
Physical Size: 2,262,768
Tail Size: 96

I then copied the last 96 bytes of the zip file to a separate file, extra_data.bin

$ tail -c 96 Copy\ of\ phil_vacation.zip > extra_data.bin

After copying the bytes to the file, I ran file to see if I could understand the file format:

$ file extra_data.bin
extra_data.bin: GPG symmetrically encrypted data (AES cipher)

Then I ran:

$ gpg --output test --decrypt extra_data.bin
gpg: AES encrypted data
gpg: gpg-agent is not available in this session
gpg: encrypted with 1 passphrase

Use the string we found earlier as the passphrase: fun4dv3n7ur35w17hph1l

Flag

RC3-2016-PhilTrip

Nov 20, 2016 - RC3 CTF : Bridge of Cyber

Author: Adam

Publish Date: 2016-11-20

Category: Misc Points: 200 Description:

Welcome to the “Bridge of Cyber”! It’s the same concept as the “Bridge of Death” in Holy Grail. Our DNS servers aren’t very good at their job because they ask more questions then they answer. Let’s see if you can get the flag from our DNS.

Domain: misc200.ctf.rc3.club

Investigation

I started by using the Dig tool to see what hints were available for this domain.

~$ dig ANY misc200.ctf.rc3.club
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;misc200.ctf.rc3.club.          IN      ANY

;; AUTHORITY SECTION:
ctf.rc3.club.           758     IN      SOA     ns-544.awsdns-04.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
~$

Looking at the results, the domain is hosted by the AWS Route 53 service which helps narrow down some of the options we can use. AXFR would have enabled us to download a copy of the entire domain set, but Route 53 does not current support it. In some deployments of DNSSEC, NSEC records are exposed which would enable subdomain enumeration exposing a list of subdomains for the entire domain, but again Route 53 does not support DNSSEC so we can’t take advantage of those techniques.

At this point I got stuck because there did not appear to be any records that we could use to continue the challenge. Luckily they updated challenge description with a name server hint: Nameserver: ns-920.awsdns-51.net.

Armed with new information, I switched to directly querying that name server for record information which proved much more fruitful:

~$ dig +nocomments ANY @ns-920.awsdns-51.net misc200.ctf.rc3.club
; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> +nocomments ANY @ns-920.awsdns-51.net misc200.ctf.rc3.club
; (2 servers found)
;; global options: +cmd
;misc200.ctf.rc3.club.          IN      ANY
misc200.ctf.rc3.club.   172800  IN      NS      ns-1526.awsdns-62.org.
misc200.ctf.rc3.club.   172800  IN      NS      ns-1842.awsdns-38.co.uk.
misc200.ctf.rc3.club.   172800  IN      NS      ns-489.awsdns-61.com.
misc200.ctf.rc3.club.   172800  IN      NS      ns-920.awsdns-51.net.
misc200.ctf.rc3.club.   900     IN      SOA     ns-1526.awsdns-62.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
misc200.ctf.rc3.club.   300     IN      TXT     "What is the air-speed velocity of an unladen swallow"
;; Query time: 5 msec

Looking at the result set, we have NS records, a SOA, and a TXT. The NS records all pointed to Route 53, so I ignored those for now since Route 53. The SOA record also gave no more information since it was the default SOA record that Route 53 vends. The TXT record looked interesting since it had a Monty Python quote in it. Thanks to a teammate, I knew that the next line in the quote was related to the African or European swallow.

~$ dig +short ANY @ns-920.awsdns-51.net european.misc200.ctf.rc3.club
"The roundest knight at king arthurs table was sir cumference. He acquired his size from too much __"

The next clue is a joke. Googling for the entire puzzle tells us that the punchline is “too much pi.”

~$ dig +short ANY @ns-920.awsdns-51.net pi.european.misc200.ctf.rc3.club
"What is it that no man ever yet did see, which never was, but always is to be?"

The next hint is another puzzle, of which the answer is ‘tomorrow’

~$ dig +short ANY @ns-920.awsdns-51.net tomorrow.pi.european.misc200.ctf.rc3.club
"My favorite things in life don't cost any money. It's really clear that the most precious resource we all have is ___"

This one is a quote from Steve Jobs and the answer is ‘time’

~$ dig +short ANY @ns-920.awsdns-51.net time.tomorrow.pi.european.misc200.ctf.rc3.club
"RC3-2016-cyb3rxr05"

And Voilà, we have the flag.

Flag

RC3-2016-cyb3rxr05

Nov 7, 2016 - Hack The Vote 2016 : Consul

Author: dade

Publish Date: 2016-11-07

Category: Reversing Points: 100 Description:

Bernie Sanders 2018
consul.bin

Investigation

This is a 100 level challenge, so let’s start off with something basic. (Much of the standard output removed for brevity.)

strings consul.bin
[...]
Poor Bernie.
;*3$"
&,!';72)4%
"%2.)%
?XbaTeWb
C\fT2
g[Tg
aXkg
ceXf\WXag2
X]Xb
XYgYfjY
6Yfb]Y"
T]`SdS`
OTbS`
bVOb
U]]R
[...]
florida.c
[...]
dont_call_me
[...]
sub_9F36
[...]
real_help
sub_41F2
[...]
main
sub_198A
[...]
sub_43E8
fake_help
help
[...]

Nothing super obvious, but we see a few different functions to make note of.

I’m a pretty terrible reverse engineer, it’s never been a strong suit. Instead of doing the logical thing that others did, (because I didn’t know I could), I used an idea that Aaron had touched on, that perhaps the bytes were shifted, like a caesar shift. He had written a python script to go through the file each byte at a time and shift it by a preset number that he had found while debugging. I wanted something better.

Solution

(If you can call it a solution, whatever I found the flag) A quick script that takes the filename as input and a string that you’re looking for, then shifts each byte in the file, looking for that input. In this case we are looking for “flag” but it could vary in other CTFs and reusable tools are great, even if they are terrible tools.

b0tchsec/CTF-Fanny-Pack/tools/caesar_brute.py

Don’t try this at home, kids. Learn how to do it better, so you can get better, so you can do better next time. Check out how others did it (more appropriately) on CTFTime

Flag

Our script found the flag using a 0x40 shift.

flag{write_in_bernie!}

Find a problem? Open an issue