Saturday, 27 August 2016

IceCTF 2016 Scavenger Hunt writeup

Scavenger Hunt


Opening up the last challenge from stage1:

There is a flag hidden somewhere on our website, do you think you can find it? Good luck!


OK, this should not be too difficult. The most efficient way is probably to download the whole website and grep it locally. Let's log in to our Linux machine for this.

Downloading the website with wget:

wget -r -m -l 10 "https://play.icec.tf"

we got the following content:

sami@SNIPER:~$ cd play.icec.tf/

sami@SNIPER:~/play.icec.tf$ ls

forgot_password  index.html  login  static

Hmm, something is not quite right here. There is much more content on the website. Ah right, we need to log in to get access to all the pages. Let's log in with Firefox and grab the GET request that follows the login POST from Firefox's "Network monitor". It can save a request, headers included, as a curl command, and ours is:

curl "https://play.icec.tf/team/" --2.0 -H "Host: play.icec.tf" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" -H "Accept-Language: fi-FI,fi;q=0.8,en-US;q=0.5,en;q=0.3" --compressed -H "Referer: https://play.icec.tf/login/" -H "Cookie: __cfduid=dce17d4a95816c30948a9866c92bc47351471894222; _ga=GA1.2.1784704268.1471894224; _gat=1; session=.eJwNyVsOgjAQQNGtkPkmbHQVugZ9YEjTTh8gpQWm9QFh7_J1k3M34EiL4TEM2gMDe5FzkXR81U1hlKJm9d_S_7a1k02OIYmSdYfyHcsbrjSo-m5Gb-aERVw-whLkwI0T1GkC7twgi0dg1ETC6mM-gu19RgnxIJPcCdq8zSGRXnivgJ1vVbX_AcVTNII.CqL-IQ.2pBipnNktGSAMmK-w_ruHPMryiI" -H "Connection: keep-alive" -H "Upgrade-Insecure-Requests: 1"

We can use this almost as-is with wget: replace every "-H" with "--header", drop --compressed and --2.0, and remove curl from the front.

wget -r -m -l 10 "https://play.icec.tf/team/" --header "Host: play.icec.tf" --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0" --header "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" --header "Accept-Language: fi-FI,fi;q=0.8,en-US;q=0.5,en;q=0.3" --header "Referer: https://play.icec.tf/login/" --header "Cookie: __cfduid=dce17d4a95816c30948a9866c92bc47351471894222; _ga=GA1.2.1784704268.1471894224; _gat=1; session=.eJwNyVsOgjAQQNGtkPkmbHQVugZ9YEjTTh8gpQWm9QFh7_J1k3M34EiL4TEM2gMDe5FzkXR81U1hlKJm9d_S_7a1k02OIYmSdYfyHcsbrjSo-m5Gb-aERVw-whLkwI0T1GkC7twgi0dg1ETC6mM-gu19RgnxIJPcCdq8zSGRXnivgJ1vVbX_AcVTNII.CqL-IQ.2pBipnNktGSAMmK-w_ruHPMryiI" --header "Connection: keep-alive" --header "Upgrade-Insecure-Requests: 1"

Boom, works like a charm. We now have much more content to look through:
ls play.icec.tf/

cdn-cgi     forgot_password  index.html  problem-static  shell   tickets
challenges  login          logout      scoreboard      static  user

ok lets start finding:

grep -r "icectf" "play.icec.tf/"

Ugh, too much stuff.

grep -r "icectf{" "play.icec.tf/"

What, nada? Oh right, grep is case sensitive.

grep -r "IceCTF{" "play.icec.tf/"

Now we get a fair number of hits. First the example flag from the first challenge:

In this capture the flag competiton you're hunting for these strings, we call them "flags". These flags always begin with "IceCTF{" followed by a message in 1337sp34k and end with "}". Here's an example flag "IceCTF{h3l10_wr0ld}"

Then the Sandcastle instructions:

This flag is not in the standard flag format. The flag contains digits and no special characters, convert the message to lowercase and then add IceCTF{message} to it.

And someone's team name from the scoreboard:

play.icec.tf/scoreboard/index.html: <tr class="teamrow ineligible visible"><td class="rank"></td><td>Laks og Nødder</td><td>IceCTF{th1s_1s_n07_4_fl49}</td><td>226</td></tr>

I can confirm that the above was not the flag. Hmm, what is going wrong here? Why can't I find the flag when I've got the whole site? Could it be encoded? In stage 1?
I decided to head to bed and think about it some other time (it's 3am again!).

We were thinking about this together with my colleague, the other member of our CTF team, and then we noticed it. Damn, the IceCTF home page is not the subdomain play.icec.tf, it is the main domain www.icec.tf, so we have another place to look!

This one has no login, so we can just wget it recursively:

wget -r -m -l 10 "https://icec.tf"

sami@SNIPER:~/play.icec.tf/icec.tf$ ls
about                         apple-touch-icon-180x180.png  challenges         index.html
android-chrome-192x192.png    apple-touch-icon-57x57.png    contact            manifest.json
apple-touch-icon-114x114.png  apple-touch-icon-60x60.png    faq                sponsors
apple-touch-icon-120x120.png  apple-touch-icon-72x72.png    favicon-16x16.png  static
apple-touch-icon-144x144.png  apple-touch-icon-76x76.png    favicon-32x32.png
apple-touch-icon-152x152.png  cdn-cgi                       favicon-96x96.png

Bunch of stuff, let's try our luck this time.

sami@SNIPER:~/play.icec.tf/icec.tf$ grep -r "IceCTF{"

sponsors:            <img class="activator" src="/static/images/logos/syndis.png" alt="IceCTF{Y0u_c4n7_533_ME_iM_h1Din9}">

There we go, much better!
We found our flag in the HTML, in the alt text next to the Syndis logo. :P

IceCTF{Y0u_c4n7_533_ME_iM_h1Din9}

Nice challenge, it made me study how to use headers with wget (even though that was not even needed!).
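The procedure above, mirror the site with the session cookie and grep for the flag format, has one blind spot that cost a night's sleep: a recursive wget stays on the host it was given, so a flag on icec.tf is invisible in a mirror of play.icec.tf. The crawler below is an added example, not code from the writeup; it does the same crawl-and-grep in Python but reports every host it was linked to and did not enter, and searches the raw HTML so attribute values such as alt="..." are covered. The site map SAMPLE_SITE is a constructed stand-in for the two hosts, built from what the writeup found; the http_fetch helper, its User-Agent and the cookie handling are this example's own and are only needed against a live site.

```python
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

FLAG_RE = re.compile(r"IceCTF\{[^}]*\}")  # the flag format the challenge text describes


class LinkExtractor(HTMLParser):
    """Collects every href/src value so the crawler can follow links and assets."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def http_fetch(url, cookie=None, timeout=10):
    """Live fetcher: sends the logged-in session cookie the way the wget --header did."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            if "html" not in resp.headers.get("Content-Type", ""):
                return None
            return resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, ValueError):
        return None


def crawl(start, fetch, allowed_hosts, max_pages=1000):
    """Breadth-first crawl from `start`, following only links on `allowed_hosts`.

    Returns (flags, skipped_hosts): flags maps each IceCTF{...} match to the URL it
    was first seen on (the raw HTML is searched, so alt="..." text counts too), and
    skipped_hosts lists hosts that were linked but out of scope, which is exactly
    the blind spot a mirror of play.icec.tf alone has.
    """
    allowed = set(allowed_hosts)
    queue, seen = [start], {start}
    flags, skipped_hosts = {}, set()
    while queue and len(seen) <= max_pages:
        url = queue.pop(0)
        body = fetch(url)
        if body is None:
            continue
        for flag in FLAG_RE.findall(body):
            flags.setdefault(flag, url)
        parser = LinkExtractor()
        parser.feed(body)
        for link in parser.links:
            parts = urlsplit(urljoin(url, link))
            if parts.scheme not in ("http", "https"):
                continue
            target = parts._replace(fragment="").geturl()
            if parts.netloc not in allowed:
                skipped_hosts.add(parts.netloc)
            elif target not in seen:
                seen.add(target)
                queue.append(target)
    return flags, skipped_hosts


# Constructed stand-in for the two hosts, modelled on what the writeup found.
SAMPLE_SITE = {
    "https://play.icec.tf/": '<a href="/scoreboard/">scoreboard</a> <a href="https://icec.tf/">IceCTF home</a>',
    "https://play.icec.tf/scoreboard/": "<tr><td>some team</td><td>IceCTF{th1s_1s_n07_4_fl49}</td></tr>",
    "https://icec.tf/": '<a href="/sponsors">sponsors</a>',
    "https://icec.tf/sponsors": '<img class="activator" src="/static/images/logos/syndis.png" alt="IceCTF{Y0u_c4n7_533_ME_iM_h1Din9}">',
}


def demo():
    """Offline run: mirroring play.icec.tf alone misses the flag but names the host it skipped."""
    in_scope, missed = crawl("https://play.icec.tf/", SAMPLE_SITE.get, ["play.icec.tf"])
    both, _ = crawl("https://play.icec.tf/", SAMPLE_SITE.get, ["play.icec.tf", "icec.tf"])
    return in_scope, missed, both


if __name__ == "__main__":
    in_scope, missed, both = demo()
    print("play.icec.tf only:", in_scope, "skipped hosts:", missed)
    print("both hosts:", both)
    # against the live site: crawl(start, lambda u: http_fetch(u, cookie="session=..."), hosts)
```

The skipped-host list is the practical takeaway: whenever a mirror comes up empty, check which hosts the pages link out to before assuming the flag is encoded.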


IceCTF 2016 RSA?

This is a writeup of the "RSA?" Challenge in IceCTF 2016



RSA, cool! Opening up the challenge gives a description of John messing around and, at the end, a flag.txt file:



John was messing with RSA again... he encrypted our flag! I have a strong feeling he had no idea what he was doing however, can you get the flag for us? flag.txt


The flag.txt contains:



N=...


e=0x1



c=0x4963654354467b66616c6c735f61706172745f736f5f656173696c795f616e645f7265617373656d626c65645f736f5f63727564656c797d

OK, so far my experience of RSA has been telling customers at work that their email server certificate is for a completely different server/domain, or that they are missing a cert in the chain, etc.; the basic stuff needed for CompTIA Security+.


So my guess is that "c" stands for ciphertext, but what are e and N? N looks like a key, but what is e and why is it so small? 0x1 = 1 in decimal.


Bringing up the RSA page on Wikipedia and studying the math behind it.

https://en.wikipedia.org/wiki/RSA_(cryptosystem)

Ok so "e" is the public exponent used in encryption of messages and N is the modulus which is built out of two big prime numbers and this modulus is used in encryption and decryption. Encrypted with "e" and decrypted with a private exponent "d". We were not given the private exponent so that we would be able to decrypt the "c" so there gotta be something else to it then.

After extensive web research on the subject I noticed that all the examples use something bigger as the public exponent, mostly 0x10001 = 65537.
Then it hit me straight in the face. For example: 10^1 = 10.

How was the message encrypted again?

c = m^e (mod N) = m^1 (mod N) = m

where c is the ciphertext, m is the plaintext message, e is the public exponent and N is the modulus. Since m is smaller than N, reducing it modulo N changes nothing.
You gotta be kidding: c = m


OK, so we know that c is not encrypted at all, because the exponent is 1.

Let's take the ciphertext and put it through a hex-to-ASCII converter (some online converter):


0x4963654354467b66616c6c735f61706172745f736f5f656173696c795f616e645f7265617373656d626c65645f736f5f63727564656c797d


--


IceCTF{falls_apart_so_easily_and_reassembled_so_crudely}
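The reasoning above (e = 1 means c = m^1 mod N = m, so the "ciphertext" is just the message in hex) in code, as an added example that is not part of the writeup. It also generalises one step beyond the page: the same mistake with a slightly larger e, say 3, is equally fatal when m^e is smaller than N, because then no modular reduction ever happened and an exact integer root of c gives m back. C_HEX is the ciphertext from flag.txt as printed above; the modulus N is omitted on the page, and for e = 1 it is not needed. The 2048-bit placeholder modulus and the test message in the e = 3 demonstration are constructed for this example.

```python
# Ciphertext copied from the challenge's flag.txt; with e = 1 the modulus plays no part.
C_HEX = "0x4963654354467b66616c6c735f61706172745f736f5f656173696c795f616e645f7265617373656d626c65645f736f5f63727564656c797d"


def rsa_encrypt(m, e, N):
    """Textbook RSA encryption c = m^e mod N, with no padding (which is what makes this attackable)."""
    return pow(m, e, N)


def int_root(c, e):
    """Exact integer e-th root by Newton's method. Returns (root, exact)."""
    if c < 2:
        return c, True
    x = 1 << ((c.bit_length() + e - 1) // e)  # starting point is at or above the true root
    while True:
        y = ((e - 1) * x + c // pow(x, e - 1)) // e
        if y >= x:
            break
        x = y
    return x, pow(x, e) == c


def recover_small_e(c, e):
    """Recover m when the 'encryption' never wrapped around N.

    e == 1: c = m^1 mod N = m, so the ciphertext is the message (the page's case).
    small e with m^e < N: c is literally the integer m^e, so an exact e-th root is m.
    """
    if e == 1:
        return c
    root, exact = int_root(c, e)
    if not exact:
        raise ValueError("m^e exceeded N, so reduction did happen; the small-e root trick does not apply")
    return root


def int_to_text(m):
    """Reverse of the usual text-to-integer encoding: big-endian bytes of m."""
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()


def solve_page():
    """The challenge: e = 1, so decoding c from hex is the whole attack."""
    return int_to_text(recover_small_e(int(C_HEX, 16), 1))


if __name__ == "__main__":
    print(solve_page())
    # e = 3 variant: constructed placeholder modulus, it only needs to exceed m^3 for the demo
    N = (1 << 2047) | 1
    m = int.from_bytes(b"IceCTF{t3st}", "big")
    print(int_to_text(recover_small_e(rsa_encrypt(m, 3, N), 3)))
```

The check that matters in practice is the last line of recover_small_e: if the root is not exact, the message did wrap around N and a real private-key attack is needed rather than arithmetic.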


Haha! It feels so funny: it was right there all along, only hex encoded. This was definitely one of my favorites. It made me study hard how the math behind RSA works and how to encrypt/decrypt by hand. Awesome!




Friday, 26 August 2016

IceCTF 2016 Corrupt Transmission


This challenge is something about a corrupt transmission. Okay, sounds interesting, let's do this.

We intercepted this image, but it must have gotten corrupted during the transmission. Can you try and fix it? corrupt.png


This time I was working on a Windows machine and tried what I could do about this corrupted file with Windows.


I tried opening it with the default picture viewer for Win10 but of course got "filename, cannot open this file..."


I then opened it in my hex editor, called "HexEdit". Yay!

00000000: 90 50 4e 47 0e 1a 0a 1b             .PNG....



Well... it does say PNG at least. Better double-check.
According to Wikipedia, the Portable Network Graphics magic numbers are:


89 50 4e 47 0d 0a 1a 0a


Let's fix our file by amending the bytes:



00000000: 89 50 4e 47 0d 0a 1a 0a             .PNG....


OK, let's save it and retry:



Ah, nothing but a scratch!

Gotta say, it was a funny little challenge.
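The hex-editor fix above, rewriting the first eight bytes to 89 50 4E 47 0D 0A 1A 0A, as an added example in Python (not code from the writeup). Beyond restoring the signature it also walks the chunk list and verifies each chunk's CRC, which is the check a practitioner wants before declaring a file "nothing but a scratch": if the damage reached past the header, the CRCs say so. The 1x1 PNG and the challenge-style corruption are constructed here so the script runs offline; the .fixed.png output name is this example's own choice.

```python
import struct
import sys
import zlib

PNG_SIG = bytes.fromhex("89504e470d0a1a0a")  # the 8-byte signature from the PNG spec


def fix_signature(data):
    """Restore the 8-byte signature. Returns (repaired_bytes, was_changed).

    Only the 'PNG' anchor at bytes 1..3 is required; everything else in the first
    eight bytes is overwritten, which is what the hex-editor fix did by hand.
    """
    if data[:8] == PNG_SIG:
        return bytes(data), False
    if data[1:4] != b"PNG":
        raise ValueError("first bytes do not look like a damaged PNG signature")
    return PNG_SIG + bytes(data[8:]), True


def check_chunks(data):
    """Walk the chunk list and verify each CRC; returns [(type, length, crc_ok), ...].

    A header fix is only convincing if the chunks behind it are intact: a CRC
    mismatch means the body was damaged too, not just the signature.
    """
    result, pos = [], 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            result.append((ctype.decode("latin-1"), length, False))  # truncated chunk
            break
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        result.append((ctype.decode("latin-1"), length, zlib.crc32(ctype + body) & 0xFFFFFFFF == crc))
        pos = end
        if ctype == b"IEND":
            break
    return result


def make_sample_png():
    """Constructed test image: a 1x1 RGB pixel, built here so the demo runs offline."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, bit depth 8, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte + one red pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def corrupt_like_challenge(png):
    """Apply the same damage the challenge file showed: 90 50 4e 47 0e 1a 0a 1b."""
    return bytes.fromhex("90504e470e1a0a1b") + png[8:]


def repair(data):
    """Fix the signature and report whether every chunk CRC then verifies."""
    fixed, changed = fix_signature(data)
    chunks = check_chunks(fixed)
    return fixed, changed, all(ok for _, _, ok in chunks)


if __name__ == "__main__":
    if len(sys.argv) == 2:  # repair a real file: python fixpng.py corrupt.png -> corrupt.png.fixed.png
        data = open(sys.argv[1], "rb").read()
        fixed, changed, intact = repair(data)
        open(sys.argv[1] + ".fixed.png", "wb").write(fixed)
        print("signature rewritten:", changed, "all chunk CRCs ok:", intact)
    else:
        good = make_sample_png()
        fixed, changed, intact = repair(corrupt_like_challenge(good))
        print("repaired == original:", fixed == good, "chunks intact:", intact)
```

Run it on the challenge file and check the second flag it prints: a false there means the corruption went deeper than the signature and a viewer may still refuse the image.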

IceCTF 2016 Thor Writeup

This is a writeup of the challenge THOR / IceCTF 2016



Opening the challenge we are greeted with the following description:

Thor has been staring at this for hours and he can't make any sense out of it, can you help him figure out what it is? thor.txt

Download the file with wget and, since it is served as .txt, let's rename it and try to more it:

mv thor_7101f3b9690d5dc6c3afefa49d82e0526b278ec1c564139369ad22c28721d4cf.txt thor
more thor

00000000: 4c5a 4950 01b3 007f b61b edf0 8440 58e3  LZIP.........@X.
00000010: 91de 1027 5861 8a67 4282 46a4 92f9 4cad  ...'Xa.gB.F...L.
00000020: 2d5d 14eb 3099 2c31 01c2 d13a 74d2 c620  -]..0.,1...:t..
00000030: de27 3a8f fa92 0644 5468 2d02 01fa 24bb  .':....DTh-...$.
00000040: 719f a0fd a191 1678 8bff a2c4 2627 9871  q......x....&'.q
00000050: 83bf cff2 f8af 99fa c465 2b7c 6bdf ee3c  .........e+|k..<
00000060: b71b f61b 0b5e 0ce7 d14f f6a8 0466 6470  .....^...O...fdp
00000070: de67 02da 7be1 1abd e9f0 ac87 131a bcc0  .g..{...........
00000080: 0b0b 9f31 9400 48e3 616a 8f3f 4804 79ad  ...1..H.aj.?H.y.
00000090: a6bb 863a f641 01da b1ee c4fe b338 9289  ...:.A.......8..
000000a0: 2a90 8302 4170 773c 88d3 2641 d274 f533  *...Apw<..&A.t.3
000000b0: 84cf e7d9 f687 3b12 1516 970e 04c2 cfdd  ......;.........
000000c0: c1ca dc46 981d 2a7c 1b39 cb0b 4f8c 58cc  ...F..*|.9..O.X.
000000d0: 46b4 9744 4cb1 fbd3 c632 f36d ecbf 4789  F..DL....2.m..G.
000000e0: 00b8 d4fc 51a8 394e de2a 1a2d 3c43 179c  ....Q.9N.*.-<C..
000000f0: 9623 f971 2935 9564 9e15 c771 c3d5 d8b1  .#.q)5.d...q....
00000100: a7fa 3c0c f869 b829 f6d6 f145 6d57 b3a1  ..<..i.)...EmW..
00000110: bd3f 3fc2 a41f 7e35 089c de29 1d55 debf  .??...~5...).U..
00000120: 5400 c548 5c02 cd6c f853 e3e6 56b2 e395  T..H\..l.S..V...
00000130: 29d8 3985 d307 d46e 854c 4987 aab8 a5cb  ).9....n.LI.....
00000140: 2fea 6b20 6d24 34b3 a2a3 c8e4 247c 6681  /.k m$4.....$|f.
00000150: 51db 7851 752e 4186 2db9 01ae 39ae fed0  Q.xQu.A.-...9...
00000160: 7a77 a8e7 82b2 c78c 272b e621 44d2 03a3  zw......'+.!D...
00000170: f3fb adf9 18b4 681a e4e4 5b17 3c66 128c  ......h...[.<f..
00000180: f544 4124 0083 6db4 0e6b be29 2142 16b7  .DA$..m..k.)!B..
00000190: dd6e 9b78 26a6 71b1 2ec2 dfce 2d6e 8d01  .n.x&.q.....-n..
000001a0: 1786 d101 f184 a798 b0eb c3c8 8a0c a867  ...............g
000001b0: 34e7 0c71 c350 722e e1be 9913 cfb3 a6bf  4..q.Pr.........
000001c0: aa79 8eeb 8df6 02b1 e541 e0ed d3a1 ca85  .y.......A......
000001d0: 469d 0589 99ab 2e77 e388 0180 c7e4 83e8  F......w........
...

OK.
We have a file with a cleartext hexdump in it. More precisely, judging by the magic bytes, a hexdump of an lzip file.
At this point I wondered whether xxd has an option to turn a hexdump back into a file. So far I had mostly used xxd to examine hexdumps of different files.
It took a single Google search to find that xxd has the -r option. Putting the hex dump back into a file:

cat thor | xxd -r > thorfile

We've got our thorfile, which is presumably an lzip file. Let's try to decompress it:

lzip -d thorfile

Since the input name has no .lz extension, lzip names the output thorfile.out. We are now in possession of the decompressed file; let's look at the beginning of its hexdump to see what we are dealing with:

00000000: ffd8 ffe0 0010 4a46 4946 0001 0101 0048  ......JFIF.....H

That's all we need, thanks! It's a JPEG.
xdg-open thorfile.out

And we are greeted with the flag:




This flag was very easy; everything was straightforward for me. What I learned was that you can put a valid hex dump back into a binary.
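What xxd -r does for the thor.txt dump, as an added example written for this page rather than taken from it: parse each "offset: hex groups  ascii" line back into bytes, honour the offsets so gaps and a short last line land in the right place, and then identify the result by its magic bytes, the same way the writeup recognised LZIP and then JFIF. THOR_HEAD is the first three lines of the dump as printed above; the magic table is this example's own selection. Python has no lzip module, so the decompression stays with the lzip command exactly as in the writeup.

```python
import re

LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]+):(.*)$")
HEX_TOKEN = re.compile(r"^[0-9A-Fa-f]+$")

# Magic bytes met in this challenge, plus a few a CTF player hits constantly.
MAGIC = [
    (b"LZIP", "lzip compressed data"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\x1f\x8b", "gzip compressed data"),
    (b"PK\x03\x04", "zip archive"),
    (b"\x7fELF", "ELF executable"),
]


def reverse_hexdump(text, cols=16):
    """Turn xxd-style output back into bytes, the way `xxd -r` does.

    Each line is 'offset: hex-groups  ascii'. The hex field ends at the first
    double space (xxd separates it from the ASCII column with two), at the first
    token that is not hex, or after `cols` bytes. Offsets are honoured, so a gap
    or a partial last line lands at the right place; gaps are zero-filled, as
    xxd -r seeking over a fresh output file would leave them.
    """
    out = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings, '...', blank lines
        offset = int(m.group(1), 16)
        hex_field = m.group(2).split("  ", 1)[0]
        digits = ""
        for tok in hex_field.split():
            if not HEX_TOKEN.match(tok) or len(tok) % 2 or len(digits) >= cols * 2:
                break
            digits += tok
        chunk = bytes.fromhex(digits)[:cols]
        if offset > len(out):
            out.extend(b"\x00" * (offset - len(out)))
        out[offset:offset + len(chunk)] = chunk
    return bytes(out)


def identify(data):
    """Name the container by its leading magic bytes, or 'unknown'."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


# First three lines of the challenge's thor.txt, as printed in the writeup.
THOR_HEAD = """\
00000000: 4c5a 4950 01b3 007f b61b edf0 8440 58e3  LZIP.........@X.
00000010: 91de 1027 5861 8a67 4282 46a4 92f9 4cad  ...'Xa.gB.F...L.
00000020: 2d5d 14eb 3099 2c31 01c2 d13a 74d2 c620  -]..0.,1...:t..
"""


def solve(text):
    """Rebuild the bytes and say what they are."""
    data = reverse_hexdump(text)
    return data, identify(data)


if __name__ == "__main__":
    data, kind = solve(THOR_HEAD)
    print(len(data), "bytes,", kind)
    # with the full dump: open("thorfile", "wb").write(data), then `lzip -d thorfile`
    # and run identify() again on thorfile.out to see the JFIF marker
```

The offset handling is the part worth keeping: a dump that was edited, truncated with "..." or pasted out of order still reassembles at the right positions, and a stray non-hex word in the ASCII column does not get swallowed as data.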


IceCTF 2016 Demo Writeup

This is a writeup for demo challenge in IceCTF 2016.


Opening up the challenge we got:


"I found this awesome premium shell, but my demo version just ran out... can you help me crack it? /home/demo/ on the shell"

Let's see what /home/demo holds. Looking into the directory, we are given the following files:

demo.c
demo
flag.txt
Makefile

flag.txt most likely holds the flag for this task and is surely not readable with our permissions.
demo.c would suggest C source code, cool.
demo is most likely our "premium shell".
Makefile, no idea about this.

Trying to read flag.txt proves our assumption correct:

cat flag.txt
Permission denied

Quick check on the permissions of flag.txt:

ls -l flag.txt
-rw-r--r-- 1 root demo -- flag.txt

OK, no question about it: we need to read this file through the premium shell.
Next, let's try running the premium shell and see what we've got.

./demo
I'm sorry, your free trial has ended.

Let's take a sneak peek at the source code of the demo:

cat demo.c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <libgen.h>
#include <string.h>

/* Drops into a shell running with the binary's effective group (the setgid "demo" group). */
void give_shell() {

       gid_t gid = getegid();
       setresgid(gid, gid, gid);
       system("/bin/sh");
}

int main(int argc, char *argv[]) {

       /* "_" is an environment variable the invoking shell sets to the program's path;
          its basename is compared against "icesh" (6 bytes, i.e. including the NUL). */
       if(strncmp(basename(getenv("_")), "icesh", 6) == 0){
            give_shell();
       }
       else {
             printf("I'm sorry, your free trial has ended.\n");
       }
       return 0;
}



This would suggest that if the basename of the environment variable "_" (which bash sets to the path it used to invoke the program) equals "icesh", strncmp returns 0, 0 == 0 holds, and the shell is given. The length 6 covers the terminating NUL as well, so it is a full-string comparison rather than a prefix check. Since "_" is just environment data controlled by whoever launches the binary, the check trusts the caller completely.
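A model of that gate, as an added example that is not part of the writeup and involves no real process: it reproduces strncmp's stop-at-NUL, at-most-n semantics and basename's last-path-component behaviour, then feeds it the environments a caller could present. The labels in CASES are constructed scenarios for illustration; the "symlink" and "env" rows assume, as bash documents, that `_` carries the invocation path and that anyone starting the binary can set it, which is the same fact the gdb putenv call relies on.

```python
def strncmp_is_equal(a: bytes, b: bytes, n: int) -> bool:
    """Model of strncmp(a, b, n) == 0: compare at most n bytes, stopping at a NUL."""
    a = a.split(b"\0", 1)[0]
    b = b.split(b"\0", 1)[0]
    return a[:n] == b[:n]


def c_basename(path: str) -> str:
    """basename() as the demo uses it: the text after the last '/' (trailing-slash edge cases ignored)."""
    return path.rsplit("/", 1)[-1]


def trial_check(env: dict) -> bool:
    """The demo's gate: strncmp(basename(getenv("_")), "icesh", 6) == 0.

    `_` is ordinary environment data: bash sets it to the path it used to invoke
    the program, and whoever launches the binary can set it to anything at all.
    """
    underscore = env.get("_")
    if underscore is None:
        # getenv() returns NULL; the real program hands that to basename() and crashes
        raise RuntimeError("_ unset: the C code would segfault here")
    return strncmp_is_equal(c_basename(underscore).encode(), b"icesh", 6)


# Constructed environments a caller could present (no real process is involved).
CASES = {
    "./demo run by hand": {"_": "./demo"},
    "symlink named icesh": {"_": "/tmp/icesh"},   # ln -s /home/demo/demo /tmp/icesh; /tmp/icesh
    "env _=icesh ./demo": {"_": "icesh"},         # same value gdb's putenv("_=icesh") injects
    "near miss": {"_": "icesh2"},                 # 6th byte compared: NUL vs '2', so no prefix match
}


def run_cases():
    """Evaluate every scenario; True means the shell would be handed out."""
    return {label: trial_check(env) for label, env in CASES.items()}


if __name__ == "__main__":
    for label, ok in run_cases().items():
        print(f"{label:24} -> {'shell' if ok else 'trial ended'}")
```

Two details the model makes visible: with n = 6 the comparison includes the NUL, so "icesh2" fails where a length of 5 would have accepted any "icesh*" prefix, and an unset `_` (for instance `env -u _ ./demo`) is a NULL dereference rather than a denial.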

I decided to give gdb a go. I'm not too familiar with this tool yet, but that is not an issue; we are here to learn.

After some online investigation I found out how to call into the running process and change the environment variable. I loaded demo into gdb:

gdb demo


After this I set a breakpoint at main to stop the demo once it's running:

(gdb) break main

Start the demo:


(gdb) run

Then I set the environment variable to our chosen value while the demo is taking a break:


(gdb) call putenv("_=icesh")

Continue running:


(gdb) continue

And at this point we were given the shell! Blam!


$

Now we should be able to read the flag.txt:


$ cat flag.txt

IceCTF{wH0_WoUld_3vr_7Ru5t_4rgV}
$

Flag was recovered and returned.

All in all, an interesting challenge that made me look up information about gdb; I'm still learning to use it comprehensively. The best challenges are the ones that make you research the subject and are completed afterwards.