RC3 CTF 2016 Write-Ups

Lately I have been participating in Capture the Flag (CTF) events and now after taking a part of the RC3 CTF 2016 which recently held this November 19, 2016 (10:00 a.m.) to November 21, 2016 (1:00 p.m.) PH time, I have decided to do some write-ups.

RC3’s Capture the Flag Competition is a security focused competition relating to the following topics: Web, Forensics, Crypto, Pwning, Reversing, and Trivia.

(If you want to jump right into the write-ups, you can skip this part – as this is just my ramblings.) ¯\_(ツ)_/¯

I participate in CTFs for fun and learning experience. It also lets me challenge my ninja noob computer and problem-solving skills. Basically, it’s the more I join, the more I learn scenario. CTF can be played with a team or you can go solo (depending on requirements, some events allow any number of members in a team to participate and some allow only limited slots). For me, I haven’t found any team mate yet (hopefully I get to have a team mate from Philippines – as it is where I am right now) so I usually play solo and due to time constraints I usually focus on web, forensics and cryptography challenges for Jeopardy-style CTFs. (•̀ᴗ•́)و ̑̑

For starters CTF is a special kind of information security competition. Its three common types are Jeopardy, Attack-Defense and Mixed. You (or your team) will be needing to hunt and obtain the flag (hence the term Capture the Flag) which can be either be a text/string/regex or a file.

Jeopardy CTFs lets you answer questions or tasks from different categories which can include Web, Forensic, Cryptography, Pwn, Reversing and more depending on the event organizer.

Attack-Defense CTFs is an interesting kind of competition as it lets team/participants hack opponents for attack points and protect their vulnerable services for defense points. It is like playing Counter-Strike except done using computers/networks.

Mixed CTFs vary in different possible formats depending on how the CTF event organizer made it. It can be something like combination of Jeopardy and Attack-Defense with special time for task-based elements.

I recently participated in RC3 CTF 2016 (Jeopardy) and will be making write-ups based on what I have correctly answered (found the flag). While I manage to answer a bunch of the tasks (here is the RC3 competition scoreboard with the names of the teams and their points, though I’m not sure if its final – made it in #157 out of 663 with 1490 points alone), I only had a few screenshots with me as I didn’t have in mind that I will be making write-ups. Hopefully next time, I can do better in making write-ups.

Basically what I have learned today on participating with CTFs is that it is a good practice to take down notes of the questions/tasks, files, links as well as take screenshots for later usage (like making write-ups, reviewing, etc.).

With this, here are a few items that I have notes with in me. (Luckily for some I items I did have some screenshots of it.)

Some Pang

Title: Some Pang
Category: Forensics

Points: 50

Description:

Examine the file and find the flag.

Upon downloading the ~8.5 MB pcap file, I used Wireshark to open it. Basically the file contains near ~100,000 ICMP packets.

pang-a

Examining the file, I have learned that the ICMP request and its corresponding reply data are identical which goes the same for all the ICMP data. I also noticed the duplicate characters for each of ICMP packet data.

pang-b

With this in mind, I have concluded that a file is hidden using the ICMP data. First I will need to dump all the data in hex format while removing all the ping replies. I used tshark for this.

tshark -x -r somepang.pcap 'icmp.type==8' | sed -n 's/^[0-9a-f]*\s\(\(\s[0-9a-f][0-9a-f]\)\{1,16\}\).*$/\1/p'

Next is to extract the results and get the last 4 chars which gave me the result below.

pang-c

Upon analyzing the first few lines of the result and based from experience, I deduced that it is a jpg file that needs to be in Base64 format. Learning this, I then converted the results to Base64.

for c in `cat somepang.txt`; do printf "\x$c"; done;

Using “data:image/jpeg;base64,” string plus the Base64 code on a web browser, the flag is revealed!

pang

Flag:

RC3-2016-PANG-ME-LIKE-ONE-OF-YOUR-FRENCH-GORILLAZ

Calculus

Title: Calculus
Category: Crypto

Points: 200

Description:

I hope you like calculus.

Make sure to put “RC3-2016-” in front of your result.

Google Word Doc: https://drive.google.com/open?id=1fy05WIVTxymehT5i_n64V0IScTcGAXcKjeW6mLZnBp4

So here is a screenshot of the problems.

calculus-200

What I did is that I computed all the calculus problems, and here are my answers for it.

calculus-200-a

After being stuck on this (I did re-checked for computations where I might got it wrong), it came into my mind to plot the answers, which interestingly gave me the flag!

calculus-200-b

Note that after this it came up into my mind that you could actually guess the flag and skip solving the calculus problems by just looking at the letters included on the calculus problems.

Flag:

RC3-2016-antiderv

Cats

Title: Cats

Category: Crypto

Points: 300

Description:

Decipher the image and find the hidden flag. (Note that I forgot to save the actual task description – as it did gave hints that image contains the needed characters to be added to “RC3-2016-” for the flag.)

So here is the image which is in .gif format and contains pictures of cats.

After examining and analyzing the image, I found no interesting files that are hidden on it – which is weird.

So what I did is investigate it more by using Photoshop which I found that there are 8 layers of it.

cats-300-a

I tried changing the colors of the layers by adjusting color levels, but have found nothing interesting. What I did next is count the number of cats for each layer.

Layer 1 = 14

Layer 2 = 9

Layer 3 = 1

Layer 4 = 20

Layer 5 = 23

Layer 6 = 15

Layer 7 = 5

Layer 8 = 13

Interestingly upon converting the numbers into letters (e.g. 1 = A, 2 = B, 3 = C, etc.), and reversing it, I got a word “MEOWTAIN” which I have Googled and learned that it means cute cats in a massive file – which is the flag!

cats-300-b

Flag:

RC3-2016-MEOWTAIN

Who’s a good boy?

Title: Who’s a good boy?

Category: Web

Points: 100

Description:

You’re trying to see the cute dog pictures on ctf.rc3.club. But every time you click on one of them, it brings you to a bad gateway.

https://ctf.rc3.club:3000/

— Your friendly neighborhood webadmin

I haven’t save any files or taken screenshots for the task, but finding the flag in here is actually easy. On getting the flag for this task, I remember the days when I purposely hide HTML source codes by just using black spaces, so it became a habit of mine when checking source codes I also scroll down at the very end – which was useful for this task! ( •_•)>⌐■-■

To get the flag for this task, all you have to do is view the source code, and check the doge.css, on the very end of the .css file the flag can be read. (◕‿◕)

Flag:

RC3-2016-CanineSS

“Just Joking,” Joker joked

Title: Joker

Category: Web

Points: 200

Description:

Yes, that is gramatically correct. Now who doesn’t love a good book and an even better villain?

https://ctf.rc3.club:2010/

With Love,

Joker xx

To solve this task, I examined the website and found two SQL injection points.

The first one is on the first form using the connect.php link and primary value and second one is on the second form using connect2.php link and the secondary value. This was verified by simply breaking the website using a simple  character string.

https://ctf.rc3.club:2010/connect.php?primary=Administrator

https://ctf.rc3.club:2010/connect2.php?secondary=Joker

Both URL can be exploited using Union Based SQL injection and using that vulnerability I managed to enumerate the database for this task which leads me to finding the “flag” database.

Enumerating the “flag” database I have a table named “welcome” and columns named “id” and “flag“.

I then enumerated the “id” and “flag”  values using:

https://ctf.rc3.club:2010/connect.php?primary=Administrator%27%20UNION%20ALL%20SELECT%201,2,(id, '---', flag)%20from%20flag.welcome;--%20test

The result gave me a value of the “flag” named pcbfcppgle.

So I thought, I finally found the flag and entered RC3-2016-pcbfcppgle on the submit flags form, but it turns out that this is not the flag. I also used variants like all capital letters but none of them worked. For a few minutes, I thought that there is a problem with RC3 CTF 2016 flag submission form as it is not working. ¯\_(ツ)_/¯

Then again, I tried to decipher pcbfcppgle value using Caesar cipher which gave me the value of redherring. I thought this must be it, proceeding back to the flag submission form, I entered RC3-2016-redherring, which again did not worked! ﴾͡๏̯͡๏﴿ O’RLY?

I then searched the meaning of redherring (red herring) and figured out that it means “something that misleads or distracts from a relevant or important issue”.

Learning this, I went back to the vulnerability and this time I kind of cheated as I told myself before starting this CTF that I wouldn’t be resorting to automated vulnerability scanner tools to learn more how to find vulnerabilities manually, but this is different as I have already exploited the application and I need to dump all the database as fast as possible.

I then used Sqlmap to dump the entire database. This time I mean all for both injection points (connect.php and connect2.php), even the mysql, information_schema and performance_schema. (I’m thinking that the flag might be hidden somewhere in there.) ᕦ(ò_óˇ)ᕤ

sqlmap -u 'https://ctf.rc3.club:2010/connect.php?primary=Administrator' -p primary --dbms=mysql -technique=U --keep-alive --dbs --dump -D flag

sqlmap -u 'https://ctf.rc3.club:2010/connect.php?primary=Administrator' -p primary --dbms=mysql -technique=U --keep-alive --dbs --dump -D CCNs

sqlmap -u 'https://ctf.rc3.club:2010/connect.php?primary=Administrator' -p primary --dbms=mysql -technique=U --keep-alive --dbs --dump -D web_key

sqlmap -u 'https://ctf.rc3.club:2010/connect.php?primary=Administrator' -p primary --dbms=mysql -technique=U --keep-alive --dbs --dump -D mysql

sqlmap -u 'https://ctf.rc3.club:2010/connect.php?primary=Administrator' -p primary --dbms=mysql -technique=U --keep-alive --dbs --dump -D information_schema

sqlmap -u 'https://ctf.rc3.club:2010/connect.php?primary=Administrator' -p primary --dbms=mysql -technique=U --keep-alive --dbs --dump -D performance_schema

sqlmap -u 'https://ctf.rc3.club:2010/connect2.php?secondary=Joker' -p primary --dbms=mysql -technique=U --keep-alive --dbs --dump -D FishingHole

sqlmap -u 'https://ctf.rc3.club:2010/connect2.php?secondary=Joker -p primary --dbms=mysql -technique=U --keep-alive --dbs --dump -D information_schema

sqlmap -u 'https://ctf.rc3.club:2010/connect2.php?secondary=Joker' -p primary --dbms=mysql -technique=U --keep-alive --dbs --dump -D performance_schema

sqlmap -u 'https://ctf.rc3.club:2010/connect2.php?secondary=Joker' -p primary --dbms=mysql -technique=U --keep-alive --dbs --dump -D Social

sqlmap -u 'https://ctf.rc3.club:2010/connect2.php?secondary=Joker' -p primary --dbms=mysql -technique=U --keep-alive --dbs --dump -D mysql

This really took a lot of time as I examined all the database entries including not supposed to be related ones like the mysql, information_schema and performance_schema to look for leads for the flag.

Sad to say I found nothing! I keep on looking for “RC3-2016-” listed on the database but found none.

Then I thought to myself what if there is some kind of hidden connect. As I have notice the “connect.php” leads to a different database than the “connect2.php”.

So, I then proceeded fuzzing the “connect” URL using DirBuster, I limited the threads to a minimum so I won’t be breaking the server load but again found none!

(╯°□°)╯︵ ┻━┻

There must be something I missed. I then checked again the main R3 CTF 2016 site which leads me on their Hints section which I actually didn’t notice earlier *facepalm*. ಠ⌣ಠ

It gave out hint that the flag is not in plaintext which gave me an idea, as I already saw some of the database entries that are hashed.

Re-examining the CCNs database, I checked the secrets table which contains MD5 hashes.

Admin 3118dd54268acb0f04a048fd090e14f7

Guy c9846fa3e401252cf822a21ecf6a567e

Joker c417fccfc5d5a288243c96359c62c381

Colonel adac9d4711cd21cc4cec1b0f8e7ca538

I then preceded using findmyhash to decrypt the MD5 hashes starting from Joker.

findmyhash MD5 -h "c417fccfc5d5a288243c96359c62c381"

This leads me on finding the real flag! ┬──┬◡ノ(° -°ノ)

joker-md5-hash

Flag:

RC3-2016-HAHAHAHA

To be continued… will add more once I had free time. (•̀ᴗ•́)و ̑̑

I’d like to thank the RC3 team for organizing a great CTF! I had fun!  It was a nice experience for me as I learned and enjoyed a lot. (>‿◠)✌

Leave a Reply