Internetwache CTF 2016 – Write up.

As I have mentioned in previous posts, I am a big fan of information security CTF (Capture The Flag) competitions. Most of my weekends are spent sitting down with the problems and challenges they present. At least until I feel that I cannot get any further with them, at which point I start to write up my notes on each challenge that I tried, what I thought it was, how I thought it would be solved, and any interesting quirks, hints or clues.

Usually at some point during the following week, I will compare my notes with all the write ups that are invariably posted (just like this) by people who also took part in the competition.

Whenever I talk to people about CTF’s, they will always ask me why I use my free time in this manner, and it is something that I initially struggled to figure out. After only a few months of (mostly) failing to score any points at all, I finally realised exactly what it was about them that I like so much.

CTF’s represent creative problem solving in one of it’s purest forms.

I am a person that loves solving puzzles, examining systems for flaws and figuring out how to use them in new and imaginative ways to make something the system was never intended to do.  In fact, that is kind of my job, although I usually just have to identify the flaws and get them fixed during the daylight hours.

The Internetwache CTF 2016 competition (still running as of writing, certainly not as of reading.) started 20th Feb at midday CET and finished 36 hours later. I was ready, coffee in hand. So far, this year, I have scored a grand total of zero points in the 3 other CTF’s I have entered. No pressure.

This CTF had 1431 participating teams. Teams can be of any size. There were 6 categories for the challenges. Misc, Web, Reversing, Crypto, Code, Exploit. Each category had 5 challenges each, with point values of 50, 60, 70, 80 or 90 points. This means that 2100 points were available for solving everything.

Web apps are my job, and the direction I feel my security training going in, or at least, the direction I feel I am being pulled in the most. I decided to give the web challenges a try to start with. So let’s go through my notes for each challenge.

Web50 – Mess of Hash

There was an attachment to download that included a section of code. The service running contained a login form, but not much else. The code was as follows.

mess of hash

It has been a long time since I finished the single PHP book I have read, but the code looks pretty straight forward. The admin _user variable was set to “pr0_adm1n” and the admin_pw was the rather long string passed through the clean_hash function.

Looking up the preg_replace function, I found that the $hash value would be searched through for any character NOT in the hex range of 0-9 or a-f and replace those with “”. THat means its basically cutting those characters out. Does that mean the admin_pw evaluates to just “”?

Trying to log in with either a blank password or just “” resulted in a message at the top of the screen appearing saying simply “try harder ;)”. Trying to figure out the rest of the code did not get me any further along, so after a half hour of prototyping and attempting various passwords, I thought it would be prudent to move onto the next challenge.

I am looking forwards to reading the write ups for this as I feel like I grasped a thread from the rope of the solution, but just couldn’t hold onto it well enough.

Web60 – Replace with Grace

This was a regex form submission page, where you would supply a regular expression, text to search and text to replace, and the new text would be supplied to you. I could get it to work as “intended”, but had no idea of what I was supposed to be doing in order to get at a flag. reaplce with grace

I tried using the word flag, using the format of the flags somehow, which was “IW{flag_looks_like_this}”. No dice. I tried putting it through Burpsuite to see if there was something happening I could see. Still nothing.

This is how the challenges seem to go for me in general. I spend a lot of time trying to figure out what it is I am trying to do, and then even more time trying to do that thing.

At this point of 2 hours in, I was a little de-moralised, so I figured I would try my hand at something a bit different. Misc challenges can be pretty much anything, so I thought I would try out a couple. The first one I clicked on was Misc70

Misc70 – Rock With the Wired Shark

If you can’t guess by now what this challenge would involve, it is a program called Wireshark. Wireshark is a really, really useful program analyses network protocols. That means it can capture all the traffic going across a network, store it and later sift through for useful data, and a hell of a lot more. I have used Wireshark a few times previously, so I felt like this was something I could probably have a crack at.

I downloaded the zip that came with the challenge, and after extracting it, I was left with a README file that had only the text “The shark won’t bite you. Don’t worry, it’s wired!” just in case I needed an additional hint as to what the challenge was about. There was another file called dump.pcapng. pcaps are Packet Capture files, so when I loaded it into Wireshark, I was presented with the following view.

wireshark

This may look almost completely non-understandable, and the first few times I was playing around with Wireshark, that was also my take away. In fact some times I look at it now and still feel the same. After you figure out what is going on though, the waters become a lot clearer.

The columns in the top section are probably the easiest starting point, No. is packet number, Time is the time since the packet capture started, so far so good. The Source and Destination headers are exactly what they sound like, expressed as IP addresses. The Protocols are pretty basic things, and Length is just the number of bytes sent across the wire in those specific packets.

The Info however, can be the confusing part. Each packet highlighted in the top frame can be expressed in a number of ways, as shown in the second and third panels below. The second panel shows the various protocol wrappers for the content, which is shown in the bottom panel.

In this specific packet capture, there were only 87 packets, which is a relatively small amount. Ordering by the Protocol column, I could see that there were 6 HTTP packets, most with small lengths, but one with a relatively very large size of 1850! That bears some further investigation.

wireshark2

In fact we can even see here that there is a GET request for something called “flag.zip”. This is the closest I have been all year to a flag, so at this point I am already doing a victory lap around the kitchen.

In Wireshark there is an option to export HTTP and other objects from a pcap, so that is the first step. wireshark3

Now just to extract the flag and we will get our points! Or not. Obviously the zip file is password protected. Crap.

Okay, well we have gotten this far, so it should not be too hard to go the extra couple of steps to the finishing line. I remembered that John The Ripper has a “Jumbo Community Edition” patch available, which supports huge quantities of new features, zip file password cracking among them.

After about fifteen minutes trying to figure out how to compile the patch into my version (the FAQ was not helping, nor the patching or install instructions), I thought that this was far beyond the scope of the competition. It had to be hiding in plain sight, probably back in the packet capture.

I knew that all the TCP packets were just overhead for the connection, so that left me with only 6 packets I really needed to care about. From the order in which they were submitted, it seems that someone is connection to a webserver and downloading the flag.zip, although the first time they do it, they get a 401 Unauthorized HTTP status code in response.

That means there is some form of authentication, and after a couple of minutes of further searching, I found some Basic Authentication credentials used to access the file.

wireshark4

Using “azulcrema” the flag.zip successfully extracted the flag, which was “IW{HTTP_BASIC_AUTH_IS_EASY}”

Hooray! 70 points in the bag!

misc70

Let’s try another one of these Misc Challenges! I thought I would take the very next one, called, imaginatively, Misc80.

Misc80 – 404 Flag Not Found

Again, we get a Wireshark packet capture file. Also the Readme this time just says “You can do it!” This capture file is only 55 packets long. It contains lots of DNS queries and a few HTTP  packets.wireshark5

The HTTP requests were all to <<<Some_very_long_hex_string>>>.2015.ctf.internetwache.org. None of them resolved (all were 404’s) when I tried them. They were all trying to get the flag.txt file too. Attempting to Export the objects resulted in nothing found. After looking at the URL’s for an hour or two, I realised they were all hex values, so tried to decode one or two. The first one I tried was “496e2074686520656e642c206974277320616c6c2061626f757420666c61” and translated to “In the end, it’s all about fla”.

That was way too good to be true, so I quickly ripped them all out and decoded the hex values into ascii characters. After I got all 11 out, it looked like this.

In the end, it’s all about flags.
Whether you win or lose doesn’t matter.
{Ofc, winning is cooler
Did you find other flags?
Noboby finds other flags!
Superman is my hero.
_HERO!!!_
Help me my friend, I’m lost in my own mind.
Always, always, for ever alone.
Crying until I’m dying.
Kings never die.
So do I.
}!

Pretty nonsensical, but those braces mean that if you read down the first character of each line, it spells out IW{DNS_HACKS}. This was the flag. 80 points more! Another victory lap.

At this point I thought I would go back to the Web challenges to bang my head against a wall a bit more, but in order to keep this post at least somewhat short, I could not figure any of them out. Not a single one. I managed to trigger an XSS vulnerability in one of them, but had no idea what to do with it. I didn’t know if it was reflected or stored, or pretty much where to go, so I gave up and returned to the Misc challenges that I seemed to have success with. Misc90 was the next up.

Misc90 – BarParty

Again the readme just stated that “You can do it!”, and there was an image file attached called barcodes.jpg, containing, you guessed it, barcodes.

barcodes

Great. I don’t even have an image program, so first step was to get Gimp. Then we can try to piece the bits together, and finally decode them. UGH!

Learning Gimp, how to work with layers and everything else took maybe an hour at least. After a LOT of rotating, copying, pasting and moving, I had a bunch of barcodes kind of re-assembled. It looked like Frankenstein’s Monster, but one by one I tried uploading them to a barcode scanning tool. The first one came back with “_B4r_”.

Promising at least. The second came back with exactly the same, which was worrying to say the least. Then the third came back with “IW{Bar” Phew. Obviously on the right track at least. The fourth came back with C0d3s}, which looked like I had somehow duplicated the barcodes in my amateurish attempts at using a photo manipulation tool.

It turned out that there are just a few repeated sections. 6 barcodes, 2 of each flag section. The final flag was “IW{Bar_B4r_C0d3s}”. 90 more points! Another victory lap.

It was at this point that I realised I had been sat at the computer for 5 hours straight, not eaten or drunk anything, and I also was supposed to go for a run too. Next step was gym for an hour, and then family took over the rest of the day. I didn’t get any more time for the challenges, but looked at the remainder, and had no clue as to how to solve them.

As of writing I was in place 384 out of 1450. Not too bad for someone with not much time and not much skill. Also I am the only person in my team so far, which makes me think I am on the right track.

I hope that you enjoyed this write up. I intend to do many more in the future, time permitting as always. Also thanks go out to the Interwache team for putting together a great CTF, especially one that I could score some points in!

Have yourselves an excellent week!

Leave a Reply

Your email address will not be published. Required fields are marked *