
First try at Capture the Flag

(Part 1 of 2)

As I continue to make progress through the various online training courses for which I've enrolled, I thought I'd try my hand at gaining some hands-on, practical experience. A popular way of honing your penetration testing skills is through participation in CTF (Capture the Flag) competitions. In these competitions, a problem (or "challenge") is presented to the competitor, requiring them to use various skills to obtain a "flag", usually in the form of a small text string. These skills run the gamut of pentesting methods, including web page analysis, reverse engineering, cryptanalysis, SQL injection, buffer overflows, custom tool creation, and so on.

But which CTF to choose? Since this will be my very first attempt at such a competition, I thought it best to start with the very basics - baby-steps, so to speak...

picoCTF 2013 (aka "Toaster Wars") is a cybersecurity competition primarily aimed at middle- and high-school students. The competition presents an assortment of brief security challenges within a storyline, which changes every year. According to the 2013 storyline, "When a robot from space crash lands in your backyard it's up to your hacking skills to fix him and uncover the secret he carries..." The competition consists of 13 challenges, for which I prepared the following write-up.

Failure to Boot (20 pts)

Summary: After opening the robot's front panel and looking inside, you discover a small red button behind a tangle of wires. Pressing the button lights up the robot's primary screen. It glows black and quickly flashes blue. A line of small text types out:

ERROR: 0x00000023

The text refreshes and displays the prompt:

FILE SYSTEM RECOVERY INITIATED...

FILE SYSTEM COULD NOT BE IDENTIFIED...

PLEASE ENTER FILE SYSTEM FORMAT:

Walkthrough: From the error messages, we can tell that we need to determine the robot's file system. Since the only clue we have is the error code, we turn to our trusty friend Google, which tells us that 0x00000023 is the Windows bug check FAT_FILE_SYSTEM, i.e. a FAT file system error.

Answer: FAT

Read the Manual (30 pts)

Summary: On the back of the broken panel you see a recovery manual. You need to find the emergency repair key in order to put the robot into autoboot mode, but it appears to be ciphered using a Caesar cipher.

Walkthrough: The manual is a 13 KB ciphertext file, which appears intimidating at first, but really isn't as bad as it looks. A Caesar cipher has only 25 possible shifts, so we just need to pass a block of ciphertext through each shift until we obtain recognizable English, at which point we know the decryption key and can apply it to the rest of the file. You can do this manually, or write a script, but the easiest way is to use one of the many online Caesar decoders. Using the first one I found, I passed through the first couple of paragraphs from the manual and came up with:

Instruction manual for Toaster Model 2X875F IMPORTANT: To enter automatic recovery mode, enter the following recovery key 'ptkcgvpluczo'

Answer: ptkcgvpluczo
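For anyone who would rather script it than use an online decoder, here is an added example (my own code for this write-up, not the competition's material or the decoder mentioned above) that tries all 25 shifts and lets a crude English-likeness score pick the winner. The "manual" text in it is a constructed stand-in for the real 13 KB file, encrypted with a shift of 7 so the round trip can be checked:

```python
"""Brute-forcing a Caesar cipher: try every shift and score each candidate for English-ness."""
import string

# Approximate English letter frequencies (percent) plus a few words a recovery
# manual is likely to contain. Both are heuristics (an assumption), not a language model.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}
COMMON_WORDS = {"the", "to", "for", "and", "enter", "key", "mode", "manual"}


def shift(text: str, k: int) -> str:
    """Rotate A-Z/a-z by k positions (mod 26); digits and punctuation pass through unchanged."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + k) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + k) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def english_score(text: str) -> float:
    """Higher is more English-like: letter-frequency mass plus a bonus per common word."""
    letters = sum(ENGLISH_FREQ.get(c, 0.0) for c in text.lower())
    words = (w.strip(string.punctuation) for w in text.lower().split())
    return letters + 50.0 * sum(w in COMMON_WORDS for w in words)


def crack_caesar(ciphertext: str):
    """Try all 25 non-trivial shifts and return (key, plaintext) with the best score.

    key is the encryption shift, so plaintext == shift(ciphertext, -key).
    """
    candidates = ((k, shift(ciphertext, -k)) for k in range(1, 26))
    return max(candidates, key=lambda kp: english_score(kp[1]))


# Constructed sample manual (not the competition's file), encrypted with key 7.
SAMPLE_PLAINTEXT = (
    "Instruction manual for Toaster Model X. IMPORTANT: To enter automatic "
    "recovery mode, enter the following recovery key 'wxyz0123'. Keep this "
    "manual with the unit and do not share the key."
)
SAMPLE_KEY = 7
SAMPLE_CIPHERTEXT = shift(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    key, plain = crack_caesar(SAMPLE_CIPHERTEXT)
    print(f"best shift: {key}")
    print(plain)
```

The frequency score alone is usually enough for a paragraph or more of text; the common-word bonus just makes the decision more robust on short samples. Note that the recovery key itself gets rotated like everything else, which is why the decoded manual still shows it as a meaningless-looking string.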

XMLOL (30 pts)

Summary: The book has instructions on how to dump the corrupted configuration file from the robot's memory. You find a corrupted XML file and are looking for a configuration key.

Walkthrough: The first step in searching for flags in any CTF challenge involving a webpage/XML/PHP/etc. is to look at the source code. Lo and behold, viewing the XML file linked to the challenge gives us:

<?xml version="1.0" encoding="UTF-8" ?>

<garbage

<writing>

<?xml verion="1.0" encoding"UTF-8"

is really

<super_secret_flag>271382278198040623261968522657</super_secret_flag>

</ gar <bage>

Answer: 271382278198040623261968522657

Technician Challenge (30 pts)

Summary: The spaceport technician waves to you and you approach him. He tells you that he has noticed you walking around suspiciously. He adds that he knows the door code and is willing to give it to you for answering a small trivia question.

For what kind of car was the first unlocked iPhone traded?

Walkthrough: This is just a simple web search. Cutting and pasting the question into a search page quickly reveals that the first unlocked iPhone was traded for a Nissan 350Z. Let that sink in for a second: someone traded a phone... for a car. Because priorities.

Answer: Nissan 350Z

Grep is Your Friend (40 pts)

Summary: After plugging the robot into the computer, the robot asks for the name of a file containing the string SECRET AUTH CODE. You can find it using the command-line interface in /problems/grep.tar or by downloading all of the files.

Walkthrough: The contents of the grep.tar archive consist of dozens of individual files, one of which contains the string in question. You could, of course, look through each of the files manually, but that would take a very long time and defeat the point of the challenge, which is learning to use the grep command. grep is a Unix/Linux utility which searches for a string or regular-expression pattern in the specified files or directories.

After obtaining the grep.tar file (either by downloading it or by navigating to the specified directory via the provided shell), we unpack it with:

tar xvf grep.tar

Then, we run grep to search for SECRET AUTH CODE in the unpacked files via:

grep -r "SECRET AUTH CODE"

Note that the -r flag tells grep to search every file in the current directory and its subdirectories. Alternatively you could perform the search via grep "SECRET AUTH CODE" *, but only if you knew the file was in the current directory. Because more than one file is searched, grep prefixes each match with the name of the file it was found in (filename:matching line), and it is the file name that the challenge asks for; grep -rl would print only the file names. Whichever method you choose should yield the result:

fHYYpdrfe0CHyQicfe96fw==:SECRET AUTH CODES

Answer: fHYYpdrfe0CHyQicfe96fw==

First Contact (40 pts)

Summary: You notice that the indicator light near the robot’s antenna begins to blink. Perhaps the robot is connecting to a network? Using a wireless card and the network protocol analyzer Wireshark, you are able to create a PCAP file containing the packets sent over the network. You suspect that the robot is communicating with the crashed ship. Your goal is to find the location of the ship by inspecting the network traffic. You can perform the analysis online on Cloudshark or you can download the PCAP file.

Walkthrough: Opening the PCAP file in Wireshark reveals a snippet of network traffic showing communication between two IP addresses, 128.237.118.96 and 107.22.208.224. You could go through each of the packets until you find the ship's location, but a much easier route is to right-click on any of the TCP packets and select 'Follow -> TCP Stream' from the pop-up menu, which reassembles the payloads of the whole conversation in order. Doing so reveals:

ROBOT BOOTUP INITIALIZING

SPACE SHIP READY

BOOTUP BEGIN

FIRMWARE STATUS.... COMPLETE

LOCATION STATUS.... ERROR

****BOOT ERROR****

COULD NOT READ FROM DISK ID 0xEF982DA0

INITIALIZE RECOVERY PROCEDURE 0xCD950422

PROCEDURE 0xCD950422 STATUS.... COMPLETE

AWAITING NEW LOCATION STATUS

NEW LOCATION STATUS: 302

NEW LOCATION COORDINATES: 37 14'06"N 115 48'40"W

NEW LOCATION INFO: LOCKED

NEW LOCATION UPDATE COMPLETE

NEW LOCATION UPDATE SUCCESS

Answer: 37 14'06"N 115 48'40"W
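If Wireshark isn't at hand, the same "Follow TCP Stream" view can be reproduced with a few dozen lines of Python. The following is an added example written for this write-up (not the post's original code and not the competition's capture): it parses the classic libpcap format (Ethernet/IPv4/TCP only), groups payloads per direction of each connection and reorders them by sequence number. The capture is built inline from a made-up exchange so the script runs offline; it deliberately includes an out-of-order segment and a retransmission to show why ordering by sequence number rather than by arrival matters.

```python
"""Reassemble TCP conversations from a libpcap capture without Wireshark."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def pcap_records(data: bytes):
    """Yield (timestamp, frame) for every record in a libpcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        end = "<"                      # written by a little-endian host
    elif magic == 0xD4C3B2A1:
        end = ">"                      # written by a big-endian host
    else:
        raise ValueError("not a libpcap capture (pcapng is not handled here)")
    link_type, = struct.unpack_from(end + "I", data, 20)
    if link_type != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def tcp_segment(frame: bytes):
    """Return (src, dst, sport, dport, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != IPPROTO_TCP:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]            # slice by IP total length so Ethernet padding is dropped
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, seq, tcp[data_off:]


def follow_streams(pcap: bytes) -> dict:
    """Map (src, sport, dst, dport) -> payload bytes in sequence order, one entry per direction.

    Segments are keyed by seq, so a retransmitted segment is not appended twice.
    """
    streams = defaultdict(dict)
    for _ts, frame in pcap_records(pcap):
        seg = tcp_segment(frame)
        if seg is None:
            continue
        src, dst, sport, dport, seq, payload = seg
        if payload:
            streams[(src, sport, dst, dport)].setdefault(seq, payload)
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in streams.items()}


# --- constructed capture (made-up addresses and messages, not the challenge's PCAP) ---
def build_frame(src, dst, sport, dport, seq, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame with zeroed MACs and checksums, enough to exercise the parser."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split("."))) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_pcap(frames) -> bytes:
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                             for i, f in enumerate(frames))


ROBOT, SHIP = "10.0.0.2", "10.0.0.1"
SAMPLE_PCAP = build_pcap([
    build_frame(ROBOT, SHIP, 40000, 9000, 1000, b"BOOTUP BEGIN\n"),
    build_frame(SHIP, ROBOT, 9000, 40000, 5000, b"AWAITING NEW LOCATION STATUS\n"),
    build_frame(ROBOT, SHIP, 40000, 9000, 1039, b"NEW LOCATION COORDINATES: 12 34'56\"N 001 02'03\"W\n"),
    build_frame(ROBOT, SHIP, 40000, 9000, 1013, b"LOCATION STATUS.... ERROR\n"),   # captured late
    build_frame(ROBOT, SHIP, 40000, 9000, 1013, b"LOCATION STATUS.... ERROR\n"),   # retransmission
])

if __name__ == "__main__":
    for (src, sport, dst, dport), data in follow_streams(SAMPLE_PCAP).items():
        print(f"--- {src}:{sport} -> {dst}:{dport} ---")
        print(data.decode(errors="replace"))
```

For a real capture, replace SAMPLE_PCAP with the bytes of the downloaded file; captures saved in the newer pcapng format would need a different reader, and a real tool would also honour the handshake and FIN/RST flags rather than just concatenating payloads.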

Try Them All! (45 pts)

Summary: You have found a passwd file containing salted passwords. An unprotected configuration file has revealed a salt of 6985. The hashed password for the 'admin' user appears to be 57a349f38d6dcc62285eee17397bf466, try to brute force this password.

Walkthrough: Luckily, the hint for this problem informs us that the password + salt has been hashed using the MD5 algorithm, so we don’t have to guess (or try them all).

The quickest way would be to simply find an online hash-lookup tool which allows you to enter the hashed value plus the specified salt, such as the one at http://www.dcode.fr/md5-hash, which will quickly provide you with the password if it is in the tool's dictionary (a hash can't be "decrypted", only matched against candidates). You can also use a stand-alone hash-cracking tool, such as Hashcat.

Alternatively – and I believe this was the intention of the competition creators – you could write your own MD5-cracker in the programming language of your choice. As I’m most comfortable with Java, that’s what I used here:

import java.io.BufferedReader;
import java.io.FileReader;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Scanner;

public class MD5Crack {

    public static void main(String[] args) throws Exception {
        // Path to the wordlist (backslashes must be escaped in a Java string literal)
        BufferedReader br = new BufferedReader(new FileReader("C:\\xxx\\wordlistfile"));
        MessageDigest md = MessageDigest.getInstance("MD5");
        Scanner sc = new Scanner(System.in);

        System.out.print("Enter hash: ");
        String hash = sc.next().toLowerCase();
        System.out.print("Enter known salt: ");
        String salt = sc.next();

        String line;
        // Read one line per iteration (reading twice per loop would skip every other word)
        while ((line = br.readLine()) != null) {
            String pw = line.concat(salt);    // per the hint: MD5(password + salt)
            // digest(byte[]) hashes the input and resets the MessageDigest for the next word
            byte[] digest = md.digest(pw.getBytes(StandardCharsets.UTF_8));
            // %032x keeps leading zeros that BigInteger.toString(16) would drop
            String temp = String.format("%032x", new BigInteger(1, digest));
            if (temp.equals(hash)) {
                System.out.println("Password found! Password is: " + line);
                break;
            }
        } // end while
        br.close();
        sc.close();
    } // end main

} // end MD5Crack

This program appends the known salt to each entry of the specified wordlist file, hashes the result with MD5, and compares it against the hash value entered by the user until a match is found. The success of this approach, of course, relies on the password being in the wordlist. If not, you can always use increasingly larger wordlists until you find one containing the password.

Answer: aside
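The same attack in Python, as an added example written for this write-up (not the post's Java program above): the one practical wrinkle it handles that the Java version does not is that a hint saying "password + salt" doesn't always tell you the concatenation order, so both password+salt and salt+password are tried for every candidate. The short wordlist is constructed; the hash and salt in the main block are the ones quoted by the challenge.

```python
"""Salted-MD5 dictionary attack that tries both salt orderings."""
import hashlib
from typing import Iterable, Optional, Tuple

# The two common ways a salt is combined with a password before hashing.
ORDERS = {
    "pw+salt": lambda pw, salt: pw + salt,
    "salt+pw": lambda pw, salt: salt + pw,
}


def salted_md5(password: str, salt: str, order: str = "pw+salt") -> str:
    """Lower-case hex MD5 of the password and salt combined in the given order."""
    return hashlib.md5(ORDERS[order](password, salt).encode("utf-8")).hexdigest()


def crack(target_hex: str, salt: str, wordlist: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Return (password, order) for the first candidate whose salted MD5 matches, else None."""
    target = target_hex.strip().lower()          # tolerate upper-case hex and stray whitespace
    for word in wordlist:
        word = word.rstrip("\r\n")               # lines read from a file keep their newline
        for order in ORDERS:
            if salted_md5(word, salt, order) == target:
                return word, order
    return None


# Constructed wordlist (assumption); a real run would use rockyou.txt or similar.
SAMPLE_WORDLIST = ["password", "123456", "toaster", "aside", "letmein"]

if __name__ == "__main__":
    import sys
    # Hash and salt quoted by the challenge; pass a wordlist path as argv[1] for a real attempt.
    target, salt = "57a349f38d6dcc62285eee17397bf466", "6985"
    words = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_WORDLIST
    hit = crack(target, salt, words)
    print("found: %s (%s)" % hit if hit else "no match in wordlist")
```

With Hashcat the two orderings are separate modes: -m 10 is md5($pass.$salt) and -m 20 is md5($salt.$pass), with the target supplied as hash:salt, so if one mode comes up empty the other is worth a run before reaching for a bigger wordlist.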

GETKey (50 pts)

Summary: There's bound to be a key on the spaceport's hidden website (https://2013.picoctf.com/problems/getquery/index.php).

Walkthrough: Visiting the webpage displays a button called ‘Get Key’ but, when you click the button, the page displays a message saying, “Either you aren't admin or wrong competition.” What to do? If you take a look at the URL, it reads:

https://2013.picoctf.com/problems/getquery/index.php?admin=false&competition=ccdc

This one is a simple matter of manipulating the URL. Change "admin=false" to "admin=true" and "competition=ccdc" to "competition=picoctf", reload the page, and the flag is displayed! The lesson behind the challenge is that the server is taking its authorization decision from parameters the client controls; anything in the query string can be rewritten at will.

Answer: 9fa449c061d64f58de600dfacaa6bd5d
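To make the point concrete, here is an added example (my own illustration, not the challenge's actual PHP, which the page doesn't show): tamper() rewrites the query string the same way the walkthrough does by hand, vulnerable_handler() is a hypothetical stand-in for the page behind index.php that trusts "admin=" from the client exactly as the challenge did, and hardened_handler() shows the fix, taking the admin decision from server-side session state and only letting the client choose among known competitions. PLACEHOLDER_KEY and KNOWN_COMPETITIONS are assumptions.

```python
"""Query-string parameter tampering and the server-side fix."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

ORIGINAL_URL = "https://2013.picoctf.com/problems/getquery/index.php?admin=false&competition=ccdc"
PLACEHOLDER_KEY = "<key-goes-here>"          # stands in for the flag
DENIED = "Either you aren't admin or wrong competition."
KNOWN_COMPETITIONS = {"ccdc", "picoctf"}     # assumed allow-list


def tamper(url: str, **overrides: str) -> str:
    """Return url with the given query parameters replaced; everything else is preserved."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params.update(overrides)
    return urlunsplit(parts._replace(query=urlencode(params)))


def vulnerable_handler(query: str) -> str:
    """Authorization read straight from attacker-controlled input (the challenge's behaviour)."""
    params = dict(parse_qsl(query))
    if params.get("admin") == "true" and params.get("competition") == "picoctf":
        return PLACEHOLDER_KEY
    return DENIED


def hardened_handler(query: str, session: dict) -> str:
    """Admin status comes from the server-side session; an admin= parameter is simply ignored.

    The session dict models state the server populated at login from credentials,
    which the client cannot edit the way it can edit the URL.
    """
    params = dict(parse_qsl(query))
    competition = params.get("competition")
    if competition not in KNOWN_COMPETITIONS:   # reject unknown values instead of echoing them
        return DENIED
    if session.get("is_admin") is True and competition == "picoctf":
        return PLACEHOLDER_KEY
    return DENIED


if __name__ == "__main__":
    forged = tamper(ORIGINAL_URL, admin="true", competition="picoctf")
    query = urlsplit(forged).query
    print(forged)
    print("vulnerable:", vulnerable_handler(query))
    print("hardened, no session:", hardened_handler(query, {}))
    print("hardened, admin session:", hardened_handler(query, {"is_admin": True}))
```

The tampered URL hands the vulnerable handler the key, while the hardened one ignores the forged admin flag entirely and only releases the key to a session the server itself marked as admin.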

Part 2 of 2, with the remaining 6 challenges, will be posted soon!
