Thursday, March 26, 2015

securinets-ctf-2015-crypto/matrix-everywhere

Matrix everywhere (Des matrices partout)
Category: Crypto
Points: 100
Description: Hint : Compatible Operation (Opération compatible)
url : http://41.231.22.133:8020/2/matrices.docx

 



1 0 0 0 0 0 0 0 1 0
2 0 0 0 0 0 0 0 0 1
3 0 1 0 0 0 0 0 0 0
4 0 0 0 1 0 0 0 0 0
5 0 0 0 0 0 0 1 0 0
6 0 0 0 0 1 0 0 0 0
7 1 0 0 0 0 0 0 0 0
8 0 0 1 0 0 0 0 0 0
9 0 0 0 0 0 0 0 0 0
10 0 0 0 0 0 1 0 0 0

DECIMAL = 64  84  76  71  48  61  70  65  82  82
ASCII   = @   T   L   G   0   =   F   A   R   R
index   = 1   2   3   4   5   6   7   8   9   10

The 1 in the column labelled 64 is in position 7; index 7 in the ASCII row is: F
The 1 in the column labelled 84 is in position 3; index 3 in the ASCII row is: L
The 1 in the column labelled 76 is in position 8; index 8 in the ASCII row is: A
The 1 in the column labelled 71 is in position 4; index 4 in the ASCII row is: G
The 1 in the column labelled 48 is in position 6; index 6 in the ASCII row is: =
The 1 in the column labelled 61 is in position 10; index 10 in the ASCII row is: R
The 1 in the column labelled 70 is in position 5; index 5 in the ASCII row is: 0
The 1 in the column labelled 65 is in position 1; index 1 in the ASCII row is: @
The 1 in the column labelled 82 is in position 2; index 2 in the ASCII row is: T

We get FLAG=R0@T
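
The lookup above as an added example (not part of the original write-up): it parses the matrix as printed, multiplies the DECIMAL row vector by it and converts the products to ASCII, which gives the same result as the column-by-column lookup because each column holds a single 1. The names MATRIX_TEXT, parse_matrix, decode and unused_rows are chosen here for illustration.

```python
# Matrix rows and the DECIMAL row copied from the write-up above; the first
# number on each matrix line is the row index, not a matrix entry.
MATRIX_TEXT = """\
1 0 0 0 0 0 0 0 1 0
2 0 0 0 0 0 0 0 0 1
3 0 1 0 0 0 0 0 0 0
4 0 0 0 1 0 0 0 0 0
5 0 0 0 0 0 0 1 0 0
6 0 0 0 0 1 0 0 0 0
7 1 0 0 0 0 0 0 0 0
8 0 0 1 0 0 0 0 0 0
9 0 0 0 0 0 0 0 0 0
10 0 0 0 0 0 1 0 0 0
"""
DECIMAL = [64, 84, 76, 71, 48, 61, 70, 65, 82, 82]


def parse_matrix(text):
    """Drop the leading row index and return the 0/1 entries row by row."""
    return [[int(v) for v in line.split()[1:]]
            for line in text.splitlines() if line.strip()]


def decode(vector, matrix):
    """Row vector times matrix: out[j] = sum_i vector[i] * matrix[i][j]."""
    if len(vector) != len(matrix):
        raise ValueError("vector length must equal the number of matrix rows")
    out = []
    for j in range(len(matrix[0])):
        column = [row[j] for row in matrix]
        # A selection matrix has exactly one 1 per column and zeros elsewhere.
        if column.count(1) != 1 or column.count(0) != len(column) - 1:
            raise ValueError(f"column {j + 1} does not select exactly one row")
        out.append(sum(v * c for v, c in zip(vector, column)))
    return "".join(chr(code) for code in out)


def unused_rows(matrix):
    """1-based indexes of rows with no 1, i.e. characters never selected."""
    return [i for i, row in enumerate(matrix, 1) if 1 not in row]


if __name__ == "__main__":
    m = parse_matrix(MATRIX_TEXT)
    print(decode(DECIMAL, m), "unused rows:", unused_rows(m))
```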

Infosec Institute n00bs CTF Labs LEVEL 0

The Infosec Institute n00bs CTF Labs is a web application that hosts 15 mini Capture the Flag (CTF) challenges intended for beginners.

http://ctf.infosecinstitute.com/



Challenge Write up
Level 1 http://ipushino.blogspot.com/2015/03/infosec-instite-n00bs-ctf-labs-level-1.html
Level 2 http://ipushino.blogspot.com/2015/03/infosec-instite-n00bs-ctf-labs-level-2.html
Level 3 http://ipushino.blogspot.com/2015/03/infosec-instite-n00bs-ctf-labs-level-3.html
Level 4 http://ipushino.blogspot.com/2015/03/infosec-instite-n00bs-ctf-labs-level-4.html
Level 5 http://ipushino.blogspot.com/2015/03/infosec-instite-n00bs-ctf-labs-level-5.html
Level 6 http://ipushino.blogspot.com/2015/03/infosec-instite-n00bs-ctf-labs-level-6.html
Level 7 http://ipushino.blogspot.com/2015/03/infosec-instite-n00bs-ctf-labs-level-7.html
Level 8 http://ipushino.blogspot.com/2015/03/infosec-instite-n00bs-ctf-labs-level-8.html
Level 9 http://ipushino.blogspot.com/2015/03/infosec-instite-n00bs-ctf-labs-level-9.html
Level 10 http://ipushino.blogspot.com/2015/03/infosec-instite-n00bs-ctf-labs-level-10.html
Level 11 http://ipushino.blogspot.com/2015/03/infosec-instite-n00bs-ctf-labs-level-11.html
Level 12 http://ipushino.blogspot.com/2015/03/infosec-instite-n00bs-ctf-labs-level-12.html
Level 13 http://ipushino.blogspot.com/2015/03/infosec-instite-n00bs-ctf-labs-level-13.html
Level 14 http://ipushino.blogspot.com/2015/03/infosec-instite-n00bs-ctf-labs-level-13.html
Level 15 http://ipushino.blogspot.com/2015/03/infosec-instite-n00bs-ctf-labs-level-15.html

Infosec Institute n00bs CTF Labs LEVEL 1

URL : http://ctf.infosecinstitute.com/levelone.php


Hint: May the source be with you!
 
Check the page source code:
Flag: infosec_flagis_welcome

Infosec Institute n00bs CTF Labs LEVEL 2

URL: http://ctf.infosecinstitute.com/leveltwo.php


It seems like the image is broken..Can you check the file?

Download the image : http://ctf.infosecinstitute.com/img/leveltwo.jpeg

Use the file command to check the image file:

http://gnuwin32.sourceforge.net/packages/file.htm

c:\file leveltwo.jpeg

leveltwo.jpeg; ASCII text

It is a text file, so open it in a text editor:

notepad leveltwo.jpeg

aW5mb3NlY19mbGFnaXNfd2VhcmVqdXN0c3RhcnRpbmc=

It is a Base64-encoded string: http://en.wikipedia.org/wiki/Base64

Decode it with an online Base64 decoder, for example: http://www5.rptea.com/base64/


Flag : infosec_flagis_wearejuststarting

Infosec Institute n00bs CTF Labs LEVEL 3

URL : http://ctf.infosecinstitute.com/levelthree.php



It is a QR code; decode it using an online QR code decoder: http://zxing.org/w/decode.jspx



Morse code:
.. -. ..-. --- ... . -.-. ..-. .-.. .- --. .. ... -- --- .-. ... .. -. --.

Use an online Morse code decoder to decode it:
 



INFOSECFLAGISMORSING

Infosec Institute n00bs CTF Labs LEVEL 4

URL: http://ctf.infosecinstitute.com/levelfour.php

Hint  :  HTTP means Hypertext Transfer Protocol

Try checking the HTTP headers and cookies.
You can use a Firefox plugin such as HTTP headers or RESTClient:

  1. Status Code: 200 OK
  2. Connection: Keep-Alive
  3. Content-Encoding: gzip
  4. Content-Length: 1235
  5. Content-Type: text/html
  6. Date: Sat, 14 Mar 2015 17:16:00 GMT
  7. Keep-Alive: timeout=5, max=100
  8. Server: Apache/2.4.7 (Ubuntu)
  9. Set-Cookie: fusrodah=vasbfrp_syntvf_jrybirpbbxvrf
  10. Vary: Accept-Encoding
  11. X-Powered-By: PHP/5.5.9-1ubuntu4.6
Check the cookie:


fusrodah=vasbfrp_syntvf_jrybirpbbxvrf
 
Check whether it is a substitution cipher (http://en.wikipedia.org/wiki/Caesar_cipher) using a Caesar brute force:
 
http://www.root-me.org/spip.php?page=outils&inc=code_decode
 
 ROT13 : http://en.wikipedia.org/wiki/ROT13

 
Flag :infosec_flagis_welovecookies
 

Infosec Institute n00bs CTF Labs LEVEL 5

URL: http://ctf.infosecinstitute.com/levelfive.php

This web page contains JavaScript that shows Hacker!! in a loop. When we stop the script we find this image:


# file aliens.jpg
aliens.jpg; JPEG image data, JFIF standard 1.01

# strings aliens.jpg | grep flag





Check whether there is a secret message in the image, using steghide (http://steghide.sourceforge.net/documentation/manpage.php):


D:\steghide-0.5.1-win32\steghide
# .\steghide.exe  info d:\Perso\CTFs\infos\aliens.jpg
"aliens.jpg":
  format: jpeg
  capacité: 4.2 KB
Essayer d'obtenir des informations à propos des données incorporées ? (o/n) o
Entrez la passphrase:
  fichier à inclure "all.txt":
    taille: 201.0 Byte
    cryptage: rijndael-128, cbc
    compression: oui

D:\steghide-0.5.1-win32\steghide
# .\steghide.exe extract  d:\Perso\CTFs\infos\aliens.jpg
steghide: paramètre "d:\Perso\CTFs\infos\aliens.jpg" inconnu.
steghide: tapez "steghide --help" pour l'aide.

D:\steghide-0.5.1-win32\steghide
λ .\steghide.exe extract  -sf d:\Perso\CTFs\infos\aliens.jpg -xf all.txt
Entrez la passphrase:
écriture des données extraites dans "all.txt".

D:\Perso\CTFs\tools\steghide-0.5.1-win32\steghide
λ more all.txt
01101001011011100110011001101111011100110110010101100011010111110110011001101100011000010110011101101001011100110101111101110011011101000110010101100111011000010110110001101001011001010110111001110011




Flag  :infosec_flagis_stegaliens

Infosec Institute n00bs CTF Labs LEVEL 6

URL: http://ctf.infosecinstitute.com/levelsix.php
Download the sharkfin.pcap

Check the first packet using Follow UDP Stream:

Convert the hex stream "696e666f7365635f666c616769735f736e6966666564" to ASCII using any online tool or any programming language, Python for example:


#python
Python 2.7.6 (default, Nov 10 2013, 19:24:18) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> "696e666f7365635f666c616769735f736e6966666564".decode("hex")
'infosec_flagis_sniffed'
>>>

Flag  :   infosec_flagis_sniffed






Infosec Institute n00bs CTF Labs LEVEL 7

URL: http://ctf.infosecinstitute.com/404.php


Try to see what is in levelseven.php: a blank page.
Try analyzing the HTTP headers of http://ctf.infosecinstitute.com/levelseven.php

We see a Base64-encoded string in the status header:

aW5mb3NlY19mbGFnaXNfeW91Zm91bmRpdA==
 
Flag : infosec_flagis_youfoundit

 


Infosec Institute n00bs CTF Labs LEVEL 8

URL  :http://ctf.infosecinstitute.com/leveleight.php


Download app.exe

# file app.exe
app.exe; PE32 executable for MS Windows (console) Intel 80386 32-bit

# strings app.exe | grep flag
infosec_flagis_0x1a

__loader_flags__


Flag: infosec_flagis_0x1a

Infosec Institute n00bs CTF Labs LEVEL 9

URL : http://ctf.infosecinstitute.com/levelnine.php



Hint: Cisco IDS Web Login System
Google: search for the default password for Cisco IDS

Cisco IDS Appliance Version 3 and earlier: two usernames exist, called 'netrangr' and 'root'. The default password for both is 'attack'.


Try logging in as root with the password attack.


Reverse the string (http://www.string-functions.com/reverse.aspx) or use (echo "ssaptluafed_sigalf_cesofni" | rev)

Flag  :Infosec_flagis_defaultpass


Infosec Institute n00bs CTF Labs LEVEL 10

URL  : http://ctf.infosecinstitute.com/levelten.php

Download the file Flag.wav.
Open the file with Audacity and change the playback speed:



Flag : infosec_flagis_sound

Infosec Institute n00bs CTF Labs LEVEL 11

URL :http://ctf.infosecinstitute.com/leveleleven.php


View the source code:





Download php-logo-virus.jpg and check its metadata using exiftool (http://en.wikipedia.org/wiki/ExifTool):


exiftool.exe d:\Perso\CTFs\infos\php-logo-virus.jpg
ExifTool Version Number         : 9.59
File Name                       : php-logo-virus.jpg
Directory                       : d:/Perso/CTFs/infos
File Size                       : 13 kB
File Modification Date/Time     : 2015:03:12 11:59:03+00:00
File Access Date/Time           : 2015:03:12 11:59:02+00:00
File Creation Date/Time         : 2015:03:12 11:59:02+00:00
File Permissions                : rw-rw-rw-
File Type                       : JPEG
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 96
Y Resolution                    : 96
Exif Byte Order                 : Big-endian (Motorola, MM)
Document Name                   : infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9wb3dlcnNsaWRlX2xvZ29fbGFyZ2UuZ2lmáå.

Base64-decode the part after infosec_flagis_:
aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9wb3dlcnNsaWRlX2xvZ29fbGFyZ2UuZ2lm



Flag  : infosec_flagis_POWERSLIDE

Infosec Institute n00bs CTF Labs LEVEL 12

URL: http://ctf.infosecinstitute.com/leveltwelve.php
This web page looks the same as level one; let's find the difference between the two pages:

  
root@kali:~/infos# diff levelone.php leveltwelve.php
1d0
< <!-- infosec_flagis_welcome -->
10a10
>     <link href="css/design.css" rel="stylesheet">
41c41
<               <a href="404.php">Level 7</a>
---
>               <a href="levelseven.php">Level 7</a>
78,79c78,79
<       <p>
<               May the source be with you!
---
>          <p>
>               Dig deeper!
82c82
<   <br /><br /><br /><p style="font-size:.9em;font-weight:normal;">Bounty: $10</p>
---
>       <br /><br /><br /><p style="font-size:.9em;font-weight:normal;">Bounty: $120</p>
87d86
<

The main difference between the two pages is css/design.css

#more  css/design.css
.thisloveis{
        color: #696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72;
}

Let's convert the hex stream 696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72 to ASCII:

  python
Python 2.7.6 (default, Nov 10 2013, 19:24:18) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> "696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72".decode("hex")
'infosec_flagis_heyimnotacolor'
>>>

You can also use any online converter tool.

Flag : infosec_flagis_heyimnotacolor
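
A check for the trick used in this level, as an added example that is not from the original write-up: it scans CSS declarations for hex colour values whose length cannot be a real colour and decodes them as ASCII. The .thisloveis rule in the sample is the one shown above; the two ordinary rules around it are constructed so the checker has valid values to skip.

```python
import re

CSS = """
body { color: #333; background: #fafafa; }
.thisloveis{
        color: #696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72;
}
a:hover { color: #1a2b3c80; }
"""

VALID_LENGTHS = {3, 4, 6, 8}  # #rgb, #rgba, #rrggbb, #rrggbbaa
DECLARATION = re.compile(r"([\w-]+)\s*:\s*([^;{}]+)")  # property: value
HEX_VALUE = re.compile(r"#([0-9a-fA-F]+)\b")


def suspicious_colours(css):
    """Return (property, hex digits, decoded text) for impossible colours."""
    findings = []
    for prop, value in DECLARATION.findall(css):
        for digits in HEX_VALUE.findall(value):
            if len(digits) in VALID_LENGTHS:
                continue  # a plausible colour, nothing to report
            text = None
            if len(digits) % 2 == 0:  # whole bytes, so try to read it as text
                text = bytes.fromhex(digits).decode("ascii", "replace")
            findings.append((prop, digits, text))
    return findings


if __name__ == "__main__":
    for prop, digits, text in suspicious_colours(CSS):
        print(f"{prop}: #{digits[:16]}... ({len(digits)} hex digits) -> {text}")
```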

Infosec Institute n00bs CTF Labs LEVEL 13

URL:http://ctf.infosecinstitute.com/levelthirteen.php


Hint :What the heck happened here? It seems that the challenge here is gone? Can you find it? Can you check if you can find the backup file for this one? I'm sorry for messing up :(


The backup file contains:

<p>Do you want to download this mysterious file?</p>

    <a href="misc/imadecoy">
      <button class="btn">Yes</button>
    </a>

Download and analyze the file misc/imadecoy:

 
file imadecoy
imadecoy; tcpdump capture file (little-endian) - version 2.4 (Linux "cooked", capture length 65535)






It is a tcpdump capture file; open it using Wireshark:

Filter the HTTP traffic and extract all objects.


The image HoneyPY.PNG contains the flag.
Flag  :Infosec_flagis_morepackets
 

Infosec Institute n00bs CTF Labs LEVEL 14

URL  :http://ctf.infosecinstitute.com/levelfourteen.php


Download the file http://ctf.infosecinstitute.com/misc/level14
It is a SQL dump file.
Analyzing the dump file, there is an interesting block:

--
-- Dumping data for table `flag?`
--

INSERT INTO `flag?` (`ID`, `user_login`, `user_pass`, `user_nicename`, 
`user_email`, `user_url`, `user_registered`, `user_activation_key`,
 `user_status`, `display_name`) VALUES
(1, 'admin', '$P$B8p.TUJAbjULMWrNXm8GsH4fb2PWfF.', 'admin', 
'christyhaigcreations@gmail.com', '', '2012-09-06 20:09:55', '', 0, 'admin');

-- --------------------------------------------------------

--
-- Table structure for table `friends`
--

CREATE TABLE IF NOT EXISTS `friends` (
  `id` int(11) DEFAULT NULL,
  `name` text,
  `address` char(90) DEFAULT NULL,
  `status` char(50) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

--
-- Dumping data for table `friends`
--

INSERT INTO `friends` (`id`, `name`, `address`, `status`) VALUES
(102, 'Sasha Grey', 'Vatican City', 'Active'),
(101, 'Andres Bonifacio', 'Tondo, Manila', 'Active'),
(103, 'lol', 'what the???', 'Inactive'),
(104, '\\u0069\\u006e\\u0066\\u006f\\u0073\\u0065\\u0063\\u005f\\u0066
\\u006c\\u0061\\u0067\\u0069\\u0073\\u005f\\u0077\\u0068\\u0061\\u0074
\\u0073\\u006f\\u0072\\u0063\\u0065\\u0072\\u0079\\u0069\\u0073\\u0074
\\u0068\\u0069\\u0073', 'annoying', '0x0a');
 
 
 
Let's decode the hex stream string

\u0069\u006e\u0066\u006f\u0073\u0065\u0063\u005f\u0066\u006c\u0061\u0067\u0069\u0073\u005f\u0077\u0068\u0061\u0074\u0073\u006f\u0072\u0063\u0065\u0072\u0079\u0069\u0073\u0074\u0068\u0069\u0073

using the online tool http://ddecode.com/hexdecoder/

This gives:
Flag  :infosec_flagis_whatsorceryisthis
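
The encodings met in levels 2, 4, 5, 6, 7, 12 and 14 (Base64, ROT13, binary, hex and \u escapes) can be told apart automatically. This added example, which is not part of the original write-up, tries each decoder and keeps the first result that starts with the infosec_flagis_ prefix; the function names are chosen here for illustration.

```python
import base64, binascii, codecs, contextlib, re

FLAG_PREFIX = "infosec_flagis_"  # flag format used by the levels on this page

def from_binary(s):
    if re.fullmatch(r"[01]+", s) and len(s) % 8 == 0:
        return bytes(int(s[i:i + 8], 2) for i in range(0, len(s), 8))

def from_hex(s):
    if re.fullmatch(r"[0-9a-fA-F]+", s) and len(s) % 2 == 0:
        return bytes.fromhex(s)

def from_u_escapes(s):  # accepts \u0069 and the doubled \\u0069 of the SQL dump
    if re.fullmatch(r"(?:\\+u[0-9a-fA-F]{4})+", s):
        codes = re.findall(r"u([0-9a-fA-F]{4})", s)
        return "".join(chr(int(c, 16)) for c in codes).encode("utf-8", "replace")

def from_base64(s):
    with contextlib.suppress(binascii.Error, ValueError):
        return base64.b64decode(s, validate=True)

def from_rot13(s):
    return codecs.encode(s, "rot13").encode("utf-8", "replace")

# Narrowest alphabet first: a run of 0/1 is also valid hex, and hex can also be
# valid Base64, so a wider decoder tried first could claim the input wrongly.
DECODERS = [("binary", from_binary), ("hex", from_hex), ("u-escape", from_u_escapes),
            ("base64", from_base64), ("rot13", from_rot13)]

def triage(s):
    """Return (encoding, text) for the first decoder whose output is a flag."""
    for name, decode in DECODERS:
        raw = decode(s.strip())
        text = raw.decode("ascii", "replace") if raw else ""
        if text.startswith(FLAG_PREFIX):
            return name, text
    return None, None

# Encoded values copied from levels 2, 4, 5, 6 and 14 of this page.
SAMPLES = ["aW5mb3NlY19mbGFnaXNfd2VhcmVqdXN0c3RhcnRpbmc=",
    "vasbfrp_syntvf_jrybirpbbxvrf",
    "0110100101101110011001100110111101110011" "0110010101100011010111110110011001101100"
    "0110000101100111011010010111001101011111" "0111001101110100011001010110011101100001"
    "0110110001101001011001010110111001110011",
    "696e666f7365635f666c616769735f736e6966666564",
    r"\u0069\u006e\u0066\u006f\u0073\u0065\u0063\u005f\u0066\u006c\u0061\u0067\u0069\u0073\u005f\u0077"
    r"\u0068\u0061\u0074\u0073\u006f\u0072\u0063\u0065\u0072\u0079\u0069\u0073\u0074\u0068\u0069\u0073"]

if __name__ == "__main__":
    print([triage(s) for s in SAMPLES])
```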
 

Infosec Institute n00bs CTF Labs LEVEL 15

URL :http://ctf.infosecinstitute.com/levelfifteen/index.php

Hint: DNS lookup
Let's see what happens with the input 127.0.0.1

The output looks like that of the Linux dig command: http://en.wikipedia.org/wiki/Dig_%28command%29

Check for command injection using the input 127.0.0.1;ls -al


Check for command injection using the input 127.0.0.1;cat .hey
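
The input 127.0.0.1;ls -al works because the value reaches a shell unchanged. As an added example (not the challenge's server code, which is not shown on this page, and assuming the server builds a dig command line by string concatenation), the code below shows the shell operator inside the concatenated command and a validated, no-shell argument list for the same lookup.

```python
import ipaddress
import re
import shlex

LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"(?=.{{1,253}}\Z){LABEL}(?:\.{LABEL})*\.?")


def vulnerable_command(target):
    """Assumed server-side pattern: input concatenated into a shell command."""
    return "dig " + target


def shell_operators(command_line):
    """Return the shell control operators (; | & and so on) in a command line."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if set(tok) <= set(lexer.punctuation_chars)]


def safe_argv(target):
    """Accept only an IP address or hostname; return argv for a no-shell exec."""
    target = target.strip()
    try:
        ipaddress.ip_address(target)
    except ValueError:
        # Hostname labels cannot start with '-', '+' or '@', so the value can
        # never be read by dig as an option, a query flag or a server.
        if not HOSTNAME.fullmatch(target):
            raise ValueError(f"rejected lookup target: {target!r}") from None
    # Pass this list to subprocess.run(argv, shell=False, timeout=...).
    return ["dig", target]


if __name__ == "__main__":
    # First and last inputs are from the write-up; example.com is constructed.
    for value in ("127.0.0.1", "example.com", "127.0.0.1;ls -al"):
        print(repr(value), "operators:", shell_operators(vulnerable_command(value)))
        try:
            print("  argv:", safe_argv(value))
        except ValueError as exc:
            print("  ", exc)
```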




I found this string in .hey:
 
Miux+mT6Kkcx+IhyMjTFnxT6KjAa+i6ZLibC
 
The format of this message looks like a variant of the Base64 encoding system.

Let's try decoding it with:

atom128
megan35
zong22
hazz15
base

using the online tools at http://crypo.in.ua/tools/
 
 
 
 
 
Flag : infosec_flagis_rceatomized
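
Trying candidate alphabets can also be done locally. This added example (not part of the original write-up) maps a custom 65-character alphabet onto standard Base64 and keeps the decodings that are printable ASCII. The ATOM-128 alphabet is the one commonly published for that encoding and is an assumption here, since the page does not list it; alphabets for the other encodings can be added to CANDIDATES.

```python
import base64
import binascii

STANDARD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
# Alphabet used by common ATOM-128 tools (assumption: it is not given on this
# page). Its 65th character replaces '=' as the padding symbol.
ATOM128 = "/128GhIoPQROSTeUbADfgHijKLM+n0pFWXY456xyzB7=39VaqrstJklmNuZvwcdEC"
CANDIDATES = {"base64": STANDARD, "atom128": ATOM128}


def decode_with_alphabet(data, alphabet):
    """Map a 65-character custom alphabet onto standard Base64 and decode."""
    if len(alphabet) != 65 or len(set(alphabet)) != 65:
        raise ValueError("alphabet must be 64 symbols plus padding, all unique")
    if set(data) - set(alphabet):
        raise ValueError("data contains characters outside the alphabet")
    translated = data.translate(str.maketrans(alphabet, STANDARD))
    return base64.b64decode(translated, validate=True)


def plausible_decodings(data, candidates=CANDIDATES):
    """Return {name: text} for alphabets whose output is printable ASCII."""
    results = {}
    for name, alphabet in candidates.items():
        try:
            text = decode_with_alphabet(data, alphabet).decode("ascii")
        except (ValueError, binascii.Error):
            continue  # wrong alphabet: bad characters, bad padding or non-ASCII
        if text.isprintable():
            results[name] = text
    return results


if __name__ == "__main__":
    # String found in .hey, copied from the write-up above.
    print(plausible_decodings("Miux+mT6Kkcx+IhyMjTFnxT6KjAa+i6ZLibC"))
```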