LOTTERY ASIS-CTF-2014 Web-100 writeup

Screenshot from 2014-10-23 18:28:07

This is the basic web challenge. If we go to the link given above, we get a message like this when we visit the page for the first time 🙂

Screenshot from 2014-10-23 21:06:49

As the page says, let's visit the page a second time 🙂

Screenshot from 2014-10-23 21:11:10

So here comes the lottery, which says that we are the 2444th visitor and that we need to become the 1234567890th visitor to win it, along with a clue saying not to hack the cookies. We should always do the thing we are not supposed to do, so let's try hacking the cookies. But the first thing to do when we see a web question is to view the source of the page 🙂 Once you look at the source you will understand that there is no way to find the visitor number other than the cookie 🙂

If you are not aware of what a cookie is, read about it at http://en.wikipedia.org/wiki/HTTP_cookie

I have a cool tool called "EditThisCookie" for editing cookies; you can get it from the Chrome store at https://chrome.google.com/webstore/detail/editthiscookie/fngmhnnpilhplaeedifhccceomclgfbg?hl=en

If you look at the cookie named Visitor you will see a value like this, which is URL encoded:

MjQ1Njo3Y2Y2NDM3OWViNmYyOWE0ZDI1YzRiNmEyZGY3MTNlNA%3D%3D

For more details about URL encoding, visit this wiki page: http://en.wikipedia.org/wiki/Percent-encoding

If you wonder why URL encoding is used at all, this link will give you the answer: http://stackoverflow.com/questions/4667942/why-should-i-use-urlencode

You can decode it using any tool; I use this online one: http://www.url-encode-decode.com/

The decoded result looks like this:

MjQ1Njo3Y2Y2NDM3OWViNmYyOWE0ZDI1YzRiNmEyZGY3MTNlNA==

which in turn looks like base64 encoding. If you decode that, the output looks like this:

2456:7cf64379eb6f29a4d25c4b6a2df713e4

2456 seems to be the number of our visit, so if we could change the number to 1234567890 we could win the lottery (get the flag 😀 )
The value after the 2456 is nothing but the md5sum of the number 2456 🙂

so

1234567890:e807f1fcf82d132f9bb018ca6738a19f

is the value we need. Encoded to base64 it becomes

MTIzNDU2Nzg5MDplODA3ZjFmY2Y4MmQxMzJmOWJiMDE4Y2E2NzM4YTE5Zg==

and finally we need to URL-encode it, which gives

MTIzNDU2Nzg5MDplODA3ZjFmY2Y4MmQxMzJmOWJiMDE4Y2E2NzM4YTE5Zg%3D%3D

So if you set this as the cookie value and refresh the page, you get the flag:

ASIS_9f1af649f25108144fc38a01f8767c0c

Here is the screenshot of the flag 🙂

Screenshot from 2014-10-24 19:13:47
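The whole chain above (URL decode, base64 decode, split on the colon, check the digest, rebuild) is short enough to put in a script, so here is an added example, written for this write-up and not part of the original post or the challenge's own code. It decodes the sample cookie from the write-up, shows that the "signature" is a keyless md5 of the number that anyone can recompute, and contrasts it with an HMAC-based cookie that a client cannot forge without the server's key. The `SERVER_KEY` value and the two `*_signed_cookie` helpers are constructed for the example; the challenge server's real code is not known.

```python
import base64
import hashlib
import hmac
import urllib.parse
from typing import Optional, Tuple

# Constructed sample: the Visitor cookie exactly as the write-up shows it.
SAMPLE_COOKIE = "MjQ1Njo3Y2Y2NDM3OWViNmYyOWE0ZDI1YzRiNmEyZGY3MTNlNA%3D%3D"


def decode_visitor_cookie(cookie: str) -> Tuple[int, str]:
    """URL-decode, then base64-decode, then split 'number:digest'."""
    raw = base64.b64decode(urllib.parse.unquote(cookie)).decode("ascii")
    number, digest = raw.split(":", 1)
    return int(number), digest


def md5_hex(value: str) -> str:
    return hashlib.md5(value.encode("ascii")).hexdigest()


def digest_is_consistent(cookie: str) -> bool:
    """True when the digest is simply md5(number), i.e. it carries no secret
    and therefore provides no integrity protection at all."""
    number, digest = decode_visitor_cookie(cookie)
    return md5_hex(str(number)) == digest


def encode_visitor_cookie(number: int) -> str:
    """Rebuild a cookie the way the challenge does: number:md5(number),
    base64-encoded, then URL-encoded (so '=' becomes %3D)."""
    payload = f"{number}:{md5_hex(str(number))}".encode("ascii")
    b64 = base64.b64encode(payload).decode("ascii")
    return urllib.parse.quote(b64, safe="")


# ---- Hardened variant (assumption: the server keeps a secret key) ----
SERVER_KEY = b"constructed-secret-key-known-only-to-the-server"


def encode_signed_cookie(number: int, key: bytes = SERVER_KEY) -> str:
    """Same layout, but the tag is HMAC-SHA256 over the number under a key
    the client never sees, so changing the number invalidates the tag."""
    tag = hmac.new(key, str(number).encode("ascii"), hashlib.sha256).hexdigest()
    payload = f"{number}:{tag}".encode("ascii")
    return urllib.parse.quote(base64.b64encode(payload).decode("ascii"), safe="")


def verify_signed_cookie(cookie: str, key: bytes = SERVER_KEY) -> Optional[int]:
    """Return the visitor number if the tag verifies, otherwise None."""
    try:
        raw = base64.b64decode(urllib.parse.unquote(cookie)).decode("ascii")
        number, tag = raw.split(":", 1)
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    expected = hmac.new(key, number.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return int(number)


if __name__ == "__main__":
    n, d = decode_visitor_cookie(SAMPLE_COOKIE)
    print(f"visitor={n} digest={d} keyless_md5={digest_is_consistent(SAMPLE_COOKIE)}")
    print("rebuilt for 1234567890:", encode_visitor_cookie(1234567890))
    signed = encode_signed_cookie(1234567890)
    print("HMAC cookie verifies as:", verify_signed_cookie(signed))
    print("keyless cookie against HMAC check:",
          verify_signed_cookie(encode_visitor_cookie(1234567890)))
```

The lesson for anyone building this kind of counter: a hash of the data alone is not a signature. Either keep the visitor count server-side (session storage) or authenticate the cookie with a keyed MAC as in `encode_signed_cookie`, and compare tags with a constant-time function.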

HOW MUCH EXACTLY? ASIS-2014 Trivia-25 writeup

Screenshot from 2014-10-23 18:27:19

This is a very easy question, as Google was enough to get the key 🙂

If you google the description you will get the following link: https://archive.org/stream/Untangling_the_Web/Untangling_the_Web_djvu.txt

If you search that page (Ctrl+F -> find) for "how much", you will see that all the references are taken from this link: http://www.sims.berkelev.edu/research/proiects/how-much-%20info-2003/execsum.htm#summary

Unfortunately this web page is no longer available, but if you google for it you will get a link on the www2 host: http://www2.sims.berkeley.edu/research/projects/how-much-info-2003/execsum.htm

If you search there for IM (instant messaging) you find that its size is 274 terabytes.

Screenshot from 2014-10-23 18:47:42

The format of the flag is ASIS_md5(size), which means that we need to find the md5sum of the size and prepend "ASIS_" to it. We can find the md5sum of any value in the terminal using the following command:

echo -n 274 | md5sum

The -n flag tells echo not to print the trailing newline: by default echo appends a newline ("\n"), and a newline at the end of 274 changes the md5sum, so we should not forget it 🙂 The resulting flag is

ASIS_d947bf06a885db0d477d707121934ff8

But later I found that the size of instant messaging was given directly in the link https://archive.org/stream/Untangling_the_Web/Untangling_the_Web_djvu.txt

I should have searched for "instant messaging" in the text file directly, which I later learned from another write-up.

Screenshot from 2014-10-23 18:48:21
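The `-n` point above is worth seeing in code, because it is the most common reason a hash-based flag comes out wrong. The following is an added example (not from the original post) that builds the ASIS_md5(size) flag from the exact bytes `echo -n 274` emits, and shows that hashing what `echo 274` emits instead (the digits plus a newline) yields a different digest.

```python
import hashlib


def echo_bytes(value: str, n_flag: bool) -> bytes:
    """The bytes `echo` writes to the pipe: with -n just the text,
    without -n the text followed by a newline."""
    return value.encode("ascii") if n_flag else (value + "\n").encode("ascii")


def md5sum(data: bytes) -> str:
    """What `md5sum` prints (the hex digest) for the given stdin bytes."""
    return hashlib.md5(data).hexdigest()


def asis_flag(size: str) -> str:
    """ASIS_md5(size): hash the digits only, i.e. `echo -n 274 | md5sum`."""
    return "ASIS_" + md5sum(echo_bytes(size, n_flag=True))


def newline_changes_digest(size: str) -> bool:
    """True when forgetting -n would produce a different (wrong) flag."""
    return md5sum(echo_bytes(size, n_flag=True)) != md5sum(echo_bytes(size, n_flag=False))


if __name__ == "__main__":
    size = "274"  # the instant-messaging figure, in terabytes, from the write-up
    print("echo -n 274 | md5sum ->", md5sum(echo_bytes(size, True)))
    print("echo 274 | md5sum    ->", md5sum(echo_bytes(size, False)))
    print("flag:", asis_flag(size))
```

When in doubt, pipe the data through `xxd` or `od -c` before hashing so the exact bytes being fed to `md5sum` are visible.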

T_1000 ECTF Recon-120 writeup

Screenshot from 2014-10-23 16:23:30

This is the toughest recon challenge that I have ever seen (or, in other words, the worst one :P)

The first result you get when you search for T_1000 is the Terminator, so I tried all the names related to the movie, such as the director, the producer and the actor who played the T-1000, but with no result 🙁 I also tried Skynet, which builds the terminators in the film 😛 My team mate was joking that we should enter the flag as Rajinikanth 😀

After asking the admins about the challenge, I concluded that T_1000 was not related to the movies 🙂

My team mate solved Forensics-500, which relates to the channel #nitk-maliciousbots containing a bot named T_1000, so I thought this was the end of the recon and tried to get the flag by asking the bot in a private message. But this was only half of the challenge 🙂

Following the clue "whois T_1000", the output of the whois command in IRC is as follows:

@31337_h4X0R (cinch@2a01:7e00::f03c:91ff:fe56:df09)

BOT_T_1000 is connected via holmes.freenode.net (London, UK)

Operator in:

#nitk-maliciousbots

So we have a new thing to google for 🙂 i.e. 31337_h4X0R. It turns out 31337_h4X0R has a Twitter account: https://twitter.com/31337_h4X0R

This account has very few tweets, and it contains this photo:

shellshock

And finally, if you grep the strings in the photo, you get the flag as follows:

Screenshot from 2014-10-23 18:14:40

flag{I_am_N0t_Ge0Hot}

Meet The Team – Ectf 2014 Recon-80

Screenshot from 2014-10-23 16:17:29

I have attached the screenshot of the Recon-80 question 🙂

The question is very simple, but finding the team's blog is hard because ECTF is being organised for the first time.

The ECTF organizers do not have a well-established blog with write-ups of the challenges they have solved; it seems they created the blog just for this challenge, as it contains only one post, which makes it difficult for search engines to index that link (if any of you googled for the blog and did not get the link, don't blame Google, it is doing a great job).

The name of the team organising the CTF is NIA (No Internet Access). They mentioned it in the clue as well, but you would never guess that it is the name of the team. For more details visit this link: http://nia-ctf.github.io/

Bingo: you get the blog link from ctftime.org at https://ctftime.org/team/8096, which points to http://nia-ctf.github.io/, and that is the flag. There was some small confusion regarding the format of the flag, but the admins would have helped you with that at the time 🙂

flag:http://nia-ctf.github.io/