Egypt & UAE National Cyber Security CTF Quals 2017 - Write-ups

Information

Version

By Version Comment
noraj 1.0 Creation

CTF

  • Name : Egypt & UAE National Cyber Security CTF Quals 2017
  • Website : cybertalents.com
  • Type : Online
  • Format : Jeopardy
  • CTF Time : link

25 - G&P List - Digital Forensics

Just Open the File and Capture the flag . Submission in MD5

Challenge Link: https://s3-eu-west-1.amazonaws.com/talentchallenges/Forensics/G%26P+lists.docx

$ strings G\&P+lists.docx | grep -i flag
Flag.txt877c1fa0445adaedc5365d9c139c5219PK
Flag.txt

You can see the flag right here between Flag.txt and PK. But you can also extract the docx as an archive and just read the Flag.txt content.

25 - Hidden Message - Digital Forensics

A cyber Criminal is hiding information in the below file . capture the flag ? submit Flag in MD5 Format

Challenge Link: https://s3-eu-west-1.amazonaws.com/talentchallenges/Forensics/hidden_message.jpg

Let's see exif metadata:

$ exiftool hidden_message.jpg | grep -i Notice
Copyright Notice : b1a1f2855d2428930e0c9c4ce10500d5

25 - Crack the Hash - Cryptography

A hacker leaked the below hash online. Can you crack it to know the password of the CEO? 1ab566b9fa5c0297295743e7c2a6ec27

$ hashid 1ab566b9fa5c0297295743e7c2a6ec27
Analyzing '1ab566b9fa5c0297295743e7c2a6ec27'
[+] MD2
[+] MD5
[+] MD4
[+] Double MD5
[+] LM
[+] RIPEMD-128
[+] Haval-128
[+] Tiger-128
[+] Skein-256(128)
[+] Skein-512(128)
[+] Lotus Notes/Domino 5
[+] Skype
[+] Snefru-128
[+] NTLM
[+] Domain Cached Credentials
[+] Domain Cached Credentials 2
[+] DNSSEC(NSEC3)
[+] RAdmin v2.x

It must be an MD5 hash. I used the findmyhash script but had no result. Then I tried online on hashkiller.

The flag was Iamtheflag.

50 - Admin has the power - Web Security

If we take a look at the source code we can see:

<!-- TODO: remove this line , for maintenance purpose use this info (user:support password:x34245323)-->

And if we login as the support user we get the following message:

Hi support
Your privilege is support , may be you need better privilages !!

Our cookie looks like this: PHPSESSID=uq82s6g3kdbknicsj8eb040pj0; role=support. Maybe we can change the role.

We just used Burp as a proxy to intercept our request and change our cookie to PHPSESSID=uq82s6g3kdbknicsj8eb040pj0; role=admin.

The result is:

Hi admin
Admin Secret flag : hiadminyouhavethepower
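
Why the role cookie could be changed, and two server-side fixes, as an added example that is not the challenge's code: the vulnerable pattern trusts the role value the browser sends, while the fixes either look the role up from the session or accept it only with a valid HMAC. Assumptions: Python stands in for the server logic, and SERVER_KEY, SESSIONS and all function names are hypothetical.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed values for this example; the key is a placeholder, not from the challenge.
SERVER_KEY = b"example-server-side-key"
# Session id -> role, held on the server and never sent to the client.
SESSIONS = {"uq82s6g3kdbknicsj8eb040pj0": "support"}


def parse_cookies(header):
    """Parse a Cookie request header into a plain dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def role_trusting_cookie(header):
    """Vulnerable pattern: the role is whatever the client sent."""
    return parse_cookies(header).get("role", "guest")


def role_from_session(header):
    """Fix 1: ignore the role cookie and look the role up by session id."""
    sid = parse_cookies(header).get("PHPSESSID", "")
    return SESSIONS.get(sid, "guest")


def sign_role(sid, role):
    """Fix 2: bind the role to the session id with an HMAC the client cannot forge."""
    msg = f"{sid}|{role}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{role}.{tag}"


def role_from_signed_cookie(header):
    """Accept the role only if its HMAC verifies for this session id."""
    cookies = parse_cookies(header)
    sid = cookies.get("PHPSESSID", "")
    role, _, tag = cookies.get("role", "").partition(".")
    expected = sign_role(sid, role).partition(".")[2]
    if role and hmac.compare_digest(tag.encode(), expected.encode()):
        return role
    return "guest"
```
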

50 - Cypher Anxiety - Digital Forensics

Warning: We got the picture but we didn't get the right flag.

$ strings find\ the\ image.pcap| head -11
Hey bro
S\U
Sup supp, are we ready
yeah, u got the files?
yes but i think the channel is not secured
the UTM will block the file transfer as the DLP module is active
ok we can use cryptcat
ok what the password then
let it be [email protected]
hhh, ok
listen on 7070 and ill send you the file , bye

So they use cryptcat over port 7070 with the secret key [email protected].

With Wireshark, let's filter on tcp.port == 7070, then follow the TCP stream and save it as a raw file.

Then open a netcat client on localhost: netcat localhost 7070 < crypted.file.

And open a cryptcat listener on localhost: cryptcat -l -k [email protected] -p 7070 > decrypted.file.

$ file decrypted.jpeg
decrypted.jpeg: JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 7.0, datetime=2012:07:30 17:31:00]
$ binwalk decrypted.jpeg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.02
30 0x1E TIFF image data, big-endian, offset of first image directory: 8
324 0x144 JPEG image data, JFIF standard 1.02
4279 0x10B7 JPEG image data, JFIF standard 1.02
7186 0x1C12 Unix path: /www.w3.org/1999/02/22-rdf-syntax-ns#' xmlns:iX='http://ns.adobe.com/iX/1.0/'>
7355 0x1CBB Unix path: /ns.adobe.com/xap/1.0/mm/'>
$ exiftool decrypted.jpeg| grep -i "thumbnail image"
Thumbnail Image : (Binary data 2561 bytes, use -b option to extract)
$ exiftool -b -ThumbnailImage decrypted.jpeg > thumb.jpeg

Submitting the MD5 hash of either the picture or the thumbnail failed. We didn't get the flag.
