HackLu CTF 2012 – Python jail (200) Write-up

Python jail
You are surrounded by zombies. You heard there’s a safe house nearby, but climbing fences is hard with a beer belly. Thank god, there’s another survivor over there. “Hey! Help me!”, you shout. He just laughs and shakes you off the fence. Asshole. Later, you see his dead body lying in front of a high security door secured by automated weapons. Heh… karma is a bitch. But that means you’ll have to find another way in. In this nerd area, all the doors are secured with stupid computer puzzles. So, what the heck.

Better try this one:
https://ctf.fluxfingers.net/challenges/python_jail/chal.py
ctf.fluxfingers.net tcp/2045

Hint: You’ll find the entrance in “./key”

This is the source code of the Python jail service:


HackLu CTF 2012 – Tux-Bomb! (150) Write-up

5 – TUX-BOMB! (150)
Yeah! We control a zombie server which is connected to a TUX-Bomb. These servers are located in the head of the organization. This bomb can destroy a lot of their servers and employees. But we have no access since we are not in possession of a valid user name and activation key. So here’s your job: Find a way to detonate the TUX-BOMB!

https://ctf.fluxfingers.net/challenges/tux_bomb.exe

Hint: There is a small typo on your way to the flag – don’t get confused about it. Just use your intuition and everything should work fine!

We are provided with a Windows .exe binary. This binary needs to be run with 22 arguments:


HackLu CTF 2012 – Zombie AV (150) Write-up

2 – zombie AV
Some people try to fight the zombie apocalypse by selling pseudo antidote.
We need the secret formula in config.php to destroy their snake oil business…

Source: https://ctf.fluxfingers.net:2070/zombieav.zip
Page: https://ctf.fluxfingers.net:2070

This challenge is a web page that allows us to upload 32-bit Linux ELF binaries. The site scans the uploaded executables looking for zombie viruses. If a binary is detected as infected, it is executed on the server in order to clean it, and the output generated by the infected binary is shown to us.

As we can see in the source code of scan.php, a binary is considered infected if it has the following entry point:

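The scanner's verdict therefore rests on a single field of the ELF header, e_entry. The following is an added example (written for this page, not the challenge's scan.php nor the author's exploit) in Python that reads that field from a 32-bit ELF image, rewrites it, and emulates an entry-point signature check. The sample header and the signature value 0x08048074 are constructed for the demonstration; the excerpt above does not show the value scan.php actually looks for.

```python
import struct

# Offsets within Elf32_Ehdr as given by the ELF specification.
ELF_MAGIC = b"\x7fELF"
EI_CLASS = 4           # 1 = ELFCLASS32, 2 = ELFCLASS64
EI_DATA = 5            # 1 = little-endian, 2 = big-endian
E_ENTRY_OFFSET = 0x18  # Elf32_Addr e_entry sits at byte 24 of the header
ELF32_EHDR_SIZE = 52


def elf32_entry(data: bytes) -> int:
    """Return e_entry of a 32-bit ELF image.

    Raises ValueError when the header is too short, lacks the ELF magic,
    or is not ELFCLASS32, so callers never read garbage as an address."""
    if len(data) < ELF32_EHDR_SIZE or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[EI_CLASS] != 1:
        raise ValueError("not a 32-bit ELF file")
    endian = "<" if data[EI_DATA] == 1 else ">"
    return struct.unpack_from(endian + "I", data, E_ENTRY_OFFSET)[0]


def set_elf32_entry(data: bytes, entry: int) -> bytes:
    """Return a copy of the image whose e_entry has been overwritten with `entry`.
    Only the header is touched; whether `entry` is mapped and executable is the
    caller's problem, exactly as it is for a scanner that trusts this field."""
    elf32_entry(data)  # validate the header before patching it
    endian = "<" if data[EI_DATA] == 1 else ">"
    patched = bytearray(data)
    struct.pack_into(endian + "I", patched, E_ENTRY_OFFSET, entry)
    return bytes(patched)


def is_flagged(data: bytes, signature_entry: int) -> bool:
    """Emulation (hypothetical, not scan.php) of an entry-point signature:
    the file is 'infected' when e_entry equals the scanner's signature value."""
    try:
        return elf32_entry(data) == signature_entry
    except ValueError:
        return False


def build_sample_header(entry: int) -> bytes:
    """Constructed sample: a minimal little-endian ELF32 header for EM_386
    with one program header and no sections, carrying the given e_entry."""
    ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + bytes(8)  # class, data, version, OSABI, pad
    # e_type=ET_EXEC, e_machine=EM_386, e_version, e_entry, e_phoff=52, e_shoff=0,
    # e_flags=0, e_ehsize=52, e_phentsize=32, e_phnum=1, e_shentsize=40, e_shnum=0, e_shstrndx=0
    return ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, entry, 52, 0, 0, 52, 32, 1, 40, 0, 0)


if __name__ == "__main__":
    SIGNATURE = 0x08048074  # assumed signature value for the demonstration
    clean = build_sample_header(0x08048080)
    print("clean flagged:", is_flagged(clean, SIGNATURE))
    print("patched flagged:", is_flagged(set_elf32_entry(clean, SIGNATURE), SIGNATURE))
```

The point for a defender is that e_entry is entirely under the uploader's control: one pack_into turns any binary into a "positive", so a policy of "execute the infected file to clean it" is arbitrary code execution for anyone who knows the signature. A scanner that must run samples has to do it in an isolated sandbox, never in the web server's process and filesystem.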

HackLu CTF 2012 – Zombie Reminder (200) Write-up

19 – Zombie Reminder

Zombies love brains. But zombies forget, so they have a tool where they can enter the location of brains they found. In a heroic mission someone managed to obtain both the source code and the information that a critical file can be found at ‘/var/www/flag’. Your mission is to obtain the contents of this file by any means and avenge your fallen friend!

Service: https://ctf.fluxfingers.net:2073/
Source: https://ctf.fluxfingers.net/challenges/zombie_reminder.py

This is the source code of the challenge:


CSAW CTF 2012 Quals: Write-ups

CSAW CTF 2012 Quals is over. As always, thanks go to my teammate Archie.
In my opinion there were too many too-easy levels. Here are the write-ups for the challenges we managed to solve:

Trivia

  • Trivia1 – 100 Points

What is the first step of owning a target?

Answer: recon

  • Trivia2 – 100 Points

What is the name of Google’s dynamic malware analysis tool for Android applications?

Answer: bouncer

  • Trivia3 – 100 Points

What is the x86 opcode for and al, 0x24? Put your answer in the form 0xFFFF.

Answer: 0x2424

  • Trivia4 – 100 Points

Who was the first security researcher to publish the DEP bypass that utilized WriteProcessMemory()?

Answer: Spencer Pratt

  • Trivia5 – 100 Points

What is the name of Microsoft’s sophisticated distributed fuzzing system that utilizes automated debugging, taint analysis, model building, and constraint solving?

Answer: SAGE

Stripe CTF 2.0 writeups, levels 0 to 6

About a week late, but here you have my writeups for Stripe CTF 2.0, levels 0 to 6. There were two more levels, but I wasn’t able to complete them.

Congrats to the Stripe guys for the nice work organizing this web-oriented CTF!

Level 0 (SQL Injection)

This level was a web application written using node.js. It was possible to inject SQL code into a vulnerable query, as seen below:

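The level's own node.js query is not reproduced in this excerpt. As an added illustration of the pattern (my example, not Stripe's code), the Python/sqlite3 snippet below puts a string-concatenated login query next to its parameterized replacement and runs the classic `' OR '1'='1` and comment-truncation payloads against both. The users table and its two accounts are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: one users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("bob", "s3cret"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the statement by concatenation, so attacker input is parsed as SQL.
    A password of  ' OR '1'='1  makes the WHERE clause unconditionally true, and a
    username of  bob' --  comments out the password check entirely."""
    query = ("SELECT 1 FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters: the statement is compiled first and the values are
    supplied afterwards, so quotes and comment markers are just characters."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("bob", "s3cret"), ("nobody", "' OR '1'='1"), ("bob' --", "wrong")]:
        print(repr(user), repr(pw), "vulnerable:", login_vulnerable(db, user, pw),
              "safe:", login_safe(db, user, pw))
```

Escaping quotes by hand is not an alternative to the parameterized form: the driver's binding keeps user data out of the SQL grammar regardless of what characters it contains, whereas an escaping routine has to anticipate every dialect-specific way of breaking out of a string.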

Defcon 20 CTF Prequals 2012 – Forensics 300 Writeup

So Defcon 20 CTF Prequals 2012 has finished! As with PlaidCTF, I’d like to say thank you to my teammate, Archie!

Let’s start with the Forensics 300 writeup.

The description of the challenge was just “Please get my key back!“, and we were provided with a file named for300-47106ef450c4d70ae95212b93f11d05d.

Let’s start examining the file:


francisco@sherminator:~/Downloads$ file for300-47106ef450c4d70ae95212b93f11d05d
for300-47106ef450c4d70ae95212b93f11d05d: data

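When file(1) only reports "data", the usual next step is to look at the bytes yourself: measure how random they are and search for known magic numbers that do not sit at offset 0. The Python below is an added triage helper written for this page, not the author's solution, and it makes no claim about what for300 actually contained; the SAMPLE blob and the signature shortlist are constructed for the demonstration.

```python
import math
from collections import Counter

# Shortlist of well-known magic numbers (constructed for the example, not exhaustive).
SIGNATURES = {
    b"\x7fELF": "ELF",
    b"MZ": "DOS/PE executable",
    b"PK\x03\x04": "ZIP local file header",
    b"\x1f\x8b": "gzip",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"\xff\xd8\xff": "JPEG",
    b"%PDF": "PDF",
    b"-----BEGIN": "PEM text block",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 suggests compressed or encrypted
    content, plain text usually lands around 4 to 5, padding near 0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_signatures(data: bytes) -> list:
    """Return (offset, description) for every known magic found anywhere in the
    blob, sorted by offset. This catches embedded or appended payloads that
    file(1) misses because it only looks at the start of the file."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while True:
            off = data.find(magic, start)
            if off < 0:
                break
            hits.append((off, desc))
            start = off + 1
    return sorted(hits)


def triage(data: bytes) -> dict:
    """One-shot summary a responder would print before opening a hex editor."""
    return {
        "size": len(data),
        "entropy": round(shannon_entropy(data), 2),
        "signatures": find_signatures(data),
    }


# Constructed sample: 100 bytes of padding, a PEM header at offset 100,
# more padding, then a PNG magic at offset 200.
SAMPLE = (bytes(100) + b"-----BEGIN RSA PRIVATE KEY-----\n" + bytes(68)
          + b"\x89PNG\r\n\x1a\n")


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

Two caveats when reading the output: very short magics such as "MZ" will match by chance in any large random-looking blob, so treat a hit as a place to look rather than a verdict, and a file with entropy near 8.0 and no signatures at all is the typical profile of an encrypted or compressed container whose key or header you still have to find.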

PlaidCTF 2012 – Robot Testing Framework (350) [Pirating] Writeup

NOTE: When there were just 3 hours left in PlaidCTF 2012 I started working on the Robot Testing Framework (350) [Pirating] quest. Unfortunately I wasn’t able to finish it on time, but anyway I decided to keep working on it just for the fun. Here’s the writeup. The online service at pwning.net:8009 is no longer available to try my solution against, but I’m pretty sure that the solution is correct.

The quest was:

We have discovered a robot testing framework that appears to take a robot module and determine whether or not it is acceptable. Can you help us figure out what the criteria for acceptance are? Framework is found at pwning.net:8009.
This challenge was made by our friends at ManTech. If you enjoyed it, you might be interested in working for them.

We downloaded the RobotLoader.exe file and proceeded to do some dynamic analysis with OllyDbg.
