Bank of America CTF – Challenge Coins @ DerbyCon 9

I took part in the Bank of America CTF during the last DerbyCon, and I wanted to share some of my write-ups.

Bank of America CTF - Introduction

Just like last year's DerbyCon, the Bank of America team was hosting a CTF for anyone at the conference.

I won a challenge coin from last year's CTF, and it was sweet looking.

Bank of America CTF - DerbyCon 8 Coin

This year wasn't about trying to win, but I was hoping to score 200 points and win another challenge coin!

You can still find the challenges and scoreboard

For another write-up, I recommend the following post

It looks like BofA will run the CTF again during Technica, so I will hold off on posting everything until that ends!

Challenges

Steganography (15 points)

The first challenge that I solved was image steganography and was found here.

First, I opened the image in Stegsolve.jar

Bank of America CTF - Stegsolve

Once I changed to the image negative, I was able to easily read the flag in the bottom left corner.

Bank of America CTF - Inverted

Note that Chrome made this even easier, and I could have avoided another program entirely.

Bank of America CTF - Steg Chrome

I entered the flag, '8f8c2ca5c4bed32e4b364fe26df7f048', and got some points on the board.

Password Cracking - Zip (10 points)

My next challenge was Zip password cracking.

First, I downloaded the archive.

root@kali:~/bofa# wget https://infosecuritychallenge.com/files/a25b85fdb335eacd30700f662f2c469c/ctf.zip --no-check-certificate
--2019-09-05 14:01:00--  https://infosecuritychallenge.com/files/a25b85fdb335eacd30700f662f2c469c/ctf.zip
Resolving infosecuritychallenge.com (infosecuritychallenge.com)... 165.227.214.138
Connecting to infosecuritychallenge.com (infosecuritychallenge.com)|165.227.214.138|:443... connected.
WARNING: The certificate of 'infosecuritychallenge.com' is not trusted.
WARNING: The certificate of 'infosecuritychallenge.com' hasn't got a known issuer.
HTTP request sent, awaiting response... 200 OK
Length: 234 [application/zip]
Saving to: 'ctf.zip'

ctf.zip             100%[===================>]     234  --.-KB/s    in 0s      

2019-09-05 14:01:05 (451 MB/s) - 'ctf.zip' saved [234/234]

Next, I used zip2john to get a crackable pkzip hash.

root@kali:~/bofa# zip2john ctf.zip
ver a  efh 5455  efh 7875  ctf.zip->flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=52, decmplen=40, crc=B9F36741
ctf.zip:$pkzip2$1*2*2*0*34*28*b9f36741*0*42*0*34*b9f3*8468*f80798210ffe881c173582f883279cff09de606c168d3f225c5e638f60aec160508d97fae4fe41018fb2e31dcb749df37edaf9cc*$/pkzip2$:::::ctf.zip
root@kali:~/bofa# zip2john ctf.zip > zip_hash
ver a  efh 5455  efh 7875  ctf.zip->flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=52, decmplen=40, crc=B9F36741

Finally, I used John to crack the hash and got the password of '887766'.

root@kali:~/bofa# john zip_hash -incremental=digits
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
887766           (ctf.zip)
1g 0:00:00:00 DONE (2019-09-05 14:10) 7.142g/s 4034Kp/s 4034Kc/s 4034KC/s 887737..887273
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Using the password, I was able to get the flag of 'e081129432efb65d52150e47f45899d1'.

root@kali:~/bofa# unzip ctf.zip
Archive:  ctf.zip
[ctf.zip] flag.txt password:
extracting: flag.txt                
root@kali:~/bofa# cat flag.txt
Flag = e081129432efb65d52150e47f45899d1
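To show what John is actually checking when it reports 887766, the following is an added example, not the author's code and not John the Ripper's: it parses the `$pkzip2$` line that zip2john printed above and brute-forces the same digits-only space with a re-implementation of PKWARE's traditional ZipCrypto stream cipher. The field layout is taken from the comment block in john's pkzip_fmt_plug.c; accepting either the CRC or the timestamp high byte as the header check, and confirming every surviving guess with a full CRC-32 of the plaintext, are choices made for this example.

```python
"""Offline brute force of a zip2john "$pkzip2$" hash with a re-implementation of
PKWARE's traditional ("ZipCrypto") cipher. Added example for this write-up, not
John the Ripper's code. Field layout follows the comment block in john's
pkzip_fmt_plug.c; only one member with inline data (DT=2) is handled."""
import itertools
import zlib

# The line zip2john printed for ctf.zip earlier in the post.
ZIP2JOHN_LINE = (
    "ctf.zip:$pkzip2$1*2*2*0*34*28*b9f36741*0*42*0*34*b9f3*8468*"
    "f80798210ffe881c173582f883279cff09de606c168d3f225c5e638f60aec160"
    "508d97fae4fe41018fb2e31dcb749df37edaf9cc*$/pkzip2$:::::ctf.zip"
)

# Standard reflected CRC-32 table (poly 0xEDB88320); ZipCrypto reuses it to stir its keys.
CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    CRC_TABLE.append(_c)


def parse_pkzip2(line):
    """Split a $pkzip2$ line into the fields a cracker needs (every value is hex)."""
    body = line.split("$pkzip2$", 1)[1].split("$/pkzip2$", 1)[0]
    f = body.rstrip("*").split("*")
    if int(f[0], 16) != 1 or int(f[2], 16) != 2:
        raise NotImplementedError("only a single member with inline data (DT=2) is supported")
    return {
        "uncomp_len": int(f[5], 16),   # UL: plaintext length
        "crc": int(f[6], 16),          # CR: CRC-32 of the plaintext
        "method": int(f[9], 16),       # CT: 0 = stored, 8 = deflated
        "crc_chk": int(f[11], 16),     # CS: high 16 bits of CR (header check word)
        "time_chk": int(f[12], 16),    # TC: high 16 bits of the DOS mod time (alternate check)
        "data": bytes.fromhex(f[13]),  # DA: 12-byte encryption header + ciphertext
    }


class ZipCrypto:
    """PKWARE traditional encryption (APPNOTE 6.1): three 32-bit keys updated per byte."""

    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b):
        self.k0 = CRC_TABLE[(self.k0 ^ b) & 0xFF] ^ (self.k0 >> 8)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF] ^ (self.k2 >> 8)

    def decrypt(self, data):
        out = bytearray()
        for c in data:
            t = (self.k2 | 2) & 0xFFFF
            c ^= ((t * (t ^ 1)) >> 8) & 0xFF  # keystream byte
            self._update(c)                     # keys advance on the plaintext byte
            out.append(c)
        return bytes(out)


def decrypt_member(h, password):
    """Plaintext of the member under `password`, or None if the header check or CRC fails."""
    zc = ZipCrypto(password)
    header = zc.decrypt(h["data"][:12])
    # Cheap filter: the last header byte must equal the high byte of the CRC (or of the
    # DOS time when the member used a data descriptor). About 2 in 256 wrong guesses pass.
    if header[11] not in (h["crc_chk"] >> 8, h["time_chk"] >> 8):
        return None
    body = zc.decrypt(h["data"][12:])
    try:
        plain = body if h["method"] == 0 else zlib.decompress(body, -15)
    except zlib.error:
        return None
    if len(plain) != h["uncomp_len"] or zlib.crc32(plain) != h["crc"]:
        return None
    return plain


def crack(h, candidates):
    """First candidate (str) whose plaintext passes the CRC-32, or None."""
    for pw in candidates:
        if decrypt_member(h, pw.encode()) is not None:
            return pw
    return None


def digit_candidates(max_len=6):
    """All-digit passwords of length 1..max_len, a space like john's -incremental=digits."""
    for n in range(1, max_len + 1):
        for digits in itertools.product("0123456789", repeat=n):
            yield "".join(digits)


if __name__ == "__main__":
    h = parse_pkzip2(ZIP2JOHN_LINE)
    pw = crack(h, digit_candidates())  # pure Python: expect roughly a minute
    print("password:", pw)
    print("flag.txt:", decrypt_member(h, pw.encode()).decode().rstrip())
```

Run as a script it walks all 1,111,110 one-to-six-digit candidates and prints the password and the contents of flag.txt; John's optimised loop covered the same space in a fraction of a second at the 4034Kp/s shown above. The header check is deliberately weak (that is what zip2john's '2b chk' and 'TS_chk' notes refer to), so the CRC-32 of the fully decrypted member is what finally separates the real password from the two-in-256 false positives.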

Bank of America CTF - Trivia (2 points each)

I moved on to the trivia questions next, as I figured they would be an easy 10 points.

  1. Who crashed 1507 computers in a single day? (Zero Cool)
  2. What season/episode of Mr Robot featured the Derbycon founder's name used as a fake name by the protagonist? Submit as S#E# (S3E5)
  3. What is the name of the default wallpaper in Windows XP? (Bliss)
  4. 300 of these counterfeit processors were sold to New Egg submit as XX-XXX. (i7-920)
  5. What is the FCC chairman's favorite candy? (Reese's)

Nesting Dolls (25 points)

The nesting dolls challenge was like other ones that I've seen in CTFs before.

First, I tried to extract every archive manually, but that was taking forever.

Bank of America CTF - Nesting Dolls

Next, I spent some time and got this awesome one-liner working. It looks under the current directory for anything with an archive extension, extracts it with 7z, deletes the original, and repeats while any archive remains. When I ran it, it (eventually) worked perfectly and stopped once there were no archives left.

root@kali:~/bofa/nesting# while [ "`find ./ -type f \( -iname '*.zip' -o -iname '*.tar' -o -iname '*.tar.gz' -o -iname "*.7z" -o -iname "*.bz2" \) | wc -l`" -gt 0 ]; do find ./ -type f \( -iname '*.zip' -o -iname '*.tar' -o -iname '*.tar.gz' -o -iname "*.7z" -o -iname "*.bz2" \) -exec 7z e -- '{}' \; -exec rm -- '{}' \;; done

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz (806EA),ASM,AES-NI)

Scanning the drive for archives:
1 file, 51502 bytes (51 KiB)

Extracting archive: ./BQPBDUYW.tar.bz2
--
Path = ./BQPBDUYW.tar.bz2
Type = bzip2

Everything is Ok   

Size:       61440
Compressed: 51502

... < snip > ...

Extracting archive: ./NEEWNNJC.zip
--
Path = ./NEEWNNJC.zip
Type = zip
Physical Size = 4755

Everything is Ok

Size:       4641
Compressed: 4755
root@kali:~/bofa/nesting#

The final file was flag.png, which was a screenshot of a flag.txt file.

Bank of America CTF - Nested flag

Once I typed it correctly, I submitted the flag of '5ebc96d7-c768-46f2-8555-2c582b7c450e' and earned my points.
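Two things about the one-liner are worth knowing before reusing it: it keys on file extensions, and because `find` runs the second `-exec` only when the first succeeds, a file that 7z cannot open is never deleted and gets found again on every pass, so the loop never terminates. The following is an added example, not the author's code or 7-Zip's, that avoids both: it identifies each layer by magic bytes, keeps everything in memory, records files it cannot open instead of retrying them, and stops on a depth or decompressed-size budget so a malicious nesting doll cannot fill the disk. The limits and the sample archive are constructed for the demonstration; 7z archives are recognised but reported as unopened, since the standard library cannot read them.

```python
"""Nesting-doll extraction driven by magic bytes instead of file extensions.
Added example for this write-up, not the one-liner from the post: it peels
zip / tar / gzip / bzip2 / xz layers in memory, records files it cannot open
instead of retrying them forever, and stops on a depth or size budget so a
hostile archive cannot exhaust the disk. Limits and sample data are made up."""
import bz2, gzip, io, lzma, tarfile, zipfile

MAGICS = [
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),  # recognised, but the stdlib cannot open it
]


def sniff(data):
    """Archive type from content, or None for a leaf file; the extension is ignored."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    if len(data) >= 512 and data[257:262] == b"ustar":  # tar magic sits at offset 257
        return "tar"
    return None


def _inner_name(name, ext):
    return name[: -len(ext)] if name.lower().endswith(ext) else name + ".unpacked"


def unpack_layer(name, data):
    """[(member_name, member_bytes)] for one layer. Names are never used as paths,
    so a '../' inside an archive cannot escape anywhere."""
    kind = sniff(data)
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            return [(m.name, tf.extractfile(m).read()) for m in tf.getmembers() if m.isfile()]
    if kind == "gzip":
        return [(_inner_name(name, ".gz"), gzip.decompress(data))]
    if kind == "bzip2":
        return [(_inner_name(name, ".bz2"), bz2.decompress(data))]
    if kind == "xz":
        return [(_inner_name(name, ".xz"), lzma.decompress(data))]
    raise NotImplementedError(f"{kind} archives need an external tool such as 7z")


def extract_all(name, data, max_depth=64, budget=64 << 20):
    """Unpack until only non-archives remain.
    Returns ({leaf_name: bytes}, [(name, reason), ...] for layers left unopened)."""
    leaves, unopened, spent = {}, [], 0
    work = [(name, data, 0)]
    while work:
        fname, blob, depth = work.pop()
        if sniff(blob) is None:
            leaves[fname] = blob
            continue
        if depth >= max_depth:
            unopened.append((fname, f"depth limit {max_depth} reached"))
            continue
        try:
            members = unpack_layer(fname, blob)
        except (OSError, EOFError, RuntimeError, zipfile.BadZipFile, tarfile.TarError,
                lzma.LZMAError, NotImplementedError) as exc:
            # The shell loop finds such a file again on every pass; record it once and move on.
            # (zipfile raises RuntimeError for password-protected members.)
            unopened.append((fname, f"{type(exc).__name__}: {exc}"))
            continue
        for mname, mdata in members:
            spent += len(mdata)
            if spent > budget:  # decompression bomb guard
                raise RuntimeError(f"decompressed output exceeded {budget} bytes")
            work.append((mname, mdata, depth + 1))
    return leaves, unopened


def build_sample():
    """Constructed input: flag.txt -> zip -> tar (plus a corrupt zip) -> bz2 -> gzip."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", b"flag{constructed-nesting-doll}\n")
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        for mname, mdata in (("inner.zip", zbuf.getvalue()),
                             ("broken.zip", b"PK\x03\x04 not really a zip")):
            info = tarfile.TarInfo(mname)
            info.size = len(mdata)
            tf.addfile(info, io.BytesIO(mdata))
    return "outer.tar.bz2.gz", gzip.compress(bz2.compress(tbuf.getvalue()))


if __name__ == "__main__":
    leaves, unopened = extract_all(*build_sample())
    for fname, blob in leaves.items():
        print(f"{fname}: {blob!r}")
    for fname, reason in unopened:
        print(f"could not open {fname}: {reason}")
```

Run as a script it prints the single leaf, flag.txt, and one 'could not open broken.zip' line for the corrupt member that would have sent the shell loop into an endless cycle. To use it on a real challenge, read the outer file from disk and pass its bytes to `extract_all`; write the leaves out yourself with names you choose, not the member names, which is the point of keeping archive paths out of the filesystem.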

Bank of America CTF - Break and Scoreboard Check

At this point, I decided that it was time to take a quick break. I took a quick look at the scoreboard, and I was in first place still!

Bank of America CTF - Scoreboard

Cryptogram (20 points)

For the cryptogram, the challenge gave the text below.

GXFZ YO ZXC OCTSIH CIZJR YI ZXC JZUE YIHCD MIHCJ ZXC KCZZCJ Z

Using quipqiup, I was able to automatically solve the challenge.

There were a few possibilities, but the following made the most sense.

WHAT IS THE SECOND ENTRY IN THE RTFM INDEX UNDER THE LETTER T

While I didn't have my copy of RTFM handy, I was able to look at the preview on Amazon.

I checked the Index and found that 'TCPDump' was the second entry.

More Ciphers (25 points)

Next, for "More ciphers", the challenge gave the following instructions:

"Decrypt and submit the MD5 of the last word in the sentence:"

V nz n pvcure, n pvcure jenccrq va na ravtzn, WLASZ AALEH RNYBT ARZFC XVIDY

First, using the super secure ROT13 algorithm, I was able to decode the first half of the cipher.

I am a cipher, a cipher wrapped in an enigma, JYNFM NNYRU EALOG NEMSP KIVQL

Next, using the super subtle 'enigma' hint, combined with CyberChef, I was able to decode the second half.

Bank of America CTF - CyberChef Enigma

While it isn't obvious, it makes more sense upon rearranging the spacing.

SMOTH EREDI NSECR ETDRE SSING

SMOTHERED IN SECRET DRESSING

I got the MD5 hash of 'dressing' and submitted the flag for my points!

root@kali:~/bofa# md5 -s 'dressing'
MD5 ("dressing") = cebaea92f732a6a8392f329925d3fccf

Bank of America CTF - Conclusion

This is my first post out of 2 (or 3), but I covered a lot of the challenges.

Please let me know if you have any questions or feedback about the ones that I've already covered.

In the meantime, stay tuned for my other conference and CTF posts!

doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.
