Address
304 North Cardinal St.
Dorchester Center, MA 02124
Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM
I took part in the Bank of America CTF during the last DerbyCon, and I wanted to share some of my write-ups.
Just like last year’s DerbyCon, the Bank of America team was hosting a CTF for anyone at the conference.
I won a challenge coin from this last year, and it was sweet-looking.
This year wasn’t about trying to win, but I was hoping to score 200 points and win another challenge coin!
You can still find the challenges and scoreboard
For another write-up, I recommend the following post
It looks like BofA will run the CTF again during Technica, so I will hold off on posting everything until that ends!
The first challenge that I solved was image steganography and was found here.
First, I opened the image in Stegsolve.jar
Once I changed to the image negative, I was able to easily read the flag in the bottom left corner.
Note that Chrome made this even easier, and I could have avoided another program entirely.
I entered in the flag, ‘8f8c2ca5c4bed32e4b364fe26df7f048’, and got some points on the board.
My next challenge was Zip password cracking.
First, I downloaded the archive.
[email protected]:~/bofa# wget https://infosecuritychallenge.com/files/a25b85fdb335eacd30700f662f2c469c/ctf.zip --no-check-certificate
--2019-09-05 14:01:00-- https://infosecuritychallenge.com/files/a25b85fdb335eacd30700f662f2c469c/ctf.zip
Resolving infosecuritychallenge.com (infosecuritychallenge.com)... 165.227.214.138
Connecting to infosecuritychallenge.com (infosecuritychallenge.com)|165.227.214.138|:443... connected.
WARNING: The certificate of 'infosecuritychallenge.com' is not trusted.
WARNING: The certificate of 'infosecuritychallenge.com' hasn't got a known issuer.
HTTP request sent, awaiting response... 200 OK
Length: 234 [application/zip]
Saving to: 'ctf.zip'
ctf.zip 100%[===================>] 234 --.-KB/s in 0s
2019-09-05 14:01:05 (451 MB/s) - 'ctf.zip' saved [234/234]
Next, I used zip2john to get a crackable pkzip hash.
[email protected]:~/bofa# zip2john ctf.zip
ver a efh 5455 efh 7875 ctf.zip->flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=52, decmplen=40, crc=B9F36741
ctf.zip:$pkzip2$1*2*2*0*34*28*b9f36741*0*42*0*34*b9f3*8468*f80798210ffe881c173582f883279cff09de606c168d3f225c5e638f60aec160508d97fae4fe41018fb2e31dcb749df37edaf9cc*$/pkzip2$:::::ctf.zip
[email protected]:~/bofa# zip2john ctf.zip > zip_hash
ver a efh 5455 efh 7875 ctf.zip->flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=52, decmplen=40, crc=B9F36741
Finally, I used John to crack the hash, and get the password of ‘887766’.
[email protected]:~/bofa# john zip_hash -incremental=digits
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
887766 (ctf.zip)
1g 0:00:00:00 DONE (2019-09-05 14:10) 7.142g/s 4034Kp/s 4034Kc/s 4034KC/s 887737..887273
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Using the password, I was able to get the flag of ‘e081129432efb65d52150e47f45899d1’.
[email protected]:~/bofa# unzip ctf.zip
Archive: ctf.zip
[ctf.zip] flag.txt password:
extracting: flag.txt
[email protected]:~/bofa# cat flag.txt
Flag = e081129432efb65d52150e47f45899d1
I moved on to the trivia questions next, as I figured they would be an easy 10 points.
The nesting dolls challenge was like other ones that I’ve seen in CTFs before.
First, I tried to extract every archive manually, but that was taking forever.
Next, I spent some time and got this awesome one-liner working. It will check the current directory for any archive, extract it, and then delete the original. When I ran it, it (eventually) worked perfectly, and extracted until there were no archives left.
[email protected]:~/bofa/nesting# while [ "`find ./ -type f \( -iname '*.zip' -o -iname '*.tar' -o -iname '*.tar.gz' -o -iname "*.7z" -o -iname "*.bz2" \) | wc -l`" -gt 0 ]; do find ./ -type f \( -iname '*.zip' -o -iname '*.tar' -o -iname '*.tar.gz' -o -iname "*.7z" -o -iname "*.bz2" \) -exec 7z e -- '{}' \; -exec rm -- '{}' \;; done
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz (806EA),ASM,AES-NI)
Scanning the drive for archives:
1 file, 51502 bytes (51 KiB)
Extracting archive: ./BQPBDUYW.tar.bz2
--
Path = ./BQPBDUYW.tar.bz2
Type = bzip2
Everything is Ok
Size: 61440
Compressed: 51502
... < snip > ...
Extracting archive: ./NEEWNNJC.zip
--
Path = ./NEEWNNJC.zip
Type = zip
Physical Size = 4755
Everything is Ok
Size: 4641
Compressed: 4755
[email protected]:~/bofa/nesting#
The final file was flag.png, which was a screenshot of a flag.txt file.
Once I typed it correctly, I submitted the flag of ‘5ebc96d7-c768-46f2-8555-2c582b7c450e’ and earned my points.
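The same unwrapping loop as an added Python example (not the author's code): it peels layers in memory, picks the format by magic bytes rather than file extension, and caps the size and number of layers so a hostile archive cannot exhaust disk or write to archive-supplied paths. It assumes one payload file per layer and covers only the formats in Python's standard library (zip, tar, gzip, bzip2), not 7z; the function names are hypothetical and the sample input is constructed.

```python
import bz2, gzip, io, tarfile, zipfile

def _capped(fobj, limit):
    """Read one layer, refusing to inflate past `limit` bytes (bomb guard)."""
    data = fobj.read(limit + 1)
    if len(data) > limit:
        raise ValueError("decompressed layer exceeds size limit")
    return data

def peel(blob, limit):
    """Strip one layer chosen by magic bytes, not by file name; None = not an archive."""
    src = io.BytesIO(blob)
    if blob[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(src) as zf:
            files = [i for i in zf.infolist() if not i.is_dir()]
            with zf.open(files[0]) as f:      # assumes one payload per layer
                return "zip", _capped(f, limit)
    if blob[:3] == b"BZh":
        return "bzip2", _capped(bz2.BZ2File(src), limit)
    if blob[:2] == b"\x1f\x8b":
        return "gzip", _capped(gzip.GzipFile(fileobj=src), limit)
    if blob[257:262] == b"ustar":
        with tarfile.open(fileobj=src, mode="r:") as tf:
            member = next(m for m in tf if m.isfile())
            return "tar", _capped(tf.extractfile(member), limit)
    return None

def unwrap(blob, limit=50 * 1024 * 1024, max_depth=500):
    """Peel layers in memory until the payload is no longer an archive."""
    layers = []
    while (step := peel(blob, limit)) is not None:
        if len(layers) >= max_depth:
            raise ValueError("too many nested layers")
        layers.append(step[0])
        blob = step[1]
    return layers, blob

def make_sample(payload=b"constructed sample flag"):
    """Constructed input: payload -> tar -> bzip2 -> zip -> gzip."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("flag.txt")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    tar_bz2 = bz2.compress(buf.getvalue())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("inner.tar.bz2", tar_bz2)
    return gzip.compress(buf.getvalue())
```

Calling `unwrap(make_sample())` returns the list of layer types in the order they were removed, together with the innermost payload bytes.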
At this point, I decided that it was time to take a quick break. I took a quick look at the scoreboard, and I was in first place still!
For the cryptogram, the challenge gave the text below.
GXFZ YO ZXC OCTSIH CIZJR YI ZXC JZUE YIHCD MIHCJ ZXC KCZZCJ Z
Using quipqiup, I was able to automatically solve the challenge.
There were a few possibilities, but the following made the most sense.
WHAT IS THE SECOND ENTRY IN THE RTFM INDEX UNDER THE LETTER T
While I didn’t have my copy of the Red Team Field Manual (RTFM) handy, I was able to look at the preview on Amazon.
I checked the Index and found that ‘TCPDump’ was the second entry.
Next, for “More ciphers”, the challenge gave the following instructions:
"Decrypt and submit the MD5 of the last word in the sentence:"
V nz n pvcure, n pvcure jenccrq va na ravtzn, WLASZ AALEH RNYBT ARZFC XVIDY
First, using the super secure ROT13 algorithm, I was able to decode the first half of the cipher.
I am a cipher, a cipher wrapped in an enigma, JYNFM NNYRU EALOG NEMSP KIVQL
Next, using the super subtle ‘enigma’ hint, combined with CyberChef, I was able to decode the second half.
While it isn’t obvious, it makes more sense upon rearranging the spacing.
SMOTH EREDI NSECR ETDRE SSING
SMOTHERED IN SECRET DRESSING
I got the MD5 hash of ‘dressing’ and submitted the flag for my points!
[email protected]:~/bofa# md5 -s 'dressing'
MD5 ("dressing") = cebaea92f732a6a8392f329925d3fccf
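The decode chain above as an added Python example (not the author's code and not CyberChef's): ROT13 over the whole line, a three-rotor Enigma over the five-letter groups, then MD5 of the last word. The page does not state the Enigma settings, so rotors I-II-III, reflector B, all positions and rings at A, and no plugboard are assumed here; the function names are hypothetical.

```python
import codecs, hashlib
from string import ascii_uppercase as AZ

CHALLENGE = ("V nz n pvcure, n pvcure jenccrq va na ravtzn, "
             "WLASZ AALEH RNYBT ARZFC XVIDY")

# Historical Enigma I wirings and notches; order and start positions are assumptions.
ROTORS = [("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),   # I   (left)
          ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),   # II  (middle)
          ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V")]   # III (right)
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"

def enigma(text, start="AAA"):
    """3-rotor Enigma, rings at A, no plugboard. Same call encrypts and decrypts."""
    pos = [AZ.index(c) for c in start]
    out = []
    for ch in text.upper():
        if ch not in AZ:
            out.append(ch)           # spaces pass through without stepping
            continue
        # Rotors step before the key is encoded, including the double step.
        if AZ[pos[1]] == ROTORS[1][1]:
            pos[0] = (pos[0] + 1) % 26
            pos[1] = (pos[1] + 1) % 26
        elif AZ[pos[2]] == ROTORS[2][1]:
            pos[1] = (pos[1] + 1) % 26
        pos[2] = (pos[2] + 1) % 26
        c = AZ.index(ch)
        for i in (2, 1, 0):          # right to left through the rotors
            c = (AZ.index(ROTORS[i][0][(c + pos[i]) % 26]) - pos[i]) % 26
        c = AZ.index(REFLECTOR_B[c])
        for i in (0, 1, 2):          # back out through the inverse wiring
            c = (ROTORS[i][0].index(AZ[(c + pos[i]) % 26]) - pos[i]) % 26
        out.append(AZ[c])
    return "".join(out)

def solve(ciphertext):
    """ROT13 the line, then run only the trailing letter groups through Enigma."""
    rot = codecs.decode(ciphertext, "rot_13")
    head, _, groups = rot.rpartition(", ")
    return head, enigma(groups).replace(" ", "")

def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()
```

`solve(CHALLENGE)` returns the ROT13-decoded sentence and the Enigma output with the group spacing removed; `md5_hex("dressing")` gives the value submitted as the flag.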
This is my first post out of 2 (or 3), but I covered a lot of the challenges.
Please let me know if you have any questions or feedback about the ones that I’ve already covered.
In the meantime, stay tuned for my other conference and CTF posts!
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.