While a bit late, I finally found (some) files to do a BSides Raleigh CTF write-up.
This will only focus on the few offline challenges that I found on my flash drive. That said, hopefully someone will still learn something from them.
I apologize for not remembering where most of these challenges came from; that said, I believe most were in the same section of the CTF.
I’ve verified that the uploaded and attached files work, so feel free to follow along if you did not compete!
The first challenge that I will cover is the Halloween image.
At first glance, I didn’t see anything interesting with this image.
Additionally, running strings on the file did not give me any more information.
That said, once I ran binwalk, things started getting interesting!
[email protected]:~/_test# binwalk bsidesRaleighCTF-1-happyHalloween.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
126359        0x1ED97         Zip archive data, at least v2.0 to extract, name: r
302502        0x49DA6         Zip archive data, at least v1.0 to extract, name: __MACOSX/
302557        0x49DDD         Zip archive data, at least v2.0 to extract, name: __MACOSX/._r
303041        0x49FC1         End of Zip archive
Extracting the embedded files using binwalk gave us the new file, “r”.
[email protected]:~/_test# cd _bsidesRaleighCTF-1-happyHalloween.jpg.extracted/
[email protected]:~/_test/_bsidesRaleighCTF-1-happyHalloween.jpg.extracted# ls
1ED97.zip  __MACOSX  r
Opening the new r file, we see another image, and get our flag ([email protected])!
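As an added example (not part of the original write-up), the same signature scan binwalk performed, done in Python: it builds a constructed JPEG/ZIP polyglot in memory, locates the embedded archive, and lists its members without extracting them.

```python
import io
import zipfile

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def build_sample_polyglot():
    """Constructed sample: a minimal JPEG-shaped byte stream with a ZIP archive
    appended, in the same layout as the Halloween challenge file (not its real data)."""
    fake_jpeg = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 64 + JPEG_EOI
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("r", b"stand-in for the second image")
        zf.writestr("__MACOSX/._r", b"resource-fork noise")
    return fake_jpeg + buf.getvalue()


def find_embedded_zip(data):
    """Signature scan like binwalk's: the first ZIP local-file header after the JPEG
    SOI that parses as a real archive. Returns (zip_offset, bytes between the image's
    EOI marker and the archive, member names), or None for a clean image."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while (zip_off := data.find(ZIP_LOCAL_HEADER, pos)) != -1:
        try:
            # zipfile finds the central directory from the end, so slicing at the
            # candidate offset is enough; a false hit raises BadZipFile.
            with zipfile.ZipFile(io.BytesIO(data[zip_off:])) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:  # "PK\x03\x04" can occur by chance in image data
            pos = zip_off + 1
            continue
        eoi = data.rfind(JPEG_EOI, 0, zip_off)  # last EOI before the archive ends the picture
        gap = zip_off - (eoi + 2) if eoi != -1 else None
        return zip_off, gap, names
    return None


if __name__ == "__main__":
    print(find_embedded_zip(build_sample_polyglot()))
```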
The next challenge covers the two images seemingly made up of static.
That said, after taking a closer look at the two files (and rapidly switching between them), there was a slight difference somewhere in the middle.
Using a neat trick that I found on the ImageMagick Forums, I was able to extract the diff.
[email protected]:~/_test# ls
bsidesRaleighCTF-2-one.png  bsidesRaleighCTF-3-two.png
[email protected]:~/_test# convert bsidesRaleighCTF-2-one.png bsidesRaleighCTF-3-two.png \( -clone 0 -clone 1 -compose difference -composite -threshold 0 \) -delete 1 -alpha off -compose copy_opacity -composite -trim difference.png
Opening the new image gave me the jU$tic3PrEV4Ils flag!
Up next was the artifact file left behind by the attackers.
At first glance, this looked like some sort of binary data.
[email protected]:~/_test# file bsidesRaleighCTF-4-artifact
Quickly running the file through xxd showed that the magic bytes were nulled out.
[email protected]:~/_test# head -2 bsidesRaleighCTF-4-artifact | xxd
00000000: 0000 0000 0d0a 1a0a                      ........
That said, looking at the next few bytes (as well as the end of the file) made it very clear that this was a PNG image.
[email protected]:~/_test# head -3 bsidesRaleighCTF-4-artifact | xxd
00000000: 0000 0000 0d0a 1a0a 0000 000d 4948 4452  ............IHDR
... snip ...
[email protected]:~/_test# tail -1 bsidesRaleighCTF-4-artifact | xxd
... snip ...
00000230: 0351 12fd 3af1 fb00 0000 0049 454e 44ae  .Q..:......IEND.
00000240: 4260 820a                                B`..
Correcting the PNG magic bytes allowed me to open the file and get the flag (HEymErCedE2)!
[email protected]:~/_test# head -1 bsidesRaleighCTF-4-artifact | xxd
00000000: 8950 4e47 0d0a                           .PNG..
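An added example, not from the original post, of the check and repair just described: it constructs a stand-in for the artifact with the first four signature bytes zeroed, recognises it from the surviving half of the signature, the IHDR chunk type and the IEND trailer, and restores the signature only when those clues agree.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
IEND_CHUNK = b"\x00\x00\x00\x00IEND\xaeB`\x82"  # zero-length IEND plus its fixed CRC
CHUNK_TYPE_AT = 12  # first chunk type sits right after the 8-byte signature + 4-byte length


def build_sample_artifact():
    """Constructed stand-in for the challenge file: PNG with its first four signature
    bytes nulled, a 16x16 RGBA IHDR, no image data, and a trailing newline like the
    xxd output above. Not the real artifact."""
    ihdr_data = struct.pack(">IIBBBBB", 16, 16, 8, 6, 0, 0, 0)
    ihdr = struct.pack(">I", len(ihdr_data)) + b"IHDR" + ihdr_data
    ihdr += struct.pack(">I", zlib.crc32(b"IHDR" + ihdr_data))
    return b"\x00\x00\x00\x00" + PNG_SIGNATURE[4:] + ihdr + IEND_CHUNK + b"\n"


def diagnose(data):
    """Classify a blob by PNG structure instead of trusting only the magic bytes."""
    if data.startswith(PNG_SIGNATURE):
        return "png"
    # The CRLF/EOF/LF half of the signature, the IHDR type and the IEND trailer
    # survive signature tampering: the same three clues read off the xxd dumps.
    if (data[4:8] == PNG_SIGNATURE[4:]
            and data[CHUNK_TYPE_AT:CHUNK_TYPE_AT + 4] == b"IHDR"
            and data.rstrip(b"\n").endswith(IEND_CHUNK)):
        return "png-damaged-signature"
    return "unknown"


def repair_signature(data):
    """Return a copy with the 8-byte signature restored, but only when the rest of
    the header says this really is a PNG; anything else comes back unchanged."""
    if diagnose(data) == "png-damaged-signature":
        return PNG_SIGNATURE + data[8:]
    return data


if __name__ == "__main__":
    blob = build_sample_artifact()
    print(diagnose(blob), "->", diagnose(repair_signature(blob)))
```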
Next up was the suspicious_traffic-1.pcap file.
Opening up this file in Wireshark showed that it only had ~500 packets, so I decided to just comb through it manually.
All of the traffic seemed to revolve around the 192.168.0.100 host, so filtering on it didn’t help much.
That said, there were some commands being sent over UDP to the 188.8.131.52 host.
Looking through all of these commands, I found a flag (Gh0$tm4n0n3rd) that worked!
As far as the other commands were concerned, they were actually hints for a different/older challenge.
After this was yet another pcap challenge.
Unfortunately, in this case, I had a much larger file with over 17,000 packets.
In this case, I like to open up the pcap in Wireshark and scroll through it, trying to get a feel for what was going on.
The first thing I noticed was a “Host Announcement FIRP-JENKINS, Workstation, Server, NT Workstation, NT Server”. Unfortunately, this was related to a new host on the network and a different challenge.
Most of the pcap seemed like fairly normal traffic and browsing until I happened across a fishy looking DNS request.
1708974.Y2hlY2tpbmc.eversec.rocks: type TXT, class IN
Based on the domain name, this was part of this challenge.
Running the second part of the domain name through a base64 decoder gave me the value “checking”.
[email protected]:~/_test# echo "Y2hlY2tpbmc=" | base64 -d
checking
This told me that my “attacker” was testing his DNS exfiltration, and that I was on the right track!
In this case, I wanted to work on my command-line kung fu and extract everything all at once.
First, after a bit of prodding and Googling, I figured out how to get tshark to only show me DNS traffic.
[email protected]:~/_test# tshark -r bsidesRaleighCTF-6-suspicious_traffic-2.pcap -Y "dns" | grep eversec
Running as user "root" and group "root". This could be dangerous.
tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:44: dofile has been disabled due to running Wireshark as superuser. See https://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
 7649 134.196103 192.168.0.107 -> 192.168.0.1 DNS 93 Standard query 0x1134 TXT 1708974.Y2hlY2tpbmc.eversec.rocks
 7653 134.470023 192.168.0.1 -> 192.168.0.107 DNS 106 Standard query response 0x1134 TXT 1708974.Y2hlY2tpbmc.eversec.rocks TXT
 7757 143.197890 192.168.0.107 -> 192.168.0.1 DNS 93 Standard query 0x856c TXT 1708974.Y2hlY2tpbmc.eversec.rocks
... snip ...
Unfortunately, this still gave far too many results to go through manually.
Next up was to get JUST the query name out of each packet. Additionally, I filtered out the DNS responses, which prevents duplicates and makes the later manipulation easier.
[email protected]:~/_test# tshark -r bsidesRaleighCTF-6-suspicious_traffic-2.pcap -Y "dns && (dns.flags.response == 0)" | grep eversec > dns.txt
[email protected]:~/_test# cut -d ' ' -f 13 dns.txt
1708974.Y2hlY2tpbmc.eversec.rocks
1708974.Y2hlY2tpbmc.eversec.rocks
1708974.d2luLWR0ZHBucW5wcDhwXHRlaHNreWxhcmsNCg.eversec.rocks
... snip ...
With my cut working, it was time to get just the second string and run it through a decoder. I ended up using Python for this to save some headaches with padding and extra whitespace. I’ll include the code below the solution.
My Python script ended up finding 3 flags, as well as some hints about some other challenges!
The first flag was “tehskylark”, the second was “[email protected]”, and the third was “Y0UC4N7m1SSWh47y0ufRGE7”.
[email protected]:~/_test# cut -d ' ' -f 13 dns.txt | cut -d '.' -f 2 > exfil.txt
[email protected]:~/_test# python decode.py
checking
checking
win-dtdpnqnpp8p\tehskylark
checking checking checking checking checking checking checking checking checking checking checking checking checking checking checking checking checking checking checking checking checking checking checking checking checking checking checking checking
'[email protected]'
checking checking checking checking checking checking checking
Active Connections
Proto Local Address Foreign Address
TCP 0.0.0.0:135 WIN-DTDPNQNPP8P
checking
TCP 0.0.0.0:445 WIN-DTDPNQNPP8P
checking
TCP 0.0.0.0:1025 WIN-DTDPNQNPP8P
TCP 0.0.0.0:1026 WIN-DTDPNQNPP8P
checking
TCP 0.0.0.0:1027 WIN-DTDPNQNPP8P
TCP 0.0.0.0:1028 WIN-DTDPNQNPP8P
TCP 0.0.0.0:1029 WIN-DTDPNQNPP8P
TCP 192.168.0.107:139 WIN-DTDPNQNPP8P
TCP 192.168.0.107:1420 184.108.40.206:htt
TCP 192.168.0.107:1422 220.127.116.11:
TCP 192.168.0.107:1458 a104-87-136-139
TCP 192.168.0.107:1462 a23-219-20-113:
TCP 192.168.0.107:1464 18.104.22.168
TCP 192.168.0.107:1477 a23-219-20-18:h
TCP 192.168.0.107:1478 a23-219-20-18:h
TCP 192.168.0.107:1484 a23-219-20-18:h
TCP 192.168.0.107:1486 a23-219-20-18:h
TCP [::]:135 WIN-DTDPNQNPP8P
TCP [::]:445 WIN-DTDPNQNPP8P
checking
TCP [::]:1025 WIN-DTDPNQNPP8P
checking
TCP [::]:1026 WIN-DTDPNQNPP8P
TCP [::]:1027 WIN-DTDPNQNPP8P
TCP [::]:1028 WIN-DTDPNQNPP8P
TCP [::]:1029 WIN-DTDPNQNPP8P
UDP 0.0.0.0:68 *:*
UDP 0.0.0.0:5353 *:*
checking
UDP 0.0.0.0:5353 *:*
UDP 0.0.0.0:5355 *:*
checking
UDP 0.0.0.0:63871 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:64125 *:*
checking
UDP 192.168.0.107:137 *:*
UDP 192.168.0.107:138 *:*
UDP 192.168.0.107:1900 *:*
UDP 192.168.0.107:64124 *:*
checking
UDP [::]:5353 *:*
UDP [::]:5355 *:*
UDP [::1]:1900 *:*
UDP [::1]:64123 *:*
checking
checking
UDP [fe80::303f:4cde:4569:cf96%11]:1900 *
UDP [fe80::303f:4cde:4569:cf96%11]:64122
checking checking checking checking checking checking checking checking checking
Let's just forget Everything said
checking
Everything we did Best friends and better halves
checking
Goodbyes And the autumn night when we realized We were falling out of love (There were some things that were said that wer
checking
But we never did
checking
Not to be Overly dramatic I just think it's best Cause Y0UC4N7m1SSWh47y0ufRGE7 So lets just pretend Everything and Anything between you and me Was never meant
checking
checking
checking
import base64

# Each line of exfil.txt is the base64 label cut out of one DNS query name.
with open('exfil.txt') as f:
    lines = f.readlines()

for line in lines:
    line = line.strip()
    if len(line) > 0:
        # DNS labels drop the '=' padding, so restore it before decoding.
        missing_padding = len(line) % 4
        if missing_padding != 0:
            line += '=' * (4 - missing_padding)
        print(base64.b64decode(line).decode('utf-8', errors='replace'))
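An added example (not the author's decode.py) that does the cut/cut/base64 pipeline above in one pass over tshark output: it assumes the default tshark line layout shown earlier, skips responses, restores the padding that DNS labels lack, and drops the “checking” heartbeats so only real exfiltrated lines remain; the sample lines are constructed, not taken from the capture.

```python
import base64
import re

HEARTBEAT = "checking"

# Constructed sample in the shape of the tshark output above (packet number, time,
# src -> dst, proto, length, info). Lines 2 and 4 are responses that repeat the
# query name and must not be decoded twice.
SAMPLE_TSHARK = """\
7649 134.196103 192.168.0.107 -> 192.168.0.1 DNS 93 Standard query 0x1134 TXT 1708974.Y2hlY2tpbmc.eversec.rocks
7653 134.470023 192.168.0.1 -> 192.168.0.107 DNS 106 Standard query response 0x1134 TXT 1708974.Y2hlY2tpbmc.eversec.rocks TXT
7801 151.002311 192.168.0.107 -> 192.168.0.1 DNS 120 Standard query 0x91aa TXT 1708974.d2luLWR0ZHBucW5wcDhwXHRlaHNreWxhcmsNCg.eversec.rocks
7805 151.250000 192.168.0.1 -> 192.168.0.107 DNS 133 Standard query response 0x91aa TXT 1708974.d2luLWR0ZHBucW5wcDhwXHRlaHNreWxhcmsNCg.eversec.rocks TXT
7902 160.441900 192.168.0.107 -> 192.168.0.1 DNS 80 Standard query 0x2b3c A www.example.com
"""


def decode_label(label):
    """Decode one base64 DNS label; labels carry no '=' padding, so restore it."""
    label += "=" * (-len(label) % 4)
    return base64.b64decode(label).decode("utf-8", errors="replace")


def extract_exfil(tshark_output, zone="eversec.rocks"):
    """Return [(session_id, text)] for every TXT query under the zone, ignoring
    responses and the heartbeat chunks. Whitespace (the trailing CRLF the
    exfil tool sends) is stripped from each decoded line."""
    query_re = re.compile(r"\b(\d+)\.([A-Za-z0-9+/]+)\." + re.escape(zone) + r"\b")
    found = []
    for line in tshark_output.splitlines():
        if "query response" in line:
            continue
        match = query_re.search(line)
        if not match:
            continue
        session, label = match.groups()
        text = decode_label(label).strip()
        if text != HEARTBEAT:
            found.append((session, text))
    return found


if __name__ == "__main__":
    for session, text in extract_exfil(SAMPLE_TSHARK):
        print(session, repr(text))
```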
I wish I still had some write-ups or information about the online challenges, but this was all I had saved.
This was another great CTF put on by EverSec and I was glad to compete in it.
In the end, I ended up winning this and getting a Pineapple Nano as my prize!
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.