304 North Cardinal St.
Dorchester Center, MA 02124
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM
304 North Cardinal St.
Dorchester Center, MA 02124
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM
Now that it’s over, I wanted to share my write-ups for the BSides RDU EverSec CTF.
If you haven’t read my post about the conference, then I recommend you check it out.
I helped run the EverSec CTF like usual and knocked out a few of the challenges in between assisting/questions.
For even more solutions, check out Steve’s post
The first challenge that I worked on was ‘Keep’, which you can follow along with here – keep.pcap.
Our CEO somehow got all of his accounts compromised. Here's a pcap from his workstation. See if you can figure out what happened!
First, I downloaded the pcap file from the challenge page.
--2019-10-18 14:03:06-- https://scoreboard.eversec.rocks/challenges/keep.pcap Resolving scoreboard.eversec.rocks (scoreboard.eversec.rocks)... 10.2.2.2 Connecting to scoreboard.eversec.rocks (scoreboard.eversec.rocks)|10.2.2.2|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 186323 (182K) [application/octet-stream] Saving to: 'keep.pcap' keep.pcap 100%[===================>] 181.96K --.-KB/s in 0.02s 2019-10-18 14:03:06 (7.46 MB/s) - 'keep.pcap' saved [186323/186323]
Next, I opened the pcap file in Wireshark. I was able to find an HTTP request quickly, which was a good start.
Since this file showed an HTTP request for a secure.kdb, I figured that I would need to get and crack a KeePass database.
I went to ‘File -> Export Objects -> HTTP’, to see if a server response returned the secure.kdb file.
When the HTTP objects window opened, I saw multiple entries for the secure.kdb file.
Next, I saved the database and ran it through keepass2john. This would give me a crackable hash, and hopefully give me access to the database.
[email protected]:~/BSidesCTF# keepass2john secure.kdb Inlining secure.kdb secure.kdb:$keepass$*1*50000*0*74d3896b48ac6ed0aa07beef487459a6*07b745750fb74437f31b09f983b8f4e8e8cbc44e9779e45dcf414b06d5d40d44*bec5b22865ff56bc0d8c06ed8062e7d5*d352a6719e1c7bf988a59661ed06f3135fe86d7505e909702d52ed9a5bd09b40*1*1376*f9...c7
Unfortunately, when I opened my hash file in Hashcat, I received a salt-value exception.
[email protected]:~/BSidesCTF# hashcat -m 13400 -r ~/tools/hashcat/rules/best64.rule kdb-hash.txt ~/tools/cracking/rockyou.txt hashcat (v5.1.0-1397-g7f4df9eb) starting... OpenCL API (OpenCL 1.2 (Jun 23 2019 21:50:55)) - Platform #1 [Apple] ==================================================================== * Device #1: Intel(R) Core(TM) i9-9880H CPU @ 2.30GHz, skipped * Device #2: Intel(R) UHD Graphics 630, 384/1536 MB allocatable, 24MCU * Device #3: AMD Radeon Pro 560X Compute Engine, 1024/4096 MB allocatable, 16MCU Hashfile 'kdb-hash.txt' on line 1 (secure...a73b21d2d928a09a9f56a828930842c7): Salt-value exception No hashes loaded. Started: Fri Oct 18 14:08:27 2019 Stopped: Fri Oct 18 14:08:27 2019
When I looked at the example hashes again, I noticed that the hash should start with $keepass$ and not the filename.
When I edited my hash file, I was able to run Hashcat and successfully obtain the password!
[email protected]:~/BSidesCTF# hashcat -m 13400 -r ~/tools/hashcat/rules/best64.rule kdb-hash.txt ~/tools/cracking/rockyou.txt hashcat (v5.1.0-1397-g7f4df9eb) starting... OpenCL API (OpenCL 1.2 (Jun 23 2019 21:50:55)) - Platform #1 [Apple] ==================================================================== * Device #1: Intel(R) Core(TM) i9-9880H CPU @ 2.30GHz, skipped * Device #2: Intel(R) UHD Graphics 630, 384/1536 MB allocatable, 24MCU * Device #3: AMD Radeon Pro 560X Compute Engine, 1024/4096 MB allocatable, 16MCU Hashes: 1 digests; 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Rules: 77 Applicable optimizers: * Zero-Byte * Single-Hash * Single-Salt Minimum password length supported by kernel: 0 Maximum password length supported by kernel: 256 Watchdog: Hardware monitoring interface not found on your system. Watchdog: Temperature abort trigger disabled. Host memory required for this attack: 754 MB Dictionary cache hit: * Filename..: /Users/doyler/tools/cracking/rockyou.txt * Passwords.: 14344384 * Bytes.....: 139921497 * Keyspace..: 1104517568 [s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s Session..........: hashcat Status...........: Running Hash.Name........: KeePass 1 (AES/Twofish) and KeePass 2 (AES) Hash.Target......: $keepass$*1*50000*0*74d3896b48ac6ed0aa07beef487459a...0842c7 Time.Started.....: Fri Oct 18 14:09:28 2019 (2 secs) Time.Estimated...: Tue Oct 22 17:01:44 2019 (4 days, 2 hours) Guess.Base.......: File (/Users/doyler/tools/cracking/rockyou.txt) Guess.Mod........: Rules (/Users/doyler/tools/hashcat/rules/best64.rule) Guess.Queue......: 1/1 (100.00%) Speed.#2.........: 433 H/s (17.69ms) @ Accel:4 Loops:64 Thr:64 Vec:1 Speed.#3.........: 2669 H/s (7.29ms) @ Accel:16 Loops:64 Thr:64 Vec:1 Speed.#*.........: 3103 H/s Recovered........: 0/1 (0.00%) Digests Progress.........: 0/1104517568 (0.00%) Rejected.........: 0/0 (0.00%) Restore.Point....: 0/14344384 (0.00%) Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:7552-7616 Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:17536-17600 Candidates.#2....: chatty -> travon Candidates.#3....: 123456 -> christal $keepass$*1*50000*0*74..c7:harrypotter Session..........: hashcat Status...........: Cracked Hash.Name........: KeePass 1 (AES/Twofish) and KeePass 2 (AES) Hash.Target......: $keepass$*1*50000*0*74d3896b48ac6ed0aa07beef487459a...0842c7 Time.Started.....: Fri Oct 18 14:09:28 2019 (6 secs) Time.Estimated...: Fri Oct 18 14:09:34 2019 (0 secs) Guess.Base.......: File (/Users/doyler/tools/cracking/rockyou.txt) Guess.Mod........: Rules (/Users/doyler/tools/hashcat/rules/best64.rule) Guess.Queue......: 1/1 (100.00%) Speed.#2.........: 434 H/s (17.65ms) @ Accel:4 Loops:64 Thr:64 Vec:1 Speed.#3.........: 2700 H/s (7.23ms) @ Accel:16 Loops:64 Thr:64 Vec:1 Speed.#*.........: 3134 H/s Recovered........: 1/1 (100.00%) Digests Progress.........: 16384/1104517568 (0.00%) Rejected.........: 0/16384 (0.00%) Restore.Point....: 0/14344384 (0.00%) Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:21376-21440 Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:49984-50000 Candidates.#2....: chatty -> travon Candidates.#3....: 123456 -> christal Started: Fri Oct 18 14:09:13 2019 Stopped: Fri Oct 18 14:09:35 2019
Using the password of ‘harrypotter’, I was able to open the database in MacPass.
After looking through each of the entries, I found one that looked like a flag under ‘Instagram’.
I entered in the correct flag and earned some points.
Next up was the ‘Strange Data 2’ challenge.
Like many of the crypto based challenges, this was just a string hosted on the consultant’s page.
At first, I figured this was a base64 encoded string, so I decoded it.
roo[email protected]:~/BSidesCTF# echo -ne 'NTQ6MzM6Njg6NjY6MzQ6NmM6NmM6NTM6MzM6NmQ6MzM6NzM6NzQ6MzM6NzI=' | base64 -D 54:33:68:66:34:6c:6c:53:33:6d:33:73:74:33:72
The resulting string looked like ASCII encoded hex, so I used Python to clean it up and decode it.
>>> '54:33:68:66:34:6c:6c:53:33:6d:33:73:74:33:72'.replace(':', '').decode('hex') 'T3hf4llS3m3st3r'
I entered in this flag and got some more easy points.
Still on a crypto kick, I decided to move on to ‘Strange Data 2.1’.
Like the last challenge, I got a string that looked eerily like base64 encoded data.
After a few iterations, this looked like a string that the challenge creator reversed and then base64 encoded seven times.
[email protected]:~/BSidesCTF# echo -ne 'Vm1wR2IyUXhVWGhYYmxKV1YwZG9XVmxVU205aFJsWnpWVzVPVlUxV1duaFdSekV3VZrZDRTMVpXV25WaFJtUlRaV3haZWxacVNqUlpWbHAwVkd0V1YySkhVbkJWYlhSM1VsWmFjVk50Y0ZCV2EwcFRWVVpSZDFCUlBUMD0=' | base64 -D | base64 -D | base64 -D | base64 -D | base64 -D | base64 -D | base64 -D | rev Y0UrBas364Rb3l0NgT0us
I grabbed my flag and moved on to the next challenge.
If you couldn’t figure out the pattern yet, the next challenge I solved was the ‘Turtles’ crypto challenge.
Based on years of trolling, the title, and some decoding, I figured out that this solution was just seven iterations of bas
[email protected]:~/BSidesCTF# echo -ne 'Vm0xd1IxbFdaSEpPVm1oVVltdHdUMVpzV21GVk1XeHpZVVpPV0dKR1NsWlZWbEpEWVRBeFZrZDRSMVpWTVVWaGVqQTk=' | base64 -D | base64 -D | base64 -D | base64 -D | base64 -D | base64 -D | base64 -D a_g00d_st4rt
If you didn’t get the reference, then I recommend you check out this Wikipedia article.
The next challenge I worked on was GPP, but I didn’t take any notes about the challenge description. That said, it was something along the lines of, “Are you down with GPP?”.
Based on the hint, I figured I could use gpp-decrypt to get the flag.
[email protected]:~/BSidesCTF# gpp-decrypt Ol8DpxxEqiZ7qsK2CtYH4UM6id5mEVcZf/U2BU2jL9k= /usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated ud0WNW1THGPP?
The next crypto challenge that I worked on was Steve’s ASCII art.
.__.__ __ .__ __ .__.__ .__ __ _____ ______ ____ |__|__| _____ ________/ |_ |__| ______ _______/ |_|__| | | | _____ ________/ |_ \__ \ / ___// ___\| | | \__ \\_ __ \ __\ | |/ ___/ / ___/\ __\ | | | | \__ \\_ __ \ __\ / __ \_\___ \\ \___| | | / __ \| | \/| | | |\___ \ \___ \ | | | | |_| |__ / __ \| | \/| | (____ /____ >\___ >__|__|____(____ /__| |__|____|__/____ >____/____ > |__| |__|____/____/____(____ /__| |__| \/ \/ \/ /_____/ \/ /_____/ \/_____/ \/ /_____/ \/
This at once looked like ASCIi art to me, so I just opened it in a browser and started adjusting the width manually.
Note that I had some issues when I tried a text editor, but (Chrome) worked just fine!
The last crypto challenge that I looked at was ‘255’.
It took me a little while, but based on the hint/base64 output, I realized that this was XOR encrypted.
When I ran it through CyberChef, I was able to get the flag.
Key = 25: Good job, the flag is 7h3MOOni5doWn
The final challenge I solved (at least for this post…) was CCC2.
While this was a massive base64 encoded string, I recognized it immediately as a serialized Java payload. This payload starts with rO0 (0xAC 0xED), which is a dead giveaway. For more information, you can check out this blog post.
When I ran this through a base64 decoder, I was able to find my flag towards the bottom. It was a ysoserial payload containing a Java string that was being echoed out, so that wasn’t too difficult.
This was another great CTF, and we had a ton of participants.
Let me know if you had any questions on these solutions, or one that I did not post about.
I have one or two more write-ups related to this CTF, so stay tuned for those as well!
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.
This page contains links to products that I may receive compensation from at no additional cost to you. View my Affiliate Disclosure page here. As an Amazon Associate, I earn from qualifying purchases.