BSides RDU EverSec CTF – Challenge Solutions

Now that it’s over, I wanted to share my write-ups for the BSides RDU EverSec CTF.

BSides RDU EverSec CTF – Introduction

If you haven’t read my post about the conference, then I recommend you check it out.

I helped run the EverSec CTF like usual and knocked out a few of the challenges in between assisting/questions.

For even more solutions, check out Steve’s post.



The first challenge that I worked on was ‘Keep’, which you can follow along with here – keep.pcap.

Our CEO somehow got all of his accounts compromised. Here's a pcap from his workstation. See if you can figure out what happened! 

First, I downloaded the pcap file from the challenge page.

--2019-10-18 14:03:06--
Resolving (
Connecting to (||:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 186323 (182K) [application/octet-stream]
Saving to: ‘keep.pcap’

keep.pcap            100%[===================>] 181.96K  --.-KB/s    in 0.02s   

2019-10-18 14:03:06 (7.46 MB/s) - ‘keep.pcap’ saved [186323/186323]

Next, I opened the pcap file in Wireshark. I was able to find an HTTP request quickly, which was a good start.

BSides RDU EverSec CTF - Keep request

Since this file showed an HTTP request for a secure.kdb, I figured that I would need to get and crack a KeePass database.

I went to ‘File -> Export Objects -> HTTP’, to see if a server response returned the secure.kdb file.

BSides RDU EverSec CTF - Export Objects

When the HTTP objects window opened, I saw multiple entries for the secure.kdb file.

BSides RDU EverSec CTF - HTTP objects

Next, I saved the database and ran it through keepass2john. This would give me a crackable hash, and hopefully give me access to the database.

root@kali:~/BSidesCTF# keepass2john secure.kdb 
Inlining secure.kdb

Unfortunately, when I opened my hash file in Hashcat, I received a salt-value exception.

root@kali:~/BSidesCTF# hashcat -m 13400 -r ~/tools/hashcat/rules/best64.rule kdb-hash.txt ~/tools/cracking/rockyou.txt 
hashcat (v5.1.0-1397-g7f4df9eb) starting...

OpenCL API (OpenCL 1.2 (Jun 23 2019 21:50:55)) - Platform #1 [Apple]
* Device #1: Intel(R) Core(TM) i9-9880H CPU @ 2.30GHz, skipped
* Device #2: Intel(R) UHD Graphics 630, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 560X Compute Engine, 1024/4096 MB allocatable, 16MCU

Hashfile 'kdb-hash.txt' on line 1 (secure...a73b21d2d928a09a9f56a828930842c7): Salt-value exception
No hashes loaded.

Started: Fri Oct 18 14:08:27 2019
Stopped: Fri Oct 18 14:08:27 2019

When I looked at the example hashes again, I noticed that the hash should start with $keepass$ and not the filename.
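Added example (mine, not from the post, john or hashcat): a small Python helper that turns a keepass2john line into what hashcat -m 13400 expects, splitting off the "filename:" prefix that caused the salt-value exception and sanity-checking the header fields. The sample line and its hex fields are constructed, and the layout of the fields after version/rounds/algorithm is an assumption that is only checked for hex.

```python
import re
from typing import Optional

# Constructed sample of a keepass2john output line (hex fields are made up and
# shorter than real seeds/IVs); note the "secure.kdb:" prefix before $keepass$.
SAMPLE_LINE = (
    "secure.kdb:$keepass$*1*50000*0*"
    "74d3896b48ac6ed0aa07beef487459aa*0f1e2d3c4b5a69788796a5b4c3d2e1f0*"
    "00112233445566778899aabbccddeeff*a73b21d2d928a09a9f56a828930842c7"
)

_HEX = re.compile(r"^[0-9a-fA-F]+$")


def normalize_keepass2john_line(line: str) -> dict:
    """Split off the 'filename:' prefix keepass2john prints and parse the
    $keepass$ header so the line handed to hashcat -m 13400 starts with the
    signature instead of the database name."""
    line = line.strip()
    filename: Optional[str] = None
    hash_part = line
    # The hash itself never contains ':', so only the first one is a separator.
    if not line.startswith("$keepass$") and ":" in line:
        filename, hash_part = line.split(":", 1)
    if not hash_part.startswith("$keepass$*"):
        raise ValueError("missing $keepass$ signature: not a keepass2john hash")
    fields = hash_part.split("*")
    version, rounds = int(fields[1]), int(fields[2])
    if version not in (1, 2):
        raise ValueError(f"unsupported KeePass version field: {version}")
    # For KDB (version 1) the third field is the cipher: 0 = AES, 1 = Twofish.
    algorithm = int(fields[3]) if version == 1 else None
    # Remaining fields are seeds, IV, content hash and so on (layout assumed);
    # they are only checked for being hex so a garbled line fails early.
    for field in fields[4:]:
        if field and not _HEX.match(field):
            raise ValueError(f"non-hex field in hash: {field!r}")
    return {"filename": filename, "hash": hash_part, "version": version,
            "rounds": rounds, "algorithm": algorithm}
```

Editing the file is not strictly required: hashcat's `--username` flag makes it ignore everything up to the first colon, which is exactly the prefix keepass2john prints.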

When I edited my hash file, I was able to run Hashcat and successfully obtain the password!

root@kali:~/BSidesCTF# hashcat -m 13400 -r ~/tools/hashcat/rules/best64.rule kdb-hash.txt ~/tools/cracking/rockyou.txt 
hashcat (v5.1.0-1397-g7f4df9eb) starting...

OpenCL API (OpenCL 1.2 (Jun 23 2019 21:50:55)) - Platform #1 [Apple]
* Device #1: Intel(R) Core(TM) i9-9880H CPU @ 2.30GHz, skipped
* Device #2: Intel(R) UHD Graphics 630, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 560X Compute Engine, 1024/4096 MB allocatable, 16MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 754 MB

Dictionary cache hit:
* Filename..: /Users/doyler/tools/cracking/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 1104517568

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Name........: KeePass 1 (AES/Twofish) and KeePass 2 (AES)
Hash.Target......: $keepass$*1*50000*0*74d3896b48ac6ed0aa07beef487459a...0842c7
Time.Started.....: Fri Oct 18 14:09:28 2019 (2 secs)
Time.Estimated...: Tue Oct 22 17:01:44 2019 (4 days, 2 hours)
Guess.Base.......: File (/Users/doyler/tools/cracking/rockyou.txt)
Guess.Mod........: Rules (/Users/doyler/tools/hashcat/rules/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:      433 H/s (17.69ms) @ Accel:4 Loops:64 Thr:64 Vec:1
Speed.#3.........:     2669 H/s (7.29ms) @ Accel:16 Loops:64 Thr:64 Vec:1
Speed.#*.........:     3103 H/s
Recovered........: 0/1 (0.00%) Digests
Progress.........: 0/1104517568 (0.00%)
Rejected.........: 0/0 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:7552-7616
Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:17536-17600
Candidates.#2....: chatty -> travon
Candidates.#3....: 123456 -> christal

Session..........: hashcat
Status...........: Cracked
Hash.Name........: KeePass 1 (AES/Twofish) and KeePass 2 (AES)
Hash.Target......: $keepass$*1*50000*0*74d3896b48ac6ed0aa07beef487459a...0842c7
Time.Started.....: Fri Oct 18 14:09:28 2019 (6 secs)
Time.Estimated...: Fri Oct 18 14:09:34 2019 (0 secs)
Guess.Base.......: File (/Users/doyler/tools/cracking/rockyou.txt)
Guess.Mod........: Rules (/Users/doyler/tools/hashcat/rules/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:      434 H/s (17.65ms) @ Accel:4 Loops:64 Thr:64 Vec:1
Speed.#3.........:     2700 H/s (7.23ms) @ Accel:16 Loops:64 Thr:64 Vec:1
Speed.#*.........:     3134 H/s
Recovered........: 1/1 (100.00%) Digests
Progress.........: 16384/1104517568 (0.00%)
Rejected.........: 0/16384 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:21376-21440
Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:49984-50000
Candidates.#2....: chatty -> travon
Candidates.#3....: 123456 -> christal

Started: Fri Oct 18 14:09:13 2019
Stopped: Fri Oct 18 14:09:35 2019

Using the password of ‘harrypotter’, I was able to open the database in MacPass.

BSides RDU EverSec CTF - MacPass

After looking through each of the entries, I found one that looked like a flag under ‘Instagram’.

BSides RDU EverSec CTF - KeePass flag

I entered in the correct flag and earned some points.


BSides RDU EverSec CTF – Strange Data 2

Next up was the ‘Strange Data 2’ challenge.

Like many of the crypto-based challenges, this was just a string hosted on the consultant’s page.


At first, I figured this was a base64 encoded string, so I decoded it.

root@kali:~/BSidesCTF# echo -ne 'NTQ6MzM6Njg6NjY6MzQ6NmM6NmM6NTM6MzM6NmQ6MzM6NzM6NzQ6MzM6NzI=' | base64 -D

The resulting string looked like ASCII encoded hex, so I used Python to clean it up and decode it.

>>> '54:33:68:66:34:6c:6c:53:33:6d:33:73:74:33:72'.replace(':', '').decode('hex')

I entered in this flag and got some more easy points.


Strange Data 2.1

Still on a crypto kick, I decided to move on to ‘Strange Data 2.1’.

Like the last challenge, I got a string that looked eerily like base64 encoded data.


After a few iterations, this looked like a string that the challenge creator reversed and then base64 encoded seven times.

root@kali:~/BSidesCTF# echo -ne 'Vm1wR2IyUXhVWGhYYmxKV1YwZG9XVmxVU205aFJsWnpWVzVPVlUxV1duaFdSekV3VZrZDRTMVpXV25WaFJtUlRaV3haZWxacVNqUlpWbHAwVkd0V1YySkhVbkJWYlhSM1VsWmFjVk50Y0ZCV2EwcFRWVVpSZDFCUlBUMD0=' | base64 -D | base64 -D | base64 -D | base64 -D | base64 -D | base64 -D | base64 -D | rev

I grabbed my flag and moved on to the next challenge.


BSides RDU EverSec CTF – Turtles

If you couldn’t figure out the pattern yet, the next challenge I solved was the ‘Turtles’ crypto challenge.


Based on years of trolling, the title, and some decoding, I figured out that this solution was just seven iterations of bas

root@kali:~/BSidesCTF# echo -ne 'Vm0xd1IxbFdaSEpPVm1oVVltdHdUMVpzV21GVk1XeHpZVVpPV0dKR1NsWlZWbEpEWVRBeFZrZDRSMVpWTVVWaGVqQTk=' | base64 -D | base64 -D | base64 -D | base64 -D | base64 -D | base64 -D | base64 -D

If you didn’t get the reference, then I recommend you check out this Wikipedia article.
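Since Strange Data 2, Strange Data 2.1 and Turtles all come down to peeling layers of base64 until something else appears, here is an added Python example (mine, not from the post) that automates the peeling and the colon-separated hex step. It only removes a layer when the decoded result is still printable text, which is how it avoids decoding a flag one layer too far; the seven-layer input in the test is constructed.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

_B64 = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
_COLON_HEX = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2})+$")


def _is_text(data: bytes) -> bool:
    """Printable ASCII (plus tab/newline/CR) only."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def strict_b64decode(data: bytes) -> Optional[bytes]:
    """Decode only well-formed, padded base64; anything else returns None."""
    data = data.strip()
    if not data or len(data) % 4 or not _B64.match(data):
        return None
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def peel_base64(blob: bytes, max_layers: int = 32) -> Tuple[bytes, int]:
    """Base64-decode repeatedly and return (innermost_text, layers_removed).
    A layer is only removed if its decoded form is still printable text, so a
    flag that happens to be valid base64 is not decoded into garbage."""
    current, layers = blob.strip(), 0
    while layers < max_layers:
        decoded = strict_b64decode(current)
        if decoded is None or not _is_text(decoded):
            break
        current, layers = decoded, layers + 1
    return current, layers


def recover(blob: bytes) -> Tuple[str, int]:
    """Peel the base64 layers, then apply the Strange Data 2 colon-hex step if
    the innermost text has that shape. Reversal (Strange Data 2.1) is left to
    the caller, since nothing in the text marks a string as reversed."""
    inner, layers = peel_base64(blob)
    text = inner.decode("ascii", errors="replace")
    if _COLON_HEX.match(text):
        text = bytes.fromhex(text.replace(":", "")).decode("ascii", errors="replace")
    return text, layers
```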


The next challenge I worked on was GPP, but I didn’t take any notes about the challenge description. That said, it was something along the lines of, “Are you down with GPP?”.

Based on the hint, I figured I could use gpp-decrypt to get the flag.

root@kali:~/BSidesCTF# gpp-decrypt Ol8DpxxEqiZ7qsK2CtYH4UM6id5mEVcZf/U2BU2jL9k=
/usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated

BSides RDU EverSec CTF – ASCII Art

The next crypto challenge that I worked on was Steve’s ASCII art.

.__.__ __ .__ __ .__.__ .__ __ _____ ______ ____ |__|__| _____ ________/ |_ |__| ______ _______/ |_|__| | | | _____ ________/ |_ \__ \ / ___// ___\| | | \__ \\_ __ \ __\ | |/ ___/ / ___/\ __\ | | | | \__ \\_ __ \ __\ / __ \_\___ \\ \___| | | / __ \| | \/| | | |\___ \ \___ \ | | | | |_| |__ / __ \| | \/| | (____ /____ >\___ >__|__|____(____ /__| |__|____|__/____ >____/____ > |__| |__|____/____/____(____ /__| |__| \/ \/ \/ /_____/ \/ /_____/ \/_____/ \/ /_____/ \/

This at once looked like ASCII art to me, so I just opened it in a browser and started adjusting the width manually.

BSides RDU EverSec CTF - ASCII Art

Note that I had some issues when I tried a text editor, but Chrome worked just fine!



The last crypto challenge that I looked at was ‘255’.


It took me a little while, but based on the hint/base64 output, I realized that this was XOR encrypted.

When I ran it through CyberChef, I was able to get the flag.

BSides RDU EverSec CTF - XOR brute

Key = 25: Good job, the flag is 7h3MOOni5doWn
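An added Python example (mine, not the post's or CyberChef's code) of what CyberChef's XOR brute force does here: try all 256 single-byte keys and rank the outputs by how much they look like text. The ciphertext is constructed by XORing the flag text shown above with key 25, since the challenge's own blob is not reproduced on the page.

```python
import base64
import string
from typing import List, Tuple

# Constructed ciphertext: the flag text shown above XORed with key 25, then
# base64-encoded. The challenge's own blob is not on the page, so this stands in.
PLAINTEXT = "Good job, the flag is 7h3MOOni5doWn"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


CIPHERTEXT_B64 = base64.b64encode(xor_bytes(PLAINTEXT.encode(), 25)).decode()

# Bytes we accept as "looks like text". Deliberately narrow: a candidate key
# that turns spaces into control characters or backticks should lose points.
_TEXTY = set(bytes(string.ascii_letters + string.digits + " ,.!?'{}_-", "ascii"))


def text_score(candidate: bytes) -> float:
    """Fraction of bytes in the accepted set, 0.0 to 1.0."""
    return sum(b in _TEXTY for b in candidate) / len(candidate) if candidate else 0.0


def brute_single_byte_xor(b64_blob: str, top: int = 3) -> List[Tuple[int, bytes, float]]:
    """Try every single-byte key 0..255 against the base64-decoded blob and
    return the `top` candidates as (key, plaintext, score), best first. Same
    idea as CyberChef's XOR Brute Force, minus the UI."""
    data = base64.b64decode(b64_blob)
    ranked = []
    for key in range(256):
        candidate = xor_bytes(data, key)
        ranked.append((key, candidate, text_score(candidate)))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked[:top]
```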


The final challenge I solved (at least for this post…) was CCC2.


While this was a massive base64 encoded string, I recognized it immediately as a serialized Java payload. This payload starts with rO0 (0xAC 0xED), which is a dead giveaway. For more information, you can check out this blog post.

When I ran this through a base64 decoder, I was able to find my flag towards the bottom. It was a ysoserial payload containing a Java string that was being echoed out, so that wasn’t too difficult.

BSides RDU EverSec CTF - ysoserial


BSides RDU EverSec CTF – Conclusion

This was another great CTF, and we had a ton of participants.

Let me know if you had any questions on these solutions, or one that I did not post about.

I have one or two more write-ups related to this CTF, so stay tuned for those as well!

Ray Doyle
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.
