LASACTF 2016 Write-Ups (Part 1)

I know it is a bit late, but I’m finally getting around to posting my LASACTF write-ups.

This was an online CTF that took place my last full week in Belgium (19-26 March).

I wound up competing by myself, and ended up 74th on the unranked scoreboard in spite of having to pack and leave the country.

The problems are available on their GitHub, but I’ll go over the ones that I was able to solve during the competition.

Shift Letters – 10 XP

Input:
Kyle got his letters confused. Help him out: Dayq ymk rmxx, ngf yk oubtqd iuxx dqymuz. Fmwq ftue rxms uz dqyqyndmzoq: xmemofr{nq_eturfqp_za_yadq}

Solution

I ran this through an online Caesar Cipher solver a few times, and it ended up being a shift of 14.

Output:
Rome may fall, but my cipher will remain. Take this flag in remembrance: lasactf{be_shifted_no_more}
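Added example (not part of the original write-up): instead of trying shifts by hand in an online solver, the known flag prefix can be used as a crib to pin down the shift automatically. The function names are illustrative; the ciphertext is the one from the challenge above.

```python
import string

# Ciphertext copied from the challenge text above.
CIPHERTEXT = ("Dayq ymk rmxx, ngf yk oubtqd iuxx dqymuz. "
              "Fmwq ftue rxms uz dqyqyndmzoq: xmemofr{nq_eturfqp_za_yadq}")
CRIB = "lasactf{"  # known flag prefix, used as a known-plaintext crib


def shift_text(text, shift):
    """Rotate ASCII letters forward by `shift`, keeping case and punctuation."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def recover_shift(ciphertext, crib=CRIB):
    """Return every shift whose decryption contains the crib (case-insensitive)."""
    return [s for s in range(26) if crib in shift_text(ciphertext, s).lower()]


def solve(ciphertext, crib=CRIB):
    """Return (shift, plaintext); fail loudly if the crib is absent or ambiguous."""
    shifts = recover_shift(ciphertext, crib)
    if len(shifts) != 1:
        raise ValueError(f"crib did not pin down a unique shift: {shifts}")
    return shifts[0], shift_text(ciphertext, shifts[0])


if __name__ == "__main__":
    shift, plaintext = solve(CIPHERTEXT)
    print(shift, plaintext)
```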

Four-Oh-Four – 10 XP

“We were trying to make an introductory web problem, but messed up somewhere along the way. http://web.lasactf.com:45025”

Solution

This was just a matter of going to the fake 404 page and viewing the source.

lasactf{welc0m3_to_web_dev}

Easy Symbols – 20 XP

“Force, course, horse, norse, source, torse. What does EZ.txt mean?”
Note: Flag not in LASACTF{} format

Solution

Based on the simple rhyme, as well as the file data, I figured this was Morse code. After throwing it into an online solver, I got the flag ‘morsewascool’.

morsewascool

Easy – 30 XP

“Find the flag in easy.exe”

Solution

Running this application through strings and grep got the flag that we were supposed to be looking for.

root@kali:~/lasactf# strings easy.exe | grep lasactf
lasactf{th1s_fl4g_i5_3asy}

R3ndom Eye – 40 XP

“The flag is in the eyeofthetiger.png of the beholder.”

Solution

After reading a bit more about file carving, I realized that this was two files concatenated together.

Using a hex editor, I split apart the JPEG and the PNG files.

Once the files were split, I was able to open the newly created PNG file and get my flag.

lasactf{rip_my_curly_braces}
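Added example (not part of the original write-up): the same split done programmatically rather than in a hex editor, by locating the PNG signature and walking its chunks to IEND with CRC checks. The sample blob, including the JPEG-then-PNG order and the trailing bytes, is constructed for illustration and is not the challenge file.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data)))


def carve_png(blob):
    """Return (offset, png_bytes) for the first well-formed PNG inside blob."""
    start = blob.find(PNG_SIG)
    while start != -1:
        pos = start + len(PNG_SIG)
        try:
            while True:
                length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
                body = blob[pos + 8:pos + 8 + length]
                (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
                if len(body) != length or zlib.crc32(ctype + body) != crc:
                    break  # corrupt chunk: this signature was a false hit
                pos += 12 + length
                if ctype == b"IEND":
                    return start, blob[start:pos]  # stop at IEND, drop trailing data
        except struct.error:
            pass  # ran off the end of the data: truncated PNG
        start = blob.find(PNG_SIG, start + 1)
    raise ValueError("no complete PNG found")


# Constructed sample: a JPEG-like stub, a 1x1 grayscale PNG, then trailing junk.
SAMPLE_PNG = (PNG_SIG
              + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + _chunk(b"IEND", b""))
SAMPLE_BLOB = b"\xff\xd8\xff\xe0stub-jpeg-data\xff\xd9" + SAMPLE_PNG + b"trailing"

if __name__ == "__main__":
    offset, png = carve_png(SAMPLE_BLOB)
    print(f"PNG at offset {offset}, {len(png)} bytes")
```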

Grep Quest – 40 XP

“Locate the flag in all the words at /grepy-words/”

Solution

This was another grep challenge on their virtual host.

doyler@shell:~$ cat /problems/grep-quest_0/grepy-words/* | grep "lasactf{"
m)Q9s`]U9\0yg5cj{<4^VtFxs:pU8Bx3{d&F@4IFn.D oh#DN}xkAq]!h-

< ...snip... >

m'qsA7CUlasactf{1_am_a_h1dd3n_p0tat0}DeC`R

lasactf{1_am_a_h1dd3n_p0tat0}

Lost Extensions – 50 XP

This "Extensions" file got sad and threw away its extension! Maybe you can figure out what it's supposed to be?

Solution

Running the file command on this file showed that it was a zip archive, which I was then able to extract.

root@kali:~/lasactf# file Extensions
Extensions: Zip archive data, at least v2.0 to extract
root@kali:~/lasactf# mv Extensions Extensions.zip
root@kali:~/lasactf# unzip Extensions.zip
Archive:  Extensions.zip
  inflating: I'mLost ;(             
root@kali:~/lasactf# file I\'mLost\ \;\(
I'mLost ;(: ASCII text

Inside the new file was a bunch of line-separated numbers (possibly coordinates).

root@kali:~/lasactf# cat I\'mLost\ \;\(
o asqwerd
v 7.517223 0.217741 0.144000
v 7.500482 0.214009 0.144000
v 7.486061 0.207875 0.144000
v 7.473806 0.199407 0.144000
v 7.463565 0.188676 0.144000
v 7.455185 0.175750 0.144000
v 7.448514 0.160699 0.144000
v 7.443399 0.143593 0.144000
v 7.439686 0.124500 0.144000
v 7.437223 0.103491 0.144000
v 7.435857 0.080634 0.144000
v 7.435436 0.056000 0.144000
< ... snip ... >

After a bit of research, these appeared to be vertices for the OBJ file format.

Once I downloaded

root@kali:~/lasactf# mv I\'mLost\ \;\( ext.obj
root@kali:~/lasactf# ls
easy.exe  Extensions.zip  ext.obj  eyeofthetiger.png
root@kali:~/lasactf# g3dviewer ext.obj
D: setting open path to '/root/lasactf/.'

lasactf{wh0_n33ds_3xt3nsions}

Postman – 50 XP

"Kyle made a super secure website only accessible by the Google Ultron browser. Figure out how to login to his site."

Solution

Well, upon first glance the site was expecting the request to come from the "Google Ultron" browser.

First of all, for those of you unfamiliar with this, I highly recommend you read up on the meme.

After changing my user-agent, I got an error that the SpecialAuth header wasn't set properly.

Once I set the SpecialAuth header, there was still an error about where I was accessing the site from.

Changing the header finally got me to the page, and the flag I was looking for.

lasactf{h3aders_ar3_c00l}

doyler

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!


He currently serves as a Senior Penetration Testing Consultant for SecureWorks. His previous position was a Senior Penetration Tester for a major financial institution.


When he’s not figuring out what cert to get next (OSCE?!) or side project to work on, he enjoys playing video games, traveling, and watching sports.

