Here is part 2 of my LASACTF 2016 write-ups!
For reference, I have part 1 of the write-ups here.
“I can’t Really C, I wonder who could help me out? I would really like their full name.”
Hints: [“zartik”, “You can solve this from any channel on freenode; aka no googling required!”]
While I wasn’t able to get the actual command (/help credits, I believe) to work, I found a screenshot of the Freenode help credits.
The flag was just zartik’s name, which is Daniel Hemmerich.
“Kyle didn’t think his login form was secure enough, so he added Javascript! Smart Right? http://web.lasactf.com:63017”
Taking a look at the source of the page, I saw that there was some form of validation on POST.
Viewing the login.php source showed that some simple SQL injection was likely in $query.
Attempting a standard SQL injection (admin // ' or 1=1 -- -) in the login page returned an error, presumably from the previously mentioned validation.
That said, sending the same payload directly through Burp, which skips the browser-side JavaScript entirely, logged me in and got the flag.
lasactf{cl1ent_sid3_b3st_s1de}
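The lesson of this challenge is that JavaScript validation runs only in the visitor's browser and a proxy simply never executes it, so the server-side query has to be safe on its own. The following is an added example (not the challenge's real login.php, whose schema and query are not shown in the write-up) that models the likely shape of the bug with sqlite3: a string-built query that the page's payload bypasses, next to a parameterized query that treats the same input as plain data. Table name, column names and the stored credential are constructed for the demo.

```python
import sqlite3

# Constructed demo schema and credential; not the challenge's real database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    return conn

def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so quotes in the input become SQL syntax.
    With password  ' or 1=1 -- -  the WHERE clause turns into
    username = 'admin' AND password = '' or 1=1 -- -'   (the tail is a comment)."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Binds the input as parameters; the database never parses it as SQL.
    This is the server-side fix. Client-side JavaScript checks cannot substitute for it,
    because anyone can send the POST without the page's script ever running."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None

PAYLOAD = "' or 1=1 -- -"   # the injection string from the write-up

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "admin", PAYLOAD))   # logs in as admin
    print("parameterized:", login_safe(db, "admin", PAYLOAD))      # None: rejected
```

Running it shows the string-built version returning `admin` for the payload while the parameterized version returns `None`; the only thing the JavaScript check ever adds is a small speed bump for a browser user.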
“We intercepted these images: QR1.png and QR2.png, but we don’t know how they go together! Figure out the hidden message!”
I first tried various QR software, as well as inverting the images, but nothing seemed to work.
After a bit more research, I decided to try to find the differences between the two images.
root@kali:~/lasactf# convert QR1.png QR2.png \
> \( -clone 0 -clone 1 -compose difference -composite -threshold 0 \) \
> -delete 1 -alpha off -compose copy_opacity -composite -trim \
> QR.png
Once I ran the command, I was able to view my newly combined QR image with my barcode scanner.
lasactf{QR_c0d35_ar3_n3at}
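To make the ImageMagick pipeline above concrete, here is an added pure-Python model of it (not from the write-up, and not using the real QR1.png/QR2.png): the difference of the two images thresholded to a mask, the mask copied in as the alpha channel of the first image, and the result trimmed to its opaque bounding box. The two toy "images" are constructed character grids where '#' is a dark module and '.' a light one.

```python
# Constructed toy images: '#' = dark module, '.' = light module. Not the real files.
QR1 = [
    "########",
    "#......#",
    "#.#.#..#",
    "#..#...#",
    "#.#.#..#",
    "#......#",
    "########",
]
# Identical to QR1 except that the 3x3 block at rows 2-4, cols 2-4 is blank.
QR2 = [
    "########",
    "#......#",
    "#......#",
    "#......#",
    "#......#",
    "#......#",
    "########",
]
TRANSPARENT = " "

def diff_mask(img_a, img_b):
    """-compose difference -composite -threshold 0: True wherever the pixels differ."""
    if len(img_a) != len(img_b) or any(len(r) != len(s) for r, s in zip(img_a, img_b)):
        raise ValueError("images must have the same dimensions")
    return [[a != b for a, b in zip(row_a, row_b)] for row_a, row_b in zip(img_a, img_b)]

def copy_opacity(img, mask):
    """-compose copy_opacity -composite: keep img where the mask is set, else transparent."""
    return ["".join(p if m else TRANSPARENT for p, m in zip(row, mrow))
            for row, mrow in zip(img, mask)]

def trim(img):
    """-trim: crop to the bounding box of non-transparent pixels."""
    rows = [y for y, row in enumerate(img) if row.strip(TRANSPARENT)]
    if not rows:
        return []   # the images were identical: nothing is hidden in the difference
    cols = [x for x in range(len(img[0])) if any(row[x] != TRANSPARENT for row in img)]
    y0, y1, x0, x1 = rows[0], rows[-1], cols[0], cols[-1]
    return [row[x0:x1 + 1] for row in img[y0:y1 + 1]]

def extract_hidden(img_a, img_b):
    """Whole pipeline: mask = diff(a, b); result = trim(a with the mask as alpha)."""
    return trim(copy_opacity(img_a, diff_mask(img_a, img_b)))

if __name__ == "__main__":
    for line in extract_hidden(QR1, QR2):
        print(line)
```

On the toy input only the five modules that differ survive, and trimming leaves a 3x3 "X"; on the real challenge the surviving modules formed a scannable code. The dimension check matters in practice: two images that differ in size produce a meaningless mask, and ImageMagick's own pipeline would silently compose them offset.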
“There is a service running on web.lasactf.com:4056, figure out how to talk to it.”
After connecting to the server a few times, I noticed that it would return a Caesar cipher with a random shift for each letter.
I tried to send the responses manually, but the server cut off after about ten seconds.
I wrote a quick and dirty Python script with a dictionary lookup to find real words in the plaintext.
#!/usr/bin/python
import enchant
import socket
import string
from time import sleep


def caesar_letter(symbol, key):
    # Shift a lowercase letter back by key positions; leave everything else alone.
    if symbol in string.ascii_lowercase:
        return string.ascii_lowercase[(string.ascii_lowercase.find(symbol) - key) % 26]
    else:
        return symbol


def caesar(msg, key):
    return ''.join(caesar_letter(l, key) for l in msg.lower())


def main():
    #dictionary = enchant.Dict("en_US")
    dictionary = enchant.request_pwl_dict("wordlist.txt")
    s = socket.socket()
    host = "web.lasactf.com"
    port = 4056
    s.connect((host, port))
    while True:
        sleep(0.1)
        cipher = s.recv(1024)
        print cipher
        if cipher == "Incorrect" or cipher == "":
            break
        # Try every shift; answer with the first decryption that contains a
        # dictionary word longer than four letters, then stop trying keys so
        # only one answer is sent per round.
        answered = False
        for key in range(26):
            if answered:
                break
            code = caesar(cipher, key)
            for word in code.split():
                if len(word) > 4 and dictionary.check(word):
                    s.sendall(code)
                    answered = True
                    break
    s.close()


if __name__ == "__main__":
    main()
Pointing this at the server, I was able to (after a few tries) get through the right number of challenges and receive the flag.
You made it to the end! lasactf{shif73d-3n0ugh-ar3-we}
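The script above depends on the live server and on the enchant library, so it cannot be tried offline. This added example (mine, not the write-up's) isolates the decoding step: it brute-forces all 26 shifts against a small constructed wordlist and, instead of answering on the first word that checks out, ranks every key by how many dictionary words it produces. That handles the failure mode the "after a few tries" hints at, where a wrong shift happens to yield one real word. The wordlist and the sample message are constructed for the demo.

```python
import string

LOWER = string.ascii_lowercase

# Constructed wordlist standing in for the wordlist.txt loaded by the script above.
WORDLIST = {"which", "shift", "makes", "these", "words", "readable", "again",
            "flag", "message", "server", "correct"}

def caesar_shift(msg, key):
    """Shift each lowercase letter forward by key positions (negative key to undo)."""
    out = []
    for ch in msg.lower():
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)

def score(plaintext, wordlist, min_len=4):
    """Number of tokens of at least min_len letters that appear in the wordlist."""
    tokens = (t.strip(string.punctuation) for t in plaintext.split())
    return sum(1 for t in tokens if len(t) >= min_len and t in wordlist)

def solve(cipher, wordlist):
    """Try all 26 keys and return (key, plaintext) with the most dictionary hits.

    Scoring the whole candidate, rather than stopping at the first single word
    that checks out, keeps a stray real word in a wrong decryption from winning.
    Returns None when no key yields any dictionary word.
    """
    best_key, best_text, best_score = None, None, 0
    for key in range(26):
        candidate = caesar_shift(cipher, -key)
        s = score(candidate, wordlist)
        if s > best_score:
            best_key, best_text, best_score = key, candidate, s
    if best_key is None:
        return None
    return best_key, best_text

if __name__ == "__main__":
    # Constructed round: the plaintext shifted by 7, as the server might send it.
    challenge = caesar_shift("which shift makes these words readable again", 7)
    print(challenge)
    print(solve(challenge, WORDLIST))
```

In the networked script, `solve()` would replace the key/word loops: send the returned plaintext when it is not `None`, and treat `None` as a round where the wordlist is too small rather than sending a guess.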
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.