LASACTF 2016 Write-Ups (Part 2)

Here continues part 2 of my LASACTF 2016 write-ups!

For reference, I have part 1 of the write-ups here.

Helpful – 60 XP

“I can’t Really C, I wonder who could help me out? I would really like their full name.”

Hints: [“zartik”, “You can solve this from any channel on freenode; aka no googling required!”]


While I wasn’t able to get the actual command (/help credits I believe) to work, I found a screenshot of the Freenode help credits.

LASACTF 2016 - Helpful

The flag was just zartik’s name, which is Daniel Hemmerich.

Client Side – 70 XP

“Kyle didn’t think his login form was secure enough, so he added Javascript! Smart Right?“

LASACTF 2016 - Client Side


Taking a look at the source of the page, I saw that there was some form of validation on POST.

LASACTF 2016 - Client Side source

Viewing the login.php source showed that some simple SQL injection was likely in $query.

LASACTF 2016 - Login SQL

Attempting a standard SQL injection (admin // ' or 1=1 -- -) in the login page returned an error, presumably from the previously mentioned validation.

LASACTF 2016 - Client Side validation

That said, throwing the payload into Burp logged me in and got the flag.

LASACTF 2016 - Login injection
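The lesson of this challenge is that the JavaScript check only runs in the browser, so anything that talks to login.php directly (Burp here) never sees it; the only control that matters is how login.php builds $query. The following is an added example, not the challenge's code: it stands up an in-memory SQLite table with a made-up user, shows the string-spliced query that the same ' or 1=1 -- - password bypasses, and the bound-parameter form that treats the payload as an ordinary (wrong) password. The table, user and password are constructed for the demo.

```python
import sqlite3

# Constructed stand-in for the challenge's users table (made-up credentials)
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Weak pattern: user input spliced straight into the SQL string.
    The password field becomes part of the query, so a quote breaks out
    of the literal and '-- -' comments away the rest."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_param(conn, username, password):
    """Hardened form: bound parameters, so the input is always data and the
    query shape cannot change no matter what the client sends."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# The payload from the write-up, used here as the password field
PAYLOAD = "' or 1=1 -- -"


def demo():
    """Run the same login attempts against both implementations."""
    return {
        "concat_real_password": login_concat(build_db(), "admin", "correct-horse"),
        "concat_payload": login_concat(build_db(), "admin", PAYLOAD),
        "param_real_password": login_param(build_db(), "admin", "correct-horse"),
        "param_payload": login_param(build_db(), "admin", PAYLOAD),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-22s logged in: %s" % (name, ok))
```

Client-side validation is still worth keeping for usability, but it belongs in addition to, never instead of, the server-side query fix.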


Pixels – 90 XP

“We intercepted these images: QR1.png and QR2.png, but we don’t know how they go together! Figure out the hidden message!”


I first tried various QR software, as well as inverting the images, but nothing seemed to work.

After a bit more research, I decided to try to find the differences between the two images.

root@kali:~/lasactf# convert QR1.png QR2.png \
> \( -clone 0 -clone 1 -compose difference -composite -threshold 0 \) \
> -delete 1 -alpha off -compose copy_opacity -composite -trim \
> QR.png

Once I ran the command, I was able to view my newly combined QR image with my barcode scanner.
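To make it clear what the ImageMagick pipeline above actually does, here is an added example (not from the write-up) that reproduces its three steps on plain 0/1 bitmaps: a pixel-wise difference, the -threshold 0 step that turns any difference into a set pixel, and -trim, which crops to the bounding box of the result. It also shows why two noise-looking images can "go together": the example splits a constructed finder-style pattern into a random mask and the mask XORed with the pattern, so neither share reveals anything alone and their difference restores the original. The pattern, border size and seed are all constructed for the demo.

```python
import random

# Constructed 7x7 pattern with a solid outer ring (like a QR finder pattern);
# 1 = black module, 0 = white
SECRET = [
    [1, 1, 1, 1, 1, 1, 1],
    [1, 0, 0, 0, 0, 0, 1],
    [1, 0, 1, 1, 1, 0, 1],
    [1, 0, 1, 1, 1, 0, 1],
    [1, 0, 1, 1, 1, 0, 1],
    [1, 0, 0, 0, 0, 0, 1],
    [1, 1, 1, 1, 1, 1, 1],
]


def pad(img, border):
    """Surround a bitmap with a white border (so there is something to trim)."""
    width = len(img[0]) + 2 * border
    blank = [[0] * width for _ in range(border)]
    body = [[0] * border + row + [0] * border for row in img]
    return blank + body + blank


def make_shares(secret, border=2, seed=1):
    """Split a bitmap into two shares: a random mask and mask XOR secret."""
    padded = pad(secret, border)
    rng = random.Random(seed)
    share_a = [[rng.randint(0, 1) for _ in row] for row in padded]
    share_b = [[a ^ s for a, s in zip(ra, rs)] for ra, rs in zip(share_a, padded)]
    return share_a, share_b


def image_difference(img_a, img_b):
    """'-compose difference -composite -threshold 0': any pixel that differs
    between the two images becomes 1, identical pixels become 0."""
    return [[1 if a != b else 0 for a, b in zip(ra, rb)] for ra, rb in zip(img_a, img_b)]


def trim(img):
    """'-trim': crop to the bounding box of the set pixels."""
    rows = [i for i, row in enumerate(img) if any(row)]
    cols = [j for j in range(len(img[0])) if any(row[j] for row in img)]
    if not rows:
        return []
    return [row[cols[0]:cols[-1] + 1] for row in img[rows[0]:rows[-1] + 1]]


def recover(share_a, share_b):
    """Combine two shares the same way the convert command does."""
    return trim(image_difference(share_a, share_b))


def render(img):
    """ASCII view of a bitmap, handy for eyeballing the result."""
    return "\n".join("".join("##" if px else "  " for px in row) for row in img)


if __name__ == "__main__":
    a, b = make_shares(SECRET)
    print("share A:\n" + render(a) + "\n")
    print("share B:\n" + render(b) + "\n")
    print("difference, trimmed:\n" + render(recover(a, b)))
```

For real PNGs you would load each image into a 2-D array of grayscale values first; the difference-threshold-trim logic is the same, and a reader that renders the trimmed result as square black-and-white modules is what the barcode scanner then decodes.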



Shiftier Letters – 120 XP

“There is a service running on, figure out how to talk to it.”


After connecting to the server a few times, I noticed that it would return a Caesar cipher with a random shift for each letter.

I tried to send the responses manually, but the server cut off after about ten seconds.

I wrote a quick and dirty Python script with a dictionary lookup to find real words in the plaintext.


import enchant
import socket
import string


def caesar_letter(symbol, key):
    # Shift one lowercase letter back by `key`; anything else passes through unchanged
    if symbol in string.ascii_lowercase:
        return string.ascii_lowercase[(string.ascii_lowercase.find(symbol) - key) % 26]
    return symbol


def caesar(msg, key):
    return ''.join(caesar_letter(l, key) for l in msg.lower())


def main():
    # dictionary = enchant.Dict("en_US")
    dictionary = enchant.request_pwl_dict("wordlist.txt")  # personal word list, one word per line
    s = socket.socket()
    host = ""  # challenge host, omitted in the write-up
    port = 4056
    s.connect((host, port))
    while True:
        cipher = s.recv(1024).decode(errors="replace").strip()  # Python 3: bytes -> str
        print(cipher)
        if cipher == "Incorrect" or cipher == "":
            break
        # Try all 26 shifts; the first one that produces a real word of more than
        # four letters is taken as the plaintext and sent back before the cutoff
        for key in range(26):
            code = caesar(cipher, key)
            if any(len(word) > 4 and dictionary.check(word) for word in code.split()):
                s.send((code + "\n").encode())
                break
    s.close()


if __name__ == "__main__":
    main()

Pointing this at the server, I was able to (after a few tries) get through the right number of challenges and receive the flag.

You made it to the end! lasactf{shif73d-3n0ugh-ar3-we}
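The dictionary approach above works as long as the wordlist contains at least one long word from each message. As an added example (not from the write-up), here is the same attack on a shift cipher done without any wordlist: each of the 26 candidate plaintexts is scored against a standard English letter-frequency table with a chi-squared statistic, and the lowest score wins. A small round simulator stands in for the challenge server so the solver can be exercised offline; the sample sentences, keys and the round format are constructed for the demo, and the real service's exact prompt is not reproduced.

```python
import string

# Standard English single-letter frequencies, in percent
ENGLISH_FREQ = {
    'a': 8.167, 'b': 1.492, 'c': 2.782, 'd': 4.253, 'e': 12.702, 'f': 2.228,
    'g': 2.015, 'h': 6.094, 'i': 6.966, 'j': 0.153, 'k': 0.772, 'l': 4.025,
    'm': 2.406, 'n': 6.749, 'o': 7.507, 'p': 1.929, 'q': 0.095, 'r': 5.987,
    's': 6.327, 't': 9.056, 'u': 2.758, 'v': 0.978, 'w': 2.360, 'x': 0.150,
    'y': 1.974, 'z': 0.074,
}


def caesar_shift(msg, key):
    """Shift lowercase letters forward by `key` (negative key shifts back);
    everything else passes through unchanged."""
    out = []
    for ch in msg:
        if ch in string.ascii_lowercase:
            out.append(string.ascii_lowercase[(string.ascii_lowercase.index(ch) + key) % 26])
        else:
            out.append(ch)
    return ''.join(out)


def chi_squared(text):
    """How far the letter counts of `text` are from English; lower is better."""
    letters = [c for c in text.lower() if c in string.ascii_lowercase]
    n = len(letters)
    if n == 0:
        return float('inf')
    score = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = n * pct / 100.0
        observed = letters.count(letter)
        score += (observed - expected) ** 2 / expected
    return score


def crack_caesar(ciphertext):
    """Return (key, plaintext) for the shift whose decryption looks most like English."""
    best_key = min(range(26), key=lambda k: chi_squared(caesar_shift(ciphertext, -k)))
    return best_key, caesar_shift(ciphertext, -best_key)


# Constructed rounds standing in for the challenge server: (plaintext, random key)
ROUNDS = [
    ("the server sends a short english sentence encrypted with a random shift and "
     "expects the plaintext back within a few seconds so the client has to recover "
     "the shift on its own", 11),
    ("every round uses a different key so the answer from the previous message "
     "tells you nothing about the next one and the whole thing must be automated", 3),
]


def simulate_rounds(rounds):
    """Play each round: the 'server' encrypts, the solver answers, the server checks.
    Returns the number of rounds answered correctly."""
    solved = 0
    for plaintext, key in rounds:
        challenge = caesar_shift(plaintext, key)
        _, answer = crack_caesar(challenge)
        if answer == plaintext:
            solved += 1
    return solved


if __name__ == "__main__":
    for plaintext, key in ROUNDS:
        challenge = caesar_shift(plaintext, key)
        found_key, answer = crack_caesar(challenge)
        print("challenge: %s\nkey %d -> %s\n" % (challenge, found_key, answer))
    print("solved %d of %d rounds" % (simulate_rounds(ROUNDS), len(ROUNDS)))
```

Frequency scoring needs a few dozen letters to be reliable, which the challenge messages comfortably provide; on very short inputs the dictionary check in the original script is the safer bet, and the two can be combined by using the wordlist only to break ties.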
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (currently GXPN) or side project to work on, he enjoys playing video games, traveling, and watching sports.
