LASACTF 2016 Write-Ups (Part 2)

Here continues part 2 of my LASACTF 2016 write-ups!

For reference, I have part 1 of the write-ups here.

Helpful – 60 XP

I can’t Really C, I wonder who could help me out? I would really like their full name.”

Hints: [“zartik”, “You can solve this from any channel on freenode; aka no googling required!”]

Solution

While I wasn’t able to get the actual command (/help credits I believe) to work, I found a screenshot of the Freenode help credits.

LASACTF 2016 - Helpful

The flag was just zartik’s name, which is Daniel Hemmerich.

Client Side – 70 XP

“Kyle didn’t think his login form was secure enough, so he added Javascript! Smart Right? http://web.lasactf.com:63017“,

LASACTF 2016 - Client Side

Solution

Taking a look at the source of the page, I saw that there was some form of validation on POST.

LASACTF 2016 - Client Side source

Viewing the login.php source showed that some simple SQL injection was likely in $query.

LASACTF 2016 - Login SQL

Attempting a standard SQL injection (admin // ‘ or 1=1 — -) in the login page returned an error, presumably from the previously mentioned validation.

LASACTF 2016 - Client Side validation

That said, throwing the payload into Burp logged me in and got the flag.

LASACTF 2016 - Login injection

lasactf{cl1ent_sid3_b3st_s1de}

Pixels – 90 XP

“We intercepted these images: QR1.png and QR2.png, but we don’t know how they go together! Figure out the hidden message!”

Solution

I first tried various QR software, as well as inverting the images, but nothing seemed to work.

After a bit more research, I decided to try to find the differences between the two images.

root@kali:~/lasactf# convert QR1.png QR2.png \
> \( -clone 0 -clone 1 -compose difference -composite -threshold 0 \) \
> -delete 1 -alpha off -compose copy_opacity -composite -trim \
> QR.png

Once I ran the command, I was able to view my newly combined QR image with my barcode scanner.

LASACTF 2016 - QR

lasactf{QR_c0d35_ar3_n3at}

Shiftier Letters – 120 XP

“There is a service running on web.lasactf.com:4056, figure out how to talk to it.”

Solution

After connecting to the server a few times, I noticed that it would return a Caeser cipher with a random shift for each letter.

I tried to send the responses manually, but the server cut off after about ten seconds.

I wrote a quick and dirty Python script with a dictionary lookup to find real words in the plaintext.

#!/usr/bin/python

import enchant
import socket
import string
from time import sleep

def caesar_letter(symbol, key):
    if symbol in string.ascii_lowercase:
        return string.ascii_lowercase[(string.ascii_lowercase.find(symbol) - key) % 26]
    else:
        return symbol

def caesar(msg, key):
    return ''.join(caesar_letter(l, key) for l in msg.lower())
   
def main():   
    #dictionary = enchant.Dict("en_US")
    dictionary = enchant.request_pwl_dict("wordlist.txt")
   
    s = socket.socket()
    host = "web.lasactf.com"
    port = 4056
   
    s.connect((host, port))
   
    while True:
        sleep(0.1)
        cipher = s.recv(1024)
        print cipher
       
        if cipher =="Incorrect" or cipher == "":
            break
   
        for key in range(26):
            code = caesar(cipher, key)
            d = code.split()
            for word in d:
                if len(word) > 4:
                    if dictionary.check(word):
                        s.sendall(code)
                        break
    
    s.close()
   
if __name__=="__main__":
     main()

Pointing this at the server, I was able to (after a few tries) get through the right number of challenges and receive the flag.

You made it to the end! lasactf{shif73d-3n0ugh-ar3-we}
doyler on Githubdoyler on Twitter
doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for SecureWorks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (OSCE?!) or side project to work on, he enjoys playing video games, traveling, and watching sports.

Leave a Comment

Filed under Security Not Included

Leave a Reply

Your email address will not be published. Required fields are marked *

*