Tuesday, September 22, 2015

CSAW 2015 - Recon & Trivia


The Recon on this CTF was very involved, and I love it whenever challenges like these are designed and presented well.

It felt like the point count vs. effort was a little off overall in this CTF, but I still enjoyed solving each of these!

Julian Cohen (100)


The "Julian Cohen" challenge was one of the easiest of all the Recon ones.  Search for "CTF Julian Cohen" and you find the Twitter handle HockeyInJune, recognizable as one of the admins of the CSAW CTF.  The tweet read:
Enough cocks, cabs, hockey, laser beams, and dates.  This year's recon challenge is going to be easy:
flag{f7da7636727524d8681ab0d2a072d663}
Source: https://twitter.com/HockeyInJune/status/641716034068684800

And just like the tweet says.. that one was easy! : )


Alexander Taylor (100)


This challenge was definitely the most involved.  It felt like it could've been worth 150-200 pts instead of 100.  There were multiple steps, starting from this URL:
http://fuzyll.com/csaw2015/start

This link responds with some text:
CSAW 2015 FUZYLL RECON PART 1 OF ?: Oh, good, you can use HTTP! The next part is at /csaw2015/<the acronym for my university's hacking club>.

So the first clue tells us to look up the acronym of his university's hacking club.
Searching for this yields the following article:
Google Query: "Alexander Taylor" + club hacking security
http://www.usforacle.com/news/view.php/688459/Students-hacked-their-way-into-national-
Whitehatters (WCSC) is the club named in the article, so "wcsc" is the acronym we need.

Now trying http://fuzyll.com/csaw2015/wcsc, we get a response with the next clue:
CSAW 2015 FUZYLL RECON PART 2 OF ?: TmljZSB3b3JrISBUaGUgbmV4dCBwYXJ0IGlzIGF0IC9jc2F3MjAxNS88bXkgc3VwZXIgc21hc2ggYnJvdGhlcnMgbWFpbj4uCg==
Okay, base64 decode that (-D is the macOS base64 flag; GNU coreutils spells it -d), and we get:
$ echo 'TmljZSB3b3JrISBUaGUgbmV4dCBwYXJ0IGlzIGF0IC9jc2F3MjAxNS88bXkgc3VwZXIgc21hc2ggYnJvdGhlcnMgbWFpbj4uCg==' | base64 -D

Nice work! The next part is at /csaw2015/<my super smash brothers main>.

Now we need to find the Super Smash Bros. main character he uses. Earlier, while searching his name, I had found his Twitter handle and recognized it the same way I recognized HockeyInJune: https://twitter.com/fuzyll

Looking at his Tweets & Replies I found this message - https://twitter.com/fuzyll/status/629388270791581697
@who_is_KDB: I analyzed a game of yours in a SmashBoards thread (http://smashboards.com/threads/unpopular-opinion-yoshi-is-not-high-tier-evidence-inside.412944/page-2#post-19852453 …). Thoughts?

Following that link, I found his Smashboards forum profile.  Hovering over the icons under his avatar, one of them says "main".  Going into his profile you get a clear listing with the character names displayed: http://smashboards.com/members/fuzyll.300464/#info
...
Smash 64 Main: Ness
Melee Main: Ness
Brawl Main: Random
Smash WiiU Main: Yoshi

I tried Ness / ness first, but that didn't work... Then I tried Yoshi (my favorite character), and that was it!

http://fuzyll.com/csaw2015/yoshi


This cute image of Yoshi was the only thing on the page.  When I saved it, the browser gave the file a .txt extension.

The extension doesn't change the bytes: it is still a PNG (the `file` command, or the "IHDR" right after the first few bytes, confirms it), so running strings on it gives us this:

$ strings ~/Downloads/yoshi.txt | head

IHDR
bKGD
pHYs
tIME
tEXtComment
CSAW 2015 FUZYLL RECON PART 3 OF ?: Isn't Yoshi the best?! The next egg in your hunt can be found at /csaw2015/.
IDATx
smBl
$h;!|
yYp19dn
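strings worked here because a PNG tEXt chunk stores its keyword and text as uncompressed Latin-1. It would miss a comment stored in a zTXt chunk (zlib-compressed) and it tells you nothing about whether the file is intact. The following added example, which is my own code and not part of the original write-up or the challenge, walks the PNG chunk list properly: it checks the signature, verifies every chunk's CRC, and pulls the text out of both tEXt and zTXt chunks. Since the Yoshi image itself is not reproduced here, the example builds a constructed 1x1 PNG carrying a sample comment and parses that; the file name yoshi.txt in the usage line is only an assumed argument.

```python
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Serialise one chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def build_sample_png(comment: str) -> bytes:
    """Constructed test image (1x1 RGB) carrying `comment` as a tEXt and as a zTXt chunk.

    This stands in for the challenge's Yoshi PNG, which is not reproduced here.
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth 8, colour type 2 (RGB)
    scanline = b"\x00" + b"\x00\xff\x00"                  # filter type 0 followed by one green pixel
    text = b"Comment\x00" + comment.encode("latin-1")
    ztxt = b"Comment\x00\x00" + zlib.compress(comment.encode("latin-1"))  # method byte 0 = zlib
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"tEXt", text)
            + png_chunk(b"zTXt", ztxt)
            + png_chunk(b"IDAT", zlib.compress(scanline))
            + png_chunk(b"IEND", b""))


def iter_chunks(data: bytes):
    """Yield (type, payload) for each chunk, verifying the signature and every CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad 8-byte signature")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise ValueError(f"truncated {ctype!r} chunk at offset {pos}")
        payload = data[start:end]
        (stored_crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != stored_crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk at offset {pos}")
        yield ctype, payload
        pos = end + 4
        if ctype == b"IEND":
            break


def extract_text_chunks(data: bytes) -> list:
    """Return [(chunk_type, keyword, text)] for every tEXt and zTXt chunk in the file."""
    found = []
    for ctype, payload in iter_chunks(data):
        if ctype == b"tEXt":
            keyword, _, text = payload.partition(b"\x00")
            found.append(("tEXt", keyword.decode("latin-1"), text.decode("latin-1")))
        elif ctype == b"zTXt":
            keyword, _, rest = payload.partition(b"\x00")
            if rest[:1] == b"\x00":  # compression method 0 (zlib) is the only one defined
                text = zlib.decompress(rest[1:]).decode("latin-1")
                found.append(("zTXt", keyword.decode("latin-1"), text))
    return found


if __name__ == "__main__":
    # Usage: python png_text.py yoshi.txt   (with no argument, parses the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_png("constructed sample comment")
    for ctype, keyword, text in extract_text_chunks(blob):
        print(f"{ctype} {keyword}: {text}")
```

The CRC check is what makes this more than a fancier strings: a chunk whose CRC fails has been modified or truncated, which is worth knowing before you trust text pulled out of a file a challenge server handed you.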

The missing piece of that path was the cryptosystem he had to break during his first Defcon Quals CTF.

This admittedly took me a long time to figure out.  After looking again at his CTF group in college, "Whitehatters (WCSC)", I found a listing of their competition history:
http://www.wcsc.usf.edu/scoreboard

Looking at that page, we can find the Defcon Quals they participated in. I looked around for a while for any writeups they may have posted for those challenges; finding none, I looked for writeups by other teams instead.

In one Defcon 18 Quals writeup collection I noticed a crypto challenge featuring the Enigma:
http://www.vnsecurity.net/ctf%20-%20clgt%20crew/2010/05/25/defcon-18-quals-writeups-collection.html

And trying that produced the next clue: http://fuzyll.com/csaw2015/enigma
CSAW 2015 FUZYLL RECON PART 4 OF 5: Okay, okay. This isn't Enigma, but the next location was "encrypted" with the JavaScript below: Pla$ja|p$wpkt$kj$}kqv$uqawp$mw>$+gwes6451+pla}[waa[ia[vkhhmj

var s = "THIS IS THE INPUT"   // put the "encrypted" string here to reverse it
var c = ""
for (var i = 0; i < s.length; i++) {
    // XOR with a single byte is its own inverse, so the same loop encrypts and decrypts
    c += String.fromCharCode(s.charCodeAt(i) ^ 0x4);
}
console.log(c);

Okay, at this point I'm thinking... yes, only one more after this; that question mark had me worried earlier.
This one was cake: XOR with a single key byte is its own inverse, so feeding the ciphertext back through the same operation recovers the plaintext. I used Python for this instead of JavaScript because it looks a little cleaner:
$ python
>>> ''.join([chr(ord(x) ^ 0x4) for x in "Pla$ja|p$wpkt$kj$}kqv$uqawp$mw>$+gwes6451+pla}[waa[ia[vkhhmj"])

'The next stop on your quest is: /csaw2015/they_see_me_rollin'
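Here the challenge handed us the key (0x4). In the more common situation you are handed only the ciphertext, and because a single-byte XOR has just 256 keys the right move is to try them all and score the candidates. The following added example, my own code rather than anything from the original write-up or the challenge author, does that in two ways over the challenge string: a blind search ranked by printable-ASCII and English letter frequency, and a known-plaintext search using the crib /csaw2015/ (a reasonable guess here, since every step of this chain lived under that path). The frequency table is an approximation I supply, not something from the page.

```python
import math

# Ciphertext from the challenge page (part 4 of the Fuzyll recon chain).
CIPHERTEXT = b"Pla$ja|p$wpkt$kj$}kqv$uqawp$mw>$+gwes6451+pla}[waa[ia[vkhhmj"

# Approximate English letter/space frequencies (assumed values) used to rank candidates.
FREQ = {
    " ": 0.130, "e": 0.127, "t": 0.091, "a": 0.082, "o": 0.075, "i": 0.070,
    "n": 0.067, "s": 0.063, "h": 0.061, "r": 0.060, "d": 0.043, "l": 0.040,
    "c": 0.028, "u": 0.028, "m": 0.024, "w": 0.024, "f": 0.022, "g": 0.020,
    "y": 0.020, "p": 0.019, "b": 0.015, "v": 0.010, "k": 0.008, "j": 0.002,
    "x": 0.002, "q": 0.001, "z": 0.001,
}


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def english_score(candidate: bytes) -> float:
    """Higher is more English-like; -inf as soon as any byte is not printable ASCII."""
    score = 0.0
    for b in candidate:
        if not (32 <= b < 127 or b in (9, 10, 13)):
            return -math.inf
        score += FREQ.get(chr(b).lower(), 0.0)
    return score


def rank_keys(ciphertext: bytes) -> list:
    """Blind search: try all 256 keys and return [(score, key, plaintext)] best first."""
    ranked = []
    for key in range(256):
        plaintext = xor_single_byte(ciphertext, key)
        ranked.append((english_score(plaintext), key, plaintext))
    ranked.sort(key=lambda entry: entry[0], reverse=True)
    return ranked


def keys_from_crib(ciphertext: bytes, crib: bytes) -> list:
    """Known-plaintext search: every key under which `crib` appears somewhere in the plaintext.

    The key is forced by the first crib byte at each offset; the rest of the crib
    either confirms it or rules that offset out.
    """
    keys = set()
    for i in range(len(ciphertext) - len(crib) + 1):
        key = ciphertext[i] ^ crib[0]
        if xor_single_byte(ciphertext[i:i + len(crib)], key) == crib:
            keys.add(key)
    return sorted(keys)


if __name__ == "__main__":
    for score, key, plaintext in rank_keys(CIPHERTEXT)[:3]:
        print(f"key=0x{key:02x} score={score:.2f} {plaintext!r}")
    print("keys consistent with crib /csaw2015/:", keys_from_crib(CIPHERTEXT, b"/csaw2015/"))
```

The blind search is the general tool; the crib search is faster and more certain whenever you know a substring of the plaintext, which in a recon chain like this one you usually do.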

Visiting: http://fuzyll.com/csaw2015/they_see_me_rollin ...

BOOM Flag! :D
CSAW 2015 FUZYLL RECON PART 5 OF 5: Congratulations! Here's your flag{I_S3ARCH3D_HI6H_4ND_L0W_4ND_4LL_I_F0UND_W4S_TH1S_L0USY_FL4G}!


Eric Liang (100)


Just like Notesy (write-up can be found here), "Eric Liang" was the one filling the IRC chat during this CTF.  Everyone was looking for Eric Liang: where was he, where was... Eric Liang?

The description read:
Eric played ctfs with some friends a while ago.

Hint: I remember playing with them around 2014... err maybe 2013?
This one probably generated the most frustration, but it was also as close to the CTF itself as a recon challenge could possibly be.

After finding his Facebook, Twitter, IRC nick, LinkedIn, Email, Github, etc. ( All of which were irrelevant to the challenge, unless social engineering counts ) ... I gave up for a little while.

Finally I looked at the top right of the challenge page and saw the "Archive" drop-down.  In it there were entries for 2014 and 2013, the years mentioned in the hint.

Looking all over 2014, there seemed to be nothing. Then I went to 2013, and after a few seconds the name popped out from the Quals > Competitors page. After such a long search, it was right in our CTF backyard, hanging out in the Archive section. Like "Notesy" and "Throwback" (the web 600 challenge), this was another in the category of easy but unusual.


Trivia (10's)


These were fairly fast for us to solve throughout the CTF, but they were a nice break between high-point challenges.  Below are quick summaries of each trivia challenge, including some extra links if you want to look into each one more!

Question: This family of malware has gained notoriety after anti-virus and threat intelligence companies claimed that it was being used by several Chinese military groups.

Solution: This was PlugX.  There could've been a few different answers, but this was the most popular result.  More information: https://www.blackhat.com/docs/asia-14/materials/Haruyama/Asia-14-Haruyama-I-Know-You-Want-Me-Unplugging-PlugX.pdf

Question: No More Free __!

Solution: No More Free Bugs, the meme that started at CanSecWest 2009. More details can be found here - http://blog.trailofbits.com/2009/03/22/no-more-free-bugs/

Question: This mode on x86 is generally referred to as ring -2.

Solution: System Management Mode (SMM). Ring -1 is the hypervisor; SMM sits below it, is entered through a System Management Interrupt (SMI), and runs in memory the OS cannot see. More reading material can be found here - http://invisiblethingslab.com/resources/misc09/smm_cache_fun.pdf

Question: This vulnerability occurs when the incorrect timing/sequence of events may cause a bug.

Solution: This was either Timing Attack or Race Condition; it turned out to be Race Condition.  This is a common one, so, Wikipedia: https://en.wikipedia.org/wiki/Race_condition

Question: On Windows, loading a library and having its code run in another process is called _ .

Solution: DLL Injection. Here's a tutorial : ) - http://resources.infosecinstitute.com/api-hooking-and-dll-injection-on-windows/

Question: This Pentesting expert supplied HBO's Silicon Valley with technical advice in season 2. 
The flag is his twitter handle.

Solution: I searched for the pentesting expert on Silicon Valley and found the one and only Rob Fuller, aka Mubix!  - https://twitter.com/mubix

Thoroughly enjoyed this CTF, can't wait for next year's!