Thursday, August 20, 2020

RedTeamVillage CTF 2020 Quals - DEF CON 28 SAFE MODE

 


This year our team participated in the RedTeam Village CTF.
It was a great experience: there were almost 130 challenges in different categories,
and our team finished in the top 100.



Pwn challenges

[Pwn] Clicker (25)



Solution:

We solved this task in a very simple way. 
We used GameConqueror to change the value to 10000000. After that we got the flag. 

Flag: ts{bufferoverflow}

[Pwn] Strings (75)


Provided file: strings.s (compiler output for strings.c)
    .file   "strings.c"
    .text
    .globl  main
    .type   main, @function
main:
.LFB0:
    .cfi_startproc
    pushq   %rbp
    .cfi_def_cfa_offset 16
    .cfi_offset 6, -16
    movq    %rsp, %rbp
    .cfi_def_cfa_register 6
    movabsq $8023554614420534132, %rax
    movabsq $7598263422860612981, %rdx
    movq    %rax, -32(%rbp)
    movq    %rdx, -24(%rbp)
    movabsq $8386069135032018798, %rax
    movq    %rax, -16(%rbp)
    movl    $8221544, -8(%rbp)
    movl    $0, %eax
    popq    %rbp
    .cfi_def_cfa 7, 8
    ret
    .cfi_endproc
.LFE0:
    .size   main, .-main
    .ident  "GCC: (Debian 9.3.0-13) 9.3.0"
    .section    .note.GNU-stack,"",@progbits

Solution:

To solve this task we assembled and linked the file with gcc, then looked for strings in the resulting binary:

gcc -c strings.s -o strings.o
gcc strings.o -o strings
chmod +x strings
./strings

strings strings | less

...
ts{DidYoH
uUseStriH
ngsorMatH
...


So we got the flag.

Flag: ts{DidYouUseStringsorMaths}
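The flag can also be recovered without assembling anything, because the four stores to -32(%rbp) through -8(%rbp) write little-endian immediates; the added script below (not from the original writeup; the excerpt is copied from the listing above) decodes them in stack order. The stray H in the strings output is the 0x48 REX.W prefix of the following mov instruction, not part of the string.

```python
import re

# Excerpt of the provided listing (strings.s); only the stack stores matter here
ASM = """\
    movabsq $8023554614420534132, %rax
    movabsq $7598263422860612981, %rdx
    movq    %rax, -32(%rbp)
    movq    %rdx, -24(%rbp)
    movabsq $8386069135032018798, %rax
    movq    %rax, -16(%rbp)
    movl    $8221544, -8(%rbp)
"""

IMM_TO_REG = re.compile(r"^\s*mov\w*\s+\$(\d+),\s*%(\w+)\s*$")        # movabsq $imm, %reg
REG_TO_STACK = re.compile(r"^\s*mov(q|l)\s+%(\w+),\s*(-?\d+)\(%rbp\)\s*$")  # movq %reg, off(%rbp)
IMM_TO_STACK = re.compile(r"^\s*mov(q|l)\s+\$(\d+),\s*(-?\d+)\(%rbp\)\s*$")  # movl $imm, off(%rbp)


def recover_stack_string(asm):
    """Replay the immediate loads and stack stores, then read the bytes back in address order."""
    regs = {}      # register name -> immediate it currently holds
    chunks = {}    # rbp-relative offset -> raw little-endian bytes stored there
    for line in asm.splitlines():
        if m := IMM_TO_REG.match(line):
            regs[m.group(2)] = int(m.group(1))
        elif m := IMM_TO_STACK.match(line):
            width = 8 if m.group(1) == "q" else 4
            chunks[int(m.group(3))] = int(m.group(2)).to_bytes(width, "little")
        elif m := REG_TO_STACK.match(line):
            width = 8 if m.group(1) == "q" else 4
            chunks[int(m.group(3))] = regs[m.group(2)].to_bytes(width, "little")
    raw = b"".join(chunks[off] for off in sorted(chunks))   # lowest address first
    return raw.split(b"\x00", 1)[0].decode("ascii")          # stop at the C string terminator


if __name__ == "__main__":
    print(recover_stack_string(ASM))
```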


[Pwn] ltrace-easy (50)

Can you run the binary?

You may have to trace it or something.

Solution:

This task was easy. We just used ltrace.

chmod +x ltrace-easy 
./ltrace-easy
ltrace ./ltrace-easy
strings ltrace-easy | less

...
ts{whydiH
dyouevenH
runit}
...

Flag: ts{whydiHdyouevenHrunit}

Crypto challenges

[Crypto] All about that base (10)

Solution:

As we discovered, the given string was base64-encoded, so decoding it gives the flag.


Flag: ts{IsThisEncryption}

[Crypto] n Eggs (10)



Solution:

To solve this task we used the Bacon cipher.


Flag: tsbaconismyname

[Crypto] Why are they even in that order in the fist place?


Solution:

We tried different ciphers, but each number is just the position of a letter in the alphabet.
Flag: TSLONGESTCOMBOEVERRECORDED

[Crypto] All about that base remix (10)



Solution:

This task was too easy. It's just a base32-encoded string.


Flag: ts{ThisIstotallyEncryption!}

[Crypto] Et tu brute (10)


Solution:

To solve this task we used ROT13.


Flag: ts{AnOldieButGoodie}

[Crypto] AFSC 29331



Solution:

We discovered that AFSC 29331 refers to an Air Force Specialty Code, so we decided to try Morse code.


Flag: DUTY BOPPERS

[Crypto] Don't touch the third rail (10)

Solution:

We used the rail fence cipher to get the flag.


Flag: ts{ZigyzagyCipherFTW}

Logs challenges

[Logs] 1- What failed (25)

Solution:


As we discovered, fail2ban was protecting the ssh service.


Flag: ts{ssh}

[Logs] 2 - Who failed (25)

Solution:

After deep analysis we discovered 8 banned IPs.
Flag: ts{8}

[Logs] 3 - We failed (25)



Solution:

To solve this task we looked for the following log record:

fail2ban.actions.action: CRITICAL Unable to restore environment

So we counted the number of such records and got the answer.
Flag: ts{48}

[Logs] 4 - Whom failed (25)

Solution:

We counted the bans for each IP address.
Flag: 116.31.116.47
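An added example, not from the original writeup, showing how the four Logs answers (protected jail, number of distinct banned addresses, count of the CRITICAL record, and the most frequently banned address) can be pulled from a fail2ban log with a short script. The log lines are constructed in the fail2ban 0.8 format and are not the challenge's log file, and reading "Whom failed" as the most frequently banned address is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the fail2ban 0.8 log format (not the challenge's log file)
LOG = """\
2020-08-07 10:15:02,456 fail2ban.actions: WARNING [ssh] Ban 116.31.116.47
2020-08-07 10:16:10,001 fail2ban.actions: WARNING [ssh] Ban 203.0.113.9
2020-08-07 10:20:00,000 fail2ban.actions.action: CRITICAL Unable to restore environment
2020-08-07 10:25:02,456 fail2ban.actions: WARNING [ssh] Unban 116.31.116.47
2020-08-07 11:15:02,456 fail2ban.actions: WARNING [ssh] Ban 116.31.116.47
2020-08-07 11:30:44,789 fail2ban.actions: WARNING [ssh] Ban 198.51.100.23
2020-08-07 11:40:00,000 fail2ban.actions.action: CRITICAL Unable to restore environment
2020-08-07 12:15:02,456 fail2ban.actions: WARNING [ssh] Ban 116.31.116.47
"""

BAN = re.compile(r"fail2ban\.actions: WARNING \[(?P<jail>[\w-]+)\] Ban (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")
RESTORE_FAIL = "fail2ban.actions.action: CRITICAL Unable to restore environment"


def bans(lines):
    """Yield (jail, ip) for every Ban event; Unban lines deliberately do not match."""
    for line in lines:
        m = BAN.search(line)
        if m:
            yield m.group("jail"), m.group("ip")


def protected_services(lines):          # task 1: what did fail2ban protect?
    return sorted({jail for jail, _ in bans(lines)})


def distinct_banned_ips(lines):         # task 2: how many addresses were banned?
    return {ip for _, ip in bans(lines)}


def restore_failures(lines):            # task 3: how often did the ban action itself fail?
    return sum(1 for line in lines if RESTORE_FAIL in line)


def most_banned_ip(lines):              # task 4 (assumed reading): address banned most often
    counts = Counter(ip for _, ip in bans(lines))
    return counts.most_common(1)[0][0] if counts else None


if __name__ == "__main__":
    lines = LOG.splitlines()
    print(protected_services(lines), len(distinct_banned_ips(lines)),
          restore_failures(lines), most_banned_ip(lines))
```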

Forensics challenges

[Forensics] Tom Nook - Internet Traffic-Part 1A (30)


Solution:

A pcap file was provided for this task.
We opened it in Wireshark and did some analysis.
We discovered that a file flag.txt was transferred during the communication,
and this file contains the flag.


Flag: TS{TomNookUsesTheInternet}

[Forensics] Tom Nook - Internet Traffic - Part 1B (10)



Solution:

In this task we needed to find an IP address, so we continued in Wireshark.
As a result we found the exact IP address.


Flag: 192.168.1.47

[Forensics] Tom Nook - Internet Traffic - Part 1C (10)



Solution:

The same as the previous one.
Flag: 161.35.110.243

[Forensics] Tom Nook - Internet Traffic - Part 1D (25)


Solution:

We solved this task with Wireshark: a zip file was transferred in the capture.
Its name is the flag.


Flag: SecretACBankStatement.zip

[Forensics] Tom Nook - Internet Traffic - Part 1E (20)



Solution:

First we exported the HTTP objects, among which was the zip file.
To get the files out of it, we used fcrackzip with the rockyou wordlist.


Flag: monkey123
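For readers who would rather script the first steps of this series than click through Wireshark, here is an added example (not from the original writeup) that builds a small constructed pcap and lists the HTTP request paths with their client and server addresses, which is the information parts 1A to 1D asked for. The addresses and file names in the sample are re-used from this writeup as constructed data, and the parser assumes a little-endian microsecond pcap with Ethernet framing.

```python
import re
import struct

ETH_HDR = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4

def build_pcap(flows):
    """Constructed pcap (link type 1 = Ethernet) with one TCP segment per (src, dst, payload)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, (src, dst, payload) in enumerate(flows):
        tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000,
                         64, 6, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        frame = ETH_HDR + ip + tcp + payload
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


REQUEST_LINE = re.compile(rb"^(GET|POST) (\S+) HTTP/1\.[01]\r\n")

def http_requests(pcap):
    """Walk the capture and return (client, server, path) for each HTTP request seen."""
    off, found = 24, []                           # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":           # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                            # not TCP
            continue
        tcp = ip[ihl:]
        payload = tcp[(tcp[12] >> 4) * 4:]        # data offset is in 32-bit words
        m = REQUEST_LINE.match(payload)
        if m:
            client = ".".join(map(str, ip[12:16]))
            server = ".".join(map(str, ip[16:20]))
            found.append((client, server, m.group(2).decode()))
    return found


# Constructed traffic re-using the addresses and file names from this writeup
SAMPLE = build_pcap([
    ("192.168.1.47", "161.35.110.243", b"GET /flag.txt HTTP/1.1\r\nHost: tomnook\r\n\r\n"),
    ("161.35.110.243", "192.168.1.47", b"HTTP/1.1 200 OK\r\nContent-Length: 3\r\n\r\nhi\n"),
    ("192.168.1.47", "161.35.110.243", b"GET /SecretACBankStatement.zip HTTP/1.1\r\n\r\n"),
])
```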

[Forensics] Tom Nook - Internet Traffic - Part 1G (20)


Solution:

The flag was placed in the task description.

[Forensics] Just a nice picture (25)


Solution:

After closer inspection of the provided picture, we found that it contained an archive.



So we extracted the archive and then used fcrackzip to brute-force its password.
After that we got the flag.



Flag: flag{f93kfaskdif92}

[Forensics] Can you hear me now? (10)


Solution:

To get the flag we used Sonic Visualiser.


Flag: flag{s0nicw@vl}

Programming challenges

[Programming] Ping Pong (100)


Solution:

At first we thought that this task was hard.
But then we tried sending the letter "L".
And.. Oh! The server replied with "h".
So we just repeated after the server and got the flag.




Flag: ts{IreallyMissThePongs}

[Programming] Ping Pong 2 

The same task as the previous one, but we forgot to take a screenshot of the task :)

Solution:

This task cannot be solved manually, so we used a python script and got the flag.

from pwn import *

HOST, PORT = "164.90.147.2", 2346
serverResponse = "T"  # first letter sent by the server


def RepeatLetterAfterServerResponse(serverResponse):
    """Open a fresh connection, replay every letter we know so far and return the next one."""
    conn = remote(HOST, PORT)
    nextLetter = ""
    for letter in serverResponse:
        conn.sendline(letter.encode())
        temp = conn.recv()
        nextLetter = temp.decode().replace('\n', '').replace('\r', '')
    conn.close()
    return nextLetter


while True:
    nextLetter = RepeatLetterAfterServerResponse(serverResponse)
    serverResponse = serverResponse + nextLetter
    print(serverResponse)
    if "}" in serverResponse:  # the flag is complete
        break

[Programming] TPS Report System-1

We forgot to take a screenshot again :)
In this task we needed to find the number of the report which is password protected.

Solution:


We used the following python script:

from pwn import *

conn = remote("161.35.239.216", 5000)
conn.recv()
conn.sendline(b"1")          # menu option: look up a report
conn.recv()

for i in range(10000):
    data = "TPS-" + str(i).zfill(4)
    conn.sendline(data.encode())
    resp = conn.recv().decode()
    if "password" in resp:   # the protected report is the one that asks for a password
        print(data, resp)
        break
    print(resp)

conn.close()

Flag: 8352

[Programming] TPS Report System-2 (500)


Solution:

To solve this task we used the result of TPS Report System-1 together with a script.
First we tried rockyou.txt, but without success. So then we used words from the film script at http://www.script-o-rama.com/movie_scripts/o/office-space-script-transcript.html

import socket

sock = socket.socket()
sock.connect(("161.35.239.216", 5000))

sock.send(b"1")
data = sock.recv(3000000)
sock.send(b"TPS-8352")  # report number from the previous task
data = sock.recv(3000000)

filepath = "wordlistFromFilm.txt"  # words taken from the Office Space script
with open(filepath) as fp:
    for line in fp:
        candidate = line.strip()
        print("Try - " + candidate)
        sock.send(candidate.encode())
        data = sock.recv(3000000).decode(errors="replace")
        if "Please enter the password" not in data:
            print(data)
            print("Password found: " + candidate)
            break
        print("Wrong")

sock.close()




Flag: TS{GetThemTPSReports}

OSINT challenges

[OSINT] Tweets (100)



Solution:

To solve this task we followed the author's Twitter page and checked the image with the sponsors.
It contained a string which was base32-encoded.



Flag: ts{AllAboutThoseSponsorsandPrize}

[OSINT] OSINT flag-543as (50)



Solution:
To solve this task we tried different searches, but focused on LinkedIn.
Finally we tried the following search:



Flag: peterslinkedin

[OSINT] OSINT flag-443kj.txt (75)


Solution:

We analyzed the LinkedIn page from the previous solution and found Peter's post "Anyone hiring?...".


After checking the contents of that post, we found the flag on the second page.


Flag: petergibbonsresume

[OSINT] OSINT flag-32798nm (75)



Solution:

We followed Peter's page to find Michael Bolton's page.


Checking its content, we found the post with the flag.


Flag: boltonsr3sume

[OSINT] OSINT flag-73843ri (75)


Solution:

We started solving this task with a Google search, and easily found the flag.


Flag: michaelboltontwit