CSAW 2017 Write up

1. Misc 50
2. Forensic 150
3. Forensic 200
4. Crypto 350
5. Misc 100 ( Twitch )


1. Misc 50: nc misc.chal.csaw.io 4239
flag: flag{@n_int3rface_betw33n_data_term1nal_3quipment_and_d@t@_circuit-term1nating_3quipment}


In this challenge, when we connect to the server, it gives us 11-bit binary strings.
Okay, it is 8-1-1 with even parity.

Each frame looks like:

0       0.....0   0            0
start   data      parity bit   stop

So now we check the data against the parity bit. If it is right, we take the data[-1] and send '1'; if it is wrong, we send '0' to make the server retransmit.

To check the parity bit, we count the number of '1' bits in the data: if the count is even, the parity bit will be 0.

Okay, now we write a script to do it and eat some snacks, then we get the flag.
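The check described above can be written as a small receiver. This is an added example, not the script used during the CTF; it assumes a start bit of 0, a stop bit of 1 and data bits written most-significant bit first, and the sample frames are constructed.

```python
# Added example: receiver side of the 11-bit frames described above.
# Assumptions (not from the challenge): start bit is 0, stop bit is 1,
# and the 8 data bits are written most-significant bit first.

def check_frame(frame):
    """Validate one frame (start | 8 data | parity | stop) -> (ok, char)."""
    if len(frame) != 11 or set(frame) - {"0", "1"}:
        return False, ""
    start, data, parity, stop = frame[0], frame[1:9], frame[9], frame[10]
    if start != "0" or stop != "1":
        return False, ""
    # Even parity: data bits plus the parity bit hold an even number of 1s.
    if (data.count("1") + int(parity)) % 2 != 0:
        return False, ""
    return True, chr(int(data, 2))


def make_frame(ch):
    """Build a valid frame for one character (used for the sample data)."""
    data = format(ord(ch), "08b")
    return "0" + data + str(data.count("1") % 2) + "1"


def flip(frame, *positions):
    """Flip the bits at the given indexes to simulate line noise."""
    bits = list(frame)
    for p in positions:
        bits[p] = "0" if bits[p] == "1" else "1"
    return "".join(bits)


def receive(frames):
    """Return (decoded text, replies): '1' accepts, '0' asks for a resend."""
    text, replies = "", ""
    for frame in frames:
        ok, ch = check_frame(frame)
        replies += "1" if ok else "0"
        text += ch
    return text, replies


# Constructed sample: "ok", first frame damaged in transit and then resent.
SAMPLE = [flip(make_frame("o"), 3), make_frame("o"), make_frame("k")]

if __name__ == "__main__":
    print(receive(SAMPLE))
```

A single parity bit only catches an odd number of flipped bits: two flips inside the same frame leave the parity unchanged and the frame is accepted with the wrong character.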


2. Forensic 150: It's registration day! These forms just seem longer and longer...
UPDATE 10:44 Eastern: New pcap that should be a bit easier to work with.
UPDATE 2:58 Eastern: We're regenerating due to flag leaks, submissions disabled until then. Please be patient.
Update 3:31 Eastern: Updated pcap with new flag after leak. Please re-run your solutions on the file!
File : https://ctf.csaw.io/files/bd2d3bcfdf09f06728d81d1a0cc0e4ff/cap.pcap
Flag: FLAG{HElp_Th3_BANANASCRIPt-guy_15_thr0wing_m0nkeys@me}




Well, I didn't know that they changed the file and the flag, but anyway, I will write up the first one because it's harder lol


We are given a pcap file, so we will use Wireshark to analyze it.

It seems like everyone is sending their application form, but wait, something is not right here.

Why does that packet contain TCP data????

It starts with &x=424d.....
But wait, isn't 424d the two-byte magic signature of BMP?
And &x is not contained in the value n =
Okay, maybe we are on the right track.
And you won't believe it, I copied every TCP data from the whole packets by hand lol
Yeah, because I'm just 4 months into CTF, I didn't know Scapy can do that. My professional brother wrote me code to extract the data quickly.
We got the BMP file.

3. Forensic 200: Best Router
File: https://ctf.csaw.io/files/e003b7cd6d0406d93467f3c7290d4ef7/best_router.tar.gz
flag: flag{but_I_f0rgot_my_my_math_test_and_pants}
Okay, we extract the file and check what type it is.


Hmm, okay, I will use FTK Imager Lite to analyze this. But wait, this challenge gives us a website that requires a user and password to log in, so I will use strings password.txt to find where it is, and luckily, they really use password.txt lol

password.txt is in var/www.
I use FTK Imager Lite to analyze it, and we get the password and the user.

Log in and get the flag <3




4. Crypto 350

The cookie is input + flag AES ECB encrypted with the sha256 of the flag as the key.
nc crypto.chal.csaw.io 1578



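Well, suppose the message looks like
message = padding + something we will input + what someone wants to hide
and they encrypt that message with AES in ECB mode. Then it is really easy to recover what they want to hide, because ECB turns identical plaintext blocks into identical ciphertext blocks, so our controlled input lets us test the hidden part one byte at a time.
And in this challenge, there isn't even a padding.
I wrote a script to recover the flag.


lol I don't know why I used string.printable, but it gave me the wrong character " \' " instead of "_"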



5. Misc 100 ( Twitch )

How long does it take several thousand hackers to exploit a buffer overflow?



flag: flag{pra1se_h3l1x}

Don't ask why :) If you took part in this, you will never ask that.
It's just like Dark Souls :)




