Jersey CTF 2021 - Challenge Walkthroughs (Beginner Friendly)

Reddit Comments

Thank you very much, I needed that.

u/Sasaw88811, Apr 11 2021
Captions
in this video we're going to take a look at the challenges from the jersey ctf competition or most of them anyway a couple missing here which i didn't get solved but i think this is a perfect ctf for beginners so i'm going to go through these challenges i'll try and aim this video at total beginners so we'll go through some different tools different ways of solving things where possible some of the challenges particularly the prone challenges i didn't use the intended solution to get the flag because um it was quicker to use other solutions so in some cases i'll try and go through some different ways of doing things as well and just before we get started i'll just introduce the operating systems we'll be using so i'm using para os on this system which i'll leave a link to in the description but something like kali linux would be a good option as well i'm also using a windows vm called commando vm just swap over to that here and this is released by fireeye it has a lot of tools on it for offensive security mostly for pen testing if i go here and um go to update the tools you'll get an idea of how many tools were pre-installed i didn't really ins i've not installed too many additional tools here so you can see the sort of things it's trying to update um i did add some tools particularly uh forensics wise i don't think autopsy and some of the registry viewing tools and ftk imagery were already on here and maybe some debuggers and disassemblers and stuff as well but there's this is um this is good for any windows based challenges if you get binaries and things like that and a lot of forensics challenges i find to be quite easy to solve particularly using ftk imager so um this is free to download and install um i'd recommend checking it out i'll leave a link to this in the description as well you can see some of the some of the tools are getting installed now it's quite easy to install and update tools and whenever it's installed in the windows system it goes through 
and makes a lot of it removes a lot of kind of like bloatware and settings and things that aren't needed so that's the commando vm i'll go through some other tools as we're going along as well i also have burp suite running here which should be pre-installed in kali and parrot os uh there are some good plugins like the heightverter to convert between different data types although we'll probably not need too much here but this is this is ready to go for our web challenges so we can intercept traffic although if you don't want to install it you can just use f12 in chrome and firefox bring up your developer tools and then you can go to the network tab and just get any requests you can go and you can edit and resend so you can make any changes you need to here and you can do you can do basically anything you can or most most things that you can do in burp suite in the developer tools as well or you could use command line tools like curl to achieve the same objectives or do some do some python scripting so there's plenty of different options you're just setting up burp suite for the first time you would need to set up the proxy settings or you can install the foxy proxy plugin so you can swap between burp and using normal firefox settings and that's it let's get started i'm going to get started with the web challenges to begin with since we've got burp suite open here if you want to skip between the challenges i'll mark them as chapters so you can just go to the bottom of the video or the description as well and any tools that i kind of mention here will be linked the links will be in the description as well or any good resources so the first challenge is called inspector and it says your great friend the inspectors received a job from a company to find any sensitive information in a facility and discard it however he's not quite as tech savvy as you and has asked you to help review the site so if you're going to have a look at the website it says this is a pretty sick 
website i wonder if anything is hidden here so the first thing we might want to do is right click and view the source code and we'll quite quickly find that we have the flag there we could have also inspected the element here to just have a look and we would have found that pretty quickly so we're going to submit the flag here the next challenge is called obligatory robots and it says robots are crawling all over the city how can we stop them so we want to go and have a look at robots txt so we could take the url here and add robots.txt and see what we get we don't actually find any file so what i did here was go and check the main website and there we find that we have our second flag the next challenge is called post up and it says up an atom time to tackle your first mission a day send a request to the hq to receive mission details so if we open up the link here we'll see we're getting a message saying post up so we could hit f12 and go and have a look at our network tab reload the page and we'll see that there's a get request that's been sent here so we can go and hit resend edit and resend and we could try and change this to post send that off and then we want to have a look at our response so if we go in here we can see our response and we've got back our post methods are cool we could also have done that in burp suites we've got our http history tab and have a look at the we've got the the get request that we made previously and it came back same post up so we could right click that and send it to the repeater and then we could just go and change this to a post request click send and we'll get back our message again we could also use something like curl to send a post request as well the next challenge is called client side and it says you start a few day with some nice warm hash browns all as well and everything is going to script until the worst thing imaginable happens you've got your password try looking around for the passcode so if we open up the url 
we've got a password field here the first thing you might want to do is try and see if we can just enter in an apostrophe or double quote to [Music] see if some kind of sql injection or we might want to try and see if there is an xss floor but we don't get anything doesn't appear to be any functionality at all to what we're entering so let's have a look at the source code there's not too much here but we've got a script which looks like a little bit of obfuscation has been applied to the function naming and variable naming we have a reverse operation being called here as well but if we trace this through we can see that actually the value that it's checking is checking to see if the value equals client side is going to make this call so there's a couple of things we could do we could just take this client side string paste it in here and that would get our flag back we could also just take a copy of the alert that needs to be called and then if we go to f12 and then to our console we can paste that in and hit enter and that'll give us the same flag the final web challenge is called redirector and it says you're attempting to find sensitive information on a villain organization's website however you're not having much luck you notice the site uses a lot of redirects with some information on those redirect pages however you cannot inspect that information quickly enough before you are redirected so we're going to link again jerseyctf.net and if we click on it it takes a little while to load this one and you'll see that we get this page isn't redirecting properly but we can see that the url that we entered ctf.net has now changed to ctf.net forward slash i so it's going to have a look at our proxy if we go back off the repeater tab into our proxy tab and we have a lot of strings showing here but we also have a lot of other noise we might want to get rid of so we could go on to the target tab here and say because we're only interested in jerseyctf.net at the moment 
let's right click that and add it to the scope and then the scope has been updated here to only to only include stuff from this url we might then also want to say that we only want to show items that are in scope so we can tick that here and that'll mean that we'll only see the jersey ctf.net stuff so i'm gonna right click here and clear the history just to clear this all up and then i'm going to just go back to jerseyctf.net and that's going to execute that again and we'll be able to see this running through and it's got 3 2i so if we reverse the order of this you can see we have here jctf and then 7b which is the url encoded curly brace and then you like my redi and it doesn't look like we have the full flag here so i'm gonna also hit enter on jerseyctf.net forward slash i and now if we have a look at it we're getting the full flag redirect so we can actually go and paste that in so we know that it's ending with this curly brace you like my redirects and that gives us our flag and the way that this is is happening if we have a look at the requests it's making the request for example here to forward slash j on jerseyctf.net but whenever it gets there it's getting this 302 redirect code which is telling it to go to this new location of jersey ctf forward slash c and then the forward slash c is going to give it the new location of forward slash t and that sends it through the series of redirections so we would just need to grab this flag i just typed it out manually but you could um you could probably get it in a more in an easier way maybe on the command line using curl or something um again we could also do that with our f12 with the network if we if we're not using burp suite we can go and actually just grab you can see here jctf and it's grabbing everything for us it gets to the eye so if we just hit enter again on the i and then we get the rest of the flag there so we've finished all the web challenges so i've closed down burp suite and turned off the foxy 
proxy and we'll take a look at the forensics challenges the first one is file desk file descriptor and it says congratulations you're a sub security superhero now you received a letter explaining your newfound skills but having trouble opening the letter it'll be so much easier to read if you only knew what the file type was so we can download the file here and it says it's a png file let's go and have a look we've got the file right here we could check the file type and we'll see here it says that it's data essentially that's the challenge here so we were only trying to find out what the file type was so jctf data is the answer and this actually took me i had solved all the other forensic challenges before i solved this one because i was looking for some kind of flag in the actual file um and trying to convert it and see was the did we need to carve the file out of the data so or or decode some of the data um so i didn't think it was too clear personally that that it was just to take the file type in the flag format but um oh well that's the first challenge done the next challenge is called hash browns and it says before you start your day you must eat breakfast not just any breakfast so hashbrowns fit for a hero while eating your hash browns you must get a decimal sum of the last four digits of each file from your virtual breakfast in order to properly digest your breakfast and wake up and awaken your superpowers the breakfast is md good all right so we'll download the three files file one file two file three and it's talking about digest talking about md so i'm gonna guess md5 here let's go and have a look here first of all make sure we've got the three files we've got all three of them one of them appears to be empty file one yep we could print them all out if you wanted to and see what was in them not much point though so let's do md5 some and then just passing the asterisks to get the md5 of all of them and we have our md5 sums here we know we need to grab 
the last four digits convert them to decimal and then add them together so we could take these and go to something like ascii to hex.com or cyberchef i'm going to open up cyberchef here anyway so we could take it to cyberchef we could input that it's currently in hex so we just type here from hex we can grab this from hex and then from hex from that we'd want to convert it to decimal and that'll give us our decimal value but uh and he's the easiest way to get the sum of these values i think is going to be to just run this in python so i'm gonna do python dash c and then print and we'll print the the first four zero x four two seven e plus zero x nine three eight six plus zero x one three c one print that out we get five nine eight five and that would be our flag then j ctf five nine eight four five submit that and that's offline the next challenge is called data about data it says it seems a robber was captured on bank cctv for some reason the camera data seems to be zipped search through the zip archive to find anything out of the ordinary in the form of a flag so we'll download the files.zip and if we have a look here we've got files.zip check the file types zip archive so let's extract it unzip files dot zip and we've got a variety of files here so what i did here is just use grep and will grep for jctf we'll see here that the photo.jpg says binary file matches so we could run strings dash n10 to get all strings greater than 10 in [Music] photo we could just do this in all files really but we'll do it in photo and then we'll grep out our jctf and here's our flag always check the metadata so we could also have a look at the metadata let's have a look with exif tool at photo.jpg and we'll see that actually the flag was in the camera serial number section of the exif data so whenever data is taken from a phone or from an image is taken from a phone or a camera or something like that it has various metadata information such as the time the the date and often the 
latitude and longitude that the pictures were taken out things like that so that's that challenge the next challenge is called traffic analysis and it says crypto woman wants to join you to find any flags in a packet capture and put them to justice when you said there's a better superhero than her she responded that is pick up so download the file here njctf.pcap we could just open it straight up with wireshark there but got it downloaded i'll open up from the command line with wireshark you could use something like t-sharp as well if you just want to use a command line based tool and then we get our packet capture here so we can see all of our packets if we select any packets we can go and have a look at the data here for example and we can filter by protocol if you want to just have a look for tcp if you want to have a look at udp or if you want to see if there's any http quite often that's what we'll be looking for in these ctf challenges although in this case it doesn't look like it something else we might want to do is go and have a look at the statistics we can have a look at capture file properties for example to get an idea how long is the peak up this one's three minutes and 15 seconds and get an idea of the size and stuff here if there were any files like if this was a had some http traffic we might want to export objects and see if there are any images or text documents or anything that had been sent over http that you could just simply save right here and that'll carve those out let's also have a look at the protocol hierarchy so statistics protocol hierarchy and again this if this might give you an idea of certain things that you might want to look for for example here we've got a ftp protocol with some data being sent as well so we might want to right click and apply that as a filter if we select that and then close this then we can go and have a look and see what was actually sent over let's follow right click on the stream and and follow followers 
udp stream and then that will allow us to print that as text as well and see if there's anything of interest in there i can't actually remember how i solved this challenge now i can't remember where the flag was so we have a the login here if we search ftp here for the ftp protocol let's see if we can follow this tcp stream okay that's just grabbing the the last one let me do that again fcp it's entering in a password here we get an incorrect login so it's putting in anonymous and the password on anonymous nope not a flag okay so that's no use to us let's have a look at data could have a look at data and try and judge it by i have the hid data selected here this is a column that i added in usb hid.data is is useful for any challenges you see where it's asking you to look at usb uh keyboard presses so yeah we could have a look then by the length as well that's the bigger packets are more likely to have something of interest in them in fact whenever i do that so we'll have a look at data and ordering by length and if i now follow this as a tcp stream we can see that this has our flag in it echo jctf bro do you even pick up it's funny actually i found this flag in another challenge as well one of the harder challenges later it happened to be in one of the forensics challenges in the memory dump but that's the traffic analysis challenge done next challenge is called investigating windows and it says a robber is broken through the windows into the municipal bank the civilians of the city have called upon you to identify and capture the villain use your heroic forensic superpowers to find the sid of the user robber using the windows registry files provided so we're given a few different files registry files here we don't actually need them all i'm going to download the sam hive and we could use a couple of different tools to open this up if you type reg in cali or pirate you've probably got a few tools available already if you don't you can use apt cache search reg um 
okay that's giving way too much um registry yeah if you search registry then you'll get um some different tools here uh for me i'm gonna use red ripper red shell is quite good as well but i'll open up red ripper and that gives us a gui gui interface which is going to ask us what high file we want to open so i'm going to open up the sam hive the report here we'll just call it reports and then the plugin file that we want to run so we could depending what file we downloaded here would be different but in this case we'll run a sum we'll see that zero plugin is completed with errors so they're completed without errors that means um so let's open that up report.txt and if we have a look in here we could do control on f look for robber and we'll find the default admin user here robber we can see the 1 0 0 1 here if you go through and have a look at the groups we have the user id so you can see here 501 at the end which is referring to our guest user and that's in the guest group but if we keep going down we'll see that we're actually looking for this one zero zero one and we'll find the one zero zero one here is in the users section so uh and also in the administrator section but we can basically take a copy of this of this sid they're both the same so you can take a copy of either of those and then we just submit that as the flag the next challenge is called close creds and it says the clues from the camera led you to mysterious building surprisingly the front door was left unlocked unsurprisingly the computer in the headquarters was not left unlocked using the registry files provided are you able to crack the password of the administrator user so we can do this with a tool called sam dump let's have a look here sam dump two and it retrieves the syskey and extracts hashes from windows um systems so it's asking us to provide a system file and a sam file so let's download those two files first of all there's our system we'll save that and there's our sam save that as well 
and then we can run some dump and pass in the system and this sam file and there we get our hashes dumped out so the easiest way to to crack this would probably be to go to a site that can crack them like crack station let's go to crackstation.net and enter that in it can take a while for this to load up and it's probably going to want us to do some capture stuff so we could also use hashcat let's have a look with hashcat at the help section um we might want to grab ntlm oh okay grep insensitive ntlm okay so ntlm so the mode here is 1000 we could have also found it by scrolling through all these different modes that it deals with but if we go back down to the bottom to remind what the syntax is for here's some examples so we could do hashcat dash a zero dash m that's all modes we'll do 1000 for ntlm and then we have our example hash so we'll give it the hash and then we'll give it access to our word word list so i'm going to go user share word lists and we can actually i've got a crack station copy here although it's not the same as the one that they that they use and they'll have they'll be able to execute this a lot a lot more quickly so let's do some machine learning labeling why not in exchange for some password cracking seems like a fair deal to me uh so we can crack the hashes now and we'll get the password back with password1 meanwhile we're still waiting for hashcat to crack the password oh there we go it's correct password one uh this is a lot quicker i'm doing this inside of vm if if you do this with your gpu outside of vm hashcat would be a lot quicker as well but our passwords password one so just take a copy of that and we would go and submit this as jctf password1 next challenge is called where did you go and it says after successfully cracking the password to the computer in the headquarters of the mysterious building the pc suddenly shut down however luckily you're able to make a copy of the disk image it turns out that there is not one but two 
disks in the pc find the flag in this forensic disk image in the next challenge you will search for the flag in the other disk image so we have an image to download here i'm going to download this you might have noticed that i am no longer in the parrot os or kali system depending on what you're running and i've switched over to the commando vm and the reason i've switched over here is because a lot of the forensics challenges particularly looking at disk images i find that um some of these tools like autopsy and ftk imager can be particularly useful so in this example i'll use fdk imager for this one maybe i'll demonstrate both so let's let's um grab this image move this over to the desktop i'm going to open up ftk imager first of all this is normally my preference just because autopsy can take quite a long time setting up a project and building and um scanning for stuff whereas quite a lot of the time it's unnecessary for ctf challenges so i'm just opening up an image file here i'm browsing to the desktop and picking up that image and hit finish let's maximize this and you can see that we've got our image then on the left or evidence tree we can go through and we can have a look we've got unpartitioned space so you can go and have a look at these files but what we're going to be interested in probably here is this partition let's go and have a look here ntfs go into the root directory and the first thing i did here was going to have a look at the recycle bin if you have a look at the recycle bin we've got this folder and there's actually two text files there one of them has flag.txt and then if we have a look at the other one it's actually got a flag in it so that's quite a quick challenge to solve there um let's open up autopsy as well and just have a quick look at the difference in in this you can see even the time that it takes for autopsy to open is probably longer than f it would take to get the flag out of ftk but we can open up we have to then either open 
a case or create a new case in this case we create a new case i'm just going to say ctf we'll go next and then it's asking us to put in a lot of other stuff i'll just ignore that hit finish and this is a lot more comprehensive it can be a lot more useful if you're dealing with more complex forensics challenges and ctfs or if you're actually doing some forensic forensic work but um for our needs it's not really necessary so we can open up files or images here i'm going to open up disk image then so we'll go next go to the path and we'll select the image from our desktop and again just going to next we can do all this stuff it'll look for emails it'll it'll look for keywords so i'll just leave all that at the default hit next again and it can take a while to run through [Music] some of that stuff but we should be able to at least in the meantime go and have a look at the image we can open up the image here have a look at the metadata and if we double click on it we can go and have a look at the same stuff there so we have our ntfs we can go and have a look then at our recycle bin you can see here we have carved carved files as well um but yeah if this was uh you can see our recycle bin there that's the flag.txt and that's got our flag in it um we if we if there were email addresses and websites and things like that you would find them quite easily in autopsy as well but that's it it takes quite a long time so for any more challenges like this i'll just use ftk imager the next challenge is called password backup it says it seems was the usb attached to the pc but what does this all mean what is the big picture search through the files in the usb to find out so if we download the data file back over to the linux system now if we check the file type here file data we'll see that it actually says it's a pcap file so let's rename it let's move it to from data to data dot pcapp and it actually says pcapng so we'll add the ng extension as well and now we can open this up 
with wireshark and go and have a look through the traffic we're already seeing this usb protocol a lot but let's go and have a look at the protocol hierarchy and see that actually yeah it's 100 usb traffic we could go and select maybe the text item select that and see if there's anything of interest here we can just scroll through the packets and see for example here there's some text we might want to have a look through through that if we don't see anything of interest again we could go back we could have a look by length and see if there anything interest here we see the data out and there's quite a lot of data being put out in these cases if there was a certain property that you wanted to filter on you can go and select any of these and apply them as filters so for example if we wanted only these data out commands we could go and select that and we can go by any of these any of these fields now whenever i was actually solving this i probably went through an unintended solution which was rather than actually grabbing that in wireshark if we use bin walk or foremost we'll do foremost and data dot pickup and g now if we have a look at the files we have here we can see that it's actually produced two png files and we know that the challenge description mentions something about pictures we could have done the same with bin walk as well bin walk dash e data picab and you'll see actually it a lot it brings out a lot of false positives and stuff in there as well let's have a look at the tree um but we also i'm not actually sure if it did bring out the png's okay let's go into the output from foremost and into the png folder and then we can try and display we'll do 244 first and we'll see here jctf correct usb14 could have a look at the second one four three three and it doesn't appear to be anything recognizable so it was the the flag from the first one i'm gonna type it out again but i just transcribed that flag and entered it here the next challenge is called volatile 
memory one and it says oh no we need to find the process id of notepad.exe in order to save the city for some unknown reason no questions asked just do it so it says to use the round image found at this location so we can go and download that so we download this it's a memory dump so typically we're going to want to use volatility for these kind of challenges here i have a volatility cheat sheet i'm also that's a pdf one i'm just going to go and find a link to a you url with some commands on it and so you can set up volatility if you go through this guide here for example i'll leave a link to this in the description you can set volatility essentially whenever you run volatility against an image you need to look for the image info so you'll use image info to try and find out what operating system is and then that's the profile that you'll need to use for all the other commands in future and you can list the different plugins that are available and go through this kind of manually what i did for this ctf was just to try and get this done quickly was use the auto volatility which we can see here so i'm also gonna let's open that up auto volatility will grab this code and you can see here it takes in the memory file which we have and then we need to give it an output directory as well so let's see what we have here now we've got a memory dot zip so i'm going to unzip that and while we're doing that let's uh clone this auto volatility repo and we're going to need to specify then python auto volatility dot py and then the mem file which is going to be memdump dot mem and then an output directory so i'm going to make a new directory just called output and we'll pass that in with the d flag now that's finished inflating so we've finished unzipping that i'm going to remove the memdump.zip and let's run autovolatility okay need to run it with python2 by the looks of it so you can see it's automatically running the image info so we could have just done that ourselves could 
have run volatility dash f num dump and got the image info it's going to get back the os profile and then essentially it's going to go through uh most of the commands that you see here list processors grab the environments command line all that sort of stuff which means if um if you're trying to get us if you're in a competition which is time based and you're trying to get things done quickly it could be handy because you just you might have several challenges based off one image and you can just run all the commands at once and then as you go through the challenges you'll already have the outputs of all these different commands and in most cases you'll just be able to grab through them so i'll leave some links to all the tools that we're using here anyway close down the jersey ctf let's see if that's finished running it hasn't so it takes a little while to run i'll come back whenever this is finished okay so it took a couple of minutes to start seeing some progress here but we're starting to see some stuff now it's coming up with some errors here i think maybe the auto volatility is not quite in sync with the version of volatility that's being run it's not finding the dump directory option but um yeah it went through it found the profiles it decided this was windows 8 service pack 0 64 bit and then it's going through each of the different commands so if we we could run these ourselves now we could basically just copy and paste this for example and that would give us the dump certs um we're going to be interested in the process tree here so let's go over and i'm going to run tree here and see what we've got so far i don't see anything for the process ids so we'll just wait for that to come back [Music] now we have our process scan process list process tree have all completed it's still running through some stuff but that should be enough for us to let's go and cut out the process list uh it's in output so cat output process list ps list and in here then we're 
looking for our notepad notepad.exe as you can see right here and the process id is one eight zero eight so we just go here and enter in jctf 1808 the next challenge is volatile memory two and it says destination port four four four four is the only open entrance for the remote superhero island of we can't wait until covid is over in order for the executable boats filled with superheroes to gain access to island the ship name must be identified and then it's asking us to use the ram image which we already have access to so let's go back let's remind ourselves what we have here let's have a look at the tree it sounds like we're going to want to have a look at some network connections so we can see here connections.txt let's cat that out output connections connections.txt okay there's nothing there i'm not too sure if that's finished running yet or if it just didn't bring anything back let's try then and just i'm gonna do grep recursive four four four four and here we'll see that in the command line and the dll list we both have this nc for netcat -nv and it's creating a listener and it's sending the so this is basically a reverse shell here sending over cmd.exe over to this ip and this port number so i believe it was just nc.exe was all that needed to be put in here jctf nc.exe or maybe uh netcat can't quite remember but that was basically the solution there we could also grep um if we do grep recursive case insensitive and look for jctf this is where we found the brodyu even pickup solution in the mft parser so it found that in the master file table so there's an unintended solution to that challenge although i'd already solved that challenge by the time we got to this part anyway the final challenge is called alternate reality and it says it turns out there was not one but two disks in the pc finding the flag for the previous disk left you confused seems like you have to find the flag in this forensic disk image too so i've moved over to the
windows vm again i've downloaded that disk image and we'll open it up with ftk imager again we could use some other tools like autopsy or encase but i think ftk is probably the quickest and easiest to use so open this up as an image and then i just basically went through to have a look to see what we've got in here so again we have our ntfs we have our root so we can go in and have a look in this case there's the recycle bin we've got flag.txt there and then this hidden file and there's our flag in the stream so pretty easy to solve with if you've got access to this tool you can download this for free i think you just have to like sign up with your email or something but you do get a free copy with that doesn't have all the same features but um so that's all the forensics challenges done so let's move on to the pwn challenges so i actually solved most of these pwn challenges using some reverse engineering and plain old debugging because there's no remote server to actually test the exploits against there's nothing to stop you from just retrieving the flag through maybe the decompiled code or from using a debugger to get it so i'll run through these challenges and some of them i'll show the unintended solution in all of them and some of them i'll go through the intended solution as well but i have quite a lot of buffer overflow videos going through writing pwntools scripts and things like that so um if you want more detailed sort of walkthroughs on some pwn challenges i would go back and have a look through some of my previous videos also note that we'll be using ghidra throughout this so i'm going to open up ghidra now and create a new project and then we can just import each file that we look at into ghidra so this will allow us to view the disassembled code and also the decompiled code as well so create a new project here just call it jersey and then we can import our files here so i'm just gonna i'll
open up first of all and then each file that we download we'll just be able to go to file and import to open up here we'll get our decompiled code on the right and then our assembly code here on the left we've got access to our functions in the symbol tree bit here and then different sections of the program here in a program trees we can search for strings and stuff in here once we've got the program open so if you don't have that download it and install it you can use it on windows or on linux we'll also be using the pwndbg library in gdb so if you don't have that installed i would recommend installing that as well it makes reverse engineering and binary exploitation a lot easier if you type pwndbg here you'll get a list of all the different plugins and functions that you can call and again if we do help as well we can have a look at some different options we can do help breakpoints to drill down on that and then we could do help um on each of those as well so skip enable um etc so we'll be using that we'll maybe also put together some pwntools scripts so um again i'll leave links to some of these things in the description otherwise you can just google them to get hold of them the first challenge is called exec and it says your superhero co-worker is asking for your assistance with rescuing a 64 year old elderly woman's pet cat from executable file that won't open apparently the fire department only helps cats stuck in trees save the cat by finding a way to run the executable file so we download the exec file save in our local directory and the first thing we might want to do is just go and have a look at the file type we'll see that it's a 64-bit lsb pie executable so it's little endian least significant bit first um not necessarily too important unless we're building exploits we might need to bear that in mind set up addresses and things pie is enabled which means every time the program loads it'll load to a different location in
memory it's dynamically linked which means it'll use external libraries like libc to call functions from so things like printf puts and read and things like that and it's not stripped which means that debugging symbols haven't been stripped from it so we can see function names and it's a little bit easier to reverse engineer and debug it we could also run checksec as well do checksec file exec and that will let us know what security protections are enabled on the binary so in this case we have full relro this will affect our ability to write to certain sections of the program we have like our global offset table for example we have no stack canaries found so if there were stack canaries in place it would mean that if we triggered a buffer overflow and we overwrote one of the stack canaries with a different value it would exit the program and say that it's detected some stack smashing and can't continue nx is enabled which means that even if we were able to overflow the buffer and inject some code onto the stack it wouldn't be executable because um data is either marked as data or as code and we wouldn't be able to just execute code in the stack and again pie is enabled so we just went through that that's just that every time the program loads it'll load at a different place in memory so there's no fixed addresses we just have offsets to different functions and so let's make this executable as well do chmod +x make it executable we might also want to have a look at the strings as well strings -n 10 exec and we could go through and have a look at some of the strings that are in there sometimes you might just be able to grab a flag from that so let's try and run the program and we run the program and we get ran an elf executable so that's our flag for us so we didn't actually need to do anything but just for fun let's go and import this into ghidra and um whenever we import a file we'll just hit ok and default and yes and all that to all these default options it
opens up i'm going to have a look at our functions on the left and we want to go and have a look at our main function which was being called so the main function was calling putchar with all these different hex values so we could go and have a look at these values actually let's have a look there and you can see the chars that they've been converted into and then the same here as well so it's basically just outputting this data which has been moved into these registers it's outputting that in an order which is giving us the flag so you can go through here and you can compare each of these statements to the code and get an idea then how uh disassembled code compares to its decompiled to its actual um kind of original version it's not going to get back to the original c code but it will get close to it in ghidra again yeah we could go and search for strings in here as well so if there were some certain strings in the program that we wanted to go and try and find out where they were and what code was around those strings that would be useful for us the next challenge is called simplebuffer1 and it says oh no the supervillain buffer buffoon is causing mayhem find a way to thwart his mischief and restore peace to the stack so we'll download this simple one file and again we might want to go and run some of our basic checks we'll see again 64-bit lsb pie executable it's not stripped it's dynamically linked we could check the security settings and we'll see that everything's the same pie's enabled no execute's enabled there's no canaries but full relro's also enabled we might want to have a look at strings as well and see if there's anything of interest in here any passwords or something you might want to enter you can see here actually enter password and here's a password right after it what looks like a password let's take a copy of that i'm going to make the file executable and let's run it it
asks us to enter in a password and we get correct password and it comes back with our flag let's actually run that again if we were to run this with ltrace you might find that if we put in a password okay sometimes we'll be able to see the string compare that's being done there but we weren't able to in that case so that was an easy win on that one but let's go and open it up in ghidra anyway and because it's not stripped we can just go straight to the main function here otherwise we'd want to look for an entry function we could also search for strings and we know that for example it's asking us for a password here we've got enter password so we might select that and then that'll take us to this part of the disassembly and then we can just go and see where is this referenced that's referenced right here in main so if i double click that it'll take us to the main function and this is where the code is happening so yeah there's a string compare being done it takes in it has this buffer of 46 bytes it has an int pass and then it takes in our password and if it equals each or read no it'll give us our password back otherwise we'll get wrong and password obviously the challenge is called buff one or simple one it's supposed to be a buffer overflow and we can see here that we have a char buff of 46 characters but gets is called here which doesn't check how many characters it's bringing in if we go and have a look actually at the manual for gets we'll see here that it says never use this function and essentially tells us that it's vulnerable to buffer overflows so we should use fgets instead which will allow us to specify how many characters we actually want to read in but still we still need to do a check for bounds there as well so um how could we exploit this well we could if we run the program again and just enter in a really long input we could do this with python as well and make it a little bit quicker you'll see we get the segmentation fault
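The crash from that long input is the starting point for the offset-finding step the walkthrough does next with pwndbg's cyclic and cyclic -l, and for the A/B/C stack layout it then visualises. As an added example, not code from the video, from pwndbg or from pwntools, here is that step in plain Python: the same de Bruijn pattern generator pwntools uses (alphabet a-z, 4-byte windows, which is why the video's "saaa" in rsp maps to offset 72), an offset lookup that accepts either the bytes or the raw register value gdb shows, and a payload builder for the filler | return address | tail layout. The address 0x4242424242424242 in the usage block is just the video's row of B's, not a real target.

```python
# Added example (not from the video, pwndbg or pwntools): reimplementing
# `cyclic <length>` / `cyclic -l <value>` and the filler|ret|tail payload layout.
import struct
from itertools import islice

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"  # the alphabet pwntools' cyclic uses


def de_bruijn(alphabet=ALPHABET, n=4):
    """Yield the de Bruijn sequence B(k, n) over `alphabet`, one byte at a time.

    Every n-byte window occurs exactly once, so the n bytes that land in a
    register after a crash identify a unique position in the pattern.
    """
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in a[1:p + 1]:
                    yield alphabet[i]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length, n=4):
    """First `length` bytes of the pattern, like pwndbg's `cyclic <length>`."""
    return bytes(islice(de_bruijn(ALPHABET, n), length))


def cyclic_find(needle, n=4, max_length=65536):
    """Offset of `needle` in the pattern, like `cyclic -l`; -1 if not found.

    `needle` may be bytes or the integer gdb prints for a register; integers are
    read little-endian because that is the order the bytes landed on the stack.
    Only the first n bytes matter (the video's "saaa" out of "saaataaa").
    """
    if isinstance(needle, int):
        needle = needle.to_bytes(8, "little").rstrip(b"\x00")
    needle = bytes(needle[:n])
    window = bytearray()
    for offset, byte in enumerate(islice(de_bruijn(ALPHABET, n), max_length)):
        window.append(byte)
        if len(window) > n:
            del window[0]
        if len(window) == n and bytes(window) == needle:
            return offset - n + 1
    return -1


def p64(value):
    """Pack a 64-bit value little-endian, as it must appear on the stack."""
    return struct.pack("<Q", value)


def build_payload(offset, ret_addr, tail=b"C" * 24, filler=b"A"):
    """filler*offset | saved return address | tail: the A/B/C layout from the video."""
    return filler * offset + p64(ret_addr) + tail


def describe_layout(payload, offset):
    """Split a payload into the stack regions it overwrites, for a sanity check."""
    return {
        "buffer_and_locals": payload[:offset],
        "saved_rip": payload[offset:offset + 8],
        "beyond_rip": payload[offset + 8:],
    }


if __name__ == "__main__":
    print(cyclic(100).decode())
    print("offset of b'saaa':", cyclic_find(b"saaa"))  # 72, as in the video
    payload = build_payload(72, 0x4242424242424242)  # constructed placeholder address
    for region, data in describe_layout(payload, 72).items():
        print(f"{region:18} {len(data):3} bytes  {data[:16]!r}")
```

Feeding `cyclic_find` the integer gdb shows (for example the value in rsp at the crash) saves transcribing the bytes by hand, and `describe_layout` is a cheap way to confirm the return-address slot really sits at the offset you computed before running anything against the binary.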
what's happening there is we've written so many characters into this buffer of 46 bytes it's overflowed and it's ended up overwriting the return address of the program which has caused it to try to jump to this memory address of aaa which obviously isn't a memory address and that's where it's run into a segmentation fault so we're going to open this up in gdb pwndbg simple one and once we open this up we can have a look at the functions that are available to us we can disassemble any of the functions let's disassemble the main function and you can see here all the putchars that we have on the right behind in ghidra we have the disassembled code here and we also have the addresses notice that these aren't actual memory addresses because pie is enabled we won't get the actual memory address until the program loads because this is going to change each time but these offsets will remain the same so we can use those offsets as well to do our calculations once the program's running so there is um another unintended solution here in that because the flag is available locally we could jump to the location of interest right so we could jump here where it pushes our flag to the stack and then it's going to run through and put all the characters out so i'll do that at the end but let's have a look at actually doing this with a buffer overflow so i'm going to generate a cyclic pattern here let's do cyclic 100 this is generating a cyclic pattern so that if we run the program it asks for password we paste it in whenever it crashes the program it's going to show us the layout of the stack and right here in our rsp this is the first four bytes is the offset that we're looking for so if this was a 32-bit application you would see this in the eip but because it's 64-bit it won't actually try to load this address so it's just in the rsp instead but that's fine we can do cyclic -l to look up the offset and that'll tell us that the offset is 72 so there
were 72 bytes written before this saaa ended up in the rsp so that means if we want to go and visualize this let's run python2 -c and then i'll do print a times 72 plus b times eight plus c times we'll say 24 and our a's are the bytes that we're going to need to write to overflow the buffer the b's are the values that we are going to enter into the return address so that's the address that we're going to try and cause the program to jump to so if there was another function in here that we wanted to jump to we would put in the address of that function in this case we might put in the address of um after this password check so just to visualize it let's take that and go and run the program again and we'll paste that in and we'll see this time that if we have a look at the stack we can do x over let's do x/20x $rsp that'll show us the stack you can see here we have our b's let me do actually x/100x and i'm going to do $rsp-72 and we'll see then all of our a's which are 4 1 in hex capital a's 4 1 have filled up the stack until we get to the instruction pointer which would have filled up with these b's but because it's an invalid address it hasn't done that and then the c's might contain our shell code so we might write all these a's into the buffer and then set the b's to jump to the beginning of these c's and start executing it as code but in this case because the binary protections are enabled we're not able to just execute code on the stack but we can still return to a different address right so if we wanted to get the pie base here let's do piebase this tells you the address the program loaded at in memory and then if we wanted to find an offset so for example right here is where it starts putting the characters so you have here the move instruction we're moving this flag into the rax and it's the offset one two four a so if i do piebase 0x124a that's gonna give us the offset of that so this that we
could we could write this address into the buffer overflow or in this case we could simply say we want to jump to that address in gdb if i try and jump to that address you can see there it's filled up those uh characters in the rax and the rdx so that's exactly what's happening here move to rax if you highlight that you'll see it says no as gf and if we go here and have a look we'll see in here as well it's showing it in reversed order but that's exactly what we have there and we could then step through next next next step through the instructions until that prints out the flag for us in this case i guess the buffer overflow's probably caused some problems um but that's not the intended solution for this anyway so if we were trying to overwrite the return address we would need to worry about the pie base it would be easier to do it in pwntools or something like that rather than doing it in gdb or on the command line the intended solution here really would be to overwrite the pass variable so we have this pass variable which will be updated with a zero or a one depending on the password we enter so if we enter a password that's long enough to overwrite that so it doesn't equal zero so let's try and run the program again we'll enter in a long password we want it to be long enough to overwrite the variable but not so long that it overwrites the return address and causes the program to crash so we could write a script to kind of loop through and do this in python you can see here that although we've got the wrong password it printed out the flag there so we've overwritten the variable which was being checked in this case the next challenge is called revpop it says as one of your missions it seems your foes fumbled while backpedaling and accidentally dropped a secret program you wonder if it can discover something about their plans by looking through the program what if something is hiding in plain sight so we'll download the file glot and again we'll
check the file type 64-bit lsb pie executable not stripped seems to be the general consensus let's see if there's any difference with the security protections no everything's looking the same all right so we can have a look at the strings i see here plain text flags are pretty suited nothing to see here um i'm not sure if that's the actual flag i guess it probably is but it seemed like a very easy solution there for a third challenge let's open this up in ghidra anyway and see what's going on there import the file we'll also go back here and just make this executable and try to run it nothing to see here okay what if we try it with ltrace nothing to see here what if we pass it in a parameter okay so it doesn't actually produce any output so we would need to reverse engineer it i mean i think we got the flag there in a string by the looks of it but let's pretend we didn't and we were doing some reverse engineering here we would see there's a main method it puts out there's nothing to see here and that's it there's nothing else of interest it doesn't take any input off of us there's nothing else printed out so what we would do is we'd have a look see are there any other functions in here that might be called i can't actually see any myself of interest at the moment aside from our main function let's go and have a look if we search for strings and we'll see here the jctf plain text flag so whereabouts is it located it's referenced here in main so it's loaded into the rdi but it's never actually printed by the looks of it so it loads there's nothing to see here into the rdi and then calls puts and then there's a comparison here as well which is going to compare so this value is assigned here we move the dword pointer moving zero to rbp plus local c and then here we're testing if that still equals zero and if it does equal zero still it's going to jump down to down here if it doesn't equal zero then it'll print out the flag so if we were to ensure
that this value didn't equal zero it would also just print out the flag for us so let's open this up in gdb we'll open gdb pwndbg passing glot we can have a look again info functions we can disassemble our main function and see the code here so again it's loading 0 into rbp minus 4 and then later down here it's going to do our comparison so right here it's doing the comparison it's comparing rbp minus four and if it still equals zero it's going to do this jump to main+66 which is not what we want we want it to just print out the flag for us so i mean a really easy thing to do here would be to just simply jump right here so this is if this is where we wanted to jump to because we don't want this to jump down to main+66 we could grab this address let me start running it uh okay let me set a break at main and then run and then now if we disassemble main again we now have these addresses populated because it's got the pie base now so in this case we would say well we want to just jump straight to this address and if we do jump * to mark the memory address and then jump and then it'll print out our flag so that's one option another option let's run this again it'll hit the breakpoint at main here and we can see our code so we could go through here next next next you can see that it's about to run it's going to move 0 into the dword pointer rbp minus 4 so we can do x $rbp-0x4 and we can see it's currently zeros anyway so that's fine we'll go next and it'll still be zero so we'll go next it's going to print out to say there's nothing to see here it prints that out and then it's getting to this comparison and if we have a look again we'll see that that still equals zero so what we would want to do is set rbp minus four to equal 0x1 and then if we print that out oh that's not going to work okay so um because of the way that was a pointer actually i'm going to run this again we've got a breakpoint at main again let's go next next next next
next we get to our comparison here and again we were looking at x $rbp-4 and this is the location of it so i'm actually going to take a copy of that and i'm going to say set this address to equal 0x1 and now if you try to print that out you'll see that now contains one so if now we go to the next instruction instead of it it's going to do the jump if equals here if we go next instead of it jumping to main+66 it should get straight down to our load effective address which it did and it's loading our flag into memory hit continue and there it's printed out our flag again the next challenge is called 64 arc ins and it says for some reason you're being asked to help a 64 year old beekeeper he's having trouble extracting honey from hexagonal honeycombs why don't you try examining the architecture of the beehive see if you're going to obtain something so we'll download the ink file here i'm gonna try and speed up because this video is already over an hour long let's check the file type first of all it's exactly the same so i'm gonna make this executable and i'm gonna run the program it asks us for a flag we'll say abc let's try that again with ltrace abc and we don't get to see the string compare let's try and run it again with a really long input and nothing much happens let's try and check for strings and it looks like a password although it says psych does nothing so that doesn't sound too good um all right let's try and run it anyway put that flag in nope all right so we'll open this up in ghidra and have a look at the code import file and we'll go and take a look at the main function you can see we have some different functions here here's one deaf and flag defined flag maybe we have health psych this does nothing we have main and then we have pain as well so quite a lot of obfuscated looking code here string concatenation going on strcat um okay so let's go and have a look at our main function so we have some variables being
declared here defined at the top and we have some values which have been assigned which are in hex and if we go and highlight those we can see what those map to in characters it does look like a flag although it looks like it's been jumbled up or encrypted a bit so we'll need to find out what's going on in the code so enter password for flag it's got this dot data section it's reading in a decimal okay so it's reading a decimal from us and then it's comparing what we enter to five four two three which is one seven six nine nine in decimal so let's run the program again and i've already forgotten what it was in decimal 17699 we run that we get psych this does nothing so that was the password thing that we saw we have eight eight as well so we can go and have a look at that and see that's 136 so we'll run it again we'll try and put in 136 and we get a partial flag back by the looks of it jc cft okay um let's see what else we have here it is two five two nine nine four so let's go and try that two five two nine nine four and there we go it looks like we've got our flag back so um that's got that for us so it runs pain and passes in this local 28 which is assigned the value right here so that's the jumbled up flag and it's calling pain which is taking in that parameter and then it looks like just re-jumbling it up there as well so we could again because this isn't run against the server we could just kind of run this locally in gdb and just jump to where we need to go i'm not going to do that the video has taken a long time so far so let's move on to the next challenge so now we have a simple buffer 2 challenge which says buffer buffoon is back with new blunders will you be able to defeat him again this time numerous things have to be precisely correct to get him moving along to get us moving along so we'll download simple two let's go and do our usual stuff check the file type 64-bit lsb executable not stripped will not bother checking the security
settings because it's going to be likely the same let's have a look at the strings though let's just see if there's another easy win so it asks us for a password and it says you have successfully entered one command line arguments congrats you have successfully answered two command line arguments okay so without doing too much more we've got a good idea what needs to be done let's try and run this simple i'm going to give it well let's just try and run it nothing happens okay what about if we do ltrace simple nothing happens let's do it and pass in a and we get exit 35 so this time it exited but it was because it's for a different reason now if we pass in a a we get status 33 okay 2 32 okay so depending i guess on the length of our inputs or is it just okay i'm going to enter longer inputs here just to see what and then we get to 255 okay let's open this up in ghidra and see what's actually going on again not stripped so we can just go straight into our functions go and have a look at the main function so we'll see here that yeah it takes in two parameters the main function our second parameter is a long which it adds eight and then it's gonna compare that against this value here which in decimal is eight five three four zero nine nine three and if that matches we'll get you successfully entered one command line argument uh it's then going to add 0x10 so that's 16 in decimal and it's going to compare it to this value which is three three one one nine three six and if that matches it's gonna say congrats you entered two command line arguments and then it's gonna check if the param one is less than three if it is it will puts to the loo otherwise it'll call um success success to ivar one and if either one does not equal zero it'll call this vuln function this vuln function is gonna put out some characters to screen so i'm going to cheat big time here save a lot of time this is what i did in the actual competition as well if we um open up gdb pwndbg
simple 2 let's go in here and have a look info functions we can see that we have our vuln function right there so what i'm going to do is i'm going to run the program i'm going to set a breakpoint at main so whenever we run it doesn't instantly exit and then i'm going to have a look here again info functions all right i didn't really want to see all that what i'm going to do is have a look disassemble vuln this is where it's going to put out some characters so it's a good chance that's going to be our flag in fact we know it is because if we go back here this is once all the other conditions have been met this is what's going to be called so i'm going to go here and jump to the start of this function essentially so let's just grab this and we'll jump right there and print out our flag so that was majorly cheating um but the video is getting quite long if you want to see how to solve some of these pwn challenges properly go and have a look through some of my other videos on pwn walkthroughs and um i'll solve some of these in a bit more of it well using the intended solution anyway all right so i'm gonna close this let's go and take a look at the final challenge so the final pwn challenge is called sim worker and it says money is the root of all evil buffer buffoon is back for attack number three and now he's a bitcoin banker you long to defeat him once more so we'll download the file and we can go and run our usual checks although i'm not expecting too much different it's a 64-bit lsb pie executable let's check the strings get an idea what the program's about see if there's any passwords sticking out or anything as well so we can see here what's going to happen it's going to tell us we're in a cryptocurrency simulator it's going to tell us how many coins we have and then we have an option to rocket to the moon or to buy flag and we can earn coins so let's make this executable and if we run that we can test it out so if we do work okay we do
work but then it's going to close the program let's try and donate how many would you like to donate say 100 thanks for your donation okay let's try again buy flag you don't have enough and then we have the option as well to exit all right so i've got an idea what the functionality is let's go and open up the binary i can't remember exactly how i solved this but i know it wasn't from pwning it either it's going to be another unintended solution for this one let's go to the functions to our main function okay so if we go through and try and work out what's going on here i don't think i even really did i think i went straight in had a look at these strings and if we have a look here let's see what that equates to so it looks like another kind of obfuscated flag so it's going to load these into our registers and then it's going to call putchar around here so essentially there's a lot of different conditions that we need to make true before we're going to be able to get down to this part of the code but because we're given access to the local binary and this isn't on a server which means we can just use the debugger and we can kind of cheat and extract the flag from it so again this isn't really how to pwn the binary but um a flag's a flag you know so if we take this address for example right here where we need these to be moved into the correct registers so this is one three fc so if i go and open up gdb pwndbg and let's run the program i'm going to hit ctrl and c to pause the execution and then we're going to look for piebase and give it that offset 1 3 fc so do 0x13fc and there's the address of that now so if we actually go let me disassemble that okay without the star and you'll see then if we go and have a look at the address that's been disassembled that's exactly what we were pointing this to or wasn't the exact instruction there one three fc okay well let's try and jump to it here if we jump to that and we'll see
here jccf types have overflows and we've got stack smashing detected there as well terminated so that's how i grabbed the flag from this obviously it's not the solution so um i'll be interested to see what some people's solutions were for this i didn't really spend too much time on it i just kind of got the pwn challenges done very quickly and then moved on to some of the other categories but yeah if you want to learn how to solve these pwn challenges a bit better go and check out some of the hack the box pwn walkthroughs i've put together or some of the recent challenges from the angstrom ctf i forgot the name of it there okay uh so yeah that's the pwn challenges done let's move on to the misc challenges or the ones i got completed anyway the first misc challenge is called hidden in plain sight and it says you've stumbled upon a sketchy document which seems to be comprised of placeholder text it can't be that boring though right examine the document see if there's a hidden message somewhere and i can't see the full thing there but let's just download the file and take a look at it i'm just going to open this up actually in the text editor and yeah all right so i just scrolled there saw the flag pretty quickly we could also then have a look just like search for jctf or regex as it says in the flag but there's a nice easy one to get started the second misc challenge is called open creds and says the police have finally apprehended slippery sam no one knows how he should be sentenced so i guess it wouldn't hurt to view his probably release records and make a decision and then we're given this link to the github so we're gonna go and take a look at the github in here what did i do here i think i had a look at the commits have a look at the previous commits and you'll see here that added files via upload and then delete to clean up which is never a good commit message so if you're going to have a look at that and we'll see yep there's our
jctf flag in the removed file so let's go back next challenge is called all wrapped up and it says you stumbled upon another sketchy document wouldn't it be crazy if there was a deeper message so we'll download this flag it says png file there i'm going to save it go and take a look at it so let's check the file type here okay so there's a zip archive here so let's move this flag to flag.zip that's not flag.zip let's move flag.zi to flag.zip and then unzip flag.zip and now we can see that we've also got this flag let's check the file type of flag compressed data so let's move flag to flag dot xz we can use xz probably with dash d for decompress that's what it normally is dash d will give it then the flag and then let's check what file we have now bzip so we'll move flag to flag dot bz and then b z dash d oops we don't always need to change the extension here by the way but um oh b zip two is the command we don't always need to change the extension but sometimes it'll it won't recognize it unless you do so let's see what we've got now flag this one's uh gunzip so i'm going to move that flag to flag dot gz and then we'll use gunzip i don't know if it's gunslip or gz gz dash d flag yes gunzip and let's see what we've got now file flag toss i'm going to move that flag to flag.tar and then we'll do tar xvf flag and now we've got flag.txt so we'll cut out flag.txt and there's our flag all bundled up the next challenge is called hidden in plain sight two says there's an impostor among us unlike the rest of your colleagues imposter is from jersey he is valid find the imposter and prevent him from wreaking internal havoc so we'll download flag.txt i'm just going to open up in the default text editor and here we have a lot of this is certainly a flag i think this was a fake flag if i remember correctly what i'm going to do here is let's do okay i'm going to open this up in sublime which i hate slightly less than pluma whatever it is for searching and replacing here so if we 
where's the regex option here i forget the commands in this i mostly just use notepad plus plus on windows um find replaces control and h okay and we're gonna find we can say zero to nine a to z and then how many what length of these i can't even see the length here i hate um i hate sublime so much just because i don't use it you know um i'm gonna say 56. okay no 58 no 60 okay so they're all 60 characters long so we're going to play i'm going to replace all of those with nothing and then we should be able to remove lines line um delete lines join lines maybe i need to highlight that line join lines there we go and you'll see that we've got def definitely a flag and then we've got this is certainly a flag i don't think either of those are flags but we have this clearly base64 encoded string so let's do um echo we'll echo that out and then we'll pass that to base64-d and there's our flag next challenge is called rainbows and it says while you are flying in the sky back to your superhero headquarters you've stumbled upon a mysterious rainbow this doesn't seem like any ordinary rainbow though you need to take the time and space to figure out the message behind the picture so let's download this png image and we've got this untitled so we can check that we could have a look at any exif data we could have a look for strings let's do strings n8 untitled nothing in there okay what about if we just print it out cat all right there's not much in there at all let's open it up with let's display it then let's just have a look see what's actually in the image entitled png okay and it's appears to be a really tiny image okay so we could try and open stuff like this up with stego tools there is stag solve it's a good one for kind of just visual based challenges if we open that up although i don't think there's a zoom feature on it yet or the version i have doesn't have a zoom feature something else it's good for png images and in fact let me just show that for stego tools what i 
normally do is apt cache search stag and then you'll get a list of some different stag tools um i'm gonna use z bar no not zed bar image that's four qr codes um zed stag zed stack it's been a while since i did any stakes challenges said h so we can get some different uh options here i'm just going to do z-stag and just pass in the file name on title.png and we get nothing okay let's try and do zedstag dash um all to run all checks and we run that with all checks and this is starting to look a little bit better and you'll see here who knew you could encode text and image did you open this as png or just convert it from hex from hex i think actually what's funny here as well is if you copy and paste this it does um that wasn't the flag he actually had to update this to there was a typo there so you actually had to change that to hex i believe uh but that's the rainbows challenge anyway so there's these two challenges i didn't get finished we'll go and have a look at some of these crypto ones which i did finish and then maybe once it gets to the end i'll talk through some of the challenges i didn't finish and where how far i got with them and um i don't know we'll see how much time is left so the first crypto challenge is called rome it says while you're having your daily meal of hashbrowns you come across a note that arrived in the mail is nothing but a cryptic message inside and simply signed roman at the bottom i wonder how you could possibly decipher this message so let's open up the flag.txt and see what we've got so this looks like a classic rotation we can tell because this is beginning with jctf so the everything's in the right structure right it's um it has four characters followed by a curly brace and ending with a curly brace with then a flag in the middle it has all the underscores so it doesn't look like it's been transposed it doesn't look like characters have been moved around it doesn't look like there's been much of a substitution done because we 
still have some of these characters here it looks more like everything has been rotated so we can go and test that out in a couple of different tools the most the main tools we'll be using here we have decode.fr which i'll go to here and just set that to english we can search for different tools in here so for example this would be the caesar cipher um which is the the hint with the the roman name as well but i mostly use cyber chef nowadays so i'll open that as well and let's go and paste this message in here you can sometimes just run magic on this so magic will try a variety of different encoding and decoding techniques to look for some plain text it's not working for us in this case and let me just mention as well before we get any further there's a lot of things you can do in cyber chef so even if you go down to the forensics section here there's a lot of stuff i forget about in terms of looking at exif data scanning for embedded files checking the file types um a lot of different file types you can check for there multimedia so you have some things that could be used with stego as well stego challenges um it's not just it's not just crypto stuff that's in here um again hashing compression date and time so i've had challenges where i've been working combining not dating time where's the map section there's there there are challenges that where i've been converting like longitude and latitudes and things like that and you can actually show show stuff on on the map in cyber chef so and just to mention that there's a lot there's a lot more than just encryption and coding you can do in here but for us let's go to rots rot 13 it's 13 because there's 26 letters in the alphabet so a rot of 13 is exactly in the middle but essentially what we want to do is just go through here until we see the jctf matching up there so we'll go back through them did i go past it already must be further up and there we go so it's 19. 
we rotate by 19 and we get caesar ciphers are pretty litty this challenge is called rail fence and it says you come up to a fence with an assortment of letter spaces on it the flag must be somewhere on it there must be some sort of pattern maybe you'll have to look from a different perspective so let's open up this flag.txt and so this is a little bit different we don't have four characters followed by our curly brace and ending with a curly brace but we can see that obviously our curly braces are in there let's go and put this into cyber chef we will take away our rot 13 we might try and put this in with magic um no look what i did here then was just search based on the challenge name for rail and one of the first things thought is this rail fence cipher decode so we'll enter that in and we'll see that as we start to change the key the curly braces begin to move around and quickly we find that the key is four and we get jctf rail fence rail fence encoder zigzag cipher this challenge is called room but harder and it says the previous room challenge must have been too easy so roman sent you another one a note with an even more cryptic message the number 46 and a mirror what could you possibly do with that so 46 reversed is 64. so there's a hint that's going to be some base64 encoding let's go and open up the file anyway and take a look at it we'll see straight away yep looks like it's base64 encoded so i'm going to go and grab the base64 and we'll convert it from base 64. 
let's just turn off the rail fence cipher decode for now and we'll see that that's it um decoded but it looks like then again we're having some issues with the rotation so let's turn back on our rail fence cipher decode there we may need to move that around although it said it mentioned rome there which refers to our caesar cipher let's actually pause that and uh look for the rot 13 again but no matter how much we rotate that is it's not going to change the order of the flag right it's only going to rotate the position of each character so what we would probably want to do here is first of all have our rail fence cipher decode in the right place so let's turn that back on and we want to try and get it so we have four characters at the beginning followed by our curly brace opening so we can cycle through these doesn't really seem to be helping too much and then eventually it gets too long for the cipher so what about if we change the offset as well okay so i just played around with that for a little while until i got the flag out that nice she did did you like the flip and base 64. 
so it was key of 42 an offset of 40 and then a rotation of 19 which got me that solution notice that the jctf is not in the right order though but um i guess that's just a typo so that's the room but not harder challenge the next challenge is called transformation and says do you have an affinity for maths then you'll easily be able to crack the cipher you scratch these all the time back in my prime years so let's open up flag.txt we'll take a copy of that and we'll go and put this into cyberchef as usual we could go and try and just throw in magic to see if it comes back with anything but it doesn't see if we can search here prime it doesn't come back with anything unfortunately let's have a look at cipher so you could just go through and have a look at these different ciphers and see what they do if you if you do that you'll see that the this site here actually says it's a monoalphabetic substitution cipher decrypt each lesson alphabet is mapped to its numeric equivalent decrypted by a mathematical function and then it back to a letter if we go and open that up and go and cycle through this you can see that it's starting to change the flag we need to update this as well um i believe actually if you're going to take a look at the hint here did i i remember checking the hint on this so a equals b divided by 3. 
so in this case a is going to be so if let's try and do 9 for b and 3 for a and then we get back our jctf affinity for numbers the next challenge is called hide inside and it says you receive an image of the cityscape you can't seem to find any flags it must be hidden inside somewhere and we have the cityscape2.png so let's download a copy of it again we might want to check the file type it's png we could check the exif data nothing of interest we can run strings on it oh and there's a flag with a base64 encoded value so let's base64 decode that take a copy of it you could put it in a cyber chef or something or we can just echo it here and paste and uh pipe it to base64-d and there we get stag hides in plain sight so just send that in the jct jctf format and get our flag the next challenge is called blaze the cve and it says you receive a cryptic message leaving you shell-shocked your butler alberto hands you a note says you'll need the cve to find the key he runs away while fresh hash browns fall out of his pockets the rest is up to you so we'll go and google that cbe and we'll quickly find that this is a reference to the shell shock vulnerability which is kind of hinted as well here uh in the description so we can go and look at some information about this vulnerability but we've been given a big hint there anyway shell shock in terms of the key but what kind of cipher do we need to decode the text let's open this up first of all take a copy of it we'll go over to cyber chef and paste this in here um so if you stuck on trying to find ciphers again you could go through and have a look at these various ciphers and see what kind of matches up there's no harm in doing that but the title and descriptions of always a big hint so if you google here blaze cipher the first thing you'll find is um names off the the veneer cipher is named after blaze the veneer and so let's go and use the veneer cipher here veneer decode and then we'll put in shell shock and you'll see that 
it's giving us our flag shell do the flag is shelby you wrong put it inside the ctf format okay and that's all the challenges i solved but i will quickly just mention how far i got on some of the other challenges so in terms of the missed category we had this xy map challenge it's only got 14 solves at the moment which is this dinosaur fbx if you download this i still i wasn't able to work out even with the hint um exactly what how to solve this challenge if you download it let's see what we've got here i'm going to remove cityscape let's have a look at strings dash m10 dinosaur and you can get some information in here i found that this can basically there are some tools you can use to open this online or you can use blender if we do blender dinosaur dot fbx we'll be able to oh um let's just open blender and then we'll import the file so if we go here file import fbx and then we go and select our dinosaur so we can import the dinosaur i'll make the cube hidden so we can see it and then we can zoom in um and we can look at different properties and stuff but yeah essentially you know i played around with this for a while i wasn't really sure you know having a look at different kind of options in here i don't really know how to use blender um so yeah that's i didn't really get to i didn't get too far with this to be to be fair i'm just going to close that down let's see what else it was so there was this open ocean challenge uh i mean i guess the miko's brain is down to well we can just search here miko's brain he did a a good talk for one of the um anniversaries i think of like f secures the f secure company where he traveled to pakistan there's a link to it there traveled to pakistan to meet the guys behind the original one of the earliest viruses called brain and you can i mean you can go here and search brain address he basically found he went and tracked them down based on an address that was left within the virus so let's search here address um okay brain uh so 
we can open that up and then you can go and see so there was this i kind of i wasn't sure whether it was talking about this number here in terms of the address or whether it was talking about these values so i tried to add those values together i also tried just the values individually but obviously i don't know whether these values were right so ldap is it talking about the ldap port number i was thinking it was three eight nine but i'm not too sure so i tried doing the value from there minus three eight nine minus elite which is obviously one three three seven minus have i been pwned number of garb so if you go to have ibmpwned.com and then we can go and have a look and see that there are 66 521 gab accounts so yeah i tried um plugging in these different values and getting this but i wasn't able to to get the flag obviously the xord message i really feel like i should have got this one i'm not i'm i'm not sure why i didn't get this i didn't really understand the hint to be honest so we have this file what i did is i just downloaded this file because of the because of the format you're not going to be able to copy and paste that too easily so if we download the file save it as flag.txt and then we can go and open that in cyber chef so open file as input we'll give it flag.txt and i was kind of just thinking an xor here so you can do xor you can xor brute force which if we know what string we're looking for which would be jctf curly brace then it'll look for this string in all of the solutions but it didn't find any here for this and you know i tried increasing the key length um it never seemed to to get there what i did find is that manually xor in if you go to the manual xor here um d0d0 i think we need to i'm going to convert the file to hex um two hex so we convert the file to hex there and then no i don't need to convert it text i just need to bake it again but here you see here jctf xor for the win can you crack goods looks it seems to get quite close um but 
yeah i wasn't able to let's get it solved i also found that i tried modifying the hex because if you actually look at the let's do a hex dump of that flag.txt you'll see that the c3 is repeating a lot and i thought based on the hint that we need to remove the c3 in doing that it does remove a lot of the dots so let's actually open up subwool flag.txt okay um there's probably an easier way to do this but i can't remember how i did it before but i went to remove these c3s and it comes back with basically a similar result but without the dots in it but whenever i tried then submitting that i wasn't getting any solutions so i'm not too sure what what went wrong there anyway and steg aes saurus let's download these let me clear out this directory so we have also part of the key image we have our flag.txt we have i got the keys which is a an audio file and we have part of the key dot jpeg so we'll download all that let's see what we have here so we have our flag.txt which is in hex which we're obviously going to need to decrypt once we extract this key we have this part of the key dot jpeg so what i did here was open that in stego suites no um stag solve open up stake solve and then we'll open up part of the key dot jpeg and if you flick through the different oh no actually sorry flick through the different frames frame browser because the gif image oh no sorry this is a wrong this is the wrong image i've opened that's why um open part of the key dot gif is the one we're looking for and if we go in and have a look at the frame browser we can have a look at the different frames in the gif and eventually we'll see [Music] this uh part of the flag so you can take that out and then i went and i think this is needs to be base64 decoded that gives us part of what we need and then we have the the wave file so you can use sonic visualizer open up sonic visualizer and open the i got the keys.wave there are some different things we can do in here if we go to um layer add 
spectrogram or channels and you'll see in here ecb so it's aes mode if we go back to cyber chef clear this recipe here and clear our files let's go aes decrypt so we know it's ecb mode we know that our flag is the hex that we have here and then we have basically some other parts of our keys which seem to be base64 encoded so i wasn't able to basically i wasn't able to put the key together but that's as far as i got i managed to i think extract the things that we needed from the files but kind of gave up at that point figured i'd go and make some walkthroughs and hopefully help out some some people with the challenges and and learning how to use some of the tools and just how to approach some of these challenges in general whenever you whenever you're competing in capture flag competitions anyway i hope you've enjoyed this video if you did drop a like subscribe and if you have any questions or comments leave them down below thanks
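The All Wrapped Up chain in the walkthrough (zip, then xz, then bzip2, then gzip, then tar, then flag.txt) is peeled by hand with `file`, `mv` and one tool per layer. Added example, not code from the video or from the CTF organisers: the same unwrapping driven by magic bytes using only Python's standard library, with a depth limit and a per-layer size limit so a hostile file cannot recurse forever or expand into a decompression bomb. The nested sample is constructed inside `build_sample()` and the flag text in it is made up; the signatures checked in `detect()` are the standard ones for each format.

```python
"""Added example (not from the video): unwrap a nested archive by magic bytes."""
import bz2
import gzip
import io
import lzma
import tarfile
import zipfile

MAX_LAYERS = 32                 # refuse an archive that never bottoms out
MAX_SIZE = 64 * 1024 * 1024     # refuse a layer that expands past 64 MiB (bomb guard)


def detect(data):
    """Identify the container from its signature, the way `file` does."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"\xfd7zXZ\x00"):
        return "xz"
    if data.startswith(b"BZh"):
        return "bzip2"
    if data.startswith(b"\x1f\x8b"):
        return "gzip"
    if len(data) > 262 and data[257:262] == b"ustar":   # POSIX/GNU tar magic
        return "tar"
    return None


def peel(kind, data):
    """Return the single payload held inside one container layer."""
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(zf.namelist()[0])
    if kind == "xz":
        return lzma.decompress(data)
    if kind == "bzip2":
        return bz2.decompress(data)
    if kind == "gzip":
        return gzip.decompress(data)
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            for member in tf.getmembers():
                if member.isfile():
                    return tf.extractfile(member).read()
        raise ValueError("tar archive contains no regular file")
    raise ValueError(f"unknown container {kind!r}")


def unwrap(data):
    """Peel layers until no known container is left; return (layers, payload)."""
    layers = []
    while (kind := detect(data)) is not None:
        if len(layers) >= MAX_LAYERS:
            raise RuntimeError("too many nested layers")
        data = peel(kind, data)
        if len(data) > MAX_SIZE:
            raise RuntimeError("layer expanded beyond the size limit")
        layers.append(kind)
    return layers, data


def build_sample(payload=b"jctf{all_bundled_up}\n"):
    """Constructed sample: flag.txt -> tar -> gzip -> bzip2 -> xz -> zip,
    so that unwrapping meets the layers in the order the walkthrough did."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        info = tarfile.TarInfo("flag.txt")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    blob = lzma.compress(bz2.compress(gzip.compress(tar_buf.getvalue())))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("flag", blob)
    return zip_buf.getvalue()


if __name__ == "__main__":
    layers, flag = unwrap(build_sample())
    print(" -> ".join(layers), flag.decode())
```

Renaming the file for each tool is unnecessary once the signature is read directly: `file` itself works this way, and the limits matter because a CTF "wrapping" file and a zip bomb look identical until you have expanded them.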
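The Rome, Rail Fence, Rome but Harder, Transformation, Blaise the CVE and XOR'd Message steps above are all done by clicking through CyberChef until "jctf{" lines up. Added example, not code from the video or from the CTF organisers: the same ciphers as small Python functions, so that search can be automated (every ROT shift, every invertible affine pair, every single-byte XOR key, keeping only outputs that show the flag prefix). The sample strings are constructed for the demo and are not the real challenge files; the rail fence `offset` follows the convention of this block's own encoder, which is assumed to match CyberChef's Offset parameter but was not verified against it. `undo_utf8` addresses the repeated c3 bytes noticed in the XOR'd Message hex dump: 0xC3 followed by 0x80..0xBF is the UTF-8 encoding of U+00C0..U+00FF, so a dump full of c3 is usually raw bytes of 0x80 and above that were pasted as text and saved as UTF-8, and decoding as UTF-8 then re-encoding as Latin-1 recovers the original bytes (that this is what happened to the challenge file is an assumption).

```python
"""Added example (not from the video): classical ciphers from the walkthrough."""
import math
import string

LOWER = string.ascii_lowercase
FLAG_PREFIX = "jctf{"


def rot(text, shift):
    """Caesar / ROT-n on letters only; case and punctuation are preserved."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def rot_bruteforce(ct, prefix=FLAG_PREFIX):
    """Return (shift, plaintext) for the first shift that yields the flag prefix:
    the search the video does by scrolling the ROT amount in CyberChef."""
    for shift in range(26):
        pt = rot(ct, shift)
        if pt.startswith(prefix):
            return shift, pt
    return None


def _rails(n, key, offset):
    """Rail index of each position in a zig-zag with `key` rails; `offset`
    shifts where the zig-zag starts (assumed to match CyberChef's Offset)."""
    if key < 2:
        raise ValueError("rail fence needs at least 2 rails")
    cycle = 2 * (key - 1)
    return [min(p, cycle - p) for p in ((i + offset) % cycle for i in range(n))]


def rail_fence_encode(pt, key, offset=0):
    rails = _rails(len(pt), key, offset)
    return "".join(pt[i] for r in range(key) for i in range(len(pt)) if rails[i] == r)


def rail_fence_decode(ct, key, offset=0):
    """Fill each position with the next ciphertext character, rail by rail."""
    rails = _rails(len(ct), key, offset)
    out, j = [""] * len(ct), 0
    for r in range(key):
        for i in range(len(ct)):
            if rails[i] == r:
                out[i], j = ct[j], j + 1
    return "".join(out)


def affine(text, a, b, decrypt=False):
    """E(x) = a*x + b (mod 26); D(y) = a^-1 * (y - b) (mod 26). gcd(a, 26) must be 1."""
    a_inv = pow(a, -1, 26)  # ValueError if a is not invertible mod 26
    f = (lambda x: (a_inv * (x - b)) % 26) if decrypt else (lambda x: (a * x + b) % 26)
    return "".join(LOWER[f(LOWER.index(c))] if c in LOWER else c for c in text)


def affine_bruteforce(ct, prefix=FLAG_PREFIX):
    """Only 12 invertible a's times 26 b's: cheap to search when the hint is unclear."""
    for a in (x for x in range(1, 26) if math.gcd(x, 26) == 1):
        for b in range(26):
            pt = affine(ct, a, b, decrypt=True)
            if pt.startswith(prefix):
                return a, b, pt
    return None


def vigenere(text, key, decrypt=False):
    """Key advances on letters only; other characters pass through unchanged."""
    out, k, key = [], 0, key.lower()
    for ch in text:
        if ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            s = LOWER.index(key[k % len(key)])
            out.append(chr((ord(ch) - base + (-s if decrypt else s)) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def undo_utf8(data):
    """Recover raw bytes from a dump that was saved as UTF-8 text (0xC3 0x80..0xBF
    is U+00C0..U+00FF); only valid when every code point is below 256."""
    return data.decode("utf-8").encode("latin-1")


def xor_crib(ct, crib=FLAG_PREFIX.encode()):
    """Single-byte XOR brute force keeping only keys whose output contains the crib
    (CyberChef's XOR Brute Force with a crib string)."""
    hits = []
    for k in range(256):
        pt = bytes(c ^ k for c in ct)
        if crib in pt:
            hits.append((k, pt))
    return hits
```

Each search keys on the flag prefix rather than on English-ness, which is why it finds short, underscore-heavy CTF flags that frequency scoring misses; the same idea is what CyberChef's crib option does for XOR.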
Info
Channel: CryptoCat
Views: 2,362
Keywords: jerseyctf, jersey, ctf, capture the flag, hacking, wargames, pwn, web, forensics, crypto, misc, cyber-security, infosec, bug bounty, tutorial, learn, security, cyberchef, gdb, pwndbg, dcode, volatility, buffer overflow, reverse engineering, reversing, ghidra, checksec, objdump, pen-testing, assembly, debugging, ret2win, exploit, osint, autopsy, ftkimager, static analysis, dynamic analysis, secure coding, hashing, traffic analysis, pcap, wireshark, burp suite, hashcat, crackstation, md5, foxyproxy, xor, websec, CTF, disk image
Id: aZyE1tgMGfw
Length: 102min 0sec (6120 seconds)
Published: Sun Apr 11 2021