Information
Version
By | Version | Comment |
---|---|---|
noraj | 1.0 | Creation |
CTF
- Name : BSides San Francisco CTF 2017
- Website : ctf.bsidessf.com
- Type : Online
- Format : Jeopardy
- CTF Time : link
1 - Hackers - Misc
Hack the __!
Answer: planet
20 - NOP - Misc
x86's NOP is actually another instruction. What is the Intel syntax representation of the assembly of the other instruction?
Include a space between operands, if applicable.
Answer: xchg eax, eax
1 - Ancient Hop Grain Juice - Misc
This beverage, brewed since ancient times, is made from hops and grains?
Answer: beer
1 - The Wrong Cipher - Misc
This cipher was used incorrectly in WEP
Answer: RC4
1 - The Right Cipher - Misc
This cipher was correctly used in TKIP
Answer: RC4
1 - Let's play a game - Misc
This is the name of the game that a young hacker thinks he's playing with the WOPR Supercomputer. [Spaces expected]
Answer: Global Thermonuclear War
1 - Quote - Misc
This movie featured the memorable phrase "My voice is my passport"
Answer: Sneakers
20 - Zumbo 1 - Web
Welcome to ZUMBOCOM....you can do anything at ZUMBOCOM.
Three flags await. Can you find them?
http://zumbo-8ac445b1.ctf.bsidessf.net
Stages 2 and 3 - coming soon!
View source of http://zumbo-8ac445b1.ctf.bsidessf.net/index.template

```
<!-- page: index.template, src: /code/server.py -->
```
Let's check the /code/server.py path: http://zumbo-8ac445b1.ctf.bsidessf.net/code/server.py. We get an error:

```
[Errno 2] No such file or directory: u'code/server.py'
```
Every non-existing page gives the same error. We need to do a directory traversal: http://zumbo-8ac445b1.ctf.bsidessf.net/../../../../code/server.py. But unfortunately the ../../../../ part is automatically removed.
So I just URLencoded this part to bypass the filter: http://zumbo-8ac445b1.ctf.bsidessf.net/..%2F..%2F..%2F..%2Fcode/server.py.
And we get the server.py source:

```
import flask, sys, os
```
Flag was FLAG: FIRST_FLAG_WASNT_HARD.
PS: Only page is used so http://zumbo-8ac445b1.ctf.bsidessf.net/server.py also works...
100 - Zumbo 2 - Web
Welcome to ZUMBOCOM....you can do anything at ZUMBOCOM.
Three flags await. Can you find them?
http://zumbo-8ac445b1.ctf.bsidessf.net
Stage 3 - coming soon!
For the next part of the challenge, we already got the server.py source so I looked again at the flag2 part:

```
with open('/flag') as f:
```
Ok the flag is in /flag so just change http://zumbo-8ac445b1.ctf.bsidessf.net/..%2f..%2f..%2f..%2fcode/server.py into http://zumbo-8ac445b1.ctf.bsidessf.net/..%2f..%2f..%2f..%2fflag.
And get the flag: FLAG: RUNNER_ON_SECOND_BASE.
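One way a `../` filter can miss `..%2F` is by running before URL decoding. The following is an added example, not the challenge's server.py (whose filtering logic is not shown on this page): it contrasts an assumed strip-then-decode resolver with one that decodes, canonicalizes and then checks containment. `TEMPLATE_ROOT` and all function names are hypothetical.

```python
import os
from urllib.parse import unquote

TEMPLATE_ROOT = "/srv/app/templates"  # hypothetical directory the app is meant to serve


def naive_resolve(raw_path: str) -> str:
    """Assumed weak pattern: strip "../" from the raw path, then decode and join."""
    stripped = raw_path.replace("../", "")   # filter sees "..%2F", finds nothing to strip
    decoded = unquote(stripped)              # "..%2F" turns into "../" after the filter
    return os.path.normpath(os.path.join(TEMPLATE_ROOT, decoded.lstrip("/")))


def safe_resolve(raw_path: str) -> str:
    """Decode first, canonicalize, then require the result to stay under the root."""
    decoded = unquote(raw_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    root = os.path.realpath(TEMPLATE_ROOT)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"path escapes template root: {raw_path!r}")
    return candidate


def escapes_root(resolver, raw_path: str) -> bool:
    """True if the resolver hands back a path outside TEMPLATE_ROOT."""
    try:
        resolved = os.path.realpath(resolver(raw_path))
    except (PermissionError, ValueError):
        return False                         # request rejected, nothing served
    root = os.path.realpath(TEMPLATE_ROOT)
    return os.path.commonpath([root, resolved]) != root


if __name__ == "__main__":
    # Request paths taken from the write-up, plus a normal page.
    for path in ("/index.template", "/../../../../flag", "/..%2F..%2F..%2F..%2Fflag"):
        print(f"{path:32} naive escapes: {escapes_root(naive_resolve, path)!s:5} "
              f"safe escapes: {escapes_root(safe_resolve, path)}")
```

The containment check is done on the canonical path, so it also covers symlinks inside the template directory that point elsewhere.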
100 - the-year-2000 - Web
Wait, what year is it?
The author says on this home page:
I made this website all by myself using these tools
- html
- notepad++
- git
- apache
I tried http://theyear2000.ctf.bsidessf.net/.git/ and it returned a Forbidden error. So there is a .git repo here.
As usual I used GitTools to dump the repository:
```
$ ./gitdumper.sh http://theyear2000.ctf.bsidessf.net/.git/ repo
```
A quick git log -p shows me this commit:

```
commit 4eec6b9c6e464c35fff1efb8444dd0ac1ae67b30
```
There was a rebase so let's see when it happened:
```
$ git reflog
```
Ok so we have to come back before the HEAD reset:
```
$ git reset --hard HEAD@{2}
```
Now let's take a look at this fix: git log -p -1
```
commit 9e9ce4da43d0d2dc10ece64f75ec9cab1f4e5de0
```

Here is the flag: FLAG:what_is_HEAD_may_never_die.
40 - easycap - Forensics
Can you get the flag from the packet capture?
These are raw TCP frames, and some of them have 1 byte of additional data.
Let's extract that with tshark:
```
$ tshark -r easycap.pcap -T fields -e data | tr -d '\n'
```
Now translate hex to ASCII with a little ruby trick:
```ruby
# Pack the hex string back into raw bytes (ASCII)
['464c41473a33383562383761666338363731646565303735353032393064313661383037310a'].pack('H*')
```

Flag is FLAG:385b87afc8671dee07550290d16a8071.
10 - Easy - Reversing
This one is easy.
```
$ strings easy-64 | grep -i flag
```
30 - easyauth - Web
Can you gain admin access to this site?
The hint says to log in with: guest/guest
We have a cookie like this:

```
auth=username=guest&date=2017-02-13T21:09:45+0000&
```
If we click on the link we get the following message:
It's cool that you logged in, but unfortunately we can only give the flag to 'administrator'. :(
Configure proxy and launch burpsuite.
Then change guest into administrator in the cookie and send. You now get the flag:
Congratulations, you're the administrator! Here's your reward:
FLAG:0076ecde2daae415d7e5ccc7db909e7e
450 - vhash - Crypto
---- Due to a bug, the challenge might be easier than intended. Enjoy the free points! ----
Can you gain admin access to this site?
(The vhash binary is what's used for signing the cookie)
The zip contains the vhash ELF executable and the index.php source:
1 |
|
The description says the challenge is easier due to a bug; here it is:

```
if($username == 'administrator')
```
So the challenge is exactly like the previous 30 - easyauth - Web.
Configure proxy and launch burpsuite.
Then change guest into administrator in the cookie and send. You now get the flag:
Congratulations, you're the administrator! Here's your reward:
FLAG:180e2300112ef5a4f23c93cfdec8d780
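Both easyauth and vhash fall to the same edit because the server acts on the `username` field of a client-held cookie without first checking its integrity. The following is an added example, not the challenge's index.php or vhash binary: it shows a verify-before-trust check over the same `username=...&date=...` layout, with HMAC-SHA256 swapped in as the signature. The key, the `sig` field name and the function names are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

SECRET_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients


def sign_cookie(username: str, date: str) -> str:
    """Return "username=..&date=..&sig=<hex HMAC-SHA256 over the preceding fields>"."""
    payload = f"username={username}&date={date}"
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}&sig={tag}"


def unsigned_username(cookie: str) -> str:
    """Weak pattern: act on whatever username the client sent."""
    return parse_qs(cookie)["username"][0]


def verified_username(cookie: str):
    """Return the username only when the tag matches the payload, else None."""
    payload, sep, tag = cookie.rpartition("&sig=")
    if not sep:
        return None                           # no signature at all: reject
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; the authorization decision comes after this check.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    names = parse_qs(payload).get("username", [])
    # A duplicated username field is rejected so parser and signer cannot disagree.
    return names[0] if len(names) == 1 else None


if __name__ == "__main__":
    issued = sign_cookie("guest", "2017-02-13T21:09:45+0000")   # constructed sample
    edited = issued.replace("username=guest", "username=administrator")
    print("issued  ->", verified_username(issued))
    print("edited  -> unsigned check:", unsigned_username(edited),
          "| verified check:", verified_username(edited))
```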