Hacktober 2020 CTF Write Ups

Arjun Suresh
Oct 19, 2020

Hey everyone, this blog contains some simple writeups for some of the challenges that I solved in the very recent Hacktober CTF which took place between October 16–17 CDT. Before I actually start with the write ups, I would like to give a brief description of the event.

This CTF was part of the Hacktober event which takes place annually during the month of October. It was my first time participating in this particular event and I really enjoyed it! The whole CTF was much different than all the other CTFs that I have played before. Even though it was a jeopardy style CTF, all the challenges were based on a common theme.

http://ctf.cyberhacktics.com/intel

The challenges were also related to each other in the sense that the information obtained during one challenge may provide a way to solve another challenge. It was so much fun and I would say without any doubt that this was one of the most amazing experiences that I have ever had. My team finished off at around 350 among the 800+ teams that participated in it. Nevertheless, I learnt some new stuff and also got to practice what I already knew.

Ok, so now let’s get into the actual write ups. Since it was a jeopardy style CTF, the challenges were organized into several categories. I solved some challenges from OSINT, Programming, SQL and LINUX.

Linux Challenges

Challenge 1: Talking to the Dead 1

In this challenge, we were asked to SSH into a machine and grab the contents of the flag1.txt file on the remote system. Since I didn’t know the location of the flag file, I simply searched for it using the find command.

find command to locate the flag1.txt file

After locating the file, I simply read the contents of the file using cat. And there we go, a pretty easy challenge.

Challenge 2: Talking to the Dead 2

This was similar to the first challenge, but we had to read the contents of the flag2.txt file. It is also mentioned in the challenge description that the file is hidden. So probably the file name would be like .file2.txt, where the preceding ‘.’ is used to denote hidden files in Linux. Again, we would have found the flag2.txt while solving the first challenge since it was located in the same directory as the first file. So if we did ls -la in the /Documents directory in the first challenge, we would have also found flag2.txt. Nevertheless, I again used find to locate the file and then read its contents using cat.

Challenge 3: Talking to the Dead 3

This was a bit difficult when compared to the other two. The objective was the same, i.e., to read the contents of flag3.txt. But, there was a twist. The file was located in another user’s /Document directory under the home directory. So we were not permitted to read the contents of the file.

This is where the dependence of one challenge on another comes into play. I mentioned earlier that since this whole CTF was based on a common theme, the plot and characters associated with that theme remain the same throughout the challenges. So, while solving a SQL challenge, I found the password for this particular user in whose directory the flag3.txt was located. So, I simply switched to that user using the su command and read the contents of the file.

Challenge 4: Talking to the Dead 4

This was the toughest among the four challenges. We had to read the contents of flag4.txt as before. But, the flag was in the root user’s directory and we do not have the root password. So, we had to look for some other methods to read the contents of the flag4.txt file. That’s when watching all those TryHackMe and HackTheBox challenges on YouTube helped me out. I tried to find files that had the SUID bit set on them. If you don’t know what SUID bits are and what their importance is, I have attached some links at the end of this section. Do check them out.

I used the find command with some particular switches to find such files for me.

Most of the outputs were normal files that you would find in a Linux machine. But there was one that immediately stood out to me: ouija. I knew that this would be the way for me to solve this challenge. I tried running the binary “ouija” and got the following output.

It was stated that the binary reads files in the /root directory, which is exactly what we needed. All we needed to do was just supply the filename. And I did and got the contents of the final flag4.txt file.
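
A defender's view of the same search, as an added example that is not part of the original write-up: the functions below list SUID files, report the ones missing from an allowlist, and flag SUID files that group or others can overwrite. The directory tree, the baseline file and the function names are constructed for illustration; only the name ouija comes from the challenge.

```sh
# Added example (not the author's commands): audit set-user-ID files.

# list_suid ROOT: every regular file under ROOT with the SUID bit set.
list_suid() {
    # -xdev stays on one filesystem; "-perm -4000" matches when the SUID
    # bit is set, whatever the other permission bits are.
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# unexpected_suid ROOT BASELINE: SUID files missing from the allowlist
# BASELINE (one path per line), e.g. a custom binary such as "ouija".
unexpected_suid() {
    # grep exits 1 when nothing is left over; that is not an error here.
    list_suid "$1" | grep -vxF -f "$2" || true
}

# writable_suid ROOT: SUID files that group or others may overwrite.
writable_suid() {
    find "$1" -xdev -type f -perm -4000 \
        \( -perm -0020 -o -perm -0002 \) 2>/dev/null | sort
}

# make_sample_tree: constructed directory standing in for a real filesystem.
# Prints the path of the temporary tree it created.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/usr/bin" "$t/usr/local/bin"
    for f in usr/bin/passwd usr/bin/ls usr/local/bin/ouija usr/local/bin/helper; do
        printf '#!/bin/sh\n' > "$t/$f"
    done
    chmod 4755 "$t/usr/bin/passwd" "$t/usr/local/bin/ouija"  # SUID
    chmod 4777 "$t/usr/local/bin/helper"                     # SUID and world-writable
    chmod 0755 "$t/usr/bin/ls"                               # ordinary file
    printf '%s\n' "$t/usr/bin/passwd" > "$t/baseline.txt"    # allowlist
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
echo "SUID files not in the baseline:"
unexpected_suid "$tree" "$tree/baseline.txt"
echo "SUID files writable by group or others:"
writable_suid "$tree"
rm -rf "$tree"
```

On a real host the root would be / and the baseline would come from a known-good install of the same distribution.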

And that’s all the challenges in this section. I really enjoyed solving all these challenges.

Additional Resources:

Programming Challenges

Challenge 1: Message in an array

In this challenge, we are given a small code and have to find the flag by examining the code. You could do this in different ways.

So, it is pretty obvious from the code that it is printing out something. If we simply run this code, the flag would get printed to the screen. Or else, if you can’t run it, just look at the code and place the 4 pieces of the flag in the correct order. That’s what I did.

Challenge 2: Trick or Treat

In this challenge, we are given a python script.

If you take a close look at the code, you can see that there are two functions in the code; a show_flag() and a show_msg(). The show_flag() function was constructing the flag and returning it. The show_msg() was printing a simple message to the terminal when a user runs the program.

Since the show_flag() was returning the flag, all we had to do was just print that return value to the screen. Again, there are various ways you could do this. What I did was I added two more lines to the code which called the function to a variable and then printed that variable.

And we got the flag!

Challenge 3: Haunted Mirror

This challenge took up some of my time and I had to use a hint to solve this. I mistook it for a reverse engineering challenge, which it might be, I don’t know. I spent a lot of time analyzing the code in ghidra. I am not a well versed person when it comes to reverse engineering, but I wanted to give it a try.

Also, the program accepted a single input from the user and printed it back in its original and reversed forms.

After spending a lot of time, I decided to take up one hint and it helped me to solve this challenge.

HINT

I googled some common C vulnerabilities. I knew some of them, but was not sure how to exploit them. I came across buffer overflows and format string attacks. I tried to overflow the buffer but that didn’t seem to work. So then I tried some format string attacks and it worked. If you don’t know format string attacks and what format strings are, I have attached some resources at the end of this section on that. I basically supplied %s, which is a format string used in C, a couple of times as the argument for the program and the flag was printed to me.

Additional Resources:

Challenge 4: RedRum

Ok, now this is what I’ve been expecting from a typical programming challenge. We were asked to make a script which does some basic conditional checks and then pass the output generated by the script to the netcat session they had given in the challenge description. You can read the program conditions above and below is the script that I made for it.

It is a very simple python script. I could have added some output formatting in the code since they were expecting the output to be in a specific format. I used some basic Linux utilities like tr to do the same.

In the above screenshot, red_init.txt contains the output from my code. Now, all I had to do was to supply this to netcat session and the flag would be returned to me. Unfortunately, I was not able to reproduce it while I was trying to make this write up since the netcat session was closing out on me and only gave me partial parts of the flag. This was an awesome challenge though.

SQL Challenges

I only solved two of these challenges because I had to stop doing the CTF due to other reasons.

Challenge 1: Past Demons

In this challenge we were given a .db database file. We had to extract the password of a user named spookyboi. Since it was a .db file, I used sqlite3 to open the file and find the relevant information.

I used the .tables command to find the tables in the database. I found two tables: users and passwd. Then, I just dumped the contents of the users table using .dump.

As is visible from the contents, number 8 is the user we are after. So, we then dumped the passwd table and found a hash for that user.

I ran the hash through crackstation.net and obtained the original password of the user spookyboi.

A pretty simple challenge if you know how to navigate a .db file.

Challenge 2: Address Book

In this challenge, we were given a local .sql database dump of a University and we were asked to find the email address of the user luciafer. You could import this dump to your local database and then find the relevant data, which would be more useful and informative. Or else, you could simply do what I did: just try opening the file in some kind of text editor and then look for the information.

I used the strings command to print all readable strings from the file and then used grep to look for luc1afer. It was a little messy and I wouldn’t recommend you to do this.

And found the email address:

That’s all for this section. On to the next.

OSINT Challenges

I did all available challenges in this section. These challenges were fairly easy and the answers could be found with a little google search. Let’s get on with it then.

Challenge 1: Creeping 1

In this challenge we are given a name to work with: Ali Tevlin. We have to find out the company Ali Tevlin is working for. I simply searched online for the name Ali Tevlin and found a Facebook profile and then went to the profile. And what do you know? The answer is staring back at us from the page.

The answer was F. Kreuger Financial. Very easy, right???

Challenge 2: Creeping 2

Ok, this is an extension on the first challenge. Actually, all these OSINT challenges are in a continuous manner. We are asked to find his current position at the company he’s working in. This is there on his Facebook profile too. He was a Senior Acquisitions Manager.

Challenge 3: Creeping 3

Here, we are asked to find out his date-of-birth. This information is also publicly available on his Facebook profile. Whoa! Facebook really has a lot on us, right?

The date-of-birth is June 17, 1973. All we have to do is submit it in the proper format.

Challenge 4: Past Attacks

Ok, so now, this challenge required a little bit of guessing or none at all if you used all the hints. We didn’t use any hints and hence it was a bit of a guess. We are asked to find an attack that is likely to happen to a Financial firm. Of course, the first thing that we do is google. There’s lots of information on this. So, it is a bit difficult to find the right one. Anyhow, after a couple minutes of scanning through some websites, we finally found the correct attack name.

As is obvious from the above screenshot, the answer was Watering hole.

Challenge 5: Creeping 4

In this final challenge, we are asked to find the name of the town where Tevlin stopped by first on his vacation. Facebook is a good initial place to look in these kinds of scenarios since we are looking for a person’s personal information. I found a post containing an image which could probably be from the vacation. But, unfortunately, there was no location specified in that post.

I used Google reverse image search to find any clues regarding the location and found exactly what I was looking for from Tripadvisor.

So, the flag was:

flag{PointPleasant, WV}

And that’s a wrap guys. This was really such an awesome and amazing CTF to play, and I am looking forward to playing more from these guys. Thanks to Hacktoberfest 2020 and Cyberhacktics for organizing this amazing event. Until next time.

Ciao!
