Try   HackMD

Aspire CTF 2021: Linux Skills

An impressive writeup on the challenges in the linux skills category has already been done by my good friend Trevor Saudi!! For this writeup though, i won't do the last three challenges.
ASPIRE CTF 2021 — Linux Skills & Networking

Eighteenth Challenge: Needle in a haystack

Finding exactly what you're looking for in a lot of files is a must have skill. Find the flag in the attached zip file.

You can access the file here: Challenge
You're given a zipfile. Unzipping it, you get a folder called haystack with a few files.

➜  haystack ls
01_lecture.pdf  03_lecture.pdf  aleph.txt  Manifesto.pdf  pocorgtfo00.pdf
02_lecture.pdf  about.png       levi2.gif  phineas.txt

The easiest way to find the flag is to use rgrep to recursively search for a specific flag format.

➜  haystack rgrep "{.*}"   
phineas.txt:intercepting proxy. {seek_and_ye_shall_find}
grep: pocorgtfo00.pdf: binary file matches
grep: 02_lecture.pdf: binary file matches
grep: levi2.gif: binary file matches
grep: about.png: binary file matches
grep: 03_lecture.pdf: binary file matches
grep: 01_lecture.pdf: binary file matches

The flag was in phineas.txt.

➜  haystack echo "Aspire"`cat phineas.txt| grep -oE "{.*}" | cut -d " " -f 3`""
Aspire{seek_and_ye_shall_find}

There's another challenge kinda similar to this one that a friend shared with me some time.

Extra 1: Russian Doll

You can access the file here: Challenge
For this challenge, when you unzip the file, you get 661 directories and 3 files.

➜  russian_doll tree | tail -n 1
661 directories, 4 files

How'd you get to the last file? Easy, grep aaaall the way.

➜  you cat $(grep -RiloE "{.*}")
Hero{if_yOu_gOt_HEre_By_clIcKInG_mANnUaLly_YoU_sHOuLd_REalLy_SeE_SoMeOne}

Got the flag. You could also use find.

➜  you find . -exec strings -n 8 {} \; 2>/dev/null | grep -oE "{.*?}"
Hero{if_yOu_gOt_HEre_By_clIcKInG_mANnUaLly_YoU_sHOuLd_REalLy_SeE_SoMeOne}

Awesome.

Nineteenth Challenge: Yarn

Cool pic but where's the flag?

You can access the file here: Challenge
You're given a jpg file.
Running binwalk and exiftool doesn't give you much although, atleast i know this is a challenge where i don't have to use a tool like stegseek. And i know this because such challenges have this kind of output:

➜  cover_image binwalk scorpion.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01

For this one, it looks like this:

➜  yarn binwalk bean.jpeg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
30            0x1E            TIFF image data, big-endian, offset of first image directory: 8
9008          0x2330          Copyright string: "Copyright (c) 1998 Hewlett-Packard Company"

I then used binwalk to extract contents from that file. I like using these switches to get the better output:

Extraction Options:
    -e, --extract                Automatically extract known file types
    -D, --dd=<type:ext:cmd>      Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>
    -M, --matryoshka             Recursively scan extracted files

Got three files.

➜  yarn binwalk -q -MDe bean.jpeg 
➜  yarn ls
bean.jpeg  _bean.jpeg.extracted
➜  yarn cd _bean.jpeg.extracted 
➜  _bean.jpeg.extracted ls
0  1E  2330

The last file is empty. I then did a find command to check the strings of the files and look for a flag.

➜  _bean.jpeg.extracted find . -exec strings {} \; 2>/dev/null | grep -oE "Aspire{.*}"
Aspire{BE4y-Cjjl-30gz-Xbsm}

Done.

Twentienth Challenge: Commitments

Be careful what you tell the world.

You can access the file here: Challenge
You're given a zipfile and when you move into that directory, you'll notice it's a git repo. When i see such challenges, normally i'll cheat a little bit and run rgrep to look for low hanging fruits.

➜  Commitments git:(master) rgrep "Aspire{.*}"
.git/logs/HEAD:d5640e81d8e484079dc57a8c81df3a45b61ab315 76ccafdfe2bb48976432cfa0aa09f65157ac3f31 commitments <commitments> 1612784310 +0300    commit: Aspire{ju1cy_1nf0_1n_917_c0mm17_m355493}
.git/logs/refs/heads/master:d5640e81d8e484079dc57a8c81df3a45b61ab315 76ccafdfe2bb48976432cfa0aa09f65157ac3f31 commitments <commitments> 1612784310 +0300       commit: Aspire{ju1cy_1nf0_1n_917_c0mm17_m355493}

That was so easy lol.
Short and sweet. I solved two similar challenges in RITSEC ctf the same way. Let's have a look.

Extra 2: Blob

Ha. Blob. Did you get the reference?

You're given a url that goes to a git repo. Unfortunately the url doesn't work anymore. I pulled the repo to my directory. First thing you find is a fake flag.txt file lol.

➜  blob ls -la
total 20
drwxr-xr-x 3 mug3njutsu mug3njutsu 4096 Apr  9 21:24 .
drwxr-xr-x 3 mug3njutsu mug3njutsu 4096 Apr 25 11:22 ..
-rw-r--r-- 1 mug3njutsu mug3njutsu   43 Apr  9 21:24 flag.txt
drwxr-xr-x 8 mug3njutsu mug3njutsu 4096 Apr  9 21:24 .git
-rw-r--r-- 1 mug3njutsu mug3njutsu   59 Apr  9 21:24 README.md
➜  blob cat flag.txt                             
these aren't the droids you're looking for

Moving into the .git directory, went with the classic, ran rgrep.

➜  .git rgrep "flag"
hooks/fsmonitor-watchman.sample:		# return the fast "everything is dirty" flag to git and do the
grep: index: binary file matches
packed-refs:d0644363aa853a17c9672cefff587580a43cf45e refs/tags/flag

Interesting. There's a reference file that points to a flag. I then used git show to view it.

➜  .git git show refs/tags/flag
RS{refs_can_b3_secret_too}

Wasn't that like too easy?

Extra 3: 1597

... as in https://xkcd.com/1597/

Like before, you're given a link to a git repo. Moving into the .git directory, ran rgrep.

➜ .git rgrep "flag"
hooks/fsmonitor-watchman.sample:		# return the fast "everything is dirty" flag to git and do the
grep: index: binary file matches
packed-refs:b123f674a07eaf5914eda8845d86b5219fc1de11 refs/remotes/origin/!flag

Got an interesting reference file for \!flag. Just like before, i'll use git show to view it.

➜ .git git show refs/remotes/origin/\!flag
commit b123f674a07eaf5914eda8845d86b5219fc1de11 (HEAD, origin/!flag)
Author: knif3 <knif3@mail.rit.edu>
Date:   Fri Apr 9 05:49:00 2021 +0000

    More flags

diff --git a/README.md b/README.md
index 0ff84f3..99ddfa8 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,3 @@
 # 1597
 
-A git challenge series? Sounds fun.
+What's worse, basing a CTF challenge off of XKCD, or basing a challenge off of git?
diff --git a/flag.txt b/flag.txt
index 8b13789..013a6dd 100644
--- a/flag.txt
+++ b/flag.txt
@@ -1 +1 @@
-
+RS{git_is_just_a_tre3_with_lots_of_branches}

Easy!

Twenty-first Challenge: Shape Shifter

Don't judge a PDF by its cover.

You can access the file here: Challenge
You're given a PDF file. When you open it, nothing interesting there. I then decided to run binwalk.











➜  shape_shifter binwalk proceedings.pdf 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PDF document, version: "1.4"
71            0x47            Zlib compressed data, default compression
717           0x2CD           Zlib compressed data, default compression
8356          0x20A4          Zlib compressed data, default compression
10251         0x280B          Zip archive data, at least v2.0 to extract, uncompressed size: 27, name: versatile
10452         0x28D4          End of Zip archive, footer length: 22

There's an interesting file called versatile that is compressed within a Zip archive. Used binwalk to extract the files.

➜  shape_shifter binwalk -q -MDe proceedings.pdf  
➜  shape_shifter ls
proceedings.pdf  _proceedings.pdf.extracted
➜  shape_shifter cd _proceedings.pdf.extracted 
➜  _proceedings.pdf.extracted file *
0:              PDF document, version 1.4, 1 pages
20A4:           ASCII text
20A4.zlib:      zlib compressed data
280B:           Zip archive data, at least v2.0 to extract, compression method=deflate
28D4:           Zip archive data (empty)
2CD:            TrueType Font data, 9 tables, 1st "cmap", 14 names, Macintosh, Original design by Morris Fuller Benton, as appeared in 1923 ATF specimen book. Adapted by Raph 
_2CD.extracted: directory
2CD.zlib:       zlib compressed data
47:             ASCII text, with very long lines (360)
47.zlib:        zlib compressed data

We can see the Zip archive. Let's extract it.

➜  _proceedings.pdf.extracted unzip 280B 
Archive:  280B
  inflating: versatile               
➜  _proceedings.pdf.extracted cat versatile 
Aspire{files_are_versatile}

Easy enough.

Twenty-second Challenge: Broken

Make me whole again

You can access the file here: Challenge
You're given a zipfile. Looking at the metadata with binwalk, there are a couple files. Let's extract them.

➜  broken mkdir dump
➜  broken 7z x broken.zip -odump >/dev/null
➜  broken cd dump 
➜  dump ls
brokenaa  brokenad  brokenag  brokenaj  brokenam  brokenap  brokenas  brokenav
brokenab  brokenae  brokenah  brokenak  brokenan  brokenaq  brokenat  brokenaw
brokenac  brokenaf  brokenai  brokenal  brokenao  brokenar  brokenau

When you run a file command on the files, you notice the first file is a JPEG image and the rest just have junk.

➜  dump file brokenaa
brokenaa: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, little-endian, direntries=6, xresolution=86, yresolution=94, resolutionunit=2, software=GIMP 2.10.18, datetime=2021:02:08 19:28:42]

If you try to view the image, it throws an error because it isn't whole. The naming of the files can actually give you a hint that the file is subdivided into a couple of files. I then cat all the files into one file and when you view that file it gives you the flag. Made a simple python script for this one that builds an image based off those files and then uses the pytesseract library to read the contents of the image.













#!/usr/bin/env python3
# @author: mug3njutsu

from pytesseract import pytesseract
from PIL import Image
from os import system

system(f'cat broken* >> final.jpg')
img = Image.open("final.jpg").convert("RGB")
text = pytesseract.image_to_string(img)

print(text[:-1].replace(" ", "").strip().split("\n")[0])

➜  dump python3 a.py 
Aspire{_split_}

Smooth.

Twenty-third Challenge: Matroska

Onions can get you teary!

You can access the file here: Challenge
You're given a zipfile. Unzipping it, you get a gzip file, unzipping that you get a tar file and so on. Honestly, this challenge was actually easy. If you look for a challenge on Cybertalents called Can You Find Me, that one is the real deal.
Made a simple bash script:















#!/usr/bin/bash
# @author: mug3njutsu

7z x file.zip >/dev/null
gunzip file03.tar.gz
tar -xf file03.tar
bzip2 -d file02
mv file02.out file02.xz
unxz file02.xz
mv file02 flag.txt.Z
gunzip flag.txt.Z
mv flag.txt flag.z
uncompress flag.z
cat flag

➜  matroska ./a.sh 
bzip2: Can't guess original name for file02 -- using file02.out
Good job, I bet you now understand the importance of file formats. This is an essential skill in your career path.

The Flag is: Aspire{bb7d3f7c-6422-4878-80d9-b901fe06597f}

Nice and easy. If the script errors, try installing the tools.

Twenty-fourth Challenge: Back to the future

Those who do not learn from history are doomed to repeat it!

You can access the file here: Challenge
You're given a zipfile. Unzipping it, you get what seems to be someone's home directory. Used rgrep at this point to look for the flag.

➜  lincon rgrep "flag"
.bash_history:nano flag.txt
.bash_history:mv flag.txt flag.sh
.bash_history:chmod +x flag.sh 
.bash_history:./flag.sh 
.bash_history:cat flag.sh | curl -F 'f:1=<-' ix.io
.bash_history:cat flag.sh | curl -F 'f:1=<-' ix.io > .cache/.url
.vim/pack/plugins/start/vim-tmux-navigator/plugin/tmux_navigator.vim:  return s:TmuxCommand("display-message -p '#{window_zoomed_flag}'") == 1
.vim/pack/plugins/start/vim-tmux-navigator/plugin/tmux_navigator.vim:  let l:x=&shellcmdflag
.vim/pack/plugins/start/vim-tmux-navigator/plugin/tmux_navigator.vim:  let &shellcmdflag='-c'
.vim/pack/plugins/start/vim-tmux-navigator/plugin/tmux_navigator.vim:  let &shellcmdflag=l:x
.vim/pack/plugins/start/vim-tmux-navigator/.git/hooks/fsmonitor-watchman.sample:              # return the fast "everything is dirty" flag to git and do the

There's a very interesting output from the .bash_history file. It seems the flag.txt file was created using nano, renamed to a bash script, given the right permissions and then a request was sent to ix.io which is a command line pastebin and for safekeeping, the url was saved to .cache/.url.
Viewing that file, got this url http://ix.io/2OJy. Visiting that website you get the flag.

➜  lincon curl -s $(cat .cache/.url) | grep -oE "Aspire{.*}"
Aspire{e1a66f2f-57ae-44b5-bc35-acda64ba0470}

Twenty-fifth Challenge: Time Travel

Time travelers exist. Your past will be revealed.

You can access the file here: Challenge
You're given a zipfile and unzipping it you get a git repo. I tried using rgrep but didn't get anything interesting.

➜  TimeTravel git:(master) rgrep "flag"
.git/hooks/fsmonitor-watchman.sample:           # return the fast "everything is dirty" flag to git and do the

I then used git log -p to check the commits and got the flag at the very end.

➜  TimeTravel git:(master) git log -p | grep -oE "Aspire{.*}"
Aspire{PR073c7_y0UR_917}

Well, that was a tonne of fun!

Last changed by 
they call me jjjohn
infosec pews ( -_・)σ - - - - - - -
2
951

Read more

AmateursCTF 2023 - Perfect Sandbox

This was a fun pwn challenge that i enjoyed solving. Might have cheesed the solution, but that’s the fun of it.

Jul 31, 2023
AFRICAHACKON CTF - QUALS

The CTF was a lot of fun!! A lot of hitting your head against the wall, but that&apos;s the fun of it. I&apos;ll share the solution for the two challenges i blooded. OSINT you have been tasked with finding information about a potential threat actor all we have is his email address what can you find from it here&apos;s the email address dox1337haxx@gmail.com``` We&apos;re given an email address of which we&apos;re supposed to find interesting info from it. I quickly searched for osint email addresses online and eventually, i landed on this website: Epieos Tools

Sep 1, 2022
GrimmCon CTF

First Challenge: Zip Zip My friend sent me this zip file... He is a prankster and compressed the file a LOT of times... I don&apos;t know how to make this go quickly and I don&apos;t have the time... At least he told me the password is "pass". Can you please help? For this challenge, you&apos;re given a zipfile called 50.zip that is encrypted. We&apos;re told the password is pass. What&apos;s interesting though is, there&apos;s a zipfile within a zipfile, and the password is the same for all the other zipfiles lulz. This makes the challenge relatively easy. And since the file is called 50, then the very last zip file should be 00.zip. Knowing that the password is the same for all the other zipfiles, i made a bash script to hammer that all the way.

Sep 1, 2022
Cyber Apocalypse 2021

This was a fantastic CTF! The learning curve was just incredible. I played with team fr344aks and we were able to solve 25/62 challenges and ranked 196/4514 teams. I was able to solve only two challenges both being in the Miscellaneous category. First Challenge: Alien Camp The Ministry of Galactic Defense now accepts human applicants for their specialised warrior unit, in exchange for their debt to be erased. We do not want to subject our people to this training and to be used as pawns in their little games. We need you to answer 500 of their questions to pass their test and take them down from the inside.This challenge will raise 33 euros for a good cause. You&apos;re given an IP and Port, in this case, i was given 139.59.176.252:30923. When you nc into it, you get this: &#x279C; aliencamp_COMPLETE nc 139.59.176.252 30923

Sep 1, 2022
Read more from they call me jjjohn
Published on HackMD