haykuro/CTF_Solutions.txt

## CTF_Solutions.txt
http://ctf.infosecinstitute.com/

## Level 1:

View the source, at the top we see:

<!-- infosec_flagis_welcome -->

Level 1 PASS: infosec_flagis_welcome

## Level 2:

We have a broken image at: http://ctf.infosecinstitute.com/img/leveltwo.jpeg

$ curl -s http://ctf.infosecinstitute.com/img/leveltwo.jpeg
aW5mb3NlY19mbGFnaXNfd2VhcmVqdXN0c3RhcnRpbmc=

$ curl -s http://ctf.infosecinstitute.com/img/leveltwo.jpeg | base64 -D
infosec_flagis_wearejuststarting

Level 2 PASS: infosec_flagis_wearejuststarting

====

## Level 3:

We decode the QR code using an online service:

http://zxing.org/w/decode?u=http%3A%2F%2Fctf.infosecinstitute.com%2Fimg%2Fqrcode.png

Output:

.. -. ..-. --- ... . -.-. ..-. .-.. .- --. .. ... -- --- .-. ... .. -. --.

This looks like morse code.

We resolve it to: INFOSECFLAGISMORSING

Level 3 PASS: INFOSECFLAGISMORSING

## Level 4:

We land on the page and see cookie monster tell us HTTP stands for "Hyper Text Transfer Protocol."

Well, part of the protocol is cookie monster's favorite: COOKIES!

We see:

$ GET http://ctf.infosecinstitute.com/levelfour.php
GET /levelfour.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: ctf.infosecinstitute.com

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 1235
Content-Type: text/html
Date: Thu, 12 Mar 2015 21:42:25 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.7 (Ubuntu)
Set-Cookie: fusrodah=vasbfrp_syntvf_jrybirpbbxvrf
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.9-1ubuntu4.6

fusrodah is a reference to a DBZ meme, look it up.

The text "vasbfrp_syntvf_jrybirpbbxvrf" is the password crypted using rot13.

Level 4 PASS: infosec_flagis_welovecookies
===

Level 5:

There's an infinite loop forcing an alert box that reads "hacker."

Most modern browsers will allow you to "prevent further pop-ups", but alternatively you can download the page using an external tool (such as wget or curl)

$ wget -o levelfive.html http://ctf.infosecinstitute.com/levelfive.php

ANOTHER option is to type into your browser: "view-source:http://ctf.infosecinstitute.com/levelfive.php" and you should see the source.

We see:
	<script>
	for(;;){
	alert('Hacker!!!');
	}
	</script>

	<img src="img/aliens.jpg" /> <br /> <br />

I tried to run  "strings" on the image but nothing significant came up..

$ curl -s http://ctf.infosecinstitute.com/img/aliens.jpg | strings | head -n 512
JFIF
$3br
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
}/p2
E(5mN
>0x:
k0h^,
5}.-V
W'k]
3Meo4
vq]i
_MkIti
pFON95
Ul3D
ko0nE
...

So, we can run a Steg tool like "Steghide" (https://futureboy.us/stegano/decinput.html) to try to see if there's any readily available text in the file.

We get back:

01101001011011100110011001101111011100110110010101100011010111110110011001101100011000010110011101101001011100110101111101110011011101000110010101100111011000010110110001101001011001010110111001110011

$ perl -e '$bin="01101001011011100110011001101111011100110110010101100011010111110110011001101100011000010110011101101001011100110101111101110011011101000110010101100111011000010110110001101001011001010110111001110011"; $len=length($bin); print pack("B$len", $bin);'
infosec_flagis_stegaliens

Level 5 PASS: infosec_flagis_stegaliens

===

Level 6:

We download sharkfin.pcap.

$ tcpdump -qns 0 -X -r sharkfin.pcap | head
reading from file sharkfin.pcap, link-type EN10MB (Ethernet)
14:59:54.303760 IP 127.0.0.1.32769 > 127.0.0.1.139: UDP, length 44
	0x0000:  4500 0048 0000 4000 4011 3ca3 7f00 0001  E..H..@.@.<.....
	0x0010:  7f00 0001 8001 008b 0034 0000 3639 3665  .........4..696e
	0x0020:  3636 3666 3733 3635 3633 3566 3636 3663  666f7365635f666c
	0x0030:  3631 3637 3639 3733 3566 3733 3665 3639  616769735f736e69
	0x0040:  3636 3636 3635 3634                      66666564
15:10:33.563340 IP 192.168.1.103.2925 > 133.242.147.91.80: tcp 0
	0x0000:  4500 0028 1acb 4000 8006 04a8 c0a8 0167  E..(..@........g
	0x0010:  85f2 935b 0b6d 0050 bbf2 588c 6f42 6144  ...[.m.P..X.oBaD
	0x0020:  5011 1006 d3ad 0000                      P.......

Quickly browsing around I notice,

696e666f7365635f666c616769735f736e6966666564 is hex encoded: infosec_flagis_sniffed

Level 6 PASS: infosec_flagis_sniffed

===

Level 7:

$ curl --HEAD http://ctf.infosecinstitute.com/404.php
HTTP/1.0 404 Not Found
Date: Thu, 12 Mar 2015 22:03:58 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.6
Connection: close
Content-Type: text/html

$ curl --HEAD http://ctf.infosecinstitute.com/levelseven.php
HTTP/1.0 200 aW5mb3NlY19mbGFnaXNfeW91Zm91bmRpdA==
Date: Thu, 12 Mar 2015 22:04:04 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.6
Connection: close
Content-Type: text/html

$ echo -n "aW5mb3NlY19mbGFnaXNfeW91Zm91bmRpdA==" | base64 -D
infosec_flagis_youfoundit

Level 7 PASS: infosec_flagis_youfoundit

===

Level 8:

Because I'm on a Mac I solved this first without even opening the app:

$ strings app.exe| ack -i infosec_flag
infosec_flagis_0x1a

BUT, to do what's right, I booted a virtual machine to debug the app and make sure!

See Dump here: http://i.imgur.com/CcqudvC.png

Level 8 PASS: infosec_flagis_0x1a

===

Level 9:

We load the page and see a "CISCO IDS Login"

Look up default logins for any CISCO IDS router, we see: "root/attack"

Type it in, we get an alert "ssaptluafed_sigalf_cesofni"

$ echo -n "ssaptluafed_sigalf_cesofni" | rev
infosec_flagis_defaultpass

Level 9 PASS: infosec_flagis_defaultpass

===

Level 11:

$ curl -s http://ctf.infosecinstitute.com/img/php-logo-virus.jpg | strings | grep infosec_flag
infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9wb3dlcnNsaWRlX2xvZ29fbGFyZ2UuZ2lm

Level 11 PASS: infosec_flagis_http://www.rollerski.co.uk/imagesb/powerslide_logo_large.gif

===

Level 12:

View source, we see "http://ctf.infosecinstitute.com/css/design.css" is being imported now.

$ curl -s http://ctf.infosecinstitute.com/css/design.css
.thisloveis{
	color: #696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72;
}

696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72 is hex for infosec_flagis_heyimnotacolor

Level 12 PASS: infosec_flagis_heyimnotacolor

===

Level 13:

After fuzzing the URL we find: http://ctf.infosecinstitute.com/levelthirteen.php.old

This file contains:

<?php

    /* <img src="img/clippy1.jpg" class="imahe" /> <br /> <br />

    <p>Do you want to download this mysterious file?</p>

    <a href="misc/imadecoy">
      <button class="btn">Yes</button>
    </a>

    <a href="index.php">
      <button class="btn">No</button>
    </a>
    */

    ?>
  </div>

So, we get the file and check it..

$ wget http://ctf.infosecinstitute.com/misc/imadecoy
..
$ file imadecoy
imadecoy: tcpdump capture file (little-endian) - version 2.4 (Linux "cooked", capture length 65535)

So let's open the dump in Wireshark.

We see a user requests a file "/honeypy/img/HoneyPY.PNG"

View / Dump the image, and we get a png: "infosec_flagis_morepackets"

===

Level 14:

We download a file, http://ctf.infosecinstitute.com/misc/level14.

The file contains SQL data.

We notice a table "flag?" which has some hashed password.

Attempted to crack using JTR (John the Ripper) to no avail.

Check other tables and find significant value "\u0069\u006e\u0066\u006f\u0073\u0065\u0063\u005f\u0066\u006c\u0061\u0067\u0069\u0073\u005f\u0077\u0068\u0061\u0074\u0073\u006f\u0072\u0063\u0065\u0072\u0079\u0069\u0073\u0074\u0068\u0069\u0073" under "name" column in "friends" table.

Replace \u00 with \x and parse..

\x69\x6e\x66\x6f\x73\x65\x63\x5f\x66\x6c\x61\x67\x69\x73\x5f\x77\x68\x61\x74\x73\x6f\x72\x63\x65\x72\x79\x69\x73\x74\x68\x69\x73

Then pass through:

$ python -c 'print "\x69\x6e\x66\x6f\x73\x65\x63\x5f\x66\x6c\x61\x67\x69\x73\x5f\x77\x68\x61\x74\x73\x6f\x72\x63\x65\x72\x79\x69\x73\x74\x68\x69\x73"'
infosec_flagis_whatsorceryisthis

Level 14 PASS: infosec_flagis_whatsorceryisthis

===

Level 15:

http://ctf.infosecinstitute.com/levelfifteen/index.php

If we enter "; <cmd>" we can execute multiple commands.

Example:
    ; cat index.php

This gives us the source of index.php, where we see:

<?php
        if(isset($_POST['dig'])){
        echo "<pre>";
        $cmd = ($_POST['dig']);
        system("dig mx " . $cmd );
        echo "</pre>";
        die;
        }
      ?>

GREAT!

now if we do:
    ; ls -lah

we see:

total 16K
drwxrwxr-x 2 ubuntu ubuntu 4.0K Mar  3 18:50 .
drwxr-xr-x 7 ubuntu ubuntu 4.0K Mar  4 22:14 ..
-rw-rw-r-- 1 ubuntu ubuntu   37 Mar  6 20:27 .hey
-rw-rw-r-- 1 ubuntu ubuntu 3.8K Mar  6 20:27 index.php

so we do:
    ; cat .hey

we get:

Miux+mT6Kkcx+IhyMjTFnxT6KjAa+i6ZLibC

We can decrypt this hash using an ATOM-128 Decypter tool found here: http://crypto.x-usenext.net/eng_atom128d.php

We get: infosec_flagis_rceatomized

[.. TODO: FINISH Level 10! ..]
	http://ctf.infosecinstitute.com/

	## Level 1:

	View the source, at the top we see:

	<!-- infosec_flagis_welcome -->

	Level 1 PASS: infosec_flagis_welcome

	## Level 2:

	We have a broken image at: http://ctf.infosecinstitute.com/img/leveltwo.jpeg

	$ curl -s http://ctf.infosecinstitute.com/img/leveltwo.jpeg
	aW5mb3NlY19mbGFnaXNfd2VhcmVqdXN0c3RhcnRpbmc=

	$ curl -s http://ctf.infosecinstitute.com/img/leveltwo.jpeg \| base64 -D
	infosec_flagis_wearejuststarting

	Level 2 PASS: infosec_flagis_wearejuststarting

	====

	## Level 3:

	We decode the QR code using an online service:

	http://zxing.org/w/decode?u=http%3A%2F%2Fctf.infosecinstitute.com%2Fimg%2Fqrcode.png

	Output:

	.. -. ..-. --- ... . -.-. ..-. .-.. .- --. .. ... -- --- .-. ... .. -. --.

	This looks like morse code.

	We resolve it to: INFOSECFLAGISMORSING

	Level 3 PASS: INFOSECFLAGISMORSING

	## Level 4:

	We land on the page and see cookie monster tell us HTTP stands for "Hyper Text Transfer Protocol."

	Well, part of the protocol is cookie monster's favorite: COOKIES!

	We see:

	$ GET http://ctf.infosecinstitute.com/levelfour.php
	GET /levelfour.php HTTP/1.1
	Accept: /
	Accept-Encoding: gzip, deflate
	Connection: keep-alive
	Host: ctf.infosecinstitute.com

	HTTP/1.1 200 OK
	Connection: Keep-Alive
	Content-Encoding: gzip
	Content-Length: 1235
	Content-Type: text/html
	Date: Thu, 12 Mar 2015 21:42:25 GMT
	Keep-Alive: timeout=5, max=100
	Server: Apache/2.4.7 (Ubuntu)
	Set-Cookie: fusrodah=vasbfrp_syntvf_jrybirpbbxvrf
	Vary: Accept-Encoding
	X-Powered-By: PHP/5.5.9-1ubuntu4.6

	fusrodah is a reference to a DBZ meme, look it up.

	The text "vasbfrp_syntvf_jrybirpbbxvrf" is the password crypted using rot13.

	Level 4 PASS: infosec_flagis_welovecookies
	===

	Level 5:

	There's an infinite loop forcing an alert box that reads "hacker."

	Most modern browsers will allow you to "prevent further pop-ups", but alternatively you can download the page using an external tool (such as wget or curl)

	$ wget -o levelfive.html http://ctf.infosecinstitute.com/levelfive.php

	ANOTHER option is to type into your browser: "view-source:http://ctf.infosecinstitute.com/levelfive.php" and you should see the source.

	We see:
	<script>
	for(;;){
	alert('Hacker!!!');
	}
	</script>

	<img src="img/aliens.jpg" /> <br /> <br />

	I tried to run "strings" on the image but nothing significant came up..

	$ curl -s http://ctf.infosecinstitute.com/img/aliens.jpg \| strings \| head -n 512
	JFIF
	$3br
	%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
	&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
	}/p2
	E(5mN
	>0x:
	k0h^,
	5}.-V
	W'k]
	3Meo4
	vq]i
	_MkIti
	pFON95
	Ul3D
	ko0nE
	...

	So, we can run a Steg tool like "Steghide" (https://futureboy.us/stegano/decinput.html) to try to see if there's any readily available text in the file.

	We get back:

	01101001011011100110011001101111011100110110010101100011010111110110011001101100011000010110011101101001011100110101111101110011011101000110010101100111011000010110110001101001011001010110111001110011

	$ perl -e '$bin="01101001011011100110011001101111011100110110010101100011010111110110011001101100011000010110011101101001011100110101111101110011011101000110010101100111011000010110110001101001011001010110111001110011"; $len=length($bin); print pack("B$len", $bin);'
	infosec_flagis_stegaliens

	Level 5 PASS: infosec_flagis_stegaliens

	===

	Level 6:

	We download sharkfin.pcap.

	$ tcpdump -qns 0 -X -r sharkfin.pcap \| head
	reading from file sharkfin.pcap, link-type EN10MB (Ethernet)
	14:59:54.303760 IP 127.0.0.1.32769 > 127.0.0.1.139: UDP, length 44
	0x0000: 4500 0048 0000 4000 4011 3ca3 7f00 0001 E..H..@.@.<.....
	0x0010: 7f00 0001 8001 008b 0034 0000 3639 3665 .........4..696e
	0x0020: 3636 3666 3733 3635 3633 3566 3636 3663 666f7365635f666c
	0x0030: 3631 3637 3639 3733 3566 3733 3665 3639 616769735f736e69
	0x0040: 3636 3636 3635 3634 66666564
	15:10:33.563340 IP 192.168.1.103.2925 > 133.242.147.91.80: tcp 0
	0x0000: 4500 0028 1acb 4000 8006 04a8 c0a8 0167 E..(..@........g
	0x0010: 85f2 935b 0b6d 0050 bbf2 588c 6f42 6144 ...[.m.P..X.oBaD
	0x0020: 5011 1006 d3ad 0000 P.......

	Quickly browsing around I notice,

	696e666f7365635f666c616769735f736e6966666564 is hex encoded: infosec_flagis_sniffed

	Level 6 PASS: infosec_flagis_sniffed

	===

	Level 7:

	$ curl --HEAD http://ctf.infosecinstitute.com/404.php
	HTTP/1.0 404 Not Found
	Date: Thu, 12 Mar 2015 22:03:58 GMT
	Server: Apache/2.4.7 (Ubuntu)
	X-Powered-By: PHP/5.5.9-1ubuntu4.6
	Connection: close
	Content-Type: text/html

	$ curl --HEAD http://ctf.infosecinstitute.com/levelseven.php
	HTTP/1.0 200 aW5mb3NlY19mbGFnaXNfeW91Zm91bmRpdA==
	Date: Thu, 12 Mar 2015 22:04:04 GMT
	Server: Apache/2.4.7 (Ubuntu)
	X-Powered-By: PHP/5.5.9-1ubuntu4.6
	Connection: close
	Content-Type: text/html

	$ echo -n "aW5mb3NlY19mbGFnaXNfeW91Zm91bmRpdA==" \| base64 -D
	infosec_flagis_youfoundit

	Level 7 PASS: infosec_flagis_youfoundit

	===

	Level 8:

	Because I'm on a Mac I solved this first without even opening the app:

	$ strings app.exe\| ack -i infosec_flag
	infosec_flagis_0x1a

	BUT, to do what's right, I booted a virtual machine to debug the app and make sure!

	See Dump here: http://i.imgur.com/CcqudvC.png

	Level 8 PASS: infosec_flagis_0x1a

	===

	Level 9:

	We load the page and see a "CISCO IDS Login"

	Look up default logins for any CISCO IDS router, we see: "root/attack"

	Type it in, we get an alert "ssaptluafed_sigalf_cesofni"

	$ echo -n "ssaptluafed_sigalf_cesofni" \| rev
	infosec_flagis_defaultpass

	Level 9 PASS: infosec_flagis_defaultpass

	===

	Level 11:

	$ curl -s http://ctf.infosecinstitute.com/img/php-logo-virus.jpg \| strings \| grep infosec_flag
	infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9wb3dlcnNsaWRlX2xvZ29fbGFyZ2UuZ2lm

	Level 11 PASS: infosec_flagis_http://www.rollerski.co.uk/imagesb/powerslide_logo_large.gif

	===

	Level 12:

	View source, we see "http://ctf.infosecinstitute.com/css/design.css" is being imported now.

	$ curl -s http://ctf.infosecinstitute.com/css/design.css
	.thisloveis{
	color: #696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72;
	}

	696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72 is hex for infosec_flagis_heyimnotacolor

	Level 12 PASS: infosec_flagis_heyimnotacolor

	===

	Level 13:

	After fuzzing the URL we find: http://ctf.infosecinstitute.com/levelthirteen.php.old

	This file contains:

	<?php

	/* <img src="img/clippy1.jpg" class="imahe" /> <br /> <br />

	<p>Do you want to download this mysterious file?</p>

	<a href="misc/imadecoy">
	<button class="btn">Yes</button>
	</a>

	<a href="index.php">
	<button class="btn">No</button>
	</a>
	*/

	?>
	</div>

	So, we get the file and check it..

	$ wget http://ctf.infosecinstitute.com/misc/imadecoy
	..
	$ file imadecoy
	imadecoy: tcpdump capture file (little-endian) - version 2.4 (Linux "cooked", capture length 65535)

	So let's open the dump in Wireshark.

	We see a user requests a file "/honeypy/img/HoneyPY.PNG"

	View / Dump the image, and we get a png: "infosec_flagis_morepackets"

	===

	Level 14:

	We download a file, http://ctf.infosecinstitute.com/misc/level14.

	The file contains SQL data.

	We notice a table "flag?" which has some hashed password.

	Attempted to crack using JTR (John the Ripper) to no avail.

	Check other tables and find significant value "\u0069\u006e\u0066\u006f\u0073\u0065\u0063\u005f\u0066\u006c\u0061\u0067\u0069\u0073\u005f\u0077\u0068\u0061\u0074\u0073\u006f\u0072\u0063\u0065\u0072\u0079\u0069\u0073\u0074\u0068\u0069\u0073" under "name" column in "friends" table.

	Replace \u00 with \x and parse..

	\x69\x6e\x66\x6f\x73\x65\x63\x5f\x66\x6c\x61\x67\x69\x73\x5f\x77\x68\x61\x74\x73\x6f\x72\x63\x65\x72\x79\x69\x73\x74\x68\x69\x73

	Then pass through:

	$ python -c 'print "\x69\x6e\x66\x6f\x73\x65\x63\x5f\x66\x6c\x61\x67\x69\x73\x5f\x77\x68\x61\x74\x73\x6f\x72\x63\x65\x72\x79\x69\x73\x74\x68\x69\x73"'
	infosec_flagis_whatsorceryisthis

	Level 14 PASS: infosec_flagis_whatsorceryisthis

	===

	Level 15:

	http://ctf.infosecinstitute.com/levelfifteen/index.php

	If we enter "; <cmd>" we can execute multiple commands.

	Example:
	; cat index.php

	This gives us the source of index.php, where we see:

	<?php
	if(isset($_POST['dig'])){
	echo "<pre>";
	$cmd = ($_POST['dig']);
	system("dig mx " . $cmd );
	echo "</pre>";
	die;
	}
	?>

	GREAT!

	now if we do:
	; ls -lah

	we see:

	total 16K
	drwxrwxr-x 2 ubuntu ubuntu 4.0K Mar 3 18:50 .
	drwxr-xr-x 7 ubuntu ubuntu 4.0K Mar 4 22:14 ..
	-rw-rw-r-- 1 ubuntu ubuntu 37 Mar 6 20:27 .hey
	-rw-rw-r-- 1 ubuntu ubuntu 3.8K Mar 6 20:27 index.php

	so we do:
	; cat .hey

	we get:

	Miux+mT6Kkcx+IhyMjTFnxT6KjAa+i6ZLibC

	We can decrypt this hash using an ATOM-128 Decypter tool found here: http://crypto.x-usenext.net/eng_atom128d.php

	We get: infosec_flagis_rceatomized

	[.. TODO: FINISH Level 10! ..]