@mike-bailey
Created August 30, 2017 16:30
Master key for Mason CC Back to School CTF
Master Key to Mason CC CTF:
Let me know if there are any omissions
Mexico:
Wonder how to decode this?
Q0N7SVNOVF9USElTX0ZVTn0=
Soln: Literally base64:
CC{ISNT_THIS_FUN}
Honduras:
*sigh*, for....
RR{ZTTE_XI_JE}
Soln: Caesar, key 15:
CC{KEEP_IT_UP}
North Korea:
Real gz's move in silence
H4sIAAAAAAAA/ws08DMPzQ5zCnGz9AjPzgkMNbT0CzGMcoswyPGPMPTzCnEN8w80CLMEAGvfhPEoAAAA
Soln: Base64, GZIP, Base64
cat theproblem.txt|base64 --decode|gunzip|base64 --decode
Indonesia:
Prerequisite Hard-coding Request Form
Soln: Literally read the document, just CTRL+F SOLVED to find it if you don't see it
CC{GMU_PCR_SOLVED}
Malaysia:
Soln: Highlight the surrounding text and the selection reveals what's behind the box
CC{BOXES_CANT_HIDE_YOUR_LIES}
Algeria:
It's laughing at me. It's staring me right in the face.
https://s3.amazonaws.com/masoncc-data/haha.jpg
Soln: Run strings on it; the flag is towards the top
CC{METADATA_IS_MAGIC}
Cote d'Ivoire:
Someone gave me this coded message, can you help? They were even arrogant enough to give me the encryption code!
https://gist.github.com/mike-bailey/14649de3050b130998b3d6d6c6d91f28
Soln: brute force the key, since it's known to be only 2 capitalized characters, but note PyCrypto has an install bug with pip
Hacky code to solve:
from Crypto.Cipher import AES  # PyCryptodome provides the same import path as the old PyCrypto
import base64
from string import ascii_uppercase

print('Enter text here')
indata = input()
ciphertext = base64.b64decode(indata)
iv = b'KADSFJKAJASDKLFL'  # fixed IV used by this solve script; must match the challenge's encryption code

# Can't have it _TOO_ long and unpredictable!
# The key is two capital letters repeated to fill 16 bytes, so only 26*26 candidates.
for a in ascii_uppercase:
    for b in ascii_uppercase:
        keytry = ((a + b) * 8).encode()
        obj2 = AES.new(keytry, AES.MODE_CBC, iv)
        attempt = obj2.decrypt(ciphertext)
        if b'CC{' in attempt:
            print(attempt)
ANSWER: CC{CRYPTOIZ_FUN}
Zambia:
Yet another cocky wannabe cryptographer, this one doesn't even need a key!
Here's what they sent me:
44447c4g53455g53464e4251514:4f485g4:545g4d4:47467e
https://gist.github.com/mike-bailey/2f5010f0f65dbe6505d0bdfa82473f7a
Soln: It just shifts the ordinal value of every other character in the hexadecimal representation. Write code to shift it back, then hex-decode the result.
Example code:
flag = '44447c4g53455g53464e4251514:4f485g4:545g4d4:47467e'
flag = flag.split('')   # one element per character
puts flag.inspect
previous = ''
encoded = []
flag.each_with_index do |key, index|
  puts key
  if index % 2 != 0
    # every second character was shifted up by one; shift it back
    neword = key.ord - 1
    newkey = neword.chr
    encoded.push(previous + newkey)
  else
    previous = key
  end
end
hex = encoded.join
puts hex
# the repaired string is plain hex, so unpack it to get the flag
puts [hex].pack('H*')
Philippines:
Laos:
1337 Loginz
I was told I'd be able to trust the client side and that's exactly what I did.
https://s3.amazonaws.com/masoncc-data/secureLogin.html
Soln: Just view source, it's basic JS auth
CC{MASTER_OF_THE_CLIENT_SIDE}
Mongolia:
Do you speak Murica'nese?
I think there's something hidden in all this patriotism, can you find it?
https://s3.amazonaws.com/masoncc-data/flag.gif
Soln: curl it and inspect the response headers, specifically Content-Language
CC{FLAG_IS_MURICA}
Saudi Arabia:
Someone was telling me about how they just got into PHP. Is what they wrote safe?
https://gist.github.com/mike-bailey/600bc537a026e191fbb420964ce4e4ef
Soln: The IP is in the description and the file name is in the Gist; pass an array as the GET parameter, e.g. token[]=asdffsa
Inspired by: https://blog.0daylabs.com/2015/09/21/csaw-web-200-write-up/
Pakistan:
Okay *NOW* I think I can write a secure login portal. Check it out.
https://s3.amazonaws.com/masoncc-data/moresecureLogin.html
Soln: Obfuscated JS; invoke the function, find where it alerts, then alert/console.log that variable
CC{CLIENT_SIDE_EVEN_HARDER}
Ukraine:
Here at Mason CC, we value our social media presence.
NOTE: THIS ONE DOES HAVE A HINT PENALTY
Soln: Go to Twitter; there's a "paste" gif and a "bin" gif, then a stub for a Pastebin URL. Visit the URL, it has the answer, profit:
CC{PASTEBIN_OR_DIE_TRYIN}
Serbia:
I found this cool new site that does DNS lookups for you! I hope it's safe!
http://54.196.33.90:1337/?args=gmu.edu
Soln: Trivial command injection (containerized so you can't pop the whole box), visit http://54.196.33.90:1337/?args=gmu.edu;%20cat%20flag
CC{DO_IT_FOR_THE_ZOZ}
Exact source:
const express = require('express');

// Constants
const PORT = 1337;
const HOST = '0.0.0.0';

// App
const app = express();
app.get('/', (req, res) => {
  //res.send('Hello world\n');
  param = req.query['args'];
  // user input concatenated straight into a shell command: this is the injection point
  require('child_process').exec('dig ' + param, function (err, data) {
    res.send(data + err);
  });
});

app.listen(PORT, HOST);
console.log(`Running on http://${HOST}:${PORT}`);
var path = "user input";
Australia:
There's this API; you authenticate to it with:
http://54.196.33.90:3000/?user=youruser&token=tokenhere
I'm not sure how, but there's gotta be a flag here somewhere?
NOTE: Do not brute force
NOTE: Hint Penalty
Soln: When you trigger a stack trace (by supplying a user without a token) you get a rack.poller variable
It's the base64'd, gzipped flag