Created August 30, 2017 16:30
Master key for Mason CC Back to School CTF
Master Key to Mason CC CTF:
Let me know if there are any omissions
Mexico:
Wonder how to decode this?
Q0N7SVNOVF9USElTX0ZVTn0=
Soln: Literally base64:
CC{ISNT_THIS_FUN}
Honduras:
*sigh*, for....
RR{ZTTE_XI_JE}
Soln: Caesar, key 15:
CC{KEEP_IT_UP}
North Korea:
Real gz's move in silence
H4sIAAAAAAAA/ws08DMPzQ5zCnGz9AjPzgkMNbT0CzGMcoswyPGPMPTzCnEN8w80CLMEAGvfhPEoAAAA
Soln: Base64, GZIP, Base64 (decodes to CC{REAL_GZIPS_MOVE_IN_SILENCE})
cat theproblem.txt | base64 --decode | gunzip | base64 --decode
Indonesia:
Prerequisite Hard-coding Request Form
Soln: Literally read the document; just CTRL+F "SOLVED" to find it if you don't see it
CC{GMU_PCR_SOLVED}
Malaysia:
Soln: Highlight the surrounding context and you can highlight what's behind the box
CC{BOXES_CANT_HIDE_YOUR_LIES}
Algeria:
It's laughing at me. It's staring me right in the face.
https://s3.amazonaws.com/masoncc-data/haha.jpg
Soln: Run strings on it; the flag is towards the top, in the image metadata
CC{METADATA_IS_MAGIC}
Cote d'Ivoire:
Someone gave me this coded message, can you help? They were even arrogant enough to give me the encryption code!
https://gist.github.com/mike-bailey/14649de3050b130998b3d6d6c6d91f28
Soln: Brute-force the key. It's known to be only two capital letters (repeated to fill the 16-byte AES key), so there are just 26*26 candidates, and the right one is whichever decrypts to something containing "CC{". Note that PyCrypto has an install bug with pip; PyCryptodome provides the same Crypto.Cipher module.
Hacky code to solve (Python 3, runs against PyCryptodome's Crypto.Cipher):
from Crypto.Cipher import AES
import base64
from string import ascii_uppercase

print('Enter text here')
indata = base64.b64decode(input())
# The key space is tiny: two capital letters repeated to fill the 16-byte AES key, so 26*26 tries.
for a in ascii_uppercase:
    for b in ascii_uppercase:
        keytry = ((a + b) * 8).encode()
        obj2 = AES.new(keytry, AES.MODE_CBC, b'KADSFJKAJASDKLFL')
        attempt = obj2.decrypt(indata)
        if b'CC{' in attempt:
            print(keytry.decode(), attempt)
ANSWER: CC{CRYPTOIZ_FUN}
Zambia:
Yet another cocky wanna be cryptographer, this one doesn't even need a key!
Here's what they sent me:
44447c4g53455g53464e4251514:4f485g4:545g4d4:47467e
https://gist.github.com/mike-bailey/2f5010f0f65dbe6505d0bdfa82473f7a
Soln: It just shifts the ordinal value of every other character in the hexadecimal representation up by one (which is why 'g' and ':' show up in a hex string). Write code to shift it back, then unhex the result.
Example code (Ruby):
flag = '44447c4g53455g53464e4251514:4f485g4:545g4d4:47467e'
chars = flag.chars
previous = ''
decoded = []
# Every odd-indexed character of the hex string was shifted up by one; shift it back
# and re-pair it with the untouched even-indexed character before it.
chars.each_with_index do |key, index|
  if index.odd?
    decoded.push(previous + (key.ord - 1).chr)
  else
    previous = key
  end
end
hex = decoded.join
puts hex                 # the repaired hex string
puts [hex].pack('H*')    # unhexed to ASCII => CC{ORD_REMAPPING_IS_LIFE}
Philippines:
Laos:
1337 Loginz
I was told I'd be able to trust the client side and that's exactly what I did.
https://s3.amazonaws.com/masoncc-data/secureLogin.html
Soln: Just view source; it's a basic client-side JS auth check
CC{MASTER_OF_THE_CLIENT_SIDE}
Mongolia:
Do you speak Murica'nese?
I think there's something hidden in all this patriotism, can you find it?
https://s3.amazonaws.com/masoncc-data/flag.gif
Soln: curl it and inspect the response headers, specifically Content-Language
CC{FLAG_IS_MURICA}
Saudi Arabia:
Someone was telling me about how they just got into PHP. Is what they wrote safe?
https://gist.github.com/mike-bailey/600bc537a026e191fbb420964ce4e4ef
Soln: The IP is in the description and the file name is in the Gist. Pass an array instead of a string for the token in the GET, e.g. token[]=asdffsa. PHP's string comparison functions return NULL (with a warning) when handed an array, and a loose == 0 check treats that NULL as a match.
Inspired by: https://blog.0daylabs.com/2015/09/21/csaw-web-200-write-up/
Pakistan:
Okay *NOW* I think I can write a secure login portal. Check it out.
https://s3.amazonaws.com/masoncc-data/moresecureLogin.html
Soln: Obfuscated JS. Invoke the function, find where it alerts out, then alert/console.log that variable
CC{CLIENT_SIDE_EVEN_HARDER}
Ukraine:
Here at Mason CC, we value our social media presence.
NOTE: THIS ONE DOES HAVE A HINT PENALTY
Soln: Go to Twitter; there's a "paste" gif and a "bin" gif, then a stub for a pastebin URL. Visit the URL, it has the answer, profit:
CC{PASTEBIN_OR_DIE_TRYIN}
Serbia:
I found this cool new site that does DNS lookups for you! I hope it's safe!
http://54.196.33.90:1337/?args=gmu.edu
Soln: Trivial command injection (it's containerized, so you can't pop the whole box). The args parameter is concatenated straight into exec('dig ' + param), so a ; ends the dig command and whatever follows runs in the shell. Visit http://54.196.33.90:1337/?args=gmu.edu;%20cat%20flag
CC{DO_IT_FOR_THE_ZOZ}
Exact source:
const express = require('express');
// Constants
const PORT = 1337;
const HOST = '0.0.0.0';
// App
const app = express();
app.get('/', (req, res) => {
  //res.send('Hello world\n');
  param = req.query['args'];
  require('child_process').exec('dig ' + param, function (err, data) {
    res.send(data + err);
  });
});
app.listen(PORT, HOST);
console.log(`Running on http://${HOST}:${PORT}`);
var path = "user input";
Australia:
There's this API, you authenticate it with:
http://54.196.33.90:3000/?user=youruser&token=tokenhere
I'm not sure how, but there's gotta be a flag here somewhere?
NOTE: Do not brute force
NOTE: Hint Penalty
Soln: Trigger a stack trace (request a user without a token) and the dump includes a rack.poller variable.
It's the base64'd, gzipped flag.