Capture the flag (Infosec Institute n00bs CTF Labs)
Written by Tom
The Infosec Institute n00bs CTF Labs is a web application that hosts 15 mini Capture the Flag (CTF) challenges intended for beginners. The levels can be navigated in the navbar. There is no scoring or leaderboard, but to claim the bounty for each level (bounties range from $10 to $150) you'll need to write up the solution and any other helpful instructions or information and post that in a public place (blog, forum, etc.).
--From the welcome page at http://ctf.infosecinstitute.com/
I decided to try this challenge when a friend mentioned it to me. It was quite challenging! Here are my results...
Level 1
The clue on level 1 is a picture of Yoda with the text "May the source be with you!" This, of course, led me to view the source. After doing so, I noticed the first commented line:
The first flag is "welcome". That seemed too easy. I kept searching for more, then I eventually decided to try level 2 and see if I was on the right track.
Level 2
The clue on level 2 is "It seems like the image is broken..Can you check the file?" Once again, I checked the source of the page and saw that the image linked was "img/leveltwo.jpeg". I typed the full path into my address bar, http://ctf.infosecinstitute.com/img/leveltwo.jpeg, and received an error saying the image cannot be displayed because it contains errors:
I downloaded the corrupted file and opened it with notepad.
Aha! That doesn't look like a normal JPEG file (a real one starts with the bytes FF D8 FF, which a hex editor shows immediately). The trailing equals sign makes me think it's base64 encoded. One quick search for "base64 decoder", a paste of that text into the online tool, and I've got flag #2: "wearejuststarting". This is getting fun!
Level 3
Level 3 presented a QR code and a progress bar. The QR code on the page was:
A quick scan with my phone and I was looking at ".. -. ..-. --- ... . -.-. ..-. .-.. .- --. .. ... -- --- .-. ... .. -. --." Obviously Morse code. I searched for "morse code converter" and pasted the dots and dashes. Flag #3 is "Morsing". So far so good.
Level 4
Level 4 shows a picture of an Amazon cardboard robot with a Cookie Monster doll and the text, "HTTP means Hypertext Transfer Protocol". If you hover over the picture, an alert box pops up with the message, "Stop poking me!"
I will admit this one took me WAY longer than it should have. The text wasn't giving me any clues and the alert message wasn't either. I noticed that the source for the page included an extra .js file compared with the previous pages, but viewing that file, "js/custom.js", didn't provide any clues. I went to lunch. I was still trying to find clues in the source or the messages when it dawned on me that I'd been staring at Cookie Monster the whole time (duh!).
I opened the Page Info dialog, went to the Security tab and clicked "View Cookies". The first cookie I saw was called _distillery and had a rather long hex string. I copied it and pasted it into an online hex-to-ASCII converter. No dice. I went to the next cookie, "fusrodah" (haha, Skyrim reference). The content of that cookie (vasbfrp_syntvf_jrybirpbbxvrf) bore a striking resemblance to the "infosec_flagis_" string: same length, underscores in the same places, which is exactly what a letter-for-letter substitution leaves behind! If I hadn't learned about Caesar shift ciphers from a recent scavenger hunt, I would probably have taken pen to paper to figure this out, but once again I searched for an online Caesar shift decoder and pasted the string. The shift turns out to be 13, i.e. ROT13. Bam! The flag for level 4 is "welovecookies". Haha.
Level 5
Level 5 throws the alert, "Hacker!!!" constantly. Firefox allows users to prevent the dialog from popping up:
Once I ticked the box to prevent the popups, I was presented with a meme of the History Channel 'aliens' guy. The page source was pretty normal, so I downloaded the image file and opened it in notepad to see if anything stood out. Nothing did, so I remembered seeing a blurb on the n00bs CTF Labs resource page about steganography. I searched for some online steganography tools. Many of them only accepted .PNG files, so I was losing hope, then I stumbled upon Alan Eliasen's Steganographic Decoder site. I uploaded the picture and crossed my fingers with the default settings. w00t! The decoder spat out "01101001011011100110011001101111011100110110010101100011010111110110011001101100011000010110011101101001011100110101111101110011011101000110010101100111011000010110110001101001011001010110111001110011". That sure looks like binary to me (eight bits per character). On to find a binary-to-ASCII decoder... The flag for level 5 is "stegaliens".
Level 6
Level 6 shows Clippy and the text, "Do you want to download sharkfin.pcap file?" Well, of course I do. Once again, I remembered seeing something about Wireshark on the resource page. I wasn't sure where to look once I opened the .pcap file in Wireshark, so I went straight to the bottom and looked at the contents of the Packet Bytes pane. Nothing looked useful. I scrolled up and looked in the first packet. I think I just got lucky here: I copied the hex string (696e666f7365635f666c616769735f736e6966666564) at the end of the packet and tried an online hex-to-ASCII translation tool. Sure enough, I got lucky. No real finesse in this one (Wireshark's Follow TCP Stream would have shown the same bytes as text). The flag is "sniffed".
Level 7
So, this one ended up being the second-most difficult level for me in the whole challenge. I could see that the page was hard-coded to load 404.php, but when I manually typed http://ctf.infosecinstitute.com/levelseven.php, nothing loaded. There was no source to view. I gave up on this one and went to the next level. Later on, while working on another level, it occurred to me that 404.php had a specific message and was by no means a normal 404 (page not found) error. I intentionally mistyped the URL of a level and received a real "Not Found" response. Hmm. A lightbulb went off in my head. If http://ctf.infosecinstitute.com/levelseven.php doesn't produce a "Not Found", then it must exist! It's just possibly empty. I poked around in Firefox's "Inspect Element" function and kept reloading /levelseven.php and checking the various tabs. I eventually got lucky while checking the "Network" tab and looking at the response headers.
I will admit, this was also a rather inelegant solution that took me far too much time. The text in the response's status line, in place of the usual "OK" reason phrase, is aW5mb3NlY19mbGFnaXNfeW91Zm91bmRpdA==. This looks like base64 again. An online base64-to-ASCII decoder confirms that the flag is "youfoundit". (A quicker check for an "empty" page: curl -si http://ctf.infosecinstitute.com/levelseven.php prints the status line and headers before the body, empty or not.)
Level 8
Once again, we see Clippy and he's asking the question, "Do you want to download app.exe file?" I sure do! After downloading the file, I decided not to execute it ;) I opened it with notepad first. Visible in clear-text was the string, "infosec_flagis_0x1a". That was easy. I opened the file in a hex editor to see what value was at 0x1a and found it was "00" in case you were looking for the actual value.
Level 9
Level 9 has the text, "Cisco IDS Web Login System" followed by a username/password dialog. I searched for default Cisco passwords and found several sites listing default username/password combinations for various Cisco devices. I tried a few of them with no luck, then I decided to search for "default cisco ids password". It was this search that led me to the combination root/attack. Once entered, a message box popped up with the string, "ssaptluafed_sigalf_cesofni". The underscores almost led me to try a Caesar shift again, but then I realized it was just backwards... The flag is "defaultpass"
Level 10
Level 10 shows an animated .GIF of Gollum covering his ears and saying, "Not listening. I'm not listening" The text on the page reads, "What kind of sound is this? Sorcery perhaps??" After clicking the listen button, I heard something that sounded like a small animal or a bird. I decided to try to slow the sound clip down. I searched for an online tool, but couldn't find one, but read many positive reviews of Audacity. I installed the software and slowed the sound sample down 90%. After doing that, I could hear that the flag is "sound"
Level 11
Level 11 shows the same animated .GIF of Gollum, but the text on the page changes to, "No it must not be a sound? But wait whaT?" and a picture of the PHP logo is displayed. I downloaded the image and opened it with notepad. I saw the cleartext flag prefix again, but this time the rest wasn't human-readable. I copied the last part of the string, "infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9wb3dlcnNsaWRlX2xvZ29fbGFyZ2UuZ2lm", and tried base64 decoding. Sure enough, it decoded to "http://www.rollerski.co.uk/imagesb/powerslide_logo_large.gif". So, the flag is either that URL or the word "Powerslide".
Level 12
Level 12 shows Yoda again with the text, "Dig Deeper!". Opening the source (using the logic from level 1), shows that there is a new line:
The link "css/design.css" does not appear in the other levels. Opening this file directly shows:
.thisloveis{ color: #696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72;}
That hex color code is quite long :) CSS colors are three or four bytes, not thirty, so let's run it through a hex decoder. The flag is "heyimnotacolor".
Level 13
This level has the text, "What the heck happened here? It seems that the challenge here is gone? Can you find it? Can you check if you can find the backup file for this one? I'm sorry for messing up :("
Viewing the source didn't give any clues, so I just tried adding .bak, then .backup, then .tmp to the end of the URL. Next I added .old and voilà! I was prompted to download the file. Opening it with a text editor shows that there was another image of Clippy with the text, "Do you want to download this mysterious file?" followed by a link to /misc/imadecoy. I downloaded the file and tried to determine its file type. I opened it with notepad, but that didn't really help at first. I tried searching on the header bytes, but that didn't turn up anything useful. This was going to be trickier than I thought. I gave up on it and came back later. Once again, I opened it with notepad and started noticing HTTP header strings, so, on a hunch, I added a .pcap extension to the end and opened it with Wireshark. It worked. Searching through the packets didn't provide any useful data, but I could see that plenty of binary data was transmitted during this session. I wondered if Wireshark could rebuild the transferred files, so I clicked on File and Export Objects --> HTTP:
I saved all the files to my computer and started perusing their contents. The file HoneyPY.PNG provided the flag "morepackets"
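Two checks that would have shortened level 13, as an added example (not the write-up's own code): a probe for the usual backup and editor leftovers beside a page, with a baseline request so a "soft 404" (a 200 with a not-found body, as level 7 taught) is not counted as a hit, and a magic-byte sniffer so a downloaded blob is identified from its first bytes rather than by guessing extensions. The level URL used in the comments and the sample bytes are assumptions constructed for illustration; the pcap and pcapng signatures are the ones Wireshark itself recognises.

```python
"""Backup-file probing and magic-byte sniffing (added example, not from the write-up)."""
from __future__ import annotations

import posixpath
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit, urlunsplit
from urllib.request import urlopen

# Suffixes that editors, deploy scripts and admins leave behind next to a page.
SUFFIXES = [".bak", ".backup", ".old", ".orig", ".tmp", ".save", ".copy",
            "~", ".1", ".txt", ".zip", ".tar.gz"]


def candidate_backups(url: str) -> list[str]:
    """http://host/levelthirteen.php (assumed name) -> .../levelthirteen.php.bak,
    .../levelthirteen.bak, .../.levelthirteen.php.swp, ... without duplicates."""
    parts = urlsplit(url)
    directory, name = posixpath.split(parts.path)
    stem, ext = posixpath.splitext(name)
    names: list[str] = []
    for suffix in SUFFIXES:
        names.append(name + suffix)            # page.php.bak
        if ext:
            names.append(stem + suffix)        # page.bak
    names.append("." + name + ".swp")          # vim swap file
    names.append(stem + "_old" + ext)          # page_old.php
    unique = list(dict.fromkeys(names))
    return [urlunsplit(parts._replace(path=posixpath.join(directory, n))) for n in unique]


def _http_fetch(url: str) -> tuple[int, int] | None:
    """Live fetch: (status, body length), or None when the server is unreachable."""
    try:
        with urlopen(url, timeout=10) as resp:
            return resp.status, len(resp.read())
    except HTTPError as err:
        return err.code, len(err.read())
    except URLError:
        return None


def probe(url: str, fetch=_http_fetch) -> list[tuple[str, int]]:
    """Return (candidate, status) for candidates whose response differs from a
    baseline request for a name that cannot exist. Comparing status AND length
    with the baseline catches servers that answer 200 for everything."""
    parts = urlsplit(url)
    baseline = fetch(urlunsplit(parts._replace(path=parts.path + ".zz-cannot-exist")))
    hits = []
    for candidate in candidate_backups(url):
        result = fetch(candidate)
        if result is None or result[0] == 404 or result == baseline:
            continue
        hits.append((candidate, result[0]))
    return hits


# (magic bytes, description); order matters only where prefixes overlap.
MAGICS = [
    (b"\xd4\xc3\xb2\xa1", "pcap (little-endian)"),
    (b"\xa1\xb2\xc3\xd4", "pcap (big-endian)"),
    (b"\x4d\x3c\xb2\xa1", "pcap (nanosecond, little-endian)"),
    (b"\x0a\x0d\x0d\x0a", "pcapng"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"MZ", "dos/pe executable"),
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
    (b"%PDF-", "pdf"),
]


def sniff(data: bytes) -> str:
    """Identify a file from its leading bytes, the way `file` does."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    if data[:5] == b"HTTP/" or data[:4] in (b"GET ", b"POST"):
        return "http text, not a capture"
    return "unknown"


# Constructed sample: a pcap global header (magic, v2.4, zone 0, sigfigs 0,
# snaplen 65535, link type 1 = Ethernet) with no records behind it.
SAMPLE_PCAP_HEADER = (b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 8
                      + b"\xff\xff\x00\x00\x01\x00\x00\x00")
```

Using probe() against a live target only needs the page URL; a fetch callable is injected so the same logic can be exercised offline against a fake server, which is how the baseline comparison is checked.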
Level 14
Once again, we see Clippy with the text, "Do you want to download level14 file?" Yes! Once the file was downloaded, I opened it with notepad. It appears to be a database dump from a MySQL database (for a WordPress site). Searching through the file reveals a table called "flag". Aha! Alas, the contents appear to be just encrypted user credentials. Am I supposed to crack the password? Hmm. I'll come back to it. The next table, "friends", shows some fake users, but user #104 has a long string of interesting characters. Searching on a couple of them, I determined they are Unicode escape sequences and I searched for a Unicode-to-ASCII converter. Success. The flag is "whatsorceryisthis".
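Levels 2 through 7, 9, 11, 12 and 14 all come down to recognising one of a handful of encodings and undoing it, and I ended up with a different online tool for each. The block below is an added example, not code from the write-up: one small decoder per encoding seen above, plus find_flags(), which tries every decoder (and every decoder on each output, two layers deep) and reports whichever chain produces the "infosec_flagis_" prefix, so the encoding does not have to be guessed first. The test values are the strings quoted in this write-up; the Unicode-escape sample is constructed, since the string from the SQL dump is not reproduced here.

```python
"""Decoders for the encodings met in this CTF (added example, not from the write-up)."""
from __future__ import annotations

import base64
import codecs
import re

FLAG_PREFIX = "infosec_flagis_"


def from_hex(s: str) -> str:
    """'696e66...' -> 'inf...'; a leading '#' (level 12's CSS colour) is ignored."""
    return bytes.fromhex(s.strip().lstrip("#")).decode("ascii")


def from_base64(s: str) -> str:
    """Levels 2, 7, 11. Re-pads first, since a trailing '=' is easily lost when copying."""
    s = "".join(s.split())
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s, validate=True).decode("ascii")


def rot13(s: str) -> str:
    """Level 4: Caesar shift of 13; non-letters such as '_' pass through unchanged."""
    return codecs.decode(s, "rot_13")


def from_binary(s: str) -> str:
    """Level 5: eight bits per character, whitespace ignored."""
    bits = "".join(s.split())
    if len(bits) % 8:
        raise ValueError("bit string is not a whole number of bytes")
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))


def reversed_text(s: str) -> str:
    """Level 9: the flag was simply written backwards."""
    return s[::-1]


MORSE = dict(zip(
    "abcdefghijklmnopqrstuvwxyz0123456789",
    ".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. --.- .-. ... - "
    "..- ...- .-- -..- -.-- --.. ----- .---- ..--- ...-- ....- ..... -.... --... ---.. ----.".split(),
))
MORSE_REV = {code: letter for letter, code in MORSE.items()}


def from_morse(s: str) -> str:
    """Level 3: letters separated by spaces, words by '/'. Output is lower case."""
    try:
        return " ".join("".join(MORSE_REV[tok] for tok in word.split()) for word in s.split("/"))
    except KeyError as err:
        raise ValueError(f"not a Morse symbol: {err.args[0]}") from None


def from_unicode_escapes(s: str) -> str:
    r"""Level 14: '\u0077\u0068...' -> 'wh...' (also handles \xNN and \UNNNNNNNN)."""
    if "\\" not in s:
        raise ValueError("no escape sequences present")
    return s.encode("latin-1", "backslashreplace").decode("unicode_escape")


DECODERS = {
    "hex": from_hex,
    "base64": from_base64,
    "rot13": rot13,
    "binary": from_binary,
    "reverse": reversed_text,
    "morse": from_morse,
    "unicode-escape": from_unicode_escapes,
}


def find_flags(blob: str, prefix: str = FLAG_PREFIX, depth: int = 2) -> list[tuple[str, str]]:
    """Return (decoder chain, flag) pairs for every decoding of `blob`, up to
    `depth` layers deep, whose text contains `prefix`. Decoders that reject the
    input raise ValueError and are skipped. The Morse flag has no underscore,
    so level 3 still has to be read by eye."""
    found: list[tuple[str, str]] = []

    def walk(text: str, chain: list[str], remaining: int) -> None:
        if prefix in text:
            rest = text[text.index(prefix) + len(prefix):]
            match = re.match(r"\S+", rest)
            found.append((" > ".join(chain) or "plain", match.group(0) if match else ""))
            return
        if remaining == 0:
            return
        for name, decoder in DECODERS.items():
            try:
                out = decoder(text)
            except ValueError:          # UnicodeError and binascii.Error are subclasses
                continue
            if out != text and out.isprintable():
                walk(out, chain + [name], remaining - 1)

    walk(blob, [], depth)
    return found


# The bit string the steganography decoder produced on level 5 (quoted above).
LEVEL5_BITS = ("01101001011011100110011001101111011100110110010101100011010111110110011001101100"
               "011000010110011101101001011100110101111101110011011101000110010101100111011000010110"
               "110001101001011001010110111001110011")
# Constructed sample in the style of the level 14 dump (the real string is not reproduced here).
SAMPLE_ESCAPED = r"\u0077\u0068\u0061\u0074\u0073\u006f\u0072\u0063\u0065\u0072\u0079\u0069\u0073\u0074\u0068\u0069\u0073"
```

find_flags() is deliberately greedy: a cookie value, a header, a CSS rule or a hex dump can be pasted in as-is and the chain that worked ("rot13", "hex", "reverse") comes back with the flag, which is most of what the per-level tool hunting above was for.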
Level 15
This one was definitely the trickiest. On screen, there is a dialog box with the text, "DNS Lookup". If a domain name is typed, the 'dig' results are displayed. Initially, I typed several popular sites, including infosecinstitute.com, but the results all appeared to be correct and real. The source code did not reveal any clues. I gave up on this one for a while, although I figured it had something to do with the fact that this was the only level that appeared to be in its own subdirectory. I went back to the n00bs CTF Labs resource page looking for inspiration. I found it in two of the links there. By using a pipe or a semicolon, I was able to inject commands into the dialog and see the results in the output (!). I issued an 'ls -la' into the dialog and got the following results.
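The reason a pipe or semicolon works here is that the typed name is spliced into a shell command line, so the shell treats ";" and "|" as command separators. The level's server-side code is not shown in the write-up, so the block below is an added reconstruction of that pattern in Python (not the CTF's code), with the fix beside it: validate the input as a host name, and pass it as one argv element with no shell in between. echo stands in for dig so it runs offline.

```python
"""Command injection in a lookup form, vulnerable vs hardened (added example)."""
import re
import subprocess


def lookup_vulnerable(name: str) -> str:
    # The user's text becomes part of a shell command line, so the shell honours
    # ; | & $( ) and friends: "a.com; cat .hey" runs cat after the lookup.
    cmd = f"echo dig {name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# RFC 1123 host name: dot-separated labels of letters, digits and inner hyphens.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{1,63}\.?$",
    re.IGNORECASE,
)


def is_hostname(name: str) -> bool:
    """Allow-list check: anything a shell could act on is not a host name."""
    return bool(HOSTNAME.match(name))


def run_dig_argv(name: str) -> str:
    # Second layer: an argv list and no shell. Whatever the string contains, it
    # reaches the program as a single argument; no interpreter ever sees it.
    return subprocess.run(["echo", "dig", name], capture_output=True, text=True).stdout


def lookup_safe(name: str) -> str:
    if not is_hostname(name):
        raise ValueError(f"not a host name: {name!r}")
    return run_dig_argv(name)
```

Both layers matter: the allow-list rejects the payload outright, and the argv form means that even a validation bug could not turn the input into a second command.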
Ha! Look at that! A file called .hey. This must be why the level had its own dir. Next, I issued a 'cat .hey' into the dialog and was greeted with this:
Now, we're getting somewhere! This one stumped me, though. I did a search for "Miux+" with no definitive results, then I noticed the last five characters are "ZLibC". This was a red herring that led me down a gzip/zlib path for far too long. The plus signs in the string convinced me that this must be encrypted and I tried several methods of "decrypting" it with no luck. Then, just as I was about to give up, I came across the website http://crypo.in.ua/tools/. I pasted the string into the first decoder available (ATOM-128) and "infosec_flagis_rceatomized" appeared on my screen! I fist-pumped into the air! The last flag is "rceatomized". In hindsight, ATOM-128 is not encryption at all: it is base64 with a shuffled alphabet, in which "+" and "=" are ordinary data symbols, so the base64-looking character set and a length that is a multiple of four were the real clues.
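Because ATOM-128 is only a re-lettered base64, it can be undone without a website: map its alphabet onto the standard one and hand the result to a normal base64 decoder. The block below is an added example, not code from the write-up or from the crypo site; the alphabet is the one the crypo.in.ua tool publishes, in which position 64 ("C") is the padding symbol. The only piece of the level's ciphertext reproduced above is its first characters "Miux+", and those alone already decode to "inf", which is a cheap way to confirm the guess before decoding the whole string; the round-trip text in the test is constructed.

```python
"""ATOM-128 (base64 with a shuffled alphabet), added example not from the write-up."""
import base64

ATOM128 = "/128GhIoPQROSTeUbADfgHijKLM+n0pFWXY456xyzB7=39VaqrstJklmNuZvwcdEC"
STANDARD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
if len(ATOM128) != 65 or len(set(ATOM128)) != 65 or len(STANDARD) != 65:
    raise RuntimeError("alphabet must be 64 distinct data symbols plus one padding symbol")

TO_STANDARD = str.maketrans(ATOM128, STANDARD)
TO_ATOM = str.maketrans(STANDARD, ATOM128)


def atom128_decode(text: str, partial: bool = False) -> bytes:
    """Translate symbol-for-symbol into standard base64, then decode.
    With partial=True a trailing incomplete quartet (e.g. the '+' in 'Miux+')
    is dropped instead of raising, which is handy for checking a prefix."""
    cleaned = "".join(text.split())
    unknown = set(cleaned) - set(ATOM128)
    if unknown:
        raise ValueError(f"not ATOM-128 symbols: {''.join(sorted(unknown))!r}")
    if partial:
        cleaned = cleaned[: len(cleaned) // 4 * 4]
    return base64.b64decode(cleaned.translate(TO_STANDARD), validate=True)


def atom128_encode(data: bytes) -> str:
    """Standard base64, then the reverse symbol substitution."""
    return base64.b64encode(data).decode("ascii").translate(TO_ATOM)
```

The same two-line trick (maketrans to the standard alphabet, then b64decode) undoes any of the "base64 with a custom table" schemes these tool sites offer; only the alphabet string changes.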
Thanks for the challenge!