NorthSec 2020 – CTF-101 Workshop

Sysadmin

SSH 1

The ability to use SSH keys is a key skill (pun intended) for a CTF player and someone in the security field.

  • Username: user
  • Hostname: ctf101.nsec.io
  • Port: 2222
# Solution
chmod 600 ssh-keypair
ssh -p 2222 -i ssh-keypair user@ctf101.nsec.io
FLAG-34fbdc6ce1b3640bf58d30794ecf268e465dc0ab

SSH Tunnel

From the pivotbox machine (acquired in the SSH challenge), you can reach a service that spits out a secret. However, pivotbox lacks many tools like nc or socat. Maybe we should learn to use SSH tunnels to reach that service?
The service is at sysadmin-service (from pivotbox) on port 5555.

# Solution
From my Kali:
ssh -L 12345:sysadmin-service:5555 -p 2222 -i ssh-keypair user@ctf101.nsec.io

Open another window in my Kali:
nc 127.0.0.1 12345
FLAG-1db6cc08fdc1fc60c1501ae3656e1e38bf83da99

Web

Source 1

Use the source, Luke. Said a thousand challenge designers before me. http://ctf101.nsec.io:8010/

Display the web page source code.
FLAG-e580002806ea30b30ac6ac6bde73359ef2afc245

SQL 1

http://ctf101.nsec.io:8020/

Enter ' in the search box to see the SQL query.
SELECT * FROM items WHERE name LIKE "%'%"

# We want this query:
SELECT * FROM items WHERE name LIKE "%" or 1=1 --%"

Enter " or 1=1 --
FLAG-d649c5b169e507b13bf86c405ba0f3dd115184db

XSS (self)

Can you XSS yourself? http://ctf101.nsec.io:8030/ Important: your payload must absolutely contain alert(1).

Enter alert(1) in the search box... not even an XSS...
FLAG-0d6077f6c8e0cb31139235c98a1a971ee0311b48

Forensics

Encoding

SW4gdGhpcyBmaWVsZCB5b3Ugc2hvdWxkIHJlY29nbml6ZSBiYXNpYyBlbmNvZGluZyB0ZWNobmlx
dWVzIGp1c3QgYnkgbG9va2luZyBhdCB0aGVtLgpDb25ncmF0cyBiZWNhdXNlIGl0IGp1c3QgbG9v
a3MgbGlrZSB5b3UgZGlkIHNvLiBIZXJlIGlzIHlvdXIgZmxhZy4KCkZMQUctY2M4YjQ4MTNjZDc2
OGE2MDIxZWJkMWZiYzNmOWVjZjVmYjlkMjRlNgo=
echo 'SW4gdGhpcyBmaWVsZCB5b3Ugc2hvdWxkIHJlY29nbml6ZSBiYXNpYyBlbmNvZGluZyB0ZWNobmlxdWVzIGp1c3QgYnkgbG9va2luZyBhdCB0aGVtLgpDb25ncmF0cyBiZWNhdXNlIGl0IGp1c3QgbG9va3MgbGlrZSB5b3UgZGlkIHNvLiBIZXJlIGlzIHlvdXIgZmxhZy4KCkZMQUctY2M4YjQ4MTNjZDc2OGE2MDIxZWJkMWZiYzNmOWVjZjVmYjlkMjRlNgo=' | base64 -d

FLAG-cc8b4813cd768a6021ebd1fbc3f9ecf5fb9d24e6

Document 1

Find a hidden flag in this document. The document contains two flags. This is the easiest of the two.

strings -e l LOG619-A09-Plan.doc | grep -i FLAG
or
Open the document, change the colour of all the text and go to the bottom of the file.
FLAG-8528984c0a09d9dab82aa79219642d93d8c19b19

Document 2

There is another flag in that document. This time it is a little harder to find.

  • Note: This is the same document as the challenge document 1.
  • Note 2: The flag is in French (but still starts with FLAG-)
The letters are white on a white background in a very small font. Zoom in.
FLAG-leflagdufinobservateur

Network

Because all CTFs have pcaps. Pcap files are opened with Wireshark.

Look at the ICMP packets one by one; you can see they contain
F
L
A
G
-
...
FLAG-networkforensicsexpert
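Clicking through packets in Wireshark works for a short flag, but a forensics analyst would script the extraction. The following is an added example, not part of the workshop: it builds a small constructed pcap in the same shape as the challenge capture (one ICMP echo packet per flag character) and then walks the file with only the standard library, concatenating every ICMP payload. The builder, the addresses and the flag text are all constructed sample data.

```python
import struct

# pcap global header: magic, v2.4, thiszone 0, sigfigs 0, snaplen 65535, LINKTYPE_ETHERNET (1)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def build_icmp_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/ICMP echo-request frame carrying `payload`."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload   # type 8, code 0, checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # protocol 1 = ICMP
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"             # EtherType 0x0800 = IPv4
    return eth + ip + icmp


def build_pcap(chars: str) -> bytes:
    """Constructed capture: one ICMP packet per character, like the challenge pcap."""
    out = PCAP_GLOBAL_HDR
    for ch in chars:
        frame = build_icmp_frame(ch.encode())
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame  # record header
    return out


def icmp_payloads(pcap: bytes):
    """Yield the ICMP payload of every ICMP-over-IPv4 frame in a little-endian pcap."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        if frame[23] != 1:
            continue                                  # not ICMP
        icmp = frame[14 + ihl:14 + total_len]
        yield icmp[8:]                                # skip the 8-byte ICMP header


def extract_flag(pcap: bytes) -> str:
    """Reassemble the flag spread one character per ICMP packet."""
    return b"".join(icmp_payloads(pcap)).decode(errors="replace")


if __name__ == "__main__":
    print(extract_flag(build_pcap("FLAG-networkforensicsexpert")))
```

On a real capture, read the file bytes and pass them to `extract_flag`; the same walk works for any pcap where the data rides in ICMP payloads.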

Reverse-Engineering

Crackme

A simple and safe to execute* crackme. The objective is to extract the flag from it. People already familiar with binary analysis should take the -hard version for added fun. The difference is just that symbols are stripped. *: you will have to trust me on that

# Install pwndbg
git clone https://github.com/pwndbg/pwndbg
cd pwndbg
./setup.sh

gdb crackme
pwndbg
r (will run the program)
bt (backtrace)
CRASHES ON raise.c
enter c (to continue)
FLAG-b5488f733acbaf0918a52495a4e8e82c0dd7a276