DEF CON 2020 CTF writeups

This was my first DEF CON and the second time I did CTFs, and I have to say that I really enjoyed it. Originally I had planned to do the Blue Village (Open SEC) but then I changed my mind. I wanted to experience being part of a blue team, especially since it’s very easy to find websites for capture-the-flag and red team practice while the same cannot be said for defensive activities, but after thinking about it I decided to go for the Red Village.
Two main reasons for that:

  • I was in the mood for red team challenges, so I wanted to do something that I enjoy rather than forcing myself to do something else (that would have been useful, but I would have done it half-heartedly).
  • Recently I’ve been jumping between a lot of interesting topics in cybersecurity, but I need to focus and become (at least) good enough in one area before moving to the next, so I’ve decided to focus on web application hacking and Python. Doing red team challenges would help me stay on course with that plan.

In this article, you will find the challenges I solved. This time I’m writing everything in one post, and there aren’t as many screenshots as in my HacktivityCon writeups, but everything should be clear enough.

Tunneler

1 Bastion

The hint:
[Screenshot: the challenge hint]

Connect to it using the command:

~$ ssh tunneler@164.90.147.46 -p 2222

The flag was in the welcome message.

[Screenshot: the welcome message]

2 Browsing websites

The welcome message from the previous challenge explained what to do in the next two challenges (so these challenges were sequential: you solve one and can then do the next in line, rather than standalone challenges like in the HacktivityCon).

In fact, this was about connecting to the server http://10.174.12.14/ on port 80, tunnelling the traffic through the server used in the previous challenge. I tried to SSH through it but did something wrong (more on this later), so I moved on to other approaches, like checking whether there was other software on the machine that I could use.
The usual tools for connecting to other machines were either not working or I didn’t have permission to use them (e.g. ssh and wget gave a ‘permission denied’ error, and the rest, like telnet, netcat, openssh, socat, ftp, etc., were not on the system).

sftp worked, but when trying to ssh through it I got the same Permission Denied error for ssh.

I tried for a while using openssl to send a GET request, but I couldn’t make it work; I’m not sure whether it was because I was using the wrong command or because what I wanted wasn’t possible.

I was using this command:

~$ echo -e "GET / HTTP/2.0\r\nHost:10.174.12.14:80\r\nConnection: close\r\n" | openssl 2>&1 s_client -quiet -connect 10.174.12.14:80

but I had this error:
139856755975488:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:

At that point I had the feeling that I was missing something, so I asked on Discord whether someone knew how to ssh from one machine to another, and a user (INIT_6) helped me with an example command for what I needed:

~$ ssh -L 8000:IP_webserver:80 user@IP_of_ssh_server

It turns out it was the command I ran the first time I tried this challenge, but I had missed one important step: opening localhost:8000 in my browser, which connected me to the webserver. I am a n00b with ssh, so while I was expecting something to happen in the terminal where I ran the command, I had forgotten that the forward was listening on localhost.
INIT_6 explained how that command works and it all made sense; it had been a long time since I used ssh for something like this and I had totally forgotten this part.

I got the flag by going to localhost:8000 with my browser.

3 SSH in tunnels

For the third challenge, I checked that GatewayPorts was set to ‘yes’ using

~$ cat /etc/ssh/sshd_config

[Screenshot: the two terminals used for the tunnel]

Challenge 3 was about connecting to a pivot server via ssh, so I did that with a command similar to the previous challenge’s:

In one terminal (on the right, in the above screenshot):

~$ ssh -L 8000:10.218.176.199:22 tunneler@164.90.147.46 -p 2222

In a second terminal (on the left, in the screenshot):

~$ ssh whistler@127.0.0.1 -p 8000
(using the password provided in the first server’s welcome message)

and I was in. Third flag found.
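A check of the sshd_config directives behind the forwards used in these challenges, added here as an example (not from the writeup) over a constructed config fragment that reuses the two internal addresses from the tasks: sshd keeps the first value it sees for a keyword and ignores later duplicates; AllowTcpForwarding and PermitOpen govern -L forwards like the ones above, while GatewayPorts only decides whether -R forwards may listen on non-loopback interfaces. Match-block overrides are collected separately and their criteria are not evaluated.

```python
# Constructed sshd_config fragment (not the CTF bastion's real file). The
# addresses in PermitOpen are the two internal hosts from the challenges.
SAMPLE_SSHD_CONFIG = """\
# Bastion forwarding policy
Port 2222
AllowTcpForwarding yes
GatewayPorts no
#GatewayPorts yes
PermitOpen 10.174.12.14:80 10.218.176.199:22
GatewayPorts yes
Match User tunneler
    AllowTcpForwarding local
"""

# sshd's own defaults for the directives that matter for port forwarding.
DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no", "permitopen": "any"}

def forwarding_policy(config_text):
    """Return (global settings, per-Match overrides) for the forwarding
    directives, applying sshd's first-match-wins rule: the first value seen
    for a keyword is kept and later duplicates are ignored. '#' starts a
    comment; lines after a 'Match' belong to that block (criteria unevaluated)."""
    settings, overrides, block = {}, {}, None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.replace("=", " ", 1).partition(" ")  # "key value" or "key=value"
        key, value = key.lower(), value.strip()
        if key == "match":
            block = value
        elif key in DEFAULTS:
            target = overrides.setdefault(block, {}) if block else settings
            target.setdefault(key, value)                       # first occurrence wins
    return {**DEFAULTS, **settings}, overrides

def forwarding_findings(config_text):
    """Points a bastion admin would review before exposing the host."""
    glob, overrides = forwarding_policy(config_text)
    findings = []
    if glob["allowtcpforwarding"] != "no" and glob["permitopen"] == "any":
        findings.append("TCP forwarding is allowed to any destination")
    if glob["gatewayports"] != "no":
        findings.append("GatewayPorts lets -R forwards listen on non-loopback interfaces")
    for block, values in overrides.items():
        for key, value in values.items():
            findings.append(f"Match {block}: {key} set to {value}")
    return findings
```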


Training

These challenges were just quick training levels, where you log in to the first machine and follow the instructions to find the password for the next level (the passwords are also the flags).
It’s pretty much a tutorial on how to use Linux, like how to use cat, what files to look for, etc. Not worth posting the writeups.


Crypto Ciphers and encodings

n Eggs

As the name suggests, and a quick look at the message in the challenge confirms, this was Bacon’s cipher:

BAABA BAAAB AAAAB AAAAA AAABA ABBAB ABBAA ABAAA BAAAB ABABB BABBA ABBAA AAAAA ABABB AABAA

It’s a pretty simple one, invented by Sir Francis Bacon (hence the name), so it just took finding an online decoder to collect the flag. This is an explanation of how this cipher works.
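The decoding step in Python, added here as an example (it is not the online decoder the writeup used): Bacon’s cipher maps each letter to a group of five A/B symbols, and in the classical 24-letter alphabet, where I/J and U/V share a code, the groups above decode to readable text, while the 26-letter variant turns the same groups into gibberish. Which alphabet a decoder assumes is the first thing to check when it returns nonsense.

```python
import string

# Classical (24-letter) Bacon alphabet: I/J share a code, as do U/V.
CLASSICAL = [c for c in string.ascii_uppercase if c not in "JV"]
# Modern (26-letter) variant: every letter gets its own 5-bit code.
MODERN = list(string.ascii_uppercase)

def bacon_decode(ciphertext, alphabet=CLASSICAL, zero="A", one="B"):
    """Decode whitespace-separated 5-symbol Bacon groups into letters."""
    bits = "".join(ciphertext.split())
    if set(bits) - {zero, one}:
        raise ValueError(f"ciphertext must contain only {zero}/{one}")
    if len(bits) % 5:
        raise ValueError("ciphertext length is not a multiple of 5")
    out = []
    for i in range(0, len(bits), 5):
        group = bits[i:i + 5]
        idx = int(group.replace(zero, "0").replace(one, "1"), 2)  # AAAAA=0, AAAAB=1, ...
        if idx >= len(alphabet):
            raise ValueError(f"group {group} has no letter in this alphabet")
        out.append(alphabet[idx])
    return "".join(out)

# Ciphertext of the "n Eggs" challenge, copied from the writeup.
CHALLENGE = ("BAABA BAAAB AAAAB AAAAA AAABA ABBAB ABBAA ABAAA "
             "BAAAB ABABB BABBA ABBAA AAAAA ABABB AABAA")

if __name__ == "__main__":
    print("24-letter:", bacon_decode(CHALLENGE))          # TSBACONISMYNAME
    print("26-letter:", bacon_decode(CHALLENGE, MODERN))  # SRBACNMIRLWMALE
```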


All about the base

This challenge had an obviously base64-encoded text, dHN7SXNUaGlzRW5jcnlwdGlvbn0=, which decodes to the flag: ts{IsThisEncryption}

et tu brute

Another super easy one; the name gave away that it was a Caesar cipher with a shift of 13 (ROT13):
gf{NaByqvrOhgNTbbqvr} > ts{AnOldieButAGoodie}

I wrote about it here: Caesar Mirror


CovidScammers

Free Flag (and binary)

This challenge provided a file and the story behind it: a malware sample that had infected a company, and throughout the series of challenges you needed to follow the breadcrumbs to find the attackers.

The first flag was easy: run the strings tool on the file and search for ‘flag’ in the output.

Who Me?

This one was also easy: the name of the malware, ‘TheCovidBotNet’, was in the strings output pretty much at the beginning of the file.

Originally, to find the name of the malware, I went to check for it on virustotal.com using its MD5 hash, but the answer was much easier.

Scouting

In this challenge I needed to find the domain of the server. There was apparently nothing in the strings output, but I noticed a Base64-encoded string near the beginning of the file, and by decoding it I found the domain (which was the flag for this challenge: covidfunds.net).


Forensics

Just a nice picture

[Image: the challenge picture, ctf.jpg]

We were provided with the above picture.

I ran the file through the usual suspects (exiftool, strings, stegsolve, steghide) and none of them gave any result.

But binwalk was successful.

~$ binwalk ctf.jpg

showed that there was ZIP archive data inside the file:

[Screenshot: binwalk output]

So I used

~$ binwalk -e ctf.jpg

which is the option that makes binwalk try to automatically extract the file types it recognises.
It was a zip file with a password-protected flag.txt inside.

I then used fcrackzip to crack the password with the classic rockyou wordlist.

[Screenshot: fcrackzip output with the cracked password]

Password found, opened the file, and found the flag.
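What binwalk spotted, reproduced in Python as an added example (not the writeup’s tools) over a constructed JPEG-shaped blob with a ZIP appended to it: a JPEG ends at its EOI marker (FF D9), so any bytes after it are foreign data, and the ZIP local-file-header magic PK\x03\x04 identifies them. The marker segments are walked by their declared lengths rather than searching for the first FF D9, because an APP segment such as an EXIF thumbnail carries a complete inner JPEG with its own EOI.

```python
import io
import zipfile

def build_sample():
    """Constructed stand-in for the CTF picture (not the real file): SOI, an
    APP0 (JFIF) segment, an APP1 segment holding a thumbnail-like inner JPEG
    (so a naive search hits the wrong FF D9), the real EOI, then a ZIP."""
    app0 = b"\xff\xe0\x00\x10" + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"\xff\xe1\x00\x0c" + b"Exif\x00\x00" + b"\xff\xd8\xff\xd9"
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("flag.txt", "ts{constructed_sample_not_the_real_flag}")
    return b"\xff\xd8" + app0 + app1 + b"\xff\xd9" + zip_buf.getvalue()

def jpeg_end_offset(data):
    """Walk the marker segments and return the offset just past the EOI.
    Segments are skipped by their declared length, so an EOI inside an EXIF
    thumbnail is never mistaken for the image's own; after SOS the entropy-
    coded data is scanned past stuffed FF 00 bytes and RSTn markers."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                                   # EOI
            return pos + 2
        if marker == 0xFF:                                   # fill byte
            pos += 1
            continue
        if 0xD0 <= marker <= 0xD8 or marker == 0x01:         # markers without a length
            pos += 2
            continue
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                                   # SOS: skip the scan data
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] not in (0x00, *range(0xD0, 0xD8))
            ):
                pos += 1
    raise ValueError("no EOI marker found")

def appended_zip_members(data):
    """Member names of a ZIP appended after the image, or [] if there is none."""
    tail = data[jpeg_end_offset(data):]
    if not tail.startswith(b"PK\x03\x04"):
        return []
    with zipfile.ZipFile(io.BytesIO(tail)) as zf:
        return [info.filename for info in zf.infolist()]
```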


Tom Nook series of challenges

This was a series of challenges where you needed to find some info inside a .pcap file.

You needed to find the host IP address, the server IP address, the name of the file that was downloaded, and a flag: all of this could be found simply by reading the .pcap file in Wireshark.

[Screenshot: Wireshark pcap inspection]

The other two challenges (which unfortunately I didn’t complete) were about finding the password of the .zip file that Tom Nook uploaded, and the flag inside it. I thought the .zip file could be downloaded with ‘File > Export Objects > HTTP’ in Wireshark, but it didn’t work. That functionality can usually be used to save files that have been captured, but in this case it didn’t (or something additional needed to be done first).


Logs

In this challenge we were provided with a fail2ban log file, and the tasks were about finding specific information in it.

1 – What failed

Hint: Which service was being protected?
Just a look at the log revealed it was ‘ssh’.

The rest of the challenges could be resolved with tailored grep commands:

2 – Who failed

Hint: How many different IP addresses were banned?
~$ grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+" fail2ban.log | sort | uniq
(The solution was the total number of IPs returned by that command, minus the host)

3 – We failed

Hint: How many times did the fail2ban service reach an unrecoverable state?

Just a grep for the word ‘CRITICAL’:
~$ grep -oP "CRITICAL" fail2ban.log | wc -l

4 – Whom failed

Hint: What was the most frequently banned IP address?

~$ grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+" fail2ban.log | sort | uniq -c
(The solution was the IP with the second-highest count; the one with the highest was the host)
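The same four questions answered with a small parser, added here as an example (not the writeup’s commands) and run over a constructed fail2ban.log excerpt: only ‘Ban’ lines are counted, so ‘Found’ and ‘Unban’ lines and the host’s own address never inflate the numbers, which is the ‘minus the host’ adjustment the grep output needed.

```python
import re
from collections import Counter

# Constructed fail2ban.log excerpt (not the CTF's file). 203.0.113.5 is
# banned twice, 192.0.2.44 once, 198.51.100.7 is only "Found" and never
# banned, and the service logs one CRITICAL error.
SAMPLE_LOG = """\
2020-08-08 10:00:00,001 fail2ban.server         [812]: INFO    Starting Fail2ban v0.10.2
2020-08-08 10:00:00,050 fail2ban.jail           [812]: INFO    Jail 'sshd' started
2020-08-08 10:05:12,101 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.5 - 2020-08-08 10:05:11
2020-08-08 10:05:13,102 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2020-08-08 10:09:44,200 fail2ban.filter         [812]: INFO    [sshd] Found 198.51.100.7 - 2020-08-08 10:09:43
2020-08-08 10:15:13,300 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.5
2020-08-08 10:22:09,400 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.44
2020-08-08 10:31:00,500 fail2ban.server         [812]: CRITICAL Unhandled exception in Fail2Ban:
2020-08-08 10:40:13,600 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
"""

# One fail2ban record: "timestamp component [pid]: LEVEL message"
RECORD_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<component>fail2ban\.\w+)\s+\[\d+\]: "
    r"(?P<level>[A-Z]+)\s+(?P<msg>.*)$"
)
# A ban event: "[jail] Ban <ipv4>". "Unban" has a lowercase b, so it cannot match.
BAN_RE = re.compile(r"^\[(?P<jail>[^\]]+)\] Ban (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")

def records(log_text):
    """Yield (level, jail, ip) per parseable line; jail and ip are None
    unless the line is a ban event."""
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # ignore lines that are not fail2ban records
        ban = BAN_RE.match(m.group("msg"))
        yield m.group("level"), (ban and ban.group("jail")), (ban and ban.group("ip"))

def protected_services(log_text):            # 1 - what failed
    return sorted({jail for _, jail, _ in records(log_text) if jail})

def ban_counts(log_text):                    # 2 - who failed (len() is the answer)
    """Ban events per IP; Found/Unban lines and the host never count."""
    return Counter(ip for _, _, ip in records(log_text) if ip)

def critical_count(log_text):                # 3 - we failed
    return sum(1 for level, _, _ in records(log_text) if level == "CRITICAL")

def most_banned(log_text):                   # 4 - whom failed
    return ban_counts(log_text).most_common(1)[0]
```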


Programming

Roll for initiative

I wasn’t planning to do any programming challenges, but being a huge fan of role-playing games I couldn’t help myself and clicked on this challenge to see what it was about.

It was about connecting to the server and entering a number; the server would tell you whether the number was correct, and if not, it would give you the correct number.

[Screenshot: the roll for initiative solution]

There was an identical challenge last week at the H@cktivityCon and I couldn’t do it because it was taking too much time to scout for the info I needed to write the script (I’m still learning Python and so far I had never used the modules I needed for that challenge).

But after H@cktivityCon I checked some writeups of the challenges I couldn’t complete, so I knew what I was looking for. I came across this writeup from another user and just had to modify the script to make it work for this challenge. After letting the script run for a couple of minutes, I got the flag.

OSINT

OSINT flag-543as

The hint was: Peter Gibbons has been looking for a job. Flag format is not ts{} or TS{}

Peter Gibbons is a character from the movie Office Space, and the hint mentioned a ‘job’, so I searched LinkedIn for the flag number in the name of the challenge:

On google: site:linkedin.com flag-543as

This showed a profile with the character’s picture, and the flag was in the about me section.

A longer way (and possibly the intended way to solve this) would have been to search for the character’s name on LinkedIn, recognise the character’s picture (there are several Peter Gibbons in the world), and check the profile.
Also, the profile’s company was ‘Initech’, the same one as in the movie, another clue to narrow down the possibilities.

OSINT flag-73843ri

Hint: Michael Bolton might have a flag floating around in his location in one of the big socials. The content of the flag is not in TS{} format.

The flag was in the ‘location’ field of his Twitter profile (this is another character from the Office Space movie, and there was a fake account for him).

I found it through Google by searching for the code in the challenge name, but as with the previous challenge, that probably wasn’t the intended way to solve it.


Workout at home gym

I wasn’t sure about posting this writeup because, when doing the challenge, I recovered the flag and was ready to do the second challenge of this series (but the website was struggling to come back up after someone messed with it, so I couldn’t finish). When I tried to do the challenge again to take some screenshots for this writeup, I couldn’t reach the shell again, so either I forgot to write down some command in my notes, or some other player messed with my challenge.

1 – Pop a shell on that

This looked like a gym website, with some pages about the gym, its programme, etc., and a login function. When navigating to pages other than the home page, an error related to the file functions.php showed in the header.

While doing some tests I saw that I could pass commands using this:
http://164.90.147.56:8080/index.php?action=phpinfo (this showed the phpinfo page).

The hint said that they had left something in the root of the file system, so I tried:
http://164.90.147.56:8080/index.php?action=/etc/root

and I found a page with several scripts: an execute function, an upload one, etc.

I used the ‘execute’ command on that page with
find / -name "*flag*"

and found the file flag.txt with the flag.

Then someone killed the server and I couldn’t get back to it before the end of the qualifications, so that was it for me.

If you are interested in writeups and challenges, I wrote 3 articles about the H@cktivityCon CTFs. This is the first one.