SquareCTF

During the past week some colleagues and I decided to participate in a CTF, https://squarectf.com/. I captured some of the flags and thought I would share my solutions and the process I used to solve them.

The Robot’s Grandmother (Forensics) 50p
Robots have grandparents too!

So let’s dive in. The first challenge I looked at was in the forensics category. The challenge gave you the following information:

“Every once in a while we see the Grand Robot Leader Extraordinaire communicating over email with the Grand Robot Matriarch. We suspect there might be secret communications between the two, so we tapped into the network links at the Matriarch’s house to see if we could grab the password to the account. We got this file, but our network admin is gone for two weeks training pigeons to carry packets. So we don’t actually know how to read this file. Can you help us?

This challenge will be discussed at Capture the Flag: Learning to Hack for Fun and Profit at the 2017 Grace Hopper Celebration.”

https://cdn.squarectf.com/challenges/the-robot’s-grandmother.pcap

So, let’s get started. First we download the pcap and fire up a terminal. We use tcpdump to take a look at the content of the file.

It is pretty clear that we are looking at a network capture of an SMTP authentication, and that the username and password are base64 encoded. Base64 is an encoding, not encryption, so we simply decode the strings and get the first flag.
VXNlcm5hbWU6bWFsbG9yeQ== gives us Username:mallory
UGFzc3dvcmQ6 gives us Password:
And decoding the password gives us the flag:
ZmxhZy1zcGluc3Rlci1iZW5lZml0LWZhbHNpZnktZ2FtYmlhbg==
flag-spinster-benefit-falsify-gambian
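The decoding step above, as an added example that is not code from the write-up: the session below is constructed to mirror the challenge capture (AUTH LOGIN, where the server’s “Username:”/“Password:” prompts and the client’s answers are all base64), and the extractor only decodes tokens inside the AUTH exchange, because ordinary SMTP words such as EHLO are also valid base64 and would produce garbage if decoded blindly.

```python
"""Recover AUTH LOGIN credentials from a cleartext SMTP session.

Added example, not code from the write-up. With AUTH LOGIN the server's
"Username:"/"Password:" prompts and the client's answers are base64, which
is an encoding rather than encryption, so anything on the path (or a pcap)
can read them. Only tokens inside the AUTH exchange are decoded, because
plenty of ordinary SMTP words (EHLO, DATA) are valid base64 too.
"""
import base64

# Constructed SMTP dialogue modelled on the challenge; "S:" server, "C:" client.
SAMPLE_SESSION = """\
S: 220 mail.example.test ESMTP ready
C: EHLO client.example.test
S: 250-mail.example.test
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: bWFsbG9yeQ==
S: 334 UGFzc3dvcmQ6
C: ZmxhZy1zcGluc3Rlci1iZW5lZml0LWZhbHNpZnktZ2FtYmlhbg==
S: 235 2.7.0 Authentication successful
"""


def b64_text(token):
    """Decode one base64 token to text; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a ValueError subclass
        return None


def extract_auth_login(session):
    """Return {"username": ..., "password": ...} from an AUTH LOGIN exchange.

    Handles the prompt/response form shown in the capture and the variant
    where the client sends the username as an initial response
    ("AUTH LOGIN <base64>").
    """
    creds, in_auth, prompt = {}, False, None
    for line in session.splitlines():
        side, _, text = line.partition(": ")
        text = text.strip()
        if side == "C" and text.upper().startswith("AUTH LOGIN"):
            in_auth, parts = True, text.split()
            if len(parts) == 3:                 # initial response = username
                creds["username"] = b64_text(parts[2])
        elif not in_auth:
            continue
        elif side == "S" and text.startswith("334 "):
            # Server prompt such as "Username:" becomes the key "username"
            prompt = (b64_text(text[4:]) or "").rstrip(":").lower()
        elif side == "C" and prompt:
            creds[prompt] = b64_text(text)
            prompt = None
        elif side == "S" and text[:3] in ("235", "535"):
            in_auth = False                     # auth finished, stop decoding
    return creds


if __name__ == "__main__":
    for key, value in extract_auth_login(SAMPLE_SESSION).items():
        print(f"{key}: {value}")
```

Run against a capture of your own mail servers (after reassembling the TCP stream), the same check is a quick way to find clients that still authenticate without STARTTLS, which is the condition that made this challenge solvable with nothing more than base64.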

Reading between the lines (Forensics) 100p

Evil Robot Corp accidentally made their S3 bucket public and we were able to grab this backup archive before we were kicked out. We think there might be a secret in here, but we can’t find it. Can you help us?

https://cdn.squarectf.com/challenges/reading-between-the-lines.zip

Sniffed Off the Wire (Forensics) 100p

After weeks of perching, our avian operatives captured a suspicious network flow. Maybe there’s valuable data inside?

https://cdn.squarectf.com/challenges/sniffed-off-the-wire.pcap

Needle in the haystack (Forensics) 500p

We infiltrated Evil Robot Corp’s network and were able to get this partial data dump of one of their production hosts before their Android Monitoring Systems kicked us out. Can you do anything with it? We know they aren’t good at developer best practices when doing app development.

https://cdn.squarectf.com/challenges/needle-in-the-haystack

We download the file needle-in-the-haystack (5.2 MB). Since we don’t have any clue what the file is, I run binwalk on it. Binwalk gives us the following output.

At first glance it looks like a web root that uses Ruby and HTML. We try to extract the files with the binwalk -Me flags and see if we get lucky.
The extraction gives us multiple files. We now have the extracted web root and a .git repository. We can see that this is a blog that uses Ruby/SQLite etc.
I started out with some strings, find and grep magic, but it only yielded me a rickroll, pretty funny: “flap-12b36a752f93870393d8311b4e1529c1”.
Well okay, let’s figure this out. There is a git repo, so let’s look at that.

So we open up a terminal and change directory to
/_needle-in-the-haystack-1.extracted/_7000.extracted/blog/
and run git status, which gives us

Untracked files:
  (use "git add <file>..." to include in what will be committed)

	../0.tar
	app/views/layouts/_application.html.erb.extracted/
	public/_404.html.extracted/
	public/_422.html.extracted/
	public/_500.html.extracted/

nothing added to commit but untracked files present (use "git add" to track)

So we run git add . and get the following output:

On branch master
Changes to be committed:
  (use "git reset HEAD <file>..." to unstage)

	new file:   app/views/layouts/_application.html.erb.extracted/10
	new file:   public/_404.html.extracted/10
	new file:   public/_422.html.extracted/10
	new file:   public/_500.html.extracted/10

Untracked files:
  (use "git add <file>..." to include in what will be committed)

	../0.tar

We look at the extracted files; nothing there.
So we use git fsck to see if there is anything dangling.
And guess what, there is, so let’s look at them all.

Chutulu:blog jeslar$ git fsck
Checking object directories: 100% (256/256), done.
dangling tree c58c3838c1a069844ff74d9c6b0faf3a03c0a661
dangling tree c6dcb8fd523ca7e94a1e82ccef6f619bc89b6593
dangling tree 044af996c5452c4ba1e8c45d2cb89c78ad2fb2b0
dangling tree 114e6fc9a1dd42823788081a46e3f94216441809
dangling tree 3f7a35d54d0f7039dfa4013d0b2253ed5d8961eb
dangling tree 6eeef8d6797133deb01ff6a6f99b7398ab91b56f
dangling tree cf8e5a320a2272ed5241861cbd3b8378a99f8322
dangling tree d2aa3dcaad5384ac246f6691c51808453b398611
dangling tree e166633450acad6e24e92c3db54164fe27b2229c
dangling tree 25270a98bc986cf8cf7e3f5b90e3067f48833d19
dangling tree 2d3fbeeb29c30aac988da970b6125f3e224f892a
dangling tree c4cf9f2965884d7e01689f19772fe619ed3b42cb
dangling tree f34b576f10700f77bdefe8eeb56daa9979c9e260 

Let’s try to restore them with git fsck --lost-found; now we get both trees and commits, so let’s look at them.

Chutulu:blog jeslar$ git fsck --lost-found
Checking object directories: 100% (256/256), done.
dangling commit 3bc40c0596ac9c057c76359f00ad628662d142dc
dangling tree c58c3838c1a069844ff74d9c6b0faf3a03c0a661
dangling tree c6dcb8fd523ca7e94a1e82ccef6f619bc89b6593
dangling commit 68490b1f703f667c2dbf9032104a2dcd1039204e
dangling commit 78c94ce02529b3775330e828fcc8af524252df06
dangling commit d059d83a49da1f2d7c2540e316259d6bf501ff50
dangling tree 044af996c5452c4ba1e8c45d2cb89c78ad2fb2b0
dangling tree 114e6fc9a1dd42823788081a46e3f94216441809
dangling tree 3f7a35d54d0f7039dfa4013d0b2253ed5d8961eb
dangling tree 6eeef8d6797133deb01ff6a6f99b7398ab91b56f
dangling commit c5f299df85f0b3fb057b248909f99e6422f7ce3c
dangling tree cf8e5a320a2272ed5241861cbd3b8378a99f8322
dangling tree d2aa3dcaad5384ac246f6691c51808453b398611
dangling tree e166633450acad6e24e92c3db54164fe27b2229c
dangling tree 25270a98bc986cf8cf7e3f5b90e3067f48833d19
dangling tree 2d3fbeeb29c30aac988da970b6125f3e224f892a
dangling tree c4cf9f2965884d7e01689f19772fe619ed3b42cb
dangling tree f34b576f10700f77bdefe8eeb56daa9979c9e260

I think I’m on to something and start looking through all the commits using git show, e.g. git show 68490b1f703f667c2dbf9032104a2dcd1039204e

This shows us what a specific commit did. And guess what? An update to secrets.yml is made here =) which gives us the flag!
flag-a89a24c836bde785292b908a25b9241d

ff –git a/blog/config/secrets.yml b/blog/config/secrets.yml
new file mode 100644
index 0000000..04ec141
— /dev/null
+++ b/blog/config/secrets.yml
@@ -0,0 +1,24 @@
+# Be sure to restart your server when you modify this file.
+
+# Your secret key is used for verifying the integrity of signed cookies.
+# If you change this key, all old signed cookies will become invalid!
+
+# Make sure the secret is at least 30 characters and all random,
+# no regular words or you’ll be exposed to dictionary attacks.
+# You can use `rake secret` to generate a secure secret key.
+
+# Make sure the secrets in this file are kept private
+# if you’re sharing your code publicly.
+
+development:
+ secret_key_base: 931d2835703c6e1e4fa1ec89934437221397166646ab9e815da4fbfbf574430b660debe68678fcfe3f7e62d4c4f2003264090aa6df4e62ebbd25b8fe70ff2bc2
+
+test:
+ secret_key_base: 389e066b905e18624e71c9b84afd850c3232b72a027297ff6bb143ad069780357574c446da6ad5ac643f0a0e87bd5ca0d8855ecacc548cf00ffd29632aec0853
+
+flag: flag-a89a24c836bde785292b908a25b9241d
+
+# Do not keep production secrets in the repository,
+# instead read values from the environment.
+production:
+ secret_key_base: <%= ENV[“SECRET_KEY_BASE”] %>
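Review bot: the hunk commits literal secret_key_base values for the development and test stanzas (`+ secret_key_base: 931d2835...` and `+ secret_key_base: 389e066b...`) plus a `+flag:` entry into a tracked secrets.yml, directly under the file's own comment that the secrets in this file must be kept private; the production stanza already shows the intended shape (`<%= ENV[“SECRET_KEY_BASE”] %>`), so development and test should read from the environment the same way and config/secrets.yml should be kept out of the repository. Deleting the file in a later commit would not undo this: the write-up recovers exactly this commit from dangling objects with git fsck --lost-found, so the committed keys have to be treated as disclosed and regenerated (the comment itself points at `rake secret`).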
diff –git a/blog/test/controllers/articles_controller_test.rb b/blog/test/controllers/articles_controller_test.rb
new file mode 100644
index 0000000..361aa0f
— /dev/null
+++ b/blog/test/controllers/articles_controller_test.rb
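The recovery above (git fsck --lost-found, then git show on each dangling commit) turned into a repeatable check, as an added example that is not code from the write-up or the challenge. It builds a throwaway repository, commits a secrets.yml on a branch, deletes the branch and expires the reflogs (roughly what a hasty clean-up before publishing looks like), then shows that the commit is still recoverable and scans its diff. It needs git on PATH; every path, name, pattern and key value in it is constructed.

```python
"""Audit a git object store for secrets that no branch reaches any more.

Added example, not code from the write-up or the challenge. It repeats the
write-up's recovery steps (git fsck --lost-found, then git show on every
dangling commit) as a check a repository owner can run before publishing.
Needs git on PATH; every path, name and key value below is constructed.
"""
import os
import re
import shutil
import subprocess
import tempfile

# Constructed patterns for the demo; a real audit would carry a fuller list.
SECRET_PATTERNS = [
    re.compile(r"secret_key_base:\s*\S+"),
    re.compile(r"(?i)(password|api[_-]?key)\s*[:=]\s*\S+"),
]

# Constructed Rails-style secrets file; the key is a dummy, not a real secret.
SECRETS_YML = "development:\n  secret_key_base: 0123456789abcdef0123456789abcdef\n"


def git(repo, *args, with_stderr=False):
    """Run a git command in `repo` and return its output as text."""
    proc = subprocess.run(["git", "-C", repo, "-c", "commit.gpgsign=false", *args],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"git {args[0]} failed: {proc.stderr.strip()}")
    return proc.stdout + (proc.stderr if with_stderr else "")


def dangling_commits(repo):
    """Commit hashes that no ref reaches, as reported by git fsck --lost-found."""
    report = git(repo, "fsck", "--lost-found", with_stderr=True)
    return re.findall(r"^dangling commit ([0-9a-f]{40})$", report, re.M)


def secrets_in_commit(repo, sha):
    """Scan the lines one commit added; return (path, matched text) pairs."""
    hits, path = [], None
    for line in git(repo, "show", "--format=%H", sha).splitlines():
        if line.startswith("+++ b/"):
            path = line[len("+++ b/"):]          # file the following + lines belong to
        elif line.startswith("+") and not line.startswith("+++"):
            for pattern in SECRET_PATTERNS:
                match = pattern.search(line)
                if match:
                    hits.append((path, match.group(0)))
    return hits


def audit(repo):
    """(sha, path, match) for every secret found in dangling commits."""
    return [(sha, path, text)
            for sha in dangling_commits(repo)
            for path, text in secrets_in_commit(repo, sha)]


def build_demo_repo():
    """Throwaway repo: secrets committed on a branch, branch deleted, reflog expired."""
    repo = tempfile.mkdtemp(prefix="dangling-audit-")
    git(repo, "init", "-q")
    git(repo, "config", "user.name", "audit")
    git(repo, "config", "user.email", "audit@example.test")
    with open(os.path.join(repo, "README.md"), "w") as fh:
        fh.write("demo\n")
    git(repo, "add", "README.md")
    git(repo, "commit", "-q", "-m", "initial")
    base = git(repo, "rev-parse", "--abbrev-ref", "HEAD").strip()
    git(repo, "checkout", "-q", "-b", "feature")
    os.mkdir(os.path.join(repo, "config"))
    with open(os.path.join(repo, "config", "secrets.yml"), "w") as fh:
        fh.write(SECRETS_YML)
    git(repo, "add", "config/secrets.yml")
    git(repo, "commit", "-q", "-m", "add secrets")
    # The "clean-up": drop the branch and its reflog entries. The commit and
    # its blobs stay in .git/objects until git gc --prune removes them.
    git(repo, "checkout", "-q", base)
    git(repo, "branch", "-D", "feature")
    git(repo, "reflog", "expire", "--expire=now", "--all")
    return repo


def run_demo():
    """Build, audit and remove the demo repository; None if git is missing."""
    if shutil.which("git") is None:
        return None
    repo = build_demo_repo()
    try:
        return audit(repo)
    finally:
        shutil.rmtree(repo, ignore_errors=True)


if __name__ == "__main__":
    for sha, path, text in run_demo() or []:
        print(f"{sha[:12]} {path}: {text}")
```

The design point is the one the challenge turns on: a commit that no branch, tag or reflog entry references is invisible to git log but sits in .git/objects until git gc --prune actually deletes it, and a backup or a binwalk extraction carries the object store along. Finding such a commit with this audit means the keys in it have to be regenerated; pruning the objects only stops the next copy of the repository from carrying them.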

The blog is up!

Well, it’s a Monday night, a perfect time to get this blog up and running. I have been thinking of publishing some of my off-work projects somewhere, just to share but also as a repo of stuff that I have done.

During the day I work as a security consultant at a company called Assured, https://www.assured.se

This blog will focus on what I’m currently interested in and will be a placeholder for my projects, so please comment on them and give me feedback!

Peace for now

// Jesper