Author Archives: danrl

DEF CON CTF 2013 – Grandprix

The grandprix challenge requires us to connect to a server where we can play an ASCII game. According to the assignment text, we are advised to avoid the zebras.

Let’s check out the game first using netcat:

$ nc grandprix.shallweplayaga.me 2038
nc: using stream socket
Use 'l' and 'r' to move. Don't crash.
Press return to start
 |-----|
 |     |
 |     |
 |     |
 |     |
 |     |
 |     |
 |     |
 |     |
 |  u  |
 |-----|

The game starts with an empty field. Obviously, our position is indicated by a u. We fiddle around a little to learn how the game works. Sending an r moves the player one step right, an l one step left, and an s or an empty line moves the player straight forward.

 r
 |-----|
 |     |
 |     |
 |     |
 |     |
 |     |
 |     |
 |     |
 |     |
 |   u |
 |-----|

The more we move along, the more obstacles appear. A T marks a tree and the Zebras we were warned about are indicated by a Z.

PoliCTF 2012 – Forensics 100

This challenge (Forensics 100) was a little bit weird but solvable. It said:

Retrieve the key.

Remember to write it in capital letters.

Attachment:45141181944a722.tbz2.gpg (password: 310b44aab74809c6ec9dd026b9e8e59a5e401083 )

After unpacking the attachment we got a challenge.pcap file. Opening it in Wireshark presented us with the capture of an SSH session to a (probably) Juniper device. Some Juniper devices tend to use SSHv1 until told otherwise, so the first idea was to somehow break the encryption and submit the recovered key as the flag. There is a great tool for analyzing packet captures called Chaosreader, so we used that to meet with the pcap file in private. Unfortunately, just submitting the extracted data did not work out, but halfway through we got a Perl script named session_0001.textSSH.replay. Here is what it looks like when we execute the script:

[Animated image: PoliCTF 2012 - Forensics 100 - timing: replaying captured packets (click me, i’m anim00ted!)]

Looks like a pattern, doesn’t it? We take the 320 seconds it lasts to watch in astonishment and write down the pattern in a simpler way. Short transmissions become “.” and longer ones we write down as “-”. We now have:

....---.--..-.-----..-...-.-.....-..---.-------..-...----.--...-.-.---..--

This must be morse code! Since morse code is one of the codes where timing is everything, we have to watch the replay again to get the transmission pauses right. This is essential for decoding. We lean back for 320 seconds once again and are rewarded with:

.... --- .--. . -.-- --- ..- ...- . -... . . -. .- --. --- --- -.. -... --- -.-- ... -.-. --- ..- -

After translating the morse code to characters we finally got our flag:

HOPEYOUVEBEENAGOODBOYSCOUT

Yes, we were good boy scouts, the flag is ours!
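The same decoding done by program instead of by eye, as an added example that is not part of the original write-up: the replay only exposes when each packet burst starts and stops, so the decoder below classifies marks and gaps purely by duration (splitting at the midpoint between the shortest and longest observed value) and then looks the letters up. The timeline it decodes is constructed here from the spaced pattern above with some jitter, since the real replay timings are not reproduced on this page.

```python
# Added example (not from the original write-up): decode Morse from timings only.
import random

# International Morse, letters only (enough for this flag).
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
}

# The spaced pattern written down from the replay; used only to build a
# constructed, jittered timeline of (start, end) "keyed" intervals.
PATTERN = (".... --- .--. . -.-- --- ..- ...- . -... . . -. .- --. --- --- "
           "-.. -... --- -.-- ... -.-. --- ..- -")

def build_timeline(pattern, unit=1.0, jitter=0.2, seed=1):
    """Constructed sample: dot=1 unit, dash=3, gap inside a letter=1, between letters=3."""
    rng = random.Random(seed)
    t, intervals = 0.0, []
    for letter in pattern.split(" "):
        for sym in letter:
            length = (1 if sym == "." else 3) * unit + rng.uniform(-jitter, jitter)
            intervals.append((t, t + length))
            t += length + unit + rng.uniform(-jitter, jitter)   # gap inside a letter
        t += 2 * unit                                            # extra gap between letters
    return intervals

def decode_timing(intervals):
    """Classify every mark as dot/dash and every gap as intra/inter-letter by
    splitting at the midpoint of the observed range, then map letters."""
    marks = [end - start for start, end in intervals]
    gaps = [intervals[i + 1][0] - intervals[i][1] for i in range(len(intervals) - 1)]
    mark_split = (min(marks) + max(marks)) / 2
    gap_split = (min(gaps) + max(gaps)) / 2
    letters, current = [], ""
    for i, mark in enumerate(marks):
        current += "." if mark < mark_split else "-"
        if i == len(gaps) or gaps[i] > gap_split:   # last mark, or a letter boundary
            letters.append(MORSE.get(current, "?"))
            current = ""
    return "".join(letters)

if __name__ == "__main__":
    print(decode_timing(build_timeline(PATTERN)))   # HOPEYOUVEBEENAGOODBOYSCOUT
```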

Note: This challenge was downgraded to 75 points after a while.

PoliCTF 2012 – GrabBag 100

GrabBag 100 was this CTF’s loss leader and an easy one if you are familiar with the legendary Hackers movie from 1995 starring Jonny Lee Miller, Angelina Jolie and Jesse Bradford. The assignment read:

We need your help to hack the planet!!! Somehow we have lost a little chunk of the garbage file. We just need 4 bytes starting from address 0x000020. Please help us!!!

(Hint: in hex, lowercase, without leading 0x)

To solve the challenge just grab the old copy of Hackers you’re still hiding somewhere, power up the VHS recorder and forward to the scene where Cereal Killer opens Plague’s garbage file. The file gets hexdumped for a blink of an eye; here’s a shot:

[Image: PoliCTF 2012 - GrabBag 100 - Hackers movie garbage file: hexdumping the garbage file]

Starting from 0x20 we read four bytes as advised: 3dc6032c is the flag.

Never send a boy to do a woman’s job. (Kate)