New Zealand Cyber Security Challenge 2018 Round Zero write-up

Transcription

1 New Zealand Cyber Security Challenge 2018 Round Zero write-up Challenge 1 This is a simple challenge that can be solved using your browser s developer tools (right-click, inspect element). You will notice that the page is making a get request to flag.php NZCSC-18 Round 0 Write-up 1

2 Since the page is already making the get request, we can simply navigate to the Network tab and see the response from the get request. You might be tempted to just navigate to /challenge1/flag.php. However, you will be presented with a Try harder message. This is because the page has a HTTP referrer check and will only respond with a flag when the request is coming from within that page. NZCSC-18 Round 0 Write-up 2

3 Challenge 2 This is a simulated buffer overflow attack. The 140 character limit is a hint. Navigating to inspect element, alter the maxlength property of the textarea to anything greater than the default 140. NZCSC-18 Round 0 Write-up 3

4 Input any text that is greater than a length of 141, submit and you will be presented with the flag. NZCSC-18 Round 0 Write-up 4

5 Challenge 3 This is a simple challenge that tests your competency using the command line. A simple ls command will present you with the list of files within the directory. The flag file is not actually what you re looking for. Using the -a flag will include directory entries whose names begin with a dot. We see two additional files being exposed:.flag and.htaccess NZCSC-18 Round 0 Write-up 5

6 Doing cat.flag gives you the flag. NZCSC-18 Round 0 Write-up 6

7 Challenge 4 There are two approaches that you can take. Step 1: (Easy) Wireshark (Advanced) tcpdump Using tcpdump is less straightforward. We can use the command tcpdump -r secret.pcap -X. The flag -X is used: When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII. This is very handy for analysing new protocols. NZCSC-18 Round 0 Write-up 7

8 The pcap shows 7 packets. The first 3 is the 3-way handshake (SYN, SYN-ACK and ACK). The 4 th and 5 th packet is a HTTP request, followed by an ACK. The 6 th packet is the response for the HTTP request, which is what we are interested in. *You will need to understand packet structure and packet headers. The packet data that we are interested lies within byte Keep in mind that the HTTP response is gzip encoded. We can reconstruct the data into a gzip file like so: echo -n printf %X 1f8b cb2a48cdb632ca2a4dcf362a4dcd312d4a05007a47 f xxd -r -p > file.gzip Unzip the gzip file, open the file and a string jpek:2jugk2uel5re Step 2: From the structure of the string : We can deduce that this is a flag encrypted using a Caesar cipher. Decrypt it using key 4. NZCSC-18 Round 0 Write-up 8

9 Challenge 5 This is a steganography challenge. The drone image has been changed to an uncompressed bitmap image. NZCSC-18 Round 0 Write-up 9

10 Inspect the image file using a hex editor. The header describes exactly where the pixel data begins and ends, so any data that occurs after the end will not be displayed in the image. By looking at the last 17 bytes, we find ASCII data that appears to be an enciphered flag; guessing that this is a Caesar cipher, we get the key used to be 17. NZCSC-18 Round 0 Write-up 10

11 Bonus Challenge The bonus challenge is within challenge 5 itself. The bitmap header defines the bytes at to be the image offset value. This describes where the pixel data begins. Typically, this value is around the size of the bitmap header, but in this case is set to 222. Since the bitmap header is 122 bytes, this gives a gap of 100 bytes between the header and the pixel data. Looking at this gap we see the magic bytes BZ, indicating that there is BZ2 data hidden in this gap. Extracting this with a tool such as dd, we extract these bytes into a.bz2 file, which can be opened to reveal a.txt file containing the flag. Now we know that the magic bytes BZh at position 122 and a size of 100 bytes. We can extract them into an actual bzip file: Unzip and cat the flag! NZCSC-18 Round 0 Write-up 11