NahamCon CTF 2020 Writeup

Waqar Arain
10 min read · Jun 19, 2020
https://ctf.nahamcon.com/

I competed in NahamCon CTF and wanted to share some of the challenges I solved. Since I am new to the cyber security field, I am writing this article for those who are also new to it. I hope you enjoy reading it.

What are CTFs? A CTF is a cyber security capture-the-flag competition that challenges contestants to solve a variety of tasks covering cryptography, mobile, steganography, binary exploitation, web, forensics, OSINT, and more.

Here is a list of challenges that are in this article:

  1. Web Category: Agent95 | Localghost
  2. Miscellaneous: SSH Logger
  3. Mobile Category: Candroid | Simple App
  4. Forensics Category: Microsoft
  5. Steganography Category: Doh | My Apologies
  6. OSINT Category: Time Keeper | Finsta | Tron
  7. Warmup Challenges: Read The Rules | CLIsay | Metameme | Mr. Robot | UGGC | Pang

Web: Agent 95

Challenge description: They’ve given you a number, and taken away your name~
Connect here:
http://jh2i.com:50000

The page says that only their agent, number 95, running an old version of Windows is allowed to see the flag. This indicates that we have to modify the User-Agent string to access the flag.

A User-Agent string lets the web server tailor content to the client (browser). It can contain the OS and its version, the browser and its version, the preferred language, the browser's engine name, and device information (mobile/desktop/iPad, etc.).

Here is a list of the User-Agent tokens for different versions of Windows and some other operating systems.

I used the `User-Agent Switcher` extension in the Firefox browser to modify the User-Agent string. You can use whatever you feel comfortable with.

User-Agent Switcher plugin

After refreshing the page, it shows the flag.
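To show what the server is actually doing when it "allows" a particular agent, here is an added example (my own code, not part of the writeup or the challenge): a small User-Agent parser of the kind a server uses to pick tailored content, plus a helper that builds a request with any User-Agent the client chooses. The token tables are assumptions for illustration, and the sample UA strings are constructed. The point it makes is that the OS and browser a server "sees" come entirely from a header the client controls, so they are fine for tailoring content and useless as an access control.

```python
import re
import urllib.request

# Added example, not the writeup's code. OS tokens as they appear in User-Agent
# strings (order matters: an iPhone UA also contains "Mac OS X", an Android UA
# also contains "Linux"). Assumed for illustration, not an exhaustive table.
OS_TOKENS = [
    ("Windows 95", "Windows 95"), ("Win95", "Windows 95"),
    ("Windows 98", "Windows 98"), ("Win98", "Windows 98"),
    ("Windows NT 5.1", "Windows XP"), ("Windows NT 6.1", "Windows 7"),
    ("Windows NT 10.0", "Windows 10"),
    ("iPhone", "iOS"), ("Mac OS X", "macOS"),
    ("Android", "Android"), ("Linux", "Linux"),
]

# Browser tokens with the major version captured. Order matters again: Chrome
# advertises "Safari", and Edge advertises "Chrome".
BROWSER_TOKENS = [
    (r"Edg/(\d+)", "Edge"),
    (r"Chrome/(\d+)", "Chrome"),
    (r"Firefox/(\d+)", "Firefox"),
    (r"MSIE (\d+)", "Internet Explorer"),
    (r"Version/(\d+).*Safari/", "Safari"),
]


def parse_user_agent(ua):
    """Return the OS name, browser family and major version a server would infer."""
    os_name = "unknown"
    for token, name in OS_TOKENS:
        if token in ua:
            os_name = name
            break
    browser, version = "unknown", None
    for pattern, name in BROWSER_TOKENS:
        m = re.search(pattern, ua)
        if m:
            browser, version = name, int(m.group(1))
            break
    return {"os": os_name, "browser": browser, "version": version}


def make_request(url, user_agent):
    """Build (but do not send) a GET request carrying a caller-chosen User-Agent.
    urllib.request.urlopen(req) would send it; this is the browser extension's
    effect reproduced from a script."""
    return urllib.request.Request(url, headers={"User-Agent": user_agent})


if __name__ == "__main__":
    # Constructed sample strings in the shape real browsers send.
    for ua in [
        "Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36",
    ]:
        print(parse_user_agent(ua))
```

Nothing in `parse_user_agent` can tell a genuine Windows 95 browser from a modern one sending that string, which is exactly why the challenge is solvable by editing one header.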

Web: Localghost

Challenge description: BooOooOooOOoo! This spooOoOooky client-side cooOoOode sure is scary! What spoOoOoOoky secrets does he have in stooOoOoOore??

Connect here:
http://jh2i.com:50003

Note, this flag is not in the usual format.

The ghost in this picture scrolls infinitely (jScroll infinite scrolling), which was strange, and I thought it had something to do with the flag, lol. So I read the challenge description again; it talks about `spoOoOoOoky secrets in the stooOoOoOore`, so I checked the Storage tab and found the flag in it.

But the description also refers to client-side code, and inspecting the JavaScript code turns up an array containing the base64 string.

Miscellaneous: SSH Logger

Challenge description: Someone keeps logging in to this server… can you find their password?

Connect here:
ssh -p 50029 root@jh2i.com # password is 'root'

Let's log in as root using ssh.

If we run ls here, we can see an executable file, which is actually a tool called pspy.

pspy monitors Linux processes without root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. https://github.com/DominicBreuker/pspy

Here we can see all the commands and processes being executed on the system, and we can also see that there is a user called flag who is connecting to this machine over ssh again and again.

sshd (the ssh daemon) is the server-side program that listens for ssh client connections.

To get more information on what the sshd processes are doing we need to intercept their system calls; to do that we use strace, which is already installed on this system.

strace is a powerful process monitoring, diagnostic, and instructional tool. It is used to monitor and tamper with interactions between processes and the Linux kernel, which include system calls, signal deliveries, and changes of process state. https://strace.io/

Here we trace the system calls of the sshd process to which the flag user is making back-to-back connections.

strace -f -p $(pgrep sshd | head -n 1) 2>&1 | grep 'flag{.*}'

  1. $(pgrep sshd | head -n 1) is command substitution: it inserts the first process ID (PID) that pgrep finds for sshd.
  2. -f follows forks: strace traces every syscall that sshd makes to the kernel, and when sshd forks (it spawns a child process for each incoming connection, such as the flag user's back-to-back logins) it follows the child's calls as well.
  3. -p gives the process ID of the process whose syscalls you want to trace.
  4. Finally we use grep to show only the lines that match the flag format (the pattern is quoted so the shell does not try to expand it as a glob).
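The grep in the command above works, but it prints whole strace lines and `.*` runs greedily to the last `}` on the line. As an added example (my own code, not from the writeup), here is a small scanner over strace output that pulls the C-style string literals strace prints, undoes their escapes (`\0`, `\26`, `\n`, ...) and extracts flag-shaped tokens together with the pid that handled them. The sample lines are constructed in the shape of `strace -f -p <sshd pid>` output; the pids, file descriptors and buffer contents are invented. The same approach is a useful check from the defensive side: anything a process reads or writes in cleartext, passwords included, is visible to whoever can ptrace it, which on a normal system means root.

```python
import codecs
import re

# Constructed sample of `strace -f -p <sshd pid>` output (invented values).
SAMPLE_STRACE = [
    '[pid  1337] read(5, "\\0\\0\\0\\4flag\\0\\0\\0\\26flag{c0nstructed_s4mple}", 8192) = 42',
    '[pid  1337] write(2, "Accepted password for flag from 10.0.0.2 port 41234\\n", 52) = 52',
    '[pid  1340] read(5, "unrelated traffic with a brace }", 32) = 32',
]

PID_RE = re.compile(r"^\[pid\s+(\d+)\]")
# A string argument as strace prints it: double-quoted, backslash escapes inside.
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Stop at the first closing brace instead of the greedy `flag{.*}`.
FLAG_RE = re.compile(r"flag\{[^}]*\}")


def unescape(literal):
    """Turn strace's C-style escapes (\\n, \\0, \\26, \\x1f ...) back into characters."""
    return codecs.decode(literal, "unicode_escape")


def find_flags(lines):
    """Return (pid, flag) for every flag-shaped token inside any traced string buffer."""
    found = []
    for line in lines:
        pid_match = PID_RE.match(line)
        pid = int(pid_match.group(1)) if pid_match else None
        for literal in STRING_RE.findall(line):
            for flag in FLAG_RE.findall(unescape(literal)):
                found.append((pid, flag))
    return found


if __name__ == "__main__":
    # Reading strace's output from a pipe would look like:
    #   strace -f -p <pid> 2>&1 | python3 this_script.py
    # Here we run it over the constructed sample instead.
    for pid, flag in find_flags(SAMPLE_STRACE):
        print(f"pid {pid}: {flag}")
```

With `-f`, the interesting reads happen in the forked per-connection child, so the pid column is what tells you which connection carried the value.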

Mobile: Candroid

Challenge description: I think I can, I think I can!

I just used the strings command after downloading the file, and voila!
The strings command lets you see the text inside a binary or data file.

strings candroid.apk | grep 'flag{.*}'

Since this command returns a lot of strings, I piped the output of strings to grep, which finds the flag.
`flag{.*}` is the pattern I want to find.

flag{4ndr0id_1s_3asy}

Mobile: Simple App

Challenge description: Here’s a simple Android app. Can you get the flag?

(Download the file below.)

After downloading the apk, I used the jadx tool to inspect the source code of the apk and found the flag in the MainActivity class.

jadx — Dex to Java decompiler: command line and GUI tools for producing Java source code from Android Dex and Apk files.

flag{3asY_4ndr0id_r3vers1ng}

Forensics: Microsoft

Challenge description: We have to use Microsoft Word at the office!? Oof… (Download the file below.)

Microsoft's docx file is not a single file; it is a container of files, just like a zip file. You can explore the contents of a docx file, and if your file gets corrupted you can recover your data by exploring its contents.

Just add .zip to the file extension.
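The Candroid and Microsoft challenges rely on the same two facts: `strings` finds runs of printable bytes, and an APK or docx is a zip container. As an added example (my own code, not from the writeup), here is a `strings`-style scanner and a container scanner that opens every member and searches it after decompression. The sample container is built in memory and labelled as constructed: one member is stored uncompressed (as APK resources often are), the other is deflated (as docx XML always is). Running `strings` on the raw file only sees stored members and zip metadata; for a deflated member you have to unpack first, which is what the "add .zip" trick does by hand.

```python
import io
import re
import zipfile

FLAG_RE = re.compile(rb"flag\{[^}]*\}")


def extract_strings(data, min_len=4):
    """Return every run of at least min_len printable ASCII bytes, like `strings -n 4`."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def scan_container(container_bytes, pattern=FLAG_RE):
    """Open a zip-based container (APK, docx, jar ...) and search each member,
    decompressed, for the pattern. Returns {member name: [matches]}."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(container_bytes)) as zf:
        for info in zf.infolist():
            matches = pattern.findall(zf.read(info))
            if matches:
                hits[info.filename] = [m.decode("ascii") for m in matches]
    return hits


def build_sample_container():
    """Constructed stand-in for an APK/docx with one stored and one deflated member.
    The flags inside are invented for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex",
                    b"dex\n035\0" + b"\0" * 16 + b"flag{st0red_s4mple}\0",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("word/document.xml",
                    b"<w:document><w:body><w:p><w:r><w:t>flag{d3flated_s4mple}"
                    b"</w:t></w:r></w:p></w:body></w:document>",
                    compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    blob = build_sample_container()
    print("raw strings:", [s for s in extract_strings(blob) if "flag{" in s])
    print("per member:", scan_container(blob))
```

On the raw bytes only the stored member's flag shows up in `extract_strings`; `scan_container` reports both, keyed by member name, which is also the quickest way to find where in a docx (main body, headers, comments, embedded media) a string lives.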

Steganography: Doh

Challenge description: Doh! Stupid steganography…

Note, this flag is not in the usual format. (Download the file below.)

We know it's a steganography challenge, so something must be embedded in that image file.
I used the steghide tool to extract that information.

steghide can be used to hide data in image and audio files.

steghide extract -sf doh.jpg

extract tells steghide that you want to extract data, and -sf (stego file) tells it the file to extract from, followed by the file name. A passphrase is also required to extract the data, but in our case there wasn't one, so we just hit Enter and it extracts the hidden file.

Steganography: My Apologies

Challenge description: Nothing witty to say here… just that I am sorry.

Note, this flag is not in the usual format. (Download the file below.)

Inside the file `apologies.txt` this text was found:

Turns out the steganographⅰc technique we were using dⅰdn’t really make much sense... but we kept it anyway. Oh well!

The text looks like it has gone through some process (a text steganography technique).

https://securityaffairs.co/wordpress/24681/hacking/steganography-tweet.html

The website contains some information on this steganography technique, and there is a link to `steg-of-the-dump.js`, a website where you can decode this message: https://holloway.nz/steg/
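What makes the text "look processed" is that some letters have been swapped for Unicode lookalikes (in the line above, the two `ⅰ` are U+2170 SMALL ROMAN NUMERAL ONE, not the letter i). As an added example (my own code, not the decoder the writeup links to), here is a detector for such homoglyphs that uses NFKC compatibility normalization: a non-ASCII character whose NFKC form is plain ASCII is a strong signal that it was chosen for its appearance. The sample string is constructed after the challenge text. The `carrier_bits` function shows the general idea of reading one bit per substitutable letter; that bit assignment is an assumption for illustration and not the scheme `steg-of-the-dump.js` actually uses.

```python
import unicodedata
from dataclasses import dataclass


@dataclass
class Homoglyph:
    index: int       # position in the text
    char: str        # the lookalike character
    name: str        # its Unicode name
    ascii_form: str  # what it folds to under NFKC


# Constructed sample modelled on the challenge text: two letters "i" are
# written as U+2170, which renders almost identically in most fonts.
SAMPLE = ("Turns out the steganograph\u2170c technique we were using d\u2170dn't "
          "really make much sense... but we kept it anyway. Oh well!")


def find_homoglyphs(text):
    """List non-ASCII characters whose NFKC compatibility form is plain ASCII."""
    found = []
    for i, ch in enumerate(text):
        if ord(ch) < 128:
            continue
        folded = unicodedata.normalize("NFKC", ch)
        if folded.isascii():
            found.append(Homoglyph(i, ch, unicodedata.name(ch, "?"), folded))
    return found


def clean_text(text):
    """Recover the intended plain text by folding the lookalikes back."""
    chars = list(text)
    for h in find_homoglyphs(text):
        chars[h.index] = h.ascii_form
    return "".join(chars)


def carrier_bits(text, letter="i"):
    """Hypothetical reading (assumption, not the linked tool's scheme): every
    occurrence of `letter` carries 1 if written as a lookalike, else 0."""
    swapped = {h.index for h in find_homoglyphs(text) if h.ascii_form == letter}
    return "".join("1" if i in swapped else "0"
                   for i, ch in enumerate(text) if ch == letter or i in swapped)


if __name__ == "__main__":
    for h in find_homoglyphs(SAMPLE):
        print(f"offset {h.index}: U+{ord(h.char):04X} {h.name} looks like {h.ascii_form!r}")
    print(clean_text(SAMPLE))
    print(carrier_bits(SAMPLE))
```

The same check is a cheap screen for lookalike characters in places where they matter defensively (usernames, domain names, file names), since NFKC folding exposes the substitution without a hand-written confusables table.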

OSINT: Time Keeper

Challenge description: There is some interesting stuff on this website. Or at least, I thought there was…
Connect here:
https://apporima.com/

Note, this flag is not in the usual format.

The name of the challenge and its description hint that there was maybe some flag on this website at an earlier time.

We can use the Wayback Machine ('The Wayback Machine is a digital archive of the World Wide Web.') to look at an older version of the website, where we find a post that has been deleted from the newer version of the website.

/flag.txt doesn't work on the newer version; it leads to an error page. Requesting /flag.txt on the older version spits out the flag.
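Browsing the Wayback Machine by hand works for one URL; the same archive is also queryable through its CDX API, which lists every capture of a URL with its timestamp and the HTTP status that was recorded. As an added example (my own code, not from the writeup), here is a small client for that API. The endpoint and the `output=json` format (first row is the column names) are real; the reply embedded below is a constructed sample with invented timestamps, used so the example runs offline, and the `fetch` parameter lets you swap in a real `urlopen` call. Seeing a capture with status 200 followed by a later 404 is exactly the "it used to be there" signal this challenge is about.

```python
import json
from urllib.parse import urlencode
from urllib.request import urlopen

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"


def cdx_query_url(site, path="", limit=50):
    """Build a CDX API query listing captures of one URL as JSON rows."""
    params = {
        "url": f"{site}{path}",
        "output": "json",
        "limit": str(limit),
        "fl": "timestamp,original,statuscode",
    }
    return f"{CDX_ENDPOINT}?{urlencode(params)}"


def parse_cdx(body):
    """Turn the CDX JSON reply (first row = column names) into dicts."""
    rows = json.loads(body)
    if not rows:
        return []
    header, *records = rows
    return [dict(zip(header, r)) for r in records]


def snapshot_url(timestamp, original):
    """Address of the archived copy of a capture, as browsable on the Wayback Machine."""
    return f"https://web.archive.org/web/{timestamp}/{original}"


def list_captures(site, path="", fetch=lambda url: urlopen(url).read().decode()):
    """Return (timestamp, status, snapshot url) for each capture of site+path."""
    records = parse_cdx(fetch(cdx_query_url(site, path)))
    return [(r["timestamp"], r["statuscode"], snapshot_url(r["timestamp"], r["original"]))
            for r in records]


# Constructed reply in the shape of the CDX API's JSON output (timestamps invented).
SAMPLE_REPLY = json.dumps([
    ["timestamp", "original", "statuscode"],
    ["20200315120000", "https://apporima.com/flag.txt", "200"],
    ["20200610090000", "https://apporima.com/flag.txt", "404"],
])


if __name__ == "__main__":
    # Offline run over the constructed reply; drop the fetch= argument to query the API.
    for ts, status, url in list_captures("apporima.com", "/flag.txt", fetch=lambda _: SAMPLE_REPLY):
        print(ts, status, url)
```

Without the `fetch` override the function performs a real HTTP request, so keep the `limit` small when probing a large site.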

OSINT: Finsta

Challenge description: This time we have a username. Can you track down `NahamConTron`?

I used sherlock on this username: python sherlock.py NahamConTron
It returned a bunch of websites, and the flag was on Instagram.

Sherlock is an open source tool that hunts down social media accounts by username across social networks.

OSINT: Tron

Challenge description: `NahamConTron` is up to more shenanigans. Find his server.

From the list of websites found in the Finsta challenge, there is a GitHub account with the name NahamConTron, where you can find this command to access the server and get the flag; there is also a private ssh key for accessing that server.

ssh -i ./id_rsa nahamcontron@jh2i.com -p 50033

-i specifies the identity (private key) file, and -p the port.

If you are not able to access the server and it shows a warning saying 'UNPROTECTED PRIVATE KEY FILE!', change the permissions of the key file:
chmod 600 id_rsa
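The warning comes from a deliberate check in ssh: it refuses a private key file that is readable or writable by group or others, because such a key is not private on a multi-user system. As an added example (my own code, not from the writeup), here is that check and the `chmod 600` fix expressed in Python, run against a throwaway file whose content is a labelled placeholder rather than a real key.

```python
import os
import stat
import tempfile


def key_permissions_ok(path):
    """Mirror ssh's check: no group/other bits may be set on a private key,
    otherwise ssh refuses it with 'UNPROTECTED PRIVATE KEY FILE!'."""
    mode = os.stat(path).st_mode
    return (mode & 0o077) == 0


def lock_down_key(path):
    """Equivalent of `chmod 600 id_rsa`: owner read/write only. Returns the new check result."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return key_permissions_ok(path)


def demo():
    """Create a placeholder key file with loose permissions, then fix it.
    Returns (check before fix, check after fix)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        # Constructed placeholder, not key material.
        f.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                b"(constructed placeholder for this example)\n"
                b"-----END OPENSSH PRIVATE KEY-----\n")
        path = f.name
    os.chmod(path, 0o644)          # the state that triggers the warning
    before = key_permissions_ok(path)
    after = lock_down_key(path)
    os.unlink(path)
    return before, after


if __name__ == "__main__":
    print("ok before fix / after fix:", demo())
```

Because the check only looks at mode bits, a key in a world-readable directory or a shared volume that ignores Unix permissions (some Windows mounts) still needs separate care; `chmod` alone does not make it private there.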

Warmup: Read The Rules

Challenge description: Please follow the rules for this CTF!

Connect here:
https://ctf.nahamcon.com/rules

In the source code of the rules page, there's a flag on line 178.

Warmup: CLIsay

Challenge description: cowsay is hiding something from us! (Download the file below.)

If we run the file command on the clisay file it tells us that it's an ELF file, i.e. an executable, so we execute it: `./clisay`

There is no flag in the output, so we check for printable characters in the file using the strings command.

The flag is in two parts.

Warmup: Metameme

Challenge description: Hacker memes. So meta. (Download the file below.)

It gives us a JPG image file, and there's a hint in the description, `So meta`: we can use exiftool to read the metadata of the image file.

exiftool can read and write meta information in files.

Warmup: Mr. Robot

Challenge description: Elliot needs your help. You know what to do.

Connect here:
http://jh2i.com:50032

The name of the challenge itself hints at checking the /robots.txt file. It lists the files and directories that the developer does not want bots to index.

Warmup: UGGC

Challenge description: Become the admin!

Connect here:
http://jh2i.com:50018

Let's try to log in!

The name of the challenge is referring to cookies (https://www.ugg.com/cookies).

As a proof of concept, let's first get the original value of the string.

Now we have to change the value of this cookie to admin to get access, but first we have to get the rot13 of the string admin.

Now paste this new value into the value column and refresh the page.
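rot13 is an encoding, not a secret: anyone can compute it, so a cookie that is just rot13(username) can be minted for any name (incidentally, rot13 of the challenge name UGGC is HTTP). As an added example (my own code, not from the writeup), here is the weak scheme from the challenge side by side with the fix a server should use: append an HMAC tag computed with a server-side secret, and verify it with a constant-time comparison before trusting the name. The secret below is a constructed demo value.

```python
import codecs
import hashlib
import hmac


def rot13(text):
    """rot13 is its own inverse: applying it twice gives the input back."""
    return codecs.encode(text, "rot_13")


def forge_cookie(username):
    """The challenge's scheme: the cookie value is just rot13(username),
    so the client can produce a valid cookie for any name."""
    return rot13(username)


def read_cookie(value):
    """What the vulnerable server does: decode and trust the name."""
    return rot13(value)


# Hardened alternative. Constructed demo secret; a real server keeps this
# out of the code and rotates it.
SECRET = b"constructed-demo-secret-do-not-reuse"


def sign_cookie(username, secret=SECRET):
    """Cookie = name + "." + HMAC-SHA256(secret, name). The name stays readable,
    but changing it invalidates the tag."""
    tag = hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{tag}"


def verify_cookie(value, secret=SECRET):
    """Return the username if the tag matches, else None. compare_digest avoids
    leaking how many leading bytes of a guessed tag were right."""
    username, sep, tag = value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(expected, tag) else None


if __name__ == "__main__":
    print("weak cookie for admin:", forge_cookie("admin"))
    signed = sign_cookie("user")
    print("signed cookie:", signed)
    tampered = "admin." + signed.split(".")[1]
    print("tampered verifies as:", verify_cookie(tampered))
```

The signed variant still exposes the username in the clear; what it removes is the ability to change it. A server-side session id that maps to the user record is the other common fix and hides the name as well.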

Warmup: Pang

Challenge description: This file does not open! (Download the file below.)

Renaming pang to pang.png

We can see that the file is a PNG image; if we rename it we can read the flag.
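The `file` command recognises the PNG by its leading signature bytes, not by the name, which is why renaming is enough. As an added example (my own code, not from the writeup), here is a minimal version of that check with a short signature table covering the file types that appear in this writeup (PNG, JPEG, ZIP containers such as APK and docx, ELF), plus a helper that suggests the extension the file should carry. The PNG header used in the usage is constructed.

```python
# Signature bytes ("magic numbers") that identify common file types regardless
# of extension; `file` works the same way with a much larger table.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "PNG image", ".png"),
    (b"\xff\xd8\xff", "JPEG image", ".jpg"),
    (b"GIF87a", "GIF image", ".gif"),
    (b"GIF89a", "GIF image", ".gif"),
    (b"PK\x03\x04", "ZIP container (also APK, docx, jar)", ".zip"),
    (b"\x7fELF", "ELF executable", ""),
    (b"%PDF-", "PDF document", ".pdf"),
]


def sniff(data):
    """Identify a file from its leading bytes. Returns (description, usual extension)."""
    for magic, description, ext in MAGIC:
        if data.startswith(magic):
            return description, ext
    return "unknown", ""


def sniff_file(path):
    """Read only the first 16 bytes; that is all the signatures above need."""
    with open(path, "rb") as f:
        return sniff(f.read(16))


def rename_hint(name, data):
    """Suggest the name the file should have given its real type (pang -> pang.png).
    Returns the name unchanged if the extension already matches or the type is unknown."""
    description, ext = sniff(data)
    if not ext or name.lower().endswith(ext):
        return name
    return name + ext


if __name__ == "__main__":
    png_header = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"   # constructed
    print(sniff(png_header), rename_hint("pang", png_header))
```

The reverse direction matters on the defensive side: an upload named `photo.png` whose first bytes say ELF or ZIP is a file type mismatch worth rejecting, and the same table catches it.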

It was a great learning experience for me, and I will be glad if you learn even a small thing from what I write. If you liked this article leave a clap, and if you have any query about it please write in the comments.

This article is for educational purposes only, I am not responsible for any misuse of tools and techniques mentioned here.
