13 November 2014

Potentially Hidden Password - 100

This Daedalus Corp. website loads images in a rather odd way... [Source Code]

It seems like a normal page, and there appears to be nothing special within its source code. I decided to view one of the images (individually) in general in hopes of finding something there.


There's nothing special about the image itself, but the URL seemed to stick out to me the most.

http://web2014.picoctf.com/potentially-hidden-password-3878213/file_loader.php?file=zone1.jpg

Specifically that last part (/file_loader.php?file=zone1.jpg).

I decided to do a test to confirm my suspicions. I replaced 'zone1' in the link with 'zone2'. Sure enough, as soon as I hit 'Enter', the second image popped up. Now I knew that this file loader was getting the images from a directory somewhere... perhaps where the flag is too?

I downloaded the Source Code given at the beginning of the problem and read through it.


Seemed like simple HTML and CSS, along with a little PHP. The part that I focused on the most was the PHP code, since it contained the flag file.

Here is the PHP implemented in the source code:

       <?php  
         $config_file = fopen("/resources/config/admin_mode.config", "r");  
         if (fgets($config_file) === "true") {  
          $flag_file = fopen("/resources/secrets/flag", "r");  
          echo fgets($flag_file);  
          flose($flag_file);  
         }  
         fclose($config_file);  
            ?>  

Based off what I could tell, the flag file was located within /resources/secrets/flag

So naturally, I pasted that text into the original link, so that it looked something akin to http://web2014.picoctf.com/potentially-hidden-password-3878213/file_loader.php?file=resources/secrets/flag

That only led me to this page, but that doesn't mean that my efforts were unfruitful.


I've found the directory that the flag should be in! It should be located within /resources/. Since the file only looks within /resources/files, would there be a way to go up to /resources/ and into other folders rather than only look within the files folder? Yep, there is.

To account for that, I should now add ../ (a directory traversal) before what I am about to type, since it, "tells the browser to move one level back toward the root directory before looking for the path to the file," (RootsWeb). Basically, it means to go up a path/folder.

I have to add ../ since the flag is within /resources/, but it isn't within /resources/files/. It's within /resources/secrets/flag.

 So now that we're within the /resources/ folder, we'll have to enter the /secrets/ folder and then from there get the flag from /flag. This part is relatively simple.

Adding secrets/flag after the ../ should do the trick since we'll be entering the /resources/secrets/flag folder (which is clearly where the flag file is located, according to the PHP).

The full link should look like: http://web2014.picoctf.com/potentially-hidden-password-3878213/file_loader.php?file=../secrets/flag

As expected, going to that link should get you to this page:


The only sentence (and flag) in the page is: i_like_being_included

* Unrelated note: Potentially Hidden Password... I bet that stands for PHP, doesn't it?

10 November 2014

This is the Endian - 40

This is the end! Solving this challenge will help you defeat Daedalus's cyborg. You can find more information about endianness and the problem here. The flag is the smallest possible program input that causes the program to print "Access Granted".
When I opened the page, I read over the problem and information. The input was supposed to be entered as a little-endian, meaning that the order of the addresses are reversed (e.g. "12345678" becomes "78563412").

The question wants answer[0] to be equal to 0x52657663 and answer[1] to be equal to 0x30646521. Both have to be equal to those values respectively, else it won't work.

The first thing to be noted is that the '0x' in front of the address should be removed when writing it in the input, so it should be 52657663 and 30646521 instead.

Now, back onto the topic of little-endians and reversed order, when you put in the correct input, the Data Preview box should look like this:


The thing is that if you try input the exact hex values for both answers, it won't even fit. That's because you're not supposed to input the hex value, you're supposed to input an ASCII character.

Let me try to simplify this... I'll start with answer[0]'s value... it's supposed to equal 52657663. I'm going to split the numbers in that value into groups of twos, so it'll now look like this: 52 65 76 63

Because it's a little-endian program, you'd have to enter the ASCII equivalent of 63 76 65 52. Fortunately, rather than Google 'hex to ascii' for a converter, you can simply write \x followed by the two-digit number, and it'll convert it to ASCII for you.

So \x63 would yield c, \x76 would yield v, and so on.

So answer[0]'s input value would be cveR

...But I still needed to input answer[1] as well.

Using the same method, I divided 30646521 into parts: 30 64 65 21. Then I reversed those parts: 21 65 64 30.

I entered \x21 \x65 \x64 \x30, which displayed !ed0

So, in sum, I basically just inputted \x63 \x76 \x65 \x52 \x21 \x65 \x64 \x30 and it was written as cveR!ed0

When I pressed 'Input' and ran the program, it displayed 'Input Granted!', meaning that the input was correct. Because it was correct, cveR!ed0 is the flag.

Edit: This problem inspired me to write a Java program that converts hexadecimal/byte to Little-Endian and Big-Endian. You can see it on my GitHub here, if you'd like, especially if you're having trouble inputting the address as a Little-Endian, or perhaps for future reference.

The Valley of Fear - 20

The hard drive may be corrupted, but you were able to recover a small chunk of text. Scribbled on the back of the hard drive is a set of mysterious numbers. Can you discover the meaning behind these numbers? (1, 9, 4) (4, 2, 8) (4, 8, 3) (7, 1, 5) (8, 10, 1)
I'll admit, I was a bit confused at first too, but I realised that the numbers did have to do with the text.

Each set of numbers, written as (x, y, z) represented something in the text file.

x = The paragraph number
y = The sentence/line number
z = The word number (in the sentence)

And don't worry, you don't have to worry about OBOB-ing (a.k.a. starting with 0 rather than 1).

... Alright, so I know that explanation might not have made a lot of sense, but I'll elaborate by giving an example...

For the first set (1, 9, 4) I'm going to go open the text file. I located the first paragraph (1), which I've highlighted:


Then I located the ninth sentence (9):


And, finally, the fourth word (4) of that particular sentence:


So the first word out of the five-word clue is 'the'. It might not have seemed like it initially, but after the second word was discovered, it became apparent that it would lead to the flag.

When continuing on with this method, the following sentence was spelled out: the flag is Ceremonial plates

The flag is, therefore, Ceremonial plates

Droid App - 80

An Android application was released for the toaster bots, but it seems like this one is some sort of debug version. Can you discover the presence of any debug information being stored, so we can plug this?
You can download the apk here.
The only thing needed is an apk decompiler and some programming knowledge.

I used decompileandroid to decompile the .apk package (after downloading it).

When the decompiling was complete, I downloaded the full contents of the APK.


I opened up the folder after it was downloaded (it was named 'source'), and, quite primitively, I know, searched through each subfolder, opening each and every file within it. Needless to say, the flag was located within one of the .java files in the 'picoapp' folder.


Its path is: sourcesrcpicoapp453picoctfcompicoapp

When I opened ToasterActivity.java, the flag immediately popped out at me.


The String created out of a char array in the ToasterActivity() constructor had 'flag' as its first four chars.

Being the lazy person I am, rather than manually remove all the commas, spaces, and apostrophes, I quickly wrote a simple Java program to do that for me because, you know, #yolo


However, there is a simpler way of printing out the flag: println'ing (printing) the variable containing the flag. The program is here:

 public class printFlag {  
      public static void main(String[] args) {  
           String entireFlag = new String(new char[] {'f', 'l', 'a', 'g', ' ',  
                     'i', 's', ':', ' ', 'w', 'h', 'a', 't',  
                     '_', 'd', 'o', 'e', 's', '_', 't', 'h',  
                     'e', '_', 'l', 'o', 'g', 'c', 'a', 't',  
                     '_', 's', 'a', 'y'});  
           System.out.println(entireFlag);  
      }  
 }  

And, for your convenience, the Java program I'd initially written is also here:

 public class RemoveNonAlphaChars {  
      public static void main(String[] args) {  
           String entireFlag = ""  
                     + "'f', 'l', 'a', 'g', ' ', 'i', 's', ':', ' '"  
                     + ", "  
                     + "'w', "  
       + "'h', 'a', 't', '_', 'd', 'o', 'e', 's', '_', 't', "  
       + "'h', 'e',"  
       + "'_', 'l', 'o', 'g', 'c', 'a', 't', '_', "  
       + "'s', 'a', 'y'";  
           String noApos = entireFlag.replaceAll("'", "");  
           String noCom = noApos.replaceAll(",", "");  
           String flag = noCom.substring(noCom.indexOf(":") + 1, noCom.length());  
           String noSpace = flag.replaceAll(" ", "");  
           System.out.println(noSpace);  
      }  
 }  

Regardless of the method used, the flag is what_does_the_logcat_say

09 November 2014

Delicious! - 60

You have found the administrative control panel for the Daedalus Coperation Website: https://web2014.picoctf.com/delicious-5850932/login.php. Unfortunately, it requires that you be logged in. Can you find a way to convince the web site that you are, in fact, logged in?
This problem requires a cookie editor extension, and the best browser to solve this problem with would be Chrome, since it has good cookie editing extensions. I installed two cookie editing extensions for Chrome: (1) EditThisCookie and (2) Cookie Inspector.

You don't have to install both extensions, or even those extensions in specific, but I still did because of reasons.

After installing the extensions, open the administrative control panel link. It says that I'm not logged in because there are too many people that are logged in.


Now's the part where the cookie editors come in. Right-click and press 'Inspect Element'. Click on the 'EditThisCookie' pane. There should be 9 columns, and under the 'Value' column it should have the number 67.


Click on it and enter any number. When you're finished, refresh the page and keep entering different numbers until you reach this page:


The number I put in was '21'. The flag is session_cookies_are_the_most_delicious

Function Address - 60

We found this program file on some systems. But we need the address of the 'find_string' function to do anything useful! Can you find it for us?
Since the program file is a binary file, we'd need a disassembler to view its contents. There are various ways to disassemble a binary file, but I decided to use Online Disassembler since I can view the File Info, Hex Dump, and I can view the Disassembly along with Sections of the code.

To upload the program file (which should be downloaded on your computer by now), I clicked on 'File', then 'Upload File...'


I named the project Function Address (since you have to give it a name, else it won't disassemble) after the problem itself, and then I uploaded the file before pressing 'Upload'


Platform Options were displayed, and after reading them I pressed 'Ok'


After waiting a few seconds, for everything to load, everything was disassembled and, conveniently, there is a column to the left where each function is listed along with its Memory Address (which is what we're trying to find for find_string)


I highlighted the find_string function along with its Memory Address for visibility.

Its Memory Address (and the flag) is 0x08048444

Toaster Control - 50

Daedalus Corp. uses a web interface to control some of their toaster bots. It looks like they removed the command 'Shutdown & Turn Off' from the control panel. Maybe the functionality is still there...
When opening the link and clicking on one of the buttons, I noticed how the page's URL looked like.

For example, clicking on 'Blink Lights', the URL would be http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Blink Lights
When clicking on 'Patrol Mode', the URL would be http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Patrol Mode
When clicking on 'Make Toast', the URL would be http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Make Toast

There is a pattern in that each of the URLs start with http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=, and would end with the name of the button you were clicking.

So, since I wanted to activate the 'Shutdown & Turn Off' Command, you'd assume that the link would be http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Shutdown & Turn Off

But that would only bring me to this page:


But then how would I be able to go to the page? URL encoding, that's how. The problem actually lies in the ampersand ('&'), since it's not a URL-safe character. So by converting Shutdown & Turn Off to a URL-safe string, I'd be able to view the page.

I Google'd 'text to url' and found several text to URL converters. I used QuickEncoder, and pasted Shutdown & Turn Off into the box, then pressed 'Encode'


I copied the URL-safe string (Shutdown+%26+Turn+Off) and pasted it into the base URL (http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=) so that it looked like http://web2014.picoctf.com/toaster-control-1040194/handler.php?action=Shutdown+%26+Turn+Off

I pressed 'Enter' and the following page appeared:


The shutdown code, and flag, is blatantly displayed as flag_c49bdkeekr5zqgvc20vc

Redacted - 50

You found a letter that may shed light on recent events.
Another simple question requiring no programming knowledge, when opening the .pdf letter, there are numerous censor boxes covering certain words and phrases. Since the .pdf file contains an image rather than text, one wouldn't be able to 'Select All' (CTRL + A or ⌘ + A), 'Copy' (CTRL + C or ⌘ + C), and 'Paste' (CTRL + V or ⌘ + V) the text itself into a word document.

But there's hope... something similar to that can still be done!

The black boxes aren't part of the image itself, they're simply overlaid onto the image, so it's very possible to get the image without the boxes. To do that, download the .pdf file (right-click and 'Save Page As').

When it's downloaded, open the file and either press on the document, or 'Select All' (CTRL + A or ⌘ + A).


The .pdf is tinted blue because the entire document is selected (I am using Adobe Reader, by the way).

When the entire document is selected, 'Copy' (CTRL + C or ⌘ + C) the document and open some type of text editor (e.g. TextEdit, Microsoft Word, etc.); I'm going to be using TextEdit.

When the text editor is open, 'Paste' (CTRL + V or ⌘ + V) the document you just copied, and it should look something like this:


As stated by the document, the super secret access code (and quite obviously, the flag) is one_two_three_four

Easy Overflow - 40

Is the sum of two positive integers always positive?
nc vuln2014.picoctf.com 50000
'nc' is the Linux netcat command. Try running it in the shell.
The rhetorical question in the beginning is actually a good hint by implying that, sometimes in Java, adding a number to another number will make it negative. Basic arithmetic and understanding of ints in Java are helpful in solving this problem.

Rather than running it in the shell, I decided to run it in the 'Terminal' (Mac). By opening 'Terminal' and typing in nc vuln2014.picoctf.com 50000, I was able to run the program. It looked  like this:


The number I was given was 2884043 (note that a different number is generated each time), and it is asking for a positive number that, when added, will make it negative.

I needed to know what the maximum Integer value was for Java, because if a number is added to it, it immediately becomes negative. I typed 'max int java' in Google:


I discovered that the maximum Integer value in Java is 231 - 1, or 2147483647 when expanded.

One would assume that we'd subtract the given number from the maximum Integer value, but that is not the case because we'd yield a non-negative int. So instead, we'd have to subtract the given number from maximum Integer value plus one, a.k.a. 231, or 2147483648 when expanded.

So, 2147483648 - 2884043 gave me 2144599605, which I entered into the Terminal.


The flag, which I highlighted, is That_was_easssy!

Javascrypt - 40

Tyrin Robotics Lab uses a special web site to encode their secret messages. Can you determine the value of the secret key?
This question is simple; basic knowledge of Javascript is required. Upon clicking the link, the site you are brought has an 'Input Message' and 'Output Message' box, along with an 'Encode' button. An example of the encryption done with the site is as follows:


Once again, 'View Source' is necessary. Right-click and press 'View Page Source' to, well, view the page's source. Immediately, at the bottom, is the Javascript for generating the key used to encode the message.


It should look something this:

       var key; // Global variable.
       // Since the key is generated when the page
       // is loaded, no one will be able to steal it
       // by looking at the source! This must be secure!
       function generateKey() {
         var i = 1;
         var x = 295;
         var n = 5493;
         while (i <= 25) {
           x = (x * i) % n;
           i++;
         }
         key = "flag_" + Math.abs(x);
       }
       generateKey();
       // Encode the message using the 'key'
       function encode() {
         var input = $("#inputmessage").val();
         var output = CryptoJS.AES.encrypt(input, key);
         $("#outputmessage").val(output);
       }

It is now clear that the key is the flag, and they're Strings starting with "flag_" and ending with the absolute value of one of the vars, x.

To find the flag, I converted the code to Java (since I am most comfortable with Java):

 public class Javascrypt {  
      public static void main(String[] args) {  
       int i = 1;  
       int x = 295;  
       int n = 5493;  
       while (i <= 25) {  
         x = (x * i) % n;  
         i++;  
       }  
       System.out.println("flag_" + Math.abs(x));  
      }  
 }  

I then ran it using Eclipse:


The flag is outputted as flag_3003

Grep is Still Your Friend - 40

The police need help decrypting one of your father's files. Fortunately you know where he wrote down all his backup decryption keys as a backup (probably not the best security practice). You are looking for the key corresponding to daedaluscorp.txt.enc. The file is stored on the shell server at /problems/grepfriend/keys.
Basic knowledge of grep commands is required. Login to your shell on picoCTF, and when that's done, simply type in the following command:

 grep "daedaluscorp" /problems/grepfriend/keys  

Press 'Enter', and the shell should look something like this


The highlighted text (b2bee8664b754d0c85c4c0303134bca6) is the flag.

RoboPhoto - 30

Another question that requires no language in programming, the question is
Your father has been known to use the titles of his favorite books as passwords. While you don't remember any of the names of the books, your father keeps a poster for one of them on his wall. Can you figure out the name of the book and unlock the CD?
Copy the image URL (https://picoctf.com/problem-static/misc/robo-photo/robophoto.jpg), and go to Google Images. Click on the camera icon:


Paste the URL into the box, then press 'Search by Image'.


Going through the page, there doesn't appear to be any book title names anywhere, so just click 'Visually similar images', since it looks as though the image is just a section of an entire book cover and there should be a match to that image somewhere.


Clicking on the first image that shows up, the entire cover of the book is shown (along with the title and author).


The flag, also known as the title of the book, is The Positronic Man.

Pickle Jar - 30

This question seems difficult, but it's actually quite simple. It asks:
The police station offers free pickles to police officers. However, someone stole the pickles from the pickle jar! You find a clue on a USB drive left at the scene of the crime.
When you click on the 'clue', a .jar file is immediately downloaded onto your computer. In order to solve this question, you should first have a basic understanding of .jar files. A .jar (Java Archive) file is "a package file format typically used to aggregate many Java class files and associated metadata and resources (text, images, etc.) into one file to distribute application software or libraries on the Java platform," as stated by Wikipedia. Basically, it's a .zip file containing compiled Java code and/or sourcecode, etc.

Since .jar files are compiled, you'd need to decompile it to view its contents. There are many ways of doing that, such as installing decompiler plugins for Eclipse (an IDE), installing decompiling software (e.g. JavaDecompiler), etc.

However, I chose to simply use an online decompiler, specifically one at jd.benow.ca (which I found by going on Google and typing 'java decompiler').


When you scroll all the way to the bottom of the page, there is a 'Live Demo' option. Simply drag and drop the .jar file into the striped area (under 'Input Files')


Let go of the .jar file, and wait for it do decompile (which shouldn't take that long). When it's done, look at the 'Output Java Code' section. Explore each of the packages (which should only include META-INF and com.picoctf).

Within META-INF is MANIFEST.MF, which only says this:

 Manifest-Version: 1.0
 Class-Path: .
 Main-Class: com.picoctf.Jar

Within com.picoctf is Jar.class, which only says this:

 package com.picoctf;
 import java.io.PrintStream;
 public class Jar {
   public static void main(String[] args) {
    System.out.println("Who stole the pickles from the pickle jar?");
   }
 }

Of course, that isn't much of a flag. This is simply a basic Java program.

But that doesn't mean that there's nothing else in there. pickle.p still hasn't been opened. Upon clicking it to open, it says:

 S'YOUSTOLETHEPICKLES'
 p0
 .

Even though it doesn't literally say 'flag' anywhere, it's become obvious what the flag is. Typing YOUSTOLETHEPICKLES into the submit box will get you the 30 points.

Internet Inspection - 30

This is where the questions actually require a little bit of CSS and HTML knowledge. You should be able to read CSS and HTML and understand the syntax. The question asks
On his computer, your father left open a browser with the Thyrin Lab Website. Can you find the hidden access code?
When one clicks on the link, a page with a checkered rectangle appears.

It seems as though the flag is behind the checkered box... how would one be able to remove the checkers on the image and edit the webpage? 'Inspect Element' is the answer!

Hover the mouse over the box, right-click, then select 'Inspect Element'. It should now look something like this, depending on your browser:


When I'm looking through the code, I see a div id named "checkers". Perhaps that's what's blocking the table. I double click on it, and see that its style attribute contains a background image property, along with width, height, overflow, etc. properties as well.

That background image must be the checkers causing the table to be blocked, so I highlight url("/problem-static/web/internet-inspection/checkers.png") and replace it with none.

Immediately, the checkers disappear and the page now looks like this


The flag is flag_307ba6279287ba746b5a3a964a712f9343a27eb6

An alternate way to find the flag would be to 'Inspect Element', and browse through the divs to find where the flag lies, and copy it (CTRL + C or ⌘ + C). Its path would be:

htmlbodydiv.rowtable#content-table.roundedtbodytr#contentstd

Caesar - 20

One of the most basic, and oldest encryption techniques is Caesar ciphering. Simply put, it's encrypted by shifting/ rotating the letters of the alphabet. So "ABC" with the Key being 5 would be encrypted as "FGH". In this particular problem, it asks:
You find an encrypted message written on the documents. Can you decrypt it? encrypted.txt
When you open the encrypted.txt page, the message says: "xliwigvixtewwtlvewimwvedlzggxbzsfazzlmjlgmdckoeftgn".

Go to Google and type 'caesar decrypt' to find an online caesar decrypting website.

I am going to be using richkni's decryptor because it brute forces the encrypted text, so I don't have to keep switching between keys to find the right one.


After pasting the message, I press submit to view all the deciphered text, each with a different shift/key. At Shift 22, I notice something interesting...


It actually looks like an English sentence! I copy the text there, remove all the spaces, and submit the passphrase, which is "RAZHVCCTXVOBWVVHIFHCIZYGKABPCJ"

No Comment - 20

This is yet another simple question that requires little to no knowledge in Programming... the question is:
The CD you find has a copy of your father's website: homepage.html. Maybe something is hidden in the site...
When you open the webpage, you are greeted with this:

It seems like a normal page, and there doesn't seem to be any flag hidden on the website that you can see, but one of the basic, first rules of CTFs are to always check the page source, since the HTML, CSS, Javascript, etc. codes are always there, and there might be other clues hidden around there, too.

To view the page source, simply Right-Click your mouse and select 'View Page Source' (or something akin to that depending on your Browser)

When I viewed the page source, everything seemed normal until...


That green text. It's not visible on the web page because it is an HTML comment. Anyway, the flag is blatantly given (flag_3072fa4381f859636409532fdd70eaace3078420). Just copy it, paste it into the answers box, and there's another 20 points!

Tyrannosaurus Hex - 10

I feel as though I shouldn't even be writing about this question, because if one is incapable of answering even this question, I think they should maybe, perhaps gain a little more experience before competing in CTFs (sorry if that came out rude)...
The contents of the flash drive appear to be password protected. On the back of the flash drive, you see the hexadecimal number 0x1c9b2c5a scribbled in ink. The password prompt, however, only accepts decimal numbers. What number should you enter?
You are given a hexadecimal number, 0x1c9b2c5a, while it's asking for a decimal number. The only thing you have to do is convert the hexadecimal number into a decimal number.

To do that, go to any hexadecimal to decimal converter website (just type "hexadecimal to decimal converter" in Google and a bunch of websites will pop up):


I am going to be using binaryhexconverter for this. Enter the hexadecimal number without the '0x', so it looks like 1c9b2c5a, then press 'Convert'.


Copy the decimal number (479931482) and paste into the answer box and voila! 10 points for your team.

picoCTF 2014

Since picoCTF 2014 is already over, and I've competed in it and answered a reasonable amount of questions, I'll post the answers to some of the questions along with explanations.

I placed among the top 10% (a.k.a. I did better than 90% of the participants who had a score of at least 10 points) and I scored a lot more than over 1000 points, which really isn't that great, but I still feel a slight sense of accomplishment, especially since I didn't have any team members whom I could work together with or ask for assistance (the problems had, quite literally, intimidated them away).

Wow, now that I reread that last sentence, it makes it appear a lot more sad than it actually was; but, strangely (or perhaps not), I always do tend to work better when alone...