This weekend, on September 10, 2016, the Defcon Toronto Meetup group hosted their first ever CTF! I was able to put together a team including myself, my friend David, and Anna, someone who happened to be broadcasting their interest in the CTF via the group's Slack channel (and doesn't have Twitter). David is actually heavily involved in Carleton University's CTF team; however, neither I nor Anna had participated in a CTF before, though both of us have done some web appsec challenges.

The whole event took place over the course of eight hours, which my team spent frantically searching for clues and finding flags. Our unorthodox approaches to many things made it obvious that neither Anna nor I had taken part in a CTF before, but fortunately David was familiar with enough tools to get us through some of the trickier challenges.

Final Scoreboard

Despite all of our fumbling, my team actually managed to come out in first place! We had a great time and were competing down to the wire to come out ahead. I'll post a link to David's writeup when he gets to it, as well as Anna's if she writes one, but for now I'll write about the challenges I can recall in detail.

Flag 1

Getting started, all teams were pointed to a web server that, when accessed, displayed a message in binary and an NSA logo featuring an eagle holding a key. The binary message was simple ASCII that welcomed competitors and informed us that that page did not have a flag. Immediately we loaded up Burp Suite and had it spider the site, revealing a /staff directory which, when accessed, logged

synt1{z00ap4xr}  

to the JavaScript console. Running this string through a character rotation tool revealed that it was ROT-13 of

flag1{m00nc4ke}  

the first flag!

Flag 2

Our spidering tactic with Burp Suite also revealed a document, staff/s.txt, that contained 66 lines of text, each a small base64-encoded string. I quickly saved the file and decoded the strings with a little bit of Python (this was where my affinity for coding started to show).

import base64

# s.txt holds one base64 string per line; decode each one and keep the
# result as text so the list can be fed to other tools (e.g. StegHide)
with open('s.txt', 'rb') as f:
    pwds = [base64.standard_b64decode(line.strip()).decode('utf-8', 'replace')
            for line in f if line.strip()]

with open('passwords.txt', 'w') as f:
    f.write('\n'.join(pwds))

The decoded "passwords" didn't seem to have anything particularly interesting except for line 59 containing a passphrase.

passphrase:edward  

Back on the very first page with the NSA logo, nsa.png, there didn't appear to be anything lying in plain sight. Running nsa.png through StegHide with all of the passwords we discovered earlier didn't reveal anything, but it did get us thinking. Fortunately Burp had already picked up another interesting file while spidering, staff/nsa.jpg. This time, using the passphrase edward with StegHide revealed the second flag.

flag2{M00nface}  

Flag 4

Another directory, /admin, was discovered and presented a page containing a download link for a file, enc.zip, which contained a compiled Python module file, enc.pyc. We used the Uncompyle tool to recover the simple Python source, which read:

# 2016.09.10 12:50:14 EDT
DESC = 'C4N YOU 1D3N71FY 7H3 FL46?'  
str1 = 'FLAG4{'  
str2 = '______'  
str3 = '0'  
str4 = '_____________________'  
str5 = '__________________'  
str6 = '____'  
str7 = '1'  
str8 = '_______'  
str9 = '1'  
str10 = '____________________'  
str11 = '__________________________'  
str12 = '}'  

It appeared that the flag was right there for us, and that the number of underscores had to mean something. We treated the number of underscores as an offset from the ASCII code for the letter 'a', figured the '0' and '1's were 1337sp34k corresponding to "o" and "i" or "l", and decoded the strings using some more Python code.

from enc import *

strings = [str2, str3, str4, str5, str6, str7, str8, str9, str10, str11]

def decode(s):
    # '0' and '1' are 1337sp34k and stay as they are; otherwise the
    # number of underscores is treated as an offset from 'a'
    if s in ('0', '1'):
        return s
    return chr(ord('a') + len(s))

print(''.join(map(decode, strings)))

This gave us the string

g0vse1h1u{  

Running that through a rotation tool revealed it was ROT-25 of

f0urd1g1t{  

However this wasn't quite right! Our offset approach was off by one: str11 was exactly 26 underscores long, so it landed on the character after z, namely {. Counting a run of n underscores as the nth letter of the alphabet (an offset of n-1 from a) is exactly what the ROT-25 step had been compensating for, and under that rule the final character is a z, meaning flag 4 was actually

f0urd1g1tz  
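The corrected decoder, as an added example (this is not the CTF's enc.py and not code from the original writeup). The token list reproduces the underscore counts from the decompiled module above using multiplication so they cannot be miscounted; the one_based switch lets you reproduce both the first attempt (offset = number of underscores, giving g0vse1h1u{) and the corrected rule (offset = number of underscores minus one, giving f0urd1g1tz). The rot helper is the same character rotation used on flag 1 and on the intermediate flag 4 string:

```python
# Added example: flag 4 decoder with the corrected offset rule.
# Underscore counts are taken from the decompiled enc.py shown above.
TOKENS = [
    '_' * 6,    # str2
    '0',        # str3
    '_' * 21,   # str4
    '_' * 18,   # str5
    '_' * 4,    # str6
    '1',        # str7
    '_' * 7,    # str8
    '1',        # str9
    '_' * 20,   # str10
    '_' * 26,   # str11 -- 26 underscores, which must be 'z', not '{'
]


def rot(text, n):
    """Rotate ASCII letters by n places; digits and punctuation pass through."""
    out = []
    for ch in text:
        if 'a' <= ch <= 'z':
            out.append(chr((ord(ch) - ord('a') + n) % 26 + ord('a')))
        elif 'A' <= ch <= 'Z':
            out.append(chr((ord(ch) - ord('A') + n) % 26 + ord('A')))
        else:
            out.append(ch)
    return ''.join(out)


def decode_token(token, one_based=True):
    """Map one token to a character.

    '0' and '1' are 1337sp34k and stay literal.  A run of k underscores is
    the k-th letter of the alphabet when one_based is True (the corrected
    rule, 26 -> 'z'); with one_based=False it is an offset of k from 'a'
    (the first attempt, where 26 -> '{').
    """
    if token in ('0', '1'):
        return token
    if not token or set(token) != {'_'}:
        raise ValueError(f'unexpected token {token!r}')
    offset = len(token) - 1 if one_based else len(token)
    if one_based and not 0 <= offset < 26:
        raise ValueError(f'{len(token)} underscores is not a letter')
    return chr(ord('a') + offset)


def decode_flag(tokens, one_based=True):
    return ''.join(decode_token(t, one_based) for t in tokens)


if __name__ == '__main__':
    first = decode_flag(TOKENS, one_based=False)
    print(first, '->', rot(first, 25))   # g0vse1h1u{ -> f0urd1g1t{
    print(decode_flag(TOKENS))           # f0urd1g1tz
```

The range check in decode_token is what would have caught the mistake early: with the zero-based rule, 26 underscores produce a non-letter, which is a sign the encoding rule is wrong rather than the flag.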

Flag 5

Our portscanning efforts had revealed another web service, listening on port 50000. Hitting the index page at / revealed a message.

NNNNNNNN        NNNNNNNN   SSSSSSSSSSSSSSS              AAA  
N:::::::N       N::::::N SS:::::::::::::::S            N:::A  
S::::::::N      E::::::NC:::::SUSRSI::::::S           T:::::Y  
N:::::::::N     N::::::NS:::::S     SSSSSSS          A:::::::A  
N::::::::::N    N::::::NS:::::S                     A:::::::::A  
N:::::::::::N   N::::::NS:::::S                    A:::::A:::::A  
T:::::::H::::N  R::::::O U::::SSSS                G:::::A H:::::A  
N::::::N N::::N N::::::N  SS::::::SSSSS          A:::::A   A:::::A  
N::::::N  N::::N:::::::N    SSS::::::::SS       A:::::A     A:::::A  
N::::::N   N:::::::::::N       SSOBSC::::S     A:::::AARAIAATY:::::A  
3::::::N    4::::::::::N            3:::::S   4:::::::::::::::::::::A  
N::::::N     N:::::::::N            S:::::S  A:::::AAAAAAAAAAAAA:::::A  
3::::::N      4::::::::NS3SSSS4     S:::::S 0:::::d             0:::::a  
N::::::N       N:::::::NS::::::SUDPSS:::::SA:::::A               A:::::A  
N::::::N        N::::::NS:::::::::::::::SSA:::::A                 A:::::A  
NNNNNNNN         NNNNNNN SSSSSSSSSSSSSSS AAAAAAA                   AAAAAAA


This is for staff only  

The last line changed at random when the page was refreshed: sometimes it read This is for staff only, and sometimes 31337 7331 31338 8331 ____.

We decided to start with the ASCII banner, noticing some characters seemed a little out of place. I decided to load it up into the vim text editor since I use it for just about everything related to text, and filter some noise out.

:%s/\://g
:%s/NN//g
:%s/SS//g
:%s/AA//g
:%s/ //g

This left us with the following.

SA

SNA  
SNENCSUSRSISTY  
S

A  
THNROUGAHA  
S  
NS  
OBSCSARAITYA  
3N4N3S4A  
A  
3N4NS340d0a  
UDPS  
S  
NSAA  

Which we were able to pick out a message from:

SECURITY THROUGH OBSCURITY 343434340d0a UDP  

However we weren't quite sure what to do with this right away.

Eventually we realized that this was a Port Knocking challenge and that we might be expected to probe each of ports 31337, 7331, 31338, and 8331 in some order to reveal a final service on some unknown port (indicated by four underscores in the message on the page). A hint was given out to all of the teams that the correct order of the ports was

4444:udp 8331:tcp 7331:tcp 31337:tcp 31338:tcp  

and now it made sense: the 34343434 we had seen was hex for the ASCII string 4444, and 0d and 0a are hex for the ASCII codes of carriage return and newline respectively. We used Ncrack to knock on the ports and discovered with a quick port scan that the previously filtered port 21 was now open! We connected to it with a simple FTP client, logged in as the anonymous user (which has no password), and grabbed two files, foo.pcap and bar.pcap, from a pub/ directory.
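The banner clean-up and the hex tail, as an added example that is not part of the original writeup. strip_noise applies the same five substitutions as the vim commands above, in the same order, to the banner lines copied from the page (trailing spaces dropped); because str.replace removes non-overlapping matches left to right just like :s/…//g, it produces the same 16 filtered lines. decode_hex_tail shows what the 343434340d0a fragment actually encodes:

```python
# Added example: the vim substitutions from the writeup, replayed in Python,
# plus the hex tail decode.  BANNER is copied from the page above.
BANNER = [
    "NNNNNNNN        NNNNNNNN   SSSSSSSSSSSSSSS              AAA",
    "N:::::::N       N::::::N SS:::::::::::::::S            N:::A",
    "S::::::::N      E::::::NC:::::SUSRSI::::::S           T:::::Y",
    "N:::::::::N     N::::::NS:::::S     SSSSSSS          A:::::::A",
    "N::::::::::N    N::::::NS:::::S                     A:::::::::A",
    "N:::::::::::N   N::::::NS:::::S                    A:::::A:::::A",
    "T:::::::H::::N  R::::::O U::::SSSS                G:::::A H:::::A",
    "N::::::N N::::N N::::::N  SS::::::SSSSS          A:::::A   A:::::A",
    "N::::::N  N::::N:::::::N    SSS::::::::SS       A:::::A     A:::::A",
    "N::::::N   N:::::::::::N       SSOBSC::::S     A:::::AARAIAATY:::::A",
    "3::::::N    4::::::::::N            3:::::S   4:::::::::::::::::::::A",
    "N::::::N     N:::::::::N            S:::::S  A:::::AAAAAAAAAAAAA:::::A",
    "3::::::N      4::::::::NS3SSSS4     S:::::S 0:::::d             0:::::a",
    "N::::::N       N:::::::NS::::::SUDPSS:::::SA:::::A               A:::::A",
    "N::::::N        N::::::NS:::::::::::::::SSA:::::A                 A:::::A",
    "NNNNNNNN         NNNNNNN SSSSSSSSSSSSSSS AAAAAAA                   AAAAAAA",
]

# Same patterns, same order, as :%s/\://g, :%s/NN//g, :%s/SS//g, :%s/AA//g, :%s/ //g
NOISE = [':', 'NN', 'SS', 'AA', ' ']


def strip_noise(lines, noise=NOISE):
    """Remove each noise pattern from every line, one pattern at a time.

    str.replace deletes non-overlapping matches scanning left to right,
    which is the same behaviour as a :s/pattern//g in vim, so odd-length
    runs of N, S or A leave a single letter behind exactly as they did in
    the editor.
    """
    out = []
    for line in lines:
        for pattern in noise:
            line = line.replace(pattern, '')
        out.append(line)
    return out


def decode_hex_tail(hex_text):
    """Decode a hex string such as 343434340d0a into the ASCII it encodes."""
    return bytes.fromhex(hex_text).decode('ascii')


if __name__ == '__main__':
    for line in strip_noise(BANNER):
        print(line)
    print(repr(decode_hex_tail('343434340d0a')))   # '4444\r\n'
```

The reading of SECURITY THROUGH OBSCURITY out of the filtered lines is still done by eye; the point of replaying the substitutions in code is that the order matters (colons first, then the doubled glyph letters, then spaces) and that a stray odd count of S or A is a clue, not noise.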

We opened up both pcap files in Wireshark and filtered for the HTTP protocol after a cursory scan through each one. In bar.pcap we found a link to a pastebin containing the fifth flag.

flag5{th3fuzz}  

Wireshark1

Flag 6

Continuing with the pcap files, we began looking at foo.pcap, also in Wireshark. This pcap was substantially less messy than bar.pcap, and we quickly noticed an HTTP request near the beginning for an image, power.jpg. The response carrying the image began directly after the ACK for that request, so by right-clicking on the request and using Wireshark's Follow TCP Stream feature we were able to see the complete request and response together.

Wireshark2

We saved the stream data as power.jpg and then stripped out everything before the JPEG header (that is, the HTTP response headers) using vim again.
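The same carving step done programmatically, as an added example (not the writeup's own procedure). It takes a raw dump of an HTTP response, which is what a Follow TCP Stream save produces, and recovers the image two ways: by honouring the HTTP framing (end-of-headers blank line plus Content-Length) and, as a fallback when the headers are damaged, by the JPEG start and end markers alone. The sample stream is constructed inline so the block runs offline; the body is marker-only and is not a viewable picture.

```python
import re

# Added example: carve a JPEG out of a raw HTTP response dump.
JPEG_SOI = b'\xff\xd8\xff'   # start-of-image marker (FF D8 FF)
JPEG_EOI = b'\xff\xd9'       # end-of-image marker (FF D9)

# Constructed sample: a minimal 200 response carrying a marker-only body.
SAMPLE_BODY = JPEG_SOI + b'\xe0\x00\x10JFIF\x00\x01' + b'\x00' * 12 + JPEG_EOI
SAMPLE_STREAM = (
    b'HTTP/1.1 200 OK\r\n'
    b'Content-Type: image/jpeg\r\n'
    b'Content-Length: %d\r\n'
    b'\r\n' % len(SAMPLE_BODY)
) + SAMPLE_BODY


def carve_by_headers(stream):
    """Split on the blank line that ends the HTTP headers, honour
    Content-Length if present, and check the body is really a JPEG."""
    end = stream.find(b'\r\n\r\n')
    if end < 0:
        raise ValueError('no end-of-headers marker in stream')
    headers = stream[:end].decode('latin-1')
    body = stream[end + 4:]
    m = re.search(r'(?im)^content-length:\s*(\d+)\s*$', headers)
    if m:
        declared = int(m.group(1))
        if len(body) < declared:
            raise ValueError(f'body truncated: {len(body)} of {declared} bytes')
        body = body[:declared]   # drop anything the dump appended after the image
    if not body.startswith(JPEG_SOI):
        raise ValueError('body does not start with a JPEG SOI marker')
    return body


def carve_by_magic(stream):
    """Header-agnostic fallback: keep everything from the first SOI marker
    to the last EOI marker, which is what the manual vim edit amounts to."""
    start = stream.find(JPEG_SOI)
    stop = stream.rfind(JPEG_EOI)
    if start < 0 or stop < start:
        raise ValueError('no JPEG markers found')
    return stream[start:stop + len(JPEG_EOI)]


if __name__ == '__main__':
    image = carve_by_headers(SAMPLE_STREAM)
    assert image == carve_by_magic(SAMPLE_STREAM)
    with open('power.jpg', 'wb') as f:   # file name used in the writeup
        f.write(image)
    print(f'wrote {len(image)} bytes')
```

Prefer the header-based carve on a clean stream: Content-Length tells you whether the capture actually contains the whole image, which the marker search cannot, since a truncated JPEG simply has no EOI.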

power.jpg

Immediately we realized that nitro must be a user on a server, but we decided to see what the coordinates would tell us first. The three coordinates correspond to:

  1. A place in Israel
  2. The NSA building
  3. A place in Iran

After some noodling on all of these points, Anna recalled the Nitro Zeus attack. Right away we connected to the challenge server over SSH using the username nitro and password zeus. We connected successfully and were presented with a challenge in the form of a game of Tic-Tac-Toe!

Images courtesy of the hosts - we all forgot to take our own.

ui1

ui2

Flag 6 was revealed!

flag6{s1xfl4gs}  

Flag 9

Everyone had been discussing the hint given out after the sixth challenge, which talked about the knights of the round table. It turned out that, where we had been connecting to the subdomain galahad the whole time, there was also a lancelot subdomain with a WordPress site on it.

Once again we pointed Burp Suite's spider tool at the new site and let it go. This time, it discovered something we hadn't expected: a /webmail path! Going there, we found a form that asked for us to submit a username to be "checked". It wasn't clear exactly what username to use, but we found it was sending the name we provided in a URL query-string parameter, making the request something like

GET lancelot.<challenge site>/webmail?name=<submitted name>  

We tried a few things and found that if we entered admin, it would echo admin back to us. One thing we tried right away was to remove the name parameter's value entirely and submit a request for

GET lancelot.<challenge site>/webmail?name=  

This time the server returned adminflag9Ihopeyoudidntdothismanuallylol, giving us the ninth flag.

flag9{Ihopeyoudidntdothismanuallylol}  

We were later informed that this was supposed to be an SQL injection challenge, though no one seemed to have taken that route.

Flag 10

A hint was provided to participants informing us all of some new login credentials. Using them, we found ourselves in a Python jail.

I will link to David's writeup when he's finished writing it, since he did the work on figuring out that this challenge was used in another CTF and that there was a really clever way to read files in the current directory.

The file flag10 ended up containing the 10th flag!

Congrats!, you are free!

        .-.
       (   )
        |~|
        | |
        | |       _.--._
        |~|~:'--~'      |
        | | :           |
        | | :     _.--._|
        |~|~`'--~'
        | |
        | |
        | |
        | |
        | |
        | |
        | |
        | |
        | |   DC416
   _____|_|_________


here is your flag: flag10{unixgiants} 

For the last flag, there is no more jeopardy. anarchy mode: on

simply get root on this server and capture it. there is at least one (almost easy) way.

good luck  

Right before we submitted the 10th flag, we were right behind the VulnHub team, who we'd been competing toe-to-toe with for the duration of the event. With just a few seconds remaining we had managed to submit the 10th flag and pull into the lead.

Conclusion

This whole event was a lot of fun and incredibly exciting. My two excellent teammates, Anna and Dave, stuck with me for the entire eight hours, and there's no way we would have done anywhere near as well as we did without their help. I had no expectations of doing as well as we did, given that this was my first time participating, but it was a great deal of fun and I'm looking forward to doing more in the future.

The Defcon Toronto group is a pretty young one, having only been around for about four months, but it's already one of my favorites in the city. I want to say thanks to the entire DC416 crew for putting these challenges together and to everyone that participated for the great competition!