[CSAW 2016] Kill Writeup


Description:

Is kill can fix? Sign the autopsy file?
kill.pcapng

This challenge was the first in the Forensics category and was very simple. We are given what seems to be a corrupted pcapng file; I wasn’t able to open it in Wireshark or Tcpdump. I ran strings on it in the hope of finding the flag:

[Megabeets] /tmp/CSAW/kill# strings kill.pcapng | grep -i flag
=flag{roses_r_blue_violets_r_r3d_mayb3_harambae_is_not_kill}

And to my great surprise I got it: the flag was written in plain text in the file.

[ASIS CTF] SecuPrim Writeup


Description:
Test your might.
secuprim.asis-ctf.ir 42738

Who doesn’t love a good PPC challenge? We were provided with only a URL and port, so I ran Netcat and faced a bot detection system asking me for ‘X’. The message said that |X|=4. I gave the 2 possible options for an absolute value of 4, and both were wrong answers.

[Megabeets]$ nc secuprim.asis-ctf.ir 42738
Bot detection: Are you ready?
ASIS needs proof of work to start the Math challenge.
SHA256(X + "YNT7TFm4gVadh44qNzwQdG").hexdigest() = "9a1f5add2c9198721d5efe3ba4512866...",
X is a string of alphanumeric and |X| = 4
Enter X: 4
Sorry, Bad proof of work!

[Megabeets]$ nc secuprim.asis-ctf.ir 42738
Bot detection: Are you ready?
ASIS needs proof of work to start the Math challenge.
SHA256(X + "tu1uQei0DpFfmmKaF1rdAH").hexdigest() = "1b4d598ef4e9e86dc1adb7d862e7b35f...",
X is a string of alphanumeric and |X| = 4
Enter X: -4
Sorry, Bad proof of work!

Well, if |X| doesn’t stand for ‘absolute value of’, then it must be ‘length of’. Notice that both the string appended to X and the SHA256 result change on every connection. I wrote Python code to calculate the answer. You can find it in the script embedded below. After answering I got another test, which I was asked to solve 30 times (with a different value each time):

Good work, let's Go!

In each stage tell us the number of primes or perfect power integers in given range
-----------------------------------------------------------------------------------
What's the number of primes or perfect powers like n such that: 938663777872425905508901094461658229700971384281663171048305722544018188212593585457097324115543346387856004047801971862171751790325297281452399266743172190627763744903214644942745803882444165938580204577049548534754135264523 <= n <= 938663777872425905508901094461658229700971384281663171048305722544018188212593585457097324115543346387856004047801971862171751790325297281452399266743172190627763744903214644942745803882444165938580204577049548534754135266078

I wrote the following script and got the flag:
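An added example, not the author's script: one way to solve both stages in Python, a brute-force search for the 4-character proof-of-work string and a counter for primes or perfect powers in a range. The function names, the Miller-Rabin bases and the choice to count perfect powers as a**k with a >= 2 and k >= 2 are assumptions, and the network exchange with the server is left out.

```python
import hashlib
import itertools
import string

ALPHABET = string.ascii_letters + string.digits          # "alphanumeric" per the prompt
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # assumed witness set

def solve_pow(suffix, digest_prefix, length=4):
    """Return X with SHA256(X + suffix).hexdigest() starting with digest_prefix, else None."""
    for chars in itertools.product(ALPHABET, repeat=length):
        x = "".join(chars)
        if hashlib.sha256((x + suffix).encode()).hexdigest().startswith(digest_prefix):
            return x

def is_probable_prime(n):
    """Miller-Rabin with fixed bases: exact below about 3.3e24, probabilistic above."""
    if n < 2:
        return False
    for p in MR_BASES:                 # trial division also handles n in MR_BASES
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:                  # write n - 1 as d * 2**s with d odd
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False               # a is a witness: n is composite
    return True

def iroot(n, k):
    """Largest integer r with r**k <= n (n >= 1), by binary search; no float rounding."""
    lo, hi = 1, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** k <= n else (lo, mid - 1)
    return lo

def is_perfect_power(n):
    """True if n == a**k for integers a >= 2, k >= 2 (the exponent is below bit_length)."""
    return any(iroot(n, k) ** k == n for k in range(2, n.bit_length()))

def count_primes_or_powers(lo, hi):    # inclusive range, as in the server's question
    return sum(is_probable_prime(n) or is_perfect_power(n) for n in range(lo, hi + 1))
```

With the values from the first session above, the call would be `solve_pow("YNT7TFm4gVadh44qNzwQdG", "9a1f5add2c9198721d5efe3ba4512866")`, which tries at most 62^4 (about 14.8 million) candidates.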


[ASIS CTF] Sky Blue Writeup


Description
Why is the sky blue?

We are given a PCAP file containing some Bluetooth traffic. The flag has probably been transmitted between the devices. Let’s see what files have been sent.

[Megabeets]$: binwalk -e blue.pcap

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
40535         0x9E57          PNG image, 1400 x 74, 8-bit colormap, non-interlaced

Binwalk found a PNG image but couldn’t export it. I opened Wireshark and searched for the string “PNG” in the packet bytes. I found the 7 packets containing the PNG and exported their packet bytes (i.e. only the DATA, without the header bytes of each packet: 02 0C 20 FC 03 F8 03 47 00 63 EF E6 07). I then concatenated the output files using HxD and deleted the extra data preceding the PNG file header.


We now have the PNG file which is the flag:


[ASIS CTF] CTF 101 Writeup


Description: http://www.megabeets.net/wp-admin/profile.php
Watch your heads!

The description tells the whole story. Simply look in the response’s headers and you’ll find the flag. To do that, open the browser’s Developer Tools (F12), bring the Network tab into focus and click the challenge. The HTTP requests will show up on the left panel. Select the request and the Flag header will be displayed on the right panel.

Decode the string with base64 and reveal the flag.

$ echo QVNJU3szMWE0ODM5MDBiODU3NjQyNmNjY2RmNTU0MDJiOWRkNn0K | base64 --decode
ASIS{31a483900b8576426cccdf55402b9dd6}