Showing posts with the label PicoCTF2018

picoCTF2018 – web – No Login

Objective: Looks like someone started making a website but never got around to making a login, but I heard there was a flag if you were the admin. http://2018shell.picoctf.com:33889 (link [1])

Hints: (1) What is it actually looking for in the cookie?

Solution: So the hint says it's looking for a cookie, but this site is not creating any cookies. So let's help it out. I used the Cookie-Editor extension in Firefox. Based on the similar earlier level, I created a cookie named Admin with a value of 1. Click the flag button and bang, got the flag:

    picoCTF{n0l0g0n_n0_pr0bl3m_260181a}

picoCTF2018 – web – Mr. Robots

Objective: Do you see the same things I see? The glimpses of the flag hidden away? http://2018shell.picoctf.com:10157 (link [1])

Hints: (1) What part of the website could tell you where the creator doesn't want you to look?

Solution: So the name and hints are telling us to look at robots.txt, which is a file that is used to have search engines not scan certain directories. Let's check the robots.txt for this site:

http://2018shell.picoctf.com:10157/robots.txt

    User-agent: *
    Disallow: /143ce.html

OK, they don't want the robots to look at 143ce.html.

http://2018shell.picoctf.com:10157/143ce.html

    So much depends upon a red flag
    picoCTF{th3_w0rld_1s_4_danger0us_pl4c3_3lli0t_143ce}

picoCTF2018 – Web – Irish Name Repo

Objective: There is a website running at http://2018shell.picoctf.com:52012 (link [1]). Do you think you can log us in? Try to see if you can login!

Solution: So here is the thing. Found the login page http://2018shell.picoctf.com:52012/login.html. In the inspector I see a value named Debug set to 0. I changed it to 1 and input a username/password. Look at that, the debug shows the SQL statement that ran when I hit login:

    username: user
    password: user
    SQL query: SELECT * FROM users WHERE name='user' AND password='user'
    Login failed.

So let's write a little SQL injection to pass the second part of the condition. We want to modify the condition after the end to include an OR statement so that we can pass the authentication. So for the username I put in admin, and for the password I did

    *'or'1'='1

which made the SQL statement

    SQL query: SELECT * FROM users WHERE name='admin
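The debug query above is built by pasting the form values into the SQL text. The following added example (not code from the challenge or from the original post) runs that query shape against a constructed in-memory SQLite table and compares it with a parameterized query; the table contents and function names are assumptions.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the challenge's users table; the real schema
    # and contents are not shown in the write-up.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db

def build_debug_query(name, password):
    # Same shape as the debug output: user input pasted into the SQL text.
    return "SELECT * FROM users WHERE name='%s' AND password='%s'" % (name, password)

def login_concatenated(db, name, password):
    # Vulnerable form: the quote in the password ends the string literal, and
    # the trailing OR makes the WHERE clause true for every row.
    return db.execute(build_debug_query(name, password)).fetchone() is not None

def login_parameterized(db, name, password):
    # Hardened form: values are bound as data and never parsed as SQL.
    row = db.execute(
        "SELECT * FROM users WHERE name=? AND password=?", (name, password)
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    payload = "*'or'1'='1"  # password value quoted in the write-up
    print(build_debug_query("admin", payload))
    print("concatenated:", login_concatenated(db, "admin", payload))
    print("parameterized:", login_parameterized(db, "admin", payload))
```

Because AND binds tighter than OR, the concatenated query reads as (name matches AND password matches) OR '1'='1', so it returns rows regardless of the password; the bound version compares the whole payload string against the stored password.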

picoCTF2018 – Web – Logon

Objective: I made a website so now you can log on to! I don't seem to have the admin password. See if you can't get to the flag. http://2018shell.picoctf.com:62746 (link [1])

Solution: So there doesn't appear to be any check on the actual login here to make sure the user/pass is real. I punched in doug for the username and as;ldkjfa;lsdkj for the password. After getting past the login screen I checked the cookies, and sure enough there is a session cookie named admin which has the value set to false. I just changed it to true and reloaded the page.

    picoCTF{l0g1ns_ar3nt_r34l_92020990}
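Both No Login and Logon fall because the server reads the admin flag from a cookie the browser can set freely. The following added example (not code from either challenge or from the original posts) shows that check beside one that only accepts a cookie carrying a server-side HMAC; the key, the `session` cookie name and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Assumption: constructed demo key. A real deployment uses a random secret
# that never leaves the server.
SERVER_KEY = b"constructed-demo-key"

def naive_is_admin(cookies):
    # The pattern the write-ups defeat: authority taken from a client value.
    return cookies.get("admin", "").lower() in ("1", "true")

def _tag(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_session(user, is_admin):
    # Server decides the claims, then signs them so edits are detectable.
    claims = json.dumps({"user": user, "admin": is_admin}).encode()
    body = base64.urlsafe_b64encode(claims).decode()
    return body + "." + _tag(body)

def verified_is_admin(cookies):
    body, _, tag = cookies.get("session", "").rpartition(".")
    # Constant-time comparison; any change to body or tag fails here.
    if not body or not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return False
    return json.loads(base64.urlsafe_b64decode(body)).get("admin") is True

def tamper(session):
    # What a cookie editor can do: rewrite the claims but keep the old tag.
    _, _, tag = session.rpartition(".")
    forged = base64.urlsafe_b64encode(b'{"user": "doug", "admin": true}').decode()
    return forged + "." + tag

if __name__ == "__main__":
    session = issue_session("doug", False)
    print(naive_is_admin({"admin": "true"}))               # edited cookie accepted
    print(verified_is_admin({"session": tamper(session)}))  # edited cookie rejected
```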

picoCTF2018 – Web – Client side is still bad

Objective: I forgot my password again, but this time there doesn't seem to be a reset, can you help me? http://2018shell.picoctf.com:8249 (link [1])

Solution: Looked at the HTML code and found this interesting bit:

    function verify() {
      checkpass = document.getElementById("pass").value;
      split = 4;
      if (checkpass.substring(split*7, split*8) == '}') {
        if (checkpass.substring(split*6, split*7) == '17e9') {
          if (checkpass.substring(split*5, split*6) == 'd_91') {
            if (checkpass.substring(split*4, split*5) == 's_ba') {
              if (checkpass.substring(split*3, split*4) == 'nt_i') {
                if (checkpass.substring(split*2, split*3) == 'clie') {
                  if (checkpass.substring(split, split*2) == 'CTF{') {
                    if (checkpass.substring(0,split) == 'pico')

picoCTF2018 – Web – Inspect Me

Objective: Inspect this code! http://2018shell.picoctf.com:28831 (link [1])

Solution: I loaded up the website and looked at the source code, and pretty quickly found this:

    <!-- I learned HTML! Here's part 1/3 of the flag: picoCTF{ur_4_real_1nspe -->

But it's only 1/3 of the flag… It looks like there is a css and js referenced in the code, let's check those out.

Mycss.css: here is part 2/3 in the css

    /* I learned CSS! Here's part 2/3 of the flag: ct0r_g4dget_b4887011} */

Here is part 3/3 in the java

    /* I learned JavaScript! Here's part 3/3 of the flag:   */

*** There really isn't anything in here, so let's just combine the two parts we found:

    picoCTF{ur_4_real_1nspe ct0r_g4dget_b4887011}

PicoCTF2018 - Forensics - What's My Name?

Objective: Say my name, say my name [1].

Hints: (1) If you visited a website at an IP address, how does it know the name of the domain?

Solution: So the hint is pointing us to DNS, since that is the service that translates names to IPs, so I just filtered the pcap for DNS. There are only two DNS packets in the capture. The first is a query to DNS to find out the IP for thisismyname.com:

    55 1418.342859 192.168.2.12 192.168.2.1 DNS 316 Standard query response 0xaaa0 ANY thisismyname.com A 192.168.2.13 CNAME myname.com MX 5 myname.com MX 10 mx2.myname.com MX 20 mx3.myname.com NS ns1.myname.com NS ns2.myname.com TXT SOA ns1.thisismyname.com

The second is the server's response. Here is the result of following the UDP ...

    .........thisismyname.com.......)............... .....thisismyname.com..............,..... .........,. .myname...........,.....>.........,... .mx2.>.........,.....mx3.>........Q....n

PicoCTF2018 - Forensics - now you don't

Objective: We heard that there is something hidden in this picture [1]. Can you find it?

Hints: (1) There is an old saying: if you want to hide the treasure, put it in plain sight. Then no one will see it. (2) Is it really all one shade of red?

Solution: I used IrfanView to get through this one. As the hint suggests, even though it looks like it's just one solid color, there is another color present. Load up IrfanView and you see just red. If you go to Image and Replace Color, you can choose to replace a specific color with another. I chose to replace it with black.

Original image:

Modified image:

    picoCTF{n0w_y0u_533_m3}

PicoCTF2018 - Forensics - Truly an Artist

Objective: Can you help us find the flag in this Meta-Material [1]? You can also find the file in /problems/truly-an-artist_0_4f3e3848bbbfc5cfcfa404bd18b8ac96.

Solution: Found the password in the EXIF data using exiftool:

    @kali:~/Downloads$ exiftool 2018.png
    ExifTool Version Number         : 11.65
    File Name                       : 2018.png
    Directory                       : .
    File Size                       : 13 kB
    File Modification Date/Time     : 2019:09:24 11:22:57-07:00
    File Access Date/Time           : 2019:09:24 11:23:36-07:00
    File Inode Change Date/Time     : 2019:09:24 11:22:59-07:00
    File Permissions                : rw-r--r--
    File Type                       : PNG
    File Type Extension             : png
    MIME Type                       : image/png
    Image Width                     : 1200
    Image Height                    : 630
    Bit Depth                       : 8
    Color Type                      : RGB
    Compression

PicoCTF2018 - Forensics - hex editor

Objective: This cat [1] has a secret to teach you. You can also find the file in /problems/hex-editor_3_086632ac634f394afd301fb6a8dbadc6 on the shell server.

Solution: So from the objective it looks like our flag will be in the hex of the picture. I downloaded the picture and opened it with hexeditor:

    @kali:/home$ hexeditor /home/***********/Downloads/hex_editor.jpg

Since we know the flag starts with I used W to search for pico; I chose search for text string.

    File: /home/*****************/Dow   ASCII Offset: 0x00000000 / 0x00012975 ()
    00000000  FF D8 FF E0  00 10 4A 46   49 46 00 01  01 00 00 01   ......JFIF......
    00000010  00 01 00 00  FF DB 00 43   00 05 03 04  04 04 03 05   .......C........
    00000020  04 04 04 05  05 05 06 07   0C 08 07 07  07 07 0F 0B   ................
    00000030  0B 09 0C 11  0F 12 12 11   0F 11 11 13  16 1C 17 13   ................
    00000040  14 1A 15 11  11 18 21 18   1A 1D 1D 1F  1F 1F 13 17   ......!...

PicoCTF2018 - Forensics - admin panel

Objective: We captured some traffic [1] logging into the admin panel, can you find the password?

Solution: Downloaded the file and opened it with Wireshark. Towards the bottom of the capture I saw where the admin panel is being displayed. I found the next POST up in the log and found the password:

    POST /login HTTP/1.1
    Host: 192.168.3.128
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.3.128/
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 53
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1

    user=admin&password=picoCTF{n0ts3cur3_9feedfbc}

PicoCTF2018 - Forensics - Recovering from the Snap

Objective: There used to be a bunch of animals [1] here, what did Dr. Xernon do to them?

Hints: (1) Some files have been deleted from the disk image, but are they really gone?

Solution: I used foremost to recover the files from the DD image. Let's mount the DD to see what is inside, visible to my OS:

    @kali:/$ sudo mkdir /mnt/disk_image
    @kali:/$ sudo mount -o loop -t auto /home/circusmonkey404/Downloads/animals.dd /mnt/disk_image

Let's see what's in there:

    kali:/mnt/disk_image$ ls
    dachshund.jpg  frog.jpg  music.jpg  rabbit.jpg

4 files named after animals. Let's throw Foremost at it and see what it finds:

    kali:/mnt/disk_image$ ls
    dachshund.jpg  frog.jpg  music.jpg  rabbit.jpg

Let's check and see what foremost found:

    @kali:~/Downloads$ ls
    animals.dd  husky.png  incidents.json  output_Tue_Sep_24_10_45_31_2019  passwd
    @kali:~/Downloads$ cd output_Tue_Sep_24_10_45_31_2019/
    @kali:~/Downloads/

PicoCTF2018 - Forensics - Desrouleaux

Objective: Our network administrator is having some trouble handling the tickets for all of our incidents. Can you help him out by answering all the questions? Connect with nc 2018shell.picoctf.com 63299. incidents.json [1]

Solution:

    You'll need to consult the file `incidents.json` to answer the following questions.
    What is the most common source IP address? If there is more than one IP address that is the most common, you may give any of the most common ones.
    186.120.220.162
    Correct!

I just looked at my list to see which source IP was used most.

    How many unique destination IP addresses were targeted by the source IP address 186.120.220.162?
    3
    Correct!

I just counted the number of unique destinations for that IP.

    What is the number of unique destination ips a file is sent, on average? Needs to be correct to 2 decimal places.
    1.11
    Correct!

I looked at my output and 8 were unique and only 1 went t

PicoCTF2018 Forensics Forensics Warmup 2

Objective: Hmm for some reason I can't open this PNG [1]? Any ideas?

Solution: Downloaded the file, its name is flag.png. Tried to open it in the GUI and it gives an error. Let's run file against it and see what kind of file it might be:

    @kali:~/Downloads$ file flag.png
    flag.png: JPEG image data, JFIF standard 1.01, resolution (DPI), density 75x75, segment length 16, baseline, precision 8, 909x190, components 3

OK, let's change the extension to jpg:

    @kali:~/Downloads$ cp flag.png flag.jpg

Now we can open it in the GUI.

    picoCTF{extensions_are_a_lie}

PicoCTF2018 Forensics Forensics Warmup

Objective: Can you unzip this file [1] for me and retrieve the flag?

Solution: So this one is just a zip file. Unzip it and you get a jpg of the flag.

    picoctf{welcome_to_forensics}

picoCTF2018 Miscellaneous Absolutely-relative

Objective: In a filesystem, everything is relative ¯\_(ツ)_/¯. Can you find a way to get a flag from this program [1]? You can find it in /problems/absolutely-relative_2_69862edfe341b57b6ed2c62c7107daee on the shell server. Source [2].

Here is the program we need to retrieve the flag:

    #include <stdio.h>
    #include <string.h>

    #define yes_len 3
    const char *yes = "yes";

    int main() {
        char flag[99];
        char permission[10];
        int i;
        FILE * file;

        file = fopen("/problems/absolutely-relative_2_69862edfe341b57b6ed2c62c7107daee/flag.txt" , "r");
        if (file) {
            while (fscanf(file, "%s", flag)!=EOF)
            fclose(file);
        }

        file = fopen( "./permission.txt" , "r");
        if (file) {
            for (i = 0; i < 5; i++){
                fscanf(file, "%s", permission);
            }
            permission[5] = '\0';
            fcl

PicoCTF2018 Cryptography RSA-Madlibs

Objective: We ran into some weird puzzles we think may mean something, can you help me solve one? Connect with nc 2018shell.picoctf.com 50652

Solution:

    Hello, Welcome to RSA Madlibs
    Keeping young children entertained, since, well, nev3r
    Tell us how to fill in the blanks, or if it's even possible to do so
    Everything, input and output, is decimal, not hex
    #### NEW MADLIB ####
    q : 93187
    p : 94603
    ##### WE'RE GONNA NEED THE FOLLOWING ####
    n
    IS THIS POSSIBLE and FEASIBLE? (Y/N):y

This is possible because n = pq so we just simply multiply the numbers to get q

    #### TIME TO FILL IN THE MADLIB! ###
    n: 8815769761
    YAHHH! That one was a great madlib!!!
    #### NEW MADLIB ####
    p : 81203
    n : 6315400919
    ##### WE'RE GONNA NEED THE FOLLOWING ####
    q
    IS THIS POSSIBLE and FEASIBLE? (Y/N):y

This is also possible since n=pq  transitively we know that q=n/p

    #### TIME TO FILL IN THE MADLIB! ###
    q: 77773
    YAHHH! That one was

PicoCTF2018 Cryptography caesar cipher 2

Objective: Can you help us decrypt this message [1]? We believe it is a form of a caesar cipher. You can find the ciphertext in /problems/caesar-cipher-2_0_372a62ea0204b948793a2b1b3aeacaaa on the shell server.

Hint: (1) You'll have to figure out the correct alphabet that was used to encrypt the ciphertext from the ascii character set (2) ASCII Table (https://www.asciitable.com/)

Solution: Here is the output for the nc session:

    ^WQ]1B4iQ/SaO@M1W>V3`AMXcABMO@3\BMa3QC`3k

Solution: So I assume this is a shift, but on ASCII instead of the alphabet. This site can decrypt these for us: https://www.dcode.fr/ascii-shift-cipher

shift 110

    picoCTF{cAesaR_CiPhErS_juST_aREnT_sEcUrE}
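The shift the site reports can be recovered directly from the known flag prefix. The following added example (not code from the original post) works over the 128-character ASCII alphabet, uses the ciphertext quoted above, and relates the "shift 110" setting to the +18 that undoes it; the function names are assumptions.

```python
# Ciphertext as quoted in the write-up (raw string because it contains a backslash).
CIPHERTEXT = r"^WQ]1B4iQ/SaO@M1W>V3`AMXcABMO@3\BMa3QC`3k"
MODULUS = 128  # shift over the 7-bit ASCII set rather than the 26 letters

def shift(text, k, modulus=MODULUS):
    # Add k to every code point, wrapping inside the ASCII range.
    return "".join(chr((ord(c) + k) % modulus) for c in text)

def recover_shift(ciphertext, known_prefix="picoCTF{", modulus=MODULUS):
    # Known-plaintext check: every prefix character must agree on one shift.
    shifts = {
        (ord(p) - ord(c)) % modulus
        for p, c in zip(known_prefix, ciphertext)
    }
    return shifts.pop() if len(shifts) == 1 else None

def printable_candidates(ciphertext, modulus=MODULUS):
    # Without a known prefix: keep only shifts whose output is all printable.
    out = []
    for k in range(modulus):
        plain = shift(ciphertext, k, modulus)
        if all(32 <= ord(ch) <= 126 for ch in plain):
            out.append((k, plain))
    return out

if __name__ == "__main__":
    k = recover_shift(CIPHERTEXT)
    print("decrypting shift:", k)            # undoes the encryption
    print("encrypting shift:", MODULUS - k)  # the value the site reports
    print(shift(CIPHERTEXT, k))
```

Adding 18 and subtracting 110 are the same operation modulo 128, which is why a tool set to "shift 110" and a manual +18 give the same plaintext.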

PicoCTF2018 Cryptography hertz 2

Objective: This flag has been encrypted with some kind of cipher, can you decrypt it? Connect with nc 2018shell.picoctf.com 12521.

Got this as the result of the nc:

    Let's decode this now!
    Yws deruo caign pib qekvh ifsa yws ljzm tix. R ujn'y cslrsfs ywrh rh heuw jn sjhm vaiclsk rn Vrui. Ry'h jlkihy jh rp R hilfst j vaiclsk jlasjtm! Iojm, prns. Wsas'h yws pljx: vruiUYP{hechyryeyrin_urvwsah_jas_yii_sjhm_xknrcraynf}

The hint says "These kinds of problems are solved with a frequency that metric some analysis"

Solution: So let's use letter frequency to try and crack it. Some super high level analysis: I don't see any double letters that would be like OO in English, but we can borrow some logic from the Enigma crack. Just like every message the Germans were sending ended with Heil Hitler, we know the format of the flag. The flag always starts with picoCTF, so we can be fairly certain that the letters  vruiUYP