
Posts

Showing posts with the label Ringzer0

Ringzer0 - Java Script - Then obfuscation is more secure

Objective: Get that Flag

Solution: OK, so this is another JavaScript challenge, so the first thing I did was look in the source code for some JavaScript.

Found it!

var _0xc360=["\x76\x61\x6C","\x23\x63\x70\x61\x73\x73","\x61\x6C\x6B\x33","\x30\x32\x6C\x31","\x3F\x70\x3D","\x69\x6E\x64\x65\x78\x4F\x66","\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x27\x65\x72\x72\x6F\x72\x27\x3E\x57\x72\x6F\x6E\x67\x20\x70\x61\x73\x73\x77\x6F\x72\x64\x20\x73\x6F\x72\x72\x79\x2E\x3C\x2F\x64\x69\x76\x3E","\x68\x74\x6D\x6C","\x23\x63\x72\x65\x73\x70\x6F\x6E\x73\x65","\x63\x6C\x69\x63\x6B","\x2E\x63\x5F\x73\x75\x62\x6D\x69\x74"];$(_0xc360[12])[_0xc360[11]](function (){var _0xf382x1=$(_0xc360[1])[_0xc360[0]]();var _0xf382x2=_0xc360[2];if(_0xf382x1==_...

RingZeroCTF - Forensics - Dr Pouce

Objective: Find in which city Dr. Pouce is kept! Then find who is the evil man? Answer format: cityfirstnamelastname

Solution: So this is a zip file that contains two files. We are just going to use metadata to find the answer to these two questions.

The first question: in which city is Dr. Pouce being kept? We will use the jpg file to see if there is any geolocation data in the jpg.

Cool, there is some geo data. Let's open it up in OpenStreetMap to see where it is:

Downtown Halifax
https://www.openstreetmap.org/?mlat=44.646231&mlon=-63.573287&zoom=15#map=15/44.6462/-63.5733

Now I poked around to see if there was info in the jpg about who took the picture, but there wasn't, so I opened the PDF and looked at the Document properties. There it was:

Author: Steve Finger

So HalifaxSteveFinger is the flag.

RingzeroCTF - Crypt - Can you understand this sentence?

Objective: Get the flag

Solution: Bubble Babble

I had to google around on this one a bit to figure out that it was Bubble Babble. I had never heard of it, but it is essentially just another way of encoding hex so that it looks a bit more palatable to the human eye.

I tried my Google-Fu to find an online decrypter/decoder but didn’t find anything. I did, however, find this site with a PHP script that can both encode and decode Bubble Babble:

http://bohwaz.net/p/Bubble-Babble-CLI-encoder-decoder

I downloaded bubblebabble.php and dumped the message into a text file to feed into the PHP script:

root@kali:~/Downloads# echo "xipak-comok-repuk-vanik-dytuk-dimyk-sinyx" >> bubble.txt

Then I pushed that through the PHP decoding script:

root@kali:~/Downloads# php ./bubblebabble.php -d bubble.txt
hackingbubble

Ringzer0CTF – Linux – Level2

Objective: Get the flag…… I don’t know what else to put here

Find architect password
User: morpheus
Password: VNZDDLq2x9qXCzVdABbR1HOtz
ssh challenges.ringzer0team.com port 10148

Solution: OK, so we log in with the same user/pass as the last level and now need to find another password.

This one took a bit of time for a refresher for me. First I tried the same process we did for the last level to see if we could find a command running with the password like we did for trinity…. Nope.

OK, so let’s just search the entire file system for “architect”. Let’s get to /

cd ../
morpheus@lxc-sysadmin:/$ ls
backup  bin  boot  dev  etc  home  lib  lib64  media  mnt  nohup.out  opt  proc  root  run  sbin  srv  sys  tmp  usr  var

OK, now my first iteration here was just

grep -r "architect"

That ...

Ringzer0CTF – Linux – Level1

Objective: Get the flag…… I don’t know what else to put here

Solution: Find Trinity password
User: morpheus
Password: VNZDDLq2x9qXCzVdABbR1HOtz
ssh challenges.ringzer0team.com port 10089

OK, let’s start by connecting via ssh using the provided creds.

morpheus@lxc-sysadmin:~$

Let’s start by checking the home directory:

morpheus@lxc-sysadmin:~$ ls -al
total 20
dr-x------ 2 morpheus morpheus 4096 Oct 17  2018 .
drwxr-xr-x 8 root     root     4096 May 30  2018 ..
lrwxrwxrwx 1 root     root        9 May 30  2018 .bash_history -> /dev/null
-r-x------ 1 morpheus morpheus  220 Aug 31  2015 .bash_logout
-r-x------ 1 morpheus morpheus 3771 Jun  2  2018 .bashrc
lrwxrwxrwx 1 root     root        9 Oct 17  2018 .mysql_histo...

Ringzer0CTF – Web – Looking for password file

Objective: Get the flag…… I don’t know what else to put here

Solution: So we are looking for a password file. This is the challenge site:

http://challenges.ringzer0team.com:10075/?page=lorem.php

It looks like it's using PHP to load up a page named lorem.php - the little "?" in the URL is what makes me think it's PHP.

The first thing I think of when I see a URL like this is directory traversal. Let’s check and see if this is exploitable using directory traversal. Let’s try ../ instead of lorem.php to see if it will try to read it from the next directory above where it's currently looking:

http://challenges.ringzer0team.com:10075/?page=../

Warning: require(/var/www): failed to open stream: No such file or directory in /var/www/html/index.php on line 43
Fatal error: require(): Failed opening required '../' (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/html/i...

Ringzer0CTF – Web – Big Brother is watching

Objective: Get the flag…… I don’t know what else to put here

Hint: Even Google can’t find this one

Solution: So that’s a pretty big hint. What can’t Google see with its web crawlers?

robots.txt

This is a config file you can place on your website that directs Google or any other web crawler to not index certain directories or files. Here is some info from Google about robots.txt:

https://support.google.com/webmasters/answer/6062608?hl=en

Let’s check the robots.txt file for this site to see what Google is not allowed to index:

https://ringzer0ctf.com/robots.txt

User-agent: *
Disallow: /16bfff59f7e8343a2643bdc2ee76b2dc/

Just one folder that Google should not index. Let's see what’s in there:

https://ringzer0ctf.com//16bfff59f7e8343a2643bdc2ee76b2dc/

FLAG-G5swO95w0c7R5fq0sa85nVs5dK49O04i

There is our flag.

Ringzer0CTF – Cryptography – I lost MY password Can you find it?

Objective: Get the flag…… I don’t know what else to put here

Solution: So this level gives you a tar file. I downloaded the tar and unzipped it.

There is a policies folder with the following folders inside:

02/06/2014  09:20 AM    <DIR>          .
02/06/2014  09:20 AM    <DIR>          ..
02/05/2014  03:59 PM    <DIR>          {31B2F340-016D-11D2-945F-00C04FB984F9}
02/05/2014  03:59 PM    <DIR>          {6AC1786C-016F-11D2-945F-00C04fB984F9}
02/06/2014  09:22 AM    <DIR>          {75DE8F0A-DEC0-441F-AE29-90DFAFCF632B}
02/06/2014  ...

RingZer0CTF - Web - Area 51

Objective: Get that flag

Solution: On this challenge we get this message:

Access to this area is restricted using some secure .htaccess

So, .htaccess. From there I started just by googling .htaccess (I’ve heard of this before but never really dealt with Apache servers).

OK, next I googled .htaccess bypass. I found a forum that says to get around this, sometimes it's just as simple as using PUT instead of GET.

https://security.stackexchange.com/questions/177279/how-to-bypass-htaccess-protection

So I fired up YARC (Yet Another REST Client) and sent a PUT instead of a GET to the site. Now I get this:

<div class="challenge-wrapper">
<br />
<span class="red">AREA 51</span>
The origin of the Area 51 name is unclear? Alien?
<br />
<div class="alert alert-info" role="alert">
FLAG-w4KRr557y626izv567758O52 <...

Ringzer0CTF – Web – Headache

Objective: Get that flag son

Solution: So this challenge is called Headache and we get this as a hint:

Answer is closer than you think!

So let's look at the response header to see what we see. I loaded Yet Another REST Client into my Chrome and pointed it at the challenge. I had to do some research on REST because I wasn’t too familiar with it.

So I loaded up the challenge in YARC, and under response headers we see the flag:

Response 200
Request URL: https://ringzer0ctf.com/challenges/43
Request Method: GET
Response Time: 0.465 seconds
Response Status: 200 - OK

{
  "date": "Wed, 16 Oct 2019 15:21:20 GMT",
  "content-encoding": "gzip",
  "x-content-type-options": "nosniff",
  "age": "0",
  "flag": "FLAG-365m4fU5p2DVEQbfrptDE5Ru...