
Posts

PicoCTF2018 - Forensics - now you don't

Objective: We heard that there is something hidden in this picture [1]. Can you find it?

Hints:
(1) There is an old saying: if you want to hide the treasure, put it in plain sight. Then no one will see it.
(2) Is it really all one shade of red?

Solution: I used IrfanView to get through this one. As the hint suggests, even though it looks like it's just one solid color, there is another color present. Load up IrfanView and you see just red. If you go to Image and Replace Color, you can choose to replace a specific color with another. I chose to replace it with black.

Original image:

Modified image:

picoCTF{n0w_y0u_533_m3}

PicoCTF2018 - Forensics - Truly an Artist

Objective: Can you help us find the flag in this Meta-Material [1]? You can also find the file in /problems/truly-an-artist_0_4f3e3848bbbfc5cfcfa404bd18b8ac96.

Solution: Found the password in the EXIF data using exiftool.

    @kali:~/Downloads$ exiftool 2018.png
    ExifTool Version Number         : 11.65
    File Name                       : 2018.png
    Directory                       : .
    File Size                       : 13 kB
    File Modification Date/Time     : 2019:09:24 11:22:57-07:00
    File Access Date/Time           : 2019:09:24 11:23:36-07:00
    File Inode Change Date/Time     : 2019:09:24 11:22:59-07:00
    File Permissions                : rw-r--r--
    File Type                       : PNG
    File Type Extension             : png
    MIME Type                       : image/png
    Image Width                     : 1200
    Image Height                    : 630
    Bit Depth                       : 8
    Color Type                      : RGB
    Compression

PicoCTF2018 - Forensics - hex editor

Objective: This cat [1] has a secret to teach you. You can also find the file in /problems/hex-editor_3_086632ac634f394afd301fb6a8dbadc6 on the shell server.

Solution: So from the objective it looks like our flag will be in the hex of the picture. I downloaded the picture and opened it with hexeditor.

    @kali:/home$ hexeditor /home/***********/Downloads/hex_editor.jpg

Since we know the flag starts with I used W to search for pico, I chose search for text string.

    File: /home/*****************/Dow   ASCII Offset: 0x00000000 / 0x00012975 ()
    00000000  FF D8 FF E0  00 10 4A 46   49 46 00 01  01 00 00 01   ......JFIF......
    00000010  00 01 00 00  FF DB 00 43   00 05 03 04  04 04 03 05   .......C........
    00000020  04 04 04 05  05 05 06 07   0C 08 07 07  07 07 0F 0B   ................
    00000030  0B 09 0C 11  0F 12 12 11   0F 11 11 13  16 1C 17 13   ................
    00000040  14 1A 15 11  11 18 21 18   1A 1D 1D 1F  1F 1F 13 17   ......!...

PicoCTF2018 - Forensics - admin panel

Objective: We captured some traffic [1] logging into the admin panel, can you find the password?

Solution: Downloaded the file and opened it with Wireshark. Towards the bottom of the capture I saw where the admin panel is being displayed. I found the next POST up in the log and found the password.

    POST /login HTTP/1.1
    Host: 192.168.3.128
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.3.128/
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 53
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1

    user=admin&password=picoCTF{n0ts3cur3_9feedfbc}
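The cleartext login above, seen from the monitoring side: an added example (not part of the original post) that parses a reassembled TCP payload and reports credential-like form fields sent over unencrypted HTTP. The field-name list and the sample payload are constructed assumptions.

```python
from urllib.parse import parse_qsl

# Field names treated as credentials (assumption; extend for your applications).
SENSITIVE = {"password", "passwd", "pass", "pwd", "token", "secret"}

def parse_request(payload: bytes):
    """Split one cleartext HTTP request into (method, path, headers, body)."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None                      # header block incomplete or not HTTP
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body

def cleartext_credentials(payload: bytes):
    """Return findings for credential fields in a form-encoded request body."""
    req = parse_request(payload)
    if req is None:
        return []
    method, path, headers, body = req
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/x-www-form-urlencoded":
        return []
    declared = headers.get("content-length", "")
    if declared.isdigit():
        body = body[:int(declared)]      # ignore pipelined data after the body
    fields = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    return [{"host": headers.get("host", "?"), "method": method, "path": path,
             "field": k, "value_len": len(v)}   # report length, never the secret
            for k, v in fields if k.lower() in SENSITIVE]

# Constructed sample: a reassembled TCP payload shaped like the request above.
BODY = b"user=admin&password=EXAMPLE%7Bnot_a_real_flag%7D"
SAMPLE = (b"POST /login HTTP/1.1\r\nHost: 192.168.3.128\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY)

if __name__ == "__main__":
    for finding in cleartext_credentials(SAMPLE):
        print(finding)
```

Any finding from this check on port 80 traffic means the login form is not protected by TLS; the finding records only the field name and value length so the alert itself does not leak the secret.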

PicoCTF2018 - Forensics - Recovering from the Snap

Objective: There used to be a bunch of animals [1] here, what did Dr. Xernon do to them?

Hints:
(1) Some files have been deleted from the disk image, but are they really gone?

Solution: I used foremost to recover the files from the DD image.

Let's mount the DD to see what is inside visible to my OS:

    @kali:/$ sudo mkdir /mnt/disk_image
    @kali:/$ sudo mount -o loop -t auto /home/circusmonkey404/Downloads/animals.dd /mnt/disk_image

Let's see what's in there:

    kali:/mnt/disk_image$ ls
    dachshund.jpg  frog.jpg  music.jpg  rabbit.jpg

4 files named after animals. Let's throw Foremost at it and see what it finds:

    kali:/mnt/disk_image$ ls
    dachshund.jpg  frog.jpg  music.jpg  rabbit.jpg

Let's check and see what foremost found:

    @kali:~/Downloads$ ls
    animals.dd  husky.png  incidents.json  output_Tue_Sep_24_10_45_31_2019  passwd
    @kali:~/Downloads$ cd output_Tue_Sep_24_10_45_31_2019/
    @kali:~/Downloads/

PicoCTF2018 - Forensics - Desrouleaux

Objective: Our network administrator is having some trouble handling the tickets for all of our incidents. Can you help him out by answering all the questions? Connect with nc 2018shell.picoctf.com 63299. incidents.json [1]

Solution:

    You'll need to consult the file `incidents.json` to answer the following questions.

    What is the most common source IP address? If there is more than one IP address that is the most common, you may give any of the most common ones.
    186.120.220.162
    Correct!

I just looked at my list to see which source IP was used most.

    How many unique destination IP addresses were targeted by the source IP address 186.120.220.162?
    3
    Correct!

I just counted the number of unique destinations for that IP.

    What is the number of unique destination ips a file is sent, on average? Needs to be correct to 2 decimal places.
    1.11
    Correct!

I looked at my output and 8 were unique and only 1 went t