
# Mission 1 & Mission 2 Write-Ups – Security-BSides London

Hi all! Last February I participated in the Security BSides Challenges, here:

Yesterday @AlecRWaters contacted me to confirm that we got second position in both challenges, so we got a ticket to this infosec conference.

```
"Hi ,
I’m delighted to announce that you’ve won second prize in both Challenge 1 and Challenge 2! The prize for both is a BSides ticket"
```

## Mission 1: The Bot Hunter – by Gareth Owen, University of Portsmouth

… And automatization ‘ugly-solver’ :)

```
#!/usr/bin/env python3

import socket
import sys

# challenge
channel = '#malfor-russia'
channel_key = 'bubblegum'
nickname = sys.argv[1]
key = 'iamborg'

# bot irc
HOST = "irc.swepipe.se"
PORT = 6667
IDENT = 'tunelko'
REALNAME = 'Dummy'

# Limit size of nickname due to key len. Only 7 chars, enough.
if len(nickname) < 7:
    print('Error: Nickname must be greater than %i chars' % len(nickname))
    sys.exit(0)
if len(nickname) > 7:
    print('Error: Nickname must be lower than %i chars' % len(nickname))
    sys.exit(0)

# Each nickname character is combined with the key character at the same
# position and mapped to an uppercase letter A-Z.
# Assumption: the statement that consumes x is missing from the published
# listing; appending chr(x) to the password is a reconstruction.
password = ''
for nickchar, keychar in zip(nickname, key):
    n = ord(nickchar)
    k = ord(keychar)
    x = ((k + n) % 26) + 0x41
    password += chr(x)

print('Connecting ... SHUTDOWN', password)
# Assumption: the password follows the command, as the line above prints it.
message = 'SHUTDOWN ' + password

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
s.send(("NICK %s\r\n" % nickname).encode())
s.send(("USER %s %s Imborg for the real work:%s\r\n" % (IDENT, HOST, REALNAME)).encode())

while True:
    data = s.recv(1024)
    if not data:  # server closed the connection
        break
    buff = data.decode(errors='replace')
    print(buff)

    # Answer every PING line with its own token, wherever it sits in the buffer
    for line in buff.splitlines():
        if line.startswith('PING'):
            s.send(('PONG ' + line.split()[1] + '\r\n').encode())

    s.send(("JOIN %s %s \r\n" % (channel, channel_key)).encode())
    s.send(("PRIVMSG %s :%s \r\n" % (channel, message)).encode())
    s.send(("PART %s\r\n" % channel).encode())
    # s.send(b'QUIT bye\r\n')
```

## Mission 2: Cipher-Decipher-Recipher by Anthony Cox, KPMG

```
== Mission 2
== https://www.securitybsides.org.uk/challenge2.html

1. 1stage.pdf

Open the file with Adobe Illustrator and reveal the hidden text with any technique or by applying effects. See attached image.
Flag 1: KPMG

2. 2bsides.exe

This binary listens on port 2222 when running and asks us for a password.

$ /home/tunelko/SECBsides_Missions# wine32 2bsides.exe
fixme:heap:HeapSetInformation (nil) 1 (nil) 0

$ /home/tunelko/SECBsides_Missions# netstat -putan
Active Internet connections (servers and established)
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      9628/wineserver
...

It is really easy to run strings and find the unobfuscated flag:

$ /home/tunelko/SECBsides_Missions# strings 2bsides.exe |grep flag
Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag
Welcome BSider.    Today's flag is: befd188c4e4002048a9534a82d38c5ea

Another way to get the flag is to run the binary normally and connect with netcat to port 2222; the password 'Bsides' is found in plaintext in the strings output:

$ /home/tunelko/SECBsides_Missions# nc localhost 2222
> Bsides
Welcome BSider.    Today's flag is: befd188c4e4002048a9534a82d38c5ea

3. Cryptic hashword

This time we find the final flag by solving the across & down cryptic hashword with the help of online hash password crackers.
Final 3: NUOFNFFFCEOTPMT

ACROSS

1. 3a52b599a21b2990b28930141016c5a71afa184e3ef94958d882f519e1ddf5f2fa8f9d653eb0dc0de2307087cee6f8f5: sha384('FORTIFIED')
4. 0a7b77e1bff2cdf175f16e6d7ba96ce707ec6d1f: sha1('SECURITY')
5. fd9de800564763ece59368d35b281690: md5('ENCRYPTION')
8. 7f5217333bb19cb9ac50829635cc398601d1e505: sha1('CIPHER')
9. bfd82eb21826f62d7a9bbbd3fd0311e6a273a1d8: sha1('MULTIPLE')

DOWN

1. sha512 ('FALSIFIED')
2. b9e14d9b2886bcff408b85aefa780419: md5('FAILED')
3. 5de71b2143c86cd2e0c801830ed729e7ef2f8f478b454d7d3e9dd5a86a92b255: sha256('TESTING')
7. 05e5aaf0f4c97d227a5653c3187747ea93e31d7e: sha1('ORIGINAL')
10. 7e0dea93ce606f7b88f6af965d37e83a: md5('ENTROPY')

4. 4giraffe.jpg

Found text in comment section:
$ ~/SECBsides# file 4giraffe.jpg
4giraffe.jpg: JPEG image data, JFIF standard 1.01, comment: "It is a little known fact that giraffes are extremely camera/s\251"

;It is a little known fact that giraffes are extremely camera/shy.  The famous game keeper John Hiderman spent years observing their behaviour and after years of evolution they have developed a number of interesting camouflage techniques.  This specimen is called Gemma - John thinks she is the key to the mystery!

So the key to unhide the flag is "Gemma". Let's find out which stego application was used to hide it.

$ stegdetect 4giraffe.jpg
camouflage(960)<[nonrandom][data][................]>

It seems the old Camouflage application was used to hide files. Let's extract:

$ .wine/dosdevices/c:/Program Files/Camouflage# cat flag4.txt
Congratulations on finding the flag for this stage, told you Gemma was the key!

Flag 4: GLNIGILTHNWEAAI

5. 5testcard.png

First, zsteg -a gives no positive results.

$ ~/SECBsides# zsteg -a 5testcard.png
b2,b,lsb,yx,prime   .. text: "}UUAUUUUUUj"
b4,r,lsb,yx,prime   .. text: "#3ffffff`"
b8,r,lsb,yx,prime   .. text: ",+-024RY_i"
b8,g,lsb,yx,prime   .. text: "}ukgfc^XVTQHBB>><"
b8,b,lsb,yx,prime   .. text: "}}}}}}}}}}}}}}}}~~~~~~~~~~~\$ %,6=AHRVafw}"
b8,b,msb,yx,prime   .. text: "~~~~~~~~~~~\$"
b2,g,msb,YX,prime   .. text: "}/mWUEUUUU"
b2,g,msb,yX,prime   .. text: "\tUUEUUUEp"
b2,r,msb,Yx,prime   .. text: "8FUUAUUu"
b2,b,lsb,Yx,prime   .. text: "UUUUUUAUUU"
b8,r,lsb,Yx,prime   .. text: "~~}}||||||{{{{{{{{{&"
b8,g,lsb,Yx,prime   .. text: "^__cddqrux~"
b8,g,msb,Yx,prime   .. text: "Q1qq\tI))"
b8,b,lsb,Yx,prime   .. text: "|n\\WUQIA<:5)#\" "

Using Stegsolve.jar to extract data from bit planes r,b,g,a, found:
@attached images

Flag 5: RASNTNAHAGWININ
```
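
The hashword clues in step 3 can also be checked offline. The following is an added example, not part of the original write-up: it guesses the hash function from the digest length and tests a candidate word list. The word list and the sample clues are constructed here.

```python
import hashlib

# Hex digest length -> hash functions of that size (the five used in the grid).
BY_LENGTH = {32: ("md5",), 40: ("sha1",), 64: ("sha256",),
             96: ("sha384",), 128: ("sha512",)}


def identify(digest_hex):
    """Return candidate algorithm names for a hex digest, judged by length only."""
    digest_hex = digest_hex.strip().lower()
    try:
        bytes.fromhex(digest_hex)
    except ValueError:
        return ()  # not hexadecimal at all
    return BY_LENGTH.get(len(digest_hex), ())


def crack(digest_hex, words):
    """Try each word, upper and lower case, under every candidate algorithm."""
    target = digest_hex.strip().lower()
    for algo in identify(target):
        for word in words:
            for cand in (word.upper(), word.lower()):
                if hashlib.new(algo, cand.encode()).hexdigest() == target:
                    return algo, cand
    return None


def solve(clues, words):
    """Map clue label -> (algorithm, word), or None when no word matches."""
    return {label: crack(digest, words) for label, digest in clues.items()}


# Constructed sample: a short candidate list and clues hashed on the spot so the
# example runs offline; the digests from the grid go in the same dictionary.
WORDS = ["cipher", "entropy", "testing", "security"]
CLUES = {
    "8 across": hashlib.sha1(b"CIPHER").hexdigest(),
    "10 down": hashlib.md5(b"ENTROPY").hexdigest(),
    "unknown": "00" * 20,  # right length for SHA-1, no word behind it
}

if __name__ == "__main__":
    for label, hit in solve(CLUES, WORDS).items():
        print(label, hit)
```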

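In step 4, `file` cuts the comment short. This added example (not from the original write-up) walks the JPEG segment markers, returns every COM segment in full and counts any bytes that follow the end-of-image marker. The sample bytes and the `segment` helper are constructed for illustration.

```python
import struct


def jpeg_comments(data):
    """Return (comments, trailing): every COM payload and the byte count after EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    comments, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        # The 2-byte big-endian length counts itself but not the marker.
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("bad segment length at offset %d" % pos)
        if marker == 0xFE:  # COM segment
            comments.append(data[pos + 4:pos + 2 + length])
        pos += 2 + length
        if marker == 0xDA:  # SOS: compressed scan data runs up to EOI
            eoi = data.find(b"\xff\xd9", pos)
            if eoi < 0:
                raise ValueError("no EOI marker after scan data")
            return comments, len(data) - (eoi + 2)
    raise ValueError("no SOS segment found")


def segment(marker, payload):
    """Build one marker segment (hypothetical helper for the sample below)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: marker structure only, not a decodable picture.
COMMENT = b"It is a little known fact that giraffes are extremely camera/shy."
TRAILER = b"APPENDED-BYTES"  # stand-in for data placed after the image
SAMPLE = (b"\xff\xd8"
          + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + segment(0xFE, COMMENT)
          + segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
          + b"\x12\x34\xff\x00\x56"  # stand-in scan data with a stuffed FF 00
          + b"\xff\xd9"
          + TRAILER)

if __name__ == "__main__":
    found, extra = jpeg_comments(SAMPLE)
    print(found, extra)
```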