In this third and last post about the [email protected] 2020 CTFs I will talk about the solutions I’ve found to some of the challenges of the categories: Warmups, Scavenger Hunts, Miscellaneous, Forensics.
This CTF had a text file with a scrambled text. Looking around the internet with keywords related to ‘Caesar’ ‘cipher’ and similar terms I came across the explanation of this cryptographic technique.
In cryptography, a Caesar cipher, also known as Caesar’s cipher, the shift cipher, Caesar’s code or Caesar shift, is one of the simplest and most widely known encryption techniques. It is a type of substitution cipher in which each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet. For example, with a left shift of 3, D would be replaced by A, E would become B, and so on. The method is named after Julius Caesar, who used it in his private correspondence.
I then used a website that would allow seeing the unencrypted text by uploading the text and selecting the number (some other site also gave the option to brute force the shifting number until the solution was found).
This gave a readable text, but some of the sentences with 2/3 of the flag were still mirrored (as shown in the following image). It took just a bit of focus and concentration to read the text and write it all down together so that it made sense, and I found the flag.
And I’ve learned what a Caesar Cypher is. Pretty cool.
Caesar Cipher: https://en.wikipedia.org/wiki/Caesar_cipher
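The same two steps (trying every shift, then flipping the lines that come out mirrored) can be scripted. The following is an added example, not the tool used in this post; the word list, the sample ciphertext and the flag value in it are constructed for the illustration.

```python
import string

# Small word list used to score candidate plaintexts (constructed for this example).
COMMON = {"the", "and", "is", "flag", "this", "of", "to", "in", "you", "that"}

def shift_text(text, k):
    """Shift every ASCII letter k positions to the left; leave everything else alone."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr((ord(ch) - base - k) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def score(text):
    """Count how many whitespace-separated words are common English words."""
    words = (w.strip(string.punctuation).lower() for w in text.split())
    return sum(w in COMMON for w in words)

def unmirror(line):
    """Return the line or its reversal, whichever looks more like English."""
    rev = line[::-1]
    return rev if score(rev) > score(line) else line

def crack(ciphertext):
    """Try all 26 left shifts, un-mirror each line, return (shift, best plaintext)."""
    best = (-1, 0, "")
    for k in range(26):
        lines = [unmirror(l) for l in shift_text(ciphertext, k).splitlines()]
        candidate = "\n".join(lines)
        s = score(candidate)
        if s > best[0]:
            best = (s, k, candidate)
    return best[1], best[2]

# Constructed sample: the second line is mirrored, then everything is shifted right by 3.
PLAIN = "this is the first part of the message\n}elpmaxe{galf si galf eht dna"
SAMPLE = shift_text(PLAIN, -3)

if __name__ == "__main__":
    shift, text = crack(SAMPLE)
    print("left shift:", shift)
    print(text)
```
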
Unfortunately, I don’t remember the exact steps I did to resolve this challenge because when doing it I didn’t take notes, as I didn’t plan to write a summary of the challenges. I saw that several people resolved it by connecting to the server via browser (instead of via netcat as suggested by the challenge) and the flag appeared on-screen. I resolved it via netcat, and this was one of the possible solutions:
Connecting via netcat and using one of its arguments (you can check them by typing nc -h), e.g. -o to dump the hex response to a file (which included the flag) or via -v (verbose mode).
With my solution, I had the flag showing vertically on the screen, each letter on a new line, and when copying it there was a space between each character, so I quickly pasted it into the Python shell (that I already had open from another challenge) and stripped the white spaces using the following command (it was quicker than actually having to go manually and remove one white space at a time, and a chance to squeeze in some Python).
The challenge had this hint:
asd7138: can you find the flag here?
tcm3137: no, i dont see it
jwh8163: i cant find it either
rfc5785: i found it
asd7138: what!? where?!
jwh8163: tell us!
It took me a while to get the hint here. The first thing I did was to connect to the provided server and look around, see what I could find.
I was circling around ‘home’ and similar concepts.
Then I re-read the hint because I had the feeling that there was something there that I’d missed, and noticed the name of the person who claims to have found it, which was pointing to the RFC number 5785.
A Request for Comments (RFC) is a publication from the Internet Society (ISOC) and its associated bodies, most prominently the Internet Engineering Task Force (IETF), the principal technical development and standards-setting bodies for the Internet.
RFC 5785 defines a path prefix for “well-known locations”, “/.well-known/”, in selected Uniform Resource Identifier (URI) schemes.
From there it was as simple as going to the /.well-known/ path to find the flag file.
Most of the scavenger hunts were just about going on the socials of Hackerone.com or of some of the people involved (like the founders) and finding the flag in the bios, or on the Hackerone discord channel topic, etc. I didn’t find all of them, but I’m going to provide as an example one that wasn’t just about checking a social page.
Flag not found
Amongst the scavenger hunt flags that I actually found, the ‘Flag not found’ was the one that was a bit interesting.
This was a comment inside the 404 page of the hackerone.com website, so finding it was as simple as visiting something like hackerone.com/aswsf32 so that it would show the 404 page, and then simply checking the source code of the page.
When connecting to the server, typing ‘ls’ would show the file flag.txt in the folder, but cat, less, nano, and vim were not available. So I’ve looked around and found out that there’s a command compgen -c that shows which commands are available to use.
I’ve used the command history to find the solution (the clue was in the name of the challenge), but another way to resolve it was by using the command printf.
Some examples of how to use ‘history’: https://www.geeksforgeeks.org/history-command-in-linux-with-examples/
For this challenge, I also didn’t write down the exact commands I’ve used when resolving it, but the main point was that after logging in on the server, there was a file get_flag that when running it would only display the message “Oh I am sorry, only cats can get the flag!”.
So having the clue that the solution is related to the cat command, a quick look at the help pages for this command showed the argument -A which is used to show tabs and non-printable characters, so in this case, it showed a hidden line with the flag.
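To see why -A reveals text that never appears on screen, here is an added example (not from the challenge) that renders bytes the way cat -A does and compares that with what a terminal would display. It assumes the line was hidden with a carriage return, which the post does not confirm; the sample bytes and flag value are constructed.

```python
def cat_A(data: bytes) -> str:
    """Render bytes like `cat -A`: ^X for control bytes, M- for high bytes, $ before newlines."""
    out = []
    for b in data:
        if b == 0x0A:
            out.append("$\n")
            continue
        prefix = ""
        if b >= 0x80:
            prefix, b = "M-", b - 0x80
        if b < 0x20:
            out.append(prefix + "^" + chr(b + 64))   # e.g. 0x0D -> ^M, 0x09 -> ^I
        elif b == 0x7F:
            out.append(prefix + "^?")
        else:
            out.append(prefix + chr(b))
    return "".join(out)

def terminal_view(data: bytes) -> str:
    """Approximate a terminal: \\r moves the cursor to column 0 and later bytes overwrite."""
    rows = []
    for raw in data.split(b"\n"):
        cells, col = [], 0
        for b in raw:
            if b == 0x0D:
                col = 0
            elif 0x20 <= b < 0x7F:
                if col < len(cells):
                    cells[col] = chr(b)
                else:
                    cells.append(chr(b))
                col += 1
        rows.append("".join(cells))
    return "\n".join(rows)

# Constructed sample: the flag is printed first, then overwritten after a carriage return.
SAMPLE = b"flag{constructed}\rOh I am sorry, only cats can get the flag!\n"

if __name__ == "__main__":
    print("terminal shows:", terminal_view(SAMPLE), end="")
    print("cat -A shows:  ", cat_A(SAMPLE), end="")
```
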
The challenge would provide a thumbcache_256.db which I didn’t know what it was. I’ve been using Linux and Mac OS for more than 10 years now, and I’m not that into Windows, and it turns out it is a file that Explorer uses to store thumbnails of files inside the directories.
So I just had to find a piece of software that would allow me to see the thumbnails inside the .db file, and to do that I’ve downloaded one called ‘Thumbcache viewer’ and it was just a matter of scrolling through the thumbnails inside the file to find one with the flag.
Windows Thumbnail Cache: https://en.wikipedia.org/wiki/Windows_thumbnail_cache
Thumbcache Viewer: https://thumbcacheviewer.github.io/
So these were the challenges that I’ve completed (with the exception of some really simple like ‘reading the rules’ and ‘feedback’) and this third article concludes my writeups for the [email protected] 2020 CTFs.
You can find the other two parts here: