Czech Cybersecurity Competition Quals Writeup

Kybersoutěž AKA Czech Cybersecurity Competition is a "CTF" for high school/university students in the Czech Republic. It consists of two rounds and finals. The first round is a survey covering basic CS terms and definitions. The second round, which is covered in the blog post, is more CTF-like. Both take place online. After them, if you qualify, you go to the final, which is an on-site one-day CTF. Individual phase in the morning followed by a team phase in the afternoon. If you do good in the finals, you enter a pool of participants from which you can qualify for the ECSC Czech Team for that year.

Even though it has its problems, Kybersoutěž is what got me in cybersecurity in the first place (when I first participated in 2018), each year packs some interesting challenges (esp. crypto <3) and most importantly it opens doors to a lot of incredible people and places, that can take you to a whole new level. I had the honour to participate in ECSC 2019 in Bucharest and it was amazing, if you are a student anywhere in Europe, but especially in the Czech Republic, go and try to qualify.

Anyway, the finals take place in Pilsen this year. I cannot wait to meet everyone again. So see you there!

Challenges

  1. Phishing / programování - 4 points
  2. Captured traffic - 8 points
  3. Šifra KHM - 6 points
  4. Večeře hackerů - 5 points
  5. Klasická šifra - 8 points
  6. Transpoziční šifra - 7 points
  7. Bruteforce - 2 points
  8. PCAP zálohy - 4 points
  9. Únik lékařských záznamů - 5 points
  10. Forenzní úloha - 5 points
  11. Zranitelnost - 5 points
  12. Red Team - 6 points
  13. Díra na webu - 6 points
  14. Reverse Proxy - 8 points
  15. Triviální zranitelnost - 2 points
  16. URL transformace - 2 points
  17. UUENCODE - 3 points
  18. ROT8000 - 4 points
  19. IoT systém - 4 points
  20. Statická síťová analýza - 4 points
  21. ADS - Capture the Flag - 5 points
  22. Frekvenční analýza - 5 points
  23. Something Weird - 5 points
  24. Vernamova šifra - 7 points
  25. Analýza alertu - 6 points

DISCLAIMER: These are the solutions that managed to get me 121/126 points, so there are definitely some mistakes, but I don’t know where they are, most of the answers should be correct though. There are also a few NOTEs, that came out of the discussion with other participants after the competition.

Phishing / programování

We are tasked to send an email with our email address in Subject to hack@kybercentrum.cz in such a way that it would appear to be sent from info@hacking.cz. If the email is received successfully and isn’t marked as SPAM, we’ll receive a reply to our email address containing the flag.

For certain reasons this will be the only challenge for which I will not disclose the detailed solution here. However this is a well-known challenge and quite a lot of solutions that may work can be found on the internet. If you insist on finding out my solution, you can try contacting me and I might tell you.

If you did everything right, the email with the flag arrived within 30 minutes (at least for me):

Email with the flag

Flag: Hacked0005

Captured traffic

We are presented with a very short PCAP file and we are supposed to find the CVE of the vulnerability that was exploited against the server 192.168.255.2.

The PCAP file

First, we notice that the server makes a DNS request to an unknown address for 9.dw.evildomain.com querying record of type SIG, after that it makes a veeery suspicious TCP connection to the same address. After performing some Googlefu (AKA googling “dns vulnerability sig”), we find a vulnerability called SigRed and identify that its description matches the attack in the PCAP.

Flag: CVE-2020-1350

Šifra KHM

We are supposed to decode the message attached in the description. As a proof, we should provide the last two words of the poem:

The ciphertext

The name of the challenge clearly hints to the name of a famous Czech author Karel Hynek Mácha. He is, among many other things, known for keeping an encrypted diary that was only recently fully decrypted. After a bit of googling we find an issue of the Crypto-World magazine from 2011. Where, on page 18, a full decryption table can be found:

Cipher table
Source: Crypto-World and Pavel Vondruška
Using that table we decipher first few words:

ANILABUT.ANILŮNA
EŘOENYKALBO
LÉ

And then find the corresponding poem.

Flag: ONA TOUŽÍ

Večeře hackerů

Let me provide the full description for this one:

Three hackers were dining at a popular restaurant. At the end of dinner, the waiter announced that one of them had settled the bill for everyone. But he refused to reveal which one had paid. The hackers argued among themselves about who had paid, and whether the person in question had paid out of his own money, or whether the owner of the business who wanted to hire them for a penetration test had. Neither of them admitted to making the payment.

Therefore, the hackers decided to find out (while preserving the anonymity of the one who paid) whether the one who paid for the dinner paid with his own money or with the money of the business owner who wanted to hire them.

After a bit of discussion, they came up with the following procedure:

Each person flips an ordinary coin and informs only the neighbor to his right of the result.

Then each person announces aloud whether his toss and the toss of the neighbor to his left landed on the same side.

The hacker who paid for the dinner and paid for it with his own money reports the opposite match result to the others (if both coins landed on the same side, he reports that the coins landed on different sides and vice versa), and if he paid with the business owner’s money, he reports the true result (match/dismatch)

Everyone will obligatorily follow the above procedure.

They then followed this procedure, and they could tell by the number of matches they reported that the business owner who wanted to hire them had paid for them.

First, we were supposed to find out if, given the result, the number of matches was even or odd. All that was needed was to draw the problem on a piece of paper and the answer was clear - the number of matches was odd. And then we had to find the name of this problem in cryptography, which I found after googling queries similar to “three people flip coins and tell their right neighbor what was the result cryptography protocol” that resulted in the Wikipedia page about the Dining cryptographers problem.

Flag 1: Lichý (“odd” in czech)

Flag 2: Dining cryptographers problem

Klasická šifra

We are provided with the following ciphertext:

RLPSM QMRXN OBLVE TAZOP FTSLF GOIOZ TNTPN PATRT ITEPS MNEOG LRYVT ETZST AFYLF GTEZT NPOGO POQMI MREYI OANPA TRTET ZFYDF
YVZTZ YVLGI LDTVB LFHET VTZTN POSLB LALIY EMIMF PMPAT RTBOP GLRYV TNOIM REYIO ZYRYL FGTEZ TNPTV ONEOZ TXLBD LGYAT XATFG
DOETS LFGOE TVTSL PLAVT BLALX MEOSF TQLHS IOZYE TLFGE METZS TAFYB LGLVP GTDMH NIMRE YIOIB DTSHB LBLFG DRYVT BDTSE YVLFG
ETVZT NPOGO POQMZ TXLSI OPLAV LEOSF TQLHF TEORX ONTZY RYLFG EMBDL EYPAM BDLGY ATXAM VLGIL DTVRL ETZIY RTITE BLGLV NOBDT
SEYLF GTEFP AOBYV TRTAM XAOIL AOVZO PLQMS LAHON ZOPNO SEYSI OIMRE YIOZY RYLFG EMSLI LAYOB LETPH SSLAT IOGYV ZTNTP SLFGO
ETIPA TRYGO PLILH UYWHD HNTIF TRXEM ZTXLL FGOGE YLFGE MPGTD TZYEO PBDTP ONTZY ZTXLI MPALH NEHGY ITENV YNYNZ YEMRX LGILD
HPATR TIZTZ YVIEY GDPHO NOHZV LHBDY NEYIL HBLAL XHPET ZFYDF YVHLG ILDHO BOPFG ORYHN ZTEZT NPTVP DLHGY GNOET ZSTAF YIMRE
YIOZY RYLFG TEFGD YSOIT FTVOG OVBDY GLVFT LFILQ LNHZT ZTNTP FGOAT IYROI YRTFI MVYLF GEMNP ATRTO NZTIT EPHHB AETOE ONBTG
FTSLF GOION BHFLQ TVBDT FETLB OREMV GLHNZ TFEOS ET

As a proof we decrypted the text, we should provide the name of the text author.

After some basic frequency analysis, we find out that it is most probably a substitution cipher. For cracking substitution ciphers I use this tool Cipher-solver by Tomas Hanzak. Right now I’m developing my own tool that will work on Linux, so stay tuned, I’ll be releasing soon :)

After decryption it looked like:

COKDY BYCHZ APOMN ELJAK SEDOS TAVAJ EZEKZ KLECE VENKD YZNAT OCIME NEJDE LSIOS TENJE ZKATA KABYV YCNIV ALZKL ECENE JSIRS
IMJEJ IMOTV OREMP OSUNE MEJEZ KADOP OLOVI NYVYS KYKLE CEPAK TOCIM EZAVY CNIVA JICIO STENJ EZKEM AZNAJ EHOPR OTILE HLEST
RANED OSTAN EMEDO KOLME POLOH YNADS EBOUD VAJIN EOSTN YNEJD ELSIP OTOMK TERYU ZVYCN IVAVP REDUP OPOST RCIME PREDN IMOST
NEMJE ZKATA KABYJ EHODV AKOLM ONADS EBOUS ENACH AZEJI CIOST NYPRO NIKLY PROTI LEHLY MOTVO REMCO NEJVI CEVEN POTOM ZAPRE
DNIOS TENSK LAPIM ECELY HLAVO LAMJA KOBYD OLUAZ JAKZA DNIDV AVYCN IVAJI CIOST NYDOV OLIAP ONEKU DDOLE VATIM JEZEK DOSTA
NEVKL ECITA KOVOU FIGUR UZEVS ECHNY JEHOO STATN IOSTN YKTER EJINA KPREK AZEJI JEHOV YKLOU ZNUTI VENZM IZIZJ INYCH OTVOR
UKLEC EVJEJ IMVNI TRKUA ZAUJM OUPRI ZNIVO UPOLO HUKNE JSIRS IMUOT VORUA PAKST ACIUZ JENJE ZKEMK ROUTI TZANE JDELS IVYCN
IVAJI CIOST ENSTR IDAVE SEMAT AMPRI TOMSE OSVOB OZUJE JEZEK STALE VICAV ICESV YMIOS TNYZK LECEA ZJEVE NKUUP LNEAN AZPET
SEDOS TAVAZ PUSOB EMPRE SNEOP ACNYM TOUZJ ESNAD NE

From that we can identify that the author is Jaroslav Foglar.

Flag: FOGLAR

Transpoziční šifra

As the name suggest, this is going to be a transposition cipher and we are supposed to find the plaintext author again.

We are given the following ciphertext:

IDIPOEPDNBLRAEVCCOEOAAPYAEEDOLHAVIJRVLVUAEROELIEAPNYNAELMJNATECCEMULTASAYPVAYAIVEIAPOYIATNAEEKBELATIHTKMNEMLHLDZAVRAHNSZOIPAVAAKTETESDIITOYIBDLHNDDDBBRNRANNJIYP

After using the handy tool on Dcode.fr we find the following plaintext and key:

2,1,4,5,3	VITELIDEMAJITUTRPELIVOSTHLEDATVPISKUDIAMANTYNEBOPERLYVMORIALEABYHLEDALIVLIDECHVZACNEAPODIVNEDARYODPANABOHAABYNEPRISLYNAZMARTOJEANINENAPADNEATOJEVELIKACHYBACAPEK

And we identify that the author is Karel Čapek.

Flag: CAPEK

Bruteforce

We are provided with a password protected zip archive and a information that the password is not long and is fully numeric.

First, we convert the zip password to john hash format using the zip2john utility (BEWARE: different versions of zip2john work with different archives and other with other archives, this is always like alchemy for me, but trying zip2john in Kali, then the one self-compiled from john-jumbopack and then the one shipped in my distro always worked for me). Once we have the hash we can crack it using john --incremental=Digits ./hash.txt, soon we find the password is 8842316 and inside the archive, we find the flag.

Bruteforce screenshot

Flag: FLAG{N3b3rUs3Sh0rtPa$$w0rds}

PCAP zálohy

We are given a PCAP from which we are supposed to extract the flag.

In the PCAP we quickly find a FTP session that transfers a file called zaloha.zip

The PCAP file

FTP uses a different TCP socket for data streams so we go look for that and quickly identify the correct stream 29 from the .zip file signature letters PK.

zaloha stream

We save that stream, open the archive and find a string SYNT{ebg13aravormcrpal} that almost looks like a flag. We decrypt the string with ROT13 and get the flag.

Flag: FLAG{rot13nenibezpecny}

Únik lékařských záznamů

Another day, another PCAP, this time with some “medical data exfiltration” network traffic, we are supposed to find the username of the account that was used for the attack.

After taking a quick look we observe what looks like a bruteforce attack via SMB on an account called rtg and that should be the answer.

zaloha stream

Flag: rtg

Forenzní úloha

We are given a binary called checkme of which is supposed to be a password manager. This is obviously a reverse engineering challenge.

We open it in a disassembler of our choice (it’s .NET bytecode, so our choices are limited), we notice this interesting part:

IDA screenshot

That looks like base64, that is then decoded and what looks like evaled in powershell:

IDA screenshot

We examine the whole base64 string:

IDA screenshot

And decode it in CyberChef:

Cyberchef screenshot

And here we go! A powershell script!

$text = @"
 ──────────────▐█████───────
──────▄▄████████████▄──────
────▄██▀▀────▐███▐████▄────
──▄██▀───────███▌▐██─▀██▄──
─▐██────────▐███─▐██───██▌─
─██▌────────███▌─▐██───▐██─
▐██────────▐███──▐██────██▌
██▌────────███▌──▐██────▐██
██▌───────▐███───▐██────▐██
██▌───────███▌──▄─▀█────▐██
██▌──────▐████████▄─────▐██
██▌──────█████████▀─────▐██
▐██─────▐██▌────▀─▄█────██▌
─██▌────███─────▄███───▐██─
─▐██▄──▐██▌───────────▄██▌─
──▀███─███─────────▄▄███▀──
──────▐██▌─▀█████████▀▀────
──────███──────────────────


Get into the Thanos's secret vault and save the world or just get the flag.. :) `n
"@;
Write-host $text; $main = ("{2}{0}{1}{3}"-f'df','gIFSsslf','fdg','flag');
#import socket;
def netcat(hostname, port, content):;s = socket.socket(socket.AF_INET, socket.SOCK_STREAM);s.connect((hostname, port));s.sendall(content);s.shutdown(socket.SHUT_WR);while 1:;data = s.recv(1024);if data == "":;break;        print "Received:", repr(data);print "Connection closed.";s.close()
$name = Read-Host ("{0}{1}"-f 'Logi','n');
$pass = Read-Host ("{0}{2}{1}"-f'P','ssword','a');
Write-Host "`n";
$spacestone = ("{1}{2}{0}"-f 'lz','SW5','maW5pdH');
$mindtone = ("{1}{0}{2}" -f'D','sdaoISA','Ads');
$realitystone = ("{2}{1}{0}"-f 'Sosa=','WEVL','Is');
$powerstone =  ("{2}{0}{1}" -f'W','NASO','nvio');
$soulstone = ("{2}{1}{0}" -f'Q=','DBuMy','d');
$timestone = ("{1}{0}" -f 'FDek','ugfU');
if (([System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($name.ToLower())) -eq ("{1}{0}{2}"-f'Gh','d','hbm9z')) -and ([System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($pass)) -eq (-join($spacestone, $soulstone)))) {$sanctuary = ("{2}{3}{8}{10}{12}{1}{9}{7}{4}{5}{6}{11}{0}"-f'gMzMgNzIgN2Q=','g','NDYgN','GMgNDE','gNDA','gN','z','gNzIgNGQ','gND','NjIgMzM','cgN2IgN','MgNzQ','DMgNzk');[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($sanctuary)).Split(" ") | forEach {[char]([convert]::toint16($_,16))} | forEach {$out = $out + $_};Write-Host ('Gre'+'a'+'t '+'job!'+' '+'H'+'ere '+'is'+' '+'your'+' '+'rewa'+'rd:'+' '+' '+"`n");Write-host ("{2}{1}{4}{3}{0}"-f '=','==','=','=========','====');Write-host $out;Write-host ("{2}{1}{3}{0}"-f '===','===','========','===');} else {Write-Host ((("{2}{0}{1}{3}"-f'e tr','y!','Nic',' :)')));}; 




$commands = @"
Add-content	This cmdlet adds the content to the specified file.
Add-Computer	This cmdlet adds the local computer to a domain or workgroup.
Add-History	This cmdlet is used to add the command in the history.
Add-jobTrigger	This cmdlet adds the job triggers to the scheduled jobs.
Add-member	The cmdlet adds the custom methods or properties to an instance of a PowerShell object.
Add-type	This cmdlet adds a Microsoft .NET framework class to a Windows PowerShell session.
Clear-Content	This cmdlet deletes the content of a file, but not delete that file.
Clear-History	This cmdlet deletes the entries from the command history.
Clear-Item	This cmdlet clears the value of item or variable, but not clear that item or a variable.
Clear-ItemProperty	This cmdlet clears the value of a property but not delete that property.
Clear-Variable	This cmdlet deletes the value of a variable.
Clear-Host	This cmdlet clears the display of the host program.
Copy-ItemProperty	This cmdlet copies a value and property from a specified location to another location.
Copy-Item	This cmdlet copies an item from one location to another.
Complete-Transaction	This cmdlet commits the active transaction.
Compare-object	This cmdlet compares two sets of objects.
Disable-PSBreakpoint	This Cmdlet disables the breakpoint in the current console.
Enable-PSBreakpoint	This Cmdlet enables the breakpoint in the current console.
Find-package	This cmdlet finds the software packages in the available packages sources.
Find-script	This cmdlet is used to find a script
ForEach-Object	This cmdlet performs an operation on each item in a collection of input objects.
Get-Alias	This cmdlet gets the aliases for the current session.
Get-childItem	This cmdlet gets the item and the child items in one or more specified locations.
Get-Command	This cmdlet is used to get all commands.
Get-Content	This cmdlet gets the content of the file at the specified location.
Get-Date	This cmdlet is used to get the current date and time.
Get-ExecutionPolicy	This cmdlet gets the execution policy for the current session.
Get-Help	This cmdlet displays information about PowerShell commands and concepts.
Get-History	This cmdlet displays a list of commands which are entered during the current session.
Get-host	This cmdlet gets an object which represents the current host program.
Get-InstalledScript	This cmdlet gets a script which is installed for the current user.
Get-Item	This cmdlet gets the item or a file at a particular location.
Get-ItemProperty	This cmdlet gets the properties of a particular item.
Get-Location	This cmdlet displays the current working location.
Get-PSBreakpoint	This cmdlet gets the breakpoint which is set in the current session.
Get-Package	This cmdlet displays the list of all installed packages by using the package management.
Get-Process	This cmdlet gets the processes which are running on local or remote computers.
Get-Service	This cmdlet gets the services on local or remote computers.
Get-Transaction	This cmdlet gets the currently active transaction.
Get-Variable	This cmdlet gets the variable in the current console.
Install-package	This cmdlet is used to install one or more software packages.
Install-script	This cmdlet is used to install a script.
Invoke-commands	This cmdlet executes commands on local and remote computers.
Move-Item	This cmdlet is used to move an item from one location to another.
Move-ItemProperty	This cmdlet is used to move the property of an item from one location to another.
New-alias	This cmdlet creates a new alias.
New-Item	This cmdlet creates a new item.
New-ItemProperty	This cmdlet creates a new property for an item and sets its value.
New-Service	This cmdlet creates a new Window service.
New-variable	This cmdlet creates a new variable.
Read-Host	This cmdlet reads a line of inputs from the console.
Remove-computer	This cmdlet removes a local computer from its domain.
Remove-Item	This cmdlet deletes the particular item.
Remove-ItemProperty	This cmdlet deletes the property & its value from an item.
Remove-job	This cmdlet removes the background job of Windows PowerShell.
Remove-PSBreakpoint	This cmdlet deletes the breakpoint from the current console.
Remove-variable	This cmdlet deletes a variable with its value.
Rename-computer	This cmdlet is used to rename a computer.
Restart-Service	This cmdlet stops and starts one or more services.
Restart-computer	This cmdlet is used to restart the Windows operating system on local and remote computers.
Resume-job	This cmdlet is used to restart a suspended job.
Save-Help	It is used to download and save the newest help files to a file system directory.
Save-packages	This cmdlet is used to save the packages to the local computer without installing them.
Save-Script	This cmdlet is used to save a script.
Select-string	This cmdlet is used to find the text in string or files.
Send-MailMessage	This cmdlet is used to send an e-mail message.
Set-Alias	This cmdlet creates or changes the alias for a cmdlet in the current Windows PowerShell.
Set-content	This cmdlet writes the content in a file.
Set-Date	This cmdlet changes the time of the system.
"@

After reverse engineering the script and concating some strings we recover the correct login credentials as well as the flag.

Powershell screenshot

Flag: FLAG{Cyb3rM@st3r}

Zranitelnost

We are provided with a piece PHP source code and are supposed to identify the vulnerability in it.

<?php

if (!file_exists('log.on')) {
echo "Logs are disabled by default.";
exit;
}

$uuid = $_GET["filter"];
$storedLogs = "/tmp/stored-logs/{$uuid}";
if (file_exists($storedLogs)) {
header('Content-Type: application/json');
header("Access-Control-Allow-Origin: http://localhost:3000");

echo file_get_contents($storedLogs);
} else {
echo "log file does not exist";
}

?>

If logging is enabled, we can path traverse using the filter parameter and the page will return whichever file we want.

Flag: path traversal - LFI

Red Team

In the .zip provided there are SAM, SOFTWARE etc. Windows registry files AKA hives. We are supposed to find from which system version they come from, what was the installation time, what is the hash of the password of local admin and what is his password (knowing it is 4 characters long).

The answers to the first two questions can be found in the SOFTWARE hive in SOFTWARE\Microsoft\Windows NT\CurrentVersion, we just need to convert InstallDate from hex to decimal and convert the resulting unix time stamp. I’m on Linux, so I use the hivexsh utility.

hivexsh screenshot

For the other two, we have to use mimikatz and the SAM and SYSTEM hives. We use mimikatz like: lsadump::sam /system:C\Pathto /sam:C:\Pathto The first user, with RID 500 is local admin - David.

mimikatz screenshot

We then take his NTML hash and feed it to john. Like: john --format=NT --incremental --length=4 hash.txt

john screenshot

Flag 1: Windows 10 Enterprise

Flag 2: 03.11.2021 07:58:41 (UTC+1)

Flag 3: ff1644d3964240a613a896ae3ae7160b

Flag 4: Al3F

Díra na webu

This is a blackbox web challenge. We are given an URL http://ks2021.ncko.cz/, where we find a login page.

website screenshot

I got stuck for a while here. I tried the classics: SQL Injection, Parameter Injection, LDAP Injection… But nothing worked.

Then my dirbusting finished and it found something extra peculiar: /README.md

website README.md screenshot

The website was deployed with a README.md containing all the deployment instructions, solution and the flag publicly visible. The person who wrote the deployment instructions in the README forgot to mention that they should remove the README file itself lol.

So now that we know how to solve the challenge let’s do exactly that. We register ourselves an account using the PUT method.

creating an account screenshot

Now if we try to login a flag is printed.

flag screenshot

Flag: FLAG{d0n'7_7ru57_4nyb0dy}

Reverse Proxy

Another (almost) blackbox web challenge. URL: https://www.sskb-ey21.tech We are presented with a blog about CS:

website screenshot

In the last blog post there is not only a link to a very helpful article, but also a hint pointing to nginx vulnerabilities. This is going to be about bypassing reverse proxies.

After initial dirbusting we find /robots.txt and in it links to nginx config files of the server, knowing what’s in them can speed up the exploitation.

robots.txt screenshot

Now back to the article, in Example 2 it is shown, how nginx with the following config:

location /to_app {
    proxy_pass http://server/any_path/;
}

Will when we request /to_app../other_path forward http://server/any_path/../other_path. Because as it turns out the server behind the nginx is Apache, that normalizes /any_path/../other_path to /other_path, we can escape the /any_path/ restriction and access any files we want behind the reverse proxy.

We can quickly check and see this exact config pattern in the cms.conf file.

cms.conf screenshot

We can verify the vulnerability by checking a non existent URL with curl. And indeed we get a different 404 than the CMS one, that means we traversed the path up.

curl screenshot

Here I got stuck, not knowing where I was supposed get the flag. I figured I can access Apache’s /server-status, but noone was accessing the server except me. Then I remembered the weird flag paths from /robots.txt file and tried that. Indeed I found the flag in https://www.sskb-ey21.tech/cms../secret_flag_x7zUqb/flag_TWeOfs.txt

flag screenshot

Flag: flag{it_is_not_a_bug_it_is_a_feature}

Triviální zranitelnost

Another PHP code snippet and task to find a vulnerability.

<?php
echo "<h1>Company backoffice portal</h1>";
$name = $_GET['name'];
echo "<p>Welcome user <b>$name</b></p>";
echo "<p>Here is your main menu:</p>";
echo "<li><a href=\"https://www.flowmon.com\">Download your payroll</a></li>";
echo "<li><a href=\"https://www.flowmon.com\">Ask for vacation</a></li>";
echo "<li><a href=\"https://www.flowmon.com\">Book a business trip</a></li>";
?>

This is obviously an XSS vulnerability in the name parameter.

Flag: XSS

URL transformace

We are given an URL we should transform step by step to get the flag.

I solved this using this CyberChef recipe

Accessing the result https://www.cybersecurity.cz/cybersecurityr/pwge.html gives the flag.

Flag: JSEMKYBER

UUENCODE

We get this encoded text we are expected to decode and enter the last three words of the plaintext.

M3<.A;2!P;\2-PZUT8<2-(&$@=FER='7#H6QNPZT@:FW#J6YO+B!:;L.A;2!)
M;G-T86=R86TL(%=H871S87 @82!6:6)E<BX@5GET=F_%F6EL(&IS96T@<VEL
F;L.I('1A:F[#J2!H97-L;RX@2G-E;2!396-U<FET>2!#>6)E<B

We google “UUENCODE online”, find this online convertor.

Decoded:

Mám počítač a virtuální jméno. Znám Instagram, Whatsap a Viber. Vytvořil jsem silné tajné heslo. Jsem Security Cyber

Flag: Jsem Security Cyber

ROT8000

We get this encoded text we are expected to decode and do enter what we are told in the result.

籛籘籝籁簹簹簹 籹絀籮籿糈籭糔 籛籘籝簺簼 籭籸 籶籸籭籮类籷糔籱籸 籭籲籰籲籽糈籵籷糔籱籸 籹类籸籼籽絀籮籭糔簷 籙籸籴籾籭 籷籮粃籷糈籽籮 糴糔籷籼籴糐 粃籷籪籴粂簵 籹籪籴 籷籮籷糔 籱籷籮籭 粃絀籮米籶糐簵 絥籮 米籭籮 籸 米籮米籲籬籱 籿粂籾絥籲籽糔 籿 籽籸籶籽籸 籼粂籼籽糐籶籾 鯮 籽米簷 籹籸籼籾籷 粃籷籪籴絖 籶籮粃籲籷糈类籸籭籷糔 籪籫籮籬籮籭粂 籸 籁簹簹簹 籹籸粃籲籬簷 籓籪籴籸 籭絖籴籪粃 籿粂絀籮絈籮籷糔 籽糐籽籸 糡籵籸籱粂 粃籪籭籮米籽籮籃 籛籘籝籁簹簹簹

We google “ROT8000 online”, find this online convertor.

Decoded:

ROT8000 převádí ROT13 do moderního digitálního prostředí. Pokud neznáte čínské znaky, pak není hned zřejmé, že jde o jejich využití v tomto systému – tj. posun znaků mezinárodní abecedy o 8000 pozic. Jako důkaz vyřešení této úlohy zadejte: ROT8000

Flag: ROT8000

IoT systém

The .tar.gz included is a linux file system that was “infected with something that is causing a high CPU load” and we are supposed to find out the name of the executable the attacker installed and ran.

In /home/admin we can find binary called minerd a well-known crypto miner and nohup.out file with evidence it ran.

Flag: minerd

Statická síťová analýza

We are provided a PCAP in which are we supposed to find all username+password pairs and count them.

We do it manually + let some filters help us, for example:

Get all tcp stream IDs: tshark -r AFCEA-FTP+HTTP.pcapng -T fields -e tcp.stream ftp | sort -n -u

Show one stream: tshark -r AFCEA-FTP+HTTP.pcapng -qz follow,tcp,ascii,15 ftp

Filter for http POST requests: http.request.method==POST

Flag: 6

NOTE: It turned out there were only 5 unique username+password pairs, but they accepted 6 as well as 5, as it was not clear from the description if to count duplicates.

ADS - Capture the Flag

As the name suggest, this is a challenge about NTFS ADS. We are given a .wim file.

The intended solution would probably be to mount the .wim somehow and extract the flag from ADS. But since I’m a Linux person and the image was small (~500KiB) I opened the file in hex editor, copied the first thing from the end that looked like base64, decoded it and it was the flag indeed.

hex editor screenshot

Flag: Super_Tajny_Flag_2020

Frekvenční analýza

Another substitution cipher challenge this time in English. We are supposed to enter the first and the last word of the plaintext. Ciphertext is the following:

PCQ VMJYPD LBYK LYSO KBXBJXWXV BXV ZCJPO EYPD KBXBJYUXJ LBJOO KCPK. CP LBO LBCMKXPV XPV IYJKL PYDBL.
QBOP KBO BXV OPVOV LBO LXRO CI SX'XJMI, KBO JCKO XPV EYKKOV LBO DJCMPV ZOICJO BYS, KXUYPD: 
"DJOXL EYPD, ICJ X LBCMKXPV XPV CPO PYDBLK Y BXNO ZOOP JOACMPLYPD LC UCM LBO IXZROK CI FXKL XDOK XPV
LBO RODOPVK CI XPAYOPL EYPDK. SXU Y SXEO KC ZCRV XK LC AJXNO X IXNCMJ CI UCMJ SXGOKLU?"

OFYRCDMO, LXROK IJCS LBO LBCMKXPV XPV CPO PYDBLK

We use this substitution solver to crack the key.

NOW DURING THIS TIME SHAHRAJAD HAD BORNE KING SHAHRIYAR THREE SONS. ON THE THOUSAND AND FIRST NIGHT.
WHEN SHE HAD ENDED THE TALE OF MA'ARUF, SHE ROSE AND KISSED THE GROUND BEFORE HIM, SAYING: 
"GREAT KING, FOR A THOUSAND AND ONE NIGHTS I HAVE BEEN RECOUNTING TO YOU THE FABLES OF PAST AGES AND
THE LEGENDS OF ANCIENT KINGS. MAY I MAKE SO BOLD AS TO CRAVE A FAVOUR OF YOUR MAXESTY?"

EPILOGUE, TALES FROM THE THOUSAND AND ONE NIGHTS

Flag: NOW NIGHTS

Something Weird

We are given a password-protected .zip archive. That’s it.

After a moment I noticed the archive name 23_7d720b89f62acec63ff581c37e96c8b5.zip was kinda sus. I decided to feed the hash to CrackStation and indeed the string 7d720b89f62acec63ff581c37e96c8b5 is a MD5 hash of MichaelJackson.

When we try that as a password, we successfully unzip the archive and then find the flag in an exif property of the image.

exif screenshot

Flag: FLAG{MD5WillLiv3F0r3v3r}

Vernamova šifra

Vernam cipher it is, ladies and gentlemen. We are given an encrypted message.

150d0 31f10 41054 51509 03491 94555 044a0 30447 03030 04d5d 13101 00619

And are told that some portion of the following Lorem ipsum text was used as the password.

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque hendrerit lorem vel nibh dignissim
eleifend. Fusce non dignissim ligula, a suscipit felis. Nam congue congue neque, malesuada efficitur
massa viverra sed. Nullam id justo ut quam rhoncus elementum sed vitae metus. Cras finibus blandit
hendrerit. Fusce et sapien dui. Praesent vulputate lacinia pulvinar. Nunc tincidunt placerat leo non
sodales. Vivamus pretium, dui vitae dictum luctus, dolor risus placerat leo, nec consequat lorem nisl
eu nulla. Mauris aliquam felis ut turpis dictum, eget sodales diam luctus. Fusce lorem magna, egestas
in nunc eu, eleifend finibus odio. Sed arcu sapien, gravida vitae leo eu, facilisis euismod metus.
Donec mi magna, tristique sed nisl et, lacinia placerat nibh. Quisque sollicitudin sapien nisi,
quis accumsan eros feugiat in. Sed facilisis eros sed odio consequat, ut ultricies sem iaculis.

If you don’t know Vernam cipher is basically XOR OTP. So I came up with this simple python script that will bruteforce all the possible offsets of the key in Lorem ipsum:

import sys


def xor(shorter, longer, index):
    result = b''
    for i, item in enumerate(shorter):
        ##print(item, longer[index:][i])
        result += bytes([item ^ int.from_bytes(longer[index:][i].encode(), sys.byteorder)])
    return result

ciphertext = bytearray.fromhex("150d0 31f10 41054 51509 03491 94555 044a0 30447 03030 04d5d 13101 00619".replace(" ", ""))
key = """Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque hendrerit lorem vel nibh dignissim
eleifend. Fusce non dignissim ligula, a suscipit felis. Nam congue congue neque, malesuada efficitur
massa viverra sed. Nullam id justo ut quam rhoncus elementum sed vitae metus. Cras finibus blandit
hendrerit. Fusce et sapien dui. Praesent vulputate lacinia pulvinar. Nunc tincidunt placerat leo non
sodales. Vivamus pretium, dui vitae dictum luctus, dolor risus placerat leo, nec consequat lorem nisl
eu nulla. Mauris aliquam felis ut turpis dictum, eget sodales diam luctus. Fusce lorem magna, egestas
in nunc eu, eleifend finibus odio. Sed arcu sapien, gravida vitae leo eu, facilisis euismod metus.
Donec mi magna, tristique sed nisl et, lacinia placerat nibh. Quisque sollicitudin sapien nisi,
quis accumsan eros feugiat in. Sed facilisis eros sed odio consequat, ut ultricies sem iaculis."""#.replace("\n", "").replace(" ", "")


for i in range(0, len(key)-len(ciphertext)):
    candidate = xor(ciphertext, key, i)
    print(candidate)

That will print out a lot of candidates, but we luckely have a nudge from the description, that we are looking for a “password” or “heslo” in Czech. So let’s try to look for that:

vernam bruteforce screenshot

Success!

Flag: pjwq5sjsm9zsdst

Analýza alertu

You get an alert from the Fidelis platform and are supposed to tell something about it: if it was a communication with a honeypot and some other stuff concerning nmap Idle Scans.

Flag 1: b. Komunikací se síťovou pastí

Flag 2: d. Klient vystavujíc spojení byl v internetu a server v interní síti

Flag 3: c. Může se jednat o výsledek skenování pomocí Idle Scan techniky

Flag 4: a. Nález potvrzuje, že si málokdo pamatuje všechny parametry nástroje nmap

NOTE: This last answer is very controversial, all the people I talked to had different answers.


Published on
writeup ctf kybersoutez

Latest Posts