Wednesday, September 25, 2013

CSAW CTF 2013 - Misc200

deeeeeeaaaaaadbeeeeeeeeeef - 200 Points
IMG_0707.png

Running pngcheck against the .png gives us the following output:




Fixing the crc value gives us this image:





















Hours later, a hint for this challenge was given. It was the same image but with a different resolution.

Changing the resolution in the IHDR header to the resolution of the hint gives us the flag:












Flag: TheISISPasswordIs
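
The two repairs described above (correcting the IHDR CRC, then changing the IHDR resolution) as an added Python example; it is not code from the original writeup. The sample PNG is constructed inline, the function names are this example's own, and the challenge's real dimensions are not reproduced.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunks(data):
    """Yield (offset, type, body, stored_crc, computed_crc) for each PNG chunk."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if len(body) != length or pos + 12 + length > len(data):
            raise ValueError("truncated chunk at offset %d" % pos)
        (stored,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        # The CRC covers the chunk type and data, not the length field.
        yield pos, ctype, body, stored, zlib.crc32(ctype + body) & 0xFFFFFFFF
        pos += 12 + length
        if ctype == b"IEND":
            break

def bad_crcs(data):
    """Return the types of chunks whose stored CRC does not match."""
    return [t for _, t, _, stored, calc in chunks(data) if stored != calc]

def patch_ihdr(data, width=None, height=None):
    """Return a copy with IHDR width/height replaced and the IHDR CRC recomputed."""
    pos, ctype, body, _, _ = next(chunks(data))
    if ctype != b"IHDR" or len(body) != 13:
        raise ValueError("first chunk is not a valid IHDR")
    w, h = struct.unpack(">II", body[:8])
    body = struct.pack(">II", width or w, height or h) + body[8:]
    crc = zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF
    # Signature + length + type (pos+8), 13 data bytes, 4 CRC bytes, then the rest.
    return data[:pos + 8] + body + struct.pack(">I", crc) + data[pos + 25:]

# Example-only helper used to build the constructed sample below.
def make_chunk(ctype, body, crc=None):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF if crc is None else crc
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed sample: IDAT holds 2x2 8-bit grayscale pixels, but IHDR claims
# height 1 and carries a deliberately wrong CRC (stand-in for the challenge file).
SAMPLE = (PNG_SIG
          + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 2, 1, 8, 0, 0, 0, 0), crc=0xDEADBEEF)
          + make_chunk(b"IDAT", zlib.compress(b"\x00\x10\x20\x00\x30\x40"))
          + make_chunk(b"IEND", b""))

if __name__ == "__main__":
    print(bad_crcs(SAMPLE), bad_crcs(patch_ihdr(SAMPLE, height=2)))
```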

CSAW CTF 2013 - Misc100

Black & White - 100 Points
chal.png

This is a steganography challenge. We were given a blank image and we had to squeeze the flag out of it (heh).

Anyway, just load the image in StegSolve and click till you get the flag:






Flag: forensics_is_fun

CSAW CTF 2013 - Misc50 (Networking 2)

Networking 2 - 50 Points
networking.pcap
networking.pcap.process

Another PCAP challenge. There was nothing interesting in the packet capture, so let's run file on networking.pcap.process:

$ file networking.pcap.process
networking.pcap.process: AIX core file 32-bit, c05be5e08ea163007af5144}.exe- 64-bit, *

Hmm.. okay. Let's run strings on it:

$ strings networking.pcap.process | less 
flag{f9b43c9e9c05be5e08ea163007af5144}.exe
flag{f9b43c9e9c05be5e08ea163007af5144}.exe
flag{f9b43c9e9c05be5e08ea163007af5144}.exe
flag{f9b43c9e9c05be5e08ea163007af5144}.exe^L
flag{f9b43c9e9c05be5e08ea163007af5144}.exe
flag{f9b43c9e9c05be5e08ea163007af5144}.exe
flag{f9b43c9e9c05be5e08ea163007af5144}.exe
flag{f9b43c9e9c05be5e08ea163007af5144}.exe
flag{f9b43c9e9c05be5e08ea163007af5144}.exe
...
...

Easy, isn't it?

Flag: f9b43c9e9c05be5e08ea163007af5144

CSAW CTF 2013 - Misc50 (Networking 1)

Networking 1 - 50 Points
networking.pcap

Forensic! Just run strings on the PCAP file:

$ strings networking.pcap | less

[snip]
...
flag{d316759c281bf925d600be698a4973d5}
...
[/snip]

Flag: d316759c281bf925d600be698a4973d5

CSAW CTF 2013 - Exploitation100

Exploitation 1 - 100 Points
exploit1
exploit1.c

We were given an ELF32 executable and a code snippet of its handle() function in this challenge:
















Our objective is to change the backdoor value to 1, so that the key to this challenge will be read and sent back to us.

The buffer[] array is defined with a size of 1016. However, the recv() call shows that 1020 bytes of data will be copied into buffer[], a classic case of buffer overflow. So we did what came naturally:

$ python -c "print 'A'*1020" | nc 128.238.66.212 31337

Voila!





Tuesday, September 24, 2013

CSAW CTF 2013 - Reversing200 (CSAW Reversing 2013 2)

CSAW Reversing 2013 2 - 200 Points

csaw2013reversing2.exe

Yet another win32 executable. Let's run it, annnnd it's crashed :/
Load it in olly, you should see:







A decryption loop!

Right after the decryption loop where the flag will be shown in a message box, the flag text is actually stored in ESI, so let's dump the value of ESI while we are in the decryption loop:









Flag: number2isalittlebitharder:p

CSAW CTF 2013 - Reversing100 (CSAW Reversing 2013 1)

CSAW Reversing 2013 1 - 100 Points

csaw2013reversing1.exe

We were given a win32 executable in this challenge, let's run it:









Oops... Let's load it in a debugger:









So, there is this call to IsDebuggerPresent that causes the display of junk instead of the flag.

Flag: this1isprettyeasy:)