DotNet - 100 Points
DotNetReversing.exe
DotNet is a .NET executable. Let's decompile the executable:
To solve this challenge, one must find the value of num that produces num3=6553563335L. XOR, as we know, is reversible, so:
num ^ num2 = num3
We can get the value of num by performing:
num = num3 ^ num2
num = 13371337255
Now we run the executable with 13371337255 as the argument:
Flag: I'll create a GUI interface using visual basic...see if I can track an IP address.
Tuesday, September 24, 2013
Monday, September 23, 2013
CSAW CTF 2013 - Web100
Guess Harder - 100 Points
http://128.238.66.215
The URL gave us a login page. The objective of this challenge was to log in as admin. By using Burp proxy (or any cookie editor), something interesting showed up:
This challenge can be solved by setting the admin cookie to true, as shown above. And... voila!
Flag: told_ya_you_wouldnt_guess_it
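The server-side weakness behind this challenge, next to a hardened form, as an added example that is not code from the challenge or from the original post. The cookie name `session`, the key handling and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed key for this example; a real application loads it from secret storage.
SERVER_KEY = secrets.token_bytes(32)


def is_admin_vulnerable(cookies):
    """Pattern the challenge relies on: the role is whatever the client sends."""
    return cookies.get("admin") == "true"


def _tag(payload):
    """HMAC-SHA256 over the payload, hex encoded."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(user, admin):
    """Bind user and role together with a server-side HMAC tag."""
    if "|" in user:
        raise ValueError("separator not allowed in user name")
    payload = f"{user}|{'1' if admin else '0'}"
    return f"{payload}|{_tag(payload)}"


def is_admin_hardened(cookies):
    """Grant admin only if the tag verifies over the exact user|role pair."""
    parts = cookies.get("session", "").split("|")
    if len(parts) != 3:
        return False
    user, role, tag = parts
    expected = _tag(f"{user}|{role}")
    # Constant-time comparison; any edit to user or role invalidates the tag.
    return hmac.compare_digest(tag.encode(), expected.encode()) and role == "1"


if __name__ == "__main__":
    guest = issue_session("guest", False)
    tampered = guest.replace("guest|0", "guest|1")
    print("client-set admin cookie, vulnerable check:", is_admin_vulnerable({"admin": "true"}))
    print("tampered session, hardened check:", is_admin_hardened({"session": tampered}))
```

Keeping the role in server-side session state keyed by a random session ID achieves the same result without putting the role in the cookie at all.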
CSAW CTF 2013 - Recon
There were 8 recon challenges. 6 of them were solved, the exceptions being Alexander Taylor (fuzyll) and Jordan Wiens (psifertex). Most of the recon challenges were solved with the assistance of Tommy. Each challenge in this category is worth 100 points.
Julian Cohen
> Google his handle (HockeyInJune)
> Click on Wikipedia user page
> Visit his "new website"; there was nothing except a picture of a washing machine with a big mouth
> Run 'dig' on the URL, and get the IP address.
> Voila!
Flag: 1a8024a820bdc7b31b79a2d3a9ae7c02
Kevin Chung
> Hint given was "What places can you graduate from?"
> Start with his high school, Staten Island Technical High School
> First few Google results were about CSAW High School Forensics previous winners
> Clicking on Kevin's name brings us to key.txt
Flag: who_in_the_world_is_kevin_chung
historypeats
> Googling "historypeats" gives multiple results, including a GitHub profile
> It shows that the most recent activity of historypeats was removing comments from historypeats/putscan
> The removed comment was actually the flag
Flag: whatDidtheF0xSay?
CSAW CTF 2013 - Trivia
There were 5 trivia questions; each flag is worth 50 points:
#1 - Drink all the booze, ____ all the things!
Flag: hack
#2 - What is the abbreviation of the research published in the Hackin9 issue on nmap by Jon Oberheide, Nico Waisman, Matthieu Suiche, Chris Valasek, Yarochkin Fyodor, the Grugq, Jonathan Brossard, and Mark Dowd?
Flag: DICKS
#3 - What is the common name for a single grouping of instructions used in a Return Oriented Programming payload, typically ending in a return (ret) instruction?
Flag: gadget
#4 - What is the new web technology that provides a web browser full-duplex communication to a web server over a single connection?
Flag: websocket
#5 - What is the x86 processor operating mode for running 64-bit code?
Flag: long mode
Saturday, April 20, 2013
iHack2013 Forensic Challenge #11 WriteUp - Lets Cool Your Mind with Cartoon First :D
In this challenge, we are given this clue and a file.
Running file on the file given tells us this is a video file.
Some weird noise that resembles Morse code is noticeable at the 02:48 mark. We rip the audio out of the ASF file and load it in Audacity, and we see something in the audio stream.
Snip the part that we want and this is what we get:
Morse code! Decoding it gives this:
SKUCSKUCACGTZYLRGMUDXUREVUREXUREXUREVUREOFZKNLRGM
Based on the clue, we guess it's encoded with a Caesar cipher (ROT13, "the 13th time"), with a shift of 6 letters (6am).
Decoded:
MEOWMEOWUWANTSFLAGOXROLYPOLYROLYROLYPOLYIZTEHFLAG
Flag: ROLYPOLYROLYROLYPOLY
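The shift can also be recovered without the clue by trying all 26 rotations and keeping those that contain an expected word. This is an added example, not code from the original post; using "FLAG" as the crib and the function names are assumptions.

```python
import string

ALPHABET = string.ascii_uppercase

# Ciphertext as decoded from the Morse audio in the write-up.
CIPHERTEXT = "SKUCSKUCACGTZYLRGMUDXUREVUREXUREXUREVUREOFZKNLRGM"


def caesar_shift(text, shift):
    """Rotate every A-Z letter back by `shift` positions; other characters pass through."""
    k = -shift % 26
    table = str.maketrans(ALPHABET, ALPHABET[k:] + ALPHABET[:k])
    return text.upper().translate(table)


def find_shifts(ciphertext, crib):
    """Try all 26 shifts and keep the ones whose plaintext contains the crib."""
    hits = {}
    for shift in range(26):
        candidate = caesar_shift(ciphertext, shift)
        if crib in candidate:
            hits[shift] = candidate
    return hits


if __name__ == "__main__":
    # Assumed crib: CTF plaintexts usually mention the word FLAG.
    for shift, plaintext in find_shifts(CIPHERTEXT, "FLAG").items():
        print(f"shift {shift}: {plaintext}")
```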
Tuesday, October 2, 2012
CSAW 2012 Writeup - Forensic 500
Strangely enough, this is easier than the other forensics challenges. Just run strings against the file given:
Key: this_should_be_pretty_hard_unless_you_use_grep
CSAW 2012 Writeup - Networking 100
Open the pcap file in Wireshark -> Follow TCP stream -> the key is the telnet login password.
Key: welcome to 1969