Hacking is My Passion.

N00bs CTF

| Comments

n00bs CTF (Capture the Flag) Labs is a web application presented by Infosec Institute. It has 15 mini Capture the Flag challenges intended for beginners and newbies in the information security field or for any average infosec enthusiasts who haven’t attended hacker conventions yet.

So what is a CTF? In hacker conventions, CTF or Capture the Flag is a game event which has challenges that vary from exploitation, CrackMes, crypto, forensic, web security, logical games, wireless security, and many more.

Each level can be hopped in the navigation bar of the web application where different kinds of challenges are in place which include basic static source code analysis for a page, file analysis, steganography, pcap (packet capture) analysis, and other basic forensics challenges.

Here are the Write-up’s For all the CTF Levels ranging from [1 - 15]. Kindly comment if there is any changes to be done…. Thank you guys Happy Hunting!…

Tools Used



After Reading the CTF Rules with an energy we entered into Level-1 to find our first Flag. At level-1, We found an little Alien Image and a description May the source be with you!. Initially we didnt notice the hint source, we booted Burp-suite and crafted the request and sent to the Repeater module and hitted go button and in some miliseconds we got response as shown in below image

If you see the response, we got an 200 ok and also if you notice the Raw response, you will find a Commented line as <!-- infosec_flagis_welcome -->. Later we manually went into all levels and did a View Page Source none of the levels were having this comment header at the starting. Isn’t this Cool!!!! Finally we conclude that the commented header is the Level-1 Flag.

  • CTF Flag for Level-1: [infosec_flagis_welcome]



Level-2 was having some broken image file. Here is how we got the Level-2 Flag. First we Crafted the request into Burp which as shown below

After crafting the request we Forwarded it to Craft on the next request,

Where we found a GET Reuqest named Leveltwo.jpeg file which was broken. Then we sent the GET request to Repeater, where we got repsonse along with some Base64 encoded value as shown in below Image.

Later on getting response, our personal intension is to gain a Flag!!! So we were having a doubt!!! why we got response with a Base64 value?, so to clear our doubt we cpoied the Base64 value and Decoded it using Burp Decoder and this infosec_flagis_wearejuststarting was the decoded value. Successfully we gained the Level-2 FLag.

  • CTF Flag for Level-2: [infosec_flagis_wearejuststarting]



To be frank im a great fan of QR Code scanning. So..So.. after entering into level-3 we scanned the shown QR code using our Samsung S5, where it popped us nothing found/matched. But We didnt give up so we googled for some online Barcode Reader/Decoder and found a link for decoding the QR code. So we downloaded the QR code and uploaded into the online Reader/Decoder to find what’s inside the QR code.

The online Reader/Decoder Decoded the QR value and we found Morse coding values. So We again found a site for More Translator for Transalating the Vlaues which is shown below

After translating the Morse Code we were stumbelled with the result!!!!! the QR Image was embedded with Level-3 Flag INFOSECFLAGISMORSING Voila we finally got the flag.




Poping into Level -4. When we loaded the page there was a image along with a description same was in Level-1. We deeply observed the Description, which mentions the HTTP expansion and when we did a mouseover on the image it was alerting us stop poking me, so we loaded the Burp and intercepted the levelfour.php page request and sent it to repeater where we got a response along with a Cookie value named Set-Cookie. This seems unusual because if you see the request page at left side you could notice the same Cookie value assigned for levelfour.php. So each and every time if you load the page your cookie values gets changed but this value was stable and unique. After our analysis, we copied the Cookie value and pasted it in the Burp -> Decoder and did a smartdecode and manual decode there but nothing was reflected. Basically If you do any encryption the underscore will also be encrypted but in this case underscore remains the same. So we did some Cryptanalysis and found the strings were substituted based on ROT-13 algorithm where the underscores are not considered to rotate 13 chars. So we cracked the Value using online ROT-13 online Decoder and successfully gained the Flag infosec_flagis_welovecookies.

  • CTF Flag for Level-4: [infosec_flagis_welovecookies]



Initially when we visit the levelfive.php page an xss alert were kept on popping up. So what we did is we marked a tick on check box for Prevent this page from creating additional dialogs.

Then after preventing the alert box, we did a Inspect element with Firebug and found a broken image file named aliens.jpg under a folder /img.

After finding the image file we donwloaded it and opened to view if there is any flag inside the file. But we were wrong, the image showed us nothig but with some funny character with some text inside the image.

Later on we started to analyze the image with may commands to grep out the Flag but nothing was working out. And if you notice that the image was not having any metadata listed, no author name, iso rating , focal length etc…. after noticing this we thought that this image might be a stegno image. So we went online for decoding the stegno image

If you notice the second image you could see some lengthy binary bits which confirms that the image contains some text inside. We doubted correctly!!!! the alien.jpg image is a Stegno image. After our confirmation we copied the binary value and and converted the binary to string to gain the Level-5 flag infosec_flagis_stegaliens

  • CTF Flag for Level-5: [infosec_flagis_stegaliens]



At Level-6 we downloaded a .pcap file which was named as sharkfin.pcap. After Downloading the file we opened the file using Wireshark in Kali-linux and to be really frank we had some luck, because to analyze a .pcap file you need to be very patience. The luck here was, after we opened the file we made a right click on the first packet stream and did a Followup UPD stream. After doing this we got some HEX values with 44bytes long.

Then after the followup stream we copied those Hex values and made a Hex to Char conversion online and the converted strings was the Level-6 CTF flag infosec_flagis_sniffed.

  • CTF Flag for Level-6: [infosec_flagis_sniffed]



When we initally browsed to Level-7 the page was blank with a description and with the bounty value as shown in above image. Later we noticed the url i.e. 404.php so we thought the page is being redirected, whenever we click the level-7 tab in levels() page. But this was not the case. Initally we dropped and moved on to later levels and we found the levelseven.php at level-15 from /var/www/html which is shown in below image

So after finding the levelseven.php page from level-15, we browsed to it and we noticed a blank page as shown in below image

Later we did a intercept using Burp and we sent the request to the Repeater and noticed the response page with a 200 ok along with a base64 encoded value following up with the HTTP headers. So we decoded the value and Gained the Level-7 Flag infosec_flagis_youfoundit

  • CTF Flag for Level-7: [infosec_flagis_youfoundit]



Level-8 was a cake walk for me, because of my OSCP Certification currently obtained. Later, we downloaded the app.exe file and decompiled the app.exe file using OBJDUMP and gained the Level-8 flag infosec_flagis_0x1a

  • Note:[To know more abot objdump kidnly refer reverse engineering books available from Amazon.com.]

  • CTF Flag for Level-8: [infosec_flagis_0x1a]



Contains a CISCO WEB -IDS login page. At initial stage we were doing some sql injection attacks nothing was working out. So we thought it this way, that whenever a user is buying a new device it will be preloaded with default username and password. So we created a default Username and passowrd list for doing the automated Bruteforce thing. Later We intercepted the request into Burp and forwarded the request to the Burp-Intruder module, then select the Username and password field and configured wtih the options as shown in below images and then select the Payloads tab and load the Username and password list and hit start-attack.

Step 1:

Step 2:

Step 3:

Step 4: [click Start attack]

After the step 4 process is completed check the Length Field where you will notice the difference about the successful Bruteforce login. For example for username sa and Password Cisco the Length is 4083 and status code is 200 ok, but don’t blindly confirm with the status code check for other values too. So the Original value for the Username and password filed is root: attack. After finding valid user credentials we loaded then manually through the url and see what we found

we got an alert box with a Reverse_string value which is actually the Level-9 Flag ssaptluafed_sigalf_cesofni alias infosec_flagis_defaultpass

  • CTF Flag for Level-9: [infosec_flagis_defaultpass]



You can see the Description when you get-into level-10. what kind of sound is this? so if you notice here sound is the hint. Initally we downloaded the file Flag.wav and we opened it in VLC media player. During the Playback the audio went just like that and we didnt hear it properly, so we went to playback tab and reduced the sound and even though we were not able to get a clear voice. Then we downloaded a wave editor called Wavepad where we reduced the Pitch & Speed under the effects tab. After the reduction we were closely successful! eventhough some noise ratio was there, so again we reduced the speed,pitch and semitones to some extent and made a preview …. VOila we got a clear audio it vocaled us the Level-10 Flag infosec_flagis_sound

  • CTF Flag for Level-10: [infosec_flagis_sound]



At the inital stage, after the page got loaded we thought this page has two flags to be captured,.. but after viewing the description there were no sound file inside the page, instead there were two image file lol.gif and php-logo-virus.jpg . How you know?….. We did Inspect element on the webpage using Firebug….

After the above identification, we downloaded both the files, and started analyze both the image files using UNIX Strings command which will output whatever text from a binary file. So we ran Strings lol.gif | grep infosec —> nothing reflected, then we moved on to the second image Strings php-logo-virus.jpg | grep infosec –> where we were reflected with the flag along with base64 values. After Decoding the values we gained a valid url link, so we followed the link it showed us the Powerslide image so my guess for this flag might be infosec_flagis_powerslide.


Follow up URL

  • CTF Flag for Level-11: [infosec_flagis_powerslide]



This level made me to drink so many redbull’s. For writing the blog is easy but the way we found it was very difficult. Good work by Infosec Team. Initially if you see this page it will be a look alike of the level-1 page only difference is the Description. Dig Deeper so from here we started to view the page source nothing much was found looks normal. we copied the level-12 source and level-1 source code and made a difference check online

where the difference was in CSS(Cascading Style Sheets) design.css. so we used the Web_developer Firefox_addon to find what’s inside the css.

Here if you notice the design.css file contains some unwanted HEX values, where we converted the HEX values into String through online Hex to String Converterfinally we found the Level-12 Flag infosec_flagis_heyimnotacolor

  • CTF Flag for Level-12: [infosec_flagis_heyimnotacolor]



When we loaded the level-13 page we didnt even found anyhting to download just a blank page with a huge description. We read the description again and again, what we noticed was that the challege is gone, Can you check if you can find the backup file for this one? blah blah blah ….. For me again the level-15 helped me, we did a change directory to /var/www/html and found a old file named levelthirteen.php.old as shown in the below image

After finding the old file we loaded it into the url and it popped us to download this file.

After the download was successful, we tried to open the file using the Web-browser where we found a page without any css designs as shown below

If you notice the page you will find a description stating Do you want to download this Mysterious File we gave yes and a newtab was opened along with a new url link ( which was a HREF link)

After getting this link we copied the /misc/imadecoy and downloaded the imadecoy file. Actually the imadecoy file was with blank extension. Basically we use Kali for my official testing purpose after we downloaded the file it automatically opened in wireshark so this was a pcap file ( I was having pure luck). Recently we found an online PCAP web Perfomance Analyzer tool where we uploaded the imadecoy file and started to analyze the file. Where we some GET requests for image files

Then we loaded the same file into wireshark and we downloaded all the files into our local machine and see what we got

We got the level-13 Flag infosec_flagis_morepackets

  • CTF Flag for Level-13: [infosec_flagis_morepackets]



This Level seriously took my breath away because its a Database File where we did some through analysis which took us some 35 minutes. Because to be frank im not a coder or a database admin so it took me so much time. What we found was that while scrolling down each dumping items in Friends table there were some Unicode strings under name field for id:104 of table friends. Usually Db dosent create such value directly!!!!….. SOmething Fissssshhhhhy… we copied the entire string and decoded using online unicode convertor. After Converting Unicode values clean the \ before each character.

  • CTF Flag for Level-14: [infosec_flagis_whatsorceryisthis]



This level contains a DNS lookup command which is integrated with Dig command, where it retrives the ns & mx record if you give any domain name inside the dns lookup field. And also if you notice this page is vulnerable to command injection. Initially i did a | ls -la command and saw two file .hey & index.php so i did cat on both the files index.php reflected with the same levelfifteen.php page and .hey gave me some unknown characters Miux+mT6Kkcx+IhyMjTFnxT6KjAa+i6ZLibC and we started to do the decryption using some online decryptor tools.

We Successfully decrypted the Flag using http://crypo.in.ua/ online tool. This site contains many Decryption Algorithms. Finally we decrypted the Flag with the help of ATOM-128 Decryptor and the Level-15 Flag is infosec_flagis_rceatomized

  • CTF Flag for Level-15: [infosec_flagis_rceatomized]

Bonus Flag

We found this Bonus flag under /var/www.

If you see that there is a img, misc directory where some of the levels were having link to these directories so we enterted those directories to find if something we could find interestingly. From the img diretory we found this 17oskq9jniazojpg.jpg jpeg file, so we did many analysis and this image was found to be a stegno image so when we did a stegdecode it was asking me for the passphrase and we tried to crack the passphrase and we were not successful. Then when we found a Readme.wav from the /misc directory which was not related to any level so we downloaded it.

After downloading the file we started to listen the wave file using vlc player, initially we heard some Beeping sounds. Initially it didn’t strike me that its a Audio Morse code file. After identifying that its Morsecoded file, we decoded the sound value with the help of Morse View a windows based morse code decoder [.. -. ..-. --- ... . -.-. ..-. .-.. .- --. .. ... -- --- .-. ... . -.-. --- -.. . - --- -. . ...]. Finally we got the Bonus Flag Infosec_flagis_morsecodetones.

  • Bonus Flag [Infosec_flagis_morsecodetones]