This weekend, I attended the BSides Australia 2018 conference. This was another iteration of an already excellent con, with numbers expanding year on year. It is always good to have the opportunity to meet up with people I haven’t seen in a long time: I probably had more productive meetings on the second day of the con than in an entire week at my day job.
On Sunday, I participated in the Midnight Sun CTF Quals. This was a well-structured CTF, with a good variety of challenges leaning towards the difficult end. Unfortunately, I was only able to solve a few challenges: here are the writeups for them:
The Diary challenge was presented as an archive, containing a Git repository, which you can download here.
In this archive, there is “diary.txt” and “wishlist.txt”. Opening up “diary.txt” reveals the following:
Unfortunately, the Git repository seems to be corrupted:
A little bit of Google reveals a way around this: we run “git fsck”, revealing an interesting dangling commit:
We can check out the dangling commit directly, despite the git log being broken, and then check out the entry dated April 11th, revealing the flag:
The Isoar challenge was presented as a web application, allowing users to check the strength of their password against a list of 1001 passwords, one of which is the administrator’s password.
When a password is submitted, the page returns one “fact” about the password, and a score:
The goal was to obtain the administrator’s password. Inspecting the page source, we can see some interesting files:
A little bit of further exploration reveals 1000 of the passwords, in the file “/public.password.list”.
From here, we have enough to execute the attack: we send “test” requests for a given character, say “a”, and the response tells us how many passwords (from the list of 1001) end with “a”; we then compare this against the count from the list of known passwords. We repeat this for each character, extending the suffix, until one of the results does not match our own count – at that point we know the extra match is the administrator’s password, and we have learned its suffix.
Two hours of brute forcing later, and we know the administrator’s password ends with “rHolyP4ssw0rd”. Some guesswork later, and we get the flag by submitting a login request with “H3rHolyP4ssw0rd”:
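As an added illustration (not the challenge’s own code), the following Python simulates the Isoar “how many passwords end with this suffix” oracle locally on constructed data, and shows why a count computed over a list that contains a secret leaks that secret one character at a time. The public list, the admin password and the alphabet are all constructed assumptions; the fix on the server side is simply not to score against a list that includes the secret.

```python
import random
import string

# Constructed data: 1000 "public" passwords plus one secret, mirroring the
# challenge's 1001-entry list. Only the oracle sees the secret.
ALPHABET = string.ascii_letters + string.digits


def make_public_list(n=1000, seed=1):
    rng = random.Random(seed)
    return ["".join(rng.choice(ALPHABET) for _ in range(rng.randint(8, 14)))
            for _ in range(n)]


PUBLIC = make_public_list()
ADMIN = "H3rHolyP4ssw0rd"  # constructed secret, not known to the attacker side


def oracle(suffix, secret=ADMIN, public=PUBLIC):
    """Simulates the challenge's 'fact': count of the 1001 passwords ending in suffix."""
    return sum(1 for p in public + [secret] if p.endswith(suffix))


def recover_suffix(oracle_fn, public, alphabet=ALPHABET, max_len=32):
    """Extend the known suffix one character at a time.

    For each candidate character c, compare the oracle's count for c + known
    against the count over the public list alone. The one candidate where the
    oracle reports one more match than we can explain must be the secret's
    next character. Returns (recovered_suffix, number_of_oracle_queries).
    """
    known, queries = "", 0
    for _ in range(max_len):
        for c in alphabet:
            cand = c + known
            local = sum(1 for p in public if p.endswith(cand))
            queries += 1
            if oracle_fn(cand) > local:
                known = cand
                break
        else:
            # No character extends the suffix: the whole secret is recovered.
            return known, queries
    return known, queries


if __name__ == "__main__":
    suffix, n = recover_suffix(oracle, PUBLIC)
    print(f"recovered {suffix!r} after {n} queries")
```

The query count grows with alphabet size times secret length, which is why the page’s real run took hours; the leak itself is independent of the alphabet.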
Thank you to the organisers of this CTF – I enjoyed this experience. That said, I grow weary of competing by myself once more – it is my intention to restart farmingsimulator2015 (in one form or another). More thoughts on this later – the clock ticks on for WPICTF, and my projects won’t complete themselves.
See you in WPICTF.