Quick Links
Slow Links
email me!
About Me:
   [Click] to know

Sat, 28 Mar 2015 {6:09 pm}
Level 8

Level 8 has you download a file called app.exe. Not generally one to run applications from unknown sources, I decide to fire up IDA and load it in there. Well, this one was easy. Right in the main function, a pointer to the string "infosec_flagis_0x1a" is loaded into a register. I suppose I could have also come to this solution by running the strings tool on the binary.

Comments(0) / Add thy own

Sat, 28 Mar 2015 {6:01 pm}
Level 7

On this one, the filename is 404.php instead of levelseven.php. It drops you on a page that returns an HTTP 404 Not Found response and the page contains only simple text without the normal HTML headers and formatting. I first tried going to levelseven.php in Chrome, but it appeared to be a blank page. I then tried getting the 404.php page with wget, but apparently the version I have won't download the content if the file isn't found. So, instead I used curl and had it in verbose mode so I could see the headers printed. I saw that the response showed it was using HTTP 1.0 instead of 1.1, which I thought was somewhat odd. I tried downloading some other files (like f00 or f00.php) but with no luck. Well, lets try levelseven.php again. Now I get something interesting. Back to HTTP 1.0, but also the HTTP 200 line contains what looks like a base64 encoded string in it: "aW5mb3NlY19mbGFnaXNfeW91Zm91bmRpdA==". This time I use base64 -d to decode it to come up with infosec_flagis_youfoundit

Comments(0) / Add thy own

Sat, 28 Mar 2015 {5:19 pm}
Level 6 (Yeah, skipping 5 for now)

So, this one asks you to download sharkfin.pcap, which assuming the extension isn't a lie should be a packet capture. I have Wireshark installed (which may be somewhat referenced by the filename), so I'll just open it in there. There's a bunch of TLS packets, which I don't expect to be able to decrypt, so I'll ignore those for now. Other than that there are a couple DNS queries and some other standard packet noise. The first packet is kind of interesting though as it is UDP with the source and dest IP set to the standard loopback IP ( The UDP data is all printable characters that appear to be hexadecimal (and fall within the printable range themselves). So lets take this text string and decode it. You can copy it as text from Wireshark by right clicking on the packet in the list and choosing the Copy->Bytes->Printable Text Only menu item. I use Hex Workshop to decode, but I'm sure there's something on the internet that will do it too. And the answer is: infosec_flagis_sniffed

Comments(0) / Add thy own

Sat, 28 Mar 2015 {3:02 pm}
Level 4

The clue on this one is "HTTP means Hypertext Transfer Protocol". There's a picture of Cookie Monster and whenever you mouseover the picture, an alert pops up that says "Stop poking me!". Not much to go on, so I look at the page's source. Nothing too interesting. I find the .js file that contains the poke() function for the mouseover event, but nothing interesting is in there. I download the image file and open it in a hex editor. Still nothing interesting, even after searching for all contained strings.

Maybe I should think about the clue a little more. Well, I guess I could look at the HTTP headers. Hmm, I bet wget can do that. So, I check out the command line options. --save-headers looks like it will do what I want. This looks interesting "Set-Cookie: fusrodah=vasbfrp_syntvf_jrybirpbbxvrf". It seems to follow the format of the other solutions, but it's encoded somehow. Everything is still ascii characters, so probably some kind of substitution cipher. Maybe rot13. Sure enough: shfebqnu=infosec_flagis_welovecookies.

Comments(0) / Add thy own

Fri, 27 Mar 2015 {10:48 pm}
Level 3

Page shows what looks like a QR code followed by an animated gif of a loading bar maybe. Decode the QR code (link) to get the bytes:

22 57 8c cf be 1b c6 75 fc fb d7 b3 f7 8c cf d9
f7 c5 f8 6f 19 d7 f3 f7 5f f0 de 2f 3e f5 fc fd
e1 bc 67 86 eb d9 f7 af 67 ee bf 9f bc 66 7e f0
dd 7f 3e f5 f0 ec 11

Not sure what that is, but the decoder says the text is ".. -. ..-. --- ... . -.-. ..-. .-.. .- --. .. ... -- --- .-. ... .. -. --." To me, this looks like morse code. I'm sure somebody out there has written a Morse decoder. Here's one. And indeed, it decodes to: INFOSECFLAGISMORSING.

Comments(0) / Add thy own

Fri, 27 Mar 2015 {10:38 pm}
Level 2

Page says "It seems like the image is broken..Can you check the file?". Probably a good indication the key is in the "image". Download the image. It is unusually small. Let's open it up with a text editor. Contents are "aW5mb3NlY19mbGFnaXNfd2VhcmVqdXN0c3RhcnRpbmc=". Hmm, this looks like base64. Let's ask the internet: base64decode.org. Yep! It decodes to "infosec_flagis_wearejuststarting".

Comments(0) / Add thy own

Fri, 27 Mar 2015 {9:44 pm}
It's been a while since I've done anything here. But, it seems like it might be an ok place to put write-ups for the Infosec n00bs CTF Labs. We'll see how difficult they get.

Level 1

This one has a darkened picture of Yoda with the phrase "May the source be with you!" The modified quote is a clue that the solution may lie within the page's source code. Verily, upon right-clicking and choosing "View page source" the first line is an HTML comment that says infosec_flagis_welcome. This is the entirety of the puzzle.

Comments(0) / Add thy own

| <- Back | Forward -> |

Jibber Jabber
say you love me
10.06.13 21:56
Thanks Conrad!
04.30.13 09:33
Boom Posted!Its Alive! Its Alive!
You say: