Austin Schertz won the CodeMash CTF this year, and he dropped off his answers to all 19 challenges. Here they are:
Access Control
We got the password dump (400)
This challenge provided a set of passwords. I recognized that they were hashes and used an online tool to look up the hash values and put them in the correct format. (cm20-XXXX-XXXX-XXXX in this case)
Binary Analysis
Need more coffee!!! (100)
The file had no extension, so I used an online file checker to identify it as a java.class file. From there, I renamed the file with the proper extension and ran it from the command line.
Need even MOAR coffee!!!!! (300)
This one was a bit more confusing. Renaming it (first to .class and then to cm.class) and running it produced a cryptic error about a missing class. Decompiling revealed some very obfuscated java code. Ultimately, someone suggested that I run the file, and look more closely at the errors. The error suggested that I needed to create another class that would be referenced by the original file. After creating a separate class, I was then informed by the errors that an interface was expected. Changed to an interface, and found that I needed to add an annotation, and then that the annotation needed to be a runtime annotation. Running it this way produced the flag.
One Time at Band Camp (300)
This one provided an AmericanPie audio file. I googled ways to hide text in an audio file, and I came across a few articles about audio steganography that referenced using sonic visualizer and applying a spectrogram. I did that and found the flag around the 6 minute mark. It looked a little off, but I substituted cm20 for what looked like cy20, and it worked just fine.
I C What You Did There (400)
I got some help on this one from an older and wiser friend of mine. I had tried several ways to look at the audio file, but he listened to the file and immediately recognized it as the sound of a Commodore 64 file. Once I knew it was a C64 file I downloaded a converter to go from WAV to TAP. I ran the tap file in an online C64 emulator.
Binary Deserialization
The button doesn't do what you want (300)
I was super over thinking this one. I tried all kinds of JSON stuff to no avail. In the “thislooksinteresting” element, I decoded the value from Base64 and saw <GiveMeFlag> I tried lots of complicated things, but the ticket was changing the “n” to a “y”. I did it by looking up the base 64 value for “n” and replacing it with the base64 value for “y” in chrome dev tools. After that, it was as easy as pushing the button.
Encoding
All your base are belong to us! (100)
The string was base64. Decoding produces the flag.
These soundex exactly the same! (100)
I used the government soundex page to understand what soundex was. All three of the statements in the hint have the same soundex translation. Appending cm20 and putting dashes in the right locations produced the flag.
All your base are belong to us - level 2 (300)
The string was base 64. Decoding it produced what appeared to be a PNG file. I copied it to a blank file and opened the image. There was the flag.
All your base are belong to us - level 3 (500)
This one was base 64, but with a twist. A close look revealed the word “fish” at the end of the file. Removing that allowed for base 64 decoding, but the result was still base 64, and there was another instance of “fish” at the end. I wrote some C# to remove fish and decode from base 64 in a loop. Doing this 42 times produced the flag.
Encryption
Where's the bacon? (100)
This one was a bacon cipher. I used a tool called dcode to reveal the flag.
What is missing? (200)
I recognized another bacon cipher hiding in the bold and italics tags. I manually copied the tags in order to notepad, and fed the result to dcode to produce the flag.
Incident Response
Ghost In The Keys (400)
I opened the file in wireshark, and saw the leftover transfer data. I looked at some articles about how to recognize keyboard data in wireshark, and how to setup custom columns. When I had gotten the data that I wanted, I dumped the results to excel and manipulated them converting the leftover data to keystrokes, noting that the 02’s are shifts, and the other data was keypresses. Ultimately this created a powershell execution with a reference to a web page in it. Accessing the web page produced the flag.
Mobile
Why did you do this to us, iOS? (200)
I looked up how to open the file, and found that I could rename it and unzip it. After I unzipped it, I found a flag element in the plist file. It was a bunch of numbers, and I manually translated those numbers to other characters. This produced the flag.
On Site Challenges
You're gonna need a broom (1000)
The reference to the scytale was apt. I found a strip of paper attached to the wall in the game room, and a broom up against the wall. I wrapped the paper around the broom, and read off the numbers. I recognized the Hex code (no letters from late in the alphabet.) Plugging it into a hex converter, I found that the section I read off was only “cm20”. So I went back over, got the broom and read off the other sides of it and converted the hex to get the rest of the flag.
Social Engineering
Slack Challenge (100)
Searching for cm20 in the capture the flag slack channel produced the flag.
THE BADGE CHALLENGE (300)
I did this the hard way. . . I was not sure that I could get someone to loan me their badge to tinker with, so I went and got the source from bill’s github, and found a file that contained an array that would eventually become a bitmap. So I grabbed the array, manipulated it, loaded it to excel, and used conditional formatting to make a QR code in a spreadsheet. Scanning it with my phone produced the flag.
Web Security
Leprechaun Rally (200)
This one was clever. I attempted to speed up the calling process to get more coins, but I got throttled. At that point I understood the hint. You need to BECOME the leprechaun with the most coins. So I set my efforts to obtaining a fraudulent session. I realized that clicking the “stay logged in” button, there was another cookie added to all the requests. It was URL encoded, and base64 encoded, but ultimately it was just “[Username]_ThisIsBadSalt”. I created a new cookie value for the user Lucky_McPlucky, and edited my cookie in chrome dev tools. This allowed me to become the luckyiest leprechaun and retrieve the flag.
Philosopher's Stone (300)
I spent a decent amount of time looking at the page source for this one before getting a tip that I needed to look closely at the image. I messed with the image in luna pic, and found a message in the bottom right corner of the image. Entering that led to another cryptic message. I thought it might be base 64, but discovered eventually that it was chess notation. After significant manipulation to the string, I entered it to lichess.org. This loaded the match, but I am no good at chess. It took running it as an AI to realize that white’s next move was a checkmate. I spent a while trying permutations of that move in chess notation in the solution bar. I found one that worked! But then I found another challenge was waiting for me. It looked like a flag, but it wasn’t. I looked at the page source and found a bunch of hidden whitespace characters in the middle of the flag string. Removing them didn’t work, so I thought maybe the whitespace was the flag? I pulled out the whitespace pattern and realized that it was morse code. The decoded morse was added to cm20{XXXXXX} to get the flag.
Post-CodeMash edition!
The Government of Gibraltar had a SQL Injection vulnerability in the site that hosts their laws. That wouldn't end well.
https://www.theregister.co.uk/2020/01/07/gibraltar_sql_vuln_allowed_law_editing/
There is an actual practical attack against SHA-1 that has been POCd. If you are still using SHA-1 for session tokens, might want to consider something else.
https://www.schneier.com/blog/archives/2020/01/new_sha-1_attac.html
Half of WASM code is used to write malware. I'm not completely sure, but I think I called this one.
https://www.zdnet.com/google-amp/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes/
Huge big ginormous remote code execution flaw in Citrix. TrustedSec has a good writeup.
https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/
That's the news, folks. Stay safe.
Pre-CodeMash Edition!
Adam Caudill is a personal friend of mine and has forgotten more about application security than I will learn. He manages a cool web scanner called YAWAST, which is awesome. There is news about future plans.
https://adamcaudill.com/2020/01/05/yawast-news-mission/
Good writeup on iOS application injection.
https://arjunbrar.com/post/ios-application-injection
OWASP Juice Shop has been added to the Open Reference Architecture for Security.
https://security-and-privacy-reference-architecture.readthedocs.io/en/latest/securitycourses.html#owasp-juice-shop
SANS Holiday Hack CTF is up. I forgot about it earlier.
https://isc.sans.edu/diary/rss/25672
News from CodeMash next issue!
It's the holiday edition! No I'm kidding it's the same stuff as usual. Sorry.
Apparently there is a chat app that is literally spyware developed by a nation state. This isn't a political blog, but the technical implications are deep. Here's a good writeup.
https://objective-see.com/blog/blog_0x52.html
I'm all about supply chain issues, and this is a really good analysis of risks involved with package managers like npm.
https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/
Someone reverse engineered an RSA token, and is using it to bypass two factor in the wild.
https://www.schneier.com/blog/archives/2019/12/chinese_hackers_1.html
That's the news folks. See you next decade.
Hope everyone has a good holiday.
You probably heard that the Russian offices of ngnix were raided by the government. F5 is doing a code review.
https://www.msn.com/en-us/news/technology/f5-networks-secures-ngnix-software-builds-as-precaution-after-visit-from-russian-law-enforcement/ar-BBY357u?ocid=ARWLCHR
Solid research on privilege escalation in Amazon Web Services. Very real problem.
https://know.bishopfox.com/research/privilege-escalation-in-aws
Do you want to bone up on real world appsec skills over the week? I recommend the PortSwigger Web Academy.
https://portswigger.net/web-security
That's the news.
Nice writup that explains a pivot from and iPhone app all the way through to domain access via chained exploits. Application security is hard.
https://decoder.cloud/2019/12/12/from-iphone-to-nt-authoritysystem/
The security.txt file is near becoming an IETF standard.
https://mailarchive.ietf.org/arch/msg/ietf-announce/OFuiGlVv6WgvEEABaGmnYi120yU
Cool Azure horizontal privilege escalation writeup using the cloud shell.
https://blog.netspi.com/attacking-azure-cloud-shell/
That's the news. Hope everyone is having a stress-free holiday.
My favorite thing this week: SwiftOnSecurity accidentally dropped a Confluence 0-day on Twitter. Oopsie.
https://www.theregister.co.uk/2019/12/05/atlassian_zero_day_bug/
An Android spoofing vulnerability is already being exploited by bank thieves. Hard to write secure apps when the platform doesn't help.
https://arstechnica.com/information-technology/2019/12/vulnerability-in-fully-patched-android-phones-under-active-attack-by-bank-thieves/
On that topic, here's a cool primer on Android reverse engineering.
https://maddiestone.github.io/AndroidAppRE/
TruffleHog is a new (and still a little rough) script to sniff out secrets from GitHub repos.
https://www.darknet.org.uk/2019/12/trufflehog-search-git-for-high-entropy-strings-with-commit-history/
AWS built a took to yell at you if you have open S3 buckets.
https://www.theregister.co.uk/2019/12/03/aws_s3_buckets/
That's the news, folks. Stay safe out there.
Fortinet is communicating with static keys and a simple XOR. Whoops.
https://sec-consult.com/en/blog/advisories/weak-encryption-cipher-and-hardcoded-cryptographic-keys-in-fortinet-products/
An Android gif library has an interesting vulnerability that will affect many application.
https://seclists.org/fulldisclosure/2019/Nov/27
An OWASP member made a neat ZAP plugin that helps to attack deployed Kubernetes applications.
https://github.com/omerlh/zap-operator
Hope everyone had a great thanksgiving.
S
Github is starting SecurityLab. It's part knowledge sharing, part secure coding, part bounty hunting, and it is pretty neat.
https://securitylab.github.com/
Stacey on IoT has a good writeup on device and container security citing this Trend Micro report
https://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/2020
Subscribe to her newsletter!
https://staceyoniot.com/
TrustedSec, an infosec firm in Cleveland run by my friend Dave Kennedy, has open sourced their legal documentation for physical pentesting in order to try and prevent another Iowa.
https://github.com/trustedsec/physical-docs
Read more about why here
https://www.trustedsec.com/blog/a-message-of-support-coalfire-consultants-charged/
Cool writeup of a DOM clobbering vulnerability. I think DOM XSS will become more of a thing as browsers get more and more power.
https://research.securitum.com/xss-in-amp4email-dom-clobbering/
That's the news!
Great breakdown on finding bugs in an OAUTH flow
https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html
Only arguably appsec, but there is an artificial intelligence story writer that was determines to be too powerful to release into the wild, and it has been released into the wild
https://nakedsecurity.sophos.com/2019/11/11/ai-wordsmith-too-dangerous-to-be-released-has-been-released/
Remember when WordPress malware was all the rage? Well, not it is Slack Themes
https://fletchto99.dev/2019/november/slack-vulnerability/
I am a web guy, not an OS guy, so I learned a ton from this rootkit primer
https://capsule8.com/blog/dont-get-kicked-out-a-tale-of-rootkits-and-other-backdoors/
That's the news, folks.