BSides RDU EverSec CTF – Challenge Solutions

Now that it’s over, I wanted to share my write-ups for the BSides RDU EverSec CTF.

BSides RDU EverSec CTF – Introduction

If you haven’t read my post about the conference, then I recommend you check it out.

I helped run the EverSec CTF like usual and knocked out a few of the challenges in between assisting/questions.

For even more solutions, check out Steve’s post

Challenges

Keep

The first challenge that I worked on was ‘Keep’, which you can follow along with here – keep.pcap.

Our CEO somehow got all of his accounts compromised. Here's a pcap from his workstation. See if you can figure out what happened! 

First, I downloaded the pcap file from the challenge page.

--2019-10-18 14:03:06--  https://scoreboard.eversec.rocks/challenges/keep.pcap
Resolving scoreboard.eversec.rocks (scoreboard.eversec.rocks)... 10.2.2.2
Connecting to scoreboard.eversec.rocks (scoreboard.eversec.rocks)|10.2.2.2|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 186323 (182K) [application/octet-stream]
Saving to: 'keep.pcap'

keep.pcap            100%[===================>] 181.96K  --.-KB/s    in 0.02s   

2019-10-18 14:03:06 (7.46 MB/s) - 'keep.pcap' saved [186323/186323]

Next, I opened the pcap file in Wireshark. I was able to find an HTTP request quickly, which was a good start.

Since this file showed an HTTP request for a secure.kdb, I figured that I would need to get and crack a KeePass database.

I went to ‘File -> Export Objects -> HTTP’, to see if a server response returned the secure.kdb file.

When the HTTP objects window opened, I saw multiple entries for the secure.kdb file.

Next, I saved the database and ran it through keepass2john. This would give me a crackable hash, and hopefully give me access to the database.

root@kali:~/BSidesCTF# keepass2john secure.kdb 
Inlining secure.kdb
secure.kdb:$keepass$*1*50000*0*74d3896b48ac6ed0aa07beef487459a6*07b745750fb74437f31b09f983b8f4e8e8cbc44e9779e45dcf414b06d5d40d44*bec5b22865ff56bc0d8c06ed8062e7d5*d352a6719e1c7bf988a59661ed06f3135fe86d7505e909702d52ed9a5bd09b40*1*1376*f9...c7

Unfortunately, when I opened my hash file in Hashcat, I received a salt-value exception.

root@kali:~/BSidesCTF# hashcat -m 13400 -r ~/tools/hashcat/rules/best64.rule kdb-hash.txt ~/tools/cracking/rockyou.txt 
hashcat (v5.1.0-1397-g7f4df9eb) starting...

OpenCL API (OpenCL 1.2 (Jun 23 2019 21:50:55)) - Platform #1 [Apple]
====================================================================
* Device #1: Intel(R) Core(TM) i9-9880H CPU @ 2.30GHz, skipped
* Device #2: Intel(R) UHD Graphics 630, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 560X Compute Engine, 1024/4096 MB allocatable, 16MCU

Hashfile 'kdb-hash.txt' on line 1 (secure...a73b21d2d928a09a9f56a828930842c7): Salt-value exception
No hashes loaded.

Started: Fri Oct 18 14:08:27 2019
Stopped: Fri Oct 18 14:08:27 2019

When I looked at the example hashes again, I noticed that the hash should start with $keepass$ and not the filename.

When I edited my hash file, I was able to run Hashcat and successfully obtain the password!

root@kali:~/BSidesCTF# hashcat -m 13400 -r ~/tools/hashcat/rules/best64.rule kdb-hash.txt ~/tools/cracking/rockyou.txt 
hashcat (v5.1.0-1397-g7f4df9eb) starting...

OpenCL API (OpenCL 1.2 (Jun 23 2019 21:50:55)) - Platform #1 [Apple]
====================================================================
* Device #1: Intel(R) Core(TM) i9-9880H CPU @ 2.30GHz, skipped
* Device #2: Intel(R) UHD Graphics 630, 384/1536 MB allocatable, 24MCU
* Device #3: AMD Radeon Pro 560X Compute Engine, 1024/4096 MB allocatable, 16MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 754 MB

Dictionary cache hit:
* Filename..: /Users/doyler/tools/cracking/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 1104517568

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Name........: KeePass 1 (AES/Twofish) and KeePass 2 (AES)
Hash.Target......: $keepass$*1*50000*0*74d3896b48ac6ed0aa07beef487459a...0842c7
Time.Started.....: Fri Oct 18 14:09:28 2019 (2 secs)
Time.Estimated...: Tue Oct 22 17:01:44 2019 (4 days, 2 hours)
Guess.Base.......: File (/Users/doyler/tools/cracking/rockyou.txt)
Guess.Mod........: Rules (/Users/doyler/tools/hashcat/rules/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:      433 H/s (17.69ms) @ Accel:4 Loops:64 Thr:64 Vec:1
Speed.#3.........:     2669 H/s (7.29ms) @ Accel:16 Loops:64 Thr:64 Vec:1
Speed.#*.........:     3103 H/s
Recovered........: 0/1 (0.00%) Digests
Progress.........: 0/1104517568 (0.00%)
Rejected.........: 0/0 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:7552-7616
Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:17536-17600
Candidates.#2....: chatty -> travon
Candidates.#3....: 123456 -> christal

$keepass$*1*50000*0*74..c7:harrypotter
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: KeePass 1 (AES/Twofish) and KeePass 2 (AES)
Hash.Target......: $keepass$*1*50000*0*74d3896b48ac6ed0aa07beef487459a...0842c7
Time.Started.....: Fri Oct 18 14:09:28 2019 (6 secs)
Time.Estimated...: Fri Oct 18 14:09:34 2019 (0 secs)
Guess.Base.......: File (/Users/doyler/tools/cracking/rockyou.txt)
Guess.Mod........: Rules (/Users/doyler/tools/hashcat/rules/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:      434 H/s (17.65ms) @ Accel:4 Loops:64 Thr:64 Vec:1
Speed.#3.........:     2700 H/s (7.23ms) @ Accel:16 Loops:64 Thr:64 Vec:1
Speed.#*.........:     3134 H/s
Recovered........: 1/1 (100.00%) Digests
Progress.........: 16384/1104517568 (0.00%)
Rejected.........: 0/16384 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:21376-21440
Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:49984-50000
Candidates.#2....: chatty -> travon
Candidates.#3....: 123456 -> christal

Started: Fri Oct 18 14:09:13 2019
Stopped: Fri Oct 18 14:09:35 2019

Using the password of ‘harrypotter’, I was able to open the database in MacPass.

After looking through each of the entries, I found one that looked like a flag under ‘Instagram’.

I entered in the correct flag and earned some points.

d0n7u$3w34km45t3rp4$5w0rD$!

BSides RDU EverSec CTF – Strange Data 2

Next up was the ‘Strange Data 2’ challenge.

Like many of the crypto based challenges, this was just a string hosted on the consultant’s page.

NTQ6MzM6Njg6NjY6MzQ6NmM6NmM6NTM6MzM6NmQ6MzM6NzM6NzQ6MzM6NzI=

At first, I figured this was a base64 encoded string, so I decoded it.

root@kali:~/BSidesCTF# echo -ne 'NTQ6MzM6Njg6NjY6MzQ6NmM6NmM6NTM6MzM6NmQ6MzM6NzM6NzQ6MzM6NzI=' | base64 -D
54:33:68:66:34:6c:6c:53:33:6d:33:73:74:33:72

The resulting string looked like ASCII encoded hex, so I used Python to clean it up and decode it.

>>> '54:33:68:66:34:6c:6c:53:33:6d:33:73:74:33:72'.replace(':', '').decode('hex')
'T3hf4llS3m3st3r'

I entered in this flag and got some more easy points.

T3hf4llS3m3st3r

Strange Data 2.1

Still on a crypto kick, I decided to move on to ‘Strange Data 2.1’.

Like the last challenge, I got a string that looked eerily like base64 encoded data.

Vm1wR2IyUXhVWGhYYmxKV1YwZG9XVmxVU205aFJsWnpWVzVPVlUxV1duaFdSekV3VkRKS1NGVnNiR0ZXVmxvelZrZDRTMVpXV25WaFJtUlRaV3haZWxacVNqUlpWbHAwVkd0V1YySkhVbkJWYlhSM1VsWmFjVk50Y0ZCV2EwcFRWVVpSZDFCUlBUMD0=

After a few iterations, this looked like a string that the challenge creator reversed and then base64 encoded seven times.

root@kali:~/BSidesCTF# echo -ne 'Vm1wR2IyUXhVWGhYYmxKV1YwZG9XVmxVU205aFJsWnpWVzVPVlUxV1duaFdSekV3VZrZDRTMVpXV25WaFJtUlRaV3haZWxacVNqUlpWbHAwVkd0V1YySkhVbkJWYlhSM1VsWmFjVk50Y0ZCV2EwcFRWVVpSZDFCUlBUMD0=' | base64 -D | base64 -D | base64 -D | base64 -D | base64 -D | base64 -D | base64 -D | rev
Y0UrBas364Rb3l0NgT0us

I grabbed my flag and moved on to the next challenge.

Y0UrBas364Rb3l0NgT0us

BSides RDU EverSec CTF – Turtles

If you couldn’t figure out the pattern yet, the next challenge I solved was the ‘Turtles’ crypto challenge.

Vm0xd1IxbFdaSEpPVm1oVVltdHdUMVpzV21GVk1XeHpZVVpPV0dKR1NsWlZWbEpEWVRBeFYxTnViRnBXVmxsM1ZrZDRSMVpWTVVWaGVqQTk=

Based on years of trolling, the title, and some decoding, I figured out that this solution was just seven iterations of bas

root@kali:~/BSidesCTF# echo -ne 'Vm0xd1IxbFdaSEpPVm1oVVltdHdUMVpzV21GVk1XeHpZVVpPV0dKR1NsWlZWbEpEWVRBeFZrZDRSMVpWTVVWaGVqQTk=' | base64 -D | base64 -D | base64 -D | base64 -D | base64 -D | base64 -D | base64 -D
a_g00d_st4rt

If you didn’t get the reference, then I recommend you check out this Wikipedia article.

GPP

The next challenge I worked on was GPP, but I didn’t take any notes about the challenge description. That said, it was something along the lines of, “Are you down with GPP?”.

Based on the hint, I figured I could use gpp-decrypt to get the flag.

root@kali:~/BSidesCTF# gpp-decrypt Ol8DpxxEqiZ7qsK2CtYH4UM6id5mEVcZf/U2BU2jL9k=
/usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated
ud0WNW1THGPP?

BSides RDU EverSec CTF – ASCII Art

The next crypto challenge that I worked on was Steve’s ASCII art.

.__.__ __ .__ __ .__.__ .__ __ _____ ______ ____ |__|__| _____ ________/ |_ |__| ______ _______/ |_|__| | | | _____ ________/ |_ \__ \ / ___// ___\| | | \__ \\_ __ \ __\ | |/ ___/ / ___/\ __\ | | | | \__ \\_ __ \ __\ / __ \_\___ \\ \___| | | / __ \| | \/| | | |\___ \ \___ \ | | | | |_| |__ / __ \| | \/| | (____ /____ >\___ >__|__|____(____ /__| |__|____|__/____ >____/____ > |__| |__|____/____/____(____ /__| |__| \/ \/ \/ /_____/ \/ /_____/ \/_____/ \/ /_____/ \/

This at once looked like ASCIi art to me, so I just opened it in a browser and started adjusting the width manually.

Note that I had some issues when I tried a text editor, but (Chrome) worked just fine!

ascii_art_is_still_art

255

The last crypto challenge that I looked at was ‘255’.

YkpKQQVPSkcJBVFNQAVDSURCBUxWBRJNFmhqaktMEEFKcks=

It took me a little while, but based on the hint/base64 output, I realized that this was XOR encrypted.

When I ran it through CyberChef, I was able to get the flag.

Key = 25: Good job, the flag is 7h3MOOni5doWn

CCC2

The final challenge I solved (at least for this post…) was CCC2.

rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAQm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9uczQuY29tcGFyYXRvcnMuVHJhbnNmb3JtaW5nQ29tcGFyYXRvci/5hPArsQjMAgACTAAJZGVjb3JhdGVkcQB+AAFMAAt0cmFuc2Zvcm1lcnQALUxvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnM0L1RyYW5zZm9ybWVyO3hwc3IAQG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9uczQuY29tcGFyYXRvcnMuQ29tcGFyYWJsZUNvbXBhcmF0b3L79JkluG6xNwIAAHhwc3IAO29yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9uczQuZnVuY3RvcnMuSW52b2tlclRyYW5zZm9ybWVyh+j/a3t8zjgCAANbAAVpQXJnc3QAE1tMamF2YS9sYW5nL09iamVjdDtMAAtpTWV0aG9kTmFtZXQAEkxqYXZhL2xhbmcvU3RyaW5nO1sAC2lQYXJhbVR5cGVzdAASW0xqYXZhL2xhbmcvQ2xhc3M7eHB1cgATW0xqYXZhLmxhbmcuT2JqZWN0O5DOWJ8QcylsAgAAeHAAAAAAdAAObmV3VHJhbnNmb3JtZXJ1cgASW0xqYXZhLmxhbmcuQ2xhc3M7qxbXrsvNWpkCAAB4cAAAAAB3BAAAAANzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3EAfgALTAAFX25hbWVxAH4ACkwAEV9vdXRwdXRQcm9wZXJ0aWVzdAAWTGphdmEvdXRpbC9Qcm9wZXJ0aWVzO3hwAAAAAP////91cgADW1tCS/0ZFWdn2zcCAAB4cAAAAAJ1cgACW0Ks8xf4BghU4AIAAHhwAAAGq8r+ur4AAAAxADoKAAMAIgcAOAcAJQcAJgEAEHNlcmlhbFZlcnNpb25VSUQBAAFKAQANQ29uc3RhbnRWYWx1ZQWtIJPzkd3vPgEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQATU3R1YlRyYW5zbGV0UGF5bG9hZAEADElubmVyQ2xhc3NlcwEANUx5c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJFN0dWJUcmFuc2xldFBheWxvYWQ7AQAJdHJhbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIZG9jdW1lbnQBAC1MY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTsBAAhoYW5kbGVycwEAQltMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEACkV4Y2VwdGlvbnMHACcBAKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIaXRlcmF0b3IBADVMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yOwEAB2hhbmRsZXIBAEFMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEAClNvdXJjZUZpbGUBAAxHYWRnZXRzLmphdmEMAAoACwcAKAEAM3lzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZAEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBABRqYXZhL2lvL1NlcmlhbGl6YWJsZQEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAH3lzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMBAAg8Y2xpbml0PgEAEWphdmEvbGFuZy9SdW50aW1lBwAqAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwwALAAtCgArAC4BABBqYXZhL2xhbmcvU3RyaW5nBwAwAQAQZWNobyB5czBzM3JpNDBVcwgAMgEABGV4ZWMBACgoW0xqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7DAA0ADUKACsANgEAHnlzb3NlcmlhbC9Qd25lcjQzMDg5NTQ4NzU4ODQ2NQEAIEx5c29zZXJpYWwvUHduZXI0MzA4OTU0ODc1ODg0NjU7ACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAAEAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAHQAOAAAADAABAAAABQAPADkAAAABABMAFAACAAwAAAA/AAAAAwAAAAGxAAAAAgANAAAABgABAAAAIAAOAAAAIAADAAAAAQAPADkAAAAAAAEAFQAWAAEAAAABABcAGAACABkAAAAEAAEAGgABABMAGwACAAwAAABJAAAABAAAAAGxAAAAAgANAAAABgABAAAAIwAOAAAAKgAEAAAAAQAPADkAAAAAAAEAFQAWAAEAAAABABwAHQACAAAAAQAeAB8AAwAZAAAABAABABoACAApAAsAAQAMAAAAIgAGAAIAAAAWpwADAUy4AC8EvQAxWQMSM1O2ADdXsQAAAAAAAgAgAAAAAgAhABEAAAAKAAEAAgAjABAACXVxAH4AGAAAAdTK/rq+AAAAMQAbCgADABUHABcHABgHABkBABBzZXJpYWxWZXJzaW9uVUlEAQABSgEADUNvbnN0YW50VmFsdWUFceZp7jxtRxgBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAA0ZvbwEADElubmVyQ2xhc3NlcwEAJUx5c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJEZvbzsBAApTb3VyY2VGaWxlAQAMR2FkZ2V0cy5qYXZhDAAKAAsHABoBACN5c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJEZvbwEAEGphdmEvbGFuZy9PYmplY3QBABRqYXZhL2lvL1NlcmlhbGl6YWJsZQEAH3lzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAEAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAnAA4AAAAMAAEAAAAFAA8AEgAAAAIAEwAAAAIAFAARAAAACgABAAIAFgAQAAlwdAAEUHducnB3AQB4c3IAEWphdmEubGFuZy5JbnRlZ2VyEuKgpPeBhzgCAAFJAAV2YWx1ZXhyABBqYXZhLmxhbmcuTnVtYmVyhqyVHQuU4IsCAAB4cAAAAAF4

While this was a massive base64 encoded string, I recognized it immediately as a serialized Java payload. This payload starts with rO0 (0xAC 0xED), which is a dead giveaway. For more information, you can check out this blog post.

When I ran this through a base64 decoder, I was able to find my flag towards the bottom. It was a ysoserial payload containing a Java string that was being echoed out, so that wasn’t too difficult.

ys0s3ri40Us

BSides RDU EverSec CTF – Conclusion

This was another great CTF, and we had a ton of participants.

Let me know if you had any questions on these solutions, or one that I did not post about.

I have one or two more write-ups related to this CTF, so stay tuned for those as well!