Saturday, 14 March 2015

Infosec Institute n00bs CTF Labs LEVEL 15

URL: http://ctf.infosecinstitute.com/levelfifteen/index.php

Hint: DNS lookup
Let's see what happens with the input 127.0.0.1

It behaves like the Linux dig command: http://en.wikipedia.org/wiki/Dig_%28command%29

Check for command injection using the input 127.0.0.1;ls -al


Check for command injection using the input 127.0.0.1;cat .hey




I found this string in .hey:
 
Miux+mT6Kkcx+IhyMjTFnxT6KjAa+i6ZLibC
 
The format of this message looks like a variant of the Base64 encoding system.

Let's try decoding it with:

atom128
megan35
zong22
hazz15
base

using the online tools at http://crypo.in.ua/tools/
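The same decoding can be done offline. The Python below is an added example, not part of the original write-up: it treats the encoding as Base64 with a substituted alphabet and tries each candidate alphabet. The ATOM128 table is not given on this page (it is the table commonly published for that encoder, stated here as an assumption), and the function names are this example's own.

```python
import base64
import binascii

STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
# Assumption: ATOM-128 substitution table (64 symbols, then the pad character).
ATOM128 = "/128GhIoPQROSTeUbADfgHijKLM+n0pFWXY456xyzB7=39VaqrstJklmNuZvwcdEC"


def decode_custom_base64(text, alphabet):
    """Decode Base64 that uses a substituted 65-character alphabet."""
    if len(alphabet) != 65 or len(set(alphabet)) != 65:
        raise ValueError("alphabet must be 65 distinct characters")
    unknown = set(text) - set(alphabet)
    if unknown:
        raise ValueError("characters outside the alphabet: %r" % sorted(unknown))
    # Map every symbol onto the standard alphabet, then use the normal decoder.
    standard = text.translate(str.maketrans(alphabet, STD_B64))
    try:
        return base64.b64decode(standard, validate=True)
    except binascii.Error as exc:
        raise ValueError("not valid Base64 under this alphabet: %s" % exc) from None


def try_alphabets(text, candidates):
    """Return {name: decoded text} for candidates that yield printable ASCII."""
    results = {}
    for name, alphabet in candidates.items():
        try:
            decoded = decode_custom_base64(text, alphabet).decode("ascii")
        except ValueError:          # also covers UnicodeDecodeError
            continue
        if decoded.isprintable():
            results[name] = decoded
    return results


if __name__ == "__main__":
    hey = "Miux+mT6Kkcx+IhyMjTFnxT6KjAa+i6ZLibC"  # string from .hey above
    print(try_alphabets(hey, {"base64": STD_B64, "atom128": ATOM128}))
```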
 
 


 
 
 

Flag : infosec_flagis_rceatomized
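
Seen from the defending side, an input such as 127.0.0.1;ls -al only runs a second command when the lookup value is pasted into a shell command line. The Python below is an added example, not the challenge's code (the server side is not shown on this page): shell_view shows how a shell splits the concatenated string, and build_dig_argv, a hypothetical helper, validates the value and returns an argument list to run without a shell.

```python
import ipaddress
import re
import shlex

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(r"(?:%s\.)*%s\.?" % (_LABEL, _LABEL))


def shell_view(user_input):
    """Tokens a POSIX shell sees when input is concatenated into 'dig <input>'."""
    lexer = shlex.shlex("dig " + user_input, posix=True, punctuation_chars=True)
    return list(lexer)


def build_dig_argv(user_input):
    """Validate the lookup target and return an argv list (no shell involved)."""
    target = user_input.strip()
    try:
        ipaddress.ip_address(target)          # accepts IPv4 and IPv6 literals
    except ValueError:
        if len(target) > 253 or not _HOSTNAME.fullmatch(target):
            raise ValueError("not an IP address or hostname: %r" % user_input) from None
    # Run with subprocess.run(argv, shell=False, timeout=...) so that shell
    # metacharacters are never interpreted, even if validation is loosened later.
    return ["dig", "+short", target]


if __name__ == "__main__":
    for value in ("127.0.0.1", "example.com", "127.0.0.1;ls -al"):
        print(repr(value), "shell sees:", shell_view(value))
        try:
            print("  argv:", build_dig_argv(value))
        except ValueError as exc:
            print("  rejected:", exc)
```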


Infosec Institute n00bs CTF Labs LEVEL 14

URL: http://ctf.infosecinstitute.com/levelfourteen.php


Download the file http://ctf.infosecinstitute.com/misc/level14
It's an SQL dump file.
Analyzing the dump file reveals an interesting block:

--
-- Dumping data for table `flag?`
--

INSERT INTO `flag?` (`ID`, `user_login`, `user_pass`, `user_nicename`, 
`user_email`, `user_url`, `user_registered`, `user_activation_key`,
 `user_status`, `display_name`) VALUES
(1, 'admin', '$P$B8p.TUJAbjULMWrNXm8GsH4fb2PWfF.', 'admin', 
'christyhaigcreations@gmail.com', '', '2012-09-06 20:09:55', '', 0, 'admin');

-- --------------------------------------------------------

--
-- Table structure for table `friends`
--

CREATE TABLE IF NOT EXISTS `friends` (
  `id` int(11) DEFAULT NULL,
  `name` text,
  `address` char(90) DEFAULT NULL,
  `status` char(50) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

--
-- Dumping data for table `friends`
--

INSERT INTO `friends` (`id`, `name`, `address`, `status`) VALUES
(102, 'Sasha Grey', 'Vatican City', 'Active'),
(101, 'Andres Bonifacio', 'Tondo, Manila', 'Active'),
(103, 'lol', 'what the???', 'Inactive'),
(104, '\\u0069\\u006e\\u0066\\u006f\\u0073\\u0065\\u0063\\u005f\\u0066
\\u006c\\u0061\\u0067\\u0069\\u0073\\u005f\\u0077\\u0068\\u0061\\u0074
\\u0073\\u006f\\u0072\\u0063\\u0065\\u0072\\u0079\\u0069\\u0073\\u0074
\\u0068\\u0069\\u0073', 'annoying', '0x0a');
 
 
 
Let's decode the hex stream string

\u0069\u006e\u0066\u006f\u0073\u0065\u0063\u005f\u0066\u006c\u0061\u0067\u0069\u0073\u005f\u0077\u0068\u0061\u0074\u0073\u006f\u0072\u0063\u0065\u0072\u0079\u0069\u0073\u0074\u0068\u0069\u0073

using the online tool http://ddecode.com/hexdecoder/

The result is:
Flag: infosec_flagis_whatsorceryisthis
 

Infosec Institute n00bs CTF Labs LEVEL 13

URL: http://ctf.infosecinstitute.com/levelthirteen.php


Hint: What the heck happened here? It seems that the challenge here is gone? Can you find it? Can you check if you can find the backup file for this one? I'm sorry for messing up :(


The backup file contains:

<p>Do you want to download this mysterious file?</p>

    <a href="misc/imadecoy">
      <button class="btn">Yes</button>
    </a>

Download and analyze the file misc/imadecoy:

 
file imadecoy
imadecoy; tcpdump capture file (little-endian) - version 2.4 (Linux "cooked", capture length 65535)






It's a tcpdump capture file; open it using Wireshark:

Filter the HTTP traffic and extract all objects.


The image HoneyPY.PNG contains the flag.
Flag: Infosec_flagis_morepackets
 

Infosec Institute n00bs CTF Labs LEVEL 12

URL: http://ctf.infosecinstitute.com/leveltwelve.php
This web page looks the same as level one; let's try to find the difference between the two pages:

  
root@kali:~/infos# diff levelone.php leveltwelve.php
1d0
< <!-- infosec_flagis_welcome -->
10a10
>     <link href="css/design.css" rel="stylesheet">
41c41
<               <a href="404.php">Level 7</a>
---
>               <a href="levelseven.php">Level 7</a>
78,79c78,79
<       <p>
<               May the source be with you!
---
>          <p>
>               Dig deeper!
82c82
<   <br /><br /><br /><p style="font-size:.9em;font-weight:normal;">Bounty: $10</p>
---
>       <br /><br /><br /><p style="font-size:.9em;font-weight:normal;">Bounty: $120</p>
87d86
<

The main difference between the two pages is css/design.css

#more  css/design.css
.thisloveis{
        color: #696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72;
}

Let's convert the hex stream 696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72 to ASCII:

  python
Python 2.7.6 (default, Nov 10 2013, 19:24:18) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> "696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72".decode("hex")
'infosec_flagis_heyimnotacolor'
>>>

You can also use any online converter tool.

Flag : infosec_flagis_heyimnotacolor

Infosec Institute n00bs CTF Labs LEVEL 11

URL: http://ctf.infosecinstitute.com/leveleleven.php


View the page source:




Download php-logo-virus.jpg and check its metadata using exiftool (http://en.wikipedia.org/wiki/ExifTool):


exiftool.exe d:\Perso\CTFs\infos\php-logo-virus.jpg
ExifTool Version Number         : 9.59
File Name                       : php-logo-virus.jpg
Directory                       : d:/Perso/CTFs/infos
File Size                       : 13 kB
File Modification Date/Time     : 2015:03:12 11:59:03+00:00
File Access Date/Time           : 2015:03:12 11:59:02+00:00
File Creation Date/Time         : 2015:03:12 11:59:02+00:00
File Permissions                : rw-rw-rw-
File Type                       : JPEG
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 96
Y Resolution                    : 96
Exif Byte Order                 : Big-endian (Motorola, MM)
Document Name                   : infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9wb3dlcnNsaWRlX2xvZ29fbGFyZ2UuZ2lmáå.

Base64 decode:
aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9wb3dlcnNsaWRlX2xvZ29fbGFyZ2UuZ2lm



Flag: infosec_flagis_POWERSLIDE
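
The escaped column in level 14, the hex "color" in level 12 and the Base64 EXIF field in level 11 are the same kind of finding: a long encoded run hidden in otherwise ordinary text. The Python below is an added example, not part of the original write-up, that scans text for those three encodings and keeps whatever decodes to printable ASCII; the function names and the length thresholds are this example's own choices.

```python
import base64
import binascii
import re

UESC = re.compile(r"(?:\\{1,2}u[0-9a-fA-F]{4}\s*)+")   # \uXXXX or \\uXXXX runs
HEXRUN = re.compile(r"(?<![0-9a-fA-F])(?:[0-9a-fA-F]{2}){8,}(?![0-9a-fA-F])")
B64RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Encoded values copied from levels 14, 12 and 11 of this write-up.
SAMPLE = r"""
(104, '\\u0069\\u006e\\u0066\\u006f\\u0073\\u0065\\u0063\\u005f\\u0066
\\u006c\\u0061\\u0067\\u0069\\u0073\\u005f\\u0077\\u0068\\u0061\\u0074
\\u0073\\u006f\\u0072\\u0063\\u0065\\u0072\\u0079\\u0069\\u0073\\u0074
\\u0068\\u0069\\u0073', 'annoying', '0x0a');
color: #696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72;
Document Name : infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9wb3dlcnNsaWRlX2xvZ29fbGFyZ2UuZ2lm
"""

def _printable(data):
    """Return data as text if it is printable ASCII, else None."""
    ok = all(0x20 <= b < 0x7F for b in data)
    return data.decode("ascii") if ok else None

def find_encoded(text):
    """Return (kind, decoded) pairs for runs that decode to printable ASCII."""
    hits = []
    for match in UESC.finditer(text):
        codes = re.findall(r"u([0-9a-fA-F]{4})", match.group())
        hits.append(("unicode-escape", "".join(chr(int(c, 16)) for c in codes)))
    text = UESC.sub(" ", text)      # stop later passes re-reading these runs
    for match in HEXRUN.finditer(text):
        decoded = _printable(bytes.fromhex(match.group()))
        if decoded:
            hits.append(("hex", decoded))
    text = HEXRUN.sub(" ", text)
    for match in B64RUN.finditer(text):
        run = match.group()
        if len(run) % 4:
            continue                # Base64 text is always a multiple of 4
        try:
            decoded = _printable(base64.b64decode(run, validate=True))
        except binascii.Error:
            continue
        if decoded:
            hits.append(("base64", decoded))
    return hits

if __name__ == "__main__":
    for kind, value in find_encoded(SAMPLE):
        print(kind, "->", value)
```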

Infosec Institute n00bs CTF Labs LEVEL 10

URL: http://ctf.infosecinstitute.com/levelten.php

Download the file Flag.wav
Open the file with Audacity and change the playback speed:



Flag : infosec_flagis_sound

Infosec Institute n00bs CTF Labs LEVEL 9

URL : http://ctf.infosecinstitute.com/levelnine.php



Hint: Cisco IDS Web Login System
Google: search for the default password for Cisco IDS

Cisco IDS Appliance Version 3 and earlier: two usernames exist, called 'netrangr' and 'root'. The default password for both is 'attack'.


Try logging in as root with the password attack


Reverse the string (http://www.string-functions.com/reverse.aspx) or (echo "ssaptluafed_sigalf_cesofni" | rev)

Flag: Infosec_flagis_defaultpass