I’ll skip the talk for now. Let’s get started on hacking.


Space-Time Coordinates: Misc

I downloaded the attachment and was greeted with two files: log.txt and rand2. Let’s use the file command to find out more about rand2.

root@kali:~/Downloads# file rand2
rand2: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=0208fc60863053462fb733436cef1ed23cb6c78f, not stripped

I discovered that rand2 is an ELF file. However, due to insufficient permissions, I could not execute it. Running the following command changed the permission of the file:

root@kali:~/Downloads# chmod +x rand2

I executed the file, and this was the result:

Travel coordinator
0: AC+79 3888 - 136608759925923, 230225422091756
1: Pliamas Sos - 140086179711805, 236652168836287
2: Ophiuchus - 219314612270263, 93249404240817
3: Pax Memor -ne4456 Hi Pro - 35675425504786, 13908923340591
4: Camion Gyrin - 22085948879625, 202296682262374
5: CTF -
Enter your destination's x coordinate:
>>> 1
Enter your destination's y coordinate:
>>> 3
Arrived somewhere, but not where the flag is. Sorry, try again.

I deciphered that by entering the correct combination, I would obtain the flag. However, there are too many combinations to try! Since the flag was in this executable, I used the strings command, and there was a massive output. I was looking for a flag, so I simply added that to the GREP command.

root@kali:~/Downloads# strings rand2 | grep flag
Arrived at the flag. Congrats, your flag is: CTF{welcome_to_googlectf}
Arrived somewhere, but not where the flag is. Sorry, try again.

Satellite: Networking

I downloaded the attachment, and it contained two files again: READ_ME.pdf and init_sat. I checked the PDF, and it provided with the name of the satellite.

I proceeded to check the type of file init_sat was.

root@kali:~/Downloads# file init_sat
init_sat: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, Go BuildID=YhfyV09rKV_0ewkLiNr1/6ZJO5J8awFQSRgZDzlnA/zvyuoO7Qu3ralSU_Aheb/QK0rATh0jzljJY8j2313, not stripped

ELF again! I tried executing it but did not have sufficient permissions. I fixed that quickly. Then, I ran the file. It opened to this.

root@kali:~/Downloads# ./init_sat
Hello Operator. Ready to connect to a satellite?
Enter the name of the satellite to connect to or 'exit' to quit

I quickly knew to enter the satellite name found in the picture previously: osmium. The results obtained are as below.

Enter the name of the satellite to connect to or 'exit' to quit
osmium
Establishing secure connection to osmium
satellite...
Welcome. Enter (a) to display config data, (b) to erase all data or (c) to disconnect
a
Username: brewtoot password: ******************** 166.00 IS-19 2019/05/09 00:00:00 Swath 640km Revisit capacity twice daily, anywhere Resolution panchromatic: 30cm multispectral: 1.2m Daily acquisition capacity: 220,000km² Remaining config data written to: https://docs.google.com/document/d/14eYPluD_pi3824GAFanS29tWdTcKxP_XUxx7e303-3E

I was provided with a username, an encrypted password and a Google document. I opened the document it consisted of Satellite Config Data, as shown below.

I determined that it was a base-64 encoded string by observing that the end was padded up by ‘==’. I decoded it.

root@kali:~# openssl enc -base64 -d <<< VXNlcm5hbWU6IHdpcmVzaGFyay1yb2NrcwpQYXNzd29yZDogc3RhcnQtc25pZmZpbmchCg==
Username: wireshark-rocks
Password: start-sniffing!

Then, I fired up Wireshark and started executing init_sat again. I found this while observing the packets obtained.

Next, I copied this with printable text and pasted it on a notepad to get the flag!

Work Computer: Sandbox

I connected to Netcat with the given readme.ctfcompetition.com 1337. Immediately, I realised that it was a shell.

help
Alien's shell
Type program names and arguments, and hit enter.
The following are built in:
cd
help
exit
Use the man command for information on other programs.

There were two flags available: ORME.flag and README.flag. I failed to open the files with the cat command, so I decided to enumerate the shell more. I looked through the core programs the shell had in the /bin directory.

I looked through the long list (it’s longer than the picture I have inserted), and busybox caught my attention. However, when I used it, an error ‘could not be called’ came about. Other than that, tar seemed interesting. I read up more and tried using it. It worked, and I obtained the flag!

tar c ORME.flag
tar: can’t open ‘ORME.flag’: Permission denied
tar: error exit delayed from previous errors
> tar c README.flag
README.flag0000400000247200024720000000003413641766516010432 0ustar 13381338CTF{4ll_D474_5h4ll_B3_Fr33}

Home Computer: Forensics

The attachment contained two files: family.NTFS and note.txt. The text file does not really aid in finding the flag because it only gives instructions on how we can change the NTFS file type to suit us if we are running macOS. I checked the type of file and discovered that it is most likely a disk image.

root@kali:~/Downloads# file family.ntfs
family.ntfs: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 0, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors 51199, $MFT start cluster 4, $MFTMirror start cluster 3199, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 072643f694104cb6f

I issued a command to mount the family.ntfs to view the files it contained.

root@kali: sudo mount -t ntfs family.ntfs /family

This is the content found:

root@kali:/mount# ls
bootmgr pagefile.sys 'Program Files (x86)' SSUUpdater.log Users
BOOTNXT 'Program Files' Setup.log swapfile.sys Windows

Based on the files, I determined that it is a Windows machine. First, I started enumerating the Users file. There was nothing in the folders, except for Documents and Pictures. A notable mention would be credentials.txt found in the Documents folder. It stated, “I keep pictures of my credentials in extended attributes”. I found out more information based on this.

root@kali:/mount/Users/Family/Documents# getfattr credentials.txt
# file: credentials.txt
user.FILE0

Then, I wanted to extract the ‘user.FILE0’ file. I issued another command.

root@kali:/mount/Users/Family/Documents# getfattr credentials.txt

From this, I knew that I had found the ‘pictures of the credentials’ as stated in the credentials.txt. To obtain the picture, I directed the results of this command to a file.

root@kali:/mount/Users/Family/Documents# getfattr credentials.txt > image

The image obtained shows us the flag!

 

Government Agriculture Network: Web

The link (https://govagriculture.web.ctfcompetition.com) brings us to a website where we can submit posts.

I submitted a test text, and it brought me to this page.

I checked the Network logs, and it revealed that a POST request had been sent.

From this, I deciphered that the text submitted is posted to the admin. This made me realise that I should perform an XSS attack. I entered a malicious Javascript that sends the session’s cookie to Request Inspector, which is acting as a webserver. Here are the results obtained from Request Inspector, and the flag has been found!

Google CTF has been a fun challenge, and I learnt a few new tools and commands. I look forward to learning more and participating in more CTFs.