Solving a CTF challenge

atan — Fri, 29 Mar 2019 05:00:46 +0000

In my quest to promote CTFs within the dev.to community, here's a writeup that demonstrates what solving a challenge may look like.

The Task

This challenge was published by user RedK on the CTFLearn platform. (Link here login required) The details are as follows!

F1l3 M1X3R

I think my amazing photo was hit by a mixer and now it is not working. Help me fix it? https://mega.nz/#!Ds0mWaCJ!4uKfJeJwhupG7Tvx8ReTBP1reFgdzRLE3YrN0l-5Jrg hint: visit: https://en.wikipedia.org/wiki/List_of_file_signatures Programming might be useful in this challenge.

Feel free to download and attempt this challenge out before reading how I solved it :)

First steps

After downloading the file fl4g.jpeg, the first thing I did was try to open it.

Obviously that didn't work out. The hint in the challenge description lead me to assume that the image's file signature must have been tampered with. Let's take a look at the first few bytes of fl4g.jpeg and compare it to the expected file signature for .jpeg files.

Here's the expected file signature.



FF D8 FF E0 00 10 4A 46 49 46 00 01

I use the xxd command and fl4g.jpeg as an argument to get a hex dump of the first 12 bytes.



$ xxd -l 12 fl4g.jpeg
00000000: e0ff d8ff 464a 1000 0100 4649  ....FJ....FI

At first glance, I saw that the hex values were present, but just in the wrong order.
Using a hex editor (I used 0xed), I deleted the first twelve bytes and replaced it with the correct signature.



$ xxd -l 12 modified_fl4g.jpeg                                                                                                                            
00000000: ffd8 ffe0 0010 4a46 4946 0001            ......JFIF..

Thinking I was done, I opened the file again expecting to be rewarded only to find that the file still wouldn't open....😞

Brainstorming

Fixing the signature didn't work, BUT because the values were all present only scrambled, I decided to take a look at the original file again and noticed a pattern. Every four bytes was reversed in order! FF D8 FF E0 had been reversed to read E0 FF D8 FF and so on for every four bytes of the signature. Fixing just the signature wouldn't get anywhere because it's possible this reversing had happened to the entire file! I wrote a short script to reverse every four bytes of the image in order to test my hypothesis.

The script!



with open("fl4g.jpeg", "rb") as file:
    BUF = 4    
    bytes_rev = b""
    bytes_read  = bytearray(file.read(BUF))

    while bytes_read:
        bytes_rev += bytes_read[::-1]
        bytes_read = file.read(BUF)
    with open("modified_fl4g.jpeg", "wb") as newfile:
        newfile.write(bytes_rev)

To break this down:



with open("fl4g.jpeg", "rb") as file:

Here we open fl4g.jpeg with the rb mode to indicate that we are reading a file in binary mode.



BUF = 4
bytes_rev = b""
bytes_read = bytearray(file.read(BUF))

BUF is set to 4 to indicate that the buffer for each time we read from the file will be four bytes. bytes_rev is set to an empty bytestring so we have a place to store the reversed bytes. The file is then read from and stored as a bytearray into bytes_read.



while bytes_read:
        bytes_rev += bytes_read[::-1]
        bytes_read = file.read(BUF)

Next up we loop as long as bytes_read is True. bytes_rev is appended the reversed bytearray of 4 bytes using slice notation. bytes_read then reads the next set of four bytes from file



    with open("modified_fl4g.jpeg", "wb") as newfile:
        newfile.write(bytes_rev)

Finally, we open a new file and write our bytes to it

Outcome?

Running the script produced a modified_flag.jpeg file with every four bytes reversed.

I opened the file and....

The flag is revealed! I took the liberty to censor out the flag text so that you can try it yourself if you'd like!

What is CTF and how to get started!

atan — Thu, 28 Mar 2019 03:11:17 +0000

CTFs are one of my favorite hobbies. I love the feeling of solving a particularly difficult task and seeing all the puzzle pieces click together. I'd like this post to serve as an introduction to CTF for those in the dev.to community that may not know what it is.

So what is CTF?

CTF (Capture The Flag) is a kind of information security competition that challenges contestants to solve a variety of tasks ranging from a scavenger hunt on wikipedia to basic programming exercises, to hacking your way into a server to steal data. In these challenges, the contestant is usually asked to find a specific piece of text that may be hidden on the server or behind a webpage. This goal is called the flag, hence the name!

Like many competitions, the skill level for CTFs varies between the events. Some are targeted towards professionals with experience operating on cyber security teams. These typically offer a large cash reward and can be held at a specific physical location. Other events target the high school and college student range, sometimes offering monetary support for education to those that place highly in the competition!

CTFtime details the different types of CTF. To summarize, Jeopardy style CTFs provide a list of challenges and award points to individuals or teams that complete the challenges, groups with the most points wins. Attack/Defense style CTFs focus on either attacking an opponent's servers or defending one's own. These CTFs are typically aimed at those with more experience and are conducted at a specific physical location.

CTFs can be played as an individual or in teams so feel free to get your friends onboard!

I'd like to stress that CTFs are available to everyone. Many challenges do not require programming knowledge and are simply a matter of problem solving and creative thinking.

Challenge types

Jeopardy style CTFs challenges are typically divided into categories. I'll try to briefly cover the common ones.

Cryptography - Typically involves decrypting or encrypting a piece of data
Steganography - Tasked with finding information hidden in files or images
Binary - Reverse engineering or exploiting a binary file
Web - Exploiting web pages to find the flag
Pwn - Exploiting a server to find the flag

Where do I start?

If I managed to pique your curiosity, I've compiled a list of resources that helped me get started learning. CTF veterans, feel free to add your own resources in the comments below!

Learning

http://ctfs.github.io/resources/ - Introduction to common CTF techniques such as cryptography, steganography, web exploits (Incomplete)
https://trailofbits.github.io/ctf/forensics/ - Tips and tricks relating to typical CTF challenges/scenarios
https://ctftime.org/writeups - Explanations of solutions to past CTF challenges

Resources

https://ctftime.org - CTF event tracker
https://github.com/apsdehal/awesome-ctf - Comprehensive list of tools and further reading

Tools (That I use often)

binwalk - Analyze and extract files
burp suite - Feature packed web penetration testing framework
stegsolve - Pass various filters over images to look for hidden text
GDB - Binary debugger
The command line :)

Practice

Many of the "official" CTFs hosted by universities and companies are time-limited competitions. There are many CTFs however that are online 24/7 that can be used as practice and learning tools. Here are some that I found to be friendly for beginners.

https://ctflearn.com - A collection of various user-submitted challenges aimed towards newcomers
https://overthewire.org/wargames/ - A series of progressively more difficult pwn-style challenges. (Start with the bandit series)
https://2018game.picoctf.com/ - Yearly time-limited CTF now available to use as practice

Conclusion

CTF is a great hobby for those interested in problem-solving and/or cyber security. The community is always welcoming and it can be a lot of fun tackling challenges with friends. This is my first post, if I was able to spark interest with even a single person, I'd consider it a success 😊. Thank you for reading!

DEV Community: atan