ITTS CTF 2023
WEEK-2
Welcome to my writeup from the ITTS event, where we will explore some interesting challenges in the field of cybersecurity. The challenges we will be covering include:
- OSINT: Find Me!
- Network Analysis: HIU KAWAT, Object
- Web Hacking: Not Easy, Bau Bawang
- File Structure Analysis: De(compress)
- Application Service Exploitation: DNS pt.1, DNS pt.2
These challenges are designed to test your skills and knowledge in various areas of cybersecurity, and will provide a great opportunity for you to practice and learn new techniques.
In this writeup, I will walk you through each challenge step by step, and provide guidance on how to approach each one. I will also provide tips and tricks to help you overcome any obstacles you may encounter along the way. By the end of this writeup, you will have gained valuable experience in the field of cybersecurity, and will have a better understanding of the tools and techniques used by security professionals to secure their systems and networks.
So, without further ado, let’s get started!
OSINT PART
TITLE : FIND ME
CATEGORY : OSINT
HINT : Blue Bird, Find me in the reviews
To begin the “FIND ME” OSINT challenge, we downloaded an image file called flag-osint.jpg and used exiftool to analyze the metadata. Within the metadata, we found an XP comment left by the creator, mr_anony123, that read, “Temukan saya di Twitter ya!” or “Find me on Twitter ya!” in English. From this clue, we searched for mr_anony123 on Twitter and found their profile, which contained several tweets related to the challenge.
One tweet caught our attention, as it hinted at the need to locate a mall in the Yogyakarta area. The tweet provided a further clue, which we used to identify the specific location of the mall. We then examined the user’s likes to find a picture of the HARTONO MALL and its coordinates. By determining the mall’s proximity to Tugu Pal Putih Yogyakarta, we were able to search for other malls in the area and found Pakuwon Mall nearby.
As we analyzed the Pakuwon Mall, we discovered a feedback post that contained a hint: “Temukan aku di ulasan!” or “Find me in the review!” in English. We used this hint to search for reviews of Pakuwon Mall on G-MAPS, where we found the flag, flag{0s1nT_ch4allenge_solv3d}.
Conclusion :
The “FIND ME” challenge required us to use various OSINT techniques such as metadata analysis, Twitter, and Google Maps (G-MAPS) to locate a mall in the Yogyakarta area and find the flag. Through careful analysis of the creator’s tweets and likes, we were able to narrow down the location of the mall and uncover the flag through a review on G-MAPS.
Network Analysis PART
TITLE : HIU KAWAT
CATEGORY : Network Analysis
HINT : HIU KAWAT = WireShark
TOOLS : WireShark
DESCRIPTION : “By analyzing the packet capture in the attachment, state the TCP source port used when: accessed on May 14, 2022 18:42:09.457360000 SE Asia Standard Time and the address accessed is http://180.214.246.108:8000/login”
In this challenge, we are provided with a packet capture file in the attachments. To understand the purpose of the attachment files, read the read_this file.
The first step is to download all the attachments and combine them into one file using the command “cat NM_* > watashi.7z”. Next, we need to extract the 7z file using the command “7z e watashi.7z”. Inside the extracted folder, we can find a directory called “Captures” which contains a file named “NM_2022-05-14T11-38-55.pcap”. This file is a packet capture file, which we can analyze using the network protocol analyzer tool called Wireshark.
After opening the packet capture file in Wireshark, we need to find the TCP source port that was used when accessing the URL http://180.214.246.108:8000/login on May 14, 2022 at 18:42:09.457360000 SE Asia Standard Time. To do this, we can search the capture by going to “Edit -> Find Packet” and looking for the HTTP request with the specified time and IP address. Once we have found the packet, we can expand the “Transmission Control Protocol” section of the packet and locate the “Source Port” field to get the TCP source port number.
Using this method, we can find that the TCP source port used when accessing the specified URL at the specified time was 62321. This number is the flag for this challenge and should be submitted as “flag{62321}”.
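The same lookup can be scripted instead of clicked through. The following is an added example, not part of the original writeup: it reads a classic pcap file (not pcapng) with only the Python standard library and returns the capture time and TCP source port of each HTTP request to a given address, port and path. The capture built by sample_pcap() is constructed, and its client address and source ports are made up.

```python
import socket
import struct
from datetime import datetime, timedelta, timezone

def find_http_requests(pcap, dst_ip, dst_port, path):
    """Return [(UTC time, TCP source port)] for HTTP requests to dst_ip:dst_port with this path."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    hits, off = [], 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "4I", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Keep only IPv4 (EtherType 0x0800) carrying TCP (protocol 6)
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]   # skip the IP header
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]          # skip the TCP header
        request = payload.split(b"\r\n", 1)[0].split(b" ")
        if (socket.inet_ntoa(frame[30:34]) == dst_ip and dport == dst_port
                and len(request) == 3 and request[1] == path.encode()
                and request[2].startswith(b"HTTP/")):
            when = datetime.fromtimestamp(ts_sec, timezone.utc) + timedelta(microseconds=ts_usec)
            hits.append((when, sport))
    return hits

def sample_pcap():
    """Constructed capture of two requests; client address and source ports are made up."""
    def frame(sport, payload):
        eth = b"\x00" * 12 + b"\x08\x00"
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         socket.inet_aton("192.168.1.10"), socket.inet_aton("180.214.246.108"))
        tcp = struct.pack("!HHIIBBHHH", sport, 8000, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
        return eth + ip + tcp + payload
    t0 = int(datetime(2022, 5, 14, 11, 42, 9, tzinfo=timezone.utc).timestamp())  # 18:42:09 UTC+7
    packets = [(t0 - 3, 0, frame(50111, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n")),
               (t0, 457360, frame(50222, b"GET /login HTTP/1.1\r\nHost: x\r\n\r\n"))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, f in packets:
        out += struct.pack("<4I", sec, usec, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    wib = timezone(timedelta(hours=7))  # SE Asia Standard Time
    for when, sport in find_http_requests(sample_pcap(), "180.214.246.108", 8000, "/login"):
        print(when.astimezone(wib).isoformat(), "source port", sport)
```

Timestamps in a pcap are stored as UTC, so the challenge time has to be shifted by seven hours before comparing.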
Conclusion :
This challenge required us to analyze a packet capture file using Wireshark to find the TCP source port used when accessing a specific URL at a specific time. Through this challenge, we can learn the importance of packet capture files and how they can be analyzed to extract valuable information.
Web Hacking PART
OTW
File Structure PART
TITLE : De(compress)
CATEGORY : File Structure
HINT : color flag, 14-digit password
Challenge Description:
SOLUTION :
First, we downloaded the attachment file Brute_Force.zip and tried to extract it. However, the file was password-protected, and we did not know the password. Looking at the challenge image, we noticed an image of a compressed file and a search keyword for “warna bendera perancis” (the colors of the French flag). We assumed that the 14-digit password was the colors of the French flag: “biruputihmerah” (blue, white, and red).
After successfully extracting the ZIP file with the password, we found two files inside: “Decompress me to find hint.txt” and flag.zip. However, the flag.zip file was password-protected again. We analyzed the “Decompress me to find hint.txt” file with the “file” command and found out that it was an XZ compressed data file. We renamed the file to “deco.xz” and extracted it using the “xz” command to obtain the “hint” file.
We then analyzed the “hint” file with the “file” command and found out that it was a lzip compressed data file. We renamed the file to “hint.lz” and extracted it using the “lzip” command to obtain the “hint.lzip.out” file. After analyzing the file again, we found that it was a gzip compressed data file named “wordlist.txt”. We renamed the file to “hint.wordlist.txt.gz” and extracted it using the “gunzip” command to obtain the “hint.wordlist.txt” file. After analyzing the file again, we found out that it was a bzip2 compressed data file. I renamed the file to “hint.wordlist.txt.bz2” and extracted it using the “bzip2” command to obtain the “hint.wordlist.txt.out” file, which contained a wordlist.
We then used the “zip2john” command to extract the hash of the password-protected flag.zip file and used the “john” tool with the extracted wordlist to crack the password. The password was “gunakaniniya”.
Finally, we extracted the flag.zip file with the password and obtained the “flag.txt” file, which contained the flag: flag{f1l3_typ3s_3asy}.
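The layer-by-layer identification done above with the “file” command can be automated by checking magic bytes rather than file names. The following is an added example, not part of the original writeup: it peels nested xz, gzip and bzip2 layers with a size limit on each layer and stops at formats the Python standard library cannot read, such as lzip. The sample input and the limits are constructed.

```python
import bz2
import gzip
import lzma
import zlib

# Leading magic bytes -> (format name, factory for a streaming decompressor)
FORMATS = [
    (b"\xfd7zXZ\x00", "xz", lzma.LZMADecompressor),
    (b"\x1f\x8b", "gzip", lambda: zlib.decompressobj(wbits=31)),
    (b"BZh", "bzip2", bz2.BZ2Decompressor),
    (b"LZIP", "lzip", None),       # no lzip reader in the Python standard library
    (b"PK\x03\x04", "zip", None),  # an archive, left to zip tooling
]

def identify(data):
    """Name the format from the leading bytes, ignoring the file name."""
    for magic, name, factory in FORMATS:
        if data.startswith(magic):
            return name, factory
    return None, None

def peel(data, max_layers=8, max_bytes=16 * 1024 * 1024):
    """Strip nested layers; return (layers removed, remaining bytes, pending format)."""
    removed = []
    for _ in range(max_layers):
        name, factory = identify(data)
        if name is None:
            return removed, data, None   # innermost content reached
        if factory is None:
            return removed, data, name   # needs an external tool such as lzip
        # Ask for one byte more than the limit so an oversized layer is detected
        out = factory().decompress(data, max_bytes + 1)
        if len(out) > max_bytes:
            raise ValueError(f"{name} layer expands past {max_bytes} bytes")
        removed.append(name)
        data = out
    raise ValueError("too many nested layers")

def sample_blob():
    """Constructed input: a three-word list wrapped in bzip2, then gzip, then xz."""
    return lzma.compress(gzip.compress(bz2.compress(b"alpha\nbravo\ncharlie\n")))

if __name__ == "__main__":
    print(peel(sample_blob()))
    print(peel(b"LZIP\x01\x0c" + bytes(8)))  # constructed lzip-looking header
```

The per-layer limit matters when the archive comes from an untrusted source, since a few kilobytes of bzip2 or xz data can expand to gigabytes.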
Conclusion :
In this challenge, we learned how to analyze and extract data from compressed files using various tools and techniques. We also used OSINT techniques to gather information about the password for the encrypted file.
This challenge required a good understanding of file structure and compression algorithms, as well as some knowledge of password cracking tools. By completing this challenge, we have gained valuable experience in these areas and can use these skills to tackle similar challenges in the future.
Overall, this challenge was a great opportunity to practice and enhance our cybersecurity skills, and to learn new tools and techniques along the way. We hope that this writeup has been helpful in guiding you through the challenge, and that you have gained some insights and knowledge that you can apply in your future cybersecurity endeavors.
Application Service Exploitation PART
TITLE : DNS pt. 1 and DNS pt. 2
CATEGORY : Application Service
DESCRIPTION : Get your file at ftp://01100111+10010010+10110110+11100011
REFERENCE : https://www.smkyadikabalam.sch.id/read/6/belajar-dan-mengenal-ip-address-subnetting-dan-vlsm
SOLUTION :
To begin with, I tried to understand the purpose of the binary string in the FTP address. Then, I created a simple script to convert the binary string to decimal format.
```python
import sys

binary = input("Masukkan bilangan biner: ")

# Make sure the input is a non-empty binary number
if not binary or set(binary) - set('01'):
    print("Input bukan bilangan biner.")
    sys.exit(1)

# Convert binary to decimal
decimal = int(binary, 2)

# Make sure the decimal value is within the valid IP range
if not 0 <= decimal <= 4294967295:
    print("Bilangan biner tidak valid untuk IP.")
    sys.exit(1)

# Convert the decimal value to an IP address, lowest octet first
octets = []
for i in range(4):
    octet = decimal % 256
    octets.append(str(octet))
    decimal //= 256

# Reverse the octet order to produce the correct format
octets.reverse()
ip_address = ".".join(octets)

print("Alamat IP yang sesuai adalah:", ip_address)
# Script from https://raw.githubusercontent.com/0xr4f/CTF-Repo/master/ittsctf-w2/Application-Service-Exploitation/bin2dec.py
```
After running the script, I obtained the FTP IP address as 103.146.182.227. I tried to log in to the FTP server with anonymous privileges, and then downloaded all the files. To save time, I created a simple script to download all the files at once.
```python
import os
from ftplib import FTP

ftp = FTP('103.146.182.227')  # Replace with the FTP address you want
ftp.login(user='anonymous', passwd='anonymous')  # Replace 'username' and 'password' with valid FTP login credentials
directory = '.'  # Replace '/path/to/directory' with the directory you want to download
ftp.cwd(directory)  # Change to the target directory
files = ftp.nlst()  # Get the list of files in the directory

for filename in files:
    # Write only into the current local directory, whatever path the server returns
    local_name = os.path.basename(filename)
    if local_name in ('', '.', '..'):
        continue
    with open(local_name, 'wb') as f:
        ftp.retrbinary('RETR ' + filename, f.write)

ftp.quit()
print('Semua file di dalam direktori', directory, 'telah berhasil di-download.')
# Script from https://raw.githubusercontent.com/0xr4f/CTF-Repo/master/ittsctf-w2/Application-Service-Exploitation/get.py
```
After downloading, I found two files named “DNS pt. 1” and “DNS pt. 2”. These files refer to challenges 1 and 2 respectively.
Moving on to the first challenge, I analyzed the “DNS pt. 1” file using the “cat” command.
```
┌──(kecoak@tempur)-[~/itts2/web/1]
└─$ cat DNS\ pt.\ 1
<<>> DiG 9.16.1-Ubuntu <<>> id.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39238
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;id. IN A
;; AUTHORITY SECTION:
id. 86400 IN SOA b.dns.id. hostmaster.pandi.id. 2022300151 28800 7200 604800 172800
;; Query time: 184 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Mar 09 03:04:27 UTC 2023
;; MSG SIZE rcvd: 90
Dari informasi di atas di ketahui bahwa waktu yang di perlukan server untuk merespon permintan query Anda adalah ...
```
I found a line in the file that helped me to solve the challenge, which read “Dari informasi di atas di ketahui bahwa waktu yang di perlukan server untuk merespon permintan query Anda adalah…” (“From the information above, it is known that the time the server needed to respond to your query is…”). Based on the “Query time” line in the output above, I knew that the time taken by the server to respond to the query was 184 milliseconds. So, the flag for challenge 1 is flag{184}.
For the second challenge, I analyzed the “DNS pt. 2” file with the “cat” command.
```
┌──(kecoak@tempur)-[~/itts2/web/1]
└─$ cat DNS\ pt.\ 2
dig NS id.
Hasil yang di peroleh adalah,
; <<>> DiG 9.18.1-1ubuntu1.3-Ubuntu <<>> NS id.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61486
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;id. IN NS
;; ANSWER SECTION:
id. 7139 IN NS d.dns.id.
id. 7139 IN NS c.dns.id.
id. 7139 IN NS b.dns.id.
id. 7139 IN NS ns4.apnic.net.
id. 7139 IN NS e.dns.id.
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Sat Feb 18 09:31:39 WIB 2023
;; MSG SIZE rcvd: 126
RGFyaSBpbmZvcm1hc2kgZGkgYXRhcywgYmVyYXBhIGp1bWxhaCBuYW1lIHNlcnZlciB5YW5nIG1lbWJhd2EgaW5mb3JtYXNpIGRvbWFpbiAuaWQ/
```
I found a string on the last line of the file, which read “RGFyaSBpbmZvcm1hc2kgZGkgYXRhcywgYmVyYXBhIGp1bWxhaCBuYW1lIHNlcnZlciB5YW5nIG1lbWJhd2EgaW5mb3JtYXNpIGRvbWFpbiAuaWQ/”. I assumed that this string was base64-encoded and tried to decode it, which resulted in the text “Dari informasi di atas, berapa jumlah name server yang membawa informasi domain .id?” (“From the information above, how many name servers carry information for the .id domain?”). Based on the contents of the file, I knew that there were 4 name servers that ended with the “.id” domain. So, the flag for challenge 2 is flag{4}.
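Both DNS files can be read the same way: take the “Query time” line, list the records in the answer section, and decode any trailing base64 line. The following is an added example, not part of the original writeup, that does this for an excerpt of the “DNS pt. 2” file shown above. The function names parse_dig and in_zone are hypothetical helpers written for this example.

```python
import base64
import binascii
import re

# Excerpt of the "DNS pt. 2" file shown above, whitespace as it appears on the page
DNS_PT2 = """\
;; ANSWER SECTION:
id. 7139 IN NS d.dns.id.
id. 7139 IN NS c.dns.id.
id. 7139 IN NS b.dns.id.
id. 7139 IN NS ns4.apnic.net.
id. 7139 IN NS e.dns.id.
;; Query time: 0 msec
;; MSG SIZE rcvd: 126
RGFyaSBpbmZvcm1hc2kgZGkgYXRhcywgYmVyYXBhIGp1bWxhaCBuYW1lIHNlcnZlciB5YW5nIG1lbWJhd2EgaW5mb3JtYXNpIGRvbWFpbiAuaWQ/
"""

def parse_dig(text):
    """Return answer records, query time (msec) and decoded base64 trailer lines."""
    result = {"answers": [], "query_ms": None, "decoded": []}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(";;"):
            header = re.match(r";; (\w+) SECTION:", line)
            section = header.group(1) if header else None
            timing = re.match(r";; Query time: (\d+) msec", line)
            if timing:
                result["query_ms"] = int(timing.group(1))
        elif not line or line.startswith(";"):
            continue
        elif section == "ANSWER" and len(line.split()) >= 5:
            name, ttl, _cls, rtype, rdata = line.split(None, 4)
            result["answers"].append((name, int(ttl), rtype, rdata))
        elif re.fullmatch(r"[A-Za-z0-9+/]{16,}={0,2}", line):
            try:
                result["decoded"].append(base64.b64decode(line, validate=True).decode("utf-8"))
            except (binascii.Error, UnicodeDecodeError):
                pass   # looked like base64 but is not encoded text
    return result

def in_zone(host, zone):
    """True when host is a name below zone (trailing dots and case ignored)."""
    return host.lower().rstrip(".").endswith("." + zone.lower().strip("."))

if __name__ == "__main__":
    parsed = parse_dig(DNS_PT2)
    servers = [rdata for _, _, rtype, rdata in parsed["answers"] if rtype == "NS"]
    print(len(servers), "NS records,", sum(in_zone(s, "id.") for s in servers), "below .id")
    print(parsed["query_ms"], "msec;", parsed["decoded"])
```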
Conclusion :
These challenges tested our skills in analyzing DNS queries and understanding network protocols. It also required us to use different tools and techniques to solve the challenges such as converting binary to decimal, decoding Base64, and analyzing text files.