HTH 2020 CTF: Misc: whoami (100)

This is from the Hackers Teaching Hackers HTH2020 CTF.

Full Disclosure: I did not complete this challenge in time for the CTF. I solved three of the four parts during the CTF and finally finished it the day after the CTF ended.

For this challenge, we are given a single file to download (no extension): “split” and the following text:

It’s a bird! It’s a plane! It’s…
A story in 4 parts.

We are also provided two hints:

Are we exclusive? Or…

ALL CAPS

To begin, I download the file and open it in notepad++ (as I always do for questionable files).

I initially see that this is a Linux executable (ELF), but I also see a bunch of strange text (strange for an ELF file).

There appears to be some non-printable binary (typical of ELF files), HTML, Java, and Unicode (indicative of a PDF).

I first will run the file in Kali to see what it does…

It gives me a hexadecimal string: 4854487b312d62316e7a5f725f66756e5f

I do a hex to ASCII conversion and get: HTH{1-b1nz_r_fun_

This must be part one of the flag.

Next, I copied the file and gave it a .html extension. I can read the HTML, but it would be fun to see how it presents as a webpage. I opened it in Firefox and received a pop-up alert with another string.

This time, the string is not hex: Ml9odG1sX3J1bGV6X2QwMGRf

I try the usual suspects for decoding. In this case, Base64 was the ticket.

2_html_rulez_d00d_

This must be part two of the flag. Halfway there!

Next, based on the text in the file indicative of PDF documents…

I copy the file and give it a .pdf extension and open it as such.

I see a string at the bottom of the PDF that matches the format I would expect for part three of the flag except it is URL encoded. After decoding that I get: 3_a_p0rtabl3_d0c_

One more part to go!

As I mentioned earlier, I saw some Java code in the file contents, so I ran the file with java…

That gives me a strange string: |y&x7$)a}5

After a lot of trial and error, I remembered to review the hints and determined this is most likely the output from an XOR cipher (Hint #1).

I used dcode.fr/xor-cipher to try and decode it.

The password must be all caps (Hint #2), but what is the password? I got lost in the weeds thinking that the password should be SUPERMAN because of the challenge name and text. This is where I stagnated.

After the CTF was over, I chatted with the challenge creator @mythdude and he indicated that the password is more simple than SUPERMAN.

I went back to dcode.fr/xor-cipher and tried simpler passwords that I could think of for the cipher. HTH was it.

That gave me the 4th part of the flag: 4-n0cla55}
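The decoding steps for parts one, two and four in Python, with a known-plaintext shortcut for finding the XOR key, as an added example that is not part of the original post or the challenge author's code. The `4-`/`4_` cribs and the flag character set are assumptions drawn from the shape of the earlier flag parts.

```python
import base64
from itertools import cycle, product
from string import ascii_lowercase, ascii_uppercase, digits

# Strings quoted in the writeup above.
PART1_HEX = "4854487b312d62316e7a5f725f66756e5f"
PART2_B64 = "Ml9odG1sX3J1bGV6X2QwMGRf"
PART4_XOR = b"|y&x7$)a}5"

# Assumption: characters seen in flag parts 1-3, plus the closing brace.
FLAG_CHARS = set((ascii_lowercase + digits + "_-}").encode())


def known_parts() -> tuple[str, str]:
    """Part 1 is hex, part 2 is Base64."""
    return bytes.fromhex(PART1_HEX).decode(), base64.b64decode(PART2_B64).decode()


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def caps_prefix_from_cribs(cipher: bytes, cribs: list[bytes]) -> list[bytes]:
    """Known plaintext: cipher XOR crib yields key bytes. Keep ALL-CAPS results (hint 2)."""
    prefixes = (xor_repeat(cipher[:len(c)], c) for c in cribs)
    return [p for p in prefixes if all(65 <= b <= 90 for b in p)]


def brute_force_caps(cipher: bytes, max_len: int = 3) -> list[tuple[str, str]]:
    """Try every ALL-CAPS key up to max_len; keep plaintexts shaped like a flag tail."""
    hits = []
    for n in range(1, max_len + 1):
        for letters in product(ascii_uppercase, repeat=n):
            key = "".join(letters)
            plain = xor_repeat(cipher, key.encode())
            if plain[:1] == b"4" and plain[-1:] == b"}" and set(plain) <= FLAG_CHARS:
                hits.append((key, plain.decode()))
    return hits


if __name__ == "__main__":
    print(*known_parts(), sep="\n")
    print(caps_prefix_from_cribs(PART4_XOR, [b"4-", b"4_"]))  # key starts with...
    for key, plain in brute_force_caps(PART4_XOR):
        print(key, plain)
    print(xor_repeat(PART4_XOR, b"HTH").decode())
```

More than one key can survive the character-set filter, so the brute-force output is a shortlist to read by eye rather than a single answer.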

The final full flag was:
HTH{1-b1nz_r_fun_2_html_rulez_d00d_3_a_p0rtabl3_d0c_4-n0cla55}

This challenge was amazing as it was a polyglot. It was a single file that would be executed/run in four different ways without generating any errors or junk messages. It was a Linux binary program, HTML webpage, PDF file and a Java jar file all in one. Certainly the first one I have seen.

I want to thank @mythdude for putting this challenge together. It was very creative!

HTH 2020 CTF: Cloud: OhSnap! (150)

This is from the Hackers Teaching Hackers HTH2020 CTF.

For this challenge, we are provided with this text:

I’m pretty sure that I backed up our hth instance properly. Can you take a look at the AWS EBS snapshots and check?

and this hint:

You will need an AWS account for this challenge. You can make one for free here: https://aws.amazon.com/resources/create-account/

I already had an account, so I logged into it and went to the EBS dashboard…

I then went to “snapshots” in the left navigation pane…

I then changed the search dropdown to “Public Snapshots” and did a search for “hth”…

This yielded only one result. Look at that! The description field contained the flag…

HTH 2020 CTF: Cloud: BucketList (100)

This is from the Hackers Teaching Hackers HTH2020 CTF.

This was my first cloud challenge.
We are given this challenge text:

Hey guys! I set up an AWS bucket for this year’s hth that we can use to store our flags for the ctf. I think I made the bucket private but I’m not very good at this cloud stuff. Send me a message if I need to edit the permissions.

With this as a hint (yeah I looked at it… This is my first cloud challenge)

Let’s keep a flag in hth2020-private where it should be safe!

Some quick google searching gave me some basic URL examples for AWS buckets…
http://*******.s3.amazonaws.com/
So I plugged this in and I get what I was looking for…
http://hth2020-private.s3.amazonaws.com/

So I then navigate to…
http://hth2020-private.s3.amazonaws.com/flag.txt
And I get the flag…

Notice the hint about snapshots? Check out my next writeup for that.