Let's be transparent about this. (Derpcon CTF Challenge 2)

The second challenge I made for the https://derpcon.io CTF (read about the first challenge here) was a medium difficulty challenge starting at https://derp.randori.com. The idea was to utilize some modern reconnaissance techniques and hide in plain sight, similar to system configurations I have seen in the past.

As before let’s take a look at the source and see if there are any hints. Right click -> View Page Source

View Source

Looking at the HTML we see comments that lead me to believe there is some other environment at play. The comment tells me a developer has made sure something has to be removed before being released to prod. This makes me think there must be some sort of staging or development environment.

Comments are our friends

Certificate Transparency Logs

Certificate Transparency Logs were created to help domain owners, CAs, and domain users aware of what certificates were being issued to help them discover erroneous or maliciously issued certificates. We can utilize these logs to see what host names have been, or are in use for particular domains.

There are many places these logs are stored, for this example we will use https://crt.sh

A query on crt.sh for %.randori.com will reveal the last certificate they registered was for https://derp-dev.randori.com and https://derp.randori.com. This fits with our guess that there must be a dev site somewhere. 

crt.sh

Sadly that hostname does not resolve.

No Resolution

TLS Certificate

Another place we can look for information about a website is the TLS certificate. Certificates can often divulge information about systems.

Cert Info

Yummy Details

For my command line junkies where is a ugly one-liner

OpenSSL FTW

Seeing the DNS name in the certificate gives us a hint that this site might be doing double duty. 

Often with virtual hosts, servers will respond differently depending on what host is set in the HTTP request.  Let’s give it a try and see if anything changes.

Nope

Now let’s try with the host header set...

Our Flag

That does it. Hopefully the challenge was fun and folks got to learn something about TLS, Certificate logs,  virtual hosts.

Thanks again to the hosts of derpcon.io for a wonderful virtual conference.

Derpcon CTF challenge 1

I had the opportunity to make a couple challenges for the https://derpcon.io/ CTF. I had fun making the challenges, so I figured I would drop some quick notes here about how I would have gone about solving them.

A big thank you to all the DERP organizers for a great virtual conference in this interesting time.

Challenge 1 was a beginner challenge that started at https://www.randori.com/

While this challenge is relatively simple, it does demonstrate a common workflow and introduces some useful utilities.

First things first I like to figure out what I am working with. Let's take a look at the source code for the page. Right click -> View Page Source

https://www.randori.com

Something I see regularly in source code is comments that point me to something interesting about an app. Here we find a hint about the image.

HTML Source Code

To the terminal we go! Grab the image and take a look. Here we use wget to download the file.

Download the file

With the file in hand we can use the file utility to discover what type of file this is. (file file file)

Using the file command

Nothing super unusual there. The file we downloaded has an extension .png and appears to be a PNG file. We should check to see if there are any interesting strings in the file for this we use the ... you guessed it strings command. I like to start with -8 which will only show strings that are 8 characters or longer.

Using the strings command

That last string looks like base64 ... Luckily there are more commands that help us. I'm going to run strings again, grab the last line of output, then pass that output to the base64 utility.

wrapping up

And that wraps it up. For sure this is a classic beginner CTF challenge, it introduces some fundamental tools and has (hopefully) just enough hints to keep a beginner interested.

The next challenge was a bit more interesting, stay tuned for derpcon challenge 2.

PS. If you played in the CTF let me know what these challenges wound up being called.

Update 1:
Challenge was called "Something Derpy" thanks to @Zzyzzx

Update 2:
Here is the challenge image:

Hello World... again

Good new everyone! I'm reviving the blog..

 

ubuntu 256 bit color urxvt

Steps used to recompile urxvt with the 256 bit color patch.

$ apt-get source rxvt-unicode
$ sudo apt-get build-dep rxvt-unicode
$ cd rxvt-unicode*
$ patch -p1 < doc/urxvt-8.2-256color.patch 
$ dpkg-buildpackage -us -uc -rfakeroot
$ sudo dpkg -i rxvt-unicode_9.05-4_i386.deb
$ echo "rxvt-unicode hold" | sudo dpkg --set-selections

The last step makes sure apt doesn't reinstall the old package the next time you update.

urxvt meta character gotcha

I recently switched from xterms to rxvt-unicode, unfortunately the added unicode support broke some key bindings I used to navigate tabs in vim.

Originally I had:

...
map <A-1> 1gt
map <A-2> 2gt
map <A-3> 3gt
map <A-4> 4gt
map <A-5> 5gt
map <A-6> 6gt
map <A-7> 7gt
map <A-8> 8gt
map <A-9> 9gt
map <A-0> 10g
...

Allowing me to switch between tabs with alt 1-10, like firefox.

The way urxvt handles unicode, treats the alt sequence as an escape sequence.

The rxvt-unicode --meta8 option didn't help, neither did anything I found googling.

A little python foo and we have a fix.

$ python -c 'for i in xrange(1, 11): print "map \x1b%d %dgt" %((i%10), i)' >> ~/.vimrc

I now have the following in my .vimrc:

...
map ^[1 1gt
map ^[2 2gt
map ^[3 3gt
map ^[4 4gt
map ^[5 5gt
map ^[6 6gt
map ^[7 7gt
map ^[8 8gt
map ^[9 9gt
map ^[0 10gt
...

freeze.py disassemble

freeze.py is a tool used to make a standalone binary out of a python script.

freezedis.py is a tool I put together to parse the elf binary and pull the python code back out, recreating the .pyc file. For now, it does not support stripped binaries.

$ more hello.py
#!/usr/bin/env python
import sys

def main(argc, argv):
    print "hello"

if __name__ == "__main__":
    main(len(sys.argv), sys.argv)

$ /usr/share/doc/python2.5/examples/Tools/freeze/freeze.py hello.py
...
$ make
$ file hello
hello: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.8,
dynamically linked (uses shared libs), not stripped

$ freezedis.py 
Usage: freezedis.py [options] filename
 -o filename.pyc (defaults to a.pyc, appends .pyc if not included)
 -d dump disassembly of newly created pyc

$ freezedis.py -d hello
  2           0 LOAD_CONST               0 (-1)
              3 LOAD_CONST               1 (None)
              6 IMPORT_NAME              0 (sys)
              9 STORE_NAME               0 (sys)

  4          12 LOAD_CONST               2 ()
             15 MAKE_FUNCTION            0
             18 STORE_NAME               1 (main)

  7          21 LOAD_NAME                2 (__name__)
             24 LOAD_CONST               3 ('__main__')
             27 COMPARE_OP               2 (==)
             30 JUMP_IF_FALSE           29 (to 62)
             33 POP_TOP             

  8          34 LOAD_NAME                1 (main)
             37 LOAD_NAME                3 (len)
             40 LOAD_NAME                0 (sys)
             43 LOAD_ATTR                4 (argv)
             46 CALL_FUNCTION            1
             49 LOAD_NAME                0 (sys)
             52 LOAD_ATTR                4 (argv)
             55 CALL_FUNCTION            2
             58 POP_TOP             
             59 JUMP_FORWARD             1 (to 63)
        >>   62 POP_TOP             
        >>   63 LOAD_CONST               1 (None)
             66 RETURN_VALUE        
Disassembly of main:
  5           0 LOAD_CONST               1 ('hello')
              3 PRINT_ITEM          
              4 PRINT_NEWLINE       
              5 LOAD_CONST               0 (None)
              8 RETURN_VALUE        

fun with masking and shifts

def chunkit(num):
    """
    retun list of 2 byte numbers
    0x12345678 = 0x78, 0x56, 0x34, 0x12
    """
    a = (num & 0xff000000) >> 24
    b = (num & 0x00ff0000) >> 16
    c = (num & 0x0000ff00) >> 8
    d = (num & 0x000000ff)
    return [d,c,b,a]