I had the opportunity to make a couple challenges for the
https://derpcon.io/ CTF. I had fun making the challenges, so I figured I would drop some quick notes here about how I would have gone about solving them.
A big thank you to all the DERP organizers for a great virtual conference in this interesting time.
Challenge 1 was a beginner challenge that started at
https://www.randori.com/
While this challenge is relatively simple, it does demonstrate a common workflow and introduces some useful utilities.
First things first I like to figure out what I am working with. Let's take a look at the source code for the page. Right click -> View Page Source
|
https://www.randori.com |
Something I see regularly in source code is comments that point me to something interesting about an app. Here we find a hint about the image.
|
HTML Source Code |
To the terminal we go! Grab the image and take a look. Here we use
wget to download the file.
|
Download the file |
With the file in hand we can use the
file utility to discover what type of file this is. (file file file)
|
Using the file command |
Nothing super unusual there. The file we downloaded has an extension .png and appears to be a PNG file. We should check to see if there are any interesting strings in the file for this we use the ... you guessed it
strings command. I like to start with -8 which will only show strings that are 8 characters or longer.
|
Using the strings command |
That last string looks like
base64 ... Luckily there are more commands that help us. I'm going to run strings again, grab the last line of output, then pass that output to the
base64 utility.
|
wrapping up |
And that wraps it up. For sure this is a classic beginner CTF challenge, it introduces some fundamental tools and has (hopefully) just enough hints to keep a beginner interested.
The next challenge was a bit more interesting, stay tuned for derpcon challenge 2.
PS. If you played in the CTF let me know what these challenges wound up being called.
Update 1:
Challenge was called "Something Derpy" thanks to @
Zzyzzx
Update 2:
Here is the challenge image:
2 comments:
This is how I solved it with one exception, I did not know the -8 flag. I just did strings. Thanks for the information!!
The challenge was titled 'Something Derpy' and was worth 100 points. Thanks!
Post a Comment