Offsec Research CTF Team: “Thinking out of the out of the box”
Following our last post here, in which OFFSEC took part in the Icelandic hacking competition Ice CTF, held from August 12 to 26 (see the team points here), the results below show how the OFFSEC Research CTF Team demonstrated the skills of Iranian security researchers and hackers.
OFFSEC took part in all 4 stages of the Ice CTF and completed challenges in stages 1 to 3.
OFFSEC team members Mohammad Morshedi, Abbas Naderi, Sajjad Pourali, B Amynazad, Ali Razmjoo, Hamid Rezaei, Mohammadreza Zamiri, and Amir Rasouli all took part in the CTF challenges.
The OFFSEC Research CTF Team members and their specialities are:
- Abbas Naderi -Cryptography-
- Behzad NajjarPour -Remote code exploits-
- Mohammad Morshedi -Remote code exploits-
- Sajjad Pourali -Web application security-
- Ali Razmjoo -Fuzzing-
- Ali Abbasi -Exploit development-
- Sina Yazdanmehr -Web application security-
- Mohammadreza Zamiri -Network security-
- Hamid Rezaei -Exploit development-
- Amir Rasouli -Miscellaneous-
Offsec says that anyone who wants to help support the Offsec Research CTF Team can send their CV to [email protected] to be considered.
The Ice CTF challenges
Time Traveler (Forensics, 45) – Abiusx
Find the flag at a URL.
Alien Message (Crypto, 40) – Abiusx
Decrypt a flag at a URL.
Exposed (Web, 60) – Sajjad
Exposed .git control repository & download of git.php & No-SQL blind injection.
RSA (Crypto, 50) – Abiusx
Once the decryption key was recovered, the decrypted value only had to be converted from hex back to a string to reveal the flag.
Over The Hill (Crypto, 65) – Abiusx
Hill cipher crypto task with a non-reversible matrix: the key could not be inverted with ordinary linear algebra, but working in modular arithmetic revealed the flag.
Dear Diary (Pwn, 60) – Ali.R.
A string overflow triggered by file input; the flag function was reached to reveal the flag.
Geocities (Web, 100) – TMT, Mizerium
Shellshock vulnerability. A Perl script connects to the DB, and the flag is extracted from a DB table.
R.I.P Transmission (Forensics, 65) – Silverfox
Extract the provided password-protected .zip files and bruteforce the password; the unzipped .JPEG file then shows the flag.
l33tcrypt (Crypto, 90) – Abiusx
A reverse padding oracle on ECB mode: the server encrypts "l33tserver please" + input + flag + PKCS7 padding with AES-ECB and returns the result. The padding size (16 bytes) was forced so that one character of the flag could be brute-forced at a time, until the entire flag had leaked.
Intercepted Conversations Pt.1 (Forensics, 110) – Silverfox
Keyboard keystrokes were captured; Wireshark PCAP analysis of the Leftover Capture Data and conversion of the codes with a Python script recovered the keystrokes. The keyboard was a Kinesis Advantage Pro with a QWERTY layout, and converting from QWERTY to Dvorak revealed the flag.
Intercepted Conversations Pt.2 (Forensics, 125) – Silverfox
Wireshark analysis of the TCP streams of IRC (Internet Relay Chat) traffic; the magic number of the supplied .pyc file showed that Python 3.5b2 had to be installed to run it. The file was decompiled and the encoding algorithm found; a script was written to reverse it, and running the decoder with the encoded flag as its argument revealed the decoded flag.
Root of All Evil (Forensics, 150) – Silverfox
Several directories in the provided zip file (only bin and home are non-empty); under the home directory there are 2 users, "glitch" and "evil". "glitch" is empty, but "evil" has a .bash_history file. Challenge left incomplete by OFFSEC.
Attack of the Hellman (Cryptography, 200) – Silverfox
The Diffie-Hellman parameters are used to generate a shared secret (B^a), which is then used as the key to encrypt the flag; we had the encrypted flag. Computing B^a gives the key, after which openssl can decrypt the flag (encrypted with AES-256-CBC). Challenge left incomplete by OFFSEC.
Full Ice CTF writeups can be read here.