Summary

This is my writeup of CyberWorrior CTF. This is an ongoing CTF with various challenges for Reversing, Forensics, Binary Exploitation, OSINT, General, etc. As you complete challenges, you’re rewarded points and challenges get harder and harder as you take on more.

Below is the link to the challenge.

I will be providing all the challenge categories provided in their own sections within the writeup. With that explained, let’s get started.

This writeup will be something that I do over time. Not going to go through all the challenges and post one massive writeup. This is going to grow as I work through the problems. There won’t be a specific order to this writeup. I will post within the categories as the challenges for them are completed.

Challenges

Forensics

capture_Brazil - Capture the password - 50 pts

Hey there! I captured a traffic package in an unsecured network, and it may have sensitive information. Analyze this capture and find the correct flag.

Flag Format: cwa.ctf()

Download file for this challenge: capture_c78615cd8fe3ac8436e398f3105694a1.pcapng

To finish this challenge, I opened the file in Wireshark and filtered out ’telnet’. This showed all the packets that are associated with telnet. This provided a list of packets that consisted of Telnet traffic.

Decided to follow the TCP Stream of the first packet in that list and below is the output from that. I will provide a better explanation with some code. I’ve always wanted to play with the Scapy Python library. So, I’ll work on that later and add the script to this.

..... .....'.....................

User Access Verification

Password: ....P...... ........'.......XTERM....$..$ac..........
% Password:  timeout expired!
Password: academy123

Router>eennaabbllee

Password: academy123

Router#

Below is the flag for this challenge:

  • cwa.ctf(academy123)

Korea (Domocratic People’s Republic of)

OSINT

capture_Paraguay - What is Margaret Default password ? - 50 pts

You have been assigned to review the HR Manager’s access points at his home. He is currently using a ubiquity branded device. The first thing you should do is to test access with the default user and password. Try to find out.

Flag Format : cwa.ctf(user/pwd)

I found this flag using Google. Yup, Google. Just type the following in Google Search.

  • Ubiquity default username and password

This provided the following credentials as the default username and password.

  • Username: ubnt
  • Password: ubnt

Entered the flag the same as below successfully.

  • cwa.ctf(ubnt/ubnt)

General

capture_Uruguay - Hexidecimal - 50 pts

What is the number 255 in hexadecimal?

Flag Format: cwa.ctf(uppercase)

Utilized the Python hex() function to complete this challenge.

>>> hex(255)
'0xff'

Challenge flag is below:

  • cwa.ctf(FF)

CRYPTO

capture_Chile - What is that? - 50 pts

Your friend sent you a message saying: I came across this secret code, lets decode this to know what the secret encoded in this string is!! (The answer is without space, is like: HelloWorld)

MyAyNSAyIDUgMTggMjMgMSAxOCAxOCA5IDE1IDE4IDEgMyAxIDQgNSAxMyAyNSA= 

Flag Format: cwa.ctf( )

Little crypto magic here. Well, cipher magic. But still. Should be simple to script out. Though, it’s a rather un-elegant script. It gets the job done. In a perfect world, I’d make it prettier. But I’m here to solve a problem.

This script below will convert the base64 string to ASCII. It will then take the numbers after converting them to numbers because the numbers are really strings. It will find the numbers position in the alphabet, put them in a list, and output what the flag is.

"""
title: capture_Chile - What is that
author: Timothy Loftus (n3s0)
description: Your friend sent you a message saying: I came across this 
            secret code, lets decode this to know what the secret encoded 
            in this string is!!   (The answer is without space, is like: 
            HelloWorld). Cipher text will be in the variable.
file: chile.py
"""

import base64
from string import ascii_lowercase

# Variables
cipherText = "MyAyNSAyIDUgMTggMjMgMSAxOCAxOCA5IDE1IDE4IDEgMyAxIDQgNSAxMyAyNSA="

def captureChileSolution(cipher):
    """Solution for capture_Chile."""

    print("Decoding cipher text.")
    print("Beginning stage one of decoding.")

    # Decode Base64
    stageOne = base64.standard_b64decode(cipher)

    print("Stage one of decoding complete: {}".format(str(stageOne, 'UTF-8')))
    print("Beginning stage two of decoding.")
    print("Converting stage one to UTF-8.")

    stageOne = str(stageOne, 'UTF-8')

    print("Putting output from stage one into a list.")

    stageOne = list(stageOne.split(" "))

    if '' in stageOne:
        stageOne.remove('')

    print("This is the list: {}".format(stageOne))
    print("Converting items in list into integers.")

    for number in range(0, len(stageOne)):
        stageOne[number] = int(stageOne[number])

    print("Here is the new list: {}".format(stageOne))

    stageTwo = []

    for number in stageOne:
        stageTwo.append(ascii_lowercase[(number-1)])

    stageTwo = ''.join(stageTwo)

    print("The flag is: cwa.ctf({})".format(stageTwo))

captureChileSolution(cipherText)

Below is the output from the script. The output explains itself.

n3s0:CyberWarriorCTF/ $ python chile.py                                                                    [2:38:16]
Decoding cipher text.
Beginning stage one of decoding.
Stage one of decoding complete: 3 25 2 5 18 23 1 18 18 9 15 18 1 3 1 4 5 13 25 
Beginning stage two of decoding.
Converting stage one to UTF-8.
Putting output from stage one into a list.
This is the list: ['3', '25', '2', '5', '18', '23', '1', '18', '18', '9', '15', '18', '1', '3', '1', '4', '5', '13', '25']
Converting items in list into integers.
Here is the new list: [3, 25, 2, 5, 18, 23, 1, 18, 18, 9, 15, 18, 1, 3, 1, 4, 5, 13, 25]
The flag is: cwa.ctf(cyberwarrioracademy)

The flag for this challenge is: cwa.ctf(cyberwarrioracademy).