In between of my study for CCNA module #1 I could found a couple of hours, in the last sunday (April 12th 2020), to took part in the first CTF hosted by Hexion Team.
The balance was quite positive, with 4 solves: 3 of them was the easiest that worth a fixed values (50 and 100 points) and the other one, a pcap file. I ended up in 77th position with 1089 points amongst 429 teams.
About - Misc (50 pts)
Description:
Please read the rules 😃
This challenge had 1013 solves and was the entry point in the game. In the rules page we could found all the information about the CTF. At the end we found the ctf flag format and our flag.
hexCTF{mu5t_b3_7he_eas1est_fl4g_y0u_g0t}
Well Known - Web (100pts)
Well… it’s known (:
https://wk.hexionteam.com
Author: Yarin
This challenge had 277 solves and was easy, you only had to know where to search. My approach it’s always the same, with a quick lookup in the page source code, next in the .htaccess and robots.txt (if exists). After that we’ll see…
It was an empty page with a H1 stating "404 Not Found". So I jumped for the .htaccess and I got another "404 Not Found". Next I checked for the existence of robots.txt and I had success.
1 | Sitemap: sitemap.xml |
2 | Allow: * |
This page points me to another one, so I went to the sitemap.xml.
1 | |
2 | <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"> |
3 | <url> |
4 | <loc>https://wk.hexionteam.com/404.html</loc> |
5 | </url> |
6 | <url> |
7 | <loc>https://wk.hexionteam.com/robots.txt</loc> |
8 | </url> |
9 | <url> |
10 | <loc>https://wk.hexionteam.com/.well-known/security.txt</loc> |
11 | </url> |
12 | </urlset> |
Here we get 3 links and we already checked two. So, let’s check the .well-known/security.txt.
1 | Flag: hexCTF{th4nk_y0u_liv3_0v3rfl0w} |
And we have our flag! 🎉
hexCTF{th4nk_y0u_liv3_0v3rfl0w}
Mirage - Misc (100pts)
“Your eyes can deceive you; don’t trust them.”
– Obi-Wan Kenobi
https://mirage.hexionteam.com
Author: Idan
The site has a simple textbox and a strange statement similar to the flag format.
I typed some characters into this textbox and those ones didn’t match those I had typed in. As I said before this seems to be similar to the flag format, so I tried type the beginning of the flag hexCTF{ and I got this.
I matches! It’s the flag! Now I have to decrypt it.
The first thing I had done was view the source code of the page.
1 | <html> |
2 | <head> |
3 | <title></title> |
4 | </head> |
5 | <style> |
6 | .centered { |
7 | position: fixed; |
8 | top: 50%; |
9 | left: 50%; |
10 | transform: translate(-50%, -50%); |
11 | } |
12 | |
13 | @font-face { |
14 | font-family: hexFont; |
15 | src: url("assets/hexfont.ttf"); |
16 | } |
17 | |
18 | input { |
19 | font-family: hexFont; |
20 | font-size: 40px; |
21 | font: url |
22 | } |
23 | </style> |
24 | <body> |
25 | <div class="centered" style="text-align: center;"> |
26 | <img src="assets/flag.png" width=845 height=51/> |
27 | <br> |
28 | <input></input> |
29 | </div> |
30 | </body> |
31 | </html> |
Interesting! The source code has the font file (hexfont.ttf) used for this encryption. In this case my approach was download the font file and match the characters from the flag to the font.
hexCTF{Don7_judge_a_B0Ok_by_1ts_c0v3r}
T&J - Misc (894pts)
Can you help Tom catch Jerry?
Author: Idan
This challenge was my personal goal in this CTF, mainly because it’s a .pcap challenge - my prefered.
When I saw this usb .pcap only with URB_INTERRUPT in frames I reminded my last usb capture from a previous CTF challenge: a capture from an usb flash drive and a keyboard. But this one don’t seems had the same standard in the Leftover Capture Data…
Ok, if it wasn’t from a keyboard probably was from a mouse. Yeah the name of the challenge is T&J - Tom & Jerry (the cat and mouse). So I started learn how the Leftover Capture Data was decrypted and after some Googling I’ve found the USB specification.
There under the mouse specification I’ve found the way how mouse sends data (page 71): the 1st byte defines which button it’s pressed, the 2nd represents the X axis and the 3rd byte the Y axis.
So I exported it into a text file using tshark:
$ tshark -r jerry.pcapng -Y "(usb.transfer_type == 0x01) && (usb.src == \"1.2.1\") && !(usb.capdata == 00:00:00:00:00:00:00:00)" -T fields -e usb.capdata > data.txt
I get all the Leftover Capture Data into data.txt file.
1 | $ cat data.txt |
2 | |
3 | 0100000000000000 |
4 | 0100010000000100 |
5 | 0100010000000100 |
6 | 0100010000000100 |
7 | ... |
8 | 00ff0000ffff0000 |
9 | 00ff0000ffff0000 |
10 | 00ff0000ffff0000 |
11 | 0100000000000000 |
Now I had to parse it and plot all the X-Y pairs into a “screen”. I reuse a python script inspired in one writeup in disconnect3d’s blog when he uses the PIL python’s library to plot all de coordinates into a png image.
1 | #!/usr/bin/env python |
2 | |
3 | from PIL import Image |
4 | import ctypes |
5 | |
6 | width = 4048 |
7 | height = 4048 |
8 | img = Image.new("RGB", (width, height)) |
9 | |
10 | red = (0, 0, 0) # Skipping Right Mouse Btn, its not needed at all |
11 | green = (0, 255, 0) |
12 | blue = (0, 0, 255) |
13 | default = (0, 0, 0) |
14 | |
15 | colormap = { |
16 | 0: red, |
17 | 1: green, |
18 | 2: blue |
19 | } |
20 | x = width/2 |
21 | y = height/2 |
22 | |
23 | with open('data.txt') as f: |
24 | for line in f: |
25 | b0 = int(line[0:2],16) |
26 | b1 = int(line[2:4],16) |
27 | b2 = int(line[4:6],16) |
28 | |
29 | # byte0: 0==LBM, 1=RBM, 2=MBM |
30 | color = colormap.get(b0, default) |
31 | |
32 | # byte1: X displacement |
33 | x_dis = ctypes.c_int8(b1).value |
34 | |
35 | # byte2: Y displacement |
36 | y_dis = ctypes.c_int8(b2).value |
37 | |
38 | x = x + x_dis |
39 | y = y + y_dis |
40 | |
41 | #print "line = ", line, "bytes =", bytes, x, y |
42 | |
43 | img.putpixel((x, y), color) |
44 | |
45 | img.save("image.png") |
And here is the image and our flag!
hexCTF{y3t_an0th3r_pc4p_ch4ll3nge}