Monday, September 23, 2013

CSAW CTF Quals 2013 - RECON (all)

Another CSAW CTF 2013 quals write up! This time by our guest player dyjakan, who has written down the solutions discovered by himself, as well as other Dragon Sector players: mak, gynvael, hasherezade, etc (half of the team went after Teddy heh). Enyoj!

== Recon-1: Alexander Taylor ==
After initial recon, we could not find proper solution. We have spent a lot of time browsing through rather funny trolling site [] where we have landed because "Randall Flagg" (@CTF_tr0ll) is following Alexander (@fuzyll). Meanwhile, following announcement was made: "An error has been fixed in the Alexander Taylor recon challenge. Please reset your reconnaissance.". We did follow their advice and within minutes we have found out that the answer is residing in Alex's profile picture on "Judges" sub-page. Let's see:

$ pnginfo ataylor.png
  Image Width: 604 Image Length: 401
  Bitdepth (Bits/Sample): 8
  Channels (Samples/Pixel): 3
  Pixel depth (Pixel Depth): 24
  Colour Type (Photometric Interpretation): RGB
  Image filter: Single row per byte filter
  Interlacing: No interlacing
  Compression Scheme: Deflate method 8, 32k window
  Resolution: 11811, 11811 (pixels per meter)
  FillOrder: msb-to-lsb
  Byte Order: Network (Big Endian)
  Number of text strings: 3 of 9
    These aren't the chunks you're looking for. (tEXt uncompressed):
    You can go about your business. (tEXt uncompressed):
    Move along. (tEXt uncompressed):

It does look interesting. Digging further revealed XOR-ed kTxt chunk which we have beaten with our internal tool.


== Recon-2: Julian Cohen ==
Looking around got us to Julians wiki user page: and the following message:

Check out my new website:

Testing the IP ( instead of using the domain revealed the flag:

Key: 1a8024a820bdc7b31b79a2d3a9ae7c02

== Recon-3: Jordan Wiens ==
Jumping into linked site [] shows us this: "Michael Vario sure does some suspicious signs, hope he doesn't do me". Quick googling for "Michael Vario" leads us to his blog post about PGP magic. We ignore the post, instead we check Jordan's PGP key at MIT key server []. So, it looks that we are on the right track: "pub  2048R/A827D636 2013-08-08 Jordan Wiens (CSAW folks: getting warmer) <>". We have examined this key and concluded that it contains embedded image. Time for some one-liner action:

$ gpg --recv-keys 0x9fbebc5ea827d636 && gpg --list-options show-photos --fingerprint 0x9fbebc5ea827d636

Key: mvarioisnotmyhomeboy

== Recon-4: Kevin Chung ==
This recon challenge, along with teddy, was the most time-consuming for us. We have spent a lot of time googling for Kevin, alas without success. However, we were not alone in our misery -- apparently other teams also suffered with us, thus organizers have released a hint ("Hint for Kevin Chung: What places can you graduate from?"). After that we have managed to find a link to the key which was residing in "Previous Winners" section of CSAW High School Cyber Forensics Challenge [].

Key: who_in_the_world_is_kevin_chung

Bonus-1: We digg history of SITH's wiki page [].
Bonus-2: We digg this [] even more.

== Recon-5: historypeats ==
After googling for historypeats footprint, we quickly stumbled upon this github profile []. Checking out public activity of this account [] quickly reveals flag [].

Key: whatDidtheF0xSay?

== Recon-6: Brandon Edwards ==
We have started off with "Brandon Edwards" search results from Google. We knew, a priori, that his handle is drraid, hence we have added this to our query string. With such results we quickly checked out social pages where we have found out about his relation to sophsec [] (via GitHub). The key was sitting in source code of main page.

Key: a959962111ea3fed179eb044d5b80407

== Recon-7: Odin ==
Well, this one was quick. Everyone who joined #csaw IRC channel must have noticed user @snOwDIN. Lo and behold:

whois snOwDIN
19:20 -!- snOwDIN []19:20 -!-  ircname  : linkedin:chinesespies
19:20 -!-  channels : @#odin @#csaw19:20 -!-  server   : [ISIS IRC Server]
19:20 -!-       : is using a Secure Connection
19:20 -!-  idle : 0 days 0 hours 1 mins 18 secs [signon: Thu Sep 19 21:04:20 2013]19:20 -!-
End of WHOIS

Visiting chinesespies linkedin account revealed key to us.

Key: cookies_are_for_csaw

== Recon-8: Theodore Reed ==
Major PITA for everyone. We did *a lot* of googling here. This approach was doubleplusungood, instead we should have focused on things that were right in front of our eyes. Anyway, organizers felt everyone's frustration and released yet another hint: "Hint: From "" it takes three clicks (Now it takes more because of asshole CTF players)". This looked helpful. We pulled out all teh links (internal and external) from teddy's website [] and glanced through them. Finally, we have managed to score the flag which was residing 5-clicks away: -> -> -> "All comments" -> "Show".

Key: shmoonconrocksglhfwithcsaw

No comments:

Post a Comment