Google 2018 Beginners' Quest

The Beginners Quest is an adventure targeted to beginners, a gentle introduction to the CTF world.

June 23 - June 24 2018

This started off pretty easy, and ramped up pretty fast. The challenges progress somewhat linearly, with solutions unlocking progress along three interconnected paths. For this one, I had a YouTube walkthrough to get me on to the next step (and occasionally the next challenge) when I ran out of options.

Letter (Misc)

You really went dumpster diving? Amazing. After many hours, SUCCESS! Between what looks like a three week old casserole and a copy of "Relative-Time Magazine", you found this important looking letter about the victim's PC. However the credentials aren't readable - can you still obtain them?

This challenge included a PDF letter with a username and password blacked out. I copied all of the text into Word and found hidden text beneath the redaction in the page.

CTF{ICanReadDis}

OCR is Cool! (Misc)

Caesar once said, don't stab me… but taking a screenshot of an image sure feels like being stabbed. You connected to a VNC server on the Foobanizer 9000, it was view only. This screenshot is all that was present but it's gibberish. Can you recover the original text?

This challenge included a PNG of a Gmail screenshot with text that appears to be encoded using a simple cipher (Caesarian shift, if the clue is to be believed). I exported it to PDF and ran OCR at onlineocr.net then pasted it into a Caesarian shift decoder and got reasonable results with a shift of 7. There were still a few obvious replacements that needed to be made (P -> S, p -> }, [ -> {) that I hand adjusted and set everything to lowercase for the flag: CTF{caesarcipherisasubstitutioncipher}

Security by Obscurity (Misc)

Reading the contents of the screenshot you find that some guy named "John" created the firmware for the OffHub router and stored it on an iDropDrive cloud share. You fetch it and find "John" packed the firmware with an unknown key. Can you recover the package key?

This challenge included a “firmware” file. I started by opening it in a hex editor, and saw that it begins with PK, so I renamed it as a .ZIP file and it just opened the same file. There was also a PK near the end, which I isolated and saved as .ZIP file but with no better luck for either resulting piece.

Floppy (Misc)

Using the credentials from the letter, you logged in to the Foobanizer9000-PC. It has a floppy drive...why? There is an .ico file on the disk, but it doesn't smell right..

This challenge included a .ICO file, which when opened in a hex editor contained several PKs near the end. Isolating from the first PK to the end of the file, and saving it as a .ZIP file, gave me a working ZIP and opened to contain a text file containing the flag and a www.com DOS file.

CTF{qeY80sU6Ktko8BJW}
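The hex-editor approach used for both the Security by Obscurity firmware and the Floppy .ico, as an added Python example that is not part of the original write-up: find every ZIP local file header ("PK\x03\x04") in a blob, carve from the first one to the end of the file, and confirm the result really is an archive before trusting it. The .ico blob, member names and flag text are constructed stand-ins, not the challenge files.

```python
import io
import zipfile
from typing import List, Optional

LOCAL_FILE_HEADER = b"PK\x03\x04"   # start of each ZIP member
END_OF_CENTRAL_DIR = b"PK\x05\x06"  # the "PK near the end" of a complete archive

def build_sample_ico() -> bytes:
    """Constructed sample: a fake .ico header padded out, with a ZIP appended after it."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("flag.txt", "CTF{constructed_placeholder_flag}")
        zf.writestr("www.com", b"\xb4\x4c\xcd\x21")  # arbitrary bytes, not a real program
    ico_stub = b"\x00\x00\x01\x00\x01\x00" + b"\x00" * 100  # ICONDIR + fake icon data
    return ico_stub + zip_buf.getvalue()

def find_zip_offsets(blob: bytes) -> List[int]:
    """Offset of every ZIP local file header in the blob (what 'PK' in a hex editor shows)."""
    offsets, pos = [], blob.find(LOCAL_FILE_HEADER)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(LOCAL_FILE_HEADER, pos + 1)
    return offsets

def carve_zip(blob: bytes) -> Optional[bytes]:
    """Cut from the first local file header to the end and confirm it is a valid archive.
    Returns None if no header is present or the CRCs fail, so a stray 'PK' is not
    mistaken for an embedded archive."""
    offsets = find_zip_offsets(blob)
    if not offsets or END_OF_CENTRAL_DIR not in blob[offsets[0]:]:
        return None
    carved = blob[offsets[0]:]
    try:
        with zipfile.ZipFile(io.BytesIO(carved)) as zf:
            if zf.testzip() is not None:  # name of first corrupt member, None if all pass
                return None
    except zipfile.BadZipFile:
        return None
    return carved

def list_members(archive: bytes) -> List[str]:
    """Member names of a carved archive."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.namelist()

def read_member(archive: bytes, name: str) -> bytes:
    """Contents of one member of a carved archive."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(name)
```

The same scan explains the firmware result: a "PK" whose carved tail has no central directory, or whose CRCs fail, is not a usable archive by itself.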

JS Safe (Web)

Well it's definitely the 90s. Using what was found in the mysterious .ico file, you extract the driver for the Aluminum-Key Hardware password storage device. Let's see what it has in store.

This challenge included a js_safe_1.html file. I opened it in a code editor and saw it was a normal webpage where one can enter a password. It appears as a text field with a key in it and a rotating cube beneath it.

I recognised the variables “code”, a string of random letters, and “secret”, a list of numbers (corresponding to code?), but here’s where I took a big helping hand from the walkthrough. The walkthrough wrote a Python script I didn’t fully understand to get the secret and algorithm from the code variable:

 - Run console.logs to trace function outputs
 - Using blocks of 4 from code, he uses the 2nd position to set an environment action
 - Find the XOR comparison operation to return x[0]|x[1]
 - Comparing a hash (SHA256) of our input to the password’s hash, we can collect the value each input hash is compared to and use it to SHA256decode
 - CTF{Passw0rd!}

Now that I’ve started working on the Cryptopals (Matasano) Crypto Challenges, this makes a bit more sense, but it was certainly beyond my level at the time.

Moar (Pwn)

Finding yourself on the Foobanizer9000, a computer built by 9000 foos, this computer is so complicated luckily it serves manual pages through a network service. As the old saying goes, everything you need is in the manual.
moar.ctfcompetition.com 1337

Netcatting the URL and port serves up a man page for the Foobanizer 9000. I fumbled around in here for quite some time, and thought maybe there was something in the socat documentation included in the page. There was not…

I took a hint from the walkthrough here, and learned that man lets you run CLI commands! Just enter a ! and you can run Linux CLI commands. I looked in the home directory, found the disable_dmz.sh file in the moar directory, and found the flag in that file.

CTF{SOmething-CATastr0phic}

Admin-UI

The command you just found removed the Foobanizer 9000 from the DMZ. While scanning the network, you find a weird device called Tempo-a-matic. According to a Google search it's a smart home temperature control experience. The management interface looks like a nest of bugs. You also stumble over some gossip on the dark net about bug hunters finding some vulnerabilities and because the vendor didn't have a bug bounty program, they were sold for US$3.49 a piece. Do some black box testing here, it'll go well with your hat.
nc mngmnt-iface.ctfcompetition.com 1337

The provided link connects to a management interface for the Temp-o-matic. There are some patch notes to the effect that v.02 has “fixed path traversal bug” and v.03 is a “rollback of v.02”, as well as a note to “fix random reboots @2:32 every second Friday”.

The service access option of the interface requires a password, and the usual defaults didn’t work.

I did, however, notice that when typing Version0.2 or Version0.3 to get the patch notes, an incorrect entry returned an “Error: no such file or directory found”. Combined with the patch note reference to path traversal, it was clear that there was a path traversal vulnerability in the patch note version option. A little blind searching found the /etc/passwd file at ../../../etc/passwd, although permission was denied to ../../../etc/shadow. Looking a little closer to home turned up nothing in the current directory, but ../flag did come back with a result: CTF{I_luv_buggy_Software}.
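The bug described above, reconstructed as an added Python example (not the challenge's own code): a patch-note lookup that joins the user-supplied version name onto a directory and opens whatever results, beside a hardened version that accepts only a bare filename and checks that the resolved path still lies inside the notes directory. The filesystem layout, file contents and error strings are constructed stand-ins for the Temp-o-matic service.

```python
import os
import tempfile

def make_device_root() -> str:
    """Constructed stand-in for the device filesystem; returns the patch-notes directory.
    Layout: <root>/notes/Version0.2, <root>/notes/Version0.3 and <root>/flag (placeholder)."""
    root = tempfile.mkdtemp(prefix="tempomatic_")
    notes = os.path.join(root, "notes")
    os.mkdir(notes)
    files = {
        os.path.join(notes, "Version0.2"): "fixed path traversal bug\n",
        os.path.join(notes, "Version0.3"): "rollback of v.02\n",
        os.path.join(root, "flag"): "CTF{constructed_placeholder}\n",
    }
    for path, text in files.items():
        with open(path, "w") as f:
            f.write(text)
    return notes

def read_notes_vulnerable(notes_dir: str, version: str) -> str:
    """The v.03 behaviour: the user-supplied name is joined onto the notes directory and
    opened as-is, so '../flag' walks out of it. The error text mirrors the service's."""
    try:
        with open(os.path.join(notes_dir, version)) as f:
            return f.read()
    except OSError:
        return "Error: no such file or directory found"

def read_notes_hardened(notes_dir: str, version: str) -> str:
    """Accept only a bare filename, then confirm the resolved path (symlinks followed)
    is still inside notes_dir before opening it. Anything else is rejected uniformly."""
    if not version or version in (".", "..") or version != os.path.basename(version):
        return "Error: invalid version name"
    base = os.path.realpath(notes_dir)
    target = os.path.realpath(os.path.join(base, version))
    if os.path.commonpath([base, target]) != base:
        return "Error: invalid version name"
    try:
        with open(target) as f:
            return f.read()
    except OSError:
        return "Error: no such version"
```

Rejecting the name before touching the filesystem also means a log of "invalid version name" responses is a direct signal of probing against this menu option.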

Curious about how to do this without blind luck, I had a look at the walkthrough. He chose to dump the whole machine to a file:
echo -e "2\n../main" | nc mngmnt-iface.ctfcompetition.com 1337 > file

This echoes the 2nd menu option (where the patch note path traversal vuln is) and, on a new line, the path ../main, so the service returns its own binary. The redirected output is an ELF file that can be opened in IDA and searched for the flag.

FINAL RESULTS

Final Score: N/A
Final Rank: N/A