Google 2019 Beginners' Quest

The Beginners Quest is an adventure targeted to beginners, a gentle introduction to the CTF world.

June 21 2019

So, what happens when you book a room for the club to get together and participate in an entry-level CTF? The college schedules a campus-wide power shutdown.

And, what happens when you reschedule for next week, because you were lucky enough that the CTF also had to reschedule for its own reasons? The CTF sends you the wrong reschedule dates and turns out not to start until the day after you rebooked the room.

So, with members coming in from out of town, it’s the Google CTF Beginner’s Quest to save the day! We didn't get too deep in the time we had, but had fun working through some new challenges.

This year, Google has us playing the part of an alien lifeform fleeing its uncool planet and seeking out the origins of the strange gold disk marked Property of NASA.

Enter Space-Time Coordinates (misc)

Ok well done. The console is on. It's asking for coordinates. Beating heavily on the console yields little results, but the only time anything changes on your display is when you put in numbers.. So what numbers are you going to go for? You see the starship's logs, but is there a manual? Or should you just keep beating the console?

The attachment they provide is a folder containing a text file with some co-ordinates of some kind:

0: AC+79 3888{6652492084280_198129318435598}
1: Pliamas Sos{276116074108949_243544040631356}
2: Ophiuchus{11230026071572_273089684340955}
3: Pax Memor -ne4456 Hi Pro{21455190336714_219250247519817}
4: Camion Gyrin{235962764372832_269519420054142}

and a file called rand2. Opening the rand2 file in Hex Fiend, we can see that it is an ELF file, and there in plain text is the flag:

CTF{welcome_to_googlectf}

Satellite (networking)

Placing your ship in range of the Osmiums, you begin to receive signals. Hoping that you are not detected, because it's too late now, you figure that it may be worth finding out what these signals mean and what information might be "borrowed" from them. Can you hear me Captain Tim? Floating in your tin can there? Your tin can has a wire to ground control?

The attachment for this challenge is a folder containing README.PDF and a file called init_sat.

The Readme file:

On your way down to earth you almost collided with that communications satellite. Stepping out to inspect, you find some space junk labeled “init_sat”. It looks like humans run it to set up satellites.

Is the communication with the satellite really as secure as those humans always claim? Could this help you read the space-static to learn more about earth creatures, and whether to join the party down there? You load init_sat on your terminal.

Well, let’s look at init_sat in Hex Fiend first. It’s an ELF file, but there’s no useful plain text popping out this time.

Let’s give it a run…in a Linux environment…and we’re presented with a greeting and a question:

Hello Operator. Ready to connect to a satellite?
Enter the name of the satellite to connect to or ‘exit’ to quit

Well, the satellite has Osmium written on it in the image in the PDF, so let’s try that to start…

Establishing secure connection to Osmium satellite…
Welcome. Enter (a) to display configuration data, (b) to erase all data or (c) to disconnect

The configuration data option gives us some interesting data to work with:

Username: brewtoot password: ******************* 166.00 IS-19 2019/05/09 00:00:00 Swath 640km Revisit capacity twice daily, anywhere Resolution panchromatic: 30cm multispectral: 1.2m Daily acquisition capacity: 220,000 km2 Remaining config data written to:
https://docs.google.com/document/d/14eYPluD_pi3824GAFanS29tWdTcKxP_XUxx7e303-3E

The data at the link is:
VXNlcm5hbWU6IHdpcmVzaGFyay1yb2NrcwpQYXNzd29yZDogc3RhcnQtc25pZmZpbmchCg==

Looks like Base64 to me…

Username: wireshark-rocks
Password: start-sniffing!

Well, I guess we better start sniffing the traffic while interacting with this satellite! And following the TCP stream in Wireshark while requesting the satellite configuration data, we get to see the password:

CTF{4efcc72090af28fd33a2118985541f92e793477f}

And that brings us to our first branch in the CTF: we’ve connected to SarahH’s network, but do we want to look at her “home” computer or her “work” computer? The homes of humans sound interesting…

Home Computer (forensics)

The download for this challenge is a folder containing note.txt and family.ntfs

The note just says:

If you're on MacOS, you can rename .ntfs to .dmg

So, it looks like we’ve got an NTFS file system accessible to us. Changing it to a DMG file, it opens as a whole read-only drive. Poking around, we can find a credentials.txt file in the Documents folder:

I keep pictures of my credentials in extended attributes.

So, we’re looking for some file metadata. Running ls -al on the folder, we can see an @ sign at the end of the read/write/execute attributes for the credentials.txt file, indicating that it has extended attributes. Running ls -l@ shows us the extended attributes, and credentials.txt has FILE0 and 38202 as extended attributes.

A bit of googling shows us we can extract the file in the extended attributes, but we did have some trouble with that. At first we tried:

getfattr --dump credentials.txt > image

This, however, didn’t give us a working image, just a lot of base64-encoded nonsense that didn’t decode to an image, but it took quite a bit of pointless faffing about with that nonsense file to decide we were on the wrong track. Looking back at the getfattr documentation, we tried:

getfattr --only-value credentials.txt > image

to immediate success. The extracted image contains the flag:

CTF{congratsyoufoundmycreds}
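Why the --dump output was not an image, as an added example that is not part of the original write-up: getfattr --dump writes a text record (a "# file:" header, then name=value lines, with binary values prefixed 0s for base64 or 0x for hex), so the payload has to be parsed out before decoding. The dump below is constructed, and the attribute name user.FILE0 is an assumption based on the FILE0 attribute seen above.

```python
import base64
import binascii
import re

MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif"}

def sniff(data):
    """Identify a payload by its leading magic bytes."""
    return next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), "unknown")

def decode_value(enc):
    """Decode one value in the text form written by `getfattr --dump`."""
    if enc.startswith("0s"):                        # base64-encoded value
        return base64.b64decode(enc[2:])
    if enc[:2].lower() == "0x":                     # hex-encoded value
        return bytes.fromhex(enc[2:])
    if len(enc) >= 2 and enc[0] == enc[-1] == '"':  # quoted text with \NNN octal escapes
        unescape = lambda m: bytes([int(m[1], 8)]) if len(m[1]) == 3 else m[1]
        return re.sub(rb"\\([0-7]{3}|.)", unescape, enc[1:-1].encode())
    raise ValueError("unrecognised value encoding: %r" % enc[:16])

def parse_dump(text):
    """Return {(file, attribute): raw bytes} for every record in a dump."""
    attrs, current = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            current = line[len("# file: "):]
        elif current is not None and "=" in line:
            name, enc = line.split("=", 1)
            attrs[(current, name)] = decode_value(enc)
    return attrs

def naive_decode(text):
    """Base64-decode the whole dump, header and name= prefix included."""
    try:
        return base64.b64decode(text)
    except binascii.Error:
        return b""

# Constructed sample: a PNG signature plus filler stored in an attribute named
# user.FILE0 (assumed name), and a short text attribute with an escaped newline.
PAYLOAD = b"\x89PNG\r\n\x1a\n" + b"constructed-sample"
SAMPLE_DUMP = ("# file: credentials.txt\n"
               "user.FILE0=0s" + base64.b64encode(PAYLOAD).decode() + "\n"
               'user.note="line1\\012line2"\n\n')

if __name__ == "__main__":
    for (path, name), value in parse_dump(SAMPLE_DUMP).items():
        print(path, name, len(value), sniff(value))
    print("naive decode:", sniff(naive_decode(SAMPLE_DUMP)))
```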

Work Computer (sandbox)

This challenge simply contains the address:

readme.ctfcompetition.com 1337

So, we can netcat into that network:

nc readme.ctfcompetition.com 1337

Here we are presented with a minimalist shell and two files in the current (/challenge) directory: README.flag and ORME.flag

Many common commands don’t work, including cat, and ls -al in the /bin folder shows that busybox is the shell running. The mkdir command exists, but the system is read-only.

Looking in /usr/bin, ls -al shows us a handful of commands that are not linked to busybox. Trying each of those, we eventually run:

iconv /challenge/README.flag

which shows us the flag

CTF{4ll_D474_5h4ll_B3_Fr33}
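The manual ls -al check above, written as an audit you could run against a restricted image before shipping it (an added example, not part of the original write-up). It reports every executable that is neither busybox nor a symlink or hard link to it, since any such leftover that can read a file undoes the removal of cat; the directory tree is constructed, and the placement of the applets in it is made up.

```python
import os
import stat
import tempfile

def standalone_binaries(bin_dirs, busybox):
    """List executables in bin_dirs that are not the busybox binary itself,
    a symlink to it, or a hard link to it."""
    found = []
    for directory in bin_dirs:
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            try:
                info = os.stat(path)              # follows symlinks
            except OSError:
                continue                          # dangling symlink
            if not stat.S_ISREG(info.st_mode) or not info.st_mode & 0o111:
                continue                          # directory or non-executable file
            if os.path.samefile(path, busybox):
                continue                          # busybox applet
            found.append(path)
    return found

def build_sample_root():
    """Constructed stand-in for the sandbox layout; which applet lives where
    is made up for this example."""
    root = tempfile.mkdtemp()
    bin_dir = os.path.join(root, "bin")
    usr_bin = os.path.join(root, "usr", "bin")
    os.makedirs(bin_dir)
    os.makedirs(usr_bin)
    busybox = os.path.join(bin_dir, "busybox")
    for real in (busybox, os.path.join(usr_bin, "iconv")):
        with open(real, "wb") as handle:
            handle.write(b"\x7fELF constructed placeholder")
        os.chmod(real, 0o755)
    os.symlink("busybox", os.path.join(bin_dir, "ls"))              # relative symlink applet
    os.link(busybox, os.path.join(bin_dir, "mkdir"))                # hard-linked applet
    os.symlink("../../bin/busybox", os.path.join(usr_bin, "env"))   # applet in /usr/bin
    os.symlink("missing", os.path.join(usr_bin, "stale"))           # dangling link
    return root

def audit_sample():
    root = build_sample_root()
    hits = standalone_binaries([os.path.join(root, "bin"), os.path.join(root, "usr", "bin")],
                               os.path.join(root, "bin", "busybox"))
    return [os.path.relpath(p, root) for p in hits]

if __name__ == "__main__":
    print(audit_sample())
```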

Government Agriculture Network (web)

https://govagriculture.web.ctfcompetition.com/

This challenge brings us to a webpage with a textbox to make a post in and a couple of images of cauliflower – this alien’s current obsession. There is a link at the top right leading to /admin but it just takes us back to the original page.

There is nothing at robots.txt but a 404, and the same for /user.

Running Burp Suite, we can see little of interest in the loading of the page (or the /admin GET) itself. Submitting the text test string in the textbox gives us a POST request to /post with the request body being postContents=test string. The post is submitted correctly and we are notified that:

Your post was submitted for review. Administrator will take a look shortly.

An attempt to navigate to the /post page returns Method Not Allowed.

dirb gets us one more page, /static, which contains /images (holding the cauliflower images) and /styles (holding the CSS file news.css).

If the administrator (automated or otherwise) is “reviewing” the posts, then it may be possible to open a reverse netcat shell using XSS.

Unfortunately, that’s where we ran out of time…

FINAL RESULTS

Final Score: N/A
Final Rank: N/A