Mohawk College CTF

Mohawk College hosted a two-week ‘Capture the Flag’ event. It was open to all students from Mohawk regardless of which program they are in or which term.

November 15 - November 29 2019


In 2019, applied research students at Mohawk College built and ran the first Mohawk College CTF, open to students of the college. I had the privilege of alpha testing their challenges.

Decode the Signal!

You have received multiple signals from an unknown space source containing audio. What do the signals mean?
Download the audio folder below and capture the flag!

We're provided with the Decode the Signal!.ZIP file, which contains five .WAV files:
drmwld.wav - old Windows startup chime
hgzgrx.wav - static
hrtmzo.wav - chirpy noise
mlhrtmzo.wav - solid tone
Nlihvxlwv.wav - morse code

I ran the morse code file through the decoder at https://morsecode.scphillips.com/labs/decoder/ and it decoded to USE A SPECTROGRAM.

I ran the remaining static and chirpy files through the spectrum analyser at https://academo.org/demos/spectrum-analyzer/ and the spectrum of the chirpy file is the flag:
FLAG{CMGAsbZM48mKYJMnCQQejPX5GgGxUZ}

Electric Fish

Fred noticed a possible attack on his server. He decided to capture the traffic to see if he could find anything interesting.
Analyze the traffic and capture the flag!

I was provided with the Jaws.pcapng file and started by looking at the HTTP object list in Wireshark. I saw a lot of interaction with 192.168.1.18 but no terribly interesting files. I sorted the capture by source and followed an HTTP stream, where I found:
username=74656d70&password=%7B696368206372m70a3qccjssxidou9m%7D

That password URL-decodes to: {696368206372m70a3qccjssxidou9m}

I recommended including FLAG as well, or perhaps base64-encoding FLAG{696368206372m70a3qccjssxidou9m} in the password, so that there's a recognisable flag.
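
The decoding above, as an added example that is not part of the original write-up: it parses the captured form body, hex-decodes the username, and then checks every plausible decoding of each field (URL-decoded, hex, base64) for a FLAG{...} token. BODY is the body quoted above; B64_BODY is constructed here to show the base64-wrapped variant suggested in the recommendation.

```python
"""Decode the captured login POST and hunt for a flag in every plausible
encoding of each field.

Added example; not code from the original write-up. BODY is the form body
quoted in the text. B64_BODY is constructed here to show the recommendation
that the flag be wrapped as FLAG{...} and base64-encoded before being sent.
"""
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote

FLAG_RE = re.compile(r"FLAG\{[^{}\s]+\}")

# Captured body (from the write-up) and a constructed variant of it.
BODY = "username=74656d70&password=%7B696368206372m70a3qccjssxidou9m%7D"
B64_BODY = "username=74656d70&password=" + quote(
    base64.b64encode(b"FLAG{696368206372m70a3qccjssxidou9m}").decode("ascii")
)


def parse_form_body(body: str) -> dict:
    """Split an application/x-www-form-urlencoded body. parse_qsl already
    undoes the %XX escapes, so %7B...%7D comes back as {...}."""
    return dict(parse_qsl(body, keep_blank_values=True))


def try_hex(value: str):
    """ASCII text of an even-length hex string, or None if it is not one."""
    if len(value) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", value):
        return None
    try:
        return bytes.fromhex(value).decode("ascii")
    except UnicodeDecodeError:
        return None


def try_base64(value: str):
    """UTF-8 text of a strictly valid base64 string, or None."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def decode_fields(body: str) -> dict:
    """Map each field to its distinct candidate plaintexts: the URL-decoded
    value itself, then hex and base64 decodings where they parse."""
    out = {}
    for field, value in parse_form_body(body).items():
        cands = [value, try_hex(value), try_base64(value)]
        out[field] = list(dict.fromkeys(c for c in cands if c))
    return out


def find_flags(body: str) -> list:
    """Every FLAG{...} token found in any candidate decoding of any field."""
    hits = set()
    for cands in decode_fields(body).values():
        for text in cands:
            hits.update(FLAG_RE.findall(text))
    return sorted(hits)


if __name__ == "__main__":
    for body in (BODY, B64_BODY):
        print(decode_fields(body), find_flags(body))
```

Run stand-alone it prints the candidates for both bodies: the captured one yields the username "temp" and the braced password but no recognisable flag, while the constructed base64 variant decodes straight to FLAG{...}, which is the point of the recommendation.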

Virus

You and a team of explorers have come across an abandoned research ship out in the ocean. While not necessarily ancient, the ship looks older and something has definitely spooked the crew into leaving the ship behind.

Looking around, you find a note. It looks like the Captain made the call to abandon the ship because of what "the virus" told him...

After a thorough search for clues in his cabin, you were able to find that the Captain had also left the credentials to the server:
Username: root
Password: adminpass

"Not the most secure..." you think to yourself.

With all that being said, you still ask yourself "What did this 'virus' tell the captain that made the whole crew abandon the ship?" Being the vulnerability expert that you are, you decide to solve the mystery.
Determine how the virus managed to spook the crew and capture the flag!

We are provided with the Ship Server.zip file, which contains Ship Server.ovf, .vmdk and .mf files. I ran the OVF appliance in VirtualBox and was presented with a CentOS server. I was able to log in with the provided creds, and a series of lines of text appeared one after another:

Hello Captain
Did you come back so soon?
You know you can't stop this from happening
You and your enture crew are in danger
You know you are not in control...
Would you like to see who is in control?
I'm curious to see what you can do...what's...different
I'll let you play...but I'll catch up with you soon
enjoy Captain

We start in root's home folder. Running ls shows us a message: You have new mail in /var/spool/mail/root, and catting /var/spool/mail/root gives a series of lines of "scroll up ^^^^^^^". Unfortunately, scrolling up is not an option on this machine, so we'll have to use head on the file:

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Hello, Captain......
Funny, isn't it?
I know what port your ship is in...but do you know what port I'm on?
There's only 65535 possibilities!
The question is...do you even really want to know????
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Running nmap 127.0.0.1 returns two results: SSH and SMTP

Trying ssh root@127.0.0.1 makes an SSH connection that repeats the "welcome" message and ends with: Ncat: bind to :::53124: Address is already in use. QUITTING.

Running nmap 127.0.0.1 -p53124 returns an open port running an unknown service, and nmap 127.0.0.1 -p53124 -A returns another threatening message and the flag:
FLAG{Smgj!fmFEmo190M0tG^OpqqN41XiVz}

It's perhaps worth noting that nc 127.0.0.1 53124 showed the message and flag more clearly.

I recommend deleting the bash history; we can scroll up through all of their past commands and see what they've been doing... although, apparently, they had considered this and that was their intent.
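
The nmap-then-nc sequence above, as an added example that is not code from the challenge or the original write-up: a TCP connect scan of a port range on 127.0.0.1, followed by a banner grab of each open port and a search of the banner for FLAG{...}. The listener, its banner text and its flag are constructed in-process so the script runs offline; they are placeholders, not the challenge's.

```python
"""Locate a hidden listener on the host the way the write-up does with nmap
and nc: TCP connect-scan a port range on 127.0.0.1, then read whatever banner
the open port volunteers and pull out FLAG{...} tokens.

Added example; not code from the challenge or the original write-up. The
listener and its banner are constructed in-process so this runs offline; the
text and flag below are placeholders, not the challenge's.
"""
import re
import socket
import socketserver
import threading

FLAG_RE = re.compile(r"FLAG\{[^{}\s]+\}")

# Constructed stand-in for the challenge's ncat listener output.
DEMO_BANNER = (b"Hello, Captain......\nSo you found my port.\n"
               b"FLAG{placeholder_not_the_real_flag}\n")


class BannerHandler(socketserver.BaseRequestHandler):
    """Push the banner at any client that connects, then hang up, like an
    `ncat -l -k` wrapper that echoes a fixed message."""

    def handle(self):
        try:
            self.request.sendall(self.server.banner)
        except OSError:
            pass  # a scanner that closes right after the handshake


def start_listener(banner: bytes = DEMO_BANNER):
    """Bind an ephemeral loopback port and serve the banner from a daemon
    thread. Returns (server, port); call server.shutdown() when done."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), BannerHandler)
    server.daemon_threads = True
    server.banner = banner
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def scan_ports(host: str, ports, timeout: float = 0.2) -> list:
    """TCP connect scan: a completed handshake (connect_ex == 0) means open.
    Closed loopback ports answer with a RST immediately, so this is quick."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host: str, port: int, timeout: float = 1.0, limit: int = 4096) -> str:
    """Connect, send nothing, and read until the peer closes, the read times
    out, or `limit` bytes arrive (a chatty service must not fill memory)."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        while len(buf) < limit:
            try:
                chunk = s.recv(1024)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
    return buf.decode("utf-8", errors="replace")


def hunt(host: str, ports) -> dict:
    """Scan the range, banner-grab each open port, return {port: [flags]}."""
    return {p: FLAG_RE.findall(grab_banner(host, p)) for p in scan_ports(host, ports)}


if __name__ == "__main__":
    server, port = start_listener()
    try:
        # Sweep a small window around the listener instead of all 65535 ports.
        print(hunt("127.0.0.1", range(port - 5, port + 6)))
    finally:
        server.shutdown()
        server.server_close()
```

The banner grab deliberately sends nothing, which is what nc did in the write-up and why it showed the message more cleanly than nmap -A, whose service probes can interleave with the greeting. The read loop is bounded by a timeout and a byte limit so a listener that never closes cannot hang the scan.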

Lost in Translation

A Mohawk College student is designing a website dedicated to diversity. Upon viewing his website (which, he admits, is a work-in-progress), it is clear that he has a particular obsession with flags. Definitely not the weirdest thing you've probably heard; but what is weird is this:
He has told me that he has put 10 flags in his website... I only count 9. Can you find the 10th flag?
Visit his website below and capture the flag!
https://lost-in-translation.webs.com

I poked around the different pages (Home, Blog, About, Photo Gallery, Contact) and looked at the source code for each page. I found a strange link to the Mohawk logo on the About page, named:
FLAG{X2q$fBHa-0uvY-kDhGg39SNDnize57}.png

Not difficult, but a little tedious.
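
The source-reading chore above, as an added example that is not part of the original write-up: it parses a page's HTML, collects every referenced resource URL (href/src attributes, srcset lists, inline style url() values) plus HTML comments, URL-decodes each URL and checks it for a FLAG{...} token, so a flag hidden in a filename is found without scrolling through view-source. Fetching the pages is assumed to be done separately (curl, requests); the page below is constructed and its flag is a placeholder, not the challenge's.

```python
"""Enumerate every resource a page's source references and check each URL for
a flag, so "view source on each page" becomes one pass that also catches
filenames you would scroll past.

Added example; not code from the original write-up. SAMPLE_HTML is
constructed, and its FLAG value is a placeholder rather than the challenge's.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urljoin

FLAG_RE = re.compile(r"FLAG\{[^{}\s]+\}")
URL_ATTRS = {"href", "src", "action", "data", "poster"}

# Constructed stand-in for an About page: the flag hides in an image filename,
# URL-encoded as a browser would request it, so it never appears on screen.
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/css/site.css"></head>
<body style="background: url('/img/bg.jpg')">
<nav><a href="/">Home</a> <a href="/blog">Blog</a> <a href="/about">About</a></nav>
<!-- TODO: swap in the hi-res logo -->
<img src="/uploads/FLAG%7Bplaceholder-not-the-real-flag%7D.png" alt="College logo">
<img srcset="/img/team-1x.jpg 1x, /img/team-2x.jpg 2x" src="/img/team-1x.jpg">
</body></html>"""


class AssetCollector(HTMLParser):
    """Collect absolute URLs from URL-bearing attributes, srcset lists and
    inline style url(...) values, plus HTML comments (another hiding place)."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.urls = []
        self.comments = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name in URL_ATTRS:
                self.urls.append(urljoin(self.base_url, value))
            elif name == "srcset":
                for cand in value.split(","):
                    parts = cand.strip().split()
                    if parts:
                        self.urls.append(urljoin(self.base_url, parts[0]))
            elif name == "style":
                for u in re.findall(r"url\(\s*['\"]?([^'\")\s]+)", value):
                    self.urls.append(urljoin(self.base_url, u))

    def handle_comment(self, data):
        self.comments.append(data.strip())


def collect_assets(html: str, base_url: str):
    """Return (urls, comments) found in the page source, in document order."""
    p = AssetCollector(base_url)
    p.feed(html)
    p.close()
    return p.urls, p.comments


def find_flags_in_source(html: str, base_url: str) -> dict:
    """Map each FLAG{...} token to where it was seen: the asset URL(s) whose
    URL-decoded form contains it, or "comment" for an HTML comment."""
    urls, comments = collect_assets(html, base_url)
    hits = {}
    for u in urls:
        for flag in FLAG_RE.findall(unquote(u)):
            hits.setdefault(flag, []).append(u)
    for c in comments:
        for flag in FLAG_RE.findall(c):
            hits.setdefault(flag, []).append("comment")
    return hits


if __name__ == "__main__":
    print(find_flags_in_source(SAMPLE_HTML, "https://lost-in-translation.webs.com/about"))
```

The URL-decoding step matters: a filename containing braces is typically percent-encoded in the markup, so a plain search for the literal FLAG{ in the source would miss it.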

Forensic Files: 551

The CEO of the Torgue Corporation has contacted us about a very delicate situation. He believes one of his employees has stolen his super duper secret password to his special vault. He also believes that the employee has given it to a local competitor on Pandora. He can’t find proof that the password was ever on the employee’s hard drive, but he does believe the employee and competitor were in communication.

Besides for a hard drive image, the CEO has given us very little. We don’t even know the password!

Download and analyze the hard drive image below, find any clues you can to reveal the whereabouts of the password, and capture the flag…uhh..I mean... password!

We are provided with the HardDrive.img file, which won't mount on my Mac (no mountable file systems). I opened it up in Hex Fiend and saw it contains Linux file paths and ELFs, and a mention of Ubuntu 7.4.0. A quick strings HardDrive.img | grep "FLAG{" came up empty.

I copied the image file to Kali, where file confirms it is Linux ext4 filesystem data. I mounted the image (mount -t auto ./Downloads/HardDrive.img /mnt/tmp) and it appears to be a system belonging to Borderlands' Clap-Trap (user: cl4p-tp). We can even cat ./etc/shadow and see cl4p-tp's encrypted password, so we're running as root. I did give cracking that password a go:
cp /mnt/tmp/etc/passwd ~/Downloads/passwd.txt
cp /mnt/tmp/etc/shadow ~/Downloads/shadow.txt
cd ~/Downloads
unshadow passwd.txt shadow.txt > passwords.txt
john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
It detected the md5crypt hash type and the session completed, but with no cracks.

Let's have a look in the authorisation log, /var/log/auth.log. There's not much history in here, so let's follow it... nothing much here.

Back to the drawing board. I loaded the image into Autopsy as a partition, and file analysis showed deleted files including:
/1/etc/geoclue/MyFavouritePDF/claptrap.pdf -> empty file
/1/media/audio/logs/NoteToSelf/Log_1.mp3 to Log_10.mp3 -> some empty; 1, 3, 6 and 7 OK
I exported all the non-empty files, but I couldn't get them to open.

Looking around in ./home/cl4p-tp/.thunderbird/j9uiriyg.default/Mail/, the pop.mail.com folder holds plenty of Clap-Trap's messages annoying the help desk and Tiny Tina. From those exchanges, I found his protonmail email account, general-claptrap@protonmail.com, which he is told to use as the password for the recordings. He also mentions deleting "non-work" files that he doesn't want people to see, and notes the need to look at those voice note MP3s again. He also has a conversation with Tiny Tina (MsCrunkBunny@innocent.com) about Torgue's password, and she finally insists that he send it from his personal email.

This was as far as I got in the time I put towards it. I know I need to unlock the MP3 notes with the protonmail email address, so that I can get the password to the protonmail account and retrieve the password flag. I didn't have the know-how to properly recover the MP3s, but I did make note of interesting files in the .bash_history showing the creation of:
/home/cl4p-tp/Misc/TheDeal.txt
/media/audio/logs/NoteToSelf/
/etc/geoclue/MyFavouritePDF
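
The mail triage described above, as an added example that is not part of the original write-up: Thunderbird stores each folder under Mail/<server>/ as a plain mbox file (the .msf files beside them are only index files), so Python's mailbox module can walk a profile, tally every correspondent address seen in headers and bodies, and grep subjects and bodies for keywords such as "password". The profile directory and its three messages are constructed here so the script runs offline; the addresses and text are placeholders, not the challenge's mail.

```python
"""Triage a Thunderbird profile's mail store the way the write-up does by
hand: walk Mail/<account>/ for mbox files, tally correspondents, and grep
subjects and bodies for keywords.

Added example; not code from the original write-up. build_demo_profile()
constructs a throwaway profile with placeholder messages so this runs
offline; nothing in it is the challenge's real mail.
"""
import mailbox
import os
import re
import tempfile
from collections import Counter
from email.utils import getaddresses

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def build_demo_profile() -> str:
    """Create <tmp>/Mail/pop.example.com/Inbox as an mbox, Thunderbird's
    on-disk format, holding three constructed messages."""
    root = tempfile.mkdtemp(prefix="tb-demo-")
    acct = os.path.join(root, "Mail", "pop.example.com")
    os.makedirs(acct)
    inbox = mailbox.mbox(os.path.join(acct, "Inbox"))
    for frm, to, subj, body in [
        ("user@example.com", "helpdesk@example.com", "Locked out again",
         "My vault password stopped working."),
        ("helpdesk@example.com", "user@example.com", "Re: Locked out again",
         "Use your personal address as the password for the recordings."),
        ("user@example.com", "friend@example.net", "The deal",
         "I'll send it from my personal email, user-private@protonmail.example, nothing else."),
    ]:
        msg = mailbox.mboxMessage()
        msg["From"], msg["To"], msg["Subject"] = frm, to, subj
        msg.set_payload(body)
        inbox.add(msg)
    inbox.flush()
    inbox.close()
    return root


def mbox_files(profile_root: str) -> list:
    """Every folder file under Mail/, skipping Thunderbird's .msf indexes
    and .dat state files."""
    found = []
    for dirpath, _, files in os.walk(os.path.join(profile_root, "Mail")):
        for f in files:
            if not f.endswith((".msf", ".dat")):
                found.append(os.path.join(dirpath, f))
    return sorted(found)


def body_text(msg) -> str:
    """Concatenate the text/plain parts of a message, decoding transfer
    encoding and charset."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            out.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(out)


def correspondents(profile_root: str) -> Counter:
    """Count every address in From/To/Cc headers plus addresses that only
    appear inside message bodies (a personal account mentioned in passing)."""
    seen = Counter()
    for path in mbox_files(profile_root):
        for msg in mailbox.mbox(path):
            headers = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
            seen.update(addr.lower() for _, addr in getaddresses(headers) if addr)
            seen.update(a.lower() for a in ADDR_RE.findall(body_text(msg)))
    return seen


def search_mail(profile_root: str, pattern: str) -> list:
    """(From, Subject) of every message whose subject or body matches."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for path in mbox_files(profile_root):
        for msg in mailbox.mbox(path):
            if rx.search(msg.get("Subject", "")) or rx.search(body_text(msg)):
                hits.append((msg.get("From", ""), msg.get("Subject", "")))
    return hits


if __name__ == "__main__":
    root = build_demo_profile()
    print(correspondents(root).most_common())
    print(search_mail(root, r"password|recording"))
```

Pointing the same functions at a real profile means passing the mounted path (here ./home/cl4p-tp/.thunderbird/j9uiriyg.default) instead of the demo root; the body-address tally is what surfaces an account that was never a header recipient.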

FINAL RESULTS

I got through 5 of the 6 challenges and was able to give the organisers some good feedback.