_____  _____ _           
       |  _  ||  _  | |         
  _ __ | |/' || |/' | |__  ___  
 | '_ \|  /| ||  /| | '_ \/ __| 
 | | | \ |_/ /\ |_/ / |_) \__ \ 
 |_| |_|\___/  \___/|_.__/|___/
   _____ ___________   
  /  __ \_   _|  ___|
 | /  \/ | | | |_ 
 | |     | | |  _|
 | \__/\ | | | |  
\____/ \_/ \_|
  _           _         
 | |         | |        
 | |     __ _| |__  ___ 
 | |    / _` | '_ \/ __|
 | |___| (_| | |_) \__ \
 \_____/\__,_|_.__/|___/

I learn best through games and puzzles. These are my notes going through Infosec Institute's CTF #1: Hacking for n00bz as I try to get more comfortable doing things through the command line.





LEVEL 1



Clue

Picture of Yoda with text underneath that reads "May the source be with you!"

Steps

Source code! This one's pretty straightforward: viewing the source code you can see a comment on the first line with the flag.

Flag

infosec_flagis_welcome

More Info..

Sometimes important things are left in the comments.

LEVEL 2



Clue

Broken image and text "It seems like the image is broken..Can you check the file?"

Steps

First I checked the source to see if I noticed an error, tried a few different URLs (changing jpeg to gif, png, etc..), and when none of that worked I looked at the image through the command line with curl.

$ curl http://ctf.infosecinstitute.com/img/leveltwo.jpeg
aW5mb3NlY19mbGFnaXNfd2VhcmVqdXN0c3RhcnRpbmc=

Whaat, that doesn't look like the usual output for an image, and the = sign at the end looks like base64 padding. To check, I piped the output of curl into base64 with the decode option (the case of the option depends on your operating system and is either -D or -d; OSX uses -D).

$ curl http://ctf.infosecinstitute.com/img/leveltwo.jpeg | base64 -D
infosec_flagis_wearejuststarting

Yay! But also, there’s usually a ton of different ways to get to the same result and I want to learn and I think you want to learn so here we are.

Another option is to copy the output from curl and use echo, which writes its arguments to stdout, piped through base64.

$ echo -n 'aW5mb3NlY19mbGFnaXNfd2VhcmVqdXN0c3RhcnRpbmc=' | base64 -D
infosec_flagis_wearejuststarting

Or, instead of sending the result of curl to stdout, you can save it to a file with the option -O (keeps the original file name) or -o (saves under the name you give).

$ curl http://ctf.infosecinstitute.com/img/leveltwo.jpeg -O
$ ls
leveltwo.jpeg
$ curl http://ctf.infosecinstitute.com/img/leveltwo.jpeg -o out.jpeg
$ ls
leveltwo.jpeg
out.jpeg

Then pipe the output of cat through base64 to get the flag.

$ cat leveltwo.jpeg | base64 -D
infosec_flagis_wearejuststarting

CTFs are really great because you can just keep going deeper and deeper into random things you come across that interest you, and if you take the time to learn about them as you go, even if it ends up not being the way to get to the answer right then, you might learn something, and that's nice.

$ Tips $ When you get stuck, think of what you're trying to do. The clue says "can you check the file?", so I started by searching "download image from webpage linux", which brought me to a post on stackoverflow about using curl to download an image, and from there I went on to learning more about base64.

Flag

infosec_flagis_wearejuststarting

More Info..

curl

curl without options performs a GET request and returns the data from the URL, or more specifically..

root@kali:~# man curl
curl(1) Curl Manual curl(1)

NAME
curl - transfer a URL
SYNOPSIS
curl [options] [URL...]
DESCRIPTION
curl is a tool to transfer data from or to a server, using one of the supported protocols (DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET and TFTP). The command is designed to work without user interaction.

curl offers a busload of useful tricks like proxy support, user authentication, FTP upload, HTTP post, SSL connections, cookies, file transfer resume, Metalink, and more.

. . .

If you specify URL without protocol:// prefix, curl will attempt to guess what protocol you might want. It will then default to HTTP but try other protocols based on often-used host name prefixes. For example, for host names starting with "ftp." curl will assume you want to speak FTP.

. . .
OPTIONS
Some options I found interesting browsing through the man page.

-d, --data <data>
(HTTP) Sends the specified data in a POST request to the HTTP server, in the same way that a browser does when a user has filled in an HTML form and presses the submit button. This will cause curl to pass the data to the server using the content-type application/x-www-form-urlencoded. Compare to -F, --form.

Example:
curl --data "firstName=John&lastName=Doe" https://yourdomain.com/info.php
-F, --form <name=content>
(HTTP) This lets curl emulate a filled-in form in which a user has pressed the submit button. This causes curl to POST data using the Content-Type multipart/form-data according to RFC 2388. This enables uploading of binary files etc. To force the 'content' part to be a file, prefix the file name with an @ sign. To just get the content part from a file, prefix the file name with the symbol <. The difference between @ and < is then that @ makes a file get attached in the post as a file upload, while the < makes a text field and just get the contents for that text field from a file.

Example: to send an image to a server, where 'profile' is the name of the form-field to which portrait.jpg will be the input:

curl -F profile=@portrait.jpg https://example.com/upload.cg
-I, --head
(HTTP FTP FILE) Fetch the headers only! HTTP-servers feature the command HEAD which this uses to get nothing but the header of a document. When used on an FTP or FILE file, curl displays the file size and last modification time only.
-D, --dump-header <filename>
(HTTP FTP) Write the received protocol headers to the specified file.

This option is handy to use when you want to store the headers that an HTTP site sends to you. Cookies from the headers could then be read in a second curl invocation by using the -b, --cookie option! The -c, --cookie-jar option is a better way to store cookies.

When used in FTP, the FTP server response lines are considered being "headers" and thus are saved there.

If this option is used several times, the last one will be used.

See also -o, --output.

Since the command curl http://ctf.infosecinstitute.com/img/leveltwo.jpeg gives curl just a URL and no options, it makes a plain GET over HTTP (what we want, woo) and writes the data to stdout (standard output, the command line).

$ Tips $ Linux man pages can be super overwhelming and have a ton of info, but they give you a start on things to look into more, and they're helpful for finding out what a command does (sometimes hahh), how it's set up and what options are available, before you go on to search for examples of the command being used and the good-to-know options, to get a general understanding.

base64

Reddit ELI5 (explain like I'm 5) what is base64
Video on base64 by NERDfirst

LEVEL 3



Clue

QR Code and a moving status bar.

Steps

Uploaded the QR code to an online reader and got the result ".. -. ..-. --- ... . -.-. ..-. .-.. .- --. .. ... -- --- .-. ... .. -. --."

Morse code!

There's a ton of translators online so I just did a quick search and bam, it translates to INFOSECFLAGISMORSING. (If you're wondering why it looks a bit different than the flags before, it's because Morse code has no official way to distinguish between upper and lower case, except maybe the Navy?). You could also translate it yourself: each letter is separated by a space, and there are Morse code alphabets online if you're not familiar (.. like me =P).

..    -.    ..-.  ---   ...   .     -.-.
I     N     F     O     S     E     C

..-.  .-..  .-    --.
F     L     A     G

..    ...
I     S

--    ---   .-.   ...   ..    -.    --.
M     O     R     S     I     N     G

Flag

INFOSECFLAGISMORSING

More Info..

Stealing files with QR codes

LEVEL 4



Clue

Photo of the Cookie Monster that alerts “Stop poking me!” when hovered, text underneath “HTTP means Hypertext Transfer Protocol”

Steps

Cookie Monster! So I'm assuming this has something to do with HTTP cookies. Checked the source just to cover the bases; everything looks pretty much the same as before except for the JS alert. Looking more into HTTP and HTTP cookies..


HTTP means HyperText Transfer Protocol. HTTP is the underlying protocol used by the World Wide Web and this protocol defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. - www.webopedia.com

An HTTP cookie (also called web cookie, Internet cookie, browser cookie, or simply cookie) is a small piece of data sent from a website and stored on the user's computer by the user's web browser while the user is browsing. - www.wikipedia.com

HTTP cookies seem like a pretty good bet.

HTTP cookies are (surprise) sent in the HTTP headers, and (surprise, in an even more awesome amazing exciting way), from looking into curl options in Level 2 we already know the option to inspect the headers, -I.

curl -I http://ctf.infosecinstitute.com/levelfour.php
HTTP/1.1 200 OK
Date: Wed, 29 Aug 2018 15:44:26 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.6
Set-Cookie: fusrodah=vasbfrp_syntvf_jrybirpbbxvrf
Content-Type: text/html

... Well. The cookie looks a bit weird.

Drawing of Skyrim Fluttershy by plaidsandstripes: my little pony in iron armor, a helmet with a mask covering the top half of the little pony's face and horns, with studded shin guards
[ Image by plaidsandstripes ]


The cookie value also has the layout of the flag. Knowing that the flags so far have all started with "infosec_flagis", compare that with vasbfrp_syntvf: every "i" has become a "v" and every "s" an "f", and in both cases the new letter is 13 places further along the alphabet, which I confirmed by googling a picture of the alphabet and counting from "i" to "v", because I'm tired. So yay! Caesar cipher! Every letter is just shifted 13 places up, and that's easy to swap back with the tr command, which substitutes one set of characters for another.

$ echo 'vasbfrp_syntvf_jrybirpbbxvrf' | tr '[a-z]' '[n-za-m]'
infosec_flagis_welovecookies
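The same two things done by hand above, as an added example (my own POSIX sh, not part of the original post or the CTF): derive the shift by comparing the known flag prefix with the cookie's first word, then undo it with tr for any shift, not only 13. COOKIE, ALPHA and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: (1) work out the shift by
# comparing the known prefix "infosec" with the cookie's "vasbfrp", then
# (2) undo it with tr, for any shift rather than only 13. Upper-case letters
# and "_" pass through tr unchanged.

ALPHA=abcdefghijklmnopqrstuvwxyz

# Lower-case letter -> 0..25. printf '%d' "'x" gives the character code (POSIX).
letter_index() {
    printf '%d' "$(( $(printf '%d' "'$1") - 97 ))"
}

# Shift (mod 26) that turns plaintext letter $1 into ciphertext letter $2.
shift_between() {
    printf '%d' "$(( ( $(letter_index "$2") - $(letter_index "$1") + 26 ) % 26 ))"
}

# Decode text $2 that was shifted forward by $1 places: tr maps the alphabet
# rotated left by n back onto a-z. For n = 13 this is the same map as the
# post's tr '[a-z]' '[n-za-m]', because ROT13 is its own inverse.
caesar_decode() {
    n=$(( $1 % 26 ))
    tail=$(printf '%s' "$ALPHA" | cut -c "$(( n + 1 ))-")   # letters n+1..z
    head=${ALPHA%"$tail"}                                    # letters 1..n
    printf '%s' "$2" | tr "$tail$head" "$ALPHA"
}

# The cookie value from the Set-Cookie header above.
COOKIE=vasbfrp_syntvf_jrybirpbbxvrf
n=$(shift_between i v)      # "i" in infosec -> "v" in vasbfrp: 13
caesar_decode "$n" "$COOKIE"; echo
```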

Flag

infosec_flagis_welovecookies

More Info..

Using Burp to Hack Cookies and Manipulate Sessions
Caesar cipher explained

LEVEL 5



Clue

JavaScript alert that says "Hacker!" repeatedly and won't let you see anything else.

Steps

Figure out the best way for you to view the page. Since I already had the source code open from a level before, it was easiest for me to change "view-source:http://ctf.infosecinstitute.com/levelfour.php" into "view-source:http://ctf.infosecinstitute.com/levelfive.php". You could also disable JavaScript in your browser, or request the page from the command line..

curl http://ctf.infosecinstitute.com/levelfive.php

Viewing the source you can see an image underneath the alert, "img/aliens.jpg". Browsing to http://ctf.infosecinstitute.com/img/aliens.jpg you'll find.. an image.

Steganography! Most likely, since all that's there is an image, and steganography involves hiding files, images, messages, and videos inside another file, image, message, or video.

Woo!

First time going through this level I just did this all through online decoders, but I ended up coming back to it a few levels after because I wanted to get a bit more out of it, like learning new programs/tools.


Steghide

It's pretty straightforward. Looking at the manual you'll see options for embedding (--embed) and extracting (--extract) data. Since I wasn't sure whether there was any embedded data, I could have started by checking with --info, but I didn't, because I was pretty sure something was hidden in it, and if not it was just faster to find out by getting nothing back.

steghide --extract -sf aliens.jpg
Enter passphrase:
wrote extracted data to "all.txt".

The -sf, --stegofile option specifies the file that contains the embedded data (aliens.jpg). When prompted for a passphrase I just hit enter; since there isn't one, it goes past that and extracts the data into a file called all.txt.

Looking at the file "all.txt" you'll find it's full of binary data, so now we need to convert. And for that I need to refresh my memory, because it's been a while.


Converting Binary Data

How exactly does binary code get converted into letters? Shavais's post on stackoverflow was super helpful for me, breaking it down a bit and going into why it works - it also has a good explanation of bases. The steps below follow their post pretty closely.

1. Convert every 4 binary digits into one hex digit.

I'm just going to work with the first four bytes, since each byte (8 bits) is one ASCII character it should end up being "info" - the first part of the flags so far.

Binary: 0110 1001 0110 1110 0110 0110 0110 1111
Hex: 6 9 6 e 6 6 6 f

2. Split the string of hex digits into pairs.

Converting to ASCII it takes two hex digits to make a character, grouping the string by pairs will break it up by character.

69 6e 66 6f

3. Convert each pair of hex digits into a decimal number.

To convert the pairs into a decimal number, multiply the decimal value of the left digit by 16 and add the second.

Alright. So, working with the first pair

69 hex = 6 * 16 + 9 = 105

105, which is the character 'i' in ASCII, wooooo. And I'm just gonna stop there and make a script for the rest, because I'm having flashbacks to my comp organization and design class and want to write a little decoder.

$ Tips $ If you don't want to do any math, it's also super easy to look up a table for characters to binary, then just match them up: 01101001 = i, 01101110 = n, 01100110 = f, 01101111 = o, etc..


Shell Scripting

Refresh! Bash scripting cheatsheet. Okay, so now on to trying to make a simple script following the steps above: convert binary to hex, then hex to decimal/ASCII.

First, binary to hex.
I decided to use the command line calculator (bc) to convert from binary to hex, by setting obase (output base) to 16 (hex) and ibase (input base) to 2 (binary), in that order (once ibase is 2, a later "16" would itself be read as binary), then just pasted the beginning of all.txt to check.

$ echo "obase=16;ibase=2;01101001011011100110011001101111" | bc
696E666F

Seems right, the first 8 characters match up from before. So now how to go from hex to plain text? Searching turns up a lot of information on the command xxd, and looking more in the manual it seems like it will work.

XXD(1) xxd Manual XXD(1)
-r | -revert
reverse operation: convert (or patch) hexdump into binary. If not writing to stdout, xxd writes into its output file without truncating it. Use the combination -r -p to read plain hexadecimal dumps without line number information and without a particular column layout. Additional Whitespace and line-breaks are allowed anywhere.

$ echo "696e666f" | xxd -r -p
info

Yay, right track. So now putting it all together in a script.

#!/bin/bash

# Set binData variable to contents of all.txt
binData=$(<all.txt)

# Convert from binary to hex, store in hex variable
hex=$(echo "obase=16;ibase=2;$binData" | bc)

# Convert hex to ascii, store in ascii variable
ascii=$(echo $hex | xxd -r -p)

# Output values
echo -e "Binary Value: $binData\nHex Value: $hex\nAscii Value: $ascii\n"


$ Tips $ If you want to get really fancy you can switch out "all.txt" with "$1" and grab the file from the first argument in the command line.

Run with no arguments:

$ ./btoa
Binary Value: 01101001011011100110011001101111011100110110010101100011010111110110011001101100011000010110011101101001011100110101111101110011011101000110010101100111011000010110110001101001011001010110111001110011
Hex Value: 696E666F7365635F666C616769735F73746567616C69656E73
Ascii Value: infosec_flagis_stegaliens

Woo.
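The same steps as an added example (my own POSIX sh, not the post's script): binary to hex to decimal to ASCII without bc or xxd, which also handles two cases the bc | xxd pipeline gets wrong silently, a byte whose hex form starts with 0 and a bit count that isn't a multiple of 8. The function names are mine; SAMPLE_BITS is the all.txt bit string from the run above, grouped per byte for readability.

```shell
#!/bin/sh
# Added example, not from the original post: the post's steps in plain sh.
# Two things the bc | xxd pipeline gets wrong silently are handled here:
#  - bc's obase=16 drops a leading 0 nibble (00001010 prints as "A", not "0A"),
#    leaving an odd-length hex string that xxd -r -p then pairs up wrongly;
#  - a bit count that is not a multiple of 8 is reported, not decoded as junk.

# One 8-bit group -> decimal by multiply-and-add (the base-2 version of "6 * 16 + 9").
byte_to_dec() {
    b=$1
    d=0
    while [ -n "$b" ]; do
        first=${b%"${b#?}"}                    # first character of $b
        d=$(( d * 2 + first ))
        b=${b#?}                               # drop it
    done
    printf '%s' "$d"
}

# Whole bit string -> hex (mode "hex") or text (mode "text"). Whitespace and
# newlines are stripped first, so a wrapped all.txt decodes the same way.
decode_bits() {
    mode=$1
    bits=$(printf '%s' "$2" | tr -d '[:space:]')
    len=${#bits}
    if [ $(( len % 8 )) -ne 0 ]; then
        echo "error: $len bits is not a multiple of 8" >&2
        return 1
    fi
    while [ -n "$bits" ]; do
        byte=$(printf '%.8s' "$bits")          # first 8 bits
        bits=${bits#????????}
        dec=$(byte_to_dec "$byte")
        if [ "$mode" = hex ]; then
            printf '%02X' "$dec"               # always two digits, keeps a leading 0
        else
            printf "\\$(printf '%03o' "$dec")" # decimal -> octal escape -> character
        fi
    done
}
bin_to_hex()   { decode_bits hex  "$1"; }
bin_to_ascii() { decode_bits text "$1"; }

# The bits the post extracted from aliens.jpg (all.txt), grouped per byte.
SAMPLE_BITS='01101001 01101110 01100110 01101111 01110011 01100101 01100011 01011111 01100110 01101100 01100001 01100111 01101001
01110011 01011111 01110011 01110100 01100101 01100111 01100001 01101100 01101001 01100101 01101110 01110011'

bin_to_hex "$SAMPLE_BITS"; echo
bin_to_ascii "$SAMPLE_BITS"; echo
```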

Flag

infosec_flagis_stegaliens

More Info..

Hiding a file in an image
Steghide: Encrypts & Hides any file using few Image and Audio formats
Hiding an image inside another: Python Steganography
Fancy Tricks for Changing Numeric Base

LEVEL 6-15



I should be doing homework