Sunday, September 30, 2012

CSAW CTF Quals 2012 Recon 1-3 Writeup


This weekend I participated in the CSAW 2012 Capture the Flag (CTF). Although I didn't have nearly the time I wish I had to spend on solving the problems, I wanted to make some writeups for those I did manage to solve in time.

The following problem categories were available to be solved:

  • Trivia
  • Recon
  • Web
  • Reversing
  • Exploitation
  • Forensics
  • Networking

Solutions to the challenges were awarded points based on how difficult the solution would theoretically be to obtain, ranging from 100 to 600 points per solution.

I wasn't able to solve the final two 400 point Recon challenges (for Yoda, and Dan Guido's favorite foods), so if anyone participated and managed to find those solutions, I would be interested to hear how you went about it!

Recon 100 - Jordan Wiens (psifertex)

For this challenge, we are simply given a Google Search link for 'Jordan Wiens', one of the judges for the CTF, and the only knowledge we have about the key is that it will most likely be in the format 'key{something}'. Not much to go on, but we'll see what we can do.

The obvious sources of information from the Google Search are his Twitter and LinkedIn accounts. From these, we can see that the alias 'psifertex' is commonly used, which may come in handy. On a hunch, we can check on which sites the name 'psifertex' is taken using a common tool, namechk.com. It shows that psifertex is taken on quite a few websites, but none of these yield great results.

The next step is simply to perform a Google Search for 'psifertex' and see if we find anything new. Fortunately, the first result is psifertex.com, which contains only the string 'Nothing to see here, move along.' Not buying it, I move on to the next step of recon I like to perform on a domain: brute forcing its subdomains. To do this, I use a tool called subbrute.py, which performs multithreaded DNS lookups against a configurable list of DNS resolvers, working through a list of possible subdomain names. It should be noted that I have tweaked and modified my own version of subbrute and have added subdomains as I've found them, so the standard install may not produce the same results in this case.

Here is the output I get from subbrute.py for psifertex.com:

Checking psifertex.com
74.125.45.121 calendar.psifertex.com
74.125.45.121 docs.psifertex.com
69.163.249.183 ftp.psifertex.com
173.236.129.17 key.psifertex.com
69.163.249.183 ssh.psifertex.com
74.125.45.121 start.psifertex.com
69.163.249.183 www.psifertex.com

Obviously, the first subdomain of interest is 'key.psifertex.com', which indeed yields the key: 'secret sonambul1st'
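To make the subbrute step concrete, here is a small multithreaded subdomain brute-forcer written for this writeup (it is not subbrute's own code). The resolver is injected so the block runs offline against a constructed fake zone holding the psifertex.com records listed above; `live_resolve` is the drop-in for real DNS. It also adds the one check the post does not mention: a wildcard probe, so a zone that answers for every label does not produce a wall of false hits.

```python
"""Minimal multithreaded subdomain brute-forcer in the spirit of subbrute.py.
Added example, not subbrute's own code. The resolver is injected so the block
runs offline: resolve(fqdn) returns an IP string or None. A wildcard check
drops hits that only exist because *.domain answers everything."""
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed wordlist; subbrute ships a far larger one.
WORDLIST = ["www", "mail", "ftp", "ssh", "key", "flag", "docs", "calendar", "start"]

def wildcard_ips(domain, resolve):
    """IPs returned for labels that should not exist (wildcard DNS detection)."""
    probes = [f"csaw-wildcard-probe-{i}.{domain}" for i in range(2)]
    return {ip for ip in map(resolve, probes) if ip}

def brute_subdomains(domain, wordlist, resolve, threads=8):
    """Return sorted (fqdn, ip) pairs for names that resolve, minus wildcard noise."""
    noise = wildcard_ips(domain, resolve)
    candidates = [f"{word}.{domain}" for word in wordlist]
    with ThreadPoolExecutor(max_workers=threads) as pool:
        answers = list(pool.map(resolve, candidates))  # one lookup per worker
    return sorted((fqdn, ip) for fqdn, ip in zip(candidates, answers)
                  if ip and ip not in noise)

def format_report(domain, found):
    """Mirror subbrute's output: 'Checking <domain>' then '<ip> <fqdn>' lines."""
    return "\n".join([f"Checking {domain}"] + [f"{ip} {fqdn}" for fqdn, ip in found])

def live_resolve(fqdn):  # resolver for real use via the system stub resolver
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None

# Constructed fake zone with the psifertex.com records shown in the post.
FAKE_ZONE = {
    "calendar.psifertex.com": "74.125.45.121",
    "docs.psifertex.com": "74.125.45.121",
    "ftp.psifertex.com": "69.163.249.183",
    "key.psifertex.com": "173.236.129.17",
    "ssh.psifertex.com": "69.163.249.183",
    "start.psifertex.com": "74.125.45.121",
    "www.psifertex.com": "69.163.249.183",
}

def fake_resolve(fqdn):
    return FAKE_ZONE.get(fqdn)

if __name__ == "__main__":
    print(format_report("psifertex.com", brute_subdomains("psifertex.com", WORDLIST, fake_resolve)))
```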


Recon 100 - Jeff Jarmoc (jjarmoc)

For this challenge we were simply given a Google Search for 'jjarmoc'. Again, not much to work with. Many teams had trouble with this challenge, yet I found it to be one of the easiest (most likely because I had just performed the same recon for Jordan Wiens). From Jeff's Twitter page, we can see that he links offenseindepth.com as his homepage. Let's perform the same recon as before and run subbrute. Here is the output:

Checking offenseindepth.com
107.21.146.162 finger.offenseindepth.com
173.201.193.71 imap.offenseindepth.com
74.125.45.121 mail.offenseindepth.com
107.21.146.162 www.offenseindepth.com

The only subdomain that seems out of the ordinary is finger.offenseindepth.com. Using the subdomain name as a clue, we can attempt to enumerate information about users on the host using the Finger service. Sure enough, by using jjarmoc as the username, we receive the following information:

jordan@crux:/pentest/recon/subbrute$ finger jjarmoc@finger.offenseindepth.com
Debian GNU/Linux      Copyright (C) 1993-1999 Software in the Public Interest
-----------------------------------------------------------------------------
Username: jjarmoc                   In real life:                       


Plan:
This is my .plan.  There are many more like it, but this one is mine.

{key:does anyone still use finger?}

-----------------------------------------------------------------------------

Submitting the key 'does anyone still use finger' awards us 100 points. Moving right along.
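The finger exchange above, shown end to end as an added example (not code from the post): a minimal RFC 1288 server that hands out a user's .plan, and the client query that the `finger user@host` command sends. It serves a constructed plan on 127.0.0.1 so it runs offline; the port, the plan text and the `extract_key` helper are mine.

```python
"""Finger (RFC 1288) exchange end to end: a minimal server that hands out a
user's .plan, plus the client query that `finger user@host` sends. Added example,
not code from the post; it serves a constructed plan on 127.0.0.1 so it runs
offline. Defender's takeaway: whatever sits in .plan is readable by anyone on port 79."""
import re
import socket
import threading

# Constructed user database: username -> .plan text.
PLANS = {"jjarmoc": "This is my .plan.  There are many more like it, but this one "
                    "is mine.\n\n{key:does anyone still use finger?}\n"}

def handle_client(conn):
    """Server side: read one request line, answer with the plan or a refusal."""
    with conn:
        request = conn.recv(1024).decode("ascii", "replace").strip()
        user = request.split()[-1] if request else ""  # tolerate the RFC '/W' switch
        if user in PLANS:
            reply = f"Username: {user}\n\nPlan:\n{PLANS[user]}"
        else:
            reply = "finger: no such user\n"
        conn.sendall(reply.encode())

def start_finger_server():
    """Bind an ephemeral localhost port, serve in a daemon thread, return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def loop():
        while True:
            handle_client(srv.accept()[0])
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def finger(user, host, port=79):
    """Client side: send '<user>\\r\\n' and read until the server closes the socket."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(f"{user}\r\n".encode())
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")

def extract_key(text):
    """Pull the CTF key out of a '{key:...}' marker, or return None."""
    m = re.search(r"\{key:(.*?)\}", text)
    return m.group(1) if m else None

if __name__ == "__main__":
    print(finger("jjarmoc", "127.0.0.1", start_finger_server()))
```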

Recon 100 - Julian Cohen (HockeyInJune)

I actually found Julian's recon challenge to be the most difficult, though only because of my own oversights. All we are given is a Google Search for 'HockeyInJune'. This, like the other recon challenges, does not provide much information. However, using namechk.com, I can see that HockeyInJune has a Reddit profile, which is consistently posting about the CSAW CTF, so we know it's the right guy. I mentioned my own oversights on this one, and it was simply because I checked every Reddit post except the one that had the key. After finally checking the link posted in the comment (cockcab.com), we can see that it clearly lists the key (although I didn't manage to write it down for this post, and now it looks to have been removed).

So there you have it! Those were the first 3 recon challenges for the CSAW CTF. As mentioned, two more 400 point challenges were posted later in the weekend (Dan Guido's two favorite foods and Yoda), but I didn't have time to really look too much into them. If anyone managed to find the solutions, I'd be interested to hear how much work it took to find them!

A big thank you goes out to the organizers of the CTF. Everything went smoothly, and appeared to be well organized with interesting challenges. Hopefully next year I will have more time to work on the challenges, and won't be so bogged down with school projects.

I will post more writeups for the challenges as I create them.

-Jordan

Edit: Dan Guido gave a comment on Reddit that the solution to his Recon challenge could be found here. Thanks, Dan!


4 comments:

  1. Nice! :)
    I've solved Jeff Jarmoc (jjarmoc) Recon by finding info inside his photo on the Judges page of the CSAW CTF site. https://csawctf.poly.edu/judges/photos/jjarmoc.jpg
    Inside this photo was the link to his finger. finger://jjarmoc@finger.offenseindepth.com:79

    Julian Cohen (HockeyInJune) recon we've solved by finding a key at the bottom of the wiki page http://en.wikipedia.org/wiki/User_talk:HockeyInJune

  2. Very cool! I didn't think to check the judge's photo since I figured the recon info would be far away from the CSAWCTF webpage. :)

    And I remember checking HockeyInJune's Wikipedia page. Specifically, I checked the History of the User Talk page, but I think someone changed the key. When I saw it, it had been modified on Sept. 29th with the key 'I like it rammed up in there' or something like that, which wasn't the key. Any other revisions yielded no key, so you must have seen something I didn't.

    Thanks for the heads up, though! It's interesting to see the different clues that were out there! :D

  3. For Jordan Wiens, I found the key as follows.

    psifertex.com
    psifertex.com/robots.txt
    psifertex.com/csaw/

    psifertex.com/csaw/ hinted at bruteforcing subdomains rather than file paths, so I took the hint and tried flag.psifertex.com then key.psifertex.com. Unfortunately, I couldn't figure out the proper syntax for submission. ='(

  4. I should have mentioned that in the original post. After I found the key URL via subbrute, I thought to myself, "There has to be some clue to look for subdomains." Sure enough, after looking in the robots.txt file I found the /csaw directory.

    As a fun side note, the phrase on the page 'Some Understanding Becomes Dominant On Manipulation And Inquisitive Naming' spells SUBDOMAIN.

    Thanks for the comment!
