<---WARNING!--->
If you still want to attempt these labs on your own, please read my earlier post first, n00bs CTF Labs - Infosec Institute. Otherwise, continue reading to see my write-up.
n00bs CTF Labs
The Infosec Institute CTF challenges begin by going to ctf.infosecinstitute.com. When you get to the page you'll see a banner that says n00bs CTF Labs by Infosec Institute. For this write-up I'll be using the Chrome browser.
On the homepage of this website you'll see a description with information about participating in this CTF challenge. After reading this you're ready to get started with the first challenge.
Level 1
URL: http://ctf.infosecinstitute.com/levelone.php
Bounty: $10
Tools: A Web Browser (I used Chrome)
Resources: Web Design, View Source Code, Source Code
Solution:
On this site each of the 15 challenges is considered a level, with the first being Level 1. So, to get started with Level 1, click where it says Levels at the top left of the page. This will bring down a menu where you can select your first challenge.
Level 1 brings us to ctf.infosecinstitute.com/levelone.php. On this page we see a picture of Yoda, from Star Wars, and text under the picture that says "May the source be with you!". You can also see that the bounty for solving this challenge is $10.
If you haven't seen Star Wars, then you'll need to know that Yoda's actual quote is "May the force be with you!". So, the hint here is the word source, and that word is most likely referring to the Source Code of the webpage we are on right now. To take a look at the source code of the webpage, just right click in the blank blue area on the page, then select View page source (For other web browsers click here).
You'll now have a new tab open showing the source code of the ctf.infosecinstitute.com/levelone.php webpage. If you look at line 1 of the source code you can see that there is a comment saying "infosec_flagis_welcome", which is the flag for Level 1.
Flag: infosec_flagis_welcome
Congratulations, you just found your first flag!
Level 2
URL: http://ctf.infosecinstitute.com/leveltwo.php
Bounty: $20
Tools: Notepad++, Base64 Decode
Resources: Base64, Chrome Developer Tools
Solution:
Just like before, let's go up to the Levels drop-down menu, but this time we'll take a look at Level 2. This level brings us to the page ctf.infosecinstitute.com/leveltwo.php. Here we see an image that looks like it is missing and a button that says "It seems like the image is broken..Can you check the file?".
It looks like we'll need to take a look at the image and figure out why it is broken. First let's see what the path is for the current image. To do this, right click on the small broken picture image on the page, then select Inspect element.
Now the developer tools open up at the bottom of the browser. In here I can see part of the page's source code, with the image path highlighted. Now I know that the image path is "/img/leveltwo.jpeg".
So, let's take a look at the image. Either browse to the image's path or, in the developer tools, right click on the image path, then select Open link in new tab.
The full path to the image is http://ctf.infosecinstitute.com/img/leveltwo.jpeg. Once on this page we want to save the image to our computer. We do this by right clicking on the broken image icon and selecting Save as.
Once the file is saved, browse to it on your computer. We will now want to explore this so-called jpeg file. To do this we'll want to open the file using a text editor. You can use Windows Notepad, or if you are on Linux you can use something like Nano or Vi. In this case I'm on Windows and will be using Notepad++. So, I'm going to right click on the file, then select Edit with Notepad++.
In the editor I can see that this file is just a text document, with the text "aW5mb3NlY19mbGFnaXNfd2VhcmVqdXN0c3RhcnRpbmc=" in it. When I look at the text I can see that this looks like a message encoded in Base64. I can assume this because of the equal sign at the end of the text.
Now, I need to decode the Base64 message. There are different ways to do this, but the easiest way for me was to just go out to a Base64 Decoding website. Here I just entered in the Base64 encoded message, clicked decrypt, then saw the message was the flag, "infosec_flagis_wearejuststarting".
Flag: infosec_flagis_wearejuststarting
Level 2 completed! We are starting off great.
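The Level 2 check can also be done in code rather than in a text editor. The following is an added example, not part of the original write-up: it classifies a download by its leading bytes instead of its file name and strictly decodes the body if it is Base64. The function names and the JPEG header sample are constructed for illustration.

```python
import base64
import binascii

# Leading bytes ("magic numbers") of common image formats.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

def sniff_type(data: bytes) -> str:
    """Classify content by its bytes, ignoring the file name."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    try:
        data.decode("ascii")
        return "ascii-text"
    except UnicodeDecodeError:
        return "unknown-binary"

def try_base64(data: bytes):
    """Return decoded bytes if data is strictly valid Base64, else None."""
    text = data.strip()
    if not text or len(text) % 4 != 0:
        return None
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error:
        return None

def inspect_download(name: str, data: bytes) -> dict:
    """Compare the claimed extension with the sniffed type; decode text bodies."""
    claimed = name.rsplit(".", 1)[-1].lower()
    claimed = {"jpg": "jpeg"}.get(claimed, claimed)
    actual = sniff_type(data)
    report = {"claimed": claimed, "actual": actual, "mismatch": claimed != actual}
    decoded = try_base64(data) if actual == "ascii-text" else None
    if decoded is not None:
        report["base64"] = decoded.decode("ascii", errors="replace")
    return report

# Body of leveltwo.jpeg as quoted in the write-up.
LEVEL2_BODY = b"aW5mb3NlY19mbGFnaXNfd2VhcmVqdXN0c3RhcnRpbmc="
# Constructed sample: the first bytes of a genuine JPEG (JFIF) file.
REAL_JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    print(inspect_download("leveltwo.jpeg", LEVEL2_BODY))
    print(inspect_download("photo.jpg", REAL_JPEG_HEAD))
```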
Level 3
URL: http://ctf.infosecinstitute.com/levelthree.php
Bounty: $30
Tools: QR Code Decoder, Morse Code Encrypting/Decrypting
Resources: QR Code, Morse Code
Solution:
Level 3 brings us to ctf.infosecinstitute.com/levelthree.php, which shows a QR Code and a loading bar. So, let's save this QR code image and take a look at it. Right click on the QR code image and select Save image as.
Once the QR code image is saved we'll want to see what data is stored in the QR code. To do this just go to an online QR Code Decoder website. Then, upload the picture and submit it to be decoded.
When the QR code is decoded we see the raw text is what appears to be Morse Code.
Now we just need to decrypt the Morse code. I went to an online Morse Code Encrypting/Decrypting website. Just copy the Morse code and paste it to the website. Then select Decrypt from the drop down. We can see that the Morse code decrypted into "INFOSECFLAGISMORSING", which is our flag.
Flag: INFOSECFLAGISMORSING
Level 3 finished! We are making progress.
Level 4
URL: http://ctf.infosecinstitute.com/levelfour.php
Bounty: $40
Tools: ROT13 Decoder, Caesar Cipher Decoder
Resources: HTTP Cookies, View Cookies, Caesar Cipher, ROT13
Solution:
We start Level 4 by going to http://ctf.infosecinstitute.com/levelfour.php. On this page we can see a picture of the Cookie Monster and a message that says "HTTP means Hypertext Transfer Protocol". Because the message is talking about HTTP and the picture is of the Cookie Monster, I'm going to assume this challenge is about HTTP Cookies.
So let's take a look at the cookies for this website. In Chrome this is done by right clicking on the paper symbol next to the URL. Then click on Show cookies and site data. (For other browsers check out this link)
Now we will see a few different domains listed. But we only want to take a look at the cookies for the ctf.infosecinstitute.com domain. So just click the arrow on the left to show its contents. Then expand the Cookies container. Now we can see the cookies for this site. After looking at the different cookies you'll come across one named fusrodah. You'll see that the content of this cookie is "vasbfrp_syntvf_jrybirpbbxvrf", which looks similar to the structure of the other flags we've found so far.
The cookie content starts off with "vasbfrp_syntvf_", which is 7 letters, underscore, 6 letters, underscore, which is just like "infosec_flagis_". This makes me think that the cookie is either a Caesar Cipher or ROT13. So I used an online ROT13 Decoder, but a Caesar Cipher Decoder, with a rotation of 13, would also work. Either tool will get you the flag "infosec_flagis_welovecookies".
Flag: infosec_flagis_welovecookies
Level 4 done! That wasn't too hard. Was it?
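The reasoning in Level 4 (same word shape as "infosec_flagis_", so probably a rotation cipher) can be checked mechanically. This added example, which is not part of the original write-up, lines the known prefix up against the cookie value, confirms that every letter pair implies the same rotation, and only then decodes; the function names and the second sample input are constructed for illustration.

```python
import string

def caesar_shift(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift`; digits and '_' pass through unchanged."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)

def implied_shifts(cipher_prefix: str, crib: str) -> set:
    """Rotation implied by each (plaintext letter, ciphertext letter) pair."""
    return {
        (ord(p) - ord(c)) % 26
        for p, c in zip(crib, cipher_prefix)
        if p.isalpha() and c.isalpha()
    }

def recover(ciphertext: str, crib: str = "infosec_flagis_"):
    """Return (shift, plaintext) if the text is a rotation of the crib, else None."""
    prefix = ciphertext[: len(crib)].lower()
    if len(prefix) < len(crib):
        return None
    # The word shape must match: underscores in exactly the same positions.
    if [ch == "_" for ch in prefix] != [ch == "_" for ch in crib]:
        return None
    shifts = implied_shifts(prefix, crib)
    if len(shifts) != 1:
        return None  # letters disagree, so this is not a single rotation
    shift = shifts.pop()
    return shift, caesar_shift(ciphertext, shift)

# Cookie value quoted in the write-up.
COOKIE = "vasbfrp_syntvf_jrybirpbbxvrf"
# Constructed sample with the right shape that is not a rotation of the crib.
NOT_CAESAR = "abcdefg_hijklm_x"

if __name__ == "__main__":
    print(recover(COOKIE))
    print(recover(NOT_CAESAR))
```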
Level 5
URL: http://ctf.infosecinstitute.com/levelfive.php
Bounty: $50
Tools: Steganographic Decoder, Binary to ASCII converter
Resources: JavaScript, Alert, Disabling JavaScript in the browser, Steganography, Binary code, ASCII
Solution:
HACKER!!! Looks like Level 5 detected our presence. Well, this is just a JavaScript alert that is looping on the page. Even if you click OK, the message will keep coming back.
To stop this alert we need to block JavaScript from running on the page. This can be done by using an add-in or extension or just by Disabling JavaScript in the browser. In Chrome just go to Settings, then click on Show advanced settings, next click on Content settings, then select Do not allow any site to run JavaScript.
Once the JavaScript is disabled go back to the Level 5 page. This time we see a picture. So, let's save this picture (aliens.jpg) and take a look at it.
After looking at a few things I discovered that the picture is using Steganography to hide text in the picture. To extract this text from the picture I used an online Steganographic Decoder. Just upload the picture and submit it without a password.
Looks like the text found in the picture is Binary code.
Now we just need to translate the Binary code to ASCII text so that we can read it. To do this I used an online Binary to ASCII converter. I found that the Binary converted to the flag "infosec_flagis_stegaliens".
Flag: infosec_flagis_stegaliens
Level 5 down! Just 10 more to go.
Level 6
URL: http://ctf.infosecinstitute.com/levelsix.php
Bounty: $60
Tools: Wireshark, Hex to ASCII converter
Resources: Pcap, TCP, UDP, Wireshark, Hexadecimal
Solution:
Is that Clippy?!? I haven't seen him in a while. Anyways, Level 6 shows us an image of Clippy and text saying "Do you want to download sharkfin.pcap file?".
So, let's just click on the Yes button to download the file. We now have a file sharkfin.pcap to look at. Pcap files are packet captures that hold network traffic information. To look at this file we'll use a popular packet analyzer called Wireshark. When we look at this pcap we see lots of TCP traffic that doesn't get us anywhere, but if we look at the very first packet, which is UDP, we find something interesting. The data being transferred is Hexadecimal (hex), "696e666f7365635f666c616769735f736e6966666564". So we just want to right click on Text, then copy this hex value.
Now we want to use a Hex to ASCII converter so we can convert the hex to readable ASCII text. We can see that the hex converted to the flag "infosec_flagis_sniffed".
Flag: infosec_flagis_sniffed
Level 6 completed!
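The same triage Wireshark does by hand in Level 6 (skip the TCP noise, read the UDP payload, convert the hex) can be scripted with the standard library. This is an added example, not part of the original write-up: it runs against a small capture constructed inline rather than the real sharkfin.pcap, and it assumes the hex string travels as ASCII text in the UDP payload; addresses, ports and function names are made up.

```python
import struct

# Hex string quoted in the write-up; assumed to be the UDP payload as ASCII text.
HEX_TEXT = b"696e666f7365635f666c616769735f736e6966666564"

def frame(proto: int, l4: bytes) -> bytes:
    """Constructed Ethernet + IPv4 frame around a layer-4 segment."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def build_pcap(frames) -> bytes:
    """Constructed capture: classic little-endian pcap, link type Ethernet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def udp_payloads(pcap: bytes) -> list:
    """Walk the packet records and return the payload of every IPv4/UDP packet."""
    if struct.unpack_from("<I", pcap)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    found, off = [], 24  # the global header is 24 bytes
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        pkt = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 42 or pkt[12:14] != b"\x08\x00" or pkt[23] != 17:
            continue  # truncated, not IPv4, or not UDP (protocol 17)
        udp = 14 + (pkt[14] & 0x0F) * 4  # Ethernet header + IPv4 header length
        if udp + 8 > len(pkt):
            continue
        length = struct.unpack_from("!H", pkt, udp + 4)[0]
        found.append(pkt[udp + 8: udp + length])
    return found

def hex_to_text(payload: bytes):
    """Decode an ASCII hex payload to text; None if it is not hex."""
    try:
        return bytes.fromhex(payload.decode("ascii")).decode("ascii")
    except ValueError:  # also covers UnicodeDecodeError
        return None

def sample_capture() -> bytes:
    """One UDP packet carrying HEX_TEXT, followed by one dummy TCP packet."""
    udp = struct.pack("!HHHH", 40000, 40001, 8 + len(HEX_TEXT), 0) + HEX_TEXT
    return build_pcap([frame(17, udp), frame(6, b"\x00" * 20)])

if __name__ == "__main__":
    for payload in udp_payloads(sample_capture()):
        print(payload, "->", hex_to_text(payload))
```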
Level 7
URL: http://ctf.infosecinstitute.com/404.php, http://ctf.infosecinstitute.com/levelseven.php
Bounty: $70
Tools: DevTools, Base64 decoder
Resources: Headers, DevTools, Base64
Solution:
This challenge brings us to http://ctf.infosecinstitute.com/404.php and the page says "f00 not found, Something is not right here???, btw...bounty $70". 404.php doesn't seem right...
All the other challenges went to the levelnumber.php (Ex: levelsix.php). So let's go to http://ctf.infosecinstitute.com/levelseven.php. When we do this it brings us to a blank page, but at least we know this page exists. So we need to look a little closer. After looking around a bit I found something in the page's headers. To get to the page headers in Windows, press F12 to open the Developer Tools for the browser. Then go to the Network tab, and then the Headers tab. In the headers I found a Base64 encoded message, "aW5mb3NlY19mbGFnaXNfeW91Zm91bmRpdA==".
Now let's use an online Base64 decoder to see what this message says. The Base64 returns back the flag "infosec_flagis_youfoundit".
Flag: infosec_flagis_youfoundit
Level 7 completed!
Level 8
URL:
Bounty: $80
Tools:
Resources:
Solution:
Coming soon...
Flag:
Level 8 completed!
Level 9
URL:
Bounty: $90
Tools:
Resources:
Solution:
Coming soon...
Flag:
Level 9 completed!
Level 10
URL: http://ctf.infosecinstitute.com/levelten.php
Bounty: $100
Tools: Audacity
Resources: Wav
Solution:
Level 10 shows you a picture of Sméagol, from the Lord of the Rings, saying "Not Listening, I'm not listening.". And there is text saying "What kind of sound is this? Sorcery perhaps??". Also, there is a button that says Listen.
If we click on this Listen button it redirects us to a Flag.wav file that plays a squeaky, high-pitched sound. Let's download this file to take a closer look. Just right click on the page and select Save as.
Because the sound was high pitched it made me think that the sound was being played at a fast speed. So, I downloaded and used Audacity to slow it down. Once I had the Flag.wav file opened with Audacity, I changed the Playback Speed to 0.15x. Now I can hear the sound at a slow enough speed to know that it is saying "infosec_flagis_sound".
Flag: infosec_flagis_sound
Level 10 completed!
Level 11
URL:
Bounty: $110
Tools:
Resources:
Solution:
Coming soon...
Flag:
Level 11 completed!
Level 12
URL:
Bounty: $120
Tools:
Resources:
Solution:
Coming soon...
Flag:
Level 12 completed!
Level 13
URL:
Bounty: $130
Tools:
Resources:
Solution:
Coming soon...
Flag:
Level 13 completed!
Level 14
URL:
Bounty: $140
Tools:
Resources:
Solution:
Coming soon...
Flag:
Level 14 completed!
Level 15
URL:
Bounty: $150
Tools:
Resources:
Solution:
Coming soon...
Flag:
Level 15 completed!
More Levels Coming Soon...
I was able to solve all the Levels. I'm sorry, but I haven't had time to post them all yet. I'll be continuing to update this post with solutions when I get time. In the meantime, continue to try the rest of the levels on your own. You'll be surprised at what you can figure out on your own by doing a little research. Also, check out my Resources page. You might find something helpful there.