The Student Room Group

Cyberstart Game L13 C1

Can anyone please help me with Level 13 Challenge 1 on the CyberStart Game? I'm really stuck. I can help with any challenge before that in exchange if you'd like.

Reply 1
I need help with l13 c1, c4 and c9. I have been stuck on them for a long time. Can anybody tell me if I am on the right track?
Reply 2
Original post by kirthir
I need help with l13 c1, c4 and c9. I have been stuck on them for a long time. Can anybody tell me if I am on the right track?

Have you gotten these?
L13 c1 was spam for dinner, you had to manipulate the page source to change the captcha that was displayed. quite literally, just do that five times and you are in.
L13 C4 was Server Strike, and you really didn't have to do much to strike the server. just sign in and browse around. there is a file there that will uh, stand out a bit. once you get that file to your own PC the rest of the task can be done offline.
something something username something...

Still haven't cracked L13 C09 "Encrypted"... There's a string in the exe that looks like it's encrypted or encoded, but I can't figure out how to open it.
swi&CNJCtPVbCyyAmNG8PqFZsYpyXegEQRGt - the swi& might be the key, the rest of it is a 32 character string... gdb doesn't do anything to decrypt it as far as I can tell, but I am not a pro with gdb. If you figure it out, I would love to hear about it.

All I have left to do in this entire game is the last 4 of HQ L13. (I've got 142300 pts)
I've only used one hint and it wasn't helpful at all, so I haven't used any more. hahah!
Original post by 1111aaaa2
L13 c1 was spam for dinner, you had to manipulate the page source to change the captcha that was displayed. quite literally, just do that five times and you are in.
L13 C4 was Server Strike, and you really didn't have to do much to strike the server. just sign in and browse around. there is a file there that will uh, stand out a bit. once you get that file to your own PC the rest of the task can be done offline.
something something username something...

Still haven't cracked L13 C09 "Encrypted"... There's a string in the exe that looks like it's encrypted or encoded, but I can't figure out how to open it.
swi&CNJCtPVbCyyAmNG8PqFZsYpyXegEQRGt - the swi& might be the key, the rest of it is a 32 character string... gdb doesn't do anything to decrypt it as far as I can tell, but I am not a pro with gdb. If you figure it out, I would love to hear about it.

All I have left to do in this entire game is the last 4 of HQ L13. (I've got 142300 pts)
I've only used one hint and it wasn't helpful at all, so I haven't used any more. hahah!

I've done String cruncher but, i can't figure out Binary memories and seashell. Also L10:C12 and L11:07 have me stuck
Original post by hello1523
I've done String cruncher but, i can't figure out Binary memories and seashell. Also L10:C12 and L11:07 have me stuck


*I can help you with string cruncher
Original post by hello1523
I've done String cruncher but, i can't figure out Binary memories and seashell. Also L10:C12 and L11:07 have me stuck

I can help with those. Let me sit down with them again and get back to you. I would love a hint or two for strings cruncher too. :smile:
Original post by 1111aaaa2
I can help with those. Let me sit down with them again and get back to you. I would love a hint or two for strings cruncher too. :smile:


Ok thank you so much
for string cruncher,
decode each line from base 64 - one of them will be hex (also each line is more than just what you see on the screen like if it doesn't have an = on the end try copying it again)
then put the string that decodes into hex into the box(in encoded form)

there's a few steps after that but they are fairly simple and hint - involve xor - good luck
Original post by hello1523
Ok thank you so much
for string cruncher,
decode each line from base 64 - one of them will be hex (also each line is more than just what you see on the screen like if it doesn't have an = on the end try copying it again)
then put the string that decodes into hex into the box(in encoded form)

there's a few steps after that but they are fairly simple and hint - involve xor - good luck

Ahh, that was what I was missing. Pasting the original string into the field provided. - but wow, you were right, there were a few more steps to go after that.
Another issue I was having was with the xor step.
For anyone else who is truly stumped on this one, don't try to use an online XOR tool with these huge strings.
Just use python to print the bitwise XOR of them like
>>> a = 0xAbCd1234 # Don't forget to include the 0x
>>> b = 0xFfA57714
>>> print(hex(a ^ b)) # This prints a bitwise XOR of the two hex values like so...
0x54686520

You know you are on the right track when your XOR results in hex values between (0x) 41 and 7A with a few 0x20's here and there.
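The XOR step and the "right track" check described above, as an added example that is not part of the original post: it XORs byte by byte so long strings and leading zero bytes survive, then applies the 0x41-0x7A plus 0x20 heuristic. The function names, the 0.9 threshold and the "Hello World" sample are assumptions made for illustration.

```python
def hex_to_bytes(value: str) -> bytes:
    """Accept hex with or without a leading 0x; keep every byte, leading zeros included."""
    value = value.strip()
    if value.lower().startswith("0x"):
        value = value[2:]
    if len(value) % 2:  # odd digit count: pad to whole bytes
        value = "0" + value
    return bytes.fromhex(value)


def xor_hex(a_hex: str, b_hex: str) -> bytes:
    """Byte-wise XOR of two equal-length hex strings."""
    a, b = hex_to_bytes(a_hex), hex_to_bytes(b_hex)
    if len(a) != len(b):
        raise ValueError(f"length mismatch: {len(a)} vs {len(b)} bytes")
    return bytes(x ^ y for x, y in zip(a, b))


def looks_like_text(data: bytes, threshold: float = 0.9) -> bool:
    """Heuristic from the post: most bytes in 0x41-0x7A, plus some 0x20 spaces.

    The threshold is an assumption of this example, not a value from the post.
    """
    if not data:
        return False
    hits = sum(1 for c in data if 0x41 <= c <= 0x7A or c == 0x20)
    return hits / len(data) >= threshold


# The two values quoted in the post above.
POST_RESULT = xor_hex("0xAbCd1234", "0xFfA57714")

# Constructed sample (made-up message and key, not challenge data).
SAMPLE_KEY = "0f1e2d3c4b5a69788796a5"
SAMPLE_CT = xor_hex(b"Hello World".hex(), SAMPLE_KEY).hex()

if __name__ == "__main__":
    print(POST_RESULT, looks_like_text(POST_RESULT))
    plain = xor_hex(SAMPLE_CT, SAMPLE_KEY)
    print(plain, looks_like_text(plain))
    # XOR output that is not text fails the heuristic.
    print(looks_like_text(bytes.fromhex(SAMPLE_CT)))
```

Unlike `hex(a ^ b)` on integers, the byte-wise version keeps a result byte of 0x00 at the front instead of silently dropping it.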
Original post by hello1523
I've done String cruncher but, i can't figure out Binary memories and seashell. Also L10:C12 and L11:07 have me stuck


In Binary Memories, HQ level 13 C6, there is some plain text in the binary, but it is spaced out with nulls into parts with 3 characters each so it gets ignored by the strings command. If you cat the file it stands out quite proud. If you have made it this far I am sure you probably know the text I am referring to...

The tip that is provided on this one is "gdb unscramble", and again, if you have made it this far I assume you are somewhat familiar with gdb by now, and that's where we are headed next.
If you haven't done so already, I HIGHLY recommend you go get gdb-peda. It's a plugin for gdb and it really makes gdb much more usable by displaying your registers and stack right there on screen every step of the way.
load up the bin into gdb and start it. A temporary breakpoint will get you into the main function. and typing disassemble will show you the code.
now, there is a number of ways to skin this pig, but you would do well to spend some time getting really familiar with the functions and disassembled code. Paying close attention to the eax register.
step through this manually a bunch of times and watch what is happening to the eax register. This is really easy to do with gdb-peda, because you don't have to manually print the eax register after every step. *take note of what goes into there.

Every once in a while I like to refer back to the briefing to see if anything stands out differently now that I have been poking around. what was that tip again? gdb unscramble? what am I seeing in the eax register again?

By this point, you can literally solve this with pen and a notepad without even stepping through the program. - that's how I did it anyway. - but you can also set breakpoints at every place in the program where the mov eax,ds:0xSomeHex gets completed.

I don't want to spoil it completely, so I'll stop here. if you still need help, I'll add some more nudging, but I really think you can get it from here.
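Why the `strings` command misses text stored this way, as an added example that is not part of the original post: `strings` only reports printable runs of at least 4 bytes by default, so 3-character pieces separated by NULs never qualify. The function names and the sample bytes are constructed for illustration and are not taken from the challenge binary.

```python
import re

PRINTABLE = rb"[\x20-\x7e]"


def printable_runs(data: bytes, min_len: int = 4) -> list:
    """Like strings(1): printable ASCII runs of at least min_len bytes."""
    pattern = re.compile(PRINTABLE + rb"{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def null_spaced_text(data: bytes, chunk: int = 3, min_chunks: int = 2) -> list:
    """Find text stored as chunk-sized pieces split by NULs and join the pieces."""
    pattern = re.compile(
        rb"(?<!" + PRINTABLE + rb")(?:" + PRINTABLE
        + rb"{%d}\x00+){%d,}" % (chunk, min_chunks)
    )
    return [
        (m.start(), m.group().replace(b"\x00", b"").decode("ascii"))
        for m in pattern.finditer(data)
    ]


# Constructed sample: an ELF-like header, one ordinary string, then a message
# split into 3-byte pieces with a NUL after each piece.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/lib64/ld-linux-x86-64.so.2\x00"
    + b"\x90\x90"
    + b"".join(p + b"\x00" for p in (b"hid", b"den", b"_te", b"xt!"))
    + b"\xc3"
)

if __name__ == "__main__":
    print("default strings view:", printable_runs(SAMPLE))
    print("min length 3        :", printable_runs(SAMPLE, min_len=3))
    print("null-spaced text    :", null_spaced_text(SAMPLE))
```

Running `strings -n 3` on a file lowers the same threshold, but it prints each piece on its own line; joining them is what makes the text readable.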
L10c12
Dear John

One sec, I have to figure this one out again...
(time passes)
Ahh, OK. so with this one they provide you with two files: an executable (elf) and a wordlist. the same wordlist they use all over.
if you run the program in a linux terminal, (I use kali in wsl on windows 10) it says you need to feed it a wordlist.
so if the program is called L10c12.elf and your word list is words.txt, you run L10c12.elf words.txt - OK so far.
This will just spam your screen with the contents of the list and bring you back to a prompt. but we expected that since the briefing says our password isn't in the list.

Tip: They want you to use John, obviously. They said the word is similar to a word on the list, so you want to make a new list of similar words, which a couple google searches will reveal is called "mangling". I searched google for "how to use johnn to generate wordlist from wordlist" (typo and all) and found the answer on the openwall page. the command syntax is disarmingly simple.
You just need to create a new wordlist from that using john the ripper.
Original post by 1111aaaa2
In Binary Memories, HQ level 13 C6, there is some plain text in the binary, but it is spaced out with nulls into parts with 3 characters each so it gets ignored by the strings command. If you cat the file it stands out quite proud. If you have made it this far I am sure you probably know the text I am referring to...

The tip that is provided on this one is "gdb unscramble", and again, if you have made it this far I assume you are somewhat familiar with gdb by now, and that's where we are headed next.
If you haven't done so already, I HIGHLY recommend you go get gdb-peda. It's a plugin for gdb and it really makes gdb much more usable by displaying your registers and stack right there on screen every step of the way.
load up the bin into gdb and start it. A temporary breakpoint will get you into the main function. and typing disassemble will show you the code.
now, there is a number of ways to skin this pig, but you would do well to spend some time getting really familiar with the functions and disassembled code. Paying close attention to the eax register.
step through this manually a bunch of times and watch what is happening to the eax register. This is really easy to do with gdb-peda, because you don't have to manually print the eax register after every step. *take note of what goes into there.

Every once in a while I like to refer back to the briefing to see if anything stands out differently now that I have been poking around. what was that tip again? gdb unscramble? what am I seeing in the eax register again?

By this point, you can literally solve this with pen and a notepad without even stepping through the program. - that's how I did it anyway. - but you can also set breakpoints at every place in the program where the mov eax,ds:0xSomeHex gets completed.

I don't want to spoil it completely, so I'll stop here. if you still need help, I'll add some more nudging, but I really think you can get it from here.


oh lol i had found the flag already with a different command but i had put "367" in front of it which is why it said the flag was wrong(obv). Thanks for your help. If you haven't done it already, i have made some progress on silver service and i am willing to share. Still can't figure out seashell though lol
Original post by hello1523
I've done String cruncher but, i can't figure out Binary memories and seashell. Also L10:C12 and L11:07 have me stuck


I am also unable to figure out l11:c07. Any help would be greatly appreciated. Thank you
Original post by cybernoob2131
I am also unable to figure out l11:c07. Any help would be greatly appreciated. Thank you


I am trying to reply to this, but I think I got blocked somehow. :frown:
Original post by hello1523
oh lol i had found the flag already with a different command but i had put "367" in front of it which is why it said the flag was wrong(obv). Thanks for your help. If you haven't done it already, i have made some progress on silver service and i am willing to share. Still can't figure out seashell though lol


I would love to know more about how you are getting along with silver service. I am having trouble posting my writeup about L11c07 I think some of the code is making the site mad. Perhaps I am just posting too much and don't have enough rep. I dunno.

that challenge is designed to teach you how to overflow an input buffer on an application that compares your input to a known value.

Any time a program does a comparison of your input to some data it has stored, it has to tip its hand somewhere in there. I use gdb to get around it by flipping a bit from a jump if not equal, to a jump if equal, (or vice versa) and just skip to the "success!" part of the code.

I couldn't find the silver bullet google search to point you in the right direction, but I will say that "man printf" from your linux bash prompt will certainly suffice.

try different stuff in the printf function on the command line for that app. I'll try to post more, but I don't know what will get me blocked.

I am really new here, so that might be the reason. I dunno.
Seashell was a real tough one.
You have to take the escaped hex codes from the email, (that's a big giveaway for the l11c07 one by the way)
then you need to compile them into a C program using gcc.
Headquarters Base Level 13 challenge 7
Remember: Text can be interpreted as hex assembly codes.

the challenge says you intercepted a message and need to figure out what it says. It includes several lines of escaped hex, which turns out to be a snippet of assembly code.
The red herring is that there is a bunch of text in the file that spells out "shellcode_is_code_code_is_shellcode".
That is because the hex in that text can be read as text or read as code.


Do a search for "online x86 assembler" and you will find one on defuse. you can paste the escaped hex into there and see what it does.
It's not very helpful, but it's cool to see it in action.

Next you will want to do a search for "Executing shellcode in C" and the top link is to tuttlem on github. that link helped me the most.
In that page there is a section on execution with a bit of code there. I took that and replaced their escaped hex and put the hex from our email in there.

getting it to compile was the next hurdle...
you will get a lot of errors, but if you search for those errors you will find a bunch of command line options that were designed to handle those errors specifically. Good luck!
Thanks. So for silver service - sorry if you have already found this out, you probably have - but the first line, xrl, and vi can be decoded with rot cipher. The 0n and 0j ones are ascii. Once you do all of this you'll find that it's aes. After putting it in cyberchef aes decrypt is the part where I get stuck.
yeah, no luck decrypting it with openssl in the bash prompt either...
I can't figure out if I am supposed to rot 13 the key and iv, or rot13 the key and reverse the iv before converting them to hex and trying to use them for aes decrypt. no luck so far. (because VI is IV backwards too, not just rot13.)

what do you suppose is the significance of the n's and j's in the AES and CBC lines? Why is the first letter of Prepare to be confused! P and not X?
Are the carets in the eyes of the little face on line 2 meaningful? In python, those are bitwise XOR symbols.

So I just stumbled onto something. I just pumped the "string" they give us into a text file using echo -n, the string, and piped it through base64 -d into the file. then I used the "file" command on it, and it shows that it is a "PGP Secret Sub-Key -" - that's gotta mean something.
HMM..... I'll keep at it. let me know if you need more help with anything else.
Original post by 1111aaaa2
Seashell was a real tough one.
You have to take the escaped hex codes from the email, (that's a big giveaway for the l11c07 one by the way)
then you need to compile them into a C program using gcc.
Headquarters Base Level 13 challenge 7
Remember: Text can be interpreted as hex assembly codes.

the challenge says you intercepted a message and need to figure out what it says. It includes several lines of escaped hex, which turns out to be a snippet of assembly code.
The red herring is that there is a bunch of text in the file that spells out "shellcode_is_code_code_is_shellcode".
That is because the hex in that text can be read as text or read as code.


Do a search for "online x86 assembler" and you will find one on defuse. you can paste the escaped hex into there and see what it does.
It's not very helpful, but it's cool to see it in action.

Next you will want to do a search for "Executing shellcode in C" and the top link is to tuttlem on github. that link helped me the most.
In that page there is a section on execution with a bit of code there. I took that and replaced their escaped hex and put the hex from our email in there.

getting it to compile was the next hurdle...
you will get a lot of errors, but if you search for those errors you will find a bunch of command line options that were designed to handle those errors specifically. Good luck!


Hi, I keep getting a "Segmentation fault (core dumped)". Any tips?
Hey everyone, I'm done with moon base if anyone needs help there.

I have 6 left on Forensics, if anyone can help me with any of these it would be great

L07:C02, L07:C03, L07:C05
L08:C01, L08:C04, L08:C05

Thanks so much
(edited 1 year ago)
