plaidCTF 2014 - freya (misc250)
This challenge is part of the misc category:
freya Misc (200 pts)
-------------------
We've traveled back far, but this protocol looks familiar... Our reconnaissance team did a great job, they got us a data capture from the currently running systems and a private key from the server (shell.woo.pctf which resolves to 220.127.116.11). Take a look at the traffic our reconnaissance team picked up, and see if you can get access to The Plague's server, at 18.104.22.168.
with the following four files:
The task is pretty simple: somehow get access to shell.woo.pctf, probably by using SSH.
plaidCTF 2014 - curlcore (for250)
Last week we played plaidCTF with Eindbazen under the name 0xffa (can you figure out why that name?). Write-ups are mandatory in the rules, so let’s start with an easy one :-)
curlcore Forensics (250 pts)
-------------------
We managed to grab a memory dump off of The Plague's computer while he was making a secure download. We think he may have been looking for new places to hide the Prime Factorizer. Can you figure out what messages were sent through his computer?
For this challenge, you get 3 files:
- capture (a network capture)
- corefile (a memory dump)
- coremaps (the process’s memory map)
and the shell script that was used to generate those files:
```sh
#!/bin/sh
# Start a packet capture in the background, then run curl in a shell with core dumps enabled.
sudo rm /tmp/capture 2>/dev/null
sudo dumpcap -i eth0 -w /tmp/capture &
DUMPCAPPID=$!
sleep 1
# Attach gdb to curl mid-download, dump its memory and its mapping table, then detach.
OUTPUT="`/usr/bin/env -i /bin/dash -c 'ulimit -c unlimited; curl -k https://curlcore.local.plaidctf.com/flag.html & PID=$!; sleep 5; printf "generate-core-file\ninfo proc mappings\ndetach\n" | sudo gdb attach $PID; wait'`"
sleep 1
sudo kill -INT $DUMPCAPPID
wait
sudo chown `whoami` /tmp/capture
echo "$OUTPUT"
# Pull the core file path and the "info proc mappings" table out of gdb's output.
sudo mv "`echo "$OUTPUT" | grep -o 'Saved corefile .*$' | cut -c 16-`" /tmp/corefile
sudo chown `whoami` /tmp/corefile
echo "$OUTPUT" | awk '/Mapped address spaces/,/(gdb)/' | grep -v '(gdb)' > /tmp/coremaps
# Bundle every mapped file, the core, the mapping table, the capture and this script.
rm /tmp/curlcore.tgz 2>/dev/null
tar czf /tmp/curlcore.tgz `grep -o ' /.*$' /tmp/coremaps | sort -us | tr '\n' ' '` /tmp/corefile /tmp/coremaps /tmp/capture "$0"
```
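As an added example (not part of the write-up or the challenge files), a small Python helper that parses the coremaps table the script saved and translates an address from it into an offset in the ELF64 corefile, which is the lookup you need before you can read any of the process's memory out of the dump. The coremaps text and the minimal core file are constructed samples; the table layout assumed is the gdb 7-era "info proc mappings" format the script's awk range extracts.

```python
import re
import struct
from collections import namedtuple

Mapping = namedtuple("Mapping", "start end offset objfile")

# Constructed sample in the gdb 7-era "info proc mappings" layout that the script saved as /tmp/coremaps.
COREMAPS = """Mapped address spaces:

          Start Addr           End Addr       Size     Offset objfile
            0x400000           0x4a2000   0xa2000        0x0 /usr/bin/curl
      0x7f3b7c000000     0x7f3b7c21a000  0x21a000        0x0 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
      0x7f3b7d000000     0x7f3b7d021000   0x21000        0x0 [heap]
"""

LINE = re.compile(r"\s*(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+0x[0-9a-f]+\s+(0x[0-9a-f]+)\s*(\S.*)?$")

def parse_coremaps(text):
    """Turn the saved mapping table into (start, end, offset, objfile) rows; header lines do not match."""
    rows = [LINE.match(line) for line in text.splitlines()]
    return [Mapping(int(m[1], 16), int(m[2], 16), int(m[3], 16), (m[4] or "").strip()) for m in rows if m]

def mapping_for(maps, addr):
    """The mapping containing addr, or None when it is not mapped at all."""
    return next((m for m in maps if m.start <= addr < m.end), None)

def objfiles(maps):
    """The file list the script's tar line collects: every on-disk objfile, deduplicated."""
    return sorted({m.objfile for m in maps if m.objfile.startswith("/")})

def core_offset(core, addr):
    """Translate a virtual address to a byte offset in an ELF64 core by walking its PT_LOAD program headers."""
    if core[:5] != b"\x7fELF\x02":  # ELFCLASS64 only
        raise ValueError("not an ELF64 file")
    e_phoff, = struct.unpack_from("<Q", core, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", core, 0x36)
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz, _, _ = struct.unpack_from("<IIQQQQQQ", core, e_phoff + i * e_phentsize)
        if p_type == 1 and p_vaddr <= addr < p_vaddr + p_filesz:  # PT_LOAD whose bytes were written to the dump
            return p_offset + (addr - p_vaddr)
    return None  # not in the core: unmapped, or a segment gdb dumped with p_filesz 0

def build_demo_core(vaddr, data):
    """Constructed minimal ET_CORE ELF64 (x86-64) with one PT_LOAD segment, so the lookup runs offline."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 4, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 6, 120, vaddr, 0, len(data), len(data), 0x1000)
    return ehdr + phdr + data
```

A real corefile has many PT_LOAD segments, and gdb writes some of them with p_filesz 0 (for example file-backed read-only text), so a None result for a mapped address means the bytes must be taken from the objfile the tar bundle shipped, not from the core.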
Since we have a network capture of the https download, we need to find a way to decrypt the SSL communication…