This post is about a talk I gave, and the pre- and post-event activities around it, at Developer Circles, Pune and Bengaluru.
It all started with the DEFCON 2020 Red Team Village CTF. My team and I reached the Top 50, and it was just amazing for all of us. It was an enriching experience, solving challenges from a wide range of categories and learning new stuff in the process. One section of the CTF dealt with Malware Analysis; I was fascinated by this domain of security and have been learning about it since.
So, after a few days, when the excitement had settled, I was talking to the lead of Developer Circles: Pune, and she asked me if I could take an introductory session on Hacking and Capture the Flag events.
We wanted it to be a learning experience for people who were interested in security and wanted to start with something. For this, I came up with the idea of a small pre-event CTF challenge in which the attendees would have to find the name of the speaker.
“Stegosaurus ate my homework!”
We announced the event with this poster as its face. It looked different and weird, and hence grabbed people's attention. We crafted a small story around it and posted it in the community groups - DevC Pune and Bengaluru.
It was a Steganography challenge and focused on new folks interested in security and CTF. It was supposed to be the first CTF challenge for many people trying, so the pressure was high to make it fun and engaging while keeping it simple and easy.
What is Steganography?
The practice of concealing messages or information within other non-secret text or data, so that the actual data is disguised.
So, coming back to the challenge, the main things I wanted to focus on were the participants' attention to detail and, obviously, steganography.
The poster had lots of hashes and gibberish on it. The challenge involved downloading the image and trying to figure out the speaker’s details. Upon downloading, the name of the image itself stands out: ZGV2Y3t0aGlzX2lzX3lvdXJfcGFzc3dvcmR9.jpg - it looks like some kind of encoded string.
They had to take that file name and work out which encoding had been used. For that, my go-to is CyberChef, and upon checking, it reports that the string is base64 encoded.
The decoded text is the standard way a flag is represented in a jeopardy-style CTF. So that complete text is the flag, which suggests it is the password (but for what?). A few people got stuck with just the text inside the curly brackets, but that was not the case; we have to try all the permutations to see what works for us.
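The file-name step above as an added Python example (not part of the original challenge material): it decodes the image's file name and lists the passphrase variants worth trying. The variant list is an assumption about what "all the permutations" covers, and the function names are hypothetical.

```python
import base64
import binascii
import re
from pathlib import PurePath

# Jeopardy-style flag: prefix{inner_text}
FLAG_RE = re.compile(r"^(?P<prefix>\w+)\{(?P<inner>[^{}]+)\}$")

def decode_filename(name):
    """Return the base64-decoded stem of a file name, or None if it is not base64 text."""
    stem = PurePath(name).stem
    padded = stem + "=" * (-len(stem) % 4)      # restore stripped padding, if any
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def passphrase_candidates(flag):
    """List strings to try as the passphrase, whole flag first (assumed variants)."""
    candidates = [flag]
    match = FLAG_RE.match(flag)
    if match:
        inner = match.group("inner")
        candidates += [inner, inner.replace("_", " "), inner.replace("_", "")]
    return list(dict.fromkeys(candidates))      # keep order, drop duplicates

if __name__ == "__main__":
    # File name taken from the challenge poster described above.
    flag = decode_filename("ZGV2Y3t0aGlzX2lzX3lvdXJfcGFzc3dvcmR9.jpg")
    print("decoded:", flag)
    for candidate in passphrase_candidates(flag):
        print("try:", candidate)
```
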
Reading the challenge description, we find that a creature was mentioned - stegosaurus. After a bit of Google searching, we find that it is related to steganography.
So, there are other ways to get to know if the image is a steganography image or not, there are tools like binwalk that will tell us that there is something else that we have in the file which suggests steganography.
We have the password and we have an image, now we have to find out tools using which we can extract the data. We can use CLI tools like steghide to obtain the required information but we can also use online hosted tools like Steganographic Decoder.
Upon submitting the form, we get the details of the speaker!
The Talk!
The talk received over 600 views and 130 comments, followed by many interesting questions and discussions with the amazing community members of Developer Circles, Pune and Bengaluru. This was a success, and I am grateful that people found they had something to take back from my talk.
Did you git it?
Seeing the response to the previous challenge, Sangeeta asked me to bring in one more challenge, as people tend to learn a lot from them.
So, I worked out a small challenge, where the objective was to find the flag. As it was a beginner challenge, I kept open several doors and made it super easy to get into.
So, basically the challenge was to download an archived repository which included an executable and using that we had to find out the flag.
The first step was to identify how the application works, and upon using the application for a while, it was evident that it encodes the text in ROT47 and decodes it. There was an admin account and that looked juicy.
Using all the information they had, they needed to find the flag. There are several ways to do this, by using hex editors, decompilers, etc., but for beginners these might look a bit intimidating, so there are easier ways to achieve the desired task.
The repo that was presented to them contains a .git directory, resembling a git repo. This means we can treat it as a git repo and run git commands to see what we have.
git status showed me that there are a few files that look interesting. They are removed but not committed, and we can leverage this to retrieve these files.
Several things can be done, like git diff to see the changes made in these files, which gives us enough information to crack open the challenge. But the thing I like doing is:
git checkout .
And we have an encoded string in creds.txt, which can be decoded by the same tool and can act as the password for the admin account, hence giving the flag.
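Why the deleted files come back, as an added Python example that is not the challenge's own code and goes one step beyond the git commands above: the contents are still stored under .git/objects, so shipping the .git directory ships the secrets. It assumes loose (unpacked) objects, and the repository skeleton, the sample password and the function names are constructed for illustration.

```python
import hashlib
import tempfile
import zlib
from pathlib import Path

def rot47(text):
    """Rotate printable ASCII ('!'..'~') by 47 places; applying it twice is the identity."""
    return "".join(
        chr(33 + (ord(ch) - 33 + 47) % 94) if 33 <= ord(ch) <= 126 else ch
        for ch in text
    )

def write_loose_blob(git_dir, content):
    """Store bytes as git does: zlib("blob <len>\\0" + content) at objects/<2 hex>/<38 hex>."""
    store = b"blob %d\x00" % len(content) + content
    oid = hashlib.sha1(store).hexdigest()
    path = Path(git_dir, "objects", oid[:2], oid[2:])
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(zlib.compress(store))
    return oid

def read_loose_blobs(git_dir):
    """Yield (object id, content) for every loose blob in the object store."""
    for path in sorted(Path(git_dir, "objects").glob("??/*")):
        kind, _, rest = zlib.decompress(path.read_bytes()).partition(b" ")
        if kind == b"blob":
            yield path.parent.name + path.name, rest.split(b"\x00", 1)[1]

def recover_secrets():
    """Build a constructed .git skeleton, then recover and ROT47-decode its blobs."""
    with tempfile.TemporaryDirectory() as tmp:
        git_dir = Path(tmp, ".git")
        # Constructed stand-in for creds.txt: a ROT47-encoded sample password.
        write_loose_blob(git_dir, rot47("s3cret-Sample!").encode() + b"\n")
        return [rot47(data.decode().strip()) for _, data in read_loose_blobs(git_dir)]

if __name__ == "__main__":
    # The working-tree file was never written, yet its content is recoverable.
    print(recover_secrets())
```

Before publishing an archive, the same walk over .git/objects (or simply checking that no .git directory is included) shows what a recipient can restore.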
It was a long post! 😅 Hoooh!
But the experience was amazing ❤️ Looking forward to giving more talks and organizing events like these. Especially, I want to thank Facebook Developer Circles, Pune and Sangeeta. She is just so welcoming of new ideas and even supports in implementing those. I learned a lot during the session as well, the kind of engagement she was able to create amongst the audience and the amount of quality questions that came up was really impressive.
Thanks all!