Challenge Brigitte Friang - COROS CTF

COROS CTF write-up

After you got an entry link by solving one of the four entry challenges, which I am talking about here, you had to create an account on the “real” CTF page.

There were 14 challenges
Challenge List
The minimum point award was 50pts, and it could go up to 400pts for the most difficult challenges.

I flagged five challenges, which means about 450pts.
To be honest, I am very happy because I didn’t expect that I could solve one of these.

So, there are only five of the fourteen challenges.
Challenges completed

Sous l’ocean

  • 50pts
  • Cat. Forensics

Description:

They found Eve Descartes and they received an anonymous file from an Android phone. I had to find some information in the position history.

This file was a memdump from an Android device.
I found some GPS locations, and I thought that’s gonna be a location with the flag written on the ground or in a Google comment.
I was totally wrong.

The coordinates I found:

Last Known Locations:
gps: Location[gps 37.421998,-122.084000 hAcc=20 et=+8m21s703ms alt=5.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
passive: Location[gps 37.421998,-122.084000 hAcc=20 et=+8m21s703ms alt=5.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
Last Known Locations Coarse Intervals:
gps: Location[gps 37.421998,-122.084000 hAcc=20 et=+43s355ms alt=5.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
passive: Location[gps 37.421998,-122.084000 hAcc=20 et=+43s355ms alt=5.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
Custom Location History :
Custom Location 1
gps: Location[gps -47,1462046 30,9018186 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -47,1963297 30,9012294 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -47,1970164 30,8641039 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -47,1438013 30,8652827 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -47,1448313 30,9642508 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
Custom Location 2
gps: Location[gps -47,0820032 30,8641039 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -47,1300684 30,8643986 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -47,1304118 30,9006402 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -47,0789133 30,9003456 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -47,0847498 30,8131067 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -47,1307551 30,8148758 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -47,1304118 30,8340395 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -47,1084391 30,8319759 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
Custom Location 3
gps: Location[gps -47,0631205 30,8649880 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -47,0322214 30,9015240 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -47,0047556 30,8608621 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -47,0411478 30,8632198 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
Custom Location 4
gps: Location[gps -46.9934318 30.8750074 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.9481132 30.874418 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.953263 30.9085939 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.9961784 30.9047644 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.9927451 30.8511361 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.9457099 30.8508414 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
Custom Location 5
gps: Location[gps -46.9295737 30.8517256 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.9072578 30.8926859 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.8797919 30.853494 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.9137809 30.8505466 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
Custom Location 6
gps: Location[gps -46.8571326 30.8912128 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.856446 30.8484834 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
Custom Location 7
gps: Location[gps -46.8173416 30.8745954 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.7703064 30.8743007 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.7778595 30.9096549 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.8242081 30.904058 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.8125351 30.8404074 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.7733963 30.8474818 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
Custom Location 8
gps: Location[gps -46.7438706 30.8772474 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.7009552 30.8784261 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.7054184 30.9034689 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.7479904 30.8978716 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.7376908 30.8474818 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.7115982 30.8498398 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
Custom Location 9
gps: Location[gps -46.6456803 30.926149 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.6625031 30.9264435 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.6611298 30.8748901 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.6473969 30.8657549 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.6580399 30.8563241 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.6587265 30.8014891 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.6377838 30.7985401 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
Custom Location 10
gps: Location[gps -46.5794168 30.8664391 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.5780435 30.9070986 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.617869 30.9082768 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.6213022 30.8463976 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.575297 30.8428605 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.5746103 30.869386 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
Custom Location 11
gps: Location[gps -46.5114389 30.9053311 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.5443979 30.904742 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.5395914 30.8351962 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.4997659 30.8351962 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
Custom Location 12
gps: Location[gps -46.4729868 30.9006178 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.433848 30.9017961 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.433848 30.8623132 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.4695535 30.8623132 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.433848 30.8629027 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.4297281 30.8222244 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.4674936 30.8269416 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
Custom Location 13
gps: Location[gps -46.3644968 30.8204554 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.3727365 30.9076877 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.4214884 30.8682072 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.3425241 30.8629027 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
Custom Location 14
gps: Location[gps -46.3184915 30.8198657 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.3219248 30.9041528 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.2752329 30.8169173 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.2793527 30.9035636 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
Custom Location 15
gps: Location[gps -46.247767 30.921826 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.2196146 30.9212369 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.2154947 30.8646709 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.2409006 30.8469871 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.2100015 30.8346066 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.2120615 30.7827088 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]
gps: Location[gps -46.2450205 30.7762196 hAcc=20 et=??? alt=0.0 vel=0.0 bear=0.0 vAcc=??? sAcc=??? bAcc=??? {Bundle[{satellites=0, maxCn0=0, meanCn0=0}]}]

Finally I discovered that I probably had to pin each location on a map, with its coordinates.
So I tried, and it looks…
Ocean Dots
… interesting.

I tried to guess a word or something, but these symbols look like brackets:
Ocean Dots

And the flag format is:
DGSESIEE{x}

Then I saw that there are eight “characters” before the brackets:
Ocean Dots
Exactly like the letters D G S E S I E E
So, the flag, or the thing I have to guess is probably that :
Ocean Dots

I also thought that the number of dots determines the position of the letter in the alphabet, and it reminded me of Braille (the tactile writing system used by people who are visually impaired).

I did a lot of guesses.
Finally I tried to play with the dots, and connect them together, to … finally, get the word OC34N
Ocean Dots
The flag was DGSESIEE{OC34N}
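
The pin-and-connect step can also be done without a map. The following Python script is an added example, not part of the original write-up: it parses the "Custom Location" groups of the dump, accepting both the "-47,1462046" and the "-46.9934318" decimal styles, joins each group's points in order and draws the stroke on a character grid. It assumes the first number of each pair is the horizontal axis, and it embeds only groups 1 and 6 of the dump as sample input.

```python
import re

# Sample input: groups 1 and 6 copied from the dump above, trailing fields shortened.
SAMPLE = """\
Last Known Locations:
gps: Location[gps 37.421998,-122.084000 hAcc=20 et=+8m21s703ms alt=5.0]
Custom Location History :
Custom Location 1
gps: Location[gps -47,1462046 30,9018186 hAcc=20 et=??? alt=0.0]
gps: Location[gps -47,1963297 30,9012294 hAcc=20 et=??? alt=0.0]
gps: Location[gps -47,1970164 30,8641039 hAcc=20 et=??? alt=0.0]
gps: Location[gps -47,1438013 30,8652827 hAcc=20 et=??? alt=0.0]
gps: Location[gps -47,1448313 30,9642508 hAcc=20 et=??? alt=0.0]
Custom Location 6
gps: Location[gps -46.8571326 30.8912128 hAcc=20 et=??? alt=0.0]
gps: Location[gps -46.856446 30.8484834 hAcc=20 et=??? alt=0.0]
"""

GROUP = re.compile(r"^Custom Location (\d+)$")
# Two space-separated numbers, each with "." or "," as the decimal mark.
POINT = re.compile(r"Location\[gps (-?\d+[.,]\d+) (-?\d+[.,]\d+) ")


def parse_groups(text):
    """Return {group number: [(x, y), ...]} in the order the points appear."""
    groups, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = GROUP.match(line)
        if header:
            current = int(header.group(1))
            groups[current] = []
            continue
        point = POINT.search(line)
        if point and current is not None:  # skips the "Last Known" entries
            x, y = (float(v.replace(",", ".")) for v in point.groups())
            groups[current].append((x, y))
    return groups


def render(points, size=9):
    """Join consecutive points with straight strokes on a size x size grid."""
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    # One scale for both axes so a vertical stroke stays vertical.
    span = max(max(xs) - min(xs), max(ys) - min(ys)) or 1.0
    k = (size - 1) / span
    # Row 0 is the largest second coordinate, so north is drawn at the top.
    cells = [(round((x - min(xs)) * k), round((max(ys) - y) * k)) for x, y in points]
    grid = [[" "] * size for _ in range(size)]
    for (c1, r1), (c2, r2) in zip(cells, cells[1:]):
        steps = max(abs(c2 - c1), abs(r2 - r1), 1)
        for i in range(steps + 1):
            row = round(r1 + (r2 - r1) * i / steps)
            col = round(c1 + (c2 - c1) * i / steps)
            grid[row][col] = "#"
    return "\n".join("".join(r).rstrip() for r in grid)


if __name__ == "__main__":
    for number, points in parse_groups(SAMPLE).items():
        print(f"Custom Location {number}")
        print(render(points))
```

Feeding it the whole dump prints one stroke per group, from left to right.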

Definition

  • 50pts
  • Cat. Misc

Description:

A coworker created a little riddle. He has been asking you to solve it for weeks; make him happy. Here’s the riddle: What time is it?

I had to use netcat to connect to the server. And I had to give a time, I suppose…
“Here’s the riddle: What time is it?”

My first idea was to give my current time in the following format:
14:52:32
And I also wrote different other things, without success.

And then I thought about Unix timestamps; at the beginning I was really struggling.
Finally I discovered https://www.epochconverter.com/, which displays the current Unix epoch time to the nearest second.

And I just had to wait until the correct timestamp:
Unix Timestamp

And there’s another flag !
Unix Timestamp Flag
DGSESIEE{cb3b3481e492ccc4db7374274d23c659}

Alone Muks

  • 100pts
  • Cat. Pwn (machine owning)

Description:

I managed to connect a device on one of the autonomous trucks, and now I have to find a vulnerability in the Lates truck system. I am able to connect to the truck with SSH, but I have to get the navigation system privileges.

I had to connect via SSH to port 5004
With the following credentials :
user:user
Let’s do it.
ssh user@51.159.59.20 -p 5004

Connection Via SSH:
Alone Muks SSH

I tried some credentials, and I tried to guess the username.
But found nothing, so I decided to do ctrl+c
And..
Okay, I’m in.
Alone Muks SSH
(You can see that I tried to use some commands, without success…)
I saw that the errors came from “-rbash”, which means I am in a restricted shell.
I restarted my SSH connection and added a parameter to try to bypass the restricted shell, but it didn’t really work this time.
But my username was green, and, I couldn’t use the ‘cd’ command !

I was able to see the environment variables:
Alone Muks SSH

But none of them was writable.
(only -x, executable, or -rx, readable-executable)

I was able to see what’s in the current directory by using the test command, and doing [TAB]
Alone Muks SSH

And by doing double [TAB] I was able to see the available commands, such as the help command, but not as precisely.

As I said, I was able to use ‘cd’ to change my directory:
Alone Muks SSH

And here it is, my flag.txt.
Alone Muks SSH

I was not able to access the usual commands like ‘cat’, ‘less’, ‘head’… to view the content of flag.txt
I was able to use echo, but I did not have the permission to access the file :
Alone Muks SSH

In the user directory was a file called login.py
Alone Muks SSH
And it starts when I connect to the machine with SSH.
I tried the same techniques I used to read flag.txt to read login.py.
And the echo command saved me:
Alone Muks SSH

username: dev
password: Sup3rStr0ngP4ssw0rd!!

Alone Muks SSH
I am dev now :)

But I don’t have more or less permissions than before.
And this file, as well as all its content, is completely useless.

I had to use another shell. To be sure I was not in a restricted shell, I ran this command:

ssh user@51.159.59.20 -p 5004 -t "sh"

I can see what’s inside the passwd file:

$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
systemd-timesync:x:102:103:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:103:104:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:104:105:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
user:x:1000:1000::/home/user:/bin/sh
globalSystem:x:1001:1001::/home/globalSystem:/bin/bash
navigationSystem:x:1002:1002::/home/navigationSystem:/bin/bash

And I was able to get some system information:

$ uname -a
Linux 2c45860dc421 4.9.0-13-amd64 #1 SMP Debian 4.9.228-1 (2020-07-05) x86_64 GNU/Linux

But there was nothing really interesting.

I know that there are two uncommon users

  • globalSystem
  • navigationSystem

navigationSystem had the permissions to read flag.txt

I am gonna see which commands can be used by my current user with the -l (L) parameter

-l[l] [command]
		If no command is specified, the -l (list) option will list the allowed (and forbidden) commands for the invoking user (or the user specified by the -U option) on the current host.

There’s the output of that beautiful command:
Alone Muks SSH

In green, we have the user who has the permission.
In blue, NOPASSWD means that no password is required.
In yellow, the allowed file or command.

That means, the current user is allowed to use Vim !

I tried a lot of things using Vim.
Create files, read files, but nothing successful.

Then I found out that I was able to spawn a shell with Vim.

Of course, I used Vim as the globalSystem user :
Alone Muks SSH

Opening a shell:
Alone Muks SSH

And now I am globalSystem

Awesome.

Let’s do that again, to see if we have some additional permissions with this account.

Alone Muks SSH

Great, now we can access a file, called update.

This file has enough permissions to access the flag.txt file, well.. in theory.
I just have to edit it with Vim…
Alone Muks SSH

And then…
Alone Muks SSH

Oops..
Don’t forget to run that file with navigationSystem’s permissions.
Alone Muks Flag
All right :)

This part is done as well..
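
Seen from the defender's side, the chain above (user runs Vim as globalSystem, globalSystem runs an editable file as navigationSystem) is visible in the sudo rules themselves. The following Python check is an added example, not taken from the write-up or the challenge: the rule lines, the paths /usr/bin/vim and /opt/update and the set of writable files are constructed stand-ins for what the screenshots showed, and the list of shell-capable programs is a short illustrative subset.

```python
import re
from collections import deque

# Constructed stand-ins for the rules in the screenshots (paths are hypothetical).
RULES = """\
user ALL=(globalSystem) NOPASSWD: /usr/bin/vim
globalSystem ALL=(navigationSystem) NOPASSWD: /opt/update
"""
# (account, file) pairs the account can modify, as an audit would collect them.
WRITABLE = {("globalSystem", "/opt/update")}
# Programs that can start a shell from inside themselves (illustrative subset).
SHELL_CAPABLE = {"vi", "vim", "less", "more", "man", "awk", "find"}

RULE = re.compile(r"^(\S+)\s+\S+=\((\S+)\)\s+(NOPASSWD:\s*)?(\S+)")


def parse_rules(text):
    """Turn 'who host=(run_as) [NOPASSWD:] command' lines into dictionaries."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            rules.append({"who": m.group(1), "run_as": m.group(2),
                          "nopasswd": bool(m.group(3)), "cmd": m.group(4)})
    return rules


def risky(rule, writable):
    """Return why a rule hands over the whole target account, or None."""
    if rule["cmd"].rsplit("/", 1)[-1] in SHELL_CAPABLE:
        return "program can spawn a shell"
    if (rule["who"], rule["cmd"]) in writable:
        return "target file is writable by the invoking user"
    return None


def reachable(start, rules, writable):
    """Accounts that 'start' can become by chaining risky rules, in order."""
    seen, queue = [], deque([start])
    while queue:
        who = queue.popleft()
        for r in rules:
            if r["who"] == who and risky(r, writable) and r["run_as"] not in seen:
                seen.append(r["run_as"])
                queue.append(r["run_as"])
    return seen


if __name__ == "__main__":
    rules = parse_rules(RULES)
    for r in rules:
        print(r["who"], "->", r["run_as"], r["cmd"], "|", risky(r, WRITABLE))
    print("user can become:", reachable("user", rules, WRITABLE))
```

A rule flagged this way is better replaced by a fixed, non-interactive command, with the target file writable only by root.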

Le discret napier

  • 150pts
  • Cat. cryptography

Description:

Stockos uses a password based on a mathematical solution. x is the password, find x.
17^x ≡ 183512102249711162422426526694763570228 (mod 207419578609033051199924683129295125643)

Basically, I only had to solve 17^x ≡ 183512102249711162422426526694763570228 (mod 207419578609033051199924683129295125643) and find x.
The flag should be DGSESIEE{x}.

This looks a lot like congruence (as in the crypto path at the beginning).
But dcode’s tool didn’t work this time and that’s probably because it isn’t exactly the same thing.
This is called the discrete logarithm, and as Wikipedia says:

Discrete logarithms are quickly computable in a few special cases. However, no efficient method is known for computing them in general. Several important algorithms in public-key cryptography base their security on the assumption that the discrete logarithm problem over carefully chosen groups has no efficient solution.

It’s not gonna be easy.

Discret Napier

After hours of research, I finally found this document (in French):
http://wikisecu.fr/doku.php?id=cryptographie:elgamal

And I started SageMath to try that:
Discret Napier

It seemed not bad at all, so I did the same thing with the information I have for this challenge.

So d = a^c mod b became 183512102249711162422426526694763570228 = 17^x mod 207419578609033051199924683129295125643
Which means,

sage: a=2
sage: b=5
sage: d=3
sage: e=mod(a,b)
sage: discrete_log(d,e)

Became

sage: a=17
sage: b=207419578609033051199924683129295125643
sage: d=183512102249711162422426526694763570228
sage: e=mod(a,b)
sage: discrete_log(d,e)

But.
Discret Napier
My computer felt very bad, and over that

It didn’t work.
Discret Napier
I broke my Spotify, and my computer was super slow.
That’s probably why I don’t really like maths…

Anyway, I decided to search for an alternative to SageMath, and after some more hours of research I finally discovered an online tool to do exactly what I needed!

https://www.alpertron.com.ar/DILOG.HTM

I put all my data in it, and then I was waiting about 7 to 8 hours.
And finally !
Discret Napier

After some tries, I found out that the flag was DGSESIEE{697873717765}

BONUS
As I write this, I know how to use SageMath to solve this problem in a few minutes (using my computer).

sage: K = GF(207419578609033051199924683129295125643)
sage: g = K(17)
sage: h = K(183512102249711162422426526694763570228)
sage: h.log(g)

Finding x in g^x = h mod p is equivalent to computing x = h.log(g) in K.
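
For readers without SageMath, baby-step giant-step is one generic way to compute such a logarithm when the exponent is known to lie below a bound. This Python version is an added example, not taken from the write-up, SageMath or the Alpertron tool; it assumes p is prime, and the bound 2^40 used in the main block is an assumption that fits the exponent reported above.

```python
from math import isqrt


def bsgs(g, h, p, bound):
    """Return the smallest x in [0, m*m) with g^x = h (mod p), or None.

    m is ceil(sqrt(bound)). Write x = i*m + j: store g^j for every j < m
    (baby steps), then walk h * g^(-m*i) for i < m (giant steps) until the
    value is found in the table.
    """
    m = isqrt(bound - 1) + 1
    table = {}
    value = 1
    for j in range(m):
        table.setdefault(value, j)  # keep the smallest j for each value
        value = value * g % p
    factor = pow(g, -m, p)  # g^(-m) mod p, needs Python 3.8+
    gamma = h % p
    for i in range(m):
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * factor % p
    return None


# Values from the challenge statement.
P = 207419578609033051199924683129295125643
G = 17
H = 183512102249711162422426526694763570228

if __name__ == "__main__":
    # Toy instance from the first SageMath session above: 2^x = 3 (mod 5).
    print(bsgs(2, 3, 5, 5))
    # Assumption: x < 2**40. This builds a table of about a million entries.
    x = bsgs(G, H, P, 2**40)
    print(x, x is not None and pow(G, x, P) == H)
```

The cost is about sqrt(bound) multiplications and table entries, so it only helps when the exponent is small compared with the group.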

Chatbot

  • 100pts
  • Cat. Web

Description:

EvilGouv recently opened a chatbot service, but nobody likes him and he’s really bad… And it is most probably vulnerable. Find a way to access the Intranet!

We are told that EvilGouv recently opened a chatbot. And there’s probably a security breach.
I have to find a way to enter in their intranet.

Clue: Local network.

The chatbot:
Chatbot

The first thing I thought of was checking if there are XSS vulnerabilities.
I was right.
chatbot

I checked the javascript source code of the bot, maybe there are some hidden commands.
But the answers were not on the client side.

I have to access the server side, and I only have an XSS.

I checked the script again, and I saw that, if the input text is a URL, the bot does a GET request to fetch some information to display with that URL.
But there’s a vulnerability called SSRF, which means that we can exploit the URL checking system to scan for open machines in the intranet.
So I searched four hours, and I finally found out that the virtual host was intranet.
chatbot
Bruteforcing by hand is not fun…
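
On the server side, the URL preview feature described above needs a destination check before the GET request is sent. The following Python function is an added example of such a check, not the chatbot's code: it rejects single-label host names such as the "intranet" host found above and any host that resolves to a non-public address. The resolver parameter and the sample host names and addresses are constructed so that the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def system_resolver(host):
    """Resolve a host name to the IP strings the OS would connect to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_preview_url(url, resolve=system_resolver):
    """Return (allowed, reason, addresses) for a URL the bot is asked to fetch."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL", []
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    if not host:
        return False, "no host", []
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        # Names without a dot only resolve through the local search domain.
        if "." not in host.rstrip("."):
            return False, "single-label host name", []
        try:
            addresses = resolve(host)
        except OSError:
            return False, "host does not resolve", []
    if not addresses:
        return False, "host does not resolve", []
    for addr in addresses:
        if not ipaddress.ip_address(addr).is_global:
            return False, f"{addr} is not a public address", []
    # The caller must connect to one of these addresses, not resolve again.
    return True, "ok", addresses


# Constructed name-to-address table standing in for DNS.
FAKE_DNS = {"www.example.org": ["93.184.216.34"], "wiki.corp.example": ["10.0.3.7"]}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError("unknown host")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("http://intranet/", "http://127.0.0.1:8080/", "file:///etc/passwd",
              "http://wiki.corp.example/", "https://www.example.org/a"):
        print(u, check_preview_url(u, fake_resolver))
```

Every redirect the fetcher follows needs the same check before the next request is made.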