Last year, Bram ter Borch (a fellow student of the Master System and Network Engineering at the University of Amsterdam) and I did a security review of the Blackboard implementation at the University of Amsterdam. In a couple of days' time in total, we managed to find several vulnerabilities in the system, which eventually led…
In the Netherlands, the P2000 network is used by, amongst others, ambulances and fire brigades, to communicate about locations of emergencies. Formally, it is part of the broader C2000 network, which is used by the (military) police as well (but has an additional layer of encryption). What still amazes me is how easy it is…
Some 1.5 years ago, I wrote a really basic article about Pupy (an open source RAT). In an on-site CTF I participated in yesterday, I found it quite useful in a challenge that required dumping the NTLM hashes of a Windows user.
Lately, I had to crack an RDP password for a known user in an on-site CTF. In this post, I will explain how I solved this challenge.
As the title of the challenge suggests, we are dealing with a simple Vigenere cipher here. In Vigenere, each character of the plaintext is shifted using a key. Using a lookup table such as the one given in the description, each letter of the plaintext is enciphered using the corresponding character of the key. Deciphering works the same way.
After connecting, a prompt asking for the flag was displayed. After entering an incorrect flag, it would simply return “Nope\n” and quit. What I noticed after submitting a flag starting with RC3-2016 is that it took the server much longer to respond. After trying it a few more times from different machines (also remotely), this behavior seemed to be consistent.
The first step, of course, is downloading the files. It turned out to be only an APK file called youtube.apk. APKs are just archives, and can thus be extracted easily. Let’s try that:
Let’s start by having a look at the website at the URL given in the description. Then, I saw that another image was requested through an additional GET request to the following URL. As it said that “we’re getting there”, I first thought there would have been something on the other end of the link, which turned out to be a WordPress website. On second thought, this was outside the scope of the CTF environment, so hacking into there might not be a good idea.
After opening the website that was given with the challenge, I was presented with a simple-looking website. Of course, I tried to log in with the credentials provided in the description. After logging in, there was only some text:
Have you ever found yourself determined to ‘finally figure something out’ about a specific topic, but giving up after reading Wikipedia pages that look too difficult to understand? Wikipedia has an answer to that.