Some 1.5 years ago, I wrote a really basic article about Pupy (an open source RAT). In an on-site CTF I participated in yesterday, I found it quite useful in a challenge that required dumping the NTLM hashes of a Windows user.
Lately, I had to crack an RDP password for a known user in an on-site CTF. In this post, I will explain how I solved this challenge.
As the title of the challenge suggests, we are dealing with a simple Vigenère cipher here. In Vigenère, each character of the plaintext is shifted using a key. Using a lookup table such as the one given in the description, each letter of the plaintext is enciphered using the corresponding character of the key. Deciphering works the same way.
After connecting, a prompt asking for the flag was displayed. After entering an incorrect flag, it would simply return “Nope\n” and quit. What I noticed after submitting a flag starting with RC3-2016 is that it took the server much longer to respond. After trying it a few more times from different machines (also remotely), this behavior seemed to be consistent.
The first step, of course, is downloading the files. It turned out to be a single APK file called youtube.apk. An APK is just an archive, so it can be extracted easily. Let’s try that:
Let’s start by having a look at the website at the URL given in the description. Then I saw that another image was requested through an additional GET request to the following URL. As it said that “we’re getting there”, I first thought there would be something on the other end of the link, which turned out to be a WordPress website. On second thought, this was outside the scope of the CTF environment, so hacking into it might not be a good idea.
After opening the website that was given with the challenge, I was presented with a simple-looking website. Of course, I tried to log in with the credentials provided in the description. After logging in, there was only a text:
Have you ever found yourself determined to ‘finally figure something out’ about a specific topic, but giving up after reading Wikipedia pages that look too difficult to understand? Wikipedia has an answer to that.
There is an .rtf file. Considering that the title of this challenge is RTFspy, there must be something in this file. First, of course, I tried to open it the regular way, but none of the programs I tried could open the file.
Just like I did with Canada – 1n51d3r’5 j0b and Germany – ch17ch47, I started grepping. As there was only one file, which was a pcap, I chose to first look for ASCII strings and then pipe the output to my grep command that looked for the string all flags started with, ‘h4ck’.