Wednesday, October 25, 2017

DerbyCon Door Key Challenge-Solution

I've been so busy I completely forgot to post these solutions.

You start out with a double-sided card with grey and green letters and numbers.  If you look at the front of the card, you'll notice that the legible words are the green letters.



If you look at the back of the card, you'll notice that these are hexadecimal characters.  One of my fav online tools helped to solve this one.



Solving the green ones gives a rotational cipher.  SLNHJF. KLYIF JVBUALYOHJR. JVT.

Using a rotational cipher solver, one of many that can be found online, you get the URL of a website: DERBYLEGACY.COUNTERHACK.COM
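The same step can be done offline. The following is an added example, not part of the original challenge or post: it tries all 26 rotations of the ciphertext quoted above and keeps only the candidates that contain a top-level-domain token. The function names and the crib list (`COM`, `ORG`, `NET`) are assumptions, based on the plaintext being a hostname.

```python
import re
import string

CIPHERTEXT = "SLNHJF. KLYIF JVBUALYOHJR. JVT."  # ciphertext as quoted in the post
TLD_CRIBS = ("COM", "ORG", "NET")  # assumption: the plaintext is a hostname


def rotate(text, shift):
    """Shift A-Z / a-z by `shift` places, leaving everything else untouched."""
    out = []
    for ch in text:
        if ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        elif ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        else:
            out.append(ch)  # punctuation and spaces pass through unchanged
    return "".join(out)


def candidates(ciphertext):
    """All 26 decryptions as (key, plaintext); key k undoes a forward shift of k."""
    return [(k, rotate(ciphertext, -k)) for k in range(26)]


def crack(ciphertext, cribs=TLD_CRIBS):
    """Keep only the candidates in which some whole token equals a crib."""
    wanted = {c.upper() for c in cribs}
    hits = []
    for key, plain in candidates(ciphertext):
        tokens = set(re.findall(r"[A-Za-z]+", plain.upper()))
        if tokens & wanted:
            hits.append((key, plain))
    return hits


if __name__ == "__main__":
    for key, plain in crack(CIPHERTEXT):
        print(f"key={key:2d}  {plain}")
```

Only one rotation survives the crib filter, and its tokens are the parts of the hostname given above.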




Visiting the website, you are asked to create an account.  After creating an account, you are greeted with the following screen...


The first question clue was the following:


The solution was to find the item that matches the slip of paper.  There was a SANS Pen Test Blog posting with a piece of paper that looked similar to that.  Googling Python Reverse Shell and SANS Pen Test Blog Python Reverse Shell showed a blog posting.  At the bottom of the completed paper, it says, "Featuring SEC573".   

https://pen-testing.sans.org/blog/2017/01/31/pen-test-poster-white-board-python-python-reverse-shell

Another option is to search for the photo using TinEye.  TinEye is like a search engine for pictures on the Internet.  It can find photos similar to the one that you upload, and it displays the closest matches. It's great for CTF questions involving pictures.


The next one asks which SANS Pen Test Challenge Coin was created, but never released.


This one can be found by looking at the Pen Testing Blog post detailing the Pen Testing coins' backstory.



There's also a hint about a SANS poster.  The following poster shows a coin that no one has.  It's a coin for SEC562.  flag{sec562}



The next question is simple.  Simply visit https://www.holidayhackchallenge.com, right-click, and select View Source.  Look for an ASCII Santa with the flag.  flag{santa}


For the next challenge question, I downloaded the image and used TinEye, as I mentioned earlier, to find a similar picture online.  The answer is flag{Bryce Galbraith}.




In the next question, you can view the hex of the file using a hex editor like Bless or xxd, or you can use the strings command.  The title is: Introduction to Reverse Engineering for Pen Testers.  The speaker is Stephen Sims.


I used Wireshark to look at the following pcap.  Then I clicked on Statistics > Protocol Hierarchy, highlighted HTTP, and right-clicked and chose Apply As Filter > Selected.  After that, I simply looked for a POST message, right-clicked and chose Follow TCP Stream.  If you look through the requests and responses, you'll see a password in clear text.


The code in the next question prints the flag.  It's backwards at the bottom of the code.  flag{pyWars}


Google the next one.  https://www.sans.org/netwars/cybercity  flag{SCADA}


Do a WHOIS lookup to find the first one.  Look on https://www.sans.org to see where he is teaching next.  Google the last one.  flag{edwardskoudissec560washingtonpost}

The next one is easy if you use the strings command.  flag{counterhack&sans}

Unfortunately, the challenge isn't still up as far as I can tell.  These may help others solve similar challenge questions, though.
Have fun!










