A blog post by Lee Meeker, CODEX Engineer

One way our CODEX engineers have fun and flex their cyber skills is by hosting and participating in Capture the Flag (CTF) events. CTFs are like intense digital hide-and-seek or puzzle solving games. If you love putting clues together to solve a puzzle or taking things apart to figure out how they work, then you too may enjoy CTF challenges!

A few write-ups for CTFs from one of our engineers Tylor Childers may be found on GitHub under RTXCTF_Writeups :

At first glance, I found the title of one in this list curious: “RmluZCB0aGUgU2hhcmU=
It seemed like random jibberish, but a hunch based on past exposure to different types of encoded data (the “=” at the end is normally a telltale sign) made me wonder if it was a simple Base64 encoding which it did turn out to be:

$ echo RmluZCB0aGUgU2hhcmU= | base64 -d
Find the Share

In this “RmluZCB0aGUgU2hhcmU=” CTF write-up with a sub-title of “Net Pen 500” (Network Penetration) we are given the description of a fictitious company that has a new network file share that an employee there wants to find and access. Through a few steps of studying system output and leveraging known exploits this CTF walk-through pivots us from server to server to finally reveal a file on the desired network share containing a text file with the flag – thus capturing the flag. It turned out that another write-up in the list also goes into detail on Base64 encoding as well as some encryption techniques – see the write-up for “Layers - Crypto 300”.

In another CTF write-up “C2 API - Misc 500” we follow the investigation of the inner workings of a C2 (cyber lingo for Command and Control) system by tracing the API it uses in intercepted communications and then using those same APIs to take over the C2 and use it to find and capture the flag “h4d_fun_tr0lling_y0u_0n_th1s_c0ngr4tz”. That may seem like a strange “flag”, but it’s just written in “133t speak” where the spelling of words are modified to use numbers or special characters as in “31337 H4X0R” for “Elite Hacker”. And if you haven’t noticed already, there are also a lot of acronyms used in our profession – at my previous employer we even had an acronym regarding the acronyms: TLA… we’d sometimes say there were too many undefined TLAs in a document meaning there were too many Two/Three Letter Acronyms.

A write-up of a more difficult one focused on forensics, data encodings, encryption, and reverse engineering of an executable, “Floppy Image - Forensics 600”, leads us into examining email headers, uudecoding attachments, more Base64 decodings, and the use of IDA to discover that the Windows executable included in the email is able to run in 16, 32, and 64-bit modes and produce three different pieces of a Windows .com file which then need to be concatenated together in the correct order. Putting all of these pieces together gets us to a final running of the resulting .com file that takes as input a recovered data file that had been deleted from the email attached floppy disk image to then output the well hidden flag – definitely a lot of pieces to put together for this puzzle!

The “Hacker Affiliates - Web 500” write-up describes a web site that takes user input and with some knowledge about the expected wrapper text around the flag we are trying to capture, we discover that server-side PHP code for the site seems to contain the flag, but it is redacted from being seen in the page source if the request does not come from localhost and so we instead get a fake flag RTX_FLAG{YOU_NEED_ADMIN}. However, after some scripting and crafting of our website that we give as input to their web site form, we are able to discover and leverage some vulnerabilities in their site. One last step involves using iframes to get past CORS protection, then we iterate in a script to collect leaked characters from the real flag until we have captured the whole thing: RTXFLAG{XS_L34KS_VIA_FR4M3}.

A similar iterative technique to obtain one character at a time of the flag is described in the “Hash Service - Crypto 400” write-up. After connecting to a hashing service over the network and asking it for help we see there are commands to list files on the server and load files into memory to then perform hashing operations. Armed with knowledge about the hashing operation, we iterate in a script to again capture one character at a time of the flag contained in the file named mysupersecretflagfile (seems like they could use a little more OPSEC in their file naming) that we observed in the file listing from the hashing server’s info command.

Building on another service discovered in the “Hash Service” write-up, we continue in the write-up for “Rosenburg - Crypto 500” to connect to a server that gives a cyphertext prompt and takes a reply. After some testing we discover that the length of our reply results in different replies about padding which leads us to attempt a “Padding oracle attack”. Again this little bit of leaked information combined with our knowledge of the prefix string for the flag ( RTXFLAG{ ) allows us to script an algorithm to identify the remaining bytes of the flag.

The next CTF write-up, “Secure SRAM - Reverse Engineering 500”, delves into the hardware side a little more. SRAM is a special type of computer memory that while still being volatile has some data remanence characteristics. Through another network service we connect to a hardware device, which is our target containing the flag (secure keys), via a UART header on its system board. This network connection allows a binary to be uploaded and executed as firmware on the target device (helper scripts, a sample binary with source, and an emulator for the hardware are provided as part of this challenge). After crafting a binary payload to dump the target’s memory and grepping through it for our known flag prefix, we discover the flag ( RTXFLAG{4VR_P4YL04D$_DUMP_R4M!!} ) was left in plain-text after the hardware device’s boot process completed.

The final write-up we review here is the “Tie Breaker”. This challenge starts with only an IP address and port for a web site and “good luck.” After connecting to the web site’s initial home page, we observe that there are links to a couple of other pages on the site. Seeing an error message after clicking on the bug_report link leads us to experiment with an HTML GET request including a user and password value. Some more experimentation and it seems that we can download arbitrary files from the web site which allows us to grab an index.php source file to see more of how the site is setup. From the PHP source we see its use of shell_exec() and limited input filtering allows us to execute shell commands of our own on the server, but this turns out to be a dead end and nothing is found there. Switching to studying network packet captures from the web site leads us to notice special traffic on port 1025. Binary data is given and Fibonacci numbers are returned. Next, the PayloadDecompiler that was found on and downloaded from the web site allows us to get assembly source for the Payload.vm that was also found on the web site. Googling some of the unique mnemonics ( puship and popip ) from the disassembly leads us to a GitHub site for a “stack machine” that also has example code for Fibonacci number generation. Some more work to get our own “stack machine” program running and leveraging details found on the bug_report page about “leaking secrets from outside of the VM memory” allows us to harvest and decode output from port 1025 on the server to finally capture the flag.

These were just a few examples of CTFs, there are events of all types and sizes hosted by individuals and organizations across the world. Some resources if you’d like to find out more about some of them are: