DC813 MiniCTF 0x2 Writeup

My Defcon Group in Tampa is getting pretty awesome. Makes me miss DC407 and everyone over in Orlando and all the potential that was there before I left the area. Ah nostalgia, but I digress.

DC813 has been throwing up some mini CTFs lately, specifically a guy named Mick who’s pretty rad at getting this stuff together. Tonight was the second one and the first one I’ve been successful at. Sadly at 0x1 I had some hardware issues and couldn’t complete a lot of the challenges. The system I chose to use was vanilla Kali, so you’d be able to solve most of these on your own. I want to get permission to post the challenges online from the creator.

Challenge One, Passwd Pwnage:

This one was pretty easy, we were given a flat file with a username and hash in it:


This was quickly solved by running the file through john using the rockyou wordlist that comes with Kali:

john --wordlist='/usr/share/wordlists/rockyou.txt' '/root/minictf0x2/challenge1'

John ran for about 7 seconds before finding the solution: password123

Challenge Two, What is OTV’s Number:

This was a trivia question, specifically from the movie Hackers. The solution was 212-555-4240. Google-fu was helpful.

Challenge Three, I Speak When I Listen:

This challenge was maddening and the last problem I solved. It ended up in a 3 way grepping match between me and 2 other guys, which I didn’t win, but caused me to come in second. What was maddening about the problem is that the hint was easier to understand than I thought. I didn’t fully understand it till I started this writeup, you’ll see at the end of this section what it meant.

On to it then. Challenge three, we were given a hint in the title “I Speak When I Listen” and an Android APK titled DroidSheep.apk. The apk had to be disassembled so I had to do a bit of research on APK, but found the program apktool installed by default on Kali. apktool wouldn’t work according to the documentation, but a post on the Kali forums suggested copying the apk into the apktool folder /usr/share/apktool. Ran the tool with this command:

apktool d DroidSheep.apk droidsheep

Started grepping the directory /usr/share/apktool/droidsheep for the keywords in the hint, but the only one that returned anything was “listen”. The command used to try to locate the flag was:

grep -r "listen" /usr/share/apktool/droidsheep

Unfortunately, I didn’t figure this out on my own; I just overheard the organizers whispering when I had half the string highlighted. The flag was in the first result of the screenshot: “Droidsheep is listening for sessions”. The clue meant that DroidSheep “spoke” while it listened 😀

Challenge Four, Cereal Killer:

I learned a bit from this challenge. It was a seemingly corrupted video file that wouldn’t play. I had to dip into the hint basket for this one. One of the organizers mentioned hexediting, to my dismay. I am not good at hex. After downloading hexedit because we were told Kali didn’t have a hex editor, I scrolled through it for a bit, went back to the top and worked on another challenge. After a while, I found out Kali comes with hexeditor… after a while this was me: [image: the “I have no idea what I’m doing” dog]


I had to get a hint, which was “magic numbers”. I had no idea what that meant either, so I had to turn to Google. If you don’t know what they are, magic numbers, in this context, are a series of bytes in a file’s header that identify its file type. Specifically, this file was an m4v, and its magic number was corrupted.


And here is the corrected magic number:


The video was finally playable, which was a clip of Hackers at the very end when everyone was arrested and being interrogated by the Secret Service, when Cereal Killer saves the day by broadcasting pirate TV and revealing the whole plot and the account number of Plague’s overseas bank account, which was the flag: 03087-08351-27H
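The magic-number check from this challenge, as an added Python example that is not part of the original writeup. MP4-family files such as m4v begin with a 4-byte big-endian box size, the ASCII type `ftyp`, and a major brand; the sample bytes and the kind of corruption (a zeroed type field) are constructed assumptions, since the writeup does not show the damaged bytes.

```python
import struct

# Major brands commonly found in the ftyp box of MP4-family files (not exhaustive).
KNOWN_BRANDS = {b"M4V ", b"M4A ", b"mp41", b"mp42", b"isom", b"qt  "}
# Box types that normally follow ftyp at the top level of the file.
TOP_LEVEL = {b"moov", b"mdat", b"free", b"skip", b"wide", b"moof", b"uuid"}

def check_ftyp(data: bytes) -> list:
    """Return a list of problems with the leading ftyp box (empty = header looks sane)."""
    if len(data) < 16:
        return ["file is shorter than a minimal ftyp box"]
    size, box_type, brand = struct.unpack(">I4s4s", data[:12])
    problems = []
    if box_type != b"ftyp":
        problems.append(f"box type is {box_type!r}, expected b'ftyp'")
    if size < 16 or size % 4 or size > len(data):
        problems.append(f"implausible ftyp box size {size}")
    if brand not in KNOWN_BRANDS:
        problems.append(f"unrecognised major brand {brand!r}")
    return problems

def repair_ftyp(data: bytes) -> bytes:
    """Restore the 'ftyp' type at offset 4, but only if the size field still
    leads to a known top-level box, i.e. the rest of the header is intact."""
    if len(data) < 16:
        raise ValueError("too short to hold an ftyp box")
    size = struct.unpack(">I", data[:4])[0]
    if size < 16 or size % 4 or data[size + 4:size + 8] not in TOP_LEVEL:
        raise ValueError("size field does not lead to a known box; inspect by hand")
    return data[:4] + b"ftyp" + data[8:]

def box(kind: bytes, payload: bytes = b"") -> bytes:
    """Build one box: 4-byte big-endian size, 4-byte type, payload."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

# Constructed sample, not the CTF file: ftyp(M4V) + free + a tiny mdat.
GOOD = (box(b"ftyp", b"M4V " + struct.pack(">I", 0) + b"M4V mp42")
        + box(b"free") + box(b"mdat", b"\x00" * 4))
# Assumed corruption for the demo: the four type bytes are zeroed.
BAD = GOOD[:4] + b"\x00" * 4 + GOOD[8:]

if __name__ == "__main__":
    print("before:", BAD[:12].hex(" "), check_ftyp(BAD))
    fixed = repair_ftyp(BAD)
    print("after: ", fixed[:12].hex(" "), check_ftyp(fixed))
```

The repair refuses to touch a file whose size field no longer points at a recognisable box, because in that case more than the type bytes is damaged and a blind overwrite would hide the evidence.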

Part 2 Coming up once I find some time, as I have to redo some of the screenshots, which got lost while competing at HackMiami Winterfest’s CTF by accident.

Posted in 2013, Main Menu