Tuesday, May 29, 2012

Wargames.My 2011 - crypto100

Crypto100
Players were given this code.


fvrwslwslswhgacsremfberbubgrihgbtvi


The hint given was: I like big, long and yellow
The first thing that came to my mind once I read the hint was banana!! So the answer/passphrase should be monkey.

I googled a little bit about the types of ciphers that need a passphrase/key to decrypt.
I found Vigenère ciphers. Then I tried an online cracker to crack it, and voilà~ lucky me :D
Flag is = themonkeyisjumpingaroundinthejungle


Here's Python code made by johnburn to solve this challenge. It's a dictionary attack, btw.

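#!/usr/bin/python3
charset = 'abcdefghijklmnopqrstuvwxyz'
encoded = 'fvrwslwslswhgacsremfberbubgrihgbtvi'

# Dictionary attack: try every word in wordlist.txt as the Vigenere key.
with open("wordlist.txt", "r") as keys:
    for key in keys.read().split('\n'):
        key = key.strip().lower()
        # Skip blank lines and words with characters outside a-z
        if not key or any(c not in charset for c in key):
            continue
        message = ''
        for i in range(len(encoded)):
            p = charset.index(encoded[i])
            k = charset.index(key[i % len(key)])
            # Subtract the key letter modulo 26 to undo the shift
            message += charset[(p - k) % len(charset)]
        # A candidate plaintext containing "the" more than once is probably English
        if message[:-2].count('the') > 1:
            print('The key: ' + key)
            print('The message: ' + message)
            break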

Wargames.My 2011 - writeups

This year there'll be another online CTF game, a.k.a. wargames, in Malaysia. Thanks to the hackerspace community + TheSexyKambing
http://wargames.my/wgmy2012/
Last year, the game was dominated by Kueytiow. He/She managed to solve two binary bonus challenges, which made him start the game in a comfort zone.
You can view last year's results here
result

So those who are interested in joining this year's wargames, do register ASAP.

In my blog I'm gonna share with you some of the writeups for the previous challenges.

Web100
Available on the wargames website: web100 writeups

Forensic200
OHMAIGAWD! It seems like we've been hacked! But what did the hackers 
steal? From the logs, it seems like they exploited an SQL injection bug 
on our website. Help us find the name of the database that they stole 
and we shall reward you handsomely.
So players were given a log to analyze. You can get it here
From the logs, the attacker just used an automated tool, sqlmap, to exploit the website. The injection used the blind technique. If you are good enough at blind SQL injection, you should get the flag in less than a minute :) Good luck.
Flag = wgmy2011
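
The log analysis described above, as an added example that is not part of the original post or the challenge files: it rebuilds the string a boolean-based blind injection extracted, using access-log lines alone. The log format, the payload shape (ORD(MID(...))>N), the two response sizes and the /news.php path are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Assumed log shape: Apache common log format, payload in the query string.
REQ = re.compile(r'"GET (\S+) HTTP/[\d.]+" \d{3} (\d+)')
# Assumed payload shape: ORD(MID((<query>),<pos>,1))><n>, one comparison per request.
CMP = re.compile(r'ORD\(MID\(\(.+\),(\d+),1\)\)>(\d+)', re.I)

def constructed_log(value, true_size=1820, false_size=1143):
    """Constructed sample lines: one bisection per character of `value`."""
    lines = []
    for pos, ch in enumerate(value, 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            hit = ord(ch) > mid
            lines.append('203.0.113.7 - - [29/May/2012:10:00:00 +0800] "GET /news.php?id=3'
                         f'%20AND%20ORD(MID((SELECT%20DATABASE()),{pos},1))>{mid} HTTP/1.1" '
                         f'200 {true_size if hit else false_size}')
            lo, hi = (mid + 1, hi) if hit else (lo, mid)
    return lines

def parse(lines):
    """Return (position, threshold, response_size) for every comparison request."""
    out = []
    for line in lines:
        req = REQ.search(line)
        cmp_ = CMP.search(unquote(req.group(1))) if req else None
        if cmp_:
            out.append((int(cmp_.group(1)), int(cmp_.group(2)), int(req.group(2))))
    return out

def recover(lines):
    """Rebuild the extracted string; None if the log is inconsistent or incomplete."""
    probes = parse(lines)
    # We do not know which response size means "true", so try each candidate.
    for true_size in sorted({size for _, _, size in probes}):
        bounds = {}
        for pos, n, size in probes:
            lo, hi = bounds.get(pos, (0, 127))
            bounds[pos] = (max(lo, n + 1), hi) if size == true_size else (lo, min(hi, n))
        if bounds and all(lo == hi and 32 <= lo < 127 for lo, hi in bounds.values()):
            return ''.join(chr(bounds[p][0]) for p in sorted(bounds))
    return None

if __name__ == '__main__':
    print(recover(constructed_log('wgmy2011')))
```

Each request narrows one character to a range; a character is known only when its lower and upper bounds meet, so a truncated log yields None rather than a guess.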

More will be in my next post... hopefully :P