Tuesday, May 29, 2012

Wargames.My 2011 - crypto100

Players were given this code.


The hint given was: I like big, long and yellow
The first thing that came to my mind once I read the hint was: banana!! So the answer/passphrase should be monkey.

I googled a little bit about the types of ciphers that need a passphrase/key to decrypt.
I found Vigenère ciphers. Then I tried an online cracker to crack it, and voilà~ lucky me :D
Flag is = themonkeyisjumpingaroundinthejungle

Here's the Python code made by johnburn to solve this challenge. It's a dictionary attack, btw.

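charset = 'abcdefghijklmnopqrstuvwxyz'
encoded = 'fvrwslwslswhgacsremfberbubgrihgbtvi'

# Dictionary attack: try every word in the wordlist as the Vigenere key.
with open("wordlist.txt", "r") as keys:
    for key in keys.read().split('\n'):
        key = key.strip().lower()
        # Skip blank lines and words with characters outside the charset.
        if not key or any(c not in charset for c in key):
            continue
        message = ''
        for i in range(len(encoded)):
            p = charset.index(encoded[i])
            k = charset.index(key[i % len(key)])
            # Vigenere decryption: plaintext = (ciphertext - key) mod 26
            message += charset[(p - k) % len(charset)]
        # Keep candidates whose plaintext contains 'the' more than once.
        if message[:-2].count('the') > 1:
            print('The key: ' + key)
            print('The message: ' + message)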

Wargames.My 2011 - writeups

This year there'll be another online CTF game, a.k.a. wargames, in Malaysia. Thanks to the hackerspace community + TheSexyKambing.
Last year, the game was dominated by Kueytiow. He/she managed to solve two binary bonus challenges, which let him start the game in a comfort zone.
You can view last year's results here

So those who are interested in joining this year's wargames, do register ASAP.

In my blog I'm gonna share with you some of the writeups for the previous challenges.

Available on the wargames website: web100 writeup

OHMAIGAWD! It seems like we've been hacked! But what did the hackers 
steal? From the logs, it seems like they exploited an SQL injection bug 
on our website. Help us find the name of the database that they stole 
and we shall reward you handsomely.
So players were given a log to analyze. You can get it here
From the logs, the attacker just used an automated tool, sqlmap, to exploit the website. The injection used the blind technique. If you are good enough at blind SQL injection, you should get the flag in less than a minute :) Good luck.
Flag = wgmy2011
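
An added example (not from the original writeup or the challenge files) of the log analysis described above: it replays the greater-than tests that a boolean-based blind injection leaves in an access log and narrows each character to a single value. The log lines, the /news.php path, the payload shape and the two response sizes are constructed assumptions; only the recovered name comes from this page.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample data, NOT the challenge log. Assumptions: each character
# is bisected with "ORD(MID(<query>,pos,1))>N", and the page returns a larger
# body (true_size bytes) when the injected condition is true.
def constructed_log(secret, true_size=1500, false_size=900):
    lines = ['10.0.0.9 - - [01/Jan/2011:00:00:00 +0000] '
             '"GET /index.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"']  # benign noise
    for pos, ch in enumerate(secret, start=1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            hit = ord(ch) > mid
            lo, hi = (mid + 1, hi) if hit else (lo, mid)
            q = f"1%20AND%20ORD(MID((SELECT%20DATABASE()),{pos},1))%3E{mid}"
            lines.append(f'10.0.0.5 - - [01/Jan/2011:00:00:01 +0000] "GET '
                         f'/news.php?id={q} HTTP/1.1" 200 '
                         f'{true_size if hit else false_size} "-" "sqlmap"')
    return lines

REQUEST = re.compile(r'"GET (\S+) HTTP/[\d.]+" \d{3} (\d+)')
PROBE = re.compile(r'MID\(.*?,\s*(\d+)\s*,\s*1\)\)\s*>\s*(\d+)', re.I)

def recover_string(log_lines, true_size):
    """Rebuild the value a boolean-based blind injection extracted."""
    bounds = {}  # character position -> [lowest, highest] possible code
    for line in log_lines:
        req = REQUEST.search(line)
        probe = req and PROBE.search(unquote_plus(req.group(1)))
        if not probe:
            continue  # ordinary traffic, not a character test
        pos, n = int(probe.group(1)), int(probe.group(2))
        lo_hi = bounds.setdefault(pos, [0, 127])
        if int(req.group(2)) == true_size:   # "char > n" held
            lo_hi[0] = max(lo_hi[0], n + 1)
        else:                                # "char > n" failed
            lo_hi[1] = min(lo_hi[1], n)
    # A position is resolved only when both bounds meet on one code point.
    return "".join(chr(lo) if lo == hi else "?"
                   for _, (lo, hi) in sorted(bounds.items()))

if __name__ == "__main__":
    print(recover_string(constructed_log("wgmy2011"), true_size=1500))
```

A "?" in the output marks a position whose tests are missing from the log, so a truncated log shows up as an unresolved character rather than a wrong one.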

more will be in my next post...hopefully :P