m50 – Treasure
Revision for “m50 – Treasure” created on 1 April 2015 at 02:41:51
Title | m50 - Treasure |
---|---|
Content | <blockquote>Rumors say that something is buried in <strong>treasure.ctf.0ops.sjtu.cn</strong>, happy treasure hunting. :)</blockquote>
Right at the start, when I accessed the address and saw it land on my local Apache, I already smelled the trick: the v4 record is localhost, and there is a v6 record pointing at the real address:
<pre class="lang:default decode:true">alisson@alisson-note:~$ host treasure.ctf.0ops.sjtu.cn
treasure.ctf.0ops.sjtu.cn has address 127.0.0.1
treasure.ctf.0ops.sjtu.cn has IPv6 address 2001:470:d:b28::40:1</pre>
I spun up a droplet with IPv6 configured on DigitalOcean and started playing.
I ran a standard TCP scan, but there was nothing of note:
<pre class="lang:default decode:true ">Nmap scan report for treasure.ctf.0ops.sjtu.cn (2001:470:d:b28::40:1)
Host is up (0.080s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
25/tcp filtered smtp
109/tcp filtered pop2
110/tcp filtered pop3
143/tcp filtered imap
465/tcp filtered smtps
587/tcp filtered submission
995/tcp filtered pop3s</pre>
After that, I sent a traceroute its way, and something interesting started to show up:
<pre class="lang:default decode:true ">traceroute to 2001:470:d:b28:0:0:40:1 (2001:470:d:b28::40:1), 30 hops max, 80 byte packets
1 2600:3c01::8678:acff:fe0d:79c1 (2600:3c01::8678:acff:fe0d:79c1) 0.841 ms 0.980 ms 1.028 ms (United States)
2 10gigabitethernet8-2.core3.fmt2.he.net (2001:470:1:3b8::1) 0.939 ms 5.818 ms 5.837 ms (United States)
3 10ge9-11.core1.lax1.he.net (2001:470:0:18d::2) 20.514 ms 20.496 ms 20.534 ms (United States)
4 tserv1.lax1.he.net (2001:470:0:9d::2) 12.992 ms 16.786 ms 19.922 ms (United States)
5 JackWindows-3-pt.tunnel.tserv15.lax1.ipv6.he.net (2001:470:c:b28::2) 27.247 ms 32.423 ms 32.400 ms (United States)
6 2001:470:d:b28::2 (2001:470:d:b28::2) 32.388 ms 31.021 ms 30.379 ms (United States)
7 2001:470:d:b28::1:2 (2001:470:d:b28::1:2) 30.372 ms 30.345 ms 26.734 ms (United States)
8 2001:470:d:b28::2:2 (2001:470:d:b28::2:2) 26.672 ms 19.616 ms 18.041 ms (United States)
9 2001:470:d:b28::3:2 (2001:470:d:b28::3:2) 21.341 ms 22.907 ms 22.883 ms (United States)
10 2001:470:d:b28::4:2 (2001:470:d:b28::4:2) 22.659 ms 18.048 ms 18.301 ms (United States)
11 2001:470:d:b28::5:2 (2001:470:d:b28::5:2) 18.234 ms 18.212 ms 18.136 ms (United States)
12 2001:470:d:b28::6:2 (2001:470:d:b28::6:2) 18.117 ms 18.148 ms 18.122 ms (United States)
13 2001:470:d:b28::7:2 (2001:470:d:b28::7:2) 18.241 ms 18.215 ms 18.196 ms (United States)
14 2001:470:d:b28::8:2 (2001:470:d:b28::8:2) 18.132 ms 20.300 ms 19.312 ms (United States)
15 2001:470:d:b28::9:2 (2001:470:d:b28::9:2) 19.310 ms 19.295 ms 18.946 ms (United States)
16 2001:470:d:b28::10:2 (2001:470:d:b28::10:2) 18.162 ms 18.138 ms 18.110 ms (United States)
17 2001:470:d:b28::11:2 (2001:470:d:b28::11:2) 18.272 ms 18.236 ms 18.279 ms (United States)
18 2001:470:d:b28::12:2 (2001:470:d:b28::12:2) 18.255 ms 18.251 ms 18.232 ms (United States)
19 2001:470:d:b28::13:2 (2001:470:d:b28::13:2) 18.313 ms 18.296 ms 27.247 ms (United States)
20 0000000110001101110000000 (2001:470:d:b28::14:2) 27.207 ms 25.787 ms 25.743 ms (United States)
21 0111110111100111110111110 (2001:470:d:b28::15:2) 25.640 ms 21.151 ms 21.121 ms (United States)
22 0100010110001100110100010 (2001:470:d:b28::16:2) 21.106 ms 20.354 ms 20.326 ms (United States)
23 0100010101000011010100010 (2001:470:d:b28::17:2) 28.017 ms 27.995 ms 27.642 ms (United States)
24 0100010101010101110100010 (2001:470:d:b28::18:2) 27.593 ms 27.574 ms 27.555 ms (United States)
25 0111110110011011010111110 (2001:470:d:b28::19:2) 18.341 ms 18.315 ms 18.359 ms (United States)
26 0000000101010101010000000 (2001:470:d:b28::20:2) 18.334 ms 18.312 ms 18.302 ms (United States)
27 1111111110111100111111111 (2001:470:d:b28::21:2) 18.316 ms 18.363 ms 18.347 ms (United States)
28 0011100010001010011100111 (2001:470:d:b28::22:2) 18.334 ms 20.600 ms 20.577 ms (United States)
29 0100011011001101101000000 (2001:470:d:b28::23:2) 19.844 ms 19.800 ms 19.775 ms (United States)
30 0101010000111110110010100 (2001:470:d:b28::24:2) 19.934 ms 18.526 ms 18.517 ms (United States)</pre>
I thought I'd have to decode binary to ASCII, but nothing legible came out. Then it hit me: "there are nodes missing; I'll have to follow the trail to reach the pot of gold". I saw that the range answered up to .40, so I went through the addresses one by one looking for the missing bits:
<pre class="lang:default decode:true ">2001:470:d:b28::25:2 0011111011010110011010101
2001:470:d:b28::26:2 1001010100000111010010000
2001:470:d:b28::27:2 0001111100000101001010110
2001:470:d:b28::28:2 0110110100110010110100000
2001:470:d:b28::29:2 0100101001101111101000010
2001:470:d:b28::30:2 0110100101100000000001010
2001:470:d:b28::31:2 1111111100111011011101001
2001:470:d:b28::32:2 0000000101101110010101100
2001:470:d:b28::33:2 0111110101111100011100110
2001:470:d:b28::34:2 0100010110011010000001101
2001:470:d:b28::35:2 0100010111011101000011000
2001:470:d:b28::36:2 0100010110010110111010010
2001:470:d:b28::37:2 0111110100101111000010110
2001:470:d:b28::38:2 0000000100000010010100110</pre>
Putting it all together, we have:
<pre class="lang:default decode:true ">0000000110001101110000000
0111110111100111110111110
0100010110001100110100010
0100010101000011010100010
0100010101010101110100010
0111110110011011010111110
0000000101010101010000000
1111111110111100111111111
0011100010001010011100111
0100011011001101101000000
0101010000111110110010100
0011111011010110011010101
1001010100000111010010000
0001111100000101001010110
0110110100110010110100000
0100101001101111101000010
0110100101100000000001010
1111111100111011011101001
0000000101101110010101100
0111110101111100011100110
0100010110011010000001101
0100010111011101000011000
0100010110010110111010010
0111110100101111000010110
0000000100000010010100110</pre>
I showed it to our colleague g3ol4d0, and with his sharp eye he exclaimed: "it's a QR code!". From there, all it took was replacing the "0"s with spaces and the "1"s with blocks for the QR code to appear. Doing it the leet way, in the terminal, we put the bits in a file named "<strong>N1MB3R5</strong>" (on purpose; anyone paying attention will get the hint!) :) and ran the "magic" little command:
<pre class="lang:default decode:true ">$ cat N1MB3R5 | sed 's/1/\x1b[7m \x1b[m/g;s/0/ /g;'</pre>
<a href="https://ctf-br.org/wp-content/uploads/2015/03/Captura-de-tela-de-2015-03-28-183228.png" target="_blank"><img class="alignnone size-medium wp-image-1035" src="https://ctf-br.org/wp-content/uploads/2015/03/Captura-de-tela-de-2015-03-28-183228-300x169.png" alt="Captura de tela de 2015-03-28 18:32:28" width="300" height="169" /></a>
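As an added example (not part of the original writeup, and not the team's code), here is a short Python script that checks whether the 25x25 matrix really has QR structure before anyone squints at it: it derives the version from the side length, looks for the three finder patterns (which also tells you which character plays "dark"), verifies the separators, the timing patterns, the always-dark module and the version-2 alignment pattern, and renders the result with the quiet zone a scanner expects. ROWS are the bit strings assembled above, copied verbatim; the function names are my own.

```python
# Added example (not the writeup's code): ROWS are the 25 bit strings assembled
# above (PTR names of hops ::14:2 .. ::38:2), copied verbatim; the rest is mine.
ROWS = [
    "0000000110001101110000000",
    "0111110111100111110111110",
    "0100010110001100110100010",
    "0100010101000011010100010",
    "0100010101010101110100010",
    "0111110110011011010111110",
    "0000000101010101010000000",
    "1111111110111100111111111",
    "0011100010001010011100111",
    "0100011011001101101000000",
    "0101010000111110110010100",
    "0011111011010110011010101",
    "1001010100000111010010000",
    "0001111100000101001010110",
    "0110110100110010110100000",
    "0100101001101111101000010",
    "0110100101100000000001010",
    "1111111100111011011101001",
    "0000000101101110010101100",
    "0111110101111100011100110",
    "0100010110011010000001101",
    "0100010111011101000011000",
    "0100010110010110111010010",
    "0111110100101111000010110",
    "0000000100000010010100110",
]
# Fixed QR structures, written with "1" = dark module.
FINDER = ["1111111", "1000001", "1011101", "1011101", "1011101", "1000001", "1111111"]
ALIGN = ["11111", "10001", "10101", "10001", "11111"]


def qr_version(rows):
    """QR symbols are squares of side 17 + 4*version; return the version or None."""
    n = len(rows)
    if n < 21 or (n - 17) % 4 or any(len(r) != n for r in rows):
        return None
    return (n - 17) // 4


def _block_matches(grid, top, left, pattern, dark):
    """True if the block at (top, left) equals pattern, with "1" meaning the dark char."""
    light = "1" if dark == "0" else "0"
    return all(grid[top + i][left + j] == (dark if p == "1" else light)
               for i, prow in enumerate(pattern) for j, p in enumerate(prow))


def detect_polarity(rows):
    """Which character plays 'dark' ("0" or "1")? Decided by the three finder patterns."""
    n = len(rows)
    for dark in ("1", "0"):
        if all(_block_matches(rows, t, l, FINDER, dark) for t, l in ((0, 0), (0, n - 7), (n - 7, 0))):
            return dark
    return None


def structural_issues(rows):
    """List problems with the fixed QR structures; an empty list means it looks like a QR."""
    version = qr_version(rows)
    if version is None:
        return [f"not a square of side 17 + 4*v (got {len(rows)} rows)"]
    dark = detect_polarity(rows)
    if dark is None:
        return ["finder patterns not found in the three corners"]
    light, n, issues = ("1" if dark == "0" else "0"), len(rows), []
    # Separators: a one-module light ring around each finder pattern.
    separators = {
        "top-left": [(7, c) for c in range(8)] + [(r, 7) for r in range(8)],
        "top-right": [(7, c) for c in range(n - 8, n)] + [(r, n - 8) for r in range(8)],
        "bottom-left": [(n - 8, c) for c in range(8)] + [(r, 7) for r in range(n - 8, n)],
    }
    for name, cells in separators.items():
        if any(rows[r][c] != light for r, c in cells):
            issues.append(f"separator around the {name} finder is not light")
    # Timing patterns: row 6 and column 6 alternate between the finders, dark first.
    for k in range(8, n - 8):
        want = dark if k % 2 == 0 else light
        if rows[6][k] != want:
            issues.append(f"horizontal timing pattern broken at column {k}")
        if rows[k][6] != want:
            issues.append(f"vertical timing pattern broken at row {k}")
    if rows[4 * version + 9][8] != dark:  # this module is dark in every QR symbol
        issues.append("dark module beside the bottom-left finder is missing")
    # Version 2 has one alignment pattern, centred at (18, 18); bigger versions have
    # several, which this example does not enumerate.
    if version == 2 and not _block_matches(rows, 16, 16, ALIGN, dark):
        issues.append("alignment pattern centred at (18, 18) not found")
    return issues


def render(rows, dark, quiet=4):
    """Dark modules as '##', light as '  ', padded with the quiet zone scanners expect."""
    pad, n = "  " * quiet, len(rows)
    body = [pad + "".join("##" if c == dark else "  " for c in r) + pad for r in rows]
    blank = "  " * (n + 2 * quiet)
    return "\n".join([blank] * quiet + body + [blank] * quiet)
```

Call `structural_issues(ROWS)` first; when it returns an empty list, `print(render(ROWS, detect_polarity(ROWS)))` draws the symbol. On this matrix the finder patterns only line up with "0" as the dark module, which is exactly what the sed one-liner produces on a dark-background terminal (1 becomes a bright reverse-video cell, 0 stays blank); on a light-background terminal the same command paints the QR inverted, and many scanners will not read it, so the polarity check is worth running before trusting a screenshot.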
<h2>FLAG</h2>
<span data-rz-clipboard="true"><span data-rz-params="{"__TYPE":"TEXT","T_BG_COLOR":"#B5EB5E"}">0CTF{Reverse DNS is so FUN!}</span></span>
<h3>CREATED BY</h3>
Epic Leet Team
|
Summary |