Merge pull request #25 from ValarDragon/master

Added My USB and Scisnerof Writeups

Author: Michael Zhang

cryptography.md

@@ -7,7 +7,7 @@ This category focuses on using advanced mathematical topics to encrypt data to p
 * [RSA 1 \[50 points\]](/cryptography/rsa-1-50-points.md)
 * Let Me Be Frank \[75 points\]
 * RSA 2 \[80 points\]
-* Decode Me \[100 points\]
+* [Decode Me \[100 points\]](/cryptography/decode-me-100-points.md)
 * [Hash on Hash \[100 points\]](/cryptography/hash-on-hash-100-points.md)
 * RSA 3 \[135 points\]
 * Diffie-cult \[140 points\]
@@ -18,6 +18,3 @@ This category focuses on using advanced mathematical topics to encrypt data to p
 * [Genius \[230 points\]](/cryptography/genius-230-points.md)
 * [Premium RSA \[350 points\]](/cryptography/premium-rsa-350-points.md)
 * [Paillier Service \[400 points\]](/cryptography/paillier-service-400-points.md)
-
-
-

forensics.md

@@ -4,14 +4,14 @@ This category refers to the recovery of information from evidence, like extracti
 
 * [20xx \[50 points\]](/forensics/20xx-50-points.md)
 * [Mane Event \[50 points\]](/forensics/mane-event-50-points.md)
-* scisnerof \[70 points\]
+* [scisnerof \[70 points\]](/forensics/scisnerof-70-points.md)
 * [Petty Difference \[75 points\]](/forensics/petty-difference-75-points.md)
 * Flag Collection \[80 points\]
 * Zooooooom \[85 points\]
 * QR 1 \[100 points\]
 * Gibberish \[100 points\]
 * Ogrewatch \[100 points\]
-* My USB \[150 points\]
+* My USB [\[150 points\]](/forensics/my-usb-150-points.md)
 * [Flag PEG \[150 points\]](/forensics/flag-peg-150-points.md)
 * ZIP Tunnel \[160 points\]
 * [Finn \[200 points\]](/forensics/finn-200-points.md)

forensics/my-usb-150-points.md

@@ -0,0 +1,30 @@
+# My USB - 150 points
+
+I found_ [my usb](https://github.com/EasyCTF/easyctf-2017-problems/blob/master/my-usb/usb.img) from a long time ago. I know there's a flag on there somewhere; can you help me find it?
+
+### Solution
+###### Writeup by Valar Dragon
+
+We're given a USB img. First thing I did was try to actually restore the USB image onto a USB. We see a document called "hack.docx", with two images in it, and a zip file called flag.zip, with an image of the usaflag in it, and an image called cryptolock.png.
+
+Doing my standard forensic analysis, like looking at hexdumps, and looking for other file headers through scalpel, yielded nothing.
+There is some code that is visible on both of the images inside the word file, but it seems too distorted to be relevant.
+
+Then I thought to scalpel the original USB img file.
+
+``` bash
+$ scalpel -c scalpelConfig.txt  usb.img
+```
+
+This gives 3 images, instead of just the two inside of the docx! (It doesn't give the image inside of flag.zip)
+
+Heres the extra file:
+
+![flag.jpg](https://raw.githubusercontent.com/HackThisCode/CTF-Writeups/master/2017/EasyCTF/My%20USB/flag.jpg)
+
+Theres our flag!
+`flag{d3let3d_f1l3z_r_k00l}`
+
+### External Writeups
+
+* [https://github.com/HackThisCode/CTF-Writeups/blob/master/2017/EasyCTF/My%20USB/README.md](https://github.com/HackThisCode/CTF-Writeups/blob/master/2017/EasyCTF/My%20USB/README.md)

forensics/scisnerof-75-points.md

@@ -0,0 +1,28 @@
+# Scisnerof - 70 points
+
+I found weird file! [elif](https://github.com/EasyCTF/easyctf-2017-problems/blob/master/scisnerof/elif)
+
+### Solution
+###### Writeup by Valar Dragon
+
+Scisnerof is Forensics backwards, and elif is file backwards! It seems likely that elif is a reversed file.
+This "elif" file has no default app, so let us look at it through a hex editor. I used Bless, a hex editor for linux.
+
+![hexdump.png](https://raw.githubusercontent.com/HackThisCode/CTF-Writeups/master/2017/EasyCTF/scisnerof/hexdump.png)
+If we scroll to the bottom, we see that theres the PNG File header reversed to GNP!
+
+So it looks we just need to reverse the file!
+We can do it in one line with python
+``` python
+$ python3
+open('scisnerof.png','bw+').write(open('elif','br').read()[::-1])
+```
+
+Then open up [scisnerof.png](https://raw.githubusercontent.com/HackThisCode/CTF-Writeups/master/2017/EasyCTF/scisnerof/scisnerof.png),
+![scisnerof.png](https://raw.githubusercontent.com/HackThisCode/CTF-Writeups/master/2017/EasyCTF/scisnerof/scisnerof.png)
+and theres our flag! `easyctf{r3v3r5ed_4ensics}`
+
+
+### External Writeups
+
+* [https://github.com/HackThisCode/CTF-Writeups/blob/master/2017/EasyCTF/scisnerof/README.md](https://github.com/HackThisCode/CTF-Writeups/blob/master/2017/EasyCTF/scisnerof/README.md)

web/edge-2-200-points.md

@@ -0,0 +1,116 @@
+# Edge 2 - 200 points
+
+Last time we screwed up. But we've learned our lesson.
+
+### Solution
+###### Writeup by Valar Dragon
+
+Beginning with the same procedure as Edge 1, navigate to `/.git`
+
+![Git Directory Image](https://raw.githubusercontent.com/HackThisCode/CTF-Writeups/master/2017/EasyCTF/Edge%202/gitDir.png)
+
+So the directory exists, but they've blocked directory listing!
+
+So were going to do the same attack at last time, but instead of doing a recursive download, we will have to download the files manually.
+There is going to be a lot of overlap between the Edge 1 and Edge 2 .git directories, since they are both cloned from the same project.
+So lets start by copying everything from Edge 1 into an Edge 2 directory.
+
+![.git ls](https://raw.githubusercontent.com/HackThisCode/CTF-Writeups/master/2017/EasyCTF/Edge%202/gitLs.png)
+
+So we need to replace all the `logs, refs, COMMIT_EDITMSG, HEAD, index, and then finally the objects`.
+
+Updating everything but objects is pretty straightforward.
+
+Just navigate to the `/logs/HEAD` and `logs/refs/heads/master` to ge those files, and likewise for the rest of the files.
+
+Now we can take the git log!
+
+``` html
+$ git log
+commit a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd
+Author: Michael <michael@easyctf.com>
+Date:   Mon Mar 13 07:32:12 2017 +0000
+
+    Prevent directory listing.
+
+commit 6b4131bb3b84e9446218359414d636bda782d097
+Author: Michael <michael@easyctf.com>
+Date:   Mon Mar 13 07:32:10 2017 +0000
+
+    Whoops! Remove flag.
+
+commit 26e35470d38c4d6815bc4426a862d5399f04865c
+Author: Michael <michael@easyctf.com>
+Date:   Mon Mar 13 07:32:09 2017 +0000
+
+    Initial.
+
+commit 15ca375e54f056a576905b41a417b413c57df6eb
+Author: Fernando <fermayo@gmail.com>
+Date:   Sat Dec 14 12:50:09 2013 -0300
+
+    initial version
+
+```
+
+Now we have to update the objects directory. Here is the format of the directory:
+
+```
+$ ls objects
+09  15  3e  61  6a  7b  8a  96  9e  a7  b9  bf  e0  ee    pack
+14  37  5d  64  71  7c  94  9b  a1  af  bd  d1  ed  info
+$ ls objects/15
+ca375e54f056a576905b41a417b413c57df6eb
+$ cat objects/15/ca375e54f056a576905b41a417b413c57df6eb
+x
�jC!��)�@ˮ������cյ��)��yW��
+
+                                 L�ե��Et��|4NE��H
7����E{�Uw�җ�8Q	>�d���>W\A���[t\�Q�\�c�o��{�Rd6������J�]5�-��v�	@���[�n�j�����d>���3�D�
+```
+Each folder in objects is the first 2 characters of the SHA1, and the names of the files are the rest of the SHA1.
+The contents of each file is not ascii.
+Git objects are actually zlib compressed to save space, so
+``` html
+$ zlib-flate -uncompress < objects/15/ca375e54f056a576905b41a417b413c57df6eb commit 220tree 7b456b0125e74b44d1147182019c704c53132013
+parent 8ac4f76df2ce8db696d75f5f146f4047a315af22
+author Fernando <fermayo@gmail.com> 1387036209 -0300
+committer Fernando <fermayo@gmail.com> 1387036209 -0300
+
+initial version
+
+```
+So each commit has a git object with files it edited!
+So we are going to need to checkout the commit:
+``` html
+commit 26e35470d38c4d6815bc4426a862d5399f04865c
+Author: Michael <michael@easyctf.com>
+Date:   Mon Mar 13 07:32:09 2017 +0000
+
+    Initial.
+```
+So
+
+``` html
+$ zlib-flate -uncompress < objects/26/e35470d38c4d6815bc4426a862d5399f04865c
+commit 215tree 323240a3983045cdc0dec2e88c1358e7998f2e39
+parent 15ca375e54f056a576905b41a417b413c57df6eb
+author Michael <michael@easyctf.com> 1489390329 +0000
+committer Michael <michael@easyctf.com> 1489390329 +0000
+
+Initial.
+
+```
+Then get the file `objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39`
+I did the same for every other commit.
+
+Then `git checkout 26e35470d38c4d6815bc4426a862d5399f04865c`
+and then theres a flag.txt in the main dir!
+```
+$ cat flag.txt
+easyctf{hiding_the_problem_doesn't_mean_it's_gone!}
+
+```
+
+
+### External Writeups
+
+* [https://github.com/HackThisCode/CTF-Writeups/blob/master/2017/EasyCTF/Edge%202/README.md](https://github.com/HackThisCode/CTF-Writeups/blob/master/2017/EasyCTF/Edge%202/README.md)

web/web-tunnel-260-points.md

@@ -32,3 +32,7 @@ Running the program for a few minutes and searching the output file for 'easyctf
 
 
 ###### Flag: easyctf{y0u_sh0uld_b3_t1r3d_tr4v3ll1ng_all_th1s_w4y}
+
+### External Writeups
+
+* [https://github.com/HackThisCode/CTF-Writeups/blob/master/2017/EasyCTF/Web%20Tunnel/README.md](https://github.com/HackThisCode/CTF-Writeups/blob/master/2017/EasyCTF/Web%20Tunnel/README.md)