The RingZer0 CTF Challenges

As this is my week off from work I though I would start, albeit slowly, with some capture the flag challenges. A few, or rather more than ten, years ago I hung around Hack This Site so rationally I went back but only to see that it hasn’t really been updated. This spring I spuriously made my way some of Over the wire challenges but now I looked around for something new. What I found was RingZer0 (https://ringzer0ctf.com) which has as of now 296 challenges and ~25k registered users.

Reasonably I started with the first challenge that comes up, a coding challenge called “Hash me if you can”, a reference to the movie “Catch me if you can” following the life and escapades of Frank Abignale who’s a social engineer and overall smart guy traversing life and the globe whilst keeping a step ahead of the FBI. Anyhow, the challenge promts you this text:

You have 2 seconds to hash this message using sha512 algorithm
Send the answer back using https://ringzer0ctf.com/challenges/13/[your_hash] 

and a message in the following format:

----- BEGIN MESSAGE -----
RVxzHYkAtMDZoK0PSQtwY9cn3BJAlN93zws7lDyEf1uuCk9k1tHPsJ2maCMmfLfF7yCj10N6S7rkiqv9J2P2CHfDaSPftUKrjdAa3e7LcoWkFhkfaZ8Cxd5xVLDfwexFhYFb2CN4QzfmHqrHfpaCt50fHtk3xHyFw3GowjjdJpphFHPKWPdgL4linwbL3zgptMEPWOSw38DzFj9rYdyz7JIl5JWZ92ftFK8soROiPiHkrHCgK0GIzeUvOGkNyq7405meM1ms9TCrr4x1V3Ak7kGLQRpf7maYim2VdfddZGugAR8lKzwIJ3kqKAwINxwVJpHNuLQkhbrISqTtPg2p9cGKC3igqE10TzDeakphmGP4XzoCGgSGjogMhoSySKoC9SG93VhfsXafmoHTvqpFEvhMKZbtzpVz7sz1eG6wt6BGl9pHpFcU1kxB9yVzOHZMZoD3UzpevRKHR0e6wgRnqePqDAQh7FTXUmRFM7J8OkFvbJsxQaK7fpoIQ5QOBzBlMiQofqmUARgBrzZ8zz6EPldvgT9HjBTVKAaPQmAh4HJm6ylwYh1Ds4ZyOZ6XqPJ0gJGWW73QED3A1eWPlNjEI83nXZaeFK4LjBx5yrM3UFtMKgsWUBqtzjGn9HrEhmgqODmdVZ6Gvpi5wARh28Ash6FgDXKLaQ2PkeS64ODp4Mkqc2y40Yn7VSepGP0HwSmHX4ERJ76DJhUMaiH06UYSD279IXH4GTBtO5bn38RCfBefJL6GwUoZNlZm9wgFgIZUE08xYP04h5aQG6m3RBSvMHHM4Oiam7VRYUfNz5HG0InxEAqm19IEHfgBToB6lnOa7TNxPl4GTh4oHlBzk93Re9iYnKVzYAAVkdjZpdw9lqnTBOiLObtTbCHpctO0TeM4iVTxZgwawKTXp1z33SM4kkjnEYeo3RibC2zr8WsuxbiN2HGWqjQBu0PYOTdHBlJ3d9lcVEwjFFWyctktD0UXQzMvjP3K1CE4BQ6nktxPYjd1Dok6f5UWuwhDcae3DIY5
----- END MESSAGE -----

The challenge can be solved in nearly an infinite amount of ways so to choose one that we’re comfortable with and that can solve the challenge is our first step. To do this we can list what we need to achieve:

1. Fetch the message to hash
2. Hash the message
3. Submit the hash to the correct address

We can achieve all this with a python script using a http library like requests, a nice c program or as there are programs dedicated these tasks ready and waiting in our linux environment we can use a simple oneliner in a shell of your choosing. I like shells and it gives us an opportunity to get more familiar with tools that we use regularly anyway so we’ll use a simple shell script.

1. Fetching the message

The first step of fetching the message, and presumably starting the timer, can be done with several programs at your fingertips (wget, curl, etc). I’ll be using curl for this challenge. To fetch your specific challenge you’ll need to be logged in, this is tracked by a cookie called ‘PHPSESSID’ which tracks your current browser session. For a later challenge I might create a bit of
a framework to sign in and automate this step across challenges but for now we’ll just log in with our regular browser, Firefox, and pass the session
cookie to curl for our requests. Fetching the message we’re supposed to hash can be done easily with this command:

curl -sb PHPSESSID=[your cookie] https://ringzer0ctf.com/challenges/13

Easy! But this doesn’t fetch just the message we want but the whole page, no problem we can parse out the message quickly using other handy command line tools. The message is isolated by the markers begin message and end message above, we can easily use these, as long as there are no others hidden in the page, to isolated the message by piping the output of curl to the following command:

grep -A 1 'BEGIN MESSAGE' | tail -1

2. Hash the message

Almost there! If we look at the output of this it isn’t really as clean as we need it. There are tabs and HTML line breaks that we need to clear up,  easily done with a stream editor and the power of regular expressions!

sed -re 's/\t|<br \/>.*$//g'

This might look a bit unreadable but if you don’t read regex but what we are asking sed to do is to substitute all tabs and ‘<br />’ (plus anything inbetween <br /> and the end of the line) with nothing, everywhere in the stream. We might think that we are ready to send this nice looking output the hash function already but there are hidden forces that will ruin the hash if we just pipe this to the hashing function.

We can compare the hash of the message we fetch and the output of our processed command line pipe and see that they do not match. We can compare the two strings with hexdump to see what is going on.

A hexdump of the copied message gives us this output:

printf "[our message]" | hexdump
0000000 5652 7a78 5948 416b 4d74 5a44 4b6f 5030
...
00003f0 3566 5755 7775 4468 6163 3365 4944 3559
0000400

A hexdump of the pipe gives us:

0000000 5652 7a78 5948 416b 4d74 5a44 4b6f 5030
...
00003f0 3566 5755 7775 4468 6163 3365 4944 3559
0000400 000a
0000401

There is one byte extra that we can’t have in the output of our pipe, a new line that ruins the hash for us. But no worries, this is easily taken care of by adding another stage in the pipeline which removes the last byte. Now the message is ready the be hashed!

head -c -1 | sha512sum

3. Submitting our result

Now we have the tools in place to programmatically fetch the message, clean it up and hash it. All that is left is to submit it! This is done by a HTTP
request to the address in the challenge prompt and we can use curl again to perform this request. The hash now looks like this:

d1666bf465316aea7ef2b3210051b1dd248a3523076f7d51548463260cb3f5e6cccf2188ac7917b83edec61c309876b0f65dcacabba1c39c6189d022d4b140f1 -

That dash on the end indicates the hash was calculated from standard input and not a specified filename. That needs to go, easily done with the command cut! In order to specify the address for curl to access the whole url needs to be supplied as an argument but our hash is passed in a pipeline… We can tackle this easily in two ways, execute the first two parts in one go and use the output as a command line argument for curl which would look something like this:

curl -sb 'PHPSESSID=[cookie]' https://ringzer0ctf.com/challenges/13/$([everything we did before])

Easy enough but not all that pretty and as we already did everything up to this point using pipes we might as well see it through! xargs is the program for us in this situation, it a neat utility to pass the standard output of one program as an argument to the next. I confess this might not really be that different from the other solution but it keeps the flow of data linear and adds lots of readability instead of nesting commands in each other. The main difference is that the first solution uses the to store the immediate result on place it on the argument vector for the outer execution of curl whereas we use xargs to do it and execute curl for us. But readability is important as well so I’ll go with xargs.

cut -d ' ' -f 1 | xargs -I {} curl -sb 'PHPSESSID=[cookie]' https://ringzer0ctf.com/challenges/13/{}

If we run this:

curl -sb PHPSESSID=[cookie] https://ringzer0ctf.com/challenges/13 | grep -P -A 1 'BEGIN MESSAGE' | tail -1 | sed -re 's/\t|
.*$//g' | head -c-1 | sha512sum | cut -d ' ' -f 1 | xargs -I {} curl -sb PHPSESSID=[cookie] https://ringzer0ctf.com/challenges/13/{} 

we complete the challenge, hopefully within the timing requirements and in the HTML we get back we find the flag to submit as proof we completed the challenge. We can easily parse it out by adding the following to our pipeline:

grep -Po 'FLAG-\w+'

If someone reads this I hope you might pick up on something, the awesomeness that is the unix command line and piping perhaps?

Good luck!

/Linuxxon