Introduction
This assignment takes the form of an information security capture-the-flag (CTF) style competition. In a CTF, participants solve problems involving security weaknesses and bypass defences to obtain a sensitive piece of information called the "flag".
Acknowledgements
AY21/22), Weiu Cheng (AY22/23, AY21/22), Wen Junhua (AY22/23, AY20/21), Shawn Chew (AY 21/22), Chan Jian Hao
(AY21/22), Ye Guoquan (AY21/22), Debbie Tan (AY20/21), Jaryl Loh (AY20/21, AY21/22), Daniel Lim (AY20/21), Chenglong (AY19/20), Shi Rong (AY17/18, AY19/20), Glenice Tan (AY19/20, AY18/19), Ngo Wei Lin (AY19/20, AY18/19), Lee Yu Choy (AY20/21, AY19/20, AY18/19, AY17/18), Nikolas Tay (AY 16/17) and Jeremy Heng (AY 16/17).
This assignment is worth 15% of the grade for the entire module. Assignment 1 is divided into the following sections:
1. Easy (75 points): Answer all challenges.
2. Medium - Web Security (30 points): Answer only one challenge; solving the other challenge does not earn you bonus points.
3. Medium - System Security (30 points): Answer only one challenge; solving the other challenge does not earn you bonus points.
4. Hard (15 points): Answer only one challenge; solving the other challenge does not earn you bonus points.
5. Bonus (15 points): Optional. Solve all challenges to obtain 15 bonus points.
The maximum number of points that can be obtained in this assignment is 150. Solving all questions in the bonus section can help you earn additional bonus points. Note that any bonus points earned in this assignment can be used, if needed, to top up the following CA components: 2 CTF assignments (30%) and 1 Group Presentation (5%).
To illustrate how the point calculation is done, you can consider the following 2 examples. Suppose Bob correctly answers all easy challenges, 4 medium (2 web, 2 system) challenges, and 0 hard challenges. Bob obtains: 75+30+30+0=135. Alice, meanwhile, correctly answers all easy challenges, 1 medium (system) challenge, 2 hard challenges and all bonus questions. Alice obtains: 75+30+0+15+15=130. Alice actually earns her 15 bonus points, which are then used to directly top up her A2 points.
Please avoid submitting old flags from past assignments of this module. If you are caught submitting a past flag to a challenge, your points for that challenge will be capped at 70% of its possible points. Note that past flags won't work anyway.
Contact
Please direct any inquiries about the assignment to:
1. kelzin@u.nus.edu (Tan Kel Zin)
2. weiucheng.tan@u.nus.edu (Tan Weiu Cheng)
3. wen_junhua@u.nus.edu (Wen Junhua)
4. c.akash@u.nus.edu (Akash Chandrasekaran)
5. dcssu@nus.edu.sg (Prof. Sufatrio*)
Note that the TAs will not be debugging your code, but will only be around to discuss high-level ideas. Do allow 3 working days for replies. Discussions on the forums are highly encouraged.
*: Please cc me if you email your queries about the given challenges; for issues with access to the CTFd server, please email your TAs.
Rules and Guidelines
PLEASE READ THE FOLLOWING BEFORE BEGINNING
1. You are required to log in to https://cs2107-ctfd-i.comp.nus.edu.sg/ (accessible only within NUS Network) to submit flags.
All source codes and scripts, if any, in their respective folder based on the challenge name.
3. Do not attack any infrastructure not explicitly authorised in this document.
4. Multiple flag submissions are permitted on the scoring platform without any penalty, but no bruteforcing of flag submission on the server will be tolerated.
8. All challenges have a solution. They are guaranteed to be solvable with assistance of the internet and some research.
9. Ask the TAs for assistance only after you have exhausted every other avenue of self-help.
10. Every challenge will contain a flag and will provide the accepted flag format. Please ensure your submissions meet the stated flag format exactly. This means you must include the CS2107{} portion unless otherwise stated.
One of the most important skills in the information security field is the skill of seeking an answer independently. It is expected that the participant be able to utilise resources discovered through Google or any other search engine to achieve the tasks.
While the challenges might not be covered in entirety in class, the topics in the assignment are very applicable to security problems in real life. In the long run, the practical skills gained would benefit participants immensely.
Linux Environment
A Linux system is crucial for solving some of the challenges. The challenges in this section will prepare you for the more advanced sections by presenting some elementary tasks to solve. It is expected that the participant has rudimentary proficiency in using a Linux system, which can be gleaned by reading the tutorial at this link: https://www.digitalocean.com/community/tutorials/an-introduction-to-the-linux-terminal.
However, more knowledge might be needed, and it is expected that the participant do some self-exploration.
The nc Command
Throughout the assignments, if you see a challenge with nc aaa.bbb.ccc.ddd xxxx, then it means that the challenge is hosted on the aaa.bbb.ccc.ddd server on port xxxx.
You can connect to the server by using the nc command in your terminal. In short, you can just copy & paste nc aaa.bbb.ccc.ddd xxxx and run it directly.
If you wish to host a TCP server locally, you can use ncat:
    ncat -lvk -p 15000 -e "python3 main.py"
Then connect to it with:
    nc localhost 15000
Python3 Cheatsheet
Some challenges in the assignment might require some scripting to solve. Although you can use any programming language you prefer, we recommend Python3.
Here's a link to a cheatsheet: https://gist.github.com/DavidTan0527/43edbf49fc550100a5a88d23627480ff
If you prefer a PDF file, you can download it from the assignment folder.
System Security Cheatsheet
You can find the cheatsheet here: https://gist.github.com/DavidTan0527/ec2a73972284d38b1233bcd7d757f793
If you prefer a PDF file, you can download it from the assignment folder.
Answer all challenges.
E.1 Wireshark (15 marks)
Bob is sending his password unencrypted through the network. We (hackers) have successfully sniffed and captured Bob's packets from the network, but there is a lot of noise from other irrelevant packets.
Can you help us to find his password using Wireshark?
His password is in the format of: CS2107{...}
Author: Kel Zin
An attacker managed to steal a shadow password file shadow.txt from a server. It contains the salted + hashed password of Bob, which happens to use a weak password.
Can the attacker find out the weak password of Bob as reported by John the Ripper?
Submit your flag in the following format: CS2107{reported password}
Author: Kel Zin
I started a new personal web project, but it's still a work in progress. There is nothing to see here, or is there?
http://165.22.244.105:12345
Flag format : CS2107{...}
Author: Weiu Cheng
I think there is some suspicious network service (HTTP) running on this IP address: 165.22.244.105
Access the network service to get the flag!
Note: please ignore the ports 12345, 48787 as they are not related to this challenge. Other common ports like 80, 443 etc. should also be ignored.
Author: Weiu Cheng
What are cookies? Hmm are they edible? I have hidden my cookies :D. Can you find them? http://cs2107-ctfd-i.comp.nus.edu.sg:16061/
Author: Junhua
You must choose to answer only 1 out of the 3 challenges from this section. Doing more than 1 will not earn bonus points. However, you are welcome to answer all the challenges.
I made a UDP Packet Viewer for one of my classes, but someone said that there was something wrong with it?! Can you find out what?
nc cs2107-ctfd-i.comp.nus.edu.sg 16303
Author: Akash
The bouncer got replaced, now this one is just firm. Uh, mind hacking him so that I can get some tequilas?
nc cs2107-ctfd-i.comp.nus.edu.sg 16302
Author: Akash
This bouncer just won't let me go inside to the shell! Can you just hack him?
nc cs2107-ctfd-i.comp.nus.edu.sg 16301
Author: Akash
You must choose to answer only 1 out of the 3 challenges from this section. Doing more than 1 will not earn bonus points. However, you are welcome to answer all the challenges.
Learn how to execute an XSS attack with step by step instructions on the website http://cs2107-ctfd-i.comp.nus.edu.sg:16062/
Author: Junhua
I have implemented a filter :D. Can you bypass it? http://cs2107-ctfd-i.comp.nus.edu.sg:16063/
Author: Junhua
Special Queryable L33t In Notes (sqli_notes) might be exploitable! Find the flag in the secret note!
http://cs2107-ctfd-i.comp.nus.edu.sg:16305/
Author: Akash
Shellcoding is a traditional way of writing code on turtle shells back when paper wasn't invented. Not everyone has shells to code with, can you try to get a shell yourself?
Author: Weiu Cheng
I have created this new webpage where everyone can keep their own secrets.
However, what's the fun of the secret if no one has a chance of finding it out?
I wonder how someone can do that :P.
http://cs2107-ctfd-i.comp.nus.edu.sg:16064/
Author: Junhua
(This section is optional) These challenges are not in the scope of the module. You are required to do additional research yourself to solve the challenges.
Bonus.1 banana
I couldn't think of a proper name, so this is called banana.
nc cs2107-ctfd-i.comp.nus.edu.sg 16304
Author: Akash
Bonus.2 Local Delicacies
Welcome to my Recipe shop with local delicacies. Feel free to view the various delicacies available. http://cs2107-ctfd-i.comp.nus.edu.sg:16065/
Author: Junhua