2021-2023 blogposts

Author: cacama-valvata

content/blog/0x41414141-ctf-0x414141.md

@@ -0,0 +1,121 @@
+---
+title: "0x41414141 CTF - 0x414141"
+author: "Lyell Read"
+date: 2021-02-02T00:00:00-07:00
+categories: ['Writeups']
+tags: ['0x41414141 ctf']
+caption: "0x41414141 CTF logo"
+
+draft: false
+---
+
+## Prompt
+
+I think offshift promised to opensource some of their code
+
+author: notforsale
+
+## Solution
+
+First off, we navigate to the [offshift-dev](https://github.com/offshift-dev/assets/commits/master) github account, linked from the offshift site. Unfortunately, nothing there. Searching google for “offshift github” brings us to a different github with a [single suspicious repository](https://github.com/offshift-protocol/promo). This has two commits, one where files are uploaded, and one in which the \__pycache__ folder is deleted. That folder sounds interesting, so we clone the repository, and checkout the commit where the files were added:
+
+```
+git clone git@github.com:offshift-protocol/promo.git
+cd promo
+git checkout dc43c1ac33f767a7d30dbeab123a1c87566e885d
+cd __pycache__
+```
+
+There, we see one `.pyc` file, which is very likely where the interesting part of this challenge is. To understand it, we use uncompyle6:
+
+```
+pip3 install uncompyle6 --user
+uncompyle6 script.cpython-38.pyc > ../../uncompyled.py
+```
+
+Now, upon reviewing that file, we see that we have some interesting cipher of sorts that uses XOR and base64 somehow:
+
+```
+import base64
+secret = 'https://google.com'
+cipher2 = [b'NDE=', b'NTM=', b'NTM=', b'NDk=', b'NTA=', b'MTIz', b'MTEw', b'MTEw', b'MzI=', b'NTE=', b'MzQ=', b'NDE=', b'NDA=', b'NTU=', b'MzY=', b'MTEx', b'NDA=', b'NTA=', b'MTEw', b'NDY=', b'MTI=', b'NDU=', b'MTE2', b'MTIw']
+cipher1 = [base64.b64encode(str(ord(i) ^ 65).encode()) for i in secret]
+```
+
+From a little deduction, we can guess that the creation of `cipher1` based on `secret` is how the list `cipher2` was developed. Therefore, to decipher that array, we simply need to reverse the list comprehension that generates `cipher1`.
+
+Working from the outside to the inside (to reverse the operations done during enciphering), we will need to first base64 decode each element. Then, we will have to cast it to an int (the output of `ord()`), and then use `chr()` to undo the `ord()` operation. Lastly we must undo the XOR with 65, which can be done by simply XORing it again. This can all be accomplished as so:
+
+```
+print(''.join([chr(int(base64.b64decode(x)) ^ 65) for x in cipher2]))
+```
+
+From that, we get a URL: [https://archive.is/oMl59](https://archive.is/oMl59). That archive is a post on 4chan’s /x/ board where the original poster included a link to a [mega.nz file download](https://mega.nz/file/AAdDyIoB#gpj5s9N9-VnbNhSdkJ24Yyq3BWSYimoxanP-p03gQWs). This downloads what appears to be a corrupt “PDF” [file called smashing.pdf], which `file` identifies as “data”, indicating that there are no identifiable magic bytes.
+
+> NOTE: At this point, inference is made that this PDF is encrypted with a repeating key that makes use of the magic bytes to reverse.
+
+From Wikipedia, we can see that a PDF file should start with `25 50 44 46 2d`, so we perform an XOR to determine what the key that was used to encrypt this PDF was.
+
+```
+  25 50 44 46 2d -- PDF Magic Bytes
+^ 64 11 05 07 6c -- Start of smashing.pdf
+----------------
+= 41 41 41 41 41 -- key used to encrypt
+```
+
+I would not expect anything less. Therefore, we need to decrypt the whole PDF using this key, and for that, we can use a python script like this one:
+
+```
+with open("smashing.pdf", "rb") as f:
+    contents = f.read()
+
+key = b"\x41\x41\x41\x41"
+out = b""
+for i in range(len(contents)):
+    out += bytes([contents[i] ^ key[i % len(key)]])
+
+with open("done_xor.pdf", "wb") as f:
+    f.write(out)
+```
+
+```
+file done_xor.pdf
+done_xor.pdf: PDF document, version 1.4
+```
+
+That’s much better, but there’s more. When running `strings` on that file, we see references to `flag.txt`, so this could be real steganography. To find out, we use `foremost`:
+
+```
+dd if=done_xor.pdf | foremost
+Processing: stdin
+|360+1 records in
+360+1 records out
+184539 bytes (185 kB, 180 KiB) copied, 0.0017788 s, 104 MB/s
+foundat=flag.txtUT
+*|
+```
+
+Interesting, so we appear to have recovered something. Looking through `foremost`‘s [output folder](https://github.com/lyellread/ctf-writeups/blob/master/2021-0x41414141/0x414141/output), we can see that it sliced a PDF and a Zip archive. Next, we have to unzip that, presumably. Let’s give that a shot:
+
+```
+unzip foremost.zip
+Archive:  foremost.zip
+[foremost.zip] flag.txt password: 
+```
+
+We need a password, and because we do not know it, we are going to have to crack it. To do so, we must build John The Ripper from source (to have access to `zip2john`). For that, I followed [this handy guide](https://hackthestuff.com/article/how-to-install-john-the-ripper-in-linux-and-crack-password). Once installed, it’s as easy as:
+
+```
+zip2john foremost.zip > hashes
+john hashes --show
+foremost/flag.txt:passwd:flag.txt:foremost::foremost
+1 password hash cracked, 0 left
+```
+
+Armed with our password `passwd`, we attack the Zip, and get the flag:
+
+```
+flag{1t_b33n_A_l0ng_w@y8742}
+```
+
+~ Lyell

content/blog/2021-2022-osusec-officers-decided.md

@@ -0,0 +1,25 @@
+---
+title: "2021-2022 OSUSEC Officers Decided"
+author: "Lyell Read"
+date: 2021-04-24T00:00:00-07:00
+categories: ['Club News', 'Meeting Notes']
+tags: ['2021-2022 elections']
+caption: ""
+
+draft: false
+---
+
+For the coming school year, we welcome in 8 officers, in the following positions:
+
+- President: Lyell Read
+- Vice President: Zach Taylor
+- Treasurer: Mike Carris
+- Lab Manager: Cameron McCawley
+- Community Manager: Christa Wright
+- Recruitment: Brandon Ellis
+- CTF League Coordinator: Allen Benjamin
+- Graphic Designer: Sierra Freihoefer
+
+This year is the first year that the posts of Recruitment Officer, CTF League Coordinator, and Community Manager were officially up for grabs. All three were positions that were voted in during the past year by the current officers, to respond to needs for these roles.
+
+Thanks to everyone who participated!

content/blog/2022-2023-osusec-officers-decided.md

@@ -0,0 +1,22 @@
+---
+title: "2022-2023 OSUSEC Officers Decided"
+author: "Lyell Read"
+date: 2022-04-13T00:00:00-07:00
+categories: ['Club News']
+tags: ['elections']
+caption: ""
+
+draft: false
+---
+
+The votes are in! After an entertaining election with some contested positions and contestants running from the floor, the officers for the next academic year, 2022-2023.
+
+**President:** Cameron McCawley
+**Vice President:** Casey Colley
+**Treasurer:** Mike Carris
+**Lab Manager:** Lucas Ball
+**CTF League Coordinator:** Allen Benjamin
+**Recruitment Officer**: Brandon Ellis (Interim)
+**Community Manager:** Gabriel Kulp
+
+Thanks to everyone who participated!

content/blog/2023-2024-osusec-officers-selected.md

@@ -0,0 +1,21 @@
+---
+title: "2023-2024 OSUSEC Officers Selected"
+author: "Julie Weber"
+date: 2023-04-24T00:00:00-07:00
+categories: ['Club News']
+tags: ['elections']
+caption: "The club's new 6 officers in front of screens and a whiteboard"
+
+draft: false
+---
+
+This year’s elections were intense; every candidate was subjected to memes, music, and whiteboard art that led to a lot of laughs and a lot of great people elected. Without further adieu, here are your officers for the 2023-2024 academic year:
+
+**President:** Casey Colley
+**Vice President:** Otso Barron
+**Treasurer:** Abigail Whittle
+**Lab Manager:** Lucas Ball
+**CTF League Coordinator:** Zane Othman-Gomez
+**Recruitment and Community Outreach Manager:** Julie Weber
+
+Thank you to all who came (or attended on Discord) and took part in democracy!

content/blog/bsidespdx-2022.md

@@ -0,0 +1,20 @@
+---
+title: "BSidesPDX 2022"
+author: "Casey Colley"
+date: 2022-10-08T00:00:00-07:00
+categories: ['Club News']
+tags: []
+caption: "OSUSEC members pose on stage after their first-place win being announced. "
+
+draft: false
+---
+
+Howdy Hackers! This Friday, a group of OSUSEC members took a day trip up to Portland to attend BSidesPDX 2022 and compete in their CTF. We had an absolute blast, winning first place in the CTF, attending many interesting talks, and making some new friends! We became known as the team competing in the closet, as the CTF team set up fort in a nearby maintenance closet instead of the official CTF room. For our win, the club won a Flipper Zero and bragging rights 🙂
+
+Many thanks to the BSidesPDX crew for hosting another great year! The passion and hard work they bring to organizing the event is evident, and a treat every year.
+
+For more information on BSidesPDX, please visit: [https://bsidespdx.org/](https://bsidespdx.org/)
+
+![The OSUSEC team at BSides, crammed into an elevator, ready to head home.](/static/blog/bsidespdx-2022-elevator.jpg)
+
+![The CTF team in the “Big W” closet.](/static/blog/bsidespdx-2022-closet.jpg)

content/blog/crowdstrike-adversary-quest-much-sad.md

@@ -0,0 +1,83 @@
+---
+title: "Crowdstrike Adversary Quest - Much Sad"
+author: "Lyell Read"
+date: 2021-02-02T00:00:00-07:00
+categories: ['Writeups']
+tags: ['crowdstrike adversary quest']
+caption: "Logo for Crowdstrike Adversary Quest"
+
+draft: false
+---
+
+# Prompt
+
+We have received some information that CATAPULT SPIDER has encrypted a client’s cat pictures and successfully extorted them for a ransom of 1337 Dogecoin. The client has provided the ransom note, is there any way for you to gather more information about the adversary’s online presence?
+
+NOTE: Flags will be easily identifiable by following the format `CS{some_secret_flag_text}`. They must be submitted in full, including the `CS{ and }` parts.
+
+Files: [muchsad.txt](https://github.com/lyellread/ctf-writeups/blob/master/2021-crowdstrike-adversary/catapult-spider/much-sad/muchsad.txt)
+
+## Solution
+
+First task: understand the file we are provided:
+
+```
++------------------------------------------------------------------------------+
+|                                                                              |
+|                        ,oc,                                                  |
+|   BAD CAT.            ,OOxoo,                                  .cl::         |
+|                       ,OOxood,                               .lxxdod,        |
+|       VERY CRYPTO!    :OOxoooo.                             'ddddoc:c.       |
+|                       :kkxooool.                          .cdddddc:::o.      |
+|                       :kkdoooool;'                      ;dxdddoooc:::l;      |
+|                       dkdooodddddddl:;,''...         .,odcldoc:::::ccc;      |
+|                      .kxdxkkkkkxxdddddddxxdddddoolccldol:lol:::::::colc      |
+|                     'dkkkkkkkkkddddoddddxkkkkkxdddooolc:coo::;'',::llld      |
+|                 .:dkkkkOOOOOkkxddoooodddxkxkkkxddddoc:::oddl:,.';:looo:      |
+|             ':okkkkkkkOO0000Okdooodddddxxxxdxxxxdddddoc:loc;...,codool       |
+|           'dkOOOOOOkkkO00000Oxdooddxxkkkkkkxxdddxxxdxxxooc,..';:oddlo.       |
+|          ,kOOO0OOkOOOOOO00OOxdooddxOOOOOkkkxxdddxxxxkxxkxolc;cloolclod.      |
+|         .kOOOO0Okd:;,cokOOkxdddddxOO0OOOOOkxddddddxkxkkkkkxxdoooollloxk'     |
+|         l00KKKK0xl,,.',xkkkkkxxxxkOOOkkOkkkkkxddddddxkkkkkkkkxoool::ldkO'    |
+|        '00KXXKK0oo''..ckkkkkkkOkkkkkkxl;'.':oddddddxkkkkkkkkkkkdol::codkO.   |
+|        xKKXXK00Oxl;:lxkkkkkkOOkkddoc,'lx:'   ;lddxkkkkkkkxkkkkkxdolclodkO.   |
+|       ;KKXXXK0kOOOOOkkkkOOOOOOkkdoc'.'o,.  ..,oxkkkOOOkkkkkkkkkkddoooodxk    |
+|       kKXKKKKKOOO00OOO00000OOOkkxddo:;;;'';:okOO0O0000OOOOOOOOOkkxddddddx    |
+|      .KKKKKKKKOkxxdxkkkOOO000OkkkxkkkkkxxkkkkkOO0KKKKK0OOOO000OOOkkdddddk.   |
+|      xKKKKKKc,''''''';lx00K000OOkkkOOOkkkkkkkkO0KKKKKK0OO0000O000Okkxdkkx    |
+|     'KK0KKXx. ..    ...'xKKKK00OOOOO000000000OO0KKKKKKKKKKKKK0OOOOOkxdkko    |
+|     xKKKKKXx,...      .,dKXKK00000000KKKKKKKKKKKKKKKKKKKK000OOOOOOkxddxd.    |
+|    ,KKKKKXKd'.....  ..,ck00OOOOOOkO0KKKKKKKKKKKKKKKKKK0OOOOkkkkkkkxdddo.     |
+|    .KKKKK0xc;,......',cok0O0OOOkkkk0KKKK00000KKK000OOOkkkkkkkkkkkxdddd.      |
+|    .KKKKK0dc;,,'''''',:oodxkkkkkkkkkOOOOkOOOOkkkkkkkkkkkkkkkOOkkxdddd,       |
+|     0KKKKK0x;'.   ...';lodxxkkkkkkddkkkkkkkkkkkkkkkkkkOOOOOkkOkkkxddc        |
+|     xKKKKKK0l;'........';cdolc:;;;:lkkkkkkkkkkkkkkkkOO000OOOOOOkxddd.        |
+|     :KKKKK00Oxo:,'',''''...,,,;;:ldxkkkkkkkkkkkkkOkkOOOOOOOOkkkxddd'         |
+|      oKKKKK0OOkxlloloooolloooodddxkkkkkkkkkkkkkkkkkkkkkkkOOkkkxddd.          |
+|       :KKK00OO0OOkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkO0Okkkkkkkkxddd:            |
+|        o0KK00000000OOkkkkkkkkkkkkkkkkkkkkkkkkkkO0000Okkkkkkxdo;.             |
+|         'd00000000OOOOOOkkkkkkkkkkkkkkkkkOkOO00Okkkkkkkkkkko,                |
+|           .oO00000OOOOOkkkkkkkkkkkkkkkkkkOOOOkOOkkkkkkkkko'                  |
+|             .;xO0OOOOOOkkkkkkkkkkkkkkkkkkkkkOkkkkkkkkd:.                     |
+|                .lxOOOOkkkkkkkkkkkkkkkkkkkxxxkkkkkd:'                         |
+|                   .;okkkkkkkkxxkkdxxddxdxdolc;'..                            |
+|                       ...',;::::::;;,'...                                    |
+|                                                                              |
+|                            MUCH SAD?                                         |
+|                      1337 DOGE = 1337 DOGE                                   |
+|                DKaHBkfEJKef6r3L1SmouZZcxgkDPPgAoE                            |
+|              SUCH EMAIL shibegoodboi@protonmail.com                          |
++------------------------------------------------------------------------------+
+```
+
+The description mentions that dogecoin is involved, and the hash `DKaHBkfEJKef6r3L1SmouZZcxgkDPPgAoE` is likely related to that. Therefore, our first order of business is to check that lead out. Not being an expert, that dead-ends [here](https://dogechain.info/address/DKaHBkfEJKef6r3L1SmouZZcxgkDPPgAoE). Next, let’s look into that email.
+
+After some searching, I did a [namechk](https://github.com/lyellread/ctf-writeups/blob/master/2021-crowdstrike-adversary/catapult-spider/much-sad/namechk.com) search for `shibegoodboi`, which indicated that the twitter account `@shibegoodboi` is in use. Looking towards [that account](https://twitter.com/shibegoodboi), we see a new blockchain address or hash of some sort (`D7sUiD5j5SzeSdsAe2DQYWQgkyMUfNpV2v`) and a github account for “shibefan” ([https://github.com/shibefan](https://github.com/shibefan)). That account has the saying “1 DOGE = 1 DOGE” and “shibegoodboi” so we are on the right track, and gives us another blockchain hash of some sort: `D6hRwJbGPxmXGWYfZ7t6S8MRkB7XrBJsLL`.
+
+The first project listed on that github account is [a website](https://github.com/shibefan/shibefan.github.io), which contains an index.html file that contains our flag:
+
+```
+CS{shibe_good_boi_doge_to_the_moon}
+```
+
+~ Lyell

content/blog/cyberforce-competition-2022.md

@@ -0,0 +1,18 @@
+---
+title: "Cyberforce Competition 2022"
+author: "Casey Colley"
+date: 2022-11-08T00:00:00-07:00
+categories: ['Club News']
+tags: []
+caption: "Members of OSUSEC’s CDC Team and chaperone Emily Longman"
+
+draft: false
+---
+
+This past weekend, OSUSEC’s Cyberdefense Competition team flew out to Chicago, IL to compete in the Department of Energy’s Cyberforce Competition! We were tasked with securing and administering a network of 6 virtual machines, then defending it against a team of hackers. Cyberforce also tests students’ abilities to budget their time and respond to miscellaneous requests from managers relating to the NIST framework for cybersecurity. We brought home 10th place out of 169 teams, and placed 1st place for team style 😎
+
+This year, we were also able to play in the Department of Energy’s CTF game “Conquer the Hill: Reign” on-site. The game is super fun and very well done. We had a blast.
+
+The team consisted of Mike Carris, Sean Mack, Julie Weber, Otso Barron, Gabriel Kulp, and Casey Colley, and was chaperoned by Emily Longman.
+
+Many thanks to Department of Energy, the Argonne National Laboratory, and especially Amanda Theel for all their endless hard work to put on Cyberforce every year, we really enjoy and appreciate it!

content/blog/doe-cyberforce-competition-2021.md

@@ -0,0 +1,29 @@
+---
+title: "DOE Cyberforce Competition 2021"
+author: "Lyell Read"
+date: 2021-11-21T00:00:00-07:00
+categories: ['Club News']
+tags: ['cyberforce']
+caption: "Cyberforce Competition logo"
+
+draft: false
+---
+
+On Nov. 13, 2021, the OSUSEC Cyber Defense Competition (CDC) Team placed 1st place regionally and 7th nationwide in the Department of Energy’s annual Cyberforce Competition ([https://cyberforcecompetition.com/](https://cyberforcecompetition.com/)) out of the 135 teams registered for the competition.
+
+The team roster was:
+
+- Casey Colley (Captain)
+- Mike Carris
+- Robert Detjens
+- Brandon Ellis
+- Huy Nguyen
+- Lyell Read
+
+The final scoreboard was as follows, if a link to an official final scoreboard is made available, I will link it here. 
+
+![Screenshot of the scoreboard, showing Oregon State University in 7th place](/static/blog/doe-cyberforce-competition-2021-scoreboard.png)
+
+We look forward to returning next year, even better prepared for the new competition format!
+
+Well done team!! 

content/blog/meeting-notes-1-12.md

@@ -0,0 +1,16 @@
+---
+title: "Meeting Notes 1/12"
+author: "Lyell Read"
+date: 2022-01-12T00:00:00-07:00
+categories: ['Meeting Notes']
+tags: []
+caption: ""
+
+draft: false
+---
+
+Thank you to everyone who attended! This meeting covered the solutions to all NSA Codebreaker 2021 Tasks. I hope everyone enjoyed, questions can always be tossed into the `#nsacc-21` channel.
+
+Here are the slides (requires ONID login): [Google Slides for 1/12/2021](https://docs.google.com/presentation/d/10GhgcgS0sxLY6MwnYGzMLmeJy28oujCk2oxR2RcJt_A/edit?usp=sharing)
+
+The next meeting this week is for **CTF League on Friday 1/14/2021 @ 6:00pm – 8:00pm, virtually** (on Discord).

content/blog/meeting-notes-1-19.md

@@ -0,0 +1,16 @@
+---
+title: "Meeting Notes 1/19"
+author: "Lyell Read"
+date: 2022-01-19T00:00:00-07:00
+categories: ['Meeting Notes']
+tags: []
+caption: ""
+
+draft: false
+---
+
+Thank you to everyone who attended! This meeting covered a presentation called “CS271 for Pwning”, an introduction to assembly and shellcoding with a focus on the useful aspects to pwning / binary exploitation.
+
+Here are the slides (requires ONID login): [Google Slides for 1/19/2021](https://docs.google.com/presentation/d/1oKhRvxC4GU6rgEbQ3mqgAbZDw5V3vboRRaBOBzZhr3g/edit?usp=sharing)
+
+The next meeting this week is for **CTF League on Friday 1/21/2021 @ 6:00pm – 8:00pm, virtually** (on Discord).