I had the opportunity to make a couple of challenges for the https://derpcon.io/ CTF. I had fun making the challenges, so I figured I would drop some quick notes here about how I would have gone about solving them.
A big thank you to all the DERP organizers for a great virtual conference in this interesting time.
Challenge 1 was a beginner challenge that started at https://www.randori.com/
While this challenge is relatively simple, it does demonstrate a common workflow and introduces some useful utilities.
First things first, I like to figure out what I am working with. Let’s take a look at the source code for the page: right click -> View Page Source.
Something I see regularly in source code is comments that point me to something interesting about an app. Here we find a hint about the image.
HTML Source Code
To the terminal we go! Grab the image and take a look. Here we use wget to download the file.
Download the file
With the file in hand we can use the file utility to discover what type of file this is. (file file file)
Using the file command
Nothing super unusual there. The file we downloaded has a .png extension and appears to be a PNG file. Next we should check whether there are any interesting strings in the file. For this we use the … you guessed it, strings command. I like to start with -8, which will only show strings that are 8 characters or longer.
Using the strings command
That last string looks like base64 … Luckily there are more commands that help us. I’m going to run strings again, grab the last line of output, then pass that output to the base64 utility.
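The strings-to-base64 step above, written out as an added example (not code from the original post). It goes a little beyond grabbing the last line: every string of 8 or more characters is tested as base64 and printed if it decodes to readable text. The sample file and its flag are constructed here, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data below is constructed.

# Printable runs of 8+ characters, as `strings -8` prints them.
long_strings() {
  if command -v strings >/dev/null 2>&1; then
    strings -n 8 "$1"
  else
    # Fallback when binutils is not installed
    LC_ALL=C grep -aoE '[[:print:]]{8,}' "$1"
  fi
}

# Print "encoded -> decoded" for every string that is well-formed base64
# and decodes to printable text.
find_base64() {
  b64='^([A-Za-z0-9+/]{4})+([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$'
  long_strings "$1" | while IFS= read -r s; do
    printf '%s\n' "$s" | grep -qE "$b64" || continue
    decoded=$(printf '%s' "$s" | base64 -d 2>/dev/null) || continue
    [ -n "$decoded" ] || continue
    # Skip candidates that decode to binary noise
    printf '%s' "$decoded" | LC_ALL=C grep -q '[^[:print:][:space:]]' && continue
    printf '%s -> %s\n' "$s" "$decoded"
  done
}

# Build a constructed stand-in for the challenge image: PNG signature,
# a text comment, an IEND marker, then base64 data appended at the end.
make_sample() {
  {
    printf '\211PNG\r\n\032\n'
    printf 'tEXtComment\000constructed sample, not the real image\000'
    printf 'IEND\256B`\202'
    printf 'flag{constructed_example}' | base64
  } > "$1"
}

# Demo on the constructed sample
sample=$(mktemp)
make_sample "$sample"
find_base64 "$sample"
rm -f "$sample"
```

On the constructed sample the comment strings are rejected by the base64 shape check, so only the appended string is decoded.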
And that wraps it up. For sure this is a classic beginner CTF challenge: it introduces some fundamental tools and has (hopefully) just enough hints to keep a beginner interested.
The next challenge was a bit more interesting; stay tuned for derpcon challenge 2.
PS. If you played in the CTF let me know what these challenges wound up being called.
Challenge was called “Something Derpy” thanks to @Zzyzzx
Here is the challenge image:
Originally posted on blog.syndrowm.com