Mar 10, 2014

Download the file and try command 'string' on it
#file Forensics-6.png
....
....
1b|.
ya3 S
yr1bz
0bl0BchUnk    Flag :8bfe6a66710d9652e7fb10f19a75dd8e
%tEXtdate:create
2013-10-19T06:47:30+02:00
%tEXtdate:modify
2013-10-19T06:47:30+02:00
tEXtjpeg:colorspace
2,uU
 tEXtjpeg:sampling-factor
2x2,1x1,1x1I
KtEXtxapMM:DocumentID
adobe:docid:photoshop:6baf7f6c-0033-11da-9596-894fe830229dF
IEND

you got the flag 8bfe6a66710d9652e7fb10f19a75dd8e.
Download the file, extract it, check the file details using the 'file'  command
#file four
four: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x899a337216c40966fb57583c9ff45fcac0384cbb, not stripped

It says 'not stripped' so let's try 'strings' command but it won't give out any flag.
Let's try to execute it from terminal
#./four
Usage: ./four 

#./four abcd
Sorry no flag for you

So our next option is to de-compile it. I used IDA. The assembly code of the main function gives as few clues on how to crack it.
 public main
.text:0804856C main proc near                      ; DATA XREF: _start+17 o
.text:0804856C
.text:0804856C arg_0= dword ptr  8
.text:0804856C arg_4= dword ptr  0Ch
.text:0804856C
.text:0804856C push    ebp
.text:0804856D mov     ebp, esp
.text:0804856F and     esp, 0FFFFFFF0h
.text:08048572 sub     esp, 10h
.text:08048575 cmp     [ebp+arg_0], 2
.text:08048579 jz      short loc_8048597
.text:0804857B mov     eax, [ebp+arg_4]
.text:0804857E mov     eax, [eax]
.text:08048580 mov     [esp+4], eax
.text:08048584 mov     dword ptr [esp], offset format ; "Usage: %s \n"
.text:0804858B call    _printf
.text:08048590 mov     eax, 1
.text:08048595 jmp     short locret_80485C8
.text:08048597 ; --------------------------------------------------------
.text:08048597
.text:08048597 loc_8048597:                          ; CODE XREF: main+D j
.text:08048597 mov     eax, [ebp+arg_4]
.text:0804859A add     eax, 4
.text:0804859D mov     eax, [eax]
.text:0804859F mov     [esp], eax
.text:080485A2 call    check_key
.text:080485A7 test    eax, eax
.text:080485A9 jnz     short loc_80485B7
.text:080485AB call    display_result
.text:080485B0 mov     eax, 0
.text:080485B5 jmp     short locret_80485C8
.text:080485B7 ; ----------------------------------------------------------
.text:080485B7
.text:080485B7 loc_80485B7:                          ; CODE XREF: main+3D j
.text:080485B7 mov     dword ptr [esp], offset s ; "Sorry no flag for you"
.text:080485BE call    _puts
.text:080485C3 mov     eax, 2
.text:080485C8
.text:080485C8 locret_80485C8:                       ; CODE XREF: main+29 j
.text:080485C8                                       ; main+49 j
.text:080485C8 leave
.text:080485C9 retn
.text:080485C9 main endp
.text:080485C9


We can see that there are call to few functions like 'check_key' and 'display_result'. 'check_key' is called before 'display_result'. So we can make a wild guess like the input what we enter will be validated using the 'check_key' function and if it's correct then 'display_result' will be executed and will give out the key.
So we have to get our execution to  'display_result' function but before that there is a 'JNZ' statement. It may be this line that will decide based on the result from 'check_key' whether 'display_result' must run or not. 
Now while debugging when we reach the JNZ statement set the Zero flag to 1 so that that jump will not happen 'display_result'  will get executed. 
Luckily our guess is right and we got the file

Download the file, extract it and check the file details using the command 'file'.
#file three
three: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xdcc8c235853a156ab338ea9833f4a20a713d72a8, not stripped

So it says the file is not stripped then let's try to find out the readable string in the binary using the command 'strings'
#strings three

/lib64/ld-linux-x86-64.so.2
libc.so.6
puts
printf
strcmp
__libc_start_main
__gmon_start__
GLIBC_2.2.5
UH-P
UH-P
l$ L
t$(L
|$0H
Usage: %s 
reversing_is_super_fun
Yaay! Now submit md5 of key for points
Wrong key! Look for key again!
;*3$"

The text 'reversing_is_super_fun' looks like a flag so let's find the md5 of that text and submit it....yeah it works..
Download the file and extract it.
Check the file details using the command 'file'
#file two
two: compiled Java class data, version 51.0
Executing it won't help and so we will move on to de-compile it. I used an online decompiler available in this link
Upload the class file, decompile it and download the source, it will look like this.

import java.io.*;  
 public class challenge {  
 public challenge() { }   
public static void main(string args[]) throws ioexception 
{ 
byte abyte[] = 
{ byte.valueOf((byte)106), byte.valueOf((byte)97), byte.valueOf((byte)50), byte.valueOf((byte)37), byte.valueOf((byte)36), byte.valueOf((byte)103), byte.valueOf((byte)94), byte.valueOf((byte)115), byte.valueOf((byte)94), byte.valueOf((byte)92), byte.valueOf((byte)96), byte.valueOf((byte)101), byte.valueOf((byte)94), byte.valueOf((byte)105), byte.valueOf((byte)105), byte.valueOf((byte)98), byte.valueOf((byte)107), byte.valueOf((byte)100), byte.valueOf((byte)98), byte.valueOf((byte)112), byte.valueOf((byte)92), byte.valueOf((byte)94), byte.valueOf((byte)111), byte.valueOf((byte)98), byte.valueOf((byte)92), byte.valueOf((byte)112), byte.valueOf((byte)113), byte.valueOf((byte)102), byte.valueOf((byte)105), byte.valueOf((byte)105), byte.valueOf((byte)92), byte.valueOf((byte)98), byte.valueOf((byte)94), byte.valueOf((byte)112), byte.valueOf((byte)118), byte.valueOf((byte)36), byte.valueOf((byte)38) 
}; 
string s = "";
 byte abyte1[] = abyte;
 int i = abyte1.length;
 for(int j = 0; j < i; j++) 
{
 byte byte0 = abyte1[j].byteValue(); s = (new StringBuilder()).append(s).append((char)(byte0 + 3)).toString(); 
}  
 bufferedreader bufferedreader = new bufferedreader(new inputstreamreader(system.in));
 bufferedreader.readLine();
 system.exit(0);
 system.out.println(s); }
 }

For a quick look through in the code you can figure out that the key is stored in variable 's' and also before the statement that print out the variable 's' there is an 'exit' statement ' system.exit(0)'.
So remove that line and remove the ' bufferedreader.readLine()' also.
Compile the new code and execute it.
The output will be
md5('java_challenges_are_still_easy')
Find the md5 of the text and it will be the flag.
Download the file and extract it and we can see the file named 'one'

Check what kind of the file it is using the command 'file'
# file one
one: python 2.7 byte-compiled

Okie let's try executing it
# python one
 Gives no O/P just reads what you give as I/P and terminates.

So we have to look inside the compiled file for that we have to de-compile it. Download the tool uncompyle2[only for python2.7] and install it. Run uncomple2 on our file
#uncompyle2 one

# 2014.02.28 10:34:22 IST
#Embedded file name: one.py
eflag = [131, 138, 219, 198, 201, 158, 151, 154, 134, 129, 128, 177, 135, 157, 177, 157, 154, 135, 130, 130, 177, 141, 
 129,
 129,
 130,
 201,
 199]
flag = ''.join(map(chr, map(lambda x: x ^ 238, eflag)))
raw_input()
+++ okay decompyling one 
# decompiled 1 files: 1 okay, 0 failed, 0 verify failed
# 2014.02.28 10:34:22 IST

So they are doing some operation and getting the flag in variable 'flag'. Copy the code and modify it to output the flag, that is add the line print(flag) to the end before 'raw_input()'  and execute the new python code.
The output is
md5('python_is_still_cool')
Find the md5 and it's the flag.
Task
A login from is there, with fields to enter 'username' and 'password', we have to login somehow.

Solution
First let's have a look at the source by clicking the link 'source'
<?php
include 'foo.php';
$user = $_POST['username'];
$pass = $_POST['password'];
if( !strcasecmp($user, "admin") && !strcasecmp($pass, $secret)) {
    echo"<h1>$flag</h1>";
}
else { 
    echo"<h1>No flag for n00bs..</h1>";
}
?>

So we can see the password is obliviously 'admin' but the password is stored in the variable '$secret' which must be in the file 'foo.php', which we have no way to figure out.

Next we option is we can look out for vulnerabilities in function 'strcasecmp()'. A quick googling will reveal that 'strcasecmp()' have a vulnerabiity that when we pass array to that function it return true.

Let's edit the source of the login page and pass array to 'strcasecmp()'. In login page change the below line using 'Firebug' in Firefox or 'Developers tool' in Chrome.
<input name="password" placeholder="Password" type="password">
to the below
<input name="password[]" placeholder="Password" type="password">

And now click login and you will get the flag{fb1186d3dfd25773d51964cf0d62d302}.