CSAW 2015 CTF: Forensic 100 Keep Calm and CTF

My friend sends me pictures before every ctf. He told me this one was special.

Note: this flag doesn’t follow the “flag{}” format


I ran exiftool against the img.jpg. Alternatively I could have probably just ran strings on the image. But this gives me a much better format.

Flag = h1d1ng_in_4lm0st_pla1n_sigh7

CSAW 2015 CTF Forensic 100: Flash

We were able to grab an image of a harddrive. Find out what’s on it.


This one was pretty easy, just ran strings on the file and grep for flag. And low and behold last line has the flag.

Flag = flag{b3l0w_th3_r4dar}

Cool 100 points please.

CSAW 2015 CTF CRYPTO: 50 zer0-day


50 points


cat the file and then decode the base64

python -c “import base64; print base64.b64decode(‘b64string’)”

Flag = flag{We are fsociety, we are finally free, we are finally awake!}

50 points plz!

CSAW 2015 CTF Crypto: 50 ones_and_zer0es


50 points


Convert binary to ascii

A little type-o in the flag but sure enough

Flag = flag{People always make the best exploits.}

Loving the MR Robot references in this CTF. 50 points and on to the next one…

CSAW 2015 CTF Recon 100

The NYUPoly CTF was October 18-20 and was a lot of fun to play. For more info on the CTF check out https://ctf.isis.poly.edu Also check out https://ctftime.org/ for the schedule of all upcoming events.

Recon 100 points

Alexander Taylor Go here http://fuzyll.com/csaw2015/start Get this CSAW 2015 FUZYLL RECON PART 1 OF ?: Oh, good, you can use HTTP! The next part is at /csaw2015/<the acronym for my university's hacking club>.

Stalking a bit

Then go here

http://fuzyll.com/csaw2015/wcsc CSAW 2015 FUZYLL RECON PART 2 OF ?: TmljZSB3b3JrISBUaGUgbmV4dCBwYXJ0IGlzIGF0IC9jc2F3MjAxNS88bXkgc3VwZXIgc21hc2ggYnJvdGhlcnMgbWFpbj4uCg==

Google search for: fuzyll super smash brothers


I felt I was waisting too much tim eon this and was almost ready to give up when I thought of old crypto, and tried enigma.

I entered http://fuzyll.com/csaw2015/enigma And It returned this…

My first reaction was derp.

So I opened the console and entered the following…


CSAW 2015 FUZYLL RECON PART 5 OF 5: Congratulations! Here's your flag{I_S3ARCH3D_HI6H_4ND_L0W_4ND_4LL_I_F0UND_W4S_TH1S_L0USY_FL4G}!

Flag = flag{I_S3ARCH3D_HI6H_4ND_L0W_4ND_4LL_I_F0UND_W4S_TH1S_L0USY_FL4G}

job done 100 points please. I had a lot of fun with this recon challenge, it required a lot of different items to be linked together to solve.

Pure PWNAGE for less than $120.00!



So I’ve been reading and hearing a lot about the Pwn Pad by Pwnie Express.  Security Weekly  dubs this “The lean mean pentesting machine.” Ok seems pretty decent thing to say about a tablet but I didn’t exactly want to go out and spend around $1000 dollars for the device. So I decided to download the Pwnie Express Community Edition, which comes with no support from Pwnie Express. They do however provide some pretty detailed instructions on how to install it on a Nexus 7.

All hardware was available on the Pwnie Express site but I was able to save even more by heading over to Newegg.

As I meantioned earlier Pwnie Express provides some pretty decent instructions on how to install their software. However their instructions are only for Ubuntu, and I am running OSX 10.10.3.

Ok after downloading the software I started the install.  Also for this example I am using the following version. Pwn Pad 2013 (using the Nexus 7 2012 or 2013 tablet)

First I start by verifying the install since it did come from source forge and all. 😐

In the Pwnie docs they mention apt-get installing adb.

But I am running OSX. So I did a brew search. Found fb-adb Seeing it was from Facebook made me feel a little warm and fuzzy.


So I installed it


Then after just blindly running  adb I was greeted with the following message.


So I run the update, also clicked my life away to the Android SDK in their EULA.

Next lets tar out the image files.


NOTE: Connect Nexus 7 to host machine now.

After that cd into the pwnie_img directory and run the following.

After that a ton of interesting things start happening. I clearly chose option 2 because I am not running Ubuntu.

I am running the 32 GB Wifi only Nexus 7


Oh cool it did a thing! Wait it says Pwn Pad 2014?! WTF. I know I downloaded the right version


I went and checked the MD5 that I saw earlier back on their page. Ok so I definitely have the right file. Just some inconsistency I guess, NBD.


Its pretty important to read what is going on, on the screen. To boot into fastboot mode, hold down power and volume. (Yep I had to do it twice ;-))

Press enter and let it do its thing.


This took a little while maybe about 15 -20 minutes or so. This was taking the image and pushing it over to the Nexus 7.

I got a little confused from this point because it was just sitting there, and also had that message a few lines up, that says do not interrupt the process …

It just sat there and waited. Then I clicked reboot. It then said that I had no operating system installed. So I clicked restore and then clicked the image I had pushed to it, and then restored that.


After that it restored the image onto the Nexus 7. This took about 10 minutes.


After the last reboot I was greeted with this screen.


I’ve only been using this for about a half a day, but so far its pretty fun. I can imagine how useful this would be on a pentest. Thanks Pwnie Express for releasing the community edition software. Thanks for reading!

This is what happens when you rely on data scraped from the output.


I am testing out the latest version of Google Apps Manager 3.42 for my personal Google Apps domain. Currently the version I have been running is 3.04. Which was working just fine for what I was doing with it. But since Google changed a lot of what the admin panel can report I figured I would check it out. I built some tools in the past to do some basic google admining from the command line.  Read about them HERE. Every one of the tools that I put together works just fine. However, the remove user from groups script always changes. This is what happens when you rely on data scraped from the output.

I would run a script userinfo.sh to get the following data. Below is the differences of the output:

Output from version 3.04:

Output from version 3.42:

Previously I would have used something like this to print out the group addresses that the user belonged to.

Using GAM Version 3.04 I would have done the following; The first sed command would remove everything up until the word “Groups” Then the grep –v would have actually omitted “Groups:” from being shown. Then the final sed section would have removed the first word and angle brackets around the groups email address. Here is an example of what I was hoping would come back.

Instead, I tried running that same thing on the latest version of GAM but found much different results.

The actual output from running the userinfo.sh script little different than the older one. So that is why this current script doesn’t work. With this script it only left us with the 4 coms and the last two lines (Which were new.) So a little googling for syntax and playing around on my command line I was able to come up with this.

Again the first sed would work just like the last part. It would remove all data up until the word “Groups:”. Since the number next to Groups would always be different I just used “sed 1d” to remove the first line. From there I did a grep for extended regex and invert match. Then removed the licenses and Google-Apps from the bottom of the list. Then removed the <> from the group email addresses. Then finally printed only the second column using awk. It’s a little hacky for sure, but should always work unless they update the output 😉

Here is the latest full script that I am using to remove groups from a user account. This will also log to the current directory that the script is being ran from in the gamlog file.


Thanks for checking this out. I will be posting some more about Google Apps Manager 3.42 soon!


%d bloggers like this: