Quick and dirty

I am going to try and get a few more posts out soon. Tagging them as Quick and dirty.

One example:
Want to list out all users crontab on OSX?


This will get all the accounts on the system, including the internal accounts. See ya next time.

ALEXCTF TR4: Doesn’t our logo look cool?

This was the logo in question..


This was in the second wave of challenges, so I saw it towards the end. I found it really easy. But for some reason wanted to make this difficult on myself. I noticed that most of the characters were special characters. There were a handful of actual letters in there too. What do you know, a curly brace or two also. 🙂

I wrote this script.

Ran it here…

It sure does… Anyway another fun challenge.

AlexCTF CR1: Ultracoded 50 points

CR1: Ultracoded.

Fady didn’t understand well the difference between encryption and encoding, so instead of encrypting some secret message to pass to his friend, he encoded it!
Hint: Fady’s encoding doesn’t handle any special character

They provide you a file called zero_one.

Welp I imagine this is going to be a game of .replace('ZERO','0').replace('ONE','1')

Sure enough, after I convert that to binary and convert that to ASCII, it returns base64. OK, OK, easy: output.decode('base64') and that's it, right? WRONG, it returns Morse code. I was about 95% done writing a Python dictionary for this, then decided to pip install morse-talk.

That returned ALEXCTFTH15O1SO5UP3RO5ECR3TOTXT. Hmm, something something special characters. A little replace('O', '_') and we're good to go, right? Pretty much. Except no curly brackets.

Here is a silly script I wrote for this challenge. (Sure, I could have run all of this through a web page to do it for me. But what's the fun in that, right? Right?)

After running that you would get the following output.

That was fun thanks ALEXCTF!
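The decode chain described in this post, layer by layer, as an added example (not the script from the original post). It uses a small built-in Morse table instead of morse-talk; `encode()` is a hypothetical helper that only exists to construct the sample input from the string reported above, since the challenge file itself is not on this page.

```python
import base64

# International Morse code for A-Z and 0-9 (no punctuation, as in the hint).
LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
CODES = (".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. "
         "--.- .-. ... - ..- ...- .-- -..- -.-- --.. ----- .---- ..--- ...-- "
         "....- ..... -.... --... ---.. ----.").split()
FROM_MORSE = dict(zip(CODES, LETTERS))
TO_MORSE = dict(zip(LETTERS, CODES))


def words_to_bytes(text):
    """ZERO/ONE words -> bit string -> bytes (8 bits per character)."""
    bits = "".join(text.replace("ZERO", "0").replace("ONE", "1").split())
    if set(bits) - {"0", "1"} or len(bits) % 8:
        raise ValueError("input is not a whole number of ZERO/ONE octets")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def decode(text):
    """Undo each layer in turn: words -> ASCII -> base64 -> Morse -> text."""
    b64 = words_to_bytes(text)
    morse = base64.b64decode(b64, validate=True).decode("ascii")
    plain = "".join(FROM_MORSE[sym] for sym in morse.split())
    # The encoder has no symbol for "_", so the letter O stands in for it.
    return plain.replace("O", "_")


def encode(plain):
    """Hypothetical inverse, used only to construct the sample input."""
    morse = " ".join(TO_MORSE[ch] for ch in plain.replace("_", "O"))
    b64 = base64.b64encode(morse.encode("ascii")).decode("ascii")
    bits = "".join(f"{ord(ch):08b}" for ch in b64)
    return " ".join("ONE" if b == "1" else "ZERO" for b in bits)


# Constructed sample: the string the post reports, re-encoded by encode().
SAMPLE = encode("ALEXCTFTH15O1SO5UP3RO5ECR3TOTXT")

if __name__ == "__main__":
    print(decode(SAMPLE))
```

None of these layers needs a key, which is the point of the challenge text: every step is reversible by anyone who recognises the format.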

MAC Address Lookup

Hey everyone! I haven’t forgotten about this place. Here is a quick little function I wrote up for another project. I thought it might be interesting to some.

This function will do a hardware lookup using a system's MAC address.

Other useful info: I am only asking for the org value in my script, but you can get more granular too. If you remove .org from oui.registration().org you get the following output.

The try block will catch the case where the MAC address is not registered and just return the associated error.

Anyway thanks for stopping by!

CSAW 2015 CTF: Forensic 100 Keep Calm and CTF

My friend sends me pictures before every ctf. He told me this one was special.

Note: this flag doesn’t follow the “flag{}” format


I ran exiftool against the img.jpg. Alternatively I could have probably just run strings on the image. But this gives me a much better format.

Flag = h1d1ng_in_4lm0st_pla1n_sigh7

CSAW 2015 CTF Forensic 100: Flash

We were able to grab an image of a harddrive. Find out what’s on it.


This one was pretty easy, just ran strings on the file and grepped for flag. And lo and behold, the last line has the flag.

Flag = flag{b3l0w_th3_r4dar}

Cool 100 points please.

CSAW 2015 CTF CRYPTO: 50 zer0-day


50 points


cat the file and then decode the base64

python -c "import base64; print(base64.b64decode('b64string'))"

Flag = flag{We are fsociety, we are finally free, we are finally awake!}

50 points plz!

CSAW 2015 CTF Crypto: 50 ones_and_zer0es


50 points


Convert binary to ascii

A little typo in the flag but sure enough

Flag = flag{People always make the best exploits.}

Loving the MR Robot references in this CTF. 50 points and on to the next one…

CSAW 2015 CTF Recon 100

The NYUPoly CTF was October 18-20 and was a lot of fun to play. For more info on the CTF check out https://ctf.isis.poly.edu. Also check out https://ctftime.org/ for the schedule of all upcoming events.

Recon 100 points

Alexander Taylor

Go here: http://fuzyll.com/csaw2015/start

Get this:

CSAW 2015 FUZYLL RECON PART 1 OF ?: Oh, good, you can use HTTP! The next part is at /csaw2015/<the acronym for my university's hacking club>.

Stalking a bit

Then go here

http://fuzyll.com/csaw2015/wcsc

CSAW 2015 FUZYLL RECON PART 2 OF ?: TmljZSB3b3JrISBUaGUgbmV4dCBwYXJ0IGlzIGF0IC9jc2F3MjAxNS88bXkgc3VwZXIgc21hc2ggYnJvdGhlcnMgbWFpbj4uCg==

Google search for: fuzyll super smash brothers


I felt I was wasting too much time on this and was almost ready to give up when I thought of old crypto, and tried enigma.

I entered http://fuzyll.com/csaw2015/enigma and it returned this…

My first reaction was derp.

So I opened the console and entered the following…


CSAW 2015 FUZYLL RECON PART 5 OF 5: Congratulations! Here's your flag{I_S3ARCH3D_HI6H_4ND_L0W_4ND_4LL_I_F0UND_W4S_TH1S_L0USY_FL4G}!

Flag = flag{I_S3ARCH3D_HI6H_4ND_L0W_4ND_4LL_I_F0UND_W4S_TH1S_L0USY_FL4G}

Job done, 100 points please. I had a lot of fun with this recon challenge; it required a lot of different items to be linked together to solve.

Pure PWNAGE for less than $120.00!



So I’ve been reading and hearing a lot about the Pwn Pad by Pwnie Express. Security Weekly dubs this “The lean mean pentesting machine.” OK, seems a pretty decent thing to say about a tablet, but I didn’t exactly want to go out and spend around $1000 for the device. So I decided to download the Pwnie Express Community Edition, which comes with no support from Pwnie Express. They do however provide some pretty detailed instructions on how to install it on a Nexus 7.

All hardware was available on the Pwnie Express site but I was able to save even more by heading over to Newegg.

As I mentioned earlier, Pwnie Express provides some pretty decent instructions on how to install their software. However their instructions are only for Ubuntu, and I am running OSX 10.10.3.

OK, after downloading the software I started the install. Also for this example I am using the following version: Pwn Pad 2013 (using the Nexus 7 2012 or 2013 tablet).

First I start by verifying the download, since it did come from SourceForge and all. 😐

In the Pwnie docs they mention apt-get installing adb.

But I am running OSX. So I did a brew search. Found fb-adb. Seeing it was from Facebook made me feel a little warm and fuzzy.


So I installed it


Then after just blindly running adb I was greeted with the following message.


So I ran the update, and also clicked my life away to the Android SDK in their EULA.

Next let's tar out the image files.


NOTE: Connect Nexus 7 to host machine now.

After that cd into the pwnie_img directory and run the following.

After that a ton of interesting things start happening. I clearly chose option 2 because I am not running Ubuntu.

I am running the 32 GB Wifi only Nexus 7


Oh cool, it did a thing! Wait, it says Pwn Pad 2014?! WTF. I know I downloaded the right version.


I went and checked the MD5 that I saw earlier back on their page. Ok so I definitely have the right file. Just some inconsistency I guess, NBD.


It's pretty important to read what is going on, on the screen. To boot into fastboot mode, hold down power and volume. (Yep I had to do it twice ;-))

Press enter and let it do its thing.


This took a little while, maybe about 15-20 minutes or so. This was taking the image and pushing it over to the Nexus 7.

I got a little confused from this point because it was just sitting there, and also had that message a few lines up, that says do not interrupt the process …

It just sat there and waited. Then I clicked reboot. It then said that I had no operating system installed. So I clicked restore and then clicked the image I had pushed to it, and then restored that.


After that it restored the image onto the Nexus 7. This took about 10 minutes.


After the last reboot I was greeted with this screen.


I’ve only been using this for about half a day, but so far it's pretty fun. I can imagine how useful this would be on a pentest. Thanks Pwnie Express for releasing the community edition software. Thanks for reading!