Added nuitduhack2014 writeups

Author: jakemask

_posts/2014-04-07-backdoor-2014-writeups.md

@@ -75,7 +75,7 @@ paranoid.
 
 
 
-<h2>Web 10</h2>
+<h3>Web 10</h3>
 
 <pre><code>[andrew@archa ~]$ curl -v http://backdoor.cognizance.org.in/problems/web10/
 * Hostname was NOT found in DNS cache
@@ -100,7 +100,7 @@ paranoid.
 
 <p>Do you spot the flag?</p>
 
-<h2>Web 30</h2>
+<h3>Web 30</h3>
 
 <pre><code>[andrew@archa ~]$ curl http://backdoor.cognizance.org.in/problems/web30/ -D - -o /dev/null 
 Date: Sun, 23 Mar 2014 02:05:23 GMT
@@ -124,7 +124,7 @@ Sorry , you will never get a flag in your life :P  Not authorized
 Here is a flag : aeba37a3aaffc93567a61d9a67466fdf
 </code></pre>
 
-<h2>Web 50</h2>
+<h3>Web 50</h3>
 
 <p>The PHP script appears to be running a SQL query of the form <code>SELECT FROM QUOTES WHERE quote LIKE '$search';</code></p>
 
@@ -169,7 +169,7 @@ Table: the_flag_is_over_here
 </code></pre>
 
 
-<h2>Web 100-1</h2>
+<h3>Web 100-1</h3>
 
 <p>The server has to retrieve the picture in order to rate it, right? Does it do anything else? Let's listen on port 80 on any server:</p>
 
@@ -194,14 +194,14 @@ Table: the_flag_is_over_here
    &lt;title&gt;Super Secret Page&lt;/title&gt;
    &lt;/head&gt;
    &lt;body&gt;
-     &lt;h2&gt;Super secret page&lt;/h2&gt;
+     &lt;h3&gt;Super secret page&lt;/h3&gt;
  &lt;p&gt;This is a dangerous place. You shouldn't be lurking here. Click &lt;a id="./submit.php"&gt;here&lt;/a&gt; to go back.&lt;/p&gt;
  &lt;!-- By the way, the flag is f556b9a48a3ee914f291f9b98645cb02 --&gt;
    &lt;/body&gt;
  &lt;/html&gt;
 </code></pre>
 
-<h2>Web 300</h2>
+<h3>Web 300</h3>
 
 <p>This problem gives you an interface to check whether a user has registered <a href="http://backdoor.cognizance.org.in/problems/web300/status.php">here</a>. </p>
 
@@ -305,7 +305,7 @@ Table: the_elusive_flag
 </code></pre>
 
 
-<h2>Misc 250-2</h2>
+<h3>Misc 250-2</h3>
 
 <blockquote>
   <p>Username and password based login seemed a bit too monotonous. We developed an

nuitduhack2014/writeups.md renamed to _posts/2014-04-07-nuit-du-hack-2014-writeups.md

@@ -1,11 +1,13 @@
-<link rel='stylesheet' href='markdown8.css'/>
+---
+layout: post
+title: "Nuit Du Hack Quals 2014 Writeups"
+description: ""
+category: writeups
+tags: [nuitduhack2014]
+---
+<!--{% include JB/setup %}-->
 
-Nuit Du Hack Quals 2014 Writeups
-================================
-<a id="carbonara"></a>
-
-Carbonara
----------
+### Carbonara
 
 We're provided the following cryptic string:
 
@@ -40,9 +42,7 @@ No need to reverse-engineer this; we can simply use it in the javascript console
     tncms.unscramble('%96 7=28 7@C E9:D 492= :D iQx>A6C2E@C xF=:FD r26D2C s:GFDQ]')
     "The flag for this chal is :"Imperator Iulius Caesar Divus"."
 
-<a id="onionrings"></a>
-Onion Rings
------------
+### Onion Rings
 
 The hidden service accepts a profile picture upload, and includes the option to load from a non-TOR URL. So, we can ask it to load from our server, and capture the IP of the requestor. 
 
@@ -52,10 +52,7 @@ The server's IP was 212.83.153.197. Visiting [http://212.83.153.197/](http://212
 
     The flag.. It is '0hSh1t1r4n0ut0fn00dl35'
 
-<a id="windowsforensics"></a>
-
-Windows Forensics
------------------
+### Windows Forensics
 
 We are given a 400MB Windows pagefile. A few initial attempts along the lines of `strings pagefile.sys | grep flag` turned up quite a lot of results, but no interesting ones. Noticing several Chrome-related strings, we searched the file for URLs. Still, we found nothing interesting. 
 
@@ -88,20 +85,17 @@ Then, ran page_brute on pagefile.sys and reviewed the results using `strings -el
 
 Neither the password nor either of the two hex strings were the flag, so we tried concatenating the two hex strings. `04c0f778e6dd6c0a025e48c9f5f22f87` was the flag. The lowercase flag format gave us a hint for Here Kitty Kitty.
 
-<a id="herekittykitty"></a>
-Here Kitty Kitty
-----------------
+### Here Kitty Kitty
 
 In lieu of a writeup, we offer the following two images, and leave the solution as an exercise to the reader:
 
-![waveform](kitty-waveform.png)
+![waveform](/assets/images/nuitduhack2014/kitty-waveform.png)
 
-![morse code](morse.png)
+![morse code](/assets/images/nuitduhack2014/morse.png)
 
 Unfortunately, `5BC925649CB0188F52E617D70929191C` was not accepted. We tried HashCat dictionary and bruteforce attacks without success. After solving Windows Forensics, we tried submitting as lowercase, which was successful. Case-sensitivity isn't fun!
 
-BigMomma
---------
+### BigMomma
 
 Though we had the server binary, and briefly attempted to reverse it, we were able to identify how it worked by playing around with it for a few minutes.
 
@@ -147,4 +141,3 @@ Though a script ultimately would have been a better idea, we figured at this poi
     4dM1N15TR4T0R
     Username correct, what is the password?THEpasswordISreallyLONGbutYOUllGETtoTHEendOFitEVENTUALLY
     Well done! Here is the flag: YoMamaIsLikeHTML,SmallHeadAndHugeBody
-