Introducing the QultoftheQuantumQapybaras

QultoftheQuantumQapybaras is a newly formed all female CTF team in the Portland, Oregon area. We are a sibling team of the older QultoftheQuantumQow. Both teams are based out of the nonprofit hackerspace PASCAL. To the best of our collective knowledge, we’re currently the only all female CTF team in the area. If there are others, please let us know.; we’d love some company.

DC Quals was the team’s first contest, and the first CTF ever for the majority of the team. There were six of us playing this round and we finished #119 out of 1262 teams, putting us in the top ten percent. I’m very proud of how well the team worked together.


Challenge prompt: “You know, we had this up and everything. Prepped nice HTML5, started deploying on a military-grade-secrets.dev subdomain, got the certificate, the whole shabang. Boss-man got moody and wanted another name, we set up the new names and all. Finally he got scared and unplugged the server. Can you believe it? Unplugged. Like that can keep it secret…”

It also came with a HINT file, containing the following string: ”Hint: these are HTTPS sites. Who is publicly and transparently logging the info you need? Just in case: all info is freely accessible, no subscriptions are necessary. The names cannot really be guessed. “

The Journey to the Flag

This write up is a combination of our collective notes during the solve. My teammates deserve at least as much credit as I do, especially as they took much better notes. I have elected not to edit my own failures out of the story, in the hopes of inspiring other CTFers not to be discouraged by theirs. The process is messy and that’s okay.

I initially ignored this challenge because someone else was working on it and settled on the RETURN_TO_SHELLQL challenge. At one point, a teammate asked me about certificate authorities because I used to work on Firefox. My curiosity was piqued. OK, I was stuck on shellql and needed a break. Same thing, right?

If the focus on certificates is confusing to you, please recall that the challenge mentions a certificate directly. The hint strongly links that to the certificates used by SSL/TLS for HTTPS traffic.  In this case we’re looking for a certificate issued to a url containing “military-grade-secrets.dev” subdomain.

CAs didn’t really show up in my corner of the Mozilla world unless there was drama around an organization’s application to be a CA. I did dimly remember that there was supposed to be some sort of oversight and audit trail, but not how it worked or if it still existed. As with many things, Certificate Authorities didn’t quite turn out the way the architects intended.

The hint brightened those dim recollections a bit, and I did some googling on ‘certificate authority transparency’, of which the most salient was this wikipedia article on Certificate Transparency . That closely matched my dim recollections about oversight and confirmed that the records should be publicly available. So, my foolproof plan was to find the certificate record, link it to a url, drop the url in the Wayback machine, retrieve the secret page, and find the flag.

This is where most of the wandering in the weeds happened for me. I searched around for DNS, cert records, and found a couple sites like SSLChecker, MX tools, etc . I plugged in variants of “military-grade-secrets.dev” and ooo into several of these without success. RAWR! I _know_ there are historic records! I’ve been digging for them the whole time! After about 3 minutes of seeing red, I calmed down enough to connect the dots. The records I was looking at must only be current records. A quick google for ‘archived dns’ turned up this DNS archive.

The results out of that one were more promising. A search for our key string yielded “Military-grade-secrets.dev”, “www.military-grade-secrets.dev”, “secret-storage.military-grade-secrets.dev”, “Now.under.even-more-militarygrade.pw.military-grade-secrets.dev”. None of the links worked as is. So I proceeded to the next phase of my plan: plugging them all into the Internet Archive’s Wayback Machine.  I came up entirely empty handed for all of them, thought I had failed, and started looking for another angle.

My teammate overheard my Wayback attempts, and unlike me, can use tools correctly. 🙂  The Wayback Machine turned up exactly one record for “Now.under.even-more-militarygrade.pw.military-grade-secrets.dev”. , dated May 11th. It was a redirection to https://forget-me-not.even-more-militarygrade.pw/.  

That page was down of course, the server is supposed to be unplugged after all. Of course, the Wayback Machine had a nice copy which displayed the flag on the lower half of the page in a nice large font: OOO{DAMNATIO_MEMORIAE} .  

Thus, QultoftheQuatumQapybaras’ first flag was captured.

Hacker Quapybara by http://danigrillo.com/

Artwork by Illustrator Dani Grillo