CSESoc x SecSoc CTF 2021

Posted

It’s that time of the year again where my uni society holds a CTF competition!

If you don’t know what a CTF is…It’s a competition where you solve challenges (often computer / forensics / hacking related things) to get the highest score.

Last year my team won despite two people (of our team of 4) going AWOL. This year I paired up with my other half of a brain cell to form a team of two.

Whilst we weren’t eligible to win prizes (that are hands down better than last year’s) we still decided to do it anyway - It’s not for the prize, it’s for the experience (and personally, a reason to write yet another blog post here) 😉!

As per the usual flex-like attitude: Though we started the challenges on time (last year we started 2 hours late) we were a small team of two, competing against teams of threes or fours. But thanks to our unfair advantage of being keyboard warrior, and not being beginners in this “Newbie competition” we still came “first”!

Of course, it’s not a feat to announce coming first against beginners; but my saving grace is that we competed and came first over the other CTF veterans who were also competing for fun.


Here’s some fun stats when the second lot of challenges were released during the evening of the CTF competition (prior to this there were five or six teams who had the same score, the earlier teams to reach the score get a higher rank).

Our team (A BANANA) (well just me) spent around 20 minutes to pump out the new 6 challenges, and just like that we claimed the ineligible first place!


Anyway, so as usual, here’s the writeups for the challenges that I did


Category: Web

Oregano Cafe

Part 0

Flag found in the robots.txt file

robots.txt

# Part 0 Flag: NEWBIE{be3p_b00p_tH!s_siT3_was_pLaGiar!s3D_i_m34n_syNth3sized}

User-agent: *
Disallow: /starch.py

Flag: {be3p_b00p_tH!s_siT3_was_pLaGiar!s3D_i_m34n_syNth3sized}

Part 1

Upon trying a password, the website gives an error as well as the expected hash (a4ec243c744c8424fcb454f4cc4464246ca40484243cd454bcf41424fc048c04). From the robots.txt file, we can see a file starch.py, which when viewed shows the implemented hash function.

Reverse engineer this function to find the password which can be put in.

There is more than one correct password, due to how the hashing function handles the last character of the password input.

Password: lo2eme30m5f2e5h0o0440e3nom.pmn/5
Flag: NEWBIE{wriTinG_y0uR_0wn_ha5#_fuNcTi0N_iSnT_th3_b3St_id3A!}
Script: sol.py

SecBin

File uploader which has and endpoint that allows you to view the file… or any other path in the filesystem. So we can do some LFI (Local File Inclusion) and Directory Traversal exploits to leak some secure files… like /etc/passwd

URL: https://secbin.ctf.unswsecurity.com/download?file=../../../../../../../../../../etc/passwd
Flag: NEWBIE{1m491n3_54y1N9_1T5_uH4x0r4bL3}


Category: Binary

no_code_attached

Given ASLR/PIE protection and a lack of address leak, we know this is not a ret2win challenge.

The vulnerable function in the binary file reads in a password string and returns (as eax) the contents at ebp-0x10. The main function compares this result to 0x4269 and calls the win function (top_secret_admin_stuff) if it matches.

We can exploit the input loop to override the contents at ebp-0x10

Flag: NEWBIE{h4v1ng_th3_c0de_sur3_h3lp5}
Script: sol.py


Category: Forensics

whitespace

MS PAINT OP

The flag is handwritten in a slightly different colour than the background. Use a magic wand selection tool / change the background colour.

Flag: NEWBIE{it_flooded}

My Favourite HEXagon

View the image as hex to find the flag (or like, use strings), in a reversed format.

Flag: NEWBIE{h0w_d1d_u_f1nd_me}

world emoji day

A bunch of images, a text file and a corrupted ‘image’ is provided in a zip file. Looking at the corrupted “image”, it is actually a corrupted PDF file (given away by some metadata tags). Throw it into a PDF file fixer and we can view the flag

Flag: NEWBIE{Em0j!5_4r3_Coo!}


Category: Crypto

secsoc x csesoc

Potentially a substitution cipher, as the second and sixth segments could correspond to the “E” in “NEWBIE”. However jokes it’s just a binary ASCII encoding of the flag, whose dits are replaced with either csesoc or secsoc.

We can replace csesoc as 0 and secsoc as 1, then decode the segments.

Flag: NEWBIE{W3lC0m3_T0_th3_CtF}
Script: sol.py

Askii

Pretty simple challenge, each segment in the provided file is just the ASCII symbol.
The flag is embedded inside a chunk of lorem text, so just CTRL + F after decoding everything

Flag: NEWBIE{Ascii_Rul3s_Th0ugh}
Script: sol.py

Base64 Onion

The flag is encoded in base64 many times, just continually decode until we find the flag.

Flag: NEWBIE{N0_hop3_Ju5t_4dd1ng_l4y3rs}
Script: sol.py


Category: Recon

a rocket

An image of a US rocket is shown. A quick reverse image search as well as searching for “US Rocket” and checking its location reveals the location of Alabama

Flag: NEWBIE{Alabama}


Category: Misc

zippity 2: electric boogaloo

We need to SHA-512 a bunch of potential flags to find the flag whose hash begins with 146

The file turns out to be boogaloo-2042.txt.

Flag: NEWBIE{e#p4!8C_g%4-M!3&R_m%0$m#e?n@T!}
Script: sol.py

The Mining Canary

The flag is split into multiple payloads.

Flag: NEWBIE{F12_Ctr1+sh1ft+I_m0r3}

Plumbing Advice

question highkey stolen from skylight…

There’s a script tag in the source code that tries to source a script from a supposedly non-existent domain.
Check for TXT records with dig to find it (i.e. dig favicon.hakc.xyz TXT)

Flag: SKYLIGHT{dUg_f0r_trE4suRe_x_ic0n_m4rkEd_t#3_sp0t}

More posts

On Air Light

Please don't disturb me, I'm streaming

Posted

Talyte Configurator

Feature Fridays! Expanding the functionality of Talyte

Posted