Muzec's Cyber Security Blog

Hack. Sleep. Repeat


dCTF 2021 was hosted by DragonSec SI. The CTF lasted from 14.5.2021 at 15:00 UTC to 16.5.2021 at 21:59 UTC, so I decided to share some of the solutions.

Misc:- Encrypted the flag I have

image

So we downloaded the PNG file, and it was a strange one really, but with a bit of research we found out it was the Aurebesh alphabet, a writing system used to write in Basic, a language used in the Star Wars universe.

image

Using https://www.dcode.fr/aurebesh-alphabet I was able to decrypt it, and we got our flag.

image

DCTF{MASTERCODEBREAKER}

Misc:- Don’t let it run

image

After downloading the PDF file, I opened it with http://icyberchef.com/. Going through it, I saw some hidden hex text, so I decoded it and boom, we have the flag.

image

dctf{pdf_1nj3ct3d}

Misc:- Hidden message

image

Pretty easy using zsteg, and boom, we have the flag.

image

dctf{sTeg0noGr4Phy_101}

Misc:- Leak Spin

image

We have confident insider report that one of the flags was leaked online. Can you find it? Checking Twitter, nothing, so I decided to check GitHub and, guess what, I am right.

image

One of the challenges for the upcoming DCTF1. Make sure to keep this info private! Also: A really simple challenge, if you are reading this, you are close!

image

name: "Leak Spin"
author: "Miha M."
category: Web

description: We have confident insider report that one of the flags was leaked online. Can you find it?
value: 100
type: standard

flags:
  - dctf{I_L1k3_L1evaAn_P0lkk4}

tags:
  - web

state: visible
  
version: "1.0"

And we have our flag.

dctf{I_L1k3_L1evaAn_P0lkk4}

Misc:- Bad Apple

image

Someone stumbled upon this file in a secure server. What could it mean?

Going through it with Sonic Visualiser, I found a barcode.

image

Now converting it to black and white and using some online tools to read it gives us the flag.

image

dctf{sp3ctr0gr4msAreCo0l}

Misc:- Show us your ID

image

This one was also hidden in hex; using the same method as on Don't let it run, I was able to retrieve the flag.

image

dctf{3b0ba4}

Crypto:- Strong password

image

A zip file, but protected with a password. Let's try to crack it using John the Ripper.

image

Now using John the Ripper with the rockyou.txt password list to crack it.

john --wordlist=/usr/share/wordlists/rockyou.txt crack

Since I already cracked it and have the password, there is no need for me to crack it again; the password in plain is below:

image

Unzip it with the password and we have a txt file with a lot of words, lol. Searching through it, we have the flag.

image

dctf{r0cKyoU_f0r_tHe_w1n}

Crypto:- This one is really basic

image

The answer to life, the universe, and everything.

image

dctf{Th1s_l00ks_4_lot_sm4ll3r_th4n_1t_d1d}

Web:- Simple web

image

OK, we are greeted with a page saying I want a flag, but when I click on it I get the error Not authorized.

image

image

Now let's check the source code to see what we are missing.

image

We can see that auth is 0; let's try changing it to 1 using inspect element.

image

When I click on submit now, boom, we have the flag.

image

dctf{w3b_c4n_b3_fun_r1ght?}

Web:- Injection

image

A simple login page, but not that simple, and not related to SQL injection. First things first, I tried to confirm whether it is vulnerable to Server-Side Template Injection (SSTI), thanks to my little cheat sheet $%. OK, let's confirm it.

image

image

Cool, we got a 500 Internal Server Error. Now let's craft our payload, all thanks to our captain @Kiomet for the hard work here.

image

Payload ready http://dctf1-chall-injection.westeurope.azurecontainer.io:8080/%7B%7Bconfig.__class__.__init__.__globals__['os'].popen('ls -la').read()}}

image

You can view the page source to see it more cleanly.

http://dctf1-chall-injection.westeurope.azurecontainer.io:8080/%7B%7Bconfig.__class__.__init__.__globals__['os'].popen('cat lib/security.py').read()}}

image

Now, to get the flag, let's reverse and decode the password we found.

image

dctf{4ll_us3r_1nput_1s_3v1l}

Web:- Very secure website

image

Some students have built their most secure website ever. Can you spot their mistake?

Checking the source code that was left behind for us.

 <?php
    if (isset($_GET['username']) and isset($_GET['password'])) {
        if (hash("tiger128,4", $_GET['username']) != "51c3f5f5d8a8830bc5d8b7ebcb5717df") {
            echo "Invalid username";
        }
        else if (hash("tiger128,4", $_GET['password']) == "0e132798983807237937411964085731") {
            $flag = fopen("flag.txt", "r") or die("Cannot open file");
            echo fread($flag, filesize("flag.txt"));
            fclose($flag);
        }
        else {
            echo "Try harder";
        }
    }
    else {
        echo "Invalid parameters";
    }
?> 

I tried using admin/admin for both username and password but got no luck, so I tried the magic hashes for PHP cheat sheet below:

image

Now using admin for username and LnFwjYqB for password.

image

And boom, we have the flag.

image

dctf{It's_magic._I_ain't_gotta_explain_shit.}
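
Why the cheat-sheet password passes the check in the source above, and what a hardened comparison looks like, as an added example (not the challenge's code and not part of the original post). It reuses the two digest constants from that source; the function names are hypothetical.

```php
<?php
// Added example. The two digests are the constants from the challenge source
// shown on this page; all function names here are hypothetical.
const USER_DIGEST = "51c3f5f5d8a8830bc5d8b7ebcb5717df";
const PASS_DIGEST = "0e132798983807237937411964085731";

// True when PHP's loose comparison would read the string as a number in
// scientific notation with a zero mantissa ("0e" followed only by digits).
function is_magic_digest(string $hex): bool
{
    return preg_match('/^0+e[0-9]+\z/', $hex) === 1;
}

// Same operator as the challenge: when both operands are numeric strings,
// == compares them as numbers, so every "0e<digits>" digest equals any other.
function check_loose(string $password): bool
{
    return hash("tiger128,4", $password) == PASS_DIGEST;
}

// Hardened form: hash_equals() compares the strings byte for byte, in
// constant time, with no numeric interpretation.
function check_strict(string $password): bool
{
    return hash_equals(PASS_DIGEST, hash("tiger128,4", $password));
}

// Audit step: a stored digest that is itself "magic" is the weak point.
echo "password digest is magic: ";
var_dump(is_magic_digest(PASS_DIGEST));
echo "username digest is magic: ";
var_dump(is_magic_digest(USER_DIGEST));

// The password used in the walkthrough above, run through both checks.
$candidate = "LnFwjYqB";
printf("tiger128,4 digest of candidate: %s\n", hash("tiger128,4", $candidate));
echo "loose check accepts it:  ";
var_dump(check_loose($candidate));
echo "strict check accepts it: ";
var_dump(check_strict($candidate));

// The operator on its own, using two constructed strings (not real digests).
echo "loose ==:    ";
var_dump("0e1234" == "0e9876");
echo "strict ===:  ";
var_dump("0e1234" === "0e9876");
echo "hash_equals: ";
var_dump(hash_equals("0e1234", "0e9876"));
```

For real credential storage, password_hash() and password_verify() replace the bare digest comparison entirely.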

Web:- DevOps vs SecOps

image

Automatization is amazing when it works, but it all comes at a cost… You have to be careful…

Now back to the GitHub page.

image

Some really interesting hint.

image

image

Clicking on .github.

image

Now setup.py.

image

And we have our flag.

dctf{H3ll0_fr0m_1T_guy}

Yeah, I know, all the challenges are cool, and all thanks to my teammates @fr334aks; it was really fun playing with you all.

image

Boom, and we stand at 15th place out of 1084 teams.

Greetings From Muzec


