TUCTF 2019 Write-up

TUCTF is an introductory CTF for teams that want to build their experience. They had the standard categories of Web, Forensics, Crypto, RE, and Exploit, as well as some other categories they have not revealed just yet.

Below are some of the challenges that we managed to solve during the event.

Red Yarn

We were provided with the challenge’s description and file below.

DEBUG.COM

We couldn’t identify the file type from the file extension, so we used the file command to see what kind of file it is.

It is an executable file. Let’s try the strings command to see whether the flag is stored as a string.

The flag was stored as a string, as we expected, and it is TUCTF{D0NT_F0RG3T_TH3_B4S1CS!}

Something in Common

We were provided with the challenge’s description and file below.

rsa_details.txt

We downloaded the file and viewed it.

They gave us n, e1, e2, c1 and c2. We then used the code below to decrypt the RSA ciphertext.

import gmpy2

def common_modulus_attack(c1, c2, e1, e2, n):
    # Bezout coefficients: s1*e1 + s2*e2 = gcd(e1, e2), which must be 1 here
    gcd, s1, s2 = gmpy2.gcdext(e1, e2)
    # One coefficient is negative: use the modular inverse of that ciphertext
    # and raise it to the positive power instead
    if s1 < 0:
        s1 = -s1
        c1 = gmpy2.invert(c1, n)
    elif s2 < 0:
        s2 = -s2
        c2 = gmpy2.invert(c2, n)

    # c1^s1 * c2^s2 = m^(s1*e1 + s2*e2) = m (mod n)
    v = gmpy2.powmod(c1, s1, n)
    w = gmpy2.powmod(c2, s2, n)
    x = (v * w) % n
    return x

e1 = 15
e2 = 13
n = 5196832088920565976847626600109930685983685377698793940303688567224093844213838345196177721067370218315332090523532228920532139397652718602647376176214689
c1 = 2042084937526293083328581576825435106672034183860987592520636048680382212041801675344422421233222921527377650749831658168085014081281116990629250092000069
c2 = 199621218068987060560259773620211396108271911964032609729865342591708524675430090445150449567825472793342358513366241310112450278540477486174011171344408

m = int(common_modulus_attack(c1, c2, e1, e2, n))
# Convert the recovered integer back to bytes
flag = m.to_bytes((m.bit_length() + 7) // 8, 'big').decode()
print(flag)

We ran the script and got the flag as TUCTF{Y0U_SH0ULDNT_R3US3_TH3_M0DULUS}

runme

We were provided with the challenge’s description and file below.

runme

It had no file extension, so we couldn’t identify the file type. We used the file command to see what kind of file it is.

It is an executable file. Let’s try the strings command to see whether the flag is stored as a string.

This is the same as the Red Yarn challenge. The flag was stored as a string, and it is TUCTF{7h4nk5_f0r_c0mp371n6._H4v3_fun,_4nd_600d_luck}

Open Door

We were provided with the challenge’s description and link below.

When we opened the provided link, we saw this web page.

Let’s see the source code of this web page.

We found the flag for this challenge and it is TUCTF{f1r5t_fl46_345135t_fl46}

Test Test Test

We were provided with the challenge’s description and link below.

When we opened the provided link, we saw this web page.

Let’s see the source code of this web page.

There is a directory named img. Let’s browse there.

There is an image file and a file named TODO.txt. Let’s open it.

We tried to browse to flag.php. The flag was shown for a second, and then we were redirected to the main page again.

We then fired up Burp Suite Proxy to capture the flag.

We finally got the flag for this challenge, and it is TUCTF{d0nt_l34v3_y0ur_d1r3ct0ry_h4n61n6}

Router Where Art Thou?

We were provided with the challenge’s description and link below.

When we opened the provided link, we saw this web page.

We looked at the source code of the web page, but there was no interesting information there. Then we thought about trying the most common router or firewall credential, which is admin:admin.

As we had thought, the credential is admin:admin. The flag for this challenge is TUCTF{y0u_f0und_th3_fun_r0ut3r_d3f4ult5}

And Now, For Something Completely Different

We were provided with the challenge’s description and link below.

When we opened the provided link, we saw this web page.

We viewed the source code of the web page.

We found a comment about /welcome/test. We then browsed there, and it seemed to print out whatever we put in place of the word test.

We tried a few things with it without success. We then tried to register a user.

We got an error that seemed to come from Python code. We then did some googling and found Python Template Injection. We tried some payloads with /welcome.

We found that it is vulnerable to Python Template Injection by passing {{7*7}}, for which we got 49 in return.

We tried to pass the following exploit.

/welcome/{% import os %}{{ os.popen("id").read() }} #id can be replaced with any linux command

We then listed the files and found the flag at /flag.txt.

Based on the output above, the flag for this challenge is TUCTF{4lw4y5_60_5h0pp1n6_f0r)fl465}

Login to Access

We were provided with the challenge’s description and link below.

When we opened the provided link, we saw this web page.

We tried to look at the source code, but there was nothing important there. We tried to brute-force the password of the user admin but failed. We even tried SQL injection, with which we managed to get the credential dave:hunter2.

We used the credential to log in and were presented with another login page.

We then looked at the challenge’s description again and realized that there might be a backup of a file somewhere. We then tried to get login.php.bak.

Surprise, there really was a backup file there. Let’s see what is inside.

We found the flag, and it is TUCTF{b4ckup5_0f_php?_1t5_m0r3_c0mm0n_th4n_y0u_th1nk}

The Droid You’re Looking For

We were provided with the challenge’s description and link below.

When we opened the provided link, we saw this web page.

We tried to view the page source, but there was nothing important there. We saw a statement telling us to think like Google. We then tried to go to robots.txt.

We found this. Maybe there is some filter to allow only Google? We did some googling and found that Google uses a user agent called GoogleBot to read robots.txt and sitemap.xml. We then changed the user agent and accessed that site again.

Based on the output above, the flag was in googleagentflagfoundhere.html, and the flag for this challenge is TUCTF{463nt_6006l3_r3p0rt1n6_4_r0b0t}

Cute Animals Company

We were provided with the challenge’s description and link below.

When we opened the provided link, we saw this web page.

We tried to view the page source, but there was nothing important there. We tried to click on Admin Login, but it redirected us to the home page every time. We then fired up Burp Suite Proxy.

We saw that there is a cookie named allowed whose value seemed to be Base64 encoded. We put it into the decoder.

The value means false, which might be what kept redirecting us to the home page. We then changed the value to true and tried to access Admin Login again.

This time we got a redirect to a page named loginform.html.
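
The redirect above was decided by a flag that the browser holds and can rewrite. As an added example (not code from the challenge or from this write-up), the sketch below contrasts that kind of check with an HMAC-signed cookie; the key, the function names and the exact true/false encoding are assumptions.

```python
import base64
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: a secret held only by the server

def is_allowed_unsigned(cookie_value: str) -> bool:
    """Weak check: trusts a Base64 flag that the client can re-encode at will."""
    try:
        return base64.b64decode(cookie_value) == b"true"
    except ValueError:
        return False

def issue_signed(flag: bool, key: bytes = SERVER_KEY) -> str:
    """Issue 'payload.tag', where tag is an HMAC-SHA256 over the payload."""
    payload = base64.urlsafe_b64encode(b"true" if flag else b"false").decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"

def is_allowed_signed(cookie_value: str, key: bytes = SERVER_KEY) -> bool:
    """Hardened check: reject any cookie whose tag does not match its payload."""
    payload, sep, tag = cookie_value.rpartition(".")
    if not sep:
        return False  # unsigned value, such as the cookie seen in the proxy
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False  # payload was edited after the server issued it
    return base64.urlsafe_b64decode(payload) == b"true"

# Constructed sample values: what a client can produce without the key.
FORGED = base64.b64encode(b"true").decode()
TAMPERED = FORGED + "." + issue_signed(False).split(".")[1]
```

Signing only detects tampering; keeping the authorization decision in server-side session state avoids sending the flag to the client at all.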

We tried some default credentials without success. We then ran SQL injection with sqlmap and got a credential from the database named challenge.

We tried to log in with the credential and it succeeded. We were then presented with a search page.

We played with the search box and found that there is a parameter named file, which takes what we put in the search box and prints it out below it.

We tried many things without success. We then read about Server Side Request Forgery (SSRF) and tried to input file:///etc/passwd in the search box.

Based on the output above, the flag for this challenge is TUCTF{m0r3_cut3_4n1m415_c4n_b3_f0und_4t_https://bit.ly/1HU2m5Q}

Cup of Joe: The Server

We were provided with the challenge’s description and link below.

When we opened the provided link, we saw this web page.

Let’s see the source code of this web page.

We tried clicking on the Give Us Coffee button.

There was a GIF file there. We tried changing coffeepot to teapot, as hinted in the source code.

Hmmm! Still nothing. We then realized that the HTTP method used to get the coffeepot is BREW. We then fired up Burp Suite Proxy to change the HTTP method from GET to BREW.

And we got this response.

Let’s browse to broken.zip.

broken.zip

We got a zip file. Let’s try to unzip it.

We finally found the flag, and it is TUCTF{d0_y0u_cr4v3_th3_418}

Broken

We were provided with the challenge’s description below.

This challenge continues from the Cup of Joe: The Server challenge, as the broken.zip file contains a file named broken.img. We ran the file command to see what kind of file it is.

It was an EXT4 file system. We tried to mount it, but it did not work.

We then ran the strings command to see if we could still recover the flag.

As expected, flag strings were still intact there, and the flag for this challenge is TUCTF{D1S4ST3R_R3C0V3RY}

Sonic

We were provided with the challenge’s description below.

When we connected to the provided domain and port with netcat, we got the result as below.

We needed to write a script to solve the encryption, which is ROT-n.

import socket
import time

import requests

def read_line(s):
    # Read one byte at a time until a newline or until the connection closes
    ret = b''
    while True:
        c = s.recv(1)
        if c == b'\n' or c == b'':
            break
        ret += c
    return ret

s = socket.socket()
host = 'chal.tuctf.com'
port = 30100
s.connect((host, port))

# Skip the banner up to and including the "Gotta go fast!" line
while True:
    txt = read_line(s)
    if b"Gotta go fast!" in txt:
        break

read_line(s)
read_line(s)

while True:
    q = read_line(s)
    print(q)
    cipher_text = q.split(b":")[1].strip()
    print(cipher_text)

    # Ask the online decoder for every rotation of the cipher text
    response = requests.get('http://theblob.org/rot.cgi',
                            params={'text': cipher_text.decode('utf-8')})
    lines = response.content.splitlines()
    j = 0
    for line in lines:
        if b"ROT-" in line:
            # Keep the text after "ROT-n:" and drop a trailing <br> tag.
            # strip(b'<br>') would also eat plaintext ending in b, r, < or >.
            res = line.split(b':', 1)[1].strip()
            if res.endswith(b'<br>'):
                res = res[:-4].strip()
            s.send(res + b"\n")
            print(j, ". sent ", res)
            print(read_line(s))
            print(read_line(s))
            print("==============")

            j += 1
            time.sleep(1)
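
The script above asks a third-party site for every rotation of each cipher text. As an added example (not part of the original script), the same 25 candidates can be computed locally and ranked against a word list; the word list and the sample cipher text are constructed for illustration.

```python
import re
import string

LOWER, UPPER = string.ascii_lowercase, string.ascii_uppercase

def rot_n(text, n):
    """Shift ASCII letters forward by n places; digits and punctuation pass through."""
    n %= 26
    table = str.maketrans(LOWER + UPPER,
                          LOWER[n:] + LOWER[:n] + UPPER[n:] + UPPER[:n])
    return text.translate(table)

def candidates(cipher_text):
    """All 25 non-trivial rotations as (shift, text) pairs."""
    return [(n, rot_n(cipher_text, n)) for n in range(1, 26)]

def best_guess(cipher_text, known_words):
    """Return the (shift, text) pair that contains the most known words."""
    def score(pair):
        words = re.findall(r"[a-z]+", pair[1].lower())
        return sum(w in known_words for w in words)
    return max(candidates(cipher_text), key=score)

# Constructed sample: the banner phrase the script waits for, shifted by 3.
SAMPLE = rot_n("Gotta go fast!", 3)
# Hypothetical word list; a real run would load a dictionary file instead.
WORDS = {"go", "fast", "the", "and"}

if __name__ == "__main__":
    print(SAMPLE, "->", best_guess(SAMPLE, WORDS))
```

With the candidates computed locally, the loop no longer depends on an external service or on parsing its HTML output.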

Warren

We were provided with the challenge’s description below.

When we connected to the provided domain and port with netcat, we got the result as below.

We were asked to decode Affine, Baconian, Caesar, Atbash and Vigenere.

Since the cipher texts did not change even when we disconnected and reconnected, we worked out the clear text of every cipher text and then submitted them again.

We finally got the flag for this challenge, and it is TUCTF{th4nks_f0r_d1n1ng_4641n_4t_th3_W4rr3n_buff3t}

Super Secret

We were provided with the challenge’s description and file below.

document.odt

Based on the extension of the file, it should be an OpenDocument Text file, but let’s run the file command on it to verify.

It really is an OpenDocument Text file. Let’s run the strings command on it to see if we can get anything out of it.

We did not see the flag here, but we saw something interesting: flag.xmlPK.

Since a word-processing document is structured like many files in a zip, we tried to unzip the file.

We found the flag for this challenge, and it is TUCTF{ST0P_TRUST1NG_M4CR0S_FR0M_4N_UNKN0WN_S0URC3}

Onions

We were provided with the challenge’s description and file below.

shrek.jpg

Based on the extension of the file, it should be a JPEG image, but let’s run the file command on it to verify.

It is a JPEG file. We ran exiftool and stegsolve on the image but got nothing. We then tried binwalk and found that there is a zip file in there.

We tried to run foremost to extract the file, but without success.

We then tried to do it manually, as we know a JPEG file runs from FF D8 to FF D9.

Based on the figure above, the selected data are not part of the JPEG file. We created a new file named shrek.7z from the selected data.
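
The manual carve above can be scripted. This added example (not from the original write-up) walks the JPEG segment by segment to find the real FF D9, because a plain byte search can stop at an embedded thumbnail or at FF D9 bytes inside the appended data; the sample bytes and function names are constructed for illustration.

```python
import struct

# Well-known file signatures for archives commonly appended to images.
MAGICS = {b"PK\x03\x04": "zip", b"7z\xbc\xaf\x27\x1c": "7z", b"\x1f\x8b": "gzip"}

def _skip_scan(data: bytes, pos: int) -> int:
    """Advance to the next real marker; FF 00 and RSTn belong to the scan data."""
    while True:
        pos = data.find(b"\xff", pos)
        if pos < 0 or pos + 1 >= len(data):
            return len(data)
        if data[pos + 1] != 0x00 and not 0xD0 <= data[pos + 1] <= 0xD7:
            return pos
        pos += 2

def jpeg_end(data: bytes) -> int:
    """Return the offset just past the real EOI marker by walking JPEG segments."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker FF D8")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                               # EOI: end of the image
            return pos + 2
        if marker == 0xFF:                               # fill byte before a marker
            pos += 1
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:   # markers with no length field
            pos += 2
        else:
            if pos + 4 > len(data):
                break
            (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
            pos += 2 + length                            # skips APPn data, thumbnails included
            if marker == 0xDA:                           # SOS: entropy-coded scan follows
                pos = _skip_scan(data, pos)
    raise ValueError("truncated JPEG: no EOI marker found")

def split_trailer(data: bytes):
    """Return (offset, trailing bytes, guessed type) for data appended after EOI."""
    end = jpeg_end(data)
    trailer = data[end:]
    kind = next((name for magic, name in MAGICS.items() if trailer.startswith(magic)), None)
    return end, trailer, kind

# Constructed sample: an APP1 segment holding a fake thumbnail (with its own FF D9),
# a short scan, the real EOI, then a 7z signature and bytes that include FF D9.
SAMPLE = (b"\xff\xd8" + b"\xff\xe1\x00\x0cExif\x00\x00\xff\xd8\xff\xd9"
          + b"\xff\xda\x00\x02" + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9"
          + b"7z\xbc\xaf\x27\x1c" + b"\x00\xff\xd9\x00")
```

On a real file, split_trailer(open(path, "rb").read()) gives the offset to carve from and a first guess at the appended format.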

After decompressing the many archive files, we finally got the flag for this challenge, and it is TUCTF{F1L3S4R3L1K30N10NSTH3YH4V3L4Y3RS}
