X-MAS CTF 2019 Write-ups

X-MAS CTF is a Capture The Flag competition organized by HTsP. This year we have prepared challenges from a diverse range of categories such as cryptography, web exploitation, forensics, reverse engineering, binary exploitation, OSINT, quantum computing and more! We made sure that each category has challenges for every skill level, so that there is always something for everyone to enjoy and work on.

Mata Nui’s Cookies

We were provided with the challenge description below and an image file.

After some googling, we found the Matoran language and the following alphabet diagram.

We mapped each glyph in the image to its letter and recovered the flag for this challenge: X-MAS{MATANUIHASPREPAREDTHECOOKIES}

Santa’s Forensics 101

We were provided with the challenge description below and a file.

We were given a zip file. We unzipped it and found what looked like a PNG image. Running the file command on it showed that it was actually another zip archive rather than a PNG, so we unzipped that as well and found another PNG file. This time it really was a PNG image. We ran the strings command on the file.

Based on the output above, the flag for this challenge is X-MAS{W3lc0m3_t0_th3_N0rth_Pol3}

Bobi’s wHack

We were provided with the challenge description below.

We did a google search and found the flag. 😀

Based on the output above, the flag for this challenge is X-MAS{subscribelikesharethanks-bobi:)}

Sequel Fun

We were provided with the challenge description below and a link.

The link took us to a website with a login page.

Based on the challenge title, this looked like SQL injection, so we tried admin' OR 1=1 '-- as the username, which led us to the message below.

We then tried a payload that does not contain the character 1, admin' OR ""="" '-- instead, and were greeted with the flag.

Based on the output above, the flag for this challenge is X-MAS{S0_1_c4n_b3_4dmin_w1th0ut_7h3_p4ssw0rd?}
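The mechanics behind that bypass, as an added example that is not part of the original write-up or the challenge's code: a login query built by string concatenation, a stand-in blocklist that rejects digits (an assumption mirroring the fact that the 1=1 payload was refused), and the parameterised query that closes the hole. The payload is the same idea as the one above, written for SQLite (single quotes, comment without the trailing quote); the database contents are constructed.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory database standing in for the challenge backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    return conn


# Assumed blocklist: the challenge rejected the payload containing '1', so this
# stand-in filter refuses any digit. It is an assumption, not the challenge's code.
DIGIT_BLOCKLIST = re.compile(r"[0-9]")


def login_vulnerable(conn, username, password):
    """String-concatenated query: user input becomes part of the SQL text."""
    if DIGIT_BLOCKLIST.search(username) or DIGIT_BLOCKLIST.search(password):
        return "blocked"
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    # With username = "admin' OR ''='' --" the WHERE clause becomes
    #   username = 'admin' OR ''='' --' AND password = '...'
    # The comment swallows the password check and ''='' is always true.
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the input is bound as data and cannot alter the SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print("1=1 payload   :", login_vulnerable(db, "admin' OR 1=1 --", "x"))
    print("''='' payload :", login_vulnerable(db, "admin' OR ''='' --", "x"))
    print("same, safe    :", login_safe(db, "admin' OR ''='' --", "x"))
```

The digit blocklist only forces the attacker to express "true" without digits; any comparison of two equal literals works, which is why filtering characters is no substitute for parameterised queries.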

Santa’s Letter

We were provided with the challenge description below and an image file.

challenge.png

We tried various tools such as strings, exiftool, stegsolve and zsteg without success. We then re-read the challenge description a few times, did some google searching around it, and found a tool named Digital Invisible Ink Toolkit, which we downloaded and ran.

Based on the challenge description, the algorithm should be HideSeek.

The decoding completed successfully, which meant we were on the right track.

Based on the output above, the flag for this challenge is X-MAS{NOBODY:_SANTA:Hyvää joulua!}

SNT DCR SHP

We were provided with the challenge description below and a remote server to connect to with nc.

We connected to the remote server and were given the 3 options below:

  1. Add new decoration to the shopping list (this option lets us input an item name and quantity)
  2. View your shopping list (this option shows our input from option 1)
  3. Ask Santa for a suggestion (this option prints the source code of the application)
import os, sys
from secret import flag

items = []
	
def menu():
	print "SANTA's Decoration shop yay!"
	print "1. Add new decoration to the shopping list"
	print "2. View your shopping list"
	print "3. Ask Santa for a suggestion"
	
	sys.stdout.write ("Your choice: ")
	sys.stdout.flush ()
	return sys.stdin.readline ()

class Decoration(object):
	def __init__(self, type, quantity):
		self.quantity = quantity
		self.type = type
	def print_decoration(self):
		print ('{0.quantity} x ... '+ self.type).format(self)

def leak_source_code():
	print "Santa shows you how his shop works to prove that he doesn't scam you!\n\n"
	
	with open(__file__, 'r') as f:
		print f.read()
		
def add_item():
	sys.stdout.write ("What item do you like to buy? ")
	sys.stdout.flush ()
	type = sys.stdin.readline ().strip ()
	
	sys.stdout.write ("How many of those? ")
	sys.stdout.flush ()
	quantity = sys.stdin.readline ().strip () # Too lazy to sanitize this
	
	items.append(Decoration(type, quantity))
	
	print 'Thank you, your items will be added'
	
def show_items():
	for dec in items:
		dec.print_decoration()

print ("""           ___
         /`   `'.
        /   _..---;
        |  /__..._/  .--.-.
        |.'  e e | ___\\_|/____
       (_)'--.o.--|    | |    |
      .-( `-' = `-|____| |____|
     /  (         |____   ____|
     |   (        |_   | |  __|
     |    '-.--';/'/__ | | (  `|
     |      '.   \\    )"";--`\\ /
     \\        ;   |--'    `;.-'
     |`-.__ ..-'--'`;..--'`
     """)

while True:
	choice = menu().strip ()
	
	if(choice == '1'):
		add_item()
	elif(choice == '2'):
		show_items()
	elif(choice == '3'):
		leak_source_code()
	else:
		print "Invalid choice"

We inspected the source code and found a comment admitting there is no sanitization of the quantity variable; the item type is not sanitized either, and that turned out to be the way in. Looking at where both variables are used, we found the line below, which is vulnerable to a format string attack because the user-controlled type is concatenated into the template before .format() is called:
print ('{0.quantity} x ... '+ self.type).format(self)
Next, we injected a format field that walks from the Decoration instance to the module's global variables, since the flag had been imported as a global.

Based on the output above, the flag for this challenge is X-MAS{C_15n7_th3_0nly_vuln3rabl3_l4nngu4g3_t0_f0rm47_57r1ng5}
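To make the format string bug concrete, here is an added Python 3 example (not the challenge's code) that rebuilds the Decoration class with the same vulnerable line next to a fixed one. The flag value is a constructed placeholder standing in for the challenge's `from secret import flag`; the payload uses str.format's attribute and index lookups to walk from the instance to its `__init__` method's globals.

```python
# Constructed secret, playing the role of the challenge's `from secret import flag`.
flag = "X-MAS{constructed_example_flag}"

# Format field that walks instance -> __init__ (bound method) -> function globals
# -> the 'flag' entry. No code execution is needed; str.format does the lookups.
PAYLOAD = "{0.__init__.__globals__[flag]}"


class Decoration:
    def __init__(self, type_, quantity):
        self.type = type_
        self.quantity = quantity

    def render_vulnerable(self):
        # Same shape as the challenge: attacker-controlled self.type is part of
        # the template string, so its braces are interpreted as format fields.
        return ("{0.quantity} x ... " + self.type).format(self)

    def render_safe(self):
        # User data is supplied as an argument, never as the template, so any
        # braces in it are copied through literally.
        return "{0.quantity} x ... {1}".format(self, self.type)


def leak_via_format():
    """What the shop would print for an item named PAYLOAD with quantity 1."""
    return Decoration(PAYLOAD, "1").render_vulnerable()


def safe_output():
    """The fixed rendering of the same item: the payload is printed verbatim."""
    return Decoration(PAYLOAD, "1").render_safe()


if __name__ == "__main__":
    print("vulnerable:", leak_via_format())
    print("safe      :", safe_output())
```

The same technique works on any object passed to .format() whose attribute graph reaches module globals (methods, classes via `__class__`, closures), which is why user input must only ever be a format argument.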

Roboworld

We were provided with the challenge description below, a link and a file.

We followed the given link and landed on a login page.

We viewed the given file, which was the source code of the application.

from flask import Flask, render_template, request, session, redirect
import os
import requests
from captcha import verifyCaptchaValue

app = Flask(__name__)

@app.route('/')
def index():
    return render_template("index.html")

@app.route('/login', methods=['POST'])
def login():
    username = request.form.get('user')
    password = request.form.get('pass')
    captchaToken = request.form.get('captcha_verification_value')

    privKey = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" #redacted
    r = requests.get('http://127.0.0.1:{}/captchaVerify?captchaUserValue={}&privateKey={}'.format(str(port), captchaToken, privKey))
    #backdoored ;)))
    if username == "backd00r" and password == "catsrcool" and r.content == b'allow':
        session['logged'] = True
        return redirect('//redacted//')
    else:
        return "login failed"


@app.route('/captchaVerify')
def captchaVerify():
    #only 127.0.0.1 has access
    if request.remote_addr != "127.0.0.1":
        return "Access denied"

    token = request.args.get('captchaUserValue')
    privKey = request.args.get('privateKey')
    #TODO: remove debugging privkey for testing: 8EE86735658A9CE426EAF4E26BB0450E from captcha verification system
    if(verifyCaptchaValue(token, privKey)):
        return str("allow")
    else:
        return str("deny")

The source leaks a private key left in for testing the captcha verification system, and the /captchaVerify route's 127.0.0.1 check is satisfied whenever /login calls it on our behalf. Let's first try to log in with the username and password hard-coded in the source file and see what happens.

We saw that user, pass and captcha_verification_value were sent in the POST request, but it resulted in login failed, since we had no valid private key for the captcha. Let's send the private key along with our POST request.

It still failed. Since login() interpolates captcha_verification_value straight into the internal captchaVerify URL without encoding it, let's URL-encode the captcha_verification_value in our POST body instead, so that its decoded value carries the extra privateKey parameter into that internal request.

We got a positive response and followed the redirect URL.

We went through all the files and got the flag from wtf.mp4.

Based on the output above, the flag for this challenge is X-MAS{Am_1_Th3_R0bot?_0.o}
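The parameter injection behind that last step, as an added example that is not part of the original write-up: it reproduces the URL construction from the challenge's login(), shows which privateKey value the verifier ends up reading, and contrasts it with urlencode(), which keeps the token a single value. The debugging key is the one visible in the source above; the server key and port are placeholders (the real key is redacted and `port` is undefined in the excerpt). It assumes Flask's request.args.get() returns the first value of a repeated parameter, which is Werkzeug's MultiDict behaviour.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders: the challenge redacts the real key and never defines `port`.
SERVER_PRIVKEY = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
PORT = 5000
# The "debugging privkey" left in the captchaVerify route of the leaked source.
DEBUG_PRIVKEY = "8EE86735658A9CE426EAF4E26BB0450E"


def build_url_vulnerable(captcha_token):
    """Same construction as the challenge's login(): raw interpolation."""
    return "http://127.0.0.1:{}/captchaVerify?captchaUserValue={}&privateKey={}".format(
        PORT, captcha_token, SERVER_PRIVKEY
    )


def build_url_safe(captcha_token):
    """urlencode() percent-encodes '&' and '=' so the token cannot add parameters."""
    query = urlencode({"captchaUserValue": captcha_token, "privateKey": SERVER_PRIVKEY})
    return "http://127.0.0.1:{}/captchaVerify?{}".format(PORT, query)


def _args(url):
    # parse_qs keeps repeated parameters in order; index 0 matches what
    # Flask's request.args.get() returns for a repeated key (assumption noted above).
    return parse_qs(urlsplit(url).query)


def privkey_seen_by_server(url):
    return _args(url)["privateKey"][0]


def captcha_value_seen_by_server(url):
    return _args(url)["captchaUserValue"][0]


def attack_token():
    """Token that smuggles a second privateKey parameter into the internal request."""
    return "x&privateKey=" + DEBUG_PRIVKEY


def post_body():
    """The form body to send to /login: Flask decodes %26 and %3D back into '&' and '='."""
    return urlencode(
        {"user": "backd00r", "pass": "catsrcool", "captcha_verification_value": attack_token()}
    )


if __name__ == "__main__":
    print("POST body        :", post_body())
    print("vulnerable URL   :", build_url_vulnerable(attack_token()))
    print("key verifier sees:", privkey_seen_by_server(build_url_vulnerable(attack_token())))
    print("with urlencode   :", privkey_seen_by_server(build_url_safe(attack_token())))
```

The fix in the real code would be `requests.get(url, params={...})`, which applies the same encoding; the broader lesson is that any server-side request built from request data needs every component encoded, or the "only 127.0.0.1" check on the internal endpoint protects nothing.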

X-MAS Helper

We were provided with the challenge description below.

It seemed they were talking about the bot in their Discord server. We found a bot named X-MAS Helper which returned "Unauthorized." each time we sent it the command !flag. We noted from the challenge description that it only hands out the flag to users with the Organizer role. We tried to find the bot in public bot lists so we could add it to our own server, but it was nowhere to be seen. We then found that we could add the bot to our server if we had its ID, using the URL below.
https://discordapp.com/oauth2/authorize?client_id=BOT_ID&scope=bot

We tried to find the bot ID in various ways, and found it by chatting to the bot and observing the request and response in the Burp Suite proxy.

After successfully adding the bot to our own server, we created a role named Organizer, as in the X-MAS CTF Discord server.

Then we asked for !flag again.

Based on the output above, the flag for this challenge is X-MAS{FREE_FLAGS_FOR_EVERY0NE}
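The authorization flaw this exploits, as an added example that is not the bot's code (which was never shown): a check keyed on a role name, which anyone can reproduce in a guild they own, next to a check bound to a specific role ID in a specific guild. The guild and role IDs and the member data are constructed placeholders, not the real server's.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    guild_id: int
    role_id: int
    name: str


# Constructed placeholder IDs for the CTF guild and its Organizer role.
CTF_GUILD_ID = 111111111111111111
ORGANIZER_ROLE_ID = 222222222222222222


def may_get_flag_vulnerable(member_roles):
    """Trusts the role name: satisfied by any guild that has a role called Organizer."""
    return any(role.name == "Organizer" for role in member_roles)


def may_get_flag_safe(member_roles):
    """Binds the decision to one role in one guild; names are irrelevant."""
    return any(
        role.guild_id == CTF_GUILD_ID and role.role_id == ORGANIZER_ROLE_ID
        for role in member_roles
    )


def real_organizer_roles():
    """Constructed: a member holding the genuine Organizer role in the CTF guild."""
    return [Role(CTF_GUILD_ID, ORGANIZER_ROLE_ID, "Organizer")]


def attacker_roles():
    """Constructed: the write-up's trick, a self-made Organizer role in the attacker's own guild."""
    return [Role(999999999999999999, 333333333333333333, "Organizer")]


if __name__ == "__main__":
    for label, roles in (("organizer", real_organizer_roles()), ("attacker", attacker_roles())):
        print(label, "name check:", may_get_flag_vulnerable(roles),
              "id check:", may_get_flag_safe(roles))
```

Restricting the command to the CTF guild ID alone would also have stopped this; the general rule is that anything the requester can rename or recreate is not an identity.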

Dox the Grinch

We were provided with the challenge description below.

We solved this challenge, but we did not keep enough track of our steps, so we decided not to write it up.
