DevDay CTF — Walkthrough

Introduction:

Dev Day CTF was held at FAST University, Karachi, where our team, Plugins, secured third place, submitting all the flags. The challenges were divided into four categories, and each category had four challenges ranging in difficulty from easiest to hard. The four categories were:

  • Web Exploitation
  • Steganography
  • Cryptography
  • Reverse Engineering

The solutions to all the challenges are explained below.

Web Exploitation:

  1. Cattos are cute.

Solution:

The website itself shows nothing of interest, but the challenge description refers to robots.

So, looking at robots.txt, we get the encrypted flag. Julius Caesar's name is also mentioned, which hints at the Caesar cipher.

Brute-forcing the key, we get the plaintext flag at k=19.

2. Just Ctrl+C, V the flag.

Solution:

Navigating to the website, we get the following page.

Looking at the source, there’s a link to a page, and a paragraph hints at looking at the response.

So, clicking on the link, we get the flag in the response headers.

3. Challenges and Scores.

Solution:

There are two users in the DB and one is given, so we have to find the other.

Entering the given data, we get the following response.

Sending the request to Burp Suite Repeater and adding a single quote (') at the end of the data gives a server error. This confirms there’s a SQL injection.

Using the following payload, we get all the data from the database, which includes our flag.

111.111.111-11' or 1=1-- -
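Why the quote probe errors and why the payload returns every row, shown beside the parameterised fix. This is an added example, not the challenge's code: the table, the column names (doc_id, name, note) and the rows are constructed, and SQLite stands in for whatever database the challenge used.

```python
import sqlite3

def make_db():
    """Constructed two-user table; column names and rows are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (doc_id TEXT, name TEXT, note TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("111.111.111-11", "given-user", "nothing to see"),
            ("222.222.222-22", "other-user", "FastCTF{constructed_example}"),
        ],
    )
    return db

def lookup_vulnerable(db, doc_id):
    # The input is pasted into the SQL text, so a quote in it ends the string
    # literal and whatever follows is parsed as SQL.
    query = "SELECT name, note FROM users WHERE doc_id = '" + doc_id + "'"
    return db.execute(query).fetchall()

def lookup_safe(db, doc_id):
    # Bound parameter: the value travels separately from the SQL text, so
    # quotes and comment markers remain plain data.
    return db.execute(
        "SELECT name, note FROM users WHERE doc_id = ?", (doc_id,)
    ).fetchall()

def quote_probe_errors(db):
    """True when a trailing single quote breaks the concatenated query."""
    try:
        lookup_vulnerable(db, "111.111.111-11'")
    except sqlite3.OperationalError:
        return True
    return False

PAYLOAD = "111.111.111-11' or 1=1-- -"  # payload quoted in the write-up

if __name__ == "__main__":
    db = make_db()
    print("quote probe errors:", quote_probe_errors(db))
    print("concatenated query:", lookup_vulnerable(db, PAYLOAD))
    print("parameterised query:", lookup_safe(db, PAYLOAD))
```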

4. Your wish is my command!

Solution:

As the challenge name suggests, this challenge involves command injection. Navigating to the given link, we get the following interface, but entering any command doesn’t show results.

Looking at the response, we get the result of the command.

Using the ls command to list files on the server, we see there’s a directory named hidden.

This directory contains a flag.txt file, but the cat command is blacklisted, so we cannot use it to read the file.

Another command for reading files is more. Using it, we get the flag.
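The weakness here is the blacklist itself: blocking one command name leaves every equivalent tool available. The added example below (not the challenge's code) contrasts such a filter with an allowlisted, shell-free design; BASE, the action name "list" and the function names are hypothetical.

```python
import os
import shlex

BLOCKED = {"cat"}  # the one command the write-up reports as blacklisted
BASE = os.path.realpath("/srv/app/files")  # hypothetical directory the app may list

def denylist_allows(command_line):
    """Weak filter: reject only when a blocked word appears as a token."""
    return not any(tok in BLOCKED for tok in shlex.split(command_line))

def build_argv(action, rel_path="."):
    """Hardened form: fixed action -> argv mapping, path confined to BASE.

    The result is meant for subprocess.run(argv) without shell=True, so the
    user never supplies a command name or any shell syntax.
    """
    actions = {"list": ["ls", "--"]}
    if action not in actions:
        raise ValueError("unsupported action: %r" % action)
    full = os.path.realpath(os.path.join(BASE, rel_path))
    if os.path.commonpath([full, BASE]) != BASE:
        raise ValueError("path escapes base directory")
    return actions[action] + [full]

def rejected(action, rel_path="."):
    """True when the hardened builder refuses the request."""
    try:
        build_argv(action, rel_path)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(denylist_allows("cat hidden/flag.txt"))   # blocked by name
    print(denylist_allows("more hidden/flag.txt"))  # passes the blacklist
    print(build_argv("list", "hidden"))
    print(rejected("more"), rejected("list", "../../etc"))
```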

Steganography:

  1. How to survive?

Solution:

Download the given file. Checking for any strings in the file using the strings command, we get the flag.

strings survival.png

2. Meta meta where are you?

Solution:

As the challenge name suggests, this is about metadata. So, using exiftool, we look at the file’s metadata and get ciphertext in the XP Comment field.

We don’t know which cipher it is, so we look at the hints, which mention variations of ROT.

So, using ROT47, we get the flag.

3. Doge looks sus.

Solution:

The challenge description talks about a hidden file. Using steghide, we try to extract the hidden file, but it requires a password.

Looking at the metadata, we get a base64-encoded password in the XP Comment field.

Decode the base64 to get the plaintext password. Then, using the password, extract the hidden file from the image.

Reading the extracted file, we get the flag at the very start.

4. Wiki Search for dogs.

Solution:

Navigating to the given URL, we get a page with dog pics.

Download the pics from the site one by one and examine each.

The first file contains a password in the metadata. Save this password in your notes.

Then, download the next pic. It doesn’t contain anything in its metadata, but it has an embedded directory which contains a zip and a text file.

The text file is empty, but the zip file requires a password for decompressing. The password that we found previously doesn’t work either.

Moving to the next pic, we get another password in the metadata.

Using the password we just found, we decompress the zip file and extract the secret file, which contains the flag.

Cryptography:

  1. Based like You.

Solution:

The encoded message is in base64 format, so decoding it gives us the flag.

2. The whisper.

Solution:

The given encrypted flag looks like Morse code. Using CyberChef, we convert it to plain text.

But, as the description mentions, we need to use the Caesar cipher to get the correct flag. Then, just add the flag format (FastCTF{}) and submit it.

3. Baby RSA.

Solution:

Download the given file. It contains all the variables that we need to decrypt the ciphertext.

Using dcode.fr online, enter all the variables and get the plaintext flag.

4. Can’t Be Done.

Solution:

According to the challenge description, the given cipher name is encrypted using 2 variations of the same 1-to-1 mapped (substitution) cipher. The Caesar cipher is a substitution cipher and has many variations. Using ROT47 and ROT13, we get the name of the cipher in plaintext.

Since we now know the name of the cipher and have the key and plaintext space, we decrypt the given ciphertext and get the flag.
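The Caesar-family steps used in this walkthrough (the k=19 brute force in Cattos are cute, ROT47 in Meta meta where are you?, and the stacked ROT47/ROT13 here) fit in one small script. This is an added example, not the tooling used during the CTF; the ciphertexts are constructed and the function names are hypothetical.

```python
import string

def caesar(text, k):
    """Shift ASCII letters by k places; digits and punctuation pass through."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + k) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + k) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)

def rot47(text):
    """Rotate the 94 printable ASCII characters '!'..'~' by 47 (self-inverse)."""
    return "".join(
        chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c
        for c in text
    )

def brute_force(ciphertext, crib="FastCTF{"):
    """Try all 26 shifts and keep those whose output contains the crib."""
    tries = ((k, caesar(ciphertext, k)) for k in range(26))
    return [(k, text) for k, text in tries if crib in text]

def rot_candidates(ciphertext):
    """ROT13 and ROT47 alone and stacked in both orders, for manual review."""
    r13 = lambda s: caesar(s, 13)
    return {
        "rot13": r13(ciphertext),
        "rot47": rot47(ciphertext),
        "rot13(rot47(x))": r13(rot47(ciphertext)),
        "rot47(rot13(x))": rot47(r13(ciphertext)),
    }

# Constructed samples, not the CTF's real ciphertexts.
PLAIN = "FastCTF{constructed_example}"
SHIFTED = caesar(PLAIN, 7)           # undone by a further shift of 19
LAYERED = rot47(caesar(PLAIN, 13))   # two stacked ROT variants

if __name__ == "__main__":
    print(brute_force(SHIFTED))
    for name, text in rot_candidates(LAYERED).items():
        print(name, "->", text)
```

ROT13 and ROT47 do not commute, which is why both stacking orders are listed.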

Reverse Engineering:

  1. Babiest Reverse.

Solution:

Looking at the strings in the given binary, we get the flag.

2. Baby Reverse.

Solution:

Executing the given binary, it asks for a magic number. Whatever we input, it returns the same output.

So, decompile the binary using Ghidra. Looking at the main function, it uses a verify function to check user input. If it returns 1 or True, then it prints the flag. Otherwise it prints Nice try.

Looking at the verify function, it compares the user input with some number, which is in hex, and there’s another function, check, which takes another user input.

First, we convert the found hex into decimal.

Then, looking at the check function, it also compares user input with another number, which is also in hex format.

Also convert this hex number into decimal.

Now, we have both numbers that the program asks for. So, we provide the input and it gives the flag, but reversed. We reverse the string using python3 and get the correct flag.

3. Mathematical Reverse.

Solution:

Download the given binary. Executing it, it asks for a number. Given any input, it returns the same fake flag.

Decompile the binary using Ghidra. Looking into the main function, it has a condition: if the user input minus some number (which is in hex) is less than 2, it prints the flag. Otherwise it returns the fake flag.

We need to make this condition true to get the flag. So, first we convert the hex to decimal. Then, we provide the same number as input, which makes the condition (73347 - 73347) < 2 true, and we get the flag.

4. Malware.

Solution:

In this challenge, we are given a compiled Python 2 program.

Running it, it asks for some number but doesn’t return anything.

We can decompile this binary using the uncompyle6 module for Python, which can be easily installed using pip. Using uncompyle6, we decompile this binary and save the output in another file.

Looking at the source code, there are many variables which contain some encoded message; the second-to-last line concatenates them into the trust variable, and the last line decodes and executes the encoded message. We can guess that it’s encoded code which asks for user input when we run the binary.

So, we need to see what’s in the trust variable before it executes. Comment out the last line and print the trust variable.

Running the code, the trust variable contains a base64-encoded message, so we pipe it directly to the base64 command to decode it and get the following code. This code asks for a magic number and compares it with the sum of the ASCII values of the flag.

Save the above code in another file and comment out the lines that ask for user input and compare it. Then print the flag directly.

Then, run the program and get the flag.
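When the sample is not trusted, the hidden stage can be recovered without running any of the decompiled file. The added example below (not the challenge's code) resolves the string assignments textually and base64-decodes trust; the decompiled source and the names part0..part2 are constructed, and only trust comes from the write-up.

```python
import ast
import base64
import re

# Constructed stand-in for the hidden second stage (Python 2 syntax, kept as text).
INNER = (
    'flag = "FastCTF{constructed_example}"\n'
    'magic = int(raw_input("Magic number: "))\n'
    'if magic == sum(map(ord, flag)):\n'
    '    print flag\n'
)

def build_sample():
    """Build decompiler-style source: string chunks, a join, then exec."""
    b64 = base64.b64encode(INNER.encode()).decode()
    cut = len(b64) // 3
    chunks = [b64[:cut], b64[cut:2 * cut], b64[2 * cut:]]
    lines = ["import base64"]
    lines += ["part%d = %r" % (i, c) for i, c in enumerate(chunks)]
    lines += ["trust = part0 + part1 + part2", "exec base64.b64decode(trust)"]
    return "\n".join(lines)

def recover_stage(source, target="trust"):
    """Resolve string assignments and '+' joins textually; never exec the source."""
    values = {}
    for line in source.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.+)$", line)
        if not m:
            continue  # imports, the exec line, anything that is not an assignment
        name, expr = m.groups()
        try:
            value = ast.literal_eval(expr)  # accepts literals only, runs no code
        except (ValueError, SyntaxError):
            names = [n.strip() for n in expr.split("+")]
            if not all(n in values for n in names):
                continue
            value = "".join(values[n] for n in names)
        if isinstance(value, str):
            values[name] = value
    return base64.b64decode(values[target]).decode()

if __name__ == "__main__":
    print(recover_stage(build_sample()))
```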

Thanks for reading.

HotPlugin

Software Engineer into Reverse Engineering and Other things