This is from the 2021 Vishwa CTF
For this challenge, we were given the following clue and a .gzf file:
The “gzf” extension was not familiar and there wasn’t much information online. I did a static file analysis and found some interesting text:
I ran binwalk against it with the extract “-e” switch:
Inspecting the resulting file “FOLDER_ITEM”, I decided to run strings against it:
It yielded a lot of results, so I grep the strings command for “vishwaCTF”:
Now I have the flag!
This is from the 2021 Vishwa CTF
For this challenge, we are given the following clue and a binary file:
When performing a static analysis of the binary, I see what looks like a flag, but as it states, it is a false flag:
Next, I execute the program in terminal to see what it does:
It slowly scrolls out the following text:
The first appearance deceives many,the intelligence of a few perceives what has been carefully hidden...Next, I load up my debugger and inspect it.
I noticed that there a number of characters (in hex) listed out:
I capture those hex values in a text editor.
76 69 73 68 77 61 43 54 46 7b 55 6d 4d 5f 77 33 69 52 44 6f 6f 6f 30 5f 31 5f 41 6d 5f 74 68 33 5f 72 33 34 6c 5f 30 6e 33 7dI then convert them to ASCII:
And now I have the real flag!
This is from the 2021 Vishwa CTF
For this challenge, we are given the following clue and a ELF binary:
After some preliminary poking at the file, I execute it in the terminal to see what it does. I see that it waits for input from the user and replies with “EWWWW DUMBBB” and exits:
Next I load it into my debugger and inspect the code:
I see that there is cmp performed and it results in a jmp to the failure message:
I modify the jmp and fill it with NOPs:
I then provide some random input and watch for its response:
It looks like a scrambled flag. Most likely a simple shift cipher… maybe a ROT (rotation). I head over to rot13.com and decode it:
Now I have the flag!
This is from the 2021 Vishwa CTF
For this challenge, we are given a cryptic hint:
A quick Google search tells me that Reddit is the front page of the internet, so I search for entries related to vishwactf on reddit:
I see that there is a comment indicating that another comment has been deleted:
AI hop in my time machine at Archive.org and go down memory lane:
I now have what appears to be a ciphered flag with a clue. The part about the “18th century French scholars” tells me to try decrypting it as a Vigenere cipher. I head over to dcode.fr and try it out. The automatic decryption failed, so after some contemplating, I try “VISHWACTF” as the key and I get the flag:
And yes, OSINT is overlooked!
This is from the 2021 Vishwa CTF
For this challenge, we are given a URL:
Going to the site, we are given this page:
After a little poking around, I look for a robots.txt entry:
Interesting! Now I follow the clue and look for a robots directory:
I click the link on the page for the source code and I get this:
After reviewing the code, I see that the PHP is looking for an input parameter “php_is_hard” and it runs “preg_replace()” on it and evaluates the output of that.
if (isset($_GET['php_is_hard'])) {
$you_enter = $_GET['php_is_hard'];
$we_enter = 'suzuki_harumiya';
$the_final_one = preg_replace(
"/$we_enter/", '', $you_enter);
if ($the_final_one === $we_enter) {
open_up();
}
}
Analyzing this code, I see that it takes my input and looks for all instances of “suzuki_harumiya” and removes it. Then it compares the resulting string to “suzuki_harumiya”. If it is true, then it runs the “open_up()” function.
I see that I can simply manipulate my input to “ssuzuki_harumiyauzuki_harumiya” and the script will remove the single instance of “suzuki_harumiya” in it and the resulting string will, in fact, be “suzuki_harumiya”. When I feed that input, I get this:
This is from the 2021 Vishwa CTF
For this challenge, we are given a URL:
Going to the page, we get this:
Entering a coupon code does not appear to do anything. If we click the “BUY” button, we get this:
Inspecting the source, we see a hidden element named “current” with a value of “0”. This appears to be how my current balance is tracked.
I modify that element’s value to “7000” and then click the “BUY” button:
That gives us the flag!
