When I went to register to compete in the 0x41414141 CTF I found that it was a little different from other CTFd based CTFs. Besides the normal registration information, it asks for a pin code (secret pin code for CTF registration).
Going back and looking through the site, I see on the About page that the secret pin code for CTF entry is hidden somewhere on the site:
After poring through the source files for each page on the site, running curl POSTs, and looking at previous versions of the site on Archive.org, I considered the steganography approach.
Besides the normal social media link images, there are only two images on the site. One is the animated Offshift logo, which yielded no obvious results when running strings, binwalk, or other stego decoders:
The second image is a small Offshift logo that is used as the header logo:
After downloading this image, I ran strings on it to look for anything interesting:
Ahh! I see “secret: 100100100101” at the bottom of the results.
I convert the binary string to decimal:
echo "obase=10; ibase=2; 100100100101" | bc
Using the resulting decimal value as the pin, I am now able to register for the CTF.
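The same workflow as a small script, added here as an example rather than anything from the original writeup: a minimal strings(1)-style scanner over a constructed stand-in for the logo file (the real image is not reproduced), which pulls out the "secret: <binary>" marker and does the base-2 to base-10 conversion that the bc one-liner above performs.

```python
import re

# Constructed stand-in for the downloaded logo (assumption: the real file is
# not reproduced here): PNG-like header bytes, some binary noise, then the
# trailer that strings(1) surfaced in the writeup.
SAMPLE_IMAGE = (
    b"\x89PNG\r\n\x1a\n" + bytes(range(0, 256, 7)) * 3
    + b"IDAT\x00\x01\x02\x03 tEXtComment\x00"
    + b"secret: 100100100101\n"
)

# Marker we are hunting for inside the printable runs.
SECRET = re.compile(r"secret:\s*([01]+)")


def extract_strings(data, min_len=4):
    """Return printable-ASCII runs of at least min_len bytes, like strings(1)'s default."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_binary_secret(data):
    """Locate a 'secret: <binary>' string and return (bits, decimal), or None."""
    for s in extract_strings(data):
        m = SECRET.search(s)
        if m:
            bits = m.group(1)
            # Same conversion as: echo "obase=10; ibase=2; <bits>" | bc
            return bits, int(bits, 2)
    return None


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_IMAGE):
        print(s)
    print(find_binary_secret(SAMPLE_IMAGE))
```

Running it lists the junk strings that a real image also produces (the scan is noisy by design) and then the recovered marker with its decimal form; on a real file, replace SAMPLE_IMAGE with the bytes read from disk.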
For this challenge we are given a mildly cryptic description:
do you know … i have secret organization called sad can’t anyone access it by any browser and you should be sad to access and decode anything in your bad life link : http://188.8.131.52/sad_agent/ author : Sad Coder
When I go to the link, I get this page:
When I click the “chek” button, I get some information…
This tells me that the browser’s user agent property is important. Referring back to the challenge text, I believe I need to change my browser’s user agent property to “sad”, so I do this in Chrome’s Developer Tools…
After doing this, I click the “chek” button again and get better results. (I highlighted the black text that is over the black background).
Looking at the resulting source code, I see a strange value for a form input field.
Seeing the makeup of the value, I think it might be base64, so I decode it to…
Interesting! The page appears to take commands through this base64 encoded field. To do a POC, I encode a different command to see what it does…
I see that I get something different. Let’s go for the flag using:
BINGO! The flag was embedded in the PHP code.
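From the defender's side, the pattern in this challenge (a user-agent gate plus a base64-encoded form field that carries shell commands) is easy to spot in logs once the field is decoded. The following is an added example, not code from the challenge or its author: it runs over a few constructed access-log lines that log the User-Agent and the form field, base64-decodes the field, and flags entries whose decoded value looks like a shell command. The field name "cmd" and the log layout are assumptions; the writeup does not show the real field name.

```python
import base64
import binascii
import re

# Constructed sample log lines (not from the challenge server). Combined-log
# style with the User-Agent quoted and the form field appended; the field
# name "cmd" is an assumption.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "POST /sad_agent/ HTTP/1.1" 200 512 "Mozilla/5.0" cmd=bHM=',
    '10.0.0.5 - - [01/Jan/2021:10:00:05 +0000] "POST /sad_agent/ HTTP/1.1" 200 640 "sad" cmd=Y2F0IGluZGV4LnBocA==',
    '10.0.0.7 - - [01/Jan/2021:10:01:00 +0000] "GET /sad_agent/ HTTP/1.1" 200 300 "curl/7.68.0" cmd=aGVsbG8gd29ybGQ=',
    '10.0.0.9 - - [01/Jan/2021:10:02:00 +0000] "POST /sad_agent/ HTTP/1.1" 200 640 "sad" cmd=not-base64!',
]

LOG_RE = re.compile(r'"(?P<ua>[^"]*)" cmd=(?P<cmd>\S+)$')
# Common first tokens of shell commands and the metacharacters that chain them.
SHELL_WORDS = {"ls", "cat", "id", "whoami", "uname", "pwd", "wget", "curl", "nc", "bash", "sh"}
SHELL_META = re.compile(r"[;&|`$<>]")


def decode_b64(value):
    """Return the decoded text if value is valid base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def looks_like_command(text):
    """Heuristic: first token is a known shell command, or shell metacharacters appear."""
    tokens = text.strip().split()
    if not tokens:
        return False
    return tokens[0] in SHELL_WORDS or bool(SHELL_META.search(text))


def scan_log(lines, gate_ua="sad"):
    """Return (user_agent, decoded_field, reason) for lines an analyst should look at."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ua, field = m.group("ua"), m.group("cmd")
        decoded = decode_b64(field)
        if decoded is None or not looks_like_command(decoded):
            continue
        reason = "shell-like command in base64 field"
        if ua == gate_ua:
            reason += " with gate user-agent %r" % gate_ua
        findings.append((ua, decoded, reason))
    return findings


if __name__ == "__main__":
    for ua, cmd, reason in scan_log(SAMPLE_LOG):
        print("%-12s %-20s %s" % (ua, cmd, reason))
```

Two of the four constructed lines are flagged: the first because "ls" decodes to a shell command even though the client has not yet set the gate user-agent, the second because "cat index.php" arrives with User-Agent "sad". The third decodes to plain text and is ignored, and the fourth is not valid base64 at all (validate=True rejects it rather than silently dropping characters). The real fix for an application like this is to never hand a decoded client value to a shell; on the detection side, decoding base64-looking parameters before matching is what makes the pattern visible.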
This was a fun challenge. Thank you to Sad Coder. Hopefully you can find some happiness in this writeup!