For this challenge, we are given the following hint:
Going to the link give this page:
Looking at the source of the page, I see the images are named in sequential numbers:
Based on the hint “you are suppose to find the old person out them” on the page, I assume the image names (numbers) correspond to the order they were created. I look to see if there is a 0000.jpg file and there is!
I paste the name “Marie Collinsworth” into the text box and hit the enter key and get the flag as a response:
For this challenge, we are given he following hint:
Going to the link provided, we get this simple page:
After a bit of poking, I register an account:
When I log in with my new credentials, I am given this message:
Remembering a cipher I once saw that uses emojis, I try and decipher it using emojicipher.com
I see it decodes to “ar3_t0kens_$$$}”, which looks a lot like the tail end of a flag!
After some more poking, I see there is a cookie set by this site.
I decode the cookie value (base64) and see it is a JASON Web Token. Knowing how they are formatted, I break up the encoded cookie value and just decode the header to get this:
Seeing the “role” element with a value of “user”, I try changing the value to “admin” and then re-encoding the header and adding the preserved tail end of the original cookie value:
For this challenge, we are just given details for two server instances; one for US and one for EU.
Connecting via netcat, we are told that we will be given a number of problems and we have to solve them. It mentions that level 1 is tower of hanoi. A quick google search and I find more information about it. After some trial and error using different possibilities for the number of pegs.
A manual check confirms the formula is correct, but the server responds with another problem.
There are four disks listed, so n=4. 24 – 1 = 15
We will need to automate this 🙂
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('45.134.3.200', 9660))
print('Server:', str(s.recv(1024)))
#print s.recv(1024)
while True:
data = s.recv(1024).strip()
if data:
count = 0
data = str(data)
print(data)
for i in data:
if i == ',':
count = count + 1
count = count + 1
n = pow(2, count) - 1
if '[' in data:
s.send(str(n))
print('Client: ', n)
s.close()
When I run this script, it iterates through quite a few problems, then the server reports that I’m in level 2: and have to give the number of inversions for the provided output.
When I went to register to compete in the 0x41414141 CTF I found that is was a little different from other CTFd based CTFs. Besides the normal registration information, it asks for a pin code (secret pin code for CTF registration).
Going back and looking through the site, I see on the About page that the secret pin code for CTF entry is hidden somewhere on the site:
After pouring through the source files for each page on the site, running curl POSTs, and looking at previous versions of the site on Archive.org, I considered the steganography approach.
Besides the normal social media link images, there are only two images on the site. One is the animated Offshift logo, which yielded no obvious results when running strings, binwalk, or other stego decoders:
The second image is a small Offshift logo that is used as the header logo:
After downloading this image, I ran strings on it to look for anything interesting:
Ahh! I see “secret: 100100100101” at the bottom of the results.
I convert the binary string to decimal:
echo "obase=10; ibase=2; 100100100101" | bc
Using the resulting decimal value as the pin, I am now able to register for the CTF.
We are given a blockchain address for the Rinkeby network:
0x5CDd53b4dFe8AE92d73F40894C67c1a6da82032d
And a solidity script:
pragma solidity ^0.7.0;
//SPDX-License-Identifier: UNLICENSED
contract sanity_check {
function welcome() public pure returns (string memory){
return "flag{}";
}
}
I googled the Rinkeby blockchain and found that I can look up addresses on the Etherscan.io site. Looking up the provided address gives me some information. Specifically under the “Contract” tab:
I see the handy “Decompile ByteCode” button, so I give it a shot:
This opens a new tab with more information about this tool and another button to execute it. This tool is based on the Panoramix decompiler and is designed to decompile smart contracts.
Running the tool gives me what I am looking for:
#
# Panoramix v4 Oct 2019
# Decompiled source of rinkeby:0x5CDd53b4dFe8AE92d73F40894C67c1a6da82032d
#
# Let's make the world open source
#
const welcome = 'flag{1t_1s_jus7_th3_st@rt}'
#
# Regular functions
#
def _fallback() payable: # default function
revert