diff --git a/Google CTF 2023/Papapapa/README.md b/Google CTF 2023/Papapapa/README.md new file mode 100644 index 0000000..1cb3c13 --- /dev/null +++ b/Google CTF 2023/Papapapa/README.md @@ -0,0 +1,24 @@ +# Papapapa +> Is this image really just white? + +## About the Challenge +We have been given an image (Blank image), and we need to find the flag inside the image (You can download the file [here](d2e5b38d584108c2b63150e7a073b8c104972ee59b83f5ee44d9ef6ae0118b4ad57e64cb328d7e8b839989ae741f793ded5fef7f51f7ecbbaaeaa716312f18c9.zip)) + +## How to Solve? +At first, I tried everything I knew to perform forensic analysis on a jpg file. I used various techniques such as employing steghide, altering the contrast, using binwalk, and more. However, I didn't find any significant results. During my search, I came across a [blog](https://cyberhacktics.com/hiding-information-by-changing-an-images-height/) titled "Hiding Information by Changing an Image's Height", which discusses a method of concealing information within an image by modifying its height and width. + +First, im using [CyberChef](https://gchq.github.io/CyberChef/) and then input the image there + +![tohex](images/tohex.png) + +Grab the hexadecimal, and then use it as an input. Find `ff c0 00 11 08 ?? ?? ?? ??` value + +![find_hex](images/find_hex.png) + +The first `02 00` is the image height and `02 00` is the image width. Change the image width from `02 00` to `02 10` to read the flag + +![flag](images/flag.png) + +``` +CTF{rearview-monorail-mullets-backroom-stopped} +``` \ No newline at end of file 
diff --git a/Google CTF 2023/Papapapa/d2e5b38d584108c2b63150e7a073b8c104972ee59b83f5ee44d9ef6ae0118b4ad57e64cb328d7e8b839989ae741f793ded5fef7f51f7ecbbaaeaa716312f18c9.zip b/Google CTF 2023/Papapapa/d2e5b38d584108c2b63150e7a073b8c104972ee59b83f5ee44d9ef6ae0118b4ad57e64cb328d7e8b839989ae741f793ded5fef7f51f7ecbbaaeaa716312f18c9.zip new file mode 100644 index 0000000..4f0a0fa Binary files /dev/null and b/Google CTF 2023/Papapapa/d2e5b38d584108c2b63150e7a073b8c104972ee59b83f5ee44d9ef6ae0118b4ad57e64cb328d7e8b839989ae741f793ded5fef7f51f7ecbbaaeaa716312f18c9.zip differ diff --git a/Google CTF 2023/Papapapa/images/find_hex.png b/Google CTF 2023/Papapapa/images/find_hex.png new file mode 100644 index 0000000..fccd8b3 Binary files /dev/null and b/Google CTF 2023/Papapapa/images/find_hex.png differ diff --git a/Google CTF 2023/Papapapa/images/flag.png b/Google CTF 2023/Papapapa/images/flag.png new file mode 100644 index 0000000..25edccb Binary files /dev/null and b/Google CTF 2023/Papapapa/images/flag.png differ diff --git a/Google CTF 2023/Papapapa/images/tohex.png b/Google CTF 2023/Papapapa/images/tohex.png new file mode 100644 index 0000000..dc8b3c7 Binary files /dev/null and b/Google CTF 2023/Papapapa/images/tohex.png differ diff --git a/Google CTF 2023/Papapapa/white.jpg b/Google CTF 2023/Papapapa/white.jpg new file mode 100644 index 0000000..84c4fea Binary files /dev/null and b/Google CTF 2023/Papapapa/white.jpg differ diff --git a/Google CTF 2023/README.md b/Google CTF 2023/README.md new file mode 100644 index 0000000..5e745ca --- /dev/null +++ b/Google CTF 2023/README.md 
@@ -0,0 +1,7 @@ +# Google CTF 2023 +CTF writeup for The Google CTF 2023. I took part in this CTF competition with the TCP1P team, and got 151th place out of ???? teams (In the scoreboard, there's only a list who succesfully solved at least 1 challs) + +| Category | Challenge | +| --- | --- | +| Web | [Under-Cosntruction](/Google%20CTF%202023/Under-Construction/) +| Misc | [Papapapa](/Google%20CTF%202023/Papapapa/) \ No newline at end of file diff --git a/Google CTF 2023/Under-Construction/22790c2f38bd6adde75753641011c223db7e2c0ec718df6e883976ed9c518ca0a86ef67b7e153fd07a9fa734f6a5350028ca266e3bf646f1096d2c4d536ff45a.zip b/Google CTF 2023/Under-Construction/22790c2f38bd6adde75753641011c223db7e2c0ec718df6e883976ed9c518ca0a86ef67b7e153fd07a9fa734f6a5350028ca266e3bf646f1096d2c4d536ff45a.zip new file mode 100644 index 0000000..2ba5449 Binary files /dev/null and b/Google CTF 2023/Under-Construction/22790c2f38bd6adde75753641011c223db7e2c0ec718df6e883976ed9c518ca0a86ef67b7e153fd07a9fa734f6a5350028ca266e3bf646f1096d2c4d536ff45a.zip differ diff --git a/Google CTF 2023/Under-Construction/README.md b/Google CTF 2023/Under-Construction/README.md new file mode 100644 index 0000000..71fdf95 --- /dev/null +++ b/Google CTF 2023/Under-Construction/README.md 
@@ -0,0 +1,112 @@ +# Under-Construction +> We were building a web app but the new CEO wants it remade in php. + +## About the Challenge +We got 2 websites, the first one was created using `Flask` and the second one was created using PHP. And I got the source code too (You can download the source code [here](22790c2f38bd6adde75753641011c223db7e2c0ec718df6e883976ed9c518ca0a86ef67b7e153fd07a9fa734f6a5350028ca266e3bf646f1096d2c4d536ff45a.zip)) + +In the first website, there are some functionality that we can test such as register an account, login, and also logout feature. When creating an account, users can select their membership tier (BLUE, RED, GREEN, and GOLD) + +![preview_server_1](images/preview_server_1.png) + +And in the second website, there is only 1 feature (Login user). + +![preview_server_2](images/preview_server_2.png) + +In the `authorized_routes.py` file, there is a function to register as a user + +```python +@authorized.route('/signup', methods=['POST']) +def signup_post(): + raw_request = request.get_data() + username = request.form.get('username') + password = request.form.get('password') + tier = models.Tier(request.form.get('tier')) + + if(tier == models.Tier.GOLD): + flash('GOLD tier only allowed for the CEO') + return redirect(url_for('authorized.signup')) + + if(len(username) > 15 or len(username) < 4): + flash('Username length must be between 4 and 15') + return redirect(url_for('authorized.signup')) + + user = models.User.query.filter_by(username=username).first() + + if user: + flash('Username address already exists') + return redirect(url_for('authorized.signup')) + + new_user = models.User(username=username, + password=generate_password_hash(password, method='sha256'), tier=tier.name) + + db.session.add(new_user) + db.session.commit() + + requests.post(f"http://{PHP_HOST}:1337/account_migrator.php", + headers={"token": TOKEN, "content-type": request.headers.get("content-type")}, data=raw_request) + return 
redirect(url_for('authorized.login')) +``` + +We can register an account but there is some restriction (We can't register an account using GOLD tier). And the body request will be sent to `account_migrator.php` in port 1336. Now we need to check `account_migrator.php` file + +```php +function insertUser($username, $password, $tier) +{ + $hash = password_hash($password, PASSWORD_BCRYPT); + if($hash === false) { + http_response_code(500); + exit(); + } + $host = getenv("DB_HOST"); + $dbname = getenv("MYSQL_DATABASE"); + $charset = "utf8"; + $port = "3306"; + + $sql_username = "forge"; + $sql_password = getenv("MYSQL_PASSWORD"); + try { + $pdo = new PDO( + dsn: "mysql:host=$host;dbname=$dbname;charset=$charset;port=$port", + username: $sql_username, + password: $sql_password, + ); + + $pdo->exec("CREATE TABLE IF NOT EXISTS Users (username varchar(15) NOT NULL, password_hash varchar(60) NOT NULL, tier varchar(10) NOT NULL, PRIMARY KEY (username));"); + $stmt = $pdo->prepare("INSERT INTO Users Values(?,?,?);"); + $stmt->execute([$username, $hash, $tier]); + echo "User inserted"; + } catch (PDOException $e) { + throw new PDOException( + message: $e->getMessage(), + code: (int) $e->getCode() + ); + } +} +``` + +This function will inserting user information into `Users` table. And inside the `index.php` file, we need to use a gold tier user in order to obtain the flag + +```php +if ($tier === "gold") { + $response .= " " . getenv("FLAG"); + } +``` + +## How to Solve? +To create an account with GOLD tier, we need to use `HTTP Parameter Pollution` technique. In Flask, the framework will read first parameter while in PHP the program will read the second parameter. Here is the example of HTTP request: + +``` +POST /signup +Host: under-construction-web.2023.ctfcompetition.com +... 
+ +username=owkwokwok&password=wokwokwokw&tier=blue&tier=gold +``` + +Now, we need to login to the second website to obtain the flag + +![flag](images/flag.png) + +``` +HackTM{Timisoara} +``` \ No newline at end of file diff --git a/Google CTF 2023/Under-Construction/images/flag.png b/Google CTF 2023/Under-Construction/images/flag.png new file mode 100644 index 0000000..eccb9d1 Binary files /dev/null and b/Google CTF 2023/Under-Construction/images/flag.png differ diff --git a/Google CTF 2023/Under-Construction/images/preview_server_1.png b/Google CTF 2023/Under-Construction/images/preview_server_1.png new file mode 100644 index 0000000..544c538 Binary files /dev/null and b/Google CTF 2023/Under-Construction/images/preview_server_1.png differ diff --git a/Google CTF 2023/Under-Construction/images/preview_server_2.png b/Google CTF 2023/Under-Construction/images/preview_server_2.png new file mode 100644 index 0000000..e3cafd6 Binary files /dev/null and b/Google CTF 2023/Under-Construction/images/preview_server_2.png differ diff --git a/README.md b/README.md index 9a5a5e9..2ad8f9d 100644 --- a/README.md +++ b/README.md @@ -59,6 +59,8 @@ List of CTF events that i have joined before | n00bzCTF 2023 | No | - | | BCACTF 2023 | No | - | | SEETF 2023 | Yes | [Link](/SEETF%202023/) | +| Africa battleCTF 2023 prequal | No | - | +| Google CTF 2023 | Yes | [Link](/Google%20CTF%202023/) | ### Local Events | Event Name | Writeup Available? | Writeup Link |
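Review bot: in the Papapapa README, the sentence "The first `02 00` is the image height and `02 00` is the image width" leaves the reader unsure which of the two identical byte pairs to edit; in a JPEG SOF0 segment the bytes after `ff c0 00 11 08` are the height (2 bytes) followed by the width (2 bytes), so write "the second `02 00` is the image width" explicitly, and since the linked blog describes changing the height, one sentence on why the width field is the one edited here would help a reader reproduce the step. Minor: "im using" should be "I'm using", the committed `white.jpg` could be linked alongside the zip, and the file ends without a trailing newline.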
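Review bot: in the Google CTF 2023 index README, the two data rows of the table lack the closing `|` that the header and separator rows use; write them as `| Web | [Under-Construction](/Google%20CTF%202023/Under-Construction/) |` for consistency, and fix the link text typo "Under-Cosntruction". In the intro, "151th" should be "151st", "succesfully" should be "successfully", "at least 1 challs" should be "at least 1 challenge", and the "????" placeholder for the number of teams should be filled in or the clause dropped before merging; this file also ends without a trailing newline.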
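Review bot: in the Under-Construction README, the prose says the request body is sent to `account_migrator.php` "in port 1336" while the quoted code posts to `http://{PHP_HOST}:1337/account_migrator.php`; make the text match the code. The explanation of why the parameter pollution works should also name the root cause visible in `signup_post`: the tier check runs on `request.form.get('tier')` (the first value), but the migration call forwards `raw_request`, the unparsed body, so PHP's `$_POST` sees the last `tier=gold`; the defensive fix is to forward the validated fields rather than the raw body, or to reject requests carrying duplicated parameters. The flag at the end, `HackTM{Timisoara}`, does not match the `CTF{...}` format used by the Papapapa writeup in the same commit and looks copied from another event's writeup; verify it against `images/flag.png` before merging. Grammar: "there are some functionality" should be "there is some functionality", "This function will inserting" should be "This function inserts", and "Here is the example of" should be "Here is an example of".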