feat: added Google CTF

pull/7/head
Muhammad Daffa 2023-06-26 20:49:13 +07:00
parent 88bcee2a93
commit 0992d38985
13 changed files with 145 additions and 0 deletions

@ -0,0 +1,24 @@
# Papapapa
> Is this image really just white?
## About the Challenge
We have been given an image (Blank image), and we need to find the flag inside the image (You can download the file [here](d2e5b38d584108c2b63150e7a073b8c104972ee59b83f5ee44d9ef6ae0118b4ad57e64cb328d7e8b839989ae741f793ded5fef7f51f7ecbbaaeaa716312f18c9.zip))
## How to Solve?
At first, I tried everything I knew to perform forensic analysis on a jpg file. I used various techniques such as employing steghide, altering the contrast, using binwalk, and more. However, I didn't find any significant results. During my search, I came across a [blog](https://cyberhacktics.com/hiding-information-by-changing-an-images-height/) titled "Hiding Information by Changing an Image's Height", which discusses a method of concealing information within an image by modifying its height and width.
First, im using [CyberChef](https://gchq.github.io/CyberChef/) and then input the image there
![tohex](images/tohex.png)
Grab the hexadecimal, and then use it as an input. Find `ff c0 00 11 08 ?? ?? ?? ??` value
![find_hex](images/find_hex.png)
The first `02 00` is the image height and `02 00` is the image width. Change the image width from `02 00` to `02 10` to read the flag
![flag](images/flag.png)
```
CTF{rearview-monorail-mullets-backroom-stopped}
```
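Review bot: the step "Find `ff c0 00 11 08 ?? ?? ?? ??` value" never says what those bytes are, so the reader has to take the following sentence about height and width on trust. Suggest one sentence naming it as the JPEG baseline Start of Frame (SOF0) segment: marker `ff c0`, segment length `00 11`, sample precision `08`, then two bytes of height followed by two bytes of width. Because both fields hold `02 00`, it is also worth saying explicitly that the edit goes in the second pair. Minor: "im using" should be "I'm using", and the intro cites a blog about changing the height while the solution changes the width, which deserves a short explanation.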

Binary file not shown. Size: 16 KiB

Binary file not shown. Size: 69 KiB

Binary file not shown. Size: 131 KiB

Binary file not shown. Size: 9.0 KiB

@ -0,0 +1,7 @@
# Google CTF 2023
CTF writeup for The Google CTF 2023. I took part in this CTF competition with the TCP1P team, and got 151th place out of ???? teams (In the scoreboard, there's only a list who succesfully solved at least 1 challs)
| Category | Challenge |
| --- | --- |
| Web | [Under-Cosntruction](/Google%20CTF%202023/Under-Construction/)
| Misc | [Papapapa](/Google%20CTF%202023/Papapapa/)
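Review bot: in the Web row the link text reads `Under-Cosntruction` while the link target and the write-up heading use `Under-Construction`; fix the label so the two match. The two challenge rows also lack the closing `|` that the header and separator rows have, and the intro sentence still carries the `????` placeholder for the team count, plus `151th` (151st) and `succesfully` (successfully).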

@ -0,0 +1,112 @@
# Under-Construction
> We were building a web app but the new CEO wants it remade in php.
## About the Challenge
We got 2 websites, the first one was created using `Flask` and the second one was created using PHP. And I got the source code too (You can download the source code [here](22790c2f38bd6adde75753641011c223db7e2c0ec718df6e883976ed9c518ca0a86ef67b7e153fd07a9fa734f6a5350028ca266e3bf646f1096d2c4d536ff45a.zip))
In the first website, there are some functionality that we can test such as register an account, login, and also logout feature. When creating an account, users can select their membership tier (BLUE, RED, GREEN, and GOLD)
![preview_server_1](images/preview_server_1.png)
And in the second website, there is only 1 feature (Login user).
![preview_server_2](images/preview_server_2.png)
In the `authorized_routes.py` file, there is a function to register as a user
```python
@authorized.route('/signup', methods=['POST'])
def signup_post():
raw_request = request.get_data()
username = request.form.get('username')
password = request.form.get('password')
tier = models.Tier(request.form.get('tier'))
if(tier == models.Tier.GOLD):
flash('GOLD tier only allowed for the CEO')
return redirect(url_for('authorized.signup'))
if(len(username) > 15 or len(username) < 4):
flash('Username length must be between 4 and 15')
return redirect(url_for('authorized.signup'))
user = models.User.query.filter_by(username=username).first()
if user:
flash('Username address already exists')
return redirect(url_for('authorized.signup'))
new_user = models.User(username=username,
password=generate_password_hash(password, method='sha256'), tier=tier.name)
db.session.add(new_user)
db.session.commit()
requests.post(f"http://{PHP_HOST}:1337/account_migrator.php",
headers={"token": TOKEN, "content-type": request.headers.get("content-type")}, data=raw_request)
return redirect(url_for('authorized.login'))
```
We can register an account but there is some restriction (We can't register an account using GOLD tier). And the body request will be sent to `account_migrator.php` in port 1336. Now we need to check `account_migrator.php` file
```php
function insertUser($username, $password, $tier)
{
$hash = password_hash($password, PASSWORD_BCRYPT);
if($hash === false) {
http_response_code(500);
exit();
}
$host = getenv("DB_HOST");
$dbname = getenv("MYSQL_DATABASE");
$charset = "utf8";
$port = "3306";
$sql_username = "forge";
$sql_password = getenv("MYSQL_PASSWORD");
try {
$pdo = new PDO(
dsn: "mysql:host=$host;dbname=$dbname;charset=$charset;port=$port",
username: $sql_username,
password: $sql_password,
);
$pdo->exec("CREATE TABLE IF NOT EXISTS Users (username varchar(15) NOT NULL, password_hash varchar(60) NOT NULL, tier varchar(10) NOT NULL, PRIMARY KEY (username));");
$stmt = $pdo->prepare("INSERT INTO Users Values(?,?,?);");
$stmt->execute([$username, $hash, $tier]);
echo "User inserted";
} catch (PDOException $e) {
throw new PDOException(
message: $e->getMessage(),
code: (int) $e->getCode()
);
}
}
```
This function will inserting user information into `Users` table. And inside the `index.php` file, we need to use a gold tier user in order to obtain the flag
```php
if ($tier === "gold") {
$response .= " " . getenv("FLAG");
}
```
## How to Solve?
To create an account with GOLD tier, we need to use `HTTP Parameter Pollution` technique. In Flask, the framework will read first parameter while in PHP the program will read the second parameter. Here is the example of HTTP request:
```
POST /signup
Host: under-construction-web.2023.ctfcompetition.com
...
username=owkwokwok&password=wokwokwokw&tier=blue&tier=gold
```
Now, we need to login to the second website to obtain the flag
![flag](images/flag.png)
```
HackTM{Timisoara}
```
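Review bot: the final flag block reads `HackTM{Timisoara}`, which does not match the `CTF{...}` format shown in the Papapapa write-up added by this same commit and looks like a leftover from another event's write-up; please replace it with the flag actually obtained. The prose also says the request body is sent to `account_migrator.php` "in port 1336" while the quoted `requests.post` call targets `:1337`. In the "How to Solve?" paragraph, "PHP the program will read the second parameter" is better stated as the last occurrence of a repeated name, and it would help to spell out why that matters here: the GOLD check in `signup_post()` only sees the first `tier` value from `request.form.get`, while `raw_request`, with both values, is what gets forwarded. The Python snippet has also lost its indentation.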

Binary file not shown. Size: 32 KiB

Binary file not shown. Size: 38 KiB

Binary file not shown. Size: 22 KiB

@ -59,6 +59,8 @@ List of CTF events that i have joined before
| n00bzCTF 2023 | No | - | | n00bzCTF 2023 | No | - |
| BCACTF 2023 | No | - | | BCACTF 2023 | No | - |
| SEETF 2023 | Yes | [Link](/SEETF%202023/) | | SEETF 2023 | Yes | [Link](/SEETF%202023/) |
| Africa battleCTF 2023 prequal | No | - |
| Google CTF 2023 | Yes | [Link](/Google%20CTF%202023/) |
### Local Events ### Local Events
| Event Name | Writeup Available? | Writeup Link | | Event Name | Writeup Available? | Writeup Link |
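Review bot: the `Africa battleCTF 2023 prequal` row is added here although the commit message only says "added Google CTF" and nothing else in this commit relates to that event; either mention it in the commit message or move it to its own commit so the history stays searchable. The `Google CTF 2023` row itself is consistent with the new `/Google%20CTF%202023/` directory added above.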