feat: added ImaginaryCTF 2023

2023-07-24 22:51:32 +07:00 · 2023-07-24 22:51:32 +07:00 · 3d7bdbd26a
parent 5d0fc20161
commit 3d7bdbd26a
28 changed files with 212 additions and 7 deletions
--- a/Escape/Initialization/README.md
+++ b/Escape/Initialization/README.md
@ -2,7 +2,7 @@
 > During a cyber security audit of your government's infrastructure, you discover log entries showing traffic directed towards an IP address within the enemy territory of "Oumara". This alarming revelation triggers suspicion of a mole within Lusons' government. Determined to unveil the truth, you analyze the encryption scheme with the goal of breaking it and decrypting the suspicious communication. Your objective is to extract vital information and gather intelligence, ultimately protecting your nation from potential threats.

 ## About the Challenge
-We got a zip files (You can download the file [here]) that contains 3 more files (1 python script and 2 txt file). Here is the content of `source.py`
+We got a zip files (You can download the file [here](crypto_initialization.zip)) that contains 3 more files (1 python script and 2 txt file). Here is the content of `source.py`

 ```python
 #!/usr/bin/env python3
--- a/Office/README.md
+++ b/Office/README.md
@ -2,7 +2,7 @@
 > The Blue Office's ingenious cipher, meticulously crafted for the prestigious CCTF, became an impenetrable enigma that left even the most seasoned cryptanalysts baffled.

 ## About the Challenge
-We have been given a zip file (You can download the file [here]). And if you unzip the file, you will see there are 2 files called `blue_office.py` and `output.txt`. Here is the content of `blue_office.py`:
+We have been given a zip file. And if you unzip the file, you will see there are 2 files called `blue_office.py` and `output.txt`. Here is the content of `blue_office.py`:

 ```python
 #!/usr/bin/enc python3
--- a/2023/Idoriot/README.md
+++ b/2023/Idoriot/README.md
@ -0,0 +1,76 @@
+# Idoriot
+> Some idiot made this web site that you can log in to. The idiot even made it in php. I dunno.
+
+## About the Challenge
+We have been given a website that has 2 functionality, first we can register as a user in this website
+
+![register](images/register.png)
+
+And then, after registered an account, you can also login into the website
+
+![login](images/login.png)
+
+And then after login, there is a source code that you can see written in PHP
+
+![source_code](images/source_code.png)
+
+```php
+<?php
+
+session_start();
+
+// Check if user is logged in
+if (!isset($_SESSION['user_id'])) {
+    header("Location: login.php");
+    exit();
+}
+
+// Check if session is expired
+if (time() > $_SESSION['expires']) {
+    header("Location: logout.php");
+    exit();
+}
+
+// Display user ID on landing page
+echo "Welcome, User ID: " . urlencode($_SESSION['user_id']);
+
+// Get the user for admin
+$db = new PDO('sqlite:memory:');
+$admin = $db->query('SELECT * FROM users WHERE user_id = 0 LIMIT 1')->fetch();
+
+// Check if the user is admin
+if ($admin['user_id'] === $_SESSION['user_id']) {
+    // Read the flag from flag.txt
+    $flag = file_get_contents('flag.txt');
+    echo "<h1>Flag</h1>";
+    echo "<p>$flag</p>";
+} else {
+    // Display the source code for this file
+    echo "<h1>Source Code</h1>";
+    highlight_file(__FILE__);
+}
+
+?>
+```
+
+To read the flag, we need to login as an admin where the `user_id` is `0`
+
+## How to Solve?
+I believe, I solved this chall using unintended way, as you can see in this code
+
+```php
+if ($admin['user_id'] === $_SESSION['user_id']) {
+    // Read the flag from flag.txt
+    $flag = file_get_contents('flag.txt');
+    echo "<h1>Flag</h1>";
+    echo "<p>$flag</p>";
+}
+```
+
+The location of the flag is `flag.txt` not `/flag.txt`. So, you can read the flag directly by accessing http://idoriot.chal.imaginaryctf.org/flag.txt
+
+![flag](images/flag.png)
+
+```
+ictf{1ns3cure_direct_object_reference_from_hidden_post_param_i_guess}
+```
--- a/2023/Idoriot/images/flag.png
+++ b/2023/Idoriot/images/flag.png
--- a/2023/Idoriot/images/login.png
+++ b/2023/Idoriot/images/login.png
--- a/2023/Idoriot/images/register.png
+++ b/2023/Idoriot/images/register.png
--- a/2023/Idoriot/images/source_code.png
+++ b/2023/Idoriot/images/source_code.png
--- a/2023/README.md
+++ b/2023/README.md
@ -0,0 +1,9 @@
+# ImaginaryCTF 2023
+CTF writeup for The ImaginaryCTF 2023. I took part in this CTF competition with the TCP1P team, and got 21th place out of 879 teams
+
+| Category | Challenge |
+| --- | --- |
+| Web | [Idoriot](/ImaginaryCTF%202023/Idoriot/)
+| Web | [roks](/ImaginaryCTF%202023/roks/)
+| Crypto | [rsa](/ImaginaryCTF%202023/rsa/)
+| Forensic | [web](/ImaginaryCTF%202023/web/)
--- a/2023/roks/README.md
+++ b/2023/roks/README.md
@ -0,0 +1,42 @@
+# roks
+> My rock enthusiast friend made a website to show off some of his pictures. Could you do something with it?
+
+## About the Challenge
+We have been given a source code (You can download the source code [here](roks.zip)) and we got the website too. Here is the preview of the website
+
+![preview](images/preview.png)
+
+There is one button which will generate rock images by hitting `/file.php?image` endpoint. And as you can see in the network tab, `image7` is a file name. Which is we can predict this chall was about path traversal vulnerability
+
+## How to Solve?
+Let's check the source code! There are 2 files, `index.php` and `file.php`. Here is the content of `file.php`
+
+```php
+<?php
+  $filename = urldecode($_GET["file"]);
+  if (str_contains($filename, "/") or str_contains($filename, ".")) {
+    $contentType = mime_content_type("stopHacking.png");
+    header("Content-type: $contentType");
+    readfile("stopHacking.png");
+  } else {
+    $filePath = "images/" . urldecode($filename);
+    $contentType = mime_content_type($filePath);
+    header("Content-type: $contentType");
+    readfile($filePath);
+  }
+?>
+```
+
+This PHP script takes a file name from the parameter called `file`, checks if there is `.` or `/` in the value of the parameter, and serves the corresponding image file with the correct MIME content type. If it detects an unsafe file name, it serves a default image instead. And as you can see, this code was vulnerable to path traversal, but this code using `urldecode()` PHP function twice. That's why to do path traversal, we need to URL encode our payload three times
+
+```
+http://roks.chal.imaginaryctf.org/file.php?file=%2525%2532%2565%2525%2532%2565%2525%2532%2566%2525%2532%2565%2525%2532%2565%2525%2532%2566%2525%2532%2565%2525%2532%2565%2525%2532%2566%2525%2532%2565%2525%2532%2565%2525%2532%2566flag%25252Epng
+```
+
+Open the URL in your browser and then you will get a flag in the form of an image
+
+![flag](images/flag.png)
+
+```
+ictf{tr4nsv3rs1ng_0v3r_r0k5_6a3367}
+```
--- a/2023/roks/images/flag.png
+++ b/2023/roks/images/flag.png
--- a/2023/roks/images/preview.png
+++ b/2023/roks/images/preview.png
--- a/2023/roks/roks.zip
+++ b/2023/roks/roks.zip
--- a/2023/rsa/README.md
+++ b/2023/rsa/README.md
@ -0,0 +1,14 @@
+# rsa
+> I think I did my RSA right...
+
+## About the Challenge
+We got 3 files, `flag.enc`, `public.pem` and `private.pem`. And we need to decrypt the `flag.enc`
+
+## How to Solve?
+Well, because we've got the private key, we can decrypt file directly. In this case im using `CyberChef` to decrypt the flag
+
+![flag](images/flag.png)
+
+```
+ictf{keep_your_private_keys_private}
+```
--- a/2023/rsa/images/flag.png
+++ b/2023/rsa/images/flag.png
--- a/2023/web/README.md
+++ b/2023/web/README.md
@ -0,0 +1,32 @@
+# web
+> We recovered this file from the disk of a potential threat actor. Can you find out what they were up to?
+
+## About the Challenge
+We got a zip file (You can download the file [here](web.zip)) and it contains a mozilla firefox data
+
+![preview](images/preview.png)
+
+## How to Solve?
+We need to import the data first in our mozilla, but how? First, access `C:\Users\test\AppData\Roaming\Mozilla\Firefox\Profiles` if you are using 
+
+![profile](images/profile.png)
+
+And then copy `8ubdbl3q.default` into the `Profiles` folder, and then you need to adjust the profile name on `profile.ini` file, the file location is in `C:\Users\test\AppData\Roaming\Mozilla\Firefox\`
+
+![profile_ini](images/profile_ini.png)
+
+And then, open Mozilla and check the history browser by pressing `Ctrl + H`
+
+![history](images/history.png)
+
+Hmm what is `PALMS Backchannel Chat`? Lets open the website
+
+![website](images/website.png)
+
+The room name was very suspicious and there was an autofill password. Login into the room using the password to obtain the flag
+
+![flag](images/flag.png)
+
+```
+ictf{behold_th3_forensics_g4untlet_827b3f13}
+```
--- a/2023/web/images/flag.png
+++ b/2023/web/images/flag.png
--- a/2023/web/images/history.png
+++ b/2023/web/images/history.png
--- a/2023/web/images/preview.png
+++ b/2023/web/images/preview.png
--- a/2023/web/images/profile.png
+++ b/2023/web/images/profile.png
--- a/2023/web/images/profile_ini.png
+++ b/2023/web/images/profile_ini.png
--- a/2023/web/images/website.png
+++ b/2023/web/images/website.png
--- a/2023/web/web.zip
+++ b/2023/web/web.zip
--- a/README.md
+++ b/README.md
@ -1,6 +1,26 @@
 # CTF Writeup
 This repository shall comprise writeups concerning Capture The Flag (CTF) competitions that I have undertaken. In the past, I participated in local CTF events in 2021; however, after participating in several of them, I did not take part in any further CTF competitions. In 2023, I made the decision to redo CTF from the beginning, and thus created this repository with the aim of assisting other CTF players in comprehending how to solve each challenge.

+## Stats
+This is a list of wins we have achieved while participating in several CTF competitions
+
+### Total Writeups
+There are __396__ writeups that have been made in this repository
+
+### CTF Competitions
+
+| Event Name | Team | Ranking |
+| ---------- | ---- | ------- |
+| The Odyssey CTF | aseng_fans_club | 1 |
+| BDSec CTF 2023 | HCS | 1 |
+| 0xLaugh CTF 2023 | TCP1P | 2 |
+
+### Writeup Competitions
+
+| Event Name | Team |
+| ---------- | ---- |
+| UIUCTF 2023 | TCP1P |
+
 ## List CTF
 List of CTF events that i have joined before

--- a/20221015_173902.mp4,
+++ b/20221015_173902.mp4,
@ -1,5 +1,9 @@
 # Based on the analysis of the video file 20221015_173902.mp4, please provide the GPS coordinates of the possible place, where video was recorded
-> Based on the analysis of the video file 20221015_173902.mp4, please provide the GPS coordinates of the possible place, where video was recorded
+> The main task is to perform the forensic information technology examination on the acquired image of mobile phone. Two suspects (two men) were arrested near Lithuanian and Republic of Belarus border. The truck with stored weapons was taken. During the seizure, a mobile phone without identification tags was founded on the ground near the truck. A criminal case has been opened related to the international illegal arms trade. Please help to find the relevant information for the case, examine the digital dump acquired from the seized phone memory and answer the questions below.
+
+> GPS coordinates. From investigators of the current case, it was determined that the cargo truck recorded in the video file userdata\media\0\Download\20221015_173902.mp4 is the same one that was detained at the time of the crime. Analyze this file and answer the question below.
+
+> Based on the analysis of the video file 20221015_173902.mp4, please provide the GPS coordinates of the possible place, where video was recorded? (please provide the GPS Latitude and Longitude in decimal degrees format (dd.dddd, dd.dddd).

 ## About the Challenge
 We need to find the location of the video
--- a/Shark/README.md
+++ b/Shark/README.md
@ -1,5 +1,7 @@
 # Blue Baby Shark
-> I got recomendation from one of our common acquaintance. I’m a new into all of this CTF stuff. I g...
+> Hello Stranger!
+
+> I got recomendation from one of our common acquaintance. I’m a new into all of this CTF stuff. I got stuck with one challange and I’m not that skilled wit the network traffic analysis. Would you be able to help me out with this partiucalr CTF and find the flag? Only hint I have so far is that one machine was compromised.

 ## About the Challenge
 We have been given a pcapng file and we need to find the flag there (You can find the file [here](Blue%20Baby%20Shark.pcapng))
--- a/Web/README.md
+++ b/Web/README.md
@ -1,5 +1,5 @@
 # Docker Web
-`-`
+> A container that contains a web page (http) service. All answers will appear only after you look at the page.

 ## About the Challenge
 We are given a zip code that contain linux directories
--- a/information/README.md
+++ b/information/README.md
@ -1,5 +1,11 @@
 # RFC standard for security policy information
-> The Lithuanian company Altacom uses one of the latest RFC standard formats for presenting security p...
+> The Lithuanian company Altacom uses one of the latest RFC standard formats for presenting security policy information.
+
+> This standard makes it easier for security specialists to identify the contacts they should reach out to in order to report a vulnerability to the organization.
+
+> Please help me find the email address to report any vulnerabilities found.
+
+> Flag format: VU{email@address.com}

 ## About the Challenge
 We need to know the email that company use to receive vulnerability report
--- a/Web/README.md
+++ b/Web/README.md
@ -1,5 +1,5 @@
 # Simple Web
-`-`
+> It consists of only eight commands, each represented by a single character, and uses a tape-based memory model with a pointer. However, it is considered difficult to write programs in, as it provides very little abstraction over the machine model and requires one to break problems down into very simple steps.

 ## About the Challenge
 We are given a zip code that contain HTML file inside of it