feat: added BlueHens CTF 2023

2023-10-30 18:43:47 +07:00 · 2023-10-30 18:43:47 +07:00 · d2eb0c509d
parent b3820c096c
commit d2eb0c509d
21 changed files with 166 additions and 4 deletions
--- a/JPG/README.md
+++ b/JPG/README.md
@ -0,0 +1,24 @@
+# Big JPG
+> There's more data to this image than what meets the eye.
+
+## About the Challenge
+We were given a `jpg` file and we need to find the flag inside the image
+
+## How to Solve?
+First, run binwalk or you can use CyberChef and then choose `Extract File` operator. You will see a `xz` file
+
+![binwalk](images/binwalk.png)
+
+Open the `xz` file and you will find 2 images called `key.png` and `flag.jpg`. Input the `key.png` file into AperiSolve or you can `zsteg` tool to extract the key
+
+![zsteg](images/zsteg.png)
+
+You got the password! And right now you can use `steghide` or AperiSolve again but don't forget to input `uR_aLmOsT_tHeRe` in the form input
+
+![steghide](images/steghide.png)
+
+Download the result and voila!
+
+```
+UDCTF{lay3r5_0n_lay3r5}
+```
--- a/JPG/images/binwalk.png
+++ b/JPG/images/binwalk.png
--- a/JPG/images/steghide.png
+++ b/JPG/images/steghide.png
--- a/JPG/images/zsteg.png
+++ b/JPG/images/zsteg.png
--- a/1/README.md
+++ b/1/README.md
@ -0,0 +1,24 @@
+# Just Cat The Flask 1/2
+> https://bluehens-cat-the-flask.chals.io/greeting/hi
+
+## About the Challenge
+We were given a website without a source code, every input after `/greeting/*` is reflected in the website
+
+![preview](images/preview.png)
+
+## How to Solve?
+The website was vulnerable to SSTI and this website uses Jinja as its templating engine. Here is the payload I used to execute OS command:
+
+```
+https://bluehens-cat-the-flask.chals.io/greeting/{{lipsum.__globals__.os.popen('ls').read()}}
+```
+
+![ssti](images/ssti.png)
+
+There is a file called `flag1.txt`, read that to obtain the flag
+
+![flag](images/flag.png)
+
+```
+UDCTF{l4y3r_1_c0mpl3t3_g00d_luck_w1th_p4rt_2}
+```
--- a/1/images/flag.png
+++ b/1/images/flag.png
--- a/1/images/preview.png
+++ b/1/images/preview.png
--- a/1/images/ssti.png
+++ b/1/images/ssti.png
--- a/2023/README.md
+++ b/2023/README.md
@ -0,0 +1,10 @@
+# BlueHens CTF 2023
+CTF writeup for The BlueHens CTF 2023. I took part in this CTF competition with the TCP1P team and secured the 16th place out of 435 teams
+
+| Category | Challenge |
+| --- | --- |
+| Web | [Super Admin](/BlueHens%20CTF%202023/Super%20Admin/)
+| Web | [Just Cat The Flask 1/2](/BlueHens%20CTF%202023/Just%20Cat%20The%20Flask%201/)
+| Misc | [Big JPG](/BlueHens%20CTF%202023/Big%20JPG/)
+| Misc | [RSA School 1st Grade](/BlueHens%20CTF%202023/RSA%20School%201st%20Grade/)
+| Misc | [RSA School 2nd Grade](/BlueHens%20CTF%202023/RSA%20School%202nd%20Grade/)
--- a/Grade/README.md
+++ b/Grade/README.md
@ -0,0 +1,37 @@
+# RSA School 1st Grade
+> First day of school!
+
+## About the Challenge
+We were given 2 files, `First_Grade.py` and `output.txt`. Here is the content of `First_Grade.py`
+
+```python
+from Crypto.Util.number import *
+p=getPrime(512)
+q=getPrime(512)
+n=p*q
+e=65537
+msg=bytes_to_long(b'UDCTF{REDACTED}')
+ct=pow(msg,e,n)
+print(p)
+print(n)
+print(e)
+print(ct)
+```
+
+And here is the content of `output.txt`
+
+```
+7009789528005665925389589645247771843738610365138497450285434114825324963561464592190523618045678504210355855286077875965585945664408796837853566415684077
+73061872549912499570368059392056653520123131891860048946474996807859190776947568485365189613739847632132597352816568237525325622321891749472819811314630053648031678826291232292672975634200777457699671848298242827252269004463672931479153540235625891818449660268924228002522141737330313259535617652381070426543
+65537
+8099012654842320180974620472267007973324910863630262955526926760464542904631823196320598910081443799605804614201671967967929893760527002416689993003801924422327762868245291561376910828637706061326005113536536357969201659290874169593264337355365186414719656091960977568710047843815328537885731546232759484717
+```
+
+## How to Solve?
+In this case im using [X-RSA](https://github.com/X-Vector/X-RSA) to recover the plaintext, and then choose the third option
+
+![flag](images/flag.png)
+
+```
+UDCTF{y3a_b0i_b4by_RSA!}
+```
--- a/Grade/images/flag.png
+++ b/Grade/images/flag.png
--- a/Grade/README.md
+++ b/Grade/README.md
@ -0,0 +1,33 @@
+# RSA School 2nd Grade
+> Ok a little tougher
+
+## About the Challenge
+We were given 2 files, `Second_Grade.py` and `output.txt`. Here is the content of `First_Grade.py`
+
+```python
+from Crypto.Util.number import *
+n=166045890368446099470756111654736772731460671003059151938763854196360081247044441029824134260263654537
+e=65537
+msg=bytes_to_long(b'UDCTF{REDACTED}')
+ct=pow(msg,e,n)
+print(n)
+print(e)
+print(ct)
+```
+
+And here is the content of `output.txt`
+
+```
+166045890368446099470756111654736772731460671003059151938763854196360081247044441029824134260263654537
+65537
+141927379986409920845194703499941262988061316706433242289353776802375074525295688904215113445883589653
+```
+
+## How to Solve?
+In this case im using [X-RSA](https://github.com/X-Vector/X-RSA) to recover the plaintext, and then choose the first option
+
+![flag](images/flag.png)
+
+```
+UDCTF{pr1m3_f4ct0r_the1f!}
+```
--- a/Grade/images/flag.png
+++ b/Grade/images/flag.png
--- a/Admin/README.md
+++ b/Admin/README.md
@ -0,0 +1,34 @@
+# Super Admin
+> Comfort food.
+
+## About the Challenge
+We were given a website without a source code, and we need to login as admin in order to get the flag
+
+![preview](images/preview.png)
+
+![preview2](images/preview2.png)
+
+## How to Solve?
+Because there is a JWT token in the website cookie, You can use jwt.io to inspect the cookie
+
+![old_jwt](images/old_jwt.png)
+
+We need to change `"role": "user"` to `"role": "admin"`, but we need to know the password first. The first thing that came to my mind was bruteforcing the key. I used https://github.com/Sjord/jwtcrack to crack the password. Here is the result:
+
+```
+Cracking JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoidXNlciIsImlhdCI6MTY5ODY2NTMzNX0.yozk78J3cGuLt1ofBxUCnUoagoR9wOxXoA30o3hh6ug
+27it [00:00, 12833.89it/s]
+Found secret key: password1
+```
+
+Change the value from `user` to `admin` using the cracked password
+
+![new_jwt](images/new_jwt.png)
+
+Replace the old token with the new JWT token to obtain the flag
+
+![flag](images/flag.png)
+
+```
+UDCTF{k33p_17_51mp13_57up1d_15_4_l1e}
+```
--- a/Admin/images/flag.png
+++ b/Admin/images/flag.png
--- a/Admin/images/new_jwt.png
+++ b/Admin/images/new_jwt.png
--- a/Admin/images/old_jwt.png
+++ b/Admin/images/old_jwt.png
--- a/Admin/images/preview.png
+++ b/Admin/images/preview.png
--- a/Admin/images/preview2.png
+++ b/Admin/images/preview2.png
--- a/2023/README.md
+++ b/2023/README.md
@ -1,5 +1,5 @@
 # CSAW CTF Qualification Round 2023
-CTF writeup for The CSAW CTF Qualification Round 2023. I took part in this CTF competition with the TCP1P team and secured the 67th place out of 1098 teams
+CTF writeup for The CSAW CTF Qualification Round 2023. I took part in this CTF competition with the HCS team and secured the 67th place out of 1098 teams

 | Category | Challenge |
 | --- | --- |
--- a/2023/README.md
+++ b/2023/README.md
@ -4,6 +4,6 @@ CTF writeup for The Srdnlen CTF 2023. I took part in this CTF competition with t
 | Category | Challenge |
 | --- | --- |
 | Cryptography | [RSA](/Srdnlen%20CTF%202023/RSA/)
-| Web | [Spongeweb](/Srdnlen%20CTF%202023/RSA/)
-| Forensic | [stego WarmUp](/Srdnlen%20CTF%202023/RSA/)
-| Forensic | [Urban Odissey](/Srdnlen%20CTF%202023/RSA/)
+| Web | [Spongeweb](/Srdnlen%20CTF%202023/Spongeweb/)
+| Forensic | [stego WarmUp](/Srdnlen%20CTF%202023/stego%20WarmUp/)
+| Forensic | [Urban Odissey](/Srdnlen%20CTF%202023/Urban%20Odissey/)