feat: added BlueHens CTF 2023
|
@ -0,0 +1,24 @@
|
||||||
|
# Big JPG
|
||||||
|
> There's more data to this image than what meets the eye.
|
||||||
|
|
||||||
|
## About the Challenge
|
||||||
|
We were given a `jpg` file and we need to find the flag inside the image
|
||||||
|
|
||||||
|
## How to Solve?
|
||||||
|
First, run binwalk or you can use CyberChef and then choose `Extract File` operator. You will see a `xz` file
|
||||||
|
|
||||||
|
![binwalk](images/binwalk.png)
|
||||||
|
|
||||||
|
Open the `xz` file and you will find 2 images called `key.png` and `flag.jpg`. Input the `key.png` file into AperiSolve or you can `zsteg` tool to extract the key
|
||||||
|
|
||||||
|
![zsteg](images/zsteg.png)
|
||||||
|
|
||||||
|
You got the password! And right now you can use `steghide` or AperiSolve again but don't forget to input `uR_aLmOsT_tHeRe` in the form input
|
||||||
|
|
||||||
|
![steghide](images/steghide.png)
|
||||||
|
|
||||||
|
Download the result and voila!
|
||||||
|
|
||||||
|
```
|
||||||
|
UDCTF{lay3r5_0n_lay3r5}
|
||||||
|
```
|
After Width: | Height: | Size: 385 KiB |
After Width: | Height: | Size: 483 KiB |
After Width: | Height: | Size: 310 KiB |
|
@ -0,0 +1,24 @@
|
||||||
|
# Just Cat The Flask 1/2
|
||||||
|
> https://bluehens-cat-the-flask.chals.io/greeting/hi
|
||||||
|
|
||||||
|
## About the Challenge
|
||||||
|
We were given a website without a source code, every input after `/greeting/*` is reflected in the website
|
||||||
|
|
||||||
|
![preview](images/preview.png)
|
||||||
|
|
||||||
|
## How to Solve?
|
||||||
|
The website was vulnerable to SSTI and this website uses Jinja as its templating engine. Here is the payload I used to execute OS command:
|
||||||
|
|
||||||
|
```
|
||||||
|
https://bluehens-cat-the-flask.chals.io/greeting/{{lipsum.__globals__.os.popen('ls').read()}}
|
||||||
|
```
|
||||||
|
|
||||||
|
![ssti](images/ssti.png)
|
||||||
|
|
||||||
|
There is a file called `flag1.txt`, read that to obtain the flag
|
||||||
|
|
||||||
|
![flag](images/flag.png)
|
||||||
|
|
||||||
|
```
|
||||||
|
UDCTF{l4y3r_1_c0mpl3t3_g00d_luck_w1th_p4rt_2}
|
||||||
|
```
|
After Width: | Height: | Size: 56 KiB |
After Width: | Height: | Size: 14 KiB |
After Width: | Height: | Size: 35 KiB |
|
@ -0,0 +1,10 @@
|
||||||
|
# BlueHens CTF 2023
|
||||||
|
CTF writeup for The BlueHens CTF 2023. I took part in this CTF competition with the TCP1P team and secured the 16th place out of 435 teams
|
||||||
|
|
||||||
|
| Category | Challenge |
|
||||||
|
| --- | --- |
|
||||||
|
| Web | [Super Admin](/BlueHens%20CTF%202023/Super%20Admin/)
|
||||||
|
| Web | [Just Cat The Flask 1/2](/BlueHens%20CTF%202023/Just%20Cat%20The%20Flask%201/)
|
||||||
|
| Misc | [Big JPG](/BlueHens%20CTF%202023/Big%20JPG/)
|
||||||
|
| Misc | [RSA School 1st Grade](/BlueHens%20CTF%202023/RSA%20School%201st%20Grade/)
|
||||||
|
| Misc | [RSA School 2nd Grade](/BlueHens%20CTF%202023/RSA%20School%202nd%20Grade/)
|
|
@ -0,0 +1,37 @@
|
||||||
|
# RSA School 1st Grade
|
||||||
|
> First day of school!
|
||||||
|
|
||||||
|
## About the Challenge
|
||||||
|
We were given 2 files, `First_Grade.py` and `output.txt`. Here is the content of `First_Grade.py`
|
||||||
|
|
||||||
|
```python
|
||||||
|
from Crypto.Util.number import *
|
||||||
|
p=getPrime(512)
|
||||||
|
q=getPrime(512)
|
||||||
|
n=p*q
|
||||||
|
e=65537
|
||||||
|
msg=bytes_to_long(b'UDCTF{REDACTED}')
|
||||||
|
ct=pow(msg,e,n)
|
||||||
|
print(p)
|
||||||
|
print(n)
|
||||||
|
print(e)
|
||||||
|
print(ct)
|
||||||
|
```
|
||||||
|
|
||||||
|
And here is the content of `output.txt`
|
||||||
|
|
||||||
|
```
|
||||||
|
7009789528005665925389589645247771843738610365138497450285434114825324963561464592190523618045678504210355855286077875965585945664408796837853566415684077
|
||||||
|
73061872549912499570368059392056653520123131891860048946474996807859190776947568485365189613739847632132597352816568237525325622321891749472819811314630053648031678826291232292672975634200777457699671848298242827252269004463672931479153540235625891818449660268924228002522141737330313259535617652381070426543
|
||||||
|
65537
|
||||||
|
8099012654842320180974620472267007973324910863630262955526926760464542904631823196320598910081443799605804614201671967967929893760527002416689993003801924422327762868245291561376910828637706061326005113536536357969201659290874169593264337355365186414719656091960977568710047843815328537885731546232759484717
|
||||||
|
```
|
||||||
|
|
||||||
|
## How to Solve?
|
||||||
|
In this case im using [X-RSA](https://github.com/X-Vector/X-RSA) to recover the plaintext, and then choose the third option
|
||||||
|
|
||||||
|
![flag](images/flag.png)
|
||||||
|
|
||||||
|
```
|
||||||
|
UDCTF{y3a_b0i_b4by_RSA!}
|
||||||
|
```
|
After Width: | Height: | Size: 153 KiB |
|
@ -0,0 +1,33 @@
|
||||||
|
# RSA School 2nd Grade
|
||||||
|
> Ok a little tougher
|
||||||
|
|
||||||
|
## About the Challenge
|
||||||
|
We were given 2 files, `Second_Grade.py` and `output.txt`. Here is the content of `First_Grade.py`
|
||||||
|
|
||||||
|
```python
|
||||||
|
from Crypto.Util.number import *
|
||||||
|
n=166045890368446099470756111654736772731460671003059151938763854196360081247044441029824134260263654537
|
||||||
|
e=65537
|
||||||
|
msg=bytes_to_long(b'UDCTF{REDACTED}')
|
||||||
|
ct=pow(msg,e,n)
|
||||||
|
print(n)
|
||||||
|
print(e)
|
||||||
|
print(ct)
|
||||||
|
```
|
||||||
|
|
||||||
|
And here is the content of `output.txt`
|
||||||
|
|
||||||
|
```
|
||||||
|
166045890368446099470756111654736772731460671003059151938763854196360081247044441029824134260263654537
|
||||||
|
65537
|
||||||
|
141927379986409920845194703499941262988061316706433242289353776802375074525295688904215113445883589653
|
||||||
|
```
|
||||||
|
|
||||||
|
## How to Solve?
|
||||||
|
In this case im using [X-RSA](https://github.com/X-Vector/X-RSA) to recover the plaintext, and then choose the first option
|
||||||
|
|
||||||
|
![flag](images/flag.png)
|
||||||
|
|
||||||
|
```
|
||||||
|
UDCTF{pr1m3_f4ct0r_the1f!}
|
||||||
|
```
|
After Width: | Height: | Size: 71 KiB |
|
@ -0,0 +1,34 @@
|
||||||
|
# Super Admin
|
||||||
|
> Comfort food.
|
||||||
|
|
||||||
|
## About the Challenge
|
||||||
|
We were given a website without a source code, and we need to login as admin in order to get the flag
|
||||||
|
|
||||||
|
![preview](images/preview.png)
|
||||||
|
|
||||||
|
![preview2](images/preview2.png)
|
||||||
|
|
||||||
|
## How to Solve?
|
||||||
|
Because there is a JWT token in the website cookie, You can use jwt.io to inspect the cookie
|
||||||
|
|
||||||
|
![old_jwt](images/old_jwt.png)
|
||||||
|
|
||||||
|
We need to change `"role": "user"` to `"role": "admin"`, but we need to know the password first. The first thing that came to my mind was bruteforcing the key. I used https://github.com/Sjord/jwtcrack to crack the password. Here is the result:
|
||||||
|
|
||||||
|
```
|
||||||
|
Cracking JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoidXNlciIsImlhdCI6MTY5ODY2NTMzNX0.yozk78J3cGuLt1ofBxUCnUoagoR9wOxXoA30o3hh6ug
|
||||||
|
27it [00:00, 12833.89it/s]
|
||||||
|
Found secret key: password1
|
||||||
|
```
|
||||||
|
|
||||||
|
Change the value from `user` to `admin` using the cracked password
|
||||||
|
|
||||||
|
![new_jwt](images/new_jwt.png)
|
||||||
|
|
||||||
|
Replace the old token with the new JWT token to obtain the flag
|
||||||
|
|
||||||
|
![flag](images/flag.png)
|
||||||
|
|
||||||
|
```
|
||||||
|
UDCTF{k33p_17_51mp13_57up1d_15_4_l1e}
|
||||||
|
```
|
After Width: | Height: | Size: 142 KiB |
After Width: | Height: | Size: 168 KiB |
After Width: | Height: | Size: 134 KiB |
After Width: | Height: | Size: 21 KiB |
After Width: | Height: | Size: 18 KiB |
|
@ -1,5 +1,5 @@
|
||||||
# CSAW CTF Qualification Round 2023
|
# CSAW CTF Qualification Round 2023
|
||||||
CTF writeup for The CSAW CTF Qualification Round 2023. I took part in this CTF competition with the TCP1P team and secured the 67th place out of 1098 teams
|
CTF writeup for The CSAW CTF Qualification Round 2023. I took part in this CTF competition with the HCS team and secured the 67th place out of 1098 teams
|
||||||
|
|
||||||
| Category | Challenge |
|
| Category | Challenge |
|
||||||
| --- | --- |
|
| --- | --- |
|
||||||
|
|
|
@ -4,6 +4,6 @@ CTF writeup for The Srdnlen CTF 2023. I took part in this CTF competition with t
|
||||||
| Category | Challenge |
|
| Category | Challenge |
|
||||||
| --- | --- |
|
| --- | --- |
|
||||||
| Cryptography | [RSA](/Srdnlen%20CTF%202023/RSA/)
|
| Cryptography | [RSA](/Srdnlen%20CTF%202023/RSA/)
|
||||||
| Web | [Spongeweb](/Srdnlen%20CTF%202023/RSA/)
|
| Web | [Spongeweb](/Srdnlen%20CTF%202023/Spongeweb/)
|
||||||
| Forensic | [stego WarmUp](/Srdnlen%20CTF%202023/RSA/)
|
| Forensic | [stego WarmUp](/Srdnlen%20CTF%202023/stego%20WarmUp/)
|
||||||
| Forensic | [Urban Odissey](/Srdnlen%20CTF%202023/RSA/)
|
| Forensic | [Urban Odissey](/Srdnlen%20CTF%202023/Urban%20Odissey/)
|