Introduction

Brixel CTF Winter Edition 2020 was the first CTF organized by hackerspace Brixel, with challenges in the following categories:

  • Programming
  • Forensics
  • OSINT
  • Internet
  • Reverse engineering / cracking
  • Old tech
  • Cryptography
  • Steganography

The following is a writeup of the challenges I solved.


Are you fast enough?

Category: Programming

Description: Can you program something that is fast enough to submit the solution before the time runs out?

Solution:

When entering the webpage for the challenge we see the following page.

Let's take a look at the source to find a way to read the random string and enter it in the input field programmatically.

Ok, we got IDs for the random string, the input field and the submit button. Then all we have to do is write some JavaScript to do this for us.

document.getElementById('inputfield').value = document.getElementById('rndstring').innerHTML;
document.getElementById('submitbutton').click();

This will do the trick. But we have to execute this code within one second. So let's run window.location = 'http://timesink.be/speedy/index.php' in the console, and right after that we run the JavaScript we just wrote.

Flag: brixelCTF{sp33d_d3m0n}


Keep walking…

Category: Programming

Description:
This is a challenge to test your basic programming skills.

Pseudo code:
Set X = 1
Set Y = 1
Set previous answer = 1

answer = X * Y + previous answer + 3

After that => X + 1 and Y + 1 (‘answer’ becomes ‘previous answer’) and repeat this till you have X = 525.

The final answer is the value of ‘answer’ when X = 525. Fill it in below.

Example:
5 = 1 * 1 + 1 + 3
12 = 2 * 2 + 5 + 3
24 = 3 * 3 + 12 + 3

Solution:

Pretty straightforward; the following is an implementation in C#.

using System;

namespace Keep_walking
{
    class Program
    {
        static void Main(string[] args)
        {
            var prev = 1;

            for(var i = 1; i <= 525; i++) {
                prev = (i * i) + prev + 3;
            }

            Console.WriteLine(prev);
        }
    }
}

And when we run this we get the flag 48373851


A Song…

Category: Programming

Description: I wrote this song it seems I’m pretty bad at it, but hey! it could get you a flag 🙂

Solution:

Attached to this challenge is the following text.

(intro)
Shout "brixelCTF{" !!!

Brixel is a hackerspace
It's not like any other place

Your skill is hopefully the best
This CTF is the test
put your skill into the test
(-and-) let your score be "blessed"

(chorus)
The challenges are serious
Your skill is mysterious
Build your skill up, up, up (-up,up-)
Knock the challenges down
your skill is true,
your skill is right!
Knock the challenges down
your score is taking flight!

(verse1)
put This CTF into your skill
put Brixel into your Heart (-or not, hey! just chill!-)

the hype is getting to the top,
the beat is ready to drop,
build the hype up!
build the hype up!
build the hype up!

whisper the challenges,
say your score,
Shout the hype, (-and-)
SCREAM YOUR SKILL! (-m-M-M-MONSTERKILL!!-)

(chorus)
The challenges are serious
Your skill is mysterious
Build your skill up, up, up (up,up)
Knock the challenges down
your skill is true,
your skill is right!
Knock the challenges down
your score is taking flight!

(verse2)
Happy Holidays is a wish,
Brixel is wishing you today
Santa is now leaving
(-riding on his sleigh-)

This was fun
This was grand
Turn up your score
Turn up your skill

put your heart into your skill
put your skill into the test
say your score (-because you ARE the best-)

Say Happy Holidays
Say Brixel and "}"

(fin)

This looks like Rockstar source code. Let's try it out in the Rockstar online interpreter.

brixelCTF{
 5
 66
 7236
 34
 66
 14
 }
 Program completed in 70 ms

It worked, so our flag is brixelCTF{5667236346614}


An arduino project

Category: Programming

Description:
I once made this arduino program but forgot what it does.
Unfortunately I lost the schematic that comes with it.
Maybe you can get it running?

Solution:

Here we get an Arduino project. Opening the file in the Arduino IDE, we get the following source code.

int msg[] = {9,0,9,0,9,0,9,0,7,8,3,4,0,7,6,5,4,3,2,0,7,8,6,5,4,2,0,2,3,4,0,7,2,3,8,4,5,0,2,3,4,5,6,7,8,0,7,6,0,7,2,3,8,4,5,0,2,3,4,5,6,7,0,2,3,8,4,5,0,2,3,8,4,5,0,2,3,8,6,5,0};

void setup()
{
  pinMode(2, OUTPUT); //A
  pinMode(3, OUTPUT); //B
  pinMode(4, OUTPUT); //C
  pinMode(5, OUTPUT); //D
  pinMode(6, OUTPUT); //E
  pinMode(7, OUTPUT); //F
  pinMode(8, OUTPUT); //G
  pinMode(9, OUTPUT); //DP
  //COMMON = 5V with 1K resistor
}

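void loop()
{
  for (byte i = 0; i < (sizeof(msg) / sizeof(msg[0])); i++) {
    if (msg[i] > 0) {
      digitalWrite(msg[i], LOW);  // common is tied to 5V, so LOW lights the segment
    } else {
      delay(500);                 // 0 ends a frame: hold it, then blank the display
      reset();
    }
  }
}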

void reset()
{
  for(int p = 2; p < 10;p++)
  {
    digitalWrite(p,HIGH);   
  }
  delay(500);
}

Ok, so we have pins 2-9 set as outputs and some writes to those outputs. Now we need to know what the comments after the pinMode calls mean. A search for the values in the comments together with "arduino" leads us to a bunch of articles about seven-segment displays. Let's try to map the message to values on a seven-segment display.

First of all we need to know what the A, B, C, D, E, F, G and DP pins map to.

Here we can see which segment each pin maps to. Now it's time to map the message to the segments so we can more easily map the message to an output number. If we take the msg[] variable and replace each value with the corresponding character from the comments, we end up with the following message.

DP
DP
DP
DP
FGBC
FEDCBA
FGEDCA
ABC
FABGCD
ABCDEFG
FE
FABGCD
ABCDEF
ABGCD
ABGCD
ABGED

And if we map this to what is displayed on the led we get the flag 406798190332
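The same mapping done in code, as an added example that is not part of the original writeup. The pin table comes from the sketch's pinMode comments; the glyph table is the usual seven-segment digit set, plus the left-hand "1" (segments E and F) that this sketch uses.

```javascript
// msg[] copied from the Arduino sketch above.
const MSG = [9,0,9,0,9,0,9,0,7,8,3,4,0,7,6,5,4,3,2,0,7,8,6,5,4,2,0,2,3,4,0,
  7,2,3,8,4,5,0,2,3,4,5,6,7,8,0,7,6,0,7,2,3,8,4,5,0,2,3,4,5,6,7,0,
  2,3,8,4,5,0,2,3,8,4,5,0,2,3,8,6,5,0];

// Pin-to-segment wiring, taken from the comments after each pinMode() call.
const PIN_TO_SEGMENT = { 2: 'A', 3: 'B', 4: 'C', 5: 'D', 6: 'E', 7: 'F', 8: 'G', 9: 'DP' };

// Lit segments (sorted, decimal point excluded) -> digit.
// 'EF' is a "1" drawn on the left-hand side of the display; 'BC' is the usual one.
const GLYPHS = {
  ABCDEF: '0', BC: '1', EF: '1', ABDEG: '2', ABCDG: '3', BCFG: '4',
  ACDFG: '5', ACDEFG: '6', ABC: '7', ABCDEFG: '8', ABCDFG: '9',
};

// A 0 in msg[] ends a frame: the sketch waits, then switches every segment off.
function splitFrames(msg) {
  const frames = [];
  let lit = new Set();
  for (const pin of msg) {
    if (pin === 0) {
      frames.push(lit);
      lit = new Set();
      continue;
    }
    const segment = PIN_TO_SEGMENT[pin];
    if (!segment) throw new RangeError(`pin ${pin} is not wired to a segment`);
    lit.add(segment);
  }
  return frames;
}

// Translate one frame into the character it shows; unknown patterns become '?'.
function frameToChar(lit) {
  const key = [...lit].filter((s) => s !== 'DP').sort().join('');
  const glyph = key === '' ? '' : (GLYPHS[key] || '?');
  return glyph + (lit.has('DP') ? '.' : '');
}

function decodeMessage(msg) {
  return splitFrames(msg).map(frameToChar).join('');
}

// The four leading decimal-point blinks are a lead-in, not part of the flag.
function flagDigits(msg) {
  return decodeMessage(msg).replace(/\./g, '');
}

console.log(decodeMessage(MSG));
console.log(flagDigits(MSG));
```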


Quizbot

Category: Programming

Description:
Legend has it there’s a flag at the end when you have a perfect score

Solution:

This challenge is another web based challenge.

We need to answer 1000 questions correctly in order to get the flag. When entering an invalid answer we get the correct answer for the previous question.

The questions are always the same and in the same order. So we need to scrape all correct answers and then enter those to be able to get the flag. The following code uses Selenium to control a web browser: it first scrapes all the correct answers and then answers all the questions.

using System;
using OpenQA.Selenium.Chrome;
using OpenQA.Selenium.Internal;

namespace Quizbot
{
    public static class Program
    {
        private const int NumberOfQuestions = 1000;

        private static void Main()
        {
            var questionArray = new string[NumberOfQuestions];
            var driver = new ChromeDriver {Url = "http://timesink.be/quizbot/index.php"};
            driver.Manage().Timeouts().ImplicitWait = TimeSpan.FromSeconds(10);
            
            for (var i = 0; i < NumberOfQuestions; i++)
            {
                ClickSubmitButton(driver);
                var answer = driver.FindElementById("answer");
                questionArray[i] = answer.Text;
            }

            driver.Navigate().GoToUrl("http://timesink.be/quizbot/index.php");

            for (var i = 0; i < NumberOfQuestions; i++)
            {
                var inputField = driver.FindElementById("insert_answer");
                inputField.SendKeys(questionArray[i]);
                ClickSubmitButton(driver);
            }

            Console.WriteLine("Done.");
        }

        private static void ClickSubmitButton(IFindsByName driver)
        {
            var submitButton = driver.FindElementByName("submit");
            submitButton.Click();
        }
    }
}

When completed we get the following message.

Flag: brixelCTF{kn0wl3dg3}


A message from space

Category: Forensics

Description:
I received a message from space
Beam me up scottie1!

Solution:

Attached to this challenge is an audio file. After some investigation it seems that it is an SSTV signal.

So if we use RX-SSTV we should be able to get an image out of the signal.

Flag: brixelCTF{SP4C3L4B}


Lottery ticket

Category: Forensics

Description:
Someone is trying to sell this lottery ticket online, it has the winning numbers but I suspect foul play
Can you tell me which the new numbers are that are photoshopped?
Add them all up, the resulting number is the flag

Solution:

Attached to this challenge is the following image.

Now we have to find out which numbers are photoshopped. Let's check it out in Stegsolve.

Here we can see four numbers that stand out: 42, 88, 25 and 48.

If we sum those values we get the flag 203


Lost evidence

Category: Forensics

Description:
A buddy of mine is in serious trouble. He works for the feds and accidentally deleted a pendrive containing crucial evidence
Can you get it back and tell us what the evidence is?
We need to know what the suspect bought

Solution:

Here we got an NTFS image file we need to analyze. Let's load the image in Autopsy and see what we can find out.

Autopsy found two deleted wave files. Let's extract those so we can take a listen.

As it turns out, both recordings are identical and it is a recording of a bank transfer. We can also hear that a message is entered using DTMF tones. Let's try to decode those tones to their corresponding numbers to see if we can get the message.

First we need to save only the tones for the message so it will be easier to decode them. At the end of the recording we can clearly see them when using an audio editor like Audacity.

Let's save this to a new file and try to decode the tones. For this we can use dtmf-decoder.

python dtmf.py ..\tones.wav
80449903336667771708443302226662222444663302277788441

Now we have the numbers entered, but we still need to map those to characters. To do this we can use the following image.

After mapping we get the message T HX FOR. P T HE COCAINE BRUH. So the flag is brixelCTF{cocaine}
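The keypad mapping can also be scripted. The following is an added example, not part of the original writeup: it groups the digit string into runs of repeated key presses and flags runs that are too long to be a single letter, since the digit string has lost the pauses that separated letters in the audio. The keypad table is the standard phone layout; treating 0 as a space and 1 as a full stop is an assumption that matches the decoded message above.

```javascript
// Digit string produced by dtmf.py above.
const TONES = '80449903336667771708443302226662222444663302277788441';

// Standard multi-tap layout. '0' -> space and '1' -> '.' are assumptions.
const KEYPAD = {
  '0': ' ', '1': '.', '2': 'ABC', '3': 'DEF', '4': 'GHI',
  '5': 'JKL', '6': 'MNO', '7': 'PQRS', '8': 'TUV', '9': 'WXYZ',
};

// Every way `count` presses of one key can be read when the pauses are unknown.
function readings(key, count) {
  if (count === 0) return [''];
  const letters = KEYPAD[key];
  const out = [];
  for (let presses = 1; presses <= Math.min(count, letters.length); presses++) {
    for (const rest of readings(key, count - presses)) {
      out.push(letters[presses - 1] + rest);
    }
  }
  return out;
}

// Decode run by run. A run longer than the key has letters must be several
// characters; we take the longest letter first and report the run as ambiguous.
function decodeMultiTap(digits) {
  if (!/^\d*$/.test(digits)) {
    throw new TypeError('only the keys 0-9 are mapped here');
  }
  const text = [];
  const ambiguous = [];
  let offset = 0;
  for (const run of digits.match(/(\d)\1*/g) || []) {
    const key = run[0];
    const letters = KEYPAD[key];
    if (letters.length > 1 && run.length > letters.length) {
      ambiguous.push({ offset, run, readings: readings(key, run.length) });
    }
    for (let left = run.length; left > 0;) {
      const presses = Math.min(left, letters.length);
      text.push(letters[presses - 1]);
      left -= presses;
    }
    offset += run.length;
  }
  return { text: text.join(''), ambiguous };
}

const result = decodeMultiTap(TONES);
console.log(result.text);
for (const a of result.ambiguous) {
  console.log(`run "${a.run}" at offset ${a.offset} could be: ${a.readings.join(', ')}`);
}
```

The one ambiguous run is the "2222" inside COCAINE; listening for the pause in the recording is what settles it as C followed by A.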


A quick search

Category: OSINT

Description:
Here’s an easy one to start off the OSINT challenges.
I took this photo but forgot the name of this tower.
Can you give me the name?
I remember it started with an E.

Solution:

Attached is an image of some tower. Let's see what we can find using a reverse image search.

Flag: Eben-Ezer


Manhunt #1

Category: OSINT

Description:
My dad is pissed off! He was told by my mother NOT to buy ice cream but he did anyway when she wasn’t looking.
Someone posted this picture on the internet and my mother saw it, man, he is in so much trouble!
I want to know WHO posted this picture, let’s hunt this guy down!

Solution:

Here we got another picture we need to analyze. Let's check out the metadata using Exif & Metadata Viewer.

System:FileName	icecream.jpg
System:FileSize	329275
System:FileModifyDate	2020:12:26 13:45:45+00:00
System:FileAccessDate	2020:12:26 13:45:45+00:00
System:FileInodeChangeDate	2020:12:26 13:45:45+00:00
System:FilePermissions	644
File:FileType	JPEG
File:FileTypeExtension	JPG
File:MIMEType	image/jpeg
File:ExifByteOrder	MM
File:ImageWidth	1536
File:ImageHeight	2048
File:EncodingProcess	0
File:BitsPerSample	8
File:ColorComponents	3
File:YCbCrSubSampling	1 1
IFD0:ResolutionUnit	2
IFD0:YCbCrPositioning	1
ExifIFD:ExifVersion	0231
ExifIFD:ComponentsConfiguration	1 2 3 0
ExifIFD:FlashpixVersion	0100
ExifIFD:OwnerName	Johnny Dorfmeister
Composite:ImageSize	1536x2048
Composite:Megapixels	3.145728

At the ExifIFD:OwnerName we can see a name, so this is probably the person we are looking for.

So our flag is Johnny_Dorfmeister


Manhunt #2

Category: OSINT

Description:
Ah, now you know his name, good. Can you tell me the name of his last employer?

Solution:

If we do a Google search on Johnny Dorfmeister we find a link to his LinkedIn profile.

And here we can see his previous employer pishapasha which is the flag.


Manhunt #5

Category: OSINT

Description:
What is he talking about with that deleted page on his twitter account? can you retrieve it somehow?

Solution:

We got a link to his Twitter account on his LinkedIn profile. Let's head over to it and check out his Twitter activity.

Here we find the tweet mentioned in the description. When navigating to the test-page link we can see that it’s removed.

Let's find out if the page is archived somewhere. Let's head over to the Wayback Machine and enter the URL for the test-page.

We got a hit for the 15th of January 2019. Let's take a look at what's archived.

We got the flag w@yb@ck!


Manhunt #6

Category: OSINT

Description:
So he’s a webdesigner huh? I wonder what his customers have to say about his work. In english please!

Solution:

Taking a look at his page at howitshouldbe.be we see some reviews on the start page.

When we translate the Russian sentence we get the following.

So the flag is poetry


Manhunt #7

Category: OSINT

Description:
Can you tell me where he lives? Then I can drop some kind words in his mailbox!
Format: brixelCTF{STREET_NUMBER_POSTALCODE_CITY} e.g brixelCTF{examplestreet_15_8500_kortrijk}

Solution:

On his webpage we can find a contact form. When submitting this form we get this message.

From this we can create the flag brixelCTF{Melkvoetstraat_48_3500_Hasselt}


Manhunt #8

Category: OSINT

Description:
so now you know where he lives, can you tell me what was written on his wall in 2013?

Solution:

Let's start by heading over to Google Maps and checking out the street view of his address. When we have found the place, let's take a look at the archived images and select 2013.

Our flag is Just_Married


Manhunt #9

Category: OSINT

Description:
Auth. You’re on your own for this 🙂

Solution:

Let's head back to the webpage on howitshouldbe.be. Just below the reviews and the animated gif we can find a small link.

When we click on the link we get the following message.

Ok, let's take a look at the source to see if we can find anything interesting.

<html>
<body>
<title>Auth</title>
<!-- Authentication script by Johnny Dorfmeister. https://github.com/JohnnyDorfmeister/authentication-requests !-->
Eat shit and die...

We got a link to a GitHub repository. Let's take a look at the source code found there.

<html>
<body>
<title>Auth</title>
<?php
if(!isset($_POST['username']))
{
	die("Eat shit and die...");
}
if($_POST['username'] == "johnny" && $_POST['password'] == removed for security reasons)
{
	$_SESSION["loggedin"] = "true";
	include("flag.php");
	die();
}else{
	echo "<form method=\"POST\" action=\"" . $_SERVER['PHP_SELF'] . "\">\n";
	echo "<table align=\"center\">\n";
	echo "	<tr><td>Username: <td><input type=\"text\" name=\"username\"></tr>\n";
	echo "	<tr><td>Password: <td><input type=\"password\" name=\"password\"></tr>\n";
	echo "	<tr><td colspan=2 align=\"right\"><input type=\"submit\" name=\"submit\" value=\"log in\"></tr>\n";
	echo "</table>\n";
	echo "</form>\n";
	die();
}
?>
</body>
</html>

We got the username, but the password is removed. If we take a look at the commit history of the file we can see that there have been two commits. Let's take a look at how the file looked in the first commit.

Great! The password was stored in the commit history, so now we have the username and the password. Let's make a request to auth.php. To do this we can use Postman.

Now we got the response with the flag g1ttern00b


Bird call

Category: OSINT

Description:
I heard this birdcall when walking the other day
Can you give me the LATIN name of this bird species?
Here’s a dutch joke for you: Het is niet de proxi-mus
replace (if any) spaces with underscores (‘_’)

Solution:

For this challenge we get a recording of some birdcall. To figure out what species this is we have to find some way to analyze the recording. If we search for bird from sound we find a page called BirdNET.

Uploading our recording to this service we get the following result.

The recording is of a White Stork (Ciconia ciconia) so the flag is Ciconia_ciconia


Easy

Category: Internet

Description:
On the homepage there is a hidden flag. It’s a Source of easy points!

Solution:

If we take a look at the source of https://ctf.brixel.space/ we can find the following.

<div class="row">
    <div class="col-md-6 offset-md-3" align="center">
        <h1>Brixel CTF winter edition</h1>
        <h8>By <a href="https://www.brixel.be" target="_blank">hackerspace Brixel</a></h5>
        <img class="w-100 mx-auto d-block" style="max-width: 500px;padding: 50px;padding-top: 3vh;" src="/files/3e28cc281e12b29b536038aa7d9b058e/snowman.png" />
        <h3 class="text-center">
            <p>Welkom to the brixel CTF!</p>
        </h3>
        <h6 class="text-center">
            <p>First time? check out our <a href="/guide">guide for new players</a></p>
        </h6>
        <h6 class="text-center">
            <p>Questions or remarks? Find Kevin (kefcom) on the discord server<p>
          	<p>(<a href="https://discord.gg/28uPqr5wmh">Invite link</a>)</p>
        </h6>  
        <h6><b>This is our first public CTF, so please be gentle with the comments!</b></h6>
      	<h6><b>❗ We're experiencing some high load on the server, please be patient as we try to improve the response time</b></h6>
        <br>
      <p>The CTF will run from December 26 13:00 CET to January 03 20:00 CET (GMT+1)</p>
      <p id="demo"></p>
        <h3 class="text-center">
            <p>Ready to play?</p>
            <a class="btn btn-primary w-100" href="/register">Create an account</a>
        </h3>
        <h6>
        	<br>
            <p>Once you are logged in:</p>
       </h6>
       <h3>
            <a class="btn btn-secondary w-100" href="/teams/join">Join a team</a>
		</h3>
        <h3>
            <a class="btn btn-secondary w-100" href="/teams/new">Make a new team</a>
        </h3>        
        <sub>And remember folks: It's only a game. Please do not attack the CTF server. Drink plenty of water (Not only MATE or beer!) and be excellent!</sub>
        <!-- hidden flag: 'brixelCTF{notsosecret}' -->
    </div>
</div>

Flag: brixelCTF{notsosecret}


Hidden Code

Category: Internet

Description:
Something strange happens on the brixel website when you enter the konami code
flag = the character you see floating by

Solution:

Heading over to the brixel website and taking a look at what scripts are loaded we find this script.

From the last line in the source we can see that this code is bound to the window.WP_Easter_Egg object and we have access to all functions on that object.

If we execute window.WP_Easter_Egg.move_image_across_top() we can see Mario running across the screen.

So the flag is mario


Robotopia

Category: Internet

Description:
I found this cool website, it claims to be 100% robot-free!
There’s nothing there yet at the moment, but at least it’s robots-free. I wonder how they keep it that way?

Solution:

Heading over to the challenge page we see this.

No links or anything useful in the source. But it says that it’s robot free, so let's take a look at the robots.txt file.

We found the flag brixelCTF{sadr0b0tz}


Discord

Category: Internet

Description:
Join our Discord and read the rules.

Solution:

Joining the discord server we get the following message.

And in point 5 of the rules we get the flag brixelCTF{th4nk5_f0r_r34d1ng_th3_rulz}


login1

Category: Internet

Description:
My buddy is trying to become a web developer, he made this little login page. Can you get the password?

Solution:

This page consists only of a login form.

Let's take a look at the source. Here we can see the JavaScript in the script element.

<script type="text/javascript">
	function verify() {
		password = document.getElementById("the_password").value;
		if(password == "brixelCTF{w0rst_j4v4scr1pt_3v3r!}")
		{
			alert("Password Verified");
		}
		else 
		{
		alert("Incorrect password");
		}
	}
</script>

Now we got the flag brixelCTF{w0rst_j4v4scr1pt_3v3r!}


login2

Category: Internet

Description:
Cool, you found the first password! He secured it more, could you try again?

Solution:

This page looks identical to the previous login challenge. Taking a look at the javascript for this page we can see the following.

<script type="text/javascript">
	function verify() {
		password = document.getElementById("the_password").value;
		split = 6;
		if (password.substring(0, split) == 'brixel') 
		{
			if (password.substring(split*6, split*7) == '180790') 
			{
				if (password.substring(split, split*2) == 'CTF{st') 
				{
					if (password.substring(split*4, split*5) == '5cr1pt') 
					{
						if (password.substring(split*3, split*4) == 'd_j4v4') 
						{
							if (password.substring(split*5, split*6) == '_h3r3.') 
							{
								if (password.substring(split*2, split*3) == '1ll_b4') 
								{
									if (password.substring(split*7, split*8) == '54270}') 
									{
										alert("Password Verified")
									}
								}
							}
						}
					}
				}
			}
		}
		else 
		{
		alert("Incorrect password");
		}
	}
</script>

From this we can recreate the flag by concatenating the values that are checked, starting with substring(0, split), then substring(split, split*2), then substring(split*2, split*3) and then the rest, and we get the flag brixelCTF{st1ll_b4d_j4v45cr1pt_h3r3.18079054270}
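The reassembly can be automated, which shows why shuffling client-side checks protects nothing: each check carries its own offset. This is an added example, not part of the original writeup; PAGE_SCRIPT is an excerpt of the script quoted above, and the function names are made up for the illustration.

```javascript
// Excerpt of the login2 script shown above: the split assignment and the checks.
const PAGE_SCRIPT = `
  split = 6;
  if (password.substring(0, split) == 'brixel')
  if (password.substring(split*6, split*7) == '180790')
  if (password.substring(split, split*2) == 'CTF{st')
  if (password.substring(split*4, split*5) == '5cr1pt')
  if (password.substring(split*3, split*4) == 'd_j4v4')
  if (password.substring(split*5, split*6) == '_h3r3.')
  if (password.substring(split*2, split*3) == '1ll_b4')
  if (password.substring(split*7, split*8) == '54270}')
`;

// Evaluate the only offset forms the script uses: N, split, split*N.
// A tiny parser is used instead of eval() so page content is never executed.
function evalOffset(expr, split) {
  const m = /^\s*(?:(\d+)|split(?:\s*\*\s*(\d+))?)\s*$/.exec(expr);
  if (!m) throw new SyntaxError(`unsupported offset expression: ${expr}`);
  if (m[1] !== undefined) return Number(m[1]);
  return split * (m[2] === undefined ? 1 : Number(m[2]));
}

// Collect every "substring(a, b) == 'literal'" check, order the pieces by
// start offset and make sure they tile the string without gaps or overlaps.
function recoverPassword(source) {
  const splitMatch = /\bsplit\s*=\s*(\d+)\s*;/.exec(source);
  if (!splitMatch) throw new Error('no "split = N;" assignment found');
  const split = Number(splitMatch[1]);

  const check = /password\.substring\(([^,]+),([^)]+)\)\s*==\s*'([^']*)'/g;
  const pieces = [];
  for (const m of source.matchAll(check)) {
    const start = evalOffset(m[1], split);
    const end = evalOffset(m[2], split);
    if (end - start !== m[3].length) {
      throw new Error(`literal '${m[3]}' does not fit range ${start}-${end}`);
    }
    pieces.push({ start, end, text: m[3] });
  }
  pieces.sort((a, b) => a.start - b.start);

  let position = 0;
  let password = '';
  for (const piece of pieces) {
    if (piece.start !== position) {
      throw new Error(`gap or overlap at offset ${position}`);
    }
    password += piece.text;
    position = piece.end;
  }
  return password;
}

console.log(recoverPassword(PAGE_SCRIPT));
```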


login3

Category: Internet

Description:
Nice! you found another one! He changed it up a bit again, could you try again?

Solution:

Let's take a look at the JavaScript to see what's changed.

<script type="text/javascript">
	function verify() {
		username = document.getElementById("the_username").value;
		password = document.getElementById("the_password").value;
		if(username == readTextFile("username.txt"))
		{
			if(password == readTextFile("password.txt"))
			{
				alert("Password Verified");
			} else {
				alert("Incorrect password");
			}
		}else{
			alert("Incorrect username");
		}
		
	}
    function readTextFile(filePath) 
    {      
		var result = null;
		var xmlhttp = new XMLHttpRequest();
		xmlhttp.open("GET", filePath, false);
		xmlhttp.send();
		if (xmlhttp.status==200) {
			result = xmlhttp.responseText;
		}
		return result;
    } 
</script>

This time the username and password are matched with the contents of the files username.txt and password.txt. Let's see if we can access those files.

In the password.txt file we get the flag brixelCTF{n0t_3v3n_cl05e_t0_s3cur3!}


login4

Category: Internet

Description:
Whow, another one! You’re good! So I told my buddy how you managed to get the password last time, and he fixed it. Could you check again please?

Solution:

This time we have the following javascript.

<script type="text/javascript">
	function verify() {
		username = document.getElementById("the_username").value;
		password = document.getElementById("the_password").value;
		if(username == atob(readTextFile("username.txt")))
		{
			if(password == atob(readTextFile("password.txt")))
			{
				alert("Password Verified");
			} else {
				alert("Incorrect password");
			}
		}else{
			alert("Incorrect username");
		}
		
	}
    function readTextFile(filePath) 
    {      
		var result = null;
		var xmlhttp = new XMLHttpRequest();
		xmlhttp.open("GET", filePath, false);
		xmlhttp.send();
		if (xmlhttp.status==200) {
			result = xmlhttp.responseText;
		}
		return result;
    } 
</script>

It still matches the password to the contents of a file. But this time it base64 decodes the contents before checking the values. Let's get the contents of password.txt.

YnJpeGVsQ1RGe2V2ZW5fYmFzZTY0X3dvbnRfbWFrZV95b3Vfc2VjdXJlfQ==

Now we got a base64 encoded string, when decoding this we get the flag brixelCTF{even_base64_wont_make_you_secure}


Browsercheck

Category: Internet

Description:
I found this weird website, but it will only allow ‘ask jeeves crawler’ to enter?
Can you get me in?

Solution:

Navigating to the page gives us the following message.

So we need to impersonate an Ask Jeeves crawler. First we need to find out the user agent for the crawler. This can be found on this Crawler User Agents page.

Here we find out that the user agent used for Ask Jeeves is Mozilla/5.0 (compatible; Ask Jeeves/Teoma; +http://about.ask.com/en/docs/about/webmasters.shtml)

When we request the page with this user agent we get the following response.

HTTP/1.1 200 OK
Date: Sat, 26 Dec 2020 16:12:58 GMT
Server: Apache/2
X-Powered-By: PHP/7.1.33
Vary: Accept-Encoding,User-Agent
Content-Length: 108
Content-Type: text/html; charset=UTF-8
Connection: close

<html><body><div align="center"><h1>congratulations</h1>the flag is 'brixelCTF{askwho?}'</div></body></html>

Flag: brixelCTF{askwho?}


Readme

Category: Internet

Description:
This flag is hidden in a readme
We will only guide those who want to learn on this one

Solution:

On the Guide page for the CTF we get some information for new players, and under hints we see the following.

So the flag is freepoints


SnackShack awards

Category: Internet

Description:
A friend of mine owns a snackbar and is entered in a competition to win an award.
It seems he is not going to win because he has a low amount of votes 😦
Do you think you can boost his votes? adding 5000 votes at once should do the trick!
His snackbar is called Cafetaria ‘t pleintje

Solution:

Here we have a voting page where we can vote for different SnackShacks from 0-5. To be able to change the vote to 5000 for Cafetaria ‘t pleintje we can intercept the request in Burp and change the value to 5000.

score_bammens=0&score_omejan=0&score_fontainas=0&score_tpleintje=5000&score_frietuurtje=0

When we send this request we get the response ‘Well done! The flag is brixelCTF{bakpau}’
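The request is accepted because the 0-5 limit only exists in the browser. A server-side check along these lines would reject the tampered body; this is an added example, not the challenge's code, using the field names from the request above and assuming every ballot must carry each field exactly once.

```javascript
// Field names come from the intercepted request body; 0-5 is the range the
// voting page offers.
const BALLOT_FIELDS = ['score_bammens', 'score_omejan', 'score_fontainas',
  'score_tpleintje', 'score_frietuurtje'];
const MIN_SCORE = 0;
const MAX_SCORE = 5;

// Validate a raw application/x-www-form-urlencoded body.
// Returns { ok: true, scores } or { ok: false, errors }.
function validateBallot(rawBody) {
  const params = new URLSearchParams(rawBody);
  const errors = [];
  const scores = {};

  // Reject fields the form never sends.
  for (const name of new Set(params.keys())) {
    if (!BALLOT_FIELDS.includes(name)) errors.push(`unexpected field: ${name}`);
  }

  for (const field of BALLOT_FIELDS) {
    // getAll() exposes repeated parameters, which get() would silently hide.
    const values = params.getAll(field);
    if (values.length !== 1) {
      errors.push(`${field}: expected exactly one value, got ${values.length}`);
      continue;
    }
    // Plain decimal digits only: no sign, decimals, exponent, hex or whitespace.
    if (!/^[0-9]+$/.test(values[0])) {
      errors.push(`${field}: not a plain non-negative integer`);
      continue;
    }
    const score = Number(values[0]);
    if (score < MIN_SCORE || score > MAX_SCORE) {
      errors.push(`${field}: ${score} is outside ${MIN_SCORE}-${MAX_SCORE}`);
      continue;
    }
    scores[field] = score;
  }
  return errors.length > 0 ? { ok: false, errors } : { ok: true, scores };
}

// The body sent from Burp in the writeup, and a constructed in-range ballot.
const TAMPERED = 'score_bammens=0&score_omejan=0&score_fontainas=0&score_tpleintje=5000&score_frietuurtje=0';
const IN_RANGE = 'score_bammens=0&score_omejan=0&score_fontainas=0&score_tpleintje=5&score_frietuurtje=0';

console.log(validateBallot(TAMPERED));
console.log(validateBallot(IN_RANGE));
```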


Flat earth

Category: Internet

Description:
These idiots… I heard there is a rally of flat earth believers tomorrow
We should access their admin panel and stop that rally from happening!

Solution:

This is the home page of some flat earth community.

No visible links on the page. Let's take a look at the source.

<html>
<title>Flat Earth Believers</title>
<body bgcolor="#000000" text="white">
	<div align="center"><h1>The earth is flat!</h1></div>
	<hr>
	<div align="center">
		<p>Ever since that Greek idiot Eratosthenes claimed that the earth is round, we have been living in a lie.</p>
		<p><img src="images/ATuin.jpg" alt="flat earth"></p>
		<p>The earth is not round! It is a flat disk set on top of a turtle travelling trough space!</p>
		<p>We believe that the government is actively trying to hide this great truth from us by sending us pictures from <b>their OWN</b> so called 'space administration' or 'nasa'</p>
		<p>Therefor we must unite against the government! Join our protests that are taking place all around the globe.</p>
		<br>
		<p>Next protest:</p>
		<p><script type="text/javascript">var tomorrow = new Date();tomorrow.setDate(tomorrow.getDate() + 1);document.write(tomorrow.toLocaleDateString("nl-NL"));</script></p>
		<p>Joe's warehouse on 11th street, Hoboken New Jersey</p>
		<br><br>
		<p><a href="admin.php"><font color="#000000">administration</font></a></p>
	</div>
</body>
</html>

Here we can find a link to admin.php, which is “hidden” by changing the color to the same as the background.

Let's check out admin.php.

A basic login form. Entering some values for the username and password we get the following message.

Let's check for SQLi.

Looks like it might be vulnerable to SQLi! Let's try a basic SQLi to bypass the login form.

It worked and we got the flag brixelCTF{aroundtheglobe}


Hiding in the background

Category: Internet

Description:
Like our CTF homepage?
There is a little secret hiding in (or rather behind) the background

Solution:

Let's head back to the CTF homepage and take a look at the background properties.

So the background is an SVG image. Let's download that and see if there’s something interesting in the file.

Searching for brixelCTF in the file gets us to this part.

<text
       xml:space="preserve"
       style="font-style:normal;font-weight:normal;font-size:10.5833px;line-height:1.25;font-family:sans-serif;fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.264583"
       x="62.649639"
       y="138.42255"
       id="text1434"><tspan
         sodipodi:role="line"
         id="tspan1432"
         x="62.649639"
         y="138.42255"
         style="fill:#000000;fill-opacity:1;stroke-width:0.264583">brixelCTF{happy_holidays}</tspan></text>

Flag: brixelCTF{happy_holidays}


login5

Category: Internet

Description:
Ok, THIS time it should be fine! if you find this one he is going to quit trying.

Solution:

If we take a look at the javascript this time, we can see that it’s obfuscated.

<script type="text/javascript">
var _0x2c58=['getElementById','Incorrect\x20password','Password\x20Verified','length','substr','the_password','abcdefghijklmnopqrstuvwxyz1234567890!{}'];(function(_0x47871f,_0x1326ab){var _0x2c58be=function(_0x58abc9){while(--_0x58abc9){_0x47871f['push'](_0x47871f['shift']());}};_0x2c58be(++_0x1326ab);}(_0x2c58,0x91));var _0x58ab=function(_0x47871f,_0x1326ab){_0x47871f=_0x47871f-0x192;var _0x2c58be=_0x2c58[_0x47871f];return _0x2c58be;};function verify(){var _0x41653e=_0x58ab;password=document[_0x41653e(0x194)](_0x41653e(0x192))['value'],alphabet=_0x41653e(0x193),newpassword=alphabet[_0x41653e(0x198)](0x1,0x1),newpassword=newpassword+alphabet[_0x41653e(0x198)](0x11,0x1),newpassword=newpassword+alphabet[_0x41653e(0x198)](0x8,0x1),newpassword=newpassword+alphabet['substr'](0x17,0x1),newpassword=newpassword+alphabet[_0x41653e(0x198)](0x4,0x1),newpassword=newpassword+alphabet[_0x41653e(0x198)](0xb,0x1),newpassword=newpassword+alphabet[_0x41653e(0x198)](0x2,0x1),newpassword=newpassword+alphabet[_0x41653e(0x198)](0x13,0x1),newpassword=newpassword+alphabet[_0x41653e(0x198)](0x5,0x1),newpassword=newpassword+alphabet[_0x41653e(0x198)](alphabet[_0x41653e(0x197)]-0x2,0x1),newpassword=newpassword+alphabet['substr'](alphabet[_0x41653e(0x197)]-0x4,0x1),newpassword=newpassword+alphabet[_0x41653e(0x198)](0x1,0x1),newpassword=newpassword+alphabet[_0x41653e(0x198)](0x5,0x1),newpassword=newpassword+alphabet['substr'](0x14,0x1),newpassword=newpassword+alphabet[_0x41653e(0x198)](0x12,0x1),newpassword=newpassword+alphabet[_0x41653e(0x198)](0x2,0x1),newpassword=newpassword+alphabet['substr'](0x0,0x1),newpassword=newpassword+alphabet[_0x41653e(0x198)](0x13,0x1),newpassword=newpassword+alphabet[_0x41653e(0x198)](0x8,0x1),newpassword=newpassword+alphabet[_0x41653e(0x198)](alphabet[_0x41653e(0x197)]-0x4,0x1),newpassword=newpassword+alphabet[_0x41653e(0x198)](0xd,0x1),newpassword=newpassword+alphabet['substr'](alphabet[_0x41653e(0x197)]-0x1,0x1),password==newpassword?alert(_0x41653e(0x196)):alert(_0x41653e(0x195));}
</script>

Let's pretty-print this code to make it easier to read.

var _0x2c58 = ['getElementById', 'Incorrect\x20password', 'Password\x20Verified', 'length', 'substr', 'the_password', 'abcdefghijklmnopqrstuvwxyz1234567890!{}'];
(function(_0x47871f, _0x1326ab) {
    var _0x2c58be = function(_0x58abc9) {
        while (--_0x58abc9) {
            _0x47871f['push'](_0x47871f['shift']());
        }
    };
    _0x2c58be(++_0x1326ab);
}(_0x2c58, 0x91));
var _0x58ab = function(_0x47871f, _0x1326ab) {
    _0x47871f = _0x47871f - 0x192;
    var _0x2c58be = _0x2c58[_0x47871f];
    return _0x2c58be;
};

function verify() {
    var _0x41653e = _0x58ab;
    password = document[_0x41653e(0x194)](_0x41653e(0x192))['value'], alphabet = _0x41653e(0x193), newpassword = alphabet[_0x41653e(0x198)](0x1, 0x1), newpassword = newpassword + alphabet[_0x41653e(0x198)](0x11, 0x1), newpassword = newpassword + alphabet[_0x41653e(0x198)](0x8, 0x1), newpassword = newpassword + alphabet['substr'](0x17, 0x1), newpassword = newpassword + alphabet[_0x41653e(0x198)](0x4, 0x1), newpassword = newpassword + alphabet[_0x41653e(0x198)](0xb, 0x1), newpassword = newpassword + alphabet[_0x41653e(0x198)](0x2, 0x1), newpassword = newpassword + alphabet[_0x41653e(0x198)](0x13, 0x1), newpassword = newpassword + alphabet[_0x41653e(0x198)](0x5, 0x1), newpassword = newpassword + alphabet[_0x41653e(0x198)](alphabet[_0x41653e(0x197)] - 0x2, 0x1), newpassword = newpassword + alphabet['substr'](alphabet[_0x41653e(0x197)] - 0x4, 0x1), newpassword = newpassword + alphabet[_0x41653e(0x198)](0x1, 0x1), newpassword = newpassword + alphabet[_0x41653e(0x198)](0x5, 0x1), newpassword = newpassword + alphabet['substr'](0x14, 0x1), newpassword = newpassword + alphabet[_0x41653e(0x198)](0x12, 0x1), newpassword = newpassword + alphabet[_0x41653e(0x198)](0x2, 0x1), newpassword = newpassword + alphabet['substr'](0x0, 0x1), newpassword = newpassword + alphabet[_0x41653e(0x198)](0x13, 0x1), newpassword = newpassword + alphabet[_0x41653e(0x198)](0x8, 0x1), newpassword = newpassword + alphabet[_0x41653e(0x198)](alphabet[_0x41653e(0x197)] - 0x4, 0x1), newpassword = newpassword + alphabet[_0x41653e(0x198)](0xd, 0x1), newpassword = newpassword + alphabet['substr'](alphabet[_0x41653e(0x197)] - 0x1, 0x1), password == newpassword ? alert(_0x41653e(0x196)) : alert(_0x41653e(0x195));
}

So we got some functions and some variables. In the verify function it seems that the correct password is built up piece by piece and stored in the newpassword variable.

Let's rewrite the code a bit so we can access the newpassword variable.

var _0x2c58 = ['getElementById', 'Incorrect\x20password', 'Password\x20Verified', 'length', 'substr', 'the_password', 'abcdefghijklmnopqrstuvwxyz1234567890!{}'];
(function(_0x47871f, _0x1326ab) {
    var _0x2c58be = function(_0x58abc9) {
        while (--_0x58abc9) {
            _0x47871f['push'](_0x47871f['shift']());
        }
    };
    _0x2c58be(++_0x1326ab);
}(_0x2c58, 0x91));
var _0x58ab = function(_0x47871f, _0x1326ab) {
    _0x47871f = _0x47871f - 0x192;
    var _0x2c58be = _0x2c58[_0x47871f];
    return _0x2c58be;
};

password = document[_0x58ab(0x194)](_0x58ab(0x192))['value'], alphabet = _0x58ab(0x193), newpassword = alphabet[_0x58ab(0x198)](0x1, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x11, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x8, 0x1), newpassword = newpassword + alphabet['substr'](0x17, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x4, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0xb, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x2, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x13, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x5, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](alphabet[_0x58ab(0x197)] - 0x2, 0x1), newpassword = newpassword + alphabet['substr'](alphabet[_0x58ab(0x197)] - 0x4, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x1, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x5, 0x1), newpassword = newpassword + alphabet['substr'](0x14, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x12, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x2, 0x1), newpassword = newpassword + alphabet['substr'](0x0, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x13, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x8, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](alphabet[_0x58ab(0x197)] - 0x4, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0xd, 0x1), newpassword = newpassword + alphabet['substr'](alphabet[_0x58ab(0x197)] - 0x1, 0x1), password == newpassword ? alert(_0x58ab(0x196)) : alert(_0x58ab(0x195));

Running this and reading the newpassword variable gives us the flag brixelctf{0bfuscati0n}
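The same recovery can be done statically in Node.js, without a browser or the DOM. This is an added example, not part of the challenge or of the original writeup: the function names are my own, and the string table, seed, offset and statement are copied from the script above.

```javascript
// String table, rotation seed and lookup offset copied from the challenge script above.
const TABLE = ['getElementById', 'Incorrect\x20password', 'Password\x20Verified', 'length', 'substr', 'the_password', 'abcdefghijklmnopqrstuvwxyz1234567890!{}'];
const SEED = 0x91;   // second argument of the rotation IIFE
const BASE = 0x192;  // value subtracted inside _0x58ab

// The rewritten statement from above, kept as text so it is never executed.
const STATEMENT = `password = document[_0x58ab(0x194)](_0x58ab(0x192))['value'], alphabet = _0x58ab(0x193), newpassword = alphabet[_0x58ab(0x198)](0x1, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x11, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x8, 0x1), newpassword = newpassword + alphabet['substr'](0x17, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x4, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0xb, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x2, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x13, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x5, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](alphabet[_0x58ab(0x197)] - 0x2, 0x1), newpassword = newpassword + alphabet['substr'](alphabet[_0x58ab(0x197)] - 0x4, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x1, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x5, 0x1), newpassword = newpassword + alphabet['substr'](0x14, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x12, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x2, 0x1), newpassword = newpassword + alphabet['substr'](0x0, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x13, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0x8, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](alphabet[_0x58ab(0x197)] - 0x4, 0x1), newpassword = newpassword + alphabet[_0x58ab(0x198)](0xd, 0x1), newpassword = newpassword + alphabet['substr'](alphabet[_0x58ab(0x197)] - 0x1, 0x1), password == newpassword ? alert(_0x58ab(0x196)) : alert(_0x58ab(0x195));`;

// The IIFE calls its loop with ++seed and runs `while (--n)`, which performs
// exactly `seed` push(shift()) steps: a left rotation by seed mod length.
function rotateTable(table, seed) {
  const k = seed % table.length;
  return table.slice(k).concat(table.slice(0, k));
}

// Replace every lookup call such as _0x58ab(0x198) with the string it returns.
function inlineLookups(source, lookupName, rotated, base) {
  const escaped = lookupName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const call = new RegExp(escaped + '\\((0x[0-9a-f]+)\\)', 'gi');
  return source.replace(call, (whole, hex) => {
    const value = rotated[parseInt(hex, 16) - base];
    return value === undefined ? whole : JSON.stringify(value);
  });
}

// Evaluate the chain of alphabet.substr(index, 1) terms from the readable text.
function rebuildPassword(readable) {
  const found = readable.match(/alphabet = ("[^"]*")/);
  if (!found) throw new Error('alphabet assignment not found');
  const alphabet = JSON.parse(found[1]);
  const term = /alphabet\[["']substr["']\]\(([^,]+), 0x1\)/g;
  let password = '';
  for (const m of readable.matchAll(term)) {
    const arg = m[1].trim();
    const fromEnd = arg.match(/^alphabet\[["']length["']\] - (0x[0-9a-f]+)$/i);
    let index;
    if (/^0x[0-9a-f]+$/i.test(arg)) index = parseInt(arg, 16);
    else if (fromEnd) index = alphabet.length - parseInt(fromEnd[1], 16);
    else throw new Error('unrecognised index expression: ' + arg);
    password += alphabet.charAt(index);
  }
  return password;
}

function recoverPassword() {
  const rotated = rotateTable(TABLE, SEED);
  return rebuildPassword(inlineLookups(STATEMENT, '_0x58ab', rotated, BASE));
}

console.log(recoverPassword());
```
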


Dadjokes

Category: Internet

Description:
Darn! Some idiot scriptkiddy broke my favorite website full of dad jokes!
I can’t seem to contact the owner to fix the site
Can you bring it back and remove the defaced page?

Solution:

All we can see when entering the page is a defaced page.

If we take a look at the source we find a comment leading us to the original page.

<html>
<title>Haxx0red!</title>
<body bgcolor="#000000" text="green">
<div align="center">
	<h1>This site has been hacked!</h1>
	<hr>
	<p><img style='display:block; width:400px;height:400px;' id='base64image' src=' data:image/jpeg;base64,<REDACTED>'/></p>
	<br>
	<p>This site has been hacked by the m4st3r 0f d1ss4st3r</p>
	<p>Shoutout to my scriptkidz friends dr.d00m and blazingLaser</p>
</div>
</body>
	<!-- Hey bozo! I left your original index file under index_backup.html so you can see how your site looked before I used my l33t skillz to deface it. -->
</html>

Let's check the index_backup.html page.

Looks like this is the original page. Let's find out how the site got defaced and try to restore it.

On the submit page we have a form where we can enter our own joke.

When pressing submit we get a confirmation page.

If we check the URL we can see that it also contains a file name.

http://timesink.be/dadjokes/jokes/submit.php?filename=test.txt&title=test&content=test

So we might be able to overwrite the index.html page with the contents of the index_backup.html using this form. In the YES link we can see that we have another parameter added to the URL.

http://timesink.be/dadjokes/jokes/submit.php?filename=test.txt&title=test&content=test&submit=true

Let's try to create a request to restore the page. First we need to get the source of the index_backup.html file.

<html><title>DadJokes, your source of lame dad jokes</title><body><div align="center"><h1>DadJokes</h1><hr><img src="images/banner.png" alt="dadjokes"><br><br><a href="jokes/read.php">Read dad jokes</a><br><br><a href="jokes/submit.php">submit your own jokes</a></div></html>

And to be able to submit this, we need to URL encode it.

%3Chtml%3E%3Ctitle%3EDadJokes%2C%20your%20source%20of%20lame%20dad%20jokes%3C%2Ftitle%3E%3Cbody%3E%3Cdiv%20align%3D%22center%22%3E%3Ch1%3EDadJokes%3C%2Fh1%3E%3Chr%3E%3Cimg%20src%3D%22images%2Fbanner.png%22%20alt%3D%22dadjokes%22%3E%3Cbr%3E%3Cbr%3E%3Ca%20href%3D%22jokes%2Fread.php%22%3ERead%20dad%20jokes%3C%2Fa%3E%3Cbr%3E%3Cbr%3E%3Ca%20href%3D%22jokes%2Fsubmit.php%22%3Esubmit%20your%20own%20jokes%3C%2Fa%3E%3C%2Fdiv%3E%3C%2Fhtml%3E

Now we can replace the filename parameter and the content parameter in the request.

http://timesink.be/dadjokes/jokes/submit.php?filename=../index.html&title=test&content=%3Chtml%3E%3Ctitle%3EDadJokes%2C%20your%20source%20of%20lame%20dad%20jokes%3C%2Ftitle%3E%3Cbody%3E%3Cdiv%20align%3D%22center%22%3E%3Ch1%3EDadJokes%3C%2Fh1%3E%3Chr%3E%3Cimg%20src%3D%22images%2Fbanner.png%22%20alt%3D%22dadjokes%22%3E%3Cbr%3E%3Cbr%3E%3Ca%20href%3D%22jokes%2Fread.php%22%3ERead%20dad%20jokes%3C%2Fa%3E%3Cbr%3E%3Cbr%3E%3Ca%20href%3D%22jokes%2Fsubmit.php%22%3Esubmit%20your%20own%20jokes%3C%2Fa%3E%3C%2Fdiv%3E%3C%2Fhtml%3E&submit=true

When sending this request we get the message ‘Congratulations, the flag is brixelCTF{lamejoke}’


Pathfinders #1

Category: Internet

Description:
These f*cking religious sects!
These guys brainwashed my niece into their demented world of i-readings and other such nonsense.
The feds recently closed their churches, but it seems they are preparing for a new online platform to continue their malicious activities.
can you gain access to their admin panel to shut them down?

Solution:

We need to gain access to the admin panel for this religious sect.

When we try to access the admin page we get a basic auth prompt, so there’s probably a .htaccess file in the admin directory. Let's take a look at the URL.

http://timesink.be/pathfinder/index.php?page=home.php

It looks like the index.php script includes whatever file is named in the page parameter. Let's see if we can include the index.php in the admin directory.

Ok, so we’re on the right track. Let's check out the .htaccess file.

AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /home/cfromage/domains/epsilom/public_html/pathfinder/admin/.htpasswd
AuthName "Admin only!"
require valid-user
ErrorDocument 401 "Unauthorized Access"

Great! Now we need to check the .htpasswd file.

#normally you would brute force this, but that is not in scope of this challenge. The flag is: brixelCTF{unsafe_include}
admin:$apr1$941ydmlw$aPUW.gCFcvUbIcP0ptVQF0

So the flag is brixelCTF{unsafe_include}


Pathfinders #2

Category: Internet

Description:
It seems they updated their security. can you get the password for their admin section on their new site?
oh yeah, let’s assume they are running a php version below 5.3.4 here…

Solution:

Ok, so now the pathfinders site is upgraded. When we try to access the .htpasswd file with the previous technique we get the message ‘file not ending in .php, terminating.’

So we need to trick the script into thinking that the requested filename ends in .php while still reading the .htpasswd file. Let's try adding a null byte after .htpasswd, followed by the .php extension. PHP versions below 5.3.4 pass the path on to the underlying C file functions, which stop reading at the null byte, so the extension check sees .php but the file that gets opened is .htpasswd.

http://timesink.be/pathfinder2/index.php?page=admin/.htpasswd.php%00.php

Sending this request gives us the message ‘Great work! the flag is brixelCTF{outdated_php}’
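Dadjokes and both Pathfinders challenges come down to a request parameter being used directly as a file path. The following added example (a Node.js sketch, not the challenges' PHP code, which is not shown on this page) confines such a value to one directory and an extension allowlist and rejects null bytes; the directory layout and function names are assumptions.

```javascript
const path = require('path');

// Hypothetical layout: submitted jokes are written under JOKES_DIR and
// includable pages live in their own PAGES_DIR, away from admin files.
const JOKES_DIR = '/srv/dadjokes/jokes/data';
const PAGES_DIR = '/srv/pathfinder/pages';

// Returns { ok: true, path } only when `name` stays inside baseDir and
// carries an allowed extension; otherwise { ok: false, reason }.
function confine(baseDir, name, allowedExts) {
  if (typeof name !== 'string' || name.length === 0) {
    return { ok: false, reason: 'empty name' };
  }
  // Reject NUL outright instead of relying on the runtime to handle it.
  if (name.includes('\0')) {
    return { ok: false, reason: 'NUL byte' };
  }
  const base = path.resolve(baseDir);
  const target = path.resolve(base, name);   // collapses ../ and absolute names
  const rel = path.relative(base, target);
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    return { ok: false, reason: 'outside base directory' };
  }
  // Check the extension of the resolved path, not of the raw input.
  if (!allowedExts.includes(path.extname(target).toLowerCase())) {
    return { ok: false, reason: 'extension not allowed' };
  }
  // A real service would also compare fs.realpath() results to catch symlinks.
  return { ok: true, path: target };
}

// Parameter values taken from the URLs on this page, decoded as a server would.
function auditPageRequests() {
  const nullByte = decodeURIComponent('admin/.htpasswd.php%00.php');
  return {
    jokeNormal: confine(JOKES_DIR, 'test.txt', ['.txt']),
    jokeTraversal: confine(JOKES_DIR, '../index.html', ['.txt']),
    pageNormal: confine(PAGES_DIR, 'home.php', ['.php']),
    pageHtpasswd: confine(PAGES_DIR, 'admin/.htpasswd', ['.php']),
    pageNullByte: confine(PAGES_DIR, nullByte, ['.php']),
  };
}

console.log(auditPageRequests());
```
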


Cookieee!

Category: Reverse engineering / cracking

Description:
This stupid cookie clicker game…
Legend has it there is a reward when you reach 10000000 or more clicks
Can you think of a way to get that many clicks?

Solution:

After extracting the game, we can see that it is a Unity game written in C#. So we should be able to decompile the Assembly-CSharp.dll file to get the source code for the game.

Opening the dll in dnSpy we find a script called endGameScript. Here we find some interesting things.

// endGameScript
// Token: 0x04000003 RID: 3
private string alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 =.{}!";

private void Start()
{
	GameObject.Find("endGame").GetComponent<Text>().text = string.Concat(new string[]
	{
		this.alphabet.Substring(28, 1),
		this.alphabet.Substring(14, 1),
		this.alphabet.Substring(13, 1),
		this.alphabet.Substring(6, 1),
		this.alphabet.Substring(17, 1),
		this.alphabet.Substring(0, 1),
		this.alphabet.Substring(19, 1),
		this.alphabet.Substring(20, 1),
		this.alphabet.Substring(11, 1),
		this.alphabet.Substring(0, 1),
		this.alphabet.Substring(19, 1),
		this.alphabet.Substring(8, 1),
		this.alphabet.Substring(14, 1),
		this.alphabet.Substring(13, 1),
		this.alphabet.Substring(18, 1),
		this.alphabet.Substring(67, 1),
		this.alphabet.Substring(62, 1),
		this.alphabet.Substring(31, 1),
		this.alphabet.Substring(11, 1),
		this.alphabet.Substring(0, 1),
		this.alphabet.Substring(6, 1),
		this.alphabet.Substring(62, 1),
		this.alphabet.Substring(63, 1),
		this.alphabet.Substring(62, 1),
		this.alphabet.Substring(1, 1),
		this.alphabet.Substring(17, 1),
		this.alphabet.Substring(8, 1),
		this.alphabet.Substring(23, 1),
		this.alphabet.Substring(4, 1),
		this.alphabet.Substring(11, 1),
		this.alphabet.Substring(28, 1),
		this.alphabet.Substring(45, 1),
		this.alphabet.Substring(31, 1),
		this.alphabet.Substring(65, 1),
		this.alphabet.Substring(12, 1),
		this.alphabet.Substring(55, 1),
		this.alphabet.Substring(12, 1),
		this.alphabet.Substring(52, 1),
		this.alphabet.Substring(17, 1),
		this.alphabet.Substring(24, 1),
		this.alphabet.Substring(66, 1)
	});
}

It looks like the flag is being created from the alphabet string. Let's write a small program to generate the flag for us.

using System;

namespace Decoder
{
    class Program
    {
        static void Main(string[] args)
        {
            var alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 =.{}!";
            var flag = string.Concat(new string[]
	            {
		            alphabet.Substring(28, 1),
		            alphabet.Substring(14, 1),
		            alphabet.Substring(13, 1),
		            alphabet.Substring(6, 1),
		            alphabet.Substring(17, 1),
		            alphabet.Substring(0, 1),
		            alphabet.Substring(19, 1),
		            alphabet.Substring(20, 1),
		            alphabet.Substring(11, 1),
		            alphabet.Substring(0, 1),
		            alphabet.Substring(19, 1),
		            alphabet.Substring(8, 1),
		            alphabet.Substring(14, 1),
		            alphabet.Substring(13, 1),
		            alphabet.Substring(18, 1),
		            alphabet.Substring(67, 1),
		            alphabet.Substring(62, 1),
		            alphabet.Substring(31, 1),
		            alphabet.Substring(11, 1),
		            alphabet.Substring(0, 1),
		            alphabet.Substring(6, 1),
		            alphabet.Substring(62, 1),
		            alphabet.Substring(63, 1),
		            alphabet.Substring(62, 1),
		            alphabet.Substring(1, 1),
		            alphabet.Substring(17, 1),
		            alphabet.Substring(8, 1),
		            alphabet.Substring(23, 1),
		            alphabet.Substring(4, 1),
		            alphabet.Substring(11, 1),
		            alphabet.Substring(28, 1),
		            alphabet.Substring(45, 1),
		            alphabet.Substring(31, 1),
		            alphabet.Substring(65, 1),
		            alphabet.Substring(12, 1),
		            alphabet.Substring(55, 1),
		            alphabet.Substring(12, 1),
		            alphabet.Substring(52, 1),
		            alphabet.Substring(17, 1),
		            alphabet.Substring(24, 1),
		            alphabet.Substring(66, 1)
	            });
            Console.WriteLine(flag);
        }
    }
}

When running this program we get the output ‘Congratulations! Flag = brixelCTF{m3m0ry}’


no peeking!

Category: Reverse engineering / cracking

Description:
Hidden inside this exe file is a flag
Up to you to find it

Solution:

This is a .NET program, so we can use dnSpy to decompile this. Taking a look at the Form1.cs file we find a method called showFlag.

public object showFlag()
{
	Interaction.MsgBox("Hey, stop looking at my innards!", MsgBoxStyle.OkOnly, null);
	Interaction.MsgBox("The flag is brixelCTF{d0tP33K}", MsgBoxStyle.OkOnly, null);
	Interaction.MsgBox("Happy holidays!", MsgBoxStyle.OkOnly, null);
	return true;
}

The flag is brixelCTF{d0tP33K}


registerme.exe

Category: Reverse engineering / cracking

Description:
This program needs to be activated
Can you figure out how to do it?

Solution:

This is a VB6 program, so we can’t just decompile or disassemble it to find out how to activate it. Let's see what we get when we run the program.

Not much here. Let's find the location of the NOT REGISTERED! string and see what we can find out.

Here we can see the strings REGISTERED! and NOT REGISTERED!, and we can also see the string activation.key.

Let's create a file with that name in the same directory as the program and see what happens.

Success! We get the flag brixelCTF{f1l34cc3ss}


android app

Category: Reverse engineering / cracking

Description:
This little android app requires a password, can you find it?
the flag is the password

Solution:

Since this is an android application we can decompile it with Bytecode Viewer. After doing this we can find three screens in the application. Inspecting those screens we find out that Screen1 is the main screen, Screen2 is the correct message screen and Screen3 is the invalid message screen.

Let's find out where Screen1 tries to switch the screen to either Screen2 or Screen3. In Screen1 we can find the following method.

public Object Button1$Click() {
      runtime.setThisForm();
      Object var1;
      if (runtime.callYailPrimitive(runtime.yail$Mnequal$Qu, LList.list2(runtime.getProperty$1(Lit23, Lit18), "brixelCTF{th3_4ndr0ids_y0u_4r3_l00k1ng_f0r}"), Lit30, "=") != Boolean.FALSE) {
         var1 = runtime.callYailPrimitive(runtime.open$Mnanother$Mnscreen, LList.list1("Screen2"), Lit31, "open another screen");
      } else {
         var1 = runtime.callYailPrimitive(runtime.open$Mnanother$Mnscreen, LList.list1("Screen3"), Lit32, "open another screen");
      }

      return var1;
   }

So the flag is brixelCTF{th3_4ndr0ids_y0u_4r3_l00k1ng_f0r}


punch card

Category: Old Tech

Description:
I found this old punchcard
it seems to be classified
can you figure out what’s on there?

Solution:

So we got an image of a punch card that we should figure out the contents of.

For this we need a punch card emulator, and when entering enough of the holes in the emulator we get this text.

The flag is BRIXELCTF(M41NFR4M3)


Goodbye old friend

Category: Old Tech

Description:
On 31/12/2020 support for flash will end
Therefore we made you a farewell animation
Can you get the flag?
Beware headphone users! the music is loud.

Solution:

Here we have a Flash animation, so let's decompile it with JPEXS. After looking through the texts in the file we find this.

The flag is brixelCTF{n0_m0r3_5upp0rt}


The tape

Category: Old Tech

Description:
I found this cassette tape from the ’80s. I bet it has some cool games on it or something.
Better start looking for someone who grew up in that era… 🙂

Solution:

For this challenge we get an audio file called CTF-TAPe.wav. Since the TAP format is used for the C64, let's try to convert this into a TAP file with WAV-PRG. Once the WAV file is converted to a TAP file we can open it with a C64 emulator like VICE. When we run it we get the following.

The flag is BASIC


Sea code

Category: Cryptography

Description:
beep beep beeeep…
This one should be fairly straight forward

Solution:

For this challenge we get a recording of some Morse code. Let's use a Morse decoder to find out the message.

The flag is SEAGULL


Merde

Category: Cryptography

Description:
A french messenger was caught during the war
He was carrying a piece of paper that read: Vvr ktdk vl jvtzsyHBI{fnzcievs}
Upon torturing the messenger for an explanation, he only shouted ‘confidentiel’!!!
Too bad he died, I bet something good was in that message 😦

Solution:

This is probably a Vigenère cipher since he was French. If we decrypt the ciphertext with the key confidentiel we get the text ‘The flag is brixelCTF{baguette}’


Merda

Category: Cryptography

Description:
An Italian messenger was caught during the war
He was carrying a piece of paper that read: ymj kqfl nx gwncjqHYK{uneefsfutqn}
Upon torturing the messenger for an explanation, he gestured a V with his fingers. The English guard took it as an insult and killed him right on the spot.
Maybe he just wanted some peace?

Solution:

Ok, so this is probably a Caesar cipher with shift 5. When we decrypt the ciphertext we get the text ‘the flag is brixelCTF{pizzanapoli}’
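Both Merde and Merda can be decrypted with one routine, because a Caesar cipher is a Vigenère cipher with a one-letter key. This is an added example, not part of the original writeup; the function names are my own, and the ciphertexts and key are the ones from the two challenge descriptions.

```javascript
// Decrypt a Vigenère ciphertext. Only letters consume a key position;
// spaces, braces and other characters pass through unchanged, and the
// case of each ciphertext letter is preserved.
function vigenereDecrypt(ciphertext, key) {
  const shifts = [...key.toLowerCase()]
    .filter((c) => c >= 'a' && c <= 'z')
    .map((c) => c.charCodeAt(0) - 97);
  if (shifts.length === 0) throw new Error('key needs at least one letter');

  let used = 0;   // number of key letters consumed so far
  let out = '';
  for (const ch of ciphertext) {
    const code = ch.charCodeAt(0);
    let base = -1;
    if (code >= 65 && code <= 90) base = 65;         // A-Z
    else if (code >= 97 && code <= 122) base = 97;   // a-z
    if (base < 0) {
      out += ch;
      continue;
    }
    const shift = shifts[used % shifts.length];
    used += 1;
    out += String.fromCharCode(base + ((code - base - shift + 26) % 26));
  }
  return out;
}

// A Caesar cipher with shift n is Vigenère with the single key letter
// at alphabet position n (5 gives 'f').
function caesarDecrypt(ciphertext, shift) {
  const normalized = ((shift % 26) + 26) % 26;
  return vigenereDecrypt(ciphertext, String.fromCharCode(97 + normalized));
}

console.log(vigenereDecrypt('Vvr ktdk vl jvtzsyHBI{fnzcievs}', 'confidentiel'));
console.log(caesarDecrypt('ymj kqfl nx gwncjqHYK{uneefsfutqn}', 5));
```
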


shit

Category: Cryptography

Description:
A messenger droid was caught during the intergalactic war
Upon investigating his memory banks, we found this message:

MDExMTAxMDAgMDExMDEwMDAgMDExMDAxMDEgMDAxMDAwMDAgMDExMDAxMTAgMDExMDExMDAgMDExMDAwMDEgMDExMDAxMTEgMDAxMDAwMDAgMDExMDEwMDEgMDExMTAwMTEgMDAxMDAwMDAgMDExMDAwMTAgMDExMTAwMTAgMDExMDEwMDEgMDExMTEwMDAgMDExMDAxMDEgMDExMDExMDAgMDEwMDAwMTEgMDEwMTAxMDAgMDEwMDAxMTAgMDExMTEwMTEgMDExMTAwMTAgMDExMDExMTEgMDExMDAwMTAgMDExMDExMTEgMDExMDAwMTEgMDExMDExMTEgMDExMTAwMDAgMDExMTExMDE=

We are lucky we found him, he was only 64 parsecs from his base

Solution:

Here we have a Base64-encoded message. If we decode it we get the following.

01110100 01101000 01100101 00100000 01100110 01101100 01100001 01100111 00100000 01101001 01110011 00100000 01100010 01110010 01101001 01111000 01100101 01101100 01000011 01010100 01000110 01111011 01110010 01101111 01100010 01101111 01100011 01101111 01110000 01111101

When decoding this from binary we get the text ‘the flag is brixelCTF{robocop}’


Scheiße

Category: Cryptography

Description:
A german messenger was caught during WW2
He was carrying a piece of paper that read: qbhbh zrmua gfbld ocqbv
He was nice enough to give us all we wanted, except the decoded message, he needs a special machine for that, and we don’t have it.
He DID give us the settings for the machine.
The settings for this machine are:
Model: G-312
Reflector: UKW 11/26
Rotor 1: 2/12/6
Rotor 2: 1/17/16
Rotor 3: 3/12/1
The flag is ONE word, no spaces.

Solution:

So this message is most probably encrypted with an Enigma machine. So we need to use an Enigma decoder and set up the machine with the settings provided.

Now we get the text ‘der flag ist sauerkraut’


flawed

Category: Cryptography

Description:
Our l33t hackers hacked a bulletin board and gained access to the database. We need to find the admin password.
The user’s database info is:
Username:admin
Passwordhash:d269ce15f9c44bc3992a5f4e5f273e06
The flag is the plaintext password

Solution:

This looks like an MD5 hash. Let's try to do a reverse lookup for the hash and see if we can find anything.

The MD5 hash:
d269ce15f9c44bc3992a5f4e5f273e06
was succesfully reversed into the string:
notsecure 

The flag is notsecure


Don’t be salty

Category: Cryptography

Description:
Our l33t hackers hacked a bulletin board and gained access to the database. We need to find the admin password.
The user’s database info is:
Username:admin
Passwordhash:2bafea54caf6f8d718be0f234793a9be
Salt:04532@#!!
We know from the source code that the salt is put AFTER the password, then hashed. We also know the user likes to use lowercase passwords of only 5 characters long.
The flag is the plaintext password.

Solution:

Now we have a salted MD5 hash, so we need to brute force it to get the password. Using hashcat with the md5($pass.$salt) mode and setting the length of the password to 5 characters we get the following output.

2bafea54caf6f8d718be0f234793a9be:04532@#!!:brute

Flag: brute
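Why the salt does not help here: it is known, and five lowercase letters give only 26^5 = 11,881,376 candidates at one MD5 each. The sketch below is an added example (not hashcat and not part of the original writeup) with function names of my own; its demonstration target is constructed from a three-letter password so that it finishes instantly.

```javascript
const crypto = require('crypto');

function md5Hex(text) {
  return crypto.createHash('md5').update(text, 'utf8').digest('hex');
}

// Worst-case number of candidates for a fixed length and alphabet.
function keyspace(alphabet, length) {
  return alphabet.length ** length;
}

// Enumerate every candidate of the given length like an odometer and
// compare md5(candidate + salt) with the target, as the challenge describes
// (salt appended AFTER the password).
function searchSalted(targetHex, salt, length, alphabet = 'abcdefghijklmnopqrstuvwxyz') {
  const target = targetHex.toLowerCase();
  const digits = new Array(length).fill(0);
  let tried = 0;
  while (true) {
    const candidate = digits.map((d) => alphabet[d]).join('');
    tried += 1;
    if (md5Hex(candidate + salt) === target) {
      return { password: candidate, tried };
    }
    // Advance the odometer; when the leftmost digit wraps, the space is exhausted.
    let pos = length - 1;
    while (pos >= 0 && ++digits[pos] === alphabet.length) {
      digits[pos] = 0;
      pos -= 1;
    }
    if (pos < 0) {
      return { password: null, tried };
    }
  }
}

const SALT = '04532@#!!';                    // salt from the challenge description
const DEMO_TARGET = md5Hex('cab' + SALT);    // constructed target, not the challenge hash

console.log(searchSalted(DEMO_TARGET, SALT, 3));
console.log('candidates for 5 lowercase letters:', keyspace('abcdefghijklmnopqrstuvwxyz', 5));
```

Called with the challenge hash, the salt and length 5, the same function walks the keyspace that the hashcat run above covers. A deliberately slow password hash such as bcrypt or Argon2 raises the cost of each guess, which a fast hash like MD5 with a known salt does not.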


Doc-ception

Category: Steganography

Description:
Need to hide something? why not a word document?
You need to dig deeper

Solution:

For this challenge we get a word document. And since word documents are Zip files we can extract the file to see if there’s anything interesting inside. When we unzip the document we get another word document with the same name, and if we extract this document we get a file called flag.txt. The contents of flag.txt is flag = openxml.

Flag: openxml


Limewire audio

Category: Steganography

Description:
I downloaded this sweet tune from limewire, but there’s something weird going on
can you find the hidden message?
The flag is the name of the character in english, no spaces!

Solution:

Here we have an audio file. Let's open it in Audacity to see if we can get some clues. If we switch to the spectrogram view we can see the following image in the audio stream.

Looks like a distorted Hello Kitty.

Flag: hellokitty


Scan me

Category: Steganography

Description:
Can you solve this scan puzzle?
It could be handy to hide messages

Solution:

For this challenge we got an image of a QR code.

But we can’t scan this code. If we look closely it looks like there are two QR codes in the same image. Let's extract the second one and see if we can scan it.

If we scan this code we get a URL, http://www.timesink.be/qrcode/flag.html. Navigating to the URL gives us a barcode to decode.

Decoding this with an online barcode reader gives us the text code-128-easy. Entering this gives us another barcode to scan.

Using the same online tool as before we get the text 5449000133335. Entering this gives us yet another barcode.

Reading this barcode gives us the text congratulations_this_is_the_last_barcode and entering this gives us the flag.

Flag: brixelCTF{m4st3r_0f_sc4n5}


Rufus the vampire cat

Category: Steganography

Description:
This is a picture of Rufus the vampire cat
Despite being cute, Rufus hides a secret, up to you to find it

Solution:

Here we get an image of a cat. Let's try steghide to see if there’s any hidden information in the image.

You thought this was a cute cat picture? NOPE! Chuck Testa! (the flag is: chucktesta)

Flag: chucktesta