# UTCTF 2020
[TOC]
## [basics] crypto (Crypto, 50)
> Can you make it through all of the encodings?
> by balex
First, we get `binary.txt`.
{%gist a5135324/3cf255a9919bfcbcd895bc5a2b200120 %}
Convert it from binary to hex and we get this.
{%gist a5135324/f300c7de95a5d2ee3cf8ab6547799ac0 %}
**The only characters present are A-Z, a-z, 0-9, and sometimes / and +.**
We Base64-decode it and get:
{%gist a5135324/b1751beb74d4d7b75cbdf7ffa799879f %}
**Looking up Roman people** -> Caesar cipher
We decode it with a Caesar cipher using a shift of 16.
{%gist a5135324/e56b4a1f7201af092a7d2069e2c26f9a %}
The final layer is a substitution cipher.
I use this [tool](https://quipqiup.com/) to analyze it and get the flag.
```
congratulations! you have finished the beginner cryptography challenge.
here is a flag for all your hard efforts: utflag{n0w_th4ts_wh4t_i_c4ll_crypt0}.
you will find that a lot of cryptography is just building off this sort of basic knowledge, and it really is not so bad after all.
hope you enjoyed the challenge!
```
flag: utflag{n0w_th4ts_wh4t_i_c4ll_crypt0}
## One True Problem (Crypto, 50)
> Two of my friends were arguing about which CTF category is the best, but they encrypted it because they didn't want anyone to see. Lucky for us, they reused the same key; can you recover it?
>
>Here are the ciphertexts:
>213c234c2322282057730b32492e720b35732b2124553d354c22352224237f1826283d7b0651
>
>3b3b463829225b3632630b542623767f39674431343b353435412223243b7f162028397a103e
>
> by balex
The same key was reused and we have to recover it -> XOR
We know the flag format is utflag{******}, so we can use this known prefix to decrypt the start of both ciphertexts.
`213c234c232228` XOR `utflag{` will get `THE BES`
`3b3b463829225b` XOR `utflag{` will get `NO THE `
Based on the problem description, we guess that the message is `THE BEST CTF CATEGORY`
`213c234c2322282057730b32492e720b35732b2124` XOR `THE BEST CTF CATEGORY` gives `utflag{tw0_tim3_p4ds}`
flag: utflag{tw0_tim3_p4ds}
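
The recovery above as a small script, added here as an illustration and not part of the original writeup; the function names and the upper-case alphabet filter are assumptions. It goes one step beyond the text by crib-dragging on `C1 XOR C2`, which needs no key material, and by decrypting both full messages with the recovered key repeated.

```python
from itertools import cycle

# Ciphertexts copied from the challenge description above.
C1 = bytes.fromhex("213c234c2322282057730b32492e720b35732b2124553d354c22352224237f1826283d7b0651")
C2 = bytes.fromhex("3b3b463829225b3632630b542623767f39674431343b353435412223243b7f162028397a103e")

def xor(data, pad):
    """XOR two byte sequences, stopping at the shorter one."""
    return bytes(a ^ b for a, b in zip(data, pad))

def crib_drag(c1, c2, crib, alphabet=b"ABCDEFGHIJKLMNOPQRSTUVWXYZ !"):
    """Needs no key: c1 ^ c2 == p1 ^ p2, so a correct guess (crib) for part
    of one plaintext reveals the other plaintext at the same offset.
    Returns (offset, revealed) pairs that stay inside `alphabet`
    (assumption: both messages are upper-case English)."""
    mixed = xor(c1, c2)
    hits = []
    for off in range(len(mixed) - len(crib) + 1):
        revealed = xor(mixed[off:off + len(crib)], crib)
        if all(ch in alphabet for ch in revealed):
            hits.append((off, revealed))
    return hits

def recover_key(ciphertext, known_plaintext):
    """ciphertext ^ plaintext == key for the bytes the guess covers."""
    return xor(ciphertext, known_plaintext)

def decrypt(ciphertext, key):
    """Decrypt with the key repeated. Assumption: the 21-byte key wraps
    around to cover the 38-byte messages; readable output confirms it."""
    return xor(ciphertext, cycle(key))

if __name__ == "__main__":
    # Step 1: the known flag prefix is a known piece of the key.
    print(xor(C1, b"utflag{"), xor(C2, b"utflag{"))
    # Step 2: a guessed plaintext exposes the other message and the key.
    guess = b"THE BEST CTF CATEGORY"
    print(crib_drag(C1, C2, guess))
    key = recover_key(C1, guess)
    print(key, decrypt(C1, key), decrypt(C2, key))
```

Any XOR pad or stream cipher fails this way once the same key stream encrypts two messages; a fresh key or nonce per message prevents it.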
## epic admin pwn (web, 50)
>this challenge is epic i promise
>the flag is the password
>[Link](http://web2.utctf.live:5006/)
The website is a login page. After testing it, I found that it is vulnerable to SQL injection.
So I use sqlmap to dump the database and get the flag.
```bash
python3 sqlmap.py -u "http://web2.utctf.live:5006/" --data="username=admin&pass=' or '1'='1" -D "public" -T "users" -C "username,password" --dump -v 1
```

flag: utflag{dual1pa1sp3rf3ct}
## The Legend of Hackerman Pt. 1 (forensics, 50)
> My friend Hackerman tried to send me a secret transmission but I think some of it got messed up in transit. Can you fix it?
> by balex
We open the file in HxD and find that the file header contains `0D0A1A0A`.

This is part of the PNG signature, so we fix the header and get the flag.
(The PNG file signature is `89 50 4E 47 0D 0A 1A 0A`.)

flag: utflag{3li3_h4ck3r}
## The Legend of Hackerman Pt. 2 (forensics, 50)
> Ok I've received another file from Hackerman but it's just a Word Document? He said that he attached a picture of the flag but I can't find it...
> by balex
The description says there is a picture in the docx file, so I use `binwalk` to check.

There are many pictures in it.
I use `binwalk -e Hacker.docx` to extract all the files from the docx file.

Then I check the image sizes and find two suspects.

I open `image23.png` and get the flag.

flag: utflag{unz1p_3v3ryth1ng}
## nittaku 3 star premium (Network, ?)
>I found some weird data while monitoring my network but I didn't catch it all. See if you can make sense of it.
>by masond
First, check the protocol hierarchy.

We can see that the ICMP packets may be the suspect: 8 packets carry 4352 bytes.

Got it!! The data consists entirely of printable characters, so we Base64-decode part of it.
`\x1f\x8b\x08\x08\x80\x0bV^\x00\x03flag.png\x00\xed\xbagTS]\x136\x9c\x84\x1a\x91\x96X\xe85\x01\x05\xa4J\x93\xa6\x80@@\x8a \xd2\x9b(\xa8t\x90"\x10 \x90[`
We see `flag.png` in it, so we decode all of the data.
We use the `file` command to see what it is.
`gzip compressed data, was "flag.png", last modified: Wed Feb 26 06:09:04 2020, from Unix`
It is gzip data, so we decompress it.

We only get part of the flag.
I wonder: if we ping the server, what will it reply?

Looks like we find the answer!
After some experiments, we use `ping pingable.tk -s 1025` to get all the responses.
The list of responses is at https://gist.github.com/a5135324/ab4b3bed4dafdbaec544c00b30240592
We decode it, decompress it, and get the flag.

flag: utflag{p1Ng@b13_f1aG$}