NCtfU Writeup
=============

:::danger
All flags have a hash as the suffix, which is how the organisers can tell whether a user is submitting their own flag; so don't cheat.
:::

Basic Linux
-----------

### Super Secure Shell

Login using ssh (usr: `ctf`, psw: `w3lc0m3_t0_NCtfU`).

flag: `NCtfU{S3CUR3_SH3L1_d1b639f0b0e34a5b990a174f2f2a77fd}`

### Long Shopping List

`ls` is a good command.

flag: `NCtfU{1_4M_4_SC4RY_GH05T_N07_4_SH0PP1NG_L1S7_5894fc7602db45089b86b9f3f11b14ff}`

### Cute Cat

`cat` the flag.

flag: `NCtfU{CA75_4R3_S0OO0O0O00O0O00OOO0OO0OOOO0O_G00OOOO0OO0O00O0OD_8214817b2d724f38a280efd1bf3d015a}`

### Where is my change?

`cd` into the directory.

flag: `NCtfU{G0OD_U_F0UND_MY_CH4NG3!_fe16dcb368f94b9b8ce0755a5e9867e7}`

### Hidden Shopping List

Sometimes you just need a `-a` for `ls`.

flag: `NCtfU{B0OOO00OOO00000000_1_SC4R3D_U_d7621beb3d1d4084a80a3a0d9cf4fa9a}`

### Grapes

`$cat grapes | grep "NCtfU"` for the solution.

flag: `NCtfU{D3AL_W17H_GR3P_135c8b583aa74d2a925a9be94faed74b}`

### Hide and Seek

Sometimes a TAB is a great thing when you have no idea how to pipe it.

flag: `NCtfU{F1ND_U_L1T7L3_FL49_cd0af659d4ba4feebf4b38a31747513c}`

### Nice Environment

Such an easy `$env`.

flag: `NCtfU{0H_1_L0V3_7H15_3NV_bef142acc7fc48a19342365342853d2c}`

### Run

Run the ELF: `$./run`

flag: `NCtfU{RUN_F0R_UR_L1F3_9c5a606412f7422892c97704e1ab6e64}`

### Bugs

Remove the *bugs*: `$rm bugs`

flag: `NCtfU{N0_NO7_4_51N9L3_BU9_C4N_B3_1N_MY_S19H7_067368c08061475987a613ecbaaf0443}`

### MOO

The flag is in the daily message (motd) file! `$cat /etc/update-motd.d/10000-moo`

flag: `NCtfU{MO0O_MO7D_M0O0_3798ea5955b248b48a4cdae315fc0d99}`

### You Shall Not Pass

`$chmod 777 flag`

flag: `NCtfU{N0_0N3_C4N_S70P_M3_N0_0N3_06c0f09daef34d6892fa59d6e28118f9}`

### Flag Printer

Hint: you can `cat` an ELF too!!
flag: `NCtfU{F0UND_M3_1N_7H3_S0URC3_d3ccf6384ea64f18b3e9a9770f8584d7}`

### Running Flag

`$ps -ax`

flag: `NCtfU{U_H4V3_C47CH_7H3_RUNN1N9_FL49_1259eb4388cd41b8983518dc0bb3bfa6}`

### You Shall Not Pass Revenge

`$echo chmod 777 flag > update.sh`

flag: `NCtfU{U_C4N_RUN_W17H_R0OT_3VEN_U_4R3_N07_ROOT_US3R_73a096095c814d7fae5d683240c406bb}`

Web
---

### Baby Web Ping

A basic command injection; the user input goes straight to `system()`, so there is nothing to bypass.

code:

```php=
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Ping</title>
</head>
<body>
    <form action="." method="GET">
        CMD: <input type="text" name="cmd" value="ping www.google.com.tw">
        <input type="submit" value="run command!">
    </form>
    <pre><?php
set_time_limit(2);
if(!empty($_GET['cmd']))
    echo htmlentities(system($_GET['cmd']));
else
    highlight_file(__FILE__);
?></pre>
</body>
</html>
```

payload: `cat flag`

flag: `NCtfU{B4D_BAD_P1N9_dfe60bb115ae4df88795170a7bbdea6a}`

### Easy Web Ping

The input is appended to a fixed `ping -c 4 ` prefix, so a pipe is needed to run a second command.

```php=
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Ping</title>
</head>
<body>
    <form action="." method="GET">
        Ping: <input type="text" name="ping" value="www.google.com.tw">
        <input type="submit" value="run command!">
    </form>
    <pre><?php
set_time_limit(2);
if(!empty($_GET['ping']))
    echo htmlentities(system('ping -c 4 '.$_GET['ping']));
else
    highlight_file(__FILE__);
?></pre>
</body>
</html>
```

payload: `|cat flag`

flag: `NCtfU{H0W_D1D_U_U53_AN07H3R_CMD_561afb86e8934bff84e02ac74134c1bd}`

### Beautiful Website 1

1. Found a hidden page in the anime_girls page.

   ![](https://i.imgur.com/pFns7nm.png)

2. The edit page answers with a 302 redirect to the login page.

   ![](https://i.imgur.com/cok6J9k.png)

   ```php=
   <?php header('Location: /?page=login');
   ```

   ![](https://i.imgur.com/6CTerkj.png)

3. Test the login form with basic SQL injections.

   payload: `1' or 1=1 -- -`

4. Get all pages with the source viewer.

   ![](https://i.imgur.com/8cfe8kD.png)

flag: `NCtfU{an_easy_flag_for_you_9fc38735e2d74b07b411b5cd45a9378d}`

### Beautiful Website 2

**The question said that the flag is the user's password.**

1. As in Beautiful Website 1, we can see the source code of `panel.php` and find out how the site confirms whether you are logged in or not:

   ```php=
   if (!isset($_COOKIE['token'])) {
       header('Location: /');
       die();
   }
   [$data, $sig] = explode('.', $_COOKIE['token']);
   if (md5($data . $_ENV['SALT']) !== $sig) {
       header('Location: /');
       die();
   }
   $user = json_decode(base64_decode($data), true);
   ```

2. Now we know the cookie is named `token` and looks like `base64(json).md5(sth)`.

3. Decode the front part of the cookie from base64.

4. After decoding you'll get something like:

   ```json=
   {"user":"user","pass":"NCtfU{sql_injection_strikes_again_fc08d00973c94001a32c82184e10f23d}","is_admin":"0","is_enabled":"1"}
   ```

flag: `NCtfU{sql_injection_strikes_again_fc08d00973c94001a32c82184e10f23d}`

---

Advanced Linux
--------------

### Is this zip?

No it isn't.
```sh=
$file a_zip.zip
>a_zip.zip: PNG image data, 324 x 332, 8-bit/color RGB, non-interlaced
$mv a_zip.zip a_zip.png
```

flag: `NCtfU{F1L3_E*73N510N_5UCKS}`

### Running Flag Revenge

First find the process ID of the running program:

![](https://i.imgur.com/keX0ekR.png)

PID: `17`

Then read the binary back through procfs: `$cat /proc/17/exe`

![](https://i.imgur.com/32lqi5o.png)

flag: `NCtfU{7H3_FL49_H1DD3N_1N_7H3_PR0C3SS_020fb342d8394b8c92df93f50a475691}`

---

Programming
-----------

### Online Judge

```python=
from pwn import *

conn = remote('nctfu.csie.ncu.edu.tw', 23807)

def rl():
    # read one line from the judge
    return conn.recvline().decode('utf-8').strip('\n')

def rtl():
    # read up to the next 'ans:' prompt
    return conn.recvuntil('ans:').decode('utf-8').strip('\n')

print(rl())
print(rl())
haha = 0
while 1:
    if(haha == 1000):
        # after 1000 answers the judge prints the flag
        ans = conn.recvuntil('\n').decode('utf-8').strip('\n')
        print(ans)
        break
    s = rtl()
    print(s)
    # pull the arithmetic expression out of the prompt and evaluate it
    s = s.split(':')[-2].strip(' ').strip('\nans')
    print(str(eval(s)))
    conn.sendline(str(eval(s)))
    haha += 1
```

flag: `NCtfU{U_4R3_F45T_W17H_T0OL5_fe2e7c89a61943349d60d90d25b3a07d}`
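For the two Web Ping challenges above, an added example (not part of the original writeup) of the input handling the vulnerable PHP lacked: an allow-list check that accepts only a hostname or an IPv4 literal, and a `ping` argv built without a shell, so the page's `cat flag` and `|cat flag` payloads are rejected before anything runs. It is written in Python; the PHP equivalent would be the same pattern check followed by `escapeshellarg()`. The sample inputs are constructed here.

```python
from __future__ import annotations
import re
import subprocess

# Constructed sample inputs: the page's own payloads plus a few benign and hostile targets.
SAMPLE_INPUTS = [
    "www.google.com.tw",     # the form's default target
    "cat flag",              # "Baby Web Ping" payload: an arbitrary command
    "|cat flag",             # "Easy Web Ping" payload: pipe into a second command
    "8.8.8.8",
    "example.com; id",
    "$(whoami).example.com",
    "",
]

# Allow-list: DNS labels of letters/digits/hyphens joined by dots, or a dotted-quad IPv4.
# No shell metacharacter ('|', ';', '$', space, backtick) can match either pattern.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def is_valid_ping_target(value: str) -> bool:
    """True only for a plain hostname or IPv4 literal; everything else is rejected."""
    return bool(HOSTNAME_RE.match(value) or IPV4_RE.match(value))


def build_ping_argv(value: str) -> list[str]:
    """Argv for `ping -c 4 <target>`; raises ValueError on input that fails the allow-list.

    A list passed to subprocess.run with shell=False is never parsed by a shell, which is
    exactly what `system('ping -c 4 ' . $_GET['ping'])` gave the attacker. The regex also
    forbids a leading '-', so the target cannot be mistaken for a ping option.
    """
    if not is_valid_ping_target(value):
        raise ValueError(f"rejected ping target: {value!r}")
    return ["ping", "-c", "4", value]


def classify(inputs: list[str]) -> dict[str, bool]:
    """Map each candidate input to whether the hardened handler would accept it."""
    return {v: is_valid_ping_target(v) for v in inputs}


def run_ping(value: str) -> str:
    """Run the validated ping without a shell and return its output (hypothetical handler)."""
    proc = subprocess.run(build_ping_argv(value), capture_output=True, text=True, timeout=10)
    return proc.stdout


if __name__ == "__main__":
    for target, ok in classify(SAMPLE_INPUTS).items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {target!r}")
```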
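For Beautiful Website 2, an added example (not from the page) that parses and verifies the `token` cookie format shown in `panel.php`, `base64(json).md5(data . SALT)`, on a constructed token with a placeholder salt. It shows that the data half is merely encoded, so whoever holds the cookie can read every field, which is why a password stored in it is exposed.

```python
import base64
import hashlib
import hmac
import json

# Placeholder salt and constructed user record with the same field layout as the page's cookie.
SALT = "PLACEHOLDER_SALT"
SAMPLE_USER = {"user": "user", "pass": "NCtfU{placeholder}", "is_admin": "0", "is_enabled": "1"}


def sign(data_b64: str, salt: str) -> str:
    """Recompute the site's signature: md5 over the base64 text concatenated with the salt."""
    return hashlib.md5((data_b64 + salt).encode()).hexdigest()


def make_token(user: dict, salt: str) -> str:
    """Build a token exactly the way panel.php expects to read one back."""
    data = base64.b64encode(json.dumps(user, separators=(",", ":")).encode()).decode()
    return data + "." + sign(data, salt)


def parse_token(token: str) -> tuple[dict, str]:
    """Split the token and decode the JSON half; no secret is needed for this step."""
    data, sig = token.split(".", 1)
    return json.loads(base64.b64decode(data)), sig


def verify(token: str, salt: str) -> bool:
    """Server-side check from panel.php, using a constant-time comparison."""
    data, sig = token.split(".", 1)
    return hmac.compare_digest(sign(data, salt), sig)


def exposed_fields(token: str) -> list[str]:
    """Field names readable by anyone who obtains the cookie, signature valid or not."""
    user, _ = parse_token(token)
    return sorted(user)


SAMPLE_TOKEN = make_token(SAMPLE_USER, SALT)

if __name__ == "__main__":
    print(SAMPLE_TOKEN)
    print("valid:", verify(SAMPLE_TOKEN, SALT))
    print("readable without the salt:", exposed_fields(SAMPLE_TOKEN))
```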