### Final Africa Cyber Defense Forums Cyberlympics CTF 2023
Team: RedTeam-TG
Team members: Assa, Pow3r0ff, M3TA, manasse
We'll give the solutions to some of the challenges that we solved during that final session.
#### Web :
- Grandline (solved by Assa):

This is a GraphQL injection challenge; we even have a console that displays the results of the commands.
First of all, we start with enumeration to see which functions and methods are accessible. The following payload does the trick:

We can see an interesting function called “flags” with the id, author, content and flag parameters.
Let’s try to query id 1 of the flags function. Here I specified the content and flag parameters.

The response has the following content: “Why don’t you dig harder”. The rest follows logically: we must identify the id that contains our flag. I first tried id 2, then id 3, which turned out to be the right one.

Flag: acdfCTF{L3t_try_s0m3_Graph_0ut}
- Image Lookup (solved by Assa):

This one is an easy LFI web challenge: you just had to request the flag file with the payload “file:///flag.txt”, taking care to URL-encode the / characters.
Here is the query that I used to get the flag:
http://16.170.230.246/index.php?url=file%3a%2f%2f%2fflag.txt
Unfortunately, the flag is no longer accessible on the server.
- Konoha (solved by Assa):

We have a source.php file. Let's analyze it:
```php
<?php
$secretFilePath = '/app/Sup3rs3cr3tFlag.txt';
$secretKey = 'Kismet-Abzee-Berrywuxxxxx';
$requestedFile = isset($_GET['file']) ? $_GET['file'] : '';
$providedKey = isset($_GET['key']) ? $_GET['key'] : '';
$decodedFile = urldecode($requestedFile);
if ($providedKey !== $secretKey) {
    header("HTTP/1.0 403 Forbidden");
    echo "Access denied!";
    exit;
}
if ($decodedFile === 'Sup3rs3cr3tFlag.txt') {
    $secretContent = file_get_contents($secretFilePath);
    echo $secretContent;
} else {
    header("HTTP/1.0 403 Forbidden");
    echo "Access denied!";
}
?>
```
After reading it, we see that the source.php script accepts GET requests with the "file" and "key" parameters. key is the secret code that grants access to the file, and file must contain the name of the file.
```php
if ($decodedFile === 'Sup3rs3cr3tFlag.txt') {
    $secretContent = file_get_contents($secretFilePath);
    echo $secretContent;
}
```
The previous lines check that the file name corresponds to Sup3rs3cr3tFlag.txt and then display the secret content to us:
```php
echo $secretContent;
```
What could be simpler? We have the name of the file and the key to access it.
Be careful: the key value contains hidden characters (the 5 x characters) in 'Kismet-Abzee-Berrywuxxxxx'.
It is therefore necessary to brute-force the missing x characters. The hint gave us part of the missing characters; we just had to brute-force the rest to obtain the flag.
PS: apparently the 5 missing x characters could be found in the source code of the application; personally, I didn't solve it like that.
Here is the final request to get the flag:

The flag has unfortunately been removed from the server. I unfortunately didn't take a picture when I solved it, but the request in the picture is still exact.
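
The Konoha check falls to a key that is mostly disclosed in source.php combined with unlimited guesses, so a hardened form of the same check is sketched here. This is an added example, not the challenge's code; the `KONOHA_KEY` variable name, the limits, the `handle_request` function and the in-memory `$failures` store are assumptions.

```php
<?php
// Added example, not the challenge's code. Assumptions: the key comes from a
// KONOHA_KEY environment variable (hypothetical name) and $failures stands in
// for a shared store (APCu, Redis) keyed by client address.
const MAX_FAILURES = 5;      // wrong keys tolerated per client per window
const WINDOW_SECONDS = 300;

function handle_request(array $query, string $secretKey, string $client,
                        array &$failures, int $now): array
{
    // Forget failures older than the window, then enforce the limit.
    $recent = array_filter($failures[$client] ?? [],
        fn($t) => $now - $t < WINDOW_SECONDS);
    $failures[$client] = array_values($recent);
    if (count($failures[$client]) >= MAX_FAILURES) {
        return [429, 'Too many attempts'];
    }
    // $_GET is already URL-decoded, so no second urldecode(). Reject array
    // values such as key[]=x before they reach hash_equals().
    $file = $query['file'] ?? '';
    $key = $query['key'] ?? '';
    if (!is_string($file) || !is_string($key)) {
        return [400, 'Bad request'];
    }
    // An unset key fails closed; hash_equals() compares in constant time.
    if ($secretKey === '' || !hash_equals($secretKey, $key)) {
        $failures[$client][] = $now;
        return [403, 'Access denied!'];
    }
    if ($file !== 'Sup3rs3cr3tFlag.txt') {
        return [403, 'Access denied!'];
    }
    // The real handler would return file_get_contents($secretFilePath) here.
    return [200, '(secret file contents)'];
}

// Constructed demonstration: one client guessing, another with the right key.
$failures = [];
$key = 'constructed-demo-key';   // deployment: (string) getenv('KONOHA_KEY')
$now = 1700000000;
for ($i = 1; $i <= 7; $i++) {
    [$status] = handle_request(['file' => 'Sup3rs3cr3tFlag.txt', 'key' => "guess$i"],
        $key, '203.0.113.7', $failures, $now + $i);
    echo "guess $i from 203.0.113.7 -> HTTP $status\n";
}
[$status] = handle_request(['file' => 'Sup3rs3cr3tFlag.txt', 'key' => $key],
    $key, '198.51.100.9', $failures, $now);
echo "correct key from 198.51.100.9 -> HTTP $status\n";
```

A per-client limit only slows guessing; the key also has to be long, random, and absent from any file the web server can serve.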
#### Cryptography :
- What's going on (solved by Assa):

This is an RSA challenge, with a bit of guessing. We have an encoded file which contains the flag. The encoded file was provided with a private key to unlock the flag. The difficulty here is that the key is password-protected. He made several attempts before coming across the password, which was "password". We used CyberChef to decipher the flag, as you see below.

Flag: acdfCTF{4ncrypt10n_1s_W14rd0}
#### Steganography :
- Toka:

This challenge was simple. The flag was hidden in the image. zsteg allowed us to find it easily.

Flag: acdfCTF{W3lc0m3_t0_th3_l4nd_0f_Gh0uls}
#### Forensics :
- ***:
#### Osint :
- ***:
#### Misc :
- ***:
#### Binary Exploitation :
- ***:
#### Boot2root :
- ***: