# Questcon CTF writeup 2023

Hello readers, welcome again to the writeups. This is the Questcon CTF writeup 2023, in which I managed to be no. 02 on the scoreboard after solving all the challenges. Let's go now.

1. MISC CHALLENGES

![](https://hackmd.io/_uploads/HJMlfYsGa.png)

- [ ] **Guidelines of the Caribbean**

![](https://hackmd.io/_uploads/B1MnzKsM6.png)

Solving this question was really simple: you were supposed to open the rules page of the CTF domain (https://questcon.ctfd.io/rules) and then view the source code of the page, because the flag was hidden using the HTML tag `<span style="display: none">`. So the flag was in the source code:

`<li>🤫 Thanks for reading rules, your flag: REDACTED.<span style="display: none">QUESTCON{C0d3Break3r_Rul35_Expl0r3r}</span>`

**flag: `QUESTCON{C0d3Break3r_Rul35_Expl0r3r}`**

- [ ] **Hexa Pirate's Code**

![](https://hackmd.io/_uploads/rJtGVKiG6.png)

If you download the given file and extract it, you will find a lot of files named with hashes. If you open any file you will find `if (!String.Equals(pass, "some random hex numbers here")) {`, so I used the command `grep -ir "String.Equals(pass," *`. The output had the same format for all files except two, which were named `cc53495bb42e4f6563b68cdbdd5e4c2a9119b498b488f53c0f281d751a368f19` and `cc53495bb42e4f6563b68cdbdd5e4c2a9119b498b488f53c0f281d751a368f19.save`.

![](https://hackmd.io/_uploads/H1n5HKoGp.png)

From there I decoded the password from hex and I got the flag.

**flag: `QUESTCON{Bl4ckB34rd_Malw4r3_Pir4t3s}`**

- [ ] **Pirate's Port Paradox**

![](https://hackmd.io/_uploads/H1IPIKiz6.png)

The aim of this challenge was to be aware of some ports (TCP/UDP) that are not so common. You were supposed to change the port names to port numbers and then solve the mathematical expression to get the flag. I used Google to change the port names to port numbers as below.
```
WHOIS: 43
QOTD: 17
CHARGEN: 19
XFER: 82
ECHO: 7
DCE : 135
NNTP : 119
NSCA : 5667

then the expression was supposed to be
((((43 + 17 ) * 19 ) - 82 )% 7 ) * ( 135 + 119 ) * 5667
```

After solving the expression you would get `1439418`, which was the answer needed.

**flag: `QUESTCON{1439418}`**

# ***That was all about Misc***

2. CRYPTO CHALLENGES

![](https://hackmd.io/_uploads/HkQwKKjMp.png)

- [ ] **Riddle of the Hidden Scrolls**

![](https://hackmd.io/_uploads/HkcstYjfT.png)

In this challenge we are given a cipher text without even knowing what it is... To answer this challenge I used CyberChef (https://gchq.github.io/CyberChef/). CyberChef offers an interesting feature called `magic`. When I used magic in intensive mode, I saw that the flag was encoded using `XOR({'option':'Hex','string':'3'},'Standard',false) From_Base64('A-Za-z0-9+/=',true,false)`.

![](https://hackmd.io/_uploads/r1itcKsfp.png)

**flag: `QUESTCON{D34d_M3n_T3ll_No_T4l3s}`**

- [ ] **Sparrow's Cryptographic Treasure**

![](https://hackmd.io/_uploads/SJnliYsMp.png)

This was the RSA challenge, and we were given a file that has the following contents:

```
N = 882564595536224140639625987659416029426239230804614613279163
E = 65537
C = 164269225538436495685306542268826436068505673594249194166792
```

There are many ways of solving this kind of challenge, but I used the simple way of using online tools to get the flag, so I used https://www.dcode.fr/rsa-cipher

![](https://hackmd.io/_uploads/S1cGhtsM6.png)

**flag: `QUESTCON{1_HaT3_RS1}`**

# ***Crypto challenges ended that way***

3. FORENSICS CHALLENGES

![](https://hackmd.io/_uploads/H1pihKoMp.png)

- [ ] **Island of Hidden Bounty**

![](https://hackmd.io/_uploads/H1I7TKoMT.png)

I downloaded the file, then I used common image forensics tools such as `exiftool, strings, binwalk, stegsolve`, but I didn't get anything interesting. Because the image was a .jpg, I decided to use steghide to see if there was something hidden.
I noticed that there was a hidden file in the image, so since I had no password I used a tool that would brute force the password for me. Therefore I used `stegseek`, and I found the password was `password` and I was able to extract the file from the image.

![](https://hackmd.io/_uploads/ryxIACKsfa.png)

After getting the file I used cat to view its contents and I found a URL in it: https://hiddenbounty.netlify.app

![](https://hackmd.io/_uploads/Sy9Uy9jf6.png)

After visiting the URL, I didn't find anything there, so I decided to use web tricks to solve the question. I bruteforced the files but it was taking too long, so I decided to check for the common web files and Booooom! I found that robots.txt had the interesting thing.

![](https://hackmd.io/_uploads/rk0AyqjMT.png)

So, after going to the disallowed page https://hiddenbounty.netlify.app/hiddeninmist I got the flag.

![](https://hackmd.io/_uploads/HycXgcifp.png)

**flag: `QUESTCON{X_M4rk5Th3Digit4lTr34sur3}`**

- [ ] **Isla de Muerta's Secrets**

![](https://hackmd.io/_uploads/SJNsg9iGp.png)

We were given a pcapng file and we were supposed to find the local address (IP address) of the intruder... This is very simple: you need to open the file in Wireshark and then follow the TCP streams. On stream no. 59 you will see something interesting.

![](https://hackmd.io/_uploads/rJyFWqsM6.png)

If you look closely you will see the request was coming from 192.168.0.129 to 103.83.194.110, therefore the local address of the intruder was `192.168.0.129`.

**flag: `QUESTCON{192.168.0.129}`**

- [ ] **Head Jack Sparrow**

![](https://hackmd.io/_uploads/Sy94M9jf6.png)

This was the most confusing challenge in the CTF for me. If you download the image you will find that it is corrupted in the header.

![](https://hackmd.io/_uploads/SkUAMqjMT.png)

Uncorrupted images should look like the screenshot below.

![](https://hackmd.io/_uploads/r1G9Q9sf6.png)

So, I converted the image to hex, then I replaced the corrupted hex header data `26 ed af 21 0d 0a 1a 0a 00 00 00 0d 76 22 e2` with the required data `89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44`, then I converted back from hex and the header now looks like below.

![](https://hackmd.io/_uploads/B1VXN9jGa.png)

I then used `render image` from CyberChef to get the image.

![](https://hackmd.io/_uploads/ryzOVqsGT.png)

I downloaded the image, and if you look closely at the bottom right corner of the image you will see the flag.

> I can't upload the image here because it exceeds the limit of 1 MB, so I will just give you the flag.

**flag: `QESTCON{P1RaT3s_Ha13s_PNG_F1l3}`**

# ***That means, forensic is over***

4. WEB CHALLENGES

![](https://hackmd.io/_uploads/Bk6MLqjf6.png)

- [ ] **Pirate's Hidden Treasure**

![](https://hackmd.io/_uploads/BJ1KI5oM6.png)

I opened the link and the following output appeared: `You should have a pirate browser to access this site!`

![](https://hackmd.io/_uploads/Hks0Uqof6.png)

After getting that output I decided to use `Burpsuite` to solve the challenge. I opened Burpsuite, set the proxy on, then captured the request and sent it to Repeater. At first I got the same output.

![](https://hackmd.io/_uploads/BJbqO5sGa.png)

I then changed the User Agent from Mozilla to `pirate` so that the server would detect that I'm coming from a pirate browser. After that I got different results.

![](https://hackmd.io/_uploads/ByJgtcjM6.png)

Since it tells us that `You should come from the ship Black Perl to access this treasure!`, I used `Referer` to refer the Black Perl and I got to the next step.

![](https://hackmd.io/_uploads/rkSUY5oMp.png)

The next challenge was to `Prove your identity to access the treasure!`, so when I went back to the question I saw `A legendary treasure chest, rumored to be enchanted by Captain Jack Sparrow himself, awaits your discovery`. Therefore I decided to change the user from `barbossa` to `jack sparrow` and I was able to get the flag.

![](https://hackmd.io/_uploads/SJNlqcoMa.png)

**flag: `QUESTCON{Thr33_k33p_a_s3cr3t_if_2_of_th3m_ar3_dead}`**

- [ ] **Cursed Treasure**

![](https://hackmd.io/_uploads/SJLPcqiMT.png)

I tried to access the URL and I got a page that has three maps. I tried to click on each map and it was generating an `id` parameter in the URL whose values were hashed. So I realized that it would be an `IDOR` vulnerability. I tried to change the values of id to other values but nothing happened.

Map 1

![](https://hackmd.io/_uploads/Skh2jcofp.png)

Map 2

![](https://hackmd.io/_uploads/BJPJhqiG6.png)

Map 3

![](https://hackmd.io/_uploads/SJUM29jM6.png)

When I tried some random values on the id parameter I got an error: `Arrrrr! Ye be lost, matey!`

![](https://hackmd.io/_uploads/H178hcoza.png)

After that I started looking at the hashed values passed in the URL. After a long time I realized that the passed values were hashed using `sha224`, and after cracking the hashes I found that the first map id was `1`, the second map id was `2` and the third map id was `4` (I used https://crackstation.net/ to crack the hashes). I tried to hash the number `3` and pass it in the id parameter, and an interesting thing appeared.

**sha224(3) = 4cfc3a1811fe40afa401b25ef7fa0379f1f7c1930a04f8755d678474** (I used https://emn178.github.io/online-tools/sha224.html for hashing)

![](https://hackmd.io/_uploads/S1BlA5sza.png)

The last step was to verify the identity. Going back to the question: `Captain Barbossa, sly and cunning, held the cursed treasure away from Jack Sparrow's reach. Can you unveil the hidden flag and claim the cursed riches?` So I used the Captain's name as the identity and I was able to get the flag.

![](https://hackmd.io/_uploads/BkpdRqjMp.png)

**flag: `QUESTCON{Th3_Pir4t3s_0f_Th3_Car1bb34n_Arr_Th3_B3st!}`**

- [ ] **Web Explorer's Journey**

![](https://hackmd.io/_uploads/SJNa05oGa.png)

This was the easiest of the web challenges. If you open the URL you will see a page with the message: `Pirates are warming up for the next adventure. Can you find the flag!!! Your flag is: 1021089710312384101115116957010897103125`

![](https://hackmd.io/_uploads/BJuVksif6.png)

So I decoded the numbers from decimal (but it requires some knowledge of separating those numbers for them to be decoded in CyberChef).

![](https://hackmd.io/_uploads/SkihyisG6.png)

The flag I got was `flag{Test_Flag}`, which was not the required flag, so I went back to the web page and viewed the page source, where I found other numbers. Then I decoded them from hex and I got the flag.

![](https://hackmd.io/_uploads/BJ97xsjGp.png)

![](https://hackmd.io/_uploads/H17wgioGa.png)

**flag: `QUESTCON{W3B_3XPL0R3R_1S_4W3S0M3}`**

# ***Web challenges ended that way***

5. STEGO CHALLENGES

![](https://hackmd.io/_uploads/Hkj1-sjMp.png)

- [ ] **Mystery**

![](https://hackmd.io/_uploads/S1jGWsjGp.png)

I downloaded the file, then I used common image forensics tools such as `exiftool, strings, binwalk, stegsolve`, but I didn't get anything interesting. Because the image was a .jpg, I decided to use steghide to see if there was something hidden. I noticed that there was a hidden file in the image, so since I had no password I used a tool that would brute force the password for me. Therefore I used `stegseek`, and I found the password was empty and I was able to extract the file from the image.

![](https://hackmd.io/_uploads/S1moWiof6.png)

The extracted file was also an image.

![](https://hackmd.io/_uploads/ByfUzjoMa.png)

Because it showed nothing, I used strings to read the human-readable strings from the image and I found something that looked like base-encoded text.

![](https://hackmd.io/_uploads/HJwoMijGT.png)

The text looks like `base64`, so I used the base64 tool from the terminal to decode the text, and I got the flag that way.

![](https://hackmd.io/_uploads/S1lbQjoGa.png)

**flag: `QUESTCON{My5t3ry_1s_4w3s0me!}`**

- [ ] **Mystery 2.0**

![](https://hackmd.io/_uploads/BywIQjjMp.png)

I downloaded the file `another_mystery.png`, and since it is a PNG file I decided to use the zsteg tool, which is used for analysis of PNG images, and it gave the flag that simple way.

![](https://hackmd.io/_uploads/BJwk4sjMp.png)

**flag: `QUESTCON{P1raT3s_Ar3_M7s!3rY}`**

# ***This is the end, Hope you enjoyed.......Thanks for reading my writeups***
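
For the **Head Jack Sparrow** header repair above, the same check and fix can be scripted instead of edited by hand in a hex view. This is an added example, not part of the original writeup: the 2x2 PNG is constructed sample input (not the challenge file), the function names are made up for illustration, and only the two corrupted byte runs are taken from the writeup.

```python
import struct
import zlib

PNG_SIGNATURE = bytes.fromhex("89504e470d0a1a0a")

def chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_sample_png() -> bytes:
    """Constructed 2x2 8-bit greyscale PNG (sample input, not the challenge file)."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 0, 0, 0, 0)
    rows = b"\x00\x10\x20" + b"\x00\x30\x40"  # filter byte + two pixels per row
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b""))

def damage_like_challenge(png: bytes) -> bytes:
    """Overwrite bytes 0-3 and 12-14 with the corrupted values quoted in the writeup."""
    return bytes.fromhex("26edaf21") + png[4:12] + bytes.fromhex("7622e2") + png[15:]

def ihdr_crc_ok(png: bytes) -> bool:
    """IHDR type + 13 data bytes sit at offsets 12..28; their CRC-32 is at 29..32."""
    if len(png) < 33:
        return False
    return zlib.crc32(png[12:29]) & 0xFFFFFFFF == struct.unpack(">I", png[29:33])[0]

def header_problems(png: bytes) -> list:
    """List every fixed header field that disagrees with the PNG format."""
    problems = []
    if png[:8] != PNG_SIGNATURE:
        problems.append("signature")
    if png[8:12] != struct.pack(">I", 13):
        problems.append("IHDR length")
    if png[12:16] != b"IHDR":
        problems.append("IHDR type")
    if not ihdr_crc_ok(png):
        problems.append("IHDR crc")
    return problems

def repair_header(png: bytes) -> bytes:
    """Restore the three fixed fields; width, height and the stored CRC are untouched."""
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + png[16:]

if __name__ == "__main__":
    damaged = damage_like_challenge(make_sample_png())
    print(header_problems(damaged))
    print(header_problems(repair_header(damaged)))
```

Because the stored IHDR CRC covers the chunk type, a passing CRC after the repair confirms that only the fixed fields were damaged and the width and height bytes can be trusted.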
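
For **Cursed Treasure** above, the reason the hashed `id` gave no protection is that an unkeyed hash of a small integer can be recomputed and reversed by anyone. This added example (not part of the original writeup, and not the challenge's code) shows that, next to a keyed identifier and the server-side ownership check that actually closes an IDOR; the key, user names and ACL are constructed assumptions.

```python
import hashlib
import hmac

def sha224_id(n: int) -> str:
    """Unkeyed identifier as used by the challenge: sha224 of the decimal id."""
    return hashlib.sha224(str(n).encode()).hexdigest()

def recover_id(token: str, limit: int = 10_000):
    """Reverse an unkeyed hash of a small integer by enumeration; None if not found."""
    for n in range(limit):
        if hmac.compare_digest(sha224_id(n), token):
            return n
    return None

def missing_ids(known: list) -> list:
    """Gaps in a recovered id sequence, i.e. objects the UI never linked to."""
    return sorted(set(range(min(known), max(known) + 1)) - set(known))

def keyed_id(n: int, key: bytes) -> str:
    """HMAC-SHA224 identifier: cannot be recomputed without the server key."""
    return hmac.new(key, str(n).encode(), hashlib.sha224).hexdigest()

# Constructed sample data: which user may view which map.
ACL = {"user-a": {1, 2, 4}, "captain": {1, 2, 3, 4}}

def can_view(acl: dict, user: str, map_id: int) -> bool:
    """The real fix: authorise every request against the session's user,
    whatever form the identifier in the URL takes."""
    return map_id in acl.get(user, set())

if __name__ == "__main__":
    tokens = [sha224_id(n) for n in (1, 2, 4)]       # what the three links expose
    ids = [recover_id(t) for t in tokens]
    print("recovered ids:", ids, "gaps:", missing_ids(ids))
    print("keyed token reversible:", recover_id(keyed_id(3, b"constructed-key")) is not None)
    print("user-a may view map 3:", can_view(ACL, "user-a", 3))
```

A keyed identifier only stops guessing; if a token leaks, the ownership check is still what prevents access.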
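
For **Web Explorer's Journey** above, the "separating those numbers" step can be done mechanically, because printable ASCII codes are either two digits (32 to 99) or three digits (100 to 126) and only the three-digit ones start with `1`. This is an added example, not part of the original writeup; the decimal string is the one shown on the challenge page, and the hex string is constructed sample input because the real one is not reproduced in the writeup.

```python
def split_ascii_decimals(digits: str) -> list:
    """Split an undelimited run of decimal ASCII codes (printable range 32..126).

    The first digit of each code decides its width: '1' means a three-digit
    code (100..126), anything else a two-digit code (32..99).
    """
    codes, i = [], 0
    while i < len(digits):
        width = 3 if digits[i] == "1" else 2
        token = digits[i:i + width]
        if len(token) != width or not token.isdigit() or not 32 <= int(token) <= 126:
            raise ValueError(f"not a printable ASCII code at offset {i}: {token!r}")
        codes.append(int(token))
        i += width
    return codes

def decode_decimal(digits: str) -> str:
    """Decode an undelimited decimal ASCII string to text."""
    return "".join(chr(c) for c in split_ascii_decimals(digits))

def decode_hex(hex_text: str) -> str:
    """Decode hex bytes (spaces allowed) to ASCII text."""
    return bytes.fromhex(hex_text).decode("ascii")

# Decimal string shown on the challenge page (quoted in the writeup).
PAGE_DIGITS = "1021089710312384101115116957010897103125"
# Constructed hex sample standing in for the values found in the page source.
SAMPLE_HEX = "53 41 4d 50 4c 45"

if __name__ == "__main__":
    print(split_ascii_decimals(PAGE_DIGITS))
    print(decode_decimal(PAGE_DIGITS))
    print(decode_hex(SAMPLE_HEX))
```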