NiteCTF 2022 writeup

Misc

Boys

The challenge gives us a GitHub username: sk1nnywh1t3k1d

On the Overview, I see this user has one project in their repositories, named chat-app, and it has nothing special.

After spending a while looking to be sure, I clicked the commit hash, then added ".patch" to the end of the URL in the address bar.
I found this technique at https://www.nymeria.io/blog/how-to-manually-find-email-addresses-for-github-users

And I can see the GitHub user's email.
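
Seen from the repository owner's side, the same ".patch" view is a way to audit which commits expose a personal address. The sketch below is an added example, not part of the original writeup; the sample patch, SHAs and addresses are constructed, and exposed_author_emails is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample in `git format-patch` layout (what a commit URL + ".patch" returns).
SAMPLE_PATCH = """\
From 1111111111111111111111111111111111111111 Mon Sep 17 00:00:00 2001
From: Example Dev <dev@example.com>
Date: Mon, 26 Dec 2022 10:00:00 +0000
Subject: [PATCH 1/2] add chat window

---
 app.js | 1 +
 1 file changed, 1 insertion(+)

From 2222222222222222222222222222222222222222 Mon Sep 17 00:00:00 2001
From: Example Dev <12345+exampledev@users.noreply.github.com>
Date: Mon, 26 Dec 2022 11:00:00 +0000
Subject: [PATCH 2/2] fix typo

---
 app.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
"""

# Each commit in the patch starts with an mbox-style "From <sha> <date>" line.
COMMIT_START = re.compile(r"^From [0-9a-f]{40} ", re.MULTILINE)
NOREPLY_SUFFIX = "@users.noreply.github.com"

def exposed_author_emails(patch_text):
    """Return [(sha, email)] for commits whose author address is not a GitHub noreply alias."""
    findings = []
    starts = [m.start() for m in COMMIT_START.finditer(patch_text)]
    for begin, end in zip(starts, starts[1:] + [len(patch_text)]):
        msg = message_from_string(patch_text[begin:end])
        sha = msg.get_unixfrom().split()[1]          # second field of the "From <sha>" line
        _, addr = parseaddr(msg.get("From", ""))     # author header written by format-patch
        if addr and not addr.lower().endswith(NOREPLY_SUFFIX):
            findings.append((sha, addr))
    return findings

if __name__ == "__main__":
    for sha, addr in exposed_author_emails(SAMPLE_PATCH):
        print(f"{sha[:12]} exposes {addr}")
```

GitHub's "Keep my email addresses private" setting makes web-based commits use the noreply alias; commits that were already pushed keep whatever address they were authored with.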

By using the epieos tool, I can retrieve information linked to this email.
Other useful tools you can try if epieos does not have the information you need are Ghunt and Holehe.

I accessed Google Calendar and found the flag.

flag: niteCTF{v0ught_n33ds_t0_g0_d0wn}

Travel

This challenge gives us an image file.

Out of habit, I use https://www.aperisolve.com/ to analyze this image.

I found the link in the Exiftool output.

Then I accessed the link, and it led me to a Google Jamboard.

But I can only read it, so I made a copy of it to modify this file

I pulled out the first box and saw a link

I accessed this link and saw nothing special.

I viewed its source and saw a base64-encoded comment; I decoded it and got the string "flag.txt". Reading further in the source, I saw the comment <!-- <p> <b>Go Back in time and get the previous month's menu!!!</b></p> -->

"Go back in time" looks like "Travel back in time for me please" in the description. And the first thing I thought of was the "Wayback Machine".

Go to the URLs tab to see the URLs that have been captured for https://tr4v3l1.netlify.app/

Clicked https://tr4v3l1.netlify.app/flag.txt, then found the flag

flag: nitectf{y0u_w3nt_b4ck_1n_t1m3}

Forensics

Wonka-Bar

This challenge gives us a pdf file.

The first file I downloaded is different from the current file.

I did not realise it until I got stuck and turned to Discord for hints.

So, first, I will go through the first file, and then I will go through the current file.

TheCandyStore.pdf is protected by a password, so I brute-forced it with the rockyou.txt wordlist to find its password.

At first I used hashcat and john, but they did not work :). I think I used them the wrong way, because other people use them normally.

So I used another tool, named pdfcrack:
https://www.kali.org/tools/pdfcrack/

I ran the following command, pdfcrack -f CandyStore.pdf -w rockyou.txt, and waited.

$ pdfcrack -f CandyStore.pdf -w rockyou.txt
PDF version 1.4
Security Handler: Standard
V: 2
R: 3
P: -4
Length: 128
Encrypted Metadata: True
FileID: b16bf5c8a66dac3e924ff5753045861a
U: 6f9bfed42e7c2bf34d93820c2727371028bf4e5e4e758a4164004e56fffa0108
O: 7f444aa3498f9f55c4b118120c8a2e3ae7b4666b6a90514b09285bfaee7a8703
Average Speed: 38346.3 w/s. Current Word: 'total123'
Average Speed: 39363.3 w/s. Current Word: 'lowkill94'
Average Speed: 38104.3 w/s. Current Word: '23607965'
Average Speed: 38856.4 w/s. Current Word: 'trazia'
Average Speed: 37222.7 w/s. Current Word: 'shannon219'
Average Speed: 37599.6 w/s. Current Word: 'poloko_117'
Average Speed: 38023.2 w/s. Current Word: 'mrho71'
Average Speed: 37319.4 w/s. Current Word: 'longwild'
Average Speed: 36971.6 w/s. Current Word: 'juggaloninja'
Average Speed: 37242.3 w/s. Current Word: 'hml880724'
Average Speed: 38856.9 w/s. Current Word: 'ellenrb10'
Average Speed: 38641.4 w/s. Current Word: 'chimchuck'
Average Speed: 38287.2 w/s. Current Word: 'axeltheboy'
Average Speed: 38185.9 w/s. Current Word: 'SALWANI'
Average Speed: 37943.2 w/s. Current Word: 'Apple9876'
Average Speed: 37586.3 w/s. Current Word: '5542090820'
Average Speed: 39081.1 w/s. Current Word: '2014196'
found user-password: '13euro'

Okay, its password is 13euro. Using this password, I opened the pdf file

It has a link and a ciphertext. I clicked the link and it led me to a Meganz link.

I downloaded this zip file but couldn't open it because of the password.

At first I did not think that the ciphertext, after being encrypted, was the zip file's password :). So I used Zydra (https://github.com/hamedA2/Zydra) to crack it.

Oh, after reading the README.md in the Zydra GitHub repository, I just learned that it can also be used to crack PDFs. Okay, I will try it next time.

Using the rockyou wordlist again.
Zydra.py -f <file> -d rockyou.txt

It took me a long time

And then an error:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
                ####### #     # ######  ######     #
                     #   #   #  #     # #     #   # #
                    #     # #   #     # #     #  #   #
                   #       #    #     # ######  #     #
                  #        #    #     # #   #   #######
                 #         #    #     # #    #  #     #
                #######    #    ######  #     # #     #

                Author : Hamed Hosseini
        @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Start time ==> Mon Dec 26 19:53:58 2022

Starting password cracking for /mnt/c/Users/kietbui/tool/Zydra/wonka-bar-golden-ticket.zip /

 [*] Count of possible passwords: 14344391
        Progress : [#                                         ] 3.907 %Traceback (most recent call last):
  File "Zydra.py", line 680, in <module>
        Progress : [#                                         ] 3.907 %    cracker.main()
  File "Zydra.py", line 638, in main
        Progress : [#                                         ] 3.907 %    self.dict_guess_password(dictfile, file)
  File "Zydra.py", line 359, in dict_guess_password
        Progress : [#                                         ] 3.907 %    for word in wordlist:
  File "/usr/lib/python3.8/codecs.py", line 322, in decode
    (result, consumed) = self._buffer_decode(data, self.errors, final)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xf1 in position 923: invalid continuation byte
        Progress : [#                                         ] 4.183 %
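
The traceback above is raised while iterating the wordlist, not while reading the zip: rockyou.txt contains entries that are not valid UTF-8, and text-mode iteration with the strict UTF-8 codec stops at the first such byte. The sketch below is an added example, not Zydra's code; the three-entry wordlist is constructed, and the function names are hypothetical.

```python
import os
import tempfile

# Constructed wordlist: the second entry holds byte 0xf1 ("ñ" in Latin-1), which is
# not valid UTF-8 when followed by an ASCII letter, like the byte in the traceback.
SAMPLE_WORDLIST = b"123456\nni\xf1o2010\n13euro\n"

def read_strict_utf8(path):
    """The failing pattern: text-mode iteration with the strict UTF-8 codec."""
    with open(path, encoding="utf-8") as wordlist:
        return [word.rstrip("\n") for word in wordlist]

def read_candidates(path):
    """Read candidates as raw bytes so no entry is dropped or altered by decoding.
    Opening with encoding="latin-1" also works, since every byte maps to a character."""
    with open(path, "rb") as wordlist:
        return [line.rstrip(b"\r\n") for line in wordlist if line.strip()]

def demo():
    """Return (strict_error, candidates) for the constructed wordlist."""
    with tempfile.NamedTemporaryFile(delete=False) as handle:
        handle.write(SAMPLE_WORDLIST)
    try:
        try:
            read_strict_utf8(handle.name)
            strict_error = None
        except UnicodeDecodeError as exc:
            # Offending byte value and the codec's reason, as in the traceback.
            strict_error = (exc.object[exc.start], exc.reason)
        return strict_error, read_candidates(handle.name)
    finally:
        os.unlink(handle.name)

if __name__ == "__main__":
    error, candidates = demo()
    print("strict UTF-8 read failed on:", error)
    print("binary read kept:", candidates)
```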

I thought it was corrupted, so I turned to Discord for any support or hints.
And as I mentioned above, they had replaced it with a new file.
So I downloaded the new file and used the password I had found to open it.

Its content has changed a little.
The link is different and they emphasize "chance".

The link also leads me to Meganz.

Back to CandyStore.pdf: as you can see, the ciphertext and the word "chance" have been emphasized. A ciphertext and a key, so what type of cipher do you think it is?
It's the Vigenère cipher.
https://en.wikipedia.org/wiki/Vigenère_cipher

After decrypting the ciphertext with the key, I receive the plain text, and it is the zip password (I also use this password with the old zip file above, and it works).

After extracting, I get a folder.

I open the obj file; it's a 3D object.

After analyzing it for a while, I discovered a ticket with a link inside.

The link is http://bit.ly/g01d3nt1ck3t, and it leads me to the Meganz again.

I downloaded it and put it into the Aperi'Solve tool to analyse.
Using exiftool, I saw that the comment is the ciphertext.

I solved the quadratic equation and got x = 13 and x = 5. Then I tried to identify what kind of cipher this is, and https://www.dcode.fr/cipher-identifier is quite useful (sometimes it sucks :) ).

I tried Keyboard Shift Cipher, but it did not work; then I tried ASCII Shift Cipher and found the flag.

And this time, I realised what x = 5 means: I just need to subtract 5 ASCII offsets from each character of the ciphertext to get the original string.

I removed &quot;, which is an HTML entity, and then I got the flag.

flag: niteCTF{3arth_says_h3ll0}