NiteCTF 2022 writeup
Misc
Boys
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
Challenge gives us a Github user name sk1nnywh1t3k1d
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
Overview I see this user has a project in the repositories, its name is chat-app. And it has nothing special
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
After spending a while looking for sure, I click commit hash, then add ".patch" to the end of the url bar.
I found this way from https://www.nymeria.io/blog/how-to-manually-find-email-addresses-for-github-users
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
And I can see Github user's email
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
By using epieos tool, I can retrieve information linked to this email.
Other useful tools you can try if epieos does not have information you need are Ghunt and Holehe.
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
I accessed google calendar and found the flag
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
flag: niteCTF{v0ught_n33ds_t0_g0_d0wn}
Travel
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
This challenge gives us an image file.
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
Out of habit, I use https://www.aperisolve.com/ to analyze this image.
I found the link in Exiftool
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
Then I accessed the link, it lead me to google jamboard
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
But I can only read it, so I made a copy of it to modify this file
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
I pulled out the first box and saw a link
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
I accessed to this link and saw nothing special
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
I viewed its source, then I saw a comment encoded base64, decoded it and I received string "flag.txt". Keep reading source, I saw the comment <!-- <p> <b>Go Back in time and get the previous month's menu!!!</b></p> -->
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
"go back in time", it looks like "Travel back in time for me please" in the description. And the first thing I thought is "Way back machine"
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
Go to URLs tab and see urls that being captured for https://tr4v3l1.netlify.app/
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
Clicked https://tr4v3l1.netlify.app/flag.txt, then found the flag
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
flag: nitectf{y0u_w3nt_b4ck_1n_t1m3}
Forensics
Wonka-Bar
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
This challenge gives us a pdf file.
The first file I downloaded is different from the current file.
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
I did not realise it until I stuck and sought Discord for hints.
So, first, I will go through the first file, and then I will go through the current file.
TheCandyStore.pdf
is protected by password. So I bruteforce by rockyou.txt wordlist to find its password.
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
Firstly I used hashcat
and john
, but it does not work :), I think I used it the wrong way because other people use them normally.
So I used another tool, its name pdfcrack
https://www.kali.org/tools/pdfcrack/
I did following command pdfcrack -f CandyStore.pdf -w rockyou.txt
and waited.
Okay, its password is 13euro
. Using this password, I opened the pdf file
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
It has a link and ciphertext. Click the link and it lead me to the Meganz link
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
I downloaded this zip file but couldn't open it because of the password.
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
Firstly I did not think the ciphertext after being encrypted is the zip file's password :). So I used Zydra (https://github.com/hamedA2/Zydra) to crack it.
Using the rockyou wordlist again.
Zydra.py -f <file> -d rockyou.txt
It took me a long time
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Learn More →
And error
I thought it's corrupted. So I sought Discord for any support or hints.
And as I mentioned above, they replaced new file.
So I downloaded new file and using the password I found to open it.
Its content has a little change.
The link is different and they emphasize "chance".

The link also leads me to Meganz.

Back to CandyStore.pdf, as you can see, the Ciphertext and the word "chance" have been emphasized. Ciphertext and key, what type of cipher do you think?
It's Vigenere cipher.
https://en.wikipedia.org/wiki/Vigenère_cipher
After decrypting the ciphertext with the key, I receive the plain text, and it is the zip password (I also use this password with the old zip file above, and it works).

After extracting i get a folder.

I open obj file, it's 3D object.

After a while analyze it, I discovered a ticket with the link inside

The link is http://bit.ly/g01d3nt1ck3t, and it leads me to the Meganz again.

Downloaded it and put it into the Aperi'Solve tool to analyse.
Using exiftool, I saw in the comment that is the cipher text.

I solved the Quadratic equation and x = 13 and x = 5. Then, I try to identify what kind of this cipher and https://www.dcode.fr/cipher-identifier is quite useful (sometimes it sucks :) )

I try Keyboard Shift Cipher but it does not work, then I try ASCII Shift Cipher and found the flag.

And this time, I realise what is x = 5 means, I just need to subtract 5 ASCII offsets from each character of the ciphertext to get the original string.

I removed "
, it is HTML Entities then I got the flag.

flag: niteCTF{3arth_says_h3ll0}