# LKS SMK TELKOM MAKASSAR 2025 CYBER SECURITY: COMPETITION OF THE EARNEST EXPERTISE WRITE-UPS
Greetings, welcome to my LKS SMK TELKOM MAKASSAR 2025 CYBER SECURITY: COMPETITION OF THE EARNEST EXPERTISE write-ups. This is an inner CTF event that was organized by my school to qualificate to the LKSN 2025. The categories on this CTF are mainly web exploitation with some cryptography and miscellanous challenges.
## Table of Contents
1. Miscellanous
a. SANITY
b. Tebak-Tebak
2. Cryptography
a. -- --- .-. ... . (Morse)
b. Piano..
c. Rel
d. XV
3. Web Exploitation
a. Danantara
b. Flag_store
c. Fufufafa
d. Javascript Object Notation
e. Judol - Kids version
f. One Time Password
g. STELKERS
h. SendTheSong
i. Structured Query Language?
j. Structured Query Language
## 1. Miscellanous
### a. SANITY
The competition fields that I enrolled for this LKS event is Cyber Security. Wrap it inside the given flag format and you're good to go.
Flag:
LKS{Cyber_Security}
## b. Tebak-Tebak
Given the *ssh* credentials for this challenge. I went to Kali Linux and entered the provided credentials.
Sadly, I do not have the image to show you for this challenge since I forgot to capture the image of the processes. But I will break it down for you.
In this challenge, you have to guess a numbers from the range of 1 - 1000 in only 10 guesses. Every time you restart the instance, the numbers you have to guess will be randomized.
I solved this by starting with a guess of 500, a good balance in between high or low numbers. I remembered that it said higher. So then I tried 900, and it said higher again. But when I entered 950, it said lower.
I guessed and I guessed until at my last guesses attempt, I finally guessed the correct randomized numbers, in which, if I remembered correctly, was 924.
Flag:
LKS{did_u_guess_or_calculate_it?}
## 2. Cryptography
### a. -- --- .-. ... . (Morse)
Just like the name, all you have to was to decode this morse code into a plaintext. I used cryptii.com as always since it's very simple and convenient.
As you can see, at the end of the sentences, there was an unwrapped flag with a format of "lks". So, I wrapped the flag inside the default format of this event flag.
Flag:
LKS{iloveandhate_pramuka}
### b. Piano..
This is a music sheet cipher. To decode this, I used dcode.fr since it has a music sheet cipher decoder.
Given the decoded plaintext, there was a flag with "LKS" in front of it. I wrapped the flag inside the default format of this event flag.
Flag:
LKS{ILOVEPIANO}
### c. Rel
The descriptions of this challenge gave us a very specific hint of what kind of cipher this text was. It said that the author's friend has been talking all day about a train and a "rail". Noticing the word rail, I immediately realised that this was a railfence cipher.
I used cryptii.com to decode this railfence cipher, and this is what I got.
Flag:
LKS{Rel_kereta_api}
### d. XV
Here is the full decoded text provided in the description.
```
Vm0wd2QyUXlVWGxWV0d4V1YwZDRWMVl3WkRSV01WbDNXa1JTV0ZKdGVGWlZiVFZyVmxVeFYyTkljRmhoTVhCUVZqQmFZV015U2tWVWJHaG9UV3N3ZUZacVFtRlpWMDE1VTJ0V1ZXSkhhRzlVVm1oRFZWWmFkR1ZHV214U2JHdzFWa2QwYzJGc1NuUmhSemxWVm0xb1JGWldXbUZqVmtaMFVteHdWMDFWY0VwV2JURXdZVEZrU0ZOclpHcFNWR3hoVm1wT1UxSXhjRlpYYlVacVZtdGFNRlZ0ZUZOVWJVWTJVbFJHVjFaRmIzZFdha1poVjBaT2NtRkhhRk5sYlhoWFZtMHdlR0l4U2tkWGJHUllZbFZhY2xWcVFURlNNVlY1VFZSU1ZrMXJjRmhWTW5SM1ZqSktWVkpZWkZkaGExcFlXa1ZhVDJNeFpITmhSMnhUVFcxb1dsWXhXbXROUjFGNVZXNU9hbEp0VWxsWmJHaFRWMFpTVjJGRlRsTmlSbkJaV2xWYVQxWlhTbFpqUldSYVRVWmFNMVpxU2t0V1ZrcFpXa1prYUdFeGNGbFhhMVpoVkRKTmVGcElUbWhTTW5oVVZGY3hiMWRzV1hoYVJGSnBUV3RzTlZadE5VOVdiVXBIVjJ4U1dtSkhhRlJXTUZwVFZqRndSMVJyTlZOaVJtOTNWMnhXYjJFeFdYZE5WVlpUWWtkU1lWUlZXbUZOTVZweFUydDBWMVpyY0ZwWGExcDNWakZLVjJOSWJGZFdSVXBvVmtSS1QyTXlUa1poUjNCVFlYcFdXVlpYY0U5aU1XUnpWMWhvWVZKR1NuQlVWbHBYVFRGU1ZtRkhPVmROVjFKSldWVmFjMWR0U2toaFJsSlhUVVp3VkZacVJtdGtSa3AwWlVaa2FXRXdjRWxXYlhCTFRrWlJlRmRzYUZSaE1sSnhWV3RXUzJGR1ZYZGhSVTVUVW14d2VGVnRNVWRWTWtwV1ZtcGFXbFpXY0doWlZXUkdaVWRPU0U5V2FHaE5WbkJ2Vm10U1MxUXlUWGxVYTFwaFVqSm9WRlJYTVc5bGJHUllaVWM1YVUxWFVucFdNV2h2V1ZaS1IxTnVRbFZXYkhCWVZGUkdVMVp0UmtoUFZtaFRUVWhDU2xac1pEUmpNV1IwVTJ0b2FGSnNTbGhVVlZwM1ZrWmFjVkp0ZEd0V2JrSkhWR3hhVDJGV1NuUlBWRTVYVFc1b1dGZFdXbEpsVmtweVdrWm9hV0Y2Vm5oV1ZFSnJUa1prUjFWc1pGaGhNMUpVVlcxNGQyVkdWbGRoUnpsb1RWWndlbFl5Y0VOWGJGcFhZMFJPV21FeVVrZGFWV1JQVWxaa2MxcEhiRmhTVlhCS1ZtMTBVMU14VlhoWFdHaFlZbXhhVjFsc1pHOVdSbXhaWTBaa2EwMVdjRmxhVldNMVZXc3hXRlZzYUZkTlYyaDJWMVphUzFKc1RuUlNiR1JwVjBVME1GWkhkR0ZoTWs1elYyNVNhMUp0YUZSVVZXaERUbFphU0dWSFJtcE5WMUl3VlRKMGIyRkdTbk5UYlVaVlZteHdNMXBYZUhKbFZURldXa1pPYVZKcmNEWldhMk40WXpGVmVWTnVTbFJpVlZwWVdWUkdkMkZHYkhGVGExcHNVbTFTZWxsVldsTmhSVEZ6VTI1a1YxWXpVbWhWZWtaYVpVWldjMkZGT1ZkaGVsWjZWMWQwWVdReVZrZFdXR3hyVWtWS1dGUldXbmRsVmxsNVpVaGtXR0pHY0ZoWk1HaExWakpHY2xkcmVGZE5WbkJJV1RJeFIxSXlSa2hpUms1cFUwVktNbFp0TVRCVk1VbDVVbGhvWVZKWFVsZFpiWFIzWVVaV2RHVkZkR3BTYkhCNFZUSXdOV0pIU2toVmJHeGhWbGROTVZsV1ZYaGpiVXBGVld4a1RtRnNXbFZXYTJRMFV6RktjMXBJVmxSaVJscFlXV3RhZG1Wc1pITlhiVVpXVFZac05GWXlOVk5oTVVwMFZXNUNWMkpIYUVSVk1WcGhZMVpPY1ZWc1drNVdNVWwzVmxSS01HSXlSa2RUYms1VVlrZG9WbFp0ZUhkTk1WbDNWMjVLYkZKdFVubGFSV1IzWVZaYWNtTkZiRmRpUjFFd1dWUktSMVl4Y0VaYVJrNW9Za2hDV1ZkWGVGTlNhekZIVjJ4V1UySklRbk5WYlRGVFYyeGtjbFpVUmxkTmEzQllWVEkxYjFZeFdYcGhTRXBYVmtWYWNsVnFSbGRqTWtaR1QxWmtWMVpHV2pKV2JHTjRUa2ROZDAxSWFGaFhSM2hQVm14a1UxWXhVbGhrU0dSVFRWWktlbFpYZEU5WFIwcEhZMFpvV2sxR1NsQldNbmhoVjBaV2NscEhSbGRXTVVwUlZsUkNWazVXV1hoalJXUmhVbXMxV0ZZd1ZrdE5iRnAwVFZSQ1ZrMVZNVFJXVnpWVFZqSktTRlZzVmxwaVdGSXpXV3BHVjJOV1RuUlBWbVJUWWxob05WWnRNREZoTVZsNFYyNU9hbEpGU2xaV2JGcExVMFphV0dNemFGaFNiRnA1V1ZWYWExUnRSbk5YYkZaWFlUSlJNRmxVUms5U01WcDFWR3hvYVZKc2NGbFdSbEpIVXpBMWMxZHJhR3RTTUZwWldXeGFZVk5XVm5Sa1J6bFdVbXhzTlZsVmFFTldiVXBJWVVWT1lWSkZXbWhaZWtaM1VsWldkR05GTlZkTlZXd3pWbXhrTkdJeVNYaFhXR2hoVWxkb2IxVnFRbUZXYkZwMFpVaGtUazFZUWxsYVZXaExZa1paZUZkcmNGaGhNWEJRVmtkNFlXTnRUa1ZXYkdSVFRUSm9iMVpyVWt0U01WbDRWRzVPWVZJeWFFOVVWM2hMVjFaa1dHVkhPVkpOVlRFMFdUQmFZVll4WkVoaFJsSlZWbTFTVkZwWGVITldiR1J6Vkcxb1YyRXpRWGhXVm1NeFlqRlplRmRZY0doVFJuQlhWbXRXWVZsV2NGWlhiWFJyVm10d2VsWnRNWE5XTVVsNllVWndWMkpIVGpSVWEyUlNaVlphY2xwR1pHbGlSWEJRVm0xNGExVXhaRWRWYkZwV1lUSlNjMVp0ZUV0bGJGcDBUVVJXVjAxRVJsZFpibkJMVm0xS1dWVnVXbGRoYTFwb1ZXMTRhMk50VmtkYVIyaG9UVEJLVWxac1kzaE9SbXhZVkZob2FsSlhhSEJWYlhNeFZERmFjMWRzY0d4aVJuQXdXbFZrUjFack1WWmlSRkphWVRGd2NsWXdaRXRqYlU1R1QxWmthVmRIWjNwV2FrSmhZekZrV0ZSclpHRlNiVkpVV1d0YWQwNVdXblJOVkVKYVZteEdORlp0ZUZkVWJFcElZM3ByUFE9PQ==
```
As you can see at the end of the code, there was a double equal, which means that this was a "Base64" encoded text.
So, I used CyberChef to perform a multiple Base64 decode since this encoded Base64 text looked too long if it's only decoded 1 time.
The "XV" in the title of this challenge represents the amount of decoding you have to do, which was 15 times.
Flag:
LKS{Dont_know_what_toaddsoilovebase64XV}
## 3. Web Exploitation
### a. Danantara
This challenge gave you a vulnerable website without telling you what kind of vulnerability was inside of it. As you can see, the hint said that you have to look at the "publication" section to find the secret.
I clicked the link and quickly observe the traffic at the "publication" section using BurpSuite.
Nothing seems fishy. But what if I clicked the documents?
The endpoint "baca" and the parameter "dokumen" looked like a vulnerability named *LFI (Local File Inclusion)*. In which, if you type "../../../etc/passwd", it will reveals the lists of all user accounts on the Linux system.
I typed the command below and this is what I got.
It's an *LFI* vulnerability indeed.
Last step was to tried typing "flag.txt" to see if I can get anything.
There it is. Took me 3 hours to solve this challenge.
Flag:
LKS{unconvered_mysteries}
### b. Flag_store
This is the challenge page.
By clicking the link, it led me to a shopping-like website.
It said that there was a "Super Secret Flag". Hmm, seems fishy enough.
I added it to the cart and clicked the checkout link while the intercept on my BurpSuite was on to observe the incoming traffic andd analyze it.
It said "Insufficient balance". Well, of course, since I only have 1000 credits while the price of that "Super Secret Flag" was 999999 credits. But as you can see on the right at the last code, there is something that said "discount: 0".
I tried to manipulate it into "discount: 999999" to see if it worked. And turns out, it was.
Flag:
LKS{m4ss_4ss1gnm3nt_4nd_l0g1c_3rr0r_1s_b4d}
### c. Fufufafa
Given the challenge description that we have to breach the security questions of an account with a username of "fufufafa". It also said that this challenge was a combination of web exploitation and an OSINT. Interesting.
I clicked the link and observe the page.
Nothing interesting on the main page. So I clicked the "login" and this is what I got.
I clicked the "forget password" in order to breach the account.
Given the username "fufufafa" that we have to breach, I entered it.
It said that we have to enter the first 5 letter of his email. It's time to do the research.
The username "fufufafa" publicly rumoured as an account of our current Vice President of Indonesia, Mr. Gibran Rakabuming Raka. So, I searched on Google about "fufufafa email", and to my surprise, it quickly shown me the email information of this "fufufafa" account.
So, the first 5 letter was "chili". But there was a slight error on the website, so it was "chilli" instead.
Next question was about 5 last number of his handphone.
I searched on Google again about "fufufafa handphone number", and this is what I found.
The last 5 number of his handphone was "28233". I entered it on the website and this was the next question.
His middle name was "Rakabuming".
After entering all the needed questions, the server got an error.
So, the supervisor send me the flag through Telegram instead.
Flag:
LKS{j3j4k_d1g1t4l_s3l4lu_m3mb3k4s}
### d. Javascript Object Notation
It said that this challenge was about *JSON*.
I clicked the website and observed it.
The challenge just wanted you to correct the provided JSON below like the example.
After correcting the JSON, I got the flag.
Flag:
LKS{j50n_m4st3ry_4ch13v3d}
### e. Judol - Kids version
Given a gambling-like website like this.
I analyzed the source code, and this is what I found.
This looked like it can be manipulated. So, I went to BurpSuite and analyze the traffic.
I turned the intercept on when I clicked spin, and this was the upcoming traffic that I intercepted.
A jackpot can be obtained by changing all the reels to "100".
I did this for 10 times, and I got the flag.
Flag:
LKS{jangan_main_judol_ya_janganyadekyayaya}
### f. One Time Password
Given a login page website with an OTP authentication in it.
I entered the provided credentials and analyzed the traffic in BurpSuite history.
By entering the code, you got the flag.
Flag:
LKS{mf4_byp4ss_th3_OTP_l34k}
### g. STELKERS
This challenge requires you to analyze the traffic of this school website and obtain the informations needed in the descriptions.
I opened the website and logged in using my own credentials. Then I intercepted the traffic in BurpSuite to find something fishy. To my surprise, it's quite quick.
From here, I only need to obtain the private informations needed for each person and wrap it inside the flag format.
Flag:
LKS{544231149_544231133_12860034_21970020}
### h. SendTheSong
Given a website that can send and view a song notes like this.
It was said that the ID could led to something. And yes, it was indeed.
Note ID number 10 said that the ID validation has to be tightened. It was also said that I have to look for a specified ID.
After scrolling through each notes ID, I finally found the flag in the 100th ID.
Flag:
LKS{Uhavesendthesongforanflag}
### i. Structured Query Language?
It was said that this challenge used *NoSQL*, which means that *SQL Injection* method won't work.
I clicked the website and I got this login page.
I tried entering *SQL Injection syntax*, but it didn't work.
So, I searched on Google about how to breach the *NoSQL* login page using BurpSuite, and I found one on *Medium* that helped me.
It said that the intercepted traffic on BurpSuite can be manipulated. And so, I did the same.
I logged in, but not as an admin.
I scrolled through the *Medium* post once again, and looked at the syntax commands.
The problem was that I put "ne" at the "user", which meant "not equal to". In order to log in as an admin, I have to be the admin. So the correct syntax was "in" so that it matches the value of an "admin".
By entering the corrected syntax, I found the flag.
Flag:
LKS{I_thought_there_was_only_SQL-Language_for_Databases}
### j. Structured Query Language
For this challenge, all you have to do was no an *SQL Injection* method into the login page.
Username: admin
Password: ' or '1'='1
Flag:
LKS{SQL_1NJ3CT10N_L0G1N_BYP4SS_M4ST3R}
Sign in with Wallet
Connect another wallet