# URCHINSEC CTF MMXXII WRITEUP i avoided to be an organizer so i could play on this CTF after finishing a UE :grinning::grinning::grinning::grinning: ![](https://i.imgur.com/s1jN9PF.png) so here are my solves ## DISCORD CHALLENGES ### WELCOME [50 Points] ![](https://i.imgur.com/QvtfY5a.png) **solution** joined the server under #urchinsec-ctf-rules! channel we flag : urchin{welcome_hacker!!} ![](https://i.imgur.com/vx46lLW.png) **** ### urchinbot [50 Points] ![](https://i.imgur.com/tvTWToo.png) **solution** i didnt solve it because the bot was acting weird so the free flag was given flag : urchin{y0u_c4n_pl4y_witH_BOTS} ![](https://i.imgur.com/jeWxbpj.png) **** ## OSINT CHALLENGES ## ### dummies [100] ![](https://i.imgur.com/hSk2lWG.png) **solution** i just took some text and google it flag : urchin{lorem_ipsum} ![](https://i.imgur.com/YAPGgvA.png) **** ### welcome To OSINT [100] ![](https://i.imgur.com/uthW6im.png) **solution** easy challenge also like previously you just need to google but if you are familiar with type a question you are already know the answer flag : urch{ransomware} ![](https://i.imgur.com/fgMExKm.png) **** ### Zipped [150 points] ![](https://i.imgur.com/QtcqNiJ.png) **solution** i downloaded the picture and its look like ![](https://i.imgur.com/LiAwxiW.png) i guessed this must be dar es salaam and i dont actually live Dar es salaam haha, but i was able to solve early, `osint way like pro` googled `building with telecom tower in dar` ![](https://i.imgur.com/I8kCda9.png) see the third result its **Airtel headquarter** so since i dont live dar i had to call my young bro to tell where exactly state located and he told me **mikocheni** look at tcra zip code ![](https://i.imgur.com/lIzWYbD.png) boooom flag : urchin{14112} ***** ## FORENSICS CHALLENGE ### Streams [100 points] ![](https://i.imgur.com/eHbuRNS.png) **solution** we were given a pcap file so a wireshark tool is a way to go, so the first thing to look is for **http** request since its easy challenge ![](https://i.imgur.com/F7RK1Oy.png) then follow **tcp stream** we got flag ![](https://i.imgur.com/WeH3CMU.png) flag : urchin{wireshark_1s_pr3tty_g00d_f0r_analys!NG} **** ### Duck Duck Dock [150 points] ![](https://i.imgur.com/5kFhz6x.png) **solution** i took so long to solve this because i was thinking the hard way, using dive ![](https://i.imgur.com/Eh0EEPv.png) exploring a docker layers found this existing file /opt/jump.sh ![](https://i.imgur.com/hMxn5Zx.png) i extracted the file and found weird texts ![](https://i.imgur.com/Vp3MwyY.png) using chef ![](https://i.imgur.com/ppfiAYk.png) i struglled with this output until i found because chef didnt decode some character well flag : urchin{d>cker_f>rensics_is_fun} **** ### Meta [150 points] ![](https://i.imgur.com/tDZrsa6.png) **solution** using exiftool to see meta data since challenge called meta ![](https://i.imgur.com/9B9RE5w.png) using chef to decode strings from **Artist** section ![](https://i.imgur.com/68qnuh7.png) flag : urchin{metadatas_4re_v3ry_int3r3sting_stuff} **** ### virxx [200 points] ![](https://i.imgur.com/xUiZWWS.png) **solution** well, challenge name virxx?? what virus? mhhhhh opening file ![](https://i.imgur.com/5mGK8M5.png) just a strings!! came back to challenge name , its obviously this strings is a reverse shell payload so its always treated like virus... then what?? upload to virustotal ![](https://i.imgur.com/KemJNY1.png) oh we get the flag there flag : urchin{basic_skill_in_mal_analysis} **** ## CRYPTOGRAPHY CHALLENGES ## ### Base [100 points] ![](https://i.imgur.com/NASq1kH.png) **Solution** well since its marked as easy since its weird strings then base85 is a way to go base85 ![](https://i.imgur.com/H6JsD2a.png) base58 ![](https://i.imgur.com/QGQTXdf.png) last base64 ![](https://i.imgur.com/5Fb7G6D.png) boom flag : urchin{base64_encoding_is_easy} *** ### Table [100 points] ![](https://i.imgur.com/kLeSlZO.png) **solution** got one solve?? mhhhhh!!! when since its a table things then lets consider about vigenere cipher ehh but vigenere works with KEY EHH, then what is it? guessing key : urchin we get ![](https://i.imgur.com/8vDEtnl.png) ooops we are close i am able to decode initial urchin , so the organixation actual is urchinsec why not try as key????? ehh then key : urchinsec ![](https://i.imgur.com/RX2RRtW.png) booom!!! we get flag easy piiz flag : urchin{vigener3e_1s_34szpiz} *** ### Owner [100 points] ![](https://i.imgur.com/BxV5GTI.png) **solution** its a hash , from my brain its actually a md5 but let prove it ![](https://i.imgur.com/cLbykCO.png) ok i know google is a best tool for cracking md5 outhere hahah just copied to google and it gave me ![](https://i.imgur.com/pATjTUk.png) flag : urchin{admin} *** ### Morbase [150 points] ![](https://i.imgur.com/tsmk0yL.png) **solution** well its a morse code decoding using chef ![](https://i.imgur.com/AmQ36MK.png) the resuls is full capital letters and also its a base64 `why base64?` `answer` : loo at first DXJJAGLUE fromoutput its actually a urchin word ![](https://i.imgur.com/w8JDCjJ.png) if you solved this then you will know the struggle because base64 care about case, so that means output of a and A is different, after manually fixing ![](https://i.imgur.com/NVNXO8Z.png) boom falg : urchin{l!f3_1s_b34ut!ful!!} *** ## REVERSE ENGINEERING CHALLENGE aint my things but i can do easy one LOOOL!!! ### Add [100 points] ![](https://i.imgur.com/BnzU8VQ.png) **solution** we were given binary so i downloaded and run it we were asked what two number makes 2022110 so its simple ![](https://i.imgur.com/9bQmyVx.png) boom!! flag : urchin{fairly_34SyyT0_g3t} *** ### welcome [100 points] ![](https://i.imgur.com/efZjjbn.png) **solution** easy one , just run the binary and get flag ![](https://i.imgur.com/bpAYVKH.png) boom flag : urchin{welcome_to_urchin_sec_ctf_2022} *** ### HellorUser [100 points] ![](https://i.imgur.com/1JWJaVE.png) **solution** static analysis mhh!!, manually?? then lets start with strings ![](https://i.imgur.com/aWjsULl.png) boom!!! am a RE engineer haha!! flag : urchin{hellouser_GO_r3v3rsing_GO} *** ### CC [150 points] ![](https://i.imgur.com/OIjXGxo.png) **solution** well the same way lets start with strings thou ![](https://i.imgur.com/VyE3HGw.png) we got some hex value using chef ![](https://i.imgur.com/J0dmuZ7.png) boom!! flag : urchin{r3p0rt_r3p0rt_CC_d} *** ## WEB CHALLENGES ### Around ![](https://i.imgur.com/5vYNjZT.png) **solution** from the name its all about LOOKING AROUND and get a flag haha under main.js source code we get ![](https://i.imgur.com/N7HmKak.png) under main.css source code ![](https://i.imgur.com/GsbpAdT.png) what more? what first? look at robots.txt ![](https://i.imgur.com/yMyD3L0.png) boom!!! flag : urchin{moving_i5_fUN_b11_rockingggg1} *** ### Panel [ 100 points] ![](https://i.imgur.com/T6y6HTe.png) **solution** well the first hint is look at robots.txt ![](https://i.imgur.com/a13lvZm.png) we got /secret.php look at source code we got user:admin and password:V1ZkU2RHRlhOV2hrUjFaclRWUkplazVCYnowSwo= decoding it ![](https://i.imgur.com/35Ewstw.png) login with decoded password adminated1234 ![](https://i.imgur.com/Ck3Xaqh.png) boom!! flag : urchin{l33t_1337_L337_Hxxx0r} *** ### En-Code [100 points] ![](https://i.imgur.com/q8P1ad6.png) **solution** look at source code we get weird strings ![](https://i.imgur.com/bYNOpkq.png) using chef i gave a shot to base85 ![](https://i.imgur.com/Onyse1q.png) boom flag : urchin{html 1s c00l} *** ### HeadStart [ 150 points] ![](https://i.imgur.com/tpsvICK.png) **solution** first i thought an error was not intended lol, then later i had do directory search and found ![](https://i.imgur.com/m3hHEmL.png) i started with source endpoint ``` from flask import Flask, request, jsonify, render_template, url_for from decouple import config import jinja2_highlight class MyFlask(Flask): jinja_options = dict(Flask.jinja_options) jinja_options.setdefault('extensions',[]).append('jinja2_highlight.HighlightExtension') app = MyFlask(__name__) flag = config('FLAG') @app.route('/') def index(): data = {'error':'Endpoint Specified Is Not Recognized'} return jsonify(data) @app.route('/getflag', methods=["PEWPEW"]) def getflag(): if request.method != 'PEWPEW': data = {'error':'something went wrong'} return jsonify(data) else: data = {'success':f'{flag}'} return jsonify(data) @app.route('/source') def source(): return render_template('index.html') if __name__ == '__main__': app.run() ``` above code found on source endpoint, so actually there route called /getflag but only accept PEWPEW method to read a flag ohhh pewpew get a flag ![](https://i.imgur.com/3RjdwsO.png) boom!!! flag : urchin{m3th0ds_4re_F4scin@ting} *** ### Route ![](https://i.imgur.com/eygH9tY.png) **solution** opened the page on dowload navigation i got since we were told to get flag.txt then i changed to ![](https://i.imgur.com/FZf5Suq.png) boom!! flag : urchin{LFI_pr3tty_l4m333} *** ### login ![](https://i.imgur.com/ydKxOJB.png) **solution** there login page !! lookin for source code we found view-source: javascipt weird so i had to beautify it we get ``` (async () => { await new Promise(((_0x1f3ax1) => { return window['addEventListener']('load', _0x1f3ax1) })), document['querySelector']('form')['addEventListener']('submit', ((_0x1f3ax1) => { _0x1f3ax1['preventDefault'](); const _0x1f3ax2 = { u: 'input[name=username]', p: 'input[name=password]' }, _0x1f3ax3 = {}; for (const _0x1f3ax1 in _0x1f3ax2) { _0x1f3ax3[_0x1f3ax1] = btoa(document['querySelector'](_0x1f3ax2[_0x1f3ax1])['value'])['replace'](/=/g, '') }; return 'YWRtaW4' !== _0x1f3ax3['u'] ? alert('Incorrect Username') : 'dXJjaGlue3Bld19wZXdfcGV3X3Bld19wZXdfcGV3fQo' !== _0x1f3ax3['p'] ? alert('Incorrect Password') : void(alert(`${'Correct Password! Your flag is '}${atob(_0x1f3ax3['p'])}${'.'}`)) })) })() ``` oops there kind of weird strings lets decode in chef ![](https://i.imgur.com/hT2xRUb.png) boom!! flag : urchin{pew_pew_pew_pew_pew_pew} *** ### Route II ![](https://i.imgur.com/xpEhXyf.png) **solution** spend time with this easy challenge lmao, ![](https://i.imgur.com/K0p44fi.png) above error is LFI , exploiting using ![](https://i.imgur.com/PUbsR6c.png) but i could not get flag because it was not in php file and i was able only get lfi for php extension so i had to bruteforce!! ![](https://i.imgur.com/5dYgKrb.png) then ![](https://i.imgur.com/yKfMN33.png) boom !! easy as hell flag : urchin{RFI_@@@__PPEWWPEWW} *** ## MACHINE CHALLENGES ### Urchinbank -User ![](https://i.imgur.com/PnWhl57.png) **solution** for this challenge i could solve in time because i missed some potential info in dns enumaration but this is way to solve the box which i believe only user is hard !! first to deal with challenge that you were given a domain which is not public is to add in /etc/hosts ![](https://i.imgur.com/i4Lg8mf.png) first i added urchinbank.com alone then api and ibank was added later after i found it Domain enumaration ![](https://i.imgur.com/ThQAnZf.png) found .git in api.urchinbank.com ![](https://i.imgur.com/txaDg0S.png) dump those source code via git-dumper ![](https://i.imgur.com/jvMXHbR.png) dumped source code ![](https://i.imgur.com/ZqEcilX.png) in app.py there upload class where it takes strings and there opened with os.popen() method which actually led to command injection Bingo ``` class UploadFile(Resource): def post(self): try: parser = reqparse.RequestParser() parser.add_argument( 'file', type=str, help='File Required to be downloaded') args = parser.parse_args() _fileLink = args['file'] if _fileLink != "": cmd = str(_fileLink) msg = os.popen(f'{cmd}').read() return {'StatusCode': 200, 'Message': str(msg)} except Exception as e: return {'error': str(e)} ``` i could go further because the server with port 8080 was down but i shared a progress for user from here you can finish by creating payload and sent to server using endpoint ![](https://i.imgur.com/c3mUxtD.png) example ``` curl -XPOST api.urchinbank.com:8080/upload -d "file=id" ``` thanks for **ChainPeter** for giving a hint to this challenge after competition ended!! --- THANKS FOR READING!!! @malwarepeter