Hacktober CTF 2020 Write-Up
Hacktober CTF is a 2-day event organized by Cyber Hacktics. It ran from 9am CDT on Friday, October 16, to 9pm CDT on Saturday, October 17.
In this event I played with my friends from Myanmar (you can check his blog here), and we solved 38 of 47 challenges. To start playing you first need to solve the Start category; once all of those are solved, the site automatically releases the real challenges. In this write-up I am not going to cover the Start category, and some challenges were solved by my friend, so I do not write about those here either.
Cryptography
1. Hail Caesar!
This challenge is pretty easy: you just need to decode the string. I used the dcode.fr website and then wrapped the result in the flag format.
Flag: flag{BOO SCARED YOU}
SQL
1. Past Demons
In this challenge we are given one SQL file, so I opened it with sqlite3 on Linux. Our goal here is to get the password of the spookyboi user.
Let's start by finding the password, so I dumped all passwords from the passwd table.
We don't know which one is the right one, so first find spookyboi's id.
The spookyboi user has id 8, so the password must be the one with id 8 too. Because the password is stored as an MD5 hash, I used an online lookup website to reverse it (link here).
59dea36d05aacaa547de42e9956678e7:zxcvbnm
Flag: flag{zxcvbnm}
2. Address Book
In this challenge our goal is to find the email address of the user “luciafer”. I already restored this SQL file to my local MySQL server, so let's check it.
Let's just dump the users table and find that user.
There are thousands of rows, so let's just query for it:
select * from users where username like "%luc%";
Flag: flag{luc1afer.h4vr0n@shallowgraveu.com}
3. Null and Void
In this challenge we need to find which field accepts NULL values, and the syntax used to show that information. This is a really easy challenge; let's just find what we need.
With this syntax we get everything we need.
Flag: flag{middle, DESCRIBE}
4. Body Count
This challenge was an easy one too: we need to count how many users are in the SQL file we were given.
Just by using “count()” we get the number of users in the users table.
Flag: flag{900}
5. Calisota
In this challenge we need to query the users who live in California and Minnesota, so let's just query it.
First we need to find the ids for California and Minnesota. If you dig into the states table you can find the ids for both, so let's just query it:
select count(*) from users where state_id=6 or state_id=28;
Here the query itself is our flag.
Flag: flag{select count(*) from users where state_id=6 or state_id=28;}
6. 90s Kids
In this challenge I misunderstood what was meant by “90s”: I queried the data with only “1990”, which got me stuck for a few minutes. Then I realized that “90s” means the range from 1990 to 1999, so here's my query:
select count(*) from users where dob like "%199%%-10-%";
Flag: flag{32}
7. Jigsaw
This challenge is pretty cool, and I learned a lot from it. In this challenge we really need to understand the clues and use the correct regex pattern.
Let's start by querying for the first clue, which asks for the first two characters to be R, K or I.
Still a lot of victims, so let's query for the second clue. We need to create a pattern that matches any character except newline, so I built it from 0-9, a-z and A-Z, followed by 3 letters.
The list starts decreasing, so let's continue with the third clue, which asks for the last character to be between E and N.
Here we go, that's our victim, and the username is our flag.
Flag: flag{image.wa1k3624}
Linux
1. Talking to the Dead 1
Just connect to the SSH server and start with basic enumeration.
The flag for this challenge is in the user's Documents directory.
2. Talking to the Dead 2
Still connected to the same SSH server, keep enumerating the same directory, because the challenge says the flag is hidden.
Flag: flag{728ec98bfaa302b2dfc2f716d3de7869f3eadcbf}
3. Talking to the Dead 3–4
Here we can get flag3 and flag4 by doing one thing. Connect to the server, do some enumeration, and finally I found a setuid binary.
As you can see, the binary is owned by root with the setuid bit set, which means running it gives us root privileges.
If you specify a file that doesn't exist you get some information about what to do next.
As you can see, the program we ran executes a system command, which means we can inject into it and run the command we want, in this case one that gives us the highest shell privilege.
We got a shell as root, so we can cat flag4, which is in the root directory, and flag3, which is in the Documents directory of user spookyboi.
So we get flag3.
Flag: flag{445b987b5b80e445c3147314dbfa71acd79c2b67}
Now flag4, which is in the root directory.
Flag: flag{4781cbffd13df6622565d45e790b4aac2a4054dc}
Programming
1. Message In An Array
In this challenge you just need to pair the indices with the elements of the array:
words = ["DEADFACE", "Nothing", "Stop", "Will"]
# reorder the array by the given index sequence [1] [3] [2] [0]
print(" ".join(words[i] for i in (1, 3, 2, 0)))
Flag: flag{Nothing Will Stop DEADFACE}
2. Trick Or Treat
After downloading the file you get a Python file, so let's just open it.
If we run it, it only prints “Smell my feet.”, and there's a function show_flag that is never called, so I thought it might be the flag and called it.
As you can see I didn't just call it, I also printed the result, because that function returns the flag, so we need to print it to see it. Let's run it.
Flag: flag{2f3ba6b5fb8bb84c33b584f981c2d13d}
3. Red Rum
In this challenge we need to connect to an nc service and paste our answer, which is the list of numbers from 1 to 500 where each number divisible by 3 is replaced with red, etc. So I made a Python script.
Flag: flag{h33eeeres_j0hnny!!!}
4. Stairway to Hell
This challenge is actually not too hard, but I couldn't solve it by myself. I got help from a guy named nullcasa, who confirmed whether I was on the right track or not. Thanks to him.
In this challenge we need to make the output look like stairs, starting with 666 and 30 rows; only spaces are wanted between the numbers, and newlines are stripped. So I made a Python script.
Flag: flag{plung3_to_the_4by55}
OSINT
1. Creeping 1
Our goal is to find the name of the company Ali Tevlin works for. First I tried searching for “De Monne Financial” and found the domain name for that company, but I didn't get anything there, so I started searching for “Ali Tevlin” on social media and found his Facebook account page.
There we get the name of the company he works for.
Flag: flag{F. Kreuger Financial}
2. Creeping 2
The goal of this challenge is to find his position in the company; this information is also on the Facebook page.
Flag: flag{Senior Acquisitions Supervisor}
3. Creeping 3
This challenge wants to know his birthday; it's also on the Facebook page.
Flag: flag{17 Jun 1973}
4. Creeping 4
If you noticed, Ali Tevlin also uploaded his vacation photos to Facebook.
So I tried to search for this location using Google Images.
Then you find the location.
Flag: flag{Point Pleasant, WV}
Forensics
1. Captured Memories
Here I used Volatility. Let's just start: first you need to find the profile of the memory image.
If you run it with the pslist command you get all running processes, and if you look at the end you will find the “winpmem_v3.3” program.
If you do some searching you'll find out that this program captures memory (makes a memory dump), so we just need its PID and input it as the flag.
Flag: flag{3348}
2. Prefetch Perfection
In this challenge I used the prefetch tool from PoorBillionaire. Let's just start it.
Here you go, we instantly got the flag :)
Flag: flag{2017–05–01 21:11:41}
3. Prefetch Perfection 2
In this challenge we need to find out which other program loaded the cookie belonging to cmaldonado. We already know that iexplorer uses it, so we need to find the others.
I still used the tool from PoorBillionaire, but I made a bash script to help us find it:
# loop over every prefetch file and print only the lines that mention
# cmaldonado's cookie, with a separator line between files
for x in ../../prefetch/*; do
echo "$(basename "$x")"
python2 prefetch.py -f "$x" | grep -i CMALDONADO | grep -i COOKIE
python2 -c "print '='*200"
done
As you can see, the other program that uses cmaldonado's cookie is DLLHOST.EXE, which means that's our flag.
Flag: flag{dllhost.exe}
4. Evil Twins
OK, this challenge was not that easy for me. The challenge wants the program that is running as a duplicate process, so let's just start.
I started with pslist to find out which program looked suspicious.
After looking around for about 5 hours, I finally realized that one program was running suspiciously.
If you look at PID 6096, that process's PPID (parent process id) is explorer itself. I checked whether there should be a process like that and found none, so I figured that is what “Evil Twins” means, and it was actually the correct flag :)
Flag: flag{explorer.exe}
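The check above can be automated. The following is an added example, not code from the write-up or from Volatility: it parses pslist-style output and flags any process whose parent carries the same image name (the "evil twin" pattern), and also lists image names that appear more than once. The pslist lines are constructed sample data, with PIDs chosen to mirror the PID 6096 mentioned above.

```python
import re
from collections import defaultdict

# Constructed sample of Volatility 2 pslist output (not taken from the challenge image).
SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8001234560 System                    4      0     80      500 ------      0 2020-10-16 14:00:00 UTC+0000
0xfffffa8001234561 wininit.exe             400      4      3       77      0      0 2020-10-16 14:00:05 UTC+0000
0xfffffa8001234562 explorer.exe           1304   1280     40      900      1      0 2020-10-16 14:00:20 UTC+0000
0xfffffa8001234563 iexplore.exe           2100   1304     12      400      1      0 2020-10-16 14:05:00 UTC+0000
0xfffffa8001234564 explorer.exe           6096   1304      2       60      1      0 2020-10-16 15:30:00 UTC+0000
"""

# One process row: hex offset, image name, PID, PPID; header and rule lines do not match.
LINE_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\s")


def parse_pslist(text):
    """Return {pid: (name, ppid)} for every process row in pslist output."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs


def find_evil_twins(procs):
    """Flag (name, pid, ppid) where the parent process has the same image name.

    A real explorer.exe is started by userinit.exe, which then exits, so an
    explorer.exe whose parent is another explorer.exe deserves a closer look.
    """
    hits = []
    for pid, (name, ppid) in procs.items():
        parent = procs.get(ppid)
        if parent and parent[0].lower() == name.lower():
            hits.append((name, pid, ppid))
    return hits


def find_duplicate_names(procs):
    """Return {name: [pids]} for image names that occur more than once."""
    by_name = defaultdict(list)
    for pid, (name, _ppid) in procs.items():
        by_name[name.lower()].append(pid)
    return {n: p for n, p in by_name.items() if len(p) > 1}


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    for name, pid, ppid in find_evil_twins(procs):
        print(f"suspicious: {name} PID {pid} has parent {name} PID {ppid}")
    print("duplicate image names:", find_duplicate_names(procs))
```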
Traffic Analysis
1. Remotely Administrated Evil
We are given a pcap file and need to find the executable file in a URL. I opened it with Wireshark.
At one glance you may notice there's an executable file.
Flag: flag{solut.exe}
2. Evil Corp’s Child
I opened it with Wireshark and found a picture.
When I tried to open its link, that link took me to this site.
When I used wget on that file, it turned out to be an exe file. I hashed it with md5sum and submitted the hash, and it was the flag.
$ md5sum picture4.png
Flag: flag{a95d24937acb3420ee94493db298b295}
3. An Evil Christmas Carol
Our goal is to find the IP address used to send the file.
I tried to analyze it, and while scrolling through the traffic I found a suspicious file that was transferred via HTTP.
This traffic does a GET and downloads the file july22.dll, so I input 202.185.125.104 as the flag.
Flag: flag{202.185.125.104}
4. Evil Corp’s Child 2
In this challenge I just did some analysis and found something fishy in the traffic between 192.168.1.91 and 213.136.94.177, because it sat in between NBNS protocol traffic, so I thought that was sus.
And that was the right flag.
Flag: flag{213.136.94.177}
5. Evil Corp’s Child 3
This challenge wants us to find the Locality Name of the certificate for the HTTPS traffic to that IP.
I used the filter
ip.src == 37.205.9.252
and searched for the packet whose Info says “Server Hello”, because that is where the HTTPS handshake starts, and opened it.
I expanded Transport Layer Security and found the Locality Name.
Flag: flag{Mogadishu}
6. An Evil Christmas Carol2
We need to find the domain name used for post-infection traffic over HTTPS.
This challenge is not that difficult, because you just need to find the domain name that does not look like a professional domain name.
Flag: flag{vlcafxbdjtlvlcduwhga.com}
7. Remotely Administrated Evil 2
In this challenge you need to find the domain from myddns, so I opened the pcap with Wireshark and filtered on the DNS protocol.
As you can see, there's a domain on myddns.
Flag: flag{solution.myddns.me}