Winja CTF — C0C0N 2021

Winja CTF at C0C0N 2021 was a 15-hour CTF with 20+ challenges in various categories. Like other CTFs, we faced some infrastructure hurdles at the start, but once the event kicked off it was a smooth run. We had around 700+ users registered and 450+ teams playing across the globe.

As CTF moderators we were available throughout the CTF on Discord, in text and voice chat, to handle challenge and server issues.

Reciprocal Cipher

Description: It's not Chinese or Koireng language, just English; try to decode it if possible.

Difficulty: Easy

Category: Crypto

Point: 100

籯籵籪籰粄籁簾簹籫籯籂籫籬簼簼籮籪簽簹籭籯簿籯籯籮簾籭簽籁籬籯籫籁籯簹籬籮籨籮籡簼籬籾籽籲籗籂籨籒籝籨籽籠籒籌籮籨类籮簾籽簹类簼籜籨籀籑籮籨簹类簺籂籲籷籪簺籨籀籮籡籝粆

This was actually a file, but when viewed through the Nginx proxy it rendered differently, so you should save it and then process it. A hint was given later during the CTF: “Famous cipher with higher value”. It might look like Chinese, but when you try to translate it you get similarly weird text in English.

It's just Unicode characters, and since it's called a Reciprocal Cipher, encrypting the text twice gives back the plaintext. It's a Caesar cipher / ROT with a value of 8000: https://rot8000.com/Index
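The property the challenge name refers to is that a rotation by exactly half the alphabet is its own inverse. The following is an added example (not part of the write-up and not the rot8000.com tool's code) that shows the general rule with ROT13 over ASCII letters and a rot8000-style half-rotation over the Unicode Basic Multilingual Plane. The BMP alphabet used here is an assumption: it drops only the surrogate range, whereas the real rot8000 tool also skips whitespace, control and unassigned code points, so its output for the same input differs from this simplified version by a few code points.

```python
"""Reciprocal shift ciphers: ROT13 on ASCII letters and a rot8000-style
half-rotation of the Unicode Basic Multilingual Plane."""


def rotate(text, alphabet, shift):
    """Shift every character of text that occurs in alphabet by shift positions,
    wrapping around; characters outside the alphabet pass through unchanged."""
    index = {ch: i for i, ch in enumerate(alphabet)}
    size = len(alphabet)
    return "".join(
        alphabet[(index[ch] + shift) % size] if ch in index else ch for ch in text
    )


def is_reciprocal(alphabet, shift):
    """A rotation is its own inverse exactly when two shifts wrap back to the
    start, i.e. when 2 * shift is a multiple of the alphabet size."""
    return (2 * shift) % len(alphabet) == 0


LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()


def rot13(text):
    """Classic ROT13: shift 13 over a 26-letter alphabet, case preserved."""
    return rotate(rotate(text, LOWER, 13), UPPER, 13)


# ASSUMPTION: the alphabet is every BMP code point except the surrogate range,
# which a Python str cannot hold on its own. The real rot8000 tool also skips
# whitespace, control and unassigned code points, so its output differs from
# this simplified version by a few code points.
BMP_NO_SURROGATES = "".join(
    chr(cp) for cp in range(0x10000) if not 0xD800 <= cp <= 0xDFFF
)
HALF_BMP = len(BMP_NO_SURROGATES) // 2   # 63488 code points, so shift 31744


def rot_half_bmp(text):
    """rot8000-style cipher: shift by half the alphabet, so applying it twice
    restores the plaintext (Caesar shift 3, for comparison, is not reciprocal)."""
    return rotate(text, BMP_NO_SURROGATES, HALF_BMP)


if __name__ == "__main__":
    for cipher, name in ((rot13, "ROT13"), (rot_half_bmp, "rot8000-style")):
        once = cipher("flag{reciprocal}")
        print(name, repr(once), "->", cipher(once))
```

Decoding is the same call as encoding; there is no separate decrypt function, which is exactly what the challenge text means by "executing it twice restores the original text".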

FLAG: flag{850bf9bc33ea40df6ffe5d48cfb8f0ce_eX3cutiN9_IT_tWICe_re5t0r3S_7He_0r19ina1_7eXT}

BlogQL

Description: We have made a secure blog posting platform for our l33t, powered by a new tech called BlogQL, for querying blog information without any limits.

Difficulty: Medium

Category: Web

Point: 250

This is how the landing page looks: it has two main blogs, one about some query language and another about Hasura, a backend service that uses GraphQL. There is also a login page for authors; when you enter any username and password, you will see a fishy request from the client to an endpoint called graphql.

You will see two GraphQL requests: one verifies the login username and password, the second pulls the login information and validates it on the client side. That gives the lead to log into the account, which should then have information about private blogs.

So we have a GraphQL endpoint and private blogs; hence we construct a GraphQL query to pull those private blogs.

When you run an introspection query, you will find a schema object called secretblogs. Now fetch all records from it, and it will give you the flag.

query {
  secretblogs {
    title
    content
  }
}
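The step that surfaced secretblogs, reading the query root out of an introspection result, is also how a defender reviews what a GraphQL schema exposes before shipping it. The following is an added example (not part of the write-up and not the challenge's code): it parses a constructed introspection response shaped like the standard __schema output, lists every field on the query root with its return type, and builds the selection set for one of them. The type and field names in the sample (Query, Blog, SecretBlog, Author) are assumptions; only secretblogs, title and content come from the write-up.

```python
"""Audit a GraphQL introspection result: list the fields exposed on the query
root and build a selection set for one of them."""
import json

# Constructed sample, shaped like the data.__schema part of a server's answer to
# an introspection query; it is not captured from the challenge server.
SAMPLE_INTROSPECTION = json.dumps({
    "data": {"__schema": {
        "queryType": {"name": "Query"},
        "types": [
            {"name": "Query", "kind": "OBJECT", "fields": [
                {"name": "blogs", "type": {"kind": "LIST", "name": None,
                    "ofType": {"kind": "OBJECT", "name": "Blog", "ofType": None}}},
                {"name": "secretblogs", "type": {"kind": "LIST", "name": None,
                    "ofType": {"kind": "NON_NULL", "name": None,
                        "ofType": {"kind": "OBJECT", "name": "SecretBlog", "ofType": None}}}},
            ]},
            {"name": "Blog", "kind": "OBJECT", "fields": [
                {"name": "title", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
                {"name": "author", "type": {"kind": "OBJECT", "name": "Author", "ofType": None}},
            ]},
            {"name": "SecretBlog", "kind": "OBJECT", "fields": [
                {"name": "title", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
                {"name": "content", "type": {"kind": "NON_NULL", "name": None,
                    "ofType": {"kind": "SCALAR", "name": "String", "ofType": None}}},
            ]},
            {"name": "Author", "kind": "OBJECT", "fields": [
                {"name": "name", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
            ]},
            {"name": "String", "kind": "SCALAR", "fields": None},
        ],
    }}
})

# The introspection query whose answer has the shape above (standard GraphQL).
INTROSPECTION_QUERY = """
query {
  __schema {
    queryType { name }
    types {
      name kind
      fields { name type { kind name ofType { kind name ofType { kind name } } } }
    }
  }
}
"""


def unwrap(type_ref):
    """Strip LIST / NON_NULL wrappers down to the named type."""
    while type_ref.get("ofType"):
        type_ref = type_ref["ofType"]
    return type_ref


def load_schema(introspection_json):
    schema = json.loads(introspection_json)["data"]["__schema"]
    return schema, {t["name"]: t for t in schema["types"]}


def query_root_fields(introspection_json):
    """Return (field, named return type) for every field on the query root."""
    schema, types = load_schema(introspection_json)
    root = types[schema["queryType"]["name"]]
    return [(f["name"], unwrap(f["type"])["name"]) for f in root["fields"]]


def scalar_fields(introspection_json, type_name):
    """Names of the scalar fields of an object type (nested objects are skipped)."""
    _, types = load_schema(introspection_json)
    return [f["name"] for f in types[type_name]["fields"] or []
            if unwrap(f["type"])["kind"] == "SCALAR"]


def build_query(introspection_json, root_field):
    """Build the query selecting every scalar field of a root field's type,
    e.g. 'query { secretblogs { title content } }' for the sample above."""
    target = dict(query_root_fields(introspection_json))[root_field]
    return "query { %s { %s } }" % (root_field, " ".join(scalar_fields(introspection_json, target)))


if __name__ == "__main__":
    for field, type_name in query_root_fields(SAMPLE_INTROSPECTION):
        print("%-12s -> %s" % (field, type_name))
    print(build_query(SAMPLE_INTROSPECTION, "secretblogs"))
```

Every root field this lists is reachable by anyone who can send a query, so each one needs its own authorization check on the server; disabling introspection in production hides the names but does not protect the data, as the login-bypass in this challenge shows.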

FLAG: flag{ea6a3da74909e79a8aa38005c6810893_d1d_In7r0speC7i0n_wORk_F0r_gRaPhqL}

Circle Cipher

Description: Get a pencil, compass and scale to draw a few circles with vertical lines to create a wonderful glyph.

Difficulty: Easy

Category: Crypto

Point: 100

It was a PDF file containing text encrypted with some random circle-and-line symbols. A reverse image search, or googling it as "circle cipher", will definitely not find it, and some results might lead you to the Caesar cipher. But this was an old way of encryption.

https://www.deviantart.com/irolan/art/Circular-Glyphs-479352599

When you decode it manually, you will find the flag.

Flag: flag{6B96EE99EE165EC57B8978ED1FF74601_BORG_AND_BYNAR_5CRIPT5}

The Valet

Description: AES — Advanced Encryption Standard, It’s already broken so You can also break it.

Difficulty: Medium

Category: Crypto

Point: 250

It was a web challenge with a landing page that looked like a Google Chrome browser with 20 tabs already open; one of them, named “Secret Tab”, had a hint to use DirBuster.

You will find a hidden directory called .secret with three files, one of which hints at solving the challenge by decrypting the Chrome password manager database with the help of an unprotected secret key.

import json, base64
import sqlite3
from Cryptodome.Cipher import AES

# The base64-encoded secret key came from the .secret directory; the write-up
# does not reproduce it, so a placeholder stands in for it here.
secret_key = base64.b64decode("<BASE64_SECRET_KEY_FROM_.secret>")
conn = sqlite3.connect("Login Data")   # Chrome's password database (SQLite)
cursor = conn.cursor()
cursor.execute("SELECT action_url, username_value, password_value FROM logins")
for index, login in enumerate(cursor.fetchall()):
    url = login[0]
    username = login[1]
    ciphertext = login[2]
    if url != "" and username != "" and ciphertext != "":
        decrypted_password = ""
        try:
            # Blob layout: 3-byte "v10" prefix, 12-byte nonce (IV),
            # AES-GCM ciphertext, then a 16-byte authentication tag.
            initialisation_vector = ciphertext[3:15]
            encrypted_password = ciphertext[15:-16]
            cipher = AES.new(secret_key, AES.MODE_GCM, initialisation_vector)
            decrypted_pass = cipher.decrypt(encrypted_password)
            decrypted_pass = decrypted_pass.decode()
            decrypted_password = decrypted_pass
        except Exception as e:
            print(e)
        print("URL: %s\nUser Name: %s\nPassword: %s\n" % (url, username, decrypted_password))
cursor.close()
conn.close()
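The slicing in the script above only works if every password_value row has the layout it assumes. The following is an added example (not part of the write-up) that makes that layout explicit: it splits a blob into prefix, nonce, ciphertext and tag, returns None for rows without the "v10" prefix (older entries stored in a different format, which this key cannot decrypt), and rejects blobs too short to contain all three parts. The 3/12/16-byte sizes are the ones the write-up's slices imply; the sample blob is constructed, not taken from the challenge database.

```python
"""Split a Chrome 'Login Data' password_value blob into its parts."""

PREFIX_LEN, NONCE_LEN, TAG_LEN = 3, 12, 16   # "v10" | nonce | ciphertext | GCM tag


def parse_chrome_blob(blob):
    """Return the pieces of a v10 AES-GCM blob as a dict, or None when the entry
    does not carry the v10 prefix (an older format that needs a different key)."""
    if not blob.startswith(b"v10"):
        return None
    if len(blob) < PREFIX_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short to hold prefix, nonce and tag")
    return {
        "version": blob[:PREFIX_LEN].decode(),
        "nonce": blob[PREFIX_LEN:PREFIX_LEN + NONCE_LEN],
        "ciphertext": blob[PREFIX_LEN + NONCE_LEN:-TAG_LEN],
        "tag": blob[-TAG_LEN:],
    }


def classify_rows(rows):
    """Count how many password_value blobs a key of this kind could cover.
    rows is an iterable of bytes, e.g. the third column of the logins table."""
    summary = {"v10": 0, "other": 0, "malformed": 0}
    for blob in rows:
        try:
            parts = parse_chrome_blob(blob)
        except ValueError:
            summary["malformed"] += 1
            continue
        summary["v10" if parts else "other"] += 1
    return summary


# Constructed sample: "v10" + a 12-byte nonce + 8 bytes of fake ciphertext + a 16-byte tag.
SAMPLE_BLOB = b"v10" + bytes(range(12)) + b"\xaa" * 8 + b"\xbb" * 16
# Constructed rows: one v10 blob, one non-v10 blob, one truncated v10 blob.
SAMPLE_ROWS = [SAMPLE_BLOB, b"\x01\x00\x00\x00legacy", b"v10short"]

if __name__ == "__main__":
    parts = parse_chrome_blob(SAMPLE_BLOB)
    print({k: (v.hex() if isinstance(v, bytes) else v) for k, v in parts.items()})
    print(classify_rows(SAMPLE_ROWS))
```

Because the parser hands back the tag instead of discarding it, a caller using pycryptodome can call `cipher.decrypt_and_verify(parts["ciphertext"], parts["tag"])` rather than the plain `decrypt` the write-up's script uses; a wrong key or a corrupted row then fails loudly instead of printing garbage.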

FLAG: flag{57555e23cf996b6fbcb667a1b541c52c_thE_VAl3t_H@S_bEst_$ECURi7y}

Hash Map

Description: A HashMap can get the right value if you have the right key.

Difficulty: Medium

Category: Reverse Engineering

Point: 200

Hash Map was like the reverse engineering challenges in other CTFs: an executable binary was given, but strings and other tools did not help find any cleartext inside it.

Opening the binary in a disassembler like IDA, Ghidra or Binary Ninja, you will find two functions of interest: main, which takes the user input and passes it as a parameter to another function called check_password, which consists of nested if-else conditions.

On closer inspection, you will find that it checks each character of the password against a value that is mapped to an index in the actual flag. So you have to decode each value and put it at its respective index to get the flag.

FLAG: flag{c912ed9e4f61b6030bdf69166f15ad80_d1Sas53Mble_tHe_char4cTEr}

Believe Your Eyes

Description: Look twice or thrice

Difficulty: Easy

Category: Steg

Point: 100

This was one of the easiest challenges in this CTF: an image with three different parts of the flag hidden in the RGB planes of the image. You can use a tool called Stegsolve to get the flag.
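What Stegsolve's plane viewer shows is one bit of one colour channel per pixel, drawn as black and white. The following is an added example (not part of the write-up and not Stegsolve's code) that does the same thing in pure Python on a constructed 16x8 image: it hides one fragment in the least significant bit of each of the R, G and B channels, then recovers them plane by plane. The image, the fragments and the NUL terminator convention are all assumptions made for the example.

```python
"""Recover text hidden in the bit planes of an image, the way Stegsolve's plane
viewer exposes it; pure Python, pixels as (r, g, b) tuples in raster order."""

CHANNELS = {"R": 0, "G": 1, "B": 2}


def bit_plane(pixels, channel, bit):
    """One bit of one channel per pixel (what Stegsolve draws as a plane)."""
    c = CHANNELS[channel]
    return [(px[c] >> bit) & 1 for px in pixels]


def bits_to_text(bits):
    """Pack bits MSB-first into bytes, stopping at the first NUL byte."""
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        if byte == 0:
            break
        out.append(byte)
    return out.decode("ascii", errors="replace")


def extract_plane_text(pixels, channel, bit=0):
    return bits_to_text(bit_plane(pixels, channel, bit))


def embed_plane_text(pixels, channel, text, bit=0):
    """Helper used only to build the sample: write text + NUL into one bit of
    one channel, leaving every other bit of the image untouched."""
    c = CHANNELS[channel]
    data = text.encode("ascii") + b"\x00"
    bits = [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("message does not fit in this plane")
    out = list(pixels)
    for i, b in enumerate(bits):
        px = list(out[i])
        px[c] = (px[c] & ~(1 << bit)) | (b << bit)
        out[i] = tuple(px)
    return out


# Constructed 16x8 cover image: a simple gradient with nothing hidden yet.
WIDTH, HEIGHT = 16, 8
COVER = [((x * 16) & 0xFF, (y * 32) & 0xFF, 128) for y in range(HEIGHT) for x in range(WIDTH)]

# Three constructed fragments, one per channel, mirroring the challenge layout.
STEGO = embed_plane_text(COVER, "R", "flag{")
STEGO = embed_plane_text(STEGO, "G", "part2")
STEGO = embed_plane_text(STEGO, "B", "_end}")


def recover_flag(pixels):
    """Read the LSB plane of R, then G, then B and join the fragments."""
    return "".join(extract_plane_text(pixels, ch) for ch in "RGB")


if __name__ == "__main__":
    for ch in "RGB":
        print(ch, "LSB plane:", "".join(map(str, bit_plane(STEGO, ch, 0)[:32])))
    print(recover_flag(STEGO))
```

On a real PNG the same functions apply once the pixels are read with an image library; the tell-tale sign in a plane view is structured bits (text-like density) in a plane that should look like noise.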

FLAG: flag{849d97fa58871dad45e81027f861739_maYB3_i_SHOULd_BELIeve-7HeM}

Thanks for reading this CTF write-up till the end; hope you enjoyed the challenges.

Aravindha Hariharan