How we ranked 4th in SHELL-CTF 0x01 (Writeup)

SECARMY
SECARMY
Feb 12 · 10 min read

This week, We decided to play SHELL-CTF 0x01 organized by SHELL Community, along with AXIS, VNIT Nagpur. It was a really pretty good Capture-The-Flag (CTF) event with a lot of challenges.

CTF started at around 6 PM IST, We joined the team and enjoy solving challenges with such cool hackers.

Our team ranked 4th in this CTF. But according to Scores, we are 2nd 😛

Let’s start writeup with one of the very interesting challenge:

Find the terrorist!

Challenge Description:

Find the country where this image is taken! We need to strike now!

Challenge URL: http://18.222.210.252:8000/files/148bcdfc607a2ce710dc9ebeb2a76c52/file.jpeg

Category: Forensics

Points: 100

Solution:

This challenge was really interesting all I have to do is to find where this image was taken, which will help me to find the terrorist.

file.jpeg

All the information like Camera model, Author, Resolution, GPS Location etc. of an image is stored in Metadata.

I just need a tool which will extract all the metadata from that image.

After uploading the image, you can see Location details of the image.

Latitude and Longitude were showing the location of Syria. So, the flag was:

Flag: SHELL_CTF{Syria}

Caesar Salad

Challenge Description: furyypgs{fr3!_l0h_pna_u@px_gu1at5_g0b}

Challenge URL:

Category: Crypto

Points: 111

Solution:

I got an idea from the title of a challenge. That string was written in Caesar Cipher. I decoded that string using Online Caeser Decoder and got the flag.

Flag: shellctf{se3!_y0u_can_h@ck_th1ng5-t0o}

The-Lost-Language-challenge

Challenge Description:

fragments of the text have been found in a long lost language.. can you decipher it??? flag format: shellctf{word1_word2..}

Challenge URL: http://18.222.210.252:8000/files/c7f78dbb290fb16cf5138dee6c7acf11/lost-language.png

Category: Crypto

Points: 120

Image:

Solution:

That challenge may be seen as difficult because there is no hint provided about this language and looking like ALIEN Language. I searched “Alien Font” on google and found some hints regarding this. So, it was PigPen Cipher. After decoding this I received the flag.

Flag: Shellctf{secrets_and_ciphers}

Dot nd Dash

Challenge Description:

I found this file containing some characters. I think some aliens are trying to communicate with me. Can you find the decoded string?

Challenge URL:

http://18.222.210.252:8000/files/e15655f0355d5483065360a26fe99fc0/data.txt

Category: IRL

Points: 291

Solution:

No need to explain anything.. only challenge title shows everything !!
Dot and Dash = That’s Morse code

Flag: Shellctf{hum4nsweareg0ingtoconqu3ry0us00n}

NOT Allowed

Challenge URL: http://shellctf.ml/na.html

Category: Web

Points: 162

Solution:

After opening the link I saw that the input field is not editable and web app telling us to Login as “admin”.

after that, I checked the source code, and found this form and tried to make get-request through URL.

http://shellctf.ml/na.php?user=admin&submit=login

Flag: shellctf{dis4bl3d_n0t_dis4bl3d_y0u_fr0m_g33tt1ng_th3_fl4g}

My Fav Song

Challenge Description:

Th1s is one of my favorite songs. #iPhoneX

Challenge URL:

http://18.222.210.252:8000/files/d2768e13c8d87b8cde3b5a6696139fe4/iPhoneX.mp3

Category: IRL

Points: 363

Solution:

After listening to that iPhone X mp3 sound file I noticed a morse code sound in between that song.

Uploaded that mp3 sound file to morse sound to text converter.

Got the flag in output!!!

Flag: shellctf{didy0us33interste11ar}

Finding-Nemo

Challenge Description:

Unzip the given file to find 100 subfolders having some data and subfolders. the flag is stored in a file named Nemo.

Challenge URL:

http://18.222.210.252:8000/files/6a35242493d82e18038ecebdb2e584ac/Challenge.zip

Category: Starters

Points: 120

Solution:

This challenge took me 15 Seconds to solve this. As written in the description that the flag is stored in a file named Nemo. I used Windows Explorer search functionality to find that file.

Thanks to my Alienware which find out this file from hundred of folders in 10 seconds.

Flag: shellctf{n@v1gati0n_1s_n3c32633@ry}

data_hide

Challenge Description:

Can you recover the flag from the zip file? It won’t be easy huh… :)

Challenge URL:

https://github.com/dipanshujha/ctf-writeups/blob/master/SHELL-CTF/data_hide/flag.zip

Category: Medium

Points: 400

Solution:

We were provided with a zip file which was obviously password protected.

“file flag.zip” command confirmed about the file is a zip file, now we wanna have the password for the same.

To crack the zip, we used brute-force on zip with the “fcrackzip” utility.

fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u flag.zip

This got us the password which was “godislove”.

Receiving 2 files inside zip, one of them was having the password in them as “P@$$W0rD@_987654#”.

Flag: SHELL_CTF{P@$$W0rD@_987654#}

get_some_c0ffee

Challenge Description: Obtain the flag, format is shellctf{flag}

Challenge URL: http://shellctf.ml/get.html

Category: Web Easy

Points: 287

Solution:

Visiting the URL for the challenge, we got the challenge for GET request.

Provided with code snippet as:

<form action=”g3t.php” method=”get” name=”authform”><div><input type=”text” name=”key” value=”” /> //as it is<input type=”submit” value=”submit” name=”submit” /></div></form>

The name of the challenge suggest get some c0ffee, thus we GET c0ffee from URL.

http://shellctf.ml/g3t.php?key=c0ffee&submit=submit

Flag: shellctf{c0ffee_is_nice_BTW_But_u_sh0uld_have_br0ught_it_earlier!}

Obfuscation

Challenge Description: Obtain the flag, format is shellctf{flag}

Challenge URL: http://shellctf.ml/obfuscation_1.html

Category: Web Easy

Points: 150

Solution:

Visiting the URL for the challenge lands you upon a javascript prompt which asks you for the password.

Default passwords won’t work here thus we visited source code for the site, there we got base64 encoded password which was later decoded to the flag.

Flag: shellctf{w311_th15_is_ur_f14g}

Onions

Challenge Description:

http://wzenhldsuwl74plu.onion

go on the link to get the flag.. if you can’t find the website, go deep.

Challenge URL: http://wzenhldsuwl74plu.onion

Category: Web Easy

Points: 150

Solution:

As a hacker, there is high probability you’ll already be knowing TOR and dark web.

The URL was .onion which when being visited by TOR gives us flag.

Flag: shellctf{T0r_1s_h3lpful_1f_y0u_want_t0_st@y_aN0nym0us}

OREO

Challenge Description: Obtain the flag, format is shellctf{flag}

Challenge URL: http://shellctf.ml/post.html

Category: Web Medium

Points: 317

Solution:

The URL for the challenge would get you this description for the Challenge.

We have this piece of code snippet as a resource.

<form action=”sh0p.php” method=”post” name=”authform”><div><input type=”text” name=”cookie” value=”” /><input type=”text” name=”quantity” value=”” /><input type=”submit” value=”shop” name=”submit” /></div></form>

Here, we have to POST request for cookie=oreo and quantity=2

We used curl for the POST request.

curl -d “cookie=oreo&quantity=2” http://shellctf.ml/sh0p.php

Flag: shellctf{ore0_is_0ne_of_my_fav0urite_cookie}

OSINT

Challenge Description:

#SHELLCTF

Going with the trend…

Challenge URL: None

Category: IRL Easy

Points: 257

Solution:

The challenge was IRL section and that of OSINT means we had to gather info with Open Source Intelligence.

Searching Twitter for #SHELLCTF got us the QR code which was redirecting to the Website with the flag.

Flag: shellctf{y0u_ar3_g00d_at_gath3ring}

R4nd0m

Challenge Description: Juva got some r4nd0m characters in a CTF…. Can you help him 0ut?

Challenge URL: http://shellctf.ml/r4nd0m.html

Category: Web easy

Points: 137

Solution:

Visiting the web page in challenge URL got us nothing but eventually looking out in the source code of a website, we got some randomly arranged characters commented out.

The text:

<! — sAhHeNlOlEcMtXfR{1rQaYnJdQ0FmBlZy)_ZpClBaScReWdG_Ji8s/nKt+_PiNtX}B →

Removing alternate character after encountering “s” in text got us flag.

Flag: shellctf{rand0mly_placed_isnt_it}

Somewhere

Challenge Description: Get the flag, flag format is shellctf{flag}

Challenge URL: http://shellctf.ml/somewhere.html

Category: Web Easy

Points: 97

Solution:

Visiting URL provided to us got us to a page where nothing seems familiar to the flag.

Being a web challenge, we looked source code for the website and got our flag commented out at the very end.

Flag: shellctf{r3m3mb3r!_d0nt_b3li3v3_st4ng3r5!!!}

STAN_LEE

Challenge URL: http://shellctf.ml/stanlee.html
Category: Starters
Points: 327
Solution:

After opening the challenge link I only see this button:

After clicking this button I got this result.

Then I tried to intercept this button’s link and saw the date when “Stan Lee the maker of Avengers” died.

I tried to change the date to the past number and got the flag.

Flag: shellctf{You_saved_Stan_Lee_even_Dr.Strange_couldnt!!!}

Return-of-the-Onions

Challenge Description:

visit this website and get the flag that is stored on the server .. the directory structure is given.

folder :
-index.html
-super=>secret=>folder=>flag.html

Challenge URL: http://wzenhldsuwl74plu.onion

Category: Web

Points: 180

Solution:

After opening tree directory /super/secret/folder/flag.html with that .onion URL with TOR Browser got this page.

Checked the source code and found the flag!!

Flag: shellctf{S.T.A.Y_h1dd3n}

1 or 0

Challenge URL: http://shellctf.ml/1or0.html

Category: Web

Points: 167

Solution:

Opening that link contains this page:

After intercepting with Burp Suite:

changed num=0 to num=1 and captured the flag

Flag: shellctf{y3s_0ne_1s_gr34ter_th4n_Z3r0}

Characters-and-strings

Challenge Description:

Bob has run the provided file “code.py” on the flag and the output is given.. can you figure out the flag?

Challenge URLs:

http://18.222.210.252:8000/files/cde2ecc2caeacd07380627270450f3bd/code.py

http://18.222.210.252:8000/files/69e8aa64a4bfbc329c27806e2f1c2703/params.txt

Category: Starters

Points: 150

Solution:

After opening the params.txt file, I saw that there was a list of numbers.

A code.py file was also included in this challenge to solve but I used a little shortcut.

I used Online ASCII to Text converter to decode these ASCII numbers into Text.

I captured the flag after conversion.

Flag: shellctf{CHar@ct3r$_4Nd_str1ngs}

“Secrets”

Challenge Description:

Alice was sending a file to Bob thinking that it was secure.
Prove them wrong.

Challenge URL: https://pastebin.com/gzc5Dx8y

Category: IRL

Points: 255

Solution:

After opening the Pastebin link saw this Text.

I figured out this text was encoded in base64 which results in ASCII Art after decoding it.

Flag: shellctf{sUpeR_s3cr3t_Mes$@g3}

Bad Boy?

Challenge Description: Can you file the hidden file?

Challenge URL:

Category: Forensics

Points: 200

Solution:
In every CTF as soon as I get a file, I always do first few things to know what type file is it like using strings, use binwalk see if anything is hidden.

TrueRandom2.png

I did binwalk and found a “hidden zip” file in it

So, I extracted the zip by giving this command:

binwalk -e imgfilename

and got the zip file inside the zip file and there was a flag file.

Flag: SHELL_CTF{B1nwAlK_1s_bAd_B0y}

Image_Hide

Challenge Description: Can you recover the flag from the image?

Challenge URL:

http://18.222.210.252:8000/files/9555ac5a3598ad08c6b13947c33752ff/flag.jpeg

Category: Forensics

Points: 100

Solution:

Park of the picture with a bench and trees was given in this Challenge.

All I have to do is to find the flag from the picture.

flag.jpeg

I used strings method on the image and got the flag.

Authentication

Challenge Description:

Can you find the password used to authenticate to FTP service?

Challenge URL:

http://18.222.210.252:8000/files/dd4d8b61f420b763b255655787af4477/flag.pcap

Category: Forensics

Points: 200

Solution:

It was a pcap file, I open it through Wireshark and searched for the password.

Flag: SHELL_CTF{Pa$$w0rD@12345#}

Challenge Description:

Can you find the password to crack the vault…?

Challenge URL:

http://18.222.210.252:8000/files/81da96e21f0ac519e33b888ebb06b853/vault

Category: Danger!!

Points: 500

Solution:

when did strings on the file I found this:

After stripping got this:

We_ar3_hAcK3Th1sisATrium

So first I tried this as password but it was incorrect:

After wasting 1–2 hrs doing all the things like binwalk etc…
I thought of seeing this file using hex editor….
and found out that it has some extra characters

so after stripping, I get

We_ar3_hAcK3R$Th1sisATriumph

Now I thought this has to be the password…And BOOM incorrect :P

So I looked closely and there was patter between every word it was only “.E.”

Between hAcK3R$ and Th1sisATriumph it was also “.E”

So I thought let’s submit them separately and took only first and submitted as the password and BOOM now it was correct :D

Flag: SHELL_CTF{We_ar3_hAcK3R$}

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

SECARMY

Written by

SECARMY

CTF Team

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade