ROOTCON 2019's CTF Writeups for Web Category

Aj Dumanhug
Sep 29 · 6 min read
ROOTCON 13 Official Banner

Introduction

This is my second time joining ROOTCON’s Capture the Flag (CTF) competition. Last year, we were lucky to take 2nd place against more than ten teams. This year, we gave our best to win the CTF, and we did it! (Yey!)

The Final Scoreboard

In this writeup, we’ll show you how we almost wiped out the web category of this year’s CTF. It was hard and challenging; what a great set of challenges, Pwn De Manila (thank you!).

Web Challenges

Winner Winner Chicken Dinner! (100 points)

Landing Page

Solution

The flag is RC13{A_w1nN3r_i5_Y0u!}


Khal Dereta (200 points)

Landing Page

Solution

  • Enumerate the directories and files of the challenge website. I used the dirsearch tool, and one of the interesting files it found was admin.html.
  • Viewing the source code of that page greets us with an interesting piece of code, which turns out to be JSFuck-encoded JavaScript.
  • Decoding it back to plain JavaScript gives us the following code:
  • Log in to the admin page using H4ramba3 as the username and iwantburritosnotjustic3 as the password to get the flag.

The flag is RC13{unFvcK_th3_5tr1Ngzzzzz}


Cleanliness Notice: Pwn De Manila Employees! (300 points)

Landing Page

Source Code

Solution

  • To solve this challenge, we have to submit the string pretty_good_passphrase, but that is not easy because the server first runs our input through a preg_replace call that replaces that phrase with an empty string.
  • The final payload is prettypretty_good_passphrase_good_passphrase: preg_replace removes the inner pretty_good_passphrase in its single pass and leaves pretty and _good_passphrase, which together form exactly pretty_good_passphrase.
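
To show why the bypass works and how a defender closes it, here is an added Python model (not the challenge's PHP, which the writeup shows only as an image) of a single-pass strip filter next to a repeat-until-stable sanitizer and a plain reject-on-match validator; the function names are illustrative and the filter behaviour is assumed from the description above.

```python
import re

# The phrase the challenge server strips from the input before comparing it.
BANNED = "pretty_good_passphrase"


def single_pass_filter(user_input: str) -> str:
    """Model of the challenge's filter (assumed; the writeup does not show the
    PHP): one preg_replace of the banned phrase with the empty string.
    Fragments left on either side of a removed match are never re-checked."""
    return re.sub(re.escape(BANNED), "", user_input)


def repeat_until_stable_filter(user_input: str) -> str:
    """Hardened sanitizer: keep stripping until a pass removes nothing, so the
    fragments left by one pass cannot reassemble into the phrase.
    Terminates because every effective pass shortens the string."""
    current = user_input
    while True:
        stripped = re.sub(re.escape(BANNED), "", current)
        if stripped == current:
            return current
        current = stripped


def passphrase_accepted(user_input: str, sanitizer) -> bool:
    """Server-side check after sanitizing: does what remains equal the phrase?"""
    return sanitizer(user_input) == BANNED


def is_rejected_by_validation(user_input: str) -> bool:
    """Validate instead of sanitize: refuse any input that contains the phrase
    at all, which closes the whole strip-and-reassemble class of bypasses."""
    return BANNED in user_input


if __name__ == "__main__":
    payload = "prettypretty_good_passphrase_good_passphrase"  # payload from the writeup
    print(single_pass_filter(payload))                             # pretty_good_passphrase
    print(passphrase_accepted(payload, single_pass_filter))          # True
    print(passphrase_accepted(payload, repeat_until_stable_filter))  # False
    print(is_rejected_by_validation(payload))                        # True
```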

The flag is RC13{iNput_s4n1ta410N_i5_W3aK}


M4ny (300 points)

Landing Page

Solution

  • On this challenge, the hints are the title of the page, “Symb0l0gy”, and the “118+” and “Polonium-Bending” text on the image. These all relate to the periodic table of elements: Polonium is the element with the symbol Po, and the periodic table has 118 elements in total.
  • To exploit this, we had to create a wordlist of the symbols of all the elements. We used this gist from GitHub: https://gist.github.com/GoodmanSciences/c2dd862cd38f21b0ad36b8f96b4bf1ee
  • Then we wrote a Python script to automate the requests and retrieve the flag.

The flag is RC13{th3_eL3mEnt5_w1LL_D3stR0y_y0u!}


Friday Madness (500 points)

Landing Page

Source Code

A hint was found in the source code. Visiting the log.txt file gives us the following content.

Solution

  • The objective of this challenge is to identify the ID of the following commit:
  • The list of IDs on the landing page follows a pattern, which gave us an idea of how to craft the ID for the commit above. So during the competition, I read a lot of stuff and found out that the ID is a MongoDB ObjectID.

The last valid ID is 5ceb5d394a6bd51a08f6cde7.

Following the ObjectID documentation, we can easily identify the fields in the ID:
  • 5ceb5d39 is the 4-byte value representing the seconds since the Unix epoch;
  • 4a6bd5 is the 3-byte machine identifier;
  • 1a08 is the 2-byte process id;
  • f6cde7 is the 3-byte counter, starting with a random value.

Checking the list of valid IDs again, the machine identifier and process id are the same for all of them, so we should focus on the first 4 bytes and the last 3 bytes of the ID.

The first 4 bytes are the hexadecimal representation of the Unix timestamp of the commit in log.txt.

5ceb5d394a6bd51a08f6cde7 is the ID for the commit Mon May 27 2019 11:44:57 GMT+0800 (UTC) Added security implements.

To validate that 5ceb5d39 matches, we convert the commit date into a Unix timestamp with the following formula:

And convert that timestamp to hex:

From here, we can confirm that 5ceb5d39 is the Unix timestamp of the commit, written in hex.

To get the flag for the commit below, we have to craft its ID:

Getting the timestamp:

Converting it to hex:

Crafting the ObjectID:

  • First 4 bytes: 5cf36af9
  • Machine identifier: 4a6bd5
  • Process id: 1a08
  • Counter: the next value after f6cde7, which is f6cde8

Putting these together, 5cf36af94a6bd51a08 + f6cde8 gives the final ObjectID 5cf36af94a6bd51a08f6cde8.
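
As an added example (not the author's solving script), the following Python parses the four ObjectID fields described above, checks the known ID against the commit time from log.txt, and derives the crafted ID from the target timestamp; it also makes the defensive point concrete: an identifier built from time, a fixed machine and process id and a counter is predictable and must never stand in for a secret or an access check. The class and function names are illustrative.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ObjectId:
    """The 12-byte MongoDB ObjectID layout the writeup decodes."""
    timestamp: int   # 4 bytes: seconds since the Unix epoch
    machine_id: int  # 3 bytes: machine identifier
    process_id: int  # 2 bytes: process id
    counter: int     # 3 bytes: counter, random start, +1 per ID

    @classmethod
    def parse(cls, hex_id: str) -> "ObjectId":
        if len(hex_id) != 24:
            raise ValueError("an ObjectID is 12 bytes, i.e. 24 hex digits")
        raw = bytes.fromhex(hex_id)
        return cls(int.from_bytes(raw[0:4], "big"), int.from_bytes(raw[4:7], "big"),
                   int.from_bytes(raw[7:9], "big"), int.from_bytes(raw[9:12], "big"))

    def to_hex(self) -> str:
        return (self.timestamp.to_bytes(4, "big") + self.machine_id.to_bytes(3, "big")
                + self.process_id.to_bytes(2, "big") + self.counter.to_bytes(3, "big")).hex()

    def created_at(self) -> datetime:
        return datetime.fromtimestamp(self.timestamp, tz=timezone.utc)


def log_time_to_timestamp(year, month, day, hour, minute, second, utc_offset_hours):
    """Unix timestamp for a log.txt date such as 'May 27 2019 11:44:57 GMT+0800'."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return int(datetime(year, month, day, hour, minute, second, tzinfo=tz).timestamp())


def next_id(last: ObjectId, when_timestamp: int) -> ObjectId:
    """The ID the same machine and process would issue next at `when_timestamp`:
    only the timestamp changes and the counter increments (wrapping at 3 bytes)."""
    return ObjectId(when_timestamp, last.machine_id, last.process_id,
                    (last.counter + 1) % (1 << 24))


if __name__ == "__main__":
    last = ObjectId.parse("5ceb5d394a6bd51a08f6cde7")   # last valid ID from the writeup
    print(last.created_at())                              # 2019-05-27 03:44:57+00:00
    # The commit time from log.txt: Mon May 27 2019 11:44:57 GMT+0800
    print(log_time_to_timestamp(2019, 5, 27, 11, 44, 57, 8) == last.timestamp)  # True
    # The writeup's target timestamp is 5cf36af9; the crafted ID follows from it.
    print(next_id(last, 0x5CF36AF9).to_hex())            # 5cf36af94a6bd51a08f6cde8
```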

The flag is RC13{tH3se_Ar3_N0t_Th3_0bj3cTs_uR_l0ok1nG_F0r}


To end this writeup, here is a picture of our team after winning the CTF.

As always, thank you for reading!


InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Written by Aj Dumanhug

CTO /CISO at Secuna, Moderator at hackstreetboys, Cybersecurity Trainer at UP and Adamson. Cybersecurity PH CERT and ROOTCON 13 CTF Champion.
