REVERSING
1. so_much
The commands ‘strings’ and ‘ltrace’ don’t show much. I then moved on to decompiled code analysis in Ghidra. This was a rabbit hole, where I wasted a lot of time. It shows that we are supposed to pass an argument. A function, get_flag, builds a string which is then compared with strcmp() against the argument. But keeping track of this many functions is tough.
Dynamic analysis in GDB, on the other hand, made solving it too easy. Set a breakpoint at the call to get_flag() and step past it: the flag is left sitting in one of the registers.
Flag: darkCTF{w0w_s0_m4ny_funct10ns}
WEB
1. Apache Logs
Searching for ‘flag’ shows this (it looks like SQLi).
Scrolling and searching further revealed 3 requests in which some text was encoded as character codes (ASCII values):
192.168.32.1 - - [29/Sep/2015:03:37:34 -0400] "GET /mutillidae/index.php?page=user-info.php&username=%27+union+all+select+1%2CString.fromCharCode%28102%2C+108%2C+97%2C+103%2C+32%2C+105%2C+115%2C+32%2C+83%2C+81%2C+76%2C+95%2C+73%2C+110%2C+106%2C+101%2C+99%2C+116%2C+105%2C+111%2C+110%29%2C3+ — %2B&password=&user-info-php-submit-button=View+Account+Details HTTP/1.1" 200 9582
192.168.32.1 - - [29/Sep/2015:03:38:46 -0400] "GET /mutillidae/index.php?csrf-token=&username=CHAR%28121%2C+111%2C+117%2C+32%2C+97%2C+114%2C+101%2C+32%2C+111%2C+110%2C+32%2C+116%2C+104%2C+101%2C+32%2C+114%2C+105%2C+103%2C+104%2C+116%2C+32%2C+116%2C+114%2C+97%2C+99%2C+107%29&password=&confirm_password=&my_signature=&register-php-submit-button=Create+Account
192.168.32.1 - - [29/Sep/2015:03:39:46 -0400] "GET /mutillidae/index.php?page=client-side-control-challenge.php HTTP/1.1" 200 9197 "http://192.168.32.134/mutillidae/index.php?page=user-info.php&username=%27+union+all+select+1%2CString.fromCharCode%28102%2C%2B108%2C%2B97%2C%2B103%2C%2B32%2C%2B105%2C%2B115%2C%2B32%2C%2B68%2C%2B97%2C%2B114%2C%2B107%2C%2B67%2C%2B84%2C%2B70%2C%2B123%2C%2B53%2C%2B113%2C%2B108%2C%2B95%2C%2B49%2C%2B110%2C%2B106%2C%2B51%2C%2B99%2C%2B116%2C%2B49%2C%2B48%2C%2B110%2C%2B125%29%2C3
- Decoding them gives:
Flag is SQL_Injection (which wasn't the flag)
You are on the right track
5ql_1nj3ct10n (this was the flag)
Flag: darkCTF{5ql_1nj3ct10n}
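To decode such requests in bulk rather than by hand, here is an added Python example (not part of the original writeup) that URL-decodes each access-log line, pulls every String.fromCharCode(...) or CHAR(...) sequence out of the request line or the Referer, and turns the codes back into text. The log entries it scans are constructed here after the three requests above, with one benign request added to show it is skipped.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample entries modelled on the three requests above (plus one
# benign request); the last one carries its payload in the Referer field.
SAMPLE_LOGS = [
    '192.168.32.1 - - [29/Sep/2015:03:30:00 -0400] "GET /mutillidae/index.php?page=home.php HTTP/1.1" 200 1234',
    '192.168.32.1 - - [29/Sep/2015:03:37:34 -0400] "GET /mutillidae/index.php?page=user-info.php&username=%27+union+all'
    '+select+1%2CString.fromCharCode%28102%2C+108%2C+97%2C+103%2C+32%2C+105%2C+115%2C+32%2C+83%2C+81%2C+76%2C+95%2C+73'
    '%2C+110%2C+106%2C+101%2C+99%2C+116%2C+105%2C+111%2C+110%29%2C3&password= HTTP/1.1" 200 9582',
    '192.168.32.1 - - [29/Sep/2015:03:38:46 -0400] "GET /mutillidae/index.php?csrf-token=&username=CHAR%28121%2C+111%2C+117'
    '%2C+32%2C+97%2C+114%2C+101%2C+32%2C+111%2C+110%2C+32%2C+116%2C+104%2C+101%2C+32%2C+114%2C+105%2C+103%2C+104%2C+116'
    '%2C+32%2C+116%2C+114%2C+97%2C+99%2C+107%29&password= HTTP/1.1" 200 9000',
    '192.168.32.1 - - [29/Sep/2015:03:39:46 -0400] "GET /mutillidae/index.php?page=client-side-control-challenge.php HTTP/1.1"'
    ' 200 9197 "http://192.168.32.134/mutillidae/index.php?page=user-info.php&username=%27+union+all+select+1%2CString.fromCharCode'
    '%28102%2C%2B108%2C%2B97%2C%2B103%2C%2B32%2C%2B105%2C%2B115%2C%2B32%2C%2B68%2C%2B97%2C%2B114%2C%2B107%2C%2B67%2C%2B84%2C%2B70'
    '%2C%2B123%2C%2B53%2C%2B113%2C%2B108%2C%2B95%2C%2B49%2C%2B110%2C%2B106%2C%2B51%2C%2B99%2C%2B116%2C%2B49%2C%2B48%2C%2B110%2C%2B125%29%2C3"',
]

# The two encoders seen in the log: JavaScript String.fromCharCode(...) and MySQL CHAR(...).
CHARCODE_RE = re.compile(r'(?:String\.fromCharCode|\bCHAR)\(([\d\s,+]+)\)', re.IGNORECASE)

def decode_charcodes(text):
    """Return the decoded string for every char-code sequence in an already URL-decoded string."""
    results = []
    for group in CHARCODE_RE.findall(text):
        codes = [int(n) for n in re.findall(r'\d+', group)]
        results.append(''.join(chr(c) for c in codes if c < 0x110000))  # skip values chr() rejects
    return results

def scan(lines):
    """Return (client, timestamp, decoded text) for each encoded sequence, in log order."""
    hits = []
    for line in lines:
        # One round of URL decoding covers both the request line and the Referer;
        # '+' becomes a space and '%2B' a literal '+', both of which the regex tolerates.
        texts = decode_charcodes(unquote_plus(line))
        if not texts:
            continue
        client = line.split(' ', 1)[0]
        stamp = re.search(r'\[([^\]]+)\]', line)
        for text in texts:
            hits.append((client, stamp.group(1) if stamp else '', text))
    return hits

if __name__ == '__main__':
    for client, stamp, text in scan(SAMPLE_LOGS):
        print(f'{client} {stamp}: {text}')
```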
2. Simple_SQL
- The source tells us to use id as the parameter.
Setting id=1 gave some info.
So I tried manually incrementing id and checking the results XD. We got our flag at id=9, as the password.
Flag: darkCTF{it_is_very_easy_to_find}
3. PHP information
The source code shows that the flag is divided into 4 parts and each part can be accessed by a different payload.
- payload1: the query string should be ?darkctf=2020
- payload2: the User-Agent should be base64_decode(“MjAyMF90aGVfYmVzdF95ZWFyX2Nvcm9uYQ==”), which is 2020_the_best_year_corona
- payload3: the query string should have ctf2020 equal to base64_encode(“ZGFya2N0Zi0yMDIwLXdlYg==”) (yes, encode, not decode), which is ?ctf2020=WkdGeWEyTjBaaTB5TURJd0xYZGxZZz09
- payload4: an md5 collision. But we can break the logic by passing arrays as input: /?karma[]=1,2&2020[]=3,4. That gives us false == false in the if condition, which is true.
Flag: DarkCTF{very_nice_web_challenge_dark_ctf}
CRYPTO
1. Pipe Rhyme
A simple RSA challenge. Get the factors of ‘n’ from http://factordb.com/, then use this script I wrote, https://github.com/divydividivu/SimpleRSADecryptor: just input the necessary values and we easily get the flag.
Flag: darkCTF{4v0iD_us1ngg_p1_pr1mes}
2. Easy RSA
This one is not as straightforward, but one doesn’t need to be a pro at number theory to solve it. After some googling I found some valuable info: https://crypto.stackexchange.com/questions/80311/attack-rsa-with-very-big-module-n-and-very-small-e-7. The idea is that with a very small e and a message short enough that m^e is smaller than n, the modular reduction never happens, so c is just m^e over the integers and m is its integer e-th root.
Again, Python can get us the flag.
```python
from Crypto.Util.number import long_to_bytes

def find_invpow(x, n):
    """Finds the integer component of the n'th root of x,
    an integer y such that y ** n <= x < (y + 1) ** n.
    """
    # Double until high ** n exceeds x; using <= here keeps the exact
    # powers of two (x == high ** n) inside the search interval.
    high = 1
    while high ** n <= x:
        high *= 2
    low = high // 2
    # Binary search on [low, high) using integer arithmetic only.
    while low < high:
        mid = (low + high) // 2
        if low < mid and mid ** n < x:
            low = mid
        elif high > mid and mid ** n > x:
            high = mid
        else:
            return mid
    return mid + 1

# Small e and a short message mean m ** e < n, so c is m ** e over the
# integers and the plaintext is simply the integer e-th root of c.
c = int(input("Enter the value of c: "))
e = int(input("Enter the value of e: "))
m = find_invpow(c, e)
print(long_to_bytes(m))
```
Flag: darkCTF{5m4111111_3_4tw_xD}
3. haxXor
Trying a keyed XOR. XOR has the property that like terms cancel out:
message XOR key = cipher, so cipher XOR message (the part we know) gives the key. So convert the cipher from hex to bytes, then XOR it with the known flag prefix darkCTF{.
The key obtained this way is ‘1337hack’; XORing the cipher with this key gives the original message back.
Flag: darkCTF{kud0s_h4xx0r}