Hac-Sec 21 CTF Write-up

archangel78
Jan 5, 2021

This is the official write-up for all my challenges in the Hac-Sec CTF conducted on 04/01/2021.

Challenge: Code of chaos

Description: The given binary generates a random binary (base 2) number for every numeric seed that you pass as a command line argument. There is a seed ‘a’ in the range 500 to 650 that generates a binary number which, when XORed with the binary number generated by another seed ‘b’, gives the binary (base 2) value of the flag. The difference between seed ‘a’ and ‘b’ is 768 and both seeds are positive. In other words, if bin is the function that converts a seed to a binary number, then xor(bin(a), bin(b)) = c and flag = ascii(c).

Included files

Each number/seed that we pass as a command line argument to this binary is used to generate a random binary number. You can also use a character counter to figure out that it always returns 216 characters, no matter what the seed is. Also, the same seed always generates the same binary number.

Reversing this binary won’t lead to anything useful. So let’s solve it the intended way.

According to the description we have to find two seeds. The xored output of the two binaries generated by the two seeds gives the binary value of the flag. We know that both seeds are positive and the first seed lies between 500 and 650. And the difference between both seeds is 764.

Therefore the second seed lies between 1264 and 1414. So, in my code I have a function called getSeedOutputs that extracts all binaries generated by seeds in the range 500–650 and stores them in one file (seed_a_bins), and stores all binaries generated by seeds in the range 1264–1414 in another file (seed_b_bins).

Then each binary string from seed_a_bins is xored with the corresponding binary string from seed_b_bins. I used the xor function from GeeksforGeeks available here: https://www.geeksforgeeks.org/xor-of-two-binary-strings/

Then each xored binary is stored in a third file called xorbins. Then I used a system call and perl to decode the binaries and store them in a file called xoroutputs.

There are much better ways to solve this challenge and I saw much more efficient and shorter code than mine from the people who solved it, but I am extremely new to python and this is what I came up with ¯\_(ツ)_/¯.

import os

def getSeedOutputs():
    # extracts binaries in range (500,650) and (1264,1414) and stores them in files
    for i in range(500, 650):
        os.system("./binarygenerator " + str(i) + " >> seed_a_bins")
        os.system("echo '\n' >> seed_a_bins")
    for i in range(1264, 1414):
        os.system("./binarygenerator " + str(i) + " >> seed_b_bins")
        os.system("echo '\n' >> seed_b_bins")

def xor(a, b, n):
    # Xor the first n characters of two binary strings, code taken from geeksforgeeks
    ans = ""
    for i in range(n):
        if a[i] == b[i]:
            ans += "0"
        else:
            ans += "1"
    return ans

def xorseeds():
    # opens both seed files, passes corresponding binaries to the xor function and stores the result in xorbins
    seed1_array = []
    seed2_array = []
    with open("seed_a_bins") as f:
        for line in f:
            seed1_array.append(line)
    with open("seed_b_bins") as f:
        for line in f:
            seed2_array.append(line)
    for i in range(len(seed1_array)):
        if seed1_array[i] == '\n':
            continue  # skip the separator lines written by the echo calls above
        c = xor(seed1_array[i], seed2_array[i], 216)
        os.system("echo " + c + " >> xorbins")

def getflag():
    # calls perl via a system command to decode each binary and stores it in xoroutputs
    xor_array = []
    with open("xorbins") as f:
        for line in f:
            xor_array.append(line.strip())
    for i in xor_array:
        os.system("echo " + i + " | perl -lpe '$_=pack\"B*\",$_' >> xoroutputs")

getSeedOutputs()
xorseeds()
getflag()

Then you can just use grep for the given flag format on the file xoroutputs.
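The same search done in-process, as an added example (not the original solver): it XORs the two bit strings, decodes them exactly as pack("B*") does, and scans each decoded candidate for the flag format. The generator binary is not available offline, so a constructed stand-in with the same property (same seed, same 216 bits) is used; run_generator and the ./binarygenerator path are assumptions, and the seed distance is taken from the description.

```python
import random
import re
import subprocess
from typing import Callable, Optional, Tuple
BITS = 216                      # the generator always prints 216 bits per seed
A_RANGE = range(500, 651)       # seed 'a' lies between 500 and 650
DELTA = 768                     # seed distance stated in the challenge description
FLAG_RE = re.compile(rb"hacsec\{[^}]*\}")

def xor_bits(a: str, b: str) -> str:
    """XOR two equal-length bit strings character by character."""
    if len(a) != len(b):
        raise ValueError("bit strings differ in length")
    return "".join("0" if x == y else "1" for x, y in zip(a, b))

def bits_to_bytes(bits: str) -> bytes:
    """Same as perl's pack("B*", $bits): MSB-first bit string to bytes, zero-padded."""
    padded = bits + "0" * (-len(bits) % 8)
    return int(padded, 2).to_bytes(len(padded) // 8, "big")

def run_generator(seed: int) -> str:
    """Run the challenge binary (assumed to be ./binarygenerator) and capture its bits."""
    proc = subprocess.run(["./binarygenerator", str(seed)], capture_output=True, text=True, check=True)
    return proc.stdout.strip()

def find_flag(gen: Callable[[int], str], a_range=A_RANGE, delta=DELTA) -> Optional[Tuple[int, int, bytes]]:
    """Try b = a + delta for every candidate a; return (a, b, flag) once the XOR decodes to a flag."""
    for a in a_range:
        b = a + delta
        decoded = bits_to_bytes(xor_bits(gen(a), gen(b)))
        match = FLAG_RE.search(decoded)
        if match:
            return a, b, match.group(0)
    return None

def fake_generator(flag: bytes, a_secret: int, b_secret: int) -> Callable[[int], str]:
    """Constructed stand-in for the binary so the search runs offline: every seed yields a fixed
    216-bit string, and bin(b_secret) is built so that bin(a_secret) XOR bin(b_secret) encodes flag."""
    flag_bits = "".join(f"{byte:08b}" for byte in flag.ljust(BITS // 8, b"\x00"))
    def gen(seed: int) -> str:
        if seed == b_secret:
            return xor_bits(gen(a_secret), flag_bits)
        rng = random.Random(seed)               # same seed, same output, as with the real binary
        return "".join(rng.choice("01") for _ in range(BITS))
    return gen

if __name__ == "__main__":
    gen = fake_generator(b"hacsec{constructed_sample}", 577, 577 + DELTA)
    print(find_flag(gen))                       # pass run_generator instead to search the real binary
```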

Flag: hacsec{ch40t1c_pr0gr4mm3r}

Challenge: Programmer

Description: I found a lock and a key, but the key is broken. Put the key back in ‘order’ to unlock the flag. The challenge also asks to use onlinegdb compiler.

Included files

There is a C code attached with the challenge.

You can get the original code here.

Executing this code does some calculations using the key array, the rand function and the loop variable, and uses the result as an index to print an element from the lock array. This is irrelevant to solving the challenge.

The description asks to put the key back in order. This refers to the key array. Putting the key back in order means sorting the array. I have written a selection sort function in the code below to sort the key array.

Executing it prints “You might need the seed 133337”. This refers to the value passed to the srand function. That value is called a seed, and it determines the sequence of numbers that rand then generates.

Changing that to 133337 and executing:

Flag: HAC-SEC{H4CX3RS_R_PR0GR4MM3RS}

Challenge: Volatile

Description: He has been talking a lot about the sounds. He found some disks that may lead him to a long lost treasure. But his memory is volatile. Can you help him?

Included files

Challenge Category: Forensics

Start by doing imageinfo using volatility to the given raw file.

Now that we have the profile, let’s do pslist to list the currently running processes.

There are two interesting processes here (secretdisk1.exe and secretdisk2.exe).

The description also mentions something about disks, so let’s use the procdump module to dump these two executables.

I executed these two executables using wine.

The first executable mentions pastebin, the second executable just prints a lot of hex data.

I copied it to a file called hexdump and used xxd to convert it back to a normal file.

Running file on the output shows that it is a zip file. Unzipping it gives us an mp3 file, humanity.mp3. I used Audacity to look at the spectrogram of the file.

It says /JTRYWK07. The other disk mentioned pastebin. Trying this as a pastebin link shows a password protected pastebin.

Let’s go back to the dump file and try to dump the password hashes and crack them.

Cracking them gives us qwerty1. Let’s try using this as the password for the paste.

Unlocking it gives the flag.

Flag: HAC-SEC{v0lat1l3_m3m0ry_sp3ctrogr4m}

Challenge: Droid

Description: I made an app that searches for reddit posts and I hid a flag in it. Can you find it?

Included files

Start by installing the app in an android emulator or your phone.

It is an app that simply searches the reddit api for whatever we type in and returns the first 25 posts. It also has two spinners: one that sorts the posts and one that holds the numbers from 0 to 25.

Let’s keep this in mind and decompile the apk. I used an online apk decompiler and downloaded the files. Let’s take a look at mainactivity.java.

The onCreate function doesn’t seem to have anything interesting. As you can see, the onButtonClicked function creates an object of the fetchdata class and calls execute on it. This function is called when the search button is pressed. Let’s take a look at the fetchdata class now.

In fetchdata.java, the doInBackground function has an interesting if statement that uses a different url for the reddit web api. This if block also calls a function called getJsonFlag.

Let’s try and see how to satisfy the condition so that this if block gets executed. As you can see, the code block is surrounded by two if statements. The first one checks whether the search_string variable in MainActivity is equal to “s4cur3r3dd1tp4ss”. The second if statement checks for two things. First it checks whether the selected position in the sort_preference spinner (drop down menu) is 2. This refers to the third option in the menu, as the positions in spinners go as (0, 1, 2, …). It also checks whether the selected position in the “key” spinner in MainActivity is 25.

So if we select the third position in first spinner and 26th position in second spinner and give “s4cur3r3dd1tp4ss” as our search string, we should execute this if block.

That gives us the flag.

Flag: HAC-SEC{dr0id_hack3r_0r_reddit_h4cker}

Challenge: Hidden in Plainsight

Description: Lots of locks, lots of keys. Being a brute might help u unlock the locks, but the flag is not in any of the locks. It is hidden in the keys.

Included files

The challenge includes a zip file. Start by unzipping the zip file. It extracts to a directory called zipfiles. The zipfiles directory has 36 password protected zip files named 1.zip, 2.zip, 3.zip and so on.

The description hints towards brute forcing, and all files are password protected. So, let’s write a script to brute force all zip files using fcrackzip and the wordlist rockyou.txt.

After about 2 minutes, it cracked all the passwords. You can try unzipping each file, but all of them just lead to rabbit holes. I am not going to show them in this writeup. As the description suggested, the flag is hidden in the keys not the locks.

Let’s start by extracting the passwords from the output file of the script.

Looking at the first character of each key shows something interesting. Let’s print the first character of each line.

The last part is the base64 encoding of the flag.

Flag: hacsec{h1dd3n_1n_k3y}

Challenge: Aladin

Description: A land of many mysteries, but the right path can lead you to the all powerful. Ask him the right way and he might give you the flag.

Visiting the website just redirects in an infinite loop. It redirects to 1.php, 2.php, …, 18.php and then goes back to 1.php. Looking at the source of the pages is the next step. 14.php has something interesting.

It gives a base64 text that decodes to “/genie.php grants anything that you “wish” for”.

Let’s visit /genie.php and pass in a parameter wish.

Let’s try wishing for the flag.

It asks for a key. Let’s provide a key as a second parameter.

It says key is not numeric. This could be referring to the loosely behaving php function “is_numeric”. We will come back to this. For now, let’s just try adding a number as the key. Based on some trial and error, you can find that it requires the key to be greater than 1000 but it has to be less than 3 digits. Let’s go back to the is_numeric function. This can be exploited. Let’s try entering a hex value as the key. For example 3e4.
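Why a three-character value can still exceed 1000: PHP’s is_numeric() accepts exponent notation, so “3e4” passes the numeric check while its value is 30000. The example below is added here, not the challenge’s source: php_is_numeric approximates PHP’s rules, genie_check is an assumed reconstruction of the three checks inferred above, and strict_key_check shows the digits-only validation that closes the gap.

```python
import re

# Approximation of PHP's is_numeric(): optional surrounding whitespace, optional sign, decimal
# digits with optional fraction, optional exponent. Hex strings such as "0x1A" are not numeric
# in PHP 7 and later, so they are rejected here as well.
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")

def php_is_numeric(s: str) -> bool:
    """Return True if PHP's is_numeric() would accept the string."""
    return bool(_PHP_NUMERIC.match(s))

def genie_check(key: str) -> str:
    """Assumed reconstruction of the genie's checks (not the challenge's code): numeric,
    greater than 1000, and no more than three characters long."""
    if not php_is_numeric(key):
        return "key is not numeric"
    if len(key.strip()) > 3:
        return "key is too long"
    if float(key) <= 1000:          # PHP would compare the numeric string the same way
        return "key is too small"
    return "flag"

def strict_key_check(key: str) -> bool:
    """Defensive replacement: ASCII decimal digits only (what PHP's ctype_digit() enforces),
    then compare as an integer. With plain digits, > 1000 and <= 3 characters can never both hold."""
    return key.isascii() and key.isdigit() and len(key) <= 3 and int(key) > 1000

if __name__ == "__main__":
    for candidate in ("abc", "999", "30000", "3e4"):
        print(candidate, "->", genie_check(candidate), "| strict:", strict_key_check(candidate))
```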

Flag: HAC-SEC{ins3cur3_php_funct10ns}

Challenge: Reprisal

Description: The FBI captured a dark army operative. Allsafe security engineers are analyzing his laptop. I managed to hack and capture the network traffic of the C.E.O of Allsafe. Your job is to analyze it and find out what they know before it’s too late. Dark army needs you.

Included files

Start by opening the pcap file in Wireshark and exporting all objects. There are two interesting objects. One is a zip file and the other is a file that has this message.

Let’s unzip the zip file and provide this as the password.

The unzipped directory has two files: a password protected pdf and a cap file. The cap file is a WPA handshake capture. Start by cracking it using aircrack-ng and the rockyou wordlist.

Using this as the password for the pdf unlocks it. The pdf has a lot of base64 data. Copy it to a file and decode it.

Decoding it shows a lot of raw data, and you can notice a lot of png chunks.

But it is not possible to open it, as the image is corrupted. Convert it into a hexdump, add the png hex header to the beginning and convert it back.

Now opening the file gives us the flag.
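The header repair in code, as an added example (not part of the original write-up): repair_png prepends the 8-byte PNG signature only when the data really starts with an IHDR chunk, and list_chunks walks the chunk list verifying each CRC, which is the quickest way to confirm that the missing signature was the only damage. The sample image is constructed inline.

```python
import zlib

PNG_SIGNATURE = bytes.fromhex("89504e470d0a1a0a")   # \x89PNG\r\n\x1a\n, the 8 bytes that were missing

def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return len(body).to_bytes(4, "big") + ctype + body + crc.to_bytes(4, "big")

def tiny_png() -> bytes:
    """Constructed 1x1 8-bit greyscale PNG used as sample input."""
    ihdr = (1).to_bytes(4, "big") + (1).to_bytes(4, "big") + bytes([8, 0, 0, 0, 0])
    idat = zlib.compress(b"\x00\x00")                 # filter byte 0 plus one grey pixel
    return PNG_SIGNATURE + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")

def repair_png(data: bytes) -> bytes:
    """Prepend the signature if it is missing; refuse if IHDR is not where it should then be."""
    if data.startswith(PNG_SIGNATURE):
        return data
    if data[4:8] != b"IHDR":
        raise ValueError("no IHDR at offset 4: more than the signature is missing")
    return PNG_SIGNATURE + data

def list_chunks(data: bytes) -> list:
    """Return (type, length, crc_ok) for every chunk; a viewer rejects chunks with bad CRCs."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    out, pos = [], 8
    while pos + 12 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc = int.from_bytes(data[pos + 8 + length:pos + 12 + length], "big")
        out.append((ctype.decode("ascii"), length, zlib.crc32(ctype + body) & 0xFFFFFFFF == crc))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return out

if __name__ == "__main__":
    damaged = tiny_png()[8:]            # simulate the decoded dump that lost its header
    print(list_chunks(repair_png(damaged)))
```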

Flag: HAC-SEC{Mr_r0b0t_cr34t3d_fs0c1ety}

Challenge: Include

Description: Web Developers often forget to include security mechanisms in their websites.

Let’s start by visiting the website

On clicking the button, the string “Control is an illusion” pops up. We can also see that a parameter called view is added to the url, and its value is the full path of a file:

?view=/var/www/html/mrrobot.

The mrrobot file could be suggesting to look at /robots.txt. It leads us to another directory that says this:

So, one way to read linux files on the web server is local file inclusion. Let’s go back to the index page and see if we can manipulate the view parameter to get the flag.

Let’s try including the flag file “?view=/etc/passwd”.

You can do some manual enumeration to get a rough idea of the restrictions it has. Two things to note are that it says not allowed if you do not have /var/www/html in the view parameter, and it also says not allowed if you use ‘../..’. You can try using a php wrapper. Let’s start by using a php wrapper on the mrrobot file that the page includes when you click the button.

http://13.233.38.154/?view=php://filter/convert.base64-encode/resource=/var/www/html/mrrobot

Decoding this gives “<?php echo ‘Control is an illusion’; ?>”. This means that mrrobot is a php file and the php extension is automatically appended by the backend php code. Let’s try to include the index file like this.

http://13.233.38.154/?view=php://filter/convert.base64-encode/resource=/var/www/html/index

We get a base64 code and decoding gives us the backend php code.

Let’s analyze it to figure out how to bypass the filters.

There are three interesting things here. First, it checks for the ext parameter; if it is not present, it uses php as the extension. So we can manipulate this to include files with other extensions. Secondly, the value needs to contain /var/www/html and must not contain ‘../..’ for the file to be included.

So, if we wanted to include the /etc/flag file, the url would look something like this:

http://13.233.38.154/?view=/var/www/html/..//..//..//..//etc/flag&ext=
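Why that url passes: the substring checks look at the raw string, but the file system resolves the path. The example below is added here and is not the challenge’s code: original_include_path is an assumed reconstruction of the three checks described above, resolved shows what the kernel actually opens, and hardened_include_path is the defensive version that resolves first and then enforces the web root.

```python
import posixpath
from typing import Optional

WEB_ROOT = "/var/www/html"

def original_include_path(view: str, ext: Optional[str] = None) -> Optional[str]:
    """Assumed reconstruction of the checks the write-up describes (not the challenge's source):
    value must contain /var/www/html, must not contain '../..', and the ext parameter
    (default 'php') is appended. Returns the path handed to include(), or None for 'not allowed'."""
    if WEB_ROOT not in view or "../.." in view:
        return None
    if ext is None:
        ext = "php"
    return view + ("." + ext if ext else "")

def resolved(path: str) -> str:
    """What actually gets opened: '..' and doubled slashes collapsed (realpath without a disk)."""
    return posixpath.normpath(path)

def hardened_include_path(view: str, ext: Optional[str] = None) -> Optional[str]:
    """Defensive version: pin the extension to an allow-list, resolve the path first, and only
    then require it to live under the web root. Wrappers such as php://filter never resolve there."""
    ext = "php" if ext is None else ext
    if ext not in ("php",) or "\x00" in view:
        return None
    path = resolved(view + "." + ext)
    if not path.startswith(WEB_ROOT + "/"):
        return None
    return path

if __name__ == "__main__":
    payload = "/var/www/html/..//..//..//..//etc/flag"      # the bypass from the write-up
    accepted = original_include_path(payload, ext="")
    print(accepted, "->", resolved(accepted))
    print(hardened_include_path(payload, ext=""))
```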

Flag: HAC-SEC{L00ks_l1k3_1ts_n0t_th4t_S3cur3}

Challenge: Flag Hunt

Description: Go hunt for the flag. Follow the path you find. You will get the flag eventually.

Included files

Write a bash script to run steghide on the provided 36 images. The name of the provided file is s3cr3t1234; use this as the password.

#!/bin/bash
# try the same passphrase against every image; steghide only writes a file when data is embedded
for i in {1..36}
do
    steghide extract -sf "$i.jpg" -p s3cr3t1234
done

All of them create the same file called nothinghere, but one of them creates a file called somethinghere with a pastebin link.

The paste just has a hexdump. Copy it and convert it back using xxd. It gives us a linux executable.

Running strings on this file gives us the flag.

Flag: hacsec{Y0u_f0und_th3_fl4g}
