n00b15CTF Write-up

This is a minimalist write-up of the n00b15CTF.

For readers who are still completing the challenges and are looking for hints, read the HINTS section for each challenge rather than the whole paragraph.

Location-51

HINTS: JavaScript, Page redirects.

Going to http://hack.bckdr.in/LOCATION-51/ immediately redirects to http://hack.bckdr.in/LOCATION-51/trap.html, which uses JavaScript to pop up a password prompt; the source of the trap page does not contain the correct flag.

The redirect is itself JavaScript, so it stops as soon as JavaScript is disabled in the browser (a client that never executes scripts, such as curl or wget, is not redirected either). Viewing the source of /index.html then shows the correct flag.

Test

Simple task to practice computing the SHA-256 hash of some data.

I used http://www.xorbin.com/tools/sha256-hash-calculator as a quick tool. Any local tool works too, as long as you hash exactly the intended bytes: echo appends a trailing newline to its output, which gives a different digest.

Hidden Flag – Easy

HINTS: strings

The flag is hidden in the binary as a plaintext string, so no disassembly is needed. The strings command dumps every run of printable characters from a file, and one of the lines it prints looks like our hash.
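To show what strings actually does (and how the grep step narrows the dump down), here is an added example that is not part of the original write-up: a minimal reimplementation of the printable-run scan, run over a constructed byte blob that stands in for the challenge binary. The sample bytes, the flag{...} pattern and the 64-hex-digit pattern are assumptions made for the example.

```python
import re
import string

# Constructed stand-in for the challenge binary (not the real file): some
# non-printable header-like bytes with a few printable runs embedded.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x48\x89\xe5\x00"
    b"Hello, world!\x00"
    b"\x01\x02ab\x03"                                   # too short to report
    b"flag{this_is_not_the_real_flag}\x00"
    b"\xff\xfe\x00\x00"
    b"9d5e3d0c3a4f7b1e8a2c6f0d1b3e5a7c9d5e3d0c3a4f7b1e8a2c6f0d1b3e5a7c\x00"
)

# Printable ASCII as `strings` sees it: letters, digits, punctuation and
# space; tabs and other whitespace break a run.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Core of `strings -n <min_len>`: every run of at least min_len
    printable bytes, in file order."""
    found: list[str] = []
    run = bytearray()
    for byte in data:
        if byte in PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:          # a run that ends at EOF
        found.append(run.decode("ascii"))
    return found


# What a flag tends to look like in this CTF (assumption): flag{...} or a
# bare SHA-256 hex digest.
FLAG_RE = re.compile(r"flag\{[^}]*\}|\b[0-9a-f]{64}\b", re.IGNORECASE)


def find_flag_candidates(data: bytes, min_len: int = 4) -> list[str]:
    """Equivalent of piping the string dump through grep."""
    return [s for s in extract_strings(data, min_len) if FLAG_RE.search(s)]


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_BINARY):
        print(s)
    print("candidates:", find_flag_candidates(SAMPLE_BINARY))
```

Lowering min_len (the -n option of strings) surfaces short fragments such as "ELF" and "ab"; the default of 4 is what hides them.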

Search

HINTS: file

The file command identifies data by its signature (the magic bytes at the start of the file) rather than by its name. This time the file extension lied to us: it's not a text document but a JPEG.

$ file search.txt
search.txt: JPEG image data, JFIF standard 1.01, ...
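The following is an added example, not code from the write-up, showing the magic-byte check that file performs, including how it derives the "JFIF standard 1.01" detail from the APP0 segment. It also recognises the ext2/3/4 superblock magic, so the same check covers the filesystem image in the Undisputed challenge below. The signature table is a small hand-picked subset, and the sample JPEG header is constructed (only the first 20 bytes of a real file, not a decodable image).

```python
import string

# (leading bytes, description) in the style of file(1) output. A handful of
# signatures is enough to show why the extension is not to be trusted.
SIGNATURES = [
    (b"\xff\xd8\xff", "JPEG image data"),
    (b"\x89PNG\r\n\x1a\n", "PNG image data"),
    (b"GIF87a", "GIF image data, version 87a"),
    (b"GIF89a", "GIF image data, version 89a"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "Zip archive data"),
    (b"7z\xbc\xaf\x27\x1c", "7-zip archive data"),
    (b"\x7fELF", "ELF"),
    (b"\xd4\xc3\xb2\xa1", "pcap capture file (little-endian)"),
    (b"\xa1\xb2\xc3\xd4", "pcap capture file (big-endian)"),
]

TEXT_BYTES = set(string.printable.encode("ascii"))


def _describe_jpeg(data: bytes) -> str:
    """Add the JFIF version the way file(1) does: the APP0 marker FF E0
    follows SOI, then a 2-byte length, 'JFIF\\0', and major/minor bytes."""
    if len(data) >= 13 and data[2:4] == b"\xff\xe0" and data[6:11] == b"JFIF\x00":
        major, minor = data[11], data[12]
        return f"JPEG image data, JFIF standard {major}.{minor:02d}"
    return "JPEG image data"


def identify(data: bytes) -> str:
    """Classify a file by its leading bytes (its magic), ignoring the name."""
    for magic, description in SIGNATURES:
        if data.startswith(magic):
            if magic == b"\xff\xd8\xff":
                return _describe_jpeg(data)
            return description
    # ext2/3/4 keep their magic 0xEF53 (little-endian) at offset 0x38 of the
    # superblock, and the superblock starts 1024 bytes into the image.
    if len(data) >= 1082 and data[1080:1082] == b"\x53\xef":
        return "Linux ext2/3/4 filesystem data"
    if data and all(b in TEXT_BYTES for b in data):
        return "ASCII text"
    return "data"


def identify_file(path: str, head: int = 4096) -> str:
    """file(1)-style check on a real path; reads only the head of the file."""
    with open(path, "rb") as fh:
        return identify(fh.read(head))


# Constructed header of a JFIF file (SOI + the standard 16-byte APP0 segment).
SAMPLE_JPEG_HEAD = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00"
)

if __name__ == "__main__":
    print(identify(SAMPLE_JPEG_HEAD))       # JPEG image data, JFIF standard 1.01
    print(identify(b"just some text\n"))    # ASCII text
```

Passing search.txt to identify_file gives the same verdict as the file command above, whatever the extension says.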

Viewing the image gives us a QR code, which decodes to the URL of a page that displays the flag.

Lost

HINTS: HTTP POST, curl

Viewing the source (or the console log) gives us the hint: send a POST request to http://hack.bckdr.in/LOST/flag.php.

A simple curl request with the POST method returns the flag.

Hidden Flag – Medium

HINTS: Disassembler, Binary patching with radare2

Looking at the call graph in radare2, we see a function called print_flag that nothing ever calls. Rather than work out how to reach it, we can patch the binary: open it in radare2 in write mode, seek to the call printf that prints the pesky message, and rewrite that instruction as a call to print_flag. The call opcode stays the same; only its relative target changes, so the instruction keeps its length and nothing else in the binary moves. Running the patched binary then prints the flag instead of the message.
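To make the patch concrete, here is an added example (not from the write-up, and not the challenge binary) that does by hand what radare2's assembler does when you overwrite the call: an x86-64 near call is opcode E8 plus a signed 32-bit displacement relative to the next instruction, so retargeting it means recomputing that displacement. The code layout, symbol addresses and the r2 commands quoted in comments are assumptions for the example.

```python
import struct

# x86-64 near call: opcode E8 followed by a signed 32-bit displacement that is
# relative to the address of the *next* instruction (call site + 5).
CALL_OPCODE = 0xE8
CALL_LEN = 5

# Constructed stand-in for the challenge's .text section. Everything else is
# NOPs; the addresses are arbitrary but fixed, named like r2 would name them.
SYMBOLS = {
    "main": 0x10,             # main: call sym.imp.printf ; ret
    "sym.print_flag": 0x30,   # unreferenced in the original program
    "sym.imp.printf": 0x40,   # PLT stub that prints the pesky message
}


def encode_call(at: int, target: int) -> bytes:
    """Bytes of `call target` when the instruction sits at address `at`."""
    rel = target - (at + CALL_LEN)
    if not -2**31 <= rel < 2**31:
        raise ValueError("target not reachable with a rel32 call")
    return bytes([CALL_OPCODE]) + struct.pack("<i", rel)


def decode_call_target(code: bytes, at: int) -> int:
    """Resolve the absolute target of the call instruction at `at`."""
    if code[at] != CALL_OPCODE:
        raise ValueError(f"no call opcode at {at:#x}")
    (rel,) = struct.unpack_from("<i", code, at + 1)
    return at + CALL_LEN + rel


def build_sample_text() -> bytes:
    code = bytearray(b"\x90" * 0x50)                       # NOP filler
    main = SYMBOLS["main"]
    code[main:main + CALL_LEN] = encode_call(main, SYMBOLS["sym.imp.printf"])
    code[main + CALL_LEN] = 0xC3                           # ret
    for name in ("sym.print_flag", "sym.imp.printf"):
        code[SYMBOLS[name]] = 0xC3                         # bodies are just `ret` here
    return bytes(code)


def patch_call(code: bytes, at: int, new_target: int) -> bytes:
    """What `s <at>` followed by `wa call sym.print_flag` does in `r2 -w`:
    rewrite only the displacement so the existing call lands on new_target."""
    patched = bytearray(code)
    patched[at:at + CALL_LEN] = encode_call(at, new_target)
    return bytes(patched)


def find_calls_to(code: bytes, target: int) -> list[int]:
    """Naive byte scan for E8 calls to `target`. Fine for this sample; a real
    tool (r2's `axt sym.imp.printf`) uses proper disassembly so that data or
    operand bytes are not mistaken for an opcode."""
    return [
        off for off in range(len(code) - CALL_LEN + 1)
        if code[off] == CALL_OPCODE and decode_call_target(code, off) == target
    ]


if __name__ == "__main__":
    text = build_sample_text()
    site = find_calls_to(text, SYMBOLS["sym.imp.printf"])[0]
    print(f"main calls printf from {site:#x}")
    patched = patch_call(text, site, SYMBOLS["sym.print_flag"])
    print(f"after patch, {site:#x} calls {decode_call_target(patched, site):#x}")
```

The patched image is byte-for-byte the same length as the original, which is why a single-instruction rewrite is safe: no other offsets, relocations or jump targets are disturbed.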

Clutter

HINTS: Wireshark, Export as txt

The pcap has far too many packets to search manually, so we need to look for the word flag in every packet. Wireshark can do this itself (Edit > Find Packet with the String option searching Packet bytes, or the display filter frame contains "flag"), but I simply exported the packet data to a txt file and ran grep over it. The flag we are looking for turns out to be in traffic to pastebin!
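As an added example (not part of the write-up), here is the export-and-grep step done directly on the capture format: a minimal reader for the libpcap file layout (24-byte global header, 16-byte record header per frame) and a case-insensitive search of every frame's bytes, which is what the display filter frame contains does. The capture is constructed in memory with stand-in link and transport headers and made-up HTTP payloads; the pastebin request and the flag value are assumptions.

```python
import struct
from typing import Iterator

PCAP_HEADER_FMT = "<IHHiIII"   # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD_FMT = "IIII"       # ts_sec, ts_usec, incl_len, orig_len (endianness prefixed below)
HEADER_LEN, RECORD_LEN = 24, 16
MAGIC_USEC, MAGIC_NSEC = 0xA1B2C3D4, 0xA1B23C4D


def build_pcap(packets: list[bytes]) -> bytes:
    """Write a little-endian, microsecond-timestamp, Ethernet-linktype pcap."""
    out = bytearray(struct.pack(PCAP_HEADER_FMT, MAGIC_USEC, 2, 4, 0, 0, 65535, 1))
    for i, pkt in enumerate(packets):
        out += struct.pack("<" + PCAP_RECORD_FMT, 1_400_000_000 + i, 0, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


def iter_packets(pcap: bytes) -> Iterator[tuple[int, bytes]]:
    """Yield (frame number, captured bytes), numbering from 1 like Wireshark."""
    if len(pcap) < HEADER_LEN:
        raise ValueError("not a pcap file (too short)")
    (magic,) = struct.unpack_from("<I", pcap, 0)
    if magic in (MAGIC_USEC, MAGIC_NSEC):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):      # same magics written big-endian
        endian = ">"
    else:
        raise ValueError("not a pcap file (bad magic)")
    offset, frame = HEADER_LEN, 1
    while offset + RECORD_LEN <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + PCAP_RECORD_FMT, pcap, offset)
        offset += RECORD_LEN
        data = pcap[offset:offset + incl_len]
        if len(data) < incl_len:
            raise ValueError(f"frame {frame} truncated")
        yield frame, data
        offset += incl_len
        frame += 1


def grep_packets(pcap: bytes, needle: bytes, context: int = 24) -> list[tuple[int, str]]:
    """Case-insensitive search of every frame's raw bytes; returns
    (frame number, snippet around the match) for each hit."""
    hits: list[tuple[int, str]] = []
    needle = needle.lower()
    for frame, data in iter_packets(pcap):
        low = data.lower()
        pos = low.find(needle)
        while pos != -1:
            snippet = data[max(0, pos - context):pos + len(needle) + context]
            hits.append((frame, snippet.decode("latin-1")))
            pos = low.find(needle, pos + 1)
    return hits


# Constructed capture: 54 zero bytes stand in for Ethernet+IPv4+TCP headers
# (not parsed here), followed by made-up HTTP payloads.
FAKE_L2_L4 = b"\x00" * 54
SAMPLE_PACKETS = [
    FAKE_L2_L4 + b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    FAKE_L2_L4 + b"HTTP/1.1 200 OK\r\n\r\n<p>no flags here</p>",
    FAKE_L2_L4 + b"GET /raw/abcd1234 HTTP/1.1\r\nHost: pastebin.com\r\n\r\n",
    FAKE_L2_L4 + b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nflag{constructed_sample}",
]

if __name__ == "__main__":
    for frame, snippet in grep_packets(build_pcap(SAMPLE_PACKETS), b"flag"):
        print(f"frame {frame}: {snippet!r}")
```

The decoy in frame 2 shows why a bare search for "flag" needs a human look at each hit; searching for the opening brace of the flag format, or for the pastebin host, narrows it faster.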

NoSignal

HINTS: GIMP, XOR

We need a way to combine the two images into one. Both look like pure noise, which is exactly what a one-time-pad split of an image looks like, so XOR comes to mind: if one image is random and the other is the flag XORed with it, XORing the two together recovers the flag. We can put both images on top of each other as layers in GIMP, set the top layer's blend mode to Difference, and out comes the flag. Difference computes the absolute difference of each channel, which equals XOR for pure black-and-white pixels (0 and 255); for intermediate grey values the two operations differ, so on a greyscale pair you would have to XOR the pixel data directly.
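The following is an added example, not from the write-up, that shows the two-noise-images idea end to end on a constructed 8x8 bitmap: split a secret into a random share and its XOR, confirm that either XOR or GIMP-style Difference recovers it for black-and-white pixels, and show the case where Difference and XOR disagree. That the challenge images were produced this way is an assumption; the secret bitmap and seed are made up.

```python
import random

Image = list[list[int]]   # rows of 8-bit grey values, 0 = black, 255 = white

# Constructed 8x8 "secret" bitmap standing in for the flag image.
SECRET_ROWS = [
    "11111111",
    "11000000",
    "11000000",
    "11111000",
    "11000000",
    "11000000",
    "11000000",
    "00000000",
]
SECRET: Image = [[255 if c == "1" else 0 for c in row] for row in SECRET_ROWS]


def random_image(width: int, height: int, seed: int, binary: bool = True) -> Image:
    """Noise image; binary=True restricts pixels to pure black/white."""
    rng = random.Random(seed)
    pick = (lambda: rng.choice((0, 255))) if binary else (lambda: rng.randrange(256))
    return [[pick() for _ in range(width)] for _ in range(height)]


def pixelwise(a: Image, b: Image, op) -> Image:
    if len(a) != len(b) or any(len(ra) != len(rb) for ra, rb in zip(a, b)):
        raise ValueError("images must have the same dimensions")
    return [[op(x, y) for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]


def xor_images(a: Image, b: Image) -> Image:
    return pixelwise(a, b, lambda x, y: x ^ y)


def difference_images(a: Image, b: Image) -> Image:
    """GIMP's Difference blend mode: |top - bottom| per channel."""
    return pixelwise(a, b, lambda x, y: abs(x - y))


def split_secret(secret: Image, seed: int = 1) -> tuple[Image, Image]:
    """One plausible way the two noisy challenge images were made (assumption):
    a random share and the secret XORed with it. Each alone is pure noise."""
    share1 = random_image(len(secret[0]), len(secret), seed)
    share2 = xor_images(share1, secret)
    return share1, share2


def render(img: Image) -> str:
    return "\n".join("".join("#" if px else "." for px in row) for row in img)


if __name__ == "__main__":
    s1, s2 = split_secret(SECRET)
    print("one share alone:\n" + render(s1))
    print("\nDifference of both shares:\n" + render(difference_images(s1, s2)))
```

For 0/255 pixels the two operations agree, which is why the GIMP shortcut works; a greyscale pair (say 200 over 100) gives 172 under XOR but 100 under Difference.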

Sequel

HINTS: SQLi, UNION SELECT

Looking at the source code we can see the database file being included from the local directory, and it turns out we can fetch this file directly. Let's take a look inside the database. There's no user sdslabs! So it looks like we will have to UNION SELECT our way to victory.

With some SQLi magic we can make the query return a row whose username is sdslabs and then get the flag. The downloaded database tells us the users table has five columns, so submitting the username ' UNION SELECT null, null, 'sdslabs', null, null -- closes the string, appends a row of our choosing with the right number of columns, and comments out the rest of the SQL query, like so:

SELECT * FROM users WHERE username = '' UNION SELECT null, null, 'sdslabs', null, null --'  AND password_hash = ''

The returned row is the following, which is enough to get us the flag.

id  name  username  email  password_hash
1   NULL  sdslabs   NULL   NULL

Sound

HINTS: Audacity, Effects

It sounds like gibberish! The message is actually reversed and sped up, so in Audacity apply Effect > Reverse and then slow it down with the Change Speed effect, and you can clearly hear what the flag is.

Undisputed

HINTS: ext4, mount

The .ext4 file is a filesystem image, so we need to create a temporary directory and mount the image on it. Mounting read-only keeps the evidence unmodified (a recent mount attaches a regular file to a loop device automatically; otherwise add loop to the options).

$ sudo mkdir /media/tmp
$ sudo mount -o ro file.ext4 /media/tmp

We can then navigate into it, poke around, and pretty easily find the flag inside a 7-zip archive, which 7z can extract. Unmount the image again when done.
