This is a minimalist write-up of the n00b15CTF.
For readers who are still completing the challenges and are looking for hints, read the HINTS section for each challenge rather than the whole paragraph.
Going to http://hack.bckdr.in/LOCATION-51/ immediately redirects to http://hack.bckdr.in/LOCATION-51/trap.html, which then uses JS to show a password prompt; however, the source code of the trap page does not reveal the correct flag.
/index.html will show us the correct flag.
Simple task to practice creating a SHA-256 hash of some data.
I used http://www.xorbin.com/tools/sha256-hash-calculator as a quick tool.
Hidden Flag – Easy
There is a hidden flag in the binary, but it’s a plaintext string included in the binary. We can use the command strings to dump all printable strings from the binary, which reveals a line that looks like our hash.
file will tell us what file signature the data has. This time the file extension lied to us: it’s not a txt document but a JPEG.
$ file search.txt
search.txt: JPEG image data, JFIF standard 1.01, ...
Viewing the image gives us a QR Code which when read points us to a webpage that displays the flag.
HINTS: HTTP POST, curl
Viewing the source (or console logs) gives us the hint to send a POST request to http://hack.bckdr.in/LOST/flag.php.
A simple curl request which does this will return the flag.
Hidden Flag – Medium
HINTS: Disassembler, Binary patching with radare2
Looking at the call graph in radare2, we see an unused function called print_flag. To call this function we can patch the binary so that the call to printf becomes a call to print_flag, so our flag gets printed instead of the pesky message.
HINTS: Wireshark, Export as txt
The pcap file has too many packets to search through manually, so we need to search for the word flag in every packet. There might be a way to do this within Wireshark, but I just exported the data to a txt file and ran grep over it. The flag we are looking for came from pastebin!
HINTS: GIMP, Xor
We need to find a way to combine both images into one; since the images are quite noisy, XOR comes to mind. We can put both images on top of each other in GIMP, set the blend mode to difference, and out comes the flag.
HINTS: Sqli, UNION Select
Looking at the source code we can see the database file being included from a local directory, and it turns out we can also access this file. Let’s take a look inside the database. There’s no user sdslabs! So it looks like we will have to UNION SELECT our way to victory.
With some sqli magic we can make our username equal to sdslabs and then get the flag. Setting our username to
' UNION SELECT null, null, 'sdslabs', null, null -- 
will set the username to sdslabs and comment out the rest of the SQL query, like so:
SELECT * FROM users WHERE username = '' UNION SELECT null, null, 'sdslabs', null, null --' AND password_hash = ''
The returned row will be this, which is enough to get us the flag.
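The query above, rebuilt as an added example (not part of the original write-up) against a constructed SQLite table: the same string-concatenated lookup that the payload exploits, next to a parameterized version where the identical input returns nothing. The column names, the sample row and the app's trust in the returned username are assumptions.

```python
import sqlite3

# Constructed stand-in for the challenge database. The real users table's column
# names are not in the write-up; five columns are assumed because the UNION
# payload supplies five values, with username in the third position.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, username TEXT, "
                 "password_hash TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice@example.com', 'alice', "
                 "'constructed-hash', 'user')")
    return conn

# The payload quoted in the write-up (trailing space after -- kept on purpose).
PAYLOAD = "' UNION SELECT null, null, 'sdslabs', null, null -- "

def lookup_vulnerable(conn, username, password_hash):
    # String concatenation: the input becomes part of the SQL text, so a quote
    # closes the literal and everything after -- is ignored by the parser.
    query = ("SELECT * FROM users WHERE username = '" + username +
             "' AND password_hash = '" + password_hash + "'")
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, username, password_hash):
    # Placeholders: the driver binds the values separately from the SQL text, so
    # quotes, UNION and -- inside the input are compared as plain characters.
    query = "SELECT * FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchall()

def authenticated_as(rows):
    # Models an app that trusts the username column (index 2) of the first row
    # it gets back; returns None when no row was returned.
    return rows[0][2] if rows else None
```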
HINTS: Audacity, Effects
It sounds like gibberish! But the message is actually in reverse and sped up, so reverse the sound and slow it down using Audacity and you can clearly hear what the flag is.
HINTS: ext4, mount
The ext4 file is a file-system image, so we need to create a temporary directory and mount the file-system onto it.
$ sudo mkdir /media/tmp
$ sudo mount -o ro file.ext4 /media/tmp
We can then navigate into it, poke around and pretty easily see the flag inside a 7-zip archive.