HSCTF 7 event organized by JohnHammond.
1. Read The Rules
The first challenge we’re gonna solve here is Read The Rules. The description says, “Please follow the rules for this CTF!” https://ctf.nahamcon.com/rules
curl -s https://ctf.nahamcon.com/rules | grep -i 'flag{'
flag{we_hope_you_enjoy_the_game}
2. CLIsay
The second challenge is worth 20 points. The description says, “cowsay is hiding something from us!” and has a file to download.
If we run strings or xxd on it, we get:
root@m4sterph0enix:~/ctftime/nahamcon/warmup/clisay# strings clisay | head -n 30
/lib64/ld-linux-x86-64.so.2
libc.so.6
printf
__cxa_finalize
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
[]A\A]A^A_
flag{Y0u_c4n_
__________________________________
/ Sorry, I'm not allow to reveal any \
\ secrets... /
----------------------------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
r3Ad_M1nd5}
:*3$"
GCC: (Ubuntu 9.2.1-9ubuntu2) 9.2.1 20191008
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.8055
__do_global_dtors_aux_fini_array_entry
frame_dummy
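We can see our flag inside the strings output, split into two pieces around the cowsay banner. Let’s make it more readable by filtering for those pieces and joining them.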
strings clisay | grep -E 'flag{|}'
flag{Y0u_c4n_r3Ad_M1nd5}
3. Metameme
Let’s start our third challenge. The description says, “Hacker memes. So meta.” and we’re given a download link for the image, so let’s wget it.
We know the format is indeed JPEG, so let’s read the strings again.
To make it more readable:
strings hackermeme.jpg | awk '/flag{/'
flag{N0t_7h3_4cTuaL_Cr3At0r}
4. Mr. Robot
This challenge is a little bit tricky. The description says, “Elliot needs your help. You know what to do.” and we’re given a link.
We have an index page here with a Mr. Robot image. I checked with binwalk and strings but couldn’t find anything. So, I started enumerating directories and got this:
/index.html (Status: 200)
/robots.txt (Status: 200)
Upon checking robots.txt, we got:
We got our flag.
flag{welcome_to_robots.txt}
5. UGGC
The description of this challenge says “Become the admin!” Let’s take a look.
If we open the URL, we get a login form.
Enter “guest” and click login, intercepting the request with Burp Suite.
POST /login HTTP/1.1
Host: jh2i.com:50018
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 14
Origin: http://jh2i.com:50018
Connection: close
Referer: http://jh2i.com:50018/login
Upgrade-Insecure-Requests: 1

username=guest
Send this request to the Repeater.
Click on Follow redirection.
We get to the login form again. Let’s log in as guest and intercept the request again.
Now, intercept the request and refresh the page.
We get this request:
GET / HTTP/1.1
Host: jh2i.com:50018
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://jh2i.com:50018/login
Connection: close
Cookie: user=thrfg
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
If we take a closer look at the cookie, user=thrfg is our “guest” username in encoded form.
Cookie: user=thrfg
If we change the cookie to “user=abc” and send the request, it changes that to “nop”. Every letter is shifted by 13 places, so now we know how this cipher works, and some Google research confirms it’s the ROT-13 cipher.
If we encrypt “admin” with the ROT-13 cipher, we get the cookie value that should give us our flag.
admin = nqzva
Let’s change this in our cookie and send the request:
flag{H4cK_aLL_7H3_C0okI3s}
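Why the UGGC cookie could be edited, as an added example (not code from the challenge or from this write-up): the ROT-13 scheme involves no secret, so the server cannot tell its own cookies from edited ones, while an HMAC-signed cookie can be checked. The function names and the key are assumptions made for illustration.

```python
import codecs
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed key for this example; a real application loads it from secret storage.
SERVER_KEY = secrets.token_bytes(32)


def weak_issue(username: str) -> str:
    """Scheme seen in the write-up: the cookie is just ROT-13 of the username."""
    return codecs.encode(username, "rot13")


def weak_read(cookie: str) -> str:
    """Weak server side: whatever the cookie decodes to is trusted as the identity."""
    return codecs.decode(cookie, "rot13")


def _tag(username: str) -> str:
    return hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()


def signed_issue(username: str) -> str:
    """Hardened form: username plus an HMAC-SHA256 tag only the server can compute."""
    return f"{username}.{_tag(username)}"


def signed_read(cookie: str) -> Optional[str]:
    """Return the username if the tag verifies, None if tampered or malformed."""
    username, sep, tag = cookie.rpartition(".")
    if not sep or not username:
        return None
    ok = hmac.compare_digest(tag.encode(), _tag(username).encode())
    return username if ok else None


def swap_name(cookie: str, new_name: str) -> str:
    """Simulate a client editing the name while reusing the tag it was given."""
    return f"{new_name}.{cookie.rpartition('.')[2]}"


if __name__ == "__main__":
    print(weak_issue("guest"), "->", weak_read(weak_issue("admin")))
    guest = signed_issue("guest")
    print(signed_read(guest), signed_read(swap_name(guest, "admin")))
```

A random session ID that the server maps to the user is the other common fix; either way the identity must not be derivable by the client.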