STEM CTF: Cyber Challenge 2019
Nyan

Description: ssh ctf@138.247.13.114
When you connect to the SSH server, a script displays a "nyan cat" animation endlessly.
But if you redirect the output to xxd, you can see that the flag was printed first and then erased by a long run of backspaces (ASCII 0x08):
0000f3d0: 2020 2020 2020 2020 2020 2020 2020 2020                  
0000f3e0: 2020 2020 2020 2020 2046 6c61 6720 6973           Flag is
0000f3f0: 3a20 4d43 417b 4169 7261 6461 6570 6f68  : MCA{Airadaepoh
0000f400: 6838 5368 617d 0808 0808 0808 0808 0808  h8Sha}..........
0000f410: 0808 0808 0808 0808 0808 0808 0808 0808  ................
0000f420: 0808 081b 5b31 3b33 376d 596f 7520 6861  ....[1;37mYou ha
0000f430: 7665 206e 7961 6e65 6420 666f 7220 3120  ve nyaned for 1 
0000f440: 7365 636f 6e64 7321 1b5b 4a1b 5b30 6d1b  seconds!.[J.[0m.
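The trick above, text written to the terminal and then "erased" with backspaces, is still in the byte stream; the following added Python example (not part of the original writeup) parses the xxd lines quoted above, replays them the way a minimal terminal would, and contrasts what stayed on screen with what the stream actually carried.

```python
import binascii
# Constructed sample input: the xxd lines quoted in the writeup above.
XXD_SAMPLE = """\
0000f3e0: 2020 2020 2020 2020 2046 6c61 6720 6973           Flag is
0000f3f0: 3a20 4d43 417b 4169 7261 6461 6570 6f68  : MCA{Airadaepoh
0000f400: 6838 5368 617d 0808 0808 0808 0808 0808  h8Sha}..........
0000f410: 0808 0808 0808 0808 0808 0808 0808 0808  ................
0000f420: 0808 081b 5b31 3b33 376d 596f 7520 6861  ....[1;37mYou ha
0000f430: 7665 206e 7961 6e65 6420 666f 7220 3120  ve nyaned for 1
0000f440: 7365 636f 6e64 7321 1b5b 4a1b 5b30 6d1b  seconds!.[J.[0m.
"""
def parse_xxd(dump: str) -> bytes:  # hex column of xxd's default output -> bytes
    out = bytearray()
    for line in dump.splitlines():
        hexpart = line.split(':', 1)[1][:40]      # 8 groups of 4 hex digits
        out += binascii.unhexlify(hexpart.replace(' ', ''))
    return bytes(out)

def tokens(data: bytes):
    """Yield ('text', ch), ('bs', None) or ('csi', final) from a terminal stream."""
    i = 0
    while i < len(data):
        b = data[i]
        if b == 0x1b and data[i + 1:i + 2] == b'[':   # CSI: ESC [ params final
            j = i + 2
            while j < len(data) and not (0x40 <= data[j] <= 0x7e):
                j += 1
            if j < len(data):
                yield ('csi', chr(data[j]))
            i = j
        elif b == 0x08:
            yield ('bs', None)
        elif 0x20 <= b < 0x7f:
            yield ('text', chr(b))
        i += 1                                    # other control bytes are dropped

def render(data: bytes) -> str:
    """What the terminal finally shows: overwrites and ESC[J are honoured."""
    line, cur = [], 0
    for kind, val in tokens(data):
        if kind == 'text':
            line[cur:cur + 1] = [val]             # overwrite, or append at the end
            cur += 1
        elif kind == 'bs':
            cur = max(cur - 1, 0)                 # backspace only moves the cursor
        elif kind == 'csi' and val == 'J':
            del line[cur:]                        # erase from cursor to end of line
    return ''.join(line)

def carried_text(data: bytes) -> str:
    return ''.join(v for k, v in tokens(data) if k == 'text')  # every char ever sent
```

Run against the sample, `render()` yields only the "You have nyaned for 1 seconds!" line while `carried_text()` still contains the flag message, which is exactly why piping the session through xxd exposes it.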

Nomination

Description: Download
After extracting the .zip file, you get an image named Scaredy_Cat.png. Opening it in stegsolve shows that the flag was hidden in the LSB of the pixels.

Journey to the Center of the File

Description: Download
After extracting the .zip file, you get a file named "flag". The file command reveals that it is a bzip2 file. Extracting it gives another file named "flag", but this time it is a zip file. Continuing, you find another bzip2 file inside the zip, then a gzip file, a zip file, or the base64 encoding of a compressed file, and so on.
Perhaps you could extract all of them by hand (501 files in total), but I think a script is better:
#!/usr/bin/env python3
# Identify the current "flag" file with file(1) and unwrap one layer per iteration,
# until the decoded content finally contains the flag.
from subprocess import check_output

def sh(cmd):
    # Run a shell command and return its output as text (Python 3 returns bytes).
    return check_output(cmd, shell=True).decode('utf-8', 'replace')

while True:
    s = sh('file flag')
    if 'bzip2' in s:
        sh('mv flag flag.bz2; bzip2 -d flag.bz2')
    elif 'gzip' in s:
        sh('mv flag flag.gz; gzip -d flag.gz')
    elif 'Zip archive' in s:
        sh('mv flag flag.zip; unzip flag.zip; rm flag.zip')
    elif 'ASCII text, with very long lines' in s or 'flag: , init=' in s:
        # A text layer is base64: decode it in place.
        sh('base64 -d flag > temp; rm flag; mv temp flag')
    else:
        flag = sh('cat flag')
        if 'MCA{' in flag:
            print(flag)
            break
        else:
            # Anything else file(1) did not recognise was also base64 in this challenge.
            sh('base64 -d flag > temp; rm flag; mv temp flag')
And finally, the flag is: MCA{Wh0_Needz_File_Extensions?}.

TODO

Description:
TODO: remember where I put the flag
Link: http://138.247.13.110/
When you press the button, you are always sent to this URL: http://138.247.13.110/todolist/1000/. The number 1000 is the ID of the to-do list, and it can be changed to access the other lists (an IDOR vulnerability).
So, I used a small script to scan the IDs and find out where the flag is:
#!/usr/bin/env python3
# Walk the to-do list IDs below 1000 and stop at the first page that mentions the flag.
import requests

s = requests.Session()
for i in range(1000):
    r = s.get('http://138.247.13.110/todolist/' + str(i) + '/')
    if 'flag' in r.text or 'MCA' in r.text:
        print(r.text)
        print(i)
        break
And finally, the flag is at http://138.247.13.110/todolist/678/.

Clean room

Description: ssh ctf@138.247.13.108
When you connect to the SSH server, it spawns an rbash shell that leaves very few things for you. Although you can list every available command by pressing [TAB][TAB], some of them may also be restricted by rbash. But what about mapfile?
mapfile [-n count] [-O origin] [-s count] [-t] [-u fd] [-C callback] [-c quantum] [array]
readarray [-n count] [-O origin] [-s count] [-t] [-u fd] [-C callback] [-c quantum] [array]
Read lines from the standard input into the indexed array variable array, or from file descriptor fd if the -u option is supplied. The variable MAPFILE is the default array.
If you played the other Linux challenges before this one, you'll know the flag is located at /root/flag.txt. So you can use mapfile (or readarray) to read the flag file directly:

Getting A Head

Description: ssh ctf@138.247.13.107
When you connect to the SSH server, you can see a file named HackMe that is SUID and owned by root. In this challenge, /root/flag.txt needs root privileges to read, so you have to use HackMe to bypass that, but how?
Decompiling HackMe in IDA shows that it executes a command:
HackMe invokes the head command without an absolute path, and the PATH environment variable is writable. So you can create a file named head containing "/bin/bash -i", overwrite PATH so that it is found first, and run HackMe again to get the flag.

January 8, 2014

Description: ssh ctf@138.247.13.103
Now, let's look at the name of this challenge again: anything special?
Yes, it is sudo -l. Run it and you get this result:
User ctf may run the following commands on 654b698e7a63:
    (root) NOPASSWD: /usr/bin/vim /home/ctf/*/*/HackMe2.txt
So, you can use sudo without a password for the command sudo vim /home/ctf/*/*/HackMe2.txt. Then, spawn a root shell inside vim by typing :shell[ENTER]. Finally, cat /root/flag.txt to get the flag: MCA{ohghov1ieli7Eo2}.

Thank you for reading!