Welcome to my Pragyan CTF 2019 write-up!
Menu
- Forensics
- Web
Magic PNGs
Description: Can you help me open this zip file? I seem to have forgotten its password. I think the image file has something to do with it.
Hint: You may have to hash the secret word to get the flag...
Link:
- http://159.89.166.12:8000/files/7fbf7bee11a93f960c42ada523f96304/tryme.zip
- http://159.89.166.12:8000/files/ce61f09f22129660f264b87f36d082e9/you_cant_see_me.png
The zip file is password-protected. According to the description, the password is in the image, but the image cannot be displayed. I used file to check its magic number and the tool said that the file was not an image. So, I opened the PNG file with xxd:
    00000000: 8950 4e47 2e0a 2e0a 0000 000d 4948 4452  .PNG........IHDR
    00000010: 0000 00cd 0000 00f6 0803 0000 0042 dff3  .............B..
    00000020: 3500 0000 0467 414d 4100 00b1 8f0b fc61  5....gAMA......a
    00000030: 0500 0000 2063 4852 4d00 007a 2600 0080  .... cHRM..z&...
    00000040: 8400 00fa 0000 0080 e800 0075 3000 00ea  ...........u0...
    00000050: 6000 003a 9800 0017 709c ba51 3c00 0000  `..:....p..Q<...
    00000060: 8450 4c54 45ff ffff 4747 4700 0000 3c3c  .PLTE...GGG...<<
    00000070: 3caa aaaa 9e9e 9e10 1010 f3f3 f3be bebe  <...............
    00000080: 7878 785f 5f5f f0f0 f0b5 b5b5 5454 546e  xxx___......TTTn
    00000090: 6e6e fcfc fccf cfcf a6a6 a664 6464 2828  nn.........ddd((
    000000a0: 28f6 f6f6 d7d7 d7dc dcdc c4c4 c496 9696  (...............
    000000b0: 7272 72ec ecec 1b1b 1bf9 f9f9 e2e2 e292  rrr.............
    000000c0: 9292 5959 5943 4343 2424 24e8 e8e8 4b4b  ..YYYCCC$$$...KK
    000000d0: 4b2f 2f2f 8c8c 8c38 3838 7e7e 7e87 8787  K///...888~~~...
    000000e0: d3d3 d317 1717 3232 3212 9fa2 6b00 0000  ......222...k...
    000000f0: 0162 4b47 4400 8805 1d48 0000 0009 7048  .bKGD....H....pH
    00000100: 5973 0000 0b13 0000 0b13 0100 9a9c 1800  Ys..............
    00000110: 0016 6969 6461 7478 dadd 1d89 b6aa 384c  ..iidatx......8L
    00000120: 1114 1415 51c0 0d17 4451 efff ffdf 145a  ....Q...DQ.....Z
Oh, I glanced at its hex dump and it's definitely a PNG file, so why did the file tool say it's data? Maybe something went wrong with the file's header. The first 8 bytes must be 89 50 4e 47 0d 0a 1a 0a in hex, not 89 50 4e 47 2e 0a 2e 0a. Let's correct it! Here I used Sublime Text as a hex editor.
The image still could not be displayed. Of course, if you read the PNG file format, it's because this image didn't have any IDAT chunk. I saw a string "idat", so I converted it to IDAT and boom, I could see the password. Imagine you are standing in front of a mirror and reading the password: it is "h4CK3RM4n". The hint said I must hash the password, so let's use MD5:
    sudoka@MyComputer:~/pragyan/Forensics/Magic PNGs$ echo -n h4CK3RM4n | md5sum
    2c919f82ee2ed6985d5c5e275d67e4f8  -
Finally, I extracted the tryme.zip and got the flag: pctf{y0u_s33_m33_n0w!}.
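The two manual hex edits above can be checked programmatically. The following is an added example, not code from the original write-up: it restores the 8-byte signature, walks the chunks, and accepts a case-only chunk rename (such as "idat" to "IDAT") only when the stored CRC-32 verifies for the corrected name. A lowercase first letter marks a chunk as ancillary, which is why a decoder silently skips "idat" and then finds no image data. The sample PNG is constructed, the function names are illustrative, and it assumes the CRC was left untouched when the chunk type was altered.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KNOWN = (b"IHDR", b"PLTE", b"IDAT", b"IEND", b"gAMA", b"cHRM", b"bKGD", b"pHYs")

def chunk(ctype, data):
    """Serialize one chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def repair(buf):
    """Return (fixed_bytes, findings) for a PNG with a bad signature or chunk-type case."""
    out, findings = bytearray(buf), []
    if buf[:8] != PNG_SIG:
        findings.append("signature %s replaced" % buf[:8].hex())
        out[:8] = PNG_SIG
    pos = 8
    while pos + 12 <= len(out):
        (length,) = struct.unpack(">I", out[pos:pos + 4])
        ctype, end = bytes(out[pos + 4:pos + 8]), pos + 8 + length
        if end + 4 > len(out):
            findings.append("truncated chunk at offset %d" % pos)
            break
        (stored,) = struct.unpack(">I", out[end:end + 4])
        data = bytes(out[pos + 8:end])
        if ctype not in KNOWN:
            # Accept a case-only rename only when the stored CRC verifies for it.
            for cand in KNOWN:
                if cand.lower() == ctype.lower() and zlib.crc32(cand + data) == stored:
                    findings.append("chunk %r at offset %d renamed to %r" % (ctype, pos, cand))
                    out[pos + 4:pos + 8] = cand
        pos = end + 4
    return bytes(out), findings

def make_sample():
    """Constructed 1x1 grayscale PNG plus a copy damaged like the challenge file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x7f")       # filter byte + one pixel
    good = PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")
    bad = bytearray(good)
    bad[4:8] = b"\x2e\x0a\x2e\x0a"          # header bytes seen in the xxd dump
    i = bad.index(b"IDAT")
    bad[i:i + 4] = b"idat"                  # chunk type lowered, CRC untouched
    return good, bytes(bad)

if __name__ == "__main__":
    good, bad = make_sample()
    fixed, findings = repair(bad)
    print("\n".join(findings), "\nrestored:", fixed == good)
```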
Late PR
Description: MarioJones is studying grade 10. He was submitting his school Assignment when something weird happened and his computer shut down without any warning. Can you help him?
Link: https://bit.ly/2J3jIe1
This is one of the highest-point Forensics challenges, but maybe the author didn't test it thoroughly, so it can be solved in a very easy way. The serious way is to use volatility, but if you want to get the flag quickly, you can use only strings and grep:
    sudoka@MyComputer:~/pragyan/Forensics/Late PR$ strings DELTAFORCE-PC-20190308-204453.raw | grep pctf{ -m 1
    flag: pctf{Late_submissions_can_be_good}
Looking closely, I think the reason it's so easy to solve is that the flag was put in an HTTP header and not encoded or encrypted, so I didn't need to extract and examine the Google Chrome dump file from the raw file:
    sudoka@MyComputer:~/pragyan/Forensics/Late PR$ strings DELTAFORCE-PC-20190308-204453.raw | grep pctf{ -A 4 -B 3 -m 1
    HTTP/1.1 200 OK
    Date: Sat, 09 Mar 2019 09:06:42 GMT
    Server: Apache/2.4.29 (Ubuntu)
    flag: pctf{Late_submissions_can_be_good}
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 143
    Content-Type: text/html; charset=UTF-8
Mandatory PHP
Description: PHP, PHP everywhere get the flag and earn your points there.
Link: http://159.89.166.12:14000/
    <?php
    include 'flag.php';
    highlight_file('index.php');
    $a = $_GET["val1"];
    $b = $_GET["val2"];
    $c = $_GET["val3"];
    $d = $_GET["val4"];
    if(preg_match('/[^A-Za-z]/', $a))
        die('oh my gawd...');
    $a=hash("sha256",$a);
    $a=(log10($a**(0.5)))**2;
    if($c>0&&$d>0&&$d>$c&&$a==$c*$c+$d*$d)
        $s1="true";
    else
        die("Bye...");
    if($s1==="true")
        echo $flag1;
    for($i=1;$i<=10;$i++){
        if($b==urldecode($b))
            die('duck');
        else
            $b=urldecode($b);
    }
    if($b==="WoAHh!")
        $s2="true";
    else
        die('oops..');
    if($s2==="true")
        echo $flag2;
    die('end...');
    ?>
As you see, this script requires:
- $a must contain only alphabetic characters
- $d > $c > 0 and $c*$c+$d*$d=(log10(hash("sha256",$a)**(0.5)))**2
- $b must be "WoAHh!" after being passed through the urldecode function 10 times
The Python script, named solve.py:
    #!/usr/bin/env python3
    # Try every alphabetic string of length 1..9 as val1; test.php prints a line on a hit.
    import string
    import sys
    from itertools import product
    from subprocess import check_output

    charset = string.ascii_letters
    for i in range(1, 10):
        for t in product(charset, repeat=i):
            t = ''.join(t)
            # Pass the candidate as a single argv entry instead of through a shell
            s = check_output(['php', 'test.php', t]).decode()
            if s != '':
                print(s, end='')
                sys.exit(0)
And the PHP script's name is test.php:
    <?php
    function check($p){
        for($i=1;$i<$p-1;$i++){
            for($j=$i+1;$j<$p;$j++){
                if($i*$i+$j*$j==$p)
                    return $i."\t".$j;
            }
        }
        return 0;
    }
    $a=$argv[1];
    $a=hash("sha256",$a);
    $a=(log10($a**(0.5)))**2;
    if ($a==intval($a) && intval($a)>1){
        $s=check($a);
        if ($s!=0){
            echo $s."\t".$argv[1]."\n";
        }
    }
    ?>
On my computer, it took only 32 seconds to find the values of $a, $c, $d:
    sudoka@MyComputer:~/pragyan/Web/Mandatory PHP$ time ./solve.py
    20 21 akO
    real 0m32.720s
    user 0m15.760s
    sys 0m5.844s
To meet the third requirement, I wrote a short PHP script to urlencode the string "WoAHh!" 11 times:
    <?php
    $s="WoAHh!";
    for($i=0;$i<11;$i++){
        $s=urlencode($s);
    }
    echo $s."\n";
    ?>
Finally, I constructed the payload: http://159.89.166.12:14000/?val1=akO&val2=WoAHh%2525252525252525252521&val3=20&val4=21, and the flag is: pctf{b3_c4r3fu1_w1th_pHp_f31145}.
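Why the val1/val3/val4 condition can be met at all, as an added example that is not part of the original write-up: `$a**(0.5)` forces the hex digest string into a number, so a digest that begins like `1e58` is read as 10^58 and the left-hand side becomes 29² = 841 = 20² + 21². The Python below emulates that conversion under assumed PHP 7 semantics (numeric prefix used, 0 when there is none); the digests are constructed and the function names are illustrative.

```python
import math
import re

# Numeric prefix PHP reads from a string used in arithmetic.
# Assumption: PHP 7 behaviour (prefix is used, value is 0 when there is none).
NUM_PREFIX = re.compile(r"\s*[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?")

def php_number(s):
    """Float value PHP would use for string s in an arithmetic expression."""
    m = NUM_PREFIX.match(s)
    return float(m.group(0)) if m else 0.0

def juggled_value(digest):
    """Value of (log10($a**0.5))**2 once $a holds a hex digest string."""
    x = php_number(digest)
    if x <= 0 or math.isinf(x):
        return math.inf              # log10(0) is -INF in PHP, squared is INF
    return math.log10(x ** 0.5) ** 2

def two_squares(n):
    """All (c, d) with 0 < c < d and c*c + d*d == n."""
    pairs, c = [], 1
    while 2 * c * c < n:
        d = math.isqrt(n - c * c)
        if d * d == n - c * c:
            pairs.append((c, d))
        c += 1
    return pairs

def solvable(digest):
    """(val3, val4) pairs that satisfy the check for this digest, if any."""
    v = juggled_value(digest)
    # The small tolerance stands in for PHP's exact float == comparison.
    if math.isinf(v) or abs(v - round(v)) > 1e-9:
        return []
    return two_squares(round(v))

if __name__ == "__main__":
    # Constructed 64-character digests, not real SHA-256 outputs.
    for digest in ("1e58" + "c" * 60, "9f" * 32, "ab" * 32):
        print(digest[:8], juggled_value(digest), solvable(digest))
```

A check that compares the digest as a string, or validates val3 and val4 as integers before a strict comparison, leaves no numeric interpretation of the hash for an input to hit.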
Thank you for reading!