Pragyan CTF 2019

Welcome to my Pragyan CTF 2019 write-up!


Magic PNGs

Description:
Can you help me open this zip file? I seem to have forgotten its password. I think the image file has something to do with it.
Hint:
You may have to hash the secret word to get the flag...
Link:
The zip file is password protected. According to the description, the password is in the image, but the image cannot be displayed. I ran file on it to check the magic number, and the tool reported plain data rather than an image. So I opened the PNG file with xxd:
00000000: 8950 4e47 2e0a 2e0a 0000 000d 4948 4452  .PNG........IHDR
00000010: 0000 00cd 0000 00f6 0803 0000 0042 dff3  .............B..
00000020: 3500 0000 0467 414d 4100 00b1 8f0b fc61  5....gAMA......a
00000030: 0500 0000 2063 4852 4d00 007a 2600 0080  .... cHRM..z&...
00000040: 8400 00fa 0000 0080 e800 0075 3000 00ea  ...........u0...
00000050: 6000 003a 9800 0017 709c ba51 3c00 0000  `..:....p..Q<...
00000060: 8450 4c54 45ff ffff 4747 4700 0000 3c3c  .PLTE...GGG...<<
00000070: 3caa aaaa 9e9e 9e10 1010 f3f3 f3be bebe  <...............
00000080: 7878 785f 5f5f f0f0 f0b5 b5b5 5454 546e  xxx___......TTTn
00000090: 6e6e fcfc fccf cfcf a6a6 a664 6464 2828  nn.........ddd((
000000a0: 28f6 f6f6 d7d7 d7dc dcdc c4c4 c496 9696  (...............
000000b0: 7272 72ec ecec 1b1b 1bf9 f9f9 e2e2 e292  rrr.............
000000c0: 9292 5959 5943 4343 2424 24e8 e8e8 4b4b  ..YYYCCC$$$...KK
000000d0: 4b2f 2f2f 8c8c 8c38 3838 7e7e 7e87 8787  K///...888~~~...
000000e0: d3d3 d317 1717 3232 3212 9fa2 6b00 0000  ......222...k...
000000f0: 0162 4b47 4400 8805 1d48 0000 0009 7048  .bKGD....H....pH
00000100: 5973 0000 0b13 0000 0b13 0100 9a9c 1800  Ys..............
00000110: 0016 6969 6461 7478 dadd 1d89 b6aa 384c  ..iidatx......8L
00000120: 1114 1415 51c0 0d17 4451 efff ffdf 145a  ....Q...DQ.....Z
A glance at the hex dump shows it is definitely a PNG file, so why did file call it data? Something must be wrong with the file's header. The first 8 bytes of a PNG must be 89 50 4e 47 0d 0a 1a 0a in hex, not 89 50 4e 47 2e 0a 2e 0a. Let's correct them! Here I used Sublime Text as a hex editor.
The image still could not be displayed. If you know the PNG file format, the reason is clear: this image had no IDAT chunk. Chunk names are case-sensitive, and a lowercase first letter marks a chunk as ancillary, so decoders simply skip it. I saw the string "idat" in the dump, renamed it to IDAT, and boom, I could see the password:
The password is mirrored in the image; read it as if you were standing in front of a mirror and you get "h4CK3RM4n". The hint said I must hash the password, so let's use MD5:
sudoka@MyComputer:~/pragyan/Forensics/Magic PNGs$ echo -n h4CK3RM4n | md5sum
2c919f82ee2ed6985d5c5e275d67e4f8  -
Finally, I extracted tryme.zip with that hash as the password and got the flag: pctf{y0u_s33_m33_n0w!}.
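The signature and chunk repair done above by hand can be automated and, more importantly, verified. The following Python script is an added example and is not part of the original write-up or of the challenge files: it builds a constructed 1x1 PNG, damages it the way the challenge image was damaged (0x0d and 0x1a in the signature replaced by '.', the IDAT chunk name lower-cased while its CRC is left untouched), reports each problem, repairs the file and proves the result inflates. All function and constant names are mine. The CRC check catches the rename on its own, because a chunk's CRC covers the four type bytes as well as the payload.

```python
#!/usr/bin/env python3
"""Detect and repair a tampered PNG signature and a case-mangled chunk type.
Added example, not the challenge author's tooling; the sample image is constructed."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types a decoder needs (critical) plus the ancillary ones present in the dump.
KNOWN_TYPES = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"gAMA", b"cHRM", b"bKGD", b"pHYs"}


def parse_chunks(png):
    """Walk the chunk list after the signature: (type, payload, stored CRC) per chunk."""
    chunks, pos = [], 8
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        payload = png[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        chunks.append((ctype, payload, stored_crc))
        pos += 12 + length
    return chunks


def build_png(chunks):
    """Serialise (type, payload) pairs with a fresh CRC over type + payload."""
    out = bytearray(PNG_SIG)
    for ctype, payload in chunks:
        out += struct.pack(">I", len(payload)) + ctype + payload
        out += struct.pack(">I", zlib.crc32(ctype + payload))
    return bytes(out)


def diagnose(png):
    """List what is wrong: bad signature, case-mangled chunk names, CRC mismatches."""
    problems = []
    if png[:8] != PNG_SIG:
        problems.append("signature %s != %s" % (png[:8].hex(), PNG_SIG.hex()))
    for ctype, payload, stored_crc in parse_chunks(png):
        name = ctype.decode("latin-1")
        if ctype not in KNOWN_TYPES and ctype.upper() in KNOWN_TYPES:
            problems.append("chunk type %r should be %r" % (name, name.upper()))
        if zlib.crc32(ctype + payload) != stored_crc:
            problems.append("CRC mismatch in chunk %r" % name)
    return problems


def repair(png):
    """Restore the signature, upper-case mangled chunk types and recompute every CRC.
    Recomputing hides payload corruption, so run diagnose() first and keep the original."""
    fixed = []
    for ctype, payload, _ in parse_chunks(png):
        if ctype not in KNOWN_TYPES and ctype.upper() in KNOWN_TYPES:
            ctype = ctype.upper()
        fixed.append((ctype, payload))
    return build_png(fixed)


def decode_idat(png):
    """Inflate the concatenated IDAT stream; raises zlib.error if no valid IDAT exists."""
    return zlib.decompress(b"".join(p for t, p, _ in parse_chunks(png) if t == b"IDAT"))


# Constructed sample: a 1x1 8-bit greyscale image whose single scanline is
# filter byte 0x00 followed by one pixel value 0x7f.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
GOOD = build_png([(b"IHDR", IHDR), (b"IDAT", zlib.compress(b"\x00\x7f")), (b"IEND", b"")])


def mangle(png):
    """Reproduce the challenge's damage: 0x0d and 0x1a in the signature become '.',
    and the IDAT chunk name is lower-cased while its CRC is left as it was."""
    sig = bytearray(png[:8])
    sig[4], sig[6] = 0x2E, 0x2E
    return bytes(sig) + png[8:].replace(b"IDAT", b"idat", 1)


BROKEN = mangle(GOOD)

if __name__ == "__main__":
    for problem in diagnose(BROKEN):
        print("found:", problem)
    REPAIRED = repair(BROKEN)
    print("after repair:", diagnose(REPAIRED) or "no problems")
    print("chunks:", [t.decode() for t, _, _ in parse_chunks(REPAIRED)])
    print("decoded scanline:", decode_idat(REPAIRED).hex())
```

Run it as-is to see the diagnosis before and after the repair; for a real file, replace BROKEN with the bytes read from disk and write repair()'s result to a new file, keeping the original for comparison.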

Late PR

Description:
MarioJones is studying in grade 10. He was submitting his school assignment when something weird happened and his computer shut down without any warning. Can you help him?
Link: https://bit.ly/2J3jIe1
This is one of the highest-scoring Forensics challenges, but the author probably did not test it thoroughly, because it can be solved very easily. The proper way is to use Volatility, but if you just want the flag quickly, strings and grep are enough:
sudoka@MyComputer:~/pragyan/Forensics/Late PR$ strings DELTAFORCE-PC-20190308-204453.raw | grep pctf{ -m 1
flag: pctf{Late_submissions_can_be_good}
Looking closer, I think it is so easy because the flag was placed in an HTTP header, neither encoded nor encrypted, so I did not need to extract and examine Google Chrome's process memory from the raw image:
sudoka@MyComputer:~/pragyan/Forensics/Late PR$ strings DELTAFORCE-PC-20190308-204453.raw | grep pctf{ -A 4 -B 3 -m 1
HTTP/1.1 200 OK
Date: Sat, 09 Mar 2019 09:06:42 GMT
Server: Apache/2.4.29 (Ubuntu)
flag: pctf{Late_submissions_can_be_good}
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 143
Content-Type: text/html; charset=UTF-8

Mandatory PHP

Description:
PHP, PHP everywhere get the flag and earn your points there.
Link: http://159.89.166.12:14000/
<?php 
include 'flag.php'; 
highlight_file('index.php'); 
$a = $_GET["val1"]; 
$b = $_GET["val2"]; 
$c = $_GET["val3"]; 
$d = $_GET["val4"]; 
if(preg_match('/[^A-Za-z]/', $a)) 
die('oh my gawd...'); 
$a=hash("sha256",$a); 
$a=(log10($a**(0.5)))**2; 
if($c>0&&$d>0&&$d>$c&&$a==$c*$c+$d*$d) 
$s1="true"; 
else 
    die("Bye..."); 
if($s1==="true") 
    echo $flag1; 
for($i=1;$i<=10;$i++){ 
    if($b==urldecode($b)) 
        die('duck'); 
    else 
        $b=urldecode($b); 
}     
if($b==="WoAHh!") 
$s2="true"; 
else 
    die('oops..'); 
if($s2==="true") 
    echo $flag2; 
die('end...'); 
?> 
As you can see, this script requires:
  • $a must contain only alphabetic characters
  • $d > $c > 0 and $c*$c+$d*$d == (log10(hash("sha256",$a)**(0.5)))**2
  • $b must equal "WoAHh!" after being passed through urldecode 10 times
To meet the first two requirements, I wrote a Python script to brute-force the value of $a and a PHP script that reproduces the challenge's arithmetic; the Python script calls the PHP one.
The Python script, solve.py:
#!/usr/bin/env python3
# Brute-force candidate values of $a: every alphabetic string of length 1..9,
# handing each one to test.php, which reproduces the challenge's arithmetic.
from itertools import product
from subprocess import check_output
import string

charset = string.ascii_letters
for i in range(1, 10):
    for t in product(charset, repeat=i):
        word = ''.join(t)
        # test.php prints "c<TAB>d<TAB>word" only when a valid (c, d) pair exists
        s = check_output(['php', 'test.php', word]).decode()
        if s != '':
            print(s, end='')
            exit(0)
And the PHP script, test.php:
<?php
// Reproduces the challenge's arithmetic for one candidate word ($argv[1]) and
// prints "c<TAB>d<TAB>word" when the result is an integer that splits into two squares.
function check($p){
 // look for 0 < $i < $j with $i*$i + $j*$j == $p
 for($i=1;$i<$p-1;$i++){
  for($j=$i+1;$j<$p;$j++){
   if($i*$i+$j*$j==$p)
    return $i."\t".$j;
  }
 }
 return 0;
}
$a=$argv[1];
$a=hash("sha256",$a);
$a=(log10($a**(0.5)))**2; // the hex digest is coerced to its leading numeric prefix
if ($a==intval($a) && intval($a)>1){ // only an exact integer can equal $c*$c+$d*$d
 $s=check($a);
 if ($s!=0){
  echo $s."\t".$argv[1]."\n";
 }
}
?>
On my computer, it took only 32 seconds to find the values of $a, $c and $d:
sudoka@MyComputer:~/pragyan/Web/Mandatory PHP$ time ./solve.py 
20 21 akO

real 0m32.720s
user 0m15.760s
sys 0m5.844s
To meet the third requirement, I wrote a short PHP script that urlencodes the string "WoAHh!" 11 times (the web server removes one layer when it parses the query string, and the loop removes the remaining ten):
<?php
$s="WoAHh!";
// 11 layers: one for the query-string decoding, ten for the urldecode loop
for($i=0;$i<11;$i++){
 $s=urlencode($s);
}
echo $s."\n";
?>
Finally, I constructed the payload: http://159.89.166.12:14000/?val1=akO&val2=WoAHh%2525252525252525252521&val3=20&val4=21, and the flag is: pctf{b3_c4r3fu1_w1th_pHp_f31145}.

Thank you for reading!
