Pragyan CTF 2019

Welcome to my write-up for Pragyan CTF 2019!


Magic PNGs

Can you help me open this zip file? I seem to have forgotten its password. I think the image file has something to do with it.
You may have to hash the secret word to get the flag...
The zip file is password protected. According to the description, the password is in the image, but the image cannot be displayed. I used file to check its magic number, and the tool said that the file was not an image. So I opened the PNG file with xxd:
00000000: 8950 4e47 2e0a 2e0a 0000 000d 4948 4452  .PNG........IHDR
00000010: 0000 00cd 0000 00f6 0803 0000 0042 dff3  .............B..
00000020: 3500 0000 0467 414d 4100 00b1 8f0b fc61  5....gAMA......a
00000030: 0500 0000 2063 4852 4d00 007a 2600 0080  .... cHRM..z&...
00000040: 8400 00fa 0000 0080 e800 0075 3000 00ea  ...........u0...
00000050: 6000 003a 9800 0017 709c ba51 3c00 0000  `..:....p..Q<...
00000060: 8450 4c54 45ff ffff 4747 4700 0000 3c3c  .PLTE...GGG...<<
00000070: 3caa aaaa 9e9e 9e10 1010 f3f3 f3be bebe  <...............
00000080: 7878 785f 5f5f f0f0 f0b5 b5b5 5454 546e  xxx___......TTTn
00000090: 6e6e fcfc fccf cfcf a6a6 a664 6464 2828  nn.........ddd((
000000a0: 28f6 f6f6 d7d7 d7dc dcdc c4c4 c496 9696  (...............
000000b0: 7272 72ec ecec 1b1b 1bf9 f9f9 e2e2 e292  rrr.............
000000c0: 9292 5959 5943 4343 2424 24e8 e8e8 4b4b  ..YYYCCC$$$...KK
000000d0: 4b2f 2f2f 8c8c 8c38 3838 7e7e 7e87 8787  K///...888~~~...
000000e0: d3d3 d317 1717 3232 3212 9fa2 6b00 0000  ......222...k...
000000f0: 0162 4b47 4400 8805 1d48 0000 0009 7048  .bKGD....H....pH
00000100: 5973 0000 0b13 0000 0b13 0100 9a9c 1800  Ys..............
00000110: 0016 6969 6461 7478 dadd 1d89 b6aa 384c  ..iidatx......8L
00000120: 1114 1415 51c0 0d17 4451 efff ffdf 145a  ....Q...DQ.....Z
I glanced at its hex dump and it's definitely a PNG file, so why did the file tool say it's data? Maybe something went wrong with the file's header. The first 8 bytes must be 89 50 4e 47 0d 0a 1a 0a in hex, not 89 50 4e 47 2e 0a 2e 0a. Let's correct it! Here I used Sublime Text as a hex editor.
The image still could not be displayed. If you read the PNG file format specification, the reason is clear: this image didn't have any IDAT chunk. I saw the string "idat", so I changed it to IDAT and boom, I could see the password:
Imagine you are standing in front of a mirror and reading the password: it is "h4CK3RM4n". The hint said I must hash the password, so let's use MD5:
sudoka@MyComputer:~/pragyan/Forensics/Magic PNGs$ echo -n h4CK3RM4n | md5sum
2c919f82ee2ed6985d5c5e275d67e4f8  -
Finally, I extracted the zip file and got the flag: pctf{y0u_s33_m33_n0w!}.
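The two repairs described above (the signature bytes and the lowercase idat chunk name), automated in Python as an added example that is not part of the original write-up. The sample image is constructed inline and damaged the same way; the function names are illustrative.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"                  # 89 50 4e 47 0d 0a 1a 0a
CRITICAL = (b"IHDR", b"PLTE", b"IDAT", b"IEND")

def chunk(ctype, data):
    """Serialize a chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_sample():
    """Constructed 1x1 grayscale PNG plus a copy damaged as in the write-up."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x7f")          # filter byte + one pixel
    good = PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")
    bad = b"\x89PNG.\n.\n" + good[8:].replace(b"IDAT", b"idat", 1)
    return good, bad

def repair(blob):
    """Return (repaired bytes, findings) for a damaged PNG."""
    findings = []
    if blob[:8] != PNG_SIG:
        findings.append("bad signature " + blob[:8].hex())
    out, pos = bytearray(PNG_SIG), 8
    while pos < len(blob):
        if pos + 12 > len(blob):
            findings.append("trailing bytes at offset %d" % pos)
            break
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        end = pos + 12 + length
        if end > len(blob):
            findings.append("truncated chunk at offset %d" % pos)
            break
        ctype, data = blob[pos + 4:pos + 8], blob[pos + 8:end - 4]
        # Decoders skip unknown lowercase (ancillary) names, so a case-mangled
        # critical chunk such as "idat" silently disappears from the image.
        if ctype not in CRITICAL and ctype.upper() in CRITICAL:
            findings.append("chunk %s at offset %d renamed to %s"
                            % (ctype.decode(), pos, ctype.upper().decode()))
            ctype = ctype.upper()
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != struct.unpack(">I", blob[end - 4:end])[0]:
            findings.append("CRC mismatch in chunk at offset %d" % pos)
        out += blob[pos:pos + 4] + ctype + blob[pos + 8:end]
        pos = end
    return bytes(out), findings

if __name__ == "__main__":
    good, bad = make_sample()
    fixed, findings = repair(bad)
    print(findings, fixed == good)
```

A CRC mismatch reported after the rename would mean the chunk data itself was altered, not only its name.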

Late PR

MarioJones is studying grade 10. He was submitting his school Assignment when something weird happened and his computer shut down without any warning. Can you help him ?
This is one of the highest-scoring Forensics challenges, but maybe the author hasn't tested it thoroughly, so it can be solved in a very easy way. The serious way is to use volatility, but if you want to get the flag quickly, strings and grep are enough:
sudoka@MyComputer:~/pragyan/Forensics/Late PR$ strings DELTAFORCE-PC-20190308-204453.raw | grep pctf{ -m 1
flag: pctf{Late_submissions_can_be_good}
Look closely: I think the reason it's so easy to solve is that the flag was put in an HTTP header without being encoded or encrypted, so I didn't need to extract and examine Google Chrome's dump file from the raw file:
sudoka@MyComputer:~/pragyan/Forensics/Late PR$ strings DELTAFORCE-PC-20190308-204453.raw | grep pctf{ -A 4 -B 3 -m 1
HTTP/1.1 200 OK
Date: Sat, 09 Mar 2019 09:06:42 GMT
Server: Apache/2.4.29 (Ubuntu)
flag: pctf{Late_submissions_can_be_good}
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 143
Content-Type: text/html; charset=UTF-8

Mandatory PHP

PHP, PHP everywhere get the flag and earn your points there.
include 'flag.php'; 
$a = $_GET["val1"]; 
$b = $_GET["val2"]; 
$c = $_GET["val3"]; 
$d = $_GET["val4"]; 
if(preg_match('/[^A-Za-z]/', $a)) 
die('oh my gawd...'); 
    echo $flag1; 
    echo $flag2; 
As you see, this script requires:
  • $a must contain only alphabetic characters
  • $d > $c > 0 and $c*$c+$d*$d=(log10(hash("sha256",$a)**(0.5)))**2
  • $b must be "WoAHh!" after passing to urldecode function 10 times
To meet the first two requirements, I wrote a Python script to brute-force $a's value and a PHP script to simulate the challenge script's checks; the Python script calls the PHP one.
The python script named
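#!/usr/bin/env python
from itertools import product
from subprocess import check_output
import string

# Assumed charset: the first requirement only allows A-Za-z in $a
charset = string.ascii_letters
for i in range(1, 10):
    # Try every candidate of length i
    for t in product(charset, repeat=i):
        # test.php prints a line on a hit and nothing otherwise
        s = check_output(['php', 'test.php', ''.join(t)])
        if s != b'':
            print(s.decode())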
And the PHP script's name is test.php:
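function check($p){ // find integers 0 < $i < $j with $i*$i + $j*$j == $p
 for ($i=1; 2*$i*$i<$p; $i++)
  for ($j=$i+1; $i*$i+$j*$j<=$p; $j++)
   if ($i*$i+$j*$j==$p) return $i."\t".$j;
 return 0;
}
$a=(log10(hash("sha256",$argv[1])**(0.5)))**2; // right-hand side of the second requirement
if ($a==intval($a) && intval($a)>1){
 $s=check(intval($a));
 if ($s!=0) echo $s."\t".$argv[1]."\n";
}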
On my computer, it took only 32 seconds to find the values of $a, $c and $d:
sudoka@MyComputer:~/pragyan/Web/Mandatory PHP$ time ./ 
20 21 akO

real 0m32.720s
user 0m15.760s
sys 0m5.844s
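To meet the third requirement, I wrote a short PHP script to urlencode the string "WoAHh!" 11 times:
for ($s="WoAHh!", $i=0; $i<11; $i++) $s=urlencode($s); // 10 urldecode calls in the script + PHP's automatic decoding of $_GET
echo $s."\n";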
Finally, I constructed the payload:, and the flag is: pctf{b3_c4r3fu1_w1th_pHp_f31145}.
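Why brute-forcing $a can succeed at all, shown as an added Python sketch that is not part of the original write-up: PHP 7 turns the hex digest into a number by reading only its leading numeric prefix, so a digest that starts like 1e10 followed by a hex letter is treated as 1e10. The emulation of that conversion, the helper names and the sample digests in the test are constructed for illustration.

```python
import hashlib
import math
import re

def php_leading_number(s):
    """Numeric prefix PHP 7 uses when a string meets an arithmetic operator."""
    m = re.match(r"\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?", s)
    return float(m.group(0)) if m else 0.0   # no numeric prefix -> 0

def target(digest):
    """(log10(digest ** 0.5)) ** 2 as in the second requirement, or None."""
    x = php_leading_number(digest) ** 0.5
    if x <= 0 or math.isinf(x):
        return None                          # log10 would be -INF or INF in PHP
    return math.log10(x) ** 2

def solve(digest):
    """Return (c, d) with d > c > 0 and c*c + d*d == target, else None."""
    t = target(digest)
    if t is None or t != int(t) or t <= 1:
        return None
    n = int(t)
    for c in range(1, math.isqrt(n) + 1):
        d = math.isqrt(n - c * c)
        if d > c and c * c + d * d == n:
            return (c, d)
    return None

def solve_for(word):
    """Run the same check on the real SHA-256 hex digest of a candidate $a."""
    return solve(hashlib.sha256(word.encode()).hexdigest())

if __name__ == "__main__":
    # Constructed digest: the prefix "1e10" is read as 10**10, the rest is ignored
    print(solve("1e10" + "f" * 60))
    # A digest that starts with a hex letter converts to 0 and never matches
    print(solve_for("abc"))
```

Comparing the digest as a string with a constant-time function such as hash_equals, instead of feeding it to arithmetic operators, removes this behaviour.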

Thank you for reading!