NahamCon CTF - Warmup

HSCTF 7 event organized by JohnHammond.

1. Read The Rules

The first challenge we’re gonna solve here is Read The Rules. The description says, “Please follow the rules for this CTF!” https://ctf.nahamcon.com/rules

curl -s https://ctf.nahamcon.com/rules | grep -i 'flag{'

flag{we_hope_you_enjoy_the_game}

2. CLIsay

The second challenge is worth 20 points. The description says, “cowsay is hiding something from us!” and has a file to download.

If we run strings or xxd on it, we get:

~/ctftime/nahamcon/warmup/clisay# strings clisay | head -n 30
/lib64/ld-linux-x86-64.so.2
libc.so.6
printf
__cxa_finalize
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
[]A\A]A^A_
flag{Y0u_c4n_
  __________________________________
/ Sorry, I'm not allow to reveal any \
\ secrets...                         /
  ----------------------------------
         \   ^__^ 
          \  (oo)\_______
             (__)\       )\/\
                 ||----w |
                 ||     ||
r3Ad_M1nd5}
:*3$"
GCC: (Ubuntu 9.2.1-9ubuntu2) 9.2.1 20191008
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.8055
__do_global_dtors_aux_fini_array_entry
frame_dummy

We can see our flag inside the strings output, split in two around the cowsay art. Let’s make it more readable.

strings clisay | grep -E 'flag\{|\}' | tr -d '\n'

flag{Y0u_c4n_r3Ad_M1nd5}

3. Metameme

Let’s start our third challenge. The description says, “Hacker memes. So meta.” and we’re given a download link for the image, so let’s wget it.

The format is indeed JPEG, so let’s read the strings again.

To make it more readable:

strings hackermeme.jpg | awk '/flag{/'

flag{N0t_7h3_4cTuaL_Cr3At0r}

4. Mr. Robot

This challenge is a little bit tricky. The description says, “Elliot needs your help. You know what to do.” and we’re given a link.

We have an index page here with a Mr. Robot image. I checked with binwalk and strings but couldn’t find anything. So, I started enumerating directories and got this:

/index.html (Status: 200)
/robots.txt (Status: 200)

Upon checking robots.txt, we got our flag.

flag{welcome_to_robots.txt}

5. UGGC

The description of this challenge says “Become the admin!” Let’s take a look.

If we open the URL we get a login form asking for a username.

Enter “guest”, click login, and intercept the request using Burp Suite.

POST /login HTTP/1.1
Host: jh2i.com:50018
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 14
Origin: http://jh2i.com:50018
Connection: close
Referer: http://jh2i.com:50018/login
Upgrade-Insecure-Requests: 1

username=guest

Send this request to the repeater.

Click on Follow redirection.

We get to the login form again. Let’s log in as guest and intercept the request again.

Now, intercept the request and refresh the page.

We get this request.

GET / HTTP/1.1
Host: jh2i.com:50018
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://jh2i.com:50018/login
Connection: close
Cookie: user=thrfg
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

If we take a closer look at the cookie, user=thrfg is our “guest” username in encoded form.

Cookie: user=thrfg

If we change the cookie to “user=abc” and send the request, the server changes that to “nop”. After some Google research on how this cipher works, we know it’s the ROT-13 cipher.

If we encrypt “admin” with the ROT-13 cipher, we’ll have the cookie value that gets us our flag.

admin = nqzva

Let’s change this in our cookie and send the request:

flag{H4cK_aLL_7H3_C0okI3s}
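
The cookie swap works because ROT-13 only obscures the username and carries no proof that the server issued it. An added example (not from the original write-up or the challenge's source; the ROT-13 handler is an assumed model of the server, and SERVER_KEY and the function names are hypothetical) showing that scheme beside an HMAC-signed cookie that rejects an edited value:

```python
import codecs
import hashlib
import hmac
import secrets

# Hypothetical server key for this sketch; a real service loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def weak_issue(username: str) -> str:
    """Assumed challenge behaviour: the cookie is just ROT13(username)."""
    return codecs.encode(username, "rot_13")


def weak_identify(cookie: str) -> str:
    """Trusts whatever the client sends: decoding is not authentication."""
    return codecs.decode(cookie, "rot_13")


def _tag(username: str) -> str:
    return hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()


def signed_issue(username: str) -> str:
    """Hardened form: username plus an HMAC-SHA256 tag only the server can compute."""
    return f"{username}.{_tag(username)}"


def signed_identify(cookie: str):
    """Return the username if the tag verifies, otherwise None."""
    username, sep, tag = cookie.rpartition(".")
    if not sep or not username:
        return None
    # compare_digest on bytes: constant-time, and safe for non-ASCII input
    if not hmac.compare_digest(tag.encode(), _tag(username).encode()):
        return None
    return username


if __name__ == "__main__":
    print(weak_issue("guest"))       # the value seen in the captured request
    print(weak_identify("nqzva"))    # client-chosen value accepted as identity
    guest = signed_issue("guest")
    edited = "admin." + guest.rpartition(".")[2]  # guest's tag under another name
    print(signed_identify(guest), signed_identify(edited))
```

With the signed form, the username stays readable but changing it invalidates the tag, so the server falls back to treating the request as unauthenticated.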