Pragyan CTF 2019

Welcome to my Pragyan CTF 2019's write-up!


Magic PNGs

Description:
Can you help me open this zip file? I seem to have forgotten its password. I think the image file has something to do with it.
Hint:
You may have to hash the secret word to get the flag...
Link:
The zip file is password protected. According to the description, the password is in the image, but the image cannot be displayed. I used file to check its magic number, and the tool reported that the file was not an image, so I opened the PNG file with xxd:
00000000: 8950 4e47 2e0a 2e0a 0000 000d 4948 4452  .PNG........IHDR
00000010: 0000 00cd 0000 00f6 0803 0000 0042 dff3  .............B..
00000020: 3500 0000 0467 414d 4100 00b1 8f0b fc61  5....gAMA......a
00000030: 0500 0000 2063 4852 4d00 007a 2600 0080  .... cHRM..z&...
00000040: 8400 00fa 0000 0080 e800 0075 3000 00ea  ...........u0...
00000050: 6000 003a 9800 0017 709c ba51 3c00 0000  `..:....p..Q<...
00000060: 8450 4c54 45ff ffff 4747 4700 0000 3c3c  .PLTE...GGG...<<
00000070: 3caa aaaa 9e9e 9e10 1010 f3f3 f3be bebe  <...............
00000080: 7878 785f 5f5f f0f0 f0b5 b5b5 5454 546e  xxx___......TTTn
00000090: 6e6e fcfc fccf cfcf a6a6 a664 6464 2828  nn.........ddd((
000000a0: 28f6 f6f6 d7d7 d7dc dcdc c4c4 c496 9696  (...............
000000b0: 7272 72ec ecec 1b1b 1bf9 f9f9 e2e2 e292  rrr.............
000000c0: 9292 5959 5943 4343 2424 24e8 e8e8 4b4b  ..YYYCCC$$$...KK
000000d0: 4b2f 2f2f 8c8c 8c38 3838 7e7e 7e87 8787  K///...888~~~...
000000e0: d3d3 d317 1717 3232 3212 9fa2 6b00 0000  ......222...k...
000000f0: 0162 4b47 4400 8805 1d48 0000 0009 7048  .bKGD....H....pH
00000100: 5973 0000 0b13 0000 0b13 0100 9a9c 1800  Ys..............
00000110: 0016 6969 6461 7478 dadd 1d89 b6aa 384c  ..iidatx......8L
00000120: 1114 1415 51c0 0d17 4451 efff ffdf 145a  ....Q...DQ.....Z
Glancing at the hex dump, it is clearly a PNG file, so why did file report it as plain data? Something must be wrong with the header: the first 8 bytes must be 89 50 4e 47 0d 0a 1a 0a in hex, not 89 50 4e 47 2e 0a 2e 0a. Let's correct it! Here I used Sublime Text as a hex editor.
The image still could not be displayed. If you read the PNG file format specification, the reason is clear: this image had no IDAT chunk. I saw the string "idat" in the dump, so I changed it to IDAT and boom, I could see the password:
Read the password as if you were standing in front of a mirror: it is "h4CK3RM4n". The hint said I must hash the password, so let's use MD5:
sudoka@MyComputer:~/pragyan/Forensics/Magic PNGs$ echo -n h4CK3RM4n | md5sum
2c919f82ee2ed6985d5c5e275d67e4f8  -
Finally, I extracted tryme.zip using that hash as the password and got the flag: pctf{y0u_s33_m33_n0w!}.
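As an added example that is not part of the original write-up, this Python 3 script performs both repairs programmatically and shows why the viewer failed: per the PNG specification a chunk type whose first letter is lowercase is ancillary, so decoders skip "idat" and then fail for lack of an IDAT chunk, and renaming the chunk also invalidates its CRC, which therefore has to be recomputed. The sample PNG and the way it is damaged are constructed inline to mirror the challenge file; the function names are mine.

```python
#!/usr/bin/env python3
"""Check and repair a PNG broken the way the Magic PNGs file was (added example)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # 89 50 4e 47 0d 0a 1a 0a

def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """PNG chunk layout: 4-byte length, 4-byte type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def iter_chunks(body: bytes):
    """Yield (type, data, stored_crc) for each chunk following the signature."""
    pos = 0
    while pos + 12 <= len(body):
        length, ctype = struct.unpack(">I4s", body[pos:pos + 8])
        data = body[pos + 8:pos + 8 + length]
        stored = body[pos + 8 + length:pos + 12 + length]
        yield ctype, data, stored
        pos += 12 + length
        if ctype == b"IEND":
            break

def repair_png(blob: bytes) -> bytes:
    """Rewrite signature bytes 4-7 and promote a lowercase 'idat' chunk to IDAT.

    A chunk whose first type letter is lowercase is ancillary, so decoders skip
    'idat' and then fail for lack of pixel data. Renaming changes the CRC input,
    so every chunk is re-emitted with a freshly computed CRC.
    """
    if blob[:4] != PNG_SIG[:4]:
        raise ValueError("not a PNG: first four bytes differ")
    out = bytearray(PNG_SIG)
    for ctype, data, _stored in iter_chunks(blob[8:]):
        out += make_chunk(b"IDAT" if ctype.lower() == b"idat" else ctype, data)
    return bytes(out)

def build_sample():
    """Constructed 1x1 grayscale PNG plus a copy damaged like the challenge file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    good = PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")
    bad = bytearray(good)
    bad[4:8] = b".\n.\n"  # 0d 0a 1a 0a replaced by 2e 0a 2e 0a
    i = bad.index(b"IDAT")
    bad[i:i + 4] = b"idat"
    return good, bytes(bad)
```

Running repair_png on the challenge file is equivalent to the two manual hex edits above, except that the chunk CRC is also made consistent.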

Late PR

Description:
MarioJones is studying in grade 10. He was submitting his school assignment when something weird happened and his computer shut down without any warning. Can you help him?
Link: https://bit.ly/2J3jIe1
This is one of the highest-scoring Forensics challenges, but perhaps the author did not test it thoroughly, because it can be solved in a very easy way. The serious approach is to use Volatility, but if you just want the flag quickly, strings and grep are enough:
sudoka@MyComputer:~/pragyan/Forensics/Late PR$ strings DELTAFORCE-PC-20190308-204453.raw | grep pctf{ -m 1
flag: pctf{Late_submissions_can_be_good}
Looking closely, I think the reason it is so easy is that the flag was placed in an HTTP header without any encoding or encryption, so I did not need to extract and examine the Google Chrome process dump from the raw memory image:
sudoka@MyComputer:~/pragyan/Forensics/Late PR$ strings DELTAFORCE-PC-20190308-204453.raw | grep pctf{ -A 4 -B 3 -m 1
HTTP/1.1 200 OK
Date: Sat, 09 Mar 2019 09:06:42 GMT
Server: Apache/2.4.29 (Ubuntu)
flag: pctf{Late_submissions_can_be_good}
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 143
Content-Type: text/html; charset=UTF-8

Mandatory PHP

Description:
PHP, PHP everywhere get the flag and earn your points there.
Link: http://159.89.166.12:14000/
<?php
include 'flag.php';
highlight_file('index.php');
$a = $_GET["val1"];
$b = $_GET["val2"];
$c = $_GET["val3"];
$d = $_GET["val4"];
// val1 may contain letters only
if(preg_match('/[^A-Za-z]/', $a))
    die('oh my gawd...');
// the hex digest is used as a number in arithmetic
$a=hash("sha256",$a);
$a=(log10($a**(0.5)))**2;
if($c>0&&$d>0&&$d>$c&&$a==$c*$c+$d*$d)
    $s1="true";
else
    die("Bye...");
if($s1==="true")
    echo $flag1;
// val2 must survive exactly 10 rounds of urldecode, each of which must change it
for($i=1;$i<=10;$i++){
    if($b==urldecode($b))
        die('duck');
    else
        $b=urldecode($b);
}
if($b==="WoAHh!")
    $s2="true";
else
    die('oops..');
if($s2==="true")
    echo $flag2;
die('end...');
?>
As you can see, this script requires:
  • $a must contain only alphabetic characters
  • $d > $c > 0 and $c*$c + $d*$d == (log10(hash("sha256", $a)**(0.5)))**2
  • $b must equal "WoAHh!" after being passed through urldecode 10 times
To meet the first two requirements, I wrote a Python script to brute-force $a's value and a PHP script to simulate the challenge's computation; the Python script calls the PHP one.
The Python script, named solve.py:
#!/usr/bin/env python3
from itertools import product
from subprocess import check_output
import string
import sys

# Candidate alphabet for val1: only letters pass the preg_match check.
charset = string.ascii_letters
# Try every letter string of length 1 to 9. test.php prints a line only when
# the derived value is a sum of two squares c*c + d*d with d > c > 0.
for i in range(1, 10):
    for t in product(charset, repeat=i):
        t = ''.join(t)
        s = check_output(['php', 'test.php', t])
        if s:
            print(s.decode())
            sys.exit(0)
And the PHP script, named test.php:
<?php
// Silence the "non-numeric value" warnings that PHP 7.1+ prints to stdout,
// which would otherwise make every candidate look like a hit to solve.py.
// (PHP 8 turns arithmetic on a non-numeric string into a TypeError, so run
// this under PHP 7.)
error_reporting(0);

// Return the first pair 0 < i < j with i*i + j*j == $p, or 0 if there is none.
function check($p){
    for($i=1;$i<$p-1;$i++){
        for($j=$i+1;$j<$p;$j++){
            if($i*$i+$j*$j==$p)
                return $i."\t".$j;
        }
    }
    return 0;
}

// Reproduce the challenge's hash and log10 transformation for the candidate
// given on the command line.
$a=$argv[1];
$a=hash("sha256",$a);
$a=(log10($a**(0.5)))**2;
// Only an integer value greater than 1 can equal $c*$c+$d*$d.
if ($a==intval($a) && intval($a)>1){
    $s=check($a);
    if ($s!=0){
        echo $s."\t".$argv[1]."\n";
    }
}
?>
On my computer, it took only 32 seconds to find the values of $a, $c and $d:
sudoka@MyComputer:~/pragyan/Web/Mandatory PHP$ time ./solve.py 
20 21 akO

real 0m32.720s
user 0m15.760s
sys 0m5.844s
To meet the third requirement, I wrote a short PHP script to urlencode the string "WoAHh!" 11 times (one more than the loop, because PHP already urldecodes the query string once when it fills $_GET):
<?php
$s="WoAHh!";
// each round turns '!' into '%21' and every existing '%' into '%25'
for($i=0;$i<11;$i++){
    $s=urlencode($s);
}
echo $s."\n";
?>
Finally, I constructed the payload: http://159.89.166.12:14000/?val1=akO&val2=WoAHh%2525252525252525252521&val3=20&val4=21, and the flag is: pctf{b3_c4r3fu1_w1th_pHp_f31145}.
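As an added example that is not part of the original write-up, the following Python 3 script reproduces both checks without PHP. It emulates PHP 7's rule that a string in arithmetic counts only by its leading numeric prefix, exponent notation included, which is what lets a hex digest evaluate to a number at all: since (log10(x ** 0.5)) ** 2 == 841 forces x == 10 ** 58 and 841 == 20*20 + 21*21, the brute force is really a search for a letter string whose SHA-256 digest PHP reads as 1e58, which is what the values found above imply for "akO". The function names and the constructed inputs are mine.

```python
#!/usr/bin/env python3
"""Reproduce the Mandatory PHP checks in Python (added example, not the write-up's code)."""
import hashlib
import math
import re
from urllib.parse import quote, unquote

# PHP 7 arithmetic on a string keeps only its leading numeric prefix (digits,
# optional fraction, optional exponent) and treats a fully non-numeric string
# as 0, so a hex digest that starts like "1e58" is read as the number 1e58.
_LEADING_NUM = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")

def php_numeric_prefix(s: str) -> float:
    m = _LEADING_NUM.match(s)
    return float(m.group(0)) if m else 0.0

def challenge_a(val1: str) -> float:
    """The challenge's $a: sha256 hex digest, then (log10($a ** 0.5)) ** 2."""
    x = php_numeric_prefix(hashlib.sha256(val1.encode()).hexdigest())
    if x <= 0 or math.isinf(x):
        return math.inf  # PHP yields INF here; it can never equal c*c + d*d
    return math.log10(x ** 0.5) ** 2

def find_pair(n: float):
    """Smallest 0 < c < d with c*c + d*d == n (what test.php's check() finds)."""
    if not math.isfinite(n) or n != int(n) or n <= 1:
        return None
    n = int(n)
    for c in range(1, math.isqrt(n)):
        d = math.isqrt(n - c * c)
        if d > c and c * c + d * d == n:
            return c, d
    return None

def nested_urlencode(s: str, times: int) -> str:
    """urlencode() applied repeatedly: '!' -> '%21', then each '%' -> '%25'."""
    for _ in range(times):
        s = quote(s, safe="")
    return s

def passes_val2_check(b: str) -> bool:
    """The challenge's loop on val2, given the value PHP put into $_GET (decoded once)."""
    for _ in range(10):
        if b == unquote(b):
            return False  # die('duck'): ran out of encoding layers too early
        b = unquote(b)
    return b == "WoAHh!"

if __name__ == "__main__":
    a = challenge_a("akO")
    print(a, find_pair(a))                 # 841.0 (20, 21)
    print(nested_urlencode("WoAHh!", 11))  # the val2 value used in the URL
```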

Thank you for reading!
