In this first-ever blog post, I will be sharing the writeups for some of the flags that I found as a part of the Capture the Flag (CTF) competition 2023 organized by CISCO x CNI IISC x Traboda x bi0s. I had a fun time solving these challenges.
For this write-up, I will be splitting the flags based on the challenge topics.
a) Web
b) Digital Forensics
c) Network Security
d) Cryptography
Web
1. CookieMonster
Solution:
For this challenge, they had given a webpage. The name of the challenge itself suggests that the flag has something to do with the cookies of the webpage. The
Now, let's search for hints on the webpage by opening the browser developer tools (the “Inspect” option). Checking the cookies in the Application tab, we see this:
If you look closely at the value of the cookie named “cookie”, “eyJhZG1pbiI6MH0=”, it resembles base64. Decoding it with an online base64 decoder or in the terminal gives {"admin":0}. Now change the value of admin to 1 and encode it back to base64: {"admin":1} encodes as “eyJhZG1pbiI6MX0=”. Set this value on the cookie named “cookie”. We also add another cookie named “admin” with the value “1”. Now refresh the page (CTRL + SHIFT + R), and we get our flag on the webpage.
Thus the flag for the challenge is: bi0s{O2HjHobXBNSdjdrnWVlvew==}
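As an added example (not part of the original writeup), the following Python reproduces the cookie decode/re-encode step from the solution and shows, beside it, the check a server should perform instead: an HMAC tag over the payload, so that any edit to the base64 is rejected. The secret, the function names and the signed-cookie layout are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret for the signed variant (assumption, not from the challenge).
SERVER_SECRET = b"constructed-demo-secret"


def decode_cookie(value: str) -> dict:
    """Decode the challenge-style cookie: plain base64 around a JSON object."""
    return json.loads(base64.b64decode(value))


def forge_cookie(fields: dict) -> str:
    """Re-encode a modified JSON object exactly as the unsigned cookie expects it."""
    return base64.b64encode(json.dumps(fields, separators=(",", ":")).encode()).decode()


def is_admin_unsigned(value: str) -> bool:
    """The weak check: trusts whatever the client sends in the cookie."""
    return decode_cookie(value).get("admin") == 1


def sign_cookie(fields: dict) -> str:
    """Hardened variant: payload + '.' + HMAC-SHA256 tag computed with the server secret."""
    payload = base64.b64encode(json.dumps(fields, separators=(",", ":")).encode())
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return f"{payload.decode()}.{tag}"


def is_admin_signed(value: str) -> bool:
    """Verify the tag before trusting the contents; a tampered payload no longer matches it."""
    try:
        payload, tag = value.split(".", 1)
    except ValueError:
        return False  # no tag at all: the unsigned challenge cookie is rejected outright
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False
    return json.loads(base64.b64decode(payload)).get("admin") == 1


if __name__ == "__main__":
    print(decode_cookie("eyJhZG1pbiI6MH0="))          # {'admin': 0}
    print(forge_cookie({"admin": 1}))                 # eyJhZG1pbiI6MX0=
    legit = sign_cookie({"admin": 0})
    tampered = legit.replace("eyJhZG1pbiI6MH0=", "eyJhZG1pbiI6MX0=")
    print(is_admin_unsigned("eyJhZG1pbiI6MX0="), is_admin_signed(tampered))  # True False
```

The point of the signed form is that the server never needs to hide the cookie's format; it only needs a secret the client does not have. Detection-wise, a signature mismatch on an otherwise well-formed cookie is worth logging, since legitimate clients never produce one.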
2. Partly_stored_answers
Solution:
We have a webpage with a dialog box asking for a “secret”; entering the right value is supposed to reveal it.
Let's check the HTML source using “View page source” or by pressing CTRL + U. There is a comment at the bottom of the page source:
<!-- The First part of flag: bi0s{iP1ae -->
Let’s note this and proceed with further inspection.
Let's check for hidden paths by requesting /robots.txt.
Voila! We have a hidden file. Before accessing it, let's inspect the “Page Source” of /robots.txt. In the HTML code, the second part of the flag is commented out:
<!-- the second part of the flag: QrdAVqllu7 -->
Let's open the /secrets/k3y page. A button named “Find the secret” is present; clicking it only shows the message “Clicking me will not get you the flag”. So let's inspect this page for hints. In the HTML source there is a script at the bottom of the page. The JavaScript uses the localStorage.setItem() method to store a value in the browser's local storage: it sets the key "secret" to the value 96038.
Let's enter “96038”, the value stored under “secret”, in the dialog box on the first webpage. After submitting it, we finally get the third part of the flag.
So combining all three parts (iP1ae, QrdAVqllu7 and l7V3T4A== joined together), the final flag is:
bi0s{iP1aeQrdAVqllu7l7V3T4A==}
3. Phone Book
Solution:
We are given a webpage and have to find the flag. Let's click the “Click Here” button to look for clues. On clicking it, Account Details appear with the Name “User” and Phone Number “9387294624”.
These details suggest they might have something to do with the cookies of the webpage, so add a cookie with the Name “User” and Value “9387294624” and refresh the page.
Oops! There is no change in the website. But look at the address bar: the URL is ch1225124301.ch.eng.run/account?id=1. The query string parameter id=1 is what the server uses to pick the record. Let's change the id value to 0, i.e. ch1225124301.ch.eng.run/account?id=0, and refresh the page.
Voila! We have our flag: bi0s{Ib9BlAF8wIglCuIJsr6Rpw==}
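The bug here is an insecure direct object reference: the id parameter alone selects the account. As an added example (not code from the challenge or the writeup), the Python below contrasts that lookup with one that ties the requested id to the caller's session and records denied attempts for detection. The account table, session table and function names are constructed for the example.

```python
from typing import Optional

# Constructed accounts table standing in for the challenge's phone book (assumption).
ACCOUNTS = {
    0: {"name": "Admin", "phone": "000-000-0000", "note": "flag{constructed_placeholder}"},
    1: {"name": "User", "phone": "9387294624", "note": ""},
}

# Constructed session table: which account each logged-in session belongs to.
SESSIONS = {"sess-user": 1}

# Denied cross-account reads are appended here; a real service would log them.
AUDIT: list = []


def account_lookup_vulnerable(query_id: str) -> Optional[dict]:
    """Insecure: the id query parameter alone selects the record (the challenge's behaviour)."""
    try:
        return ACCOUNTS.get(int(query_id))
    except ValueError:
        return None


def account_lookup_hardened(session_token: str, query_id: str) -> Optional[dict]:
    """Object-level authorization: the record must belong to the caller's own session."""
    owner_id = SESSIONS.get(session_token)
    if owner_id is None:
        return None  # not logged in
    try:
        requested = int(query_id)
    except ValueError:
        return None
    if requested != owner_id:
        # Someone else's record: deny and keep an audit trail of the attempt.
        AUDIT.append({"session": session_token, "owner": owner_id, "requested": requested})
        return None
    return ACCOUNTS.get(requested)


if __name__ == "__main__":
    print(account_lookup_vulnerable("0"))                   # leaks the Admin record
    print(account_lookup_hardened("sess-user", "0"))        # None
    print(AUDIT)                                            # one denied attempt recorded
```

A sequence of denied lookups from one session, each with a different requested id, is the signature of someone enumerating the parameter, and is easy to alert on once the check exists.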
4. Secret Keeper
Solution:
We are given a simple web page with a login form, so let's try some input in the Username and Password fields. For example, with Username “admin” and Password “master”, the webpage responds with “Only My Master can get through!!!”.
So let's analyze this challenge from the angle of SQL injection. Give a single quote (') as the Username and any string as the Password. The response is a syntax error from an SQL query executed in /var/www/html/index.php: the quote broke the query so that it no longer follows the syntax rules of the database in use, specifically near the character 'g'.
This suggests that this may be a case of login bypass using blind SQL injection. So, by trial and error with common login bypass payloads, give Username as “='or'1'='1'#&” and Password as “foo” (any string works).
Voila! We get our flag: bi0s{r2arfTSbHzHLuOoZwXBSzQ==}
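As an added example (not the challenge's PHP and not the writeup's code), the Python below builds the login query both ways against an in-memory SQLite table: string concatenation, which the quote breaks and the OR payload bypasses, and a parameterized query, where the same input is just a username that does not exist. The table, its one row and the function names are constructed; SQLite uses -- rather than MySQL's # for a line comment, so the payload is written with --.

```python
import sqlite3

# Constructed in-memory users table standing in for the challenge's database (assumption).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('master', 'constructed-password')")


def login_vulnerable(username: str, password: str) -> str:
    """String-built query: user input becomes part of the SQL text.

    Returns 'granted', 'denied' or 'error' (the error text is what index.php leaked).
    """
    sql = f"SELECT 1 FROM users WHERE username='{username}' AND password='{password}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        print(f"SQL syntax error: {exc}")  # echoing this to the client is the tell-tale
        return "error"
    return "granted" if row else "denied"


def login_hardened(username: str, password: str) -> str:
    """Parameterized query: input is bound as data and cannot change the query structure."""
    sql = "SELECT 1 FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return "granted" if row else "denied"


if __name__ == "__main__":
    payload = "' OR '1'='1' --"
    print(login_vulnerable("admin", "master"))   # denied
    print(login_vulnerable("'", "foo"))          # error  (the syntax error seen in the writeup)
    print(login_vulnerable(payload, "foo"))      # granted
    print(login_hardened(payload, "foo"))        # denied
```

Two mitigations fall out of this: bind parameters instead of formatting SQL, and return a generic failure to the client while the real database error goes to the server log, since the error message is what turns a failed login into a confirmed injection point.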
Digital Forensics
1. bl1ndf0ld
Solution:
We are given an image named bl1ndf0ld.png. When the image is opened normally, nothing is visible. So let's analyze it with an online image forensics tool. Using the “Hidden Pixels” feature to decode the image, we finally found the flag!!!
Flag - bi0s{7h3_c00l_plan3_stegan0gr4phy}
2. C4pt4inC0ld
Solution:
There is a text file named “secret.txt”. The description hints that the secret lies in the whitespace, which suggests that whitespace steganography was applied to the file.
We can use the SNOW program on Windows, or stegsnow on Linux, to extract it.
#Linux Command
stegsnow -C secret.txt
#Windows Command
SNOW.EXE -C secret.txt
Running stegsnow without a password extracts only this: ohn aFeh iemNi sY sh pbr ,eh2h, fli
But if you study the text file closely, there is a sentence “The password is azrael”.
Let's run stegsnow again with the password “azrael”.
Finally, we found the flag: bi0s{7h3_sn0w_0f_surpr1s3s}
3. f1xm3
Solution:
Given a corrupted PNG file. Let's fix it by opening the file in an online hex editor or with “ghex” in the Linux terminal.
Opening ch4ll.png, the file seems corrupted: the PNG signature and the chunk headers are invalid.
The corrupted segments of this PNG file are:
So the correct PNG signature (hex) is 89 50 4E 47 0D 0A 1A 0A
IHDR chunk type: 49 48 44 52
IDAT chunk type: 49 44 41 54
After changing these bytes accordingly and saving the file:
We found the flag! bi0s{g00d_f1x_g00d_s0lv3}
4. Pr0j3ct_M3t4
Solution:
Given a JPG file named “chall.jpg”. The file opens as a picture of Cillian Murphy!
Let's look at the image metadata using an online image forensics tool or with “exiftool” in the Linux terminal.
In this data, the “JPEG Comment” field looks like base64. Let's decode it to ASCII.
It turns out to be the flag: bi0s{ex1f_d4t4}
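The “JPEG Comment” that exiftool reports lives in the file's COM segment (marker 0xFF 0xFE). As an added example (not the writeup's tooling), the Python below walks the marker segments of a JPEG, pulls out every COM payload and base64-decodes the ones that decode cleanly. It builds a constructed minimal JPEG with a placeholder comment, since the real chall.jpg is not on the page; the helper names are assumptions.

```python
import base64
import struct


def make_jpeg(comment: bytes) -> bytes:
    """Constructed minimal JPEG: SOI, one COM segment carrying `comment`, EOI."""
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment  # length includes itself
    return b"\xff\xd8" + com + b"\xff\xd9"


def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each metadata segment up to SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker byte at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI / SOS: metadata segments end here
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def jpeg_comments(data: bytes) -> list:
    """Return the payload of every COM (0xFFFE) segment."""
    return [payload for marker, payload in jpeg_segments(data) if marker == 0xFE]


def decode_base64_comments(data: bytes) -> list:
    """Base64-decode each comment that is valid base64 and UTF-8, as done by hand above."""
    out = []
    for c in jpeg_comments(data):
        try:
            out.append(base64.b64decode(c, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # ordinary text comments are left alone
    return out


if __name__ == "__main__":
    sample = make_jpeg(base64.b64encode(b"flag{constructed_placeholder}"))
    print(jpeg_comments(sample))
    print(decode_base64_comments(sample))  # ['flag{constructed_placeholder}']
```

For a file from disk, pass open(path, "rb").read() to decode_base64_comments; the walker stops at the SOS marker, so it never has to parse the compressed image data.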
5. Upgr4d3d_f1xm3
Solution:
Given a corrupted PNG file named chall.png; fix it using ghex in the Linux terminal or an online hex editor.
Some of the corrupted segments of the PNG file are:
The PNG signature (hex) is 89 50 4E 47 0D 0A 1A 0A
IHDR chunk type: 49 48 44 52
We can check the PNG's validity using “pngcheck” on Linux or by downloading “tweakpng” on Windows.
So the chunk CRC is invalid. We can fix it by searching for 58 78 d3 0f and replacing it with 5a 2b d3 0f, and by searching for 0c 78 78 00 and replacing it with 0c 78 f4 00:
Flag - bi0s{crc_f1xup}
Network Security
1. Decrypt_The_Secrets
Solution:
Given a .pcapng file named “Decrypt the Secrets”. Open it with Wireshark.
Analyzing each packet sent, we find a hint that looks like a flag!!
So the hint found is: gn0x{s3yb0wp_nsyjwhjuynts_l0jx_g00rc0c0}
As we know, the flag format is bi0s{.......}. Comparing the hint with that format (gn0x against bi0s, with the digit and braces unchanged), this is a Caesar cipher. Using an online Caesar cipher decoder with ROT21, we find the flag.
We get our flag: bi0s{n3tw0rk_interception_g0es_b00mx0x0}
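The known flag prefix is a crib: only one of the 26 shifts turns gn0x{ into bi0s{, so the decoder can find ROT21 itself instead of being told. As an added example (not the writeup's online tool), the Python below implements the rotation and the crib search; the hint string is the one from the writeup, the function names are assumptions.

```python
import string

FLAG_PREFIX = "bi0s{"
HINT = "gn0x{s3yb0wp_nsyjwhjuynts_l0jx_g00rc0c0}"  # the hint from the capture, as quoted above


def rotate(text: str, shift: int) -> str:
    """Caesar/ROTn: shift letters by `shift`; digits, '_' and braces pass through unchanged."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def solve_caesar(ciphertext: str, known_prefix: str = FLAG_PREFIX):
    """Try every shift and return (shift, plaintext) for the one that yields the crib.

    Letters of the crib fix the shift; non-letters ('0', '{') must already match,
    which is the quick sanity check that this is a letter-only substitution.
    """
    for shift in range(26):
        candidate = rotate(ciphertext, shift)
        if candidate.startswith(known_prefix):
            return shift, candidate
    return None


if __name__ == "__main__":
    print(solve_caesar(HINT))  # (21, 'bi0s{n3tw0rk_interception_g0es_b00mx0x0}')
```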
Cryptography
1. x0rbash
Solution:
Given two files, output.txt and xorbash.py. output.txt contains the following:
HQYQMAAAHTAAAgYADAc=
The code in xorbash.py is a Python implementation of an XOR cipher with an additional affine cipher step. Let's understand what each part of the code does.
The affine_cipher function:
This function takes a text string as input and applies an affine cipher to it.
The affine cipher used here is a substitution cipher where each letter in the plaintext is mapped to its mirror image in the alphabet (the Atbash mapping). For example, 'a' is mapped to 'z', 'b' is mapped to 'y', and so on. Applying it twice gives back the original text, which is why the same function works for decryption.
The function iterates over each character in the input text, checks whether it is an alphabetic character, and then looks up its mirrored counterpart in the reversed alphabet.
If the character is not alphabetic, it is added to the result as is.
Finally, the function returns the resulting ciphertext.
The xor_cipher function:
This function takes a text string and a key as input and performs an XOR encryption of the text using the key.
First, affine_cipher is called to encrypt the text with the affine cipher.
The encrypted text is then converted to bytes using UTF-8 encoding.
The key is also converted to bytes using UTF-8 encoding.
The encrypted_bytes variable is created by XORing each byte of the encrypted text with the corresponding byte of the key (the key repeats as necessary).
The resulting encrypted_bytes are then base64-encoded to obtain a string representation of the encrypted data.
Finally, the encrypted text is returned.
From this, let's write a decryption script that reverses the steps of xorbash.py (base64 decode, XOR with the repeating key, then the affine cipher, which is its own inverse):
import base64

def affine_cipher(text):
    # Atbash mapping: a<->z, b<->y, ...; applying it again undoes it,
    # so this same function serves as the decryption step.
    alphabet = "abcdefghijklmnopqrstuvwxyz"
    reverse_alphabet = alphabet[::-1]
    result = ""
    for char in text.lower():
        if char.isalpha():
            index = alphabet.index(char)
            reversed_char = reverse_alphabet[index]
            result += reversed_char
        elif char == '_':
            result += '_'
        else:
            result += char
    return result

def xor_decipher(encrypted_text, key):
    # Reverse of xor_cipher: base64 -> XOR with repeating key -> affine cipher
    encrypted_bytes = base64.b64decode(encrypted_text)
    b = key.encode('utf-8')
    decrypted_bytes = bytes([encrypted_bytes[i] ^ b[i % len(b)] for i in range(len(encrypted_bytes))])
    decrypted_text = decrypted_bytes.decode('utf-8')
    decrypted_text = affine_cipher(decrypted_text)
    return decrypted_text

encrypted_text = "HQYQMAAAHTAAAgYADAc="  # the content of output.txt
key = 'zoro'
decrypted_text = xor_decipher(encrypted_text, key)
print(decrypted_text)
The output that we get is: try_all_angles
Thus the flag is flag{try_all_angles}
2. MOD
Solution:
Given two files, chall.py and output.txt.
The contents of output.txt:
[5, 11, 0, 6, 26, 77, 48, 3, 20, 49, 48, 95, 12, 52, 10, 51, 18, 95, 55, 7, 8, 13, 6, 18, 95, 11, 48, 48, 15, 28]
During encryption, a MOD (remainder) was taken of each character value; to decrypt, the value that was removed has to be added back. The resulting values are ASCII codes.
For output values of 28 and below, 97 (the code of 'a') is added; the remaining output values are already ASCII codes and are converted as they are.
For example: 5 + 97 = 102 (ASCII 'f')
11 + 97 = 108 (ASCII 'l')
77 = 77 (ASCII 'M')
Using this logic, let's write a Python code for finding the flag from the given output:
L = [5, 11, 0, 6, 26, 77, 48, 3, 20, 49, 48, 95, 12, 52, 10, 51, 18, 95, 55, 7, 8, 13, 6, 18, 95, 11, 48, 48, 15, 28]
f = ''
for i in L:
    if i > 28:
        f += chr(i)        # already a printable ASCII code
    else:
        f += chr(i + 97)   # offset from 'a' (97); note 26 -> '{' and 28 -> '}'
print(f)
Thus the flag for this challenge is: flag{M0du10_m4k3s_7hings_l00p}
3. Wojtek’s Enigma
Solution:
Given a .txt file named chall.txt. The contents of the text file are as follows:
Ensure the client security at all times
agin{afkkxf_7e3_ib4d}
Model : M3
Reflector : UKW B
ROTOR 1 : VI
Position : 1A
Ring : 2B
ROTOR 2 : I
Position : 3C
Ring : 4D
ROTOR 3 : III
Position : 5E
Ring : 6F
PLUGBOARD : bq cr di ej kw mt os px uz gh
From the description of the question and the content of the text file, we can decode the possible flag “agin{afkkxf_7e3_ib4d}” with an Enigma decoder. Entering the parameters from chall.txt in an online Enigma decoder, we get the flag!
Thus the flag is: flag{wojtek_7h3_be4r}
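To show what the settings in chall.txt actually do, the following Python is an added M3 simulator (not the online decoder the writeup used, and not a challenge file): plugboard, three rotors with ring settings and the middle-rotor double step, reflector, and back. The rotor and reflector wirings are the historical ones; the self-check encrypts AAAAA with rotors I II III at AAA/AAA and expects BDZGO. The mapping of the file's "ROTOR 1 / Position 1A / Ring 2B" onto leftmost rotor VI at position A with ring B, and letting digits, '_' and braces pass through without stepping, are assumptions about the online tool's conventions; if they match, decrypt_challenge returns the text inside the flag. Class and function names are constructed.

```python
import string

ALPHA = string.ascii_uppercase

# Historical Enigma rotor wirings and turnover notch letters (VI has two notches).
ROTORS = {
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
    "VI":  ("JPGVOUMFYQBENHZRDKASXLICTW", "ZM"),
}
REFLECTORS = {"B": "YRUHQSLDPXNGOKMIEBFZCWVJAT"}  # UKW B


class Enigma:
    """Enigma M3: plugboard -> rotors right to left -> reflector -> rotors left to right -> plugboard."""

    def __init__(self, rotors, positions, rings, reflector="B", plugboard=""):
        # rotors, positions and rings are given left to right, e.g. ["VI", "I", "III"], "ACE", "BDF"
        self.wiring = [ROTORS[r][0] for r in rotors]
        self.notches = [ROTORS[r][1] for r in rotors]
        self.pos = [ALPHA.index(p) for p in positions.upper()]
        self.ring = [ALPHA.index(r) for r in rings.upper()]
        self.reflector = REFLECTORS[reflector]
        self.plug = {c: c for c in ALPHA}
        for pair in plugboard.upper().split():
            a, b = pair
            self.plug[a], self.plug[b] = b, a

    def _step(self):
        # Standard M3 stepping, including the middle rotor's double step.
        if ALPHA[self.pos[1]] in self.notches[1]:
            self.pos[0] = (self.pos[0] + 1) % 26
            self.pos[1] = (self.pos[1] + 1) % 26
        elif ALPHA[self.pos[2]] in self.notches[2]:
            self.pos[1] = (self.pos[1] + 1) % 26
        self.pos[2] = (self.pos[2] + 1) % 26

    def _through(self, idx, c, forward):
        offset = self.pos[idx] - self.ring[idx]   # ring setting shifts the wiring against the window
        i = (c + offset) % 26
        if forward:
            o = ALPHA.index(self.wiring[idx][i])
        else:
            o = self.wiring[idx].index(ALPHA[i])
        return (o - offset) % 26

    def encrypt_char(self, ch):
        if ch not in ALPHA:
            return ch  # assumption: digits, '_' and braces pass through and do not step the rotors
        self._step()   # rotors move before the contact is made
        c = ALPHA.index(self.plug[ch])
        for idx in (2, 1, 0):              # right, middle, left
            c = self._through(idx, c, True)
        c = ALPHA.index(self.reflector[c])
        for idx in (0, 1, 2):              # left, middle, right
            c = self._through(idx, c, False)
        return self.plug[ALPHA[c]]

    def encrypt(self, text):
        return "".join(self.encrypt_char(ch) for ch in text.upper())


def challenge_machine() -> Enigma:
    """The chall.txt settings under the rotor-order assumption described above."""
    return Enigma(["VI", "I", "III"], "ACE", "BDF", "B", "bq cr di ej kw mt os px uz gh")


def decrypt_challenge() -> str:
    """Enigma is self-reciprocal, so 'decrypting' is encrypting the ciphertext again."""
    return challenge_machine().encrypt("afkkxf_7e3_ib4d").lower()


if __name__ == "__main__":
    print(Enigma(["I", "II", "III"], "AAA", "AAA").encrypt("AAAAA"))  # BDZGO
    print(decrypt_challenge())
```

Two properties hold for any correct implementation regardless of settings and are worth checking before trusting a simulator: running the output back through a freshly set machine returns the input, and no letter ever encrypts to itself (the reflector has no fixed points), which is the weakness that made known-plaintext attacks on Enigma practical.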