YUBITSEC CTF 2017 - Write-ups

Information

Version

By      Version   Comment
noraj   1.0       Creation

CTF

  • Name : YUBITSEC CTF 2017
  • Website : ctf.yubitsec.org
  • Type : Online
  • Format : Jeopardy
  • CTF Time : link

1 - Flag Format - Warmup

Hello, welcome to YUBITSEC CTF!

We hope you will have a good time.

Flag format is:

YUBITSEC{}

5 - Bash - Warmup

BFYRGHVX{ZGYZHS_MLG_DVOXLNV_SVIV}

Bash for ATBASH.

YUBITSEC{ATBASH_NOT_WELCOME_HERE}

10 - A fine cipher - Warmup

a:9

b:13

Encrypted:

VLWHCTXF{N_GHAX_FHSYXK}

A fine cipher for Affine cipher.

YUBITSEC{A_FINE_CIPHER}

10 - Rome - Warmup

Encrypted:

PLSZKJVT{TRVJRI_WFLEU_KYZJ_RTKLRCCP}

Rome for Caesar.

YUBITSEC{CAESAR_FOUND_THIS_ACTUALLY}
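The three warm-up ciphers above (Bash, A fine cipher, Rome) as an added Python example, not code from the original write-up: Atbash, Affine decryption with the challenge parameters a=9, b=13, and a Caesar brute force that picks the shift producing the flag prefix. Non-letters such as {, } and _ are passed through unchanged.

```python
# Added example: decoders for the three warm-up ciphers, run on the page's ciphertexts.
from string import ascii_uppercase as ALPHABET

M = len(ALPHABET)  # 26


def _map_letters(text, fn):
    """Apply fn to the index of every uppercase letter, keep other characters."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[fn(ALPHABET.index(ch)) % M])
        else:
            out.append(ch)
    return "".join(out)


def atbash(text):
    # Atbash is an involution (A<->Z, B<->Y, ...), so decoding equals encoding.
    return _map_letters(text, lambda x: M - 1 - x)


def affine_decrypt(text, a, b):
    # E(x) = a*x + b (mod 26), so D(y) = a^-1 * (y - b) (mod 26).
    # a must be coprime with 26; pow() raises ValueError otherwise.
    a_inv = pow(a, -1, M)
    return _map_letters(text, lambda y: a_inv * (y - b))


def caesar_decrypt(text, shift):
    return _map_letters(text, lambda x: x - shift)


def caesar_bruteforce(text, marker="YUBITSEC{"):
    """Try all 26 shifts; return (shift, plaintext) for the one containing marker."""
    for shift in range(M):
        candidate = caesar_decrypt(text, shift)
        if marker in candidate:
            return shift, candidate
    return None


if __name__ == "__main__":
    print(atbash("BFYRGHVX{ZGYZHS_MLG_DVOXLNV_SVIV}"))
    print(affine_decrypt("VLWHCTXF{N_GHAX_FHSYXK}", 9, 13))
    print(caesar_bruteforce("PLSZKJVT{TRVJRI_WFLEU_KYZJ_RTKLRCCP}"))
```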

10 - Telegram - Warmup

Join our telegram group to get the flag

https://t.me/joinchat/AAAAAEHWJtP-LHCynDnIJg

YUBITSEC{Abi_n4sil_uy3_0luy0ruz?}

5 - Disambiguation - Trivia

A well known bug in OpenSSL cryptology library.

There is no flag format, enter the answer in lowercase.

heartbleed

10 - Execution - Trivia

A well known privilege escalation vulnerability.

There is no flag format, enter the answer in lowercase.

shellshock

10 - Talk dirty to me - Trivia

A Linux kernel bug that has been around for at least 11 years.

There is no flag format, enter the answer in lowercase.

dirtycow

10 - Ümit Besen - Trivia

A well known computer worm that spreads with emails.

There is no flag format, enter the answer in "uppercase".

ILOVEYOU

15 - Global Surveillance - Trivia

Intercept the communications!

There is no flag format, enter the answer in lowercase.

echelon

150 - Text into image - Steganography

Shaco is hiding something!

lsb.png

The organizers made a mistake: this is not an LSB challenge, so the name of the challenge was changed.

Pure guessing. I simply typed "steganography text into image" into Google and used the first online tool:

http://manytools.org/hacker-tools/steganography-encode-text-into-image/

Flag is YUBITSEC{now_you_see_me}.

30 - Robots Are Cool 1 - Web

I think robots are cool. What you think?

http://138.197.41.168/fiuuu/r0b0t.html

Considering the title, I tried to access the robots.txt:

$ curl http://138.197.41.168/fiuuu/robots.txt
User-agent: *
Disallow: /pewpewpew.html
YUBITSEC{c0me_w1th_m3_If_y0u_w4nt_t0_L1ve}

PS: http://138.197.41.168/fiuuu/pewpewpew.html also contains the flag.

Flag is YUBITSEC{c0me_w1th_m3_If_y0u_w4nt_t0_L1ve}.

75 - Simple Sql Injection - Web

http://138.197.41.168/ctf3/login.html

I tried the following payload:

  • Login: admin
  • Password: ' or 1-- -'

I successfully bypassed the authentication and got redirected to http://138.197.41.168/ctf3/fl0g.html.

<!DOCTYPE html>
<html>
<head>
<title>fl0g</title>
</head>
<body>
<p>FLAG IS AROUND HERE SOMEWHERE</p>
</body>
</html>
<!--YUBITSEC{w0w_such_h4ck}-->

175 - Coming Soon!! - Web

Hello I am Zafer. Beşir puts Izzettin in to a coma and I need help to get Avatar 2 DVD. Can you help me to get it?

http://138.197.41.168/ctf1/login.html

Note: For non-Turkish players; if you have any issue with language contact hatMadder on irc

hint: take a careful look at names ;)

I tried the following payload:

  • Login: admin
  • Password: ' or 1-- -'

I successfully bypassed the authentication and got redirected to http://138.197.41.168/ctf1/avatar.html

There are some links:

Avatar 2
Avatar 2 720p Full izle Türkçe dublaj - Part 1
Avatar 2 720p Full izle Türkçe dublaj - Part 2
Avatar 2 720p Full izle Türkçe dublaj - Part 3
Avatar 2 720p Full izle Türkçe dublaj - Part 4
Avatar 2 720p Full izle Türkçe dublaj - Part 5
Avatar 2 720p Full izle Türkçe dublaj - Part 6

They look to be a base64 image split into 6 parts.

So I extracted the base64 parts manually and saved them into a file, then retrieved the image:

$ cat test.txt| tr -d '\n' | base64 -di > image
$ file image
image: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1280x1221, frames 3

And then I can see an AVATAR 2 CD RIP with YUBITSEC{1zz3tt1n1_k0m4y4_b3n_s0ktUm}.
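The login bypass used in both "Simple Sql Injection" and "Coming Soon!!" works because the password is concatenated into the SQL string. This added Python example (not the challenge's own code, the user table is constructed) shows the vulnerable query next to the parameterised form that treats the same payload as plain data.

```python
# Added example: why ' or 1-- -' bypasses a string-concatenated login, and the fix.
import sqlite3

PAYLOAD_USER = "admin"
PAYLOAD_PASS = "' or 1-- -'"


def make_db():
    """Constructed in-memory users table with one account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    return db


def login_vulnerable(db, user, password):
    # The payload closes the quote, appends an always-true "or 1" and
    # comments out the dangling quote with "-- -", so every row matches.
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (user, password))
    return db.execute(query).fetchone() is not None


def login_safe(db, user, password):
    # Placeholders: values are bound separately from the SQL text, so the
    # quote and comment marker are just characters in the compared string.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (user, password)).fetchone() is not None


def demo():
    """Run the payload against both implementations; returns a result dict."""
    db = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(db, PAYLOAD_USER, PAYLOAD_PASS),
        "safe_bypassed": login_safe(db, PAYLOAD_USER, PAYLOAD_PASS),
        "safe_real_password": login_safe(db, "admin", "correct-horse-battery"),
    }


if __name__ == "__main__":
    print(demo())
```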

50 - Location - OSINT

Can you find location ?

We are looking for city name ?

All chars are lowercase and close.

Flag format: YUBITSEC{losangeles}

location.jpg

We are looking for GPS metadata:

$ exiftool location.jpg | grep -i gps
GPS Version ID : 2.2.0.0
GPS Latitude Ref : South
GPS Longitude Ref : West
GPS Altitude Ref : Above Sea Level
GPS Altitude : 0 m Above Sea Level
GPS Latitude : 51 deg 37' 14.65" S
GPS Longitude : 69 deg 13' 47.00" W
GPS Position : 51 deg 37' 14.65" S, 69 deg 13' 47.00" W

I used indlatitudeandlongitude.com (again) to get the location: Ameghino 400-466, Z9400JEJ Río Gallegos, Santa Cruz, Argentina.

Flag is YUBITSEC{riogallegos}.

Note: it's more forensics than OSINT

75 - Mobile Number - OSINT

Who took this photo ?

Can you find photographer's mobile number ?

Show me, How stalker are you!

Note: Flag format will be YUBITSEC{+1234567890}

This time no metadata.

I made a reverse image search with Google Images (uploading the picture) and found that this picture was taken by Isaac Kasamani.

I looked at his Facebook page but there was nothing there, so I went to his blog and found his phone number: +256 (0) 752166288.

Flag is YUBITSEC{+2560752166288}.

15 - Social Media - OSINT

Nothing on Twitter.

Facebook or Instagram profiles are not referenced, neither with a normal search engine search nor with dorks like yubitsec inurl:instagram.com.

I checked that there is no local/national Turkish social media.

So I asked an admin, who redirected me to Instagram.

But there is nothing referenced.

So I browsed StackExchange and found a topic: I don't have an Instagram account. Can I still look at users' Instagram photos?.

The answer was to go to instagram.com/profile_name. I looked for yubitsec and found https://www.instagram.com/yubitsec/.

There is 1 picture, a QR code.

The original picture may still be available on the CDN.

So I used https://webqr.com/ (drag'n'drop) and found: YUBITSEC{W3LC0M3}.

This is not really open source information or publicly available data, so we can't really talk about OSINT. But you know, CTF organizers often don't care about making challenges about real security, categorizing them well, or even banning guessing.

25 - Find me - Misc

Find me in source code.

Nothing on ctf.yubitsec.org. Let's try yubitsec.org:

<!DOCTYPE html>
<html lang="en-us">
<!--
██╗ ██╗██╗ ██╗██████╗ ██╗████████╗ ███████╗███████╗ ██████╗
╚██╗ ██╔╝██║ ██║██╔══██╗██║╚══██╔══╝ ██╔════╝██╔════╝██╔════╝
╚████╔╝ ██║ ██║██████╔╝██║ ██║ ███████╗█████╗ ██║
╚██╔╝ ██║ ██║██╔══██╗██║ ██║ ╚════██║██╔══╝ ██║
██║ ╚██████╔╝██████╔╝██║ ██║ ███████║███████╗╚██████╗
╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝ ╚══════╝╚══════╝ ╚═════╝
-->
<!-- nothing to see here y0u bad hax0r_1337 -->
<!-- YUBITSEC{AG4_I$L3R_V4R} -->
<head>

Flag is YUBITSEC{AG4_I$L3R_V4R}.

25 - Strings - Misc

Easy Peasy

Strings.jpg

As the title says:

$ strings Strings.jpg | tail -1
YUBITSEC{H4CK3R_M4N35}

35 - Weird symbols - Misc

What is this?

weird_txt

That is some JavaScript Brainfuck (not original Brainfuck).

You can eval some parts in a JavaScript console; for example !+[]+!+[]+[+[]] equals 20.

So I pasted all into an eval() and waited until I got a pop-up with YUBITSEC{WEIRD_JAVASCRIPT_IS_WEIRD}.

35 - B64 - Misc

File.txt

I removed the b'...' wrapper (Python bytes notation) around the base64 data and then:

$ cat file.txt| base64 -di | base64 -di | base64 -di | base64 -di | base64 -di | base64 -di | base64 -di | base64 -di

But it seems very recursive.

So I used and adapted a recursive command:

$ str=`cat file.txt`; for i in `seq 1 100`; do echo -e "$str\n"; str="$(base64 -di <<< $str)"; done

YUBITSEC{YUBITSEC{YUBITSEC{YUBITSEC}}}
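The shell loop above decodes a fixed 100 times and prints every layer. As an added Python example (not from the write-up), this peels base64 layers until the data stops being valid base64, which is exactly when the flag with its { } characters is reached; the nested sample input is constructed with a helper, since file.txt is not on the page.

```python
# Added example: strip the b'...' wrapper, then decode nested base64 until it stops decoding.
import base64
import binascii
import re


def strip_bytes_repr(text):
    """Turn "b'QUJD'" (a Python bytes repr) into "QUJD"; other text is returned stripped."""
    m = re.fullmatch(r"b'(.*)'", text.strip(), re.S)
    return m.group(1) if m else text.strip()


def peel_base64(data, max_depth=100):
    """Decode base64 repeatedly; return (final_text, number_of_layers_removed).

    Stops when the current data is not strict base64 (e.g. contains { or }) or
    does not decode to printable text, so the real flag is returned as-is."""
    depth = 0
    current = strip_bytes_repr(data)
    while depth < max_depth:
        candidate = re.sub(r"\s+", "", current)   # tolerate wrapped lines
        try:
            decoded = base64.b64decode(candidate, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break
        if not all(c.isprintable() or c.isspace() for c in decoded):
            break
        current, depth = decoded, depth + 1
    return current.strip(), depth


def nest_base64(text, layers):
    """Constructed test helper: wrap text in `layers` successive base64 encodings."""
    out = text.encode()
    for _ in range(layers):
        out = base64.b64encode(out)
    return out.decode()


if __name__ == "__main__":
    sample = nest_base64("YUBITSEC{YUBITSEC{YUBITSEC{YUBITSEC}}}", 5)  # constructed
    print(peel_base64("b'" + sample + "'"))
```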

50 - File - Forensics

Challenge link: https://drive.google.com/open?id=0B_jBF_ZqfxnBd0tKcDJMVkw1Njg

What is this file ? Can you find hidden flag ?

Flag format: YUBITSEC{}

$ binwalk File
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
30 0x1E Zip archive data, at least v1.0 to extract, compressed size: 11905297, uncompressed size: 11905297, name: File/Flag.zip
11905348 0xB5A944 End of Zip archive
11905370 0xB5A95A Zip archive data, at least v2.0 to extract, compressed size: 20103, uncompressed size: 24875, name: File/YubitSec.jpg
11925801 0xB5F929 End of Zip archive
$ unzip File -d here

Then there are a lot of nested zip files: File/Flag/op/Hacker/HackerMan/HackThePlanet/Last.

At the end we have flag.png: {C0MPR3SS10N_1S_G00D}. So the flag is YUBITSEC{C0MPR3SS10N_1S_G00D}.

100 - Easy - Crypto

Seems like there must be hiding flag, find it!

secret.txt

This is a list of MD5 hashes.

Crack the hashes with https://crackstation.net/ and use a text editor's replace-all feature to go faster.

And then:

$ cat secret.txt| tr -d '\n'
MD5?_Hell_Yes!_So_you_know_what_do_you_need_to_do_I_think_You_have_to_be_more_fastFlag_must_be_here_but_where_?_I_guess_you_are_so_closeYUBITSEC{I_h0p3_y0u_didn't_try_t0_d3crpyt_on3_by_on3}maybe_flag_can_be_little_bit_upI_think_flag_won't_be_ending_part

50 - Gifted - Reverse

gifted

$ strings gifted | grep -i yubitsec
YUBITSEC{MEH_IT_IS_SOMETHING}

50 - *blushes* - Steganography

indir.png

The image looks transparent and has no metadata.

But blushing means getting red. So using StegSolve, for example, we can see a QR code in the red planes:

Then I used https://webqr.com/ to get the flag: YUBITSEC{hello_nothing_here}.

75 - Broken - Forensics

HINT: Compare with normal PNGs. You need to add something ?

broken.png

Let's check a correct PNG:

$ xxd -l50 indir.png
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR
00000010: 0000 00c8 0000 00c8 0806 0000 00ad 58ae ..............X.
00000020: 9e00 0000 0662 4b47 4400 ff00 ff00 ffa0 .....bKGD.......
00000030: bda7

And now the broken one:

$ xxd -l50 broken.png
00000000: 0000 0226 0000 0226 0806 0000 0067 ce41 ...&...&.....g.A
00000010: 4600 0000 0662 4b47 4400 ff00 ff00 ffa0 F....bKGD.......
00000020: bda7 9300 0000 0970 4859 7300 0000 4800 .......pHYs...H.
00000030: 0000

We can see the broken file lacks the first 16 bytes: the PNG header (magic number) plus the length and type of the first chunk (IHDR). Let's fix this:

$ printf "\x89\x50\x4e\x47\x0d\x0a\x1a\x0a\x00\x00\x00\x0d\x49\x48\x44\x52" | cat - broken.png > fixed.png

Now we have a valid PNG and we can read: YUBITSEC{m4g1c_numb3rs_4r3_c00l}.
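The same repair as an added Python example (not from the write-up), with the check the printf one-liner does not give you: after prepending the 8-byte signature and the IHDR length/type, the CRC stored after the IHDR data must match a CRC-32 recomputed over "IHDR" plus its 13 data bytes, otherwise the guess about what was missing is wrong. A minimal PNG header is constructed so the example runs without broken.png.

```python
# Added example: repair a PNG whose first 16 bytes are missing and verify the IHDR CRC.
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
IHDR_PREFIX = struct.pack(">I", 13) + b"IHDR"   # chunk length 0x0000000d + type


def is_png(data):
    return data.startswith(PNG_SIGNATURE)


def ihdr_crc_ok(data):
    """Verify the CRC of the first chunk, which must be IHDR in a valid PNG."""
    if not is_png(data) or data[12:16] != b"IHDR":
        return False
    length = struct.unpack(">I", data[8:12])[0]
    chunk = data[12:16 + length]                      # type + data (CRC covers both)
    stored = struct.unpack(">I", data[16 + length:20 + length])[0]
    return (zlib.crc32(chunk) & 0xFFFFFFFF) == stored


def repair_missing_header(data):
    """Prepend signature + IHDR length/type if the file starts at the IHDR data.

    Returns the repaired bytes, the input unchanged if it already is a PNG,
    or None if the CRC still does not match (so the damage is something else)."""
    if is_png(data):
        return data
    fixed = PNG_SIGNATURE + IHDR_PREFIX + data
    return fixed if ihdr_crc_ok(fixed) else None


def make_header(width, height):
    """Constructed: a valid PNG signature + IHDR chunk (8-bit RGBA, no image data)."""
    ihdr_data = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + ihdr_data) & 0xFFFFFFFF
    return PNG_SIGNATURE + IHDR_PREFIX + ihdr_data + struct.pack(">I", crc)


if __name__ == "__main__":
    good = make_header(550, 550)      # 0x226 x 0x226, like the challenge file
    broken = good[16:]                # same damage as broken.png
    fixed = repair_missing_header(broken)
    print(fixed == good, ihdr_crc_ok(fixed))
```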
