CTF

Posted on | In

TAMUctf Writeup

Team member: Dingsu Wang, Owen England, Wenhe Li

Web

Science

This website takes to arguments as input and gives back a gif. And this web indicates it is a flask app which is important in the solution!!

Originally, I thought it is about SQL injection or blind injection. While I tried commands like:

1
' OR 1=1; -- !

It does not give feedback but return the input directly. And we noticed the result page will print our input without any modified. We found a potential chance to do Xss. While doing such Xss will only work on client side which seems to be not helpful of finding flag.

After a while, we finally noticed that it is a flask app and using some HTML template which means we can inject python code using special template syntax. The next thing is determine which template engine it is using, so we input:

1
{{ 7 * '7' }}

If the output is 49 it is using Twig, if its output is 7777777 then it uses jinja.

After we got the template engine is jinja, we firstly wanted to direct inject python commands like:

1
2
3
open('flag.txt', 'r').read()
os.system('ls')
subprocess

While none of the above works, it’s probably due to a limit on namespace. Then we found out by calling config.items()[4][1].__class__.__mro__[2].__subclasses__(), we can get all the modules loaded in the currently namespace.

And we can think it as a list contains all the object, we just need to find one that can read/write or call command-line. So we tried subprocess.Popen to run command-line, while we found it is not possible to get the output unless we have subprocess.PIPEP in the environment. Since we can not get the direct output from command, we also tried curl, rsync or wget to send flag file to our personal server. While it turns out that none of the commands are in the environment. So we looked back to the modules they had, we found the had a module called click that can run commands and read file. So finally, by calling:

1
lazyFile('flag.txt').open().read()

We can get the flag.

Buckets

In the description, it indicated us to deal with the buckets. And its url is clearly from Amazon Aws, so we know that we need to deal with aws in this problem. After searching on the buckets SDK, we found that we can run command line like ls using aws cli.

1
aws s3 ls --recursive  tamuctf --no-sign-request --region us-west-2


And just access the flag file with URI, we can get it.

Crypto

-.-

This task gives us a txt file in the following format, with a hint says it is a classical cipher:

1
dah-dah-dah-dah-dah dah-di-di-dah di-di-di-di-dit

First come to our mind is that this is a random combination of di, dah and dit, which sounds like music. It is nothing but indeed contains some information. Look back at the title of the problem: -.-, which is a combination of - and . . It’s MORSE CODE and it really makes sense that di stands for the short one unit while dah stands for the long three units.

We use python to transfer the txt file to the following sequence of number:

1
0X57702A6C58744751386538716E6D4D59552A737646486B6A49742A5251264A705A766A6D2125254B446B6670235E4E39666B346455346C423372546F5430505A516D4351454B5942345A4D762A21466B386C25626A716C504D6649476D612525467A4720676967656D7B433169634B5F636C31434B2D7930755F683476335F6D3449317D20757634767A4B5A7434796F6D694453684C6D385145466E5574774A404E754F59665826387540476E213125547176305663527A56216A217675757038426A644E49714535772324255634555A4F595A327A37543235743726784C40574F373431305149

Because of it starts with 0X, we assume it is a hex and translate it into string. We find the flag in the string!

RSAaaay

This problems gives use a tuple of two integers and a secret message consist of secrets in the following screenshot:
screenshot

From the tile of the problem, it is obvious that this message use a ciphter method called RSA. However, there is one trick that Python does not have large numbers and we are not able to use it to make the computation. Following the algorithm, we use Wolframalpha which the tool to compute to get a sequence of number such as 103 105103. Since there have two 103 at the beginning of the number which match the format of the flag. We know this is the ASCII number of each characters and translate it into stirng and it is the flag.

Misc

I heard you like files

We are given a png file in this problem:

PNG

and here is the description of the problem:

Bender B. Rodriguez was caught with a flash drive with only a single file on it. We think it may contain valuable information. His area of research is PDF files, so it’s strange that this file is a PNG.

It is interesting that it mentions the guy is a researcher about PDF and it is strange to have a PNG. The first thing we thought was to change the file type from .png to .pdf.

Aha! It works and here is the last few lines of the .pdf file:
pdf
It is interesting that all the content in the file is non-sense word and only this two lines have some information. Unfortunately, there is no flag in it. 😦

The title once again gives us some hint about files! We have the idea that the file may be changed to other types. Then, we tried file types like .txt / .word / .xml / .zip and only .zip works.

Here is the content of the zip:

zipfile

There is a txt file that says, the flag is not here. Dissapointed but still eager to explore, we check every folder and file and find another file image1.png in the word/media folder:

another

Interesting! We change its file type to .pdf once again, but still has no flag in it. Here it is:

image2

Emmm… polyception! Another try failed. 😦 Angrily and desperately, we tried to figure out what actually was hidden in this file since it is polyception! We use the following cammand in linux in order to detemine the content of this .png file.

1
strings -a image1.png

The result seems to contain no useful information, BUT the last line is quite different compared to others:

1
ZmxhZ3tQMGxZdEByX0QwX3kwdV9HM3RfSXRfTjB3P30K

There is no slash and punctuations in the string and it looks like a base64 encoded message. With the last hope, we try to change it into string. 😃 BINGO!!! It is the flag.

Hello World

In this problem, we are given a c++ file and not much description which only says My first program!.

Wait… Only the last few lines is the c++ code which prints out the string Hello, Worlds!. What are the other empyt spaces for? We are frustrated, but we find that the whitespaces actually are in certain format:

whitespaces

By googling, we notice there is a programming language called whitespaces and it looks much like what we have now. There are numerous online compilers about the whitespaces programming language, and here is the one that we use whitespaces IDE. Here is the result of what we have:

1
Well sweet golly gee, that sure is a lot of whitespace!

Unfortunately, the flag is not here. While exploring around on the website, we find in the console memory there is a stack:

1
Stack: [103, 105, 103, 101, 109, 123, 48, 104, 95, 109, 121, 95, 119, 104, 52, 116, 95, 115, 112, 52, 99, 49, 110, 103, 95, 121, 48, 117, 95, 104, 52, 118, 51, 125]

Once again, two 103 occured at the beginning of the stack. It’s ASCII, and we find the flag.