Team Details
Team Name : MINOTAURSEC
Team Members : sys41x4 [Arijit Bhowmick] (https://twitter.com/sys41x4)
               meet9#4291 {Discord} [Meet Bhanushali] (https://twitter.com/Bhanushalimeet5)
Team Points Earned : 1011
Team Position : 331
Challenges Solved : Bass64 [WARMUPS]
Read The Rules [WARMUPS]
2EZ [WARMUPS]
Target Practice [WARMUPS]
Tsunami [WARMUPS]
Six Four Over Two [WARMUPS]
Butter Overflow [WARMUPS]
Pimple [WARMUPS]
Confidentiality [WEB]
Integrity [WEB]
Swaggy [WEB]
Jed Sheeran [OSINT]
Mike Shallot [OSINT]
Team Score Board : 1011
Challenges
Bass64 [WARMUPS]
Author: @JohnHammond#6971
It, uh... looks like someone bass-boosted this? Can you make any sense of it ?
Bass64 | [SOLUTION]
Download the challenge file from the attachment button.
After opening it we are presented with an ASCII-art banner.
Here I have used micro (a terminal text editor) to open the file;
nano, Sublime Text or any other text editor works as well.
The ASCII art spells out the characters of a base64-encoded string, so we just retype those characters in the terminal
and decode the base64 string.
Decoding it gives us the FLAG for this challenge.
FLAG : flag{35a5d13da6a2afa0c62bfcbdd6301a0a}
Read The Rules [WARMUPS]
Author: @JohnHammond#6971
Please follow the rules for this CTF
Read The Rules | [SOLUTION]
In the challenge description there is a link,
https://ctf.hacktivitycon.com/rules
On viewing the source code of that webpage
we find our flag in an HTML comment.
FLAG : flag{90bc54705794a62015369fd8e86e557b}
2EZ [WARMUPS]
Author: @JohnHammond#6971
These warmups are just too easy! This one definitely starts that way, at least!
2EZ | [SOLUTION]
Let us first download the provided attachment file.
After downloading it we open it in hexedit.
There we can see that it is a JPEG file:
we can tell from the header bytes,
but the first bytes have been changed in this case.
So we can repair this JPEG file by restoring its header bytes.
The magic header bytes of a JPEG (JFIF) file
are FF D8 FF E0.
After overwriting the first 4 bytes of the file with FF D8 FF E0
the image opens and shows the flag, which is written in the JPEG image.
FLAG : flag{812a2ca65f334ea1ab234d8af3c64d19}
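As an added example (not from the writeup), the header check and repair described above as a small Python script. It goes slightly beyond 2EZ: the signature table also covers the GIF, WAV and GIMP XCF files met in later challenges, and the sample bytes are constructed here rather than taken from the challenge file.

```python
import sys
from typing import Optional

# Magic-byte signatures for the formats met in this writeup
# (2EZ: JPEG, Target Practice: GIF, Tsunami: WAV, Pimple: GIMP XCF).
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",        # GIF87a / GIF89a
    "xcf": b"gimp xcf ",   # followed by a version string such as "v011"
}

# Constructed sample: a JFIF header whose first 4 bytes were zeroed, as in 2EZ.
SAMPLE_DAMAGED = b"\x00\x00\x00\x00\x00\x10JFIF\x00\x01\x01\x00" + b"\x00" * 16


def identify(data: bytes) -> Optional[str]:
    """Return a format name when the leading bytes match a known signature."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    # WAV is a RIFF container: "RIFF" <4-byte size> "WAVE"
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "wav"
    return None


def looks_like_damaged_jpeg(data: bytes) -> bool:
    """A JFIF file keeps the "JFIF" tag of its APP0 segment at offset 6
    even when the marker bytes in front of it were overwritten."""
    return identify(data) != "jpeg" and data[6:10] == b"JFIF"


def repair_jpeg_header(data: bytes) -> bytes:
    """Restore SOI + APP0 marker (FF D8 FF E0); refuse files that are not JFIF."""
    if identify(data) == "jpeg":
        return data
    if not looks_like_damaged_jpeg(data):
        raise ValueError("not a JFIF file with a damaged header")
    return b"\xff\xd8\xff\xe0" + data[4:]


if __name__ == "__main__":
    # Usage: python fix_jpeg.py broken.jpg fixed.jpg (no args: run on the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) == 3 else SAMPLE_DAMAGED
    fixed = repair_jpeg_header(data)
    if len(sys.argv) == 3:
        open(sys.argv[2], "wb").write(fixed)
    print("detected:", identify(data), "->", identify(fixed))
```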
Target Practice [WARMUPS]
Author: @JohnHammond#6971
Can you hit a moving target?
Note, this flag contains only 24 hexadecimal characters.
Target Practice | [SOLUTION]
Let us first download the provided attachment file.
We see that it is a GIF file.
When opening it we see that it cycles through what look like random QR-code-style images.
I tried strings, hexedit, steghide, exiftool and binwalk, but those didn't work.
So I decided to extract all the frames from the GIF file and analyse them.
I used an online GIF-to-PNG converter tool and got all the frames of the GIF file in PNG format.
We get 22 PNG files, which suggests that the GIF has 22 frames.
Then I did a quick reverse search with Google Reverse Image Search (https://www.google.com/imghp)
using the first PNG image extracted from the GIF file.
There we see that it is referring to MaxiCode.
I immediately searched for a MaxiCode decoder
and found a website for decoding MaxiCode images: https://products.aspose.app/barcode/recognize/maxicode#
There I started trying all 22 PNGs that I had.
On the 16th PNG we got the flag for this challenge.
FLAG : flag{385e3ae5d7b2ca2510be8ef4}
Tsunami [WARMUPS]
Author: @JohnHammond#6971
Woah! It's a natural disaster! But something doesn't seem so natural about this big wave...
Tsunami | [SOLUTION]
So let us download the file.
Checking the file type with the file command
shows that it is a WAV file.
After playing the WAV file I was sure that it was audio steganography.
I quickly fired up Audacity
and opened the WAV file in it,
then changed the view from Waveform
to Spectrogram.
Scrolling to the very end we get our flag \0/
FLAG : flag{f8fbb2c761821d3af23858f721cc140b}
Six Four Over Two [WARMUPS]
Author: @JohnHammond#6971
I wanted to cover all the bases so I asked my friends what they thought, but they said this challenge was too basic...
Six Four Over Two | [SOLUTION]
Let us download the challenge file.
After opening the file we see that it contains a string:
EBTGYYLHPNQTINLEGRSTOMDCMZRTIMBXGY2DKMJYGVSGIOJRGE2GMOLDGBSWM7IK
At first glance I recognised it as a Base32-encoded string.
Decoding the Base32-encoded string gives us the flag for this challenge.
FLAG : flag{a45d4e70bfc407645185dd9114f9c0ef}
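An added Python example (not the author's tooling) that automates the decoding step of Bass64 and Six Four Over Two: it strips whitespace, restores padding and tries base64, base32 and hex until one yields a flag{...}. The Base32 string is the one from this challenge; the other two samples are constructed.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

# CTF-style flag: flag{ + 24..32 hex characters + } (Target Practice has 24).
FLAG_RE = re.compile(rb"flag\{[0-9a-f]{24,32}\}")

# Samples: the Base32 string from Six Four Over Two, plus a constructed base64
# banner split across lines (as retyped ASCII art would be) and a constructed hex string.
_FAKE = b"flag{deadbeefdeadbeefdeadbeef}"
_B64 = base64.b64encode(_FAKE).decode()
SAMPLES = {
    "six_four_over_two": "EBTGYYLHPNQTINLEGRSTOMDCMZRTIMBXGY2DKMJYGVSGIOJRGE2GMOLDGBSWM7IK",
    "bass64_like": _B64[:20] + "\n" + _B64[20:] + "\n",
    "hex_like": _FAKE.hex(),
}


def _normalise(blob: str) -> str:
    """Drop whitespace and newlines left over from copying or retyping."""
    return re.sub(r"\s+", "", blob)


def _padded(s: str, block: int) -> str:
    """Re-add '=' padding that is commonly lost when strings are passed around."""
    return s + "=" * (-len(s) % block)


DECODERS = {
    "base64": lambda s: base64.b64decode(_padded(s, 4), validate=True),
    "base32": lambda s: base64.b32decode(_padded(s, 8).upper()),
    "hex": lambda s: bytes.fromhex(s),
}


def try_decode(blob: str) -> Optional[Tuple[str, str]]:
    """Try each encoding in turn; return (encoding, flag) for the first
    decoding that contains a flag, or None if none does."""
    s = _normalise(blob)
    for name, decode in DECODERS.items():
        try:
            out = decode(s)
        except (binascii.Error, ValueError):
            continue  # not valid in this encoding; try the next one
        match = FLAG_RE.search(out)
        if match:
            return name, match.group(0).decode()
    return None


if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(label, "->", try_decode(blob))
```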
Butter Overflow [WARMUPS]
Author: @M_alpha#3534
Can you overflow this right?
Butter Overflow | [SOLUTION]
We are provided with 3 files as an attachment,
but I have used only 2 of them: source.c
and butter_overflow.
butter_overflow
is the binary, and source.c
is its source file.
As it is a warmup challenge I was sure that a basic buffer overflow would get us the flag.
source.c
contains the following C code:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <sys/stat.h>

void give_flag();

/* Any segmentation fault lands here, so simply crashing the program prints the flag. */
void handler(int sig) {
    if (sig == SIGSEGV)
        give_flag();
}

void give_flag() {
    char *flag = NULL;
    FILE *fp = NULL;
    struct stat sbuf;

    if ((fp = fopen("flag.txt", "r")) == NULL) {
        puts("Could not open flag file.");
        exit(EXIT_FAILURE);
    }
    fstat(fileno(fp), &sbuf);
    flag = malloc(sbuf.st_size + 1);
    if (flag == NULL) {
        puts("Failed to allocate memory for the flag.");
        exit(EXIT_FAILURE);
    }
    fread(flag, sizeof(char), sbuf.st_size, fp);
    flag[sbuf.st_size] = '\0';
    puts(flag);
    fclose(fp);
    free(flag);
    exit(EXIT_SUCCESS);
}

int main() {
    char buffer[0x200];          /* 512-byte stack buffer */
    setbuf(stdout, NULL);
    setbuf(stdin, NULL);
    signal(SIGSEGV, handler);
    puts("How many bytes does it take to overflow this buffer?");
    gets(buffer);                /* no bounds check: a longer line overflows the buffer */
    return 0;
}
So what I did first is make the binary executable
using the command chmod +x butter_overflow.
Then I analysed it with checksec
(a tool from the pwntools package).
Then I generated a cyclic string of length 1000 and redirected it to a file named alphabet
using the command cyclic 1000 > alphabet.
Here alphabet
is just a filename (it can be any name you want) and it contains a string of length 1000.
Let us now use gdb to analyse the binary.
After feeding the string from the alphabet
file to the program using
r < alphabet
we see that a buffer overflow has occurred.
We see that we have a hit at the string faafgaaf.
Finding that string in the alphabet
file using grep
gives us the exact string
that we need to cause the overflow.
There was a Deploy
button in the challenge details
which provides us an IP address and a port to connect to with nc.
On connecting to the deployed instance we get a prompt asking us to provide an input.
Providing the string that causes the buffer overflow in the program
as the input gives us the flag for this challenge.
FLAG : flag{72d8784a5da3a8f56d2106c12dbab989}
Pimple [WARMUPS]
Author: @JohnHammond#6971
This challenge is simple,it's just a pimple!
Pimple | [SOLUTION]
Let us first download the file and check the file type.
Here we can see that it is a GIMP file.
Let us open the challenge file pimple
in GIMP or Photopea (an online alternative that can open GIMP files).
As I don't have GIMP installed on my system, I am using the online alternative.
After removing the 6 top-most layers we get to see our flag.
FLAG : flag{9a64bc4a390cb0ce31452820ee562c3f}
Confidentiality [WEB]
Author: @JohnHammond#6971
My school was trying to teach people about the cIA triad so they made all these dumb example applications... as if they know anything about information security. Can you prove these aren't secure?
Confidentiality | [SOLUTION]
Let us start the instance for this challenge.
Then we are provided with an HTTP address;
in this case it is http://challenge.ctf.games:31265
On visiting the web app we get a basic webpage
whose input field is pre-filled with /etc/hosts.
On providing /etc/hosts as the input
we get a response
that looks like a directory listing.
Besides getting a proper response, we can also trigger an error
so that we can analyse what the app does behind the scenes.
Providing aaa as the input
reveals the command ls -l
that is used to generate the response.
So I thought of using a pipe, |.
We can also use ;
or &
to chain two commands,
with which we can build a one-liner.
So, first of all I listed the home directory using the input /etc/hosts | ls -la /home
and found the user in the instance, named user.
Then I listed the home directory of user
using the input /etc/hosts | ls -la /home/user
and saw the files in that directory.
There we have our flag as flag.txt.
Then I used the cat
command to get the content of flag.txt,
providing the input /etc/hosts | cat /home/user/flag.txt
FLAG : flag{e56abbce7b83d62dac05e59fb1e81c68}
Integrity [WEB]
Author: @JohnHammond#6971
My school was trying to teach people about the CIA triad so they made all these dumb example applications... as if they know anything about information security.
Supposedly they learned their lesson and tried to make this one more secure. Can you prove it still vulnerable?
Integrity | [SOLUTION]
Let us start the instance for this challenge.
Then we are provided with an HTTP address;
in this case it is http://challenge.ctf.games:30043
On visiting the webpage we see a homepage where /etc/hosts
is written in the input field.
On providing /etc/hosts as the input
we see that the web app returns the SHA256 hash of that file.
After a lot of trial and error I thought of passing the request through Burp.
Sorry, but I don't have a screenshot of those errors.
Passing the request through Burp shows us the raw request.
Then, sending the request to Repeater and making an unusual guess, I got command injection in the instance.
There we got the user as user.
Then listing the home directory of user
shows the files in that directory,
and we see the flag for this challenge there as flag.txt.
Then using the cat
command to print the content of the flag.txt
file gives us the flag for this challenge.
FLAG : flag{62b8b3cb5b8c6803bf3dc585b1b5141d}
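As an added example (not the challenge application's code, which is not available), the vulnerable pattern behind Confidentiality and Integrity beside a hardened version, in Python. ALLOWED_ROOT and the assumption that the app only meant to expose files under /etc are mine.

```python
import hashlib
import os
from typing import List

# Characters that let a "file path" grow into a second shell command; the
# writeup uses | but ; and & behave the same way inside a shell string.
SHELL_META = set("|;&$`<>(){}\n\r")
# Assumption for this example: the app only ever meant to expose files under /etc.
ALLOWED_ROOT = "/etc"

def vulnerable_command(user_input: str) -> str:
    """The bug behind both challenges: input spliced into a shell string
    that is later executed with shell=True (or os.system)."""
    return f"ls -l {user_input}"

def is_injection_attempt(user_input: str) -> bool:
    """Detection signal worth logging: metacharacters in a path field."""
    return any(ch in SHELL_META for ch in user_input)

def validated_path(user_input: str) -> str:
    """Reject metacharacters and anything outside ALLOWED_ROOT; normpath
    collapses ../ segments (use realpath too in production to defeat symlinks)."""
    if is_injection_attempt(user_input):
        raise ValueError("shell metacharacter in path")
    path = os.path.normpath(user_input)
    if not path.startswith(ALLOWED_ROOT + os.sep):
        raise ValueError("path outside allowed directory")
    return path

def rejects(user_input: str) -> bool:
    """True when validated_path() refuses the input."""
    try:
        validated_path(user_input)
    except ValueError:
        return True
    return False

def safe_argv(user_input: str) -> List[str]:
    """Confidentiality fix: an argv list for subprocess.run() with no shell,
    where '--' stops ls from treating the path as an option."""
    return ["ls", "-l", "--", validated_path(user_input)]

def sha256_of(user_input: str) -> str:
    """Integrity fix: hash the file in-process instead of shelling out to a hashing command."""
    with open(validated_path(user_input), "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()
```

Running `subprocess.run(safe_argv(x), capture_output=True, text=True)` executes the listing without ever handing the input to a shell, so the `|`, `;` and `&` tricks above have nothing to act on.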
Swaggy [WEB]
Author: @congon4tor#2334
This API documentation has all the swag
Swaggy | [SOLUTION]
Let us start the instance for this challenge.
Then we are provided with an HTTP address;
in this case it is http://challenge.ctf.games:32286
On visiting the web address we are presented with a web app.
Let us switch to the Staging server in the server selector,
since the other entry reads Production (Currently Unavailable),
so that we can test the web app.
Now we click on the Authorize
button to see what it does.
On selecting it we see a dialog box
where we have to enter a username
and password.
As we all know, the default testing credentials are admin : admin,
and we see that we got it right. \0/
Then we close the dialog box and select the /flag
endpoint to see its contents.
Then we click the Try it out
button to see what happens next.
On clicking it, another button labelled Execute
is shown.
Clicking the Execute
button presents us with a curl command.
Copying and pasting the provided curl
command into a terminal and executing it
gives us the flag for this challenge.
FLAG : flag{e04f962d0529a4289a685112bf1dcdd3}
Jed Sheeran [OSINT]
Author: @JohnHammond#6971
Oh we have another fan with a budding music carrier! Jed Sheeran is seemingly trying to produce new songs based off of his number one favourite artist... but it doesn't all sound so good. Can you find him?
Find the flag somewhere in the world wide web with the clues provided.
Jed Sheeran | [SOLUTION]
Search for Jed Sheeran
on Google.
The first result is a link to SoundCloud.
Visiting the link takes us to Jed Sheeran's
SoundCloud profile.
There is a song named Beautiful People,
and opening that song's comment section gives us our flag for this challenge.
FLAG : flag{59e56590445321ccefb4d91bba61f16c}
Mike Shallot [OSINT]
Author: @JohnHammond#6971
Mike Shallot is one shady fella. We are aware of him trying to share some specific intel, but hide it amongst the corners and crevices of internet. Can you find his secret?
Find the flag somewhere in the world wide web with the clues provided
Mike Shallot | [SOLUTION]
Searching for the username mikeshallot
on Twitter,
Reddit,
Facebook,
Instagram
and other sites
did not give us any valid information about how to proceed.
But searching on Pastebin
for that username we find his account there,
which provides some information that makes us sure it is what we are looking for.
There we see that the account has a public paste named Shallot's Summons.
Opening the paste gives some information and 2 strings.
Its contents were:
This site is not as safe as we need it to be.
Meet me in the dark and I will share my secret with you.
Find me in the shadows, these may act as your light:
strongerw2ise74v3duebgsvug4mehyhlpa7f6kfwnas7zofs3kov7yd
pduplowzp/nndw79
So basically there are two strings provided. The first string (line 6 of the paste)
seems to be an onion
address.
I used Google dorking
to find any valid information about the first random string,
with the dork inurl:strongerw2ise74v3duebgsvug4mehyhlpa7f6kfwnas7zofs3kov7yd intext:strongerw2ise74v3duebgsvug4mehyhlpa7f6kfwnas7zofs3kov7yd
So here it is: it's an onion address.
After visiting the link we get the Stronghold Paste
web app,
similar to Pastebin,
so it's simply a data-pasting site.
Do you remember we have another string (line 8 of the paste)
in the Pastebin
content?
Appending the 2nd string from line 8
to the URL as
https://strongerw2ise74v3duebgsvug4mehyhlpa7f6kfwnas7zofs3kov7yd.onion.ly/pduplowzp/nndw79
we get the flag for this challenge \0/
FLAG : flag{6e57a4c0be1656f9bc873647f49b9cdc}
Thank you for reading my writeup :)
Hope to see you in my next writeup.
Support me if you want to.