
Hacktivity Con 2021 [CTF] Writeup

Team Details

Team Name : MINOTAURSEC

Team Members : sys41x4 [Arijit Bhowmick]
               (https://twitter.com/sys41x4)
               
               meet9#4291 {Discord} [Meet Bhanushali]
               (https://twitter.com/Bhanushalimeet5)
Team Points Earned : 1011
Team Position : 331
Challenges Solved : Bass64 [WARMUPS]
                    Read The Rules [WARMUPS]
                    2EZ [WARMUPS]
                    Target Practice [WARMUPS]
                    Tsunami [WARMUPS]
                    Six Four Over Two [WARMUPS]
                    Butter Overflow [WARMUPS]
                    Pimple [WARMUPS]
                    Confidentiality [WEB]
                    Integrity [WEB]
                    Swaggy [WEB]
                    Jed Sheeran [OSINT]
                    Mike Shallot [OSINT]
Team Score Board : 1011


Challenges

Bass64 [WARMUPS]

Bass64 Details

Author: @JohnHammond#6971

It, uh... looks like someone bass-boosted this? Can you make any sense of it?

Bass64 | [SOLUTION]

Download the challenge file from the attachment button.
After opening it we are presented with ASCII art.

Bass64 ASCII ART

Here I used micro (a terminal text editor) to open the file.
We could also use nano, Sublime Text, or any other text editor.

The ASCII art spells out characters; typing them into the terminal
gives us a base64-encoded string.
Decoding that string gives us the flag for this challenge.

Bass64 FLAG

FLAG : flag{35a5d13da6a2afa0c62bfcbdd6301a0a}

Read The Rules [WARMUPS]

Read-The-Rules Details

Author: @JohnHammond#6971

Please follow the rules for this CTF

Read The Rules | [SOLUTION]

The challenge description contains a link,
https://ctf.hacktivitycon.com/rules

Viewing the source code of that page
reveals our flag in an HTML comment.

Read-The-Rules Flag

FLAG : flag{90bc54705794a62015369fd8e86e557b}

2EZ [WARMUPS]

2EZ Details

Author: @JohnHammond#6971

These warmups are just too easy! This one definitely starts that way, at least!

2EZ | [SOLUTION]

Let us first download the provided attachment.
After downloading it, open it in hexedit.

2EZ Challenge File

There we can see that it is a JPEG file;
we can tell by analysing the header bytes,
but in this case the first bytes have been altered.

So we can fix this JPEG file by repairing its header bytes.
The magic header bytes of a JPEG file are FF D8 FF E0

2EZ Solved File

So after replacing the first 4 bytes of the file with FF D8 FF E0
the image opens, and the flag is written in the JPEG.

2EZ FLAG

FLAG : flag{812a2ca65f334ea1ab234d8af3c64d19}
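The header repair above, as an added example that is not part of the original write-up: FF D8 is the SOI marker every JPEG starts with, and FF E0 is the APP0 marker of a JFIF file, so the script checks for the "JFIF\0" identifier before overwriting the first four bytes, then walks the marker segments to confirm the repaired file is well-formed. The sample bytes are constructed; the file names in the usage comment are placeholders.

```python
import sys

SOI = b"\xff\xd8"   # Start Of Image: every JPEG begins with these two bytes
APP0 = b"\xff\xe0"  # APP0 marker; in a JFIF file its payload starts with "JFIF\0"
EOI, SOS = 0xD9, 0xDA

def repair_jpeg_header(data: bytes) -> bytes:
    """Rewrite the first four bytes to FF D8 FF E0, as done in hexedit in the write-up.
    Only do so when the bytes after them look like a JFIF APP0 segment, so a file that
    merely has a wiped header but was never a JPEG is not silently 'repaired'."""
    if data[:2] == SOI:
        return data                        # nothing to fix
    # layout: [0:2] SOI, [2:4] APP0 marker, [4:6] segment length, [6:11] "JFIF\0"
    if data[6:11] != b"JFIF\x00":
        raise ValueError("header damaged and no JFIF identifier at offset 6")
    return SOI + APP0 + data[4:]

def jpeg_segments(data: bytes):
    """Walk the marker segments after SOI, yielding (marker, payload).
    Stops at SOS (entropy-coded data follows) or EOI; raises on a broken layout."""
    if data[:2] != SOI:
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment length")
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # counts its own 2 bytes
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"segment 0x{marker:02X} at offset {pos} has bad length")
        yield marker, data[pos + 4:pos + 2 + length]
        if marker == SOS:
            return
        pos += 2 + length
    raise ValueError("file ended without an EOI marker")

# Constructed minimal JFIF: SOI, one 16-byte APP0 segment, EOI (no image data at all).
APP0_PAYLOAD = b"JFIF\x00" + b"\x01\x01" + b"\x00" + b"\x00\x01\x00\x01" + b"\x00\x00"
GOOD_SAMPLE = SOI + APP0 + (2 + len(APP0_PAYLOAD)).to_bytes(2, "big") + APP0_PAYLOAD + b"\xff\xd9"
DAMAGED_SAMPLE = b"\x00\x00\x00\x00" + GOOD_SAMPLE[4:]  # first four bytes wiped, as in 2EZ

if __name__ == "__main__":  # usage: python fix_jpeg.py damaged.jpg repaired.jpg
    with open(sys.argv[1], "rb") as f:
        fixed = repair_jpeg_header(f.read())
    print("segments:", [hex(m) for m, _ in jpeg_segments(fixed)])
    with open(sys.argv[2], "wb") as f:
        f.write(fixed)
```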

Target Practice [WARMUPS]

Target Practice Details

Author: @JohnHammond#6971

Can you hit a moving target?

Note, this flag contains only 24 hexadecimal characters.

Target Practice | [SOLUTION]

Let us first download the provided attachment.
We see that it is a GIF file.

Target Practice Challenge File

Opening it shows what look like random QR-code-style images.

I tried strings, hexedit, steghide, exiftool and binwalk, but none of them worked.

So I decided to extract all the frames from the GIF file and analyse them.

I used an online GIF-to-PNG converter and got all the frames of the GIF as PNG files.

We get 22 PNG files, which means the GIF likely has 22 frames.

Target Practice 22 PNG Files

So I did a quick reverse search with Google Reverse Image Search (https://www.google.com/imghp) using the first PNG extracted from the GIF.

The results point to MaxiCode.

Target Practice google Reverse Image Search

I then searched for a MaxiCode decoder and found a website that decodes MaxiCode images: https://products.aspose.app/barcode/recognize/maxicode#

There I tried all 22 PNGs one by one.

The 16th PNG gave us the flag for this challenge.

Target Practice maxicode flag

FLAG : flag{385e3ae5d7b2ca2510be8ef4}

Tsunami [WARMUPS]

Tsunami Details

Author: @JohnHammond#6971

Woah! It's a natural disaster! But something doesn't seem so natural about this big wave...

Tsunami | [SOLUTION]

So let us download the file.
Checking the file type with the file command
shows that it is a WAV file.

Tsunami filetype

After playing the WAV file I was sure it was audio steganography.

I quickly fired up Audacity, opened the WAV file in it,
and changed the view from waveform to spectrogram.

Tsunami Audacity Analysis

Scrolling to the very end we find our flag \0/

Tsunami Flag

FLAG : flag{f8fbb2c761821d3af23858f721cc140b}

Six Four Over Two [WARMUPS]

Six Four Over Two Details

Author: @JohnHammond#6971

I wanted to cover all the bases so I asked my friends what they thought, but they said this challenge was too basic...

Six Four Over Two | [SOLUTION]

Let us download the challenge file.

Opening it shows that it contains a string:
EBTGYYLHPNQTINLEGRSTOMDCMZRTIMBXGY2DKMJYGVSGIOJRGE2GMOLDGBSWM7IK

At first glance I recognised it as a Base32-encoded string.
Decoding the Base32 string gives us the flag for this challenge.

Six Four Over Two Flag

FLAG : flag{a45d4e70bfc407645185dd9114f9c0ef}

Butter Overflow [WARMUPS]

Butter Overflow Details

Author: @M_alpha#3534

Can you overflow this right?

Butter Overflow | [SOLUTION]

We are provided with 3 files as attachments,
but I used only 2 of them:
source.c and butter_overflow

butter_overflow is the binary and source.c is its source file.

As it is a warmup challenge I was sure a basic buffer overflow would get us the flag.

source.c contains the following C code:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <sys/stat.h>

void give_flag();

void handler(int sig) {
    if (sig == SIGSEGV)
        give_flag();
}

void give_flag() {
    char *flag = NULL;
    FILE *fp = NULL;
    struct stat sbuf;

    if ((fp = fopen("flag.txt", "r")) == NULL) {
        puts("Could not open flag file.");
        exit(EXIT_FAILURE);
    }

    fstat(fileno(fp), &sbuf);

    flag = malloc(sbuf.st_size + 1);
    if (flag == NULL) {
        puts("Failed to allocate memory for the flag.");
        exit(EXIT_FAILURE);
    }

    fread(flag, sizeof(char), sbuf.st_size, fp);
    flag[sbuf.st_size] = '\0';

    puts(flag);

    fclose(fp);
    free(flag);

    exit(EXIT_SUCCESS);
}

int main() {
    char buffer[0x200];

    setbuf(stdout, NULL);
    setbuf(stdin, NULL);

    signal(SIGSEGV, handler);

    puts("How many bytes does it take to overflow this buffer?");
    gets(buffer);

    return 0;
}

First I made the binary executable
using the command chmod +x butter_overflow

Then I analysed it with checksec (a tool from the pwntools package)

Butter Overflow checksec analysis

Then I generated a 1000-byte cyclic string and redirected it to a file named alphabet
using the command cyclic 1000 > alphabet
Here alphabet is just a file name and can be anything you want; the file contains a string of length 1000.

Let us now use gdb to analyse the binary.

Butter Overflow gdb analysis

After feeding the binary the string from the alphabet file using
r < alphabet
we see that a buffer overflow has occurred.

Butter Overflow pwndbg analysis

We see that the crash lands on the string faafgaaf.
Finding that string in the alphabet file with grep gives us the exact string
we need to send to cause the overflow.

Butter Overflow grep

There is a deploy button in the challenge details
which gives us an IP address and a port to connect to with nc.
On deploying the instance we are shown a prompt asking us for input.

Butter Overflow deploy instance

Providing the string that causes the buffer overflow as input
gives us the flag for this challenge: the program's SIGSEGV handler calls give_flag(),
so crashing it is enough.

Butter Overflow Flag

FLAG : flag{72d8784a5da3a8f56d2106c12dbab989}
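The cyclic-pattern step above (cyclic 1000 and the grep for faafgaaf), reimplemented as an added example that is not part of the write-up or of pwntools: it generates the same de Bruijn pattern and locates the crash window in it, which is all the grep was doing. The pattern length 1000 and the crash string faafgaaf come from the write-up; that the binary is x86-64 is an assumption based on the 8-byte crash value.

```python
from itertools import islice

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"

def de_bruijn(alphabet: bytes = ALPHABET, n: int = 4):
    """Lazily generate the de Bruijn sequence B(k, n) with the FKM algorithm; this is
    the pattern pwntools' `cyclic` prints. Every n-byte window occurs exactly once, so
    a window read back from the crashed process pins down its position in the input."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)

def cyclic(length: int, n: int = 4) -> bytes:
    """First `length` bytes of the pattern: what `cyclic 1000 > alphabet` wrote."""
    return bytes(islice(de_bruijn(ALPHABET, n), length))

def cyclic_find(value, n: int = 4, length: int = 1000) -> int:
    """Offset of the crash window in the pattern (the grep step of the write-up).
    Takes the bytes shown by the debugger or an integer register value; an integer is
    converted little-endian, which is how 'faafgaaf' would sit in a 64-bit register."""
    if isinstance(value, int):
        value = value.to_bytes(8, "little")
    offset = cyclic(length, n).find(value[:n])   # the first n bytes identify the window
    if offset < 0:
        raise ValueError("window not in the pattern; check length, alphabet and n")
    return offset

if __name__ == "__main__":
    # The write-up's crash landed on "faafgaaf". Assuming an x86-64 binary, the offset
    # is the 0x200-byte buffer plus the 8-byte saved frame pointer, i.e. the distance
    # from the start of the buffer to the saved return address.
    print(cyclic_find(b"faafgaaf"))  # 520
```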

Pimple [WARMUPS]

Pimple Details

Author: @JohnHammond#6971

This challenge is simple,it's just a pimple!

Pimple | [SOLUTION]

Let us first download the file and check its type.

Pimple Filetype

Here we can see that it is a GIMP file.

Let us open the challenge file pimple in GIMP or Photopea (an online alternative that opens GIMP files).
As I don't have GIMP installed on my system, I used the online alternative.

Pimple load Image

After removing the 6 top-most layers we see our flag.

Pimple Flag

FLAG : flag{9a64bc4a390cb0ce31452820ee562c3f}

Confidentiality [WEB]

Confidentiality Details

Author: @JohnHammond#6971

My school was trying to teach people about the CIA triad so they made all these dumb example applications... as if they know anything about information security. Can you prove these aren't secure?

Confidentiality | [SOLUTION]

Let us start the instance for this challenge.

We are then given an HTTP address,
in this case http://challenge.ctf.games:31265

Visiting the web app shows a basic page
with /etc/hosts pre-filled in the input field.

Submitting /etc/hosts returns a response
that looks like a directory listing.

Confidentiality Basic Command

Besides getting a proper response, we can also trigger an error
so that we can understand the process better.

Submitting aaa reveals that the command ls -l is used to produce the response.

Confidentiality Error

So I thought of using a pipe, |.
We can also use ; or & to run two commands in one go,
which lets us build a one-liner.

First I listed the home directory with the command /etc/hosts | ls -la /home
and found the user on the instance, named user.
Then I listed that user's home directory with the command /etc/hosts | ls -la /home/user
and saw the files in it.
There we have our flag, flag.txt

Confidentiality List User directory

Then I used the cat command to read flag.txt,
providing the input /etc/hosts | cat /home/user/flag.txt

Confidentiality Flag

FLAG : flag{e56abbce7b83d62dac05e59fb1e81c68}

Integrity [WEB]

Integrity Details

Author: @JohnHammond#6971

My school was trying to teach people about the CIA triad so they made all these dumb example applications... as if they know anything about information security.
Supposedly they learned their lesson and tried to make this one more secure. Can you prove it is still vulnerable?

Integrity | [SOLUTION]

Let us start the instance for this challenge.

We are then given an HTTP address,
in this case http://challenge.ctf.games:30043

Visiting the web page shows a homepage with /etc/hosts pre-filled in the input field.

Integrity Homepage

Submitting /etc/hosts returns the SHA256 hash of that file.

Integrity SHA256 hash of /etc/hosts

After a lot of trial and error I thought of passing the request through Burp.
Sorry, but I don't have screenshots of those errors.

Passing the request through Burp shows us the raw request.

Integrity first request through burp

Then I sent the request to Repeater and, with a lucky guess, found command injection in the instance.

Integrity list home Directory

There we find the user, named user.
Listing that user's directory shows the files in it,
and among them is the flag for this challenge, flag.txt

Integrity list user Directory

Then using the cat command to print the content of flag.txt gives us the flag for this challenge.

Integrity Flag

FLAG : flag{62b8b3cb5b8c6803bf3dc585b1b5141d}
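An added example covering both the Confidentiality and Integrity challenges (it is not the challenge source, which the write-up does not show): vulnerable_hash is the assumed pattern behind both apps, an input field spliced into a shell command so that |, ; and & start a second command, and resolve_allowed plus safe_hash are the fix, canonicalising the path, checking it against an allowlist and hashing in-process with no shell at all. ALLOWED_ROOTS, the hosts file content and the sandbox tree are constructed for the demo.

```python
import hashlib
import os
import subprocess
import tempfile

ALLOWED_ROOTS = ("/etc",)                # assumption: the app only ever needed this tree
SAMPLE_HOSTS = b"127.0.0.1 localhost\n"  # constructed stand-in for /etc/hosts

def vulnerable_hash(user_input: str) -> str:
    """The pattern the challenge behaves like (assumed; its real source is not shown):
    the field is spliced into a shell command line, so '|', ';' and '&' in the input
    start a second command running with the web app's privileges."""
    cmd = f"sha256sum {user_input}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def resolve_allowed(user_input: str, allowed_roots=ALLOWED_ROOTS) -> str:
    """Canonicalise the input and accept it only if it is a regular file under one of
    the allowed roots. realpath() collapses '..' and symlinks before the check."""
    real = os.path.realpath(user_input)
    roots = [os.path.realpath(r) for r in allowed_roots]
    if not any(os.path.commonpath([real, r]) == r for r in roots):
        raise ValueError("path outside allowed roots")
    if not os.path.isfile(real):
        raise ValueError("not a regular file")  # "/etc/hosts | cat ..." is rejected here
    return real

def safe_hash(user_input: str, allowed_roots=ALLOWED_ROOTS) -> str:
    """Hardened Integrity handler: no shell and no external binary; the digest is
    computed in-process, so the input can only ever name a file."""
    path = resolve_allowed(user_input, allowed_roots)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_sandbox() -> tuple:
    """Constructed test tree standing in for /etc: returns (root, hosts_path, empty_path)."""
    root = tempfile.mkdtemp()
    hosts, empty = os.path.join(root, "hosts"), os.path.join(root, "empty")
    with open(hosts, "wb") as f:
        f.write(SAMPLE_HOSTS)
    open(empty, "wb").close()
    return root, hosts, empty

if __name__ == "__main__":
    root, hosts, _ = make_sandbox()
    print(safe_hash(hosts, (root,)))  # a real file under the allowed root: hashed
```

The same resolve_allowed gate, followed by os.stat instead of a shelled-out ls -l, is the fix for the Confidentiality listing endpoint.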

Swaggy [WEB]

Swaggy Details

Author: @congon4tor#2334

This API documentation has all the swag

Swaggy | [SOLUTION]

Let us start the instance for this challenge.

We are then given an HTTP address,
in this case http://challenge.ctf.games:32286

On visiting the web address we are presented with a web app.

Swaggy Homepage

Let us switch from Production (Currently Unavailable) to the staging server
so that we can test the web app.

Swaggy Testing Server

We can now click on the Authorize tab to see what it does.
Selecting it opens a dialog box
where we have to enter a username and password.

Swaggy Authorize Tab

As we all know, the default testing credentials are admin : admin,
and we can see that they work. \0/

Swaggy Authorize Grant

Then close the dialog box and select the /flag tab to see its contents.

Swaggy /flag Tab

Then click the Try it out button to see what happens next.
On clicking it, another button labelled Execute appears.

Swaggy /flag Tab Try-it-out

Clicking the Execute button presents us with a curl command

Swaggy /flag Tab Execute

Copying the provided curl command into a terminal and running it
gives us the flag for this challenge.

Swaggy Flag

FLAG : flag{e04f962d0529a4289a685112bf1dcdd3}

Jed Sheeran [OSINT]

Jed Sheeran Details

Author: @JohnHammond#6971

Oh we have another fan with a budding music career! Jed Sheeran is seemingly trying to produce new songs based off of his number one favourite artist... but it doesn't all sound so good. Can you find him?

Find the flag somewhere in the world wide web with the clues provided.

Jed Sheeran | [SOLUTION]

Search for Jed Sheeran in Google Search.
The first result is a link to SoundCloud.

Jed Sheeran Google Search

Visiting the link takes us to Jed Sheeran's SoundCloud profile.

Jed Sheeran SoundCloud UA

There is a song named Beautiful People,
and opening that song's comment section gives us our flag for this challenge.

Jed Sheeran flag

FLAG : flag{59e56590445321ccefb4d91bba61f16c}

Mike Shallot [OSINT]

Mike Shallot Details

Author: @JohnHammond#6971

Mike Shallot is one shady fella. We are aware of him trying to share some specific intel, but hide it amongst the corners and crevices of internet. Can you find his secret?

Find the flag somewhere in the world wide web with the clues provided

Mike Shallot | [SOLUTION]

Searching for the username mikeshallot on Twitter, Reddit, Facebook, Instagram and other sites
did not give us any useful information on how to proceed.

But searching Pastebin for that username turned up his account there,
which contains information confirming it is what we are looking for.

Mike Shallot pastebin UA

There we see that the account has a public note named Shallot's Summons.
Opening the note gives some information and 2 strings.

Mike Shallot pastebin note

The contents of the note were:

This site is not as safe as we need it to be. 
Meet me in the dark and I will share my secret with you.
 
Find me in the shadows, these may act as your light:
 
strongerw2ise74v3duebgsvug4mehyhlpa7f6kfwnas7zofs3kov7yd
 
pduplowzp/nndw79

So there are two strings; the first one, at line 6 of the note,
looks like an onion address.

I used Google dorking to find any information about the first string,
with the query inurl:strongerw2ise74v3duebgsvug4mehyhlpa7f6kfwnas7zofs3kov7yd intext:strongerw2ise74v3duebgsvug4mehyhlpa7f6kfwnas7zofs3kov7yd

And there it is: it is an onion link.

Mike Shallot onion link google search

Visiting the link brings us to the Stronghold Paste web app,
which is similar to Pastebin:
simply a place to paste data.

Do you remember the other string, at line 8 of the Pastebin note?

Mike Shallot pastebin last string

Appending the second string from line 8 to the URL as
https://strongerw2ise74v3duebgsvug4mehyhlpa7f6kfwnas7zofs3kov7yd.onion.ly/pduplowzp/nndw79

we see the flag for this challenge \0/

Mike Shallot flag

FLAG : flag{6e57a4c0be1656f9bc873647f49b9cdc}


Thank you for reading my writeup :)
I hope to see you in my next writeup.

Support Me if you want to.

This post is licensed under CC BY 4.0 by the author.