Home [EZCTF] Report
Post
Cancel

[EZCTF] Report

Tri Nguyen on May 72022-05-07T17:00:00-06:00
Updated May 82022-05-08T16:51:38-06:00 2 min read

Introduction

  • This CTF was 24 hours on May 6th and May 7th. Pretty basic stuff but I only did web exploitation and the others are too CTF specific and just puzzle so I didn’t bother.

  • Fun experience otherwise :)

Forensics

DigitalOcean (50 points)

  • The flag is in the slide, not hidden or anything.
  • EZ-CTF{TH1S_1S_FR33}

Web

Super Secure (100 points)

  • http://ez.ctf.cafe:8888
  • Try OR 1=1' it returns a SQL Error. So the form is susceptible to SQLi.
  • I tried running SQLMap but it does not yield immediate result.
  • I browse to PayLoadAllTheThing GitHub and use this payload ' or 1=1 limit 1 -- -+.
  • EZ-CTF{N0t_S0_S4f3_4ft3r_411}

I made a blog! (150 points)

  • http://ez.ctf.cafe:9999
  • The site is vulnerable to LFI: http://ez.ctf.cafe:9999/blog-posts.php?file=../../../../../etc/passwd
  • Running dirsearch we see interesting results such as /robots.txt, /flag.php.
  • flag.php: How do you filter your coffee?
  • I tried a couple more LFI to RCE but not working.
  • This guide helped me a lot: https://d00mfist.gitbooks.io/ctf/content/local_file_inclusion.html
  • In order to show the content of flag.php, I used the payload: php://filter/convert.base64-encode/resource=flag.php
  • EZ-CTF{LFI_1S_3Z}

Race 1 (200 points) & Race 2 (300 points)

  • Sadly someone DDOS the 2 challenges. The organizer decided to give out the flag for everyone. Kudos to them and big L to the one ruining the fun.
  • EZ-CTF{R3C_T0_34SY_F0R_M3}
  • EZ-CTF{1_4M_PR3TTY_G00D_4T_R3C}

OSINT

American (150 points)

  • Find the Gallery, find Mr. Gud, find the cow.

  • Flag format: EZ-CTF{Mr_Gud_Full_Name_Cow_Painting_Name}

  • Using reverse image search, we found the gallery: https://www.thesignaturegallery.com/artists/james-ayers/

  • Go to the Artist page, CTRL+F for Gud we can find the artist.

  • EZ-CTF{Trent_Gudmundsen_Young_Holstein}

Alien Dream (100 points)

  • Find the painter and find the Bigfoot

  • Flag format: EZ-CTF{Painter_Painting_Name}

  • Reverse image search again, we are arrived at the gallery: https://boonegallery.com/

  • EZ-CTF{Amy_Cordova_Summer_Of_Love}

Hue is This? (170 points)

  • Don’t rotate 180

  • Reverse image search, https://www.discogs.com/release/3724-The-Green-Nuns-Of-The-Revolution-Rock-Bitch-Mafia

  • EZ-CTF{India_Waters_Rock_Bitch}

Limo (190 points)

  • Using Google Image search does not work.

  • Use Yandex: https://yandex.com/images/search?cbir_id=1043830%2F3c-vrkY8PlddLt8Md17p0A9827&pos=0&rpt=imageview&img_url=https%3A%2F%2Fcoub-anubis-a.akamaized.net%2Fcoub_storage%2Fcoub%2Fsimple%2Fcw_image%2F65b740110ed%2F08b66f032f17897be1daf%2F1473499422_00029.jpg&cbir_page=similar&url=https%3A%2F%2Favatars.mds.yandex.net%2Fget-images-cbir%2F1043830%2F3c-vrkY8PlddLt8Md17p0A9827%2Forig

  • The band is Aphex Twin and the song is Windowlickers

  • EZ-CTF{Aphex_Twin_76_Windows}

Follow Avis (280 points)

  • Time to move forward and get on the road

  • On your journey find the unblurred license plate shorturl.at/ptAS1

  • Just move forward ;)
  • EZ-CTF{241340_P}

Crypto

No Kidding (70 points)

8/44/444/7777\\\444/7777\\\8/44/33\\\555/2/6/33/7777/8\\\222/8/333\\\333/555/2/4\\\33/888/33/33/33/33/777

  • Use this to decrypt: https://www.dcode.fr/multitap-abc-cipher

OMG (80 points)

  • This is free.

  • EZ-CTF{1_HAT3_TH15_FL4G}

Steganography

Bernie (125 points)

  • steghide extract -sf Bernie.jfif
s = "\28x\32x\38x\28x\32x\38x\28x\32x\38x\28x\32x\38xE\28x\32x\38x\28x\32x\38xZ\28x\32x\38x-\28x\32x\38xC\28x\32x\38x\28x\32x\38xT\28x\32x\38xF\28x\32x\38x{N\28x\32x\38xO\28x\32x\38xW\28x\32x\38x_\28x\32x\38x\28x\32x\38xY\28x\32x\38x\28x\32x\38xO\28x\32x\38xU_\28x\32x\38xS\28x\32x\38x\28x\32x\38x\28x\32x\38x\28x\32x\38xE\28x\32x\38x\28x\32x\38xE\28x\32x\38x_\28x\32x\38xM\28x\32x\38xE\28x\32x\38x\28x\32x\38x_\28x\32x\38xN\28x\32x\38xI\28x\32x\38x\28x\32x\38xC\28x\32x\38xE\28x\32x\38x}\28x\32x\38x\28x\32x\38x\28x\32x\38x\28x\32x\38x\28x\32x\38x\28x\32x\38x"
ret = s.replace("\28x\32x\38x", "")
print(ret)

NEO (150 points)

  • Using a bunch of tools from HackTricks: https://book.hacktricks.xyz/crypto-and-stego/stego-tricks

  • This stegsolve works. https://github.com/eugenekolo/sec-tools/tree/master/stego/stegsolve

  • EZ-CTF{YOU_TOOK_TH3_R3D_P1LL_DIDNT_YOU}

PWN

Mario (100 points)

  • I thought this was PyJail but apparently not.

  • Try buffer overflow but not working. Then I tried * then it listed all file in the directory.

  • ;cat flag.txt

  • EZ-CTF{UNSECUR3_B4SH}

Peach (300 points)

  • Research pyjail, python sandbox escape

  • print(__builtins__.open('flag.txt', 'rb').read())

CTF, Write Up
ctf write-up
This post is licensed under CC BY 4.0 by the author.
Recent Update
Contents

[Announcement] I promise I will upload write-ups!

[Knowledge] Red Team Reconnaissance