## Information

### Version

| By | Version | Comment |
|---|---|---|
| noraj | 1.0 | Creation |
### CTF
- Name : NeverLAN CTF 2018
- Website : neverlanctf.com
- Type : Online
- Format : Jeopardy
- CTF Time : link
## 50 - more basic math - Scripting
Author: bt
Description: The answer to this puzzle is the sum of the values in the included file.
Here is what the file looks like:
```
$ head some_more_numbers.txt
```
Here is a quick Ruby script to sum them:
Flag is 50123971501856573397
## 100 - even more basic math with some junk - Scripting
Author: bt
Description: The answer to this puzzle is, yet again, the sum of the values in the included file.
NOTE: If there's a space between two digits they're not part of the same value.
Same as the previous challenge + garbage.
Let's fire up Ruby again (see comments):
Flag is: 34659711530484678082
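An added example (not the author's script) that solves both of the math challenges above: every maximal run of digits is taken as one value, so any non-digit character, a space included, separates values. Ruby integers are arbitrary precision, which matters here because both flags are above 2**64 and would overflow a fixed-width integer type.

```ruby
# Added example, not the original write-up's script: sum every run of decimal
# digits in a file, treating anything that is not a digit (spaces, letters,
# punctuation) as a separator, so "12 34" counts as 12 and 34, not 1234.
require 'tempfile'

def sum_numbers(text)
  # scan returns each maximal run of digits. Integer(str, 10) forces base 10 so
  # a leading zero is not read as octal, and Ruby's Integer never overflows, so
  # totals above 2**64 (as in these challenges) are exact.
  text.scan(/\d+/).sum { |digits| Integer(digits, 10) }
end

def sum_numbers_in_file(path)
  sum_numbers(File.read(path))
end

# Constructed sample in the style of the "junk" variant: two values of 2**64-1
# surrounded by garbage, plus 7, 42 and 9 glued to non-digit characters.
SAMPLE = <<~TXT
  18446744073709551615
  abc 18446744073709551615 !!
  7 42x9
TXT

if __FILE__ == $PROGRAM_NAME
  Tempfile.create('numbers') do |f|
    f.write(SAMPLE)
    f.flush
    puts sum_numbers_in_file(f.path) # 36893488147419103288
  end
end
```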
## 200 - JSON parsing 1 - Scripting
The attached file is metadata about one minute's uploads to VirusTotal.
The answer to this puzzle is a comma-separated list of the five antivirus engines that produced the highest percentage of positives, in descending order.
Don't draw any conclusions about the efficacy of any antivirus products from this exercise: VirusTotal receives a mixture of malicious and non-malicious files, so it's not necessarily better to have a high ratio than a low one or the other way around here. I also have no association with any of them. It's just a data manipulation puzzle, people =)
NOTE: The answer should be submitted with no spaces and the engine names should be exactly as they appear in the source data.
https://s3-us-west-2.amazonaws.com/neverlanctf/files/vt_minute_output.tar.bz2
What's easy with scripting challenges is that you already know what to do; you just don't know how.
So here is my (commented) Ruby script:
The flag is: SymantecMobileInsight,CrowdStrike,SentinelOne,Invincea,Endgame
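An added example (not the author's script) of the data manipulation the challenge asks for. It assumes a VirusTotal-style layout that is my assumption, not taken from the challenge archive: one JSON report per line, each with a `scans` object mapping an engine name to a result hash with a boolean `detected` key. The rate is computed per engine over the files that engine actually scanned, since not every engine appears in every report.

```ruby
# Added example, not the original write-up's script. Assumed input format:
# one VirusTotal-style JSON report per line with a "scans" object, e.g.
# {"scans": {"EngineA": {"detected": true}, "EngineB": {"detected": false}}}
require 'json'

# Constructed sample: three reports, EngineC absent from the second one.
REPORTS = <<~JSONL
  {"scans": {"EngineA": {"detected": true}, "EngineB": {"detected": false}, "EngineC": {"detected": true}}}
  {"scans": {"EngineA": {"detected": true}, "EngineB": {"detected": false}}}
  {"scans": {"EngineA": {"detected": false}, "EngineB": {"detected": true}, "EngineC": {"detected": true}}}
JSONL

# Returns engine => [positives, files_scanned], counting only reports in which
# the engine is present, so an engine that skipped files is not penalised.
def tally_engines(jsonl)
  tally = Hash.new { |h, k| h[k] = [0, 0] }
  jsonl.each_line do |line|
    line = line.strip
    next if line.empty?
    JSON.parse(line).fetch('scans', {}).each do |engine, result|
      tally[engine][1] += 1
      tally[engine][0] += 1 if result['detected'] == true
    end
  end
  tally
end

# Top n engines by positive rate, descending. Rational keeps the ratio exact,
# and ties are broken by engine name so the output is deterministic.
def top_engines(jsonl, n = 5)
  tally_engines(jsonl)
    .map { |engine, (pos, total)| [engine, Rational(pos, total)] }
    .sort_by { |engine, rate| [-rate, engine] }
    .first(n)
    .map(&:first)
end

# Submission format required by the challenge: comma-separated, no spaces,
# engine names exactly as they appear in the source data.
def answer(jsonl, n = 5)
  top_engines(jsonl, n).join(',')
end

puts answer(REPORTS) if __FILE__ == $PROGRAM_NAME # EngineC,EngineA,EngineB
```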
## 50 - Commitment Issues - Reversing
Author: @gr3yr0n1n
Description: Sometimes I feel it's hard to commit to any type of coding practices. Do you feel the same?
From the rabin2 (radare2) man page:

```
-z  Show strings inside .data section (like gnu strings does)
-i  Show imports (symbols imported from libraries)
-I  Show binary info
```

```
$ rabin2 -I commitment_issues
```
OK, this is a 64-bit, non-stripped ELF binary, so let's look at the strings:

```
$ rabin2 -iz commitment_issues
```
Flag is flag{don't_string_me_along_man!}
## 100 - ajax_not_soap - Web
Here is the JavaScript embedded in the login page:

```
// For element with id='name', when a key is pressed run this function
```

The query is sent via AJAX on every key pressed in the username and password fields.
Let's query them manually:
```
$ curl http://neverlanctf-challenges-elb-2146429546.us-west-2.elb.amazonaws.com:14043/webhooks/get_username.php
```
## 100 - the_red_or_blue_pill - Web
http://neverlanctf-challenges-elb-2146429546.us-west-2.elb.amazonaws.com:14010/
Here is the content of the homepage:
So obviously, request neither blue nor red alone but both: http://neverlanctf-challenges-elb-2146429546.us-west-2.elb.amazonaws.com:14010/?red&blue and get the flag:

```
<h1>Well you chose option 3 which clearly was stated not to do. Good job! :)</h1>
```
## 200 - ajax_not_borax - Web
http://neverlanctf-challenges-elb-2146429546.us-west-2.elb.amazonaws.com:14032/
```
// For element with id='name', when a key is pressed run this function
```

Same as the previous challenge: request the AJAX endpoints manually:

```
$ curl http://neverlanctf-challenges-elb-2146429546.us-west-2.elb.amazonaws.com:14032/webhooks/get_username.php?username=whatever
```

So the username in the form is compared to this MD5 hash; let's crack it with hashkiller:

```
c5644ca91d1307779ed493c4dedfdcb7 MD5 : tideade
```
Now let's request the password of this user:
```
$ curl http://neverlanctf-challenges-elb-2146429546.us-west-2.elb.amazonaws.com:14032/webhooks/get_pass.php?username=tideade
```

Use the base64 string as the password and the server answers with the same string.

```
$ printf %s 'ZmxhZ3tzZDkwSjBkbkxLSjFsczlISmVkfQ==' | base64 -di
```
## 200 - What the LFI? - Web
Author: @voldemortensen
Description: There is a file located at /var/www/blah.php Get that file to execute to retrieve the flag.
We can install wpscan or use wpscans.com online to check whether this WordPress website has known vulnerabilities, and there is one.
Information:
- WordPress Version: 4.9.4
- sam-pro-free - v1.8.2.51
After reading the PoC write-up we know we need to generate a base64-encoded LFI payload:

```
$ printf %s '../../../../../../var/www/blah.php' | base64
```
Now let's send it:
And get the flag: flag{dont_include_files_derived_from_user_input_kthx_bai}
## 200 - Das_blog - Web
John made a new web site go check it out
http://neverlanctf-challenges-elb-2146429546.us-west-2.elb.amazonaws.com:14054
Go to the login page: http://neverlanctf-challenges-elb-2146429546.us-west-2.elb.amazonaws.com:14054/login.php
Look at the source and see some test credentials:

```
<!-- Development test account: user: JohnsTestUser, pass: AT3stAccountForT3sting -->
```
So log in with them and get back to the home page.
We can read a welcome message:
You have stumbled upon Das Blog
Welcome JohnsTestUser
You have DEFAULT permissions
And there are two log entries, one of which contains this:
I can set posts to only show for users with special permissions!
Our cookie looks like this:

```
Cookie: PHPSESSID=tuoeph7shpvg4cbg18mb72bpos; user=JohnsTestUser; permissions=user
```
I used Burp to intercept the request and send a crafted cookie:

```
Cookie: PHPSESSID=tuoeph7shpvg4cbg18mb72bpos; user=JohnsTestUser; permissions=admin
```

Now the message "You have ADMIN permissions" welcomes us.
And there is one new log entry:
The Key, Oh my, The Key
I know this post is only available for admins, and since I am the only admin on the blog, I decided to start keeping my passwords on here for quick access. Everyone says that it isn't a good idea, but I don't care, nobody reads this blog anyway...
flag{C00ki3s_c4n_b33_ch4ng3d_?}
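The blog trusted a plain `permissions=user` cookie, so rewriting it to `admin` was all it took. As an added example (not the challenge's code), here is how a server can bind the permission level to a secret so that the same edit is detected. The cookie layout, the `SECRET` constant and the helper names are my assumptions.

```ruby
# Added example, not the challenge's code: sign the permissions cookie with an
# HMAC so a client-side edit of "permissions=user" to "admin" is rejected.
require 'openssl'
require 'base64'

# Hypothetical server-side secret (constructed); in practice load it from
# configuration and never send it to the client.
SECRET = 'constructed-demo-secret-do-not-reuse'.freeze

def sign(value, secret = SECRET)
  Base64.strict_encode64(OpenSSL::HMAC.digest('SHA256', secret, value))
end

# Constant-time comparison so a forged MAC cannot be guessed byte by byte
# from response timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Cookie value layout assumed here: "user=<name>;permissions=<level>|<mac>".
def issue_permissions_cookie(user, level, secret = SECRET)
  payload = "user=#{user};permissions=#{level}"
  "#{payload}|#{sign(payload, secret)}"
end

# Returns the verified permission level, or nil if the cookie was altered or
# malformed; the server then falls back to default permissions.
def verify_permissions_cookie(cookie, secret = SECRET)
  payload, mac = cookie.split('|', 2)
  return nil if payload.nil? || mac.nil?
  return nil unless secure_equal?(mac, sign(payload, secret))
  payload[/permissions=(\w+)/, 1]
end

if __FILE__ == $PROGRAM_NAME
  cookie = issue_permissions_cookie('JohnsTestUser', 'user')
  p verify_permissions_cookie(cookie)                                             # "user"
  p verify_permissions_cookie(cookie.sub('permissions=user', 'permissions=admin')) # nil
end
```

The session id itself should still be the only thing stored client-side in a real application, with the permission level looked up server-side; the MAC only closes the tampering hole shown in this challenge.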
## 300 - tik-tik-boom - Web
http://neverlanctf-challenges-elb-2146429546.us-west-2.elb.amazonaws.com:14065/
```
$ curl --head http://neverlanctf-challenges-elb-2146429546.us-west-2.elb.amazonaws.com:14065/
```

So let's make a request with Burp and that cookie:

```
GET / HTTP/1.1
```
We can now see a hidden field in the source; here is the server's answer:

```
HTTP/1.1 200 OK
```

Now let's try to use those credentials as a cookie:

```
GET / HTTP/1.1
```

The hidden span now contains this: Close, but your timing is off purvesta....
Reading an old write-up of mine, [NeverLAN CTF 2017 100 - purvesta - recon](https://blog.raw.pm/en/NeverLAN-CTF-2017-write-ups/#100-purvesta-recon),
I found his linked page again, where I can see he is working at Twin Falls in the state of Idaho, USA.
According to Twin Falls wikipedia page the time zone of the city is the following:
- Time zone MST (UTC-7)
- Summer (DST) MDT (UTC-6)
I looked for a way to change the timezone and trick the server, but apparently the only way was to wait for the right time (23h59), as Pwn Collective did (see their write-up).
A late update of the challenge also told us there was a bug in the app that, according to Pwn Collective, allowed downloading the source code.
The flag was flag{You_are_really_good_at_this_timing_thing}