writeups

Xiomara CTF 2017 - Write-ups

noraj (Alexandre ZANNI)
, , ,
🇬🇧

Information#

Version#

By Version Comment
noraj 1.0 Creation

CTF#

  • Name : Xiomara CTF 2017
  • Website : xiomara.xyz
  • Type : Online
  • Format : Jeopardy
  • CTF Time : link

50 - Easy Login? - Web Exploitation#

An aspiring engineer started learning web development on Youtube a day ago and he was asked to build a nice, secure, simple login page as part of his project. Well, he just started off so don't blame him. Go, hack!

http://139.59.61.220:23478/

The source is suspicious:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
<!DOCTYPE html>
<html>
<head>
<title>Login</title>
</head>
<script type="text/javascript" src="main.js"></script>
<link rel="stylesheet" href="flag.css" />
<body>
<h1 align= "center">Login Portal</h1>
<form name="login" method="POST" action="">

        <b>Username :<b> <input type="text" name ="username"/><br>
       <b> Password :<b> <input type="password" name="password" /></br></br>
        <input onclick="Login()" type="button" value="verify" name="button" />
    </form>
</body>
</html>

Let's see main.js:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
function Login(){

    var username=document.login.username.value;
    var password=document.login.password.value;




    if (password == "53cure" && username=="@nokh@") {
        alert("Awesome!");
             window.open("secureflag.html");
    } else {
        alert("Oh swap!You are close. Why cant you try again?");

    }
}

Now we can use @nokh@ and 53cure or directly go to http://139.59.61.220:23478/secureflag.html.

The image is named hiddenflag.jpeg so let's download it.

There is some hidden data here:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
$ binwalk hiddenflag.jpeg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
48981         0xBF55          Zip archive data, at least v1.0 to extract, compressed size: 29, uncompressed size: 29, name: flag.txt
49154         0xC002          End of Zip archive

$ foremost -v hiddenflag.jpeg
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Sun Feb 26 19:14:21 2017
Invocation: foremost -v hiddenflag.jpeg
Output directory: /home/noraj/CTF/XiomaraCTF/2017/output
Configuration file: /etc/foremost.conf
Processing: hiddenflag.jpeg
|------------------------------------------------------------------
File: hiddenflag.jpeg
Start: Sun Feb 26 19:14:21 2017
Length: 48 KB (49176 bytes)

Num	 Name (bs=512)	       Size	 File Offset	 Comment

0:	00000000.jpg 	      47 KB 	          0 	 
foundat=flag.txtUT
1:	00000095.zip 	      196 B 	      48981 	 
*|
Finish: Sun Feb 26 19:14:21 2017

2 FILES EXTRACTED

jpg:= 1
zip:= 1
------------------------------------------------------------------

Foremost finished at Sun Feb 26 19:14:21 2017

$ cd output/zip

$ unzip 00000095.zip
Archive:  00000095.zip
 extracting: flag.txt

$ cat flag.txt
xiomara{50_y0u_ar3_@_h@ck3r}

50 - Lulz - Web Exploitation#

Heavy sarcasm awaits. Are you a person who finds opportunities even in trolls? Well, let's find out.

http://139.59.61.220:23456

The webpage is a troll opening a pop-up and redirecting to a troll page: http://139.59.61.220:23456/troll.html

But of course you are using NoScript or know about view-source: in Firefox.

Let's see the source (view-source:http://139.59.61.220:23456/):

1
2
3
4
5
6
7
8
9
<head>
<title>Hahaha!!!</title>

<body>
   <img src ="lol.jpg" align ="center" width ="50%" height = "50%" alt ="lollol">
</body>

<script type="text/javascript" src="hook.js"></script>
</head>

hook.js source:

1
2
3
4
5
6
7
8
9
10
11
function catch_me()
{
(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]]) /*VERY LONG*/
}

 function Redirect() {
               window.location="troll.html";
            }

            alert("Warning you are about to be trolled");
            setTimeout('Redirect()', 0);

The catch_me() function looks like some brainfuck-js.

Copy it and paste it in your browser terminal, you will get:

1
"alert(Xiomara{i_4gr33_Y0U_4r3_a_Flash!}))"

The is a mistake troll, so correct Xiomara{i_4gr33_Y0U_4r3_a_Flash!} into xiomara{i_4gr33_Y0U_4r3_a_Flash!} (lowercase the first char).

50 - No Flags? - Web Exploitation#

What would you do if we tell you there are no flags for this question? Go on, solve it. That reminds me, Nothing is impossible.

http://139.59.61.220:23467/

I tried robots.txt:

1
2
3
4
5
User-agent:*
Disallow: /flags/
Disallow: /more_flags/
Disallow: /more_and_more_flags/
Disallow: /no_flag/

/flags/, /more_flags/ and /more_and_more_flags/ are obviously trolls.

Let's see /no_flag/ source:

1
2
3
4
5
6
7
8
9
10
<script>
function encode(str) {
str = str.replace(/http:/g, "^^^");
str = str.replace(/bin/g, "*^$#!")
str= str.replace(/com/g, "*%=_()");
str= str.replace(/paste/g, "~~@;;");
}
</script>
<iframe src="flag.txt" width="2500" height="2255">
</iframe>

It's an iframe of flag.txt which containd some ASCII art, like the three others. But this time there is a script.

The ASCII art display YOU HAVE BEEN HACKED ! but on the middle of HACKED we can see "^^^//~~@;;*^$#!.*%=_()/SwzEKazp".

So let's replace back: http://pastebin.com/SwzEKazp.

So go to pastebin and... This page has been removed!.

So go to the wayback machine, there is a snapshot dating from 25 Feb. 2017.

We can see an untitled document from XIOMARA_CTF containing: eGlvbWFyYXsxXzRtX21yX3IwYjA3fQ==.

1
2
$ printf %s 'eGlvbWFyYXsxXzRtX21yX3IwYjA3fQ==' | base64 -di
xiomara{1_4m_mr_r0b07}
Share