Information#
Version#
| By | Version | Comment |
|---|---|---|
| noraj | 1.0 | Creation |
CTF#
- Name : YUBITSEC CTF 2017
- Website : ctf.yubitsec.org
- Type : Online
- Format : Jeopardy
- CTF Time : link
1 - Flag Format - Warmup#
Hello,Welcome to YUBITSEC CTF!
We hope you will have a good time.
Flag Format is;
YUBITSEC{}
5 - Bash - Warmup#
BFYRGHVX{ZGYZHS_MLG_DVOXLNV_SVIV}
Bash for ATBASH.
YUBITSEC{ATBASH_NOT_WELCOME_HERE}
10 - A fine cipher - Warmup#
a:9
b:13
Encrypted:
VLWHCTXF{N_GHAX_FHSYXK}
A fine cipher for Affine cipher.
YUBITSEC{A_FINE_CIPHER}
10 - Rome - Warmup#
Encrypted:
PLSZKJVT{TRVJRI_WFLEU_KYZJ_RTKLRCCP}
Rome for Caesar.
YUBITSEC{CAESAR_FOUND_THIS_ACTUALLY}
10 - Telegram - Warmup#
Join our telegram group to get the flag
YUBITSEC{Abi_n4sil_uy3_0luy0ruz?}
5 - Disambiguation - Trivia#
A well known bug in OpenSSL cryptology library.
There is no flag format, enter the answer in lowercase.
heartbleed
10 - Execution - Trivia#
A well known privilege escalation vulnerability.
There is no flag format, enter the answer in lowercase.
shellshock
10 - Talk dirty to me - Trivia#
A linux kernel bug that has been around for at least 11 years.
There is no flag format, enter the answer in lowercase.
dirtycow
10 - Γmit Besen - Trivia#
A well known computer worm that spreads with emails.
There is no flag format, enter the answer in "uppercase".
ILOVEYOU
15 - Global Surveillance - Trivia#
Intercept the communications!
There is no flag format, enter the answer in lowercase.
echelon
150 - Text into image - Steganography#
Shaco is hiding something!
Orga did a mistake, this is not a LSB challenge, name of the challenge was changed.
Pure guessing. I simply wrote steganography Text into image into google and used the first online tool:
http://manytools.org/hacker-tools/steganography-encode-text-into-image/
Flag is YUBITSEC{now_you_see_me}.
30 - Robots Are Cool 1 - Web#
I think robots are cool. What you think?
Considering the title, I tried to access the robots.txt:
$ curl http://138.197.41.168/fiuuu/robots.txt
User-agent: *
Disallow: /pewpewpew.html
YUBITSEC{c0me_w1th_m3_If_y0u_w4nt_t0_L1ve}PS: http://138.197.41.168/fiuuu/pewpewpew.html also contains the flag.
Flag is YUBITSEC{c0me_w1th_m3_If_y0u_w4nt_t0_L1ve}.
75 - Simple Sql Injection - Web#
I tried the following payload:
- Login:
admin - Password:
' or 1-- -'
I succesfully bypassed the authentification and got redirected to http://138.197.41.168/ctf3/fl0g.html.
<!DOCTYPE html>
<html>
<head>
<title>fl0g</title>
</head>
<body>
<p>FLAG IS AROUND HERE SOMEWHERE</p>
</body>
</html>
<!--YUBITSEC{w0w_such_h4ck}-->175 - Coming Soon!! - Web#
Hello I am Zafer. BeΕir puts Izzettin in to a coma and I need help to get Avatar 2 DVD. Can you help me to get it?
http://138.197.41.168/ctf1/login.html
Note: For none Turkish players; if you have any issue with language contact hatMadder on irc
hint: take carefull look at names ;)
I tried the following payload:
- Login:
admin - Password:
' or 1-- -'
I succesfully bypassed the authentification and got redirected to http://138.197.41.168/ctf1/avatar.html
There is some links:
Avatar 2
Avatar 2 720p Full izle Türkçe dublaj - Part 1
Avatar 2 720p Full izle Türkçe dublaj - Part 2
Avatar 2 720p Full izle Türkçe dublaj - Part 3
Avatar 2 720p Full izle Türkçe dublaj - Part 4
Avatar 2 720p Full izle Türkçe dublaj - Part 5
Avatar 2 720p Full izle Türkçe dublaj - Part 6They looks to be a base64 image splitted into 6 parts.
So I extracted the base64 parts manually and save them into a file. And then retrieve the image:
$ cat test.txt| tr -d '\n' | base64 -di > image
$ file image
image: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1280x1221, frames 3
And then I can see a AVATAR 2 CD RIP with YUBITSEC{1zz3tt1n1_k0m4y4_b3n_s0ktUm}.
50 - Location - OSINT#
Can you find location ?
We are looking for city name ?
All chars are lowercase and close.
Flag format: YUBITSEC{losangeles}
We are looking for GPS metadata:
$ exiftool location.jpg | grep -i gps
GPS Version ID : 2.2.0.0
GPS Latitude Ref : South
GPS Longitude Ref : West
GPS Altitude Ref : Above Sea Level
GPS Altitude : 0 m Above Sea Level
GPS Latitude : 51 deg 37' 14.65" S
GPS Longitude : 69 deg 13' 47.00" W
GPS Position : 51 deg 37' 14.65" S, 69 deg 13' 47.00" WI used indlatitudeandlongitude.com (again) to get the location: Ameghino 400-466, Z9400JEJ RΓo Gallegos, Santa Cruz, Argentina.
Flag is YUBITSEC{riogallegos}.
Note: it's more forensics than OSINT
75 - Mobile Number - OSINT#
Who took this photo ?
Can you find photographer's mobile number ?
Show me, How stalker are you!
Note: Flag format will be YUBITSEC{+1234567890}
This time no metadata.
I made a reverse image search with Google image (uploading the picture), and I found that this picture was taken by Isaac Kasamani.
I see his Facebook but nothing there, so I went to his blog and found his phone number: +256 (0) 752166288.
Flag is YUBITSEC{+2560752166288}.
15 - Social Media - OSINT#
Nothing on Twitter.
Facebook or Instagram profile are not referenced nor with normal search engine search nor with dorks like yubitsec inurl:instagram.com.
I looked that there is no local/national Turkish social media.
So I asked an admin that redirect me to instagram.
But there is nothing referenced.
So I surfed on StackExchange and found a topic: I don't have an Instagram account. Can I still look at users' Instagram photos?.
The answer was to go to instagram.com/profile_name. I looked for yubitsec and found https://www.instagram.com/yubitsec/.
There is 1 picture, a QR code.
The original picture may be still available on the CDN.
So I used https://webqr.com/ (drag'n'drop) and found: YUBITSEC{W3LC0M3}.
This is not really open source information or publicly available data so we can't really talk about OSINT. But you know CTF organizers often don't care to make challenge about true security, well categorize them or even ban guessing.
25 - Find me - Misc#
Find me in source code.
Nothing on ctf.yubitsec.org. Let's try yubitsec.org:
<!DOCTYPE html>
<html lang="en-us">
<!--
βββ ββββββ ββββββββββ ββββββββββββ ββββββββββββββββ βββββββ
ββββ βββββββ βββββββββββββββββββββββ ββββββββββββββββββββββββ
βββββββ βββ ββββββββββββββ βββ ββββββββββββββ βββ
βββββ βββ ββββββββββββββ βββ ββββββββββββββ βββ
βββ ββββββββββββββββββββ βββ ββββββββββββββββββββββββ
βββ βββββββ βββββββ βββ βββ ββββββββββββββββ βββββββ
-->
<!-- nothing to see here y0u bad hax0r_1337 -->
<!-- YUBITSEC{AG4_I$L3R_V4R} -->
<head>Flag is YUBITSEC{AG4_I$L3R_V4R}.
25 - Strings - Misc#
Easy Peasy
As the title said:
$ strings Strings.jpg | tail -1
YUBITSEC{H4CK3R_M4N35}35 - Weird symbols - Misc#
What is this?
That is some JavaScript Brainfuck (not original Brainfuck).
You can eval some part in a javascript console, for example !+[]+!+[]+[+[]] equal 20.
So I pasted all into an eval() and waited until I got a pop-up with YUBITSEC{WEIRD_JAVASCRIPT_IS_WEIRD}.
35 - B64 - Misc#
I remove the b'base64' around the base64 data and then:
$ cat file.txt| base64 -di | base64 -di | base64 -di | base64 -di | base64 -di | base64 -di | base64 -di | base64 -diBut it seems very recursive.
So I used and adapted a recusrive command:
$ str=`cat file.txt`; for i in `seq 1 100`; do echo -e "$str\n"; str="$(base64 -di <<< $str)"; doneYUBITSEC{YUBITSEC{YUBITSEC{YUBITSEC}}}
50 - File - Forensics#
Challenge's link https://drive.google.com/open?id=0B_jBF_ZqfxnBd0tKcDJMVkw1Njg
What is this file ? Can you find hidden flag ?
Flag format: YUBITSEC{}
$ binwalk File
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
30 0x1E Zip archive data, at least v1.0 to extract, compressed size: 11905297, uncompressed size: 11905297, name: File/Flag.zip
11905348 0xB5A944 End of Zip archive
11905370 0xB5A95A Zip archive data, at least v2.0 to extract, compressed size: 20103, uncompressed size: 24875, name: File/YubitSec.jpg
11925801 0xB5F929 End of Zip archive
$ unzip File -d hereThen there is a lot of recursive zip File/Flag/op/Hacker/HackerMan/HackThePlanet/Last.
At the end we have flag.png: {C0MPR3SS10N_1S_G00D}. So the flag is YUBITSEC{C0MPR3SS10N_1S_G00D}.
100 - Easy - Crypto#
Seems like there must be hiding flag, find it!
This is a list of MD5 hashes.
Crack the hashes with https://crackstation.net/ and a text editor replace all feature to go faster.
And then:
$ cat secret.txt| tr -d '\n'
MD5?_Hell_Yes!_So_you_know_what_do_you_need_to_do_I_think_You_have_to_be_more_fastFlag_must_be_here_but_where_?_I_guess_you_are_so_closeYUBITSEC{I_h0p3_y0u_didn't_try_t0_d3crpyt_on3_by_on3}maybe_flag_can_be_little_bit_upI_think_flag_won't_be_ending_part50 - Gifted - Reverse
$ strings gifted | grep -i yubitsec
YUBITSEC{MEH_IT_IS_SOMETHING}50 - *blushes* - Steganography#
The image looks transparent and has no metadata.
But blushes means get red. So using StegSolve, for example, we can see a QR code in red planes:
Then I used https://webqr.com/ to get the flag: YUBITSEC{hello_nothing_here}.
75 - Broken - Forensics#
HINT: Compare with normal PNGs. You need to add something ? broken.png
Let's check a correct PNG:
$ xxd -l50 indir.png
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR
00000010: 0000 00c8 0000 00c8 0806 0000 00ad 58ae ..............X.
00000020: 9e00 0000 0662 4b47 4400 ff00 ff00 ffa0 .....bKGD.......
00000030: bda7And now the broken one:
$ xxd -l50 broken.png
00000000: 0000 0226 0000 0226 0806 0000 0067 ce41 ...&...&.....g.A
00000010: 4600 0000 0662 4b47 4400 ff00 ff00 ffa0 F....bKGD.......
00000020: bda7 9300 0000 0970 4859 7300 0000 4800 .......pHYs...H.
00000030: 0000We can see the broken file lack the first line with the header (magic number) + the first PNG chunck, let's fix this:
$ printf "\x89\x50\x4e\x47\x0d\x0a\x1a\x0a\x00\x00\x00\x0d\x49\x48\x44\x52" | cat - broken.png > fixed.pngNow we have a valid PNG and we can read: YUBITSEC{m4g1c_numb3rs_4r3_c00l}.