S.H.E.L.L CTF 2021 WRITEUP

Web Security

Opened the challenge link and viewed the page source; nothing interesting was there. Performed the usual basic enumeration for a web page and found robots.txt, in which a file was disallowed: “/yfhdgvs.txt”. Tried using that in the URL and got the flag.

Browsing the URL, a message was displayed: “This web app is still under development.” Then viewed the page source; a comment gave the hint for the flag: “<!-- TODO: Develop auth, buy some cookies from the supermarket -->”.

Then checked the cookie value in the Storage tab of the Inspect Element tools. The cookie named “privilege” has the value “dXNlcg%3D%3D”. I found that the first string of letters was base64 encoded. Tried decoding it in the terminal with the command:

echo "dXNlcg==" | base64 -d

Basically, this command decodes the value using the -d switch. The result was “user”.

I tried encoding the value admin for the privilege cookie, pasted it into the value field and refreshed the page. Then got the flag.
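Why the cookie edit above works, and what stops it, shown as an added example that is not the challenge's code: an unsigned base64 cookie accepts any value the client encodes, while a cookie carrying an HMAC tag fails verification once its body changes. The secret, the function names and the `body.tag` cookie layout are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to the client


def encode_unsigned(role: str) -> str:
    """Weak scheme from the writeup: URL-encoded base64 of the role, no integrity."""
    return quote(base64.b64encode(role.encode()).decode())


def read_unsigned(cookie: str) -> str:
    """Server side of the weak scheme: trusts whatever decodes."""
    return base64.b64decode(unquote(cookie)).decode()


def _tag(body: str) -> str:
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()


def issue_signed(role: str) -> str:
    """Hardened scheme: base64 body plus an HMAC-SHA256 tag over that body."""
    body = base64.urlsafe_b64encode(role.encode()).decode()
    return f"{body}.{_tag(body)}"


def read_signed(cookie: str):
    """Return the role, or None when the tag does not match the body."""
    body, _, tag = cookie.partition(".")
    if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return None
    return base64.urlsafe_b64decode(body).decode()


def swap_role(signed_cookie: str, role: str) -> str:
    """Simulate the browser-side edit: new body, old tag kept."""
    _, _, tag = signed_cookie.partition(".")
    return base64.urlsafe_b64encode(role.encode()).decode() + "." + tag


if __name__ == "__main__":
    print(read_unsigned("dXNlcg%3D%3D"))                    # value from the writeup
    print(read_unsigned(encode_unsigned("admin")))          # weak scheme accepts it
    print(read_signed(swap_role(issue_signed("user"), "admin")))  # rejected
```

Keeping the role in server-side session state instead of in the cookie removes the problem entirely; signing is the minimum when the value must live on the client.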

Opened the challenge link and searched for sha256 collisions, as per the challenge hint “Make sha256 collide and you shall be rewarded”. Then found a CCTF 2020 CTF writeup for a challenge the same as this one. Modified the values with the given parameters, shell and pwn. The payload “?shell[0]=0&pwn[1]=0” made the SHA256 collision and displayed the flag.

Opening the challenge displays a login page, and on viewing the page source, a “main.js” file can be seen. Viewing that file shows a long line of code, in which a username, “din_djarin11”, is displayed with a hash. I then used crackstation.net to crack the hash and got the password.

Entering the credentials and logging in will prompt you to download a file with the password as its name. Downloading the file and running cat on it displays the flag.

SHELL{th1s_i5_th3_wa7_845ad42f4480104b698c1e168d29b739}

Forensics

On checking the file type, it showed the file is in PNG format but the actual file is in JPG format, so I changed the file from JPG to PNG. Then I used the zsteg tool, which scans the LSB (Least Significant Bit) of a PNG file. Got the flag.

Wrap the strings in SHELL{} format.

Downloaded the file and checked the file type. The description of the challenge gave the hint “huge chunk of data”, which can be extracted using the binwalk tool. The following command will extract the contents of the file.

binwalk -e imagename.png

After extracting the file, the extracted folder contains a zip archive. Unzipping it gives us an executable file. Running the strings command on it reveals the flag.

Downloaded the file and changed the file format from JPG to PNG, as it is a PNG file on file check. Then used a tool called stegoveritas, which is a Python steganography detection tool. It can be installed using pip in the terminal. The command is used as follows:

stegoveritas <imagename>

This command will take some time to scan the image. All we need is patience. Then it will list out something interesting: another PNG file. Opening the image file will display the strings for the challenge.
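The two checks the forensics challenges above lean on, file type versus extension and extra data stored in an image, written out as an added example (not code from the challenges or from binwalk). It only looks at bytes after the PNG IEND chunk, which is a simplification of binwalk's signature scan, and the sample image is constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAGIC = {PNG_SIG: "png", b"\xff\xd8\xff": "jpg", b"PK\x03\x04": "zip"}


def sniff(data: bytes):
    """Identify content by its leading magic bytes, like `file` does."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension disagrees with the recognised content type."""
    ext = filename.rsplit(".", 1)[-1].lower().replace("jpeg", "jpg")
    kind = sniff(data)
    return kind is not None and kind != ext


def png_trailing_data(data: bytes) -> bytes:
    """Walk the PNG chunk list and return whatever follows IEND."""
    if sniff(data) != "png":
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # length + type + payload + CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as test input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))


if __name__ == "__main__":
    stuffed = sample_png() + b"PK\x03\x04constructed-archive-bytes"
    print(extension_mismatch("image.jpg", stuffed))   # PNG content, .jpg name
    print(sniff(png_trailing_data(stuffed)))          # appended data looks like a zip
```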

Cryptography

As the name of the challenge says encoder, it’s basic encoding. I often use CyberChef for this type of encoding challenge. I found out that it is basic ROT13 encoding. I decrypted the string with ROT13 decryption. Got the flag.

For this challenge I followed John Hammond’s CSAW CTF writeup video, rsa is lub. Modified the content of the Python script with the values given in the challenge.

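#!/usr/bin/env python3
# Recover the RSA plaintext from the known prime factors p and q of n.

from Crypto.Util.number import inverse

n = 1763350599372172240188600248087473321738860115540927328389207609428163138985769311
e = 65537
c = 33475248111421194902497742876885935310304862428980875522333303840565113662943528
p = 31415926535897932384626433832795028841
q = 56129192858827520816193436882886842322337671

# Euler's totient of n = p * q
phi = (p - 1) * (q - 1)

# Private exponent: modular inverse of e modulo phi
d = inverse(e, phi)

# Decrypt: m = c^d mod n
m = pow(c, d, n)

# Hex digits of m without the "0x" prefix (Python 3 ints have no trailing "L")
x = format(m, "x")

print(x)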

Running the file will display a hex value. Decoding the hex value to ASCII will return the flag.

From the given ciphered text, the characters changed their position randomly. By filtering out the known contents we get the string below, SHELL{RAT5PN51010TN_C1PH3R}. After analyzing, the jumbled string is an actual word, “Transposition”, which fits the unknown cipher.

Then after changing the positions of the characters we get the actual flag.

SHELL{TRAN5P051T10N_C1PH3R}

The downloaded script file shows how the ciphered text was encoded. The string is the result of a substitution cipher. Using the key given in the script, we can decode the cipher manually.

alpha = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ{}_1234567890'
key = 'QWERTPOIUYASDFGLKJHZXCVMNB{}_1234567890'

By substituting the value of each letter, we’ll get the flag for this challenge.

SHELL{5U65T1TUT1ON_C1PH3R}
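The manual substitution above, done with a translation table, as an added example that is not the challenge's script. It assumes the script encrypts by mapping each character of alpha to the character at the same position in key; the ciphertext here is constructed by encrypting the flag shown above, since the original ciphertext is not reproduced in this writeup.

```python
ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ{}_1234567890"
KEY = "QWERTPOIUYASDFGLKJHZXCVMNB{}_1234567890"


def build_tables(alpha: str, key: str):
    """Return (encrypt, decrypt) tables; the key must be a permutation of alpha."""
    if len(set(alpha)) != len(alpha) or sorted(alpha) != sorted(key):
        raise ValueError("key must be a permutation of the alphabet")
    return str.maketrans(alpha, key), str.maketrans(key, alpha)


ENC, DEC = build_tables(ALPHA, KEY)


def encrypt(text: str) -> str:
    # Characters outside ALPHA pass through unchanged.
    return text.translate(ENC)


def decrypt(text: str) -> str:
    return text.translate(DEC)


def fixed_points(alpha: str, key: str) -> str:
    """Characters the key maps to themselves, i.e. plaintext that leaks as-is."""
    return "".join(a for a, k in zip(alpha, key) if a == k)


if __name__ == "__main__":
    ciphertext = encrypt("SHELL{5U65T1TUT1ON_C1PH3R}")  # constructed input
    print(ciphertext)
    print(decrypt(ciphertext))
    # Braces, underscore and digits are untouched by this key, so the flag's
    # structure and its digit substitutions are visible in the ciphertext.
    print(fixed_points(ALPHA, KEY))
```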

Reverse Engineering

Downloaded the executable file, ran the strings command on it and grepped for the string “SHELL{”. The result will display the flag.

┌──(kali㉿kali)-[~/ctf/shellctf]
└─$ strings check.exe| grep SHELL
SHELL{bas1c_r3v}

Downloaded the file and viewed it. The script basically appends the characters on each iteration, and each character is declared separately in a list. So, in order to solve the challenge, append all the characters in ascending order starting from 6 to 28. The six characters of “SHELL{” are indexed as S-0, H-1, …, {-5, because the list starts its indexing from 0.

The indexing can be done manually. After arranging the characters in order, run the script file to check whether the flag is right or not. If it is correct, submit that as the flag.

┌──(kali㉿kali)-[~/ctf/shellctf]
└─$ python3 keygen.py
enter your flag:SHELL{s3nb0nzakur4_K4g3y05h1}
congrats thats the flag.

Thank you for taking time to read my writeup. It means a lot.

DanielRaj