WriteUp of Sec-Army-CTF
Our Team: warlock-rootx
MISC Chall:
Misc challenges 1 to 9 are in: file
10)Listen it Carefully:
1)The challenge gives an .mp3 file. We have to find the Morse code in it and decode it to get the flag.
2)Online Tool and Author INSTA post.
3)The flag is secarmy{wearesecarmy}
11)WTF-2: WTF-2
12)Fishhy: Fishhy
OSINT Chall:
1.Hack Ollie's Password: 100 Points
1)Chall_link
2)gif
3)image
4)Getting_password_link
5)flag_image_link
6)flag_png
2.OSINT begins: 200 Points
1)First, the chall. gives the handle #wearesecarmy, so it is probably from social media, most probably "Twitter" #wearesecarmy
2)You will get a QR code. Scan it using a QR code scanner QR
3)You will get a link. Do Inspect Element, and in a comment you will find the flag
Starters Chall:
1.Get Me: 50 Points
1)In this chall. you have to authenticate successfully to get the flag. getme
2)Just set value=true to validate. (https://sec-army.ml/getme/authenticate.php?val=true)
3)flag
2.Invisible: 20 Points
1)When you open the link, the page is perfectly blank Blank_page
2)Open Inspect Element. There are many tags under body; in a p tag you would find the flag.
3.B0T: 80 Points
1)In this chall., asking the MEE6 bot in the Discord server "!flag" will give the flag secarmy{i_am_sm4rt3r-th3n_b0t}
Crypto:
1.I am not QR Code: 100 Points
1)The chall. gives a .gif that looks like a QR code, but it is actually esoteric language code which has to be compiled to get the flag ggif
2)You can find more information here. There is also an online interpreter
3)Convert the gif to png online
4)Upload the .png and compile it, and you would get the flag. The actual flag is secarmy{Hello, world!}
2.Genetics: 150 Points
1)The chall. gives text made of the letters A, G, T, C
GAGTTGACTATGATTACATTGCGAATGCCATTGACTAAACCCACATTGAAACCACATATGATAAAACATACAAATTTGAGACATTTGAACACAAAGAAACCACAGACATTGATAAAAATCCCAAGTAGTCGATTGAATATGAGAATCACGTTGCATACTAGACAGTTGAGACAGTTGCCCACACACCGATTGCATACAAATAGAATGCCACAGTTGCAGATGATAACATTGCACAAAATCAATATGATATTGCATACACCTCATTTGCATATGTTGATAAAAAGGACATTGCATACTAGACAGTTGACACCCACAATCTTGATAATGCACACATTGAGTATGATCACGTTGAAACCCACAATCACGACACACCAGTTGACAATCAATACGAAAATAACATTGATCTTCCATCATACTTCGACCAGTTCTACGTCACATACTTCAATCAGGTTGCAGATTAGAAATACACACATAAAAATCTTGACCAAACACTTGACCCACATGATATTGACTATGATAACATTGGATGGAGCACTGGGTTTGAACAGACACAATCAGTTGATGACCTTGATTCACACACGATTGACACCCACAATCTTGAGATTGAATATGATCCATTTGAGGATCATGCCGTTGCCGACTCGATTGAGATTGAAAATATTGCCGCACAGACATAGAATCACGTTGCATACTACACAGACATTGATAATGCCCAGAACATTGATCAAAATAACACAGTTT
2)This is basically DNA codes. You can find more information from DNA and katana.
3)Decrypt using the script given in that GitHub source and you will get the flag.
3.Obfuscation?? 200 Points
1)In this chall., first use the online tool Cryptii to convert hex to text
2)After that you will get code which should be compiled using Tool to get the flag
4.Tetra Layer Security 200 Points
1)It gives text of ASCII values in green color, which has to be converted into text: the file and link.
2)After that, using Online Tool, we have to convert those ASCII values to text recursively four times (Tetra): press the Convert button four times in a row.
3)flag is secarmy{CHar@ct3r$_4Nd_str1ngs}
5.Admin2 100 Points
1)Chall link and Credentials Image, so Username=admin, and for the password an md5 is given in the source code.
2)So password=password1234. By entering it you would get the flag
6.Alien Language 120 Points
1)Basically it is an alien language. You can get More Info and Author INSTA post.
2)The flag is secarmy{wearesecarmy}
WEB:
1)who's contract killer ? 50 Points
1)In the chall. a Base64 string is given: "aHR0cDovLzVocHVjd203c3RraG4zbXluczd2ajRuNzJtNDVlNGV1bnQzaHBxdDNhb2t4YjJ6anM3emphZ2FkLm9uaW9uL"
Decode it and you will get a Tor link. Visit the link using Tor Browser and you will get another Base64 string, "c2VjYXJteXsxX2FtX2MwbnRyNGN0X2sxbGwzcn0=", there. Decode it.
2)flag is secarmy{1_am_c0ntr4ct_k1ll3r}
2)Silly Mongolian 150 Points
1)Chall link. After that, in Inspect Element we can find process.js
2)
if (pass == base64) {
    alert('ottt p aopur aol alea fvb zbitpaalk dhz dyvun iba thfil fvb zovbsk joljr aopz vba uvmshnolyl.oats');
}
else {
    alert('nvvk qvi olyl pz fvby mshn svjhapvu zpssftvunvsphu.oats');
}
3)Both alerts are encrypted using a Caesar cipher with shift 7. When you decrypt, the else alert gives "noflaghere.html", so visit the link and also get the text below
"Ayy finally a smart Mongol appeared!
Here's your flag: c2VjYXJteXtzbUBydF9tMG5nMGxfMXNfbXlfZnJpZW5kfQ==" (base64)
4)flag is secarmy{sm@rt_m0ng0l_1s_my_friend}
3)BabyPhP: 300 Points:
1)The chall. is about PHP. We get the Base64 string
Jycuam9pbihjaHIob3JkKGkpXjkwKSAgZm9yIGkgaW4gJyk/ND56PT8ueig/Ky8/KS56LykzND16LDM/LSk1Lyg5P3oqOyg7Nz8uPygnKQ==
and after decoding we get ''.join(chr(ord(i)^90) for i in ')?4>z=?.z(?+/?).z/)34=z,3?-)5/(9?z;(;7?.?(') which is basically Python
and points to viewsource, so we have to look at the "viewsource" of Babyphp [https://sec-army.ml/babyphp/babyphp.php?viewsource]
PHP Code
s3cur3 PHP Hack your way to the flag (^_^)
s3cur3 PHP";
echo "Hack your way to the flag (^_^)
";
highlight_file(__FILE__);
if(!isset($_GET['key'])) {
    die("Bye bye hacker");
}
if((strcmp($_GET['key'],$key))) {
    die("Gimme key to the door first!!!");
}
echo "Thanks for the key :P
";
if(!isset($_GET['secret'])) {
    die("Bye bye hacker");
}
$_p = 1337;
$_l = 13;
$l = strlen($_GET['secret']);
$_i = intval($_GET['secret']);
if($l !== $_l || $_i !== $_p) {
    die("System Failure Detected...");
}
echo "";
echo "";
echo "";
?>
Thanks for the key :P Yaaay...you have breached the most s3cur3 PHP code Here is your flag: ⚑
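2)After analysing the code we come to know that we have to insert a key to get the flag, by using a "curl -x" request or a direct link.
3)With this link we inserted the key [https://sec-army.ml/babyphp/babyphp.php?viewsource&key%5B%5D&secret=0000000001337] secret=0000000001337 (getting PHP Enumeration). URL-decoded: [https://sec-army.ml/babyphp/babyphp.php?viewsource&key[]&secret=0000000001337]. Sending key[] makes $_GET['key'] an array, and in PHP versions before 8 strcmp() on an array returns NULL, so the if() around strcmp() is not entered. 0000000001337 is 13 characters long and intval() of it is 1337, which satisfies the second check.
4)After that we got the flag in a comment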
5)Finally flag is secarmy{php_15_3xpl017abl3_i5nt'17!!}
4)Under Construction: 150 Points
1)The chall. is about "Try to Login as "admin"": link. The text box is disabled. Open "Inspect Element" and you come to know the input is disabled, so select "Edit as HTML" on it and remove disabled. After that,
type admin in the text box and press enter.
2)You would get the flag
5)validation: 200 Points
1)In this chall. we have to make our HTTP request to [https://sec-army.ml/validation/validation.php] look as if it came via
[https://sec.army] (curl's -e option sets the Referer header). We can do it using the curl command below
2)~ curl -e "https://sec.army/" https://sec-army.ml/validation/validation.php
Hi, I think I seem to know you :)
Hail SEC-ARMY :P
Here's a flag for you:
secarmy{h34der5_ar3_4ngl35}
- Fatherphp
https://github.com/linuxjustin/secarmyctf/blob/master/fatherphpsolution.py
Forensic:
1)Pcapped: 200 Points:
1)The chall. gives 404.pcapng, which we can open using "Wireshark". When you open it, in the first packets you would find strings
in the flag format, but actually that is a trap; those are not flags. So using basic file enumeration I got "ROT47" from the strings command
output, which is given below.
GET /whatisROT HTTP/1.1
Host: 192.168.46.129:8000
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
HTTP/1.0 404 File not found
M-SEARCH HTTP/1.1
HOST: 239.255.255.250:1900
MAN: "ssdp:discover"
ST: urn:dial-multiscreen-org:service:dial:1
USER-AGENT: Google Chrome/73.0.3683.86 Linux
M-SEARCH HTTP/1.1
HOST: 239.255.255.250:1900
MAN: "ssdp:discover"
MX: 1
ST: urn:dial-multiscreen-org:service:dial:1
USER-AGENT: Google Chrome/73.0.3683.86 Linux
GET /D642C%3EJL(6b==0%9%60D0%60D06cdJN HTTP/1.1
Content-Type: text/html
FAke FLags:
HTTP/1.1 (secarmy{*******})
HTTP/1.1 (secarmy{^789notheflag})
2)By using URLDecode we would get "/D642C>JL(6b==0%9`D0`D06cdJN", and it is ROT47 encrypted, so decrypt using This.
3)Finally we got the flag: secarmy{We3ll_Th1s_1s_e45y}
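The two steps above (URL-decode the request path, then ROT47) as a small triage script. This is an added example, not part of the original writeup; the CAPTURED list reuses lines from the strings output above, and the function names are made up for the illustration.

```python
import re
from urllib.parse import unquote

# Lines taken from the strings output above, arranged one per line.
CAPTURED = [
    "GET /whatisROT HTTP/1.1",
    "Host: 192.168.46.129:8000",
    "HTTP/1.0 404 File not found",
    "GET /D642C%3EJL(6b==0%9%60D0%60D06cdJN HTTP/1.1",
    "HTTP/1.1 (secarmy{^789notheflag})",
]

REQUEST_LINE = re.compile(r"^(?:GET|POST|HEAD) (\S+) HTTP/1\.[01]$")
FLAG = re.compile(r"secarmy\{[^}]*\}")


def rot47(text: str) -> str:
    """Rotate printable ASCII (33..126) by 47; other characters pass through."""
    out = []
    for ch in text:
        code = ord(ch)
        if 33 <= code <= 126:
            code = 33 + (code - 33 + 47) % 94
        out.append(chr(code))
    return "".join(out)


def find_rot47_flags(lines):
    """URL-decode each request path, apply ROT47, collect flag-shaped strings."""
    hits = []
    for line in lines:
        match = REQUEST_LINE.match(line.strip())
        if not match:
            continue  # headers, responses and the decoy flag lines are skipped
        # unquote() leaves the malformed "%9" as-is and turns %60 into a backtick
        path = unquote(match.group(1)).lstrip("/")
        hits.extend(FLAG.findall(rot47(path)))
    return hits


if __name__ == "__main__":
    for flag in find_rot47_flags(CAPTURED):
        print(flag)
```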
2)WTF: 150 Points
1)"Dig for the flag": a file and a chall link are given in the chall.
2)First, when we checked the file it looked empty. Also the "strings" and "binwalk" commands did not work.
3)Using the hexdump command we got the output below.
~/ hexdump -C WTF
00000000  20 09 09 20 20 20 09 09  20 20 09 09 20 20 09 20  | ..   ..  ..  . |
00000010  20 09 20 09 20 09 09 20  20 09 09 20 09 20 09 20  | . . ..  .. . . |
00000020  20 09 20 09 09 20 20 09  20 09 20 09 09 20 20 20  | . ..  . . ..   |
00000030  20 09 20 20 09 20 09 20  20 09 09 09 20 09 20 20  | .  . .  ... .  |
00000040  20 09 09 20 20 09 20 09  20 09 20 09 09 20 20 20  | ..  . . . ..   |
00000050  20 09 09 09 20 09 20 20  20 09 20 09 20 09 20 09  | ... .   . . . .|
00000060  20 09 20 20 09 09 20 09  20 09 20 20 20 09 20 09  | .  .. . .   . .|
00000070  20 09 09 09 09 20 20 20  20 09 20 20 20 09 20 09  | ....    .   . .|
00000080  20 09 20 09 09 20 20 20  20 20 09 09 20 20 20 09  | . ..     ..   .|
00000090  20 09 09 20 09 20 09 09  20 09 09 09 20 09 09 09  | .. . .. ... ...|
000000a0  20 09 09 20 20 09 20 20  20 09 20 09 20 09 09 20  | ..  .   . . .. |
000000b0  20 20 09 09 09 20 20 20  20 09 09 09 09 20 20 20  |  ...    ....   |
000000c0  20 09 20 09 09 20 20 20  20 20 09 09 20 20 20 09  | . ..     ..   .|
000000d0  20 09 09 20 20 09 20 20  20 09 09 20 09 20 20 20  | ..  .   .. .   |
000000e0  20 09 20 20 09 09 09 20  20 09 20 09 20 09 09 20  | .  ...  . . .. |
000000f0  20 20 09 09 09 20 20 09  20 09 09 09 09 20 20 09  |  ...  . ....  .|
00000100  20 09 20 20 09 09 20 09  20 09 20 09 20 09 09 09  | .  .. . . . ...|
00000110  20 09 09 20 20 09 20 20  20 09 09 20 09 09 09 09  | ..  .   .. ....|
00000120  20 09 09 20 20 09 20 20  20 09 20 20 20 09 09 20  | ..  .   .   .. |
00000130  20 20 09 09 09 20 20 09  20 09 20 20 09 20 20 09  |  ...  . .  .  .|
00000140  20 09 20 20 09 09 20 09  20 20 09 09 20 20 09 09  | .  .. .  ..  ..|
00000150  20 09 20 20 09 20 20 09  20 09 09 09 09 20 09 20  | .  .  . .... . |
00000160  20 09 09 20 20 09 09 20  20 09 20 09 20 20 20 09  | ..  ..  . .   .|
00000170  20 20 09 09 09 09 20 09  20 20 09 09 09 09 20 09  |  .... .  .... .|
00000180
Replace "." to "1" and space to "0"
4)Generally "hexdump" prints some weird characters and special characters in this column, but in our case there are only "." and
space
5)So put "space" to "0" and "." to "1", which gives a binary stream.
011000110011001001010110011010100101100101011000010010100111010001100101010110000111010001010101010011010100010101111000010001010101100000110001011010110111011101100100010101100011100001111000010110000011000101100100011010000100111001010110001110010111100101001101010101110110010001101111011001000100011000111001010010010100110100110011010010010111101001100110010100010011110100111101
6)Convert it to text, so we got c2VjYXJteXtUMExEX1kwdV8xX1dhNV9yMWdodF9IM3IzfQ== which is Base64. Decode it.
7)Got the flag secarmy{T0LD_Y0u_1_Wa5_r1ght_H3r3}
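Steps 3 to 6 can be done directly on the file bytes instead of the hexdump text column: 0x20 (space) is a 0 bit and 0x09 (tab, shown as "." by hexdump) is a 1 bit. This is an added example, not part of the original writeup; SAMPLE is rebuilt from the Base64 string in step 6 rather than read from the challenge file, FIRST_ROW is the first row of the hexdump above, and the function names are made up for the illustration.

```python
import base64

SPACE, TAB = 0x20, 0x09

# Sample input rebuilt from the Base64 string in step 6 (not the original file).
STEP6_B64 = b"c2VjYXJteXtUMExEX1kwdV8xX1dhNV9yMWdodF9IM3IzfQ=="
SAMPLE = bytes(TAB if bit == "1" else SPACE
               for ch in STEP6_B64 for bit in f"{ch:08b}")
# First 16 bytes of the hexdump shown above, to check the rebuilt sample.
FIRST_ROW = bytes.fromhex("20090920202009092020090920200920")


def whitespace_to_bytes(data: bytes) -> bytes:
    """Map space -> 0 and tab -> 1, then pack every 8 bits into one byte."""
    bits = []
    for offset, value in enumerate(data):
        if value == SPACE:
            bits.append("0")
        elif value == TAB:
            bits.append("1")
        elif value in (0x0A, 0x0D):
            continue  # tolerate a trailing newline added by an editor
        else:
            raise ValueError(f"unexpected byte 0x{value:02x} at offset {offset}")
    if len(bits) % 8:
        raise ValueError(f"{len(bits)} bits is not a whole number of bytes")
    joined = "".join(bits)
    return bytes(int(joined[i:i + 8], 2) for i in range(0, len(joined), 8))


def decode_file(data: bytes) -> bytes:
    """Whitespace bits -> ASCII text (Base64) -> decoded payload."""
    return base64.b64decode(whitespace_to_bytes(data), validate=True)


if __name__ == "__main__":
    print(whitespace_to_bytes(SAMPLE).decode("ascii"))
    print(decode_file(SAMPLE).decode("ascii"))
```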
Reversing
1)am3r1cans: 250 Points
1)In the chall. the "am3r1cans" binary is given. First we have to check whether the flag is in plaintext or not,
so using the "strings" command we can print all printable strings.
~/ strings am3r1cans
/lib64/ld-linux-x86-64.so.2
libc.so.6
puts
printf
strlen
__cxa_finalize
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
checking license for the key: %s
Access Granted: Well Done!
flag: secarmy{d0nt_y0u_th1nk_th1s_w@s_@_e@sy_0n3?}
Umm......That's WRONG!!!< try harder this is a easy one!!!
Usage: %s
;3$"
GCC: (Debian 8.2.0-16) 8.2.0
flag: secarmy{d0nt_y0u_th1nk_th1s_w@s_@_e@sy_0n3?}