University of Toronto CTF 2024
CTFtime link: https://ctftime.org/event/2219
Read and understand!
FLAG:
{i_understand_the_mission}
Here is an FCC ID, Q87-WRT54GV81, what is the frequency in MHz for Channel 6 for that device? Submit the answer to port 3895
Let's look at the documentation!
I found this documentation: https://fcc.report/FCC-ID/Q87-WRT54GV81/861595
The frequency for channel 6 is 2437 MHz.
Send it to port 3895 and read the response:
printf '2437\n\0' | nc 35.225.17.48 3895
Enter the frequency in MHZ for channel 6: Access granted! The Flag is {FCC_ID_Recon}!
FLAG:
{FCC_ID_Recon}
What company makes the processor for this device? https://fccid.io/Q87-WRT54GV81/Internal-Photos/Internal-Photos-861588. Submit the answer to port 6318
Check the documentation about the processor or look at the photo of the board where you can see the name of the manufacturer!
In the photo we see that the manufacturer is Broadcom
Send to port 6318 with netcat!
printf 'Broadcom\n\0' | nc 35.225.17.48 6318
Enter the company that manufactures the processor for the FCC ID Q87-WRT54GV81 Access granted! The Flag is {Processor_Recon}!
FLAG:
{Processor_Recon}
Submit the command used in U-Boot to look at the system variables to port 1337 as a GET request ex. http://35.225.17.48:1337/{command}. This output is needed for another challenge. There is NO flag for this part.
Submit the full command you would use in U-Boot to set the proper environment variable to a /bin/sh process upon boot to get the flag on the webserver at port 7777. Do not include the ‘bootcmd’ command. It will be in the format of "something something=${something} something=something" Submit the answer on port 9123.
- To look at the system variables in U-Boot we need to use the printenv command
Send the printenv command with cURL to port 1337:
curl http://35.225.17.48:1337/printenv
addmisc=setenv bootargs ${bootargs}console=ttyS0,${baudrate}panic=1
baudrate=57600
bootaddr=(0xBC000000 + 0x1e0000)
bootargs=console=ttyS1,57600 root=/dev/mtdblock8 rts_hconf.hconf_mtd_idx=0 mtdparts=m25p80:256k(boot),128k(pib),1024k(userdata),128k(db),128k(log),128k(dbbackup),128k(logbackup),3072k(kernel),11264k(rootfs)
bootcmd=bootm 0xbc1e0000
bootfile=/vmlinux.img
ethact=r8168#0
ethaddr=00:00:00:00:00:00
load=tftp 80500000 ${u-boot}
loadaddr=0x82000000
stderr=serial
stdin=serial
stdout=serial
Environment size: 533/131068 bytes
Read the U-Boot variables and use setenv bootargs=${bootargs} init=/bin/sh to set the environment variable so that a /bin/sh process is started on boot.
Then send it to port 9123:
printf 'setenv bootargs=${bootargs} init=/bin/sh\n\0' | nc 35.225.17.48 9123
Enter the command you would use to set the environment variables in U-Boot to boot the system and give you a shell using /bin/sh: Access granted! The Flag is {Uboot_Hacking}!
FLAG:
{Uboot_Hacking}
We are given the site https://storage.googleapis.com/out-of-the-bucket/src/index.html
Let's open only the /out-of-the-bucket/ directory.
Now we see that there is a secret/dont_show entry in this directory:
<Contents>
<Key>secret/dont_show</Key>
<Generation>1703868647771911</Generation>
<MetaGeneration>1</MetaGeneration>
<LastModified>2023-12-29T16:50:47.809Z</LastModified>
<ETag>"737eb19c7265186a2fab89b5c9757049"</ETag>
<Size>29</Size>
</Contents>
Open https://storage.googleapis.com/out-of-the-bucket/secret/dont_show
The file is downloaded; just open it in the terminal:
cat dont_show
FLAG:
uoftctf{allUsers_is_not_safe}
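A defender-side check for the exposure described above, as an added example that is not part of the original writeup: it parses a saved anonymous listing of your own bucket and reports every object outside the prefixes that are meant to be public. The `src/` allow-list, the function names, the `ListBucketResult` wrapper and the `src/index.html` entry are assumptions; only the `secret/dont_show` entry is taken from the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample listing. The secret/dont_show entry is copied from the
# writeup; the wrapper element and the src/index.html entry are made up.
LISTING = """
<ListBucketResult xmlns='http://doc.s3.amazonaws.com/2006-03-01'>
  <Name>out-of-the-bucket</Name>
  <Contents>
    <Key>src/index.html</Key>
    <Size>1024</Size>
  </Contents>
  <Contents>
    <Key>secret/dont_show</Key>
    <Generation>1703868647771911</Generation>
    <MetaGeneration>1</MetaGeneration>
    <LastModified>2023-12-29T16:50:47.809Z</LastModified>
    <ETag>"737eb19c7265186a2fab89b5c9757049"</ETag>
    <Size>29</Size>
  </Contents>
</ListBucketResult>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts in front of tag names."""
    return tag.rsplit("}", 1)[-1]


def exposed_outside(listing_xml, public_prefixes=("src/",)):
    """Return (key, size) for every listed object not under an intended public prefix."""
    root = ET.fromstring(listing_xml.strip())
    findings = []
    for element in root.iter():
        if local_name(element.tag) != "Contents":
            continue
        fields = {local_name(child.tag): (child.text or "") for child in element}
        key = fields.get("Key", "")
        if not key.startswith(tuple(public_prefixes)):
            findings.append((key, int(fields.get("Size") or 0)))
    return findings


if __name__ == "__main__":
    for key, size in exposed_outside(LISTING):
        print(f"listed to anonymous users outside public prefix: {key} ({size} bytes)")
```
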
Use Google Lens to find the airport: this is Bordeaux Merignac Airport (BOD), Bordeaux, France
Airport: BOD
Use Google Lens to look up the aircraft
We found this plane and the airline name:
https://www.iberia.com/ru/park/iberia/A340-300
Aircraft is: Airbus A340-300
Airline is: Iberia
So, flag is:
UofTCTF{BOD_Iberia_A340-300}
Read and understand!
FLAG:
UofTCTF{600d_1uck}
We swiped a top-secret file from the vaults of a very secret organization, but all the juicy details are craftily concealed. Can you help me uncover them?
We are given a PDF file where the flag is colored black. You can solve this task in 3 different ways.
- Open the PDF file with any editor and remove the shaded area
- Open the file with one of the browsers and copy the place where the flag is written
- Open it in a browser and enable the read aloud function.
FLAG:
uoftctf{fired_for_leaking_secrets_in_a_pdf}
We are given a site. We need to find a combination of bits in bytes that will make all the pink roundels turn green.
You can see some interesting comments in the source code:
/* LED1 */ /* b1_7_l1_c1 */
From the first comment you can understand that the following lines are related to the roundels.
On further examination, you will see that under some comments like /* b1_7_l1_c1 */ there are almost identical CSS lines. Having studied them, you can understand that one of the two wrappers changes something. In a comment, b1 can mean byte 1, l1 a catcher and c1 a checker, and the remaining number can mean a bit.
By examining the contents of the :has pseudo-class, you can understand under what conditions the change occurs.
Once all the roundels are green, all we have to do is turn all the bytes into ASCII symbols.
FLAG:
uoftctf{CsS_l0g1c_is_fun_3h}
We have been given this text: hc0rhh3r3ylmsrwr___lsewt_03raf_rpetouin$_3tb0_t
Look at the name of the task and look for a cipher related to "wheel barrow".
We found this cipher: the Burrows–Wheeler Transform.
Just use an online Burrows–Wheeler Transform decoder.
The decoder gave several possible options.
Take the burr0w_wh33ler_transform_is_pr3tty_c00l_eh$th3_ option, move th3_ to the beginning of the sentence and wrap the flag in uoftctf{}
FLAG:
uoftctf{th3_burr0w_wh33ler_transform_is_pr3tty_c00l_eh$}
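What the online decoder does, as an added example that is not part of the original writeup: an inverse Burrows–Wheeler Transform run on the challenge text. It assumes `$` is the end-of-text sentinel and that rotations were sorted in plain ASCII order; the function names are my own. The "several possible options" are the rows of the rotation table, and the row ending in `$` is the original text.

```python
# Ciphertext from the challenge, as quoted in the writeup.
CIPHERTEXT = "hc0rhh3r3ylmsrwr___lsewt_03raf_rpetouin$_3tb0_t"


def bwt(text):
    """Forward transform: last column of the sorted table of rotations."""
    rotations = sorted(text[i:] + text[:i] for i in range(len(text)))
    return "".join(row[-1] for row in rotations)


def all_rows(last):
    """Rebuild every row of the sorted rotation table from its last column."""
    n = len(last)
    # Stable sort: the k-th occurrence of a character in the first column is
    # the same text position as its k-th occurrence in the last column.
    order = sorted(range(n), key=lambda i: last[i])
    rows = []
    for start in range(n):
        row, out = start, []
        for _ in range(n):
            # last[order[row]] is the first character of the current row, and
            # order[row] is the row holding the same rotation shifted left by one.
            row = order[row]
            out.append(last[row])
        rows.append("".join(out))
    return rows


def inverse_bwt(last, sentinel="$"):
    """Return the one rotation that ends with the sentinel (the original text)."""
    if last.count(sentinel) != 1:
        raise ValueError("need exactly one sentinel to pick the starting row")
    # The row whose last character is the sentinel is the unrotated text.
    return all_rows(last)[last.index(sentinel)]


if __name__ == "__main__":
    plain = inverse_bwt(CIPHERTEXT)
    print(plain)
    print("uoftctf{" + plain + "}")
```
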














