BreakSec v2.0 CTF – Write Up

This write-up will serve as a walkthrough of the BreakSec v2.0 CTF conducted by Kruptos Security Club, on 17th March 2019.

Along with the participants, I also sat down to try my hand at the challenges, and I was able to solve most of them. So I am doing a write-up here. First off, let’s start with the Web App challenges.

Web Apps

Easy Peasy Lemon Squeezy

The flag is hidden on the provided link somewhere. Let’s see if you can find it.

Upon visiting the given link and viewing the page source, we immediately find the flag inside an HTML comment.

Source is the key

This challenge provides us with a Login page, and the clue, source is the key. Poking into the source code of the Login page, we find this:

It looks like the string is base64 encoded, and we decode it from Terminal as

Using the username admin and the decoded password, I tried to log into the webpage and got the flag.

Robots disallowed

Using the title as a clue, I visited robots.txt and found an HTML page there.

The flag can be found by opening the HTML page.

Indexing

Upon opening the page we find that only Bing bots are allowed to access the page.

Search engine bots identify themselves as bots to the server by providing a special User-Agent. Here, the required user agent is `Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)`. I used a Firefox extension, Custom UserAgent String, to do the job.

Alien Invasion

Okay, this challenge provides us with a login page.

Assuming we could find an SQL injection point, I probed the page.

Since we got a MySQL server error, there is a possible SQLi present, so I performed a quick assessment with SQLMap.

Now I will dump the data from the database. There are 2 tables, and upon querying the flag table, we have the flag.

Include It

There are a couple of links on the challenge page; notice the GET parameter holding filenames. Trying for Local File Inclusion might help.

Here the flag.txt file is stored in some common directory of the server. I tried the server filesystem root and found the flag.

Cryptography

All Roads lead to Rome

Alright. This is a secret message which needs to be decoded.

EKZF{xnt_snn_aqtstr}

The easiest cipher in cryptography, the Caesar cipher, is in use here. It is a mono-alphabetic substitution cipher, which substitutes each character in a message with a character that is a fixed offset away in the alphabet. I loaded the encoded message into a website and got the result in no time.
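The same decoding can be done offline. The following is an added example, not code from the original write-up: it tries all 26 shifts and keeps the one whose output starts with the flag prefix `FLAG{` seen elsewhere in this CTF (the function names and the use of that prefix as a crib are assumptions of this example).

```python
import string


def shift_text(text: str, k: int) -> str:
    """Shift every ASCII letter forward by k positions, keeping case and non-letters."""
    out = []
    for ch in text:
        if ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + k) % 26 + 65))
        elif ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + k) % 26 + 97))
        else:
            # Braces, underscores and digits are not part of the cipher alphabet.
            out.append(ch)
    return "".join(out)


def crack_caesar(ciphertext: str, crib: str = "FLAG{"):
    """Try all 26 shifts; return (shift, plaintext) for the first one starting with crib."""
    for k in range(26):
        candidate = shift_text(ciphertext, k)
        if candidate.startswith(crib):
            return k, candidate
    return None  # no shift produced the expected prefix


if __name__ == "__main__":
    # Ciphertext taken from the challenge text above.
    print(crack_caesar("EKZF{xnt_snn_aqtstr}"))
```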

Secret

So there is a coded message and an image here.

464c41477b6d24272726213d0c39203c1a3e31382d38

This looks like hex (base 16) encoded data. Decoding it gives us some random clutter and not the full flag.

Downloading the attached image and viewing its EXIF data reveals a secret message.

EXIF analysis

It reads MINIONS_ARE_CUTE, and this is ASCII (base256). Now this can be solved in two ways.

The first way is to convert base16 to base256 and we get the output like this

Base64 decode from terminal

The secret message is also the same length as the remaining characters in the encoded message. Now this seems like a key to decode the rest of the flag. So I XOR the hex message with this key and get the output using the Python interpreter.

XOR calculation from terminal

Thus the entire flag would now be: FLAG{minions_fan_army}
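The whole recovery in one script, as an added example that is not the author's original code: it hex-decodes the message, leaves the leading bytes that are already readable untouched, and XORs the trailing bytes with the EXIF string. The function names, and the rule that the key lines up with the last `len(key)` bytes, are assumptions of this example based on the description above.

```python
def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key if data is longer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_flag(hex_blob: str, key: bytes) -> str:
    """Hex-decode the blob, keep the plaintext prefix, unmask the tail with key."""
    raw = bytes.fromhex(hex_blob)
    split = len(raw) - len(key)
    if split < 0:
        raise ValueError("key is longer than the encoded message")
    # Bytes before `split` decode directly to ASCII; the rest are XOR-masked.
    prefix, masked = raw[:split], raw[split:]
    return (prefix + xor_with_key(masked, key)).decode("ascii")


if __name__ == "__main__":
    blob = "464c41477b6d24272726213d0c39203c1a3e31382d38"  # from the challenge
    key = b"MINIONS_ARE_CUTE"                               # from the image EXIF data
    print(bytes.fromhex(blob)[:6])   # the readable part of the plain hex decode
    print(recover_flag(blob, key))
```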

Cryptic or not

This challenge gives us a ZIP file with 5 files in it. Each file contains a different encoded message.

So the different encoding schemes used here (in order) are:

  • Hex code for ASCII
  • Base64
  • Binary code for ASCII
  • Decimal code for ASCII
  • Octal code for ASCII

I wrote a Python script to decode all 5 files simultaneously. Alternatively, online decoders can be used.

The flag is jumbled up. Putting it back in order gives the flag,

FLAG{Cyber_security_is_a_huge_domain_you_cannot_cover_all_the_topics_in_depth_easily}
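A decoder for the five schemes listed above could look like this. It is an added example, not the script used in the original write-up, and the five encoded fragments are constructed sample data rather than the contents of the challenge files.

```python
import base64


def decode_tokens(text: str, base: int) -> str:
    """Decode whitespace-separated character codes written in the given base."""
    return bytes(int(tok, base) for tok in text.split()).decode("ascii")


# One decoder per scheme, in the order the write-up lists them.
DECODERS = {
    "hex": lambda s: bytes.fromhex(s).decode("ascii"),
    "base64": lambda s: base64.b64decode(s, validate=True).decode("ascii"),
    "binary": lambda s: decode_tokens(s, 2),
    "decimal": lambda s: decode_tokens(s, 10),
    "octal": lambda s: decode_tokens(s, 8),
}

# Constructed sample fragments (not the real challenge files).
SAMPLES = [
    ("hex", "464c4147"),
    ("base64", "e3NhbQ=="),
    ("binary", "01110000 01101100 01100101"),
    ("decimal", "95 111 110"),
    ("octal", "154 171 175"),
]


def decode_all(samples):
    """Return the decoded fragment for every (scheme, data) pair."""
    return [DECODERS[scheme](data.strip()) for scheme, data in samples]


if __name__ == "__main__":
    parts = decode_all(SAMPLES)
    print(parts)
    print("".join(parts))
```

The scheme is passed explicitly because the numeric encodings are ambiguous: `111 107` is valid as both decimal and octal and decodes to different characters in each.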

Miscellaneous

Deception

The challenge is a .docx file but opening it gives nothing. So I decided to unzip it instead, and we got the flag.

Just plain but not plain

Now this challenge is apparently a blank PDF file. I will try to select all the text by pressing Ctrl+A, copy and paste it to a file. Now it can be read.

Insecure Transmission

We have been given a pcap file and told that a user had logged in through an insecure channel. Now we need to extract the credentials and find the flag. Let me open the file in Wireshark to analyse the packets.

Inspecting the submitted data posted to /login.php, I got this:

Steganography

Pretty Obfuscation

This challenge is an image named steg1.jpg, clearly indicating a steganography challenge. I will try to extract information using steghide, a popular steganography tool. When asked for a passphrase, I will leave it empty and hit Enter.

The flag seems to be base64 encoded, and thus I will decode it and we got the flag.

We don’t forgive, we don’t forget

This image refers to Anonymous.

I tried to extract the image with steghide using an empty passphrase, but it doesn’t work. So I must guess the passphrase; one of the guesses was ‘anonymous’, which is the clue present in the image.

Now that’s a lot of ASCII. I decode it using Python.

The flag is again base64 encoded, so I decode it using Python.

The End

Hope you guys enjoyed this little write-up. This CTF consisted of 14 challenges covering Web Applications, Steganography, Cryptography, and other challenges.

I’m pretty sure you would have solved these challenges in a different way. Let us know how you solved it by commenting below.
