Quals: Saudi and Oman National Cyber Security CTF 2019. WriteUp
Hi, Habr.
On February 7-9, 2019, the qualifying stage of the competition was held at the cybertalents site, the goal is to search for cyber talents for Oman and Saudi Arabia. People from other countries, according to the rules of the event, participate out of competition. Under the cut - analysis of certain tasks.
The competition consists of 9 tasks, four of them are “easy” difficulty levels, four are “medium”, and one is “hard”. For each task given 50, 100 and 200 points, respectively. Tasks are also categorized. Below is a solution to some problems.
Easy, Web Analytics
Let's try a POST request to the second page:
Gently pass the code through JS beautify:
Flag:
Easy Digital Forensics
Link to the picture
Medium, Malware Reverse Engineering
Easy, General Information
On February 7-9, 2019, the qualifying stage of the competition was held at the cybertalents site, the goal is to search for cyber talents for Oman and Saudi Arabia. People from other countries, according to the rules of the event, participate out of competition. Under the cut - analysis of certain tasks.
The competition consists of 9 tasks, four of them are “easy” difficulty levels, four are “medium”, and one is “hard”. For each task given 50, 100 and 200 points, respectively. Tasks are also categorized. Below is a solution to some problems.
Back to basics
Easy, Web Analytics
not pretty much many options. There is always a different wayGiven a link like example.com/somepage. When going through it, we are redirected (301 Moved Permanently) to the same page with a slash at the end, and she, in turn, redirects to google.com:
Let's try a POST request to the second page:
var _0x7f88=["","join","reverse","split","log","ceab068d9522dc567177de8009f323b2"];function reverse(_0xa6e5x2){flag= _0xa6e5x2[_0x7f88[3]](_0x7f88[0])[_0x7f88[2]]()[_0x7f88[1]](_0x7f88[0])}console[_0x7f88[4]]= reverse;console[_0x7f88[4]](_0x7f88[5]) Gently pass the code through JS beautify:
function reverse(_0xa6e5x2) { flag = _0xa6e5x2['split']('')['reverse']()['join']('') } console['log'] = reverse; console['log']('ceab068d9522dc567177de8009f323b2') Flag:
2b323f9008ed771765cd2259d860baecI love images
Easy Digital Forensics
You can find it?The picture is attached to the task:
Link to the picture
Decision
Open the hex editor. Note that the png format has a “IEND” trailer (49 45 4E 44). We look at the end:
It is observed that added additional information to the end of the file. The first assumption is base32, since all letters in one case. We decrypt:
It is observed that added additional information to the end of the file. The first assumption is base32, since all letters in one case. We decrypt:
FLAG{Not_Only_Base64}I love this guy
Medium, Malware Reverse Engineering
Can you find the password?File is given
Decision
Pass the file through Detect It Easy:
We open DNSpy x86
The file is really very small and consists of a single user event - Button_Click:
Also in the current class the line is declared:
There are two possible solutions - in statics and dynamics. First, we solve the static method:
When we make sure that the program is not harmful, you can debug it in dynamics. We set the breakpoint (breakpoint, breakpoint) at the beginning of the method, we look in local variables, we extract the value variable, after which we get a message with a flag.
Flag:
We open DNSpy x86
The file is really very small and consists of a single user event - Button_Click:
string value = new string(new char[] { this.Letters[5], this.Letters[14], this.Letters[13], this.Letters[25], this.Letters[24] }); if (this.TextBox1.Text.Equals(value)) { MessageBox.Show(new string(new char[] { this.Letters[5], this.Letters[11], this.Letters[0], this.Letters[6], this.Letters[26], this.Letters[8], this.Letters[28], this.Letters[11], this.Letters[14], this.Letters[21], this.Letters[4], this.Letters[28], this.Letters[5], this.Letters[14], this.Letters[13], this.Letters[25], this.Letters[24], this.Letters[27] })); } Also in the current class the line is declared:
public char[] Letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ{}_".ToCharArray(); There are two possible solutions - in statics and dynamics. First, we solve the static method:
# text - текст метода >>> for i in range(len(letters)): text = text.replace(f"this.Letters[{i}]", letters[i]) >>> print(text) string value = new string(new char[] { F, O, N, Z, Y }); if (this.TextBox1.Text.Equals(value)) { MessageBox.Show(new string(new char[] { F, L, A, G, {, I, _, L, O, V, E, _, F, O, N, Z, Y, } })); } When we make sure that the program is not harmful, you can debug it in dynamics. We set the breakpoint (breakpoint, breakpoint) at the beginning of the method, we look in local variables, we extract the value variable, after which we get a message with a flag.
Flag:
FLAG{I_LOVE_FONZY}Just Another Conference
Easy, General Information
OWASP in different locations
Flag
Appsec
Source: https://habr.com/ru/post/439590/