NoEscape CTF

NoEscape CTF

NoEscape CTF was conducted by RIT Rookie-Uttarakhand students and was held in both the online and offline versions. IT was pretty good CTF and the challenge had enough information to solve them.  But Challenge creators were not online during the CTF in discord which meant a whole sort of mess and contradiction. In this Blog, as usual, I have given a writeup on how to solve all the above challenges where are solved.


Web

Laugh and Sing

On Inspect the request in the website, one of the x-hash which is not commonly used and decrypting will give you a flag.

Unlock your Santa's gift

"How is it, dear Santa, that in your pack of toys
You have plenty for all of the world’s girls and boys?
Stays so full, never empties, as you make your way
From rooftop to rooftop, to homes large and small,
From nation to nation, reaching them all?"

https://santas-gift.web.app/

It was a client password validation through javascript.

const checkPassword = () => {
    let e = document.getElementById("password").value,
        d = Array.from(e).map(e => 5 * "NO ESCAPE CTF".split("").map(e => e.charCodeAt(0)).reduce(function(e, d) {
            return e + d
        }) + e.charCodeAt(0));
    return 4446 === d[13] && 4477 === d[15] && 4447 === d[0] && 4489 === d[2] && 4492 === d[10] && 4496 === d[8] && 4476 === d[1] && 4476 === d[3] && 4485 === d[19] && 4478 === d[20] && 4421 === d[17] && 4407 === d[12] && 4486 === d[9] && 4489 === d[11] && 4491 === d[16] && 4480 === d[5] && 4407 === d[7] && 4487 === d[18] && 4407 === d[4] && 4490 === d[6] && 4480 === d[14] && e
};
window.addEventListener("DOMContentLoaded", () => {
    document.getElementById("go").addEventListener("click", () => {
        let e = checkPassword();
        e ? window.location.href = e : alert("Wrong password")
    }), document.getElementById("password").addEventListener("keydown", e => {
        if (13 === e.keyCode) {
            let d = checkPassword();
            d ? window.location.href = d : (document.getElementById("password").classList.remove("valid"), alert("Wrong password!"))
        }
    }), document.getElementById("password").addEventListener("keyup", e => {
        checkPassword() ? document.getElementById("password").classList.add("valid") : document.getElementById("password").classList.remove("valid")
    })
}, !1);

In this code, the each character of input password is converted into string and then multiplied with default string called "NO ESCAPE CTF" and at last concated together. With simple python script of converting all printable to encoded value can give you decoding map to get the flag.

Biscuits store

One of my friends stopped by an online bakery last week. She told us that this website is susceptible to attacks since she was so concerned, but she didn't specify what it is. Can you assist the website administrator by identifying the online vulnerability?

https://santa-biscuit-store.herokuapp.com/

This challenge had login page and bypass was easy since it had credentials encoded in base64 in source code hard coded. e3VzZXJuYW1lOid1c2VyJyxwYXNzc3dvcmQ6J3VzZXInfQ== => user:user

As name of the challenge suggest, its a cookie based challenge which was base64 encoded with JWT auth token. That can be decoded and manipulated using tool like https://jwt.io/ and back vulnerability was it did not check for signature verification with private which leads to flag.

There’s snow place like home.

"I'll be home for Christmas
No matter how much it snows
The tracks are clear and I'm getting near
'Cause there's snow place like home"
https://snow-place.web.app

We had Santa's picture on the website but the opening did not give an actual picture, hence we got the flag.

Find your Santa

Barbara was waiting for Santa to come and bring her toys,
But her mother told her no one can find Santa, neither Santa tracker.
Neither human nor even robots can find him!
Can you help Barbara?

https://where-is-santa.web.app

As the challenge description, says we have robots.txt within the website which hold another lead called hidden.txt

index.html,1668603668270,d67329e506af2ceceb69d820ed032c8289cf1e3b066b753fd89bca5ef998510e
hidden.txt,1669246353629,9e6512fcf4a87dccd41c06f65039f07b78172ec9df7fb798d33cd41ac5412244
robots.txt,1669246264369,a8985ec955e790441da9c094e95bb138146627f600e430b7180efdd2fcf499c1
c36bbd258b7ee694eb987221b2b197b0 => jpg
98809c3f491160651ce442f657c62218 => santa
d5189de027922f81005951e6efe0efd5 => location
.
-

After cracking the hash you will get the file name which has the flag, santa-location.jpg

Get your flag

This was a kinda code review challenge with a parameter pollution exploit. https://crack-admin.herokuapp.com/ index.js

const express = require("express");
const bodyParser = require("body-parser");
const { inviteCode, flag } = require("./secret");
const app = express();

app.use(bodyParser.text());
const port = process.env.PORT || 3000;
const baseUser = { picture: "default.png" };

function createAdmin() {
  return `Creating admin account, flag is ${flag}`;
}
function createUser() {
  return "Creating user account";
}

app.post("/", (req, res) => {
  let user;
  try {
    user = JSON.parse(req.body);
  } catch (e) {
    return res.status(400).json({ message: "Invalid Request body" });
  }
  if (user.isAdmin && user.inviteCode !== inviteCode) {
    res.send("No invite code? No admin!");
  } else {
    let newUser = Object.assign(baseUser, user);
    if (newUser.isAdmin) {
      res.send(createAdmin(newUser));
    } else {
      res.send(createUser(newUser));
    }
  }
});
app.listen(port, () => {
  console.log(`App listening on port ${port}`);
});

This Object.Assign is vulnerable to parameter pollution and you can manipulate the value through injecting payload like {"proto":{"isAdmin":true}} which will give you the flag.


PWN

The Real Santa

It was an easy binary-based reversing challenge I am not sure why it was under the PWN category. It had simple validation where the data is strong in encoded value and check with user input. Decoding from HEX to ASCII will give you the flag.

Santa is near

Just one more step and you will meet Santa.

nc ctf.x-mas.biz 8081

Found it was Sqlinjection challenge but discovering which type of database was difficult and after multiple attempts found it was SQLite Database. Used Union-based attack to find the table name and columns to get the flag.

nc ctf.x-mas.biz 8081                                                         

Username:  
Password: ' AND 1=2 UNION SELECT value,text from flag --
Welcome 1 NECTF{SQL_1nj3cti0n_is_3asy}

Stenography

Santa Claus

Santa is on the way to deliver gifts, he just took a foto of himself with his magical camera.
How is he looking, can you comment :) ?

https://drive.google.com/file/d/1ds9j85xA_jhJ-1pWrCKPAHVuYVf8MOv3/view?usp=sharing

The given file was PNG and after spending 2 hours using various tools to find which type of steganography technique was used. Found that it was stegsolve tool and with my strong eye sight I was able to find the flag. But only photoshop skill helps at last.


Misc

Santa's key

Santa was on the way to your home. But, in the way he lost his vehicle's key. Help him find the key & reach your home.

def str_xor(secret, key):
    #extend key to secret length
    new_key = key
    i = 0
    while len(new_key) < len(secret):
      new_key = new_key + key[i]
      i = (i + 1) % len(key)
    a = []
    for (secret_c,new_key_c) in zip(secret,new_key):
        a.append(chr(ord(secret_c) ^ ord(new_key_c)))
    return ''.join(a)


flag_enc = 0x1d,0x24,0x2d,0x20,0x27,0x28,0x32,0x2e,0x1a,0x35,0x32,0x46,0x1d,0x2b,0xa,0x60,0x18,0x31,0x1c,0x52,0x21,0x52,0x13
flag = str_xor(flag_enc, 'Santa')
print('That is correct! Here\'s your flag: ' + flag)

It was again kinda code-review challenge, we just want to fix the code which will give the flag. We can see that ord is used against an integer which should be removed to get the flag.

Bad Cake

Santa stored delicious cake for you somewhere, and stored that info in this file. Some bad eyes hackers steal that info and stored it in an encrypted file.But, Somehow we managed to get that encrypted file for you , can you decrypt it?

As the challenge name says we have to bake a good cake from cyberchef.

Welcome to NECTF

Nice challenge but hiding the flag in source code comments.

Star of Bethlehem

Ancient Story :

The Star of Bethlehem, or Christmas Star, appears in the nativity story of the Gospel of Matthew chapter 2 where "wise men from the East" are inspired by the star to travel to Jerusalem. There, they meet King Herod of Judea, and ask him: Where is He who has been born King of the Jews?

Can you see the brightest star?

Simple and Easy challenge where flag was hardcoded as string within the binary which could be retrieved through strings command.

Wise Men from the East

Oh no! there's bunch of stars. Wise Men from the East lost there way to Jerusalem. Who gonna help him? Can you identify the real star.

Which Star? Which Star? Twinkle, Twinkle Real Star... How I wonder where you are? Up above the world so high, like a diamond in the sky...

https://drive.google.com/file/d/1PdtV4PtRUq7NnzLGficWNTkQ7552ERT6/view?usp=sharing

This was also kind of easy challenge, you have a zip file and it has n number of text file and one among them have the flag. Like previous challenge you can use string command with grep to find the flag.

Santa's Letter

Do you really think it's just a letter?

NECTF{flag}

The given PDF file has this db900b5ccc33a4e61a8cf9abeb0cae4a md5 hash in white text and I also found DAFSyxPwzYk,BAFSsXzcNXY it from metadata that ended up in a rabbit hole. It was just hash cracking challenging, but initially, the crackstation-like tool did not work since it was a password with a special character.

https://www.md5online.org/md5-decrypt.html

Knock Knock

Can you open your gate for Santa?
Logic Lock // Beginners Quest 2 - Google CTF
A writeup for challenge 2 of the beginners quests of the Google CTF.
NECTF{LMPQTUZ}

But Challenge authors reveal the challenge mistake one hour from the ending time that XNOR was XOR and flag changed LMPQTURZ.


Forensics

X-mas Tree

You know, Christmas trees are quite important; they filter water, lower runoff and potential flooding, give animals a place to live, food to eat, and shelter. So this year, on the eve of Christmas, you have set out on a quest to plant one Christmas tree. To unlock the seedling nursery, you will, however, require a type of hidden flag. Can you spot the flag? All we have is the picture of the Christmas tree.

It was an interesting challenge where two JFIF Magic but ended up in a rabbit hole again, the flag was hiding in the string itself.

X-mas Carol

Namaste Hacker!We have special x-mas carol for you.Go ahead feel the music!
And yes, Don't forget about the flag!!

Again Easy and simple challenge, flag was hidden within lyrics of the mp3, unzipping the file and using string with grep will get you the flag.

X-mas Tree - II

I'm not sure, but someone informed me this number is intriguing.

44,642
https://drive.google.com/file/d/11ZX-PFvGBwj0pQkWtJ9NdS_TrTCrPojk/view?usp=sharing

Yet another strings challenge.


Trivia

Quick feasibility check

Discord 😉
https://discord.gg/M5Nsp3Spry

Smart Brains

mhsn pz olyl vusf. Qbza zbitpa.
flag format: NECTF{flag}

One of the dumbest challenges. This text was rot19 and the flag was falg.

Santa's Mail


Santa's account was hacked, and the hacker received a private email.But we manage to capture the screenshot in some way,However, we have no notion what is written there.For the sake of humanity, could you understand it?

Another ROT challenge where you have to extract text and rot13 to get the flag.

Github

Entrance Exam

Can you pass the Entrance exam?

https://github.com/NOESCAPECTF-LIVE/Welcome_to_NoEscape_EntranceExam

Join the github classroom and it will give you the flag


Crypto

X-mas Present

Santa has something for you. Go look for it.

nc ctf.x-mas.biz 8080

Simple and easy challenge converting the HEX number ignore the other character will give you the flag.

Hello Santa

Santa will be welcomed with an unique message!  Can you decrypt it? The key to decrypting the message is "merry xmas."

This was an XOR challenge that was written in python and reversing the process of calculating gives you the flag.

Hello Santa II

Santa has an exclusive message for you that only you will get! however regrettably some nasty folks mingled that key with some other keys. Can you locate the real key and decode it to retrieve your secret message?

Same above challenge but here key was not given you have to brute force for key

Jingle Bells

Oh, jingle bells, jingle bells Jingle all the way Oh, what fun it is to ride In a one horse open sleigh Jingle bells, jingle bells Jingle all the way Oh, what fun it is to ride In a one horse open sleigh Dashing thr...

Oh Sorry! i think you need flag, here's the file. Go & look for it, All the best.

Yet another HEX Decode challenge, decoding the HEX to ASCII will give you the flag.


Overall the CTF was kind of easy, hope this blog was useful for learning something new. Thanks for Reading!