CyberTalents National CTF 2021

My team and I recently took part in the CyberTalents National CTF 2021, where we emerged 1st in Kenya :) We managed to solve all challenges but one. Here are some of the writeups for the challenges we solved.

Since the challenges are down, I will try my best to reconstruct the solutions.

Argos was an ‘easy’ rated challenge, well some may tend to disagree :) This challenge was solved by @k0imet

The first step involved a directory bruteforce on the challenge link, which gave us a directory java.php. This page contained some obfuscated JavaScript that handled the authentication.

The important function to look at is check. Towards the end a comparison is made and an alert is given. The alert was the error message shown if the login was correct or incorrect. We also have an array of strings and in the array is a string called ‘CT2021’

This writeup has a similar challenge and we can find out which variables are being passed. CT2021 was the user and pass for the website, which upon login gives us the flag.

In this challenge we had to trace the most recent online activity of a missing person. We were given this link, https://bitly.com/3frKIAX, which led us to a Twitter account with protected tweets.

From the new Twitter URL https://twitter.com/rzsdw2iwug77eda/status/1394223468003176455 we can spot the username rzsdw2iwug77eda. So immediately my mind went to Sherlock.

We get a pastebin, with a date.

So apparently this is a red herring. This date wasn’t the user’s most recent activity.

After thinking for a while, I decided to try and trace when the bit.ly link was created. My teammate ended up uncovering the trick. By adding a ‘+’ to the end of the bit.ly link you can trace when it was first created. The date here was the solution.

In this challenge, we needed to fix the source code provided. The data being passed to the function was not being sanitized and one could achieve some XSS.

Modify the utils file to . Submitting the modified code gives us the flag.

This solution was curated by @k0imet and @mystickev. We are given a base64-encoded string fdXU1Z2hSRwIzaHAxQ8zcjNIX3MxNUdqaWRmPT09XiNUdqaWRmPT09XihkZCUtVGhncz8lHJmIzmh1dGRyZ0Zmd2dlfV8zcjNIX3MxX3IzaHAxQ18zNXIzdjNSXzNscG0zNV97Z2FsZgZGRmNVxQ18zanNnaGZkYWhocaWRmPT0TWNkc2hdXU1Z2hSRwIzaHAxQ8zcjNIX3MxNfV9fM3IzSF9zMV9yM2hwMUNfMzVyM3YzUl8zbHBtMzVfX3tnYWxm==

Using CyberChef to decode it, you can pick out bits of the flag in the output, i.e. 1s_H3r3.

So our goal is to remove noise from the base64 string by removing some chunks of bytes. Removing fd at the beginning and == at the end.

We get 2 flags. One of them was the answer.
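
The chunk-removal step above can be automated; the following is an added example, not code from the original writeup. It decodes the quoted string at each of the four possible base64 alignments, which covers the manual removal of fd and ==, and searches every result both as-is and byte-reversed. The flag{...} pattern, the reversed search and the name find_flags are assumptions of this example.

```python
import base64
import re

# Noisy base64 string exactly as quoted in the writeup above.
NOISY = (
    "fdXU1Z2hSRwIzaHAxQ8zcjNIX3MxNUdqaWRmPT09XiNUdqaWRmPT09XihkZCUtVGhncz8l"
    "HJmIzmh1dGRyZ0Zmd2dlfV8zcjNIX3MxX3IzaHAxQ18zNXIzdjNSXzNscG0zNV97Z2FsZg"
    "ZGRmNVxQ18zanNnaGZkYWhocaWRmPT0TWNkc2hdXU1Z2hSRwIzaHAxQ8zcjNIX3MxN"
    "fV9fM3IzSF9zMV9yM2hwMUNfMzVyM3YzUl8zbHBtMzVfX3tnYWxm=="
)

# Assumption of this example: flags look like flag{...}.
FLAG_RE = re.compile(rb"flag\{[^{}]*\}")


def find_flags(blob: str) -> list[str]:
    """Decode blob at every base64 alignment and collect flag-shaped strings.

    Base64 maps 4 characters to 3 bytes, so junk whose length is not a
    multiple of 4 shifts the grouping of everything after it. Trying the
    four start offsets re-aligns each genuine chunk at least once.
    """
    # Keep only base64 alphabet characters (drops '=' padding and whitespace).
    body = re.sub(r"[^A-Za-z0-9+/]", "", blob)
    found: list[str] = []
    for offset in range(4):
        part = body[offset:]
        part = part[: len(part) - len(part) % 4]  # whole 4-char groups only
        if not part:
            continue
        raw = base64.b64decode(part)
        # Search the decoded bytes forwards and reversed (assumed encoding).
        for view in (raw, raw[::-1]):
            for match in FLAG_RE.finditer(view):
                flag = match.group().decode("ascii", "replace")
                if flag not in found:
                    found.append(flag)
    return found


if __name__ == "__main__":
    for flag in find_flags(NOISY):
        print(flag)
```
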

For this challenge, we are given an IP for a machine. We need to gain a shell and get the flag.

From the challenge name I suspected the solution would involve pipes. So I googled the Samba version from the nmap results.

So our vuln was the is_known_pipename() from SambaCry. Luckily Metasploit has this module.

We get a shell.

This was a simple forensics challenge that required us to utilize a registry explorer tool to find the most recent executed application.

After tons of googling, I found a tool called Registry Explorer that could simplify the solution. All I needed to do was supply a registry key to navigate the file hierarchy as follows

Load the hive file

Interact with the hive file to get an overview of the file hierarchy

Use the registry key — ‘recent file list’ to get the most recent executed application

The flag was gpedit.msc

This solution was curated by my teammate @gilbert. It is a simple buffer overflow challenge where we need to overwrite the return address with 0xdeadbeef.

We can solve the challenge using pwntools as follows

These were the tricky challenges in the CTF and I hope you learned a thing or two. Follow, like and share if you enjoyed :)
