🇺🇸NeverLAN CTF 2020 Writeup (English)
This article was last updated 600 days ago; the information in it may have developed or changed since then.

Author:颖奇L’Amore

Blog: www.gem-love.com

NeverLan CTF ID: Y1ng


web

Cookie Monster (10pt)

This challenge already appeared in the NeverLAN Pre-CTF and I have written it up there:

🇺🇸NeverLAN Pre-CTF Writeup


Stop the Bot (50pt)

Seeing the challenge's name, I knew it was something about bots, so try visiting /robots.txt

It reveals /flag.txt; visit that and the flag is there: flag{n0_b0ts_all0w3d}


SQL Breaker (50pt)

Just an easy SQLi. The username is injectable without any filtering.

The back-end SQL query is presumably something like

select user, password from users where user = '$u' and password='$p'

If we inject the following into the username:

1' or 1=1#

the query becomes:

select user, password from users where user = '1' or 1=1#' and password='...'

Everything after 1=1 is turned into a comment by #, and the WHERE clause is always true because of OR 1=1. Payload:

Username: 1' or 1=1#

Password: anything

The query returns a row, you are logged in, and the flag is shown.


SQL Breaker 2 (75pt)

It is an upgrade of the previous challenge. OR 1=1# still logs us in, but as John, the first user the query returns; to get the flag we need to log in as admin.

Payload:

user: admin'or 1 limit 1,1#

pass: anything

The WHERE clause is again always true, so the query matches every user; LIMIT 1,1 skips the first row (John) and returns one row after it, which is admin. Login succeeds and the flag is there.
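Both SQL Breaker logins can be reproduced offline. The following is an added example, not code from the challenge: it builds an in-memory SQLite table whose row order (John first, admin second) and column names are assumptions chosen to match the page's payloads, runs the page's two injections through a query built by string formatting, and shows the same query with bound parameters rejecting them. SQLite has no # comment, so the MySQL-style # in the payloads is written as -- here.

```python
"""Added example: replay the SQL Breaker payloads against an in-memory SQLite
table (not the challenge's code; table contents and row order are assumptions)."""
import sqlite3

# Constructed sample data: row order matters for the "limit 1,1" trick.
USERS = [("john", "hunter2"), ("admin", "correct horse battery staple")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table users (user text, password text)")
    db.executemany("insert into users values (?, ?)", USERS)
    return db


def login_vulnerable(db, u, p):
    """Mirrors the page's query: user input is spliced straight into the SQL text."""
    sql = f"select user, password from users where user = '{u}' and password = '{p}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db, u, p):
    """Same query with bound parameters: quotes in the input are just data."""
    sql = "select user, password from users where user = ? and password = ?"
    row = db.execute(sql, (u, p)).fetchone()
    return row[0] if row else None


def demo():
    db = make_db()
    return {
        # SQL Breaker: comment out the password check; the first row (john) wins.
        "breaker1": login_vulnerable(db, "1' or 1=1-- ", "anything"),
        # SQL Breaker 2: always-true WHERE plus LIMIT offset 1, count 1 -> second row.
        "breaker2": login_vulnerable(db, "admin' or 1 limit 1,1-- ", "anything"),
        # Parameterised query: the payload is compared literally and matches nothing.
        "fixed": login_fixed(db, "1' or 1=1-- ", "anything"),
        "legit": login_fixed(db, "admin", "correct horse battery staple"),
    }


if __name__ == "__main__":
    for name, who in demo().items():
        print(f"{name}: {who}")
```

The fix is not input filtering but binding: with parameters the database never parses the payload as SQL, so neither the quote nor the comment marker has any effect.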


Follow Me! (100pt)

It is a site with a long chain of 302 redirections: A redirects to B, B redirects to C and so on. You can use Burp Suite to intercept the responses and view the content of each page along the way. After roughly 30 redirections I finally got the flag (exhausted).
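Stepping through each hop in Burp works, but a chain like this is quicker to walk with a script that refuses to auto-follow redirects and keeps every intermediate body. The following is an added example, not part of the write-up: it starts a local HTTP server serving a constructed 30-hop 302 chain (the paths, hop count and flag are made up) and a client that records each hop's status and body and stops when a flag{...} pattern appears.

```python
"""Added example (not the challenge's code): serve a constructed chain of 302
redirects on localhost and walk it hop by hop, keeping every body."""
import http.server
import re
import threading
import urllib.error
import urllib.parse
import urllib.request

HOPS = 30                                   # assumption: length of the constructed chain
FLAG = "flag{constructed_example_flag}"     # constructed, not the real flag


class ChainHandler(http.server.BaseHTTPRequestHandler):
    """/hop/N redirects to /hop/N+1 with a short body; the last hop carries the flag."""

    def do_GET(self):
        m = re.fullmatch(r"/hop/(\d+)", self.path)
        n = int(m.group(1)) if m else 0
        if n < HOPS:
            body = f"hop {n}: nothing here, keep going".encode()
            self.send_response(302)
            self.send_header("Location", f"/hop/{n + 1}")
        else:
            body = f"you made it: {FLAG}".encode()
            self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):           # keep the demo quiet
        pass


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib hand 3xx responses back to us instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def walk_redirects(start_url, max_hops=100):
    """Follow Location headers manually; return ([(status, url, body), ...], flag or None)."""
    opener = urllib.request.build_opener(NoRedirect)
    url, bodies = start_url, []
    for _ in range(max_hops):
        try:
            resp = opener.open(url)
        except urllib.error.HTTPError as e:  # an unfollowed 3xx surfaces as HTTPError
            resp = e
        body = resp.read().decode(errors="replace")
        bodies.append((resp.code, url, body))
        m = re.search(r"flag\{[^}]*\}", body)
        if m:
            return bodies, m.group(0)
        loc = resp.headers.get("Location")
        if resp.code not in (301, 302, 303, 307, 308) or not loc:
            return bodies, None
        url = urllib.parse.urljoin(url, loc)
    return bodies, None


def run_demo():
    """Start the constructed chain on a free loopback port and walk it."""
    server = http.server.HTTPServer(("127.0.0.1", 0), ChainHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return walk_redirects(f"http://127.0.0.1:{port}/hop/0")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    hops, flag = run_demo()
    print(f"{len(hops)} responses seen, flag: {flag}")
```

Keeping every body matters because a challenge like this may hide the flag in an intermediate response rather than the final one; a client that auto-follows redirects throws those bodies away.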


Browser Bias (150pt)

Opening the challenge page, it tells us:

Sorry, this site is only optimized for browsers that run on Commodore 64

Obviously we need to change the User-Agent.

A List of Every User Agent Ever Used To Download a File from PyPI

https://gist.github.com/dstufft/2502524

On this page I found the UA of a Commodore 64 browser:

Contiki/1.0 (Commodore 64; http://dunkels.com/adam/contiki/)

Modify the User-Agent header (in Burp, or with curl -A), refresh the page, and the flag comes out.


Trivia

Milk Please! (10pt)

Introduction:

Trivia Question: a reliable mechanism for websites to remember stateful information. Yummy!

Your flag won't be in the normal flag{flagGoesHere} syntax. Instead, you're looking for the answer to the definition given.

What is the reliable mechanism for websites to remember stateful information? A cookie! Sadly, there is no flag in the site's cookies; the answer is the word itself.

It needs a bit of out-of-the-box thinking: the flag is cookie


Professional Guessing (10pt)

Introduction:

The process of attempting to gain Unauthorized access to restricted systems using common passwords or algorithms that guess passwords

Your flag won't be in the normal flag{flagGoesHere} syntax. Instead, you're looking for the answer to this question.

Weak passwords: just guess them or brute-force them. The flag is the name of the technique rather than a flag{} string, which again needs some out-of-the-box thinking. Flag: password cracking


Base 2^6 (10pt)

Introduction:

A group of binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation

Your flag won't be in the normal flag{flagGoesHere} syntax. Instead, you're looking for the answer to the definition given.

Nothing more to say, the flag is: base64


AAAAAAAAAAAAAA! I hate CVEs (20pt)

Introduction:

This CVE reminds me of some old school exploits. If flag is enabled in sudoers

Searching Google, the CVE the introduction alludes to is CVE-2019-18634 (the sudo buffer overflow), so I checked the CVE's details. It is only exploitable when the pwfeedback option is enabled in sudoers, so the flag is: pwfeedback


Rick Rolled by the NSA??? (50pt)

Introduction:

This CVE Proof of concept Shows NSA.gov playing "Never Gonna Give You Up," by 1980s heart-throb Rick Astley.

Use the CVE ID for the flag. flag{CVE-?????????}

Searching Google, the CVE is CVE-2020-0601 (the Windows CryptoAPI certificate validation flaw; the well-known proof of concept spoofed a certificate for nsa.gov and served the Rick Astley video).

flag: flag{CVE-2020-0601}


PCAP

Unsecured Login (50pt)

Introduction:

We caught someone logging into their website, but they didn't use https!

The flag is in one of the HTTP packets: filter on http, find the login request and read the form fields, which are sent in clear text.

flag: flag{n0httpsn0l0gin}


Unsecured Login2 (75pt)

Introduction:

We caught someone logging into their website, but they didn't check their links when submitting data!

Just filter out all packets except HTTP and you will find the flag: flag{ensure_https_is_always_used}


FTP (100pt)

Introduction:

It looks like someone forgot to use a secure version of ftp...

Filter on ftp and search for the string "flag": the control channel shows a text file at /home/pi/flag.txt being retrieved.

But the FTP control channel (port 21) only carries commands and replies; the file contents travel over a separate data connection, which the ftp filter hides. So clear the filter (or use ftp-data), search the packet details for flag{ and you get the flag: flag{sftp_OR_ftps_not_ftp}


Teletype Network (125pt)

Introduction:

It looks like someone hasn't upgraded to ssh yet...

Your flag will be in the normal flag{flagGoesHere} syntax.

Attachment: telnet.pcap

Unlike ssh, telnet is not secure: nothing it transmits is encrypted, credentials included. Therefore we need nothing else, just search for flag (the same works for the FTP challenge).

flag: flag{telnet_1s_n0t_secur3}


hidden-ctf-on-my-network (250pt)

The same approach solves this 250pt challenge: just search for flag{. This time it sits in DHCP traffic, which is easy to overlook.

flag: flag{who-actually-looks-at-dhcp-server-traffic-anyway}
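Every PCAP challenge above came down to "search the payloads for flag{", and for the FTP one the catch was that the data travels on a separate connection from the control channel. The following is an added example, not part of the write-up: a stdlib-only reader for the classic pcap format that extracts the TCP and UDP payloads from each frame and greps them, run over a capture constructed in memory (an FTP control command, the matching ftp-data transfer, a telnet login and a DHCP-like UDP packet; all addresses, ports and flags are made up). It generalises the page's cases slightly by covering UDP as well as TCP.

```python
"""Added example (not from the write-up): minimal pcap reader that greps TCP/UDP
payloads for flag{...}.  The capture is constructed inline; classic pcap only."""
import re
import struct

FLAG_RE = re.compile(rb"flag\{[^}]*\}")


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) + payload."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def tcp(sport, dport, payload):
    """Minimal TCP header: 20 bytes, data offset 5, PSH|ACK, no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def frame(ip_packet):
    """Ethernet II header with EtherType 0x0800 (IPv4); MACs are dummies."""
    return b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00" + ip_packet


def build_pcap(packets):
    """Little-endian classic pcap: 24-byte global header, 16-byte record headers, linktype 1."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, pkt in enumerate(packets):
        out.append(struct.pack("<IIII", 1_600_000_000 + i, 0, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


def iter_payloads(pcap):
    """Yield (proto, sport, dport, payload) for every IPv4 TCP/UDP frame in the capture."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # byte order of the record headers
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from(endian + "IIII", pcap, off)
        data = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(data) < 34 or data[12:14] != b"\x08\x00":
            continue                                # not IPv4 over Ethernet II
        ip = data[14:]
        ihl = (ip[0] & 0x0F) * 4                    # header length in bytes
        proto, l4 = ip[9], ip[ihl:]
        if proto == 6:                              # TCP: data offset is the upper nibble of byte 12
            sport, dport = struct.unpack_from("!HH", l4, 0)
            yield "tcp", sport, dport, l4[(l4[12] >> 4) * 4:]
        elif proto == 17:                           # UDP: fixed 8-byte header
            sport, dport = struct.unpack_from("!HH", l4, 0)
            yield "udp", sport, dport, l4[8:]


def find_flags(pcap):
    """Return [(proto, sport, dport, flag)] for every flag{...} found in a payload."""
    hits = []
    for proto, sport, dport, payload in iter_payloads(pcap):
        for m in FLAG_RE.finditer(payload):
            hits.append((proto, sport, dport, m.group(0).decode()))
    return hits


def sample_capture():
    """Constructed traffic: FTP control command, ftp-data transfer, telnet login, DHCP-like blob."""
    return build_pcap([
        frame(ipv4("10.0.0.5", "10.0.0.9", 6, tcp(40001, 21, b"RETR /home/pi/flag.txt\r\n"))),
        frame(ipv4("10.0.0.9", "10.0.0.5", 6, tcp(20, 40002, b"flag{constructed_ftp_data_flag}\n"))),
        frame(ipv4("10.0.0.9", "10.0.0.5", 6, tcp(23, 40003, b"login: pi\r\nPassword: raspberry\r\n"))),
        frame(ipv4("10.0.0.1", "255.255.255.255", 17,
                   udp(67, 68, b"\x35\x01\x02" + b"flag{constructed_dhcp_flag}"))),
    ])


if __name__ == "__main__":
    for hit in find_flags(sample_capture()):
        print(hit)
```

Note that the FTP control packet mentions flag.txt but produces no hit; the flag only appears on the port 20 data connection, which is exactly why a display filter of ftp alone was not enough. With tshark the equivalent one-liner is tshark -r file.pcap -Y 'frame contains "flag{"', but the parser shows what that filter actually walks through.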


Crypto

Stupid Cupid (100pt)

Attachment: stupid_cupid.txt

Download the attachment and look at it: it is a matrix of 16 lines of 21 characters plus a list of numbers. There are 16 numbers, the same as the number of lines, so the numbers are probably per-line indices: the 1st number, 6, means the 6th letter on the 1st line, the 2nd number, 12, means the 12th letter on the 2nd line, and so on.

I’ve marked them red

Thus, flag is flag{VERYSIMPLECIPHER}


Pigsfly (30pt)

Cipher:

Obviously it is pigpen cipher, decode it according to this pic:


BaseNot64 (50pt)

cipher:

ORUGS43PNZSXG33ONR4TGMRBEEYSC===

The cipher consists only of upper-case letters and digits and ends in three =s. Base64 never needs more than two padding characters, while Base32 uses the alphabet A-Z plus 2-7 and pads with up to six =s, so this is probably Base32. This website can decode Base32 online.

Decode result: thisonesonly32!!1!

Flag: flag{thisonesonly32!!1!}


Dont Take All Knight (75pt)

cipher:

It is the Knights Templar cipher; there is evidence suggesting that the Knights Templar used a pigpen-style cipher. Let's check it out:

This website can decode Knights Templar Cipher, decode it and you will get flag

flag: flag{evenknightsneedcrypto}


The Invisiable (75pt)

Cipher:

Decode it on this website:

Arthur and the Invisibles Alphabet

https://www.dcode.fr/arthur-invisibles-cipher


My own encoding (200pt)

This challenge just need some out of the box thinking. cipher:

There are 26 English letters in total, but the cipher gives us a 5×5 matrix, i.e. 25 cells. Looking at it carefully, one symbol in the ciphertext is a cell with no black square at all, so it probably stands for the leftover letter.

So it must be one cell per letter; just guess the layout:

B C D E F
G H I J K 
L M N O P 
Q R S T U
V W X Y Z

and blank means A

Flag: nicejobyouhacker


It is like an onion of secret (300pt)

Attachment:

Load it into zsteg / StegSolve.jar; there is something hidden in the LSB.

Decode the Base64 twice (or maybe three times) and we get a ciphertext:

lspv wwat kl rljvzfciggvnclzv

The hint said that it needs a passphrase and that the passphrase is the name of the CTF.

So Vigenère-decrypt it with the key neverlanctf
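The two steps of this challenge, peeling the Base64 layers and then running the Vigenère decryption with the CTF name as key, are small enough to script. The following is an added example, not the write-up's code: the layered blob it works on is constructed by Base64-encoding the ciphertext from the page three times (the real number of layers is whatever zsteg showed), the peeling loop stops as soon as a layer is no longer valid Base64 or no longer decodes to printable text, and the Vigenère routine advances the key on letters only so the spaces pass through.

```python
"""Added example (not from the write-up): peel stacked Base64 layers, then
Vigenère-decrypt with the CTF name as key.  Sample blob is constructed."""
import base64
import binascii
import string

CIPHERTEXT = "lspv wwat kl rljvzfciggvnclzv"   # from the page
KEY = "neverlanctf"                             # the CTF's name, per the hint


def peel_base64(s, max_layers=10):
    """Base64-decode repeatedly while the result is still printable ASCII.
    Returns (innermost text, number of layers removed)."""
    layers = 0
    while layers < max_layers:
        try:
            raw = base64.b64decode(s, validate=True)    # reject non-alphabet characters
        except (binascii.Error, ValueError):
            break
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            break
        if not text or not all(c in string.printable for c in text):
            break
        s, layers = text, layers + 1
    return s, layers


def vigenere_decrypt(ct, key):
    """Classic Vigenère: shift each letter back by the key letter; the key only
    advances on letters, so spaces and punctuation are passed through unchanged."""
    out, ki = [], 0
    for ch in ct:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            k = ord(key[ki % len(key)].lower()) - ord("a")
            out.append(chr((ord(ch) - base - k) % 26 + base))
            ki += 1
        else:
            out.append(ch)
    return "".join(out)


def wrap_layers(text, n):
    """Constructed sample: Base64-encode n times to imitate the challenge's onion."""
    for _ in range(n):
        text = base64.b64encode(text.encode()).decode()
    return text


def solve(blob, key=KEY):
    """Peel the Base64 onion, then decrypt the innermost layer."""
    inner, layers = peel_base64(blob)
    return vigenere_decrypt(inner, key), layers


if __name__ == "__main__":
    plaintext, layers = solve(wrap_layers(CIPHERTEXT, 3))
    print(f"{layers} Base64 layers removed, plaintext: {plaintext}")
```

Decrypting the page's ciphertext with this key yields the sentence "your flag is myfavoritecipher". The printable-text check in the peeling loop is the important caveat: a short plaintext such as "flag" is itself valid Base64, so a loop that only checks whether decoding succeeds can over-peel and destroy the answer.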


Recon

Front Page of the Internet (50pt)

Introduction:

Whoops... I leaked a flag on a public website

-ZestyFE

Searching Google tells us that "the front page of the Internet" is Reddit,

so search for the name of this challenge's author, ZestyFE, on Reddit.

flag is here:

https://www.reddit.com/user/zestyfe

The Big Stage (75pt)

Introduction:

One time we keynoted @SaintCon... I think I remember hiding a flag in our pres

At first I went to SaintCon's website to find the flag but failed.

After quite a while of searching on Google, I turned my attention to NeverLAN's Twitter.

https://twitter.com/NeverLanCTF/status/1044640438131388422

Click the link to a Google Docs page; it is a slide deck about NeverLAN CTF. Apple's presentation app is called Keynote (the counterpart of Microsoft PowerPoint), so the word "keynoted" in the introduction probably hints at slides.

https://docs.google.com/presentation/d/1v_Pj4s5zVxBKXcq5ySPBwQVSXW2dhDm1jkKfU3AJx3w/edit#slide=id.g4276f19bda_0_56

The flag is in the slides

flag:flag{N3v3r_g0nna_g1v3_y0u_up}


The link (75pt)

The challenge mentions "secret Track 2"; you can find Track 2 on this site:

https://live.neverlanctf.com/

Track 2 gives a YouTube video; go to YouTube and search the page for "flag" with Ctrl+F / Command+F, the flag is in the comments


Phreaky (200pt)

By searching Google I finally found this site:

THE PHREAKY WORLD OF PBX HACKING

https://darknetdiaries.com/episode/1/

View the page source to get the flag

flag{n3v3rl4nctf_s4ys_t3ll_us_4n0th3r_1_jack}


Chicken Little

Chicken Little 1 (35pt)
cat Welcome.txt


Chicken Little 2 (36pt)

There are some hidden (dot) files that a plain ls does not show; ls -a lists them, or just cat every regular file under the home directory:

find /home/level1 -type f -exec cat {} +


Chicken Little 3 (37pt)

It has a BAWKBAWK.txt full of BAWK BAWK. Just cat-ing it would waste a lot of time, so we need a quicker check.

I guessed the flag might include "chicken", so I just grepped for c:

grep "c" BAWKBAWK.txt


Chicken Little 4-7

teammate solved them


Reverse Engineer

RE1 (100pt)

Open it with IDA Pro and recover the username/password

Log in successfully and it will display the flag


Solved by Teammates

Just visit my teammates' blogs:

Reverse & Programming & Chicken Little

https://renjikai.com/

Forensics & Crypto

https://imagin.vip/

 

Original article by 颖奇L'Amore; when reposting, please credit the author and link to the article.

Article link: https://www.gem-love.com/ctf/1291.html

Note: this site periodically updates its image links; after reposting, be sure to host the images locally, otherwise they will not display.
