HAC-SEC CTF 2021

A 24 hour Jeopardy CTF

WEB

Easy

Opening the link redirects us to the homepage again.

Viewing the page source and searching for the flag format gets us the flag!

Guessing Game

The page seems to be down, so I can't take any screenshots, but the way to solve this challenge was to use the guess parameter and keep guessing numbers until you get the flag!

https://hacsecchalls.000webhostapp.com/chall1.php?guess=2809

Aladdin

When we open the website, it redirects us from 1.php to 17.php. So I created a one-liner command to get all the output.

# Fetch 1.php through 17.php, drop the HTML boilerplate lines, join the rest on one line
for i in {1..17}; do
  curl -s -k "https://aladinhacsec.herokuapp.com/$i.php" \
    | grep -Fv -e "head" -e "html" -e "title" -e "meta" -e "content" \
    | tr "\n" " "
done

The output looks like this

Decoding the Base64 gives us this

/genie.php grants anything that you "wish" for

Going to /genie.php, we found a site with a genie

Looking back at what we decoded from the Base64, there might be a parameter. Adding the wish parameter makes the genie grant us something

Let's ask for the flag >.<

Okay, now he asks for a key parameter? We experimented with the parameter, and here are the conditions

1. key must be numeric
2. key only accepts 3 numbers => 999 or 000
3. Input 999 (which could be the highest) gets us the output => Key lesser than lower bound

From this testing we found that by adding e, which denotes an exponent, we can get higher numbers. After a lot of tries, 1e4 is the answer.

My guess is that the logic behind it looks something like this

# 1e4 = 10000
key = float("1e4")  # the submitted string is evaluated as a number

if key < 10000:
    print("Key lesser than lower bound")
elif key > 10000:
    print("Key greater than upper bound")
else:
    print("FLAG")

Include

When we enter the site, we encounter this

Clicking the button shows one parameter with an output.

This looks like LFI? Since mrrobot did not have an extension, we guess that .php is appended by default. Let's try a PHP filter and see the result

?view=php://filter/convert.base64-encode/resource=/var/www/html/mrrobot

It works! It seems the file only echoes the sentence. Now let's try to read index.php

?view=php://filter/convert.base64-encode/resource=/var/www/html/index

We get this

From what we understand, a request has to fulfil these requirements

1. Get parameter view
2. Get parameter ext (if not set then default .php)
3. view parameter must not contain "../../"
4. view parameter must contain "/var/www/html"

Based on these conditions we managed to bypass this and tried to read robots.txt

?view=php://filter/convert.base64-encode/resource=/var/www/html/robots.txt&ext

We managed to get a new file

/Sup3r_S3cr3t.txt

Decoding the Base64 from that file, we got

I hid a flag in /etc/flag

Since we can't use ../../ and we must include /var/www/html in the parameter, we found a solution for that

?view=php://filter/convert.base64-encode/var/www/html/resource=/etc/flag&ext

And we got the flag!

HAC-SEC{L00ks_l1k3_1ts_n0t_th4t_S3cur3}
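
Why the substring checks failed, and what a fix looks like, as an added example that is not the challenge's code: index.php's source is not reproduced on this page, so weak_check() is reconstructed from the four conditions listed above, and safe_resolve() and the temp-directory web root are hypothetical. The hardened form takes a bare page name rather than a path.

```php
<?php
// Reconstructed from the write-up's conditions 3 and 4 (not the real index.php).
function weak_check(string $view): bool
{
    return strpos($view, '../../') === false          // must not contain "../../"
        && strpos($view, '/var/www/html') !== false;  // must contain the web root
}

// Hardened resolver (hypothetical helper): the parameter is a bare page name,
// never a path or URL, and the canonical result must stay inside $base.
function safe_resolve(string $view, string $base): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $view)) {
        return null;            // no "/", "." or ":" means no wrappers, no traversal
    }
    $root = realpath($base);
    $path = realpath($base . '/' . $view . '.php');   // extension fixed server-side
    if ($root === false || $path === false) {
        return null;            // base or file does not exist
    }
    // The canonical path must be a child of the canonical base (symlinks resolved).
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed web root in a temp directory so the demo runs offline.
$base = sys_get_temp_dir() . '/include_demo_' . getmypid();
mkdir($base);
file_put_contents($base . '/mrrobot.php', '<?php echo "hello friend";');

// The two php://filter values are the ones used in the write-up above.
$inputs = [
    'mrrobot',
    'php://filter/convert.base64-encode/resource=/var/www/html/index',
    'php://filter/convert.base64-encode/var/www/html/resource=/etc/flag',
];
foreach ($inputs as $view) {
    printf("%-68s weak=%-5s safe=%s\n", $view,
        var_export(weak_check($view), true),
        safe_resolve($view, $base) === null ? 'rejected' : 'allowed');
}

unlink($base . '/mrrobot.php');
rmdir($base);
```

Both filter strings pass weak_check() because the required substring can sit anywhere in the value, while safe_resolve() rejects them before any filesystem or stream call is made.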

CRYPTOGRAPHY

It is a lottt!

We are given one file with the following content

CyberChef identifies this as Base64; to get the flag we need to decode it numerous times.

Jadoo Got Old

We are given one image file with the following content

We tried searching for a few keywords, but "predator letters" gave us one result

Looking at some images we found this

Let's try to decode it and we get the flag!

HAC-SEC{I_am_n0t_alien}
