DEV Community: Michal Biesiada

CTF Writeup — Hackme CTF

Michal Biesiada — Wed, 15 Nov 2023 12:30:35 +0000

Hi All,

This time I want to present you CTF without time pressure — you can play it as long, as you want. 🎉

Referring to the Wayback Machine, it looks that first edition of this CTF was released on 2014. Now is 2023 so almost 10y later and it is still alive, so cool!

Captured flags — HackmeCTF, source: https://ctf.uw-team.org/

Text there is not written in English, but it’s not an issue for us — we can use many tools to translate the content (our goal is focused on the flags!).
Visiting the site https://ctf.uw-team.org/ we can get to know that flags are with FLG-XXXXXX format, and… flags can be everywhere! This should be enough for us. Uh, yeah, one more thing, the rules — please notice info that automated scanners are forbidden.

At first, visit mentioned before site of HackmeCTF: https://ctf.uw-team.org
We don’t need to register in, etc. It’s quite convenient in my opinion.
Please keep in mind that thanks to writeups many things looks obvious, but the best fun is just be a participant, so I encourage you to take a part!
There can be different ways to get the same flag in some cases. 🍀

This writeup will be more focused on the final results, on showing ‘winning ways’, because of respect your time — many flags to discuss here.
There are usually many lines of thought when solving — in short, you often don’t know at the beginning how you will ultimately get a specific flag. 🚩

[FLAG-1] Source code (warm-up)
Checking source code during CTF is mostly not a bad idea. Let’s check it!
CTRL+U -> CTRL+F: “FLG-”. Result:

Flag 1 — Source code — HackmeCTF

[FLAG-2] Cookies
Author/s said that can be everywhere, right? Let’s check the cookies.
F12 -> Application. Result:

Flag 2 — Cookies - HackmeCTF

[FLAG-3] HEXView
Below our form which is used for sending a captured flags, there is some possible interesting image “TOP SECRET”. Let’s take a look closer there.
RMB -> Open in new tab: https://ctf.uw-team.org/zerknij.gif
Hm, interesting. Why it’s with .gif format? What means the file name?
Meaning is “take a look”, OK. Some kind of a tip.
Download this file. Use some image viewer/editor, ie.: IrfanView.
Select ‘View’ tab from Menu -> ‘Show HEX view’. Result:

Flag 3 — HEXview — HackmeCTF

[FLAG-4] Robots.txt
Let’s check what we will get if type something like https://ctf.uw-team.org/flag Oh, 404 error site — “Not Found”, roger that.
So, let’s check robots.txt file. Result:

Flag 4 — robots.txt — HackmeCTF

[FLAG-5] Directory listing
Let’s play again with DevTools — quite useful tool, isn’t it?
F12 -> Sources tab -> images -> select some image -> RMB -> Open in new tab. For example: https://ctf.uw-team.org/images/body_bg.png OK, cool, body background:D Let’s check /images, so remove filename with extension — go to https://ctf.uw-team.org/images/ Some ‘unknown’ .txt file, we have to check it! Result:

Flag 5 — Directory listing — HackmeCTF

[FLAG-6] Admin
Wait a second, do you remember cookies table? Let’s back there for a while.
We are not logged in (even registered:D), why there is ‘admin’ cookie with value ‘0’? Let’s change this to value ‘1’. Refresh. Result:

Flag 6 — Admin cookie — HackmeCTF

[FLAG-7] XSS — Cross-site scripting
Quite funny moment from my point of view now. Already collected at least few flags, right? One of the golden rule is “Never trust user’s input”.
Enter XSS payload alert() to captured flags’ input. Result:

Flag 7 — XSS — HackmeCTF

[FLAG-8] Base64
A lot of fun. It’s time to use some of site tab. On the page https://ctf.uw-team.org/?page=kodowanie we can see:

2023–11–12 00:33 — RkxHLUJBU0U2NA==
2023–11–11 23:16 — dGVzdHVqZQ==
2023–11–10 22:33 — cmF6LCBkd2E=

It looks like Base64. Let’s check the content. DevTools -> Console -> use atob() function, so -> atob(‘RkxHLUJBU0U2NA==’). Result:

Flag 8 — Base64 — HackmeCTF

[FLAG-9] Parameter page=
Link for previous task was https://ctf.uw-team.org/?page=kodowanie
Check site behaviour for other parameter ‘?page=’ value, type at start ‘?page=qwe’. Result:

Flag 9 — param ?page= — HackmeCTF

[FLAG-10] CSS — 404err
Using DevTools, visit Sources tab -> style.css Result:

Flag 10 — CSS and 404err — HackmeCTF

[FLAG-11] Response header
Have you previously checked Network tab? Not yet? Good time is now!
DevTools -> Network tab -> refresh main site -> check Response Headers
Result:

Flag 11 — Response header — HackmeCTF

[FLAG-12] SQLi — SQLite Injection
Payload:

' or 1=1 -- true

So, finally: https://ctf.uw-team.org/?page=newsy&kod=%27%20or%201=1%20--%20true
Result:

Flag 12 — SQLi — HackmeCTF

Last flag is for you, please share your solutions! Tip: it is connected with ‘Redirection’ challenge.

I hope you enjoy! 🍀

Sources — HackmeCTF: https://ctf.uw-team.org/
Note: Originally published on Medium

Best wishes,

CTF Writeup — pingCTF 2021 — Steganography

Michal Biesiada — Wed, 15 Nov 2023 12:08:23 +0000

Hi All,

I was wondering whether to write this article for a while. Why? Because it’s from almost two years ago and in general it’s quite easy (if you know what is going on). Moreover, this time I don’t have to many resources for you…

But, I decided to show you this Challenge, because it’s quite interesting and can be in different forms (keypoint). So I hope it will be useful for you at all. 🎉

First, please keep in mind that there wasn’t any info about keyword here — Steganography. Next, the task/challenge is from pingCTF 2021 (2021-12–19), online form. More info: https://ctftime.org/team/147266/ and https://ctf.knping.pl/ctf

Challenge name: Colors

Description is like here:

Image 1 - pingCTF 2021 — Colors, source: https://ctf.knping.pl/ctf

So, how to say, not so many tips:D but we can see that we have to download some .bmp file. Then, analyze it. ✨

Quick intro: “The BMP file format or bitmap, is a raster graphics image file format used to store bitmap digital images (…)”, source: https://en.wikipedia.org/wiki/BMP_file_format

But, what is ‘Steganography’?

is the practice of representing information within another message or physical object, in such a manner that the presence of the information is not evident to human inspection. In computing/electronic contexts, a computer file, message, image, or video is concealed within another file, message, image, or video.
Source: https://en.wikipedia.org/wiki/Steganography

We can not see any connected with challenge site, all what we have is some file (image).

Let’s take a look there! Result:

Image 2 - pingCTF 2021 — colors.bmp file

My first approach was checking metadata (there you can see usually many interesting things) and how it looks with HEX representation and so on, if I’m not mistaken. That was waste of time (this time)…

Then, I decided to make some of simple changes with mentioned file — changing brightness, contrast and similar. No result.

I decided to use ‘reverse the colors’ feature (using Gimp software) — yeah, the flag is there! 🚩 Result:

Image 3 - pingCTF 2021 — Colors challenge — flag

Quite interesting — as mentioned above/before — the flag was there all the time. The point is, I could not see this. Making changes — visually I can grap the flag finally.

If you will be more familiar with ‘Steganography’ topic — it’s really interesting in my opinion. As mentioned above — it can be connected with music file, with .pcap and other and other.

I hope you enjoy! 🍀

Note: Originally published on Medium

Best wishes,

CTF Writeup — Fetch the Flag CTF 2023 — Unhackable Andy

Michal Biesiada — Wed, 15 Nov 2023 11:55:24 +0000

Hi All,

It is connected with OSINT at start, and Command Injection at the end. ✨

Description of the challenge: “Someone might want to let ol’ Andy know the old addage — pride goeth before the fall.” — source: https://snyk.ctf.games/challenges — Unhackable Andy

That’s all. Now we have to visit some site: http://challenge.ctf.games:30900/

Site is quite simply. There are two options — Home and Login.

Referring to my last notices: CTRL+U & F12 are clear. 🎉

‘Home’ gives the same site of course, ‘Login’ gives Login panel. At the main site there is pinned GH GitHub profile of mentioned creator (“Unhackable Andy”; by the way, text there is quite funny — great job!). Let’s take a look there. https://github.com/UnhackableAndy

There we can see two repos: ‘my-awesome-site’ and ‘my-other-awesome-site’.
Interesting, right? We even don’t have to fork or clone this — just using features from GitHub — please check Git History.

If you dig deeper there, you will know that mentioned actor made some mistake. We can see this here https://github.com/unhackableandy/my-awesome-site/commit/d4d664824980d04de78b6aa114f3bac6e27d59d8

Image 1 - Fetch the Flag CTF 2023 — Unhackable Andy — GitHub repo

So we can see credentials. Large security issue by Unhackable Andy.

Let’s check this on actor’s site — it works fine, logged in. ✔

Here, the site is also quite simple. Endpoint /logout works like we suppose (logging out). No more interesting features there.

Image 2 - Fetch the Flag CTF 2023 — Unhackable Andy — site

But we can see that command ‘shutdown -r’ and btn Submit.

What if we type there something else? Is is protected? Is it safe?

Please use there: ls (https://en.wikipedia.org/wiki/Ls)
Result:

Image 3 - Fetch the Flag CTF 2023 — Unhackable Andy — site — Command Injection

We are so close! * Now please just use “cat” https://en.wikipedia.org/wiki/Cat_(Unix)
so ‘cat flag.txt’:

Result — the flag:

Image 4 - Fetch the Flag CTF 2023 — Unhackable Andy — site — Command Injection

Funny fact, this flag was achieved in literally the LAST MINUTE before the end. So exciting! 🚀

I hope you enjoy! 🍀

Note: Originally published on Medium

Best wishes,

I’ve completed the Hacktoberfest challenge!

Michal Biesiada — Sun, 18 Oct 2020 19:33:08 +0000

What I Learned From Hacktoberfest

Highly recommended to everyone! Great experience & event! 🎉🎉