CTF at Wingify 2021

https://res.cloudinary.com/shauryakalia/image/upload/v1656849165/CTF2021/Screenshot_2022-06-24_at_3.08.09_AM_s31rpf.png

The engineering team at Wingify organizes a Capture The Flag event every year, where the whole team divides into groups of three and solves challenging problems in a race to the top.

In case you’re wondering, Capture the flag AKA CTF is a cybersecurity competition where the participants play hacker games or challenges to find hidden flags by either hacking, finding vulnerabilities, or solving codes legally and safely. It is a place where we can learn what happens when things are implemented improperly and protect ourselves. Generally, CTF is played as a team game.

There are mainly three types of CTF:

1. Jeopardy - Solve as many challenges as you can in a given amount of time. In Jeopardy, the challenges are presented in unique and intriguing ways and can be solved using networking, programming, applications, mobile, forensics, reverse engineering, and cryptography.
2. Attack-Defense - Attack a server to find the flag while denying access to your competitors. Your team has to do two tasks together: attack the system by breaking through the server's defenses and the defenses made by other competitors, and create fortifications so that your competitors can’t get through.
3. The third type is a combination of both Jeopardy and Attack-Defense.

Our iteration of CTF was a 3-hour event organized in a Jeopardy-style format. Participants worked in groups of up to 3 to solve multiple challenges. Each challenge had a flag with the format flag{congr4tzy0ufound_1t}.

The problems were divided into three categories:

1. Easy - 500 pts
2. Medium - 1000 pts
3. Hard - 1500 pts

The team that completed a challenge first was awarded additional points, and as each further team solved that challenge, the value of these extra points decreased.

Hints were available but would cost some points based on the level of difficulty.

My team StrikeTeamAlpha came in fifth position at the end, so I am writing about the problems that we were able to solve here.

#1 Spain - FOCUS!!

A Russian hacker left us something that allows us to track him in this image, can you find it?

https://res.cloudinary.com/shauryakalia/image/upload/v1656848928/CTF2021/spain_question_ypc9wa.png

SOLUTION

In this challenge, we get an image. A pitch-black image. So, it is a case of image steganography, but of what kind? There are so many ways to hide a message in an image that you can’t have a set of methods to look into to decode the message. We edited the image using a photo editing tool: on https://www.befunky.com/, we changed the exposure by maxing the brightness and reducing the contrast, and we found:

https://res.cloudinary.com/shauryakalia/image/upload/v1656848928/CTF2021/spain_solution_mkemld.png

#2 Brazil - I heard you are good at breaking codes, can you crack this ciphertext?

7=28LG<uI3AG'="~FCC%(;"C&N

SOLUTION

To crack this ciphertext, we first have to identify the cipher. Using https://www.dcode.fr/cipher-identifier, we found a list of possible ciphers. We decided to try each one of them one by one.

1. ASCII85 - has invalid characters
2. Substitution Cipher - not possible without a dictionary
3. ROT47 gave us the right flag{vkFxbpvVlQOurrTWjQrU}

#3 Australia - Hey Ninja Hattori!

Can you use your ninja skills to hack this website?

Link: http://138...*:6142/home?name=Hattori

SOLUTION

The link provided in the problem has something to do with the query param name; the value passed in the query param was being printed on the served HTML.

We tried putting values like CTF, flag, ctf_flag in the query param, and obviously, they did not work.

It looked like a case of Server-Side Includes (SSI) Injection as the param was being executed at the server when we tried passing the value inside double braces like {{34-12}}. We got some direction here. We looked for the server/templating engine in use by checking the network requests and found the server was Python-based Werkzeug.

We looked for various possible exploits to access the server. We were able to print all the environment variables using {{request.environ}}, but the flag was not found there. Finally, after multiple tries, we found that the app config could also be printed using {{config.items()}} and the flag{hzATagZTDGVvBpAwKKwz} was hidden there.
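Evaluation of `{{34-12}}` and a printable `{{config.items()}}` are what a Jinja2-style engine produces when request input is concatenated into the template source (server-side template injection). The sketch below is an added example, not the challenge's code, and puts that pattern beside the fixed one. It assumes the `jinja2` package; `APP_CONFIG` is constructed and the function names are hypothetical.

```python
from jinja2 import Environment

env = Environment(autoescape=True)

# Constructed stand-in for the application's config object.
APP_CONFIG = {"DEBUG": False, "FLAG": "flag{constructed_example}"}


def greet_vulnerable(name):
    """Input becomes part of the template source, so {{ ... }} inside it is evaluated."""
    template = env.from_string("<h1>Hello " + name + "</h1>")
    return template.render(config=APP_CONFIG)


def greet_fixed(name):
    """The template source is constant; input is passed only as a variable."""
    template = env.from_string("<h1>Hello {{ name }}</h1>")
    return template.render(name=name, config=APP_CONFIG)


def evaluates_input(render):
    """Regression check: does this handler evaluate template syntax in its input?"""
    out = render("{{34-12}}")
    return "22" in out and "34-12" not in out


if __name__ == "__main__":
    for handler in (greet_vulnerable, greet_fixed):
        print(handler.__name__, "evaluates input:", evaluates_input(handler))
        print("  ", handler("{{config.items()}}"))
```

The same rule applies to Flask's `render_template_string`: keep the template text constant and pass request values as keyword arguments.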

#4 Egypt - Can you crack this flawless Zig-Zag ciphertext?

pXgf{lxt7gwleS8NICxac30}6R

SOLUTION

It was a simple one for us. We looked for multiple zig-zag ciphers that were available and tried them all. We tried the https://www.dcode.fr/cipher-identifier cipher identifier here. Rail fence cipher was a suggestion (though a bit below in the list), but it was named Zig-zag, so we gave it a try. We used this decoder https://www.dcode.fr/rail-fence-cipher and a quick CMD+F on the page directly led us to the flag{wexcXlgSC3Rpx78I06tN}
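The try-each-candidate approach used for #2 Brazil and #4 Egypt can be scripted: the added example below (not part of the event or of dcode) runs ROT47, ASCII85 and every rail-fence layout over a string and keeps the outputs containing a flag. The names `triage` and `phase` are this example's own; here the Egypt string yields the flag at 5 rails with the zig-zag started 5 steps in and read rail by rail.

```python
import base64
import re

FLAG_RE = re.compile(r"flag\{[^{}]+\}")

def rot47(text):
    """Rotate printable ASCII '!'..'~' by 47 places; ROT47 is its own inverse."""
    return "".join(
        chr(33 + (ord(ch) - 33 + 47) % 94) if 33 <= ord(ch) <= 126 else ch
        for ch in text
    )

def zigzag_rows(length, rails, phase):
    """Rail index visited at each step of the zig-zag, starting `phase` steps in."""
    period = 2 * (rails - 1)
    steps = ((i + phase) % period for i in range(length))
    return [s if s < rails else period - s for s in steps]

def rail_fence_candidates(text):
    """Yield (label, output) for every rails/phase pair, in both directions."""
    n = len(text)
    for rails in range(2, n):
        for phase in range(2 * (rails - 1)):
            rows = zigzag_rows(n, rails, phase)
            order = sorted(range(n), key=lambda i: rows[i])  # stable: rail by rail
            by_rows = "".join(text[i] for i in order)
            along = [""] * n
            for ch, i in zip(text, order):
                along[i] = ch
            yield f"rails={rails} phase={phase} read-by-rows", by_rows
            yield f"rails={rails} phase={phase} read-along-zigzag", "".join(along)

def triage(ciphertext):
    """Return [(method, flag)] for each candidate decoding that contains a flag."""
    candidates = [("rot47", rot47(ciphertext))]
    try:
        decoded = base64.a85decode(ciphertext).decode("ascii", "replace")
        candidates.append(("ascii85", decoded))
    except ValueError:
        pass  # characters outside the Ascii85 alphabet, as the write-up found
    candidates.extend(rail_fence_candidates(ciphertext))
    found = ((method, FLAG_RE.search(out)) for method, out in candidates)
    return [(method, m.group()) for method, m in found if m]

if __name__ == "__main__":
    for sample in ('7=28LG<uI3AG\'="~FCC%(;"C&N', "pXgf{lxt7gwleS8NICxac30}6R"):
        print(sample, "->", triage(sample))
```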

#5 Congo - Find the weakest password in this log file

You know the drill!! Crack the hashes and capture the flag!

Link 1: http://138...*:10007/system/login.php?username=name&password=password

Link 2: https://drive.google.com/file/d/1QI6BVM5UCPrICNpBJX2p-q0LA8-GSLHV/view

SOLUTION

The question seemed very straightforward, and we thought of following what it asked. The first link just needed the correct username and password combination. The log file shared was huge. It had around 200 usernames and hashes.

We quickly did some VS Code keyboard shortcut sorcery to extract only the hashes out of the big log file, nicely sorted and separated by a newline. We started looking for websites where we could find dictionaries of already cracked hashes. We tried multiple websites, but none of them allowed us to bulk post hashes, and we had 200 of them to try. Fortunately, we found CrackStation.net accepted 20 hashes at once, and we thought of giving it a try. Initially, none of them worked. We had already tried 120 and were losing hope, but the next batch of 120-140 had a vulnerable hash and we found the password.

Final Link: http://138...*:10007/system/login.php?username=wscott83&password=Password1983

It worked flawlessly, and we found our flag{NwcQbRSfUXEJ3Dhz13K9}

#6 USA - Are you good at reverse engineering?

Can you help us recover the flag from this APK file?

Link: https://drive.google.com/file/d/1PwJg6M-74upIH50TaMdf5kFWj4ZXjlpb/view

SOLUTION

This challenge had a link to an APK file, and we had to reverse engineer it to find the flag.

First, we tried to unzip the APK file to check for any strings in the APK files but unzipping the APK files didn’t help much as most of the unzipped files were binary.

Then we tried a tool to reverse engineer the APK. The tool we used was Apktool. This tool helped in decoding the APK, and the entire code of the APK was available. The next thing we did was to search for any familiar strings in the APK. A simple “flag” string search led us to a URL as seen below:

https://res.cloudinary.com/shauryakalia/image/upload/v1656848928/CTF2021/usa_1_m54gx0.png

We tried a simple GET call to this URL, but it failed. After more debugging, we found that we needed to send a username and password in the request body to fetch the flag. A simple “password” string search revealed an XML file where the username and password values were defined:

https://res.cloudinary.com/shauryakalia/image/upload/v1656848928/CTF2021/usa_2_vyginl.png

The final step was to send the username and password in the request body to the URL revealed in the first screenshot, and it returned the flag{TVbTVuKnKLonxWaKAEmb}
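The weakness this challenge relied on, credentials shipped as string resources, can be checked for before release by scanning the decoded output of Apktool. The scanner below is an added example, not code from the challenge; the resource names, values and the name heuristic are constructed, and `res/values/strings.xml` is assumed as the location, since the write-up does not name the file.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Resource names that suggest a credential (heuristic chosen for this example).
SENSITIVE = re.compile(r"passw(or)?d|secret|token|api[_-]?key|username", re.I)

# Constructed sample of what a decoded res/values/strings.xml might contain.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Demo</string>
    <string name="api_username">demo-user</string>
    <string name="api_password">demo-pass-123</string>
    <string name="flag_endpoint">http://example.invalid/api/flag</string>
</resources>
"""

def scan_decoded_apk(root):
    """Return sorted (file, resource name, value) for credential-like string resources."""
    root = Path(root)
    findings = []
    for xml_file in root.rglob("*.xml"):
        try:
            doc = ET.parse(xml_file)
        except ET.ParseError:
            continue  # skip anything that is not well-formed XML
        for el in doc.iter("string"):
            name = el.get("name", "")
            value = (el.text or "").strip()
            # @string/... values are references to other resources, not literals
            if SENSITIVE.search(name) and value and not value.startswith("@"):
                findings.append((xml_file.relative_to(root).as_posix(), name, value))
    return sorted(findings)

def demo():
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        values = Path(tmp, "res", "values")
        values.mkdir(parents=True)
        (values / "strings.xml").write_text(SAMPLE_STRINGS_XML, encoding="utf-8")
        return scan_decoded_apk(tmp)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Any finding means the value is readable by anyone who downloads the app, so the server must not treat it as a secret.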

Conclusion

https://res.cloudinary.com/shauryakalia/image/upload/v1656848929/CTF2021/result_1_uolbhg.png

https://res.cloudinary.com/shauryakalia/image/upload/v1656848928/CTF2021/result_2_d3jogg.png

CTF 2k21 at Wingify was an amazing experience and a great chance for learning. Competing with the whole engineering team with time running against us was exhilarating. In the end, as a team of SDE 2s competing with the best in the organization, we ended up in fifth position. Solving challenges has become our second nature, so it was fun to solve challenges in a new way with a competition to win, and the adrenaline rush as we went through each puzzle was very exciting.

Everyone at Wingify enjoyed it, even in the remote setup. The COVID care half-day off after the event made it a Friday well spent and a kick start to a great weekend.

Stay safe and stay home!
