Al Capwn: Evlz CTF 20190202-20190203

I recently heard of the Evlz CTF from a reddit post in /r/securityCTF by u/coffee-loop. The CTF is put on by Al Capwn, a collaboration of Indian college CTF players with members from eavesdroppers, UPES, and Amrita University. 


Holy macaroni did this competition blow me away! There were so many quality challenges I can't believe it was limited to less than 48 hours. I only had about 6 hours between Saturday and Sunday to put towards the challenges so I was only able to get a few of the "easy" ones.

They had multiple challenges for each of the following categories:
  • Sanity
  • Misc
  • Crypto
  • Forensics
  • Web
  • Pwn
  • Reverse
I have write ups for the Sanity challenges as well as two of the Misc challenges.

Let's get started:

Sanity Check 1

1 point, simply enter the flag that was set for the ctf channel in the evlzctf slack workspace.
evlz{I_pledge_to_play_fair_and_I_promise_to_not_attack_the_infrastructure}ctf

Sanity Check 2

50 points. This challenge provided a link to the following QR code:


I scanned the code and obtained the following link: https://www31.zippyshare.com/v/09nlhIKo/file.html
(Warning - this website causes cancer)

The zippyshare website was full of fake download buttons and pornographic popups. However, if you hovered your mouse over the download button above the "Advertisement" section, you could copy this link to download flag.zip: https://www31.zippyshare.com/d/09nlhIKo/384/flag.zip

The zip file was password protected.

Here's how I solved this one:

[1] # zip2john flag.zip > ziphash

[2] # john --wordlist=/usr/share/wordlists/rockyou.txt ziphash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!!!0mc3t         (flag.zip/flag.txt)
1g 0:00:00:01 DONE (2019-02-03 13:55) 0.6134g/s 8798Kp/s 8798Kc/s 8798KC/s !!rebound!!..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed

As seen in the output above, !!!0mc3t was the password. 
I then unzipped the flag.txt file and that's where I found the following string:
652076206c207a207b207320302075206e2064205f20302066205f206d2075203520692063207d206320742066

I took a lazy approach to this part of the challenge: I sent it to CyberChef and used "Magic" to decode the string. Magic used From Hex to convert the string and reveal the flag:
e v l z { s 0 u n d _ 0 f _ m u 5 i c } c t f

I manually removed the spaces and submitted the flag.

Don't Blink

This challenge was an animated gif that flashed small lines and color blotches as it looped. I figured I'd need to piece each frame together in order to see the complete image. I loaded the gif into GIMP and found that the backgrounds were solid white, so I couldn't simply merge them.

I did a bit of googling and found a command that would change the white background in each frame to transparent:
# convert persistant.gif -transparent white result.gif

I then opened up result.gif with gimp and got the flag:


This one was 100 points.

Jail

I didn't solve this challenge while the CTF was open, so I didn't receive the 290 points it was worth at the time. I ended up chatting with Stroppa (no relation) about this one after the event ended, and they set me straight with my redirects, which was key to solving this one. Anyway, I forgot to document what I did for the 100 point WeTheUsers web app challenge, so I'm going to call it even and post this writeup instead.

This challenge had you ssh to a box with a specific user, password, and port combination.

When connected, you were in a restricted shell that simply prompted you with "Your input:"

I entered /bin/bash as my input, which dropped me to a quasi-usable shell. What made this a real challenge for me was the extremely limited set of commands you could run, and the fact that all command output was not sent to standard out.

Tab completion helped me find the file that contained the flag, and ultimately, redirecting standard out to standard error got me the flag. Here are the commands that I used to solve this one:

Your input:
/bin/bash
bash-4.3$ ls
bash: ls: command not found
bash-4.3$ cd /home/u1/                #note: tab completion output seen below this line
.bash_profile Desktop/ Music/ Videos/ flag.txt
.bashrc Documents/ Pictures/ bin/ programs/
bash-4.3$ echo "$(</home/u1/flag.txt)"
bash-4.3$ echo "$(</home/u1/flag.txt)" 1>&2
Pass: evlz{0ut_0f_ech0}ctf
bash-4.3$
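
Why the second echo printed and the first did not, as an added example that is not part of the original challenge or post: a wrapper that discards only stdout still leaves stderr attached to the session. The wrapper names jail_stdout_only and jail_all_fds and the sample flag are assumptions made up for this reproduction; the challenge's real wrapper is not shown on the page.

```bash
#!/usr/bin/env bash
# Constructed reproduction of the behaviour seen in the transcript above.
# jail_stdout_only / jail_all_fds are hypothetical stand-ins for the jail.

FLAG_FILE="$(mktemp)"
trap 'rm -f "$FLAG_FILE"' EXIT
echo 'Pass: evlz{constructed_sample}ctf' > "$FLAG_FILE"   # constructed sample data

# Weak wrapper: only stdout is discarded.
# "2>&1 >/dev/null" first points fd 2 at the caller, then drops fd 1.
jail_stdout_only() {
  bash -c "$1" 2>&1 >/dev/null
}

# Stricter wrapper: stdout and stderr are both discarded.
jail_all_fds() {
  bash -c "$1" >/dev/null 2>&1
}

# The two commands from the transcript, pointed at the sample file.
plain="echo \"\$(<$FLAG_FILE)\""     # builtin echo writes to fd 1
redirected="$plain 1>&2"             # fd 1 duplicated from fd 2 for this command

out_plain="$(jail_stdout_only "$plain")"
out_redirected="$(jail_stdout_only "$redirected")"
out_strict="$(jail_all_fds "$redirected")"

printf 'stdout-only jail, plain echo : [%s]\n' "$out_plain"
printf 'stdout-only jail, echo 1>&2  : [%s]\n' "$out_redirected"
printf 'all-fds jail,     echo 1>&2  : [%s]\n' "$out_strict"
```

In both wrappers the file is still read successfully; only the visibility of the output changes, so the control that decides the outcome is the read permission on the file, not the output plumbing.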


I have some other notes on partially solved challenges, but I don't feel they are worth posting at this point. For instance, if anyone knows what to do with this:

Goddamnit Mark! Learn how to type you f00l

rollllllin about an axis boi

    +/*386-112

I'd love to hear about it!  I found this text by following the link to a pastebin site that I found in a file that I pulled out of an image using steghide and a password I found using strings. Apparently what I posted there was 1 of 6 challenges. #humbled

This competition was pretty amazing. I wish I had the team together in a room to hack on this one, and I'm definitely going to be watching for what these folks do in the future.

-strupo_
