Arkavidia 5 CTF

4 minute read Published:

Arkavidia 5 CTF

These are write-ups for some of the challenges that I solved during the Quals. Also, huge thanks to my teammates @bungamaku and @crosscheese for inviting me to join in their team.

Reverse Engineering

Sanca

We were given a .pyc file, sanca.pyc. This is a straightforward RE challenge, the program will output “Correct!” if we enter the correct flag. I used uncompyle6 to decompile the .pyc.

With python’s handy assignment, We could just turn all the string conditionals into list assignments.

#!/usr/bin/env python
data = raw_input('Flag:')
data = list('Arkav5{                    }')  # The initial list with len 28
data[-2] = 'n'
data[10] = '3'
data[::-2] = list('_otp5ar}3l3333')
data[::-3] = list('_hpvrtls3r')
data[::-5] = list('_yat3v')
data[::-7] = list('_{}s')
data[::4] = list('rr_tk{h')
data[::7] = list('r3Ap')

print ''.join(data)

This gave us r3v3r3s3_l33t}Arkav5{python_, which was a pretty good approximation to our desired flag.

Flag: Arkav5{python_r3v3rs3_l33t}

Forensics

YaQueen

We were given a .jpg file, YaQueen.jpg. This file looked like a normal jpg, but after a little inspection using binwalk revealed that the image file also had a zip file. The zip file contained 625 other jpgs, each with 11x11 size and either white or black color.

We could quickly deduce that these images might have been a QR code or some sort. So I wrote a little python script that will print empty space or ascii block character in my terminal based on the color numbered images.

#!/usr/bin/env python3
from PIL import Image

data = []
for i in range(1, 626):
    im = Image.open("data/um_%d.jpg" % i)
    fr = im.load()

    temp =fr[1,1][0]
    data.append(temp // 255)

    # do something to im

print(u'██' * 27)
for i in range(25):
    print(u'██', end='')
    for j in range(25):
        print(u'██' if data[i * 25 + j] else '  ', end='')
    else:
        print(u'██')
print(u'██' * 27)

I also needed to place a few padding here and there so that the printed characters will be recognizable by online QR code reader. It also depends on your terminal emulator settings how nice the final rendered version will be.

Output was:

██████████████████████████████████████████████████████
██              ████  ████████  ██  ██              ██
██  ██████████  ██    ██    ██      ██  ██████████  ██
██  ██      ██  ████      ████    ████  ██      ██  ██
██  ██      ██  ██    ██  ██        ██  ██      ██  ██
██  ██      ██  ██████  ██  ████    ██  ██      ██  ██
██  ██████████  ██  ██  ██████      ██  ██████████  ██
██              ██  ██  ██  ██  ██  ██              ██
██████████████████████████  ██    ████████████████████
██          ██          ██        ██  ██  ██  ██  ████
████          ██      ████████████        ██    ██████
██  ██████████  ██    ██    ██      ██      ██      ██
██████████  ████          ████    ██    ██████████████
██████  ████      ██  ██        ██      ██      ██  ██
██  ████  ██  ██    ██  ██  ████      ██  ██  ██  ████
██  ██      ██    ██    ██████    ██      ██████    ██
██  ██████  ██████      ██████  ██          ████    ██
██  ████  ██    ████████  ██    ██          ██  ██  ██
██████████████████    ██  ██████    ██████  ██████  ██
██              ██  ██  ██████  ██  ██  ██          ██
██  ██████████  ████  ██  ████  ██  ██████    ████████
██  ██      ██  ██  ████  ██                ██  ██████
██  ██      ██  ██    ██████  ██████    ████████    ██
██  ██      ██  ██    ██████    ████████  ████████  ██
██  ██████████  ██    ██  ██████            ██████  ██
██              ██  ████  ████  ████    ██  ██      ██
██████████████████████████████████████████████████████

Flag: Arkav5{McQueenYaQueeeen___}

Web

Fancafe

We were given the source code of web service running in http://18.223.125.143:10011/, fancafe.zip. The source code contained:

.
├── app
│   └── web
│       └── main.go
├── database
│   ├── database.go
│   └── mysql.go
├── entity
│   ├── entity.go
│   └── post.go
├── fancafe.go
├── handler
│   ├── handler.go
│   └── home.go
├── service
│   ├── post.go
│   └── service.go
└── view
    └── home.html

7 directories, 11 files

The most interesting part of the source code is the Search function.

func (p *PostService) Search(keyword string) ([]entity.Post, error) {
    // We only support one keyword at the moment
    keyword = strings.Fields(keyword)[0]
    query := "SELECT * FROM posts WHERE is_deleted = false AND content LIKE '%" + keyword + "%'"
    log.Println(query)
    posts := []entity.Post{}
    err := database.MySQL.Select(&posts, query)
    if err != nil {
        return nil, err
    }
    return posts, nil
}

We could see that the only filter/escaping here was to only allow a single keyword from the search field. To execute our injection we need to compose our payload without using whitespace character, therefore we can use inline comment instead such as /**/ to bypass the strings.Fields() function.

payload:

%'/**/OR/**/is_deleted/**/=/**/true;#

Flag: Arkav5{SQLi_adalah_jalan_ninjaku}

Misc

geet

We were given a zip file, geet.zip. As the name suggest the zip file contained a git repository containing a file called flag. But, that will be too easy, right? Another thing to note was that the commit history even numbered 731 commits. We can use simple bash command to search through all commit history;

$ for i in {1..731}; git diff HEAD~$i >> out
$ cat out | grep Arkav5{

Flag: Arkav5{git_s4ve_y0uR_h1st0ri3s}