# nCTF | CyVIT 2021 0x3

CyVIT, part of annual CyVIT Conclave, was a 12 hour overnight CTF hosted by Cyber Security and Digital Forensics Division of Vellore Institute of Technology, Bhopal.

Our Team :- 1MP3N3TR4BL3
Members:-
Vinayak Agrawal, Rishabh Rai

We solved:

# Algo Breaker

Pretty straightforward huh… A get parameter “number” is accepting the string of length greater than 6 whose value is between 90000- 99999.
So it’s simple answer can be 0090001 (choose any number number between range and place 0 before that to meet the length requirement).

# Message Uou

Here, a simple morse code is given
“-.-. -. — …- .. — -.-. — — -. — . .-. .- — ..- .-.. .- — .. — — -. … — .. — — .- ..- . … — .. — — -. -.-. .-.. . .- .-. . -..”
Let’s decode it using CyberChef .

cyvit{congratulations,questioncleared}

# Origin Checker

Interesting, password is given in some encoded format. Looks like base64, decode it using cyberchef.
Yay! got it

Login with the credentials and you will get the flag.

# NOCAB can solve this

00010 10110 10011 01000 10010 00010 01101 01100 00110 10000 00000 10010 10011 01010 00000 10010 01000 01101 01100 10001 01111 10011 00100 10001 10010 01000 01101 01100 00010 01010 00100 00000 10000 00100 00011

Hmm… initially I thought it was binary but it wasn’t.
I copied the string in CyberChef and its magic feature decoded it from BACON

cyvit{congratulationsquestioncleared}

# Let Inspect

Scan it to get the flag. cyvit{y0u_4r3_sm4r7}

# PYVERS

Okay, so this challenge contained two files. One txt file and one python script.

Output.txt

`alphabet = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j','k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z']def shift(offset):    message = input("Input Message You Would Like Encrypted:\n")    new_message = ''    for letter in message:        letter = letter.lower() #doesn't handle upper-case yet        if letter.isalpha():            shift_pos = alphabet.index(letter) + offset            new_pos = alphabet[shift_pos]            new_message += new_pos        #these will not be shifted        elif ' ' or '/t' or '/n' in letter:             new_message += letter        elif letter.isnumeric():             new_message += letter        else:            print("An error took place in recording the message. Check input.\n")    print(new_message)shift(-1)`

Notice the shift function. Looks like it will shift the letters provided in input by 1 place. Run the program and input the content of output.txt. Okay that was not the answer. Change the value of shift(-1) to shift(-25)and run the program. Also you can decode it using any Caesar Cipher decoder tool.

# VIT VIT VIT

xgodb{Vjvzmimpttoqhia, jpmloqhi kezikzl}
Analyze with cipher analyzer tool, boxentriq.

Okay so its Vigenere Cipher. Let’s try to decode it using VIT as key.

Yay!!!, Got the flag.

# INVESTIGATE

So here we are given a image of a car’s number plate and we need to find registration date of car. Woooo CarOSINT…

Nothing much to do. You can visit vahan.nic.in and check the details of number plate.

cyvit{29-NOV-2006}

# FindME

Okay another OSINT. So we have a name Tuhin Bose also known as tuhin1729. We need to find a post in his social accounts which he posted on 2nd Sept 2021, which contains the flag.

7H95N81C9FTAQN9KS8JY82T9:H9\$09P0

Time to search in this accounts. Luckily, found the flag in 1st search result itself, i.e., his Instagram account.

okay its in base64 format. PS: this meme😂😂😂.

# XCoupon

It was a good one too. Navigating to the chall link.

Okay we know the username is admin. Same thing first we will check source code if anything important is given there. Guess what we can find password there.

Blehhh!!!😑😑😑

Okay we need to find correct token to see the flag… how to get it???
Amm… let’s see if any other scripts are there… Okay so we can see a main.js file which contains token at the end.

var token=”1_4m_4n_3mpl0y33”.
Cool let’s change the value of token to the one we found in main.js.

# TRICKY TRACK

Here on navigating to the challenge link, the first website redirects us to https://vitbhopal.ac.in within few seconds.

Have a look at source code.

So for this I used curl to check the request headers. And guess what SET-Cookie option was having the flag.

cyvit{you_fReker_FinD_Me}

# XFILE

https://pastebin.com/raw/SmbwqGsH

Okay we are provided with a pastebin link. But it has been deleted.

One thing we can do here is to checked the archive version of the URL using our waybackmachine .

Now decode the string using CyberChef .

# CORRUPT SIGN

In this challenge we were given a .iso file . I checked the file using strings command.

You can notice the red part. These are the PNG chunk files. It means the given file contains image data but its file signature is changed into iso. So we will change the file headers back to png. You can use hexeditor in kali or an online tool.

┌──(root💀kali)-[~/Desktop]
└─# hexeditor e7667002-f1b2–41a1–89a1–26c10c9941e0-source.iso

Save the file with .png extension. Now open the png file, you will get the flag.

# COMBO6

In the chall link there are 6 more challenges. Each chall contains the flag in parts, adding them will give our final flag.

STRCMP v1.0

Here, the comparison of the password parameter and the flag is being performed with a double operator. To bypass this we would add [] this in front of password parameter in the captured request.

That’s how we get our first part of the flag: cyvit{A1Dm_

STRCMP v2.0

This is a little trickier than v1.0. In this, each element is compared, so we will have to make a payload for each element (11 in quantity).

This is how you can capture the request and put your payload and send it to get the 6th part of the flag: _bPass3OTP}

Crack The Hash

It was a pretty easy one, just had to decrypt a md5 hash and put it in the password box and collect the flag. Use any online md5 decrypting tool or john/hashcat to break the hash.

That’s how we got the 3rd part of the flag: _XcbF23

Magic?

In this part we have to use a flaw in md5 algorithm which is, two different strings can have same md5 hash and upon searching same md5 hash for 2406107… you will find one very easily. Put it as the password and you will get pass this challenge.

Now we have 4th part of the flag as well: _M3zIk

# Lucky numbers

In this challenge we have to enter a no. greater than 6 digit but in range (90000–99999) we can do it by 2 ways. Either putting a dot in between and making the number decimal or by putting zeros in front of the number. As dots are already filtered we will go with zero in the front. So our payload could be 0090005, it should work fine.

Voilà, we have the 5th part of the flag: _n3RiK

# Bypass like a 1337

By, looking at the code we can see that there is extract function used here which can be exploited. And after researching i found out that extract can be used to change the value of a defined parameter so here is what we did. We intercepted the request and …..

and used the payload “password=abcd&otpcode=abcd” to get the flag and the 2nd part of the flag: B3pAss

FINALLY, COMBO6 is finished and all sums up to become one big flag: cyvit{A1Dm_B3pAss_XcbF23_M3zIk_n3RiK_bPass3OTP}

This CTF was a lot of fun and we learned a lot of new things. With this blog we want the people who couldn’t take part in this CTF to learn the same things. 😃

HAVE FUN HACKING!!! 🥳