
SSTC Writeups

These are ‘quick’ write-ups for SSTF challenges. I am sorry I don’t have a lot of time for a good write-up, but I want to share the solutions with you.

 

Crypt1

Basically, we have a cipher that we need to decrypt, and we have the encryption function. Most of the operations in the encryption are reversible. The only missing part is the “secret” key. The function uses XOR encryption. We know the flag starts with “SSCTF{”, so we can use these 6 chars to get the first 6 chars of the key. We will have 2 chars left, which we can basically brute-force or work smartly to get these two values. I will leave you with the code that solved the challenge 🙂

 

Flag: SSCTF{1qaz9ol.nhy64rfv7ujm}

Crypt2:

It wasn’t a real crypto challenge; I call it more of a coding challenge. The challenge is basically a lot of zip files that are encrypted with a password. The challenge description was: try “start”. I coded a script to try ‘start’ as the password for all zip files. I managed to decompress one zip file, read the content, and it contained the password for another file. I kept following the chain until I found a zip file that contains pwd.zip and flag.zip.

pwd.zip wasn’t encrypted with a password, and flag.zip was encrypted. Basically, we need to use pwd.zip to get the password and decrypt the flag file. Inside pwd.zip there were compressed zip files, where every file has a text file. There was a file named ‘start.txt’. If you read that file, you get “Next is [file_name]”. The other pattern, which was in some files, was “Next is [file_name], or [file_name2]”. Basically, it is like a graph and we need to visit all nodes. Every zip file that contains a text file has a comment. The comment is either ‘\t’ or ‘ ’. Two values?? Binary 0 or 1??

The graph was a cyclic graph, which means that if we visited every node and blindly followed it, we would go into a loop and never exit. I visited the graph using Breadth First Search (BFS) with a visited array to mark visited nodes and avoid an infinite loop. With every node I visit, I store the path that got me to that node.
After visiting all nodes, I got all paths and replaced them with the comments. I now have strings of binary (0, 1); I converted them to integers and then to ASCII. I managed to get the password for flag.zip, which was “Thispasswordistoolongandyoudon’twanttocrackitbybruteforce”

flag: SSCTF{Somewhere_Over_The_Rainbow}

I will leave you with the code ^^

 

 

Web 400

The goal of this challenge is to forge a cookie with user id 1 and get the flag. To be able to forge the cookie, we need the secret key that is used to sign the cookies. To get the secret key, we did the following:

1. Create a GitHub account; the name of the account should be:
{{ config.SECRET_KEY }}
This is Python template language syntax, which is parsed by the Flask application and exposes the secret.
2. Visit the website and you will get the key used to sign the cookies.
3. Use this code to generate the cookie for flag man.

Flag man cookie:
eyJpbmZvIjpbMSwie3sgY29uZmlnLlNFQ1JFVF9LRVkgfX0iLDExNDA0NSwiaHR0cHM6Ly9hdmF0YXJzLmdpdGh1YnVzZXJjb250ZW50LmNvbS91LzM5NTk0MjE_dj0zIl19.CbSoXA.TTp0QBWySKrHaNl7IwqkK_QrhCA
<img src=”http://www.seclover.com/wp-content/uploads/2015/07/logo.png” /><br><lable>name:flagman</lable><br><lable>uid:SSCTF{dc28c39697058241d924be06462c2040}</lable><br><lable>id:1</lable>
We could have got Remote Code Execution from this template-rendering vulnerability. For more details, check the following URL: http://www.freebuf.com/articles/system/97146.html
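A defensive check for the issue above, as an added example that is not part of the original write-up: Flask's default session cookie is signed but not encrypted, so its payload can be decoded and inspected for template delimiters in user-controlled fields. The function names and the `$`-style paths are assumptions of this example; the sample input is the flag man cookie quoted above.

```python
import base64
import json
import re
import zlib

# Jinja2 delimiters; none of them belongs in a display name or avatar URL.
TEMPLATE_MARKERS = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|#\}")

# The flag man cookie quoted in the write-up: payload.timestamp.signature
WRITEUP_COOKIE = (
    "eyJpbmZvIjpbMSwie3sgY29uZmlnLlNFQ1JFVF9LRVkgfX0iLDExNDA0NSwiaHR0cHM6"
    "Ly9hdmF0YXJzLmdpdGh1YnVzZXJjb250ZW50LmNvbS91LzM5NTk0MjE_dj0zIl19"
    ".CbSoXA.TTp0QBWySKrHaNl7IwqkK_QrhCA"
)

def decode_session_payload(cookie):
    """Decode the payload part of a Flask session cookie.

    A leading '.' marks a zlib-compressed payload. The signature is
    NOT verified here; this only reads what any client can read.
    """
    compressed = cookie.startswith(".")
    payload = cookie.lstrip(".").split(".")[0]
    raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)

def find_template_markers(value, path="$"):
    """Yield (path, string) for every string that holds template syntax."""
    if isinstance(value, str):
        if TEMPLATE_MARKERS.search(value):
            yield path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from find_template_markers(item, f"{path}.{key}")
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from find_template_markers(item, f"{path}[{index}]")

def scan_cookie(cookie):
    """Return all suspicious fields found in one session cookie."""
    return list(find_template_markers(decode_session_payload(cookie)))

if __name__ == "__main__":
    for path, text in scan_cookie(WRITEUP_COOKIE):
        print(f"template syntax in session field {path}: {text!r}")
```

Flagging such values is only detection; the fix is to pass user-supplied fields to the template as variables instead of building template source from them.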
PS: I apologise for the very, very quick write-up; I will try to enhance it later on. If you have any questions and the code doesn’t explain it, please let me know.

 
