Net0n CTF

Pwn

Crash, crash, crash!

This challenge was pretty straightforward: I just tried a buffer overflow and got the flag:

┌──(jusepe㉿nix)-[~/Documents/CTFs/Neton]
└─$ nc 167.99.129.209 10000                                                                                                                               
> 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
FLAG: NETON{Y34h_1_kn0w_th3_cr4sh_cr4sh_cr4sh_j0k3_w45_4_b1t_b4d}

Forensics

Infiltration

For this challenge we have a pcap file, so I used Apackets to analyze it. After some time checking the HTTP connections, I found this packet containing login credentials:

Credentials

The website involved was eljoselillo7.tech. I tried to sign in with the leaked credentials and got the flag:

Flag

Web

Welcome to FilterLand

Filtering

The first thing we see when we arrive at the website is a small form:

Filtering Landing

So I checked the page source, which contained an endpoint with the source code of the backend:

<?php
	$FLAG =  (file_get_contents("/flag.txt")); //SECRET
	$PASSWORD = $_POST['password']; //User password
	if(isset($PASSWORD)){
		$PASSWORD = str_replace("s4cuRe_p4sW0rD","Nice_try!",$PASSWORD); //Replace
		if(strcmp('s4cuRe_p4sW0rD', $PASSWORD) == 0){ //Check
			echo $FLAG;
		}
		else{
			header("Location: /fail.html");
			die();
		}
	}
	else {
		echo "Give me what I'm looking for ):";
	}
?>

After reading the source code, the vulnerability seemed to be the weak comparison using == instead of ===. I did some research and, according to HackTricks, passing an array can bypass that comparison.

Filtering Landing
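An added example, not part of the challenge or of the original write-up: the same password check with the type confusion closed off. The function name `password_is_valid` and the sample inputs are made up for illustration, and the sketch drops the `str_replace` filter, which made it impossible for any string to pass.

```php
<?php
declare(strict_types=1);

// Hardened form of the check (added example; names are hypothetical).
const EXPECTED_PASSWORD = 's4cuRe_p4sW0rD'; // value taken from the challenge source

/**
 * Returns true only when $input is a string equal to the expected password.
 */
function password_is_valid($input): bool
{
    // A field sent as password[]=x arrives as an array. str_replace() passes
    // arrays through, and on PHP < 8 strcmp() then returns NULL, which the
    // loose test "NULL == 0" treats as a match. Reject non-strings up front.
    if (!is_string($input)) {
        return false;
    }
    // hash_equals() is a strict, constant-time string comparison: no type
    // juggling, and no timing difference between near and far misses.
    return hash_equals(EXPECTED_PASSWORD, $input);
}

// Constructed sample inputs, shaped like possible $_POST['password'] values.
$samples = [
    'correct string' => 's4cuRe_p4sW0rD',
    'wrong string'   => 'guess',
    'array payload'  => ['x'],
    'missing field'  => null,
];

foreach ($samples as $label => $value) {
    printf("%-15s => %s\n", $label, password_is_valid($value) ? 'accepted' : 'rejected');
}
```

On PHP 8, `strcmp()` throws a `TypeError` when given an array instead of returning `NULL`, so the loose comparison is only reachable on older versions; the explicit type check behaves the same on both.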

Let me in!

The home page is just simple HTML:

<html>
	<head>
		<title>Try to catch the flag!</title>
	</head>
	<body>
		<a href="flag.php">Try to catch me!</a>
	</body>
</html>

When you click on flag.php you are immediately redirected to the index. However, I paused the request in Burp and got this response before the redirection occurs:

<html>
	<head>
		<title>Try to catch the flag!</title>
	</head>
	<body>
		<form method="POST">
			<p>
				<label for="captcha">Please Enter the Captcha Text</label><br />
				<img src="captcha.php" alt="CAPTCHA" class="captcha-image">
			</p>
			<p>
				<input type="text" id="captcha" name="captcha_challenge">
				<input type="submit" value="Send">
			</p>
		</form>
	</body>
</html>

At first I thought I needed to write a script that doesn’t follow the redirection and gets the session captcha in order to get the flag. After some time I wasn’t able to get that approach working without too much effort, so I checked whether just opening a new tab and submitting that captcha would work, and luckily it did:

Let me in flag

Stego

Jungle Meeting

As it was a steganography challenge, I checked all the images with strings together with grep to filter by the flag format:

┌──(jusepe㉿nix)-[~/Documents/CTFs/Neton/jungle]
└─$ strings *.jpg | grep NETON                                                                                                                                                                                                                                                                                                
  <photoshop:City>NETON{l00k_at_m3tadata}</photoshop:City>

Winter

For this challenge it seems that we only have a plain text file, so I searched for techniques to hide text in plain text and found this article that mentioned the tool stegsnow. I used the tool and got the flag:

┌──(jusepe㉿nix)-[~/Documents/CTFs/Neton]
└─$ stegsnow -C Winter.txt                                                                                                                                                                                                                                                                                                    
NETON{wh1t3_spac3_tr1cks}

Osint

Caesar’s Secret

We have a Twitter account and found an interesting tweet on it:
Caesar

Then I used the web archive to try to see the deleted tweets; luckily they were there. However, the next step wasn’t in the tweets but in the bio:
Caesar bio

It was encoded with a Caesar cipher. I decoded it and got the following:
Caesar data

There was only one that seemed like a proper English sentence, so I used that one to decode the zip file, which actually worked. Inside the zip there was the following content:

The secret is that there are 10 types of people in the world, those who know binary and those who do not.


flag: 01001110 01000101 01010100 01001111 01001110 01111011 01001010 01110101 01101100 01101001 01110101 01110011 01000011 01100001 01100101 01110011 01100001 01110010 01111101

Finally, to get the flag, I translated the binary to ASCII:
Caesar data

Capture the flag

CTF.png

For this challenge we have this image and we are looking for a CTF that took place in there:
Original Image

Zooming in, we can see some Chinese characters and 2019, so that may be the year of the CTF.
Zoom

I searched Google for a CTF in 2019 and this is what I got:
CTF Google

Finally, I searched for Zhengzhou in Google Maps and found the same lake:
CTF Maps

Coding

Run Run Run

For this challenge we need to automate getting the value from a specific HTML tag and then submit it in a POST request, hashed with MD5. This is the script I made to solve the challenge using BeautifulSoup:

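#!/usr/bin/python3
import requests
import hashlib
from bs4 import BeautifulSoup

# Reuse one session so the GET and the POST share cookies
s = requests.Session()

url = "http://167.99.129.209:7777/"

r = s.get(url)
soup = BeautifulSoup(r.text, 'html.parser')

# Text of the first <h3> tag, evaluated below
calc = soup.find_all('h3')[0].text
# eval() runs whatever text the server put in that tag, so only point this at a host you trust
result = eval(calc)
hashed = hashlib.md5(str(result).encode()).hexdigest()

# Submit the MD5 of the result in the same session
data = {"md5": hashed, "send": ""}
r = s.post(url, data=data)
print(r.text)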

Misc

Inception

For this challenge we are given this QR:
First QR

The challenge points to a Mega file; the content of the file is encoded using base64:

Base64 content

It seemed like an SVG, so I just used jsbin to show the SVG output, which contains the flag:
Final QR

Photogra.fy

Photografy

The Twitter account FyPhotogra has the URL to his website in his tweets:
Tweet

Inside the website there is a small JavaScript snippet with a validate function:

function validate() {
    console.log(String['\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65'](0x4e, 0x45, 0x54, 0x4f, 0x4e, 0x7b, 0x4e, 0x61, 0x54, 0x69, 0x30, 0x6e, 0x61, 0x31, 0x5f));
}

If we run the validate function in the console we get the first part of the flag:

validate()
NETON{NaTi0na1_

Then I checked the styles and found an interesting comment:

/*Maybe some picture has something interesting...*/

So I checked the metadata of the images, and the last image contained the second part of the flag in the “Make” field:
Tweet

WRITTEN BY
ITasahobby
InTernet lover