Neverlan CTF 2019

Neverlan CTF 2019 was both easy and fun.

I was able to solve some of the challs from every category and our team secured ‘35th’ positon at the last.

This writeup includes the following Challenges.


Binary 1
Binary 2
Binary 3


Forensic 1


React To This
Das Blog 1
Das Blog 2


Its to KeyZ
Jackalope’s Live set


Zero C00l Bruh!!

Ok lets get our hands dirty !! in the Binary World. XD



using command

xxd -r -p users_db | base64 -d | grep 'flag{'

I Found this…



For this Challenge I had to boot my Windows machine to run the exe . :P I have a Wine Problem ..

The Application is made using .NET. I searched some Decompilers for .NET Applications And Found dotPeek from JetBrains, and this was enough to solve this chall. I decompiled it and found CheckUsername() and CheckPassword() functions.

I noticed that the fields were declared.

And then I simply Logged IN using the creds … BoomYa!!!



After making it executable by changing permissions, I got a login prompt. Fine!! Till Now. After Reversin with IDA i saw an ADMIN string and tried that in the username but password was a bit complicated.

Researching a bit further…

I found that its issuing a GET Request to

Then Checking the References took me to the d function

I observed that the d function was not being called by the main.
So I did it manually on GDB.

print ((char*(*)()) d)()



The Forensic Challenges were not too fun.. As it required for us to download a 6.2 GB file.. XD.. This can be a limitation for some players.

But I was lucky to download that in just 15 mins. LOL !!
Importing and Booting up the OVA in VirtualBox I saw that a user was already there..
I logged in with the Password given in the TASK INFO.

I discovered a .vnc dir in home dir and there existed a passwd file which we can easily decrypt using the vnc passwd decryptor

GitHub LINK :

I cloned the repo and transferred the passwd file into my local machine using python -m SimpleHTTPServer

And That was it..

Boom Ya!!!



This Challenge was too easy…
It just needed us to see the source files carefully.

There existed Admin.js which contains the flag for the chall.

Just Walking Now !!



The Source is the Master here and the functions are the Slave… XD

I saw that there is an if condition… and as the challenge says to use the console…
I bypassed the condition statement using the Developer Console available in the browser.



This was a Basic SQL Injection if u had the right and the most common payload. LOOL !!

Payload : 'or 1=1-- 

And plz don’t forget the trailing spaces after the - -.

We were logged in as Johnny with permissions as admin.

After Clicking on the
click here to go to the main page

We saw our flag in one of the posts…



Ahh !! After using the same payload for SQL Injection, we are logged in as USER. Now, here we have to think a little smarter.

Next I tried dumping the database using sqlmap

sqlmap -u '' --data='Username=1&Password=1&submit=Login' --dump

And Here we go!!

The flag was in the Admin Records.



I found this Github Repo : I Cloned this to my local Machine, and after tinkering around a bit it yielded our flag.

./key -g passwords.keyz flag



I found this LiveStream Link

and Eventually found the Flag at 23:30 .



This Challenge also required the right tools and understanding both…. XD

We can use steghide to get the hidden text with the Passphrase as neverlanctf.

Next, I tried to decrypt the string using the Vignere Cipher Decoder From Cryptii..

And Most Important part was guessing the Key … This part was fun as the key was hackers

At the end the flag was ::