Neverlan CTF 2019

Neverlan CTF 2019 was both easy and fun.

I was able to solve some of the challs from every category and our team secured ‘35th’ positon at the last.

This writeup includes the following Challenges.

Binary

Binary 1
Binary 2
Binary 3

Forensics

Forensic 1

Web

React To This
Das Blog 1
Das Blog 2
Console

Recon

Its to KeyZ
Jackalope’s Live set

Crypto

Zero C00l Bruh!!

Ok lets get our hands dirty !! in the Binary World. XD

Binary1

Task:

using command

xxd -r -p users_db | base64 -d | grep 'flag{'

I Found this…

Binary2

Task:

For this Challenge I had to boot my Windows machine to run the exe . :P I have a Wine Problem ..

The Application is made using .NET. I searched some Decompilers for .NET Applications And Found dotPeek from JetBrains, and this was enough to solve this chall. I decompiled it and found CheckUsername() and CheckPassword() functions.

I noticed that the fields were declared.

And then I simply Logged IN using the creds … BoomYa!!!

Binary3

Task:

After making it executable by changing permissions, I got a login prompt. Fine!! Till Now. After Reversin with IDA i saw an ADMIN string and tried that in the username but password was a bit complicated.

Researching a bit further…

I found that its issuing a GET Request to www.gr3yROn1n.com

Then Checking the References took me to the d function

I observed that the d function was not being called by the main.
So I did it manually on GDB.

print ((char*(*)()) d)()

Forensic1

Task:

The Forensic Challenges were not too fun.. As it required for us to download a 6.2 GB file.. XD.. This can be a limitation for some players.

But I was lucky to download that in just 15 mins. LOL !!
Importing and Booting up the OVA in VirtualBox I saw that a user was already there..
I logged in with the Password given in the TASK INFO.

I discovered a .vnc dir in home dir and there existed a passwd file which we can easily decrypt using the vnc passwd decryptor

GitHub LINK : https://github.com/jeroennijhof/vncpwd

I cloned the repo and transferred the passwd file into my local machine using python -m SimpleHTTPServer

And That was it..

Boom Ya!!!

ReactToThis

Task:

This Challenge was too easy…
It just needed us to see the source files carefully.

There existed Admin.js which contains the flag for the chall.

Just Walking Now !!

Console

Task:

The Source is the Master here and the functions are the Slave… XD

I saw that there is an if condition… and as the challenge says to use the console…
I bypassed the condition statement using the Developer Console available in the browser.

DasBlog1

Task:

This was a Basic SQL Injection if u had the right and the most common payload. LOOL !!

Payload : 'or 1=1-- 

And plz don’t forget the trailing spaces after the - -.

We were logged in as Johnny with permissions as admin.

After Clicking on the
click here to go to the main page

We saw our flag in one of the posts…

DasBlog2

Task:

Ahh !! After using the same payload for SQL Injection, we are logged in as USER. Now, here we have to think a little smarter.

Next I tried dumping the database using sqlmap

sqlmap -u 'https://challenges.neverlanctf.com:1130/login.php' --data='Username=1&Password=1&submit=Login' --dump

And Here we go!!

The flag was in the Admin Records.

ItsToKeyZ

Task:

I found this Github Repo : https://github.com/durkinza/KeyZ I Cloned this to my local Machine, and after tinkering around a bit it yielded our flag.

./key -g passwords.keyz flag

JackalopeLiveSet

Task:

I found this LiveStream Link

https://chew.tv/s7a73farm/dj-jackalopes-neverlanctf-mix

and Eventually found the Flag at 23:30 .

ZeroC00lBruh

Task:

This Challenge also required the right tools and understanding both…. XD

We can use steghide to get the hidden text with the Passphrase as neverlanctf.

Next, I tried to decrypt the string using the Vignere Cipher Decoder From Cryptii..

And Most Important part was guessing the Key … This part was fun as the key was hackers

At the end the flag was ::

flag{myfavoritemovie}