Nurgiel/ctflearn.md

## ctflearn.md

      
    Raw
  

              ctflearn.md
            
          
    CTFLearn.com Solutions

EASY Challenges


#96 Forensics 101
strings image.jpg | grep flag


#103 Taking LS
ls -la


#104 Git Is Good
git log
git show -1


#107 Where Can My Robot Go?

https://ctflearn.com/robots.txt

https://ctflearn.com/70r3hnanldfspufdsoifnlds.html


#108 Binwalk
foremost PurpleThing.jpeg
xdg-open output/png/00000299.png


#115 Character Encoding
echo "41 42 43 54 46 7B 34 35 43 31 31 5F 31 35 5F 55 35 33 46 55 4C 7D" | xxd -r -p


#158 Hextroadinary
python
a=0xc4115
b=0x4cf8
c=a^b
print(hex(c))


#168 Wikipedia

https://en.wikipedia.org/w/index.php?title=Flag&diff=prev&oldid=676540540


#174 Simple Programming
result = 0
with open("data.dat") as file:
    for line in file:
        if (line.count('0') % 3 == 0) or (line.count('1') % 2 == 0):
            result += 1
print(result)


#192 Base 2 2 the 6
echo "Q1RGe0ZsYWdneVdhZ2d5UmFnZ3l9" | base64 -d


#227 BruXOR

https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(1,100,0,'Standard',false,true,false,'')&input=cXt2cGxuJ2JIX3Zhckh1ZWJjcnF4ZXRySE9YRWog

or https://www.dcode.fr/xor-cipher


#228 QR Code
zbarimg qrcode.39907201.png
echo "c3ludCB2ZiA6IGEwX29icWxfczBldHJnX2RlX3BicXI=" | base64 -d
echo "synt vf : a0_obql_s0etrg_de_pbqr" | tr 'a-zA-Z' 'n-za-mN-ZA-M'
def rot_decrypt(ciphertext, shift):
    plaintext = ""
    for char in ciphertext:
        if char.isalpha():
            alpha_start = ord('a') if char.islower() else ord('A')
            index = (ord(char) - alpha_start - shift) % 26
            plaintext += chr(alpha_start + index)
        else:
            plaintext += char
    return plaintext

ciphertext = "synt vf : a0_obql_s0etrg_de_pbqr"
shift = 13
print(rot_decrypt(ciphertext, shift))


#230 Reverse Polarity

https://www.rapidtables.com/convert/number/binary-to-ascii.html


#305 Vigenere Cipher
plaintext = "gwox{RgqssihYspOntqpxs}"
key = "blor{pyblorpyblorpyblor}"
result = ""

for i in range(len(plaintext)):
    char = plaintext[i]
    if char.isalpha():
        if char.isupper():
            result += chr((ord(char) - ord('A') - (ord(key[i]) - ord('a')) + 26) % 26 + ord('A'))
        else:
            result += chr((ord(char) - ord('a') - (ord(key[i]) - ord('a')) + 26) % 26 + ord('a'))
    else:
        result += char

print(result)


#309 Exif
exiftool Computer-Password-Security-Hacker\ -\ Copy.jpg


#309 Morse Code
echo "..-. .-.. .- --. ... .- -- ..- . .-.. -- --- .-. ... . .. ... -.-. --- --- .-.. -... -.-- - .... . .-- .- -.-- .. .-.. .. -.- . -.-. .... . . ..." | morse2ascii -


#348 WOW.... So Meta
exiftool 3UWLBAUCb9Z2.jpg


#443 HyperStream Test

Cyber Chef - Bacon Cipher Decode


#691 Lazy Game Challenge
printf "Y\n-1000000\n0\n0\n0\n0\n0\n0\n0\n0\n0\n0\n" | nc thekidofarcrania.com 10001


#883 I'm a dump
strings file | grep -n2 "CTF"


#885 Modern Gaius Julius Caesar 

https://www.dcode.fr/keyboard-shift-cipher

Shift: Left

Number of keys/steps for shift: 2


#933 Rubber Duck
exiftool RubberDuck.jpg


#934 Snowboard
file Snowboard.jpg
echo "Q1RGbGVhcm57U2tpQmFuZmZ9Cg==" | base64 -d


#935 PikesPeak
strings PikesPeak.jpg | grep -i ctf
file PikesPeak.jpg | grep CTFl


#936 GandalfTheWise
file Gandalf.jpg
echo "Q1RGbGVhcm57eG9yX2lzX3lvdXJfZnJpZW5kfQo=" | base64 -d
# CTFlearn{xor_is_your_friend}

printf "xD6kfO2UrE5SnLQ6WgESK4kvD/Y/rDJPXNU45k/p" | base64 -d | xxd -p -d | tr -d "\n" | sed 's/\(..\)/\1 /g'
# c4 3e a4 7c ed 94 ac 4e 52 9c b4 3a 5a 01 12 2b 89 2f 0f f6 3f ac 32 4f 5c d5 38 e6 4f e9

printf "h2riEIj13iAp29VUPmB+TadtZppdw3AuO7JRiDyU" | base64 -d | xxd -p -d | tr -d "\n" | sed 's/\(..\)/\1 /g'
# 87 6a e2 10 88 f5 de 20 29 db d5 54 3e 60 7e 4d a7 6d 66 9a 5d c3 70 2e 3b b2 51 88 3c 94 

# https://xor.pw/

echo "4354466c6561726e7b47616e64616c662e42696c626f42616767696e737d" | xxd -r -p


#955 Minions
strings Hey_You.png
binwalk -e Only_Few_Steps.jpg
cd _Only_Few_Steps.jpg.extracted
unrar x 22806.rar
strings YouWon\(Almost\).jpg | grep CTF
echo "VmtaU1IxUXhUbFZSYXpsV1RWUnNRMVpYZEZkYWJFWTJVVmhrVlZGVU1Eaz0=" | base64 -d
echo "VkZSR1QxTlVRazlWTVRsQ1ZXdFdabEY2UVhkVVFUMDk=" | base64 -d
echo "VFRGT1NUQk9VMTlCVWtWZlF6QXdUQT09" | base64 -d
echo "TTFOSTBOU19BUkVfQzAwTA==" | base64 -d


#957 PDF by fdpumyp
strings dontopen.pdf
echo "Q1RGbGVhcm57KV8xbDB3M3kwVW0wMG15MTIzfQ==" | base64 -d


#959 Blank Page
sed 's/ /0/g; s/\xE2\x80\x8F/1/g' TheMessage.txt | perl -lape '$_=pack"B*",$_'


#971 Pho Is Tasty!
head Pho.jpg


#972 Chalkboard
strings math.jpg | grep flag -n4   


#973 Tux!
file Tux.jpg
echo "ICAgICAgUGFzc3dvcmQ6IExpbnV4MTIzNDUK" | base64 -d
binwalk -e Tux.jpg
cd _Tux.jpg.extracted
unzip 1570.zip
cat flag


#1072 Time Traveller 

https://web.archive.org/web/19961231235847/http://www.nasa.gov/


#1135 My Friend John
zip2john use-rockyou.zip > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
unzip -P kdbs0429 use-rockyou.zip
zip2john custom-list.zip > hash2.txt
john --wordlist=custom-list.txt hash2.txt
unzip -P 1N73rD3N0M1N4710N41 custom-list.zip
with open('pinlist.txt', 'w') as file:
  for pin in range(1000000):
      file.write(f'{pin:04d}\n')
zip2john brute-force-pin.zip > hash3.txt
john --wordlist=pinlist.txt hash3.txt
unzip -P 991337 brute-force-pin.zip
cat flag.txt


MEDIUM Challenges


#97 07601
binwalk -e AGT.png
cd _AGT.png.extracted
find . -type f -exec strings {} \; | grep -i "ctf"


#109 Don't Bump Your Head(er)
curl http://165.227.106.113/header.php
curl http://165.227.106.113/header.php -A "Sup3rS3cr3tAg3nt"
curl http://165.227.106.113/header.php -A "Sup3rS3cr3tAg3nt" -e "awesomesauce.com"


#114 POST Practice
curl http://165.227.106.113/post.php
curl http://165.227.106.113/post.php -d "username=admin&password=71urlkufpsdnlkadsf"


#142 Up For A Little Challenge?
strings Begin\ Hack.jpg | grep -i mega
strings Begin\ Hack.jpg | grep -i real
unzip Up\ For\ A\ Little\ Challenge.zip
cd Did\ I\ Forget\ Again\?
binwalk -e .Processing.cerb4
cd _.Processing.cerb4.extracted
unzip -P "Nothing Is As It Seems" 0.zip
xdg-open skycoder.jpg # Flag is in the bottom right


#195 Milk's Best Friend
binwalk -e oreo.jpg
cd _oreo.jpg.extracted
strings b.jpg | grep -i flag


#231 Symbolic Decimals
echo '^&,*$,&),!@#,*#,!!^,(&,!!$,(%,$^,(%,*&,(&,!!$,!!%,(%,$^,(%,&),!!!,!!$,(%,$^,(%,&^,!)%,!)@,!)!,!@%' | sed 's/\!/1/g' | sed 's/\@/2/g' | sed 's/\#/3/g' | sed 's/\$/4/g' | sed 's/\%/5/g' | sed 's/\^/6/g' | sed 's/\&/7/g' | sed 's/\*/8/g' | sed 's/(/9/g' | sed 's/)/0/g' | sed 's/,/ /g' | awk '{ for (i=1; i<=NF; i++) printf "%c", $i; print "" }'


#237 Digital Camouflage
wireshark data.pcap
echo "UEFwZHNqUlRhZQ==" | base64 -d


#238 Substitution Cipher

https://www.dcode.fr/monoalphabetic-substitution

https://gchq.github.io/CyberChef/#recipe=Substitute('ABCDEFGHIJKLMNOPQRSTUVWXYZ','AYWMCNOPHZRSTJIQKDLEGXUVFB',false)&input=TUlUIFlTQVUgT0wgT1lHRlNCREdSVEtGRUtCSE1HQ0FMU09RVE1JT0w


#274 Ambush Mission
wget http://www.caesum.com/handbook/Stegsolve.jar -O stegsolve.jar
chmod +x stegsolve.jar
mkdir bin
mv stegsolve.jar bin/ && cd bin
java -jar stegsolve.jar
echo "bTNFdF9tZV80dF8xMl9hTQ==" | base64 -d


#356 A CAPture of a Flag
wireshark -Y 'http contains "GET /?m"' flag\ \(4\)
echo "ZmxhZ3tBRmxhZ0luUENBUH0=" | base64 -d


#890 Naughty Cat
java -jar stegsolve.jar
binwalk -e cut3_c4t.png
cd _cut3_c4t.png.extracted/
hexeditor y0u_4r3_cl0s3.rar
# change Cat! to Rar!
echo -n -e '\x52\x61\x72' | dd conv=notrunc bs=1 count=3 of=y0u_4r3_cl0s3.rar
# Get rar password from purrr_2.mp3 using Audacity Spectogram
unrar x -psp3ctrum_1s_y0ur_fr13nd y0u_4r3_cl0s3.rar
cat f1n4lly.txt
echo "ZjByM241MWNzX21hNXQzcg==" | base64 -d


#903 Smiling ASCII
zsteg -a smiling.png


HARD Challenges


#89 Image Magic
import PIL
from PIL import Image

# 27968 / 304 = 92
imgWidth = 92
img = Image.open("out copy.jpg")
pixels = list(img.getdata())

pixel_rows = []
row = []
for i, pixel in enumerate(pixels):
    row.append(pixel)
    if len(row) == imgWidth:
        pixel_rows.append(row)
        row = []

pixels = []
for row in pixel_rows:
    pixels.extend(row)

out = Image.new('RGB', (imgWidth, 304))
out.putdata(pixels)
out = out.rotate(-90, 0, 1)
out = out.transpose(PIL.Image.FLIP_LEFT_RIGHT)
out.show()


#121 So many 64s
cat flag.txt | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d


#138 Corrupted File
echo -n -e '\x47\x49\x46\x38' | cat - unopenable.gif > tmpfile && mv tmpfile unopenable.gif
# open gif file in photopea.com or photoshop
echo "ZmxhZ3tnMWZfb3JfajFmfQ==" | base64 -d


#149 Inj3ction Time
jsql
https://web.ctflearn.com/web8/?id=1
Injection


#150 Calculat3 M3

https://web.ctflearn.com/web7/
document.getElementById('d').value = ";ls";
document.getElementsByTagName("form")[0].submit();


#394 Old memories

https://github.com/zardus/ctf-tools
java -jar stegsolve.jar
# Analyse -> Image Combiner


#243 Encryption Master

https://github.com/zardus/ctf-tools
echo "TmljZSEgTm93IGtlZXAgZ29pbmcuIDU0Nzc2ZjIwNmQ2ZjcyNjUyZTIwMzAzMTMwMzAzMDMxMzEzMDIwMzAzMTMxMzAzMTMwMzAzMTIwMzAzMTMxMzAzMTMxMzEzMDIwMzAzMTMxMzAzMDMwMzAzMTIwMzAzMTMxMzAzMTMxMzAzMDIwMzAzMDMxMzAzMDMwMzAzMDIwMzAzMTMwMzAzMDMxMzAzMDIwMzAzMTMxMzAzMDMxMzAzMTIwMzAzMTMxMzAzMDMwMzEzMTIwMzAzMTMxMzEzMDMwMzEzMDIwMzAzMTMxMzEzMTMwMzAzMTIwMzAzMTMxMzEzMDMwMzAzMDIwMzAzMTMxMzEzMDMxMzAzMDIwMzAzMTMxMzAzMTMwMzAzMTIwMzAzMTMxMzAzMTMxMzEzMTIwMzAzMTMxMzAzMTMxMzEzMDIwMzAzMDMxMzAzMDMwMzAzMTIwMzAzMDMxMzAzMDMwMzAzMDIwMzAzMTMwMzEzMDMwMzAzMTIwMzAzMDMxMzEzMDMwMzAzMTIwMzAzMTMwMzEzMDMwMzEzMDIwMzAzMTMwMzAzMDMxMzEzMTIwMzAzMTMxMzAzMDMxMzAzMTIwMzAzMDMxMzEzMDMwMzAzMDIwMzAzMTMxMzAzMTMxMzAzMDIwMzAzMTMxMzAzMDMxMzEzMDIwMzAzMTMwMzEzMDMwMzAzMTIwMzAzMTMwMzEzMDMxMzAzMTIwMzAzMDMxMzEzMDMwMzAzMTIwMzAzMTMxMzAzMDMxMzEzMDIwMzAzMTMwMzEzMDMxMzAzMTIwMzAzMTMwMzAzMDMxMzEzMDIwMzAzMTMwMzAzMTMwMzEzMDIwMzAzMTMwMzEzMDMwMzAzMDIwMzAzMTMwMzEzMDMxMzEzMDIwMzAzMTMwMzEzMDMxMzAzMTIwMzAzMTMwMzEzMDMwMzEzMDIwMzAzMTMxMzAzMDMxMzEzMDIwMzAzMTMwMzEzMDMxMzAzMDIwMzAzMDMxMzEzMDMwMzAzMDIwMzAzMTMwMzEzMTMwMzEzMDIwMzAzMTMxMzAzMDMxMzEzMDIwMzAzMTMwMzEzMDMxMzEzMTIwMzAzMTMwMzEzMDMxMzAzMTIwMzAzMDMxMzEzMTMwMzAzMTIwMzAzMTMwMzEzMDMxMzEzMDIwMzAzMTMxMzAzMDMxMzEzMDIwMzAzMTMwMzEzMDMwMzAzMTIwMzAzMDMxMzEzMTMxMzAzMTIwMzAzMDMxMzEzMTMxMzAzMQ==" | base64 -d | sed 's/Nice! Now keep going\. //' | xxd -r -p  | sed 's/Two more\. //' | tr -d ' ' | perl -lape '$_=pack("B*", $_)' | sed 's/Final Decryption! //' | base64 -d


#441 Seeing is believing
unzip message.zip
cd seeingisbelieving
cat help.me
file help.me
cp help.me help.ogg
xdg-open help.ogg # open with audacity
Use Spectogram in Audacity and scan QR code.

https://pastebin.com/zhEhyp3G


#484 RSA Twins!

https://github.com/RsaCtfTool/RsaCtfTool
./RsaCtfTool.py -n 14783703403657671882600600446061886156235531325852194800287001788765221084107631153330658325830443132164971084137462046607458019775851952933254941568056899 -e 65537 --uncipher 684151956678815994103733261966890872908254340972007896833477109225858676207046453897176861126186570268646592844185948487733725335274498844684380516667587


Resources


https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/