UAE and Sudan National Cyber Security CTF 2019 — Solutions
This is the first time i have ever participated in any CTF. I have been practicing on CyberTalents and this CTF is also hosted by them (online).
This CTF started on 28 March 2019 , 16:00 pm UTC and ended on 30 March 2019 , 21:00 pm UTC.
This CTF consisted of 3 easy and 7 medium level challenges.
Let’s start solving them.
1. Encoding (Easy)
We need to find what’s inside the hashed text. Well if we try to use Hash-Identifier it says that this hash is MD5(half) but. The thing is this text is base64 encoded. On simple decoding we are presented with our 1st flag.
2. Where is the flag (Easy)
We are provided with the link and we need to find the flag. On opening the link we are presented with some text on the screen.
Let’s look onto the source code of this page.
We can see the flag in the comments.
- The flag is URL Encoded. Decode it first!
- We got the base64 encoded text. Decode it!
- We got the flag!
3. Secret Blog (Medium)
This challenge is also web based and we are provided with the link.
Only [Admins] can see the flag!. On opening the link we can see a simple blog.
We can log into the account by providing any data. In this case i have used admin:admin combination.
There is nothing else other than this page. This is the time when we need to move onto checking the cookies. We can see that there is a cookie named admin which is set to False. All we need is to set it to True.
Once done. Refresh the page and we have got the flag !
4. Johnny Little Experiment (Medium)
This challenge also consists of a blog and we need to find the flag!
All we need is to fire up Burp Suite and will spider this website. While being done i found that there is a php page which accepts input.
On submitting flag. Text appears onto the page and i moved onto checking the source code where i found a PHP code commented. That’s the key leading us to our flag!
On quick google! the source code lead me to OWASP PHP Object Injection page.
PHP Object Injection - OWASP
PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of…
We can see the same code on their page as well. We have been provided with the exploit code. It just needs to be edited.
We got our flag!
These were the challenges i was also to solve on that day. Didn’t got time to solve other challenges of this CTF.
Happy Reading :))