SwampCTF 2024 | CTF WriteUp | Easy Challenges

Category: Misc

1) What the Form

I found this form but it doesn't go anywhere! I was told I'd find the flag after I'd gone through enough form questions but I've answered the same question 20 times and I'm still on the same page...

https://docs.google.com/forms/d/e/1FAIpQLScBhPBcA5e85DHiJST7jlJWEUPyzMpR69s3n4FDLd6c5d6HFg/viewform

Objective:

We are given a google form link and we need to find the flag.

Solution:

When we open the link, there is only one question, which is:

Even if we choose the option "Possibly" and press Next, nothing really happens.

So, let's inspect the page.

1) Search for "ctf" in the Elements panel of the browser's developer tools.

2) There we can see the flag.

This is the flag:

swampCTF{F0rm5_K33p5_D4T4_H1dd3n}

Category: pwn

1) Beginner Pwn 1

Pwn can be a pretty intimidating category to get started in. So we made a few chals to help newcomers get their feet wet!

nc chals.swampctf.com 61230

Objective:

We need to exploit a buffer overflow vulnerability: overflowing the username variable lets us make the is_admin variable 1.

Solution:

We are given two files: a C source file and an ELF binary. The C file contains the source code of the binary. We are also given a netcat address to connect to their server to get the flag.

C file: main.c

Binary file: system_terminal

Let's check what the binary file does.

To execute the file, we first need to make it executable.

The commands are:

chmod u+x system_terminal

./system_terminal

Let's give it a sample username, "user".

We are shown that user is not a system admin.

Hmm...Okay fine.

From the options, we are interested in option 3 because it prints the flag.

Oops... We are not the admin, so we cannot print the flag.

Now let's check main.c, the C source code file.

 
Here in the main() function, we can see that the is_admin variable is declared before username, a buffer of 15 chars that is filled from user input.

So on the stack, where a function's local variables are stored, is_admin sits at the bottom and username on top. Also, there is no code to check the length of the user input.

So the user can give input of any length.


In the second part of the code, we can see that if we choose option 3, the code checks whether the is_admin variable is 0 or not. It prints the flag only if is_admin is not 0.

To make is_admin non-zero, we can give a username of length 16 with the last character set to 1:

aaaaaaaaaaaaaaa1

This overflows the 15-byte username variable, and the 16th character, 1, gets stored in the is_admin variable (it is the ASCII byte '1', which is non-zero, and non-zero is all the check requires).
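As an added illustration, not the challenge's main.c (which this post does not reproduce), here is the layout described above rebuilt in a struct so the overflow is deterministic, with the unchecked copy beside a bounded one; the struct and function names are my own:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 15   /* the write-up's 15-char username buffer */

/* Hypothetical struct standing in for the stack frame the write-up describes:
 * the username buffer immediately followed by is_admin. A real frame's layout
 * is up to the compiler; a struct makes the adjacency deterministic. */
struct login_frame {
    char username[NAME_LEN];
    char is_admin;
};

/* Unchecked copy, the defect in the challenge: every input byte is written,
 * so the 16th byte lands in is_admin. The demo copies through the struct's
 * own bytes and clamps at its size so it stays within one object. */
int unsafe_login(const char *input) {
    struct login_frame f = { {0}, 0 };
    size_t n = strlen(input);
    if (n > sizeof f) n = sizeof f;
    memcpy(&f, input, n);                   /* no check against NAME_LEN */
    return f.is_admin != 0;                 /* what option 3 tests */
}

/* Bounded copy: never more than NAME_LEN - 1 bytes plus a terminator, so no
 * input length can reach the is_admin slot. */
int safe_login(const char *input) {
    struct login_frame f = { {0}, 0 };
    strncpy(f.username, input, NAME_LEN - 1);
    f.username[NAME_LEN - 1] = '\0';
    return f.is_admin != 0;
}

int main(void) {
    /* Constructed input: the write-up's 15 'a's followed by '1' (0x31). */
    const char *probe = "aaaaaaaaaaaaaaa1";
    printf("unchecked copy: is_admin=%d\n", unsafe_login(probe)); /* 1 */
    printf("bounded copy:   is_admin=%d\n", safe_login(probe));   /* 0 */
    return 0;
}
```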

Now let's check what happens.


Now it shows that the user is a system admin, so we can choose option 3 to print the flag.

But here, the flag file is not on my system, so I need to connect to their system to get the flag.

We are given a netcat address to connect.

nc chals.swampctf.com 61230


Now we get the flag:

swampCTF{y0u_@r3_a_h@ck3r}

Category: Forensics

1) Notoriously Tricky Login Mess (Part 1)

We found out a user account has been compromised on our network. We took a packet capture of the time that we believe the remote login happened. Can you find out what the username of the compromised account is?

Flag format: swampCTF{username}

Objective:

From the given network traffic capture, we must find the username that signed on to a system on the network.

Solution:

We are given a pcap file, swamchall.pcap.

Let's open it with Wireshark.

We can see a lot of HTTP traffic, so filter for HTTP packets by typing http in the display filter bar at the top.


After scrolling down a bit, we can see two usernames trying to sign on: Administrator and adamkadaban.

We know from the description that the flag format is swampCTF{username}.

So let's submit both usernames as flags in the given format. It turns out swampCTF{adamkadaban} is the right one.

Flag: swampCTF{adamkadaban}

2) New C2 Channel?

Sometimes you can exfiltrate data with more than just plain text. Can you figure out how the attacker smuggled out the flag on our network?

Objective:

The task is basically ASCII art: we just need to read the ASCII art from the data in the network packets.

Solution:

Here, we are given a pcap file, playback.pcap.

Open it with Wireshark.


We can see a bunch of HTTP traffic in the list, so let's filter for it.

Once filtered, on the right side we can see some seemingly meaningless data, made up of lots of dots, 8s and bs, being sent to the URL.

If we check the data in the bottom pane, we can see something interesting.

We can see an s, which is the start of the flag format swampCTF{}.

Now we just need to select a packet roughly 10 packets further on, and we can see the next letter.

Keep going like this until we get the full flag, which is:

swampCTF{w3lc0m3_70_7h3_l4nd_0f_7h3_pc4p}


Keep Learning....

Happy Hacking!!!!!
