Writeups for Insecure blocks & serial killer from WiCSMECTF 2022

Published on November 05, 2022 by 0xRar

Writeups CTF Web Crypto

2 min READ

Women in Cyber Security Middle East conference present its 3rd WiCSME2022 CTF in collaboration with the Cyber Talents platform.

The CTF was really beginner friendly and for you to participate you need at least 1 female member in the team, we were able to get the 14th place out of 230 teams.

Pasted image 20221105160150

scoreboard url

serial killer:

  • Category: Cryptography
  • Level: Easy
  • Points: 50

Description:

FPI was tracking a serial killer who was responsible for at least 7 victims in California, USA.

and he left some messages behind him, could you help us figure out what is it?

Pasted image 20221104192425

Solution:

This is a straight forward challenge for a Symbol Cipher, would be really basic if you know about Symbols & the name of the challenge is kind of a hint, for this kind of challenges i go to dcode.fr they have a really good symbol cipher list after looking at the list for about a minute i was able to find the cipher which was the Zodiac Killer Cipher and decrypted it using the zodiac killer decryption.

Pasted image 20221104204339

Flag: flag{DONOTLOOKBEHINDYOU}

Insecure blocks:

  • Category: Web Security
  • Level: Easy
  • Points: 50

Description:

Do you think this developer can prevent you from getting your points?

Source-Code:

 <?php
  include './.flag.php';

  highlight_file(__FILE__);

  if(preg_match("/flag/",$_GET['echo'])) { 
    echo"Nah , we don't do that here!"; exit(); 
  }
  $_GET['echo'] = urldecode($_GET['echo']);
  if($_GET['echo'] == "flag"){
    echoFlag();
  }

?>

Solution:

In this challenge we are given a small php webapp that takes a GET parameter: echo, and in order to get the flag we need to run the function echoFlag() by passing the string flag into the echo GET parameter and apparently the code decodes any special characters but from what i’ve read from the php manual seems like decoding a $_GET is bad and the urldecode function only decode’s ones so it can be fooled by double url encoding your payloads for example this urlencode %2527 the urldecode function will decode this into %27 and it will accept the single quote, so in our case i encoded every char from the word flag and then double encoded it using cyberchef.

Ref: php manual

# https://www.w3schools.com/tags/ref_urlencode.asp
%66%6C%61%67 = flag

# https://cyberchef.org/#recipe=URL_Encode(true)
%2566%256C%2561%2567 = double url encoded flag

final url: http://challenge-url.com/?echo=%2566%256C%2561%2567

Pasted image 20221104212704

flag{This_is_just_a_gift_for_you}

Thank You For Reading ♥