QUESTCON CTF Writeup

By IIT(BHU)CyberSec Team

Misc

Guidelines of the Caribbean

The flag sits on line 233 of the rules page's source (the rules directory), inside a span styled display: none, so it never shows up in the rendered page, which only says REDACTED:

  </li>
  <li>🤫 Thanks for reading rules, your flag: REDACTED.<span style="display: none">QUESTCON{C0d3Break3r_Rul35_Expl0r3r}</span>
</ul>
</p>
  </div>

challenge name: Guidelines of the Caribbean
Flag : QUESTCON{C0d3Break3r_Rul35_Expl0r3r}
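As an added example (not part of the original writeup), here is a small Python scanner that does what reading the source did here: it parses the HTML and reports text that exists in the markup but is suppressed when rendered (display:none / visibility:hidden styles, the hidden attribute, and HTML comments), then matches the QUESTCON{...} pattern against it. The sample HTML is constructed around the fragment above; the extra rule line and the comment are made up for the demo.

```python
import re
from html.parser import HTMLParser

FLAG_RE = re.compile(r"QUESTCON\{[^}]*\}")
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr", "source"}


class HiddenTextFinder(HTMLParser):
    """Collect text that is in the source but not rendered: elements styled
    display:none / visibility:hidden, elements with the `hidden` attribute,
    and HTML comments."""

    def __init__(self):
        super().__init__()
        self.depth = 0          # nesting depth inside a hidden element
        self.hidden_text = []
        self.comments = []

    @staticmethod
    def _is_hidden(attrs):
        attrs = dict(attrs)
        if "hidden" in attrs:
            return True
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return "display:none" in style or "visibility:hidden" in style

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:            # no matching end tag, do not count it
            return
        if self.depth or self._is_hidden(attrs):
            self.depth += 1

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.depth:
            self.depth -= 1

    def handle_data(self, data):
        if self.depth and data.strip():
            self.hidden_text.append(data.strip())

    def handle_comment(self, data):
        self.comments.append(data.strip())


def find_hidden_flags(html, pattern=FLAG_RE):
    """Flag-shaped strings that a browser would never display."""
    p = HiddenTextFinder()
    p.feed(html)
    p.close()
    candidates = p.hidden_text + p.comments
    return sorted({m.group(0) for text in candidates for m in pattern.finditer(text)})


# Constructed sample built around the fragment quoted from the rules page.
SAMPLE_HTML = """
<ul>
  <li>Rule 1: be nice to the other crews.</li>
  <li>🤫 Thanks for reading rules, your flag: REDACTED.<span style="display: none">QUESTCON{C0d3Break3r_Rul35_Expl0r3r}</span></li>
</ul>
<!-- TODO: remove the hidden span before the event -->
"""

if __name__ == "__main__":
    print(find_hidden_flags(SAMPLE_HTML))
```

Run it against `curl -s <url>` output when a page says "redacted" but the source is still served unminified; a regex over the raw source also works, but the parser tells you why the text was invisible.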

Hexa Pirate's Code

Downloading it normally just gave me a message (see the screenshot) T_T, so I spun up my VM and fetched it with my CLI tool, wget.

It was a zip file containing a QuestCON folder.

I ran the file command on everything to check the real file types.

One file's name looked ambiguous, so I looked at it first; honestly, that was pure luck xd.

There was another file planted to troll, and I got trolled 🥹: it was a red herring holding a fake flag.

The file cc53495bb42e4f6563b68cdbdd5e4c2a9119b498b488f53c0f281d751a368f19 contained one line that none of the other files did (I checked with grep):

5155455354434f4e7b426c34636b42333472645f4d616c773472335f50697234"+"7433737d-0000-0000-000000000000

Strip the "+" and the UUID-style -0000-0000-000000000000 tail, and the remaining hex decodes to the flag.

challenge name: Hexa Pirate's code
flag : QUESTCON{Bl4ckB34rd_Malw4r3_Pir4t3s}
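Added example, not from the original writeup: the grep-and-decode step as Python. unique_lines() keeps only lines that occur in exactly one file, and decode_hex_fragments() joins the hex runs on a line (skipping the literal "+" glue and treating the zero-filled UUID tail as padding) before decoding. The three sample files are constructed; only the hex line and the hash-named file are taken from the challenge.

```python
import re
from collections import Counter

HEX_RUN = re.compile(r"[0-9a-fA-F]{2,}")
FLAG_PREFIX = b"QUESTCON{"


def decode_hex_fragments(line: str) -> bytes:
    """Join every hex run on the line and decode it. Glue such as "+" or "-" is
    skipped because it never matches HEX_RUN; the zero-filled UUID tail decodes
    to NUL bytes, which are stripped. Only meant for lines already suspected to
    be hex, since ordinary words can contain hex-looking runs like 'be'."""
    hexstr = "".join(HEX_RUN.findall(line))
    if len(hexstr) % 2:
        hexstr = hexstr[:-1]
    return bytes.fromhex(hexstr).rstrip(b"\x00")


def unique_lines(files: dict) -> dict:
    """Per file, the lines that appear in no other file (the grep comparison)."""
    counts = Counter()
    for text in files.values():
        for line in set(text.splitlines()):
            counts[line] += 1
    return {name: [line for line in text.splitlines() if counts[line] == 1]
            for name, text in files.items()}


def recover_flag(files: dict):
    """First unique line that hex-decodes to something flag-shaped."""
    for name, lines in unique_lines(files).items():
        for line in lines:
            decoded = decode_hex_fragments(line)
            if decoded.startswith(FLAG_PREFIX):
                return name, decoded.decode("ascii")
    return None


# Constructed stand-in for the extracted archive: shared filler, a decoy, and the
# file with the odd line from the writeup.
SAMPLE_FILES = {
    "QuestCON/notes.txt": "Arr, matey\nDead men tell no tales\n",
    "QuestCON/decoy.txt": "Arr, matey\nFLAG{nope_this_is_the_troll}\nDead men tell no tales\n",
    "QuestCON/cc53495bb42e4f6563b68cdbdd5e4c2a9119b498b488f53c0f281d751a368f19":
        'Arr, matey\n'
        '5155455354434f4e7b426c34636b42333472645f4d616c773472335f50697234"+"7433737d-0000-0000-000000000000\n'
        'Dead men tell no tales\n',
}

if __name__ == "__main__":
    print(recover_flag(SAMPLE_FILES))
```

The decoy still shows up in unique_lines() (it is unique too), which is why the final filter is "decodes to the flag format", not "is unique".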

Pirate's Port Paradox

The challenge gives the port values, and from there it's easy maths.

Crypto

Riddle of the Hidden Scrolls

challenge name: Riddle of the Hidden Scrolls
flag : QUESTCON{D34d_M3n_T3ll_No_T4l3s}

Sparrow's Cryptographic Treasure

Basic RSA question

solution:

challenge name: Sparrow's Cryptographic Treasure
flag: QUESTCON{1_HaT3_RS1}
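The writeup does not reproduce the challenge's parameters, so as an added example (not the author's solution) here is the textbook "basic RSA" recovery in Python with constructed toy values: factor a small n by trial division, derive d from phi(n), and decrypt. P, Q, E and the plaintext are made up for the demo; a real 2048-bit modulus cannot be factored this way, which is the whole point of the challenge being "basic".

```python
import math

def factor_trial(n: int):
    """Smallest factor by trial division. Fine for a toy modulus, hopeless
    for real key sizes; CTF 'basic RSA' usually means n is this small or
    p and q are otherwise recoverable."""
    if n % 2 == 0:
        return 2, n // 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("no small factor found")


def rsa_private_exponent(p: int, q: int, e: int) -> int:
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e is not invertible mod phi(n)")
    return pow(e, -1, phi)          # modular inverse, Python 3.8+


def recover_plaintext(n: int, e: int, c: int) -> bytes:
    """Factor n, build the private key, decrypt c, return the message bytes."""
    p, q = factor_trial(n)
    d = rsa_private_exponent(p, q, e)
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Constructed parameters (not the challenge's): two known primes near 10^6.
P, Q = 999983, 1000003
N = P * Q
E = 65537
M = int.from_bytes(b"RSA!", "big")   # must be < N
C = pow(M, E, N)                      # what the challenge would hand you

if __name__ == "__main__":
    print(recover_plaintext(N, E, C))
```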

Forensics

Island of Hidden Bounty

The trailing bytes of the hex dump contain a link: https://hiddenbounty.netlify.app/

I clicked the blue "Read the treasure map" link. The page source:

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Pirate's Cove</title>
    <link rel="stylesheet" href="style.css" />
  </head>
  <body>
    <div class="container">
      <div class="pirate">
        <img src="pirate.gif" alt="Animated Pirate" />
      </div>
      <div class="quote">
        <blockquote>
          "X marks the spot where the treasure lies, follow the path hidden in
          the skies."
        </blockquote>
        <a href="#" onclick="alert('Not so easy!')">Read the treasure map</a>
      </div>
    </div>
    <script src="script.js"></script>
  </body>
</html>

I went through script.js too, but it is a red herring: all it does is move the pirate GIF to a random position on load and on resize.

// Function to generate a random integer within a specified range
function getRandomInt(min, max) {
  return Math.floor(Math.random() * (max - min + 1)) + min;
}

// Function to create a random pirate position on the screen
function setRandomPiratePosition() {
  const pirate = document.getElementById("pirate");
  const screenWidth = window.innerWidth;
  const screenHeight = window.innerHeight;

  const randomX = getRandomInt(0, screenWidth - 100);
  const randomY = getRandomInt(0, screenHeight - 100);

  pirate.style.left = randomX + "px";
  pirate.style.top = randomY + "px";
}

// Initialize pirate position on load and add event listener to reposition the pirate on window resize
window.addEventListener("load", setRandomPiratePosition);
window.addEventListener("resize", setRandomPiratePosition);

So back to basics: the site's robots.txt contains something useful, a new directory, and that is where the flag is.

challenge name: Island of Hidden Bounty
flag: QUESTCON{X_M4rk5Th3Digit4lTr34sur3}
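Added example (not from the original writeup): the two recon steps of this challenge in Python, pulling URLs out of trailing bytes the way strings | grep http would, and parsing robots.txt for its Disallow entries, which in a CTF is the list of directories to visit next. The blob and the robots.txt content are constructed; the hiddenbounty URL is the one from the challenge, the paths are made up.

```python
import re

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def urls_in_blob(blob: bytes) -> list:
    """URLs embedded anywhere in a binary, e.g. appended after a PNG's IEND."""
    return [m.group(0).decode("ascii") for m in URL_RE.finditer(blob)]


def parse_robots(text: str) -> dict:
    """robots.txt directives we care about, comments stripped."""
    out = {"disallow": [], "allow": [], "sitemap": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        key = key.lower()
        if key in out and value:
            out[key].append(value)
    return out


def next_targets(base_url: str, robots_text: str) -> list:
    """Absolute URLs for every Disallow path: the owner told us what to look at."""
    base = base_url.rstrip("/")
    return [base + path for path in parse_robots(robots_text)["disallow"]]


# Constructed sample: junk bytes standing in for the image, URL appended at the end.
SAMPLE_BLOB = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) + b"IEND\xaeB`\x82" + \
              b"https://hiddenbounty.netlify.app/\n"

# Constructed robots.txt; the real directory name is not given in the writeup.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/          # standard noise
Disallow: /treasure-map/
Allow: /
Sitemap: https://hiddenbounty.netlify.app/sitemap.xml
"""

if __name__ == "__main__":
    for url in urls_in_blob(SAMPLE_BLOB):
        print("link in file:", url)
        for target in next_targets(url, SAMPLE_ROBOTS):
            print("try:", target)
```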

Isla de Muerta's Secrets

The download contains PCAP files.

The protocol hierarchy shows HTTP traffic, so I looked into that first.

We need the local address of the intruder. The HTTP conversation is between two IPs, and the intruder has to be one of them; the POST request below carries an X-User: Attacker header, so the source address of that request is the one we want.

POST / HTTP/1.1
Host: darkweb-pirates.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.google.com/
Connection: close
Cookie: _gcl_au=1.1.110235367.1692289103; _ga_LSTPX0X820=GS1.1.1698081501.7.0.1698081501.60.0.0; _ga=GA1.2.1757389618.1692289104; _ga_Y33X5YZFHF=GS1.1.1696522521.1.1.1696522598.0.0.0; _gid=GA1.2.764025055.1698081504
Upgrade-Insecure-Requests: 1
X-User: Attacker
X-Hackerone: loser31014
Content-Type: application/x-www-form-urlencoded
Content-Length: 104

Discover the clandestine chest's whereabouts on Isla de Muerta.
30.089251341863626, -114.54361624717956

HTTP/1.1 200 OK
Date: Mon, 23 Oct 2023 17:20:30 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Last-Modified: Sat, 10 Oct 2020 19:37:25 GMT
Accept-Ranges: bytes
Content-Length: 163
Vary: Accept-Encoding
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
Content-Type: text/html

<html><head><META HTTP-EQUIV="Cache-control" CONTENT="no-cache"><META HTTP-EQUIV="refresh" CONTENT="0;URL=/cgi-sys/defaultwebpage.cgi"></head><body></body></html>

challenge name: Isla de Muerta's Secrets
flag: QUESTCON{192.168.0.129}
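Added example, not from the original writeup: a dependency-free Python reader for classic libpcap files that walks Ethernet/IPv4/TCP, picks out HTTP requests, and returns the source addresses of those carrying a given marker header (here X-User: Attacker), which is the question this challenge asks. The capture is constructed inside the block with zeroed checksums; the server address 203.0.113.10 and the second client are made up, and the request headers mirror the ones shown above.

```python
import struct
from ipaddress import IPv4Address

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")


def _frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame; checksums left zero (synthetic capture)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Classic libpcap: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1698081630 + i, 0, len(frame), len(frame)) + frame
    return out


def tcp_payloads(pcap):
    """Yield (src_ip, dst_ip, tcp_payload) for every IPv4/TCP frame."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap file")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                      # not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = 14 + ihl
        data = tcp + (frame[tcp + 12] >> 4) * 4
        yield str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34])), frame[data:]


def http_requests(pcap):
    """(src, dst, request line, lower-cased header dict) for each HTTP request."""
    for src, dst, payload in tcp_payloads(pcap):
        if not payload.startswith(HTTP_METHODS):
            continue
        head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        headers = {}
        for line in head[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        yield src, dst, head[0], headers


def find_intruder(pcap, header="x-user", value="attacker"):
    """Source addresses of requests whose marker header carries the given value."""
    return sorted({src for src, _, _, h in http_requests(pcap)
                   if h.get(header, "").lower() == value})


# Constructed capture mirroring the exchange in the writeup.
REQUEST = (b"POST / HTTP/1.1\r\nHost: darkweb-pirates.com\r\nX-User: Attacker\r\n"
           b"X-Hackerone: loser31014\r\nContent-Type: application/x-www-form-urlencoded\r\n"
           b"Content-Length: 5\r\n\r\nhello")
RESPONSE = b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n"
SAMPLE_PCAP = build_pcap([
    _frame("192.168.0.129", "203.0.113.10", 51422, 80, REQUEST),
    _frame("203.0.113.10", "192.168.0.129", 80, 51422, RESPONSE),
    _frame("192.168.0.7", "203.0.113.10", 40000, 80,
           b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),   # bystander
])

if __name__ == "__main__":
    print(find_intruder(SAMPLE_PCAP))
```

The same filter in Wireshark is `http.request and http.header contains "X-User"`; the script is for when you want the answer out of a pipeline rather than a GUI. It assumes Ethernet link type and the little-endian magic; pcapng files need a different reader.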

Head Jack Sparrow

I used HxD on Windows to view the hex dump, and the header looked off.

The header is damaged, so I opened another PNG and copied its magic bytes over, as they say 🤩

These were the changed bytes, and boom! We have an image...

Challenge name: Head Jack Sparrow

flag:
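Added example (not the author's tooling): the HxD fix as Python. repair_png_header() overwrites the first eight bytes with the PNG signature and then checks the IHDR chunk's CRC, so you learn whether the damage stopped at the magic bytes or continued into the header. The 1x1 PNG and its damaged copy are constructed in the block.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(ctype: bytes, data: bytes) -> bytes:
    """length | type | data | CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def tiny_png() -> bytes:
    """Constructed 1x1 RGB PNG used as the sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, truecolour
    raw = b"\x00" + b"\xff\x00\x00"                       # filter byte + one red pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def walk_chunks(data: bytes):
    """Yield (type, crc_ok) for each chunk after the 8-byte signature."""
    off = 8
    while off + 12 <= len(data):
        length, = struct.unpack_from(">I", data, off)
        if off + 12 + length > len(data):
            break                                    # truncated or bogus length
        ctype = data[off + 4: off + 8]
        body = data[off + 8: off + 8 + length]
        crc, = struct.unpack_from(">I", data, off + 8 + length)
        yield ctype.decode("latin-1"), (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        off += 12 + length
        if ctype == b"IEND":
            break


def repair_png_header(data: bytes) -> bytes:
    """Restore the magic bytes, then insist IHDR is the first chunk and its CRC
    matches; otherwise the corruption reaches past the signature and copying
    eight bytes from another PNG is not enough."""
    fixed = PNG_SIG + data[8:]
    chunks = list(walk_chunks(fixed))
    if not chunks or chunks[0] != ("IHDR", True):
        raise ValueError("IHDR missing or corrupt: damage extends past the signature")
    return fixed


# Constructed damaged file: signature overwritten, rest intact.
DAMAGED = b"XXXXXXXX" + tiny_png()[8:]

if __name__ == "__main__":
    print([t for t, ok in walk_chunks(repair_png_header(DAMAGED))])
```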

Web

Pirate's Hidden Treasure

Burp Suite is an intercepting proxy, and I used it here. I intercepted a GET request that carried the cookie user=barbossa and sent it to Repeater for further investigation.

The server decides whether you are using the "pirate browser" from the User-Agent header, so I set it to pirate.

Next it asks where the request is coming from, which is exactly what the Referer header says.

The last part was strange: the cookie already said user=barbossa, yet the server asked us to prove our identity. One of my teammates suggested re-reading the description, and after a while we came across this line:

" for only those with the heart of a true pirate, much like Captain Jack"

So we changed the user cookie to Jack Sparrow instead.

challenge name: Pirate's Hidden Treasure
flag : QUESTCON{Thr33_k33p_a_s3cr3t_if_2_of_th3m_ar3_dead}
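Added example, not the challenge's server or the author's code: a constructed reproduction of the gate order observed here (User-Agent, then Referer, then the user cookie) as a pure function wrapped in a tiny local http.server, plus the Repeater session replayed with urllib. The Referer value and the cookie value accepted by the last gate (user=jack) are assumptions, since the writeup does not give them. The point is that every one of these headers is attacker-controlled, so none of them is authentication.

```python
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import Request, urlopen

REQUIRED_UA = "pirate"
REQUIRED_REFERER = "https://pirates.example/"   # assumed, not from the writeup
REQUIRED_USER = "jack"                            # assumed, not from the writeup


def gate(headers: dict) -> str:
    """Gate order as observed in Repeater. Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    cookies = SimpleCookie(h.get("cookie", ""))
    user = cookies["user"].value if "user" in cookies else ""
    if h.get("user-agent") != REQUIRED_UA:
        return "Only pirate browsers may pass."
    if h.get("referer") != REQUIRED_REFERER:
        return "Where did you come from?"
    if user != REQUIRED_USER:
        return "Prove your identity."
    return "FLAG{constructed_demo_flag}"      # placeholder, not the challenge flag


class GateHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = gate(dict(self.headers.items())).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):       # keep the demo quiet
        pass


# The Repeater session: one forged header added per step.
GATE_STEPS = [
    {},
    {"User-Agent": REQUIRED_UA},
    {"User-Agent": REQUIRED_UA, "Referer": REQUIRED_REFERER},
    {"User-Agent": REQUIRED_UA, "Referer": REQUIRED_REFERER, "Cookie": "user=barbossa"},
    {"User-Agent": REQUIRED_UA, "Referer": REQUIRED_REFERER, "Cookie": f"user={REQUIRED_USER}"},
]


def fetch(url: str, headers: dict) -> str:
    with urlopen(Request(url, headers=headers), timeout=5) as r:
        return r.read().decode()


def run_demo() -> list:
    """Start the gate server on a free loopback port, replay GATE_STEPS, return the replies."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), GateHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{server.server_address[1]}/"
        return [fetch(base, h) for h in GATE_STEPS]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for step, reply in zip(GATE_STEPS, run_demo()):
        print(sorted(step), "->", reply)
```

Note that the empty first step still fails the User-Agent check because urllib sends its own default User-Agent; nothing here ever verifies who the client is, which is what a server relying on these headers for access control gets wrong.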

Cursed Treasure

Went through the source code of the page using "CTRL+ U"

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Pirate's Map</title>
  <link rel="stylesheet" href="styles.css">
</head>
<body>
    <div class="background" ></div>
    <div class="head">Find the Cursed Treasure!</div>
  <div class="ship">
    <a href="maps.php?id=e25388fde8290dc286a6164fa2d97e551b53498dcbf7bc378eb1f178" class="card card1">MAP 1</a>
    <a href="maps.php?id=58b2aaa0bfae7acc021b3260e941117b529b2e69de878fd7d45c61a9" class="card card2">MAP 2</a>
    <a href="maps.php?id=271f93f45e9b4067327ed5c8cd30a034730aaace4382803c3e1d6c2f" class="card card3">MAP 3</a>
  </div>
  <script src="script.js"></script>
</body>
</html>

The IDs in those links looked fishy; I was sure this would be an IDOR. CrackStation identified the hashes as plain SHA-224 of the numeric IDs:
e25388fde8290dc286a6164fa2d97e551b53498dcbf7bc378eb1f178 -> 1
58b2aaa0bfae7acc021b3260e941117b529b2e69de878fd7d45c61a9 -> 2
271f93f45e9b4067327ed5c8cd30a034730aaace4382803c3e1d6c2f -> 4
MAP 3 was missing from the source, so I computed the SHA-224 of "3" and requested maps.php with that id.

That page then asked for a user name, which was Barbossa.

Challenge name: Cursed Treasure
Flag:QUESTCON{Th3_Pir4t3s_0f_Th3_Car1bb34n_Arr_Th3_B3st!}
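Added example (not from the original writeup): the CrackStation step in Python. identify_hashes() brute-forces SHA-224 of small integers against the three digests from the page, missing_ids() finds the gap, and forge_links() builds the maps.php?id= URL for it. The 100000 upper bound is an arbitrary choice for the demo.

```python
import hashlib
from typing import Optional


def hash_id(n: int) -> str:
    """The scheme the page uses: unsalted SHA-224 over the decimal id."""
    return hashlib.sha224(str(n).encode()).hexdigest()


def identify_hashes(digests: list, limit: int = 100_000) -> dict:
    """Map each digest back to its integer id (None if not found). An unsalted
    hash of a small integer is just an encoding: one table lookup undoes it."""
    table = {hash_id(n): n for n in range(limit)}
    return {d: table.get(d.lower()) for d in digests}


def missing_ids(digests: list, limit: int = 100_000) -> list:
    """Ids inside the observed range that no link on the page exposes."""
    found = sorted(n for n in identify_hashes(digests, limit).values() if n is not None)
    return [n for n in range(found[0], found[-1] + 1) if n not in found]


def forge_links(ids, template: str = "maps.php?id={}") -> list:
    return [template.format(hash_id(n)) for n in ids]


# The three ids exposed in the page source.
PAGE_IDS = [
    "e25388fde8290dc286a6164fa2d97e551b53498dcbf7bc378eb1f178",
    "58b2aaa0bfae7acc021b3260e941117b529b2e69de878fd7d45c61a9",
    "271f93f45e9b4067327ed5c8cd30a034730aaace4382803c3e1d6c2f",
]

if __name__ == "__main__":
    print(identify_hashes(PAGE_IDS))
    print(forge_links(missing_ids(PAGE_IDS)))
```

Hashing a sequential id does not make it an authorization token; the fix on the server side is an ownership check on maps.php, or an unpredictable identifier, not a different hash.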

Web Explorer's Journey

source code of the page:

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Web Explorer's Journey</title>
    <link rel="stylesheet" href="./styles.css" />
  </head>
  <body>
    <h1>
      Pirates are warming up for the next adventure. Can you find the flag!!!
    </h1>
    <div class="container">
      Your flag is:
      <div id="flag">
        81856983846779781238751669551888076488251829549839552875183487751125
      </div>
      <div class="displaynone">
        NOTE: Flag contains only capial letters, numbers and curly brackets.
      </div>
    </div>
    <script src="script.js"></script>
  </body>
</html>

script.js code was ..

let flag = "flag{Test_Flag}";
let encryptedFlag = "";
function encodeFlag() {
  for (let i = 0; i < flag.length; i++) {
    encryptedFlag += flag.charCodeAt(i);
  }
}
encodeFlag();
document.getElementById("flag").innerHTML = encryptedFlag;

One of my teammates did this by hand. His thought process:
1. Split the number from the left: take two digits; if that value is below 32 (ASCII space, the first printable character), take three digits instead.
2. Map each code to its ASCII character.

81 85 69 83 84 67 79 78 123 87 51 66 95 51 88 80 76 48 82 51 82 95 49 83 95 52 87 51 83 48 77 51 125

Challenge name: Web Explorer Journey

flag: QUESTCON{W3B_3XPL0R3R_1S_4W3S0M3}
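Added example, not the teammate's code: decode_greedy() is his rule in Python; decode_all() is the general backtracking decoder restricted to the allowed alphabet, which shows that the greedy split is the only valid segmentation of this string (the alphabet includes "_", which the page's hint leaves out but the flag uses). The encoded string is the one from the page.

```python
FLAG_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{}_")


def decode_greedy(digits: str) -> str:
    """Two digits at a time; below 32 (ASCII space) means it must be a 3-digit code."""
    out, i = [], 0
    while i < len(digits):
        code, width = int(digits[i:i + 2]), 2
        if code < 32:
            code, width = int(digits[i:i + 3]), 3
        out.append(chr(code))
        i += width
    return "".join(out)


def decode_all(digits: str, alphabet=FLAG_ALPHABET) -> list:
    """Every segmentation into 2- or 3-digit codes whose characters all lie in
    the alphabet. More than one result means the greedy rule was a guess."""
    results = []

    def go(i, acc):
        if i == len(digits):
            results.append("".join(acc))
            return
        for width in (2, 3):
            if i + width <= len(digits):
                ch = chr(int(digits[i:i + width]))
                if ch in alphabet:
                    go(i + width, acc + [ch])

    go(0, [])
    return results


ENCODED = "81856983846779781238751669551888076488251829549839552875183487751125"

if __name__ == "__main__":
    print(decode_greedy(ENCODED))
    print(decode_all(ENCODED))
```

For this alphabet the split is never ambiguous: a 3-digit code must start with "1" (100 to 125), and no 2-digit code starting with "1" (10 to 19) is printable, so each position forces its width. With lowercase letters allowed the same scheme would be ambiguous, and decode_all() would list every reading.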

Stego

Mystery

The description talks about passwords; if you have done stego before, you read that as the admin hinting at steghide with an empty passphrase.

This is the image. I started by looking at its metadata with exiftool:

Image Unique ID : UVVFU1RDT057TXk1dDNyeV8xc180dzNzMG1lIX0=

That looks like base64, and decoding it gives the flag.

Challenge name: Mystery

flag: QUESTCON{My5t3ry_1s_4w3s0me!}

Mystery 2.0

Seeing a PNG, the first tool that comes to mind is zsteg, which enumerates the LSB planes of the image.

Challenge name: Mystery 2.0
flag: QUESTCON{P1raT3s_Ar3_M7s!3rY}
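Added example (not from the original writeup): the 1-bit LSB channel embedding that tools like zsteg enumerate, in Python on a raw channel-byte buffer, with the extraction side that recovers it. The cover buffer is constructed; the message embedded into it is the flag above. A real PNG would first need decoding to raw RGB bytes (zsteg does that for you), which is left out here so the block runs stand-alone.

```python
import re

FLAG_RE = re.compile(rb"QUESTCON\{[^}]*\}")


def lsb_embed(pixels: bytes, message: bytes) -> bytes:
    """Write message bits (MSB first) into the least significant bit of each
    channel byte, followed by a 0x00 terminator. Each byte changes by at most 1."""
    payload = message + b"\x00"
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover too small for message")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def lsb_extract(pixels: bytes, max_bytes: int = 4096) -> bytes:
    """Read the LSB plane back into bytes until a NUL terminator."""
    out = bytearray()
    for i in range(0, len(pixels) - 7, 8):
        byte = 0
        for k in range(8):
            byte = (byte << 1) | (pixels[i + k] & 1)
        if byte == 0 or len(out) >= max_bytes:
            break
        out.append(byte)
    return bytes(out)


def find_flag(pixels: bytes):
    """What you actually look for in zsteg output: a flag-shaped string in a plane."""
    m = FLAG_RE.search(lsb_extract(pixels))
    return m.group(0).decode() if m else None


# Constructed cover: 300 RGB pixels of deterministic noise.
COVER = bytes((i * 37 + (i >> 3)) & 0xFF for i in range(900))
MESSAGE = b"QUESTCON{P1raT3s_Ar3_M7s!3rY}"
STEGO = lsb_embed(COVER, MESSAGE)

if __name__ == "__main__":
    print(find_flag(STEGO))
    print(sum(a != b for a, b in zip(COVER, STEGO)), "bytes changed")
```

The visual change is invisible (every channel value moves by at most one), which is why LSB data is found by reading the plane, not by looking at the picture; zsteg also tries MSB-first, other channel orders and row orders, so when the first plane is empty keep going through its list.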

Standing

Author Details:

Author: Yash Somalkar from IIT(BHU)Varanasi
Linkedin: https://www.linkedin.com/in/yash-somalkar-337957227/
CTFtime: https://ctftime.org/user/132028

Team Details:

Team Name : IIT(BHU)CyberSec
CTFtime: https://ctftime.org/team/22546
