# QUESTCON CTF Writeup

## Misc

### Guidelines of the Caribbean

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698560343549/1ea13439-873b-4f03-b166-caf06e66ff86.png align="center")

```xml
  </li>
  <li>🤫 Thanks for reading rules, your flag: REDACTED.<span style="display: none">QUESTCON{C0d3Break3r_Rul35_Expl0r3r}</span>
</ul>
</p>
  </div>
```

> Line number 233 in the source code of the page in the rules directory.  
> challenge name: Guidelines of the Caribbean  
> Flag : `QUESTCON{C0d3Break3r_Rul35_Expl0r3r}`

### Hexa Pirate's Code

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698562136770/4ba3c96c-0464-4da0-a13e-5476dc97113a.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698562169283/c1fca5dd-6286-40ab-806d-46863867739c.png align="center")

this is the message I got when I tried to download it normally T\_T.  
so I spun up my VM.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698562281670/df8a2338-e2c1-475a-9dca-959fab3d9a11.png align="center")

so I used my cli tool wget.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698562408841/68d393a4-f8d5-406a-bf3c-82526aec6e57.png align="center")

It was a zip file with a QuestCON folder.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698562489410/4dac69b9-b015-4ecc-b513-9139c6fc9714.png align="center")

Used file command to check the file type of files.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698562581882/7127792b-6ae2-4aa8-b69a-0a42303b45b4.png align="center")

I noticed some ambiguity in the names of one such file it was pure luck tbh xd.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698562739304/9f74beed-e562-49e4-b9df-187a368e13c8.png align="center")

there was another file to troll and I got trolled 🥹

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698562798109/4701eb7c-d8e8-4208-899f-e326b2309ab5.png align="center")

it was a red herring and a fake flag.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698563351683/eac9f714-d406-4fae-9706-9d9dcb7135ad.png align="center")

got this line of code different in this file **cc53495bb42e4f6563b68cdbdd5e4c2a9119b498b488f53c0f281d751a368f19**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698563445988/7dd1ec92-bbdb-43d2-89fb-6185498b5aa1.png align="center")

`5155455354434f4e7b426c34636b42333472645f4d616c773472335f50697234"+"7433737d-0000-0000-000000000000`  
got this weird text which was unique from other files and wasn't present in any other I checked using grep.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698569054088/53145e12-4353-4000-934c-4aad3065d244.png align="center")

> challenge name: Hexa Pirate's code  
> flag : `QUESTCON{Bl4ckB34rd_Malw4r3_Pir4t3s}`

## **Pirate's Port Paradox**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698569174521/7d7ccdd2-9dd8-4ca8-bd58-bd56a0c5b1c9.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698569400076/61804656-cd8f-4493-8603-2de22cfd66ae.png align="center")

these are the values of ports and then it's easy maths.

## Crypto

## **Riddle of the Hidden Scrolls**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698569497801/b63cefe3-f2c2-4710-b36b-466c6c3f43b7.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698569563853/990dd5a4-bb32-4e3d-afc9-6daba28257b9.png align="center")

> challenge name: **Riddle of the Hidden Scrolls**  
> **flag :** `QUESTCON{D34d_M3n_T3ll_No_T4l3s}`

## **Sparrow's Cryptographic Treasure**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698569647983/e20f1caf-6fa2-46fe-8c90-78d25d890ac5.png align="center")

Basic RSA question

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698569696042/e0b53f18-643f-4236-86e0-c3f0e3b55a4b.png align="center")

solution:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698569730510/88341346-7d60-4f9d-9b87-ba59b1d72185.png align="center")

> challenge name: **Sparrow's Cryptographic Treasure**  
> flag: `QUESTCON{1_HaT3_RS1}`

## Forensics

## **Island of Hidden Bounty**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698569855212/2f7861a6-09ff-4949-bef0-d70837f63414.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698569958142/8c3828b1-90a3-4a2b-8a42-cc826d19d343.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698570008832/eb89c847-90ae-4bdd-9d70-f8928aa79991.png align="center")

trailing hex dump contains a link: [https://hiddenbounty.netlify.app/](https://hiddenbounty.netlify.app/)

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698570129580/fae19682-1ef5-4975-be00-8cdc14eae06e.png align="center")

I clicked the blue Read the **treasure map**.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698570175258/01f60ea4-d67d-4564-a9be-f211245c5bd5.png align="center")

```xml
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Pirate's Cove</title>
    <link rel="stylesheet" href="style.css" />
  </head>
  <body>
    <div class="container">
      <div class="pirate">
        <img src="pirate.gif" alt="Animated Pirate" />
      </div>
      <div class="quote">
        <blockquote>
          "X marks the spot where the treasure lies, follow the path hidden in
          the skies."
        </blockquote>
        <a href="#" onclick="alert('Not so easy!')">Read the treasure map</a>
      </div>
    </div>
    <script src="script.js"></script>
  </body>
</html>
```

Tried going through script.js...

seems red herring...

```javascript
// Function to generate a random integer within a specified range
function getRandomInt(min, max) {
  return Math.floor(Math.random() * (max - min + 1)) + min;
}

// Function to create a random pirate position on the screen
function setRandomPiratePosition() {
  const pirate = document.getElementById("pirate");
  const screenWidth = window.innerWidth;
  const screenHeight = window.innerHeight;

  const randomX = getRandomInt(0, screenWidth - 100);
  const randomY = getRandomInt(0, screenHeight - 100);

  pirate.style.left = randomX + "px";
  pirate.style.top = randomY + "px";
}

// Initialize pirate position on load and add event listener to reposition the pirate on window resize
window.addEventListener("load", setRandomPiratePosition);
window.addEventListener("resize", setRandomPiratePosition);
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698570383133/58f0fca8-1b71-44e0-a55b-646130966e44.png align="center")

So back to basics robots.txt directory of the website contains something useful.  
new directory.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698570443767/7f644187-26f7-491d-aeed-415a34002ee1.png align="center")

> challenge name: **Island of Hidden Bounty**  
> **flag:** `QUESTCON{X_M4rk5Th3Digit4lTr34sur3}`

## **Isla de Muerta's Secrets**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698570601975/5c9c38f8-5270-4bae-8c1f-cd4e2530c2b3.png align="center")

contains PCAP files.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698570660145/9990ccf6-03a3-4f1c-9e4e-091bae3c3144.png align="center")

Protocol hierarchy shows it has HTTP traffic.  
so tried to look into it.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698570759221/38f1d0f2-6fb4-4018-a85a-7a37ea888466.png align="center")

So we need to find the local address of the Intruder.  
We can see that the convo is happening between two IPs. Intruder is definitely among those two.

```http
POST / HTTP/1.1
Host: darkweb-pirates.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.google.com/
Connection: close
Cookie: _gcl_au=1.1.110235367.1692289103; _ga_LSTPX0X820=GS1.1.1698081501.7.0.1698081501.60.0.0; _ga=GA1.2.1757389618.1692289104; _ga_Y33X5YZFHF=GS1.1.1696522521.1.1.1696522598.0.0.0; _gid=GA1.2.764025055.1698081504
Upgrade-Insecure-Requests: 1
X-User: Attacker
X-Hackerone: loser31014
Content-Type: application/x-www-form-urlencoded
Content-Length: 104

Discover the clandestine chest's whereabouts on Isla de Muerta.
30.089251341863626, -114.54361624717956
HTTP/1.1 200 OK
Date: Mon, 23 Oct 2023 17:20:30 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Last-Modified: Sat, 10 Oct 2020 19:37:25 GMT
Accept-Ranges: bytes
Content-Length: 163
Vary: Accept-Encoding
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
Content-Type: text/html

<html><head><META HTTP-EQUIV="Cache-control" CONTENT="no-cache"><META HTTP-EQUIV="refresh" CONTENT="0;URL=/cgi-sys/defaultwebpage.cgi"></head><body></body></html>
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698571102524/94e3dd0f-017a-4319-aa00-5adfbee0982e.png align="center")

> challenge name: **Isla de Muerta's Secrets**  
> **flag:** QUESTCON{192.168.0.129}

### Head Jack Sparrow

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698571294004/2fa5d57c-bd60-4afd-b6b3-d0f04f483b90.png align="center")

I used the HXD tool on Windows to view its hex dump. it seems off.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698571448513/e165ef89-b63c-4e98-be6b-6beff503d2ca.png align="center")

The **head** is damaged. So I spun up another PNG and copied the **Magic bytes** as they say 🤩

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698571568885/0cbf1e1b-d37f-4188-b4c4-85a2f642c223.png align="center")

These were the changed bytes.  
and Boom! we have an Image...

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698571636322/aa30ae23-c110-4287-8ff3-929705c8199b.png align="center")

> Challenge name: Head Jack Sparrow
> 
> flag:
> 
> ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698571741590/80a8020f-298a-4db4-b4ac-99a590557d8d.png align="center")

## Web

## **Pirate's Hidden Treasure**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698571973963/748ddead-1ffc-4528-bc13-1924dedb433b.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698572048546/b2218410-94d5-45f4-a155-f58d7dc576af.png align="center")

Burp Suite is a proxy tool. I used it here...  
Here I intercepted a GET request that contained Cookie `user=barbossa` .  
Now I am sending it to Repeater for further Investigation.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698572212292/bc1cbbd9-4db9-41b5-85d3-413afef44409.png align="center")

The pirate browser is interpreted by the server through User-Agent so I set it to `pirate`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698572350897/4375a142-3f7a-41ae-a4c7-6be90e877c94.png align="center")

it's kinda of asking where this request is coming from which completely replicates te functionality of `referer` header.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698572511371/7fcd2e2a-943f-4783-8d61-2527395a2652.png align="center")

now this Part was very weird to be asked. Since the cookie of the user was already set to barbossa it says to prove the Identity. Then One of my teammates thought may go through the description again. After a while, we came across this line :

" for only those with the heart of a true pirate, much like Captain Jack"

Then we thought maybe change the user to Jack Sparrow.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698572681562/930623f9-adeb-48af-8c7d-3940808a19f2.png align="center")

> challenge name: **Pirate's Hidden Treasure**  
> flag : `QUESTCON{Thr33_k33p_a_s3cr3t_if_2_of_th3m_ar3_dead}`

### Cursed Treasure

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698572788842/84424622-b412-4cfe-9b91-7b091c283933.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698572860881/cfae915b-bdd7-4eb3-b3ea-21dab18f5002.png align="center")

Went through the source code of the page using "CTRL+ U"

```xml
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Pirate's Map</title>
  <link rel="stylesheet" href="styles.css">
</head>
<body>
    <div class="background" ></div>
    <div class="head">Find the Cursed Treasure!</div>
  <div class="ship">
    <a href="maps.php?id=e25388fde8290dc286a6164fa2d97e551b53498dcbf7bc378eb1f178" class="card card1">MAP 1</a>
    <a href="maps.php?id=58b2aaa0bfae7acc021b3260e941117b529b2e69de878fd7d45c61a9" class="card card2">MAP 2</a>
    <a href="maps.php?id=271f93f45e9b4067327ed5c8cd30a034730aaace4382803c3e1d6c2f" class="card card3">MAP 3</a>
  </div>
  <script src="script.js"></script>
</body>
</html>
```

IDs mentioned were fishy. I knew it would be an ***IDOR***  
crack station to crack those hashes  
found out that :  
e25388fde8290dc286a6164fa2d97e551b53498dcbf7bc378eb1f178 -&gt; 1  
58b2aaa0bfae7acc021b3260e941117b529b2e69de878fd7d45c61a9-&gt; 2  
271f93f45e9b4067327ed5c8cd30a034730aaace4382803c3e1d6c2f-&gt; 4  
3 was missing on the source.  
so made the sha224 of 3.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698573189171/ff5549a1-b454-441c-bea9-f02a86d26952.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698573220395/f3e73d06-4a5e-432b-aa20-5eb71ef0fcd7.png align="center")

now it asked for the user name. Which was **Barbossa**.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698573272176/53f1b3ca-d624-4399-a325-8a5c5243f1b4.png align="center")

> Challenge name: Cursed Treasure  
> Flag:`QUESTCON{Th3_Pir4t3s_0f_Th3_Car1bb34n_Arr_Th3_B3st!}`

### Web Explorers Journey :

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698573594338/d6ee1657-ec04-47cc-ba71-1a3c44640876.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698573647216/34e6842f-eec6-46c0-93a1-08743ef3906a.png align="center")

source code of the page:

```xml
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Web Explorer's Journey</title>
    <link rel="stylesheet" href="./styles.css" />
  </head>
  <body>
    <h1>
      Pirates are warming up for the next adventure. Can you find the flag!!!
    </h1>
    <div class="container">
      Your flag is:
      <div id="flag">
        81856983846779781238751669551888076488251829549839552875183487751125
      </div>
      <div class="displaynone">
        NOTE: Flag contains only capial letters, numbers and curly brackets.
      </div>
    </div>
    <script src="script.js"></script>
  </body>
</html>
```

script.js code was ..

```javascript
let flag = "flag{Test_Flag}";
let encryptedFlag = "";
function encodeFlag() {
  for (let i = 0; i < flag.length; i++) {
    encryptedFlag += flag.charCodeAt(i);
  }
}
encodeFlag();
document.getElementById("flag").innerHTML = encryptedFlag;
```

One of my Teammate did that manually:  
His thought process :  
1\. *Split the number in such a way that if the number is less than 32 after taking 2 characters then take 3 characters.*

*32 being ASCII space*

> `81 85 69 83 84 67 79 78 123 87 51 66 95 51 88 80 76 48 82 51 82 95 49 83 95 52 87 51 83 48 77 51 125`
> 
> Challenge name: Web Explorer Journey
> 
> flag: `QUESTCON{W3B_3XPL0R3R_1S_4W3S0M3}`

## Stego

### Mystery

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698574008783/64efae62-4c33-4149-8e70-bb42dc3377e6.png align="center")

Since the description is talking about passwords. If you have experience with the Stego you know the Admin is hinting here Stegohide with no password.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698574146119/c52f7dbb-73d6-4231-815b-5cb7f4e6bc1d.png align="center")

this is the image. Tried looking at its metadata using Exiftool.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698574167380/de8283e0-7045-40f8-a818-7d85c48e259f.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698574216142/8d866951-8cc4-4790-8d13-2308e467cb25.png align="center")

`Image Unique ID : UVVFU1RDT057TXk1dDNyeV8xc180dzNzMG1lIX0=`

this seems promising...

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698574282142/1ef45f54-8573-44dc-aa07-cf02ee45a4c5.png align="center")

> Challenge name: Mystery
> 
> flag: `QUESTCON{My5t3y_1s_4w3s0me!}`

### Mystery 2.0

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698575429096/34186894-9a7b-4e5e-a666-bd9160d41a25.png align="center")

Seeing a PNG the first tool comes in my mind is Zsted that displays LSBs.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698575437668/f8127f32-ee45-4727-bd19-06c6a5570331.png align="center")

> Challenge name: Mystery 2.0  
> flag: `QUESTCON{P1raT3s_Ar3_M7s!3rY}`

## Standing

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1698575555103/60a560ba-7562-42b8-bef1-5962c70e26e9.png align="center")

## Author Details:  

Author: Yash Somalkar from IIT(BHU)Varanasi  
Linkedin: [https://www.linkedin.com/in/yash-somalkar-337957227/](https://www.linkedin.com/in/yash-somalkar-337957227/)  
CTFtime: [https://ctftime.org/user/132028](https://ctftime.org/user/132028)  

## Team Details:

Team Name : IIT(BHU)CyberSec  
CTFtime: [https://ctftime.org/team/22546](https://ctftime.org/team/22546)
