Intigriti 1337UP CTF 2022



These are a few write ups from the 1337UP CTF hosted by [Intigriti]](https://www.intigriti.com). It was a 24 hour CTF so didn’t get as much time on it as I would have liked however it was still a lot of fun.

Mirage - Misc

The link for the ‘Mirage’ challenge was https://mirage.ctf.intigriti.io/. There were no additional files with this challenge. Looking at the website was just a static page with no working links.


I looked at /robots.txt and found a whole list of entries.


There are a few entires that lead no where and a some are trolls, the important ones are:

Disallow: /wordlists.txt
Disallow: /ok.txt

I used wget https://mirage.ctf.intigriti.io/wordlists.txt to download the wordlist to my machine. On /ok.txt is some text which includes ‘/uncclzrny.wct’ with a hint of using ROT.


I went over to CyberChef and used rot13 on the text. This provided the url ‘/happymeal.jpg’.


This led to another page ‘HelpMeOut.txt’.


This page provides a link to a download. Again using wget I download the zip file.


The zip is password protected.

└──╼ $unzip flag.zip 
Archive:  flag.zip
[flag.zip] flag.txt password: 
   skipping: flag.txt                incorrect password

I used zip2john to create a hash.

└──╼ $zip2john flag.zip > zip.john                                                                          
ver 1.0 efh 5455 efh 7875 flag.zip/flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=68, decmplen=56, crc=CC303849

Then use john to crack the hash with the word list downloaded earlier.

└──╼ $john --wordlist=wordlists.txt zip.john 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Soeasypeasy214   (flag.zip/flag.txt)
1g 0:00:00:00 DONE (2022-03-11 20:32) 100.0g/s 15500p/s 15500c/s 15500C/s ##this will help you later..violent
Use the "--show" option to display all of the cracked passwords reliably
Session completed
└──╼ $unzip flag.zip 
Archive:  flag.zip
[flag.zip] flag.txt password: 
 extracting: flag.txt                
└──╼ $cat flag.txt 

Traveler - Web

The link for the ‘Traveler’ challenge was https://traveller.ctf.intigriti.io/. There were no additional files with this challenge. Looking at the link its a travel agent based website.


Poking around the website I found a section to check availability.


I sent the request to Burp and started fuzzing the pack name field.


When submitting Single' an error was generated showing

An error occurred whilst executing: bash check.sh Couple’


It doesn’t appear to be verifying user input so I should be able to just append bash commands to the syntax so I tried Single&ls because of the special character I URL encoded it.


It worked, so getting the flag was simple using the payload pack=Single%26%63%61%74%20%2e%2e%2f%2e%2e%2f%2e%2e%2f%66%6c%61%67%2e%74%78%74&submit=Submit which is &cat ../../../flag.txt URL encoded.


Lovely Kitten Pictures 1 - Lovely Kitten Pictures

The link for the ‘Lovely Kitten Pictures 1’ challenge was https://lovelykittenpictures.ctf.intigriti.io/. No files were included as part of this challenge. Navigating to the website just showed a picture of a cat with an option to switch.


I sent the requests through Burp and saw a request to ‘/pictures.php?path=assets/1.jpg’. That looks it could be vulnerable to an LFI (Local File Inclusion).


I played around for a while trying the basics such as ../../../../flag.txt, ../../../../etc/passwd & etc but just got 404’s so decided to try ‘/pictures.php?path=pictures.php’ which if it worked would include the source code of the php file and I would be able to see how the request worked and it worked!


Reading the code it looks like any file other than .jpg would return the contents of flag1.txt I look at the headers and the flag was included1.

Thanks for reading!


Any comments or feedback welcome! You can find me on twitter.

Buy Me A Coffee