11 March 2022 / INTIGRITI, CTF

# Intigriti 1337UP CTF 2022

## Overview

These are a few write-ups from the 1337UP CTF hosted by [Intigriti](https://www.intigriti.com). It was a 24-hour CTF, so I didn’t get as much time on it as I would have liked; however, it was still a lot of fun.

## Mirage - Misc

The link for the ‘Mirage’ challenge was https://mirage.ctf.intigriti.io/. There were no additional files with this challenge.

The website was just a static page with no working links. I looked at /robots.txt and found a whole list of entries. A few entries lead nowhere and some are trolls; the important ones are:

```
Disallow: /wordlists.txt
Disallow: /ok.txt
```

I used `wget https://mirage.ctf.intigriti.io/wordlists.txt` to download the wordlist to my machine.

On /ok.txt is some text which includes ‘/uncclzrny.wct’ with a hint of using ROT. I went over to CyberChef and used ROT13 on the text. This provided the URL ‘/happymeal.jpg’. This led to another page, ‘HelpMeOut.txt’, which provides a link to a download. Again using wget, I downloaded the zip file. The zip is password protected.

```
└──╼ $unzip flag.zip
Archive: flag.zip
[flag.zip] flag.txt password:
skipping: flag.txt incorrect password
```

I used zip2john to create a hash.

```
└──╼ $zip2john flag.zip > zip.john
ver 1.0 efh 5455 efh 7875 flag.zip/flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=68, decmplen=56, crc=CC303849
```

Then I used john to crack the hash with the wordlist downloaded earlier.
```
└──╼ $john --wordlist=wordlists.txt zip.john
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Soeasypeasy214 (flag.zip/flag.txt)
1g 0:00:00:00 DONE (2022-03-11 20:32) 100.0g/s 15500p/s 15500c/s 15500C/s ##this will help you later..violent
Use the "--show" option to display all of the cracked passwords reliably
Session completed
┌─[daz@parrotos]─[~/Documents/1337UPCTF/Mirage]
└──╼ $unzip flag.zip
Archive: flag.zip
[flag.zip] flag.txt password:
extracting: flag.txt
┌─[daz@parrotos]─[~/Documents/1337UPCTF/Mirage]
└──╼ $cat flag.txt
1337UP{Wh4tAM3ss.txt.jpg.whyareyouputtingmethroughthis}
```

## Traveler - Web

The link for the ‘Traveler’ challenge was https://traveller.ctf.intigriti.io/. There were no additional files with this challenge.

Looking at the link, it’s a travel-agent-based website. Poking around the website, I found a section to check availability. I sent the request to Burp and started fuzzing the pack name field. When submitting `Single'`, an error was generated showing:

```
An error occurred whilst executing: bash check.sh Couple’
```

It doesn’t appear to be verifying user input, so I should be able to just append bash commands to the syntax. I tried `Single&ls`; because of the special character, I URL-encoded it. It worked, so getting the flag was simple using the payload `pack=Single%26%63%61%74%20%2e%2e%2f%2e%2e%2f%2e%2e%2f%66%6c%61%67%2e%74%78%74&submit=Submit`, which is `&cat ../../../flag.txt` URL-encoded.

## Lovely Kitten Pictures 1 - Lovely Kitten Pictures

The link for the ‘Lovely Kitten Pictures 1’ challenge was https://lovelykittenpictures.ctf.intigriti.io/. No files were included as part of this challenge.

Navigating to the website just showed a picture of a cat with an option to switch. I sent the requests through Burp and saw a request to ‘/pictures.php?path=assets/1.jpg’. That looks like it could be vulnerable to an LFI (Local File Inclusion).
I played around for a while trying the basics such as `../../../../flag.txt`, `../../../../etc/passwd`, etc., but just got 404s, so I decided to try ‘/pictures.php?path=pictures.php’, which, if it worked, would include the source code of the PHP file, and I would be able to see how the request worked. It worked!

Reading the code, it looks like any file other than .jpg would return the contents of flag1.txt. I looked at the headers and the flag was included.

Thanks for reading!

Any comments or feedback welcome! You can find me on twitter.
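
The error message in the Traveler challenge suggests the form value is pasted into a `bash check.sh …` command line. As an added example (not code from the challenge or from the original post), this contrasts that pattern with an allowlist check followed by passing the value as a single argument with no shell. `echo checking` stands in for `check.sh` so it runs offline, and the function names, the pack allowlist and the sample input are assumptions constructed for illustration.

```python
import subprocess

# Assumption: the set of valid packs; only "Single" and "Couple" appear in the write-up.
ALLOWED_PACKS = {"Single", "Couple"}


def check_shell_string(pack: str) -> str:
    """Weak pattern: the value is concatenated into a string that a shell parses."""
    # "echo checking" is a stand-in for "bash check.sh" (hypothetical back end).
    cmd = "echo checking " + pack
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def check_argv(pack: str) -> str:
    """No shell: the value is one argv element, so metacharacters stay literal."""
    return subprocess.run(
        ["echo", "checking", pack], capture_output=True, text=True
    ).stdout


def check_hardened(pack: str) -> str:
    """Reject anything outside the allowlist before it reaches a process at all."""
    if pack not in ALLOWED_PACKS:
        raise ValueError("unknown pack")
    return check_argv(pack)


if __name__ == "__main__":
    # Constructed input: a benign marker command after the '&' separator.
    sample = "Single&echo INJECTED"
    print("shell string:", sorted(check_shell_string(sample).splitlines()))
    print("argv only   :", check_argv(sample).splitlines())
    try:
        check_hardened(sample)
    except ValueError as exc:
        print("hardened    : rejected,", exc)
    print("hardened    :", check_hardened("Single").strip())
```

The allowlist is the primary control; the argument list is the backstop for any value that does reach the process.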