Intigriti 1337UP CTF 2022
Overview
These are a few write-ups from the 1337UP CTF hosted by [Intigriti](https://www.intigriti.com). It was a 24-hour CTF, so I didn’t get as much time on it as I would have liked; however, it was still a lot of fun.
Mirage - Misc
The link for the ‘Mirage’ challenge was https://mirage.ctf.intigriti.io/. There were no additional files with this challenge. The website was just a static page with no working links.
I looked at /robots.txt and found a whole list of entries.
There are a few entries that lead nowhere and some are trolls; the important ones are:
Disallow: /wordlists.txt
Disallow: /ok.txt
I used wget https://mirage.ctf.intigriti.io/wordlists.txt to download the wordlist to my machine. On /ok.txt is some text which includes ‘/uncclzrny.wct’ with a hint of using ROT.
I went over to CyberChef and used ROT13 on the text. This provided the URL ‘/happymeal.jpg’.
This led to another page ‘HelpMeOut.txt’.
This page provides a link to a download. Again using wget, I downloaded the zip file.
The zip is password protected.
└──╼ $unzip flag.zip
Archive: flag.zip
[flag.zip] flag.txt password:
skipping: flag.txt incorrect password
I used zip2john to create a hash.
└──╼ $zip2john flag.zip > zip.john
ver 1.0 efh 5455 efh 7875 flag.zip/flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=68, decmplen=56, crc=CC303849
Then I used john to crack the hash with the wordlist downloaded earlier.
└──╼ $john --wordlist=wordlists.txt zip.john
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Soeasypeasy214 (flag.zip/flag.txt)
1g 0:00:00:00 DONE (2022-03-11 20:32) 100.0g/s 15500p/s 15500c/s 15500C/s ##this will help you later..violent
Use the "--show" option to display all of the cracked passwords reliably
Session completed
┌─[daz@parrotos]─[~/Documents/1337UPCTF/Mirage]
└──╼ $unzip flag.zip
Archive: flag.zip
[flag.zip] flag.txt password:
extracting: flag.txt
┌─[daz@parrotos]─[~/Documents/1337UPCTF/Mirage]
└──╼ $cat flag.txt
1337UP{Wh4tAM3ss.txt.jpg.whyareyouputtingmethroughthis}
Traveler - Web
The link for the ‘Traveler’ challenge was https://traveller.ctf.intigriti.io/. There were no additional files with this challenge. Looking at the link, it’s a travel-agent-based website.
Poking around the website I found a section to check availability.
I sent the request to Burp and started fuzzing the pack name field.
When submitting Single' an error was generated showing:
An error occurred whilst executing: bash check.sh Couple’
It doesn’t appear to be verifying user input, so I should be able to just append bash commands to the syntax, so I tried Single&ls. Because of the special character, I URL encoded it.
It worked, so getting the flag was simple using the payload pack=Single%26%63%61%74%20%2e%2e%2f%2e%2e%2f%2e%2e%2f%66%6c%61%67%2e%74%78%74&submit=Submit which is &cat ../../../flag.txt URL encoded.
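The flaw behind this challenge and its fix, as an added example that is not the challenge's code: the form value is concatenated into a shell command line, so the shell treats `&` as a command separator. The stand-in check.sh, the function names and the allow-list are assumptions (only "Single" and "Couple" appear in the write-up), and `sh` is used in place of bash for portability.

```python
import os
import subprocess
import tempfile

# Constructed stand-in for the challenge's check.sh: it only echoes its argument.
CHECK_SH = 'echo "checking availability for: $1"\n'
# Assumed allow-list of valid pack names.
ALLOWED_PACKS = {"Single", "Couple"}


def _run(cmd, shell):
    """Run cmd in a temporary directory that contains the stand-in check.sh."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "check.sh"), "w") as f:
            f.write(CHECK_SH)
        done = subprocess.run(cmd, shell=shell, cwd=d,
                              capture_output=True, text=True)
        return done.stdout


def check_vulnerable(pack):
    """Flawed pattern: user input is pasted into a string the shell parses."""
    return _run("sh check.sh " + pack, shell=True)


def check_hardened(pack):
    """Allow-list the value, then pass it as a single argv element, no shell."""
    if pack not in ALLOWED_PACKS:
        raise ValueError("unknown pack: %r" % pack)
    return _run(["sh", "check.sh", pack], shell=False)


if __name__ == "__main__":
    probe = "Single&echo INJECTED"  # harmless marker instead of a real command
    print(check_vulnerable(probe))  # the marker line shows the shell ran it
    try:
        check_hardened(probe)
    except ValueError as exc:
        print("rejected:", exc)
    print(check_hardened("Single"))
```

Either control alone stops the injection; using both means a gap in the allow-list still cannot reach a shell parser.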
Lovely Kitten Pictures 1 - Lovely Kitten Pictures
The link for the ‘Lovely Kitten Pictures 1’ challenge was https://lovelykittenpictures.ctf.intigriti.io/. No files were included as part of this challenge. Navigating to the website just showed a picture of a cat with an option to switch.
I sent the requests through Burp and saw a request to ‘/pictures.php?path=assets/1.jpg’. That looks like it could be vulnerable to an LFI (Local File Inclusion).
I played around for a while trying the basics such as ../../../../flag.txt, ../../../../etc/passwd, etc. but just got 404s, so I decided to try ‘/pictures.php?path=pictures.php’, which, if it worked, would include the source code of the PHP file and I would be able to see how the request worked, and it worked!
Reading the code, it looks like any file other than .jpg would return the contents of flag1.txt. I looked at the headers and the flag was included.
Thanks for reading!