
Nairobi Tech Week CTF Teaser 2019 WriteUp

Apr 21, 2019

Nairobi Tech Week 2019 is coming up, and they held a CTF teaser before the event that ran this past week.

There were 5 categories of challenges. Our team participated and was able to solve all challenges except one. We got first place.

On to the challenges I solved.

Web

As the description says, the website lets us create a birthday invitation by entering your name and the invitee's name.


Results of using the website.


Since the description says the website is created using Python, I bet it’s using the Flask framework. The first step is to test for server-side template injection.

A simple payload, {{2*2}}, should confirm it if the multiplication is evaluated.


The 4 confirms that it is vulnerable to template injection. What else can we do with this? In previous CTFs the flag was usually hidden in the app’s variables, which you can access using config. The payload is {{config}}.


After loading the config, the flag wasn’t there, so we must dig deeper. Since template injection can pretty much allow us to execute code, I thought I probably needed a payload to read local files and read the flag. Payloads from https://github.com/swisskyrepo/PayloadsAllTheThings didn’t work for file read. After some more reading I came across this nice tool: tplmap. It’s like sqlmap for template injection.

Running the command below results in a shell prompt on the server; -e specifies the templating engine. Flask uses Jinja2.

tplmap.py -u http://ctf-2019.nairobitechweek.com:9009/\?first_name\=Michael\&last_name\=Ikua\&date\=2019-04-19 -e jinja2 --os-shell

Flag:
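
Added example (not part of the original write-up): the probes used above, {{2*2}} and {{config}}, arrive as query parameters, so they can be spotted in the web server's access log. This sketch scans constructed log lines for Jinja2 delimiters after URL-decoding; the log format, client addresses and function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines; client IPs are documentation addresses.
SAMPLE_LOG = """\
198.51.100.7 - - [19/Apr/2019:10:01:02 +0000] "GET /?first_name=Michael&last_name=Ikua&date=2019-04-19 HTTP/1.1" 200 512
203.0.113.5 - - [19/Apr/2019:10:02:10 +0000] "GET /?first_name=%7B%7B2*2%7D%7D&last_name=x&date=2019-04-19 HTTP/1.1" 200 498
203.0.113.5 - - [19/Apr/2019:10:02:31 +0000] "GET /?first_name=a&last_name=%257B%257Bconfig%257D%257D&date=2019-04-19 HTTP/1.1" 200 2301
198.51.100.9 - - [19/Apr/2019:10:03:00 +0000] "GET /?first_name=Ann+%7B+Lee&last_name=B&date=2019-04-20 HTTP/1.1" 200 510
"""

# Client address and request target from a common/combined log format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Jinja2 expression {{ ... }}, statement {% ... %} and comment {# ... #} delimiters.
TEMPLATE_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.S)


def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding so a double-encoded %257B%257B is seen as {{."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_template_probes(log_text):
    """Return (client, parameter, decoded value) for each suspicious parameter."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        # parse_qsl decodes once; fully_decode handles any further layers.
        for name, once in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            value = fully_decode(once)
            if TEMPLATE_RE.search(value):
                hits.append((client, name, value))
    return hits


if __name__ == "__main__":
    for client, name, value in find_template_probes(SAMPLE_LOG):
        print(f"{client} sent template syntax in '{name}': {value}")
```

A single stray brace in a name (the last sample line) is not flagged; only complete delimiter pairs are.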

Forensics

Little Sad Bear

Here’s the provided image. Since it’s a PNG, the best tool to find any hidden data is zsteg.

Flag:


Crypto

1. Unlucky but lucky

L5R;v4`d*9tc=k5iAJKb2lv`j2V<+*yhZ%B.4=H[E2o*%*7j_+2xF}A

At first I thought this was the Malbolge esoteric language, but it wasn’t. Then I tried base85, but it wasn’t that either. I guessed it was probably close to those two, so after looking around on dcode.fr I landed on the base91 cipher.

Flag:


2. Weak hellman

This is an RSA challenge. Given the encrypted file and the public key, RsaCtfTool can crack it to get the unencrypted text.

Flag:


Misc

Weird Broadcast

We are provided with an audio file. On the first listen the audio doesn’t make any sense, so my first thought was to play it backwards. I used this online page for that; Audacity is also a good tool for this.


The reversed audio says the flag is in hex and then reads it out. Following the words was not easy, so I chose to use speech-to-text to get the information easily.


I got the resulting hex which I decoded to get the flag.


Twitter: ikuamike

Github: ikuamike
