SANS Community CTF (15–16 Oct, 2020)

Samantha

7 min readOct 19, 2020

You can check out this link HERE, If you would like to participate in any of the upcoming events.

Let’s get started!

We are given a website address. When navigating to the website, we see the following:

When you right-click and choose “Inspect Element”, you will see this under the Console Tab (Logs):

For this one you are given a huge log file to sort through. My method was to search for “200” and then just read each line. Eventually, I came to this:

You can either use netcat or just pull this one up in your internet browser. You will see a huge bunch of Hex characters:

I basically just copied and pasted this into CyberChef and used the “From Hex” recipe. The first time I did not find anything, so I refreshed the page and got a new group of hex characters.

On the third refresh I was able to see this in CyberChef:

For this challenge you are given a .zip file with a word document that has some crazy looking text at the top:

However, if you use Select All you will see that there is actually something at the bottom hidden in white font. Change the font color to reveal what appears to be the flag.

I actually had a bunch of trouble with the flag format for this one, so I was not able to turn it in. It might have been the word processor I was using, or maybe this was not the real flag, I’m not sure.

For this challenge you are directed to a login page:

If you look at the page source you will see this:

I redirected myself to that page and then saw this:

Open up the webpage and you will see this:

Use “Inspect Element” and check out the source code. You will see this line somewhere in there:

What’s missing is the .png on the end of “flag” to complete the file path. Add it on and the image will be revealed at the bottom of the page where it says “PNG of the copyright logo”.

Here we are given a web address which takes us to this page of Spongebob on fire:

I used dirsearch with the common word list:

At the /security directory, we see this:

Click on the link to reveal the flag:

I also ran dirbuster, because sometimes I can’t make up my mind:

It finished after I already had the flag, but it’s interesting to note that it picked up on /security/flag.txt while dirsearch only picked up on /security.

We arrive at a service that shows the following:

What I did was subtract the delimiter from each decimal and then run those numbers through CyberChef with the following recipe:

This is what that service spits out. I will use netcat to get it to work properly after I figure out the code.

First thing I did was look up “Blaise.c encryption”

Looks like we are dealing with Vigenere, which means we need a key. We have some decimals, but Vigenere needs a key with letters. Let’s first decode the decimals.

I switched to a different tool here since I couldn’t get the next part to work in CyberChef. I put the letters + key in and chose automatic decryption to produce this:

THE PROTECTED KEY IS IHEARTFRENCHCIPHERS

From here the server responded with what appears to be a bunch of random numbers:

These looked to be signed integers, so we can just use CyberChef to decode them (using the same recipe as question A07):

Here we have another Vigenere challenge:

For this one I used the same decoder as C01, just changing a couple settings:

THE PROTECTED KEY IS IDIDNOTNEEDALEAKYKEY

When you connect you are given a password hash:

What I did was simply use CrackStation, which returned the password:

This is a continuation of E10:

Using the same method with CrackStation, we get another password:

But that password does not work:

It is letting us know that it ran strtolower(), which basically means it will turn all the uppercase characters into lowercase characters. So just submit the password in all lowercase and you will get the flag: