HOSTED BY SNYK
Hello everyone, I hope you are all doing well. This is my first writeup; feel free to comment with suggestions that help me improve. In this writeup I am solving some challenges from the recent FETCH THE FLAG CTF by SNYK.
Going directly into it…
Potty Training (steg)
As we can see, the challenge is related to steganography. Basic analysis with file and exiftool didn't give anything, so I tried zsteg, which gave a link.
Similarly, we can use the tool stegano mentioned in the challenge description.
Yeah..!! We got something interesting.
When I try to access the link we got, it gives an error.
Then I checked the other challenge links, which use http instead of https. So I tried http.
BOOM.. We got the flag…..
File Explorer (web)
This is a web-based challenge. There is a free hint, a GitHub repo with the source code, but before that I visited the given webpage.
This /public/ page made me think about path traversal, so I tried ../
but it returned to the homepage, so I tried the URL-encoded payload ..%2f
(%2f = /)
and tried to read /etc/passwd
We got the file and understood that it is vulnerable, but there is no need to read /etc/passwd; I just wanted to go one directory backward. Now we can see the files, and the flag file is right there.
We got the flag..
Treasure Trove (web)
The challenge description points to JS reversing. A link and a file are provided; like the above challenge, I first visited the website
and checked the source code, where I found a JS file 'swashbuckle.js'. While going through the JS file I found a validate method.
I used the browser console and entered validate, and I found this code
I tried to understand the code
- It takes the HTML input
- checks the characters
- checks that the key length is 25
- converts the keys to char codes and adds them together, checking if the sum is 1800
So I reversed it
- 1800/25 = 72
- 72 is the charCode of 'H'
- As we can see in the input field, it hints at 5 characters in each of the 5 fields
- so I tried HHHHH in each input field
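To make the validation logic concrete, here is an added JavaScript re-implementation of the check as the writeup describes it (this is not the challenge's own swashbuckle.js). The function names, the uppercase-only character check and the assumption that the five fields of five characters are joined into one 25-character key are mine; it also shows why a sum-only check accepts many keys besides the intended one.

```javascript
// Re-implementation of the validate() logic described above (assumed details are marked).
const KEY_LENGTH = 25;   // stated in the writeup
const TARGET_SUM = 1800; // stated in the writeup

// Returns true when the joined key passes the same three checks as the page describes.
function validateKey(key) {
  if (typeof key !== 'string' || key.length !== KEY_LENGTH) return false;
  // The original's exact character check is not shown; uppercase letters are assumed.
  if (!/^[A-Z]+$/.test(key)) return false;
  let sum = 0;
  for (const ch of key) sum += ch.charCodeAt(0);
  return sum === TARGET_SUM;
}

// Assumed: the form's five fields of five characters are concatenated before validation.
function validateFields(fields) {
  if (!Array.isArray(fields) || fields.length !== 5) return false;
  if (!fields.every((f) => typeof f === 'string' && f.length === 5)) return false;
  return validateKey(fields.join(''));
}

// The reversal from the writeup: a sum-only check is satisfied by any key whose
// average char code is TARGET_SUM / KEY_LENGTH, so repeating that character works.
function derivedKey() {
  const avg = TARGET_SUM / KEY_LENGTH;              // 72 -> 'H'
  return String.fromCharCode(avg).repeat(KEY_LENGTH); // 'HHHHHHHHHHHHHHHHHHHHHHHHH'
}

// Any key with the same sum also passes, e.g. 'GI' x 12 + 'H' (71 + 73 = 144 per pair).
// This is the defensive lesson: a client-side checksum neither keeps a secret nor
// identifies a single valid key; the real comparison belongs on the server.
function collidingKey() {
  return 'GI'.repeat(12) + 'H';
}
```

Both `derivedKey()` and `collidingKey()` pass `validateKey`, while a key of the wrong length or wrong sum (for example 25 'A's, which sum to 1625) does not.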
Ta-da! We got it..
Thank you everyone for reading my writeup…
Feel free to comment and suggest.