FETCH THE FLAG CTF 2022

ag3n7
4 min read · Nov 10, 2022

HOSTED BY SNYK

Hello everyone, I hope you all are doing well. This is my first writeup, so feel free to comment with suggestions that help me improve. In this writeup I am solving some challenges from the recent FETCH THE FLAG CTF by SNYK.

Going directly into it…

Potty Training (steg)

Potty Training Challenge Description
potty.png

As we can see, the challenge is related to steganography. Basic analysis with file and exiftool didn't give anything, so I tried zsteg, which gave a link.

zsteg

Similarly, we can use the tool stegano mentioned in the chall description.

stegano-lsb

Yeah..!! We got something interesting.

When we try to access the link we got, it gives an error.

error

Then I checked the other chall links, which use http instead of https. So I tried http.

BOOM.. We got the flag…..

flag

File Explorer (web)

File Explorer Challenge Description

This is a web-based challenge. There is a free hint, a GitHub repo with the source code, but before that I visited the given webpage.

/public/

This /public/ page made me think about path traversal, so I tried ../

but it returned to the homepage, then I tried the URL-encoded payload ..%2f

(%2f = /)

and tried to read /etc/passwd

We got the file and understood that it is vulnerable, but there is no need to read /etc/passwd; I just wanted to go a single directory backward. Now we can see the files, and right there is the flag file.

vulnerable to path traversal
flag

We got the flag..

Treasure Trove (web)

Treasure Trove Challenge Description

The challenge description points at JS reversing. A link and a file are provided; like the above challenge, I first visited the website

website

and checked the source code, where I found a JS file ‘swashbuckle.js’. While going through the JS file I found a validate method.

swashbuckle.js

I used the browser console and entered validate, and found this code

validate

I tried to understand the code:

  • It takes the HTML input
  • checks the characters
  • checks that the key length is 25
  • converts the keys to char codes and adds them together, then checks whether the sum is 1800

So I reversed it:

  • 1800/25 = 72
  • 72 is the charCode of ‘H’
  • As we can see, the input field hints at 5 characters in each of the 5 fields
  • so I tried HHHHH in each input field

flag

Ta-da! We got it..

Thank you everyone for reading my writeup…

Feel free to comment and suggest.
