A collection of CTF write-up by PYMI team.
- Challenge desciptions may INTENDED be misleading. A problem with "backup is important", may have no bug in backup part, just to be misleading. So does the difficulty, "easy" one maybe hard and "hard" one may be easy.
- Low-effort solutions (5-10 mins) should be tried what-so-ever. Over-thinking is a problem. E.g: a problem gives 3000 pictures and ask to find unique one. Using hash of image can easily solve, but if after viewing some images and see they are differents noises images, one could think the real one is uniq real photo has content and use object recognition (deep learning) to solve is way over thinking, and wrong.
- Again, low effort methods should be tried, e.g XOR with 6 first chars of flag while easy, could be solution (and no tool can auto-decrypt that)
- Look at file carefully, one with many empty lines may misunderstood as ended. Ctrl-A to highlight text same color with background.
- When writing code search for flag (e.g in many webpages), the flag may start with
sdctf, but as nothing says flag would in the pages, try check shorter word, e.gsdcis the domain name of the CTF site. - Double check code edge-cases.
- Use the same platform the challenge run on. E.g Docker, because there are different when using on different OSes, on Linux newline is
\non Windows is\r\n. - Look from far before zooming in details. Some results may show up if look
from far, not close. Example: ASCII art, or this string
|][]¥°|_|7#][\\]X'/[](_):-:∂|/€|†- it isDOYOUTHINKYOUHAVEIT. - Normal browsers do not display non valid HTML, use curl/BurpSuite/requests/other programming clients...
- Reading used library source code to find special case, e.g URI in Java can use
url:file://which by-pass the check forstartswith("file://"), or Pythonipaddresslibrary allow127.0.0.01and treat it same as127.0.0.1. - On web challenges, especially those with many solves, highly chance the exploit is simple such as server-side template injection (SSTI), not cracking AES 128 or find bug in JWT. Notice the (unusual) usage of template, or unnecessary passing secret around.
- Try some (3, 5) inputs, not only one. Luck matters. E.g CyberChef could not decode this
eJwrzy_Kji8oys9Ps81MTUkpT7FISTXLMC03tkw1M8uwAIoZphmkFVuYpWYAAGHLDyw=(need remove = to work) but could do thiseJwrzy_Kji8oys9Psy1MSjQ2NDIwyzQysSg2TMtItchIMSlOzEwySzXIsEzJAABNuw6j. - When see a command
git commit -m 'abc', ask first question: what this does then ask again: what else can happen when this run (git hook).
- Classic crypto are all solved problems. It's more to find "what it is" then use tool to solve it, than to find "how to solve it".
- Modern crypto might requires thinking, reading papers/blogs, guessing a lot, e.g RSA/ECC.
Find flag hiding somewhere just need to think differently to find:
- (s/d/c/t/f on URL),
- or in robots.txt
- or in many files then some "secret" hide
- "leaked" in source code (HTML) or git "deleted" secrets.
Bypass mechanism, real hacking: harder, need to understand mechanism or source code etc...
- Search on sourcegraph.com (or local, not github) headers supported by framework, many weird things can happen based on header like X-Forwarded-For, X-Forwarded-Prefix e.g https://sourcegraph.com/search?q=context%3Aglobal+repo%3A%5Egithub%5C.com%2Fgin-gonic%2Fgin%24+X-&patternType=standard&sm=1&groupBy=path
- Corrupted files: use tools or write code to fix headers
- Hidden files: read file headers to find hidden files, use tools.
- Exiftool checks additional infos
- bmp, jpeg, wav files could be used with steghide, steghide may not using password
- https://gchq.github.io/CyberChef > Magic
- https://www.dcode.fr/cipher-identifier - turn off adblock first.
- https://www.boxentriq.com/code-breaking/cipher-identifier
- Java/Python/Lua/C# decompilers https://www.decompiler.com/
- Java http://www.javadecompilers.com/
- Binary https://binary.ninja/
- radare2 & Cutter UI
- ghidra
- anbox for emulator
- adbcat to view log
- pwnlib.asm (belongs to pwntools)
- angr to "auto" solve re challs
- Webhook to send flag to https://webhook.site/
- Generate revshell https://www.revshells.com/
- Kali on VirtualMachine (VirtualBox, VMWare...) because its repo has many tools that not available on Ubuntu repo. E.g ghidra
- https://gchq.github.io/CyberChef - can find hidden files base on magic headers, choose specific type (image/audio...) to find more accurate.
- https://stegonline.georgeom.net/upload for image steg.
- binwalk - note sometimes binwalk may not work (e.g to find hidden jpeg image)
- https://github.com/sherlock-project/sherlock - run this by
python3 sherlock USERNAME --print-all --timeout 10to see which sites failed/blocked, set timeout to not stuck forever (e.g TikTok may fail). NOTE: this not search discord, so search in discord manually. - https://github.com/mxrch/ghunt - investigate google accounts