Introduction

Managed to learn a few things from this CTF, thought I would share them here.


Web

Firmware Update

The website is pretty simple. You are able to upload a zip file, and then it gives you a link to download it. Also note, the challenge description tells us where the flag is, “/etc/flag”.

Because I’m a web n00b, I took quite a while to solve this. If you want the solution directly, you can skip all the way down to the last 2 paragraphs. After inspecting the website, there isn’t really anything interesting to be found. Then I experimented around with the upload filename. I realised that it didn’t have to be a zip file. As long as the name ended with .zip, it was a valid upload. This led me to try sending a text file containing cat /etc/flag, but to no avail.

Then I tried uploading a file named “cat /etc/flag”. However, you can’t have forward slashes in filenames. Welp, there goes that idea too.

I then resorted to google, trying to find previous CTF challenges that exploited a vulnerability in file uploads. Most of them tried to get a shell by uploading a php payload. So then I tried doing the same, playing around with wrappers and stuff. However, this yielded no results since the website was returning application/zip. At least I learnt how to solve another challenge, although unrelated…

This was when I noticed that after uploading a file, they not only told you where it was but also listed other things in the directory. Among these was example_firmware.zip. So I downloaded this file, unzipped it and noticed a README.md file among its contents. Hmm… maybe it’s related to the message we got when we uploaded all those zip files earlier, “Fail with Readme file!”, something which I chose to ignore because I had other plans (Big mistake…). So I uploaded the example firmware back to the website and indeed, the message is different.

This time, we get,

Let's look what do we have in README!
$ cat uploads/b4c58259a397dbea07303e2b32e9ab28/README.md
Make sure you agree with firmware privacy policy. Backup data before update!

The contents of the README file are being shown. So how do we exploit this… At first, I tried playing around with the filenames such as Readme.md, README.md.php… again no results. Just then I had an idea: what if README.md was pointing to the contents of another file? I remembered exploiting this before at some local conference CTF, more specifically with /proc/self/cwd, where self is a symbolic link to the directory of the current process, and cwd is yet another symbolic link to that process’s current working directory.

A quick google tells us how to create these links. We use ln -s /etc/flag README.md. To verify this worked, we check with ls -l and sure enough, we see README.md -> /etc/flag. Now, we just zip the file and send the payload to get the flag.
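The whole trick works because the server unzips whatever is uploaded and then reads README.md, trusting it to be a regular file. The Python below is an added example, not code from the challenge or its author: it builds an in-memory archive with the same symlinked README.md (a constructed sample, standing in for ln -s /etc/flag README.md; zip) and lists the entries an upload handler should refuse before handing the archive to unzip.

```python
import io
import stat
import zipfile
from typing import List


def build_symlink_zip(target: str = "/etc/flag") -> bytes:
    """Constructed sample: a zip whose README.md entry is a symbolic link.
    This mirrors the archive produced by `ln -s /etc/flag README.md; zip`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("README.md")
        info.create_system = 3  # 3 = Unix, so the mode bits below are meaningful
        # The upper 16 bits of external_attr carry the Unix st_mode;
        # S_IFLNK marks the entry as a symlink.
        info.external_attr = (stat.S_IFLNK | 0o777) << 16
        # For a symlink entry the stored "file data" is the link target.
        zf.writestr(info, target)
        zf.writestr("firmware.bin", b"\x00" * 16)
    return buf.getvalue()


def build_plain_zip() -> bytes:
    """Constructed sample: an ordinary firmware archive with a regular README."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.md", "Backup data before update!\n")
        zf.writestr("firmware.bin", b"\x00" * 16)
    return buf.getvalue()


def unsafe_entries(zip_bytes: bytes) -> List[str]:
    """Return entry names a safe extractor must reject: symbolic links
    (the trick used in this challenge), absolute paths and '..' components.
    An empty list means every entry is an ordinary, in-tree file."""
    bad: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                bad.append(info.filename)
                continue
            parts = info.filename.replace("\\", "/").split("/")
            if info.filename.startswith("/") or ".." in parts:
                bad.append(info.filename)
    return bad


if __name__ == "__main__":
    print("symlink archive rejects:", unsafe_entries(build_symlink_zip()))
    print("plain archive rejects:", unsafe_entries(build_plain_zip()))
```

Note that Python's own zipfile.extractall does not recreate symlinks (it writes the target string as file contents), but the Info-ZIP unzip binary a web backend typically shells out to does, which is why the check belongs before extraction rather than after.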

Flag: justCTF{A_Fin3_W4y_T0_Upd4t3_m3_y0}

Misc

Matryoshka

We are given an image of a matryoshka doll. In case you don’t know what that is, it is basically a doll that contains another doll that contains another doll. This suggests there is more to the image than meets the eye.

Inspecting the image with exiftool, we notice that there is a thumbnail image. We can use exiftool -b -ThumbnailImage to extract it. This gives us another image, this time with a smaller doll beside it and a fake flag. Looks like we are getting closer. Repeating these steps two more times, we finally arrive at the flag.

Flag: justCTF{d1d_y0u_kn0w_7h47_f1r57_m47ry05hk4_d0ll_w45_m4d3_129_y34r5_4g0}