Cybertalents Quals : Saudi, Sudan, Egypt and Tunisia National CTF 2020 Write-Up

Mahmoud Youssef
5 min readSep 20, 2020

--

Web Challenges

1- Pr0mo [ easy (50 pts) ]

From the challenge name I recognize that is somthing about cookies or tokens to be admin instead of user(guest) … So after going to the url I looked for cookies and I found JWT

So I went Here to debug the token and as I expected I am guest

Sure let’s edit guest to admin , and then send it

OMG!! Nothing happen and the token didn’t change . Then I recognize that this token is missing secret-key , so let’s make a Dic-attack on it by jwt_tool

Bingooo Secret-key founded it took seconds to find it :)

Let’s Inject The secret-key into the token

And voilà I found a somthing looks like a programming language i know , it was BrainFuck language .. So Let’s decode it

BINGOO I found the FLAG

Red Alert 2.0 [ easy (50 pts) ]

From the challenge name I thought that this is a XSS and the flag will appear if i just make alert

So after open url i search for the parameter to inject the payload and it was ?keyword= .. OK let’s check for tags and quotas to know if it wil printed or not

and it was amazing no tags or quotas was filtered .. This make me thing that is an easy challenge. so i put a small payload <script>alert(1)</script> and surprise all the payload didn’t printed . ok i go ahead to inspect place where the payload printed and i found the payload has something like deactivate

So i’ll try some attribute to know what is will not deactivate like <script>

I’ll try <div> <img>

Good it worked and it likes DOM tree. So let’s inject <img> xss payload

<div><img src=1 onerror=alert(1)></div>

Bingooooo it worked and it makes alert But there is no Flag , so it wasn’t as I expected :( … The answer is more than alert…

So I search For DOM tree bypass using XSS

and I found This amazing article which learn me something about XSS called Mutation XSS .. So I searched about it and found this

and after reading the article I found the final payload to get the flag

<noscript><p title="</noscript><img src=x onerror=alert(1)>">

And Finally I solved It .. Really it was a good challenge

Mystery [ medium (100 pts) ]

After opening the url i found 3 links refer to 3 downloadable files

The files name were unusual , they like hash.. so let’s crack it on crackstation and i found something interesting : file names were numbers but it decrypted by md5 algorithm

So good , let’s make a simple script make md5 hash for numbers from 1 to 200 , maybe i find something good

(numbers.txt) has 1 : 200 numbers

and put the result in file fuzz.txt to make fuzzing in the files

bingoo a new file appears.. Let’s download it

Amazing it is the Flag :)

Digital Forensics Challenges

Images3c [ easy (50 pts) ]

It was more than easy challenge .. Just run stegcracker and you will found the Flag

malicious [ file medium (100 pts) ]

Description

To find the MFT entry number you need to download Shellbags Explorer

after opening there is a folder called Windows Loder it seems has something so i opened it and i get the MFT entry number (17120) and make md5 to it and it is the flag.

Hash is the Flag

Cryptography Challenges

Queen [ medium (100 pts) ]

From The name it seems something related mary queen cipher. The challenge was include 5 text files seems not too good but i thought it require to make XOR brute-force to find the key , maybe i can reed the files content . So I used this site to find it

Then Let’s go to cyberchef to find the right key

Bingooo JFIF … it seems it is image , let’s render it

So it was as same as i expected :) It was Mary Queen Cipher

If you have any question you can contact me via Twitter LinkedIn

--

--