Classic CTF
Hawkins National Laboratory (Stackfault)
“Je verse des larmes de metal” (25)
URL="https://hawkins.ctf.ihack.computer"
WL=/usr/share/dirb/wordlists/common.txt
gobuster dir -u $URL -w $WL -s '200,204,301,302,307,403,500' -e
https://hawkins.ctf.ihack.computer/~root (Status: 301)
https://hawkins.ctf.ihack.computer/images (Status: 301)
https://hawkins.ctf.ihack.computer/index.html (Status: 200)
https://hawkins.ctf.ihack.computer/map (Status: 301)
https://hawkins.ctf.ihack.computer/robots.txt (Status: 200)
https://hawkins.ctf.ihack.computer/robots.txt
User-agent: *
Disallow: /map/
Disallow: /help/
Disallow: /laboratory/
Disallow: /HF-CLSjhdgh56yr0poqhgdyhq9i8ekklssr/
Disallow: *
Flag: HF-CLSjhdgh56yr0poqhgdyhq9i8ekklssr
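robots.txt is readable by anyone, so a Disallow rule that names a secret path publishes it. The following added example (not part of the original write-up) audits a robots.txt body for Disallow path segments that look like secrets rather than ordinary names; the function names and the length and entropy thresholds are assumptions chosen for illustration.

```python
import math
import re
from collections import Counter

# robots.txt body copied from the challenge output shown above
ROBOTS_TXT = """\
User-agent: *
Disallow: /map/
Disallow: /help/
Disallow: /laboratory/
Disallow: /HF-CLSjhdgh56yr0poqhgdyhq9i8ekklssr/
Disallow: *
"""

MIN_LEN = 16       # assumed threshold: shorter segments are treated as ordinary names
MIN_ENTROPY = 3.5  # assumed threshold, in bits per character


def shannon_entropy(s):
    """Shannon entropy of a non-empty string, in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def disallowed_paths(robots_txt):
    """Yield (line_number, path) for every non-empty Disallow rule, ignoring comments."""
    for lineno, raw in enumerate(robots_txt.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        field, _, value = line.partition(":")
        if field.strip().lower() == "disallow" and value.strip():
            yield lineno, value.strip()


def audit(robots_txt):
    """Return (line, segment, entropy) for path segments that look like secrets."""
    findings = []
    for lineno, path in disallowed_paths(robots_txt):
        # Split on path and wildcard delimiters; drop empty pieces.
        for segment in filter(None, re.split(r"[/?&=*$]", path)):
            ent = shannon_entropy(segment)
            if len(segment) >= MIN_LEN and ent >= MIN_ENTROPY:
                findings.append((lineno, segment, round(ent, 2)))
    return findings


if __name__ == "__main__":
    for lineno, segment, ent in audit(ROBOTS_TXT):
        print(f"line {lineno}: '{segment}' looks like a secret ({ent} bits/char)")
```

Paths that must stay private need access control on the server; leaving them out of robots.txt only stops advertising them.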
Boom Video Conferencing
Bomb a Boom meeting! (125)
Looking at the code, we can see that the meeting ID must match \d-\d-\d, e.g. 1-2-3.
Submit an invalid number like 1-2-3. The page title contains a meeting ID: 0-6-9
Go to https://boom.ctf.ihack.computer/0-6-9
Looking at the code, we can see a password.
UPDATE: <a href="/0-6-9?password=069960">This meeting URL</a> was compromised. Someone removed the password and we got Rick Roll'D! <br>
I've sent y'all a new meeting link privately!<br>
MR. NUTSACK WE KNOW YOU'RE STILL IN THERE! PLEASE JOIN THE NEW MEETING!
This is not the real meeting ID. We must find the new one.
Try to find the new URL by bruteforcing:
for i in {0..9}; do for j in {0..9}; do for k in {0..9}; do echo "$i-$j-$k" >> boom.txt; curl "https://boom.ctf.ihack.computer/$i-$j-$k" >> ./boom.txt;done;done;done;
We find 4-1-8. Following the same password logic (the digits of the meeting ID followed by the same digits reversed):
0-6-9 = 069960
4-1-8 = 418814
https://boom.ctf.ihack.computer/4-1-8?password=418814
We are now logged into the meeting. There is supposed to be a live stream with the flag but it had technical problems. We also get kicked out after a few seconds with this message:
You were kicked from the meeting. Reason: GTFO INTRUDER!!
Flag: HF-9E7C6F2A3C19
iHack, the Musical (TheEnarki)
An audio classic (50)
- Open the audio file with Audacity
- Click on the file name on the left and click Spectrogram.
- Click on the file name on the left and click on Rate. Select 8000 Hz.
- We can see that something is written at the top of the spectrogram, but it is still too difficult to read. Click on the file name on the left and click Spectrogram Settings. Set min frequency (Hz) to 3000 and max frequency (Hz) to 4000.
- Click on the Zoom In button.
Flag: HF-YdxmaUzgJQiJRrmG
Funny note:
exiftool TheEnarki_-_iHack_The_Musical.flac
ExifTool Version Number : 11.98
File Name : TheEnarki_-_iHack_The_Musical.flac
Directory : .
File Size : 12 MB
File Modification Date/Time : 2020:06:20 23:21:56-04:00
File Access Date/Time : 2020:06:20 23:25:32-04:00
File Inode Change Date/Time : 2020:06:20 23:21:58-04:00
File Permissions : rw-r--r--
File Type : FLAC
File Type Extension : flac
MIME Type : audio/flac
Block Size Min : 4096
Block Size Max : 4096
Frame Size Min : 567
Frame Size Max : 12162
Sample Rate : 44100
Channels : 2
Bits Per Sample : 16
Total Samples : 5292000
MD5 Signature : 2416fa5a28c48b5a119f649a8adb2b76
Vendor : reference libFLAC 1.3.0 20130526
Album : iHack CTF 2020
Artist : TheEnarki (Keven Duchesneau)
Comment : Enjoy! Alas, the main flag is definitely not hidden in the Metadata, but I'm glad you came here and visited me. Did you know that the "comment" tag (technically the METADATA_BLOCK_VORBIS_COMMENT tag) can contain up to 2^24 bytes? Me neither, until writing this comment! And the length could be 2^64, but the genius behind FLAC deemed the limit unnecessary.
Date : 2020/06/20
Genre : Metal
Title : iHack, The Musical!
Duration : 0:02:00