Bearcat CTF 2024 Challenges Writeup

cyberCypher
Feb 5, 2024

Assalom-alikum! This is Rehan from team m4lware. I participated in BearCTF, 2k24 edition. The challenges were quite easy, but due to time constraints I couldn’t solve the other challenges. I will be sharing writeups for some of the challenges which I solved in the competition earlier.

Challenges category:

  1. Reversing
  2. Web
  3. Cryptography
  4. Stego

Reversing

Simple Mystery — 300 pts

This challenge is all about the binary file we were given. It is quite a simple one: running the strings command on the file retrieves the flag.

BCCTF{SoLv1n6_TH3_C4se_4_All_ThI2gS}

Web

No Humans — 500 pts

In this challenge, we were given a URL. Opening the URL in a browser shows us this webpage.

Checking the contents gives us a hint to check the robots.txt file. The robots.txt file listed 2000+ endpoints.

A user agent is also specified, which we need to keep in mind when making requests to these endpoints. Trying the endpoints one by one would take a lot of time, so let's open up the terminal and automate it.

Use this command to filter out only the endpoints and save them in a separate file.

    awk '{$1=""; sub(/^ */, ""); print}' endpoints.txt

Now that we have all the endpoints, write a bash script that curls every endpoint in the file with the specified user agent.

    #!/bin/bash

    BASE_URL="http://chal.bearcatctf.io:48605"
    USER_AGENT="Overlords"

    # Read one endpoint path per line and request it with the required user agent
    while IFS= read -r endpoint; do
        url="$BASE_URL$endpoint"

        curl -A "$USER_AGENT" "$url"
    done < endpoints.txt
Flag found

Pro-Clicker V2 — 700 pts

In this web challenge, there is a click button that increases the score with every click.

Checking the page source, we find JavaScript code that is quite helpful.

    function incrementScore() {
        var currentScore = parseInt(getCookie("score"));
        currentScore += 1;
        document.cookie = "score=" + currentScore;
        document.getElementById("score").innerHTML =
            "Number of clicks : " + currentScore;
        showButton();
    }

    function getCookie(name) {
        var value = "; " + document.cookie;
        var parts = value.split("; " + name + "=");
        if (parts.length == 2) return parts.pop().split(";").shift();
    }

    function showButton() {
        var goal = 5000000000;
        var score = getCookie("score");
        if((score > 1) && (score % 123982415941 == 0) &&
            (score % 807045832 == 0) &&
            (score % 247964831882 == 0) &&
            (score % 201761458 == 0) &&
            (score % 403522916 == 0) &&
            (score % 100880729 == 0) &&
            (score % 495929663764 == 0)) {
            document.getElementById("scoretitle").style.display = "block";
            document.getElementById("scoreredirect").style.display = "block";
        }
        else{
            document.getElementById("scoretitle").style.display = "none";
            document.getElementById("scoreredirect").style.display = "none";
        }
    }

The function showButton() plays the key role here: it controls the visibility of certain elements based on the score. It sets a goal score of 5000000000 (the goal variable is declared but never used in the checks) and tests whether the current score, read from the "score" cookie, is divisible by each of a list of specific numbers. If all conditions are met, it displays the two elements with ids “scoretitle” and “scoreredirect” by setting their display style to “block”. Otherwise, it hides these elements by setting their display style to “none”.

There is a link that redirects to the flag page, but accessing it directly leads to a 403 error. That means we need to update the cookie with a score that fulfils the conditions in the last code block. A score that passes all of these checks must be a common multiple of the numbers, so we need to find their LCM. I wrote some Python code to figure it out:

    from math import gcd

    def lcm(x, y):
        # lcm(x, y) = x * y / gcd(x, y)
        return x * y // gcd(x, y)

    numbers = [123982415941, 807045832, 247964831882, 201761458, 403522916, 100880729, 495929663764]

    lcm_value = numbers[0]

    # Fold the LCM over the whole list
    for num in numbers[1:]:
        lcm_value = lcm(lcm_value, num)

    print("LCM:", lcm_value)

LCM value : 991859327528

Inserting this value into the cookie redirects us to the flag page.

Flag obtained

Cryptography

Many Encode — 300 pts

As its name suggests, this challenge is about double encoding. We were given a string like this:

34 32 20 34 33 20 34 33 20 34 33 20 35 34 20 34 36 20 37 62 20 37 33 20 36 66 20 36 64 20 36 35 20 35 66 20 36 36 20 36 63 20 36 31 20 36 37 20 37 64 (not the exact string)

Feeding it to CyberChef retrieved the flag. It used double hex encoding.
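The same double hex decoding done locally, as an added Python example that is not part of the original writeup. The names peel_hex and SAMPLE are chosen here, and SAMPLE is the stand-in string shown above, not the real challenge data.

```python
import re

# A layer counts as hex text if it is only two-digit hex pairs, optionally
# separated by whitespace.
HEX_TEXT = re.compile(r"(?:[0-9a-fA-F]{2}\s*)+")

def peel_hex(text, max_layers=10):
    """Strip hex-encoding layers until the text no longer looks like hex.

    Returns (decoded_text, layers_removed). A plaintext that is itself made
    only of hex pairs (for example "cafe") would be peeled one layer too far,
    so check the layer count against what you expect.
    """
    layers = 0
    text = text.strip()
    while layers < max_layers and HEX_TEXT.fullmatch(text):
        try:
            # bytes.fromhex() skips ASCII whitespace between pairs.
            decoded = bytes.fromhex(text).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            break  # not text underneath: stop at the last readable layer
        text = decoded.strip()
        layers += 1
    return text, layers

# Stand-in string from the writeup (the author notes it is not the exact one).
SAMPLE = (
    "34 32 20 34 33 20 34 33 20 34 33 20 35 34 20 34 36 20 37 62 20 37 33 "
    "20 36 66 20 36 64 20 36 35 20 35 66 20 36 36 20 36 63 20 36 31 20 36 "
    "37 20 37 64"
)

if __name__ == "__main__":
    plain, layers = peel_hex(SAMPLE)
    print(layers, "layer(s):", plain)
```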

Difference of P — 700 pts

This challenge is about RSA. We were given:

ct: 1974980851853019257771773253811679794137241209581612326758022524735213521549252839752456399226743
e : 65537
N: 22124683985039812698470600343255891405990431861180855450772516395200335369863431601013187704080051

Let's go to dcode.fr to decrypt the RSA ciphertext. First we find P and Q.

Then we have to find Phi of N, which is (P-1)*(Q-1).

Lastly, we find the modular inverse of e modulo Phi of N, which gives the private exponent d,

and then feed all the values found to the decryptor.

BCCTF{F3rMaT_yOu_BugG3r}
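An added example, not the author's code: the same steps (factor N, compute Phi of N, invert e, decrypt) done locally instead of on dcode.fr. It uses Fermat's factorization, which the challenge name and the flag text point to and which is only fast when P and Q are close together; the function names and the demo key are constructed here.

```python
from math import isqrt

def fermat_factor(n, max_steps=1_000_000):
    """Factor odd n = p*q by Fermat's method; quick only when p and q are close.
    Returns (p, q) with p <= q, or None if nothing is found in max_steps."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:            # n = a^2 - b^2 = (a - b) * (a + b)
            return a - b, a + b
        a += 1
    return None

def rsa_decrypt(ct, e, n, max_steps=1_000_000):
    """Follow the writeup's steps; returns plaintext bytes or None."""
    factors = fermat_factor(n, max_steps)
    if factors is None:
        return None
    p, q = factors
    phi = (p - 1) * (q - 1)        # Phi of N
    d = pow(e, -1, phi)            # modular inverse of e (Python 3.8+)
    m = pow(ct, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# Constructed demo key built from two adjacent primes, NOT the challenge key.
DEMO_P, DEMO_Q = 1_000_000_007, 1_000_000_009
DEMO_N = DEMO_P * DEMO_Q
DEMO_CT = pow(int.from_bytes(b"fermat!", "big"), 65537, DEMO_N)

# Values copied from the writeup above.
CT = 1974980851853019257771773253811679794137241209581612326758022524735213521549252839752456399226743
E = 65537
N = 22124683985039812698470600343255891405990431861180855450772516395200335369863431601013187704080051

if __name__ == "__main__":
    print(rsa_decrypt(DEMO_CT, 65537, DEMO_N))
    # Prints None if P and Q are too far apart for the step cap.
    print(rsa_decrypt(CT, E, N))
```

The step cap is what makes the weakness visible: a modulus whose primes are far apart returns None, which is why key generation must not pick P and Q close to each other.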

Steganography

Best Painting

In this challenge, we were given a zip file. Unzipping the file gives an image. It was a blank image with no content or picture, just the color white. Checking its EXIF info does not give any useful direction. Uploading it to aperisolve gives us the flag in the color change variations in the filter section.

Happy Hacking!

Follow me on twitter: https://twitter.com/cyber_cypher007

& Linkedin: https://www.linkedin.com/in/rehan-mumtaz
