22nd June 2021
Beyond Advent of CTF

Beyond Advent of CTF 2020

Best wishes for 2021!

Overview

The last month of 2020, December, was dominated by various Capture The Flag (CTF) competitions. If you’re not familiar with CTFs, here is a short explanation. A CTF competition consists of multiple hacking challenges that participants must complete. You can get your hands dirty in a safe environment. The difficulty of the challenges can vary: most CTFs start with simple challenges, and as the participants complete them, the challenges become more and more difficult. A player completes a challenge by obtaining a flag and submitting it, and receives points for that flag. The number of points the player receives usually depends on the difficulty of the challenge. For example, the format of the flag can be ^FLAG^37ae568362f974017fa575f08cd215044cd6bb395c3f5e5e293ee5324ba6769c$FLAG$ (HackerOne CTF) or HTB{Th1s_ 1s_4n_3x4mpl3_fl4g} (Hack The Box).

CTFs usually have different categories of challenges. Common categories are:

  • Web: The player is presented with a website and has to find a vulnerability in the web application and hack it to get to the flag.
  • Coding (Programming): The player receives a script or program which needs to be resolved. In some cases, this type of challenge can be mixed with the ‘Web’ type.
  • Reverse Engineering: The player needs to reverse engineer an executable to solve this challenge.
  • Steganography: The player needs to find hidden messages in plain-looking objects. The Stego category will have you use steganographic tools and your detective intuition to search for the hidden flag.
  • Forensics: In this category, the player needs to find the flag through Wireshark traces, or data recovery is involved.
  • OSINT: In this category, the player needs to find publicly available information to get to the flag.
  • Misc: This category is for challenges that do not fit in a specific category. Just another challenge that needs to be solved.

Advent of CTF 2020

This year I participated in the CTF competition ‘Advent of CTF’. This CTF was organized by the NOVI University of Applied Sciences. The challenges were built by Arjen Wiersma, the Chief Lecturer for Cyber Security at NOVI. This was the first CTF competition in which I participated. The competition started on 1 December 2020 and ended on 24 December 2020, and a new challenge was unlocked every day. During this CTF, it was not allowed to use any automatic tools like sqlmap, tplmap, and so on. Everything had to be done manually. We were only allowed to use the web browser (with the Development Tools) and CyberChef. Burp Suite was allowed, and I used this application.

Of the 416 participants, I finished in 19th place, in the top 20. For my first CTF competition, I am quite proud of this position on the scoreboard. I participated in this challenge because I want to develop my skills and learn something new. So, that’s the prize that I received for participating in this CTF competition.

To get the most out of the knowledge gathering, I also published the write-ups with a walkthrough on how I solved the 24 challenges. I write these write-ups to organize my thoughts, to share the knowledge, and to summarize what I have learned. You can find my write-ups here. I hope you will like my write-ups and make sure that you leave a comment!

  • Challenges completed: 24
  • Points earned: 30651
  • Place of 416: 19
  • Cups of Coffee Consumed during the CTF: 53

Skills improvement and learning

I learned a lot during this competition. I improved my skills and gained new knowledge and experience. It is also always fun to share your techniques with the community and learn new techniques from the community. Some challenges were difficult for me to complete, and it is always nice when someone from the community can think along with you and give you a nudge in the right direction. The CTF was 100% based on Web Exploitation. Below is an overview of the topics covered during the challenges; each challenge had its own specific educational topic.

| Challenge | Points | Learning topics | Write-up |
|---|---|---|---|
| Challenge 1 | 100 | Inspect page source; Identify and decode Base64; How the Advent of CTF system works | Advent of CTF 1 |
| Challenge 2 | 200 | How cookies are stored in a browser; Identifying structures with Base64; URL Encoding; Manipulating JSON structures | Advent of CTF 2 |
| Challenge 3 | 300 | How you can view JavaScript in your browser; Read some JavaScript to figure out what is happening; Running JavaScript you wrote yourself | Advent of CTF 3 |
| Challenge 4 | 400 | What Local Storage is in the browser; How to examine JavaScript code in the browser; How to run code that is part of a web application in the browser | Advent of CTF 4 |
| Challenge 5 | 500 | Discovery of SQL injections; Deducing SQL queries; Manipulating SQL queries | Advent of CTF 5 |
| Challenge 6 | 600 | How to identify a UNION SELECT; How to learn about other tables in a schema; How to use a substring | Advent of CTF 6 |
| Challenge 7 | 700 | Identify SQL injections when there are no error messages; Use SLEEP() to extract data, character for character | Advent of CTF 7 |
| Challenge 8 | 800 | What robots.txt files are | Advent of CTF 8 |
| Challenge 9 | 900 | Read error messages; Identify JSON structures in Base64; JSON Web Tokens (JWT) and the NONE algorithm; That session management is important | Advent of CTF 9 |
| Challenge 10 | 1000 | Local File Inclusions in PHP; Rainbow tables | Advent of CTF 10 |
| Challenge 11 | 1100 | How to detect filtering; How to use php://filter | Advent of CTF 11 |
| Challenge 12 | 1200 | Identifying a command injection; Using shell processing to execute commands; Redirect command output | Advent of CTF 12 |
| Challenge 13 | 1300 | Edit and Resend requests with Firefox; Identify an XML file; Extract data using PHP filters | Advent of CTF 13 |
| Challenge 14 | 1400 | Read some PHP; PHP Types | Advent of CTF 14 |
| Challenge 15 | 1500 | Type juggling in strcmp | Advent of CTF 15 |
| Challenge 16 | 1600 | Identify SSTI; Use SSTI to read program variables; Use SSTI to read files from the filesystem; Use some Python | Advent of CTF 16 |
| Challenge 17 | 1700 | Bypassing filters | Advent of CTF 17 |
| Challenge 18 | 1800 | How to identify a JavaScript injection; How to exploit a JavaScript injection | Advent of CTF 18 |
| Challenge 19 | 1900 | Bypassing the safe-eval module | Advent of CTF 19 |
| Challenge 20 | 2000 | Identify serialized data; Manipulate serialized data | Advent of CTF 20 |
| Challenge 21 | 2100 | The call_user_func function; The extract function; PHP sessions | Advent of CTF 21 |
| Challenge 22 | 2200 | Server-Side Request Forgery | Advent of CTF 22 |
| Challenge 23 | 2300 | How to identify WebSockets; How to send your own messages | Advent of CTF 23 |
| Challenge 24 | 2400 | The basics of a blockchain | Advent of CTF 24 |

Earning extra points

During this CTF competition, every player could receive a badge after solving a challenge. The badge is an image that fits the challenge in question. During the competition, two extra challenges were suddenly added, unlocked from challenge 20 and challenge 24. These challenges relate to the earned badges: there are apparently hidden messages to be found in them.

Badge Collector #2

This extra challenge was unlocked after solving challenge 20 and it’s worth 250 extra points. So, I’ve grabbed badge 20 and after some time of thinking and trying, I was able to reveal the hidden message with strings. The hidden message: thisisgreatfun.

 ~$ strings c1f93b6ee2e1cd25ea02f9a78c364b12.png
...
 2020-12-11T10:20:04+01:00
 IEND
 So far the challenge has been all about web application security. But these badges are quite something! Level 20 is a great point to add something in the mix don't you think?
 This puzzle does not have a badge, nor does the top 10 get additional points, but who doesn't like 100 extra points?
 Badge Collector #2: thisisgreatfun 

After submitting this message, I’ve earned 250 extra points.

Badge Collector #1

This extra challenge was unlocked after solving challenge 24 and it’s worth 250 extra points. After grabbing the badge from challenge 24, I tried several ways to read some information from this image. Like the previous one, I used strings, but no luck this time. As it’s an image, it holds EXIF data. So, we can try to read the EXIF data from this image. As we are working from a macOS machine, we can use the built-in utility mdls (which stands for metadata-ls) for extracting this information.

~$ mdls b915cb528c4b3d6fc4644f73ba8b829d.png

 _kMDItemDisplayNameWithExtensions      = "b915cb528c4b3d6fc4644f73ba8b829d.png"
 kMDItemBitsPerSample                   = 32
 kMDItemColorSpace                      = "RGB"
 kMDItemComment                         = "Thank you for playing Advent of CTF. I had a great time creating these challenges. I hope you had a great time solving them!  You can enter this flag for the challenge "Badge Collector #1": untilnextyear"
 kMDItemContentCreationDate             = 2020-12-11 09:41:14 +0000
 kMDItemContentCreationDate_Ranking     = 2020-12-11 00:00:00 +0000
 kMDItemContentModificationDate         = 2021-01-01 16:36:11 +0000
 kMDItemContentModificationDate_Ranking = 2021-01-01 00:00:00 +0000
 kMDItemContentType                     = "public.png" 
...

We can now read the flag from the EXIF data, the flag: untilnextyear. Does this mean that we have the next Advent of CTF in 2021? I hope so!
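Both badge tricks can be checked with one pass over the PNG chunk list. The following is an added example, not part of the original write-up or the CTF's own code: it reports text chunks and any bytes that follow IEND, which is where the strings output above shows the first message. It assumes the comment lives in a tEXt or zTXt chunk (the page does not say where it is stored), and the two sample images are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def inspect_png(blob: bytes) -> dict:
    """Walk the chunk list; collect text chunks and any bytes after IEND."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, text, chunks = len(PNG_SIG), {}, []
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            raise ValueError("truncated chunk")
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + data):
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        chunks.append(ctype.decode("latin-1"))
        pos += 12 + length
        key, _, rest = data.partition(b"\x00")
        if ctype == b"tEXt":      # keyword, NUL, Latin-1 text
            text[key.decode("latin-1")] = rest.decode("latin-1")
        elif ctype == b"zTXt":    # keyword, NUL, method byte, zlib stream
            raw = zlib.decompressobj().decompress(rest[1:], 1 << 20)  # cap output size
            text[key.decode("latin-1")] = raw.decode("latin-1")
        elif ctype == b"IEND":    # anything past this chunk is not image data
            break
    return {"chunks": chunks, "text": text, "trailing": blob[pos:]}

def sample_badges():
    """Constructed 1x1 samples: one with a tEXt comment, one with bytes after IEND."""
    ihdr = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    idat = make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    iend = make_chunk(b"IEND", b"")
    comment = make_chunk(b"tEXt", b"Comment\x00constructed-comment")
    with_comment = PNG_SIG + ihdr + comment + idat + iend
    with_trailer = PNG_SIG + ihdr + idat + iend + b"constructed trailing note\n"
    return with_comment, with_trailer

if __name__ == "__main__":
    for name, blob in zip(("comment", "trailer"), sample_badges()):
        report = inspect_png(blob)
        print(name, report["chunks"], report["text"], report["trailing"])
```

A non-empty trailing field or an unexpected text chunk is also a useful signal when screening uploaded images, since neither affects how the image renders.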

Looking forward to the next CTF competition. Thanks for creating and hosting this CTF challenge!

T13nn3s

I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.
