Beyond Advent of CTF 2020

Best wishes for 2021!

December, the last month of 2020, was dominated by various Capture The Flag (CTF) competitions. If you’re not familiar with CTFs, here is a short explanation. A CTF competition consists of multiple hacking challenges that participants must complete, so you can get your hands dirty in a safe environment. The difficulty of the challenges can vary: most CTFs start with simple challenges, and as the participants complete them, the challenges become more and more difficult. A player completes a challenge by obtaining a flag and submitting it, and receives points for that flag. The number of points the player receives usually depends on the difficulty of the challenge. For example, the format of the flag can be ^FLAG^37ae568362f974017fa575f08cd215044cd6bb395c3f5e5e293ee5324ba6769c$FLAG$ (HackerOne CTF) or HTB{Th1s_ 1s_4n_3x4mpl3_fl4g} (Hack The Box).

CTFs usually have different categories of challenges. Common categories are:

  • Web: The player is presented with a website and has to find a vulnerability in the web application and hack it to get to the flag.
  • Coding (Programming): The player receives a script or program which needs to be solved. In some cases, this type of challenge can be mixed with the ‘Web’ type.
  • Reverse Engineering: The player needs to reverse engineer an executable to solve this challenge.
  • Steganography: The player needs to find hidden messages in plain-looking objects. The stego category has you use steganographic tools and your detective intuition to search for the hidden flag.
  • Forensics: In this category, the player needs to find the flag in Wireshark traces, or data recovery is involved.
  • OSINT: In this category, the player needs to find publicly available information to get to the flag.
  • Misc: This category is for challenges that do not fit in a specific category. Just another challenge which needs to be solved.

Advent of CTF 2020

This year I participated in the CTF competition ‘Advent of CTF’. This CTF was organized by the NOVI University of Applied Sciences. The challenges were built by Arjen Wiersma, the Chief Lecturer for Cyber Security at NOVI. This was the first CTF competition in which I participated. The competition started on 1 December 2020 and ended on 24 December 2020; every day a new challenge was unlocked. During this challenge, it was not allowed to use any automatic tools like sqlmap, tplmap, and so on. Everything had to be done manually. We were only allowed to use the web browser (with the Development Tools) and CyberChef. Burp Suite was also allowed, and I used this application.

Of the 416 participants, I finished in 19th place, in the top 20. For my first CTF competition, I am quite proud of this position on the scoreboard. I participated in this challenge because I want to develop my skills and learn something new. So, that’s the prize that I’ve received for participating in this CTF competition.

To get the most out of the knowledge gathering, I also published the write-ups with a walkthrough on how I solved the 24 challenges. I write these write-ups to organize my thoughts, to share the knowledge, and to summarize what I have learned. You can find my write-ups here. I hope you will like my write-ups!

Skills improvement and learning

I learned a lot during this competition. I have improved my skills and gained new knowledge and experience. It is also always fun to share your techniques with the community and learn new techniques from the community. Some challenges were difficult for me to complete, and it is always nice that someone from the community can think along with you and give you a nudge in the right direction. The CTF was 100% based on Web Exploitation. Below is an overview of the topics covered during the challenges; each challenge had its own specific topic for education.

| Challenge | Points | Learning topics | Write-up |
|---|---|---|---|
| Challenge 1 | 100 | Inspect page source; Identify and decode Base64; How the Advent of CTF system works | Advent of CTF 1 |
| Challenge 2 | 200 | How cookies are stored in a browser; Identifying structures with Base64; URL Encoding; Manipulating JSON structures | Advent of CTF 2 |
| Challenge 3 | 300 | How you can view JavaScript in your browser; Read some JavaScript to figure out what is happening; Running JavaScript you wrote yourself | Advent of CTF 3 |
| Challenge 4 | 400 | What Local Storage is in the browser; How to examine JavaScript code in the browser; How to run code that is part of a web application in the browser | Advent of CTF 4 |
| Challenge 5 | 500 | Discovery of SQL injections; Deducing SQL queries; Manipulating SQL queries | Advent of CTF 5 |
| Challenge 6 | 600 | How to identify a UNION SELECT; How to learn about other tables in a schema; How to use a substring | Advent of CTF 6 |
| Challenge 7 | 700 | Identify SQL injections when there are no error messages; Use SLEEP() to extract data, character for character | Advent of CTF 7 |
| Challenge 8 | 800 | What robots.txt files are | Advent of CTF 8 |
| Challenge 9 | 900 | Read error messages; Identify JSON structures in Base64; JSON Web Tokens (JWT) and the NONE algorithm; That session management is important | Advent of CTF 9 |
| Challenge 10 | 1000 | Local File Inclusions in PHP; Rainbow tables | Advent of CTF 10 |
| Challenge 11 | 1100 | How to detect filtering; How to use php://filter | Advent of CTF 11 |
| Challenge 12 | 1200 | Identifying a command injection; Using shell processing to execute commands; Redirect command output | Advent of CTF 12 |
| Challenge 13 | 1300 | Edit and Resend requests with Firefox; Identify an XML file; Extract data using PHP filters | Advent of CTF 13 |
| Challenge 14 | 1400 | Read some PHP; PHP Types | Advent of CTF 14 |
| Challenge 15 | 1500 | Type juggling in strcmp | Advent of CTF 15 |
| Challenge 16 | 1600 | Identify SSTI; Use SSTI to read program variables; Use SSTI to read files from the filesystem; Use some Python | Advent of CTF 16 |
| Challenge 17 | 1700 | Bypassing filters | Advent of CTF 17 |
| Challenge 18 | 1800 | How to identify a JavaScript injection; How to exploit a JavaScript injection | Advent of CTF 18 |
| Challenge 19 | 1900 | Bypassing the safe-eval module | Advent of CTF 19 |
| Challenge 20 | 2000 | Identify serialized data; Manipulate serialized data | Advent of CTF 20 |
| Challenge 21 | 2100 | The call_user_func function; The extract function; PHP sessions | Advent of CTF 21 |
| Challenge 22 | 2200 | Server-Side Request Forgery | Advent of CTF 22 |
| Challenge 23 | 2300 | How to identify WebSockets; How to send your own messages | Advent of CTF 23 |
| Challenge 24 | 2400 | The basics of a blockchain | Advent of CTF 24 |

Earning extra points

During this CTF competition, every player could receive a badge after solving a challenge. The badge is an appropriate image for the challenge in question. During the competition, two extra challenges were suddenly added, unlocked from challenge 20 and challenge 24. These challenges were related to the earned badges. There are apparently hidden messages to be found in these badges.

Badge Collector #2

This extra challenge was unlocked after solving challenge 20 and it’s worth 250 extra points. So, I grabbed badge 20 and, after some time thinking and trying, I was able to reveal the hidden message with strings. The hidden message: thisisgreatfun.

strings c1f93b6ee2e1cd25ea02f9a78c364b12.png

The response:

2020-12-11T10:20:04+01:00
IEND
So far the challenge has been all about web application security. But these badges are quite something! Level 20 is a great point to add something in the mix don't you think? This puzzle does not have a badge, nor does the top 10 get additional points, but who doesn't like 100 extra points?
Badge Collector #2: thisisgreatfun 

After submitting this message, I’ve earned 250 extra points.

Badge Collector #1

This extra challenge was unlocked after solving challenge 24 and it’s worth 250 extra points. After grabbing the badge from challenge 24, I tried several ways to read some information from this image. Like the previous one, I used strings, but no luck this time. As it’s an image it holds EXIF data. So, we can try to read the EXIF data from this image. As we are working from a macOS machine, we can use the built-in utility mdls (which stands for metadata-ls) for extracting this information.

mdls b915cb528c4b3d6fc4644f73ba8b829d.png

The output:

_kMDItemDisplayNameWithExtensions      = "b915cb528c4b3d6fc4644f73ba8b829d.png"
kMDItemBitsPerSample                   = 32
kMDItemColorSpace                      = "RGB"
kMDItemComment                         = "Thank you for playing Advent of CTF. I had a great time creating these challenges. I hope you had a great time solving them!  You can enter this flag for the challenge "Badge Collector #1": untilnextyear"
kMDItemContentCreationDate             = 2020-12-11 09:41:14 +0000
kMDItemContentCreationDate_Ranking     = 2020-12-11 00:00:00 +0000
kMDItemContentModificationDate         = 2021-01-01 16:36:11 +0000
kMDItemContentModificationDate_Ranking = 2021-01-01 00:00:00 +0000
kMDItemContentType                     = "public.png" 

We can now read the flag from the EXIF data. The flag: untilnextyear. Does this mean that we have the next Advent of CTF in 2021? I hope so!
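Both badge messages sat outside the pixel data: the strings output for badge 20 shows the text directly after the IEND marker, and the badge 24 message was in the file's metadata. The following added example (not code from the original post or from the CTF) walks a PNG's chunk list and reports text chunks, CRC failures and any bytes after IEND, which is also how such a file can be checked for smuggled content. The sample file, its strings and the `MAX_TEXT` limit are constructed for illustration; the page does not say which chunk types the real badges used.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_TEXT = 64 * 1024  # cap on decompressed zTXt size (assumed limit for this example)

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_sample() -> bytes:
    """Constructed 1x1 grayscale PNG carrying three hidden strings."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"tEXt", b"Comment\x00constructed comment")
            + chunk(b"zTXt", b"Note\x00\x00" + zlib.compress(b"constructed compressed note"))
            + chunk(b"IDAT", zlib.compress(b"\x00\x00"))
            + chunk(b"IEND", b"")
            + b"constructed trailing message\n")  # appended after the image ends

def inspect_png(blob: bytes) -> dict:
    """Walk the chunk list; return text chunks, CRC failures and post-IEND bytes."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, texts, bad_crc = len(PNG_SIG), [], []
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError("truncated chunk")
        ctype, data = blob[pos + 4:pos + 8], blob[pos + 8:end - 4]
        if struct.unpack(">I", blob[end - 4:end])[0] != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            bad_crc.append(ctype.decode("latin-1"))
        pos = end
        key, _, val = data.partition(b"\x00")
        if ctype == b"tEXt":  # keyword, NUL, uncompressed Latin-1 text
            texts.append((key.decode("latin-1"), val.decode("latin-1")))
        elif ctype == b"zTXt":  # val[0] is the compression method, then a zlib stream
            raw = zlib.decompressobj().decompress(val[1:], MAX_TEXT)
            texts.append((key.decode("latin-1"), raw.decode("latin-1")))
        elif ctype == b"IEND":
            break
    return {"text": texts, "bad_crc": bad_crc, "trailing": blob[pos:]}

if __name__ == "__main__":
    print(inspect_png(build_sample()))
```

A zTXt chunk stores its text deflate-compressed, so a plain strings pass does not show it, while bytes after IEND and tEXt chunks are stored as-is.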

Looking forward to the next CTF competition. Thanks for creating and hosting this CTF challenge, Arjen Wiersma!

This post is licensed under CC BY 4.0 by the author.