TCS HackQuest Season 7 Round 1 Writeup

Harsh Mehta
6 min read · Jan 7, 2023


TCS HackQuest is a campus-level cyber security competition similar to other Capture the Flag (CTF) events conducted across the globe: participants try to capture as many flags as possible in a duration of six hours. The challenges are divided into categories like Web Exploitation, Forensics, Reverse Engineering, etc.

I was able to solve all 10 questions and, in addition to that, I solved one extra question from the Reverse Engineering category. I found the CTF to be of easy to intermediate difficulty, with some questions requiring you to guess a few things along the way.

Web Exploitation

Strand Match

A login web application that asks for a user ID and the flag itself.

It was a simple challenge exploiting the string comparison of a PHP site. The site was a simple login form.

Request intercepted in Burp Suite

Simply turning the Flag parameter into an array (flag[] instead of flag) gives us the flag.

Adding square brackets to the Flag
Flag displayed in the alert
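Why the array trick works, as an added example rather than the challenge's own source (which is not shown in the writeup): assuming the login compared the submitted value with a loose strcmp() check, the vulnerable pattern is shown next to a type-safe, constant-time version. $SECRET_FLAG, check_flag_loose and check_flag_strict are placeholder names I introduced.

```php
<?php
// Added example, not the challenge's actual source. $SECRET_FLAG is a placeholder.
$SECRET_FLAG = 'HQ7{placeholder_flag}';

// Vulnerable pattern. On PHP 7.x, strcmp() given an array emits a warning and
// returns NULL, and NULL == 0 is true, so an array parameter passes the check.
// PHP 8 instead throws a TypeError for the array case.
function check_flag_loose($submitted, string $secret): bool
{
    return strcmp($submitted, $secret) == 0;
}

// Hardened: reject anything that is not a string before comparing, then use
// hash_equals() so the comparison is strict and constant-time.
function check_flag_strict($submitted, string $secret): bool
{
    if (!is_string($submitted)) {
        return false;
    }
    return hash_equals($secret, $submitted);
}

// Constructed inputs standing in for $_POST['flag']: a wrong string, the
// flag[]= trick from the writeup, and the correct string.
$inputs = [
    'wrong string'    => 'HQ7{nope}',
    'array (flag[]=)' => ['x'],
    'correct string'  => $SECRET_FLAG,
];

foreach ($inputs as $label => $value) {
    try {
        $loose = check_flag_loose($value, $SECRET_FLAG) ? 'PASS' : 'fail';
    } catch (\TypeError $e) {
        $loose = 'TypeError (PHP 8)';
    }
    $strict = check_flag_strict($value, $SECRET_FLAG) ? 'PASS' : 'fail';
    printf("%-16s loose=%s strict=%s\n", $label, $loose, $strict);
}
```

Run it with `php file.php` under PHP 7 to see the array input pass the loose check while the strict check rejects it; the same is_string() guard (or the equivalent validation in a framework) is what prevents the bypass regardless of which comparison function follows.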

Agent 007

A simple company web page.

Simply checking the robots.txt file, we get:

Checking out sitemap of the website also reveals some interesting endpoints:

Sitemap

devl0per.html is an interesting endpoint, so I intercepted the web request and changed the User-Agent to HQBOT.

Crafted request

It returns a redirect; following it with the same request configuration gives us the flag.

Sassy Spaghetti

A web page with Guest / basic privileges.

Checking robots.txt gives an endpoint to the old version of the main website.

robots.txt

It had the source code clearly visible.

<?php
// First page: builds a guest User object, serializes it and stores it
// base64-encoded in the "session" cookie. Nothing signs the cookie,
// so the client can change its contents freely.
class User{
    public string $name;
    public string $role;
    public bool $haveTicket;
}

$userobj=new User();
$userobj->name="guest";
$userobj->role="Guest";

$ser_obj=serialize($userobj);
$cookiee=base64_encode($ser_obj);
if(!isset($_COOKIE["session"])){
    setcookie("session",$cookiee,time()+86400*30,"/","",TRUE,TRUE);
    header('Location: /check.php');
}
?>

<?php
// Second page (presumably the /check.php the first one redirects to):
// unserializes whatever the cookie contains and grants the flag purely
// on the attribute values, which is the bug exploited here.
if(isset($_COOKIE["session"])){
    $resobj=unserialize(base64_decode($_COOKIE["session"]));
    if($resobj->name=="hqadmin" && $resobj->role=="Administrator" && $resobj->haveTicket==TRUE){
        echo '<img src="Flag.gif" width="480" height="auto" frameborder="0" allowfullscreen=""><br>';
        echo "HQ7{404 Flag not found}";
    }
    else{
        echo "<h2>You don't have Administrator role.</h2>";
        echo '<img src="Ticket.gif" width="60%" height="auto" frameborder="0" allowfullscreen="">';
    }
}
?>

So simply crafting the serialized PHP object in Burp Suite, base64-encoding it and sending it as the cookie gets us our flag.

Manipulating the cookie
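A hardened version of the cookie handling above, as an added example rather than the challenge's own code: the session is stored as JSON and protected with an HMAC, so a modified cookie is rejected before any attribute in it is trusted, and no object is ever rebuilt from client data. $SERVER_KEY, make_session, read_session and is_admin are names I introduced; the key is a placeholder that in a real deployment comes from server configuration.

```php
<?php
// Added example, not the challenge's code. $SERVER_KEY is a placeholder.
$SERVER_KEY = 'replace-with-32-random-bytes-from-config';

// Issue a cookie: base64(JSON claims) + "." + HMAC-SHA256 over that payload.
function make_session(array $claims, string $key): string
{
    $payload = base64_encode(json_encode($claims));
    $mac = hash_hmac('sha256', $payload, $key);
    return $payload . '.' . $mac;
}

// Return the claims only if the signature verifies; otherwise null.
// The MAC is checked with hash_equals() before the payload is even decoded.
function read_session(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, $key);
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    $claims = json_decode($raw, true);
    return is_array($claims) ? $claims : null;
}

// Authorization still happens server-side, but now on verified claims.
function is_admin(?array $claims): bool
{
    return $claims !== null
        && ($claims['name'] ?? '') === 'hqadmin'
        && ($claims['role'] ?? '') === 'Administrator'
        && ($claims['haveTicket'] ?? false) === true;
}

// Constructed demo: the guest cookie as the site would issue it ...
$guest = make_session(['name' => 'guest', 'role' => 'Guest', 'haveTicket' => false], $SERVER_KEY);
printf("guest cookie  -> admin? %s\n", is_admin(read_session($guest, $SERVER_KEY)) ? 'yes' : 'no');

// ... and the same cookie with its payload swapped for admin claims while the
// original MAC is kept, which is what the Burp edit from the writeup amounts to.
$forgedPayload = base64_encode(json_encode(['name' => 'hqadmin', 'role' => 'Administrator', 'haveTicket' => true]));
$forged = $forgedPayload . '.' . explode('.', $guest, 2)[1];
printf("forged cookie -> %s\n", read_session($forged, $SERVER_KEY) === null ? 'rejected (MAC mismatch)' : 'accepted');
```

If the application genuinely needs to unserialize() data, `unserialize($data, ['allowed_classes' => false])` limits which classes can be instantiated, but it does not fix the actual flaw here, which is trusting unsigned cookie contents; the signature is what makes the role claim tamper-evident.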

Miscellaneous

Nemo

A web application log file was given.

Simply searching for “HQ7”, as that is the flag format, I discovered the flag as well as an RCE endpoint.

Flag in reverse

Rorschach Test

A text file was given which contained a lot of “Wahzaa !! ” strings.

Simply replacing “Wahzaa !! ” with an empty string and doing some formatting gives us the flag.

Onion Head

A pdf file was given.

PDF

Running strings on the file gave out an interesting hexadecimal block.

Hex block

Converting the hex to ASCII using CyberChef gave out a Zip file.

Zip file header “PK” clearly visible

Extracting it gave out flag.png.

Forensics

Lure

A word file was given.

The extension was .docm; the “m” stands for macro-enabled file. To extract the macro code, I used olevba.

Obfuscated VBA Code

To deobfuscate the code, I simply replaced the Invoke-Expression command with ActiveDocument.Content.InsertAfter Text:=, which basically prints the output into the Word document. I used the built-in macro editor in Microsoft Word to execute the script.

Microsoft Word built-in macro editor

It gave out a huge base64-encoded string.

Output as Base64 encoded string

I used CyberChef to decode the base64 string which gave out a PowerShell script.

Obfuscated PowerShell Script

After decoding the base64 string again, I got the main PowerShell script.

Main PowerShell script

The $mainInfo variable contains the flag in ASCII values.

Using PowerShell to print out the variable
Converting ASCII to Char using CyberChef

Shallot Discover

A Docker repository folder was given.

Checking out JSON files gave the location for the flag.

One of the folders contained a layer.tar archive, which contained the file “.WhatsInside.txt” holding our flag encoded with ROT13.

ROT13 encoded flag

Dull Drip

A git-initialized folder was given, which contained LinPeas.

I simply used the git log command to check the logs and found an interesting entry. Then I used git revert to roll back to the initial state.

Commits made to local repo

This gave out flag.txt.

Reverse Engineering

Tokyo RE

The encrypted flag was given along with a compiled Python file (.pyc) which had the logic for the encryption.

Encrypted flag

I used uncompyle6 to decompile the .pyc file.

Decompiled logic

I coded a Python script to decrypt the flag.

# Byte values of the encrypted flag, taken from the challenge file.
flag = [72, 82, 57, 126, 55, 58, 128, 128, 103, 121, 61, 63, 134, 134, 139]
enc = []

# The encryption added each character's index to its ASCII value,
# so subtracting the index recovers the original character.
for i in range(0, len(flag)):
    enc.append(chr(flag[i] - i))

for k in enc:
    print(k, end="")

Lame Rev

Another challenge similar to the previous one; this challenge was only up for a few minutes for me, hence I was not able to submit the flag on the portal.

Encrypted flag

I used uncompyle6 to decompile the compiled Python file.

Decompiled python code for encryption logic

So, I wrote a Python script to decrypt the flag.

# Byte values of the encrypted flag, taken from the challenge file.
l1 = [74, 82, 57, 124, 54, 109, 118, 52, 116, 111, 54, 117, 53, 96, 81, 113, 53, 115, 54, 117, 51, 112, 112, 126]
Encrypted = []

# The encryption shifted characters at even positions by 2 and
# characters at odd positions by 1, so undo the matching shift.
for i in range(len(l1)):
    if i % 2 == 0:
        Encrypted.append(chr(l1[i] - 2))
    else:
        Encrypted.append(chr(l1[i] - 1))

for k in Encrypted:
    print(k, end="")
