TCS HackQuest Season 7 Round 1 Writeup
TCS HackQuest is a campus-level cyber security competition, similar to other Capture the Flag (CTF) events conducted across the globe, in which participants find as many flags as they can within six hours. The challenges are divided into categories such as Web exploitation, Forensics, Reverse engineering, etc.
I was able to solve all 10 questions, and in addition I solved one extra question from the reverse engineering category. I found the CTF to be of easy to intermediate difficulty, with some questions requiring a bit of guessing along the way.
Web Exploitation
Strand Match
A login web application which asks for a user ID and the flag itself.
It was a simple challenge exploiting the loose string comparison of a PHP site. The site was a simple login form.
Simply submitting the Flag variable as an array instead of a string gives us the flag.
Agent 007
A simple company web page.
By simply checking out the robots.txt file we get:
Checking out sitemap of the website also reveals some interesting endpoints:
devl0per.html is an interesting endpoint, so I intercepted the web request and changed the User-Agent header to HQBOT.
It returns a redirect; following it with the same User-Agent gives us the flag.
Sassy Spaghetti
A web page with Guest / basic privileges.
Checking robots.txt gives an endpoint to the old version of the main website, which had the source code clearly visible.
<?php
// First visit: build a guest User, serialize() it and hand it to the client as the session cookie
class User{
    public string $name;
    public string $role;
    public bool $haveTicket;
}
$userobj=new User();
$userobj->name="guest";
$userobj->role="Guest";
$ser_obj=serialize($userobj);
$cookiee=base64_encode($ser_obj);
if(!isset($_COOKIE["session"])){
    setcookie("session",$cookiee,time()+86400*30,"/","",TRUE,TRUE);
    header('Location: /check.php');
}
?>
<?php
// The check: the cookie is base64-decoded and unserialize()d straight from the client,
// with no signature or server-side lookup, so every field is attacker-controlled
if(isset($_COOKIE["session"])){
    $resobj=unserialize(base64_decode($_COOKIE["session"]));
    if($resobj->name=="hqadmin" && $resobj->role=="Administrator" && $resobj->haveTicket==TRUE){
        echo '<img src="Flag.gif" width="480" height="auto" frameborder="0" allowfullscreen=""><br>';
        echo "HQ7{404 Flag not found}";
    }
    else{
        echo "<h2>You don't have Administrator role.</h2>";
        echo '<img src="Ticket.gif" width="60%" height="auto" frameborder="0" allowfullscreen="">';
    }
}
?>
So simply crafting the PHP object, base64-encoding it and sending it as the session cookie (I used Burp Suite) will get us our flag.
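To make the trust problem concrete, here is an added Python example (not part of the original write-up or the challenge code). It builds the cookie exactly the way the leaked source does, base64 of a serialize()d User object, shows that the check reads every field straight from the client, and then shows the HMAC check a server would need before accepting such a cookie. SECRET is a placeholder value, not a real key.

```python
import base64
import hashlib
import hmac
import re

# Added example, not the challenge's own code. Reproduces the cookie format the
# leaked source uses (base64 of a serialize()d User object) and contrasts it with
# an HMAC-signed cookie. SECRET is a placeholder value.

def php_serialize_string(value: str) -> str:
    """PHP serialize() form of a string: s:<byte length>:"<value>";"""
    return f's:{len(value.encode("utf-8"))}:"{value}";'

def php_serialize_user(name: str, role: str, have_ticket: bool) -> str:
    """serialize() output for class User with its three public properties."""
    props = (php_serialize_string("name") + php_serialize_string(name)
             + php_serialize_string("role") + php_serialize_string(role)
             + php_serialize_string("haveTicket") + ("b:1;" if have_ticket else "b:0;"))
    return f'O:4:"User":3:{{{props}}}'

def session_cookie(name: str, role: str, have_ticket: bool) -> str:
    """Cookie value exactly as the site builds it: base64(serialize($userobj))."""
    return base64.b64encode(php_serialize_user(name, role, have_ticket).encode()).decode()

PAIR_RE = re.compile(r's:\d+:"([^"]*)";s:\d+:"([^"]*)";')
BOOL_RE = re.compile(r's:10:"haveTicket";b:([01]);')

def parse_session_cookie(cookie: str) -> dict:
    """Read back what check.php will unserialize(): every field comes straight from the client."""
    data = base64.b64decode(cookie).decode()
    fields = dict(PAIR_RE.findall(data))
    m = BOOL_RE.search(data)
    fields["haveTicket"] = bool(int(m.group(1))) if m else False
    return fields

SECRET = b"placeholder-server-side-secret"  # placeholder; keep real keys out of source

def sign_cookie(body: str, key: bytes = SECRET) -> str:
    """Append an HMAC-SHA256 tag so any client-side edit of the body is detectable."""
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify_cookie(signed: str, key: bytes = SECRET):
    """Return the body if its tag verifies, else None; compare_digest avoids timing leaks."""
    body, _, tag = signed.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body if hmac.compare_digest(tag, expected) else None
```

The signed variant only fixes the integrity problem; the safer design is to not unserialize() client data at all and keep the role server-side, keyed by an opaque session ID.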
Miscellaneous
Nemo
A web application log file was given.
By simply searching for “HQ7”, as it is the flag format, I discovered the flag as well as an RCE endpoint.
Rorschach Test
A text file was given which contained the string “Wahzaa !! ” many times.
Simply replacing “Wahzaa !! ” with an empty string and doing some formatting gives us the flag.
Onion Head
A pdf file was given.
Running strings on the file gave an interesting hexadecimal block.
Converting it from hex using CyberChef gave a Zip file.
Extracting it gave flag.png.
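The same strings-then-hex-decode-then-unzip chain can be scripted so it also checks the magic bytes before trusting the decode. The following is an added Python example, not the challenge file or the author's tooling: it builds a stand-in PDF-like byte stream with a zip archive embedded as an ASCII hex block (constructed data), then carves it back out.

```python
import io
import re
import zipfile

# Added example, not the challenge file: a constructed PDF-like stream with a zip
# archive embedded as ASCII hex, and the carving steps the write-up does by hand.

def build_sample_pdf() -> bytes:
    """Build a stand-in for the challenge PDF: header, an object, a hex-encoded zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.png", b"\x89PNG\r\n\x1a\n" + b"constructed image bytes")
    hex_block = buf.getvalue().hex()
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"2 0 obj\n<< >>\nstream\n" + hex_block.encode() +
            b"\nendstream\nendobj\n%%EOF\n")

def find_hex_blocks(data: bytes, min_len: int = 64) -> list[bytes]:
    """Mimic `strings`: printable runs made only of hex digits, long and of even length."""
    runs = re.findall(rb"[0-9a-fA-F]{%d,}" % min_len, data)
    return [r for r in runs if len(r) % 2 == 0]

def carve_zip_members(data: bytes) -> dict[str, bytes]:
    """Decode each hex block; if it starts with the zip local-header magic, extract its members."""
    members = {}
    for block in find_hex_blocks(data):
        raw = bytes.fromhex(block.decode())
        if not raw.startswith(b"PK\x03\x04"):
            continue  # hex, but not a zip: skip rather than guess
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            for name in zf.namelist():
                members[name] = zf.read(name)
    return members

if __name__ == "__main__":
    for name, content in carve_zip_members(build_sample_pdf()).items():
        print(name, len(content), "bytes")
```

The magic-byte check is the part worth keeping when you automate this: a long hex run in a document is not necessarily an archive, and feeding arbitrary bytes to an extractor without checking is how you end up running a decoder on the wrong thing.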
Forensics
Lure
A word file was given.
The extension was .docm; the “m” stands for macro-enabled. To extract the macro code, I used olevba.
To deobfuscate the code I simply replaced the invoke expression command with ActiveDocument.Content.InsertAfter Text:=, which prints the output into the Word document instead of executing it. I used the built-in macro editor in Microsoft Word to run the script.
It gave out a huge base64-encoded string.
I used CyberChef to decode the base64 string, which gave a PowerShell script.
Decoding the base64 string inside that one again gave the main PowerShell script.
The $mainInfo variable contains the flag as ASCII values.
Shallot Discover
A Docker repository folder was given.
Checking the JSON files gave the location of the flag.
One of the folders contained a layer.tar archive, which contained the file “.WhatsInside.txt” with our flag encoded using ROT13.
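Walking an exported image by hand works for one layer; the following added Python example (not the challenge image or the author's steps) does the same walk over a constructed docker-save-style directory: read manifest.json, open each listed layer.tar, find the file by name and ROT13-decode it. The layer id, the tag and the placeholder flag text are constructed values.

```python
import codecs
import io
import json
import os
import tarfile
import tempfile

# Added example, not the challenge's image: a constructed `docker save`-style
# directory (manifest.json plus one layer.tar) and the manifest-driven layer walk.

LAYER_DIR = "0123abcd_constructed_layer_id"  # placeholder layer id, not a real digest

def build_sample_image(root: str, secret: str = "HQ7{constructed_placeholder}") -> str:
    """Write a fake image export under root and return its path."""
    layer_path = os.path.join(root, LAYER_DIR)
    os.makedirs(layer_path)
    with tarfile.open(os.path.join(layer_path, "layer.tar"), "w") as tar:
        files = [("etc/hostname", b"ctf\n"),
                 (".WhatsInside.txt", codecs.encode(secret, "rot13").encode())]
        for name, content in files:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    manifest = [{"Config": "config.json", "RepoTags": ["sample:latest"],
                 "Layers": [LAYER_DIR + "/layer.tar"]}]
    with open(os.path.join(root, "manifest.json"), "w") as fh:
        json.dump(manifest, fh)
    return root

def find_in_layers(root: str, wanted: str) -> dict[str, bytes]:
    """Return {layer: content} for every layer whose tar contains a file named `wanted`."""
    with open(os.path.join(root, "manifest.json")) as fh:
        manifest = json.load(fh)
    hits = {}
    for entry in manifest:
        for layer in entry["Layers"]:
            with tarfile.open(os.path.join(root, layer)) as tar:
                for member in tar.getmembers():
                    if member.isfile() and os.path.basename(member.name) == wanted:
                        hits[layer] = tar.extractfile(member).read()
    return hits

def recover_flag(root: str) -> str:
    """Read the single hit and undo the ROT13."""
    hits = find_in_layers(root, ".WhatsInside.txt")
    (content,) = hits.values()
    return codecs.decode(content.decode(), "rot13")

def demo() -> str:
    with tempfile.TemporaryDirectory() as tmp:
        return recover_flag(build_sample_image(tmp))

if __name__ == "__main__":
    print(demo())
```

Reading members through extractfile() instead of extractall() is deliberate: layer tars from untrusted images can carry absolute or ../ paths, and inspecting in memory sidesteps that entirely.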
Dull Drip
A git-initialized folder of LinPEAS was given.
I simply used the git log command to check the logs and found an interesting entry. Then I used git revert to roll back to the initial state.
This gave out flag.txt.
Reverse Engineering
Tokyo RE
The encrypted flag was given along with a Python compiled file containing the encryption logic.
I used uncompyle6 to decompile the .pyc file, then wrote a Python script to decrypt the flag.
flag = [72, 82, 57, 126, 55, 58, 128, 128, 103, 121, 61, 63, 134, 134, 139]
enc = []
# each character code was shifted up by its index, so subtract the index back
for i in range(0, len(flag)):
    enc.append(chr(flag[i] - i))
for k in enc:
    print(k, end="")
Lame Rev
Another challenge similar to the previous one. It was only up for a few minutes for me, so I was not able to submit the flag on the portal.
I used uncompyle6 to decompile the Python compiled file and wrote a Python script to decrypt the flag.
l1 = [74, 82, 57, 124, 54, 109, 118, 52, 116, 111, 54, 117, 53, 96, 81, 113, 53, 115, 54, 117, 51, 112, 112, 126]
Encrypted = []
# even positions were shifted by 2, odd positions by 1
for i in range(len(l1)):
    if i % 2 == 0:
        Encrypted.append(chr(l1[i] - 2))
    else:
        Encrypted.append(chr(l1[i] - 1))
for k in Encrypted:
    print(k, end="")
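Both of these ciphers subtract a small index-dependent offset from each character code, so they can share one solver. The following is an added Python example (not the challenge code and not from the write-up) that generalizes the two scripts above: it takes the offset rule as a function, confirms the rule by re-encrypting, and also shows how the rule can be recovered from the flag format alone, using "HQ7{" as a known-plaintext crib over a small family of candidate rules, which is the fallback when the .pyc is not available. The candidate family (linear in the index, or parity-based) is an assumption chosen to cover both challenges.

```python
# Added example, not the challenge code: one solver for both index-offset ciphers,
# with a round-trip check and a crib search over a small, assumed family of rules.
from collections.abc import Callable

TOKYO = [72, 82, 57, 126, 55, 58, 128, 128, 103, 121, 61, 63, 134, 134, 139]
LAME = [74, 82, 57, 124, 54, 109, 118, 52, 116, 111, 54, 117, 53, 96, 81, 113,
        53, 115, 54, 117, 51, 112, 112, 126]

def decrypt(values: list[int], offset: Callable[[int], int]) -> str:
    """Undo the shift: each code had offset(i) added, so subtract it."""
    return "".join(chr(v - offset(i)) for i, v in enumerate(values))

def encrypt(text: str, offset: Callable[[int], int]) -> list[int]:
    """Forward transform implied by the decrypt scripts: add offset(i) to each code."""
    return [ord(c) + offset(i) for i, c in enumerate(text)]

def solve(values: list[int], offset: Callable[[int], int]) -> str:
    """Decrypt and verify the rule really inverts the transform for this input."""
    plain = decrypt(values, offset)
    if encrypt(plain, offset) != values:
        raise ValueError("offset rule does not round-trip")
    return plain

def candidate_rules():
    """Assumed family: linear in the index (covers Tokyo RE) or parity-based (covers Lame Rev)."""
    for a in range(-3, 4):
        for b in range(0, 11):
            yield f"linear offset={a}*i+{b}", (lambda i, a=a, b=b: a * i + b)
    for even in range(0, 11):
        for odd in range(0, 11):
            yield f"parity offset even={even} odd={odd}", (lambda i, e=even, o=odd: e if i % 2 == 0 else o)

def crib_search(values: list[int], crib: str = "HQ7{") -> list[tuple[str, str]]:
    """Return every candidate rule whose output starts with the crib and looks like a complete flag."""
    hits = []
    for name, rule in candidate_rules():
        codes = [v - rule(i) for i, v in enumerate(values)]
        if any(c < 32 or c > 126 for c in codes):
            continue  # not printable ASCII, rule rejected before chr() can complain
        plain = "".join(map(chr, codes))
        if plain.startswith(crib) and plain.endswith("}"):
            hits.append((name, plain))
    return hits

if __name__ == "__main__":
    print(solve(TOKYO, lambda i: i))
    print(solve(LAME, lambda i: 2 if i % 2 == 0 else 1))
    for name, plain in crib_search(TOKYO) + crib_search(LAME):
        print(name, "->", plain)
```

The crib search returns a single candidate for each of the two arrays: the first four bytes pin down the rule parameters, and the closing brace plus printability rejects everything else in the family.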