First off, running python3 sherlock 0xDarkArmy gives us hits on Reddit, Instagram and Twitter, among others.
While nothing interesting was found on Twitter or Instagram, there was a QR code posted on the Reddit page.
Scanning the QR code, we are directed to a .onion site, openable in Tor.
At first look it seems like a static template page. However, navigating to /robots.txt we get half of the flag: darkctf{S0c1a1_D04k_
Opening up developer tools and going to the 'Network' tab, we can see that in the GET request to the page, there is a custom HTTP header Flag: under Date. This contains the second half of the flag: _w3b_051n7}
darkctf{S0c1a1_D04k_w3b_051n7}
Try to find username and password.
Website: http://simplesql.darkarmy.xyz/.
In the source we see the comment <!-- Try id as parameter -->.
Injecting a simple ?id=1 or 2=2 gives us the response Username : LOL Password : Try.
Trying ?id=2 or 2=2 gives us a different response, Username : Try Password : another, so I tried a few more till at http://simplesql.darkarmy.xyz/?id=9%20or%202=2 you get the flag.
darkCTF{it_is_very_easy_to_find}
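Why `?id=1 or 2=2` changes the result, and how the lookup should have been written, shown as an added example that is not the challenge's code. The table, its rows and the function names are constructed for illustration, and SQLite stands in for whatever database the site used.

```python
import re
import sqlite3

def make_db():
    """In-memory table with constructed rows (not the challenge's data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "pw-one"), (2, "bob", "pw-two"), (9, "admin", "constructed-secret")],
    )
    return db

def lookup_vulnerable(db, id_param):
    # The raw query-string value becomes part of the SQL text, so
    # "1 or 2=2" turns the WHERE clause into a condition that is always true.
    sql = "SELECT username, password FROM users WHERE id = " + id_param + " ORDER BY id"
    return db.execute(sql).fetchall()

def lookup_hardened(db, id_param):
    # Accept only a plain decimal integer, then pass it as a bound parameter
    # so the value can never be parsed as SQL.
    if not re.fullmatch(r"[0-9]{1,9}", id_param):
        raise ValueError("id must be a decimal integer")
    sql = "SELECT username, password FROM users WHERE id = ? ORDER BY id"
    return db.execute(sql, (int(id_param),)).fetchall()

def demo():
    db = make_db()
    results = {"vulnerable": lookup_vulnerable(db, "1 or 2=2")}
    try:
        results["hardened"] = lookup_hardened(db, "1 or 2=2")
    except ValueError as exc:
        results["hardened"] = f"rejected: {exc}"
    results["hardened_valid"] = lookup_hardened(db, "1")
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```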
taking small Bites of Bytes
File
Looks hard to reverse, but really it just checks a function's output.
Put a breakpoint on both checks.
Set the value of eax to 0 to pass them.
Get the flag.
darkCTF{4rgum3nts_are_v3ry_1mp0rt4nt!!!}
I lost my phone while I was travelling back to home but I was able to get back my eNB ID, MCC and MNC could you help me catch the tower it was last found. Note: decimal value up to 1 digit
So firstly, after seeing what they have said about the eNB ID, MCC, and MNC, I decided to look up what they meant:
eNB ID: used to identify an eNodeB uniquely
MCC: mobile country code
MNC: mobile network code
You can distinguish which one is which by knowing that the MCC and MNC are both 3 digits, so 81097 must be the eNB ID.
We can use the MCC and MNC to find out that the cell tower is in the US, and that its provider is AT&T. Now we need to triangulate the cell tower, so after a bit of googling I found a website called cellmapper.net, where you can specify the eNB ID, MNC and MCC. Finally, you get the lat/long coordinates by clicking on the location, which are 32.8464489 and -24.554806.
Because the briefing says the format is darkCTF{latitude, longitude} to 1 decimal place, we know that the flag is DarkCTF{38.4, 24.5}
The rounding is very odd
Mr.Wolf was doing some work and he accidentally deleted the important file can you help him and read the file? ssh ctf@findme.darkarmy.xyz -p 10000 password: wolfie
Running ps aux to see the running processes showed us that the command tail -f /home/wolf1/pass was running at PID 10. However, in the /home/wolf1 directory, this file was not to be found.
After googling how to view the contents of a background process, I ran the command cat /proc/10/fd/* and got mysecondpassword123.
Since there was a wolf2 directory, I figured this was the password for wolf2, so running su wolf2 and inputting this as the password means we are now wolf2. List the files and get the flag.
darkCTF{w0ahh_n1c3_w0rk!!!}
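The /proc/10/fd read works because Linux keeps a deleted file's data alive while any process holds it open. The added example below (not part of the original writeup, Linux only) lists such descriptors and recovers their contents, which is also how a responder finds secrets or evidence that `rm` did not actually remove. The temporary file and its contents are constructed, and the function names are hypothetical.

```python
import os
import tempfile

def deleted_open_files(pid="self"):
    """Return sorted (fd, link_target) pairs for descriptors whose file was unlinked."""
    fd_dir = f"/proc/{pid}/fd"
    found = []
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor was closed between listdir() and readlink()
        # The kernel appends " (deleted)" to the link target of an unlinked file.
        if target.endswith(" (deleted)"):
            found.append((int(name), target))
    return sorted(found)

def read_via_fd(pid, fd, limit=4096):
    """Reopen the still-allocated inode through procfs and read from offset 0."""
    with open(f"/proc/{pid}/fd/{fd}", "rb") as fh:
        return fh.read(limit)

def demo():
    # Constructed scenario: this process holds a file open, then deletes it,
    # standing in for the tail -f process holding /home/wolf1/pass.
    tmp = tempfile.NamedTemporaryFile(delete=False, prefix="pass_")
    tmp.write(b"constructed-secret\n")
    tmp.flush()
    os.unlink(tmp.name)
    try:
        marker = os.path.basename(tmp.name)
        return [
            (target, read_via_fd("self", fd))
            for fd, target in deleted_open_files()
            if marker in target
        ]
    finally:
        tmp.close()

if __name__ == "__main__":
    for target, data in demo():
        print(target, data)
```

Reading another user's /proc/PID/fd entries requires the same privileges as reading that process's files, so run it as root when sweeping a whole host.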
Don't Try to break this jail.
ssh wolfie@linuxstarter.darkarmy.xyz -p 8001 password : wolfie
SSHing in and running echo $SHELL shows us we have an rbash shell, that is, a restricted shell.
Googling how to bypass this, I found you could add 'bash --noprofile' to the end of the ssh command.
So running ssh wolfie@linuxstarter.darkarmy.xyz -p 8001 'bash --noprofile' gives us an unrestricted shell. From there, just cd imp and cat flag.txt to get the flag.
darkCTF{h0pe_y0u_used_intended_w4y}
Wolfie is doing some illegal work with his friends find his contacts.
File
Opening the file in Autopsy, we can see some emails. In the headings of some, you could see parts of the flag.
Alternatively, this challenge could be done by opening the file in Mousepad and using Ctrl+F to search for 'darkctf{'
darkCTF{C0ntacts_4re_1mp0rtant}
Wolfie getting free games from somewhere. Find the full url to that game. Note: Use the same file provided in Wolfie's Contacts Flag Format: darkCTF{http://site}
file
Using the same file from Wolfie's contacts, I searched for the string http:// in Autopsy.
There were a few results but one was a .zip so I assumed this was the game.
darkCTF{http://aries.dccircle34.com/realitydownloadgo/c4d37739ca3dc3ed2d4852395d5ed228/784b4647446e334c58556e5473326556422e624f612e51432e4a6472/2019/07/31/PencakSilat2_1.zip}
"Hello, hello, Can you hear me, as I scream your Flag! "
file
Opening the file in Sonic Visualiser, you can see two audio streams. Separate the streams and then add a spectrogram layer. Play around with the colour settings to see the flag more clearly.
darkCTF{1_l0v3_5p3ctr3_fr0m_4l4n}
We know the plaintext starts with darkCTF{ so using this as the key, you'll get the actual key outputted.
Therefore using the key 1337hack gives us the flag.
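Why decrypting with the known prefix reveals the key, as an added example that is not from the original writeup. It assumes the cipher was repeating-key XOR, which the page does not name; the sample plaintext is constructed, only the prefix darkCTF{ and the key 1337hack come from the page. It goes slightly beyond the case above by also handling a key shorter than the known prefix.

```python
from itertools import cycle

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated to the data's length."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def keystream_from_prefix(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """ciphertext XOR known plaintext = the key bytes used at those positions."""
    return xor_bytes(ciphertext[:len(known_prefix)], known_prefix)

def shortest_period(stream: bytes) -> bytes:
    """Smallest repeating unit of the recovered bytes (key shorter than the prefix)."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream

def recover(ciphertext: bytes, known_prefix: bytes):
    """Return (key, plaintext) for a key no longer than the known prefix."""
    key = shortest_period(keystream_from_prefix(ciphertext, known_prefix))
    return key, xor_bytes(ciphertext, key)

# Constructed sample: not the challenge's ciphertext or flag.
SAMPLE_PLAINTEXT = b"darkCTF{constructed_sample_not_the_real_flag}"
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, b"1337hack")

if __name__ == "__main__":
    key, plaintext = recover(SAMPLE_CIPHERTEXT, b"darkCTF{")
    print(key, plaintext)
```

If the key is longer than the known prefix, only its first bytes are recovered and the rest of the output stays garbled. A predictable message header paired with a short repeating key therefore gives no confidentiality.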