N7CTF challenges

690 words

3 minutes

N7CTF challenges

2024-10-07

CTF

N7CTF

/

CTF

first of all, i want to say thank you to the organizers and everyone who had a hand in organizing this event. thanks to the ctf developers for their effort, the challenges were fun to play.
so, let’s start with the network challenges.

Network#

PORT FLOW#

the challenge was easy, just run the game and match the protocols with their ports. Screenshot from 2024-10-06 12-07-10

Protocol	Port Number
FTP	21
SSH	22
TFTP	69
HTTP	80
NetBus	12345
SMTP	25
IMAP	993
HTTPS	443
MySQL	3306
LDAP	389
ncat	31337
NTP	123

PACKET LAB#

for this challenge, you first need to enable port Fa0 on the pc. Screenshot from 2024-10-06 12-34-02

change the ip for all servers to dhcp (except, of course, the dhcp server).
in the dns server, go to the Services tab and select DNS.
Screenshot from 2024-10-06 12-37-09

so, 192.168.1.3 is the ip of CTF_SERVER, but it doesn’t give us anything.
let’s test 192.168.1.8; there is no server with this ip, but there is a strange server named Server_MESG. you can change the ip address to 192.168.1.8 and connect via the browser to this link—you will get that.

or skip all that, go to Server_MESG Services, HTTP, and click edit the image.html. XD

Binary#

BOMB GAME#

it’s just a binary to hex problem.

Key to the Vault#

use dogbolt.org and upload the vulnerable file, then look for this code 3N5ET_5UPR3MACY.
it’s the secret key you should use to get the flag. Screenshot from 2024-10-06 12-47-50

Screenshot from 2024-10-06 12-48-26

PWN the Vault#

the challenge should not include canary but i think there is a problem Screenshot from 2024-10-06 12-50-59

EMAIL#

Screenshot from 2024-10-06 18-33-08

IMAGE STEGANO#

using chatgpt, it gave this code to extract it:

1
from PIL import Image
2

3
def extract_lsb(image_path):
4
    # Open the image file
5
    img = Image.open(image_path)
6
    binary_data = ""
7

8
    # Get image size
9
    width, height = img.size
10

11
    # Loop through each pixel
12
    for y in range(height):
13
        for x in range(width):
14
            # Get the pixel value (RGB tuple)
15
            pixel = img.getpixel((x, y))
16

17
            # Extract the least significant bit from each RGB channel
18
            for color in pixel[:3]:  # Assuming RGB image, ignore alpha if exists
19
                binary_data += bin(color)[-1]  # Append the LSB of the color value
20

21
    # Split the binary string into chunks of 8 bits (1 byte)
22
    binary_chars = [binary_data[i:i+8] for i in range(0, len(binary_data), 8)]
23

24
    # Convert binary strings to characters
25
    message = ""
26
    for byte in binary_chars:
27
        char = chr(int(byte, 2))
28
        # Stop if we reach a null character (assuming message ends with a null)
29
        if char == "\x00":
30
            break
31
        message += char
32

33
    return message
34

35
# Use the function to extract the hidden message
36
image_path = "path_to_your_image.png"
37
hidden_message = extract_lsb(image_path)
38
print("Extracted message:", hidden_message)

AUDIO STEGANO#

same as before:

1
import wave
2

3
def extract_lsb_from_audio(audio_path):
4
    # Open the audio file
5
    audio = wave.open(audio_path, mode='rb')
6

7
    # Read frames and convert to byte array
8
    frame_bytes = bytearray(list(audio.readframes(audio.getnframes())))
9

10
    # Extract the LSB from each byte
11
    extracted_bits = ''.join([str(frame_bytes[i] & 1) for i in range(len(frame_bytes))])
12

13
    # Split the binary string into chunks of 8 bits (1 byte)
14
    binary_chars = [extracted_bits[i:i+8] for i in range(0, len(extracted_bits), 8)]
15

16
    # Convert binary strings to characters
17
    message = ""
18
    for byte in binary_chars:
19
        char = chr(int(byte, 2))
20
        # Stop if we reach a null character (assuming message ends with a null)
21
        if char == "\x00":
22
            break
23
        message += char
24

25
    # Close the audio file
26
    audio.close()
27

28
    return message
29

30
# Use the function to extract the hidden message
31
audio_path = "path_to_your_audio.wav"
32
hidden_message = extract_lsb_from_audio(audio_path)
33
print("Extracted message:", hidden_message)

Forensics#

Fake TP#

open the file with wireshark in the line 20 i’ve seen (text/x-sh) it may be interested to look at it click follow TCP stream you should see some functions just remove the bash in every function so it will not be executed and it should give u the flag Screenshot from 2024-10-07 10-57-38

Screenshot from 2024-10-07 11-00-51

Cryptography#

Duplicate Deception#

i found this in reddit https://www.reddit.com/r/DataHoarder/comments/gokrmx/these_different_2_images_has_the_same_md5_hash/ just upload the two files and u will get the flag

Web#

Charikat Dajaj#

capture the first request with burpsuite change the user-agent to charikat dajaj it will redirect you to login page tab anything send and capture the request, change the user-agent to charikat dajaj again, copie the request and make file .txt with it in sqlmap run

1
python3 sqlmap.py -r req.txt --dbms=MySQL --tables -T users

it should give u all the tables we can see the table users in database dbtry1 now run

1
sqlmap -r req.txt --dbms=MySQL -D dbtry1 -T users --dump

you will get the flag

Screenshot from 2024-10-06 23-14-32

Misc#

Escape 3okacha#

Blacklisted[27] i think

All challenges in : GitHub

N7CTF challenges

https://zakariaf.vercel.app/posts/n7ctf/

Author

Zakaria Farahi

Published at

2024-10-07

License

CC BY-NC-SA 4.0

Cybersecurity Day CTF