TMCTF Qualification Round 2015 - Crypto 300
Description for this challenge was:
Capture the flag competitors playing to kill time
Description for this challenge was:
This is how I solved VirusClicker
This is how we solved Forensics 150 :)
The clues given to us were the following.
A game that you can click to grow your grass! Neat! Well let us take a look around shall we? If you take a look at the source code under the premium section there is an interesting JS segment:
Here are the trivia answers:
As we navigate to http://challs.ctf.site:10000/hackersmarket/
we see a 'hackersmarket' where you can buy and sell exploits! Well, let us see if we can break in and steal the exploits ourselves shall we? :) As we navigate to the separate pages you can see the p
parameter changing of the index.php
file changing. The unconventional .tpl extension is being used to reference page content. This looks ripe for a local file inclusion attack! Typically this involves ../../../../../passwd
which should be displayed, but inclusion of and ..\
appears to cause a redirect to the home page. Looking some more we see 1NULLo3KCSKeCZeDQc7ZxY8xcbYiDGrnbY
for a bitcoin address. That NULL
looks out of place, maybe a clue? Simply doing http://challs.ctf.site:10000/hackersmarket/index.php?p=index.php
displays the page overlapped, so this indicates the code is being executed twice. If we look at the page source there is some PHP code:
Description given : IVFU662CIFJUKXZTGJPWG2DBNRWH2=== Dosent look base64, lets try base32 Flag: EKO{BASE_32_chall}
We are now live!! :)