Cyber Apocalypse 2021 - Challenges

AlienPhish

Unzip the downloadable file and view the slide1.xml.rels file. Inside is a command with some of the text backwards. Flip the text and decode the base64 for the flag.
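
The same check written as a triage script for an analyst, added here as an example and not part of the original write-up: it lists the external relationships in a .rels file and tries each long base64-looking token both as-is and reversed. The sample XML, its command and the encoded value are constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
TOKEN = re.compile(r"[A-Za-z0-9+/=]{16,}")  # long base64-looking runs

# Constructed sample standing in for slide1.xml.rels; the command and the
# encoded value are made up for this example, not taken from the challenge.
HIDDEN = base64.b64encode(b"constructed{not_the_real_flag}").decode()[::-1]
SAMPLE_RELS = f"""<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="urn:constructed:slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="urn:constructed:hyperlink" TargetMode="External" Target="cmd.exe%20/c%20echo%20{HIDDEN}"/>
</Relationships>"""


def external_targets(rels_xml):
    """Return (Id, Target) for every relationship marked TargetMode="External"."""
    root = ET.fromstring(rels_xml)
    return [(rel.get("Id"), rel.get("Target", ""))
            for rel in root.iter(REL_NS + "Relationship")
            if rel.get("TargetMode") == "External"]


def decode_text(token):
    """Strict base64 decode; None unless the result is printable ASCII."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # bad alphabet/padding or non-ASCII bytes
        return None
    return text if text and text.isprintable() else None


def triage(rels_xml):
    """List (Id, orientation, decoded text) hidden in external targets."""
    findings = []
    for rel_id, target in external_targets(rels_xml):
        # Targets are percent-encoded; decode first so "%20" does not
        # glue stray characters onto the front of a token.
        for token in TOKEN.findall(unquote(target)):
            for label, candidate in (("as-is", token), ("reversed", token[::-1])):
                text = decode_text(candidate)
                if text:
                    findings.append((rel_id, label, text))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RELS):
        print(finding)
```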

Authenticator

Open the downloadable file with Ghidra and look through the functions. The check pin function contains a string with a ^9 next to it. Take the string to CyberChef and XOR it with a key of 9 to get the flag.

BlitzProp

View the website and intercept the traffic with Burp. A hint is given in the song names, since AST is capitalized. Check out AST Injection for some more info. Insert a command to read the directory the flag is in, and then read the flag itself once you have the name.

CAAS

Have the website request file:/flag to read the flag.

MiniSTRYplace

Viewing the downloadable file tells us that requests with ../ will be replaced with a space. Exploit the LFI vulnerability by putting ..././.../. before the file to read the flag.