Africa Hackon CTF – 2019

This is a CTF series which was created by Africa Hackon for their 6th conference which was being hosted at United States International University – Africa (USIU-A). The CTF was 24 hours long which had various type of challenges which included web, steganography, pwnanble, mobile forensics, steganography and cryptography.

I began the CTF by doing the steganography where it was divided into two subsections 1. Which was named waves and the other one was mr eventruary, I don’t know where they got their naming schemes from but the second one is very weird.

  1. STEGANOGRAPHY
  2. WAVES

I started up with waves, well this made sense cause it was an audio steganography, so as what a normal person would do I played the audio and the only thing that I could hear was beeping noises, is when I realized it was Moores code, after realizing that I downloaded the file and was trying to figure out how would I translate the audio into text then I remembered a good friend of mine once told me that Google is your best friend, so I went and googled online audio Moores code translator.

I then clicked on the following link which took me to an online audio translator httpsss://morsecode.scphillips.com/labs/decoder/

I uploaded the audio file and the bellow text appeared, and once I read  the text I was puzzled it didn’t make sense to me so I was thinking to my self was flag really on the audio wave, then after reading the paragraph properly I realized that the flag started from “hidden in the audio waves”  

Once I tried it out in this format AH{H 1 D D 3 N I N A U D I O W A V 3 S} it was successful and scored some points for it.

  • MR EVENTRUARY

Next, I went to the mr eventruary challenge once I began the challenge I found that there was an image file as shown below, which was written AH{eventuary_decoy} so I went on and downloaded the image and my first instinct was to check if there was any text inside the binary or data file by using the tool called strings but unfortunately there wasn’t anything there, then the next thing was to check the exif of the image and found that there was nothing there also.

The next thing was to check for embedded files or executable codes where I used binwalk. Binwalked reviled that there was a zipped file which was embedded on the image.

the next thing I had to extract the file from the image where I used the following command to achieve that which was binwalk -e “name of the image”.

After extracting the image the next step was to open the extracted file and I realized that the file was encrypted which required a password to see the contents, so to achieve this I used a tool called Fcrackzip. I used the following commands of fcrack zip in order to brute force the password fcrackzip -b -c ‘aA1!’ -l 1-10 -u  7055A.zip

Patience is a virtue when doing brute force and after waiting for like 5 mins I eventually got the password and then fed the password to the zipped folder and it opened.

After extracting the folder I found that there was a lot of binary files, bash file and a text file, I scrolled to the end of the file and opened the file flagapw

After opening the file I managed to get the other flag which made me so happy and more determined to do other challenges.

The next challenge that I went for was cryptography, this was one of the trickiest for me cause here you had to be familiar with the different type of encoding systems.

CRYPTOGRAPHY

  • MANIFESTO

The first challenge here was called MANIFEST, once opened up the file I was shocked and found a bunch of random numbers but the way they were formatted I knew that it was a sentence which was being encoded so I had to find out what encoding system

So I had to get to google and do my research, after hours of googling I decided to google a random attempt, I know what I googled might sound funny but it was actually fruitful, I googled “what encoding system has numbers only” and after exploring different web pages I eventually managed to get one where after pasting the encoded text it gave me plain text and here is where I learnt that this type of encoding system was called Octal ASCII.

After decoding the text I found the flag In between the text when I submitted the flag it wasn’t going through, I had to change the format of the flag in order to successfully submit it. Notice that the flag was ah{e4sy_t4sk} but apparently the flag was supposed to be submitted in this format AH{e4sy_t4sk}

The last challenge that I went for was the web challenge which was kind of relatively easy not compared to the others which were kind of tricky.

  • WEB
  • Access – right authentication

I opened the web page and after finishing loading a web page popped up and the immediate thing, I did first was to check for robots which didn’t work and next went to the source code and found nothing important there too.

The next thing I had to inspect the page elements of the page and after going through each line of code I found the flag just sitting there waiting to be collected, the flag was AH_flag_2019_{586f7249734e6f74536f6f533363757233

  • Easy Flags

The last web challenge I did was called easy flags, well it was easy but it was tricky to me since it wasn’t something I’m used to.

So as usual, I began to check the web page and I clicked on the grab ze flag button and the next thing I knew am redirected on a 404 error page, But after checking the error I noticed something odd if you check the URL you will see /can_y#u_get_the_flag?! But on the page error it just ends at /can_you, it seems the browser isn’t recognizing starting from the hash up to the end.

After hours of looking, I came to realize that the website URL was using an Html encoding system which made the browser not to read the part starting from the # sign. So I googled as usual and clicked the following link  httpsss://www.w3schools.com/tags/ref_urlencode.asp

And found the page was talking about HTML URL encode.

After checking the table, I realized that I had to replace the # with the sign that the URL could understand which was %23 and at the end with %3F once after doing the replacement and pressing enter the flag was right over there AH_CTF_2019_{y0u_4r3_3l_3nc0d1ngs}

SUMMARY

There are a lot of things that this CTF has helped me learn which I never learnt before from each challenge that I had done

  1. On the web challenge easy flags, I managed to learn about URL encoding
  2. On cryptography the manifest challenge I managed to learn about the Octal Ascii which I didn’t know about
  3. On steganography mr eventruary challenge I managed to learn that you could extract a hidden file from an image using binwalk itself
  4. The last thing that I learnt was to be patient when you’re doing any type of brute force attack.

Note: the challenges done by the author weren’t the only challenges but due to time constraints and trial and error, those were the only challenges that the author managed to do on this CTF competition.

Download A.H CTF 2019

Leave a Reply

Your email address will not be published. Required fields are marked *