Midnight Monologues

Writing down what I study day by day

UUTCTF 2020 - Writeup

I participated in UUTCTF 2020 (Sat, 20 June 2020, 06:30 UTC - Mon, 22 June 2020, 06:30 UTC). Here are write-ups for the challenges.

Let Me In (web)

description

Go inside the website and it will show you the flag.

URL: http://185.206.93.66:800/

writeup

Access the specified URL. The /auth path is protected by basic authentication, so the correct username and password are required. The nginx version, 1.14.0, is slightly old.

# curl http://185.206.93.66:800/
<center>
<h1> hello </h1>
 <h2> if you want flag you must pass <a href="http://185.206.93.66:800/auth">this</a> auth ! </h2>
 <h3> It depends on your curiosity </h3>
</center>
# curl http://185.206.93.66:800/auth
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.14.0 (Ubuntu)</center>
</body>
</html>

With curl's -v option, the response headers turn out to contain the basic authentication username and password.

# curl -v http://185.206.93.66:800/
*   Trying 185.206.93.66:800...
* TCP_NODELAY set
* Connected to 185.206.93.66 (185.206.93.66) port 800 (#0)
> GET / HTTP/1.1
> Host: 185.206.93.66:800
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.14.0 (Ubuntu)
< Date: Sat, 20 Jun 2020 18:18:22 GMT
< Content-Type: text/html
< Content-Length: 176
< Last-Modified: Mon, 01 Jun 2020 17:29:20 GMT
< Connection: keep-alive
< ETag: "5ed53af0-b0"
< username: corona
< password: ihateyoucorona
< Accept-Ranges: bytes
< 
<center>
<h1> hello </h1>
 <h2> if you want flag you must pass <a href="http://185.206.93.66:800/auth">this</a> auth ! </h2>
 <h3> It depends on your curiosity </h3>
</center>
* Connection #0 to host 185.206.93.66 left intact

Enter the username (corona) and password (ihateyoucorona) to see the flag.

# curl -H 'Authorization: Basic Y29yb25hOmloYXRleW91Y29yb25h' http://185.206.93.66:800/auth
UUTCTF{I_J45T_H4T3_C0R0NA}
flag:UUTCTF{I_J45T_H4T3_C0R0NA}
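
The leak above is the kind of thing a response-header audit catches. The following is an added example, not part of the original write-up: it lists headers outside an allow-list (the allow-list is an assumption for this static page) and shows that the Basic credential is only base64 of "user:password".

```shell
#!/bin/sh
# Constructed sample: the response headers from the `curl -v` capture above,
# with curl's "< " prefix removed.
sample_headers() {
cat <<'EOF'
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Sat, 20 Jun 2020 18:18:22 GMT
Content-Type: text/html
Content-Length: 176
Last-Modified: Mon, 01 Jun 2020 17:29:20 GMT
Connection: keep-alive
ETag: "5ed53af0-b0"
username: corona
password: ihateyoucorona
Accept-Ranges: bytes
EOF
}

# Print every header whose name is not on the allow-list of headers this
# static page is expected to send (the allow-list itself is an assumption).
unexpected_headers() {
    allow='server date content-type content-length last-modified connection etag accept-ranges'
    tr -d '\r' | while IFS= read -r line; do
        case $line in *:*) ;; *) continue ;; esac   # skip the status line
        name=$(printf '%s' "${line%%:*}" | tr 'A-Z' 'a-z')
        case " $allow " in *" $name "*) ;; *) printf '%s\n' "$line" ;; esac
    done
}

# RFC 7617: the Basic credential is base64("user:password"),
# an encoding that anyone who sees the header can reverse.
basic_token()  { printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'; }
decode_basic() { printf '%s' "$1" | base64 --decode; }

sample_headers | unexpected_headers
basic_token corona ihateyoucorona; echo
```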

Collect the Onions (misc)

※After the tournament, the tournament organizer carefully taught me how to solve the puzzles. Thank you very much for your help.

description

Collect the onions from this hidden service!

Address: http://lyrtt5cc2mfixd5f.onion

writeup

Access the URL specified in the problem statement from the Tor network. (The Tor browser is used.)

The flag is divided into four parts, and you need to collect all four.

Part1

After establishing Tor routing, you can access the home page with the torify command and see the first part of the flag. The first part is: UUTCTF{0N10N

# torify curl http://lyrtt5cc2mfixd5f.onion/
<!DOCTYPE html>
<html lang="en">
<title>COLLECT THE ONIONS</title>
<meta charset="UTF-8">
<link rel="icon" type="image/png" href="img/logo.png"/>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="https://www.w3schools.com/w3css/4/w3.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
<style>
    body, h1, h2, h3, h4, h5, h6 {
        font-family: "Lato", sans-serif;
    }

    body, html {
        height: 100%;
        color: #777;
        line-height: 1.8;
    }

    .bgimg-1 {
        background-attachment: fixed;
        background-position: center;
        background-repeat: no-repeat;
        background-size: cover;
    }

    .bgimg-1 {
        background-image: url('img/red.jpg');
        min-height: 100%;
        filter: blur(5px);

    }

    .w3-wide {
        letter-spacing: 10px;
    }


    @media only screen and (max-device-width: 1600px) {
        .bgimg-1 {
            background-attachment: scroll;
            min-height: 400px;
        }
    }
</style>
<body>

<div class="bgimg-1 w3-display-container w3-opacity-min" id="home">
</div>

<div class="w3-display-middle" style="white-space:nowrap">


    <span class="w3-center w3-padding-large w3-xlarge w3-wide w3-animate-opacity" style="width: 150px ;height: 140px; margin: 100px; padding: 5px !important;
    display: inline-block;">
      <img src="img/p0scon1.png" width="100px">
    </span>
    <span class="w3-center w3-padding-large w3-xlarge w3-wide w3-animate-opacity" style="width: 150px; height: 140px; margin: 100px;
    display: inline-block;">
      <img src="img/unnamed.png" width="100px">
    </span>
    <span class="w3-center w3-padding-large w3-xlarge w3-wide w3-animate-opacity" style="width: 150px; height: 140px; margin: 100px;
    display: inline-block;">
      <img src="img/logo.png" width="100px">
    </span>
    <br>
    <br>
    <span class="w3-center w3-padding-large w3-xlarge w3-wide w3-animate-opacity" style="margin-left: 460px;">
      <img src="img/Scroll-White-1.gif" width="100px">
    </span>
    <br>
    <br>
    <br>
    <span class="w3-center w3-padding-large w3-black w3-xlarge w3-wide w3-animate-opacity" style="margin-left: 300px;">COLLECT THE ONIONS</span>

</div>

<div class="w3-content w3-container w3-padding-64" id="about">
    <h3 class="w3-center">Collect the Onions</h3>
    <p class="w3-center"><em>I love ONIONS</em></p>

    <p>Find the four parts, merge them, make the flag! Happy collecting!</p>
    <p>The first part is: UUTCTF{0N10N</p>

</div>
</body>
</html>

Part2

The second part appears in an HTML comment when the page is served by a different server than the one that showed the first part.

# torify curl http://lyrtt5cc2mfixd5f.onion/
<!DOCTYPE html>
<html lang="en">
<title>COLLECT THE ONIONS</title>
<meta charset="UTF-8">
<link rel="icon" type="image/png" href="img/logo.png"/>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="https://www.w3schools.com/w3css/4/w3.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
<style>
    body, h1, h2, h3, h4, h5, h6 {
        font-family: "Lato", sans-serif;
    }

    body, html {
        height: 100%;
        color: #777;
        line-height: 1.8;
    }

    .bgimg-1 {
        background-attachment: fixed;
        background-position: center;
        background-repeat: no-repeat;
        background-size: cover;
    }

    .bgimg-1 {
        background-image: url('img/red.jpg');
        min-height: 100%;
        filter: blur(5px);

    }

    .w3-wide {
        letter-spacing: 10px;
    }


    @media only screen and (max-device-width: 1600px) {
        .bgimg-1 {
            background-attachment: scroll;
            min-height: 400px;
        }
    }
</style>
<body>

<div class="bgimg-1 w3-display-container w3-opacity-min" id="home">
</div>

<div class="w3-display-middle" style="white-space:nowrap">


    <span class="w3-center w3-padding-large w3-xlarge w3-wide w3-animate-opacity" style="width: 150px ;height: 140px; margin: 100px; padding: 5px !important;
    display: inline-block;">
      <img src="img/p0scon1.png" width="100px">
    </span>
    <span class="w3-center w3-padding-large w3-xlarge w3-wide w3-animate-opacity" style="width: 150px; height: 140px; margin: 100px;
    display: inline-block;">
      <img src="img/unnamed.png" width="100px">
    </span>
    <span class="w3-center w3-padding-large w3-xlarge w3-wide w3-animate-opacity" style="width: 150px; height: 140px; margin: 100px;
    display: inline-block;">
      <img src="img/logo.png" width="100px">
    </span>
    <br>
    <br>
    <span class="w3-center w3-padding-large w3-xlarge w3-wide w3-animate-opacity" style="margin-left: 460px;">
      <img src="img/Scroll-White-1.gif" width="100px">
    </span>
    <br>
    <br>
    <br>
    <span class="w3-center w3-padding-large w3-black w3-xlarge w3-wide w3-animate-opacity" style="margin-left: 300px;">COLLECT THE ONIONS</span>

</div>

<div class="w3-content w3-container w3-padding-64" id="about">
    <h3 class="w3-center">Collect the Onions</h3>
    <p class="w3-center"><em>I love ONIONS</em></p>

    <p>Find the four parts, merge them, make the flag! Happy collecting!</p>
    <!-- wanna 2nd part? HERE it is: _H1DD3N -->

</div>
</body>
</html>

Part3

If you check the response headers, the third part is there.

X-Part3: _S3RV3RS

Part4

If you check robots.txt, the fourth part is there.

Part 4  is: _R0CK}
flag:UUTCTF{0N10N_H1DD3N_S3RV3RS_R0CK}
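
The four places checked above (visible text, an HTML comment, a custom response header, robots.txt) can be swept in one pass. The following is an added example, not part of the original write-up: the captures are constructed and shortened from the output quoted above, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed, shortened captures of the four responses quoted above.
body_a() { cat <<'EOF'
<p>Find the four parts, merge them, make the flag! Happy collecting!</p>
<p>The first part is: UUTCTF{0N10N</p>
EOF
}
body_b() { cat <<'EOF'
<p>Find the four parts, merge them, make the flag! Happy collecting!</p>
<!-- wanna 2nd part? HERE it is: _H1DD3N -->
EOF
}
# Only X-Part3 is from the page; the other header lines are constructed.
headers() { printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Part3: _S3RV3RS\r\n'; }
robots()  { printf 'Part 4  is: _R0CK}\n'; }

# Lines that differ between two fetches of the same URL: a sign that
# more than one server is answering for the address.
changed_lines() {
    a=$(mktemp) && b=$(mktemp) || return 1
    "$1" >"$a"; "$2" >"$b"
    diff "$a" "$b" | sed -n 's/^[<>] //p'
    rm -f "$a" "$b"
}

# Single-line HTML comments, which browsers never render.
html_comments() { sed -n 's/.*<!--\(.*\)-->.*/\1/p'; }
# Values of non-standard X-* response headers.
x_headers()     { tr -d '\r' | sed -n 's/^[Xx]-[^:]*: *//p'; }
# The token following "is: " on a line, without trailing markup.
part_value()    { sed -n 's/.*is: *\([^ <]*\).*/\1/p'; }

collect_flag() {
    p1=$(body_a | part_value)
    p2=$(body_b | html_comments | part_value)
    p3=$(headers | x_headers)
    p4=$(robots | part_value)
    printf '%s%s%s%s\n' "$p1" "$p2" "$p3" "$p4"
}

changed_lines body_a body_b
collect_flag
```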