added writeup for 5 challenges (njitacm#11)

mostafamohamed8881 · web-flow · commit 6ab6cc6cfa58 · 2021-04-11T22:12:30.000-04:00
diff --git a/writeups/%20rainbows/DeadRobin/README.md b/writeups/%20rainbows/DeadRobin/README.md
@@ -0,0 +1,55 @@
+# DeadRobin's Write-up for %20rainbow
+
+---
+
+1. because of the hint i got an idea to transform the hex code of the colors to hexdecimal characters so lets extract the hex codes first using imagemagick
+
+   ```bash
+   $ convert Untitled.png txt:
+   0,0: (30583,26728,28527)  #77686F  srgb(119,104,111)
+   1,0: (8224,27499,25443)  #206B63  srgb(32,107,99)
+   2,0: (25957,30583,8224)  #657720  srgb(101,119,32)
+   3,0: (31097,28527,30069)  #796F75  srgb(121,111,117)
+   4,0: (8224,25443,28527)  #20636F  srgb(32,99,111)
+   5,0: (30069,27756,25700)  #756C64  srgb(117,108,100)
+   6,0: (8224,25957,28270)  #20656E  srgb(32,101,110)
+   7,0: (25443,28527,25700)  #636F64  srgb(99,111,100)
+   8,0: (25957,8224,29812)  #652074  srgb(101,32,116)
+   9,0: (25957,30840,29812)  #657874  srgb(101,120,116)
+   10,0: (8224,24929,28270)  #20616E  srgb(32,97,110)
+   11,0: (8224,26985,28013)  #20696D  srgb(32,105,109)
+   12,0: (24929,26471,25957)  #616765  srgb(97,103,101)
+   13,0: (16191,8224,25700)  #3F2064  srgb(63,32,100)
+   14,0: (26985,25700,8224)  #696420  srgb(105,100,32)
+   15,0: (31097,25700,30069)  #796475  srgb(121,100,117)
+   16,0: (8224,28527,28784)  #206F70  srgb(32,111,112)
+   17,0: (25957,28270,8224)  #656E20  srgb(101,110,32)
+   18,0: (29812,26728,26985)  #746869  srgb(116,104,105)
+   19,0: (29555,8224,24929)  #732061  srgb(115,32,97)
+   20,0: (29555,8224,24929)  #732061  srgb(115,32,97)
+   21,0: (8224,28784,28270)  #20706E  srgb(32,112,110)
+   22,0: (26471,11308,8224)  #672C20  srgb(103,44,32)
+   23,0: (28527,29298,8224)  #6F7220  srgb(111,114,32)
+   24,0: (27242,30069,29555)  #6A7573  srgb(106,117,115)
+   25,0: (29812,8224,25443)  #742063  srgb(116,32,99)
+   26,0: (28527,28270,30326)  #6F6E76  srgb(111,110,118)
+   27,0: (25957,29298,29812)  #657274  srgb(101,114,116)
+   28,0: (8224,26985,29812)  #206974  srgb(32,105,116)
+   29,0: (8224,27242,25443)  #206A63  srgb(32,106,99)
+   30,0: (29812,26214,31611)  #74667B  srgb(116,102,123)
+   31,0: (26214,29298,28527)  #66726F  srgb(102,114,111)
+   32,0: (28013,8224,26728)  #6D2068  srgb(109,32,104)
+   33,0: (30069,30840,16191)  #75783F  srgb(117,120,63)
+   34,0: (32125,8224,8224)  #7D2020  srgb(125,32,32)
+   ```
+
+2. and because i am a newbie i am going to extract them manually and then transform them using python
+
+   ```python
+   >>> s = "65207477686F206B63657720796F7520636F756C6420656E636F6465787420616E20696D6167653F2064696420796475206F70656E2074686973206173206120706E672C206F72206A75737420636F6E76657274206974206A6374667B66726F6D206875783F7D2020"
+   >>> bytes.fromhex(s).decode('utf-8')
+   'who knew you could encode an image? did ydu open this as a png, or just convert it jctf{from hex?}  '
+   
+   ```
+
+    
diff --git a/writeups/clientside/DeadRobin/README.md b/writeups/clientside/DeadRobin/README.md
@@ -0,0 +1,22 @@
+# DeadRobin's Write-up for clientside
+
+1. view the source coded, we can see an interesting script
+
+```javascript
+    function _9x34856(_458sd4) { return _458sd4.split("").reverse().join("")  }  
+    function check(val) {
+      if ( val == "clientside" ) {
+        alert(atob(_9x34856("=0HO0UDOzg3XzQWMzRnblFDbj9FMu9FMu9FMutnZ0Nma")))
+      } 
+    }
+```
+
+2. this looks like a reverse base64 code lets decode it
+
+```python
+>>> import base64
+>>> s = "=0HO0UDOzg3XzQWMzRnblFDbj9FMu9FMu9FMutnZ0Nma"[::-1] # to reverse it
+>>> print(base64.b64decode(s))
+b'jctf{n0_n0_n0_cl1ents1d3_x38548}'
+```
+
diff --git a/writeups/hidden-in-plain-sight-2/DeadRobin/README.md b/writeups/hidden-in-plain-sight-2/DeadRobin/README.md
@@ -0,0 +1,26 @@
+# DeadRobin's Write-up for hidden-in-plain-sight-2
+
+1. try to use cat and grep to find the flag i found two but they were fakes
+
+   ```
+   4fc53c8dee89f40f3c2969d8a282e24c519fadc7b9403aa711c91ab22830
+   jcft{this-is-certaintly_a_flag_lolz}
+   578c003ab8fd78b6d0967767c02b6b4f025fd7bc156b8d9edd068133cf42
+   .
+   .
+   .
+   177e89fad20fb65c007a8ca2skajdhf782337bjjctf23478f6a11c7cbf3b
+   2345235jctf{defnNotAFlag}98127978719274891729347912794719279
+   177e89fad20fb65c007a8ca2skajdhf782337bjjctf23478f6a11c7cbf3b
+   ```
+
+2. I though maybe the flag is base64 encoded because the files gives the impression that it is so i encoded the string `jctf` and searched for it
+
+   ```bash
+   $ echo "jctf" | base64
+   amN0Zgo=
+   $ cat flag.txt | grep -i "amN0Z" | base64 -d
+   jctf{hips2-b64_c0mes_with_different_equals}
+   ```
+
+   
diff --git a/writeups/investigating-windows/DeadRobin/README.md b/writeups/investigating-windows/DeadRobin/README.md
@@ -0,0 +1,44 @@
+# DeadRobin's Write-up for investigating-windows
+
+---
+
+1. from the hints i understood that i should use a tool called regripper and after installing it i found this [article](https://resources.infosecinstitute.com/topic/registry-forensics-regripper-command-line-linux/)
+2. in the article it says `The ProfileList key in the registry can be used to resolve  SIDs to users on the machine. If a user has logged onto this machine, a  subkey with that user’s SID as its name will be created under  ProfileList. Use the profilelist plugin in RegRipper to pull this  information` so lets try it
+
+```bash
+$ regripper -r software -p profilelist
+Launching profilelist v.20200518
+profilelist v.20200518
+(Software) Get content of ProfileList key
+
+Microsoft\Windows NT\CurrentVersion\ProfileList
+
+Path      : %systemroot%\system32\config\systemprofile
+SID       : S-1-5-18
+LastWrite : 2013-08-22 13:25:43Z
+
+Path      : C:\Windows\ServiceProfiles\LocalService
+SID       : S-1-5-19
+LastWrite : 2013-08-22 14:48:03Z
+
+Path      : C:\Windows\ServiceProfiles\NetworkService
+SID       : S-1-5-20
+LastWrite : 2013-08-22 14:48:02Z
+
+Path      : C:\Users\robbr
+SID       : S-1-5-21-1410353290-3892556988-1991803543-1001
+LastWrite : 2021-03-16 23:02:27Z
+
+Path      : C:\Users\Administrator
+SID       : S-1-5-21-1410353290-3892556988-1991803543-500
+LastWrite : 2021-03-16 22:59:46Z
+
+```
+
+3. and we have the flag
+
+   ```
+   jctf{S-1-5-21-1410353290-3892556988-1991803543-1001}
+   ```
+
+   
diff --git a/writeups/reDirector/DeadRobin/README.md b/writeups/reDirector/DeadRobin/README.md
@@ -0,0 +1,45 @@
+# DeadRobin's Write-up for reDirector
+
+---
+
+1. from the name we can understand that we will be redirected alot so lets open burp suite to intercept each request manually
+
+2. nothing special in the first request but then we can notice that each redirect is of one letter so maybe if we gather them we could achieve something
+
+```
+GET /j HTTP/1.1
+GET /c HTTP/1.1
+GET /t HTTP/1.1
+GET /f HTTP/1.1
+GET /%7B HTTP/1.1
+GET /y HTTP/1.1
+GET /0 HTTP/1.1
+GET /u HTTP/1.1
+GET /_ HTTP/1.1
+GET /l HTTP/1.1
+GET /1 HTTP/1.1
+GET /k HTTP/1.1
+GET /E HTTP/1.1
+GET /m HTTP/1.1
+GET /Y HTTP/1.1
+GET /- HTTP/1.1
+GET /R HTTP/1.1
+GET /e HTTP/1.1
+GET /d HTTP/1.1
+GET /i HTTP/1.1
+GET /r HTTP/1.1
+GET /3 HTTP/1.1
+GET /C HTTP/1.1
+GET /T HTTP/1.1
+GET /s HTTP/1.1
+GET /%7D HTTP/1.1
+```
+
+3. forming all of them together and url decoding for the brackets we get the flag
+
+```
+jctf{y0u_l1kEmY-Redir3cts}
+```
+
+
+
