Last updated: 23 Sep 24 11:11:41 (UTC)

MindBreak

MindBreak - ESGI

MindBreak CTF by ESGI was an open, physical-only CTF that took place on June 22nd from 21:00 to 6:00.

For this event my team ranked 4/17.

My team was composed of 3 other players; we didn’t know each other and just formed our team on the spot:

- Lawcky (me)

- W0red

- rougefleur

- Брунек

It was a pretty good CTF event which my team really enjoyed; we will probably be participating in the next edition.

b9067db3efd7aba0fb6b74fbd58f9cdb.png

Braquage - Steganography

We are given an audio file in which we can hear an alarm and the sound of someone dialing a phone number. The flag format is MB{PhoneNumber}.

After looking, I found this (it’s in Spanish but easy to understand):

cf0f62980c800fe8ee624bcc698fc04b.png

Using Audacity I was able to isolate the key-press sound of each number.

Here is a summary of it in the format: order - lowest frequency - highest frequency --> number it corresponds to

1- 917 - 1323 --> 0

2- 836 - 1479 --> 9

3- 763 - 1189 --> 4

4- 836 - 1338 --> 8

5- 751 - 1213 --> 4

6- 836 - 1211 --> 7

7- 697 - 1211 --> 1

8- 698 - 1479 --> 3

9- 836 - 1335 --> 8

10- 771 - 1212 --> 4

flag : MB{0948471384}
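
The list above follows the standard DTMF keypad grid, where each key is the sum of one low-group and one high-group tone. The Python below is an added example, not part of the original write-up: it snaps the hand-measured peaks from the list to the nearest nominal DTMF frequency and, going beyond the manual Audacity reading, detects keys directly from audio samples with the Goertzel algorithm. The 3.5% tolerance, the function names and the synthesized test tones are assumptions made for this example.

```python
import math

ROWS = (697, 770, 852, 941)        # standard DTMF low-group tones (Hz)
COLS = (1209, 1336, 1477, 1633)    # standard DTMF high-group tones (Hz)
KEYS = ("123A", "456B", "789C", "*0#D")

# (low, high) peaks copied from the write-up's list, in dialing order.
MEASURED = [(917, 1323), (836, 1479), (763, 1189), (836, 1338), (751, 1213),
            (836, 1211), (697, 1211), (698, 1479), (836, 1335), (771, 1212)]

def snap(measured, nominal, tolerance=0.035):
    """Index of the nearest nominal tone, or None if it is too far away.
    The 3.5% tolerance is an assumption, loose enough for hand-read peaks."""
    i = min(range(len(nominal)), key=lambda k: abs(nominal[k] - measured))
    return i if abs(nominal[i] - measured) <= tolerance * nominal[i] else None

def key_from_pair(low, high):
    """Map one measured (low, high) frequency pair to a keypad symbol."""
    r, c = snap(low, ROWS), snap(high, COLS)
    return "?" if r is None or c is None else KEYS[r][c]

def goertzel_power(samples, freq, rate):
    """Signal power at a single frequency (Goertzel recurrence)."""
    coeff = 2 * math.cos(2 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def key_from_samples(samples, rate):
    """Pick the strongest row tone and the strongest column tone of one key press."""
    r = max(range(4), key=lambda k: goertzel_power(samples, ROWS[k], rate))
    c = max(range(4), key=lambda k: goertzel_power(samples, COLS[k], rate))
    return KEYS[r][c]

def synth_key(key, rate=8000, ms=60):
    """Constructed test input: a clean two-tone burst for one key."""
    r = next(k for k, row in enumerate(KEYS) if key in row)
    c = KEYS[r].index(key)
    return [math.sin(2 * math.pi * ROWS[r] * t / rate) +
            math.sin(2 * math.pi * COLS[c] * t / rate)
            for t in range(rate * ms // 1000)]

if __name__ == "__main__":
    print("from measured peaks:", "".join(key_from_pair(*p) for p in MEASURED))
    print("from synthesized audio:",
          "".join(key_from_samples(synth_key(k), 8000) for k in "0948471384"))
```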

petite fille et la chevre - Misc

We are given an audio file of a little girl talking to her grandfather and saying weird things.

To find the secret message we need to decode it.

After slowing down the audio we are able to get the following string:

4F485233625642525556464F596E6C4B656E4E435657354C5A3274585A48563161304E59636A5A6957486C7752556454556D7059574846694F48593D0A

CyberChef is able to do 3 steps on its own: hex to ASCII --> from Base64 --> from Base58. Now it looks like this:

uPZaOtVy1PsA1Yf8yey1p0Vnyv4jdFF3

After some more testing we understand that the final solution was : hex to ascii --> from Base64 --> from Base58 --> from Base62 --> from Base64

flag :  MB{4ed1_78b2_78cc}
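
The testing described above can be scripted. The Python below is an added example, not part of the original write-up: it replays the five-stage chain on the hex string from this page and, for each intermediate, lists which encodings its character set still allows, which shows why the Base62 step took testing to find (the Base58 output fits both Base62 and Base64). The Base58 and Base62 alphabets and the function names are assumptions.

```python
import base64

# Assumed alphabets: Bitcoin-style Base58 and 0-9A-Za-z Base62.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Hex string from the write-up (recovered from the slowed-down audio).
HEARD = ("4F485233625642525556464F596E6C4B656E4E435657354C5A3274585A485631"
         "61304E59636A5A6957486C7752556454556D7059574846694F48593D0A")

def base_n_decode(text, alphabet):
    """Decode a big-endian positional encoding (Base58/Base62 style) to bytes."""
    n = 0
    for ch in text:
        n = n * len(alphabet) + alphabet.index(ch)  # ValueError on a foreign character
    zeros = len(text) - len(text.lstrip(alphabet[0]))  # leading zero digits -> zero bytes
    return b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")

def candidates(text):
    """Encodings whose alphabet and length rule still admit `text`."""
    chars, found = set(text), []
    if chars <= set("0123456789abcdefABCDEF") and len(text) % 2 == 0:
        found.append("hex")
    if chars <= set(B58):
        found.append("base58")
    if chars <= set(B62):
        found.append("base62")
    if set(text.rstrip("=")) <= set(B62 + "+/") and len(text) % 4 == 0:
        found.append("base64")
    return found

def decode_chain(hex_text):
    """hex -> Base64 -> Base58 -> Base62 -> Base64; returns every intermediate stage."""
    s1 = bytes.fromhex(hex_text).decode("ascii").strip()
    s2 = base64.b64decode(s1).decode("ascii")
    s3 = base_n_decode(s2, B58).decode("ascii")
    s4 = base_n_decode(s3, B62).decode("ascii")
    s5 = base64.b64decode(s4).decode("ascii")
    return [s1, s2, s3, s4, s5]

if __name__ == "__main__":
    for stage in decode_chain(HEARD):
        print(f"{stage}   charset fits: {candidates(stage) or 'nothing (plain text)'}")
```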

Journal du FOU 1/7 - Geoint

We are given 2 pictures and are told that the flag is the name of the lake to the north east of this mountain, in the format MB{xxxx-xxxx}.

9adcb1639133952cf16c4b33a2285858.png

After a search with the Google Lens tool we find an image that has the same mountain range in the background. After going to the site we see that it’s called the “Pic les Tours”; then we look for a map of the area and find the Bious-Antigues lake.

c5bd20db4549b1b586737a7e33418050.png

flag : MB{bious-antigues}

Shell-ébration - FullPWN

We are given 3 ports and are told that we need to exploit the machine to get the user’s flag and the root flag.

We use nmap:

$ nmap -sV -p 40758,46598,59586 192.168.205.5

Starting Nmap 7.80 ( https://nmap.org ) at 2024-06-23 01:38 CEST
Nmap scan report for 192.168.205.5
Host is up (0.00052s latency).

PORT      STATE SERVICE VERSION
40758/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
46598/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
59586/tcp open  ftp     ProFTPD 1.3.5
Service Info: OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.29 seconds

We know that ProFTPD 1.3.5 is vulnerable (this can also be checked by using searchsploit ftp 1.3.5).

Metasploit has a working exploit for this, so let’s use it:

930b70332480d6fd4f5e22615f6e7fe4.png

Went through a small bug, but the session was still created successfully.

We need to find mike’s password file.

b38c3d1535d6970c7538fbce7dd943ea.png

a1b707845c2c2cb7fc6938783eb60741.png

mike:HUFmoei62PqO890.!
user flag : MB{Pr0F7PD_g0t_m3333}

We are now connected as mike; we check the sudo permissions and find that the set of permissions is vulnerable.

7d3ec3c49d3e70aafeb671c5d3d381ba.png

root flag : MB{5ud0_n0_g0o0o}

A not very easy going Robot 1/2

There is a Discord bot that we can invite to our own server. After doing so we try to talk to him, but he only answered once: “i don’t like talking to humans”.

We understand that it’ll only talk to a robot (a Discord bot); I then invited another bot to the server and it unlocked the first flag:

MB{@r3_U_5@lty_b3c@u53_I@M}

Sadly, I knew that for the other part of the challenge I needed to have a bot rewrite everything I was saying, but I didn’t know any Discord bot that could do that, and before I found one the CTF ended.


Thanks for reading!