NeverLAN CTF is a beginner-friendly CTF. My friend D4mianWayne and I did it together; it was really fun and we enjoyed it. In this post I write a walkthrough for the CTF.
The title of the challenge is
- Google search “cookie monster favorite guy red”
- It’s a character named Elmo
Got the Flag!
Stop the Bot
It says bot everywhere so I looked at
The robots exclusion standard, also known as the robots exclusion protocol or simply robots.txt, is a standard used by websites to communicate with web crawlers and other web robots. The standard specifies how to inform the web robot about which areas of the website should not be processed or scanned.
It lists the files or directories on the site.
Found a Login page
Since the challenge is called SQL Breaker, I tried some standard SQL injection payloads.
Source : https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
admin'-- - : admin
SQL Breaker 2
Another login page
Like before, I tried some standard SQLi payloads.
' or 1=1 limit 1 -- -+
It says only the admin user can see the flag. Since the normal SQLi works, adding an offset to the payload (OFFSET 1) makes the query select the next row from the list. The implicit offset is 0. The 1 in LIMIT 1 says "show me one row of output", so LIMIT 1 OFFSET 1 returns one row, specifically the second row of the result.
' or 1=1 limit 1 offset 1-- -+
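To show concretely what the two payloads above do to a string-built query, and what the parameterized fix looks like, here is an added example (my own code, not the challenge's). The users table is constructed, with admin deliberately in the second row so the OFFSET 1 trick is visible.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the challenge's users table;
    the admin account is deliberately the second row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
               "password TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
                   [("guest", "guest123", 0), ("admin", "s3cr3t", 1), ("bob", "hunter2", 0)])
    return db

def login_vulnerable(db, username, password):
    """The bug: user input is pasted into the SQL text, so quotes, OR, LIMIT/OFFSET
    and comments inside the username rewrite the query. Returns (username, is_admin) or None."""
    q = (f"SELECT username, is_admin FROM users "
         f"WHERE username='{username}' AND password='{password}'")
    return db.execute(q).fetchone()

def login_safe(db, username, password):
    """The fix: bound parameters; the same input is compared as a string, never parsed as SQL."""
    q = "SELECT username, is_admin FROM users WHERE username=? AND password=?"
    return db.execute(q, (username, password)).fetchone()

if __name__ == "__main__":
    db = make_db()
    # The SQL Breaker 1 payload, the plain SQL Breaker 2 payload, and the OFFSET 1 variant.
    for payload in ["admin'-- -", "' or 1=1 limit 1 -- -+", "' or 1=1 limit 1 offset 1-- -+"]:
        print(repr(payload), "->", login_vulnerable(db, payload, "x"),
              "| parameterized:", login_safe(db, payload, "x"))
```

Without the offset the injected query returns the first row (guest); with OFFSET 1 it returns the second row (admin), while the parameterized version matches nothing for either payload.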
It looks like the page keeps redirecting. If a website returns a 302 redirect, the browser doesn't bother rendering that response's body, so normally we won't see that data. If we stop the redirect from being followed, we can view the page. I captured the request in Burp and stepped through it with Follow Redirection; at a particular domain I got the flag.
The webpage shows us a message that the site is only optimized for browsers that run on the Commodore 64, so I googled which browsers do that.
So I captured the request in Burp and changed the User-Agent from Firefox's to Hyperlink 2.5e.
HTTP requires data to be transferred from one point to another over the network. The transfer of resources happens over TCP.
So I searched directly as
tcp contains flag
Did the same thing as I did on the first challenge
This time flag is in url so I opened it to get the flag
Since it's FTP, I tried filtering on ftp and checked each packet. Found the flag in the FTP-DATA protocol.
The file name give me the hint so I searched for
telnet contains flag
Hidden ctf on my network
So from the given hint: when a new machine connects to a network, DHCP first assigns an IP address to the machine.
We can even use strings to get the flag, because everything is in plain text; that's why it works.
Front Page of the Internet
Front Page of the Internet and found it is
Since the creator of this challenge is ZestyFE, I searched for his account on Reddit.
The Big Stage
Hint : One time we keynoted @SaintCon… I think I remember hiding a flag in our pres
So I started googling about the conference and found a YouTube link.
Did some fast-forwarding; at 1:49:40 I found an example of a CTF flag.
Hint : NeverLAN’s secret Track 2
Track maybe refers to music; when I registered for the CTF I saw a Music category on the main page.
So I opened that and found
Track3 (if it's not displayed, reload the page).
We know Track2 is what we want. It's a YouTube video, so I opened the link directly on YouTube and found the flag in the comments.
That's just Phreaky
Hint : The first of many stories that have been told. 01 September 2017 14:01
From the given hints I googled and opened the first link, which ties everything to the hint.
Looks like some story.
I searched the flag in source code of the page.
I started with steghide, got no good results, then I tried binwalk, a tool for searching binary images for embedded files and executable code.
It extracted the files.
-e, --extract Automatically extract known file types
Look into the past
I downloaded the file to my machine, extracted it, and started looking at what's there.
root@w0lf:~/CTF/CTFTIME/NeverLAN /2020/Forensic/look_into_the_past/home/User# ls -la
total 52
drwxr-xr-x 9 1000 rvm 4096 Feb 8 21:54 .
drwxr-xr-x 3 1000 rvm 4096 Feb 8 21:54 ..
-rw-r--r-- 1 1000 rvm  349 Feb 7 00:03 .bash_history
-rw-r--r-- 1 1000 rvm  864 Feb 7 00:04 .bashrc
drwxr-xr-x 2 1000 rvm 4096 Feb 8 21:54 Desktop
drwxr-xr-x 2 1000 rvm 4096 Feb 8 22:22 Documents
drwxr-xr-x 2 1000 rvm 4096 Feb 8 21:54 Downloads
drwxr-xr-x 2 1000 rvm 4096 Feb 8 21:54 Music
drwxr-xr-x 2 1000 rvm 4096 Feb 8 21:54 Pictures
-rw-r--r-- 1 1000 rvm  672 Feb 7 00:04 .profile
drwxr-xr-x 2 1000 rvm 4096 Feb 8 21:54 Public
drwxr-xr-x 2 1000 rvm 4096 Feb 8 21:54 Videos
-rw-r--r-- 1 1000 rvm   37 Feb 7 00:03 .vimrc
In computing, various shells maintain a record of the commands issued by the user during the current session. The history command works with the command history list.
Found some command history.
It looks like 3 passwords were created and used to encrypt the flag.txt file to flag.txt.enc, and the 3 passwords are split across 3 places:
- Embedded pass1 in an image using steghide.
- Created a user with
- pass3 added to a SQLite database.
So I started from
steghide embed -cf doggo.jpeg -ef $pass1
mv doggo.jpeg ~/Pictures
It's embedded in an image, and that image is located in
root@w0lf:~/CTF/CTFTIME/NeverLAN /2020/Forensic/look_into_the_past/home/User/Pictures# steghide extract -sf doggo.jpeg
Enter passphrase:
wrote extracted data to "steganopayload213658.txt".
root@w0lf:~/CTF/CTFTIME/NeverLAN /2020/Forensic/look_into_the_past/home/User/Pictures# ls
doggo.jpeg  steganopayload213658.txt
root@w0lf:~/CTF/CTFTIME/NeverLAN /2020/Forensic/look_into_the_past/home/User/Pictures# cat steganopayload213658.txt
JXrTLzijLb
They didn't use any passphrase when embedding, so I left the passphrase empty.
useradd -p '$pass2' user
New user added with the name of
pass2, basically passwords will be in
sqlite3 /opt/table.db "INSERT INTO passwords values ('1', $pass3)"
tar -zcf /opt/table.db.tar.gz /opt/table.db
A SQLite database was created and
pass3 inserted into the table
passwords, and it's in
root@w0lf:~/CTF/CTFTIME/NeverLAN /2020/Forensic/look_into_the_past/opt# ls
table.db.tar
root@w0lf:~/CTF/CTFTIME/NeverLAN /2020/Forensic/look_into_the_past/opt# file table.db.tar
table.db.tar: POSIX tar archive
root@w0lf:~/CTF/CTFTIME/NeverLAN /2020/Forensic/look_into_the_past/opt# tar -xvf table.db.tar
table.db
Got all 3 passwords now.
We know they encrypted it with openssl using this command:
openssl enc -aes-256-cbc -salt -in flag.txt -out flag.txt.enc -k $(cat $pass1)$pass2$pass3
Now we can decrypt flag.txt.enc back to flag.txt with the passwords we found.
I combined all 3 passwords in the same order as the encryption command:
openssl enc -d -aes-256-cbc -salt -in flag.txt.enc -out flag.txt -k JXrTLzijLbKI6VWx09JJnBNfDKbP5n
-d for decrypt
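The -k passphrase above is not used as the AES key directly: openssl enc derives the key and IV from the passphrase plus the 8-byte salt stored after the "Salted__" header, using EVP_BytesToKey. This added example (my own code, not the writeup's) reimplements that derivation with hashlib only, on a constructed flag.txt.enc header; the 10/10/10 split of the combined passphrase into pass2 and pass3 is an assumption, and the digest (sha256 on OpenSSL 1.1+, md5 on 1.0.x) is selectable.

```python
import hashlib

# openssl enc -salt writes "Salted__" + an 8-byte salt in front of the ciphertext.
MAGIC = b"Salted__"

def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len: int, iv_len: int, md: str):
    """OpenSSL's EVP_BytesToKey with count=1, which `openssl enc -k` uses unless -pbkdf2
    is given: D_1 = H(passphrase || salt), D_i = H(D_{i-1} || passphrase || salt);
    digests are concatenated until key_len + iv_len bytes exist, then split."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(md, prev + passphrase + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]

def split_salted(data: bytes):
    """Split an `openssl enc -salt` file into (salt, ciphertext)."""
    if len(data) < 16 or data[:8] != MAGIC:
        raise ValueError("not an 'openssl enc -salt' file")
    return data[8:16], data[16:]

def derive_from_parts(parts, salt, md="sha256"):
    """Rebuild -k $(cat $pass1)$pass2$pass3: plain concatenation, and order matters.
    aes-256-cbc needs a 32-byte key and a 16-byte IV. md is openssl enc's default
    digest: sha256 for OpenSSL 1.1.0+, md5 for 1.0.x (pass md="md5" for old files)."""
    passphrase = "".join(parts).encode()
    return evp_bytes_to_key(passphrase, salt, 32, 16, md)

# Constructed sample: a fake flag.txt.enc with a salt chosen here and dummy ciphertext.
SAMPLE_ENC = MAGIC + bytes.fromhex("0123456789abcdef") + b"\x00" * 32
# pass1 is the value extracted from doggo.jpeg; the split of the rest of the combined
# passphrase into pass2 and pass3 is assumed to be 10 characters each.
PARTS = ["JXrTLzijLb", "KI6VWx09JJ", "nBNfDKbP5n"]

def main():
    salt, ciphertext = split_salted(SAMPLE_ENC)
    key, iv = derive_from_parts(PARTS, salt)
    print("salt:", salt.hex(), "\nkey:", key.hex(), "\niv:", iv.hex())
    # Any other ordering of the same three parts yields a different key, which is why
    # the concatenation order of the original command has to be reproduced exactly.
    other_key, _ = derive_from_parts(PARTS[::-1], salt)
    print("reversed order gives the same key:", key == other_key)

if __name__ == "__main__":
    main()
```

Hand the returned key and IV to any AES-256-CBC implementation to reproduce what openssl enc -d does with the same passphrase and file.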
Chicken Little 1
I logged in with the given credentials
They provide the password in
Chicken Little 2
Hint : Password is hidden
We can view all files, even hidden ones, using
Chicken Little 3
If I cat BAWKBAWK.txt it keeps printing BAWK, and we know that every password has "level" before it.
So I used grep for that "level" string.
Chicken Little 4
It's a binary file, so we can use strings to see the printable characters in the file.
Chicken Little 5
This is a gzip file, but I can't decompress it because the extension is missing; I added it and tried extracting.
gzip -d the_sky_is_falling.gz
-d = decompress
Chicken Little 6
The hint is that we need to download the image file to our machine and view it.
Reference : https://linuxize.com/post/how-to-use-scp-command-to-securely-transfer-files/
SCP (secure copy) is a command-line utility that allows you to securely copy files and directories between two locations. With scp, you can copy a file or directory from your local system to a remote system, and the other way round.
Chicken Little 7
The hint is that we can get the level7 password from the usual hash location, which is /etc/shadow, and crack it using hashcat.
I copied the hashes to my machine and saved them in a file named hash.
-m 1800 = sha512crypt
-a 3 = attack mode (brute-force / mask)
How do you find out it's sha512crypt? I used john before that and it told me what hash type it is.
Cookies were designed to be a reliable mechanism for websites to remember stateful information.
AAAAAAAAAAAAAA! I hate CVEs
With the given hint I googled the exploit.
This is because of
Rick Rolled by the NSA???
I googled with the hint
We managed to finish in position 136 out of 1121.