# 🚩 Insomni'hack 2022 CTF write-up


The Insomni’hack 2022 CTF is a CTF hosted during the Insomni’hack conference in Geneva, Switzerland. You had to register beforehand to attend the on-site CTF. There was a total of 31 challenges. As a beginner in CTFs I decided to mostly take the easy challenges. The CTF ran from March 25 (6pm UTC) to March 26 (4am UTC) 2022.
As my first on-site CTF it was nice to see how many people were participating. It was also pretty amazing to see how well prepared some people were; some even decided to transport their own big monitor(s) 🤯 It was an overall amazing CTF, so many thanks to the organizers!
All flags had the same format, INS{...}. Anyway, enough talking, here are the write-ups:

## 🐛 GDBug - 120 points

We were given a binary file (Download the file) that we had to execute to get the right flag. Let’s start by running it with a plain ./gdbug:
When executing the file, a serial number to check needs to be given as an argument. After providing one, the binary checks the serial and reports whether it is valid or not. So let’s open the binary in a disassembler and see how it works.

There was also another, invalid, flag in the strings

Looking at the top there was --debug; running the binary with that as the serial wasn’t a success, it returned INS{Th1$Fl4gSuck$}. There was also a call to ptrace(), a typical anti-debugging trick: if the binary is run from any debugger it prints the decoy flag INS{W0ULDNT-1T-B3-T00-34SY}. Simply NOPing the entire ptrace check was enough to bypass it, so the binary can now be run in a debugger if needed. So let’s look at how the check for the serial works:

A loop that will iterate over the length of the given serial

At first there is a variable x initialized to 0x539, then a variable i initialized to 0x0. After that, a loop starts:

• It loops until i has reached the length of the serial, so it goes over all characters in the serial
• The hexadecimal value of the current character is added to x
• i is incremented by one

gdb also confirmed that it was the hexadecimal value of each character that was added to x:

The binary was run with 'AAAAAAA' as serial; 0x41 is the hexadecimal value of A

At the end of that loop there were more checks, as you can see here:

This is the last assembly picture for this challenge, no worries.

It then checks whether x equals 0xb38, so 0x539 plus the sum of the hexadecimal values of all characters in the serial must come out to 0xb38. After this check, there are 5 more checks that are really easy to understand:

• The length of the serial must be 0x18
• At indexes 0x4, 0x9, 0xe and 0x13 of the serial there must be a character with hexadecimal value 0x2d, which is the hexadecimal value of -.

A valid serial therefore looks like xxxx-xxxx-xxxx-xxxx-xxxx.
Based on these restrictions, we could simply write a brute-force tool in Python:

The output was quite interesting…

The reason was quite simple, all of them were valid flags!

According to another player, the number is accurate.
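As an added example (my code, not the author's brute-force script, which the page only shows as an image), here is a Python reconstruction of the checks described above, a constructive solver over a chosen contiguous character range, and a dynamic-programming count of how many serials pass for a given alphabet, so the "all of them were valid" outcome can be quantified without enumerating anything. The alphabet and the A..Z range are assumptions; the constants come from the write-up.

```python
from functools import lru_cache

INIT = 0x539                       # x starts at 1337
TARGET = 0xB38                     # x must end at 2872
LENGTH = 0x18                      # serial must be 24 characters long
DASH_POS = (0x4, 0x9, 0xE, 0x13)   # these indexes must hold '-' (0x2d)

def check_serial(serial: str) -> bool:
    """Re-implementation of the binary's checks as the write-up describes them."""
    x = INIT
    for ch in serial:              # the loop: add each character's value to x
        x += ord(ch)
    return (x == TARGET and len(serial) == LENGTH
            and all(serial[p] == "-" for p in DASH_POS))

FREE = [i for i in range(LENGTH) if i not in DASH_POS]   # the 20 free slots
BUDGET = TARGET - INIT - len(DASH_POS) * ord("-")        # sum left for them

def build_serial(lo: str = "A", hi: str = "Z") -> str:
    """Constructive solver over a contiguous range lo..hi (assumed here):
    fill every free slot with lo, then raise slots left to right until the
    remaining budget is spent. Raises if the range cannot reach the checksum."""
    need = BUDGET - ord(lo) * len(FREE)
    if not 0 <= need <= (ord(hi) - ord(lo)) * len(FREE):
        raise ValueError("character range cannot satisfy the checksum")
    out = ["-"] * LENGTH
    for pos in FREE:
        bump = min(need, ord(hi) - ord(lo))
        out[pos] = chr(ord(lo) + bump)
        need -= bump
    return "".join(out)

def count_valid(alphabet: str, slots: int, total: int) -> int:
    """Count length-`slots` strings over `alphabet` whose character values
    sum to `total`: this is how many serials pass for that alphabet."""
    values = sorted({ord(c) for c in alphabet})

    @lru_cache(maxsize=None)
    def ways(k: int, s: int) -> int:
        if k == 0:
            return 1 if s == 0 else 0
        return sum(ways(k - 1, s - v) for v in values if v <= s)

    return ways(slots, total)

if __name__ == "__main__":
    serial = build_serial()
    print(serial, check_serial(serial))
    print(count_valid("ABCDEFGHIJKLMNOPQRSTUVWXYZ", len(FREE), BUDGET))
```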

## 🤖 Bot Telegram - 75 points

This challenge was my personal favorite. We were given a Telegram bot to chat with, and the challenge was to exploit it. At first I tried executing some of the commands it offers; none of them were surprising. Then I tried adding some random arguments after a command, and boom! When executing the command /challs leet the bot returned:

Oops an error occured : (1054, “Unknown column ‘leet’ in where clause”)

This challenge is about SQL injection. When I tried to list the tables to perform a UNION attack, the bot said that whitespace was not allowed, since only one argument is accepted. Fortunately there is an easy bypass: replace every whitespace with /**/ (an inline comment), which the database interprets the same as whitespace.
The next discovery was that some fields were too long to be sent back in the reply, so using SUBSTR() did the trick. The bot ended up leaking the users table.

I was unable to fit everything in one single picture...

Then we could leak the columns inside that table; there were the columns username and password:

There were only 2 columns, which could have been guessed
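To make the failure mode concrete, here is an added example (my code, not the bot's, whose source is not on the page) rebuilt on SQLite; the table names, columns and sample rows are assumed. The argument is concatenated into the WHERE clause unquoted, which is what the "Unknown column" error implies, so the no-whitespace rule only forces the /**/ spelling; binding the argument as a query parameter makes the very same string plain data.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the bot's MySQL backend (schema assumed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE challs (name TEXT, category TEXT)")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO challs VALUES (?, ?)",
                    [("GDBug", "reverse"), ("Magic Words", "web")])
    con.execute("INSERT INTO users VALUES ('admin', 'hunter2')")
    return con

def reject_spaces(arg: str) -> None:
    """The bot's 'only one argument' rule, as the write-up describes it."""
    if " " in arg:
        raise ValueError("whitespaces are not allowed")

def challs_vulnerable(con: sqlite3.Connection, arg: str) -> list:
    """String-built query: the argument lands in the WHERE clause unquoted,
    so '/challs leet' asks for a column named leet, and /**/ stands in for
    the space the filter refuses."""
    reject_spaces(arg)
    return con.execute(f"SELECT name FROM challs WHERE category={arg}").fetchall()

def challs_fixed(con: sqlite3.Connection, arg: str) -> list:
    """Parameterized query: the driver binds the value, so comments, quotes
    and UNION inside the argument are only characters to compare against."""
    reject_spaces(arg)   # can stay, but it is no longer load-bearing
    return con.execute("SELECT name FROM challs WHERE category=?",
                       (arg,)).fetchall()

def run_demo() -> dict:
    con = make_db()
    results = {}
    try:
        challs_vulnerable(con, "leet")
    except sqlite3.OperationalError as e:
        results["error"] = str(e)          # SQLite's version of MySQL's 1054
    # the /**/ trick from the write-up, written as one space-free argument
    payload = "''/**/UNION/**/SELECT/**/username/**/FROM/**/users"
    results["vulnerable"] = challs_vulnerable(con, payload)  # leaks users
    results["fixed"] = challs_fixed(con, payload)            # no such category
    results["normal"] = challs_fixed(con, "web")             # intended use
    return results

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```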

## 🔮 Magic Words - 7 points

For this challenge we were given a link to a website that asked for a sentence, so basically we had to find that sentence. Looking at the source code there were some checks, so the first thing to do was to recreate the same file on the local machine.
Then simply take each check one by one and collect the words of each paragraph, recreate the checks locally and execute the script.

The result was please show of if in of is in an it to me to to of is by in or the way. All that was left was to find a good word that fits in the sentence please show [of if in of is in an it to me to to of is by in or] the way; the best is definitely please show me the way.

When submitting that, the flag (INS{jQu3ry_1$[email protected]_C0oL}) was given as response.

## 👋 Welcome challenge - 6 points

We got a link to a GitLab repository with instructions to follow to actually solve the challenge, which included committing changes. After following the steps, the first time my shell looked kind of weird:

But I wasn’t the only one who got this joke:

The staff was building a botnet, no worries

After checking where this came from, it was located in inso/.circleci/pre-commit; there was also an exec $SHELL command at the end of the file, to make sure you see that. By simply removing the lines that changed my PS1 variable and removing the exec $SHELL command, I was able to get the flag in return.
The flag was given in the response to a failed commit, like the following: remote: INS{S0_F4r_S0_g00d}.
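A repository-supplied hook like the one above is worth checking before running any "follow these steps" instructions. As an added example (my code, not the challenge's hook), here is a small auditor that flags the two things the write-up found, a rewritten PS1 and a trailing exec $SHELL, plus the classic download-piped-to-shell pattern; the sample hook and the list of hook file names are constructed.

```python
import re
from pathlib import Path

# Patterns to flag in a hook shipped inside a checkout (constructed list,
# modelled on the PS1 rewrite and exec $SHELL found in the write-up).
SUSPICIOUS = [
    (re.compile(r"^\s*(export\s+)?PS1="), "rewrites the interactive prompt (PS1)"),
    (re.compile(r"\bexec\s+\"?\$SHELL\b"), "replaces the running shell via exec $SHELL"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "pipes a download into a shell"),
]

def audit_hook_text(text: str) -> list:
    """Return (line number, reason, stripped line) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, why in SUSPICIOUS:
            if pattern.search(line):
                findings.append((lineno, why, line.strip()))
    return findings

HOOK_NAMES = ("pre-commit", "pre-push", "post-checkout", "post-merge")

def audit_repo(repo: Path) -> dict:
    """Scan hook-named files anywhere in the checkout (a repo cannot ship
    .git/hooks, so hooks it wants you to install live elsewhere, e.g. under a
    CI directory as in the challenge). Returns {relative path: findings}."""
    report = {}
    for path in repo.rglob("*"):
        if path.is_file() and path.name in HOOK_NAMES:
            hits = audit_hook_text(path.read_text(errors="replace"))
            if hits:
                report[str(path.relative_to(repo))] = hits
    return report

# Constructed sample modelled on the hook described in the write-up.
SAMPLE_HOOK = """#!/bin/sh
# pre-commit hook shipped by the "instructions"
PS1='[owned] \\u@\\h \\w $ '
echo "running pre-commit checks"
exec $SHELL
"""

if __name__ == "__main__":
    for lineno, why, line in audit_hook_text(SAMPLE_HOOK):
        print(f"line {lineno}: {why}: {line}")
```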