Skip to content

Venu's Blog

InCTF 2019 Quals

CTF, Security3 min read

Hey peeps

After Vipin Sir's suggestion I decided to try something new. I planned to participate in the Amrita InCTF 2019. Amrita InCTF is the India’s First Ethical Hacking contest, Capture the Flag contest.


The process is simple, you need to register for it and need to participate in the Qualifier round. They would pick up the top 150 contestants who would appear for the finals at Amritapuri.

This was the first time I am trying something like this. So, this Qualifier round will be tough thing for sure. But, I decided to give it a try. Why not! I have a lot of time in my final year. 😛

Online Qualifier Round: 09/11/2019 - 10/11/2019

The contest was for 36 hours and has challenges from Web, Forensics, pwn, RE and Crypto. I started with the Sanity checks flag submissions. 😄

Web Exploitation

I have prior knowledge in Web Development. So, decided to give this a try at the starting of the contest.

1Cookie's everywhere !!
3Points: 100
5Description: Can u spot the difference...
7Challenge link -
9Author : Captain-kay

img img

The name and the source code gave me good idea that this is a cookie based challenge. I installed EditThisCookie and started analyzing the cookies. Not much of use I thought. Then I did refresh and I found something fishy. The page changed and earlier there was only one cookie in use, PHPSESSID but later there was another cookie too, _THE_FLAG_IS. But that was the flag. C'mon this wont be so easy!

I knew cookies are stored as MD5 hash, tried to crack the cookie value using HashBuster. I found something fishy but not really complete.

1vchrombie@gf ~/Desktop/InCTF/quals/web [11:33:16]
2> $ python3 -s 13b5bfe96f3e2fe411c9f66f4a582adf
3_ _ ____ ____ _ _ ___ _ _ ____ ___ ____ ____
4|__| |__| [__ |__| |__] | | [__ | |___ |__/
5| | | | ___] | | |__] |__| ___] | |___ | \ v3.0
7[!] Hash function : MD5

This was interesting, seems it to be a part of the flag. The flag format is inctf{_}. The unhashed cookie gave the first two letters of the flag. Then I did a refresh of the page again. Suprise! The cookie changed, a different value now. I used the same method above.

1vchrombie@gf ~/Desktop/InCTF/quals/web [11:33:44]
2> $ python3 -s 4fdeddb85f44ee6ef00c9c40c2c802fe
3_ _ ____ ____ _ _ ___ _ _ ____ ___ ____ ____
4|__| |__| [__ |__| |__] | | [__ | |___ |__/
5| | | | ___] | | |__] |__| ___] | |___ | \ v3.0
7[!] Hash function : MD5

Kitti! The next two words of the flag. I understood the scene. Started hunting down all the cookies. There were 15 hashes, in which the last hash is repeating later on. Wrote them into a file and cracked all the MD5 hashes altogether.

1python3 -f hash.txt

And the results were interesting.

113b5bfe96f3e2fe411c9f66f4a582adf : in
2afc32308426e771f1ad98b5790b91c77 : 1p
3ab6c040066603ef2519d512b21dce9ab : co
47ce8636c076f5f42316676f7ca5ccfbe : lo
5e47ca7a09cf6781e29634502345930a7 : oo
64fdeddb85f44ee6ef00c9c40c2c802fe : ct
7a8655da06c5080d3f1eb6af7b514e309 : t}
812470fe406d44017d96eab37dd65fc14 : es
9988287f7a1eb966ffc4e19bdbdeec7c3 : ki
101a6269dd75567939534a8457c3cf6a43 : _!
11d41d8cd98f00b204e9800998ecf8427e :
122c3ba657da75eab82c88c429fbbf2207 : s_
133b5e2fd0bdc8d3094bd676aa0744a726 : _u
146f207f8b5dfe1eebac63467930df5189 : h3
153424ebae0833a931962d307d923b0304 : f{

Wow, the flag is in parts and I started arranging them according to the flag format and tried to make up something meaningful. I got the flag!


This was a bit tough but interesting though. Thanks to s0md3v for the awesome tool, Hash-Buster.

Reversing Engineering

I saw a python challenge and decided to try this up next.

3Points: 300
5Description: Python is cool. And this is Python 3.
7Author: Mr_UnKnOwN
9File attached:

Challenge file link:

A file was given I looked at it. Basically the flag was converted into some format and they have given the value check. So, I need to write a script to reverse the whole process and get the value. Reverse Engineering it was.

There were two funtions push() and sage() which were applied in a particular fashion.


where x is the flag input encoded to hex.

The push() generates another string from the hex encoded flag string which has a unique encoding type[(type.index(i)+3)%total_types]. All I need to do is replace +3 with -3. I wrote the unpush() function.

The sage() takes this string from push() and generated a list by slicing the string into parts of step 4, encode as hex and converting them into int. I reversed it, converted to string and decode hex. I wrote the unsage() function.

1>>> check = [959592808, 959852599, 960049253, 926430775, 892811314, 946419251, 929576502, 946419765, 909391664, 925972535, 892613940, 912864564, 12391]
4>>> bytes.fromhex(unpush(unsage(check))).decode('utf-8')

Kitti! Quite simple and straight forward.


I love forensics, makes you feel you are a detective. 🕵️‍♂️

1Easy Peasy
3Points: 100
5Description: My friend sent me this file and he tells me that something is hidden in it. Can you help him find it?
7Author: g4rud4
9File attached: chall.jpg

Challenge file link: chall.jpg

I was given an image file, chall.jpg. Looked upon some image tools and tried to analyze the image and it's details. The exiftool gave me some good results but something was fishy in the details.

1vchrombie@gf ~/Desktop/InCTF/quals/forensics [12:32:02]
2> $ exiftool chall.jpg
3ExifTool Version Number : 10.80
4File Name : chall.jpg
5Directory : .
6File Size : 132 kB
9X Resolution : 1
10Y Resolution : 1
11XMP Toolkit : Image::ExifTool 10.80
12Author : c3RhcmxvcmQ=
13Image Width : 1280
14Image Height : 720

Everything looked normal except te Author. I know that a Base64 value ends with a '='. I tried decoding it using


WoW, starlord is the author. Pretty impressive. I learned about steghide while going through the bi0s wiki. This tool needs a passphrase to hide something in a file and you need the same passphrase for extracting that. Well, I guess I am close to something.

1vchrombie@gf ~/Desktop/InCTF/quals/forensics [12:42:28]
2> $ steghide extract -sf chall.jpg
3Enter passphrase:
4wrote extracted data to "flag.txt".
6vchrombie@gf ~/Desktop/InCTF/quals/forensics [12:42:34]
7> $ cat flag.txt

Kitti! The passphrase was starlord, the name of the author itself. This challenge was fun.


3Points: 100
5Connect To: nc 1111
7Author: Chandu K
9File attached:

Challenge file link:


That's it. I couldn't attempt the pwning and android challenges as the time was up. The straight effort of sleepless 36 hours is 611 points. I ended up being in the top 150 and got selected to attend the Amrita InCTF 2019 Finals in December, post my last semester. Looking forward to it.

The experience of playing CTF for the first time was wonderful. I will write another blog post for the finals solves too.

Repo for reference: vchrombie/ctf-solutions.