WriteUp of VIIT CTF V2_Part-2

Hello, this is part 2 of the short writeup series of VIIT CTF V2

Team - N00bs | Position - 2nd (Runner ups) | Team Members:

vj0shii - Vaibhav Joshi | p4nk4j - Pankaj Verma | H4$H - Anuja Khandelwal | loopspell - Ankit Kushwah Note- I havn’t made notes for some of the challanges as I was in hurry to complete all, so there may be chances that some Strings or Filenames may be different from original, but the method is correct


Crack It

For this challange, 1 file containing hash is provided, and a link to a login page

On researching found that the hashes are bcrypt encrypted, to decrypt I used Decryptor

python3 crack.py
You want crack? y/n y
hash to crack: --HASHHERE--

Decrypting both the hashes with this and logged in with found credentials, after login found the flag

Fuzz It

For this challange a domain is provided, where we need to fuzz the directories, I used dirsearch for this

after directory brute forcing found a number of directories, the hint is that, if you are in current directory you will see text Fuzz Dipper and if you are in incorrect directory, it will show something that This is not the directory

When you reach at last directory a text will show on the page like The flag is in front of you, open the source of the page and the flag is in html comment

Shell It

A domain is provided to start the challange, on the domain homepage it is written that there is a cmd parameter which can be used to execute command, to execute ls visit


there was a file names flag.txt, reading the file to get flag



FTP - Removed from the CTF

A domain is provided to start the challange, first started enumeration of ftp if any vulns exist or any misconfiguration but found nothing

On the webserver found robots.txt with a entry, on visiting that link, found base64 encoded credentials, decoded the strings and used as username and password to login into ftp

flag was in a file inside ftp, just get the file and read it


After getting ftp access, found a ssh key on the server, with filename - tonystark, from that I guessed user as tonystark

when tried to login found that, there is a need of passphrase to login with the key

cracking the passphrase

I used two tools for this ssh2john.py & john, first convert hash from ssh key from ssh2john then crachek the hash with john

$ ssh2john.py tonystark > hash
$ john -w=rockyou.txt hash

Found passphrase with this and logged in with the key with below command

$ ssh -i tonystark tonystark@viitctf

On the home directory found the flag in a file


After completing SSH there was a hidden file in the home directory .db.php which cotains code to connect with mysql server and containing bcrypt hashes of username & password,

decrypted that as did in Crack It, and login in mysql server with the creds and get the flag



Analysing the binary in radare2

$ r2 d ./rev3_x64
> aaa               analysing the binary
> afl               loading all module and listing
> s sym.print       Opening print function because it is the function looked suspecious to me after going through other functions
> pdf               To view the the assembly code

In the assembly code i found 3 strings , combined them in a single string & tried to submit it as flag but falied

After that for better understanding decompiled the binary with ghidra and viewed the source code manually, a small part of code is below, which is useful

if (*(char *)(parm_1 + 1) == A) {
else {
  printf("13 ->")

After some hit and try got nothing, after some research for encoding I came across rot13 encoding, which is a hope as the else condition is “13 ->” which is similar, I reverted the strings, with the string in this code I found nothing, but remember the string we found in starting with radare2, when I reversed that, what I found looks like a sentence and made sense

So I combined it with VIITCTF to make standard format as from the code


Submitted the flag successfully


Working on it comming soon

Written on June 3, 2020 by Vaibhav Joshi