PwCTF - Prequal - 2018

A link was posted to a challenge website: https://prequal.pwctf.com/

Step 1 - Login:


No username or password were given, guess that's the challenge.

Checked source code for interesting lines:

Line 13:     <!-- Rotation -->
Line 64: <!-- Line: Base -->
Line 128: <!-- Comments Are Awesome! -->
Line 256: <!-- Scroll! -->
Line 512: <!-- Scroll More! -->
Line 1024: <!-- It's Not Enough! -->
Line 1337: <!-- So You Think You Got What It Takes To Own The CTF? VERY LONG NUMBER -->
Line 2048: <!-- I Think You Missed It :S. Bip, Bip, Bip, Reversing To Line esaB... -->

In line 1337 we get a long string of digits that looks like hex.

VERY LONG BINARY SEQUENCE

It was hex, with each pair of digits being an ASCII character (30=0, 31=1, 62=b).

Ok so now binary to ascii?

=0aPA0SVtbDQvtvBt4JnuqJLtDKnt8TMt8TqtDJMy5TVfkJn3OFqiySVfDJMa5JLbATVyy2ni92Dt42ocA3pyASVlI3o5OPMhSTVyWKMbOPqiqTV19JrtLJFvNPVtNvPAjvVh42ocA3pyASVlI3o5Olo0OPMyEKLlIzoyqTV5kJoiEzouWUVmyTVh9Jn0IUoiAUV5WKM2IxVtNPVtbDQoOvBvZKM09zovNPVX0NYvxzAxxJC6gPL7ymH3DaGhWPV6VPMl92qmAKLjWPVtbDQfVvM0A0IDWPV6VFMgSzolI2p1WPVtbDQfVFLmDQBuA2AjDGZyOQB3VGLkpwMlVzZuWPV6VlnhIanvNPVX0jr

Yes! It looks like reversed base64...

rj0XVPNvnaIhnlV6VPWuZzVlMwpkLGV3BQOyZGDjA2AuBQDmLFVfQDbtVPW1p2IlozSgMFV6VPWDI0A0MvVfQDbtVPWjLKAmq29lMPV6VPWhGaD3Hmy7LPg6CJxxAzxvYN0XVPNvoz90MKZvBvOoQDbtVPNtVxI2MKW5VUAioUI0nJ9hVTymVUWuozEioJk5VTqyozIlLKEyMPO0olO5o3IlVSAyp3Aco24hVvjAPvNtVPNvFJLtrJ91VTqiqPObMKWyVTShMPO5o3IlVSAyp3Aco24tD29in2yyVTAbLJ5aMJDfVSyiqFO3nJkfVT5yMJDtqT8tMT8tnKDtLJqunJ4tBvtvQDbtVS0APa0=

But this decodes to gibberish :(, now what?

Wait, the hints. Lines 64, 1337, 2048, done. Lines 128, 256, 512, 1024 kind of boring. Oh line 13, rotation? rot-13!

ew0KICAianVuayI6ICJhMmIyZjcxYTI3ODBlMTQwN2NhODQzYSIsDQogICJ1c2VybmFtZSI6ICJQV0N0ZiIsDQogICJwYXNzd29yZCI6ICJuTnQ3Uzl7YCt6PWkkNmkiLA0KICAibm90ZXMiOiBbDQogICAgIkV2ZXJ5IHNvbHV0aW9uIGlzIHJhbmRvbWx5IGdlbmVyYXRlZCB0byB5b3VyIFNlc3Npb24uIiwNCiAgICAiSWYgeW91IGdvdCBoZXJlIGFuZCB5b3VyIFNlc3Npb24gQ29va2llIGNoYW5nZWQsIFlvdSB3aWxsIG5lZWQgdG8gZG8gaXQgYWdhaW4gOigiDQogIF0NCn0=

Let's try to decode again:

{
  "junk": "a2b2f71a2780e1407ca843a",
  "username": "PWCtf",
  "password": "nNt7S9{`+z=i$6i",
  "notes": [
    "Every solution is randomly generated to your Session.",
    "If you got here and your Session Cookie changed, You will need to do it again :("
  ]
}

Yay!

Ok time to login.
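
The whole decoding chain from Step 1, as an added Python example (not part of the original write-up or of the challenge). The function names and the sample JSON are made up for illustration, and it assumes the `b` in the decoded hex is the `0b` prefix of one large binary number.

```python
import base64
import codecs
import json


def hex_to_bits(hex_digits: str) -> str:
    """Layer 1: hex pairs are ASCII characters (30=0, 31=1, 62=b)."""
    return bytes.fromhex(hex_digits).decode("ascii")


def bits_to_text(bits: str) -> str:
    """Layer 2: one big binary number -> ASCII text.

    Assumption: the 'b' belongs to a "0b" prefix, which int() accepts.
    Leading zero bits of the first byte are missing from such a number,
    so the byte count is rounded up instead of slicing 8 bits at a time.
    """
    number = int(bits, 2)
    return number.to_bytes((number.bit_length() + 7) // 8, "big").decode("ascii")


def from_rot13_base64(text: str) -> bytes:
    """Layers 4 and 5: undo rot-13 (line 13 hint), then base64 (line 64 hint)."""
    return base64.b64decode(codecs.decode(text, "rot_13"), validate=True)


def decode_comment(hex_digits: str) -> dict:
    """Peel all layers in the order the write-up found them."""
    reversed_text = bits_to_text(hex_to_bits(hex_digits))
    # Layer 3: the "esaB" hint on line 2048 means the string is reversed.
    return json.loads(from_rot13_base64(reversed_text[::-1]))


def encode_sample(obj: dict) -> str:
    """Build a constructed test input by applying the layers in reverse."""
    b64 = base64.b64encode(json.dumps(obj).encode()).decode()
    reversed_text = codecs.encode(b64, "rot_13")[::-1]
    bits = bin(int.from_bytes(reversed_text.encode(), "big"))
    return bits.encode().hex()


# Constructed sample, not the challenge's data.
SAMPLE = {"username": "example-user", "password": "constructed-pw"}

if __name__ == "__main__":
    print(decode_comment(encode_sample(SAMPLE)))
```

Rounding the byte count up matters here because the reversed base64 text can start with `=` (0x3d), whose two leading zero bits are dropped when the text is written as a single binary number.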

Step 2 - Source Control:


View Source leads to https://prequal.pwctf.com/readme-src/157fa083-f9cf-4cd9-9f6d-fca666eec466/README.md which displays the following text:

Read Me
========
Can you find the file that contains a secret **SOURCE** code?  
That's where you'll find the registration URL.  
Please **CONTROL** yourself, try not to DOS our server....  

So some source control based magickaroo? Alright...

From now on all links will be appended to the challenge link replacing the /README.md part.

Some interesting files to look at:

And so on. In hindsight /refs/stash is plenty for finding the registration URL.

Contents of /refs/stash:

117e7ccdf7e84a722e75202dc1b306a7d2d51c39

So we learned that objects are saved in /.git/objects/<first two characters of the SHA>/<rest of the SHA>

Then let's navigate there!

It downloaded a file. Let's mimic a git repo on our machine: run git init in an empty directory and save the downloaded file in the objects folder as described. Now that that's done, we can use git cat-file -p SHA:

$ git cat-file -p 117e7ccdf7e84a722e75202dc1b306a7d2d51c39
tree e0a377b06fbac432f4fff4f8eba7f98eb105c4eb
parent e24a3a95d60b16038abb3a99b79629bda984b1b0
parent 16b58ef382282a619c152953c703111d86702df8
author Ubuntu <[email protected]> 1516178316 +0000
committer Ubuntu <[email protected]> 1516178316 +0000
WIP on rossg: e24a3a9 Commit 128

Ok we got 3 more files, same technique to download them and display their contents.

This is the interesting one:
$ git cat-file -p e0a377b06fbac432f4fff4f8eba7f98eb105c4eb
100644 blob 09e4f17def7f17d206045421221fe7d20050abfe    README.md
100644 blob bd2daed378ccb0f6776ba3034974b8447f8ce8ee    interesting.txt

The interesting one:

$ git cat-file -p bd2daed378ccb0f6776ba3034974b8447f8ce8ee
Not Mississippilessly? https://prequal.pwctf.com/register.php?token=1466ada0cfd4d6f3e0d0fa6b167840c5

Jackpot!

We get a page that asks for name and email for registration and then:

success

Hope to make one for the onsite challenge too!
