ACES CTF was a Capture the Flag competition organized by the Association of Computer Engineering Students, Dharan on the occasion of ACES TECHFEST 5.0. The aim of this competition was to educate students on security concepts and help them develop practical skills in areas such as cryptography and web security.
For those who want to play the CTF, the challenges are still available at:
https://github.com/dahalsharad/ACES-CTF
CHALLENGES:
WEB:
1. COMM3NTS
While opening the URL mentioned in the task, nothing interesting was found.
While checking the source code we get:
The flag is incomplete, but the hint clearly points towards the CSS.
While checking the CSS we get the second part.
Flag: ACESCtf{Even_Dogs_Need_Love}
2. LOGIN
Opening the URL we get:
Looking into the source code, there is an interesting JavaScript function:
It compares the MD5 hash of the input with “1a1dc91c907325c69271ddf0c944bc72”.
Looking the hash up in a rainbow table we get:
Logging in with username admin and password pass, we get the flag.
Flag: ACESCtf{US3r_S1de_V@l1d@t10n}
3. ROBOTS
This challenge clearly points towards robots.txt. Opening the robots.txt of this website we get:
Opening the disallowed page:
Obviously everybody clicked, and
let's view the source code instead of clicking it:
Decoding the comment on the first line we get:
/css/r/o/b/o/t/s/file.txt
Navigating there we get the flag.
Flag: ACESCtf{Aren't_You_A_Robot_??}
4. LogIn 2.0
We get an interface similar to LOGIN.
Nothing interesting was found in the source code.
Trying SQL injection with username admin and password " OR "1 == 1, we get the flag.
Flag: ACESCtf{Aren’t_You_A_Robot_??}
5. KALPAVRIKSHA
The web interface looks like this:
While asking for the flag we get no response.
Looking at the source code we find an interesting function.
It filters the string flag from the input 3 times.
Creating a payload as: flagflagflagflag and asking for it gives the flag.
Flag: ACESCtf{F1lter_Bypassed}
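Why a fixed number of filter passes fails, as an added example (not the challenge's code): the page's function is not reproduced here, so `weak_filter` assumes each of the three passes removes only the first occurrence of `flag`; `strict_filter` and `is_allowed` are hypothetical fixes.

```python
import re


def weak_filter(text):
    """Assumed shape of the challenge filter: three passes, each removing
    only the first occurrence of 'flag' (as JavaScript's String.replace
    does when given a string pattern)."""
    for _ in range(3):
        text = text.replace("flag", "", 1)
    return text


def strict_filter(text):
    """Hypothetical fix: strip case-insensitively until a pass changes
    nothing, so no fixed number of repeats survives."""
    pattern = re.compile("flag", re.IGNORECASE)
    while True:
        stripped = pattern.sub("", text)
        if stripped == text:
            return text
        text = stripped


def is_allowed(text):
    """Stricter still: reject the request instead of rewriting it."""
    return strict_filter(text) == text


PAYLOAD = "flagflagflagflag"  # payload from the write-up

if __name__ == "__main__":
    print(repr(weak_filter("flag")))     # ''
    print(repr(weak_filter(PAYLOAD)))    # 'flag'
    print(repr(strict_filter(PAYLOAD)))  # ''
    print(is_allowed(PAYLOAD))           # False
```

Rejecting on the server what the user is not authorised to request is more robust than either rewriting approach.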
6. PARLE-G
username = Irene-322434
Googling for Irene Adler’s password we find the password to be
After successful login we find.
Looking into cookies we find a JWT token.
“eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gV2F0c29uIiwiZmxhZyI6IkFDRVNDdGZ7SXTigJlzX01vcmlhcnR5fSJ9.ALw3u_iKZJEzA5GOyuFT4kJ9NiFXvlYNkikxvDNy1MI”
Decoding this we get,
Flag: ACESCtf{It’s_Moriarty}
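The decoding step, as an added example (not part of the original write-up): a JWT's header and payload are only base64url-encoded, so anything placed in a claim is readable by whoever holds the cookie, with no key required. The function names are this example's own.

```python
import base64
import json

# Token copied from the cookie shown in the write-up.
TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gV2F0c29uIiwiZmxhZyI6"
         "IkFDRVNDdGZ7SXTigJlzX01vcmlhcnR5fSJ9."
         "ALw3u_iKZJEzA5GOyuFT4kJ9NiFXvlYNkikxvDNy1MI")

# Registered claim names from RFC 7519; everything else is application data.
REGISTERED = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti"}


def b64url_decode(segment):
    """base64url-decode one JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt(token):
    """Return (header, claims, signature_bytes) without using any key."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, b64url_decode(parts[2])


def application_claims(claims):
    """Claim names a reviewer should check for data the client must not see."""
    return [name for name in claims if name not in REGISTERED]


if __name__ == "__main__":
    header, claims, signature = inspect_jwt(TOKEN)
    print(header)
    print(claims)
    print("exposed application claims:", application_claims(claims))
```

The signature protects the token against modification only; it does nothing to hide the claims.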
CRYPTO:
1. Müller’s Secret
The attached file contains: “++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>-----.++.++.++++++++++++++.----------------.>++++++++++++++++.--------------.+++++++++++++++++++++.<++++++.++++++++++++++++++++++.-----------------------------.>----------------------.+++++++++++++++.---------------------.------.++++++++++++++++++++++.++++++.---.-------------------.<.>+++++++++++++++++++.-----------------.++++++++.+++++.---------------.<+++++++.>++++++++++++++++++++.--------------------.<---.<+++++.....>>++++++++++++++++++++++++++++++.”
The description hints towards the Brainfuck language. Decoding with a Brainfuck decoder we get the flag.
Flag: ACESCtf{I_Bet_Your_Brain_Is_F#####}
2. Vige…. What??
We identify the cipher to be the Vigenère cipher.
But we need the password to decode this.
Since the password is unknown but we know the first 7 letters are “ACESCtf”, we use this information to decode the string and get the flag.
Flag: ACESCtf{Simple_Vigenere}
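The known-prefix step, as an added example (not part of the original write-up): the challenge ciphertext is not reproduced on this page, so `SAMPLE_CT` is constructed by encrypting the flag with a made-up key, `TECH`. The function names are this example's own, and it assumes non-letters pass through without consuming key letters.

```python
import string

A = string.ascii_uppercase


def is_letter(ch):
    return ch.isascii() and ch.isalpha()


def vigenere(text, key, decrypt=False):
    """Vigenère over ASCII letters only; case is preserved."""
    out, i = [], 0
    for ch in text:
        if not is_letter(ch):
            out.append(ch)
            continue
        shift = A.index(key[i % len(key)].upper())
        shift = -shift if decrypt else shift
        rotated = A[(A.index(ch.upper()) + shift) % 26]
        out.append(rotated if ch.isupper() else rotated.lower())
        i += 1
    return "".join(out)


def keystream_from_crib(ciphertext, crib):
    """Key letters implied by a known plaintext prefix: k = c - p (mod 26)."""
    c_letters = [c for c in ciphertext if is_letter(c)]
    p_letters = [p for p in crib if is_letter(p)]
    return "".join(A[(A.index(c.upper()) - A.index(p.upper())) % 26]
                   for c, p in zip(c_letters, p_letters))


def shortest_period(stream):
    """Smallest prefix that, repeated, reproduces the recovered key stream.
    If the key is longer than the crib, this is only the key's beginning."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def recover(ciphertext, crib="ACESCtf"):
    """Return (key, plaintext) using the known flag prefix as the crib."""
    key = shortest_period(keystream_from_crib(ciphertext, crib))
    return key, vigenere(ciphertext, key, decrypt=True)


# Constructed sample: the flag encrypted with a made-up key.
SAMPLE_CT = vigenere("ACESCtf{Simple_Vigenere}", "TECH")

if __name__ == "__main__":
    print(SAMPLE_CT)
    print(recover(SAMPLE_CT))
```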
3. CAPS
The code looks like base64. Decoding it multiple times we get:
acesctf{what_about_caps??}
1111100{1000_10000_1111??}
1001100{1000_10000_1111??}
The first one surely looks like a flag, but it looks a little different from the previous flags. The flag itself is also hinting at capitalization.
Our flag should look like ACESCtf{…}. Hence a 1 in the second string suggests upper case and a 0 suggests lower case. The third one can be discarded, as it converts to “AceSCtf”, which is invalid.
Hence,
acesctf{what_about_caps??}
1111100{1000_10000_1111??}
ACESCtf{What_About_CAPS??} which is the required flag
4. PIC
The picture gives away the Vigenère cipher.
The table suggests the alphabet is in reversed order, and the missing letters are A C E S, which is the password.
Flag: ACESCtf{Vigenere_Once_Again}
5. BOMB
In this challenge, “M4 Shark B thin” hints at Enigma.
The incomplete address at the end can be read using devtools; it says “bletchley park”.
Using an Enigma decoder we get
acesctf{enigma_busted} and 1111100{100000_100000} gives us the flag.
Flag: ACESCtf{Enigma_Busted}
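The two decoding steps used in CAPS, and the case mask used again in BOMB, as an added example (not part of the original write-up): the challenge's encoded file is not reproduced on this page, so `SAMPLE` is constructed by wrapping the three decoded lines in five layers of base64. The function names and the layer count are this example's own.

```python
import base64
import binascii


def peel_base64(data, max_layers=50):
    """Decode nested base64 until the text is no longer valid base64.
    Returns (plaintext, layers_removed)."""
    layers = 0
    while data and layers < max_layers:
        try:
            decoded = base64.b64decode(data, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break
        data, layers = decoded, layers + 1
    return data, layers


def apply_case_mask(text, mask):
    """'1' upper-cases the letter at that position, '0' lower-cases it;
    any other mask character must equal the text character."""
    if len(text) != len(mask):
        raise ValueError("mask and text differ in length")
    out = []
    for ch, m in zip(text, mask):
        if m not in "01" and m != ch:
            raise ValueError(f"mask {m!r} does not line up with {ch!r}")
        out.append(ch.upper() if m == "1" else ch.lower() if m == "0" else ch)
    return "".join(out)


def wrap(text, layers):
    """Build the constructed sample by base64-encoding `layers` times."""
    for _ in range(layers):
        text = base64.b64encode(text.encode()).decode()
    return text


def candidate_flags(blob):
    """First decoded line is the text, every further line is a mask."""
    plain, _ = peel_base64(blob)
    text, *masks = plain.splitlines()
    return [apply_case_mask(text, m) for m in masks]


SAMPLE = wrap("acesctf{what_about_caps??}\n"
              "1111100{1000_10000_1111??}\n"
              "1001100{1000_10000_1111??}", 5)

if __name__ == "__main__":
    print(candidate_flags(SAMPLE))
    print(apply_case_mask("acesctf{enigma_busted}", "1111100{100000_100000}"))
```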
FORENSICS:
1. St. Rings
The attached image is:
Here St. Rings is just a cryptic way to say “strings”. Checking strings of the image we get the flag
Flag: ACESCtf{Kapustin_Yar}
2. DATA Breach
The attached file is here.
So, this is a SQL dump. Searching for ruby we get only one Ruby Smith, whose username is “Rsmith321”.
Searching for Rsmith321 we get the user ID:
This user ID reveals a hashed password:
Hence, cracking the hashed password we get:
hash = qwerty
Flag: ACESCtf{qwerty}
3. HE58
The given file was corrupt.
Opening it with a hex editor we can see its header is not correct.
After changing header to FF D8 FF we can open the file:
Flag: ACESCtf{Headers_Are_Important}
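The header check and repair, as an added example (not part of the original write-up): the challenge file is not reproduced on this page, so `SAMPLE` is a constructed byte string with the first three bytes zeroed. The function names and the JFIF/Exif heuristic are this example's own.

```python
JPEG_SOI = bytes.fromhex("FFD8FF")  # start-of-image plus first marker byte
JPEG_EOI = bytes.fromhex("FFD9")    # end-of-image marker


def looks_like_damaged_jpeg(data):
    """True when the first three bytes are wrong but the rest still looks
    like a JPEG: a JFIF/Exif tag at offset 6 and an FF D9 trailer."""
    if data[:3] == JPEG_SOI:
        return False
    has_app_tag = data[6:10] in (b"JFIF", b"Exif")
    has_trailer = data.rstrip(b"\x00").endswith(JPEG_EOI)
    return has_app_tag and has_trailer


def repair_jpeg_header(data):
    """Return a copy whose first three bytes are FF D8 FF."""
    if data[:3] == JPEG_SOI:
        return data
    if not looks_like_damaged_jpeg(data):
        raise ValueError("no JPEG structure found; refusing to patch")
    return JPEG_SOI + data[3:]


# Constructed sample: a JFIF APP0 segment with the first three bytes zeroed,
# some filler standing in for image data, then the end-of-image marker.
SAMPLE = (bytes.fromhex("000000E000104A46494600010100000100010000")
          + b"\x11" * 16 + JPEG_EOI)

if __name__ == "__main__":
    print(SAMPLE[:10].hex(" "))
    print(looks_like_damaged_jpeg(SAMPLE))
    print(repair_jpeg_header(SAMPLE)[:10].hex(" "))
```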
4. DOGE’S SECRET
Looking at its EXIF details we find the password.
Using the steghide tool with the password Jackson we find a new image.
Decoding this image again using steghide we get the flag.
Flag: ACESCtf{DOGE_TO_THE_MOON}
OSINT:
1. Colosseum
Google search on this image reveals the image to be from Gladiator.
Googling “Where was Gladiator Colosseum scene filmed?” gives us Fort Ricasoli, Kalkara.
Fort Ricasoli’s Wikipedia page gives us the coordinates.
Flag: ACESCtf{35°53′51″N,14°31′33″E}
2. All You Need
Mentioned web interface:
The website was just a distraction; ALL YOU NEED was actually in the description. “I find social media to be a soul-sucking void of meaningless affirmation.” is a famous line from the web series “Wednesday”, said by “Wednesday Addams”.
Flag: ACESCtf{Wednesday_Addams}
3. ELSE IF OR
Looking at the EXIF data we get the author's name.
“Aphotographer7” turns out to be the Twitter username of the author. Scrolling through his Twitter profile we get the hashtag.
Flag: ACESCtf{#Messi}
4. IMPOSTER
The snap reveals the imposter’s email address krakenjawbone@gmail.com
Using Epieos we get a weird name.
The name turns out to be a YouTube channel. Building the channel URL as https://www.youtube.com/channel/UCdTWiYFd-TcWvEpNxfs8ETw, we get the name:
Flag: ACESCtf{Andrew_Smith}
5. ACES
Visiting https://aces.ioepc.edu.np/ we find nothing.
The description said, “ACES has erased all of her information from their website, but a trail of clues still remains.”, which hinted towards the Wayback Machine.
In a capture from Jan 14 2023, there was a new member who wasn’t present on the live website, and her profile picture made it clear she was the one.
Visiting the link we found nothing interesting.
Since this webpage was hosted on GitHub, we visited her GitHub profile and found another repo, “web-old”, which contained a similar webpage.
While comparing both, a pastebin link was found on web-old webpage.
Visiting the pastebin link we get the diffuse code
Flag: ACESCtf{5567453642536SSf7663ytuewt}
Contact me:
Personal Website
Twitter: d_sharad_
Github: dahalsharad