ICECTF 2016 Writeups

| Posted in Security Articles |


  • Sumo

I recently just started participating in CTF events with my team, NaijaSecForce. However, due to time constraints, it has always been a struggle coming up with writeups on how we solved some of the challenges. Luckily, ICECTF 2016 was on for 2weeks – so I was able to come up with writeups for some of the challenges I solved.

ICECTF is a Jeopardy-style CTF where you are given a question or task where you are suppose to extract a flag from it. I participated with my team NaijaSecForce and we placed 188th out of 1696 teams (yaaay. .we made top 11% :-).  So without further ado, let’s get to cracking.

Stage 1

Spotlight (Web – 10 Points)

Someone turned out the lights and now we can't find anything. Send halp! spotlight


Once you view the source of the webpage, you will see <script src="spotlight.js"></script>

View the content of this “spotlight.js” file and you will see the flag



All your Base are belong to us (Misc · 15 p)

What a mess… we got a raw flag but now what do we do… flag.txt


This is obviously a binary and all we had to do was to convert it to ASCII. I came up with a quick python code to do that.

import binascii

r = int('01001001011000110110010101000011010101000100011001111011011000010110110000110001010111110110110101111001010111110110001001100001011100110110010101110011010111110110000101110010011001010101111101111001011011110111010101110010011100110101111101100001011011100110010001011111011000010110110001101100010111110111100100110000011101010111001001011111011000100110000101110011011001010111001101011111011000010111001001100101010111110110110101101001011011100110010101111101', 2)

binascii.unhexlify('%x' % r)




Rotated! (Cryptography · 20 pt)

They went and ROTated the flag by 5 and then ROTated it by 8! The scoundrels! Anyway once they were done this was all that was left VprPGS{jnvg_bar_cyhf_1_vf_3?}


There seems to be a hint here as 5+8 = 13 and ROT13 is a common substitution cipher.

Using , we got IceCTF{wait_one_plus_1_is_3?}


Move Along (Web · 30 pt)

This site seems awfully suspicious, do you think you can figure out what they're hiding?


Let’s start by viewing source i.e. view-source: , from here we can see <img src="move_along/nothing-to-see-here.jpg"></img> . Then we change directory to . In there, we can see another directory which leads us to our flag secret.jpg


Substituted (Cryptography · 30 pt)

We got a substitute flag, I hear they are pretty lax on the rules… crypted.txt


Using , we got out flag IceCTF{always_listen_to_your_substitute_flags}


Time Traveler (Forensics · 45 pt)

I can assure you that the flag was on this website at some point in time.


There is a popular website – “The Wayback Machine” which  provides links to older versions of a webpage.  So we searched for in and we got our flag:



Stage 2

Complacent (Reconnaissance · 40 pt)

These silly bankers have gotten pretty complacent with their self-signed SSL certificate. I wonder if there's anything in there.


Open on chrome browser, click on the “SSL lock” >> Click on details >> certificate details and in the “Issuer” field, you will see our flag




Hidden in Plain Sight (ReverseEngineering · 45 pt done)

Make sure you take a real close look at it, it should be right there! /home/plain_sight/ or download it here


Open the file in any hex editor or use radare2 . The flag is in plain sight



Toke (Web · 45 pt)

I have a feeling they were pretty high when they made this website


  1. Register a new user
  2. View the cookies parameter and you will notice a jwt_token
  3. There is a Jwt token decoder available online here
  4. Decode and get your flag



Flag Storage (Web · 50 pt)

What a cheat, I was promised a flag and I can't even log in. Can you get in for me? They seem to hash their passwords, but I think the problem is somehow related to this.


We were given this hint that the challenge was related to SQL Injection – so we tried some basic SQLi login bypass i.e. username : admin'/* ; password: admin'/* and we got our flag



Exposed! (Web · 60 pt)

John is pretty happy with himself, he just made his first website! He used all the hip and cool systems, like NginX, PHP and Git! Everyone is so happy for him, but can you get him to give you the flag?


I had previously solved similar challenges – so what I did was to make use of GitTools.

I then navigated to the GitTools directory and ran this

root@kali:~/Desktop/GitTools/Dumper# ./ exposed


root@kali:~/Desktop/GitTools# ./ ~/Desktop/GitTools/Dumper/exposed ~/Desktop/GitTools/exponew

Then we use our old dear friend, Grep to search for the flag