3108 CTF (2024)

This is my writeup for some of the challenges in 3108 CTF organized by Bahtera Siber. The event was made possible thanks to the support of many sponsors, including rawSEC and Yayasan Digital Malaysia, among others. While I may not list every sponsor by name, my respect and gratitude extend to all who contributed to making this event a success. Nonetheless, enjoy reading !

📝 Mesej Rahsia

Material

a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z='j','b','a','c','m','n','i','p','o','q','r','t','x','z','v','s','u','y','h','g','d','e','f','k','l','w'
flag=((3108,"{",p,q,b,p,l,g,l,q,l,v,"_",d,g,h,s,v,k,"_",l,v,m,l,"}")[::-1])

Flag

Firstly, the script doesn't have a print function so it will not display any output. Secondly, if it DOES have a print function, it will display the flag in reverse order and the strings not joined together. Use str to convert the number 3018 and join all the flag tuple to a one big string. Run the modified code below to get the flag.

a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z='j','b','a','c','m','n','i','p','o','q','r','t','x','z','v','s','u','y','h','g','d','e','f','k','l','w'
flag=((str(3108),"{",p,q,b,p,l,g,l,q,l,v,"_",d,g,h,s,v,k,"_",l,v,m,l,"}")[::1])
print("".join(flag))

3108{substitute_cipher_text}

📝 Tinggi Lagi

Material

Flag

Just use Google Lens to identify what building it is. It's the Tradewinds Square Tower. Search it up on Google Maps and right click on the location to reveal the latitude and longitude values. Remember, only two decimal points lads..

3108{3.15,101.70}

📝 Cer Cari

Material

17KB
CerCari

Flag

The text file contains a long list of flag possibilities in year format. However, the hint tells us to search up a little bit about an important year for the state Sabah. The year 1863 is when Sabah got their independence.

3108{S4b4h_1963}

📝 Sarawak Kita

Material

783KB
Sarawak_KITA.doc.bin

Flag

The file itself is a Word document so change the extension to the correct one. I tried to extract any embedded data using binwalk but no luck. But Word documents may contain macros that can be inspected. Use olevba to perform the inspection.

Notice that there is a peculiar base64 encoding there. Decode it using any decoder you like and retrieve the flag.

3108{Kuch1ng_1bu_N3g3r1_S4r4w4k}

📝 Makanan Popular

Material

758KB
Makanan

Flag

An exe file is given. Before even inspecting its behaviour, use strings utility to display readable strings of the executable and use grep to filter out the flag format.

📝 Wordle Bahasa Utaqa

Flag

Simply play the wordle game to get the flag.

📝 Kontras

Material

99KB
Sejarah_Ringkas.pdf
pdf

Flag

Open the file and there would be some texts being censored. As the name Kontras suggests, maybe the flag is censored in white censor hmm. Just search the word 3108{ and you'll be fine.

📝 Jauh Bono Umohnyo

Flag

Input the code into cipher analyzer to determine the cipher which will be Multi-Tap Cipher.

3108{REMBAU_MOST_WANTED}

📝 Hang Tak Tidur Lagi ?

Flag

Enumerate the source code for any information and looks like we've found ourselves some credentials, great !

It doesn't end there as it says that we have no access to the flag. Look at the question again and notice that the word Pembesar Berempat is in bold character. Make a quick search about Pembesar Berempat and they would be Bendahara, Penghulu Bendahari, Temenggung dan Laksamana. Maybe we need to login using each of their account's to get the flag.

Open up the browser's developer tools and check the cookie set for our Laksamana Hang Tuah login session. The cookie has a "role" section and the cookie set looks encoded. Decode it using base32 and we will get the role in plaintext which is LAKSAMANA. Now decode Bendahara, Penghulu Bendahari and Temenggung in base32 and set them as the cookies. Next, reoad the page to retrieve the parts of the final flag.

3108{1d0R_s4nGa7l4h_Bah4y4!}

📝 Sultan Yang Hilang

Material

Website interface

Flag

Take a look at the source code of the website to further understand the workings of it. We can see that it fetches data from an API which is the year of a sultan's reign. Back at the website interface, copy all the Sultan names and paste in ChatGPT to reveal which Sultan is missing in the list. As a result, we can know that Sultan Muhammad III is missing.

Note that the sultanYears array contains the years when each of those Sultans first began their rule. Sultan Muhammad III first began his ruling era in 1889. So we should try fetch some data using 1889 year.

We can use curl command to fetch the data about the year 1889 and it will reveal the flag.

📝 Tanpa Nama 3

Material

606B
cryptochalle.py

Flag

The material given is a Python script that performs a XOR operation but doesn't yield any result or output because it lacks print() function. If it has the function, it would display result in binary form. We need to convert the binary results to ASCII characters in order to be able to read it. Use the modified code below and run it to get the flag.

def xor_with_binary(binary_str, xor_str):
    binaries = binary_str.split()
    xor_num = int(xor_str, 2)
    xor_results = []
    for b in binaries:
        num = int(b, 2)
        result_num = num ^ xor_num
        xor_results.append(format(result_num, '08b'))
    
    # Convert the binary results to ASCII
    ascii_results = ''.join(chr(int(b, 2)) for b in xor_results)
    return ascii_results

binary_str = "01010110 01010100 01010101 01011101 00011110 00110110 01010100 00101000 00110101 00101001 01010110 00111010 00100110 00110111 00110101 00111100 00110001 01010101 00111010 00100110 00101101 00100100 00101001 00101001 00100000 00101011 00100010 00100000 00011000"
xor_str = "01100101"

result = xor_with_binary(binary_str, xor_str)
print(result)

📝 Lahad Datu

Material

78KB
Lahad_Datu.docx

Flag

Now we have a .docx file on our hands but the problem is it is locked. We need to figure out something. For this, we need to use office2john to extract file password hash value from the file and fire up johntheripper to crack the hash. Save the hash into a .txt file

Use johntheripper to crack the hash and retrieve the plaintext of the hash. Please note that this may take several minutes to complete.

It looks like we have found the flag but nope. It doesn't end here. Hint says the flag is not what we thought of, so try to analyze what cipher it is encoded with. It seems impossible to decode it so we have to look for clues. In the file, notice that the word JamalulKiramIII is in bold characters, maybe we can use it as a key for decoding. After some tries, it came out as Vigenere Cipher.

📝 Jalan Jalan Desa

Material

306KB
Syah_Vacation.jpg
image

Flag

Use Google Lens to identify the place in the image. Leverage Google Dorking to look for the flag.

📝 Sejarah N9

Flag

Use cipher analyzer to determine the cipher type. Scroll through the numerous possibilities and look for the one that makes sense. Change the option to be in Brute-Force mode.

📝 Sambungan Telefon

Flag

Take the numbers to a cipher analyzer and we would know that it is encoded using Numeric Keypad Draw cipher. The challenge name is "Sambungan Telefon" so we can guess it got something to do with mobile phone. In the cipher analyzer, choose the Device option to be Phone Keypad as shown in the image below.

3108{hobinjanghobin}

📝 Pandak Lam

Material

1KB
Sumber_Sekunder.txt

Flag

The .txt file contains unreadable contents. Decode it using ROT13 and search for the flag in it.

3108{k3b4ngk1tanp4hl4w4n}

📝 Mamu Kasi Tau

Material

308KB
mamu_kasi_tau.mp3

Flag

The mp3 file doesn't make sense at first because the sound is like a mumbling sound. Reverse the sound and Mamu will literally tell us the flag !

3108{peningtelinga}

📝 zZzZz

Flag

Open the website and a trivia question will greet us. Answer it and we will be given a cipher text :

0x33z0x31z0x30z0x380x7bz0x37z0x30z0x30z0x650x66z0x34z0x61z0x37z0x39z0x39z0x350x39z0x360x31z0x350x62z0x360x37z0x650x61z0x35z0x32z0x39z0x37z0x65z0x37z0x32z0x350x63z0x300x36z0x65z0x7dz

Decode it using Cyberchef with From Hex option.

📝 Hulu Selangor

Flag

The website returns 403 code forbidden. It looks like we have to use curl to fetch the webpage. Inspect the source code and we can see some interesting web pages we can use to further our journey.

<!DOCTYPE html>
<html lang="ms">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Sejarah Penubuhan Negeri Selangor</title>
    <link rel="stylesheet" href="style.css">
</head>
<body>
    <h1>Sejarah Penubuhan Negeri Selangor</h1>
    <p>Negeri Selangor merupakan salah satu negeri yang terletak di Pantai Barat Semenanjung Malaysia. Negeri ini terkenal dengan kekayaan sejarah dan budaya yang pelbagai.</p>

    <h2>Daerah-daerah di Selangor:</h2>
    <ul>
        <li><a href="/hulu_langat.html">Hulu Langat</a></li>
        <li><a href="/klang.html">Klang</a></li>
        <li><a href="/kuala_langat.html">Kuala Langat</a></li>
        <li><a href="/kuala_selangor.html">Kuala Selangor</a></li>
        <li><a href="/petaling.html">Petaling</a></li>
        <li><a href="/sabak_bernam.html">Sabak Bernam</a></li>
        <li><a href="/sepang.html">Sepang</a></li>
        <li><a href="/gombak.html">Gombak</a></li>
        <li><a href="/hulu_selangor.html">Hulu Selangor</a></li>
    </ul>
</body>
</html>

Use curl to fetch every page and we will get the flag on the /hulu_selangor.html page.

3108{S3lang0r_temp4t_kelahiran_ku}

PreviousAbout MENextSSH Architecure using IDS, IPS, Port Knocking and SIEM System

Last updated

Was this helpful?