Template Shack

Web [150 pts]

Description: Check out the coolest web templates online!

When we first visit the site we are greeted with a normal dashboard and seems to use a template engine. So we know our exploit will involve templates.

One useful information is the JWT, when decoded, gives this:

So we know it is using HS256 and if we want to elevate our privileges, we need our username to be admin. HS256 can be brute forced if it has a weak secret, so trying that with JTR, we receive the signature secret:

Changing the JWT username to “admin” and verifying it with our secret will allow us to access the admin panel.

An interesting find when we visit a 404 page on the side navbar:

Since it is printing us /admin/charts.html, we can try to use this as an injection point for SSTI.

Using the payload {{config}}, we leak information about the application:

Using this payload, we are able to see the current files in the directory:


Now we do see a flag.txt, so we simply change the ‘ls’ to cat the flag:

Lightweight Contact Book

Web [150 pts]

Description: Lookup the contact details of any of our employees!

When we visit the page, we see an employee look-up tool.

Given the name “Lightweight”, this hints that the web app is using LDAP (Lightweight directory access protocol)

Resource: https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol

Typing an asterisk (*) in the search bar gives us all the users.

So, our goal is to do an LDAP injection to leak information. We cannot sign in as admin without the password, but we do see a “forgot password” feature for the web app. Clicking on it gives this information:

The description field is a built-in LDAP field. More reading here: https://docs.bmc.com/docs/fpsc121/ldap-attributes-and-associated-fields-495323340.html

After messing around with the search bar and receiving errors, one payload gives us a pass:


This payload will show the admin user and verifies that our payload matches what is stored in the description field.

Using a short python script, we can do a blind LDAP injection to retrieve the password:

Logging in with “administrator” and the extracted password “very_secure_hacktivity_pass”, we get the flag:

Official Business

Web [125pts]

Description: Are you here on official business? Prove it.

When we visit the page, we are greeted with a generic login page. When attempting to log in as admin, we get redirected to a 403 Forbidden error page.

Since we don’t receive much information from this and it is not a SQL injection vuln, we navigate to /robots.txt and find source code.

So we know our backend is Flask and there is a way that we have to log in. We notice that it is quite difficult to bruteforce the password to decrypt to the requested text. So we turn our attention to cookies.

When we enter the home page, the server calls load_cookie(), which gets “auth” and verifies it. We get our “auth” from do_login(), which only includes username, password, and a check if admin is true. So we mimic this in a short Python script:

Finally we create our “auth” cookie while intercepting a GET request to the home page and enter our value, receiving our flag:

Flag Jokes

Web [200pts]

Description: Want to hear a joke? Want the flag? How about both? Why don’t YOU tell me a joke!

We reach a login page and attempt to login as any user, it seems any user is accepted. So logging in as “lmao”, we receive this message:

The interesting piece of information we get is a cookie, most notably a JWT, that when decoded, gives this:

A few interesting information in the headers that are not commonly noted are:

jku (JWK Set URL) and kid (key id).

Resource: https://tools.ietf.org/html/rfc7515

Now we notice that jku is used in localhost, so if we browse to the challenge/static/jwk.json, we receive their signing algorithm:

If we have this, we can forge our own JWK on our own web server and create our own public/private key as well as modify the payload. So to do that, we start by creating our RSA key pair:

We notice in our given JWK that “e” and “n” are defined, so to extract “e” and “n” from our public key, we use a short python script:

Next we have to convert our “e” and “n” to base64 since that is the format we received from the challenge.

Using this information, we add this to our “e” and “n” in our forged JWK:

Adding all the pieces together, we use our private and public key for generating and verifying our JWT respectively. Then we modify our payload to the requested “admin” as well as use the JKU header to include our own web server URI with the forged payload:

Now replacing the cookie on the challenge with our new JWT token, we receive our flag:

Tree Man

OSINT[300Pts] Given Information: I’m so glad we’ve got you on the team; I don’t think we’d have manged to get that last one if it weren’t for you. We’ve been watching the account, and the target just posted another image. This guy really doesn’t learn. We don’t think he’s left Spain yet, but we really need this one pinpointed exactly. Can you work where he took this?

The map here should be accurate to 50 meters.


First thing is to Reverse Image search for any clues. Key search words are Spain Tree Man.

Copyright: (c) Blitzy | Dreamstime.com

Found an exact copy of the “Tree Man.” Note the tags are: Park Portaventura and Entrance. So we now have an exact location.


We can now see where the entrance is from this map given by the Port Aventura website.

Matching it to Google Maps, then using the link to locate the exact location to the challenge.

Correct Flag

Dead Man

OSINT[350Pts] Given Information: Aargh! They gave us the slip again. We got another image from their Twitter, but it doesn’t look like they’re in the same country anymore. Are you able to track them down again for us and tell us the town they’re in? You’re our best man at this point, so we’re expecting great things.

Our map here should be accurate to 500 meters.

Right way the language was a dead give away at Thai or some Southeast Asian Language.

Educated Guess it was Thai
Christian Cemetery

Christianity is not very big in Southeast Asia. Searching for a Christianity Cemeteries yielded:

One of the more interesting results were the Kanchanaburi War Cemetery

Kanchanaburi War Cemetery, Thailand

The three noticeable features are the same cross, cemetery pattern, and with similar buildings in the background.

Submitted Flag Location(Correct)

Suspended Belief

OSINT[350Pts] Given Information: Amazing work with that last image! We dispatched a team right away, but it seems our target was one step ahead of us. We’re not sure what they’re planning, but we managed to download one final image off the Instagram account until they locked it down.

Can you work out where this picture was taken? One of the guys thought it might have been Queensferry crossing, but that doesn’t look right. You’ll have to be accurate to within 2 kilometres.

Doing a basic Google search of the username yielding someone from of Chinese origin.

Could just be a coincidence, but checking for suspended bridges in the Chinese area. I found one in Hong Kong called “Tsing Ma Bridge”

Tsing Ma Bridge from Google Search

Tried the location of the Tsing Ma Bridge

Flag was found when submitting the location.


Misc [300pts]

Description: Spentalkux 🐍📦

So the description for the challenge is a little vague. But, looks like its a Python package called Spentalkux.

When we import the latest version of this package, we get a message and a small cipher:

This message is a Vigenere cipher. When we decode this, we get a pastebin link:

“Hello, If you’re reading this you’ve managed to find my little… interface. The next stage of the challenge is over at https://pastebin.com/raw/BCiT0sp6″

The pastebin link contains a large hex value that when decoded using CyberChef, we get what looks to be an image:

We use a small python code to convert to image based on this link: https://stackoverflow.com/questions/50734133/convert-hex-text-file-to-original-imagejpeg-in-python-or-java-code/50734487

and what we get is a picture that says:

The binary is decoded into: _herring. Indicating that this is a red herring. Now “look back into the past” can mean many different things. For this, I looked up spentalkux again and it seems there was a previous version as well.

So I ran pip install spentalkux==0.9.

Importing this version of spentalkux, we are greeted with a different message:

Using CyberChef once again, this message is decoded in the sequence of:

From Base32 -> From Base64 -> gzip

Extracting the gzip gives us a large binary. Following this decoding sequence (lots of trial and error), we eventually reach the flag:


Misc [400pts]

Description: https://youtu.be/zi3pLOaUUXs (We are given a YouTube link)

We are given a YouTube link that shows a bunch of barcodes changing quickly within a 6 second video. There are numbers being repeated throughout as well.

So after recording down the numbers, I downloaded this YouTube video and extracted the frames out of the mp4. After running each image through a barcode scanner, we see that there are values of this ordering:

5WlndrAehA 8PdGSTvnaY 9zuPGubRMc 7cyqggztfa 6AqGoWfWwR 7JwvAOM{Px 4JIEbOEkws 5NDuG4sOeb 9chPBBYtfr 8iwkHVYpcf 7hVMGQe0xL 3vBdLvZLbB 2T3iNatxiU 5kNLb_eoyi 4AfAmLXyJo 4oFE4iSJmP 3ajdUBIXVe 4oAQnoJxEV 8SzMNoIa3j 9aaIBHbqls 2vsDNpidao 1}gfkrtfrm

It turns out that the beginning number for each decoded barcode and the numbers being said in the video match. After some careful analysis, we notice that each index of the decoded barcode corresponds to the flag we are looking for:

Flag: ractf{b4rc0d3_m4dn3ss}

Mad CTF Disease

Misc [350]

Description: Todo: [x] Be a cow [x] Eat grass [x] Eat grass [x] Eat grass [ ] Find the flag

So we are given a picture of a cow. In cow.jpg

Running Steghide on this image gave us moo.txt:

I did not know what this was so I randomly googled: “decode moo”

We are given a link that resembles the same type of text given to us:


It turns out that this is a COW esolang. So decoding our text using the above link gives us: