CursedNova logo

Basic Information

Event type CTF
Organized by SecuRing
Start Time June 6 (11:00 a.m.) CEST
End Time June 20 (11:00 a.m) CEST
URL https://ctfd.cursednova.securing.pl
Based on SteemNova
Challenges solved 10/25
Points gathered 430
Place 32nd

Challenges

Network

Misc

Programming

Web

Write-up

Basic Findings

This part will describe the things that helps in later tasks, so please make sure that you read it first.
In any of the Network Response you will be able to find X-Powered-By PHP/7.3.33 header in response that is worth noting. Ctf is based on Steem Nova engigne, that is avaialble on Github you can use it for routes, files etc. It is possible to read the source files by using special url for example: Source. By checking the source of source.php you will be able to find that files with words 'flags', 'custom', 'cache', 'templates_c', 'backups', 'config', '.log' are excluded.

Challenge name: Communication Breakdown

Category: Network
Points: 50
Software used: Wireshark, John the Ripper
Challenge description

"I can't do it anymore", thought Twardowski. "Being a prisoner is one thing, I can handle being alone. But these attacks... I don't deserve this. I'm still suffering from a stupid mistake I made two centuries ago..."

communication_breakdown.pcapng

Lets take a look at the file in the description, extenstion of the file is .pcapng on wireshark wiki we can find that it is PCAP Next Generation Dump File Format. Lets open it with wireshark then. You should view similiar to this one: screenshot from wireshark It seems like it is a capture of some FTP communication and we can that as a result of this exchange there's a file called flag.zip. Click on this packet with your right mouse button and choose Follow -> TCP Stream. In Show Data As choose RAW and save the file. Unluckily this zip file needs a password. I was not able to think about any clue from the description so decided to crack it up. Lets start by getting right hash for our john the ripper, do it you need to run command similiar to this zip2john flag.zip > zip.hash. Then we just need to crack this hash, to do it lets try john the ripper with standard dictionary usign this commandjohn zip.hash. screenshot from john the ripper
Use this password and flag will be in the text file that is inside.

CURSEDNOVA{FtP_N0t_s0_s4f3_oops}

Challenge name: Trademark

Category: Network
Points: 120
Software used:
Challenge description

Our law deparment already prepared the papers for trademark registration. Soon, we will be able to use the CursedNova™! We need to hurry and register the proper domains. We already registered cursednova.PL, but there will be many more! TLDr: go for it!

Challenge name: Cipher suite

Category: Network
Points: 120
Software used:
Challenge description

The DDT (Devil Development Team) created the new shiny leet cipher suite that will be used to secure the communication between Hell and CursedNova departments. In a couple sprints there will be also a release of the modified OpenSSL binaries. Stay tuned!

Challenge name: Welcome to CursedNova

Category: Web
Points: 10
Software used: Firefox
Challenge description

Welcome to CursedNova! Please register - and don't forget to read the rules!

Task is pretty simple to make you familiar with the system. When entered https://uni1.cursednova.securing.pl/ url you will be able to find Register Now! button. At the bottom there will be a link to Rules, flag is at the bottom. Don't forget to register your user anyway as you will need it later.

CURSEDNOVA{The_game_is_on!_Douy3bah}

Challenge name: Hidden Universe

Category: Web
Points: 50
Software used: Firefox
Challenge description

Are we really alone in time and space? Is it only Nekla? Try to discover hidden universes.

Lets get once again to login page.
We can see dropdown that lets us choose the Universe, but there's only one option possible:
task_9
Maybe it will be worth inspecting this select element? (use your Right Mouse Button and choose Inspect from contextual menu) 


          <select name="uni" id="universe" class="changeAction">
            <option value="1" selected="selected">Nekla</option>
            <option style="display:none" value="2">Sagitta Adastreia</option>
            <option style="display:none" value="3">Icarius Star System</option>
            <option style="display:none" value="8">Crux Sirius</option>
            <option style="display:none" value="13">Hemithea Galaxy</option>
            <option style="display:none" value="21">Capella</option>
            <option style="display:none" value="34">Aegialeus Nebula</option>
            <option style="display:none" value="55">Aquila Eioneus</option>
            <option style="display:none" value="89">Zeta Hyperion</option>
          </select>
We have more options, but they seem to be hidden. The thing that we should look for is that we have Fibonacci numbers, but they are missing 5.
Lets try chaning value of Nekla option to 5 and login with our registered credentials. Flag will be shown in query after.

CURSEDNOVA{I've_a_feeling_we're_not_in_Kansas_anymore_wua7Rua1}

Challenge name: 1337

Category: Web
Points: 50
Software used: Firefox
Challenge description

Legend has it that a person who has 1337 metal in their storage will receive a blessing.

Challenge name: Robot Language

Category: Web
Points: 50
Software used: Firefox
Challenge description

Robots don't speak English... Does this app offer any normal languages, like, I don't know, the robot language?!

After playing a bit with source reading I was able to find that there's a directory called language/robot, but couldn't take it any futher.

Challenge name: Roll the dice

Category: Web
Points: 50
Software used: Firefox
Challenge description

Wise man once said "Fortune favours the brave". Can you beat the odds and roll the dice 100 times with all of them landing on 1? Hop in the chat and try your luck with the /roll command!

Lets get to the chat page and lets try the roll command.
Adishone rolls 1d6 and gets 3
It seems that we have a possbility to roll different dices same as in Role Playing Games when your dice can have more edges than six. Lets try suppling parameters to roll command like that /roll 1d1 and repeat command two times.
Adishone rolls 1d1 and gets 1
Adishone rolls 1d1 and gets 1
Seems like we are able to specify parameters like that and d stands for dimension, so for now we are rolling dice with only one value, we are halfway there.
Lets try to play a bit with the first number now /roll 5d1
Adishone rolls 5d1 and gets 1,1,1,1,1
Ok seems like the first number controls how many times are we rolling our dice. Lets go with command /roll 100d1. Flag will come up in chat.

CURSEDNOVA{They_see_me_rollin_c​hunaeF6}

Challenge name: Note

Category: Web
Points: 50
Software used: Firefox
Challenge description

It's good to know your enemy. Can you access Twardowski's notes?

Lets visit the notes page small popup should show up and let's try to create a new note. In my case url looked like this:
https://uni1.cursednova.securing.pl/game.php?page=notes&mode=detail&id=30
Maybe we could get notes of other user by manipulating the id parameter? Let's try going for id 1, you can paste it into another tab of the browser. Flag will show-up in that note.

CURSEDNOVA{Twardowski's_curse_iemeV0ou}

Challenge name: FAQ

Category: Web
Points: 50
Software used: Firefox
Challenge description

Check out the FAQ!

By visitng FAQ page I was unable to find anything so decided to use source checking and found this interesting part:
header("Secret: " . $LNG['W7_FAQ']);
Lets check the headers in response for FAQ page then, flag will be visible in Secret header.

CURSEDNOVA{The_answer_you_were_looking_for_Euj4ar8e}

Challenge name: Disabled

Category: Web
Points: 50
Software used: Firefox
Challenge description

Excuse me Sir, our workers say they have no clue how to build the Metal Mine. Can you help them with that task?

When visitng buildings page you will see that build link is greyed out on Metal Mine.
Lets inspect the code for that link 


          <form action="game.php?page=buildings" method="post" class="build_form">
            <input type="hidden" name="cmd" value="insert"> 
            <input type="hidden" name="building" value="1">
            <button type="button" class="build_submit" style="color: gray;">Build</button>
          </form>
You could probably already see what's the problem, but lets compare it with other button <button type="submit" class="build_submit">Build</button> Problem is that button type is not set to submit, let's change it and click build, flag will show-up on the building card, but you will need to refresh the page.
Flag will only show up on level 1 metal mine, so be sure to pick up the flag before upgrading the building.

CURSEDNOVA{Do_not_trust_frontend_security_puch8Air}

Challenge name: Alliance

Category: Web
Points: 50
Software used: Firefox
Challenge description

Create your own alliance.

When visitings alliance page and try to create a new alliance you will be greeted with message:
Functionality available only from localhost
Lets take a look at source code: 

          
            private function createAlliance()
            {
                $action    = $this->getAction();
                if ($action == "send") {
                    $checkOriginIpResult = checkOriginIP(getallheaders());
                    echo($checkOriginIpResult[1] . "\n");
                    if($checkOriginIpResult[0] === true)
                        $this->createAllianceProcessor();
                } else {
                    $this->display('page.alliance.create.tpl');
                }
            }
Unluckily we are not able to check what's in the checkOriginIP function as it is a part of excluded routes, but we can assume that we need right ip in the headers. Lets play a bit with it, by navigating to Network tab in Firefox and using Edit and Resend on our POST Request.
By changing Origin header to localhost we will be greeted with message: Not localhost enough
which could indicate that we are going into right direction. Tried going for double Host header, but with no luck. Changing Referrer to https://localhost/game.php?page=alliance&mode=create doesn't work either.

Challenge name: Mindblown

Category: Web
Points: 50
Software used: Firefox
Challenge description

Hey, hey - here! Do you want something good? I've got something nice, just look into your messages, the one from the Administrator. This will blow your mind!

When visitng messages page there's one message from admin that goes like this:

          
            Welcome to CursedNova! First build a solar power plant, because +<]>.---.+.[-> --> energy is needed for the production of raw materials. 
            To build one, left click in the menu on "buildings". Then build the 4th Building from the top.
            When you have energy, you can begin to build mines. 
            Go to buildings on the menu and build a metal mine, followed by+++<]>-.---[->++<]>-.+[-->+<]>++++ --> a crystal mine.

            In order to be able to build ships you need to have a shipyard. 
            To see what is needed to unlock that building+<]>-.[-->+<]>-----.---.+++ --> you can take a look at "Technologies" at the left menu.
            If you more questions you can+++<]>.[----->+++<]>.++++++++++.++ --> look at the beginnersguide, our forum or open a support ticket.

            The team wishes you much fun exploring the universe!+<]>+++. -->
Pay attention to strange pluses, dashes and arrows also by seeing name of the challenge we could assume that it is a language called Brainf*ck.
For this challenge I will use online compiler here.
As all characters that are not a part of of the language will be ignored by compiler so we can just paste the whole message.
Unluckily we have some syntax errors, but to my attention last three characters --> stood up, that maybe there was some HTML comments before.
I was right, by inspecting message we can see that there is more about that: 
          
            Welcome to CursedNova! First build a solar power plant, because +<]>.---.+.[-> --> energy is needed for the production of raw materials. 
            To build one,  left click in the menu on "buildings". 
            Then build the 4th Building from the top. When you have energy, you can begin to build mines. 
            Go to buildings on the menu and build a metal mine, followed by+++<]>-.---[->++<]>-.+[-->+<]>++++ --> a crystal mine.
            In order to be able to build ships you need to have a shipyard. 
            To see what is needed to unlock that building+<]>-.[-->+<]>-----.---.+++ --> you can take a look at "Technologies" at the left menu.
            If you more questions you can+++<]>.[----->+++<]>.++++++++++.++ --> look at the beginnersguide, our forum or open a support ticket.
            The team wishes you much fun exploring the universe!+<]>+++. -->
We can start by clearing not needed charcters so keep only those ones: > < + - . , [ ] and also remove dots, colons from phrases and html comments: 
          
            ++++[++++>---<]>.>-[--->+<]>.---.+.[->+++++++<]>.-.++++++++++.+.+++++++.++[---->+++<]>-.---[->++<]>-.+[-->+<]>++++.---[----->+<]>-.[-->+<]>-----.---.+++[-->+++<]>.[----->+++<]>.++++++++++.+++.++++++++.---------.[--->+<]>+++.
Flag will appear in compiler.

CURSEDNOVA{Br41Nblown}

Challenge name: Market brawl

Category: Web
Points: 50
Software used: Firefox
Challenge description

Those Rexxan's knuckleheads are brawling at the Market area. Head over there and get that silly idea out of their empty heads.

When visitings market page you will be greeted with message:
Where are they? The market seems to be empty... Move your head and find those Rexxan's knuckleheads!
It has some tips around the word head. If we take a look at source code we can see this one if statement: 

          
            if ($_SERVER['REQUEST_METHOD'] === 'HEAD') {
              header('Secret: ' . $LNG['W19_BRAWL']);
            }
Lets try changing http method to HEAD in firefox (Edit and Resend under right mouse button contextual menu). Flag will appear in Secret response header.

CURSEDNOVA{Request_method_matters_tuyoh8Oh}

Challenge name: Gravity

Category: Web
Points: 70
Software used: Firefox
Challenge description

Everything is upside down on this planet... Can you fix the user interface?

By removing first parts of navigation.css we are able to make UI look normal, but not sure what to do next

Challenge name: The hidden entry

Category: Web
Points: 100
Software used: Firefox
Challenge description

Moon moon cannot into space. Make sure chat channel names don't contain any whitespace.

Challenge name: Dark Matter

Category: Web
Points: 100
Software used: Firefox
Challenge description

There are great items for sell in the Dark Matter Shop! Check out the Officers tab.

By taking a look at Officier page code we are able to see code like this: 

          
            if($getFreeDarkMatter > 0 && $getFreeDarkMatter != 1) {
              if(strpos(strval($getFreeDarkMatter), ".")) {
                  echo("No chance!");
                  exit;
              }
  
              $darkMatter = min(1 / $getFreeDarkMatter, 300);
  
              $this->setUserDarkMatter($USER['id'], $darkMatter);
  
              echo("You now have " . $darkMatter . " Dark Matter.");
              
              exit;
          }
$getFreeDarkMatter is passed in input, so bascially we need a value that:
  • is greater than 0
  • it is not 1
  • 1 divided by this value will be greater than 300
  • doesn't have dot in it
I thought that I need 0.0001, but I need to bypass dot somehow, found some bug about strpos beign vulnerable to double encode, so tried %252e0001 and 0%252e0001, but with no luck.

Challenge name: Robot Factory

Category: Web
Points: 100
Software used: Firefox
Challenge description

My grandpa always told me to never trust robots. You never know what's inside their silicon brains. However in these harsh times of need, we would gladly accept any helping hand - even if it's made out of steel and copper wire. Unfortunately building the Robot Factory needs an additional authorization key. Can you help us find the key and build the factory?

We need a key to build a robot factory, but I was not able to find one.

Challenge name: The Invasion

Category: Web
Points: 100
Software used: Firefox
Challenge description

Invade Planet Rome.

Challenge name: Feedback

Category: Misc
Points: 20
Software used: Firefox
Challenge description

We would love to hear your feedback about CursedNova CTF!

You need to answer questions in google form to get the flag. Not providing the flag as I don't want to send fake data to the form.

Challenge name: Paint the sky

Category: Misc
Points: 50
Software used: Firefox
Challenge description

"Something is wrong", said Ender to Valentine. "I don't believe it's just a game". "I know, Ender", Valentine agreed sadly. "However, you've never been to Nekla universe before. We have to learn how to navigate its stars, if you really want to go there. Fortunately, I found some information about it". Help Ender and Valentine understand Nekla skymap.

constellations.txt skymap.txt

Challenge name: Message

Category: Misc
Points: 100
Software used: Firefox
Challenge description

Required challenge: Sensors Ender landed smoothly on what looked like a green desert. The sensors indicated the proper levels of oxygen, so he opened the hatch without putting his helmet on. Twardowski was waiting for him. His face showed fatigue and concern. "I believe you're Ender", said Twardowski. "My name is Jan Twardowski. My planet is under attack for almost three weeks now and I'm not sure how long I will hold anymore. They made it a game, you know. To destroy my planet." Ender nodded. "I had a feeling that CursedNova is not what it looks like. How can I help you?", he asked. "The thing is, you can't. I've been living here by myself for 100 years. I can't leave, I can't die. When I was young and ambitious, I made a deal with the Devil. This is my punishment. I guess my simple life here seemed too good for him - so he decided to step up his game and make me miserable again", said Twardowski hopelessly. Ender looked him in the eye with determination. "I will tell your story to the universe, Twardowski. I will ask them to stop the attack. You can count on me". They shook hands. Ender turned around and entered his ship. What was Ender's message to the universe?