My First Ever CTF: InfernoCTF


Hi fellas, I'm back again, but this time I participated in an online CTF, which was a dream for me ;)

It was a little frustrating because, due to inexperience, I wasn't able to solve 3 challenges which were really sneaky, and I love them. Here I'll discuss how I approached them.


For this challenge the flag was available on the Discord server in the #announcement channel.

Flag: infernoCTF{Y0u_sh4ll_R0t_1n_h3ll_n0w}

New Developer

This was also a very easy OSINT challenge.

I checked iamthedeveloper123's repository list; the latest commit at this time was in the bash2018 repo.

So I checked the latest commit, which was 1 commit ahead of parent f6008f3d67829ad0ab19d029eec6833a196db8d8.

  printf "\nYou have lost, better luck next time.\033[0m\n"
  source ../dotfiles/.bashrc2
  printf "\nYou have lost, try going to$CODE for help!.  (And also for some secrets...) \033[0m\n"

Here it was confirmed that the .bashrc2 file in the other repo sets a variable CODE. By checking that file, I got the value of CODE (trpNwEPT), which is the Pastebin short code. Opening it gives us the flag.

Flag: infernoCTF{n3ver_4dd_sen5itv3_7hings_to_y0ur_publ1c_git}

Btw I was unable to solve the other challenge, Whistle Blower, which was related to this. I got a hint, I guess, for InfoSec Twitter.

Where did he GO?

This was pretty straightforward.

The flag string was stored in bytes, so I added a print statement to see it and ran it without entering any password.

$ ./test 
Enter Password: 

# encrypted code

# mandir_wahi_banega

# jai_ram_ji_ki

# mandir_wahi_banega

# jai_ram_ji_ki

Don't Worry, Relax, Chill and Try harder

Because it was using ^ for encryption, I entered the flag as the password to get the decrypted string:

$ ./test
Enter Password: !!tA3rG_s1_gn1MMaRg0rP_0g

# encrypted code

# mandir_wahi_banega

# jai_ram_ji_ki

# mandir_wahi_banega

# jai_ram_ji_ki

Don't Worry, Relax, Chill and Try harder

Now the print statements are removed, recompiled & run again:

$ ./test
Enter Password: g0_Pr0gRaMM1ng_1s_Gr3At!!
You Cracked it, A Hero is born
Flag: infernoCTF{g0_Pr0gRaMM1ng_1s_Gr3At!!}

Check Again

This pissed me off a lot!

The hint "[D]ante [N]ero [S]parda a[re] the true de[mon]s." was awesome! Here I get DNSremon, which is close enough to dnsrecon.

$ dnsrecon -d
[*] Performing General Enumeration of Domain:
[!] Wildcard resolution is enabled on this domain
[!] It is resolving to
[!] All queries will resolve to this address!!
[-] All nameservers failed to answer the DNSSEC query for
[*] 	 SOA
[*] 	 NS
[*] 	 Bind Version for 20171212
[*] 	 NS 2606:4700:50::a29f:26c3
[*] 	 Bind Version for 2606:4700:50::a29f:26c3 20171212
[*] 	 NS
[*] 	 Bind Version for 20171212
[*] 	 NS 2606:4700:58::adf5:3b8f
[*] 	 Bind Version for 2606:4700:58::adf5:3b8f 20171212
[-] Could not Resolve MX Records for
[*] 	 A
[*] 	 A
[*] 	 AAAA 2606:4700:30::681f:5292
[*] 	 AAAA 2606:4700:30::681f:5392
[*] 	 SPF v=spf1 a mx ?all - infernoCTF{N1c3_Pl4c3_
[*] 	 TXT 70_h1d3_1n_th3_Rec0rds}
[*] 	 TXT ca3-d0f129e83e07442d981e6eadd9e57915
[*] Enumerating SRV Records
[-] No SRV Records Found for
[+] 0 Records Found
Flag: infernoCTF{N1c3_Pl4c3_70_h1d3_1n_th3_Rec0rds}

Dante’s Personal Home Page

preg_match("/_| /i", $check) can be passed using ., which is transformed to _ in PHP external variables. Thanks to @13k53c for pointing to the external variable docs.

It was exploiting null byte poisoning to bypass ereg, which was the second check (ereg("^[a-zA-Z0-9]+$", $magic)), using any alphanumeric string and %00. For example: abc123%00

The request URL can be:$dark$

Flag: infernoCTF{1_gu3ss_y0ur_m4g1c_was_w4y_t00_d4rk}


Dank PHP

First I created a test.php file to generate serialized data for the id, which looks like the snippet below:


<?php
class user {
  var $name;
  var $pass;
  var $secret;
}

$new_user = new user();

$new_user->name = "admin";
$new_user->pass = &$new_user->secret;   // pass becomes a reference to secret

echo (serialize($new_user));


This generates the serialized data O:4:"user":3:{s:4:"name";s:5:"admin";s:4:"pass";N;s:6:"secret";R:3;} for the id param. Then I used Python urllib to encode it properly:

>>> import urllib
>>> urllib.quote('O:4:"user":3:{s:4:"name";s:5:"admin";s:4:"pass";N;s:6:"secret";R:3;}')

Now the second part was to bypass the WAF and run echoFlag(), which can be done with a PHP webshell without numbers and letters. There was also a length limitation of 45 digits, so we required a string of length 45. Thanks to @13k53c again; he was able to discover a 40-digit webshell.

Now the caption param becomes caption = "$_=" + make_letters("echoFlag") + ";$_();".

I was about to write my curl style here, but @13k53c shared his awesome Python script to do the whole process and print the flag in one go. The script is here.

Flag: infernoCTF{pHp_1s_a_h34dache}

Yeah, definitely, it was a headache ;(

Thanks for reading ;) Will update it later when the ongoing challenges are solved. Btw I'm doing another CTF, so this is it!

