Unlocking Creativity: TCS HackQuest S8 Unveiled - Round 1


Raviteja

TCS HackQuest, a campus-level cyber security competition, mirrors global Capture the Flag (CTF) events, challenging participants to uncover maximum flags within a six-hour timeframe. Categories span Web exploitation, Forensics, Reverse engineering, among others, fostering a competitive yet collaborative environment. Participants showcase their prowess in problem-solving and technical acumen, engaging with industry-standard challenges provided by TCS. HackQuest serves as a premier platform for enthusiasts to network, learn, and hone their cybersecurity skills under the guidance of industry experts, emphasizing real-world problem-solving.

Challenge Title : SCRAP SCRUBBER

Solution :

A zip file was provided for download along with the challenge description.

We unzip it with the command unzip <filename>

Inside was a file with the extension .chal, and I thought huhhh! Let's try some basic commands like file, strings, cat and grep.

Running the file command on it reported only "data".

That means file could not recognize the contents: there was no file signature, just what looked like randomized bytes.

Ok! Let's try the strings command, which turned up some interesting things.

I ran strings with an extra parameter to set the minimum string length; the command is

strings -n 10 <filename>

Then I piped the output into grep to pull out the flag, giving the following command

strings -n 10 <filename> | grep "HQ8{.*}$" --colour=none

And there is our flag!!!🥳🥳🥳
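As an added example (not part of the original writeup), here is the strings -n 10 | grep "HQ8{.*}$" pipeline reimplemented in Python over a constructed blob, so you can see why both the minimum length and the $ anchor matter. The sample bytes and the flag value are made up.

```python
import re

# Regex from the writeup's grep: flag format HQ8{...} anchored to the end of the string
FLAG_RE = re.compile(r"HQ8\{.*\}$")

def extract_strings(data: bytes, min_len: int = 4):
    """Yield runs of printable ASCII (0x20-0x7e, plus tab) at least min_len long.

    This mirrors what `strings -n <min_len>` prints for a file with no recognized format.
    """
    run = bytearray()
    for byte in data:
        if 0x20 <= byte <= 0x7E or byte == 0x09:
            run.append(byte)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run.clear()
    if len(run) >= min_len:          # flush a run that ends at EOF
        yield run.decode("ascii")

def find_flags(data: bytes, min_len: int = 10):
    """Equivalent of `strings -n min_len <file> | grep "HQ8{.*}$"`."""
    return [s for s in extract_strings(data, min_len) if FLAG_RE.search(s)]

# Constructed sample blob (not the challenge file): random-looking bytes with three
# candidate strings embedded, only one of which survives the full pipeline.
SAMPLE = (
    b"\x7f\x01\x02noise\x00"
    + b"HQ8{fake}"                       # 9 chars: dropped by -n 10
    + b"\xff\xfe"
    + b"HQ8{notflag}trailing"            # long enough, but does not end in '}'
    + b"\x00"
    + b"HQ8{constructed_example_flag}"   # the one line the pipeline prints
    + b"\x00\x13\x37"
)

if __name__ == "__main__":
    print(list(extract_strings(SAMPLE, 10)))   # what `strings -n 10` would print
    print(find_flags(SAMPLE))                  # what the grep leaves
```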

Challenge Title : CHOWKIDOR

Solution :

On the challenge page, there was a link to a website

Upon visiting the site, a login page was encountered.

Hmmm! My first thought was SQL injection against the login page, but after trying some SQL injection payloads and a tool like sqlmap, I got nothing.

Next I tried some default usernames and passwords like admin:admin, admin:password, root:root, root:toor, etc., and got nothing there either.

I then inspected the page source and, surprisingly, found credentials for logging in to the website.

Using those credentials, I successfully logged into the website.

I also turned on Burp Suite to capture and analyze every request.

I discovered that there is a password change functionality available on the website.

After providing the current password of the logged-in user, I was granted permission to set a new password. Upon entering the new password, I captured the request and sent it to the repeater within Burp Suite for further analysis.

While analyzing the request, I discovered a JWT token in the cookie. I proceeded to decode the token using a website, but unfortunately, I was not successful.

Upon further observation, I noticed that the request only contained the “username” and the “new password,” with no mention of the current password. This prompted me to consider changing the username instead.

I modified the username from "user" to "admin", and this resulted in obtaining the flag!!!🥳🥳🥳
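The root cause above is a password-change handler that takes the target account from the username in the request body instead of from the authenticated session, and that never checks the current password. The following added example (my own illustration, not the challenge's code) shows a minimal in-memory version of that vulnerable handler beside a fixed one; the user store, the session_user argument and the form field names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user store: username -> (salt, PBKDF2 hash). Not the challenge's backend.
USERS = {}

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _hash(password, salt))

def verify_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(_hash(password, salt), digest)

def change_password_vulnerable(session_user: str, form: dict) -> bool:
    """Mirrors the bug in the writeup: the request carries only 'username' and
    'new_password', and the server uses that username as the target account."""
    target = form["username"]           # client-controlled; session_user is ignored
    if target not in USERS:
        return False
    set_password(target, form["new_password"])
    return True

def change_password_fixed(session_user: str, form: dict) -> bool:
    """Binds the change to the authenticated subject (e.g. the JWT 'sub' claim)
    and re-authenticates with the current password before rotating it."""
    if form.get("username") != session_user:
        return False                    # never let the client pick the account
    if not verify_password(session_user, form.get("current_password", "")):
        return False                    # current password is checked server-side
    set_password(session_user, form["new_password"])
    return True

if __name__ == "__main__":
    set_password("user", "user-pass")
    set_password("admin", "admin-pass")
    # A low-privilege session changing 'admin' succeeds only in the vulnerable handler.
    print(change_password_vulnerable("user", {"username": "admin", "new_password": "x"}))  # True
    print(change_password_fixed("user", {"username": "admin",
                                         "current_password": "user-pass", "new_password": "x"}))  # False
```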

Challenge Title : CODE DE TOUR

Solution :

A zip file was provided for download along with the challenge description.

We unzip it with the command unzip <filename>

Inside was a file with no extension, and I thought huhhh! Let's start with the file command.

Running the file command on it reported an ELF 64-bit LSB pie executable.

The same output shows that the file is dynamically linked and not stripped, which means we still have access to the main function by name. Had it been stripped, we would typically have only an entry function to start from instead.

After analyzing the properties, I granted execute permissions to the file using chmod +x <filename> and subsequently executed the file with ./<filename>

When run, it repeatedly prints the same text and then exits on its own.

I was thinking like what to do now!!! 🤔

I utilized tools such as ltrace, strace, gdb, and Ghidra to analyze the binary file.

Ghidra :- Ghidra is a powerful open-source software reverse engineering suite developed by the National Security Agency (NSA), which analyzes "assembly-level code" or "compiled binaries".

gdb :- GDB (GNU Debugger) is a powerful command-line debugger for troubleshooting and analyzing program execution in various programming languages.

ltrace :- ltrace is a dynamic tracing utility used for monitoring library calls made by a program.

strace :- strace is a powerful Linux tool used to trace and debug system calls made by a process.

I used the command ltrace ./<filename> && strace ./<filename> to check for any data leaks or flags, but unfortunately, none were found. 😔

Next I opened the file in Ghidra for static analysis.

I discovered a suspicious function named callM3 during my analysis.

After analyzing the main function, I found that it does not call any other function; it simply prints some text and exits.

Then I analyzed the callM3 function and found that it actually decrypts and prints the flag using the values assigned to the variables.

Since main never reaches it, the idea was to set a breakpoint in main before the program exits and then jump into the callM3 function so it prints the flag.

Quickly, I opened my terminal and loaded the file into gdb using the command gdb ./<filename>, then set the layout to asm for a visual view of the disassembly using the command layout asm.

After setting the layout to asm, I placed a breakpoint for the main function using the command b *(main).

After setting the breakpoint, I typed run to execute the binary file. Then, I jumped to another function using the command jump *(callM3).

And there is our flag!!! 🥳🥳🥳

Kudos to you for making it through this article! If you believe it can make a difference for others, don’t hesitate to share it and give it a clap for greater visibility.

I trust it has sparked some valuable ideas for you. Keep up the learning momentum, and I’ll catch you in the next blog! Follow me for more content.
