Commit 8b16ff3

committed
added first batch of images
1 parent f96cbfd commit 8b16ff3

103 files changed

+513
-4
lines changed

_config.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -98,7 +98,7 @@ theme_mode: # [light | dark]
9898
cdn:
9999

100100
# the avatar on sidebar, support local or CORS resources
101-
avatar:
101+
avatar: /assets/img/favicons/favicon.svg
102102

103103
# The URL of the site-wide social preview image used in SEO `og:image` meta tag.
104104
# It can be overridden by a customized `page.image` in front matter.

_posts/2024-12-23-babyflow.md

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
---
2+
title: Babyflow
3+
date: 2024-12-23 19:47:00 +/-0600
4+
categories: [Capture The Flags, 1337Up Live 2024]
5+
tags: [ctf, 1337up, writeups]
6+
---
7+
8+
Challenge description:
9+
10+
> Does this login application even work?!
11+
12+
For this one we are provided a remote connection, where we are then prompted for a password.
13+
14+
![](/assets/img/1337up-2024/babyflow/image1.png)
15+
16+
We are also provided the binary behind the program, and once we open it in Ghidra we see this
17+
18+
![](/assets/img/1337up-2024/babyflow/image2.png)
19+
20+
Looking at the `strncmp`, we see the password that it wants us to get is `SuPeRsEcUrEPaSsWoRd123`, however it checks if we are admin. We also can see that it compares only the first 22 characters, so it is vulnerable to some overflow.
21+
22+
![](/assets/img/1337up-2024/babyflow/image3.png)
23+
24+
FLAG: `INTIGRITI{b4bypwn_9cdfb439c7876e703e307864c9167a15}`
25+
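
Review bot: Line 20 goes from `strncmp` comparing only the first 22 characters straight to "vulnerable to some overflow" without saying what is overflowed; a length-limited compare is not an overflow by itself, so the post should say which buffer the input is read into and how that reaches the admin check. The images at lines 14, 18 and 22 all have empty alt text (`![]`), and the input that was actually sent appears only in image3; add alt text and include the input as text in the post.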

_posts/2024-12-23-bob-leponge.md

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,21 @@
1+
---
2+
title: Bob L'éponge
3+
date: 2024-12-23 19:47:00 +/-0600
4+
categories: [Capture The Flags, 1337Up Live 2024]
5+
tags: [ctf, 1337up, osint, writeups]
6+
---
7+
8+
Challenge description:
9+
10+
> I'm an epic hacker and I'm trying to start a YouTube channel to show off my skills! I've been playing around with some of the video settings and stumbled upon a few cool features. Can you find the secret I've hidden?
11+
> https://youtu.be/DXZrAGYS6X8
12+
13+
Alright, so we're given a youtube video titled `test`. Now, this video is actually a red herring. I know, crazy right? A red herring in a CTF. If we go to the youtube channel we'll see that they have a YT Short named `test3`, so we can safely assume that there's a `test2` hidden somewhere, and upon further investigation it seems to be the case. They channel has a playlist with 1 unlisted video named `test2`
14+
15+
![playlist](/assets/img/1337up-2024/image1.png)
16+
17+
A great tool for video forensics is [https://mattw.io/youtube-metadata/](https://mattw.io/youtube-metadata/), and plugging the video link into there reveals many things about the videos metadata, including a flag in the tags.
18+
19+
![the flag in the metadata](image2.png)
20+
21+
FLAG: `INTIGRITI{t4gs_4r3_m0stly_0bs0l3t3_zM1H7RH6psw}`
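
Review bot: The image at line 19 uses a bare relative path, `![the flag in the metadata](image2.png)`, while line 15 uses `/assets/img/1337up-2024/image1.png`; neither follows the `/assets/img/1337up-2024/<post>/` layout used by the other posts in this commit, so check both against the files actually added and make line 19 an absolute path. Line 13 also has "They channel" for "The channel".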
Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
---
2+
title: In Plain Sight
3+
date: 2024-12-23 19:47:00 +/-0600
4+
categories: [Capture The Flags, 1337Up Live 2024]
5+
tags: [ctf, 1337up, writeups]
6+
---
7+
8+
Challenge description:
9+
10+
> Barely hidden tbh..
11+
12+
We're given this photo
13+
14+
![kibby!](/assets/img/1337up-2024/in-plain-sight/meow.jpg)
15+
16+
So lets do some good digital forensics and run `binwalk` on it
17+
18+
![binwalk pt.1](/assets/img/1337up-2024/in-plain-sight/image0.png)
19+
20+
Aha! So there's some hidden zip files in there. Lets use the extract option with `binwalk` by adding `-e` to the end of the command.
21+
22+
![binwalk pt.mine](/assets/img/1337up-2024/in-plain-sight/image1.png)
23+
24+
Alas, it appears the zip files contents are locked. Maybe someone else has already figured out a password? Lets check out `Aperi'Solve`
25+
26+
![locked!](/assets/img/1337up-2024/in-plain-sight/image2.png)
27+
28+
![Aperi'Solve](/assets/img/1337up-2024/in-plain-sight/image3.png)
29+
30+
It's right, I never wouldve gotten that. Let's throw that into the file and we get a blank white image. Hm. maybe `Aperi'Solve` isn't done yet
31+
32+
![flagged!](/assets/img/1337up-2024/in-plain-sight/image4.png)
33+
34+
Looks like the flag was hiding, but we found it nonetheless.
35+
36+
FLAG: `INTIGRITI{w4rmup_fl46z}`
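
Review bot: Line 30 says "It's right" and "throw that into the file", but the zip password that Aperi'Solve returned is visible only in image3, so the text never states what was entered; add the password, and which Aperi'Solve view revealed the flag in the white image, as text. Line 20 describes adding `-e` without showing the full command, and the alt text at line 22, `binwalk pt.mine`, reads like a slip.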

_posts/2024-12-23-lost-program.md

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
---
2+
title: Lost Program
3+
date: 2024-12-23 19:47:00 +/-0600
4+
categories: [Capture The Flags, 1337Up Live 2024]
5+
tags: [ctf, 1337up, writeups]
6+
---
7+
8+
Challenge description:
9+
10+
> I was working on a bug bounty program the other day but I completely forgot the name!! I guess that will teach me not to use emoji notation in future 😩 Anyway, if you could help me find it again, I'd really appreciate it! Here's my notes..
11+
>
12+
> TODO: find lots of 😎🐛 on 🥷🥝🎮
13+
>
14+
> flag format = INTIGRITI{company_name}
15+
16+
For this one you have to decipher some emoji code "TODO: find lots of 😎🐛 on 🥷🥝🎮". This leads you to find the Ninja Kiwi program on Intigriti.com
17+
18+
19+
FLAG: `INTIGRITI{Ninja_kiwi}`

_posts/2024-12-23-no-comment.md

Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,42 @@
1+
---
2+
title: No Comment
3+
date: 2024-12-23 19:47:00 +/-0600
4+
categories: [Capture The Flags, 1337Up Live 2024]
5+
tags: [ctf, 1337up, osint, writeups]
6+
---
7+
8+
Challenge description:
9+
10+
> Or is there? 🤔
11+
12+
We get this... psychedelic image
13+
14+
![ripple.jpg](/assets/img/1337up-2024/no-comment/ripple.jpg)
15+
16+
With a description about as obvious as a script kiddie on social media, we know that we are looking for a comment somewhere. So, lets use exiftool. Exiftool is an amazing digital forensics tool that can be used both on the command line and as a Perl library. It's designed to scrape out all avaliable metadata from an image
17+
18+
![exiftool results](/assets/img/1337up-2024/no-comment/image1.png)
19+
20+
We see the image has a comment, but what does it mean?
21+
22+
Here's the part where I was stumped. I had no idea where to even go with the comment of `/a/pq6TgwS`. CyberChef had nothing, I had nothing, but thankfully while working on another task I noticed the format for images on `Imgur.com` matched perfectly. So armed with this knowledge, I headed to `https://www.imgur.com/a/pq6TgwS` and found:
23+
24+
![imgur results](/assets/img/1337up-2024/no-comment/image2.png)
25+
26+
Finally, something I can work with. Something interesting about Base64 is that if the string isn't long enough it pads the ending with equals signs, so this immediately rose suspicion as we decoded the message (with CyberChef ofc).
27+
28+
![decoded message](/assets/img/1337up-2024/no-comment/image3.png)
29+
30+
Yes... Yes it has. Following the pastebin link surprisingly doesn't lead us to a scam, but rather to a locked paste. Using the password provided earlier `long_strange_trip` reveals a cryptic string of numbers and letters. Checking out the user's profile we can see that they made another paste and this time its about XORing passwords. The article attached is a hint that they might not know to not reuse passwords yet.
31+
32+
![first paste](/assets/img/1337up-2024/no-comment/image4.png)
33+
34+
![second paste](/assets/img/1337up-2024/no-comment/image5.png)
35+
36+
So lets hit up `dcode.fr` the site for all things ciphers, codes, and cryptography, and run a XOR through it with the weird string we got earlier, using the same password as a key.
37+
38+
![decoded](/assets/img/1337up-2024/no-comment/image6.png)
39+
40+
Bullseye!
41+
42+
FLAG: `INTIGRITI{instagram.com/reel/C7xYShjMcV0}`
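
Review bot: Line 30 refers to "the password provided earlier `long_strange_trip`", but no earlier line of the post introduces it; the password and the pastebin link exist only in the screenshots, so quote the decoded message in the text. The same applies to the Base64 string discussed at line 26 and the string XORed at line 36, which leaves the steps unreproducible without the images. Line 16 has "avaliable" for "available".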
Lines changed: 96 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,96 @@
1+
---
2+
title: Private Github Repository
3+
date: 2024-12-23 19:47:00 +/-0600
4+
categories: [Capture The Flags, 1337Up Live 2024]
5+
tags: [ctf, 1337up, osint, writeups]
6+
pin: true
7+
---
8+
9+
Challenge description:
10+
11+
> Bob Robizillo created a public instructions for Tiffany, so she can start work on new secret project. can you access the secret repository?
12+
13+
Unfortunately, or, rather fortunately, there is no way to see a private GitHub repository unless you've been invited as a collaborator. So lets leverage our amazing OSINT skills to find any trace of Mr. Robizillo on the Internet. Now, your results may vary, but for me `"Robizillo" site:github.com` turned up nothing, so I then tied with a more general search `"Robizillo"`. And now we see why the first search turned up nothing, it's a github gist! Lets t ake a look at what it says.
14+
15+
![A GitHub Gist, where Bob Robizillo asks TIffany to add a key to her account](/assets/img/1337up-2024/private-github-repository/image1.png)
16+
17+
Hm, the provided "key" doesn't seem to be an actual SSH/RSA Key, I wonder if it's an encrypted message of some sorts. My favorite site to use for decryption is [CyberChef](https://gchq.github.io/CyberChef/), so lets copy and paste the encrypted message into there.
18+
19+
Now, when using CyberChef, you create a 'recipe' using blocks that do various functions. One of the more useful ones to always start with is the `magic` block, as it try's to automatically detect what you can do to it. It's very helpful for when you have no idea where to even begin, or if you are stuck and don't know where to go next. For this time around, it recommended we do `From Base64` and then `Unzip`, so lets load that into the recipe and see what we get!
20+
21+
![A Picture of CyberChef, the current recipe is From Base64 and then Unzip](/assets/img/1337up-2024/private-github-repository/image2.png)
22+
23+
Looks like there was a file hidden in the message! Let's download the file and see what we get. Once its on our machine we'll use `cat id_rsa` to output it to the commandline
24+
25+
![output of cat id_rsa, its a openssh private key](/assets/img/1337up-2024/private-github-repository/image3.png)
26+
27+
Looks like we now have a private key for ssh. Remember back to the message that Bob Robizillo said TIffany would have to add it in order to work on the repository. Lets add the key to our session and try to clone the `1337up` repository Bob mentioned in his earlier message. Since we know Bob's username is `bob-193`, we can be pretty sure that the repository is hidden in there. First things first, we need to add the key. `ssh-add id_rsa` takes care of that perfectly, and `git clone git@ithub.com:bob-193/1337up` gets us the repository!
28+
29+
![Adding the key to our session](/assets/img/1337up-2024/private-github-repository/image4.png)
30+
31+
![Cloning Bob Robizillo's 1337up repository](/assets/img/1337up-2024/private-github-repository/image5.png)
32+
33+
Checking inside the repository shows up a file named `readme.md`, which reads:
34+
35+
> Hey, Tiffany! You will need to save this repo in your user space and implement changes we agreed earlier.
36+
37+
![Poking around the repository](/assets/img/1337up-2024/private-github-repository/image6.png)
38+
39+
Hm, thats not very helpful. A further inspection of `git log` shows only the one commit, and there's nothing hidden in the `.git` directory. Is this the end of the line? We know we need to find Tiffany's username since she made a fork of the repository. We know she did because Bob alluded to it in his first message, and now in the recent `readme.md`. If only we had a way to authenticate a key... but wait! we do! Lets take a closer look at the `ssh` command.
40+
41+
```terminal
42+
┌─[slavetomints@parrot]─[~]
43+
└──╼ $ssh
44+
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
45+
[-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
46+
[-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
47+
[-i identity_file] [-J [user@]host[:port]] [-L address]
48+
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
49+
[-Q query_option] [-R address] [-S ctl_path] [-W host:port]
50+
[-w local_tun[:remote_tun]] destination [command [argument ...]]
51+
```
52+
53+
Now, most of that isn't going to be useful to us, except for the `-i` option Checking the manpage for `ssh` also shows up the `-T` option. Lets take a closer look at each.
54+
55+
The `-T` option tells ssh to no allocate a pseudo-terminal for the connection. Since we don't need a terminal for authenticating, theres no reason to allocate one. This should show the difference between using and not using it.
56+
57+
```terminal
58+
┌─[slavetomints@parrot]─[~]
59+
└──╼ $ssh git@github.com
60+
PTY allocation request failed on channel 0
61+
Hi Slavetomints! You've successfully authenticated, but GitHub does not provide shell access.
62+
Connection to github.com closed.
63+
┌─[✗]─[slavetomints@parrot]─[~]
64+
└──╼ $ssh -T git@github.com
65+
Hi Slavetomints! You've successfully authenticated, but GitHub does not provide shell access.
66+
```
67+
68+
It's not required to use it, but it helps to keep the terminal a little bit clearer. Now, the `-i` option specifies an identity file to use, such as the `id_rsa` file we have. So, now we can try to authenticate with GitHub using that identity only. The full command now is `ssh -T -i id_rsa git@github.com`.
69+
70+
![Authenticating with GitHub](/assets/img/1337up-2024/private-github-repository/image7.png)
71+
72+
This is great! Now we know Tiffany's username, so we can clone over her fork of the `1337up` repository!
73+
74+
![Cloning Tiffany's fork of 1337up](/assets/img/1337up-2024/private-github-repository/image8.png)
75+
76+
Let's poke around a bit in here. we see the same `readme.md` from earlier, but now there's also a `config/` directory. Going into that and checking it out reveals a `.env` file which unfortunately doesn't contain a flag.
77+
78+
![Poking around Tiffany's 1337 repository](/assets/img/1337up-2024/private-github-repository/image9.png)
79+
80+
However, `git log` does show that theres been 4 commits on this repo. While its possible to use `git diff [<options>] [<commit>]` to see the changes in a commit, I prefer to use VSCodes built in git log functionality. And looking at the changelogs there for previous commits reveals...
81+
82+
![git log on the repository](/assets/img/1337up-2024/private-github-repository/image10.png)
83+
84+
![VsCode](/assets/img/1337up-2024/private-github-repository/image11.png)
85+
86+
![The changelog for the commits in VSCode](/assets/img/1337up-2024/private-github-repository/image12.png)
87+
88+
Another repository! Ugh this is getting kind tedious, but nevertheless, lets clone that one and check it out
89+
90+
![cloning the other repository](/assets/img/1337up-2024/private-github-repository/image13.png)
91+
92+
![finding the flag!](/assets/img/1337up-2024/private-github-repository/image14.png)
93+
94+
Finally! We've found the flag, but we should clean up first. All we'll need to do is run `ssh-add -d is_rsa` to remove that key, because we don't need it anymore, and we're all good! Hopefully you learned a thing or two about git and GitHub on your way here.
95+
96+
FLAG: INTIGRITI{9e0121bb8bce15ead3d7f529a81b77b4}
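
Review bot: Two commands in this post will fail as written: line 27 has `git clone git@ithub.com:bob-193/1337up` (the host should be `github.com`) and line 94 has `ssh-add -d is_rsa` (should be `id_rsa`, the file added at line 27). Line 68 says the command authenticates "using that identity only", but `-i` alone does not stop ssh from also offering other keys held by the agent; adding `-o IdentitiesOnly=yes` makes that statement true. The flag at line 96 is missing the backticks every other post uses, and line 13 has "tied" and "t ake".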

_posts/2024-12-23-quick-recovery.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
---
22
title: Quick Recovery
3-
date: 2024-12-23 19:47:SS +/-0600
3+
date: 2024-12-23 19:47:00 +/-0600
44
categories: [Capture The Flags, 1337Up Live 2024]
55
tags: [ctf, 1337up, misc, writeups]
66
---
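
Review bot: The new line 3 still carries the literal `+/-0600` from the date template, which is not a valid UTC offset; replacing `SS` with `00` fixes only half of the placeholder. Pick the sign, e.g. `date: 2024-12-23 19:47:00 -0600`, and apply the same fix to line 3 of every post added in this commit, since they all use `+/-0600`.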

_posts/2024-12-23-sanity-check.md

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,16 @@
1+
---
2+
title: Sanity Check
3+
date: 2024-12-23 19:47:00 +/-0600
4+
categories: [Capture The Flags, 1337Up Live 2024]
5+
tags: [ctf, 1337up, writeups]
6+
---
7+
8+
Challenge description:
9+
10+
> Join our discord, there are flags!!
11+
>
12+
> https://go.intigriti.com/discord
13+
14+
For this one, its pretty simple, all you have to do is go check out the discord, then once you go to the #ctf-general channel, there will be a flag in the description.
15+
16+
FLAG: `INTIGRITI{1f_y0u_l34v3_7h3_fl46_w1ll_b3_r3v0k3d}`
