DownUnderCTF 2021 Writeup

The Introduction (100 points)

Connect to the service with the provided command. Enter a name and then the hacker manifesto gets slowly written to the terminal. Say yes to the next question and you will be given the flag.

Answer: DUCTF{w3lc0m3_70_7h3_duc7f_7hund3rd0m3_h4ck3r}

Discord (100 points)

Go to the request-support channel on the Discord server to find the flag.

Answer: DUCTF{if_you_are_having_challenge_issues_come_here_pls}

Twitter (100 points)

I opened all of the pictures on the Twitter page that had the “DUCTF” Flag Format text in the background. One of the pictures has a section in the bottom right that is noticeably lighter green than the rest of the background. The highlighted section of the background is the correct flag.

Answer: DUCTF{EYES_ON_THE_PRIZES_TWITTER}

Get over it! (100 points)

I used the provided image to find a similar looking image on Yandex reverse image search that led to an Instagram post. Some of the tags underneath the photo mentioned Brisbane, Australia and the name Eleanor Schonell. I then searched Google with those three terms to verify that I had the correct bridge. Afterwards, I just had to search Google with eleanor schonell bridge span to find the main span length. After formatting the flag with the information, the flag successfully validated.

Answer: DUCTF{Eleanor_Schonell_Bridge-185m}

Retro! (100 points)

I used the strings command on the downloaded file. The flag is one of the first strings in the output.

Answer: DUCTF{sicc_paint_skillz!}

How to pronounce GIF (100 points)

To solve this challenge, I had to first split up the GIF file into individual images using https://ezgif.com/split. While looking through the images, I realized that there were multiple QR codes broken up and they appeared to be color coded as well. I used MS Paint to manually reassemble the QR codes and then used https://online-barcode-reader.inliteresearch.com/ to validate that I reassembled the QR codes well enough that the data in it was readable. I had to redo the assembly of the GIF frames multiple times. I skipped around a bit and had to reassemble 6 QR codes to find the two that were necessary to get the flag. The two that gave me the flag had the first frame as challenge-gif_005_delay-0.05s.gif and challenge-gif_007_delay-0.05s.gif. From there I just “added 10” to the part of the url that changed between frames. So, challenge-gif_017_delay-0.05s.gif, challenge-gif_027_delay-0.05s.gif, etc. until reaching challenge-gif_117_delay-0.05s.gif which was the last frame for one of the QR codes needed for the flag. After reading the data from the QR codes, I got fMV9oYVhYMHJfbjB3P30= as the output for one of them and RFVDVEZ7YU1 as the output for the other. It looked like base64 to me so I just put the second output in front of the first and converted from base64 to ASCII as such: echo RFVDVEZ7YU1fMV9oYVhYMHJfbjB3P30= | base64 -d. The output from all of this was the correct flag. I found several interesting strings and videos such as “The princess is in another castle”, “f0ll0w 7h3 wh173 r4bb17”, All your Base Are Belong To Us, and It’s pronounced GIF from decoding a few of the other QR codes, but given how time consuming manually assembling each QR code was, I stopped as soon as I found the flag.

Answer: DUCTF{aM_1_haXX0r_n0w?}

Cowboy World (100 points)

I used the hint for this as none of my SQL injection attempts worked at the beginning. The hint reminded me that I should check for a robots.txt file. There was indeed a robots.txt file and it mentioned a sad.eml file on the server. I downloaded the file and ran strings on it. It gave me the username sadcowboy, which is the correct username on the website. When trying to log in, it would only say that the password was incorrect instead of saying that both the username and password were incorrect. When I tried SQL injection again with the username as sadcowboy and the password as ' OR 1=1--, the correct flag was displayed on the page.

Answer: DUCTF{haww_yeeee_downunderctf?}
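
The two weaknesses described above (a login message that confirms a username exists, and a password pasted into the SQL text) are shown here next to a hardened form. This is an added example, not the challenge's server code: the table, the stored password, the message strings and both function names are assumptions, and SQLite stands in for whatever database the site used.

```python
import sqlite3

def make_db():
    # Constructed stand-in table; the challenge's schema and the real
    # password are not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('sadcowboy', 'constructed-secret')")
    return db

def login_vulnerable(db, username, password):
    # A separate username check produces the distinct "password incorrect"
    # message, which tells a visitor that the username exists.
    found = db.execute("SELECT 1 FROM users WHERE username = ?",
                       (username,)).fetchone()
    if not found:
        return "username and password incorrect"
    # The password is pasted into the SQL text, so a quote inside it ends
    # the string literal and whatever follows is parsed as SQL.
    sql = ("SELECT 1 FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return "ok" if db.execute(sql).fetchone() else "password incorrect"

def login_hardened(db, username, password):
    # Bound parameters are always treated as data, and a single message
    # covers every failure. (Password hashing is left out to keep the
    # focus on the query.)
    row = db.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return "ok" if row else "invalid credentials"
```

With the write-up's input, the vulnerable query becomes `... AND password = '' OR 1=1--'`: `AND` binds tighter than `OR`, so the `WHERE` clause is true for every row, while the hardened version compares the whole string against the stored password and rejects it.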

no strings (100 points)

I unpacked/extracted the ELF file and found the flag with spaces in the extracted .rodata file. The flag was D U C T F { s t r i n g e n t _ s t r i n g s _ s t r i n g }. I just removed all of the spaces and it correctly validated.

Answer: DUCTF{stringent_strings_string}

Bad Bucket (100 points)

Go one directory up from the landing page to https://storage.googleapis.com/the-bad-bucket-ductf/. The XML file there gives the path for the images on the main page and also the relative path to the flag, buckets/.notaflag. The full path https://storage.googleapis.com/the-bad-bucket-ductf/buckets/.notaflag has the correct flag.

Answer: DUCTF{if_you_are_beggining_your_cloud_journey_goodluck!}
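
A bucket owner can run the same comparison from the other side: take what the public listing exposes and subtract what the site actually links to. This is an added example, not part of the original write-up; the listing and page below are constructed (only buckets/.notaflag comes from the text above), and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed listing in the shape of a Cloud Storage XML bucket listing.
# Only buckets/.notaflag is from the write-up; the other keys are made up.
LISTING = """<ListBucketResult xmlns='http://doc.s3.amazonaws.com/2006-03-01'>
  <Name>the-bad-bucket-ductf</Name>
  <Contents><Key>index.html</Key><Size>512</Size></Contents>
  <Contents><Key>buckets/bucket1.jpg</Key><Size>20480</Size></Contents>
  <Contents><Key>buckets/bucket2.jpg</Key><Size>18432</Size></Contents>
  <Contents><Key>buckets/.notaflag</Key><Size>57</Size></Contents>
</ListBucketResult>"""

# Constructed landing page that links only the two images.
PAGE = ('<html><img src="buckets/bucket1.jpg">'
        '<img src="buckets/bucket2.jpg"></html>')

def listed_keys(xml_text):
    """Every object key that an anonymous listing request reveals."""
    root = ET.fromstring(xml_text)
    # Compare on the local tag name so the namespace URI does not matter.
    return [el.text for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "Key"]

def referenced_keys(html, entry="index.html"):
    """Objects the site itself points visitors at, plus its entry page."""
    return set(re.findall(r'(?:src|href)="([^"]+)"', html)) | {entry}

def unreferenced(xml_text, html):
    """Keys exposed by the listing that nothing on the page links to."""
    refs = referenced_keys(html)
    return sorted(k for k in listed_keys(xml_text) if k not in refs)

if __name__ == "__main__":
    for key in unreferenced(LISTING, PAGE):
        print("listed but not linked:", key)
```

Anything this reports is readable by whoever can list the bucket, so it should either be removed or anonymous listing should be turned off while the linked objects stay readable.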

Who goes there? (100 points)

I used the site https://who.is/ to get the correct phone number associated with the domain registration.

Answer: DUCTF{+61.420091337}

The Internet is Written in Ink (100 points)

The challenge description gives a big hint that the flag is (or was) up on https://ctftime.org on the event page for this CTF, https://ctftime.org/event/1312. I used the wayback machine at https://web.archive.org to search through all of the saved entries for the event page. The first result was in March 2021, and it did indeed have a 404 page. I copied the flag that was provided in the text, put it in the correct flag format and it was marked correct.

Answer: DUCTF{a5abef5222adc680a453607384bcb4d2}

Survey (10 points)

Do the end of CTF survey to get the flag.

Answer: DUCTF{th4nk_y0u_f0r_pl4ying_DUCTF_2021_!!}