| Name | Category |
| --------------- | --------- |
| Hidden\_Passage | Web |
| PlayerDelf | Forensics |
| rm\_rf\_bin | Misc |
{% stepper %}
{% step %}
### Hidden\_Passage
> APD messed up while setting up the system now files are leaking! Can you help uncover the hidden secrets
The intended way of solving this is getting the file hints the server gave lots of hints even in the .bashrc we got a hint about a notes so it hinted about where the flag is solving it you just need to exploit the lfi like url/endpoint?page=../../hidden/flag.php
you will get a reversed base64 then after decoding you can get the flag
note : i didnt do the above and used an unintended way
so because the server is using php we can exploit a part of the back end to create files into the web server by this i managed to make a shell to go to
i tried using base64 encoding to get the full message but it seems like the server cuts long output from the output so we can just put the output to another file
after doing a ls in the /var/www i managed to find a directory called /hidden then going into that it contains the file flag.php
heres what inside of flag.php
after some time i found out that its from a reverse base64
one of the best challs i did unintendedly i will not disclose the way i did it with full info
{% endstep %}
{% step %}
### PlayerDelf
> Sometimes, the meaning is hidden in the spaces between the words—don’t just focus on what’s on the surface.But before that, it’s a PDF, but why isn’t the content showing? Maybe the answer lies in what you don’t immediately see. Try looking a bit deeper, especially where things begin.
the score is suprisingly low for 11 solves
starting the challenge we were given a pdf file opening it gives us a blank page so i went straight to the metadata
the header gave us a pastebin code but the link is asking us for a password
you can actually find the password carefullly reading the strings of the file
after that i tried fixing the file by the hint its saying that there are some unused data so we can just remove the text from the hex header then we can open the file again
we will get a page that has tons of '\\' and '/' i suspected that this is a binary and created a script
```python
a = r"""
/\/\\//\/\\/\\\\/\\\/\/\\\\///\/
\///////\//\\//\/\\\/\\//\\//\/\//
\//////\\///\\/\\/\\\\/\\/\\/\/\\//\/
\//\//////\\////\//\//////\\/\\///\\/\\
\\/\\/\\\//\\//\\\//\//////\\\/\\\/\
\////\/\\\\//\\\\///\/\///////\//\/
\///\\\/\\\/\\//\/\/\\/\\///\\/\\////
\//////\\//\///\\/\\\\/\\/\\\//\\//\/
\//\////\//\//////\//\\\//\\/\\\\/\\\/\
\\//\/\\////\//////\\\/\///\\/\////\
\//\/\//\//////\\//\\//\\/\\///\\////
\/\\//\\\//\//////\\/\//\/\\\//\\//
\//////\\\//\//\\/\//\/\\//\\\/\\/
\////\\\/\////\//////\\/\//\/\\/\\\///
\//////\\//\\//\\\//\//\\/\\\\/\\/\\
\//\\\/\////\//////\\/\\\\/\\//\\///
\//////\\\\//\/\\/\\\\/\\\/\/\//\/\\
\///\//////\/////\/\\/\\///\\/\\////
\//////\\\\//\/\\/\\\\/\\\/\/\//
\//////\\/\\\//\\//\/\/\\//\/\/\\//
\////\//////\\\/\///\\/\\\\//\//////\
\//\///\\/\\\\//\//////\\/\//\/\\\//\
\//\//////\\//\/\/\\\\////\\\/\///\\
\//\//\\////\/\\///\\/\\\/\////\//////\
\/\//\/\\\/\////\//////\\//\\//\\\//
\//\\/\\\\/\\/\\/\//\//////\\/\////\
\//\/\/\\\//\//\\//\/\//\\\/\///
\//////\\\\////\////\//\\//\\\/\\/\\/
\/\/\/\/\//\\/////\////\///\\/\////
\////\
"""
print(a.replace('/','0').replace('\\', '1'))
```
after that we can get the message
we got a handy string
btw when opening the fixed pdf there seems to be extra pages so i just recorded me opening them then used a slowmotion feature in capcut to see the pages
going inside the mega file
after getting the file it was asking for a password and after we use the password we got from the youtube video we managed to get the flag
> ```
> pearl{PDF_1ay3r_3xtract10n_Adv3ntur3}
> ```
{% endstep %}
{% step %}
### rm\_rf\_bin
> My friends, Semay Rhianna and Ravneer Alabadiya, ended up in jail after deleting all the binaries in /bin. Find a way to help them escape—without offending anyone..
going inside the netcat we were given a very limited shell our goal is to read the flag.txt
my friend found out that we can use echo to check directories like so if you want to see whats inside the root directory you can do echo /\* and it will print out all of directory and file names from there
so when doing echo ../ there was a /sh and /socat given we can use the sh using echo $(../sh)
then we have a better shell then we can use the socat to print the file like
> ../socat -u "file:flag.txt" -
the - means we are moving the output to our command line (CMIIW)
{% endstep %}
{% endstepper %}
