
Full Name: Ha Quang Minh (Takagi-san)

SID: 57040174
Email: quangmha2-c@my.cityu.edu.hk
Department: School of Data Science (SDSC)
Home Major: Data Science (DSC)
Cohort: 2021
Degree: Bachelor of Science (BSC1)

This is the first time I have participated in a CTF competition and it was a memorable
experience for me. I felt really happy when I was in fourth place in this interesting
competition. Honestly, my writing skills are not really good, so if there is any mistake in my
write-up, please tell me immediately. I hope that I can express my ideas clearly to you.

CITYF Write-up Solution


rev
Problem hidden flag:
I opened the file rev_00 in Notepad and then used Ctrl + F to search for the flag keyword
“CITYF”. It appeared like this, and I could see that the flag for the problem is
“CITYF{st31ngs_1s_4asy}”:

web
Problem babysite 1:
Given the first hint, “There are some hidden information in the main page.”, I used the F12 tools
to view the webpage source code (because I believed that the flag would not be shown on the
main page). Again, I used Ctrl + F to search for the flag keyword “CITYF”. And then I
saw this, a part of the flag appeared:
Now, I had to find the rest of the flag. So I tried to search for “}” and successfully got the key.
The flag is “CITYF{1s_th3_Sit3_b3aut1ful}”

Problem babysite 2:
I looked at the problem and immediately realized that “a directory on the website which
google can not find” is specified in the robots.txt at the root of the website (because I had
read about it before in an article). So I opened cityf01.cs.cityu.edu.hk:30002/robots.txt and it gave
me this:

After that, I opened that path, and it led me to the flag:
The flag of this question is: “CITYF{s1t3_is_NOT_v1s1ble_t0_R0b0t}”

Problem babysite 3:
Firstly, I found that there was some strange code inside the webpage source code when I tried to
search for “debug” with Ctrl + F:

I haven’t learned much JavaScript, so I couldn’t understand these lines and gave up on the
problem immediately. But after I saw the hint “find the cookie in
http://cityf01.cs.cityu.edu.hk:30002/”, I could solve it easily. I looked at the cookies for that
link and found one cookie named “flag” whose value was
Q0lUWUZ7YzAwa2kzX0lzX2Z1bl8xMjM0NTZ9. Suddenly, I realized that this value was
encoded in Base64 format, so I used Base64 Decode and Encode - Online to decode it, and the
result was like this:
The flag of this question is “CITYF{c00ki3_Is_fun_123456}”

Problem masterecho:
I used F12 to access the HTML file of the website page. The HTML document had a
comment “src is a common folder”, so I opened http://cityf01.cs.cityu.edu.hk:30005/src and it
gave me the Python code for the Flask app server:

This Flask app utilized jinja2 to render the username in an injection-proof manner. Because
“config” and “self” were set to “None”, I tried “{{__globals__}}”, but it still didn’t work.
Luckily, while I was googling, I found a blog post
https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2/ on this hard
problem. It turns out that I can use Flask's 'url_for' function to get '__globals__' with ease. So
I typed “{{url_for.__globals__['current_app'].config}}” and it gave me back the config,
which contained the flag of this question:

The flag is: “CITYF{SsTi_4nd_w@f_t0gether}”


crypto

Problem rsa_improved:
"Two primes are not enough for RSA." is the hint, and I knew that RSA is an algorithm that
usually uses an integer n that is the product of two extremely large prime numbers. So the
hint suggested to me that the algorithm uses a lot of primes to encrypt the plain text and the
file “rsa_improved.py” improved that.
Then I used WolframAlpha to factor the number n into primes:

I didn’t know how to do the next step, which required me to reverse the algorithm. But
luckily, someone had previously done it and provided it on GitHub
https://gist.github.com/jackz314/09cf253d3451f169c2dbb6bbfed73782. So I just used it with
the given input, which returned the plaintext as an integer. I converted the integer to text
(hex to string) and then got the flag:
The flag is: “CITYF{RSA_1s_IMprov3d_t0_Mu1ti_v3rsi0n}”

misc

Problem welcome:
Just submit the flag “CITYF{welcome_to_CITYF}” to check in.

Problem sea_and_sky:
I didn’t know how to find text hidden behind a PNG, but luckily I found this wonderful tutorial
video on YouTube: TUTORIAL - Steganography in PNG Images - YouTube

So I tried to open the picture badweather.png in HxD and then searched for “IHDR”, “IDAT”
and “IEND” respectively. I could find only one keyword, “IEND”:
In the next step, I did as in the YouTube tutorial: I copied from the keyword “PK” next to
“IEND” to the end of the decoded text and put it in a new file.

After that, I saved it in a zip file named badweather.zip and then extracted that zip file.

When I opened the file badweather, I found a picture that contained the flag for this question:
