
3108CTF KEMBARA TUAH 2024 - Writeups

One of Malaysia's annual CTFs, held in conjunction with Malaysia's Independence Day; the name 3108 is taken from the date of our beloved Malaysia's independence. This CTF is open mainly to local citizens only (individuals), with the theme "14 Negeri Di Malaysia" (14 States in Malaysia) and a Jeopardy format. About 902 participants joined and competed in this CTF. Win Infra by the organizers. I categorize the challenges by state.

JOHOR

1) ZZZZZZ - WEB + CRYPTO

image

Material

Challenge link : https://9798fd3cc4.bahterasiber[Dot]my

Solution

Visit the website and you will see a webpage that asks the question "Siapa yang membunuh Sultan Mahmud pada tahun 1699?"

image

Searching for the answer, we found that Laksamana Bentan is the right answer. Fill in the blank and submit; once submitted, the page gives us a cipher text.

image

The cipher text : 0x33z0x31z0x30z0x380x7bz0x37z0x30z0x30z0x650x66z0x34z0x61z0x37z0x39z0x39z0x350x39z0x360x31z0x350x62z0x360x37z0x650x61z0x35z0x32z0x39z0x37z0x65z0x37z0x32z0x350x63z0x300x36z0x65z0x7dz

Decode the cipher text using CyberChef with the From Hex recipe to get the actual flag : 3108{700ef4a79959615b67ea5297e725c06e}

2) KEKACAUAN HURUF - CRYPTO

image

Material

Chall.py :

```python
import random
from Crypto.Util.number import bytes_to_long, long_to_bytes

q = 64

# Read the flag from a file
flag = open("flag.txt", "rb").read()
flag_int = bytes_to_long(flag)

# Add random padding
padding_length = random.randint(5, 10)
padding = random.getrandbits(padding_length * 8)
flag_int = (flag_int << (padding_length * 8)) + padding

# Generate the secret key
secret_key = []
while flag_int:
    secret_key.append(flag_int % q)
    flag_int //= q

# Shuffle the secret key
original_order = list(range(len(secret_key)))
random.shuffle(original_order)
shuffled_secret_key = [secret_key[i] for i in original_order]

# Add a random offset to each value in the secret key
offset = random.randint(1, q)
shuffled_secret_key = [(x + offset) % q for x in shuffled_secret_key]

# Save the secret key and offset
with open("secret_key.txt", "w") as f:
    f.write(f"secret_key = {shuffled_secret_key}\n")
    f.write(f"offset = {offset}\n")
    f.write(f"padding_length = {padding_length}\n")
    f.write(f"original_order = {original_order}\n")

print("Secret key, offset, and original order saved to secret_key.txt")
```
secret_key.txt:
secret_key = [54, 38, 12, 47, 37, 37, 53, 22, 6, 38, 62, 22, 10, 54, 19, 41, 43, 53, 0, 62, 63, 28, 63, 63, 22, 10, 7, 37, 63, 53, 44, 8, 10, 42, 35, 43, 42, 63, 37, 21, 4, 19, 45, 21, 19, 18, 3, 62, 53, 24, 2, 62, 18, 35, 41, 14, 53, 3, 37, 63, 55, 62, 5]
offset = 50
padding_length = 9
original_order = [9, 20, 6, 12, 22, 38, 14, 24, 53, 52, 61, 29, 45, 11, 57, 44, 8, 46, 55, 59, 31, 2, 51, 43, 21, 27, 17, 40, 15, 58, 0, 26, 19, 36, 60, 28, 48, 39, 34, 50, 7, 16, 56, 30, 10, 49, 13, 3, 5, 42, 41, 47, 37, 4, 32, 33, 62, 1, 18, 23, 25, 35, 54]

Solution

For this challenge we basically need to reverse the encryption. Here I'm using ChatGPT to construct the code for me (a time-saving method) :

Solve.py :

```python
import ast

from Crypto.Util.number import long_to_bytes

q = 64

# Read the secret key, offset, padding length, and original order from the file.
# ast.literal_eval parses the list literals without executing arbitrary code.
with open("secret_key.txt", "r") as f:
    lines = f.readlines()
    shuffled_secret_key = ast.literal_eval(lines[0].split('=')[1].strip())
    offset = int(lines[1].split('=')[1].strip())
    padding_length = int(lines[2].split('=')[1].strip())
    original_order = ast.literal_eval(lines[3].split('=')[1].strip())

# Reverse the random offset
secret_key = [(x - offset) % q for x in shuffled_secret_key]

# Restore the original order
restored_secret_key = [None] * len(secret_key)
for i, pos in enumerate(original_order):
    restored_secret_key[pos] = secret_key[i]

# Reconstruct the flag as an integer
flag_int = 0
for num in reversed(restored_secret_key):
    flag_int = flag_int * q + num

# Remove the padding
flag_int >>= padding_length * 8

# Convert the integer back to bytes
flag = long_to_bytes(flag_int)

print(f"Recovered flag: {flag}")
```

Run the script and you will get the flag : 3108{9546880676d3788377699aad794c5a44}

3) MALAYAN UNION - OSINT

image

Material

malayanunion-3108

Flag Format

Format Flag: 3108{nama_tempat}

Solution

For this challenge, the material provided does not take you directly to the flag; it is just a lead or guide to the flag. First I visited the Malayan Union Wikipedia page to learn about the protest event, and found that the party opposing the Malayan Union is known as UMNO. UMNO was founded by Onn Jaafar.

image

The challenge is in the JOHOR state category, so the place should be in JOHOR, but after searching for Malayan Union protest events in JOHOR, all I got were wrong places.

After a bit of searching on the party UMNO, I found a link to the important events in the party's history; maybe that website mentions the events that happened in JOHOR. I tried every location mentioned in JOHOR and fortunately I got the flag.

image

The flag is 3108{istana_besar}. Then I knew that the place we are looking for is not where the protest event in the material happened but the place where UMNO was established.

4) KAPLA HARIMAU SELATAN - WEB

image

Material

Challenge Link : https://8303a1befe.bahterasiber[dot]my/

Solution

Visit the link and you will see the Admin Access Denied error. The first step when you meet a web challenge with no source code provided is to view the page source.

image

In the source code, there is a comment line that mentions <!-- reveal.txt -->; let's go to that path.

image

Go to reveal.txt and you will see PHP code. Here is the code, with a comment on each line explaining its function for better understanding :

```php
<?php

# CORS response header: tells browsers that only https://127.0.0.1 may read
# this response cross-origin (it does not stop anyone from sending a request)
header("Access-Control-Allow-Origin: https://127.0.0.1");

# Define the header name we want to check ('Origin')
$headerName = 'Origin';

# Define the expected value of the 'Origin' header
$headerValue = 'https://127.0.0.1';

# Define a secondary custom header name we want to check ('X-Custom-Header')
$secondaryHeaderName = 'X-Custom-Header';

# Define the expected value of the 'X-Custom-Header', which is base64 encoded
$secondaryHeaderValue = 'Sm9ob3IganVnYSBkaWtlbmFsaSBzZWJhZ2FpIEdfX19fX19fIG9sZWggb3JhbmcgU2lhbQ==';

# Convert the 'Origin' header name to a format suitable for the $_SERVER array
# (e.g., 'Origin' -> 'HTTP_ORIGIN')
$headerKey = 'HTTP_' . strtoupper(str_replace('-', '_', $headerName));

# Convert the 'X-Custom-Header' name to a format suitable for the $_SERVER array
# (e.g., 'X-Custom-Header' -> 'HTTP_X_CUSTOM_HEADER')
$secondaryHeaderKey = 'HTTP_' . strtoupper(str_replace('-', '_', $secondaryHeaderName));

# Check if both the expected headers exist in the request
if (isset($_SERVER[$headerKey]) && isset($_SERVER[$secondaryHeaderKey])) {

    # Retrieve the actual value of the 'Origin' header from the request
    $actualValue = $_SERVER[$headerKey];

    # Retrieve the actual value of the 'X-Custom-Header' from the request
    $actualSecondaryValue = $_SERVER[$secondaryHeaderKey];

    # Compare the actual values to the expected values
    if ($actualValue === $headerValue && $actualSecondaryValue === $secondaryHeaderValue) {
        # If both headers match the expected values, output the flag
        echo "The flag is 3108{this-is-fake-flag}";
    } else {
        # If the headers exist but don't match the expected values, output "Close enough"
        echo "Close enough";
    }
} else {
    # If one or both headers are missing, output "Denied!"
    echo "Denied!";
}

?>
```

Base64-decode the custom header value Sm9ob3IganVnYSBkaWtlbmFsaSBzZWJhZ2FpIEdfX19fX19fIG9sZWggb3JhbmcgU2lhbQ== and you will get "Johor juga dikenali sebagai G_______ oleh orang Siam" (Johor is also known as G_______ by the Siamese). It looks like a question: we need to fill in the blank and use it as our custom header.

Searching for the answer to that question on Google, we find that the answer is Gangganu. At first, using the curl command, I tried the full text as the custom header, and all I got in return was the Close Enough response from the server :

First attempt :

```
curl -H "Origin: https://127.0.0.1" -H "X-Custom-Header: Johor juga dikenali sebagai Gangganu oleh orang Siam" https://8303a1befe.bahterasiber[dot]my/
```

Response : Close Enough !

But then I tried using only the answer, Gangganu, as our custom header, and yup, we got the flag :

Second attempt :

```
curl -H "Origin: https://127.0.0.1" -H "X-Custom-Header: Gangganu " https://8303a1befe.bahterasiber[dot]my/
```

Response :  The flag is 3108{d941697cea9e3f341864780b68416961}

KEDAH

1) WORDLE BAHASA UTARA - WEB

image

Materials

Challenge link : https://7e6d97fe1f.bahterasiber[dot]my/

Solution

This challenge is basically a game where you guess the Utara words to obtain the flag, like the Wordle word game. Guess the right words and you get the flag : 3108{h4ng_m3m4ng_s3mp0i}

image

KELANTAN

1) SULTAN YANG HILANG - WEB

image

Material

Challenge Link : https://f2add8dd3a.bahterasiber[dot]my/

Solution

In the source code we are given JavaScript code; below is the JS code with a comment on each line for better understanding :

```javascript
// Array of years for which the names of Sultans will be fetched
const sultanYears = [1763, 1795, 1800, 1835, 1837, 1886, 1890, 1899, 1920, 1944, 1960, 1979, 2010];

// Loop through each year in the sultanYears array
sultanYears.forEach(year => {
    // Fetch the data from the API endpoint for the current year
    fetch(`/api/v1/sultan/${year}`)
        // Convert the response to JSON format
        .then(response => response.json())
        // Handle the JSON data returned from the API
        .then(data => {
            // Get the HTML element with the id 'sultan-list'
            const list = document.getElementById('sultan-list');
            // Create a new list item element
            const listItem = document.createElement('li');
            // If the response contains an error, display the error message
            if (data.error) {
                listItem.textContent = `${data.error}`;
            } else {
                // Otherwise, display the Sultan's name
                listItem.textContent = `${data.nama}`;
            }
            // Append the list item to the 'sultan-list' element
            list.appendChild(listItem);
        })
        // Log any errors that occur during the fetch or processing
        .catch(error => console.error('Error:', error));
});
```

The website fetches each sultan's name based on the year. The challenge description mentions that one sultan is missing from that list. Go to the Sultan of Kelantan Wikipedia page and notice that the missing sultan is Sultan Muhammad III, who ruled the state for a shorter period than the other sultans, from 1889 to 1890.

image

Notice that the sultanYears array consists of the year in which each sultan began his reign. The missing sultan's starting year was 1889, and it is not included in the array. The API fetches the sultan's name based on the year, so let's fetch the missing sultan by using the year 1889.

Use the API path with the year of the missing sultan : https://f2add8dd3a.bahterasiber[dot]my/api/v1/sultan/1889. You will get the flag : 3108{putera_sulong_Sultan_Ahmad}

MELAKA

1) PERIGI - OSINT

image

Material

Locked Zip file.

Solution

For this we need to find the password to unlock the zip file and get the flag. Based on the description, the password hint is to find the country that poisoned the well for the second time. Since this challenge is in the Melaka state category, the well must be located in Melaka, and the well mentioned is Perigi Hang Li Po.

After a bit of searching on the history of Perigi Hang Li Po, I found a Facebook post that tells us about the well-poisoning events :

image

Based on the story, the first to poison the well was Johor, followed by Belanda and Acheh, so the second one is Belanda. Use it as the password of the zip file and we get the flag : 3108{th3_k1ngs_w3ll_st4ys_0n}

2) HANG TAK TIDUR LAGI? - WEB

image

Material

Challenge link : https://fc9044a5b6.bahterasiber[dot]my/

Solution

View the source code and we get login credentials : tuah:tuah. Log in using the credentials, and the server responds that we don't have access to the flag. The webpage mentions the title "Laksamana", so maybe this is a kind of role. Using developer tools and viewing the cookie section, we can see the role value.

When logged in as tuah, the role that we get is JRAUWU2BJVAU4QI=, which looks like encoded text. Decode the text with base32 and we get the role in plaintext : LAKSAMANA. Maybe we can change the role to another role, but what are the roles? The challenge description mentions meeting the other Pembesar Berempat. Googling, we find that in the Kesultanan Melayu Melaka, the sultan ruled the country with the help of the Pembesar Berempat, known as Bendahara, Penghulu Bendahari, Temenggung & Laksamana.

To solve the challenge, I converted each Pembesar Berempat role except Laksamana to base32, URL-encoded it, and changed the value of the role in the cookie one by one, getting the flag part by part. Combine all 3 parts and we get the final flag : 3108{1d0R_s4nGa7l4h_Bah4y4!}
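
The role cookie in this challenge is only encoded, so the client can rewrite it at will. The following added example (not code from the challenge or from the original write-up) contrasts that pattern with a server that signs the cookie using HMAC-SHA256 and rejects any edited value. The role spellings other than LAKSAMANA, the demo key and all function names are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# The four titles named in the write-up. Only LAKSAMANA is confirmed by the
# decoded cookie; the spelling and case of the other three are assumptions.
ROLES = {"BENDAHARA", "PENGHULU BENDAHARI", "TEMENGGUNG", "LAKSAMANA"}


def encode_role(role: str) -> str:
    """Base32 then URL-encode, the cookie format the write-up describes."""
    return quote(base64.b32encode(role.encode()).decode())


def decode_role(cookie: str) -> str:
    """Reverse of encode_role; raises ValueError on malformed input."""
    return base64.b32decode(unquote(cookie)).decode()


def trusted_role(cookie: str):
    """Weak pattern: the server believes whatever role the cookie decodes to."""
    role = decode_role(cookie)
    return role if role in ROLES else None


def issue_signed(role: str, key: bytes) -> str:
    """Hardened pattern: append an HMAC-SHA256 tag only the server can make."""
    value = encode_role(role)
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verified_role(cookie: str, key: bytes):
    """Return the role if the tag is valid, None for any edited cookie."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # unsigned cookie, like the one used by the challenge
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    try:
        return trusted_role(value)
    except ValueError:  # malformed base32 or non-UTF-8 bytes
        return None


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real key is random and secret
    print(decode_role("JRAUWU2BJVAU4QI="))        # role seen in the challenge
    swapped = encode_role("BENDAHARA")
    print(trusted_role(swapped))                  # weak check accepts the edit
    signed = issue_signed("LAKSAMANA", key)
    forged = swapped + "." + signed.rpartition(".")[2]
    print(verified_role(signed, key), verified_role(forged, key))
```

Keeping the role in server-side session state and sending only an opaque session identifier removes the problem entirely; signing is the minimum when the role must travel in the cookie.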

image

3) PAHLAWAN LAGENDA - FORENSIC

image

Material

Tuah.flag.txt (file with a bunch of words, 127K words)

Solution

Use strings and grep for 3108{ on the txt file and you will get the flag : 3108{gr3p_15_@w3s0m3_l4ks4m4n4}

4) ILMU HISAB - REVERSE

image

Materials

File : Pengiraan (Data)

Solution

This challenge's vulnerability was integer overflow. Note : an integer overflow occurs when an arithmetic operation on integers attempts to create a numeric value that is outside of the range that can be represented with a given number of digits, either higher than the maximum or lower than the minimum representable value.

The first number is 1337 and the second number is the biggest signed number, 2147483647, and we will get the flag : 3108{n0mb0r_k3r4mat}

NEGERI SEMBILAN

1) SEJARAH N9 - MISC + CRYPTO

image

Material

Cipher Text : 2097119120211115191514712116114

Solution

Put the cipher text in the dCode cipher identifier to identify the encryption type. The result shows that the cipher text was encoded using Letter Number Code (A1Z26), A=1, B=2. Use the same tool to decode it, changing the option to bruteforce mode :

image

In the results section, you will see the most readable text among the others; wrap it in the flag format and we solve it : 3108{TIGASATUKOSONGLAPAN}
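
A1Z26 written without separators is ambiguous, which is why the brute-force mode is needed here. As an added example (not part of the original write-up), this counts how many letter strings the digit string can decode to and then keeps only the decodings built from a small vocabulary. The vocabulary of Malay number words is constructed and is an assumption about the plaintext; the function names are hypothetical.

```python
from functools import lru_cache

CIPHERTEXT = "2097119120211115191514712116114"  # from the challenge material

# Constructed vocabulary (assumption): Malay words for the digits 0-9.
VOCAB = ["KOSONG", "SATU", "DUA", "TIGA", "EMPAT",
         "LIMA", "ENAM", "TUJUH", "LAPAN", "SEMBILAN"]


def a1z26_encode(word: str) -> str:
    """A=1 ... Z=26, written with no separator between the numbers."""
    return "".join(str(ord(c) - ord("A") + 1) for c in word.upper())


def count_decodings(digits: str) -> int:
    """Number of ways to split the digits into values 1..26 (no leading 0)."""
    ways = [1] + [0] * len(digits)
    for i in range(1, len(digits) + 1):
        if digits[i - 1] != "0":                      # one-digit letter
            ways[i] += ways[i - 1]
        if i >= 2 and 10 <= int(digits[i - 2:i]) <= 26:  # two-digit letter
            ways[i] += ways[i - 2]
    return ways[-1]


def word_decodings(digits: str, vocab) -> list:
    """Decodings made only of vocabulary words.

    Works as a word-break search over the encoded form of each word, so the
    full set of candidate letter strings never has to be enumerated.
    """
    encoded = [(a1z26_encode(w), w) for w in vocab]

    @lru_cache(maxsize=None)
    def solve(pos: int) -> tuple:
        if pos == len(digits):
            return ((),)
        out = []
        for enc, word in encoded:
            if digits.startswith(enc, pos):
                out.extend((word,) + rest for rest in solve(pos + len(enc)))
        return tuple(out)

    return ["".join(words) for words in solve(0)]


if __name__ == "__main__":
    print(count_decodings(CIPHERTEXT), "possible letter strings")
    print(word_decodings(CIPHERTEXT, VOCAB))
```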

2) SAMBUNGAN TELEFON - MISC

image

Material

Cipher Text : 741456369 321478963 1478965456321 258 7415963 36987 7412369654 7415963 321478965 741456369 321478963 1478965456321 258 7415963

Solution

Put it in the dCode cipher identifier to identify the type of encoding. We found that it is a Numeric Keypad Draw encoding. But for this challenge we need to change the decoding method for a better approach to the flag: usually Numeric Keypad Draw uses the numeric keypad on a laptop or PC as a reference, but as the challenge name mentions Telefon, we have to refer to the mobile keypad to decode it more precisely.

Once you finish you will get the flag : 3108{hobinjanghobin}.

3) JAUH BONO UMAHNYO - MISC

Material

Cipher text : 777 33 6 22 2 88_6 666 7777 8_9 2 66 8 33 3

Solution

Use an SMS Phone Tap Code Cipher (SMS) tool to decode it and you will get the flag : 3108{rembaumostwanted}

PAHANG

1) SEMBUNYI - MISC

image

Material

Rahsia.txt

Solution

Open the txt file and you will find that it appears empty, but if you use CTRL + A, you can see there is some hidden text in it. This is what we call whitespace encoding. Use a tool called a whitespace decoder to decode the hidden message and you will get the flag : 3108{S3jarah_Ters3mbunyi_P4hang}

2) SEMBUNYI V2 - MISC

image

Material

Bendera.txt

Solution

This challenge is a more advanced version of the first one. To solve it, I use a whitespace interpreter to make the whitespace characters in the txt file visible.

SSTTSSTTSSTTSSSTSSTTSSSSSSTTTSSSSTTTTSTTSTTTSSSSSTTTSTSTSTTTSTSSSTTSTSSTSTTSTSSSSTSTTTTTSTTSSTSSSTTSSSSTSTTSTTTSSTSTTTTTSTTSTSSSSTTSTSSTSTTTSTSSSTTSSSSTSTTSTTSTSTSTTTTTSTTSSTSSSTTSSSSTSTTSTTSSSTTSSSSTSTTSTTSTSTSTTTTTSTTSTTTSSTTSSTSTSTTSSTTTSTTSSTSTSTTTSSTSSTTSTSSTSTSTTTTTSTTTSSSSSTTSSSSTSTTSTSSSSTTSSSSTSTTSTTTSSTTSSTTTSTTTTTST

The whitespace is turned into the letters S and T so it is more visible. Then change the letters to binary format: the letter S becomes 1 and the letter T becomes 0 :

1100110011001110110011111100011110000100100011111000101010001011100101101001011110100000100110111001111010010001101000001001011110010110100010111001111010010010101000001001101110011110100100111001111010010010101000001001000110011010100110001001101010001101100101101010000010001111100111101001011110011110100100011001100010000010

To decode it, I use scwf tools and we get the flag : 3108{putih_dan_hitam_dalam_negeri_pahang}
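
An added example, not from the original write-up, that carries out the same steps in Python: it makes spaces and tabs visible as S and T, reads them as bits in both polarities, and keeps whichever reading is printable ASCII. It assumes S stands for a space and T for a tab; the sample input is constructed from the first 40 symbols of the S/T listing above, and the function names are hypothetical.

```python
SYMBOL = {" ": "S", "\t": "T"}  # assumption: S marks a space, T marks a tab


def visible(raw: str) -> str:
    """Show spaces as S and tabs as T; every other character is dropped."""
    return "".join(SYMBOL.get(ch, "") for ch in raw)


def to_bits(st: str, one: str) -> str:
    """Read an S/T string as bits, with the symbol `one` standing for 1."""
    return "".join("1" if ch == one else "0" for ch in st)


def bits_to_bytes(bits: str) -> bytes:
    """Pack bits into bytes, ignoring an incomplete trailing group."""
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def decode_whitespace(raw: str) -> dict:
    """Try both polarities and keep those that give printable ASCII.

    The result maps the symbol that was read as 1 to the decoded text.
    """
    st = visible(raw)
    found = {}
    for one in "ST":
        data = bits_to_bytes(to_bits(st, one))
        if data and all(0x20 <= b < 0x7F for b in data):
            found[one] = data.decode("ascii")
    return found


# Constructed sample: the first 40 symbols of the S/T listing, turned back
# into real spaces and tabs, followed by a newline that must be ignored.
PREFIX = "SSTTSSTTSSTTSSSTSSTTSSSSSSTTTSSSSTTTTSTT"
SAMPLE = PREFIX.replace("S", " ").replace("T", "\t") + "\n"

if __name__ == "__main__":
    print(visible(SAMPLE))
    print(to_bits(PREFIX, "S"))       # same digits as the bit string above
    print(decode_whitespace(SAMPLE))
```

Reading S as 1 reproduces the bit string shown above, which is not ASCII as it stands; the complementary reading (T as 1) is the one that yields text.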

PERAK

1) PANDAK LAM - CRYPTO

image

Material

Sumber_Sekunder.txt : Snxgbe craragnatna Qngb Znunenwn Yryn
Zratnzovy unx zrathgvc phxnv. 
24Whynv1875 Ovepu zrznxfn Fhygna Noqhyynu zranaqngnatnav cratvflgvunena 
lnat zrzobyruxna Oevgvfu zratnzovy unx zrathgvc phxnv.
Fhygna Noqhyynu qvhthg nxna qvghehaxna gnxugn wvxn rattna zranaqngnatnav cratvflgvunena grefrohg. 
Ovepu zrzonxne ehznu Enwn Atnu Benat Orfne Crenx xrenan zrarehfxna xhgvcna phxnv qv Ovqbe.
Zrapnone Xrghnana Zrynlh.
Xrznenuna Fhygna qna crzorfne Crenx zrzhapnx cnqn 2Bxgbore1875.
Fhygna Noqhyynu qvcnxfn zranaqngnatnav fheng cralrenuna xhnfn xrcnqn Oevgvfu. 
Xhnfn zragnqove artrev qvfrenuxna xrcnqn Erfvqra lnat orexhnfn zrynagvx unxvz, zrathehfxna 
phxnv qna zrynagvx cratuhyh.
Zrzcrexranyxna Phxnv Oneh Ovepu oregvaqnx frfhxn ungv qratna zrzcrexranyxna phxnv oneh frcregv phxnv 
cnqv, crenuh ngnc, frawngn qna onlnena crezvg haghx zrzonynx. 3108x3o4atx1gnac4uy4j4a Frgvnc vfv ehznu creyh
zrzonlne 2Qbyne frontnv phxnv xrynzva. Zrapnohyv Nqng Erfnz Ovepu qvorapv byru fhygna qna 
crzorfne-crzorfne Crenx ncnovyn zratunenzxna fvfgrz creunzonna lnat zrawnqv nqng erfnz Zrynlh 
Ovepu fratnwn zravzohyxna xrznenuna benat Zrynlh qratna zralvzcna unzon-unzon crerzchna qv ehznualn.na zralvzcna unzon-unzon crerzchna qv ehznualn.

Solution

To solve the challenge, decode the text in the txt file using ROT13 to make the text more readable and get the flag : 3108{k3b4ngk1tanp4hl4w4n}

2) KONTRAS - FORENSIC

image

Material

Sejarah_ringkas.txt

Solution

View the pdf file; some parts of the text are censored, and that must be the flag. To get the flag, we can convert the pdf to html using the pdftohtml tool. Once you have converted the pdf to html, viewing the html file will give you the flag : 3108{Peghak_Darul_ridzuAn}

PERLIS

1) JALAN-JALAN DESA - OSINT

image

Material

Syah_Vacation

Solution

Reverse search the material and you will find the location, which is Kota Kayang Museum. The challenge says that Syah always leaves a review of the places he visits. First, I used Google Maps and looked at the review section for Kota Kayang Museum, but found nothing, so another way was needed. Maybe Syah reviewed on other platforms such as the museum website or social media. After some searching, the flag was found in the museum's Facebook review section : 3108{Muzium_Bersejarah_Perlis}

image

2) SYAH SESAT - CRYPTO

image

Material

Cipher text : }AYPF_KYMSOL_TOMMNG{8013EJVWASCUQOYOAGNURBETMYUIBMTNHGMALKGZTXUBDPS

Key : AMPUKAMPUKBULAN

Solution

Decode the cipher text using a Vigenère decoder with the given key, and don't forget to reverse the output to get the flag : 3108{GAMBUS_BUDAYA_LAMA}

PULAU PINANG

1) BAWANG - WEB + OSINT

image

Material

tmdjl5kyfzimrsrkkjisxybwb7664epxizxfz6hbivkg6k4a3x2svrad

Solution

Bawang here refers to onion, so I installed Tor Browser and found the website by combining the material with the .onion domain. On the website we need to find the credentials to log in; view the source code and we get the credentials. Once inside the website, we are given three locations, all of which are Nasi Kandar restaurants. Go through all the locations; in the Google Maps reviews of the second location, Nasi Kandar Line Clear, you will find the flag : 3108{surrr_punya_tobat_jumpa}

2) MAMU KASI TAU - MISC

image

Material

Mamu_kasi_tau.mp3

Solution

Reverse the provided material using Audacity or an audio reverser tool and use your sense of hearing. Flag : 3108{peningtelinga}

3) PANGKALAN - NETWORK

image

Material

Transmisi_Rahsia.pcapng

Solution

Open the pcapng file using Wireshark and follow the TCP streams. View the TCP streams from stream 1 to stream 13 and you will get a few base64-encoded texts. Combined, they should look like this : Mw==MQ==MA==OA==ew==bWlrZQ==YWxwaGE=bGltYQ==YnJhdm8=YWxwaGE=dGFuZ28=dGFuZ28=fQ==. It looks like base64 encoding; decode the text and you will get : 3108{mikealphalimabravoalphatangotango}, but that is not the actual flag yet. To get the real flag we need to decode it using the NATO phonetic alphabet. Flag : 3108{MALBATT}

SELANGOR

1) MESEJ RAHSIA - CRYPTO

image

Material

SecretMessagePY :

```python
a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z='j','b','a','c','m','n','i','p','o','q','r','t','x','z','v','s','u','y','h','g','d','e','f','k','l','w'
flag=((3108,"{",p,q,b,p,l,g,l,q,l,v,"_",d,g,h,s,v,k,"_",l,v,m,l,"}")[::-1])
```

Solution

The code is incomplete because it does not return the flag value, and the value will be in reverse. To complete the code, add print(flag) so that the code returns the flag value, and change [::-1]) to [::1]). Run the code and you will get the flag : 3108{substitue_cipher_text}.

2) TANPA NAMA 3 - CRYPTO

image

Material

cryptochalle.py :

```python
def xor_with_binary(binary_str, xor_str):
    binaries = binary_str.split()
    xor_num = int(xor_str, 2)
    xor_results = []
    for b in binaries:
        num = int(b, 2)
        result_num = num ^ xor_num
        xor_results.append(format(result_num, '08b'))
    return ' '.join(xor_results)

binary_str = "01010110 01010100 01010101 01011101 00011110 00110110 01010100 00101000 00110101 00101001 01010110 00111010 00100110 00110111 00110101 00111100 00110001 01010101 00111010 00100110 00101101 00100100 00101001 00101001 00100000 00101011 00100010 00100000 00011000"
xor_str = "01100101"
```

Solution

The material given to us has a missing part: the code never calls the XOR function and never prints the result. To solve this we need to call the xor_with_binary function and print the output :

solve.py :

```python
def xor_with_binary(binary_str, xor_str):
    binaries = binary_str.split()
    xor_num = int(xor_str, 2)
    xor_results = []
    for b in binaries:
        num = int(b, 2)
        result_num = num ^ xor_num
        xor_results.append(format(result_num, '08b'))
    return ' '.join(xor_results)

binary_str = "01010110 01010100 01010101 01011101 00011110 00110110 01010100 00101000 00110101 00101001 01010110 00111010 00100110 00110111 00110101 00111100 00110001 01010101 00111010 00100110 00101101 00100100 00101001 00101001 00100000 00101011 00100010 00100000 00011000"
xor_str = "01100101"

# new added
xor_results = xor_with_binary(binary_str, xor_str)
print(xor_results)
```

Run the code and you will get the result in binary; decode the binary and you will get the flag : 3108{S1MPL3_CRPYT0_CHALLENGE}

3) SELANGORKU - WEB

image

Material

Challenge link : https://6654c734cc.bahterasiber[dot]my/

Solution

Visiting the link results in a 403 Forbidden error, so the only way to view the content is by using the curl command.

```
curl https://6654c734cc.bahterasiber[dot]my/
<!DOCTYPE html>
<html lang="ms">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Sejarah Penubuhan Negeri Selangor</title>
    <link rel="stylesheet" href="style.css">
</head>
<body>
    <h1>Sejarah Penubuhan Negeri Selangor</h1>
    <p>Negeri Selangor merupakan salah satu negeri yang terletak di Pantai Barat Semenanjung Malaysia. Negeri ini terkenal dengan kekayaan sejarah dan budaya yang pelbagai.</p>

    <h2>Daerah-daerah di Selangor:</h2>
    <ul>
        <li><a href="/hulu_langat.html">Hulu Langat</a></li>
        <li><a href="/klang.html">Klang</a></li>
        <li><a href="/kuala_langat.html">Kuala Langat</a></li>
        <li><a href="/kuala_selangor.html">Kuala Selangor</a></li>
        <li><a href="/petaling.html">Petaling</a></li>
        <li><a href="/sabak_bernam.html">Sabak Bernam</a></li>
        <li><a href="/sepang.html">Sepang</a></li>
        <li><a href="/gombak.html">Gombak</a></li>
        <li><a href="/hulu_selangor.html">Hulu Selangor</a></li>
    </ul>
</body>
</html>
```

As you can see, we get a few endpoints from the server. Let's curl each of them and see what we get. The /hulu_selangor.html endpoint returns the flag : 3108{S3lang0r_temp4t_kelahiran_ku}

TERENGGANU

1) PRIVACY MATTERS - OSINT

image

Material

Tiktok Username : @rockey_smokey1337

Solution

Visit the TikTok profile; we can see one video related to Terengganu, which is the video at Jambatan Angkat Terengganu, but the next lead is not in this profile.

image

To find the next lead, click on Following and you will find another TikTok account, @p3tualang1337. Visit the profile; in one of the latest videos posted, there is a comment/conversation between these two suspects :

image

@rockey_smokey1337 asks @p3tualang1337 to tag him on Instagram and gives us his Instagram username, which is the same as on TikTok. Visit the Instagram profile and view the Healing highlight; the last picture in that highlight gives us a little teaser of the flag, so now we need to find the full flag.

image

Based on the image in the highlight, he was eating at a steak restaurant whose name starts with K and ends with Steak, thanks to the hashtag, but which steak restaurant? His last location was in Terengganu at the Jambatan Angkat, so the restaurant he went to must be around that place too. Using Google Maps, I searched for steak restaurants near the Jambatan Angkat and found the KBBSTEAK restaurant. In the restaurant's Google reviews, you will find the full flag :

image

SABAH

1) CER CARI - LINUX

image

Material

Cer_cari.txt : bunch of flag.

Solution

The txt file contains a lot of flags, but only one is the right one. The hint is already in the challenge description, which says the true flag is the most important year for Sabah. After some research, the most important year for Sabah was 1963, the year Sabah got its independence. Use the strings command on the file and grep for the flag that has 1963. Flag : 3108{1863}

2) ASAL NAMA SABAH - REVERSING

Material :

Asal_Nama_Sabah.exe

Solution

The file is less than 2 MB, so I used the Dogbolt decompiler tool to decompile the exe and see the functions inside. Scroll down and you will find the key function check_flag, which is responsible for verifying whether the user-provided input matches the correct flag. It starts by initializing two strings: one is an encoded version of the flag, var_38, and the other is a key, var_46, used for decoding. The function calculates the length of the key and then decodes the encoded string by performing an XOR operation between each character of the encoded string and the corresponding character of the key. After decoding, the function compares the decoded string with the user's input. If they match, it prints a success message along with the correct flag.

image

As you can see in the image, we can clearly see var_38, the encoded text, and var_46, the key. Without running the exe file, we can decode the encoded text by performing the XOR operation ourselves. Here is my solving script :

Solve.py :

```python
def xor_decrypt(encoded_str, key):
    decoded_chars = []
    key_len = len(key)

    for i in range(len(encoded_str)):
        # XOR the characters and append to the result list
        decoded_char = chr(ord(encoded_str[i]) ^ ord(key[i % key_len]))
        decoded_chars.append(decoded_char)

    return ''.join(decoded_chars)

# Given encoded string
encoded_hex = "5d505d591a20552e47293d325c3e3159291c"
# Convert the hex string to a bytes-like object
encoded_str = bytes.fromhex(encoded_hex).decode('latin-1')

# Key used for XOR
key = "namaasalsabah"

# Decrypt the string
decoded_flag = xor_decrypt(encoded_str, key)
print("Decoded flag:", decoded_flag)
```

Run the script and you get the Flag : 3108{S4B4H_S4PP4H}

3) LAHAD DATU - FORENSIC

image

Material

Lahad_Datu.docx (Secured file)

Solution

For this challenge we need to brute-force the docx file password. I used a couple of tools, office2john and John the Ripper. First we get the docx file's password hash by using the office2john command and save the output; I saved it as hash.txt. Then use John to brute-force the password using hash.txt and the rockyou.txt wordlist. Leave it for a while and we get the password, which is playboy. Use the password to open the file :

image

The first thing I focused on inside the docx file is 3108{0Y3R4E1_D4FF4E}, but it does not seem readable, and the admin said the flag should be readable. This means that the flag we got is encoded and needs to be decoded. Decoding it the normal way did not work, so there must be some sort of key, and then I noticed that there is a word in the docx file in bold, JamalulKiramIII. That must be the key. Jump to CyberChef, decode using the Vigenère cipher with the possible key, and yup, we got the flag : 3108{0P3R4S1_D4UL4T}

SARAWAK

1) SARAWAK KITA - FORENSIC

image

Material

Sarawak_KITA.doc.bin

Solution

For this challenge, the description mentions getting the flag from a malicious file. Investigating the file, we can find a few files such as XML and VBA, so here I use oletools. There are many sub-tools in oletools; for this challenge I use olevba to extract and analyze VBA macro source code from MS Office documents (OLE and OpenXML). Run the command olevba [file name] :

image

In the output, there is base64-encoded text in the command section : MwAxADAAOAB7AEsAdQBjAGgAMQBuAGcAXwAxAGIAdQBfAE4AMwBnADMAcgAxAF8AUwA0AHIANAB3ADQAawB9AA==; decode the text and we get the flag : 3108{Kuch1ng_1bu_N3g3r1_S4r4w4k}.

image

Material

Makanan (ELF 64-bit LSB pie executable file)

Solution

Using strings and grep the flag format which is 3108{, we will get the flag : 3108{L4KS4_S4R4W4K}

3) DAERAH SABAH & SARAWAK - FORENSIC

image

Material

Kenali_Daerah_SabahSarawak.

Solution

First I used the file command to identify the file type: it is a Zip archive. Rename it as a zip file and unzip it. We get a few jpg files : 2.jpg, 3.jpg, 4.jpg. Investigate each file using binwalk to find any embedded files, and we get something from 3.jpg.

image

Extract all of the files using binwalk with the -e flag and view the extracted files. We get a few more files : Daerah_Sabah&Sarawak.txt, file.zip (secured file) and BenderaKeNi.txt (fake flag). Daerah_Sabah&Sarawak.txt contains the list of daerah (districts) in Sabah and Sarawak. It looks like a wordlist that we can use to brute-force the flag.zip file. So here I use Zip2John on file.zip to get the password hash and save it as hash.txt, then use John with the Daerah_Sabah&Sarawak.txt wordlist to brute-force the password. Wait a while and we get the password.

image

Use the password found to open the zip file and we got the flag : 3108{S4B4H_27_D43RAH_S4R4W4K_40_D43R4H}

WILAYAH PERSEKUTUAN KUALA LUMPUR

1) TINGGI MAT - FORENSIC

image

Material

WHT.rar

Solution

Extract the .rar file and we get a few files, WarisanMerdekaTower.png and Flag2.rar (secured file), so we need to find the password to unlock Flag2.rar, but where? It must be inside WarisanMerdekaTower.png. Using the zsteg command on WarisanMerdekaTower.png, we get the password to open the .rar file, which is MERDEKA118, and the first part of our flag : 3108{th3_t4ll3st

image

Extract the flag2.rar file using the password and we get a flag2.txt file, but opened in a normal notepad we only see a bunch of text describing the building. To find the second part of the flag, I first opened the flag2.txt file using vim.

image

It looks a lot different than when opened in the normal notepad; some sort of steganography here, I guess. A bit of research found that this is known as Unicode steganography. To retrieve the hidden message, I used a Unicode steganography tool. Paste the text into the tool and decode it, and you will get the second part. Combine the 1st and 2nd parts of the flag and GG : 3108{th3_t4ll3st_0n3_1n_M4l4ys14!}

image

2) TINGGI LAGII - OSINT

image

Material

Bangunan.jpg

Bangunan

Solution

The challenge asks us to find the location coordinates of the building in the image, which shows a building that has not been built. First I reverse-searched the image and found the name of the building, Tradewinds Square Tower. It was expected to be completed in 2022, but construction was halted in 2018. The construction site is located along Jalan Sultan Ismail in Kuala Lumpur, Malaysia. Go to the location and use the coordinates as our flag; the coordinates are given to the second decimal : 3108{3.15,101.70}

This post is licensed under CC BY 4.0 by the author.
