[H4CK1T 2016] ch17ch47 – Germany Writeup

Standard

Description:

ch17ch47 – Germany – 200 – Forensics
Find out who is the recipient of the information from the agent.
http://ctf.com.ua/data/attachments/CorpUser.zip

This was the second challenge I solved in this CTF, and it took me no more than five simple and basic commands to get the flag.

I roughly follow the same simple system whenever I face a new challenge. This system has proven itself again and again in almost any kind of challenge at different levels.

  1. Examine the file types that are given to you: an image, pcap, PE, etc. You can do it using the file command or just by opening it
  2. Run ‘strings’ on it:
    strings file_name | grep -i 'flag{convention}'
  3. Run foremost (and binwalk) on the file
  4. Run strings on all the extracted files
This time we are given a zip file. First, we want to unzip it in order to examine the files inside. It has a lot of files, so I don’t paste the full output here.
Megabeets:/tmp/h4ckit/germany# unzip CorpUser.zip
Archive:  CorpUser.zip
   creating: CorpUser/
   creating: CorpUser/AppData/
   creating: CorpUser/AppData/Local/
   creating: CorpUser/AppData/Local/Apps/
   creating: CorpUser/AppData/Local/Apps/2.0/
   creating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/
   creating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/
   creating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/clic...exe_baa8013a79450f71_0001.0003_none_8554920337a51673/
  inflating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/clic...exe_baa8013a79450f71_0001.0003_none_8554920337a51673/GoogleUpdateSetup.exe
   creating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/google.app_baa8013a79450f71_0001.0003_75c9b16f02ab5371/
  inflating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/google.app_baa8013a79450f71_0001.0003_75c9b16f02ab5371/GoogleUpdateSetup.exe
  inflating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/google.app_baa8013a79450f71_0001.0003_75c9b16f02ab5371/clickonce_bootstrap.exe
  inflating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/google.app_baa8013a79450f71_0001.0003_75c9b16f02ab5371/clickonce_bootstrap.exe.cdf-ms
  inflating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/google.app_baa8013a79450f71_0001.0003_75c9b16f02ab5371/clickonce_bootstrap.exe.manifest
  inflating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/google.app_baa8013a79450f71_0001.0003_75c9b16f02ab5371/clickonce_bootstrap_unsigned.cdf-ms
  inflating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/google.app_baa8013a79450f71_0001.0003_75c9b16f02ab5371/clickonce_bootstrap_unsigned.manifest
   creating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/manifests/
  inflating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/manifests/clic...exe_baa8013a79450f71_0001.0003_none_8554920337a51673.cdf-ms
  inflating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/manifests/clic...exe_baa8013a79450f71_0001.0003_none_8554920337a51673.manifest
  ...
  ...
  DELETED LOT OF ROWS
  ...
  ...

 

We have a lot of files of different types from what seems like a Windows machine (AppData, Favorites, Downloads, Desktop…). We can go to step 2 from the list above and recursively search the strings of the files for the flag.

Megabeets:/tmp/h4ckit/germany# grep -R 'h4ck' CorpUser
Binary file CorpUser/AppData/Roaming/Skype/live#3aames.aldrich/main.db matches

This command iterates recursively over all the files in the directory and its sub-directories and greps for the string ‘h4ck’. The command returned that there is a database file containing part of the flag. Now let’s run the strings command on that file:

Megabeets:/tmp/h4ckit/germany# strings CorpUser/AppData/Roaming/Skype/live#3aames.aldrich/main.db | grep h4ck1t
live:black.zogzog blackabauh4ck1t{87e2bc9573392d5f4458393375328cf2}h4ck1t{87e2bc9573392d5f4458393375328cf2}8183ce2902ef71ac62ab02a7c8ec762e6b14e318h4ck1t{87e2bc9573392d5f4458393375328cf2}h4ck1t{87e2bc9573392d5f4458393375328cf2}h4ck1t{87e2bc9573392d5f4458393375328cf2}h4ck1t{87e2bc9573392d5f4458393375328cf2}

And we got the flag. Easy, right?
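As an added example (not the author’s commands), here is the recursive search from the step list and the grep above as a small Python script: it walks an extracted profile directory, scans every file as raw bytes for the flag convention, records where each hit sits and collapses the repeated copies a chat database stores. The directory names, the file contents and the flag value are constructed for the example; the `h4ck1t{...}` pattern is the one this CTF uses.

```python
import os
import re
import tempfile

# Flag convention of this CTF; the {1,128} bound keeps a stray '{' in a binary
# from swallowing megabytes of junk, and a newline ends the candidate.
FLAG_RE = re.compile(rb"h4ck1t\{[^}\n]{1,128}\}")


def find_flags(root, pattern=FLAG_RE):
    """Recursively scan every regular file under root as raw bytes and return a
    sorted list of (relative path, byte offset, match) tuples: a 'grep -R'
    followed by 'strings | grep', with the offset of each hit recorded."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files; never follow anything out of the evidence tree
            with open(path, "rb") as fh:
                data = fh.read()  # whole-file read is fine for a user profile; stream in chunks for disk images
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for m in pattern.finditer(data):
                hits.append((rel, m.start(), m.group().decode("ascii", "replace")))
    hits.sort()
    return hits


def unique_flags(hits):
    """Collapse repeated occurrences (a chat database stores a message several times) to one entry per flag."""
    return sorted({flag for _path, _offset, flag in hits})


def build_sample_tree():
    """Constructed evidence tree: a profile-like directory with one binary
    database that embeds a sample flag twice, plus files that must not match."""
    root = tempfile.mkdtemp(prefix="corpuser_")
    skype_dir = os.path.join(root, "AppData", "Roaming", "Skype", "live#3asample.user")
    os.makedirs(skype_dir)
    os.makedirs(os.path.join(root, "Desktop"))
    sample_flag = b"h4ck1t{c0nstructed_sample_flag}"  # constructed value, not the challenge flag
    # binary-looking blob: SQLite magic, every byte value, the flag stored twice as a chat DB would
    blob = (b"SQLite format 3\x00" + bytes(range(256)) + sample_flag
            + b"\x00" * 8 + sample_flag + bytes(range(255, -1, -1)))
    with open(os.path.join(skype_dir, "main.db"), "wb") as fh:
        fh.write(blob)
    # a text file with the prefix but no closing brace on the same line: must not match
    with open(os.path.join(root, "Desktop", "notes.txt"), "wb") as fh:
        fh.write(b"nothing to see here, h4ck1t{ is not a flag\nsecond line}\n")
    # a PE-looking file with no flag at all
    with open(os.path.join(root, "Desktop", "GoogleUpdateSetup.exe"), "wb") as fh:
        fh.write(b"MZ" + bytes(range(256)))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, offset, flag in find_flags(sample_root):
        print(f"{rel} @ {offset}: {flag}")
    print("unique:", unique_flags(find_flags(sample_root)))
```

Run it against the unzipped `CorpUser` directory instead of the sample tree by calling `find_flags("CorpUser")`; the offsets let you jump straight to the record in a hex editor or in the sqlite shell.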

Flag: h4ck1t{87e2bc9573392d5f4458393375328cf2}

[H4CK1T 2016] 1magePr1son- Mozambique Writeup

Description:

Task: 1magePr1son- Mozambique- Stego- 150

Implementing of the latest encryption system as always brought a set of problems for one of the known FSI services: they have lost the module which is responsible for decoding information. And some information has been already ciphered! Your task for today: to define a cryptoalgorithm and decode the message.
https://ctf.com.ua/data/attachments/planet_982680d78ab9718f5a335ec05ebc4ea2.png.zip
h4ck1t{str(flag).upper()}

To start, we are given a wallpaper image named planet.png (2560×1850):

h4ck1t_mozambiqu1

Looking carefully at the image we can see a pattern of strange dots, and such dots may be connected to the cryptosystem. Those are pixels in different colors that probably belong to another image. My thought was that the pixels of the flag image were spread across the wallpaper.

h4ck1t_mozambiqu2

The dots appear every 24 pixels, so I wrote a short Python script to combine them into one image:

from PIL import Image

original = Image.open("planet.png")
p_orig = original.load()
width, height = original.size
new_image = Image.new('RGBA',(width,height)) # The original image dimensions
p_flag = new_image.load()
cord_x, cord_y = 0, 0

# Collect the pixels (every 24th in both axes) and add them to the new image
for j in range(0,height,24):
    for i in range(0,width,24):
        p_flag[cord_x,cord_y] = p_orig[i,j]
        cord_x+=1
    cord_y+=1
    cord_x=0

new_image.save('flag.png', 'PNG')

I ran it and got a big image (the wallpaper size) with this tiny image inside that contains the flag:

h4ck1t_mozambiqu3
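The script above keeps the gathered pixels in a wallpaper-sized canvas and relies on having spotted the 24-pixel spacing by eye. As an added example (not the author’s code), the following pure-Python version, which uses plain lists of RGB tuples instead of PIL so it runs anywhere, does the same lattice extraction cropped to the hidden image and adds the check a practitioner wants before eyeballing: a scan over candidate strides that reports which one lines up with the out-of-place pixels. The cover gradient, the 3×4 secret and the 24-pixel stride are constructed; `embed_lattice` exists only to build the test input.

```python
# Constructed secret: 3 rows x 4 columns of RGB tuples, the "tiny image" to hide.
SECRET = [
    [(255, 0, 0), (0, 255, 0), (0, 0, 255), (255, 255, 0)],
    [(255, 0, 255), (0, 255, 255), (255, 255, 255), (0, 0, 0)],
    [(128, 0, 0), (0, 128, 0), (0, 0, 128), (128, 128, 128)],
]


def make_gradient(width, height):
    """Constructed smooth cover image (a stand-in for the wallpaper) as rows of RGB tuples."""
    return [[(x * 255 // max(width - 1, 1), y * 255 // max(height - 1, 1), 128)
             for x in range(width)] for y in range(height)]


def embed_lattice(cover, secret, stride):
    """Write secret[y][x] into a copy of cover at pixel (x*stride, y*stride)."""
    stego = [row[:] for row in cover]
    for y, row in enumerate(secret):
        for x, px in enumerate(row):
            stego[y * stride][x * stride] = px
    return stego


def extract_lattice(stego, stride):
    """Inverse of embed_lattice: every stride-th pixel in both axes, cropped to
    the sub-image rather than left at cover size as in the original script."""
    return [[stego[y][x] for x in range(0, len(stego[0]), stride)]
            for y in range(0, len(stego), stride)]


def _diff(p, q):
    return sum(abs(a - b) for a, b in zip(p, q))


def lattice_outlier_fraction(img, stride, threshold=64):
    """Fraction of lattice pixels that differ sharply from their right-hand neighbour.
    For a smooth cover this is close to 1.0 at the embedding stride (and its
    multiples) and small at every other stride."""
    height, width = len(img), len(img[0])
    total = outliers = 0
    for y in range(0, height, stride):
        for x in range(0, width - 1, stride):   # width - 1 keeps x + 1 inside the row
            total += 1
            if _diff(img[y][x], img[y][x + 1]) > threshold:
                outliers += 1
    return outliers / total if total else 0.0


def guess_stride(img, candidates=range(2, 49), min_fraction=0.9):
    """Smallest candidate stride whose lattice is (almost) entirely outliers;
    None when no stride stands out, e.g. on an untouched cover."""
    for stride in candidates:
        if lattice_outlier_fraction(img, stride) >= min_fraction:
            return stride
    return None


if __name__ == "__main__":
    stego_img = embed_lattice(make_gradient(96, 72), SECRET, 24)
    found = guess_stride(stego_img)
    print("stride:", found)
    for row in extract_lattice(stego_img, found):
        print(row)
```

The outlier test assumes a reasonably smooth cover, which holds for a rendered planet wallpaper; on a noisy photograph the threshold would need raising, or the comparison would have to be made against a blurred copy of the image instead of the raw neighbour. To apply it to the real file, load planet.png with PIL and convert `list(image.getdata())` into rows of tuples first.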

Flag: h4ck1t{SPACE_IS_THE_KEY}

[H4CK1T 2016] v01c3_0f_7h3_fu7ur3 – Australia Writeup

Description:

v01c3_0f_7h3_fu7ur3 – Australia – 300 – Network
The captured data contains encrypted information. Decrypt it.
http://ctf.com.ua/data/attachments/wireshark_8764d640d217fd346e2db2b5c38dde13.pcap

The first thing I do when I face a pcap challenge is, of course, open it in Wireshark. If it looks normal (and not, for example, Bluetooth traffic) I then run ‘foremost‘ on the file. ‘foremost‘ searches a given file for known file types by their headers, footers etc., and extracts them into an ‘output’ folder in the current directory.
So foremost found several files in the PCAP from several sources like http and ftp traffic:

  • png
  • gif
  • jpg
  • rar
  • (…)

I opened the rar archive and found a file named ‘key.enc’ which contained “Salted_<GIBBERISH>”. I opened it in a hex editor:

h4ck1t_australia_1

At first, as the name says, I thought I had found the key of some encryption and now needed to find the encrypted file and the cipher. But on second thought I said to myself that ‘*.enc’ is usually used for encrypted files! So that file isn’t a key, it’s encrypted and we need to decrypt it. But what are the key and the cipher?

So, I figured out that a file starting with “Salted_” is a file that was encrypted using the ‘openssl’ tool.
I then went to read the task again and saw that the name of the challenge is “v01c3_0f_7h3_fu7ur3”, so I thought maybe it involves some audio. I searched for ‘mp3’ or ‘aud’ in the pcap (queries: ‘tcp contains mp3’, ‘tcp contains aud’) and found the following url:
http://priyom.org/scripts/audioplayer.min.js

It’s an innocent javascript file. I entered the “priyom” site and read its description:

“Priyom is an international organization intending to research and bring to light the mysterious reality of intelligence, military and diplomatic communication via shortwave radio: number stations”

Sounds interesting. So I looked again in the pcap and saw a request to this specific url:
http://priyom.org/number-stations/english/e06

On that page there is a recording of a robotic voice that reads out numbers:
75975975948648631317369873698599905999017212172126397363973486486313100000

So now I have what seems like a key, but what is the encryption?
A bit of research about the encryption made me think it’s AES, so I ran:

openssl aes-256-cbc -d -in key.enc -k <the long key>

-d is for decrypt
-k is for the passphrase

Failed. So I read about the structure of the voice record on the website and took only the Message part from the numbers: 7369859990172126397300000
This is the actual Message part (the 5-digit groups, which are read in pairs) plus the 5 zeroes at the end, without the Intro, Outro, Preamble, Postamble and the duplicated 5-digit groups.

Failed again. I tried it with all the possible openssl ciphers (20+) but it failed again.
So I got mad and tried to decrypt it using every cipher with every possible substring of the original number from the recording.
Pseudo code (written out here as the bash loop it stands for):

key=75975975948648631317369873698599905999017212172126397363973486486313100000
for ((start = 0; start < ${#key}; start++)); do
    for ((len = 1; len <= ${#key} - start; len++)); do
        sb=${key:start:len}                                 # one substring of the recording
        for enc in $(openssl list -cipher-commands); do     # every cipher openssl enc knows (list-cipher-commands on 1.0.x)
            openssl "$enc" -d -in key.enc -k "$sb" 2>/dev/null | grep -a -q 'h4ck1t{' \
                && echo "$enc $sb"
        done
    done
done

And this is what it really looked like:

h4ck1t_australia_2
It took 30 minutes to run.
BUT FAILED. No flag.

At this point I think 3 or 4 teams had already solved it.
So I tried more and more combinations and this stupid one finally worked:

Megabeets:/tmp/h4ckit/australia# openssl aes-256-cbc -d -in key.enc -k 75948631736985999017212639734863100000
h4ck1t{Nic3_7ry}

It’s the full number from the recording with the duplicated groups removed (the recording is split into groups of digits and the speaker reads each group two or three times).

So the hardest part was actually to figure out the exact keyphrase, the rest was pretty easy.
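Two things in this writeup deserve a closer look: what a “Salted_” file actually is, and the de-duplication of the number-station readout that finally produced the passphrase. The block below is an added example, not the author’s script. `parse_salted` splits off the 8-byte magic (`Salted__`, two underscores) and the 8-byte salt that `openssl enc` writes; `evp_bytes_to_key` is the derivation `openssl enc -k` applies to the passphrase and salt (one MD5 iteration in OpenSSL before 1.1.0, SHA-256 from 1.1.0 on, which is why a 2016 `key.enc` needs `-md md5` on a current openssl); the decryption itself is left to openssl or a crypto library, since the standard library has no AES. `collapse_repeats` removes back-to-back repeated digit groups and reproduces the working passphrase from the digits quoted above. The salt and passphrase in the usage are constructed.

```python
import hashlib

SALTED_MAGIC = b"Salted__"

# Digits read out on the recording, copied from the writeup.
RECORDING = "75975975948648631317369873698599905999017212172126397363973486486313100000"


def is_salted(blob):
    """True when blob carries the 'openssl enc' header: 8-byte magic followed by an 8-byte salt."""
    return len(blob) >= 16 and blob[:8] == SALTED_MAGIC


def parse_salted(blob):
    """Split an 'openssl enc' output into (salt, ciphertext)."""
    if not is_salted(blob):
        raise ValueError("not an OpenSSL 'Salted__' blob")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(passphrase, salt, key_len=32, iv_len=16, digest="md5"):
    """OpenSSL's EVP_BytesToKey with one iteration: D_i = H(D_{i-1} || passphrase || salt),
    concatenated until key_len + iv_len bytes exist. This is what 'openssl enc -k' does
    with the passphrase; defaults here match aes-256-cbc (32-byte key, 16-byte IV).
    OpenSSL < 1.1.0 used md5 by default, 1.1.0 and later use sha256."""
    buf, prev = b"", b""
    while len(buf) < key_len + iv_len:
        prev = hashlib.new(digest, prev + passphrase + salt).digest()
        buf += prev
    return buf[:key_len], buf[key_len:key_len + iv_len]


def collapse_repeats(digits, terminator="00000"):
    """Remove the back-to-back repetitions a number-station reader puts into the
    digit stream. At each position the longest group that is immediately repeated
    is kept once and all of its consecutive copies are dropped. The end-of-message
    terminator is split off first so its own repeated zeros are not collapsed."""
    stripped = bool(terminator) and digits.endswith(terminator)
    body = digits[:-len(terminator)] if stripped else digits
    out, i = [], 0
    while i < len(body):
        group = None
        for g in range((len(body) - i) // 2, 0, -1):   # longest candidate first
            if body[i:i + g] == body[i + g:i + 2 * g]:
                group = body[i:i + g]
                break
        if group is None:
            group = body[i]                              # no repetition here: keep the digit as is
        out.append(group)
        i += len(group)
        while body.startswith(group, i):                 # swallow the second, third, ... readings
            i += len(group)
    return "".join(out) + (terminator if stripped else "")


if __name__ == "__main__":
    passphrase = collapse_repeats(RECORDING)
    print("passphrase:", passphrase)
    # constructed salt; a real one comes from parse_salted(open("key.enc", "rb").read())
    salt = bytes(range(1, 9))
    key, iv = evp_bytes_to_key(passphrase.encode(), salt)
    print("key:", key.hex())
    print("iv: ", iv.hex())
```

The greedy longest-group rule is what makes “3131” collapse to “31” while “7369873698” collapses to “73698”; it would misfire on a message whose genuine content happened to repeat a group, which is exactly why the terminator is handled separately.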

Flag: h4ck1t{Nic3_7ry}

[H4CK1T 2016] Belarus – Electronicon Writeup

Description:

Belarus – Electronicon – PPC – 250 pts
EN: This task is one of the methods for the psychological attacks. It is intended for people who don’t have heart diseases and reached 18 years 😉

h4ck1t{flag.upper()}

paint.txt

As the attached file says, it was real pain. I opened the file in the browser and saw this horrible thing:

h4ck1t_belarus_1

Looks bad, and it crashed my browser. This text file was too big for it to handle. So I opened it in Notepad++ and it wasn’t any better:

h4ck1t_belarus_2

Still terrifying, and it was heavy for Notepad++ too. But this time something caught my eye. Look at the rows panel on the left: it says only 1 line. Let’s turn off word wrap (View > Word wrap) and check what it is:

h4ck1t_belarus_3

Aah ah! It was a HUGE ascii-art. How huge? 11 rows of 1830661 chars each! It’s a long hex string. So now we need to parse it. I tried using this module but without any success, so I decided to go the hard way and parse it myself.

First, I edited the file to make it easier to parse. I wanted every character to have its own block of lines. I wrote a script to separate the characters:

fin = open('pain.txt', 'r')
fout = open('out.txt', 'w')

content = fin.read()

# If the file ends with a newline, split('\n') yields an empty 12th element,
# which is written out below as the blank separator line that the parsing
# script counts on (12 lines per character, 11 of them art)
splitted = content.split('\n')
width = 13          # width of one ascii-art character, spacing included

print(len(content))
for j in range(len(splitted[0]) // width):
    for i in range(len(splitted)):
        # slice by index instead of re-assigning the shortened row each time:
        # same output, without copying megabytes of string per character
        fout.write(splitted[i][j * width:(j + 1) * width] + "\n")

fin.close()
fout.close()

Now let’s open the edited file with EmEditor, which is capable of opening large files, and see what our file looks like:

h4ck1t_belarus_4

Good! Looks exactly like I wanted! Now in order to parse it we need to tell the code what every letter or digit looks like, so I started to define a variable for each letter or digit with the matching ascii-art. It was something like this:

f_in = open('out.txt', 'r')
ff = open('flag.txt', 'w')
content = f_in.read()
content = content.split("\n")

# Reference glyphs: every character is an 11-line block of ascii-art; the 12th
# line of each block in out.txt is the empty separator
f = content[0:11] # The letter f
c8 = content[37:48] # The digit 8
... # Other letters and digits
... # Other letters and digits
... # Other letters and digits

# Lookup table instead of a long if/elif chain
glyphs = {"a": a, "b": b, "c": c, "d": d, "e": e, "f": f,
          "0": c0, "1": c1, "2": c2, "3": c3, "4": c4,
          "5": c5, "6": c6, "7": c7, "8": c8, "9": c9}

index = 0
while index * 12 < len(content): # a plain 'while True' never stops at the end of the file
    lines = content[index*12:(index+1)*12-1] # 11 art lines, the separator is skipped
    for char, glyph in glyphs.items():
        if lines == glyph:
            ff.write(char)
            break
    index += 1

ff.close()
f_in.close()

I took the long hex string and pasted it into a hex editor. It was this photo:
h4ck1t_belarus_5
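As an added example (not the author’s script), the block below carries the same approach end to end on a constructed 3-by-5 font standing in for the challenge’s 11-row, 13-column one: slicing the wide rows into per-character blocks (the first script), matching each block against a glyph table instead of a long if/elif chain (the second script), and turning the recovered hex into bytes whose magic tells you what file you got. The font, the glyph geometry and the sample banner are constructed; `render_banner` exists only to produce test input.

```python
# Constructed 3x5 "font": every hex character as five rows of three cells ('#' on, ' ' off).
FONT = {
    "0": ["###", "# #", "# #", "# #", "###"],
    "1": [" # ", "## ", " # ", " # ", "###"],
    "2": ["###", "  #", "###", "#  ", "###"],
    "3": ["###", "  #", "###", "  #", "###"],
    "4": ["# #", "# #", "###", "  #", "  #"],
    "5": ["###", "#  ", "###", "  #", "###"],
    "6": ["###", "#  ", "###", "# #", "###"],
    "7": ["###", "  #", "  #", "  #", "  #"],
    "8": ["###", "# #", "###", "# #", "###"],
    "9": ["###", "# #", "###", "  #", "###"],
    "a": [" # ", "# #", "###", "# #", "# #"],
    "b": ["## ", "# #", "## ", "# #", "## "],
    "c": ["###", "#  ", "#  ", "#  ", "###"],
    "d": ["## ", "# #", "# #", "# #", "## "],
    "e": ["###", "#  ", "###", "#  ", "###"],
    "f": ["###", "#  ", "###", "#  ", "#  "],
}
GLYPH_W, GLYPH_H, GAP = 3, 5, 1
CELL_W = GLYPH_W + GAP     # the author's width=13 is the same idea: glyph plus spacing

# File signatures worth recognising in a recovered blob (prefix -> name).
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif", b"PK\x03\x04": "zip"}


def render_banner(text, font=FONT):
    """Lay the glyphs of text side by side: GLYPH_H rows of equal length, i.e. the
    'one line' file seen with word wrap switched off."""
    return [(" " * GAP).join(font[ch][r] for ch in text) for r in range(GLYPH_H)]


def split_cells(rows, cell_w=CELL_W):
    """The reshaping step of the first script: cut the wide rows into one block
    of GLYPH_H lines per character, reading left to right."""
    n_cells = (len(rows[0]) + cell_w - 1) // cell_w
    return [[row[i * cell_w:(i + 1) * cell_w].ljust(cell_w)[:GLYPH_W] for row in rows]
            for i in range(n_cells)]


def recognise_banner(rows, font=FONT, cell_w=CELL_W):
    """The matching step of the second script as a lookup table. Unknown blocks
    become '?' so a misaligned cell shows up instead of being silently skipped."""
    lookup = {tuple(glyph): ch for ch, glyph in font.items()}
    return "".join(lookup.get(tuple(block), "?") for block in split_cells(rows, cell_w))


def sniff(data):
    """Name the recovered bytes by their magic, the way a hex editor lets you see it."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def decode_banner(rows):
    """Full pipeline: ascii-art rows -> hex string -> bytes -> file type."""
    hexstr = recognise_banner(rows)
    if "?" in hexstr:
        raise ValueError("unrecognised glyph at index %d" % hexstr.index("?"))
    data = bytes.fromhex(hexstr)
    return hexstr, data, sniff(data)


if __name__ == "__main__":
    banner = render_banner("89504e470d0a1a0a")   # constructed: the hex of a PNG signature
    print("\n".join(banner))
    print(decode_banner(banner))
```

For the real file the glyph table has to come from the data itself, as the author did by slicing known blocks out of out.txt; once every distinct block has a label, the same lookup decodes the whole 140,000-character string in one pass.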

Well, that’s it. We got the flag and we now can rest in peace.

Flag: h4ck1t{1_L0V3_3P1C_F0NT$}

[H4CK1T 2016] 1n51d3r’5 j0b – Canada Writeup

Description:

1n51d3r’5 j0b – Canada – 300 – Forensics
Tommy wrote a program. It seems he has hidden from us important information. Find out what Tommy hides.
http://ctf.com.ua/data/attachments/Tommy_2e00c18e3a480959ba5fb4f65ff7f2b7.zip

Oh god, this challenge was so fun. The easiest 300 points I’ve ever got. I’m sure it wasn’t the intended solution but it works, so who am I to complain. Three commands, that’s all.

Megabeets:/tmp/h4ckit/canada# unzip Tommy_2e00c18e3a480959ba5fb4f65ff7f2b7.zip
Archive:  Tommy_2e00c18e3a480959ba5fb4f65ff7f2b7.zip
   creating: 300/
  inflating: 300/out.txt
  inflating: 300/parse
Megabeets:/tmp/h4ckit/canada# ll
total 628
drwxrwxrwx 2 root root      0 Oct  3 00:22 ./
drwxrwxrwx 2 root root      0 Oct  2 16:04 ../
drwxrwxrwx 2 root root      0 Sep 24 18:17 300/
-rwxrwxrwx 1 root root 634168 Sep 28 20:42 Tommy_2e00c18e3a480959ba5fb4f65ff7f2b7.zip*
Megabeets:/tmp/h4ckit/canada# strings /300/parse | grep -i h4ck1t{
...h4ck1t{T0mmy_g0t_h1s_Gun}...

I don’t even know what the challenge is about. I just moved on to the next challenge without asking any unnecessary questions.

Flag: h4ck1t{T0mmy_g0t_h1s_Gun}