Introduction

CERT-SE Challenge 2020 is a CTF challenge created by CERT-SE, the national CERT of Sweden.

Challenge

The challenge consisted of a pcapng file to analyze in order to find the final flag.

Step 1 – Locate file

I found an FTP session where someone uploads a file called demo.tar.xz:

220 (vsFTPd 3.0.3)
USER sidden
331 Please specify the password.
PASS k3b4bt411rik
230 Login successful.
SYST
215 UNIX Type: L8
TYPE I
200 Switching to Binary mode.
PORT 192,168,122,156,146,217
200 PORT command successful. Consider using PASV.
STOR demo.tar.xz
150 Ok to send data.
226 Transfer complete.
TYPE A
200 Switching to ASCII mode.
PORT 192,168,122,156,167,221
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
226 Directory send OK.
QUIT
221 Goodbye.

After locating the FTP-DATA stream, I saved the uploaded file and unpacked it. It contained a password-protected zip file called demo.zip.
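The data stream can be located from the control channel itself: in active mode, each PORT command announces the client address and port that the server connects to for the next transfer. The following is an added example, not part of the original write-up; it parses the PORT lines from the session above and builds a Wireshark display filter for each transfer (function names are illustrative).

```python
import re

# FTP control-channel lines copied from the session shown above.
CONTROL = """\
PORT 192,168,122,156,146,217
200 PORT command successful. Consider using PASV.
STOR demo.tar.xz
150 Ok to send data.
226 Transfer complete.
PORT 192,168,122,156,167,221
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
"""

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
XFER_RE = re.compile(r"^(STOR|RETR|APPE|LIST|NLST)\b ?(.*)$")


def data_endpoints(control_text):
    """Pair each transfer command with the endpoint from the preceding PORT."""
    pending, transfers = None, []
    for line in control_text.splitlines():
        line = line.strip()
        m = PORT_RE.match(line)
        if m:
            nums = [int(n) for n in m.groups()]
            # h1-h4 are the IP octets; the port is p1 * 256 + p2.
            pending = None if max(nums) > 255 else (
                ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5])
            continue
        m = XFER_RE.match(line)
        if m and pending:
            transfers.append((m.group(1), m.group(2), *pending))
            pending = None  # one PORT announcement serves one transfer
    return transfers


def display_filter(ip, port):
    """Wireshark display filter for the data connection to ip:port."""
    return f"ip.addr == {ip} && tcp.port == {port}"


if __name__ == "__main__":
    for cmd, arg, ip, port in data_endpoints(CONTROL):
        print(cmd, arg or "-", "->", display_filter(ip, port))
```

The STOR transfer maps to port 146 * 256 + 217 = 37593 on 192.168.122.156, which is the TCP stream that carries demo.tar.xz.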

Step 2 – Locate password

So we need a password to unpack demo.zip. After some more analysis of the capture file, I found an IRC stream where an “encrypted” password is sent to a user.

:Sp3ccyF4n!user@192.168.122.177 JOIN :#RetroForum
PING LAG1597869899977
:retro.1337forum.fanboy PONG retro.1337forum.fanboy :LAG1597869899977
WHO #RetroForum %chtsunfra,152
:retro.1337forum.fanboy 354 SID-v1si0uS 152 #RetroForum user 192.168.122.177 retro.1337forum.fanboy Sp3ccyF4n H 0 :realname
:retro.1337forum.fanboy 354 SID-v1si0uS 152 #RetroForum user 192.168.122.156 retro.1337forum.fanboy SID-v1si0uS H@ 0 :realname
:retro.1337forum.fanboy 315 SID-v1si0uS #RetroForum :End of /WHO list.
PING LAG1597869929978
:retro.1337forum.fanboy PONG retro.1337forum.fanboy :LAG1597869929978
:Sp3ccyF4n!user@192.168.122.177 PRIVMSG #RetroForum :Yo!
PRIVMSG #RetroForum :Yo!/Sup?
PING LAG1597869959978
:retro.1337forum.fanboy PONG retro.1337forum.fanboy :LAG1597869959978
:Sp3ccyF4n!user@192.168.122.177 PRIVMSG #RetroForum :Sup?
PRIVMSG #RetroForum :I was thinking about what you said earlier. I still can't accept that you perfer the Z80?
:Sp3ccyF4n!user@192.168.122.177 PRIVMSG #RetroForum :What now??? The Spectrum is waaaaay faster than the C64!!!
WHO #RetroForum %chtsunfra,152
PING LAG1597869989977
:retro.1337forum.fanboy 354 SID-v1si0uS 152 #RetroForum user 192.168.122.177 retro.1337forum.fanboy Sp3ccyF4n H 0 :realname
:retro.1337forum.fanboy 354 SID-v1si0uS 152 #RetroForum user 192.168.122.156 retro.1337forum.fanboy SID-v1si0uS H@ 0 :realname
:retro.1337forum.fanboy 315 SID-v1si0uS #RetroForum :End of /WHO list.
:retro.1337forum.fanboy PONG retro.1337forum.fanboy :LAG1597869989977
PING LAG1597870019977
:retro.1337forum.fanboy PONG retro.1337forum.fanboy :LAG1597870019977
PRIVMSG #RetroForum :Sure the CPU, yes. But hardware sprites, a soundship that doesn't sound like a cat beeing strangled, and the possibility for for paralax scrolling?
:Sp3ccyF4n!user@192.168.122.177 PRIVMSG #RetroForum :You're just talking about superficial "flair". It's like putting makeup on a pig, it's still slow…
PRIVMSG #RetroForum :Dude you're soooooo wrong!!! Just have a look at the demo I uploaded to the FTP earlier, I'll PM you the password with our usual "encryption".
WHO #RetroForum %chtsunfra,152
PING LAG1597870049977
:retro.1337forum.fanboy 354 SID-v1si0uS 152 #RetroForum user 192.168.122.177 retro.1337forum.fanboy Sp3ccyF4n H 0 :realname
:retro.1337forum.fanboy 354 SID-v1si0uS 152 #RetroForum user 192.168.122.156 retro.1337forum.fanboy SID-v1si0uS H@ 0 :realname
:retro.1337forum.fanboy 315 SID-v1si0uS #RetroForum :End of /WHO list.
:retro.1337forum.fanboy PONG retro.1337forum.fanboy :LAG1597870049977
PRIVMSG Sp3ccyF4n :The code is: "OC1iaXQtQzBtcHV0M2VyLXcwbmQzciE/".
PING LAG1597870079977
:retro.1337forum.fanboy PONG retro.1337forum.fanboy :LAG1597870079977
:Sp3ccyF4n!user@192.168.122.177 PRIVMSG #RetroForum :Thanks… But I don't think it's relevant. You wont convince me! CPU-power is EVERYTHING. My Z80 is kicking your lazy 6502!!!
PRIVMSG #RetroForum :Whatever… All I have to say is SID6581, nuff said!
:Sp3ccyF4n!user@192.168.122.177 PRIVMSG #RetroForum :Like you said… Whatever…
KICK #RetroForum Sp3ccyF4n
:SID-v1si0uS!user@192.168.122.156 KICK #RetroForum Sp3ccyF4n :SID-v1si0uS
WHO #RetroForum %chtsunfra,152
PING LAG1597870109978
:retro.1337forum.fanboy 354 SID-v1si0uS 152 #RetroForum user 192.168.122.156 retro.1337forum.fanboy SID-v1si0uS H@ 0 :realname
:retro.1337forum.fanboy 315 SID-v1si0uS #RetroForum :End of /WHO list.
:retro.1337forum.fanboy PONG retro.1337forum.fanboy :LAG1597870109978

The most interesting parts are the following:

PRIVMSG #RetroForum :Dude you're soooooo wrong!!! Just have a look at the demo I uploaded to the FTP earlier, I'll PM you the password with our usual "encryption".
PRIVMSG Sp3ccyF4n :The code is: "OC1iaXQtQzBtcHV0M2VyLXcwbmQzciE/".

After base64-decoding OC1iaXQtQzBtcHV0M2VyLXcwbmQzciE/, we get the password 8-bit-C0mput3er-w0nd3r!?
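An added example, not from the original write-up: it scans IRC lines for private (user-to-user) PRIVMSGs and decodes any token that is strict base64 of printable ASCII. The sample lines are copied from the stream above; function names are illustrative.

```python
import base64
import binascii
import re

# IRC lines copied from the stream shown above. Lines sent by the captured
# client carry no ":nick!user@host" prefix.
IRC = """\
:Sp3ccyF4n!user@192.168.122.177 PRIVMSG #RetroForum :Sup?
PRIVMSG #RetroForum :Yo!/Sup?
PRIVMSG Sp3ccyF4n :The code is: "OC1iaXQtQzBtcHV0M2VyLXcwbmQzciE/".
"""

PRIVMSG_RE = re.compile(r"^(?::(\S+) )?PRIVMSG (\S+) :(.*)$")
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def try_b64(token):
    """Return decoded text if token is strict base64 of printable ASCII, else None."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def decode_private_messages(irc_text):
    """Return (target, token, decoded) for base64 tokens in user-to-user PRIVMSGs."""
    hits = []
    for line in irc_text.splitlines():
        m = PRIVMSG_RE.match(line.strip())
        if not m or m.group(2).startswith(("#", "&")):
            continue  # skip channel traffic; the password was sent by PM
        for token in TOKEN_RE.findall(m.group(3)):
            decoded = try_b64(token)
            if decoded is not None:
                hits.append((m.group(2), token, decoded))
    return hits


if __name__ == "__main__":
    for target, token, decoded in decode_private_messages(IRC):
        print(f"PM to {target}: {token} -> {decoded}")
```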

When we unpack demo.zip, we get a file called cert-se ctf2020.tap. Opening this file in a hex editor, we find the header C64-TAPE-RAW.

Step 3 – Running the demo

When we run the C64 image in a C64 emulator, we get a demo with a scrolling message and a yellow hint text in the middle.

[Screenshot of the CERT-SE Challenge 2020 demo]

Step 4 – Last clue

The last clue from the demo is “HTTP 418, what does it mean?”

HTTP status code 418 is ‘I’m a teapot’, so the flag is ‘I’m a teapot’.