ShadowCTF 2021 Write-up

valhalla

Cryptography – 50pts

Description

May the power of rune help you.

Solution

This is a futhark rune, so all we need to do is translate this to get the flag.

shadowCTF{odin was here}

Rick and morty on adventure

Cryptography – 50pts

Description

Rick and morty are on a hunt to find the flag.

Solution

This is a cipher from the TV-series Gravity Falls called Bill’s symbol substitution cipher.

When using this key to decode the text we get the flag.

shadowCTF{mortylikessnakejazz}

Monk

Cryptography – 50pts

Description

The flag is hidden in the temple can you find the flag using the scripture that we discovered a while ago….

Solution

This text is encoded using The Ciphers of the Monks.

Using this key to decipher the message we get the following values.

66 111 119 95 84 48 95 84 104 51 95 71 79 100

Converting the values to ASCII characters gets us the flag.

shadowCTF{Bow_T0_Th3_GOd}

What are Semaphores processes ?

Cryptography – 80pts

Description

I was working on some Semaphore programming and was in my night trousers. But code was lost?
The only thing that helped me cheer up was this Photo, Really cheering.
This man was outside my window. :p

Solution

This is a Semaphore trousers cipher. When we decode this we get the flag.

ShadowCTF{thankyouhacker}

DORAEMON

Cryptography – 100pts

Description

Nobita was talking to Doremi and discussing about Gian’s upcoming concerts music notes. They read RE O R LA MI M O N H LA DO K 3 RE.
Dig out whats in for you.

Solution

Here we have some music notes and regular characters, we can convert the music notes to regular characters using the following key.

DO C
RE D
MI E
FA F
SOL G
LA A
SI B

This gives us the flag.

ShadowCTF{D_O_R_A_E_M_O_N_H_A_C_K_3_D}

Colored….P

Cryptography – 100pts

Description

*Color no. Coded **

Solution

Here we have a message encoded with the Hexahue Alphabet. We can use the following key to get the flag.

ShadowCTF{HELL_CS}

Warm-up

Reverse Engineering – 50pts

Description

Ready for some warmup.

Solution

Executing strings Intro prints the flag.

shadowCTF{steppingstone}

Unchallenging

Reverse Engineering – 100pts

Description

The flag is in a cave, the mouth of which is sealed by a huge rock help alibaba to get the flag.

Solution

Executing strings unchallenging reveals both the flag and the password op3n_se5ame which is used to get the flag.

shadowCTF{Ar@b1an_night5}

Key2success

Reverse Engineering – 200pts

Description

What is your key to success………….. –>>>>>>

Solution

When we run strings key2sucess we can find the following strings in the output.

flag{NevH
er_stop_H
learningH

Constant_learning_is_the_key
Hey.
I have a flag for you...
But i need a key in return
Can you give me the key
Great. Well here is your key:
Hmm. This not the key.

Both the flag and the key to get the flag are revealed.

shadowCTF{Never_stop_learning}

Thirsty crow

Reverse Engineering – 300pts

Description

The crow is searching for flag, he needs your help.

Solution

This time strings won’t help us figuring out the flag. So lets disassemble the program and look around.

In the main function we can see that there is a conditional jump to the invalid input location.

Taking a look at the code at the correct path we find out that it generates the flag from a bunch of variables.

Lets find all values of the variables. Some are found at the start of the main function and some are found at the start of the correct value branch.

mov     dword ptr [rbp+part0], 'ihT'
mov     dword ptr [rbp+part1], 'ytr'
mov     dword ptr [rbp+part2], 'i5_'
mov     dword ptr [rbp+part3], 'r_x'
mov     word ptr [rbp+part4], '0'
mov     word ptr [rbp+part5], 'kc'
mov     dword ptr [rbp+part6], 'nis'
mov     dword ptr [rbp+part7], 'ht_'
mov     word ptr [rbp+part8], '_e'
mov     dword ptr [rbp+part9], 't0p'

Concatenating these values gives us the flag.

shadowCTF{Thirty_5ix_r0cksin_the_p0t}

Vault

Reverse Engineering – 400pts

Description

The flag is behind the vault can you break the locker and get the flag?

Solution

Lets start by disassembling the program to find out what it does. At the end of the main function we can see the following code.

So this will print a couple of variables and constants that is the flag. Lets find out what the values of format, part1, part2 and part3 are.

.text:00000000000011E5    mov     dword ptr [rbp+format], 'd@hs'
.text:00000000000011EC    mov     [rbp+var_53], 'w0'
.text:00000000000011F2    mov     [rbp+var_51], 0

.text:000000000000130D    mov     word ptr [rbp+part1], '{'

.text:0000000000001327    mov     rax, 'nisrever'
.text:0000000000001331    mov     qword ptr [rbp+part2], rax
.text:0000000000001338    mov     [rbp+var_99], 'g'

.text:0000000000001362    mov     word ptr [rbp+part3], '}'

So, format has the value sh@d0w, part1 has the value {, part2 has the value reversing and part3 has the value }. Now we can use those values and the others found in the flag printing code to get the flag.

shadowCTF{sh@d0w_reversing_rul3s}

Secure portal

Reverse Engineering – 500pts

Description

A Super Secure portal to challenge your skills.

Solution

For this challenge we have a Windows PE file. When we try to disassemble it we can see a lot of references to Python libraries and no interesting disassembly. So lets try to extract the contents of the file using pyinstxtractor.

python3 pyinstxtractor.py secure_portal\ \(1\).exe 

[*] Processing secure_portal (1).exe
[*] Pyinstaller version: 2.1+
[*] Python version: 37
[*] Length of package: 6199381 bytes
[*] Found 61 files in CArchive
[*] Beginning extraction...please standby
[*] Found 133 files in PYZ archive
[*] Successfully extracted pyinstaller archive: secure_portal (1).exe

You can now use a python decompiler on the pyc files within the extracted directory

Great! But when we take a look at the output we don’t have any interesting pyc files, but we have a file called qw (2) that we might want to take a closer look at. Lets run strings "qw (2)" and see what we can find.

Z	e	
UjBja190aDNfYkA1ZQ==
Ym9i
asciiz
What is the password?
That is the wrong password.)
base64
base64_message
base64_password
encode
base64_bytes
	b64decode
message_bytes
decode
message
password_bytes
passw
input
	userInput
print
z	qw (2).py
<module>

This looks like the code for the flag. Lets decode the base64 encoded string and see what it is.

echo "UjBja190aDNfYkA1ZQ==" | base64 -d
R0ck_th3_b@5e

We found the flag!

shadowCTF{R0ck_th3_b@5e}

Intel Expert

OSINT – 220pts

Description

You are a Cyber Threat Intel expert and you are supposed to find information about an Advanced Persistent Threat group code named as “Office 91”. Can you help find the city they are from.

Solution

Lets start by googling for advanced persistent threat “Office 91” and see what we can find out.

So Office 91 is a North Korean group. Lets change the search query to north korea “Office 91” city and take a look at the results.

So the city they are operating from is Pyongyang.

ShadowCTF{Pyongyang}

valhalla

Description

Solution

Rick and morty on adventure

Description

Solution

Monk

Description

Solution

What are Semaphores processes ?

Description

Solution

DORAEMON

Description

Solution

Colored….P

Description

Solution

Warm-up

Description

Solution

Unchallenging

Description

Solution

Key2success

Description

Solution

Thirsty crow

Description

Solution

Vault

Description

Solution

Secure portal

Description

Solution

Intel Expert

Description

Solution

Share this:

Related

Leave a Reply Cancel reply