Deal Breaking

Cryptography – 50pts

Description

Salva is the secretary of the CEO of a ROTech Pvt Ltd.
Today is an important day because the CEO is going to a meeting to sign a $13 Million Deal with another company.
When Salva went to the office, she finds that the CEO is lying unconscious on his chair. It seems like Salva
gave some wrong medicines to the CEO today. But now for the deal to happen, Salva needs to access the CEO’s laptop and send the details of the Deal to the Vice President.
The laptop was secured with the most modern security service.
One has to decrypt a random text to gain access to the laptop.

cnenprgnzbysbeurnqnpur

Solution

According to the hints in the description, this should be a ROT13-encoded string. Applying ROT13 to the string gives us the flag.

Trollcat{paracetamolforheadache}

Lost In Forest

Cryptography – 50pts

Description

Rohit one day went on a solo trip on an adventure to Amazon Forest in Brazil.
But unfortunately, on his adventure, he got lost in the vast Amazonian forest. His cellphone had no reception and even his compass was not working.
After travelling for 6 hours without food and water, he met a tribal man. He was the 64th Tribal Chief of Yanomano tribe of native Amazon.
Rohit was delighted to see him and ran straight to him for seeking help.
The tribal man agreed to help him but only on ONE condition.
That condition was to help the tribal man understand some random text
which was etched on a stone tablet for the last 1000 years!!!
The text etched on the stone tablet is given below :-

TWVyY3VyeVZlbnVzRWFydGhNYXJzSnVwaXRlclNhdHVyblVyYW51c05lcHR1bmU=

Help Rohit to decode this text. Who knows? It might also help you to find your flag 😉

Solution

We get a base64-encoded string; decoding it gives us the flag.

Trollcat{MercuryVenusEarthMarsJupiterSaturnUranusNeptune}

Show your Dedication

Cryptography – 50pts

Description

For the last 11 months, James has been practicing for 5000m Marathon World Championship which is to be organised in Virginia, USA. James has running in his GENES and he has already won many laurels in National Events, but this time he wants to win an international competition. But the day of the race was totally unexpected for him. Unlike normal races, in this race, all the participants were told to run separately and their individual time will be recorded. Yet, to his surprise again, there was another rule. The participants were not told about where the finishing line was. The judges handed out a paper to everyone which was encoded in some way and apparently this text had the destination of the race encoded in it. James is not very good in solving cryptics but he knew that the KEY to this race is RACE itself.

The content of the paper is given below :-

powv wlck zs JICLQaFRNH

Help James to decode the text and win the race.

Solution

Here we have some ciphertext that’s encrypted with a key, according to the hints in the description. When we decrypt the text with a Vigenère cipher and the key RACE, we get the text: your flag is HELLOwORLD.

Trollcat{HELLOwORLD}
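
The three decodings above (ROT13, base64 and Vigenère with the key RACE) can be reproduced with the following added example, which is not part of the original write-up. The function names are hypothetical; the inputs are the strings from the challenge descriptions.

```python
import base64
import string


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Subtract the key letter from each ciphertext letter (mod 26).

    Case is preserved and the key position only advances on letters, so
    spaces and punctuation pass through without consuming key material.
    """
    shifts = [string.ascii_lowercase.index(k) for k in key.lower()]
    out, pos = [], 0
    for ch in ciphertext:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = shifts[pos % len(shifts)]
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            pos += 1
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    # ROT13 is the Vigenere cipher with the one-letter key "N" (shift 13);
    # because 13 + 13 = 26, applying it twice returns the original text.
    return vigenere_decrypt(text, "N")


def decode_base64(text: str) -> str:
    # validate=True rejects characters outside the base64 alphabet
    return base64.b64decode(text, validate=True).decode("ascii")


if __name__ == "__main__":
    print(rot13("cnenprgnzbysbeurnqnpur"))
    print(decode_base64(
        "TWVyY3VyeVZlbnVzRWFydGhNYXJzSnVwaXRlclNhdHVyblVyYW51c05lcHR1bmU="))
    print(vigenere_decrypt("powv wlck zs JICLQaFRNH", "RACE"))
```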

Change my mind

Steganography – 100pts

Description

Change my mind

Solution

For this challenge we get a PNG image. Since it’s a PNG, let’s try zsteg.

b1,rgb,lsb,xy       .. text: "Trollcat{I_L0v3_Tr011C4t}"
b2,g,msb,xy         .. text: "PQDTAEDP"
b3,abgr,msb,xy      .. text: "h_pL_piW"
b4,r,msb,xy         .. text: "gf'sr`P531Ue"
b4,g,msb,xy         .. text: " e5EcBCw6@uarP3da"
b4,b,msb,xy         .. text: "wW32 RWd"
b4,rgb,msb,xy       .. text: "sv bqG@f"
b4,bgr,msb,xy       .. text: "&v#paBwF"
b4,abgr,msb,xy      .. text: "_xOaof/f?w"

There we have the flag.

Trollcat{I_L0v3_Tr011C4t}

Aliens Message

Steganography – 200pts

Description

A Space Agency has got an unknown audio signal; they captured it in a file. Help them to decode the message.

Solution

Now we get an audio file containing some music. Looking at the waveform, we can see that there’s something else in the middle of the audio file.

Listening to this part, we can hear what sounds like Morse code. Let’s extract this part and try to decode it as Morse code. When decoding it we get the following text.

Trollcat{TROLLCATCTFBROUGHTTOYOUBYCSCODERSHUB}

Forbidden

Forensics – 100pts

Description

Agent Troll received some file but is not able to read the data. Can you help us?

Solution

Attached is a file called trollcats.car. Running file trollcats.car just tells us that it’s data, so let’s try binwalk.

binwalk -e trollcats.car 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
50            0x32            bzip2 compressed data, block size = 900k

Great. We extracted some data; let’s take a look at what we got.

ls
32

cat 32
Trollcat{M0zilla_Archive_maaaarls}
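
What binwalk did here, signature carving for an embedded bzip2 stream, is shown in the following added example (not part of the original write-up). The sample blob is constructed to mimic the layout binwalk reported, a stream at offset 50 (0x32) with a 900k block size; the function names are hypothetical.

```python
import bz2

# A bzip2 stream starts with "BZh", a level digit 1-9 (block size in units
# of 100k), followed by the 6-byte block magic 0x314159265359.
BLOCK_MAGIC = bytes.fromhex("314159265359")


def carve_bzip2(blob: bytes):
    """Return (offset, block_size_k, decompressed) for each bzip2 stream found."""
    found = []
    pos = blob.find(b"BZh")
    while pos != -1:
        level = blob[pos + 3:pos + 4]
        if (level.isdigit() and level != b"0"
                and blob[pos + 4:pos + 10] == BLOCK_MAGIC):
            try:
                # The decompressor stops at end of stream, so bytes that
                # follow the embedded stream do not cause an error.
                data = bz2.BZ2Decompressor().decompress(blob[pos:])
                found.append((pos, int(level) * 100, data))
            except OSError:
                pass  # signature matched by chance, not a valid stream
        pos = blob.find(b"BZh", pos + 1)
    return found


def build_sample() -> bytes:
    # Constructed stand-in for trollcats.car: 50 bytes of unknown header,
    # a level-9 bzip2 stream, then trailing bytes.
    header = b"\x00" * 50
    return header + bz2.compress(b"constructed payload\n", 9) + b"trailer"


if __name__ == "__main__":
    for offset, block_k, data in carve_bzip2(build_sample()):
        print(f"{offset} 0x{offset:x} bzip2, block size = {block_k}k: {data!r}")
```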

Rich Orphan

Misc – 100pts

Description

Some rich orphan left me this file, find me the password !

Solution

Here we get a text file with the following contents.

sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
sys:x:3:3:sys:/dev:/bin/sh

Let’s try to crack the password with John the Ripper.

Loaded 1 password hash (md5crypt [MD5 32/64 X2])
Press 'q' or Ctrl-C to abort, almost any other key for status
batman           (sys)
1g 0:00:00:00 100% 2/3 7.142g/s 21435p/s 21435c/s 21435C/s batman..boris
Use the "--show" option to display all of the cracked passwords reliably
Session completed

We got the password batman for the sys user.

Trollcat{batman}

FREE WIFI

Networking – 316pts

Description

I left my raspberry at starbucks this morning, here is the captured traffic. Find me the Password of the wifi.

Solution

We get a packet capture file which contains captured WiFi data. Opening the capture in Wireshark, we can see that we have a complete four-way handshake, so we should be able to crack the password with aircrack-ng. Let’s run the following command and wait.

aircrack-ng hack1-01.cap -w /usr/share/wordlists/rockyou.txt

After a while we get the cracked password.

Aircrack-ng 1.6 

      [00:01:41] 1419069/14344392 keys tested (14205.89 k/s) 

      Time left: 15 minutes, 9 seconds                           9.89%

                    KEY FOUND! [ no1caredformelikejesus ]


      Master Key     : 4B F5 BE 98 7B B1 67 23 A9 CB 68 1C 88 50 76 9D 
                       7D CB 07 21 23 3F 2A 86 AD 26 D9 17 76 D2 16 E0 

      Transient Key  : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

      EAPOL HMAC     : C2 19 FE 8E 23 EA 7C 58 31 AE 90 B6 6A 33 D4 99

Trollcat{no1caredformelikejesus}

solver

Reverse Engineering – 477pts

Description

I love soluchan

Solution

Opening the attached binary in Ghidra we can find the following key check where param_1 is the entered key.

if (param_2 <= (ulong)(long)local_c) {
      if ((int)param_1[3] + (int)*param_1 == 100) {
        if ((int)param_1[0x12] + (int)param_1[1] == 0xd6) {
          if ((int)param_1[4] + (int)param_1[2] == 0xb2) {
            if ((byte)(param_1[6] ^ param_1[5]) == 0x4c) {
              if ((int)param_1[8] - (int)param_1[7] == 0x11) {
                if ((int)param_1[10] - (int)param_1[9] == 0x3b) {
                  if (((int)param_1[0xb] + (int)param_1[0xc]) - (int)param_1[0xd] == 0x45) {
                    if (((int)param_1[0xe] + (int)param_1[0xf]) - (int)param_1[0x10] == 0x1f) {
                      if (((int)param_1[0x11] + (int)param_1[0x10]) - (int)param_1[0x12] == 0x58) {
                        if ((byte)(param_1[0x15] ^ param_1[0x13] ^ param_1[0x14]) == 0x45) {
                          uVar1 = 1;
                        }

Using z3 we should be able to write a solver script to get a valid key using these constraints.

#!/usr/bin/env python3

from z3 import *

def printModel(model):
    found = []

    for idx in range(0, length):
        strVal = str(model[flag[idx]])
        found.append(chr(int(strVal)))

    print(''.join(found))

length = 0x16

s = Solver()
flag = [BitVec(f"flag_{i}", 8) for i in range(0, length)]

# Restrict every character to [0-9A-Za-z]: stay within 0x30..0x7a and
# exclude the punctuation between the digit, upper-case and lower-case ranges.
for i in range(0, length):
    s.add(flag[i] >= 0x30)
    s.add(flag[i] <= 0x7a)
    s.add(flag[i] != 0x3a)
    s.add(flag[i] != 0x3b)
    s.add(flag[i] != 0x3c)
    s.add(flag[i] != 0x3d)
    s.add(flag[i] != 0x3e)
    s.add(flag[i] != 0x3f)
    s.add(flag[i] != 0x40)
    s.add(flag[i] != 0x5b)
    s.add(flag[i] != 0x5c)
    s.add(flag[i] != 0x5d)
    s.add(flag[i] != 0x5e)
    s.add(flag[i] != 0x5f)
    s.add(flag[i] != 0x60)

s.add(flag[3] + flag[0] == 100)
s.add(flag[0x12] + flag[1] == 0xd6)
s.add(flag[4] + flag[2] == 0xb2)
s.add(flag[6] ^ flag[5] == 0x4c)
s.add(flag[8] - flag[7] == 0x11)
s.add(flag[10] - flag[9] == 0x3b)
s.add(flag[0xb] + flag[0xc] - flag[0xd] == 0x45)
s.add(flag[0xe] + flag[0xf] - flag[0x10] == 0x1f)
s.add(flag[0x11] + flag[0x10] - flag[0x12] == 0x58)
s.add(flag[0x15] ^ flag[0x13] ^ flag[0x14] == 0x45)

if s.check() == unsat:
    print("No solution found")
    exit(1)

printModel(s.model())

When we run the solver script we get the key 0lN4dz62C4ok2XE0VljHWZ. Let’s connect to the challenge server and try it out.

nc xxx.xxx.xxx.xxx 4444
Enter key: 0lN4dz62C4ok2XE0VljHWZ
Congrats here is your flag: Trollcat{z3_b4by}

Nested exploration

Web – 100pts

Description

Login 69 times and maybe you get lucky

Solution

The web page for this challenge consists only of a login form.

When logging in with any credentials we get two login forms, and each subsequent login adds another login form to the page. Checking the cookies, we can see that there’s a cookie called id that’s used by the page.

Changing the value of id tells the server how many login forms to render. When we change it to 68 and refresh the page we get the flag at the bottom of the page.

Trollcat{w3b_scr1pt3rs_b3w4re}
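
The underlying weakness is that the server trusts a counter stored in a client-controlled cookie. The following added example (not the challenge's server code) puts that pattern beside a hardened variant that only accepts counters carrying a valid HMAC tag. All function names and the server key are hypothetical, and the rule "forms rendered = id + 1, flag at 69 forms" is an assumption inferred from the behaviour described above.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-deployment secret
FORMS_FOR_FLAG = 69                   # assumption taken from the challenge text


def render_trusting(cookies: dict) -> dict:
    """Weak pattern: the form count comes straight from the client's cookie."""
    forms = int(cookies.get("id", "0")) + 1
    return {"forms": forms, "flag_shown": forms >= FORMS_FOR_FLAG}


def sign(counter: int) -> str:
    """Issue the counter together with an HMAC-SHA256 tag over its value."""
    tag = hmac.new(SERVER_KEY, str(counter).encode(), hashlib.sha256).hexdigest()
    return f"{counter}.{tag}"


def verify(cookie: str) -> int:
    """Return the counter if its tag is valid, otherwise fall back to 0."""
    value, _, tag = cookie.partition(".")
    if not (value.isascii() and value.isdigit()):
        return 0
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes operands accept any client-supplied text
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return int(value) if ok else 0


def render_signed(cookies: dict) -> dict:
    """Hardened pattern: only counters the server itself signed are honoured."""
    forms = verify(cookies.get("id", "")) + 1
    return {"forms": forms, "flag_shown": forms >= FORMS_FOR_FLAG}


def login(cookies: dict) -> dict:
    """One real login: the server increments and re-signs the counter."""
    return {"id": sign(verify(cookies.get("id", "")) + 1)}
```

Keeping the counter in server-side session state removes the need for the client to hold it at all; the signed cookie is the smallest change that stops an edited value from being accepted.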