File Bomb

Reverse Engineering – 475pts

Description

One of our members loves bombs, that is why this challenge exists. Your mission is to obtain the password which outputs the flag and defuses the bomb, but be careful activating the bomb.

Solution

Opening the attached binary in Ghidra we can take a look at the main function.

undefined8 main(int param_1,long param_2)

{
  print_menu();
  if (1 < param_1) {
    check_password(*(undefined8 *)(param_2 + 8));
                    /* WARNING: Subroutine does not return */
    exit(0);
  }
  file_bomb();
  return 0;
}

If we provide an argument to the program, it will call the check_password function; otherwise it will just run the file_bomb function. Let's take a look at the check_password function.

void check_password(undefined8 input)
{
  long i;
  undefined8 flag;
  undefined check_val [12];
  undefined local_23;
  undefined4 local_22;
  undefined2 local_1e;
  undefined local_1c;
  undefined4 encoded_check_val;
  undefined2 local_17;
  undefined local_15;
  int equal;
  int counter;
  int idx;
  
  encoded_check_val = 0x6d4b5969;
  local_17 = 0x7773;
  local_15 = 0;
  local_22 = 0x4f456548;
  local_1e = 0x4165;
  local_1c = 0;
  idx = 0;
  counter = 5;
  while (-1 < counter) {
    i = (long)idx;
    idx = idx + 1;
    check_val[i] = *(undefined *)((long)&local_22 + (long)counter);
    i = (long)idx;
    idx = idx + 1;
    check_val[i] = *(undefined *)((long)&encoded_check_val + (long)counter);
    counter = counter + -1;
  }
  local_23 = 0;
  equal = compare_strings(input,check_val,check_val);
  if (equal == 0) {
    file_bomb();
  }
  else {
    puts("Bomb defused :D");
    flag = base64_decode(Flag);
    xor(flag,input,flag);
  }
  return;
}

After some cleaning up we can take a look at what the function does.

At the start of the function we have two strings assigned, encoded_check_val and local_22. It then creates the string check_val by taking the chars of each of the assigned strings, walking both from the last byte to the first, and appending them alternately to check_val.

Then it compares the input to the created check_val string. If it's valid it prints out the decoded flag; if not, it runs the function file_bomb. So we should be able to recreate the correct value and run the program to get the flag. Let's write a small Python script to decode the value.

#!/usr/bin/env python3

import struct

encoded1 = struct.pack('<IH', 0x4f456548, 0x4165)
encoded2 = struct.pack('<IH', 0x6d4b5969, 0x7773)
decoded = ''

counter = 5
idx = 0

while -1 < counter:
    decoded += chr(encoded1[counter])
    decoded += chr(encoded2[counter])
    counter -= 1

print(decoded)

Running this gives us the decoded password AwesOmEKeYHi. Running the program with the password gives us the flag.

./FileBomb AwesOmEKeYHi
File bomb countdown...
10
9
8
7
6
5
4
3
2
1
0
Bomb defused :D
NETON{DOING_IT_WAS_HARDER}p:18

Infiltration

Forensics – 183pts

Description

Someone has hacked into our school! Try to find out what happened.

Solution

When we open the provided pcap file in Wireshark, we can see a bunch of HTTP packets. Opening the Export HTTP Objects dialog, we can see that some objects were captured.

When we save all objects we can find the flag in one of the action.php files.

cat action*
Wrong Credentials!email=neton%40neton.neton&password=NetoNiaNo<!DOCTYPE html>
<html lang="es">
    <head>
        <title>IES</title>
        <meta charset="utf-8">
        <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4.5.3/dist/css/bootstrap.min.css" integrity="sha384-TX8t27EcRE3e/ihU7zmQxVncDAy5uIKz4rEkgIXeMed4M0jlfIDPvg6uqKI2xXr2" crossorigin="anonymous">
        https://code.jquery.com/jquery-3.5.1.slim.min.js
        https://cdn.jsdelivr.net/npm/popper.js@1.16.1/dist/umd/popper.min.js
        https://cdn.jsdelivr.net/npm/bootstrap@4.5.3/dist/js/bootstrap.min.js
        <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
        <meta name="viewport" content="width=device-width, initial-scale=1">
    </head>
    <body class="bg-dark">
        <div class="container-fluid" style="height: 100vh;">
            <div class="row" style="padding-top: 20%;">
                <div class="col-12 text-center">
                    <h1 class="display-1 text-white">NETON{N1c3_4n4l1s1s!}</h1>
                </div>
            </div>
        </div>
    </body>
</html>
email=potato%40ies.com&password=super_password
NETON{N1c3_4n4l1s1s!}

Picasso01

Forensics – 225pts

Description

I have left a secret file in a place you will never find!

Solution

Here we have a memdump. Running strings -n 8 dump.raw | grep NETON we can find the flag in the output.

NETONCTFJt
C:_USERS_NETONCTF_APPDATA_LOCAL_COMMS_UNISTOREDB_STORE.VOLw
NETON{7h15_w1ll_n07_b3_7h3_ncl}
NETON{7h15_w1ll_n07_b3_7h3_ncl}
NETON{7h15_w1ll_n07_b3_7h3_ncl}

Lost in Lab

Forensics – 479pts

Description

Last week I went into the computers lab and I found a usb drive. I would like to return it to its owner but I do not know who it is. I made a disk image of its contents.

Would you help me find out who was the last owner?

Solution

For this challenge we get a file called challenge.001. Running file challenge.001 tells us that it's a disk image.

challenge.001: DOS/MBR boot sector, code offset 0x58+2, OEM-ID "MSDOS5.0", sectors/cluster 8, reserved sectors 38, Media descriptor 0xf8, sectors/track 63, heads 255, sectors 7864320 (volumes > 32 MB), FAT (32 bit), sectors/FAT 7665, serial number 0x384328, label: "DISK_IMG   "

Let's open the image in Autopsy and see what we can find. If we take a look at the text files it found, we see a file called mail.txt.

Dear Mr. Walter, 
Good afternoon, I'm a student of group B, and I have just submited the practice results of  this morning. 
As you asked in the classs, I submited the .zip archive with the excel file on it with the results. 
But, before submitting I forgot to read the last part of the instruccions so I didn’t put my name on the name of the Excel file, 
although the Excel file does have my name since I’m the author of it.

So we are looking for a zip file containing an Excel file. Taking a look at the filesystem we find a zip file in the Alumno folder.

Extracting the file from the image and unzipping it reveals that it’s password protected.

unzip LabPractice.zip 
Archive:  LabPractice.zip
[LabPractice.zip] LabPractice.xlsx password:

Taking a look at the deleted files we can find a file called _assword.txt which contains the text password=PrequelIsBetter. Using this as the password for the zip we get a file called LabPractice.xlsx.

To get the author of the Excel file we can run exiftool and look for the Creator field.

Creator                         : Sifo Dyas
NETON{Sifo Dyas}

Picasso02

Forensics – 496pts

Description

In my free time I love to draw, it’s one of my passions 🙂

Solution

This challenge uses the same memory dump as Picasso01. First let's check which processes were running using Volatility3. When running python3 vol.py -f dump.raw windows.pslist.PsList we can see that mspaint.exe was running.

6376	2684	mspaint.exe	0x8484d3d1c340	5	-	1	False	2021-02-04 14:08:06.000000 	N/A	Disabled

Let's dump the memory of the process and see if we can recover some image data.

python3 vol.py -f dump.raw windows.vadinfo.VadInfo --pid 6376 --dump

Now we have a bunch of dmp files. We can open those as raw image data in gimp and see if we find something. After checking a couple of files we finally find something interesting.

Looks like the flag!

NETON{p4int_g0d}

PawN PawN

Cryptography – 188pts

Description

A king found these files on his wife’s usb drive. Can you help us discover the secret message?

Solution

For this challenge we get two files, a zip file and an audio file. The zip file is password protected. Listening to the audio we find out that it’s morse code. When running it through a decoder we get the following message.

Using the password 75757575 we can unzip the zip file, which gives us a text file called pawned.txt.

8/1P4P1/1PP3P1/1P1P2P1/1P2P1P1/1P3PP1/1P4P1/8 w - - 0 1
8/1PPPPP2/1P6/1P6/1PPPPP2/1P6/1PPPPP2/8 w - - 0 1
8/1PPPPPP1/1PPPPPP1/3PP3/3PP3/3PP3/3PP3/8 w - - 0 1
8/1PPPPPP1/1P4P1/1P4P1/1P4P1/1P4P1/1PPPPPP1/8 w - - 0 1
8/1P4P1/1PP3P1/1P1P2P1/1P2P1P1/1P3PP1/1P4P1/8 w - - 0 1
5P2/3PP3/3P4/3P4/2PP4/3P4/3PP3/5P2 w - - 0 1
8/1PPPPPP1/1P6/1P6/1P6/1P6/1PPPPPP1/8 w - - 0 1
8/1P4P1/1P4P1/1PPPPPP1/1P4P1/1P4P1/1P4P1/8 w - - 0 1
8/1PPPPPP1/1P6/1P6/1PPPPPP1/1P6/1PPPPPP1/8 w - - 0 1
8/1PPPPPP1/1P6/1P6/1P6/1P6/1PPPPPP1/8 w - - 0 1
8/1P2P3/1P1P4/1PP5/1P1P4/1P2P3/1P3P2/8 w - - 0 1
8/8/8/8/8/8/1PPPPPP1/8 w - - 0 1
8/1P4P1/1PP2PP1/1P1PP1P1/1P1PP1P1/1P4P1/1P4P1/8 w - - 0 1
8/3PP3/2P2P2/1P4P1/1PPPPPP1/1P4P1/1P4P1/8 w - - 0 1
8/1PPPPPP1/1PPPPPP1/3PP3/3PP3/3PP3/3PP3/8 w - - 0 1
8/1PPPPP2/1P6/1P6/1PPPPP2/1P6/1PPPPP2/8 w - - 0 1
3P4/4PP2/5P2/5P2/5PP1/5P2/4PP2/3P4 w - - 0 1

These look like chess board setups. Using an online tool to render the board setups, we can see that each line draws one character of the flag.

After processing each line we get the flag.

NETON{CHECK_MATE}
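The lines in pawned.txt are chess positions in FEN notation, so the boards can also be rendered offline. The following is an added example, not part of the original write-up; the function names are hypothetical and the two sample lines are copied from the list above.

```python
#!/usr/bin/env python3
# Added example: expand FEN piece-placement fields into 8x8 grids so the
# pawn pattern on each board can be read as one glyph.

# Two lines copied from pawned.txt as shown on the page (they draw 'N' and '{').
SAMPLE_FENS = [
    "8/1P4P1/1PP3P1/1P1P2P1/1P2P1P1/1P3PP1/1P4P1/8 w - - 0 1",
    "5P2/3PP3/3P4/3P4/2PP4/3P4/3PP3/5P2 w - - 0 1",
]


def fen_to_rows(fen, empty=".", filled="#"):
    """Return the board as 8 strings of 8 cells, top rank first."""
    placement = fen.split()[0]          # first field is the piece placement
    ranks = placement.split("/")
    if len(ranks) != 8:
        raise ValueError(f"expected 8 ranks, got {len(ranks)}")
    rows = []
    for rank in ranks:
        cells = []
        for ch in rank:
            if ch in "12345678":        # a digit is a run of empty squares
                cells.append(empty * int(ch))
            elif ch.isalpha():          # any piece letter marks a filled square
                cells.append(filled)
            else:
                raise ValueError(f"unexpected character {ch!r} in rank {rank!r}")
        row = "".join(cells)
        if len(row) != 8:               # reject ranks that do not cover 8 files
            raise ValueError(f"rank {rank!r} covers {len(row)} files")
        rows.append(row)
    return rows


def render(fens):
    """Render every board, separated by a blank line."""
    return "\n\n".join("\n".join(fen_to_rows(fen)) for fen in fens)


if __name__ == "__main__":
    print(render(SAMPLE_FENS))
```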

Weak xor

Cryptography – 239pts

Description

Will you be able to break the cipher and obtain the flag?

Solution

We get an encrypted flag and the script used to encrypt the flag. Checking out the flag, we get a hex string.

Flag : 5bbed19a19234dcbf78a3e0b4abcb5e5330721a4b5a3322a7397b5a22a

Let's check out the Python script used to encrypt the flag.

#!/usr/bin/python3
import os
flag = open('flag.txt', 'r').read().strip().encode()
key = os.urandom(6)
xored = b''
for i in range(len(flag)):
    xored += bytes([flag[i] ^ key[i % len(key)]])
print(f"Flag : {xored.hex()}")

So the flag is XORed with six random bytes that repeat over the whole message, but since we know that the first six chars of the flag are NETON{ we can recover the bytes used to encrypt the flag.

#!/usr/bin/env python3

crib = b'NETON{'
encoded_flag = bytearray.fromhex('5bbed19a19234dcbf78a3e0b4abcb5e5330721a4b5a3322a7397b5a22a')
key = ''
flag = ''

for idx in range(0, len(crib)):
    key += chr(crib[idx] ^ encoded_flag[idx])

for idx in range(0, len(encoded_flag)):
    flag += chr(encoded_flag[idx] ^ ord(key[idx % len(key)]))

print(flag)

Running this script gives us the flag.

NETON{X0r_iS_G00d_4_0verfl0w}

BritishScientific

Cryptography – 242pts

Description

An old british scientific is trying to help you with this CTF, he only sent you one of his famous quotes. It seems that he has encrypted a message, it could be the flag.

He always signs with his name and surname…

Solution

We have a text file containing a quote and an encrypted message.

Viewing the laws of the electric circuit from the point at which 
the labours of Ohm has placed us, there is scarcely any branch of 
experimental science in which so many and such various phenomena 
are expressed by formulae of such simplicity and generality...

QRRXDRPCKESRSNSWWY

A quick Google search for the quote reveals the name of the scientist, Charles Wheatstone. We also find out that he invented a cipher called the Playfair cipher. Using this information, we can decrypt the message using the Playfair cipher with the key CHARLESWHEATSTONE to get the flag.

NETON{PLAYFAIRISTHEBESTX}
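The decryption step described above, as an added example that is not part of the original write-up. It assumes the common Playfair conventions (5x5 square, J merged into I, key letters first and the rest of the alphabet after); the function names are hypothetical.

```python
#!/usr/bin/env python3
# Added example: Playfair decryption of the page's ciphertext with the
# page's key. Conventions assumed: 5x5 square, J folded into I.

ALPHABET = "ABCDEFGHIKLMNOPQRSTUVWXYZ"   # 25 letters, no J


def build_square(key):
    """Key letters in order of first appearance, then the unused letters."""
    square = []
    for ch in key.upper().replace("J", "I") + ALPHABET:
        if ch in ALPHABET and ch not in square:
            square.append(ch)
    return square                        # row-major list of 25 letters


def playfair_decrypt(ciphertext, key):
    square = build_square(key)
    pos = {ch: divmod(i, 5) for i, ch in enumerate(square)}   # letter -> (row, col)
    letters = [c for c in ciphertext.upper().replace("J", "I") if c in ALPHABET]
    if len(letters) % 2:
        raise ValueError("Playfair ciphertext must contain an even number of letters")
    out = []
    for a, b in zip(letters[0::2], letters[1::2]):
        (ra, ca), (rb, cb) = pos[a], pos[b]
        if ra == rb:                     # same row: take the letter to the left
            out.append(square[ra * 5 + (ca - 1) % 5])
            out.append(square[rb * 5 + (cb - 1) % 5])
        elif ca == cb:                   # same column: take the letter above
            out.append(square[((ra - 1) % 5) * 5 + ca])
            out.append(square[((rb - 1) % 5) * 5 + cb])
        else:                            # rectangle: swap the columns
            out.append(square[ra * 5 + cb])
            out.append(square[rb * 5 + ca])
    return "".join(out)


if __name__ == "__main__":
    key = "CHARLESWHEATSTONE"
    square = build_square(key)
    for row in range(5):
        print(" ".join(square[row * 5:row * 5 + 5]))
    print(playfair_decrypt("QRRXDRPCKESRSNSWWY", key))
```

The trailing X in the result is the padding letter Playfair adds to complete the last pair.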

Facts Br0!

Cryptography – 244pts

Description

Not everything should be public.

Solution

For this challenge we get an encrypted flag and a public key.

The flag is : 264927351071199256392067715088101727274736234498820
-----BEGIN PUBLIC KEY-----
MDEwDQYJKoZIhvcNAQEBBQADIAAwHQIWAN4vdj9ZJ337BgYayd9cb2tF0QoJAwID
AQAB
-----END PUBLIC KEY-----

When recovering n and e from the public key we get the following values.

n = 324724323060034233289551751185171379596941511493891
e = 65537

Factoring n we get the values for p and q.

p = 25001545096244227516337
q = 12988170203481337861511552243

Now we have all that we need to decrypt the flag.

#!/usr/bin/env python3

from Crypto.Util.number import inverse

c = 264927351071199256392067715088101727274736234498820
n = 324724323060034233289551751185171379596941511493891
e = 65537
p = 25001545096244227516337
q = 12988170203481337861511552243

phi = (p - 1) * (q - 1)
d = inverse(e, phi)

m = pow(c, d, n)

print(bytes.fromhex(hex(m)[2:]).decode('utf-8'))

Running this script returns the flag.

NETON{3z_F4ct0rs}
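The write-up does not show how n and e were recovered from the public key. The following added example (not part of the original write-up; function names are hypothetical) walks the DER structure of the PEM block above with the standard library only and reports the modulus size, which is what makes factoring practical here.

```python
#!/usr/bin/env python3
# Added example: minimal DER walk of a SubjectPublicKeyInfo holding an RSA key.
import base64

# PEM block copied from the challenge text above.
PEM_KEY = """-----BEGIN PUBLIC KEY-----
MDEwDQYJKoZIhvcNAQEBBQADIAAwHQIWAN4vdj9ZJ337BgYayd9cb2tF0QoJAwID
AQAB
-----END PUBLIC KEY-----"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1


def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low 7 bits = count of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def expect(tag, wanted, what):
    if tag != wanted:
        raise ValueError(f"expected {what} (tag 0x{wanted:02x}), got 0x{tag:02x}")


def parse_rsa_public_key(pem):
    """Return (n, e) from a PEM-encoded SubjectPublicKeyInfo."""
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64)

    tag, spki, _ = read_tlv(der, 0)
    expect(tag, 0x30, "SubjectPublicKeyInfo SEQUENCE")
    tag, algorithm, pos = read_tlv(spki, 0)
    expect(tag, 0x30, "AlgorithmIdentifier SEQUENCE")
    tag, oid, _ = read_tlv(algorithm, 0)
    expect(tag, 0x06, "algorithm OID")
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("key is not rsaEncryption")

    tag, bits, _ = read_tlv(spki, pos)
    expect(tag, 0x03, "BIT STRING")
    if bits[0] != 0:                     # first byte = number of unused bits
        raise ValueError("unexpected unused bits in BIT STRING")

    tag, rsa_key, _ = read_tlv(bits[1:], 0)
    expect(tag, 0x30, "RSAPublicKey SEQUENCE")
    tag, n_bytes, pos = read_tlv(rsa_key, 0)
    expect(tag, 0x02, "modulus INTEGER")
    tag, e_bytes, _ = read_tlv(rsa_key, pos)
    expect(tag, 0x02, "exponent INTEGER")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


if __name__ == "__main__":
    n, e = parse_rsa_public_key(PEM_KEY)
    print(f"n = {n}")
    print(f"e = {e}")
    print(f"modulus size: {n.bit_length()} bits")
```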

Not Morse

Cryptography – 249pts

Description

I’m hungry

Solution

For this challenge we get the following message.

oH Hello My fEllOw cTF pLaYEr, i heARD tHat you aRE seaRChiNg foR Some flaGs... im afraiD yoU WoNt FInd Them.

Looks like a Bacon cipher. Decrypting the message using a Bacon cipher we get the flag.

NETON{HIDDENBACON}
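An added example, not part of the original write-up, that decodes the message above with letter case as the Bacon bit. The mapping (lowercase = a, uppercase = b) and the 24-letter alphabet are assumptions checked against the flag the page reports; the 26-letter variant produces different text, which the block also shows.

```python
#!/usr/bin/env python3
# Added example: Bacon cipher hidden in letter case.

# Message copied from the challenge text above.
MESSAGE = ("oH Hello My fEllOw cTF pLaYEr, i heARD tHat you aRE seaRChiNg "
           "foR Some flaGs... im afraiD yoU WoNt FInd Them.")

BACON24 = "ABCDEFGHIKLMNOPQRSTUWXYZ"      # classic table: I/J and U/V share a code
BACON26 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"    # modern table: one code per letter


def case_bits(text):
    """One bit per letter: 0 for lowercase, 1 for uppercase; other characters are skipped."""
    return [1 if ch.isupper() else 0 for ch in text if ch.isalpha()]


def bacon_decode(text, alphabet=BACON24):
    bits = case_bits(text)
    out = []
    # Walk complete groups of five bits; a short trailing group is cover text.
    for start in range(0, len(bits) - len(bits) % 5, 5):
        value = 0
        for bit in bits[start:start + 5]:
            value = (value << 1) | bit
        out.append(alphabet[value] if value < len(alphabet) else "?")
    return "".join(out)


if __name__ == "__main__":
    print("24-letter table:", bacon_decode(MESSAGE, BACON24))
    print("26-letter table:", bacon_decode(MESSAGE, BACON26))
```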

Picnicnic

Web – 222pts

Description

Today we are launching the NETON picnic! Try our best donuts and cookies on our website.

Solution

When loading the web page we see some pictures of cookies.

We don’t have any inputs or anything like that. Checking out the cookies we can see a cookie with the name flag and the value TkVUT057MHV. Base64 decoding the value we get what looks like the first part of the flag, NETON{0u.

Refreshing the page gives us a new value for the flag cookie, and if we refresh the page a total of four times we have four parts of the base64 encoded flag, TkVUT057MHVyX2MwMGtpZVNfNHJlXzR3ZXMwbWUhfQ==. Decoding this returns the flag.

NETON{0ur_c00kieS_4re_4wes0me!}

Let me in!

Web – 245pts

Description

Find the way to read the flag.

Solution

All we see on the challenge page is a link.

When clicking on the link we get redirected back to the index page. Let's intercept the response in Burp.

GET /flag.php HTTP/1.1

HTTP/1.1 302 Found
Date: Sat, 06 Mar 2021 00:01:44 GMT
Server: Apache/2.4.38 (Debian)
Set-Cookie: PHPSESSID=qv8rv681f74oacaeaqt2i314p5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: index.php
Content-Length: 387
Connection: close
Content-Type: text/html; charset=UTF-8


<html>
	<head>
		<title>Try to catch the flag!</title>
	</head>
	<body>
		<form method="POST">
			<p>
				<label for="captcha">Please Enter the Captcha Text</label><br />
				<img src="captcha.php" alt="CAPTCHA" class="captcha-image">
			</p>
			<p>
				<input type="text" id="captcha" name="captcha_challenge">
				<input type="submit" value="Send">
			</p>
		</form>
	</body>
</html>

So we have a form with a captcha. Opening the captcha.php page we get a captcha image.

If we use this captcha value and the PHPSESSID from the browser and make a POST request to flag.php, we get the following response.

POST /flag.php HTTP/1.1
Host: 167.99.129.209:8002
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Connection: close
Cookie: PHPSESSID=ccg2pr7atoe1rsulr7nroe9n4q
Content-Type: application/x-www-form-urlencoded
Content-Length: 24

captcha_challenge=zMH1I9
HTTP/1.1 302 Found
Date: Sat, 06 Mar 2021 00:01:07 GMT
Server: Apache/2.4.38 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: index.php
Content-Length: 460
Connection: close
Content-Type: text/html; charset=UTF-8

Nice evade! Take the flag: <b>NETON{7c49af83a2a68304273a8d330cebd93c}</b>
<html>
	<head>
		<title>Try to catch the flag!</title>
	</head>
	<body>
		<form method="POST">
			<p>
				<label for="captcha">Please Enter the Captcha Text</label><br />
				<img src="captcha.php" alt="CAPTCHA" class="captcha-image">
			</p>
			<p>
				<input type="text" id="captcha" name="captcha_challenge">
				<input type="submit" value="Send">
			</p>
		</form>
	</body>
</html>

Great! We got the flag.

NETON{7c49af83a2a68304273a8d330cebd93c}

Grades

Web – 486pts

Description

The end-of-course grades are already available on the UPV website, but apparently a hacker has managed to modify his own grade and randomize the others. He has also encrypted the names of all the students to make it more difficult to identify him, we need your skills to catch him.

Solution

Here we have an index.html file containing some encrypted names and randomized grades.

Taking a look at the source we find an array of the names used to generate the encrypted output, we also find a static table entry.

<tbody>
    <tr class="upv_listanon"><td class="alignleft">nUK<,IDt-.bvKL|./EO$%;k}@_</td><td class="alignleft">1337</td></tr>
</tbody>

This is most likely the value we want to decrypt.

Checking out the script we can find an encryption function.

function encrypt(_0x40a681) {
    var _0x16b830 = 0x20, _0x561689 = 0x5e, _0x3db275 = 0x0, _0x38a41d = '';
    for (var _0x278871 = 0x0; _0x278871 < _0x40a681['length']; _0x278871++) {
        _0x38a41d = _0x38a41d + String['fromCharCode']((_0x40a681['charCodeAt'](_0x278871) + _0x3db275) % _0x561689 + _0x16b830), _0x3db275 = _0x3db275 + _0x40a681['charCodeAt'](_0x278871);
    }
    return _0x38a41d;
}

Cleaning up the obfuscated code a bit we end up with the following function.

function encrypt(name) {
    var min = 0x20, max = 0x5e, acc = 0x0, encrypted = '';
    for (var idx = 0x0; idx < name.length; idx++) {
        var added = (name.charCodeAt(idx) + acc);
        var modulus = added % max + min;
        encrypted = encrypted + String.fromCharCode(modulus);
        acc = acc + name.charCodeAt(idx);
    }
    return encrypted;
}

So the names are encrypted using some static values and an accumulator of the original character values. Let's try to reverse this using Python.

#!/usr/bin/env python3

mod = 0x5e
add = 0x20
acc = 0

encrypted = 'nUK<,IDt-.bvKL|./EO$%;k}@_'

decrypted = ''

acc = 0

for idx in range(0, len(encrypted)):
    curr_char = ord(encrypted[idx]) - add - acc
    acc += curr_char
    if (curr_char < add):
        curr_char += mod

    decrypted += chr(curr_char)

print(decrypted)

When running this script we get NETON{Y0_4r3_0_th3_t0p!} which is missing two characters from the encrypted input. But we got enough to figure out the missing characters of the flag.

NETON{Y0u_4r3_0n_th3_t0p!}
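The two characters are lost because the script above adds the modulus at most once, while the difference it computes can be as low as -93. The following added example (not part of the original write-up; function names are hypothetical) reduces modulo 0x5e first and then maps the residue back into the printable range, assuming every plaintext character lies in 0x20..0x7d.

```python
#!/usr/bin/env python3
# Added example: exact inverse of the page's encrypt() and a comparison with
# the single-wrap approach used in the write-up's solver.

MOD, BASE = 0x5E, 0x20                        # constants from encrypt()
CIPHERTEXT = "nUK<,IDt-.bvKL|./EO$%;k}@_"     # static table entry from the page


def encrypt(name):
    """Python port of the de-obfuscated JavaScript encrypt()."""
    acc, out = 0, []
    for ch in name:
        code = ord(ch)
        out.append(chr((code + acc) % MOD + BASE))
        acc += code
    return "".join(out)


def decrypt(enc):
    """Invert encrypt(), assuming plaintext characters in 0x20..0x7d."""
    acc, out = 0, []
    for ch in enc:
        code = (ord(ch) - BASE - acc) % MOD   # residue 0..93, never negative
        if code < BASE:                       # residues 0..31 stand for 94..125
            code += MOD
        out.append(chr(code))
        acc += code                           # accumulate the real character code
    return "".join(out)


def decrypt_single_wrap(enc):
    """Port of the write-up's loop: no modular reduction, MOD added at most once."""
    acc, out = 0, []
    for ch in enc:
        code = ord(ch) - BASE - acc           # can be as low as -93
        acc += code
        if code < BASE:
            code += MOD                       # -71 + 94 = 23: still a control character
        out.append(chr(code))
    return "".join(out)


def dropped_positions(enc):
    """Indexes where the single-wrap result differs from the exact inverse."""
    exact, lossy = decrypt(enc), decrypt_single_wrap(enc)
    return [i for i, (a, b) in enumerate(zip(exact, lossy)) if a != b]


if __name__ == "__main__":
    print(decrypt(CIPHERTEXT))
    for i in dropped_positions(CIPHERTEXT):
        print(i, repr(decrypt_single_wrap(CIPHERTEXT)[i]), "->", decrypt(CIPHERTEXT)[i])
```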

Caesar’s Secret

OSINT – 163pts

Description

After years of research, we have managed to find the best kept secret of one of the most powerful men of ancient Rome, the great Julius Caesar.

But we have a problem, we are not able to find the password to open the .zip file and we need your help. We have found his Twitter account: https://twitter.com/EOTREOO

Maybe there is a clue of how to find the password….

Solution

So we got a password protected zip we need to unzip. According to the description the Twitter account may hold some clues on how to find the password. Let's take a look at the Twitter account.

So some of the tweets are deleted. Let's see if there’s anything stored on the Wayback Machine.

One snapshot is found for February 19. Taking a look at the snapshot we can see Julius Caesar’s old profile for the account.

The last text in the profile bio looks interesting, using rot11 on HjqbxiPcndct returns SubmitAnyone. When we use this as the password for the zip file we can unzip it and get a text file.

The secret is that there are 10 types of people in the world, those who know binary and those who do not.


flag: 01001110 01000101 01010100 01001111 01001110 01111011 01001010 01110101 01101100 01101001 01110101 01110011 01000011 01100001 01100101 01110011 01100001 01110010 01111101

Now we have the flag binary encoded, decoding it returns the flag.

NETON{JuliusCaesar}

Run Run Run

Coding – 215pts

Description

How fast can you resolve it and encode the result in MD5?

Solution

For this challenge we get a web page with an equation and an input field.

The task is to enter the MD5 hash of the result of the equation. Following is a script to do this.

#!/usr/bin/env python3

import requests
from lxml import html
import hashlib

target = 'http://167.99.129.209:7777/'

r = requests.get(target)
session = r.cookies['PHPSESSID']

tree = html.fromstring(r.content)
calc = tree.xpath('/html/body/form/div/h3/text()')
result = str(eval(calc[0]))

md5hash = hashlib.md5(result.encode()).hexdigest()

cookies = dict(PHPSESSID=session)

r = requests.post(target, data = {'md5':md5hash}, cookies=cookies)

print(r.text)

When we run this we get a response with the flag.

NETON{ScR1pT1ng_5a9522b8a3a9d3e2a3bf373803fa8e6c}
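The script above passes text taken from the server's response straight to eval(), which runs whatever Python the remote page supplies on the solver's machine. The following added example (not part of the original write-up) evaluates the expression through a whitelist of arithmetic syntax nodes instead; the function names are hypothetical and the sample expressions are constructed, since the page does not show the challenge's exact equation format.

```python
#!/usr/bin/env python3
# Added example: evaluate an untrusted arithmetic expression without eval().
import ast
import hashlib
import operator

# Only these operators are accepted. Exponentiation is left out on purpose:
# an expression like 9**9**9 would tie up CPU and memory.
BINARY_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
}
UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def safe_arith(expr, max_len=200):
    """Evaluate +, -, *, /, //, % over numeric literals; reject everything else."""
    if len(expr) > max_len:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not a valid expression: {exc.msg}") from None

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in BINARY_OPS:
            return BINARY_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
            return UNARY_OPS[type(node.op)](walk(node.operand))
        # Names, calls, attributes, subscripts, strings, ... all end up here.
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)


def answer_hash(expr):
    """MD5 of the decimal string of the result, as the challenge form expects."""
    return hashlib.md5(str(safe_arith(expr)).encode()).hexdigest()


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["3 * (4 + 5) - 2", "__import__('os').getcwd()"]:
        try:
            print(sample, "->", safe_arith(sample), answer_hash(sample))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```

In the original script, `result = str(eval(calc[0]))` would become `result = str(safe_arith(calc[0]))`.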

Step by step

Coding – 239pts

Description

Code to get your flag

Solution

For this challenge we get a web page with an input field.

Entering something in the field returns either Sorry, wrong flag! or Hey, you are a bit close than before!. Testing with different characters and the known start of the flag, NETON, we can assume that we get the Hey… message when the input is a substring of the flag string. Let's write a script to see what we can get from the page.

#!/usr/bin/env python3

import requests
import string

target = 'http://167.99.129.209:7788/index.php'

invalid_char_message = 'Sorry, wrong flag!'
correct_char_message = 'Hey, you are a bit close than before!'
found = False

flag = ''

while not found:
    for char in string.printable:
        test_flag = flag + char
        r = requests.post(target, data = {'flag':test_flag})
        if correct_char_message in r.text:
            print('found char', char)
            flag += char
            break
    else:
        # No candidate extended the match, so the end of the string is reached
        found = True

    print(flag)

When we run this script we end up with the text 0uLD_b3_vUln3rAbL3 remember to close it inside NETON{}. So it seems that we found something beginning in the middle of the original string. Let's modify our script to retrieve the other characters.

#!/usr/bin/env python3

import requests
import string

target = 'http://167.99.129.209:7788/index.php'

invalid_char_message = 'Sorry, wrong flag!'
correct_char_message = 'Hey, you are a bit close than before!'
found = False

flag = '0uLD_b3_vUln3rAbL3'

while not found:
    for char in string.printable:
        test_flag = char + flag
        r = requests.post(target, data = {'flag':test_flag})
        if correct_char_message in r.text:
            print('found char', char)
            flag = char + flag
            break
    else:
        # No candidate extended the match, so the start of the string is reached
        found = True

    print(flag)

After running this script we get the string The flag is: SuBsTr1nGs_4r3_FuN_4nD_C0uLD_b3_vUln3rAbL3.

NETON{SuBsTr1nGs_4r3_FuN_4nD_C0uLD_b3_vUln3rAbL3}

Winter

Steganography – 218pts

Description

Kevin wasn’t able to deliver personally his message due to heavy snows, so he decided to hide it on this file.

Solution

Attached is a text file containing a message, opening the file in a hex editor we can see that it contains a lot of white-space characters.

With this and the hints from the description we can assume that the tool used to hide data is stegsnow.

When we use stegsnow to recover the hidden message we get the flag.

NETON{wh1t3_spac3_tr1cks}

Step by step

Steganography – 250pts

Description

My friend wanted to send me a password but he only sent me one image. Can you help me?

Solution

Attached is a completely gray bmp image. Opening the image in StegSolve we find a code at red plane 1.

If we use that code with steghide to extract data we get a file called xd.txt.

Running file xd.txt reveals that it’s not a text file, it’s a GIF image. Opening the image reveals nothing interesting. When we run strings xd.txt we find an interesting string at the end of the file.

;0111000000110110001110000110001101110001001100010110100001100010

Converting the binary string to ascii returns the flag.

NETON{p68cq1hb}

Crash, crash, crash!

Pwn – 50pts

Description

Crash, crash, crash I’m gonna step on the crash Tonight, I’ll fly (and be your lover) Yeah, yeah, yeah I’ll be so quick as a SIGSEGV And I’ll be your hero

Crash, crash, crash I’m gonna run as a x86_64 ELF binary Tonight, I’ll fight (to be the winner) Yeah, yeah, yeah I’m gonna step on the crash And you’ll see the big crash

Solution

Connecting to the challenge service, all we get is an input prompt. Entering some string closes the connection, but according to the description we should try to crash the service. So when we enter a long string as the input we get the flag.

NETON{Y34h_1_kn0w_th3_cr4sh_cr4sh_cr4sh_j0k3_w45_4_b1t_b4d}

Inception

Misc – 183pts

Description

Try to get the flag :V

Solution

Attached to this challenge is a QR-code. Let's see what it contains.

zbarimg qr.png 
QR-Code:https://mega.nz/file/MJYmRLya#vR5UPglFNdgDWNhlhKSPWhXgwCo6zNH_PJHusZwBv9M
scanned 1 barcode symbols from 1 images in 0.02 seconds

So we get a link to a file download.

Opening the text file we get some base64 encoded data. When decoding it we get a SVG image file depicting a new QR-code. Lets read the new code and see what it contains.

zbarimg flag.svg 
QR-Code:NETON{ThatsRoughBuddy}
scanned 1 barcode symbols from 1 images in 0.06 seconds

Photogra.fy

Misc – 227pts

Description

Hi, you had been selected for this job. Don’t worry is pretty easy. We detected something strange with a new photographer whose name is Jack, and he creates a start-up called Photogra.fy. We found him on Twitter, and saw that he is making a web. But it’s strange. I mean, do you think that a photographer can develop a web page well?

If you accept the job here is his Twitter account: https://twitter.com/FyPhotogra

PD: If you don’t, you are death 😀

Signed:

FBI

Solution

So we need to find the web site of the start-up. Checking out the Twitter link we got, we find a link to the page in the following post.

Checking the source of the page we find a script called login.js which contains the following function.

function validate() {
    console.log(String['\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65'](0x4e, 0x45, 0x54, 0x4f, 0x4e, 0x7b, 0x4e, 0x61, 0x54, 0x69, 0x30, 0x6e, 0x61, 0x31, 0x5f));
}

When we run this function we get NETON{NaTi0na1_, looks like we got the first part of the flag. Checking out the source of the page a bit more we can find the following in the style.css file.

header .introduction {
 	text-align: center;
 	/*Maybe some picture has something interesting...*/
}

OK, let's check out the metadata of the pictures. When checking out im4.jpg we can see what looks like part of the flag in the Make field.

Make                            : _CiB3rL4gu3}

Putting the two parts together we get the flag.

NETON{NaTi0na1__CiB3rL4gu3}

Kasiski the magician

Misc – 235pts

Description

You must get the ciphered flag stored from this modified and protected file.

Solution

Attached is a file called openme, let’s check what it is.

file openme 
openme: Zip archive data, made by v?[0x31e], extract using at least v2.0, last modified Tue Sep 24 12:33:24 2013, uncompressed size 104, method=deflate

So it’s a Zip file. But when we try to unzip it we discover that it’s corrupted. Let's open the file in a hex editor and take a look.

It looks like a Zip file, but the two first bytes are wrong. Patching those we get the following header.

Now it’s a valid Zip file, but it’s password protected. When we run fcrackzip with the rockyou wordlist we find the password.

fcrackzip -v -u -D -p rockyou.txt openme.zip 
found file 'flag.txt', (size cp/uc    103/   104, flags 9, chk 8694)


PASSWORD FOUND!!!!: pw == iloveyou2

When we unzip the file we get a file called flag.txt.

GPKW GEQ N AKQZPC PPCPVILTM CRN M FBXG CYY JVSG MD, LCEM KW ISSE NNEQ RCGWP{JBSK_ZIIMM_XM_PZKTDSEEIRLI}

So we have some encrypted text. As it turns out it’s encrypted with a Vigenere cipher. When we brute-force the key we get NICEKEY. Using this key to decipher the message we get the following.

THIS WAS A SIMPLE CHALLENGE AND I HOPE YOU LIKE IT, HERE IS YOUR FLAG NETON{FROM_MAGIC_TO_CRIPTOGRAPHY}