Forensics
Broken Files
The challenge provides a challenge
file of unknown type. I ran file
against it, but this wasn’t helpful.
$ file ./challenge
./challenge: data
I looked at the hex dump with xxd
and saw a reference to flag.txt
towards the end, which indicated to me this was some sort of archive format.
00035530: 0102 1e03 0a00 0900 0000 91a1 1e55 cbbe .............U..
00035540: 17b1 2200 0000 1600 0000 0800 1800 0000 ..".............
00035550: 0000 0100 0000 b481 0000 0000 666c 6167 ............flag
00035560: 2e74 7874 5554 0500 0362 990e 6375 780b .txtUT...b..cux.
00035570: 0001 04e8 0300 0004 e803 0000 504b 0506 ............PK..
00035580: 0000 0000 0100 0100 4e00 0000 7400 0000 ........N...t...
00035590: 0000
I tried to unzip
the challenge
file, and it printed a warning but continued on to prompt for a password, so this seemed promising.
Archive: challenge
warning [challenge]: 218298 extra bytes at beginning or within zipfile
(attempting to process anyway)
[challenge] flag.txt password:
Naively extracting the hash with zip2john
didn’t work because of the missing metadata in the previous warning. Stackoverflow provided a solution to repair the metadata.
$ zip -FF challenge --out fixed.zip
Now zip2john
worked as expected.
$ zip2john fixed.zip > challenge.hashes
I tried to crack the hash with johntheripper
and the classic rockyou
wordlist but came up empty. Since the CTF is based in Argentina, I downloaded a Spanish language wordlist and produced the password.
vanamente
This allowed flag.txt
to be extracted, revealing the flag.
flag{_B0rg3S_Th3R43l}
Professional Zip Cracker
This challenge unsurprisingly provides a challenge.zip
. johntheripper
and rockyou
produced the first password.
puck02111987
Which extracted alittlemore.zip
. This was cracked in the same manner, but with a different wordlist of unknown origin, to produce the next password.
gz
What turned out to be the final archive, flag.zip
, was more resistant to wordlists and simple brute forcing. Eventually I became curious about the contents, and searching for pkzip.ps.gz
revealed that it was a part of pkcrack
, a zip cracking utility that requires a known plaintext file be present in the encrypted archive. Since pkzip.ps.gz
is included in the encrypted flag.zip
, and available unencrypted from pkcrack
itself, I had everything I needed for the final step.
In preparation for running pkcrack
I downloaded pkzip.ps.gz
and zipped it up in a new unencrypted zipfile, making sure the compression mode matched afterwards with unzip -v flag.zip
and unzip -v new.zip
.
$ zip new.zip pkzip.ps.gz
$ unzip -v flag.zip
Archive: flag.zip
Length Method Size Cmpr Date Time CRC-32 Name
-------- ------ ------- ---- ---------- ----- -------- ----
74841 Defl:N 74321 1% 09-01-2022 19:05 11958b6d KP/pkzip.ps.gz
42 Stored 42 0% 08-29-2022 15:26 5dd7a68f flag/flag.txt
-------- ------- --- -------
74883 74363 1% 2 files
$ unzip -v new.zip
Archive: new.zip
Length Method Size Cmpr Date Time CRC-32 Name
-------- ------ ------- ---- ---------- ----- -------- ----
74841 Defl:N 74321 1% 09-27-2022 16:07 11958b6d pkzip.ps.gz
-------- ------- --- -------
74841 74321 1% 1 file
Then pkcrack
decrypted the contents of flag.zip
.
$ pkcrack -C flag.zip -c KP/pkzip.ps.gz -P new.zip -p pkzip.ps.gz
The flag was revealed.
flag{YouU_4r3_Th3_R34L_z1p_Cr444ck333r!!}
My Secret Tunnel
The challenge provides file.pcapng
. Opened in wireshark
, it contains some DNS traffic. Given the challenge name and the capture contents, this seemed likely to be DNS tunneling, and the appearance of dnscat
references confirmed the theory.
I researched dnscat
and found that the first 9 bytes of each transmission are not part of the payload, the rest is the hex encoded message.
I ultimately overcomplicated this one, and messed about with various scapy
based python scripts to splice the various dnscat
messages together and decode the result. In the end I just needed to decode the one message that was notably longer than the others.
$ echo 5a6d78685a337445626c4e6664485675626a4d7a4d.3278734d5446755a32646e66516f3d0a | xxd -r -p
ZmxhZ3tEblNfdHVubjMzM2xsMTFuZ2dnfQo=
And base64 decode it
$ echo ZmxhZ3tEblNfdHVubjMzM2xsMTFuZ2dnfQo= | base64 -d
flag{DnS_tunn333ll11nggg}
Crypto
Omelette du fromage Cipher
The challenge provides an encrypted flag.
hlrv{X1g3ett3_2_34sp_bcae}
Searching for the phrase Omelette du fromage
brought me to an episode of Dexter’s Laboratory in which the phrase is repeated over and over. This felt like a clue that the cipher would use repetition. I tried a Vigenere cipher first. Since the first part of the ciphertext is known to say flag
, I played around with adding key characters to an online Vigenere solver until I got flag
to be produced in the plaintext output. Thankfully, that was the full key: carp
, and the flag was revealed.
flag{V1g3ner3_2_34sy_maan}
Web
Basics
The challenge provides a URL to a domain with a file that simply contains the text Nothing
. After poking around a bit at headers and cookies, I started on enumeration and checked the classic /robots.txt
. Sure enough, this led me to /sup3rsecr3T.txt
which had the flag in a flag
response header.
flag{Header_HTTP_Rulessss}
Prog
Calculator
The challenge provides a domain and port to connect to with nc
. Upon connection, you are prompted to solve some simple math problems, but the timeout is too quick to reasonably do so manually. I wrote a script to evaluate each of the provided expressions.
#!/usr/bin/env python3
from pwn import *
# the connection is terminated before a final newline, this prints the buffer contents
context.log_level = "debug"
conn = remote("calculator.ctf.cert.unlp.edu.ar", 15002)
conn.recvuntil(b":\n")
while True:
line = conn.recvline().strip()
try:
result = str(eval(line)).encode("utf-8")
except Exception:
print("COMPLETE")
while(True):
print(line)
line = conn.recvline()
conn.sendline(result)
print(conn.recvline())
I didn’t write down the flag :p