[Pragyan CTF] New Avenger

Standard

Description:

New Avenger | Stego 300 pts
The Avengers are scouting for a new member. They have travelled all around the world, looking for suitable candidates for the new position.
Finally, they have found the perfect candidate. But, they are in a bad situation. They do not know who the guy is behind the mask.
Can you help the Avengers to uncover the identity of the person behind the mask ?
Those of you who read my blog frequently are already know how much I’m into superheroes. Give me a challenge with superheroes and you bought me. Although I’m more DC guy, this challenge was with the Marvels and still it was awesome! We’re given with a gif file. I ran binwalk on it to find whether it contains another files within.

Yep, the gif file contains two more files within, lets unzip the image:

Nice! We now have two more files: image_2.zip and 1_image.jpg. Now lets try to unzip image_2.zip.

Oh-no, it requires a password. Lets have a look at 1_image.jpg.
Haha, funny image. Now I want to have a deeper look at this picture, I opened it in hex editor and found the password:

So the password is “sgtgFhswhfrighaulmvCavmpsb”, lets unzip the file:

Again?! We got 2 more files, and the password to the new zip was at the end of the new image, and the new zip contained another zip and an image. Well, I see where it going to, so I opened python and automate the process:

Ta-dah! We extracted all the zip files and gםt 16 images and 15 passwords. This was the last image:

lol.

So now we have 15 passwords, each contains 26 characters:

The password looks like garbage, it’s not Base64 or some known encoding. The first thing to pop up is the capital letter inside each password. Every password contains one or two capital letters. I know that the English alphabet contains 26 letters, so maybe I can map the location of each capital to the matching letter in the alphabet. i.e, if ‘F’ is in passw[4] i’ll take alphabet[4] which is ‘e’ and so on. I added this code to my script:

I ran the script and got meaningless string: “etitgepgztgxhiwthexstgbpc”. Damn! I was so sure that the mapping is the solution, how can’t it be?! All the facts point towards mapping the alphabet. I decided not to give up and ran Caesar Cipher on the string:

YAY! I was so happy to find Spidey is the new Avenger!

Here’s the full script:

The flag was: pragyanctf{peterparkeristhespiderman}

Share

[Pragyan CTF] Roller Coaster Ride

Standard

Description:

Bobby has been into Reverse Engineering and Binary Exploitation lately.
One day, he went to an amusement park in his city. It was very famouse for its Roller Coaster Rides.
But, Bobby, being 12 years old, was not allowed on those rides, as it was open for people who were 14 years or older.
This made Bobby very angry. On reaching home, he hacked into the servers of the amusement park, got hold of the validation software for the Roller Coaster rides, and modified it, so that nobody is allowed to have a ride on those Roller Coasters.

validation

 

We are given with a file, lets run file command on it determine its type.

Okay, it’s an ELF file. Lets execute it:

 

Okay let’s disassemble the file and look at the functions call tree:

Oh, we have lot of functions. All of them looks something like this:

An hex value is moved to r9 (smetimes r8) and then xord with hex value that was moved to rax. I manually xord all the values by order of calls, turn the results to characters and end up with the flag:

The flag was pragyanctf{r01l+th3m_411-up/@nd~4w@y}

Share

[Pragyan CTF] The Vault

Standard

Description:

[!@# a-z $%^ A-Z &* 0-9] [1,3]
All we got is a file and regular expression.
Lets run file command on the file to determine its type:

The file is KDB file which is Keepass password database. Keepass is a famous opensource password manager.

I tried open it using KeePassX for windows, but we need a password to open the database. The password probably should match the regex, so I generated a dictionary with all the possible passwords (more then 300,000 words).

 

And I the ran John the Ripper to crack the password and went to eat lunch.

When I came back I saw that John found the password, now lets open the file:

 

The flag was pragyanctf{closed_no_more}

Share

[Pragyan CTF] Lost Friends

Standard

Description:

Lost Friends Stego 300

Moana and her friends were out on a sea voyage, spending their summer joyously.
Unfortnately, they came across Charybdis, the sea monster. Charybdis, furious over having
unknown visitors, wreaked havoc on their ship. The ship was lost.

Luckily, Moana survived, and she was swept to a nearby island. But, since then, she has not seen her
friends. Moana has come to you for help. She believes that her friends are still alive, and that you are the
only one who can help her find them

lost_friends.png

Moana has lost her friends and we need to help her find them. We are given with an image which is absolutely blank. I opened it in Photoshop and saw that it’s completely transparent. So I grabbed python and Pillow and canceled the alpha channel (which is responsible for transparency).

I got this image:

Wooho, Chipmunks! It seems like every chipmunk is on another channel, lets split the channels:

Now we have three images of chipmunks:

I played with them, trying to find the flag but found nothing. So I got back to the original image and opened it with Hex Editor. At the bottom of the file I found this hint: “Psssst, Director, maybe ??”. So the flag is probably the name of the director of chipmunks. According to Wikipedia, Chipmunks has 4 movies, I tried to submit with each director and found that the director of the third movie is the flag.

The flag was praganctf{MikeMitchell}

Share

[Pragyan CTF] Evil Corp

Standard

Description:

fsociety has launched another attack at Evil Corp. However, Evil Corp has decided to encrypt the .dat file with a CBC cipher. Reports reveal that it is not AES and the key is relatively simple, but the IV might be long. And remember, fsociety and evilcorp are closely linked.

Hint! Snakes serve the fsociety. Hmmm.

Hint! fsociety and evilcorp are too close, even 16 characters long together. Damn

fsociety_new.dat

This challenge was tricky for lot of people, the riddle was hiding in the questions itself. The challenge doesn’t require high skills, just understanding the meaning behind the words and hints.

From the question we know it’s a CBC cipher, but which? I got it just after the first hint was released, something to do with snakes. hmm… Serpent! Serpent is another term for Snake, and there’s Serpent-CBC cipher.

What about the IV? We know several things about the IV:

  1. The length of Serpent-CBC IV must be 32 bytes,
    2. Most of the Serpent decrypters are taking the IV as hex sequence
    3. in the question: “but the IV might be long”
    4. in the Hint: “even 16 characters long together…fsociety and evilcorp are closely linked”.

So, this made me believe that the IV is “fsocietyevilcorp” because len(hex("fsocietyevilcorp"))==32.

So we now know the algorithm and the IV, what is the Key? The question says “the key is relatively simple”. So I tried online with some simple and “obvious” keys until I recognize a valid header of file and found that the key was “fsociety“.

 

We got a leet JPEG image with the flag:

The flag was pragyanctf{hellofriend}

Share