CSAW CTF 2016

[CSAW 2016] Clams Don’t Dance Writeup

Standard

Description:

Find the clam and open it to find the pearl.
out.img

We are given with a file. I ran file command on it to figure it’s file type:

[Megabeets] /tmp/CSAW/clam# file out.img
out.img: x86 boot sector

Ok, we have raw image file which will probably contain file/s with the flag. I’ll show 2 methods, choose your preferred one.

Method 1: Autopsy

Open Autopsy (my favorite forensics software, it’s free and heartily recommended) and choose the “Create New Case” on the Welcome window. You can also create a new case from the “File” menu.

autopsy_open

Fill the requested details and press “Finish”. Now add input data source to the case. Click “Case” > “Add Data Source…” or on the “Add Data Source” button (  autopsy_add_data_source ) on the main window and choose our file, out.img.

I cannot teach you about all the features of this great software so I’ll just show the path to the flag. If you’re not familiar with Autopsy I recommend you again to start working with it.

In the right panel you can find plenty of features, I will use only the directory viewer. Clicking on the data source (out.img) will show the files in the main directory of the image.

autopsy_view_dir

 

Do you see it? As it says in the description, we found the clam(.pptx)! The X on it’s icon means that this file was deleted from the  operation system (but not from the disk). Double clicking it and you’ll see bunch of image files, one of them, called image0.gif, is looking like a MaxiCode. Is it?

clam_image0

Scan it either online or offline to reveal the flag. I was scanning it with this site.
flag{TH1NK ABOUT 1T B1LL. 1F U D13D, WOULD ANY1 CARE??}

 

Method 2: Foremost

This is less elegant way to solve the challenge. Run foremost on the file:

[Megabeets]$ foremost out.img

You’ll get a folder named output with zip file, movie file and pptx file. Extract the pptx file using 7-zip (PPTX is an archive file), go to the /ppt/media folder and you’ll find the MaxiCode image mentioned before.

megabeets_inline_logoEat Veggies

[CSAW 2016] Regexpire Writeup

Standard

Description:

I thought I found a perfect match but she ended up being my regEx girlfriend.

nc misc.chal.csaw.io 8001

It wasn’t so hard, I asked google for the best way to generate matched string to a given pattern and wrote the following script. The only headache was when my generator used newlines (“\n”) so I removed them.

from pwn import *
import rstr
import exrex
from time import sleep
import re

# conect to server
r = remote('misc.chal.csaw.io', 8001)

# Print the question string
print r.recvline()

# Counter
i=1

while True:
	# Recieve the regex pattern
    reg = r.recvline()[:-1]
    print "%d -------\n"%i
    print reg
    print "-------\n"
    ans=rstr.xeger(reg).replace('\n','') # Remove newlines!
    # ans=exrex.getone(reg).replace('\n','')  # Another possible option
    r.sendline(ans)
    i+=1
	sleep(0.2)

And after 1000 tests we got the flag: flag{^regularly_express_yourself$}

megabeets_inline_logoEat Veggies

[CSAW 2016] Coinslot Writeup

Standard

Description:

#Hope #Change #Obama2008

nc misc.chal.csaw.io 8000

Let’s connect to the server and see what will happen:

[Megabeets] /tmp/CSAW/Coinslot# nc misc.chal.csaw.io 8000
$0.07
$10,000 bills: 0
$5,000 bills: 0
$1,000 bills: 0
$500 bills: 0
$100 bills: 0
...
...

So, the server is displaying a wanted amount of money and we need to calculate the number of bills and coins given the amount. All we need is writing a simple python script and a coffee break because it will take about 10 minutes for the flag to come up 🙁

from pwn import *

r = remote('misc.chal.csaw.io',8000)

# Create an array of dollars and coins values
money = [10000.0, 5000.0, 1000.0, 500.0, 100.0, 50.0, 20.0, 10.0, 5.0, 1.0, 0.5, 0.25, 0.1, 0.05, 0.01]
count = 0

while(True):
	count += 1
	amount = 0.0
	
	# Recieve the wanted amount of money
	amount = float(r.recvline()[1:])
	print "Wanted amount is " + str(amount)

	# Send the number of dollars and coins for each value
	for m in money:
		print r.recv()
		ans = int(amount/m)
		print "Sending %d" %ans
		r.sendline(str(ans))
		amount = round((amount - (ans*m)), 2)
		print "Left with " + str(amount)
	print "[+] Finished %d" %count
	print r.recvline()

 

The flag is: flag{started-from-the-bottom-now-my-whole-team-fucking-here}

megabeets_inline_logoEat Veggies

[CSAW 2016] Kill Writeup

Standard

Description:

Is kill can fix? Sign the autopsy file?
kill.pcapng

This challenge was the first in the Forensics category and was very very simple. We are given with what seems like a corrupted pcapng file, I wasn’t able to open it in Wireshark nor Tcpdump. I ran strings on it with a hope to find the flag:

[Megabeets] /tmp/CSAW/kill# strings kill.pcapng | grep -i flag
=flag{roses_r_blue_violets_r_r3d_mayb3_harambae_is_not_kill}

And to my great surprise I got it, the flag was written plain-text in the file.

megabeets_inline_logoEat Veggies