[H4CK1T 2016] Crypt00perator – Ethiopia Writeup



Long time ago one security module has been written. But for now its sources have been missed somehow. We have forgotten th3 access k3y, which, as we remember, has been hardcoded inside the module. Help us to recollect th3 k3y!11


This is a pretty basic reversing challenge. It can be solved in many different ways, but I will show only two of them. The first is the quickest method and works only for this challenge; the second is for those of you who want to understand better how to solve such challenges in the future.

So, we got an exe file and we need to find the access key. We are given a hint that the key is somehow hardcoded in the file itself. Let's run the file and see what happens.

Seems like all it does is ask for the key. Let's take a deeper look and see if the key is stored in clear text in the file. Open the file in IDA Pro and press Shift+F12 to open the Strings subview. Strings written by the programmer are usually stored at nearby addresses. Here is a snippet of the strings; I marked the most meaningful ones:

We can easily spot the strings we already saw when running the program: 'Denied' and 'Enter th3 k3y :'. The 'Allowed' string will probably be printed after entering the right key. But what is this strange string, 'o3dl6s|41a42344d110746d574e35c2f77ab6>3z'? Is it the key? Let's try.

No luck. It is not the key, but what is it? It should be meaningful somehow, but I don't yet know how the program uses this string. I decided to debug the program and set a breakpoint before the decision whether the input is the right key is made.

Let's go to the main function and set a breakpoint before the call to the Checker function:



Now let's run the program with that long string as the input and look at the registers. We can see that RAX is passed to the Checker function, which compares RAX with the long string; if RAX == long_string we get the Allowed message. But our RAX differs from the long string even though we used the long string as our input, which means the input string is transformed before it is compared with the original long string. So, what is in RAX? Let's hover over RAX with the cursor.



Well, RAX looks like the flag. We will get the Denied message, but at least we now have the flag.


So we solved the challenge, but now let's see what is happening behind the scenes of this program. We can find out what it does without getting too deep into the assembly code. We already know that the program takes our input and performs some transformation on it. After that it compares the transformed string with the long string 'o3dl6s|41a42344d110746d574e35c2f77ab6>3z'. The best approach in such cases is to look at the result for different inputs; I'll show a few examples that can teach us about the program:




As you can see, this is probably a substitution cipher implementation: every character is always replaced with the same other character. We can write a short Python script to figure out the key using our a-z0-9{} input and the matching RAX string:
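The table-recovery step described above, as an added example that is not the author's script: it is fed with the two strings this writeup quotes (the accepted flag and the hardcoded string) instead of an a-z0-9{} probe, and also checks whether one XOR mask explains every pair, which for these two strings it does.

```python
# Added example (not the author's script): recover a substitution table from a
# known input/RAX pair, the way the writeup does with an a-z0-9{} probe, here
# fed with the two strings the writeup quotes (flag and hardcoded string).
KNOWN_PLAINTEXT = "h4ck1t{36f35433c667031c203b42d5a00fe194}"   # accepted key
KNOWN_CIPHERTEXT = "o3dl6s|41a42344d110746d574e35c2f77ab6>3z"  # RAX for it


def build_table(probe: str, rax: str) -> dict:
    """Map each probe character to the character the binary turns it into.

    A simple substitution always yields the same output for an input char,
    so a contradiction means the scheme is position-dependent and a
    lookup table is the wrong model.
    """
    if len(probe) != len(rax):
        raise ValueError("probe and RAX string differ in length")
    table = {}
    for p, c in zip(probe, rax):
        if table.setdefault(p, c) != c:
            raise ValueError(f"{p!r} maps to both {table[p]!r} and {c!r}")
    return table


def decrypt(rax: str, table: dict) -> str:
    """Invert the table; characters the probe never covered become '?'."""
    inverse = {c: p for p, c in table.items()}
    return "".join(inverse.get(ch, "?") for ch in rax)


def xor_constant(table: dict):
    """Return the single XOR mask explaining every pair, or None.

    For the pair above every entry satisfies ord(p) ^ ord(c) == 7, so the
    'substitution' is really byte ^ 0x07, which also covers characters a
    short probe never exercised.
    """
    masks = {ord(p) ^ ord(c) for p, c in table.items()}
    return masks.pop() if len(masks) == 1 else None


def decrypt_with_mask(rax: str, mask: int) -> str:
    """Decode using the constant mask instead of a partial table."""
    return "".join(chr(ord(ch) ^ mask) for ch in rax)


if __name__ == "__main__":
    table = build_table(KNOWN_PLAINTEXT, KNOWN_CIPHERTEXT)
    print(decrypt(KNOWN_CIPHERTEXT, table))   # the flag
    print(hex(xor_constant(table)))           # 0x7
```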


We got the flag 🙂

If you have any questions feel free to ask and I’ll explain more.

Flag: h4ck1t{36f35433c667031c203b42d5a00fe194}


[H4CK1T 2016] QRb00k – Russia Writeup



Task: QRb00k – Russia – W3b – 400
The secured messenger was developed in Canada, it’s using systems with qr keys for communicating, it allows to read other people’s messages only to this key holders. But is it true? And you have to figure it out …

This was a very good web challenge. It took me quite some time to fully understand it, but it was absolutely worth its 400 points.

Starting the challenge, we are given a messenger site that uses QR codes to communicate. The site has two main pages:

  • Create – creates a QR code from a given name and message
  • Read – an upload form to upload a QR code and read the message inside

So let’s create a message:

We got a QR code which is the key to read our message:

Now let’s read the message using the QR code:


OK, it all worked as it was supposed to. I used the zxing service to view the content of the QR code:


Look at the raw text. It's a short string that looks base64 encoded. But wait, base64 can't begin with "=="! Those characters usually appear at the end of base64-encoded strings. Is it reversed? Let's check:

Yes! It was indeed reversed. Our key (QR code) is created by: QR(Reverse(Base64(name))).

OK, now that we understand the mechanics, let the party begin and start playing with SQL injection. To create the QR codes I used this site; it was faster than using the challenge site.

I began with the obvious: ' or 1=1--


Whoops, busted. The system recognized my SQLi attempt. I tried some filter-bypassing methods and succeeded with this input:

Reverse(Base64(input)) == “==wc0VWZiF2Zl10JvoiLuoyL0NWZsV2cvoiLuoyLu9WauV3Lq4iLq8SKoU2chJWY0FGZvoiLuoyL0NWZsV2cvoiLuoyLu9WauV3Lq4iLq8yJ”
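An encoder/decoder for the QR key format worked out above, as an added example that is not the challenge's code. It decodes the bypass payload quoted in this writeup and contrasts a naive whitespace-bound keyword filter (the kind that stopped ' or 1=1--) with one that normalises inline comments first; "alice" is a constructed name.

```python
import base64
import re

# Added example (not the challenge's code): encoder/decoder for the key format
# the writeup worked out, QR(Reverse(Base64(name))), plus a comparison of the
# naive keyword filter that stopped "' or 1=1--" with one that normalises inline
# comments first. PAYLOAD is the bypass string quoted in the writeup; "alice"
# is a constructed name.
PAYLOAD = ("==wc0VWZiF2Zl10JvoiLuoyL0NWZsV2cvoiLuoyLu9WauV3Lq4iLq8SKoU2chJWY"
           "0FGZvoiLuoyL0NWZsV2cvoiLuoyLu9WauV3Lq4iLq8yJ")


def encode_key(name: str) -> str:
    """What the site stores in the QR code: base64 of the name, reversed."""
    return base64.b64encode(name.encode()).decode()[::-1]


def decode_key(qr_text: str) -> str:
    """Undo the reversal, then base64; strict decoding rejects junk."""
    return base64.b64decode(qr_text[::-1], validate=True).decode()


# A blocklist that needs whitespace around the keyword misses keywords glued
# together with /*...*/ comments, which SQL treats as whitespace.
NAIVE = re.compile(r"\s(or|and|union|select)\s", re.I)
KEYWORDS = re.compile(r"\b(or|and|union|select)\b", re.I)


def naive_blocked(name: str) -> bool:
    return NAIVE.search(name) is not None


def normalised_flagged(name: str) -> bool:
    """Strip comments and collapse whitespace before looking for keywords.

    This is detection for logging/alerting only; the actual fix for the
    injection is a parameterised query for the name lookup.
    """
    text = re.sub(r"/\*.*?\*/", " ", name, flags=re.S)
    text = re.sub(r"\s+", " ", text)
    return ("'" in text or '"' in text) and KEYWORDS.search(text) is not None


if __name__ == "__main__":
    decoded = decode_key(PAYLOAD)
    print(decoded)
    print("naive:", naive_blocked(decoded), "normalised:", normalised_flagged(decoded))
```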


It worked! Now let's find the correct table ("messages") and column by using some queries to map the database:

QR(Reverse(Base64(input))) == “zRXZlJWYnVWTn8iKu4iKvQ3YlxWZz9iKu4iKv42bp5WdvoiLuoyLnMXZnF2czVWbn8iKu4iKvU2apx2Lq4iLq8SZtFmbfVGbiFGdvoiLuoyLlJXZod3Lq4iLq8ycu1Wds92YuEWblh2Yz9lbvlGdh1mcvZmbp9iKu4iKv02byZ2Lq4iLq8SKl1WYu9lbtVHbvNGK0F2Yu92YfBXdvJ3ZvoiLuoyL0NWZsV2cvoiLuoyLu9WauV3Lq4iLq8yJ”


“secret_field”? Sounds suspicious. Let’s query it and see what it contains:


And we got the flag! I honestly really enjoyed this challenge.

Flag: h4ck1t{I_h@ck3d_qR_m3Ss@g3r}


If you have any questions feel free to ask 🙂

[H4CK1T 2016] ch17ch47 – Germany Writeup



ch17ch47 – Germany – 200 – Forensics
Find out who is the recipient of the information from the agent.

This challenge was the second one in this CTF; it took me no more than five simple and basic commands to get the flag.

I roughly follow the same simple system whenever I face a new challenge. This system has proven itself again and again in almost every kind of challenge at different levels.

  1. Examine the file types you are given: an image, pcap, PE, etc. You can do it using the file command or just by opening the file
  2. Run the 'strings' command on it.
  3. Run foremost (and binwalk) on the file
  4. Run strings on all the extracted files

This time we are given a zip file. First we want to unzip it to examine the files inside. It has a lot of files, so I won't paste the full output here.


We have a lot of files of different types from what seems to be a Windows machine (AppData, Favorites, Downloads, Desktop…). We can start step 2 from above and recursively search the strings of the files for the flag.

This command iterates recursively over all the files in the directory and its sub-directories and greps for the string 'h4ck'. It reported a database file containing part of the flag. Now let's run the strings command on that file:

And we got the flag. Easy, right?

Flag: h4ck1t{87e2bc9573392d5f4458393375328cf2}

[H4CK1T 2016] 1magePr1son- Mozambique Writeup



Task: 1magePr1son – Mozambique – Stego – 150

Implementing of the latest encryption system as always brought a set of problems for one of the known FSI services: they have lost the module which is responsible for decoding information. And some information has been already ciphered! Your task for today: to define a cryptoalgorithm and decode the message.

To start, we are given a wallpaper image named planet.png (2560×1850)


Looking carefully at the image, we can see a pattern of strange dots; such dots may be connected to the cryptosystem. They are pixels of different colors that probably belong to another image. My thought was that the pixels of the flag image were scattered into the wallpaper.


The dots appear every 24 pixels, so I wrote a short Python script to combine them into one image:
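The lattice extraction described above, as an added example that is not the author's script: it locates the 24-pixel lattice offset, pulls those pixels into a small image, and is exercised on a constructed wallpaper (Pillow is not used; loading planet.png with it is left as an assumption in the comments).

```python
# Added example (not the author's script): pull the pixels that sit on a regular
# lattice (every 24th pixel in both axes, as observed above) out of a wallpaper
# and assemble them into the small hidden image. It works on a plain 2-D list
# of (r, g, b) tuples so it runs without Pillow; with Pillow, planet.png would
# first be loaded with Image.open(...) and converted to such rows (assumption).
STEP = 24

def _differs(a, b, threshold=48):
    """Colour distance test; neighbouring wallpaper pixels are usually closer."""
    return sum(abs(x - y) for x, y in zip(a, b)) > threshold

def find_phase(pixels, step=STEP):
    """Guess the lattice offset (x0, y0): foreign pixels stand out from both
    horizontal neighbours, so pick the phase with the most such pixels."""
    height, width = len(pixels), len(pixels[0])
    best, best_score = (0, 0), -1
    for y0 in range(step):
        for x0 in range(step):
            score = sum(1 for y in range(y0, height, step)
                        for x in range(x0, width, step)
                        if 0 < x < width - 1
                        and _differs(pixels[y][x], pixels[y][x - 1])
                        and _differs(pixels[y][x], pixels[y][x + 1]))
            if score > best_score:
                best, best_score = (x0, y0), score
    return best

def extract_lattice(pixels, step=STEP, x0=0, y0=0):
    """Rows of the pixels at (x0 + i*step, y0 + j*step)."""
    height, width = len(pixels), len(pixels[0])
    return [[pixels[y][x] for x in range(x0, width, step)]
            for y in range(y0, height, step)]

def lattice_size(width, height, step=STEP, x0=0, y0=0):
    """Size of the hidden image; for the 2560x1850 wallpaper that is 107x78."""
    return len(range(x0, width, step)), len(range(y0, height, step))

def make_sample(width=240, height=120, x0=5, y0=7, step=STEP):
    """Constructed test wallpaper: flat background, tiny image on the lattice."""
    background = (10, 20, 30)
    img = [[background] * width for _ in range(height)]
    for j, y in enumerate(range(y0, height, step)):
        for i, x in enumerate(range(x0, width, step)):
            img[y][x] = (j * 40, i * 20, 200)
    return img

if __name__ == "__main__":
    x0, y0 = find_phase(make_sample())
    print((x0, y0), lattice_size(240, 120, x0=x0, y0=y0))
```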

I ran it and got a big image (the wallpaper size) with a tiny image inside that contains the flag:


Flag: h4ck1t{SPACE_IS_THE_KEY}

[H4CK1T 2016] v01c3_0f_7h3_fu7ur3 – Australia Writeup



v01c3_0f_7h3_fu7ur3 – Australia – 300 – Network
The captured data contains encrypted information. Decrypt it.

The first thing I do when I face a pcap challenge is, of course, open it in Wireshark. If it looks normal (and not, for example, Bluetooth traffic) I then run 'foremost' on the file. foremost searches a given file for known file types by their headers, footers etc. and extracts them to the 'output' folder in the current directory.
So foremost found several files in the PCAP from several sources, such as HTTP and FTP traffic:

  • png
  • gif
  • jpg
  • rar
  • (…)

I opened the rar archive and found a file named 'key.enc' which contained "Salted_<GIBBERISH>". I opened it in a hex editor:


At first, as the name says, I thought I had found the key of some encryption and now needed to find the encrypted file and the cipher. But on second thought I told myself that '*.enc' usually denotes an encrypted file! So that file isn't a key, it's encrypted, and we need to decrypt it. But what are the key and the cipher?

So, I figured out that a file starting with "Salted_" was encrypted using the 'openssl' application.
I then went back to read the task again. I saw that the name of the challenge is "v01c3_0f_7h3_fu7ur3", so I thought maybe it involves some audio. I searched for 'mp3' or 'aud' in the pcap (queries: 'tcp contains mp3', 'tcp contains aud') and found the following URL:

It's an innocent JavaScript file. I visited the "priyom" site and read its description:

“Priyom is an international organization intending to research and bring to light the mysterious reality of intelligence, military and diplomatic communication via shortwave radio: number stations”

Sounds interesting. So I looked again in the pcap and saw a request to this specific URL:

There is a robotic voice that reads out numbers.

So now I have what seems like a key, but what is the encryption?
A bit of research about the encryption made me think it's AES, so I ran:

-d is for decrypt
-k is for the passphrase

Failed. So I read about the structure of the voice record on the website and took only the Message part from the numbers: 7369859990172126397300000
This is the actual Message part (5-digit paired groups) with 5 zeroes at the end, without the Intro, Outro, Preamble, Postamble and the duplicated 5-digit groups.

Failed again. I tried all the possible openssl ciphers (20+) but failed again.
So I got mad and tried to decrypt it using every cipher with every possible substring of the original number from the recording.
Pseudo code:

And what it really looked like:

It took 30 minutes to run.
BUT IT FAILED. No flag.

At this point I think 3 or 4 teams had already solved it.
So I tried more and more combinations, and this stupid one finally worked:

It's the full number from the recording with the duplicated groups removed (the recording was split into groups of numbers, and the speaker said each group twice or three times).
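The three pieces this writeup had to work out by hand, as an added example that is not the author's scripts: parsing the "Salted__" layout, the MD5-based passphrase derivation that openssl enc used by default in 2016, and collapsing the repeated spoken groups into one digit string. The spoken groups are constructed from the Message digits quoted above, not transcribed from the real recording.

```python
import hashlib

# Added example (not the author's scripts): parse_salted() splits an OpenSSL
# "Salted__" file into salt and ciphertext; evp_bytes_to_key() reproduces the
# MD5-based passphrase derivation that `openssl enc -k` used by default in
# 2016 (newer OpenSSL needs -md md5 to read such files); collapse_repeats()
# turns the spoken groups, each repeated two or three times, into the digit
# string the author finally used. SPOKEN_GROUPS is constructed, not the real
# recording.
SPOKEN_GROUPS = ["73698", "73698", "59990", "59990", "59990",
                 "17212", "17212", "63973", "63973", "00000", "00000"]


def parse_salted(blob: bytes):
    """Return (salt, ciphertext) from the 'Salted__' + 8-byte-salt layout."""
    if blob[:8] != b"Salted__" or len(blob) < 16:
        raise ValueError("not an OpenSSL salted file")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len=32, iv_len=16):
    """EVP_BytesToKey, MD5, one iteration: D_i = MD5(D_{i-1} || pass || salt).

    Key = first key_len bytes of D_1||D_2||..., IV = the next iv_len bytes.
    Each candidate passphrase costs only a few MD5 calls, which is why trying
    many digit strings against key.enc was feasible at all.
    """
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def collapse_repeats(groups):
    """Drop consecutive duplicate groups and join the rest into one string."""
    kept = []
    for group in groups:
        if not kept or kept[-1] != group:
            kept.append(group)
    return "".join(kept)


if __name__ == "__main__":
    passphrase = collapse_repeats(SPOKEN_GROUPS).encode()
    blob = b"Salted__" + bytes(range(8)) + b"\x00" * 16   # constructed, not key.enc
    salt, _ciphertext = parse_salted(blob)
    key, iv = evp_bytes_to_key(passphrase, salt)
    print(passphrase.decode(), key.hex(), iv.hex())
```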

So the hardest part was actually figuring out the exact passphrase; the rest was pretty easy.

Flag: h4ck1t{Nic3_7ry}

[H4CK1T 2016] Belarus – Electronicon Writeup



Belarus – Electronicon – PPC – 250 pts
EN: This task is one of the methods for the psychological attacks. It is intended for people who don’t have heart diseases and reached 18 years 😉



As the attached file says, it was real pain. I opened the file in the browser and saw this horrible thing:


It looked bad and crashed my browser; the text file was too big for it to handle. So I opened it in Notepad++, and it wasn't any better:


Still terrifying, and it was heavy for Notepad++ as well. But this time something caught my eye. Look at the rows panel on the left: it says only 1 line. Let's turn off word wrap (View > Word wrap) and check what it is:


Aha! It was a HUGE ASCII art. How huge? 11 rows of 1830661 chars each! It's a long hex string, so now we need to parse it. I tried using this module but without any success, so I decided to go the hard way and parse it myself.

First, I edited the file to make it easier to parse. I wanted every char on its own line, so I wrote a script to separate the characters:

Now let's open the edited file with EmEditor, which is capable of opening large files, and see what our file looks like:


Good! It looks exactly like I wanted! Now, to parse it, we need to tell the code what every letter or digit looks like, so I started to define a variable for each letter or digit with the matching ASCII art. It was something like this:
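The glyph-table approach described above, as an added example that is not the author's parser: it cuts a multi-row banner into glyphs at all-blank columns and matches each against a table. The real 11-row font is not shown in the writeup, so FONT is a constructed 3-row font for a few hex digits; the segmenting and matching are independent of the row count.

```python
# Added example (not the author's parser): segment the banner into glyphs at
# all-blank columns and match each glyph against a table of known shapes.
# The real file used an 11-row font whose shapes are not in the writeup, so
# FONT below is a constructed 3-row font for a few hex digits.
FONT = {
    "0": [" _ ", "| |", "|_|"],
    "1": ["   ", " | ", " | "],
    "7": ["__ ", " / ", "/  "],
    "a": ["   ", " _|", "|_|"],
    "f": [" _ ", "|_ ", "|  "],
}

def split_glyphs(rows):
    """Cut the banner wherever a column is blank in every row."""
    width = max(len(r) for r in rows)
    rows = [r.ljust(width) for r in rows]
    glyphs, start = [], None
    for x in range(width + 1):
        blank = x == width or all(r[x] == " " for r in rows)
        if not blank and start is None:
            start = x
        elif blank and start is not None:
            glyphs.append([r[start:x] for r in rows])
            start = None
    return glyphs

def _trim(shape):
    """Normalise a font entry to its non-blank column span."""
    parts = split_glyphs(shape)
    return parts[0] if parts else []

NORMALISED_FONT = {ch: _trim(shape) for ch, shape in FONT.items()}

def match_glyph(glyph):
    for ch, shape in NORMALISED_FONT.items():
        if shape == glyph:
            return ch
    return "?"   # unknown shape: inspect it and add it to FONT

def parse_banner(rows):
    """Banner rows -> text; unknown shapes become '?'."""
    return "".join(match_glyph(g) for g in split_glyphs(rows))

def render(text, gap=1):
    """Build a banner from FONT with `gap` blank columns between glyphs."""
    height = len(next(iter(FONT.values())))
    return ["".join(FONT[c][i] + " " * gap for c in text) for i in range(height)]

if __name__ == "__main__":
    banner = render("7fa01")
    print("\n".join(banner))
    print(parse_banner(banner))   # 7fa01
```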

I took the long hex string and pasted it into a hex editor. It was this photo:

Well, that's it. We got the flag and can now rest in peace.

Flag: h4ck1t{1_L0V3_3P1C_F0NT$}

[H4CK1T 2016] 1n51d3r’5 j0b – Canada Writeup



1n51d3r’5 j0b – Canada – 300 – Forensics
Tommy wrote a program. It seems he has hidden from us important information. Find out what Tommy hides.

Oh god, this challenge was so fun. The easiest 300 points I've ever got. I'm sure it wasn't the expected solution, but it works, so who am I to complain. Three commands, that's all.

I don't even know what the challenge is about. I just moved on to the next challenge without asking any unnecessary questions.

Flag: h4ck1t{T0mmy_g0t_h1s_Gun}

[H4CK1T 2016] HellMath – Mongolia Writeup



HellMath – Mongolia – 100 – PPC – NEW

EN: Somebody thinks that you are able to calculate well. Is it true? Pass this task, prove the abilities and maybe we will recommend you to one of the most secret missions in this war.

# nc ctf.com.ua 9988 #

This one was a tricky question. Sometimes we think so hard that we forget the basics of the basics.

Let's begin. We are given a netcat command. Let's run it and see what happens:

Well, we are given a number C and we need to find numbers A and B such that A^B (power, not XOR) gives C.

At the beginning I tried to find algorithms online. "Such algorithms must exist!" I thought to myself. I found nothing and gave up for the day because it was late and I wanted to sleep. I was in bed messaging a friend the question, and he simply answered:
“Did you try 1?”
– “What 1?”
“You know, every number to the power of 1 equals the number” (i.e. C = C^1)
– “OMG! It is so simple! You are the smartest person on earth!”


So I ran to my computer and wrote this short Python script that gave me the flag:

Flag: h4ck1t{R4ND0M_1S_MY_F4V0UR1T3_W34P0N}


[H4CK1T 2016] Pentest – Mexico Writeup



Task: Remote pentest – Mexico – 150 – Web

Our foreign partners have some problems with qualified staff in the field of information technology, we decided to help them and to conduct remote testing of their new website. Your task is to find a hole in the system and grab some information to confirm the hack .Good luck !

YAY! A web challenge! If you are following my blog (if not, the subscribe form is on the left) you already know how much I love web challenges; it's either easy points or a great puzzle.

Let’s open the website and see what we have:


WOW! JUSTICE LEAGUE! Did I mention that I love comic books, and especially Batman? Oh, not yet?

Well, this challenge is going to be awesome. No. It’s already awesome!

OK, deep breath. Let's start. See that menu at the bottom? Let's click on a link to see what happens.


Look at the URL: the "about" page is included by "index.php" using the PHP 'require' or 'include' commands. When we see something like that in a challenge, we can check whether the site is vulnerable to an LFI attack. In a Local File Inclusion attack we can include files from the local server. Let's try to include /etc/passwd to check whether the vulnerability exists.

Didn't work. Let's try adding a null byte at the end


It worked! We successfully got the /etc/passwd file. So what now? Let's try to read the raw PHP file to see if the flag is in the PHP pages.

We can use php://filter to print the content of index.php in base64. We need to encode the content because we don't want the PHP engine to execute the PHP parts of the code.

We got the encoded page; now let's decode it and see if we find a flag. I deleted some content to decrease the size of the code in the post.


Nope. No flag. The "flag{…}" thing isn't really the flag, because the flag in this CTF should be in h4ck1t{…} format.
The other pages like 'about' and 'contact' don't contain any flag either. So we probably need to turn the LFI into RCE (Remote Code Execution). We can use the php://input method to send PHP commands through POST requests. Using the Firefox HackBar plugin we can do it easily.
Set the URL to be  and the POST data to be


Success. We got RCE, and we now know about a new secret file. Let's read it the same way, but this time with

And we got the flag 🙂
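Detection logic for the LFI-to-RCE chain walked through above, as an added example that is not from the writeup: it scans constructed access-log lines for the indicators this challenge used (traversal to /etc/passwd, the %00 null byte, php://filter and php://input), decoding each target twice to catch double encoding. IPs are constructed from the 203.0.113.0/24 documentation range.

```python
import re
from urllib.parse import unquote

# Added example (not from the writeup): detection logic for the LFI-to-RCE chain
# described above, run over constructed access-log lines in combined-log format.
# Each request target is URL-decoded twice (to catch %2500-style double
# encoding) and checked for the indicators this challenge used.
INDICATORS = {
    "traversal": re.compile(r"(\.\./){2,}|/etc/passwd"),
    "null_byte": re.compile(r"\x00|%00"),
    "php_filter": re.compile(r"php://filter", re.I),
    "php_input": re.compile(r"php://input", re.I),
}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

SAMPLE_LOG = [  # constructed lines; 203.0.113.0/24 is the documentation range
    '203.0.113.7 - - [10/Oct/2016:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2016:10:00:05 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1873',
    '203.0.113.9 - - [10/Oct/2016:10:00:09 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 4096',
    '203.0.113.9 - - [10/Oct/2016:10:00:14 +0000] "POST /index.php?page=php://input HTTP/1.1" 200 300',
]


def classify_request(raw_target: str):
    """Sorted indicator names found in a request target, [] if clean."""
    once = unquote(raw_target)
    twice = unquote(once)
    return sorted(name for name, rx in INDICATORS.items()
                  if rx.search(once) or rx.search(twice))


def scan_log(lines):
    """(ip, method, target, tags) for every request that trips an indicator."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line; a real pipeline would count these
        ip, method, target, _status = match.groups()
        tags = classify_request(target)
        if tags:
            hits.append((ip, method, target, tags))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```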

Flag: h4ck1t{g00d_rfi_its_y0ur_fl@g}

[H4CK1T 2016] PhParanoid – Malaysia Writeup




Task: PhParanoid – Malaysia – 225 – Rever$e

EN: I am so paranoid! I try to hide everything from this mad world! I have already obfuscated my calculator sources, my javascript site sources and I`m not going to stop! And u will never know what I hide, haha!

In this challenge we got a phb file, i.e. a PHP file compiled with BCompiler (PHP Bytecode Compiler). We can decompile it using this.

The decompilation process is very simple, and we easily got this PHP file (I deleted repeated parts to decrease its size):


So what we have here is a manipulation of char codes to check whether the secret variable is valid. Let's find out which char codes we need in order to find the flag.

Every if statement in the code looks like the following. I added comments for explanation:

So, from this we can assume that the flag starts with chr(20+84), which is 'h'. That makes sense, because we know the flag starts with "h4ck1t{". I manipulated the script (lots of replaces in Notepad++ to keep only the relevant char codes) to create a list of the char codes and then converted them to chars with Python.