Monday, September 29, 2014

SU-CTF Quals 2014 - Write-ups

This weekend I've played Sharif University CTF (SU-CTF) Quals 2014.
Here are some of my write-ups:

What is this [20]
We have two images. Need to find the flag! It's steganography task.
Using the next simple Python code we'll get difference between the two images.
from PIL import Image, ImageChops
image1 ='pic1.jpg')
image2 ='pic2.jpg')
diff = ImageChops.difference(image1, image2)'diff.jpg')

And the resulting image is with a flag:

Guess the number [30]
It's Reverse task. Need to guess the number and find the flag.
We have guess.jar file. 
Decompile the file.

import java.math.BigInteger;

public class guess

    public guess()

    static String XOR(String _str_one, String _str_two)
        BigInteger i1 = new BigInteger(_str_one, 16);
        BigInteger i2 = new BigInteger(_str_two, 16);
        BigInteger res = i1.xor(i2);
        String result = res.toString(16);
        return result;

    public static void main(String args[])
        int guess_number = 0;
        int my_num = 0x14d8f707;
        int my_number = 0x5c214f6c;
        int flag = 0x149b861a;
        if(args.length > 0)
                guess_number = Integer.parseInt(args[0]);
                if(my_number / 5 == guess_number)
                    String str_one = "4b64ca12ace755516c178f72d05d7061";
                    String str_two = "ecd44646cfe5994ebeb35bf922e25dba";
                    my_num += flag;
                    String answer = XOR(str_one, str_two);
                    System.out.println((new StringBuilder("your flag is: ")).append(answer).toString());
                } else
                    System.err.println("wrong guess!");
            catch(NumberFormatException e)
                System.err.println("please enter an integer \nexample: java -jar guess 12");
        } else
            System.err.println("wrong guess!");
            int num = 0xf4240;
So to get a flag we just need to xor two hex numbers.
print '%x' % (0x4b64ca12ace755516c178f72d05d7061 ^ 0xecd44646cfe5994ebeb35bf922e25dba)
Flag: a7b08c546302cc1fd2a4d48bf2bf2ddb

Recover deleted file [40]
Forensics task. Need to recover the disk and find the flag.
After a quick analysis of disk-image. I've found that elf file is present in the image.
After cutting this file out, and using radare2 to disassemble it, I've got a flag:
Convert bytes to chars using Python:
print ''.join(map(chr, [0x20, 0x64, 0x65, 0x36, 0x38, 0x33, 0x38, 0x32, 0x35, 0x32, 0x66, 0x39, 0x35, 0x64, 0x33, 0x62, 0x39, 0x65, 0x38, 0x30, 0x33, 0x62, 0x32, 0x38, 0x64, 0x66, 0x33, 0x33, 0x62, 0x34, 0x62, 0x61, 0x61, 0x00]))
Flag: de6838252f95d3b9e803b28df33b4baa

Hidden Message [40]
Steganography task. What is the hidden message?
We have captured network traffic (80 packets) in pcap file.

Ok. I've assumed that 80 packets are 80 bits, or 10 bytes.
And if source port is 3401 then it is "0" bit, otherwise (if port is 3400) - add "1" bit.
And finally I've got the next binary sequence:
After splitting into 8-bit chunks (bytes) and converting each byte to ascii, I've got a flag.
Here is my code for getting flag from hidden-message.pcap file.

# read data
data = []
with open('hidden-message.pcap', 'rb') as f:
 data =

# get bits
bits = ''
for i in xrange(75, len(data), 81):
 bits += '0' if data[i:i+1]=='I' else '1'
# convert to chars
flag = ''
for i in xrange(0, len(bits), 8):
 flag += chr(int(bits[i:i+8], 2))
print flag
Flag: Heisenberg

Sudoku image encryption [40]
Need to solve sudoku to get a flag.

Solved sudoku:

Need to set appropriate image in the row, according to the number (column index). Repeat this operation for each row.
Using the next Python script, I've got the flag:
from PIL import Image

# solved sudoku
s = '''
s = s.replace('\n', '')

image ='image.png').convert('RGB')
out_image ='RGB', image.size)
for j in xrange(0, 9):
 for i in xrange(0, 9):
  img_cell = image.crop((i * 50, j * 50, i * 50 + 50, j * 50 + 50))
  # get pos (column)
  column = (int(s[j * 9 + i]) - 1) * 50
  out_image.paste(img_cell, (column, j * 50))'out_image.png')

The image with the flag:

Flag: d41d8cd98f00b204e9800998ecf8427e3

Hear With Your Eyes [100]
It's steganography task.
We have sound.wav file.
I've opened a spectrogram view of this file in Audacity and got the flag.

Flag: e5353bb7b57578bd4da1c898a8e2d767

Cafe-1 [150]
Recon task.
Nice coffee shop, much better than Starbucks! Do you know a professional Logo Designer?!
Flag: md5(Nickname)
We have a photo cafeteria.jpg with QR code.

I've a little bit modified QR code image (rotated and scaled). Then I've tried to draw random points in the missing area until it recognized the QR code:
After successful scanning of QR code, I've got the next data from it:
Good! I've opened this page. Here it is:
After that I've looked inside the logo:
But no useful info about designer was there.
After that I've checked the parent directory and opened the next url:
Only logo (logo_6a47d39b77f1b182147fa51fe444ac58.png) of coffee shop was on this page, so I've looked inside of it and found this:
Designed by: nooneonemore
Good! Flag is found. md5(nooneonemore)
Flag: 8fb02613df9e1ff165ccc161329fa661

Cafe-2 [150]
Recon task.
What was the quote of the day? (see cafe-1)
Firstly I've checked QR code on site About page. There was the next data:
A friend cannot be considered a friend until he is tested in three occasions: in timeof need, behind your back, and after your death.
But I've checked this quote, it's incorrect.
Then I've checked the quote from first task QR code:
And it was correct! So flag is md5 from this quote.
Flag: 9ff2cda61c87fedf687efd9ec84d0600