This weekend I've played Sharif University CTF (SU-CTF) Quals 2014.
Here are some of my write-ups:
What is this [20]
We have two images and need to find the flag. It's a steganography task.
Using the following simple Python code, we get the difference between the two images.
    from PIL import Image, ImageChops

    # pixel-wise absolute difference: identical areas turn black, changes stand out
    image1 = Image.open('pic1.jpg')
    image2 = Image.open('pic2.jpg')
    diff = ImageChops.difference(image1, image2)
    diff.save('diff.jpg')
And the resulting image contains the flag:
Flag: AZADI TOWER
Guess the number [30]
It's a Reverse task. We need to guess the number and find the flag.
We have a guess.jar file.
Decompile the file.
    import java.io.PrintStream;
    import java.math.BigInteger;

    public class guess {
        public guess() {
        }

        // XOR two hex strings as big integers and return the result as hex
        static String XOR(String _str_one, String _str_two) {
            BigInteger i1 = new BigInteger(_str_one, 16);
            BigInteger i2 = new BigInteger(_str_two, 16);
            BigInteger res = i1.xor(i2);
            String result = res.toString(16);
            return result;
        }

        public static void main(String args[]) {
            int guess_number = 0;
            int my_num = 0x14d8f707;
            int my_number = 0x5c214f6c;
            int flag = 0x149b861a;
            if(args.length > 0) {
                try {
                    guess_number = Integer.parseInt(args[0]);
                    // the expected guess is my_number / 5
                    if(my_number / 5 == guess_number) {
                        // the flag does not depend on the guess: it is the XOR of these two constants
                        String str_one = "4b64ca12ace755516c178f72d05d7061";
                        String str_two = "ecd44646cfe5994ebeb35bf922e25dba";
                        my_num += flag;
                        String answer = XOR(str_one, str_two);
                        System.out.println((new StringBuilder("your flag is: ")).append(answer).toString());
                    } else {
                        System.err.println("wrong guess!");
                        System.exit(1);
                    }
                } catch(NumberFormatException e) {
                    System.err.println("please enter an integer \nexample: java -jar guess 12");
                    System.exit(1);
                }
            } else {
                System.err.println("wrong guess!");
                int num = 0xf4240;
                num++;
                System.exit(1);
            }
        }
    }
So to get a flag we just need to xor two hex numbers.
    print('%x' % (0x4b64ca12ace755516c178f72d05d7061 ^ 0xecd44646cfe5994ebeb35bf922e25dba))
Flag: a7b08c546302cc1fd2a4d48bf2bf2ddb
Recover deleted file [40]
Forensics task. Need to recover the disk and find the flag.
After a quick analysis of the disk image, I've found that an ELF file is present in the image.
After cutting this file out, and using radare2 to disassemble it, I've got a flag:
Convert bytes to chars using Python:
    # the byte values read from the disassembly, printed as characters
    print(''.join(map(chr, [0x20, 0x64, 0x65, 0x36, 0x38, 0x33, 0x38, 0x32, 0x35, 0x32, 0x66, 0x39, 0x35, 0x64, 0x33, 0x62, 0x39, 0x65, 0x38, 0x30, 0x33, 0x62, 0x32, 0x38, 0x64, 0x66, 0x33, 0x33, 0x62, 0x34, 0x62, 0x61, 0x61, 0x00])))
Flag: de6838252f95d3b9e803b28df33b4baa
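The step of finding the ELF file inside the disk image and cutting it out can be done with a small carver; this is an added example, not the author's tooling. It assumes the section header table is the last thing in the file, and `build_sample_image` constructs its own test image.

```python
import struct

ELF_MAGIC = b"\x7fELF"

def elf_size(buf: bytes, off: int):
    """Estimate the length of the ELF file starting at off, or None if the header is implausible."""
    ident = buf[off:off + 16]
    if len(ident) < 16 or ident[4] not in (1, 2) or ident[5] not in (1, 2):
        return None                      # EI_CLASS / EI_DATA must be valid
    endian = "<" if ident[5] == 1 else ">"
    fmt = endian + ("HHIIIIIHHHHHH" if ident[4] == 1 else "HHIQQQIHHHHHH")
    hdr = buf[off + 16:off + 16 + struct.calcsize(fmt)]
    if len(hdr) < struct.calcsize(fmt):
        return None
    (_, _, version, _, phoff, shoff, _, ehsize,
     phentsize, phnum, shentsize, shnum, _) = struct.unpack(fmt, hdr)
    if version != 1 or ehsize != 16 + struct.calcsize(fmt):
        return None                      # rejects most accidental magic matches
    # Assumption: the section header table ends the file (usual linker layout);
    # without one, the end of the program header table is the lower bound used.
    return max(ehsize, phoff + phnum * phentsize, shoff + shnum * shentsize)

def carve_elfs(image: bytes):
    """Return (offset, data) for every plausible ELF file found in a raw image."""
    found, pos = [], image.find(ELF_MAGIC)
    while pos != -1:
        size = elf_size(image, pos)
        if size and pos + size <= len(image):
            found.append((pos, image[pos:pos + size]))
        pos = image.find(ELF_MAGIC, pos + 1)
    return found

def build_sample_image():
    """Constructed test image: a skeleton ELF64 (no real code) between filler bytes."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
    body = b"A" * 100                    # stand-in for code and data
    shoff = 64 + len(body)
    hdr = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 2, 0)
    elf = ident + hdr + body + bytes(2 * 64)   # two empty section headers
    return b"\xff" * 512 + elf + b"\xee" * 300, elf

if __name__ == "__main__":
    image, _ = build_sample_image()
    for offset, data in carve_elfs(image):
        print("ELF at offset", offset, "length", len(data))
```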
Hidden Message [40]
Steganography task. What is the hidden message?
We have captured network traffic (80 packets) in a pcap file.
Ok. I've assumed that 80 packets are 80 bits, or 10 bytes.
If the source port is 3401, it is a "0" bit; otherwise (if the port is 3400), add a "1" bit.
And finally I've got the next binary sequence:
01001000011001010110100101110011011001010110111001100010011001010111001001100111
After splitting into 8-bit chunks (bytes) and converting each byte to ascii, I've got a flag.
Here is my code for getting flag from hidden-message.pcap file.
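    # read data
    with open('hidden-message.pcap', 'rb') as f:
        data = f.read()

    # get bits: 3401 = 0x0D49, so the low byte of the source port is 'I' (0x49) for a "0" bit;
    # offset 75 with a step of 81 bytes lands on that byte in each packet of this capture
    bits = ''
    for i in range(75, len(data), 81):
        bits += '0' if data[i:i+1] == b'I' else '1'

    # convert to chars
    flag = ''
    for i in range(0, len(bits), 8):
        flag += chr(int(bits[i:i+8], 2))
    print(flag)
Flag: Heisenberg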
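The same decoding with the pcap record headers and the IPv4 header length parsed instead of fixed byte offsets, as an added example that is not the author's code. It assumes a classic pcap file with Ethernet framing; the capture it runs on is constructed by `build_sample`.

```python
import struct

PORT_BITS = {3401: "0", 3400: "1"}   # mapping described in the write-up

def source_ports(pcap: bytes):
    """Yield the TCP/UDP source port of each IPv4 packet in a classic pcap file."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    pos = 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4 (VLAN tags are not handled)
        ihl = (frame[14] & 0x0F) * 4      # IP header length, so options are skipped
        if frame[23] in (6, 17) and len(frame) >= 14 + ihl + 2:
            yield struct.unpack("!H", frame[14 + ihl:16 + ihl])[0]

def bits_to_text(bits: str) -> str:
    """Decode a bit string 8 bits at a time, ignoring an incomplete last byte."""
    usable = len(bits) - len(bits) % 8
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))
    return raw.decode("ascii", "replace")

def decode(pcap: bytes) -> str:
    """Map each known source port to a bit and decode the result."""
    return bits_to_text("".join(PORT_BITS[p] for p in source_ports(pcap) if p in PORT_BITS))

def build_sample(text: str) -> bytes:
    """Constructed capture: one minimal UDP packet per bit of text."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for bit in "".join(f"{b:08b}" for b in text.encode()):
        udp = struct.pack("!HHHH", 3400 if bit == "1" else 3401, 9, 8, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        frame = bytes(12) + b"\x08\x00" + ip + udp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    print(decode(build_sample("Heisenberg")))
```

Packets whose source port is neither 3400 nor 3401 are ignored, so unrelated traffic in the same capture does not shift the bit stream.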
Sudoku image encryption [40]
We need to solve the sudoku to get a flag.
Solved sudoku:
964127538
712385694
385496712
491578263
238614975
576239841
627843159
153962487
849751326
We need to place each image cell of a row into the column given by the corresponding number (column index). Repeat this operation for each row.
Using the next Python script, I've got the flag:
    from PIL import Image

    # solved sudoku
    s = '''
    964127538
    712385694
    385496712
    491578263
    238614975
    576239841
    627843159
    153962487
    849751326
    '''
    # keep only the 81 digits (drops newlines and any indentation)
    s = ''.join(c for c in s if c.isdigit())

    image = Image.open('image.png').convert('RGB')
    out_image = Image.new('RGB', image.size)

    # the image is a 9x9 grid of 50x50 pixel cells
    for j in range(0, 9):
        for i in range(0, 9):
            img_cell = image.crop((i * 50, j * 50, i * 50 + 50, j * 50 + 50))
            # get pos (column)
            column = (int(s[j * 9 + i]) - 1) * 50
            out_image.paste(img_cell, (column, j * 50))

    out_image.save('out_image.png')
The image with the flag:
Flag: d41d8cd98f00b204e9800998ecf8427e3
Hear With Your Eyes [100]
It's a steganography task.
We have a sound.wav file.
I've opened a spectrogram view of this file in Audacity and got the flag.
Flag: e5353bb7b57578bd4da1c898a8e2d767
Cafe-1 [150]
Recon task.
Nice coffee shop, much better than Starbucks! Do you know a professional Logo Designer?!
Flag: md5(Nickname)
We have a photo cafeteria.jpg with a QR code.
I've modified the QR code image a little bit (rotated and scaled). Then I've tried to draw random points in the missing area until it recognized the QR code:
After successful scanning of QR code, I've got the next data from it:
GodForgives,AllYouHaveToDoIsAsk
suctf.com/cce1/d393
Good! I've opened this page. Here it is:
After that I've looked inside the logo:
http://suctf.com/cce1/d393/images/sharifnosh.png
But no useful info about designer was there.
After that I've checked the parent directory and opened the next url:
http://suctf.com/cce1/
Only the logo (logo_6a47d39b77f1b182147fa51fe444ac58.png) of the coffee shop was on this page, so I've looked inside of it and found this:
Designed by: nooneonemore
For: http://suctf.com/cce1/d393
Good! Flag is found. md5(nooneonemore)
Flag: 8fb02613df9e1ff165ccc161329fa661
Cafe-2 [150]
Recon task.
What was the quote of the day? (see cafe-1)
Flag: md5(Quote)
Firstly I've checked the QR code on the site's About page. There was the next data:
A friend cannot be considered a friend until he is tested in three occasions: in timeof need, behind your back, and after your death.
http://www.suctf.com/cce1ef795f762eab3fde5eeb2e6293d5/d3930f9805f8ba9d2a81a96bec3
But I've checked this quote, it's incorrect.
Then I've checked the quote from first task QR code:
GodForgives,AllYouHaveToDoIsAsk
And it was correct! So flag is md5 from this quote.
Flag: 9ff2cda61c87fedf687efd9ec84d0600
What QR code scanner did you use to scan the QR Code (In cafe-1) ?
I just can't get mine to scan it.
I've used barcode scanner for Android, but I've a little bit modified QR code image (rotated and scaled). Then I've tried to draw random points in the missing area until it recognized the QR code.
We cropped the logo on the cup and searched it in Google, which led to http://suctf.com/cce1/
The site had several versions of logo which had hidden info in it. One of them was http://suctf.com/cce1/d393/ which had a healthy QR inside.
Nice! I've seen similar solution among writeups on ctftime :)
I used Android scanner as well, didn't rotate and scale, however, did randomly add some points for missing section.
I've added restored QR code image to write-up.
Great write-ups! Thanks :)
Thank you!
Sorry, I'm a newbie, and I can't understand this:
"so I've looked inside of it and found this:
Designed by: nooneonemore
For: http://suctf.com/cce1/d393"
Can you help me?
The simplest way - to open the photo with any text editor, but better to use any hex editor.
Or if you know that your file is a photo or image (like in this task), you can read meta information inside of it using ExifTool.
Could you go into more detail about the "Hear With Your Eyes" task? How do you get the flag?
Here is a video on how to get the spectrogram of an audio track in Audacity:
http://www.youtube.com/watch?v=VZbZa99ocPU