Monday, September 29, 2014

SU-CTF Quals 2014 - Write-ups

This weekend I played in the Sharif University CTF (SU-CTF) Quals 2014.
Here are some of my write-ups:

What is this [20]
We are given two images and need to find the flag. It's a steganography task.
The following simple Python code computes the difference between the two images:
from PIL import Image, ImageChops
image1 = Image.open('pic1.jpg')
image2 = Image.open('pic2.jpg')
diff = ImageChops.difference(image1, image2)
diff.save('diff.jpg')

The resulting image shows the flag:
Flag: AZADI TOWER

Guess the number [30]
It's a reverse-engineering task: we need to guess the number and find the flag.
We are given a guess.jar file.
Decompile it:

import java.io.PrintStream;
import java.math.BigInteger;

public class guess
{

    public guess()
    {
    }

    static String XOR(String _str_one, String _str_two)
    {
        BigInteger i1 = new BigInteger(_str_one, 16);
        BigInteger i2 = new BigInteger(_str_two, 16);
        BigInteger res = i1.xor(i2);
        String result = res.toString(16);
        return result;
    }

    public static void main(String args[])
    {
        int guess_number = 0;
        int my_num = 0x14d8f707;
        int my_number = 0x5c214f6c;
        int flag = 0x149b861a;
        if(args.length > 0)
        {
            try
            {
                guess_number = Integer.parseInt(args[0]);
                if(my_number / 5 == guess_number)
                {
                    String str_one = "4b64ca12ace755516c178f72d05d7061";
                    String str_two = "ecd44646cfe5994ebeb35bf922e25dba";
                    my_num += flag;
                    String answer = XOR(str_one, str_two);
                    System.out.println((new StringBuilder("your flag is: ")).append(answer).toString());
                } else
                {
                    System.err.println("wrong guess!");
                    System.exit(1);
                }
            }
            catch(NumberFormatException e)
            {
                System.err.println("please enter an integer \nexample: java -jar guess 12");
                System.exit(1);
            }
        } else
        {
            System.err.println("wrong guess!");
            int num = 0xf4240;
            num++;
            System.exit(1);
        }
    }
}
The guess only gates the output: the printed flag is just the XOR of the two hex constants str_one and str_two, so we can compute it directly.
print('%x' % (0x4b64ca12ace755516c178f72d05d7061 ^ 0xecd44646cfe5994ebeb35bf922e25dba))
Flag: a7b08c546302cc1fd2a4d48bf2bf2ddb

Recover deleted file [40]
Forensics task. We need to recover the disk and find the flag.
After a quick analysis of the disk image, I found that an ELF file is present in it.
After cutting this file out and disassembling it with radare2, I got the flag:
Convert the bytes to chars using Python:
print(''.join(map(chr, [0x20, 0x64, 0x65, 0x36, 0x38, 0x33, 0x38, 0x32, 0x35, 0x32, 0x66, 0x39, 0x35, 0x64, 0x33, 0x62, 0x39, 0x65, 0x38, 0x30, 0x33, 0x62, 0x32, 0x38, 0x64, 0x66, 0x33, 0x33, 0x62, 0x34, 0x62, 0x61, 0x61, 0x00])))
Flag: de6838252f95d3b9e803b28df33b4baa

Hidden Message [40]
Steganography task. What is the hidden message?
We are given captured network traffic (80 packets) in a pcap file.

I assumed that the 80 packets encode 80 bits, or 10 bytes.
If the source port is 3401, the packet is a "0" bit; otherwise (the port is 3400) it is a "1" bit.
That gave me the following binary sequence:
01001000011001010110100101110011011001010110111001100010011001010111001001100111
After splitting it into 8-bit chunks (bytes) and converting each byte to ASCII, I got the flag.
Here is my code for extracting the flag from the hidden-message.pcap file:

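# read data
with open('hidden-message.pcap', 'rb') as f:
    data = f.read()

# get bits
# Offset 75 = 24-byte pcap global header + 16-byte record header + byte 35 of the
# frame, i.e. the low byte of the source port for Ethernet + 20-byte IPv4 headers.
# 'I' (0x49) is the low byte of port 3401 (0x0D49). The stride of 81 assumes every
# record (16-byte header + 65-byte frame) has the same size.
bits = ''
for i in range(75, len(data), 81):
    bits += '0' if data[i:i+1] == b'I' else '1'
# convert to chars
flag = ''
for i in range(0, len(bits), 8):
    flag += chr(int(bits[i:i+8], 2))
print(flag)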
Flag: Heisenberg
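
The fixed byte offsets above only work when every record has the same size. As an added example (not the author's code), here is the same source-port decoding done by parsing the pcap record, Ethernet and IPv4 headers properly; the sample capture is constructed from the bit string quoted above, plus one unrelated packet, and `build_pcap`, `source_ports`, `decode` and `sample_capture` are names chosen for this sketch.

```python
import struct

# Bit string quoted in the write-up, grouped into bytes for readability.
PAGE_BITS = ('01001000 01100101 01101001 01110011 01100101 '
             '01101110 01100010 01100101 01110010 01100111').replace(' ', '')

def build_pcap(sports):
    """Constructed sample capture: one Ethernet/IPv4/UDP frame per source port."""
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for n, sport in enumerate(sports):
        udp = struct.pack('!HHHH', sport, 9999, 8, 0)
        ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(udp), n, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        frame = b'\x00' * 12 + b'\x08\x00' + ip + udp
        out += struct.pack('<IIII', n, 0, len(frame), len(frame)) + frame
    return out

def source_ports(pcap):
    """Yield the TCP/UDP source port of every IPv4 frame in a classic pcap file."""
    endian = {b'\xd4\xc3\xb2\xa1': '<', b'\xa1\xb2\xc3\xd4': '>'}.get(pcap[:4])
    if endian is None or struct.unpack(endian + 'I', pcap[20:24])[0] != 1:
        raise ValueError('expected a classic pcap file with Ethernet link type')
    pos = 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + 'I', pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b'\x08\x00':
            continue                      # not IPv4
        l4 = 14 + (frame[14] & 0x0f) * 4  # honour the IP header length field
        if frame[23] in (6, 17) and len(frame) >= l4 + 2:
            yield struct.unpack('!H', frame[l4:l4 + 2])[0]

def decode(pcap, zero_port=3401, one_port=3400):
    """Map source ports to bits, ignore unrelated traffic, return the ASCII text."""
    bits = ''.join('0' if p == zero_port else '1'
                   for p in source_ports(pcap) if p in (zero_port, one_port))
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8)).decode('ascii')

def sample_capture():
    ports = [3401 if b == '0' else 3400 for b in PAGE_BITS]
    ports.insert(5, 53)                   # constructed unrelated packet
    return build_pcap(ports)

if __name__ == '__main__':
    print(decode(sample_capture()))
```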

Sudoku image encryption [40]
We need to solve a sudoku to get the flag.

Solved sudoku:
964127538
712385694
385496712
491578263
238614975
576239841
627843159
153962487
849751326

Each digit in the solved grid is a column index: the image tile at that position has to be moved to that column within the same row. Repeat this operation for each row.
Using the following Python script, I got the flag:
from PIL import Image

# solved sudoku
s = '''
964127538
712385694
385496712
491578263
238614975
576239841
627843159
153962487
849751326
'''
s = s.replace('\n', '')

image = Image.open('image.png').convert('RGB')
out_image = Image.new('RGB', image.size)
for j in range(9):
    for i in range(9):
        # cut out the 50x50 tile at column i, row j
        img_cell = image.crop((i * 50, j * 50, i * 50 + 50, j * 50 + 50))
        # get pos (column): the digit is the 1-based destination column
        column = (int(s[j * 9 + i]) - 1) * 50
        out_image.paste(img_cell, (column, j * 50))
out_image.save('out_image.png')

The image with the flag:

Flag: d41d8cd98f00b204e9800998ecf8427e3

Hear With Your Eyes [100]
It's a steganography task.
We are given a sound.wav file.
I opened the spectrogram view of this file in Audacity and got the flag.

Flag: e5353bb7b57578bd4da1c898a8e2d767

Cafe-1 [150]
Recon task.
Nice coffee shop, much better than Starbucks! Do you know a professional Logo Designer?!
Flag: md5(Nickname)
We are given a photo, cafeteria.jpg, with a QR code.

I modified the QR code image slightly (rotated and scaled it). Then I tried drawing random points in the missing area until the scanner recognized the QR code:
After successfully scanning the QR code, I got the following data from it:
GodForgives,AllYouHaveToDoIsAsk
suctf.com/cce1/d393
Good! I opened this page. Here it is:
After that I looked inside the logo:
http://suctf.com/cce1/d393/images/sharifnosh.png
But there was no useful info about the designer in it.
After that I checked the parent directory and opened the following URL:
http://suctf.com/cce1/
Only the coffee shop's logo (logo_6a47d39b77f1b182147fa51fe444ac58.png) was on this page, so I looked inside it and found this:
Designed by: nooneonemore
For: http://suctf.com/cce1/d393
Good! The flag is found: md5(nooneonemore)
Flag: 8fb02613df9e1ff165ccc161329fa661

Cafe-2 [150]
Recon task.
What was the quote of the day? (see cafe-1)
Flag: md5(Quote)
First I checked the QR code on the site's About page. It contained the following data:
A friend cannot be considered a friend until he is tested in three occasions: in timeof need, behind your back, and after your death.
http://www.suctf.com/cce1ef795f762eab3fde5eeb2e6293d5/d3930f9805f8ba9d2a81a96bec3
But I checked this quote, and it was incorrect.
Then I checked the quote from the first task's QR code:
GodForgives,AllYouHaveToDoIsAsk
And it was correct! So the flag is the md5 of this quote.
Flag: 9ff2cda61c87fedf687efd9ec84d0600

12 comments:

  1. What QR code scanner did you use to scan the QR code (in Cafe-1)?
    I just can't get mine to scan it.

    1. I used a barcode scanner for Android, but I modified the QR code image a little (rotated and scaled it). Then I tried drawing random points in the missing area until it recognized the QR code.

    2. We cropped the logo on the cup and searched for it in Google, which led to http://suctf.com/cce1/
      The site had several versions of the logo which had hidden info in them. One of them was http://suctf.com/cce1/d393/ which had a healthy QR inside.

    3. Nice! I've seen a similar solution among the write-ups on ctftime :)

    4. I used an Android scanner as well. I didn't rotate and scale, but I did randomly add some points for the missing section.

    5. I've added the restored QR code image to the write-up.

  2. Great write-ups! Thanks :)

  3. Sorry, I'm a newbie, and I can't understand this:
    "so I've looked inside of it and found this:
    Designed by: nooneonemore
    For: http://suctf.com/cce1/d393"

    Can you help me?

    1. The simplest way is to open the photo with any text editor, but it's better to use a hex editor.
      Or, if you know that your file is a photo or image (like in this task), you can read the metadata inside it using ExifTool.

  4. Could you go into more detail on the "Hear With Your Eyes" task? How do you get the flag?

    1. Here is a video showing how to get a spectrogram of an audio track in Audacity:
      http://www.youtube.com/watch?v=VZbZa99ocPU
