Month: November 2016

Hack The Vote CTF 2016


Warp Speed 150

Our Trump advertising campaign is incredible, it’s skyrocketing! It’s astronomical! Wait stop!! SLOW DOWN!!!

File: warp_speed.5978d1405660e365872cf72dddc7515603f657f12526bd61e56feacf332cccad.jpg


As you can clearly see, a single image has been cut into several slices and split into two halves. The first part of the challenge is to cut the slices out of the left side and the right side of the image. We used a slicer script written with Python PIL: slicer.py. Each slice is 7 pixels high, which gave us 36 slices from the left and right sides of the image.

Now it’s time to join the slices, taking one from the left and one from the right in turn, to make a single portrait image. We wrote another script to join them into a single image: merge_image.py

flag.jpg

Flag: flag{1337_ph0t0_5k1lls}

Electioneering (250 Points)

We confiscated this poster that was being handed out at polling places. It doesn’t appear to be supporting a candidate, but we’d like you to take a look just to be sure.

poster

Upon receiving the PNG image, I ran binwalk over the file. To my surprise, it had a password-protected zip file embedded in it.

So our task was to find the password for the zip file to extract the flag.txt file.

Upon loading the image in the stegsolve tool, we found some noise in the top left corner in the gray bits of the poster.png file and saved it as gray_bits.bmp.

Zooming into the image (using GIMP) shows that the noise is 4 pixels high.


And it prints: IrateAnagramCakeImage

This should be the password of the zip file.

Flag: flag{4nd_th3_w1nn3r_15…}

TOPKEK 50

A CNN reporter had only one question that she couldn’t get off her mind

Do we even know, who is this 4 CHAN???

So she set out to find who this 400lb hacker is. During her investigation, she came across this cryptic message on some politically incorrect forum online, can you figure out what it means?

kek

We treated KEK as binary 0 and TOP as binary 1, with the number of ‘!’ characters giving how many times that zero or one is repeated. We wrote a script to read the flag from the kek file.

Flag: flag{T0o0o0o0o0P______1m_h4V1nG_FuN_r1gHt_n0W_4R3_y0u_h4v1ng_fun______K3K!!!}

 


RC3 CTF


Recently I participated in an entry-level CTF and solved a few forensics challenges in it.

Somepang (Forensics 50 points)

A pcap file was given: <link to file>

Upon opening the file in Wireshark, you can see that it contains ICMP packets. The interesting detail is that each echo-reply packet carries two bytes that are unique to that packet but repeat several times within it.

I wrote a Python script to extract the last two bytes from the pcap.

somepang-flag

Flag: RC3-2016-PANG-ME-LIKE-ONE-OF-YOUR-FRENCH-GORILLAZ

My Lil Droid (Forensics 100 Points)

This is one of the easiest tasks in the forensics section. A Youtube.apk file was given.

I used strings and searched for RC3 and then for 2016. I was able to find base64-encoded strings that look like a flag (RC3-2016-SOMESTRING).

Flag: RC3-2016-GOTEM21

Graphic Design (Forensics 200)

A Blender object file was given. Upon loading the object file in the Blender application, a 3D model of a dinosaur opened. I was able to see various layers and disabled all of them except the layer named def_not_the_flag_Text.002

Flag: RC3-2016-St3GG3rz

Breaking News (Forensics 300)

A zip file was given, and it contained 20 zip files. Usually, a zip file ends with a PK signature followed by a bunch of 0x00s. But while inspecting the tail of certain zip files (4, 9, 10, 12, 15), I could see base64-encoded strings.

Flag: RC3-2016-DUKYFBLS
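The tail check described above can be automated. The following is an added example, not the script used for the challenge: it locates the end-of-central-directory record (the final `PK` signature), then reports the archive comment and any bytes appended after the record. The sample archives, their file names and the hidden strings are constructed for the demo, and the helper names are hypothetical.

```python
import base64
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory (EOCD) signature
EOCD_LEN = 22             # fixed part of the record; the comment follows it


def zip_tail(data):
    """Return (comment, trailing): the archive comment held in the EOCD record
    and any bytes after the record. Both are empty in an ordinary archive."""
    pos = data.rfind(EOCD_SIG)
    while pos != -1:  # walk backwards until a record's declared length fits
        if pos + EOCD_LEN <= len(data):
            (comment_len,) = struct.unpack_from("<H", data, pos + 20)
            end = pos + EOCD_LEN + comment_len
            if end <= len(data):
                return data[pos + EOCD_LEN:end], data[end:]
        pos = data.rfind(EOCD_SIG, 0, pos)
    raise ValueError("no end-of-central-directory record found")


def hidden_text(data):
    """Decode base64 text found in the comment or after the EOCD record."""
    comment, trailing = zip_tail(data)
    blob = (comment + trailing).strip(b"\x00\r\n ")
    try:
        return base64.b64decode(blob, validate=True).decode("ascii")
    except ValueError:  # not base64, or not ASCII once decoded
        return ""


def scan(archives):
    """Map archive name to decoded hidden text, for archives that carry any."""
    return {n: t for n, d in archives.items() if (t := hidden_text(d))}


def make_zip(tail=b"", comment=b""):
    """Build a constructed one-file archive in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample\n")
        zf.comment = comment
    return buf.getvalue() + tail


# Constructed samples: only 2.zip and 3.zip carry hidden base64.
SAMPLES = {"1.zip": make_zip(),
           "2.zip": make_zip(tail=base64.b64encode(b"EXAMPLE-")),
           "3.zip": make_zip(comment=base64.b64encode(b"PART"))}
print(scan(SAMPLES))
```

Concatenating the decoded pieces in archive order rebuilds the hidden message.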

DTrump (Forensics 400)

File: dtrump.img.zip was given, and it contains an ISO 9660 CD-ROM filesystem data ‘CDROM’.

I mounted the ISO on my machine.

I was able to find a folder called secretfiles, which is a git repository. As the ISO is always mounted read-only, I was not able to check out the deleted private.key file. There is an Excel file called Workbook1.xlsx.gpg which is encrypted using this private key. Hence I copied the secretfiles directory into my filesystem, where I can read and write. I used the private key to decrypt the XLSX file.

LibreOffice opened with a password prompt, and I provided password123, which was determined by examining the document.txt file. The flag was present in sheet 2.


Flag: RC3-2016-SNEAKY21