Fore3: USB probing (150)
On this challenge we're given a pcap and a description mentioning something is to be found from a USB data transfer. Noticed lots of USB-based pcap challenges on AlexCTF & BITSCTF this year...
One of our agents managed to sniff an important piece of data transmitted via USB; he told us that this pcap file contains all that we need to recover the data. Can you find it? fore2.pcap
Firing up wireshark and sorting the packets by size, we can see on the largest one there's a familiar segment in the data section:
Looks like there's a PNG in here! Right-clicking the data field and selecting "Leftover Capture Data" > "Copy" > "...as Hex Dump" gives us the bytes we need for this challenge. Throwing that into vim, deleting the first (offset) column, then running :%s/ //g and :%s/\n//g leaves one long string of hex. Now we can export the binary data (the hex saved as ./raw) with something like this (Python 2, since str.decode("hex") is used):
cat ./raw | xargs python -c 'import sys; print sys.argv[1].decode("hex")' > out1.png
Now we can check out this PNG for file type and EXIF data:
$ file out1.png
out1.png: PNG image data, 460 x 130, 8-bit/color RGBA, interlaced
$ exiftool out1.png
ExifTool Version Number         : 10.08
File Name                       : out1.png
Directory                       : .
File Size                       : 60 kB
File Modification Date/Time     : 2017:02:06 18:09:03-08:00
File Access Date/Time           : 2017:02:05 19:13:06-08:00
File Inode Change Date/Time     : 2017:02:06 18:09:03-08:00
File Permissions                : rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 460
Image Height                    : 130
Bit Depth                       : 8
Color Type                      : RGB with Alpha
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Adam7 Interlace
Gamma                           : 2.2
Background Color                : 255 255 255
Pixels Per Unit X               : 2835
Pixels Per Unit Y               : 2835
Pixel Units                     : meters
Modify Date                     : 2016:12:31 19:24:31
Comment                         : Created with GIMP
Warning                         : Corrupted PNG image
Image Size                      : 460x130
Megapixels                      : 0.060
It worked! The file is slightly corrupted, but once we view the image (with the alpha channel fixed) it is readable enough to recover the flag:
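The same recovery, done in code instead of vim: an added example (not part of the original writeup) that parses Wireshark's "...as Hex Dump" text, carves the PNG out of the leftover capture data by walking its chunks, and verifies every chunk CRC so that the "Corrupted PNG image" warning exiftool printed above becomes a concrete list of bad chunks. The hex dump it runs on is constructed inside the block from a 1x1 PNG (it is not the challenge capture), with a couple of junk bytes around it to stand in for non-image USB data.

```python
#!/usr/bin/env python3
"""Rebuild a PNG from Wireshark's "Copy > ...as Hex Dump" text and check its
chunk structure. Added example, not code from the original writeup; the hex
dump it runs on is constructed here from a 1x1 PNG so the block works offline."""
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def hexdump_to_bytes(dump):
    """Turn hex-dump lines ("0000   89 50 4e 47 ...   .PNG") into bytes.
    Columns are separated by runs of 2+ spaces: offset, hex bytes, optional
    ASCII. Only the hex column is kept, which is what the vim edits in the
    writeup (delete first column, strip spaces and newlines) achieve."""
    out = bytearray()
    for line in dump.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) >= 2:
            out += bytes.fromhex(parts[1])  # fromhex ignores the single spaces
    return bytes(out)


def carve_png(blob):
    """Return the PNG starting at the first signature, walking chunk lengths
    until IEND so bytes before/after the image (other USB data) are dropped."""
    start = blob.find(PNG_SIG)
    if start < 0:
        raise ValueError("no PNG signature in data")
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 12 + length  # length + type + data + CRC
        if ctype == b"IEND":
            return blob[start:pos]
    return blob[start:]  # no IEND reached: truncated, let the checker say so


def check_png_chunks(png):
    """Walk the chunks and verify every CRC-32 (computed over type + data).
    Returns (chunk types, problems); exiftool's 'Corrupted PNG image' warning
    corresponds to a non-empty problems list."""
    types, problems = [], []
    if not png.startswith(PNG_SIG):
        problems.append("bad signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        name = ctype.decode("latin-1")
        data = png[pos + 8:pos + 8 + length]
        crc = png[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc) < 4:
            problems.append("truncated chunk " + name)
            break
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            problems.append("bad CRC in " + name)
        types.append(name)
        pos += 12 + length
        if ctype == b"IEND":
            break
    if "IEND" not in types:
        problems.append("missing IEND")
    return types, problems


# --- constructed sample input (not the CTF capture) --------------------------

def _chunk(ctype, data):
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF))


def build_sample_png():
    """A valid 1x1 8-bit RGBA PNG with one red pixel."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\x00" + b"\xff\x00\x00\xff")  # filter byte + RGBA
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def make_hexdump(blob):
    """Render bytes in the offset / hex / ASCII layout Wireshark copies."""
    rows = []
    for off in range(0, len(blob), 16):
        row = blob[off:off + 16]
        hexs = " ".join("%02x" % b for b in row)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        rows.append("%04x   %-47s   %s" % (off, hexs, asc))
    return "\n".join(rows)


# two leading junk bytes and five trailing ones stand in for non-image USB data
SAMPLE_DUMP = make_hexdump(b"\x13\x37" + build_sample_png() + b"\x00" * 5)


def recover(dump=SAMPLE_DUMP):
    """Hex dump text -> (png bytes, chunk types, problems)."""
    png = carve_png(hexdump_to_bytes(dump))
    types, problems = check_png_chunks(png)
    return png, types, problems


if __name__ == "__main__":
    png, types, problems = recover()
    with open("out1.png", "wb") as f:
        f.write(png)
    print("chunks:", types, "problems:", problems or "none")
```

Walking the chunk table rather than searching for the string "IEND" matters on real captures: "IEND" can occur inside compressed IDAT data, and a length-driven walk also tells you exactly which chunk a bit flip or truncation landed in, which is what decides whether the image is still worth fixing by hand.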
SC1: Math Bot (100)
It is well known that computers can do tedious math faster than humans. nc 195.154.53.62 1337
On this challenge I ended up using one of my own tools, PwnUp! It's a CLI utility built on pwntools that scaffolds a quick client for a remote interactive challenge. Here's a sample run setting up the client for this challenge:
pwnup
[*] Running PwnUp 1.0.6
[?] Choose a type.
1) ssh
2) remote
3) local
[*] You Chose: remote
host > 195.154.53.62
port > 1337
[+] Opening connection to 195.154.53.62 on port 1337: Done
[*] Press <Ctrl-D> to stop recording ...
[*] Switching to interactive mode
(ASCII-art robot banner)
Our system system has detected human traffic from your IP! Please prove you are a bot
Question 1 : 218318831115561303988112386917565 / 13366707491950058576832163796786 =
This dumps the client:
#!/usr/bin/env python
from pwn import *

r = remote('195.154.53.62', 1337)

def main():
    # recorded session: wait for the first question, send the answer we typed
    print(r.recvuntil('66707491950058576832163796786 =\n'))
    r.send('16.333029749251356\n')
    r.send('\n')

if __name__ == "__main__":
    main()
The initial client setup has been done, now we just have to generalize the maths. Through a couple iterations, it ended up looking something like this:
#!/usr/bin/env python
from pwn import *

r = remote('195.154.53.62', 1337)

def main():
    for i in range(250):
        print r.recvuntil(' :\n')                # "Question N :"
        q = r.recvuntil('=\n').replace('=', '')  # "a op b \n"
        print 'Q: {}'.format(q)
        value = 0
        _l, op, _r, _ = q.split(' ')
        _l = int(_l)
        _r = int(_r)
        # compare with ==, not 'is': identity only happens to work for
        # interned one-character strings in CPython
        if op == '+':
            value = _l + _r
        elif op == '-':
            value = _l - _r
        elif op == '*':
            value = _l * _r
        elif op == '%':
            value = _l % _r
        elif op == '/':
            value = _l // _r  # integer division, which is what '/' does for ints in Python 2
        print 'R: {}'.format(value)
        r.sendline('{}'.format(value))
    # after the last question the bot prints a few lines, then the flag
    print r.recvline()
    print r.recvline()
    print r.recvline()
    print r.recvline()
    r.interactive()

if __name__ == "__main__":
    main()
Running this script gives us:
......
Q: 174942629367119018977343151908382 - 15526770931750616720349747677112
R: 159415858435368402256993404231270
Question 247 :
Q: 60323767070161082714762485861860 + 233868579061398884615403732403639
R: 294192346131559967330166218265499
Question 248 :
Q: 249001744992309701987741377654436 + 119589169821601639702529040150239
R: 368590914813911341690270417804675
Question 249 :
Q: 186075071179272307783795940653753 + 205359634338042277068417382152009
R: 391434705517314584852213322805762
Question 250 :
Q: 103090646436160362683705207412345 + 111725961983915005271322948765063
R: 214816608420075367955028156177408
Well no human got time to solve 500 ridiculous math challenges
Congrats MR bot! Tell your human operator flag is: ALEXCTF{1_4M_l33t_b0t}
Dropping the flag around question 250:
ALEXCTF{1_4M_l33t_b0t}
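A more defensive parser for the bot's prompts, as an added example that is not the writeup's client: it pulls the two operands and the operator out with a regex, dispatches through a fixed table of the five operators the bot used, and raises on anything else instead of reaching for eval() on text a remote server chose. The prompt strings are constructed in the shape the server printed ("Question N : a op b ="); the first two reuse numbers shown above.

```python
#!/usr/bin/env python3
"""Parse and answer one Math Bot prompt without eval(). Added example, not the
writeup's client; the prompt strings are constructed in the server's format."""
import operator
import re

# Only the five operators the bot used; anything else is rejected rather than
# evaluated, so an unexpected prompt cannot run code on our side.
OPS = {
    "+": operator.add,
    "-": operator.sub,
    "*": operator.mul,
    "%": operator.mod,
    "/": operator.floordiv,  # what '/' did for ints in the Python 2 client
}

# optional "Question N :" prefix, then "<int> <op> <int> ="
PROMPT = re.compile(r"(?:Question\s+(\d+)\s*:\s*)?(-?\d+)\s*([-+*/%])\s*(-?\d+)\s*=")


def parse_question(text):
    """Return (question number or None, left, op, right) from a bot prompt."""
    m = PROMPT.search(text)
    if not m:
        raise ValueError("unrecognised prompt: %r" % text)
    num, left, op, right = m.groups()
    return (int(num) if num else None, int(left), op, int(right))


def solve(text):
    """Answer one prompt; big integers are native, so no precision is lost."""
    _, left, op, right = parse_question(text)
    return OPS[op](left, right)


SAMPLE_PROMPTS = [  # constructed, in the shape the server printed
    "Question 1 : 218318831115561303988112386917565 / 13366707491950058576832163796786 =",
    "Question 248 : 249001744992309701987741377654436 + 119589169821601639702529040150239 =",
    "Question 9 : 7 - 10 =",
]

if __name__ == "__main__":
    for p in SAMPLE_PROMPTS:
        print(p, solve(p))
```

Division is the one place where the answer depends on the interpreter: the recorded session above sent 16.333029749251356 for the first question while the finished Python 2 client sent integer results, and floordiv pins that behaviour down explicitly so the script answers the same way under Python 3.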
SC2: Cutie Cat (150)
Usually steganography challenges give me confidence; this one, however, did not. It was still a fun challenge, but I ended up coming back to it, and the hint gave away the answer for me. Initially I had tried many methods: alpha masks, LSB extraction, threshold tweaking / bit planes, XOR, etc. Here is the description with the hint:
yeah steganography challenges are the worst... that's why we got only ~~one~~ two steganography challenges. Hint: It's scripting because we need a python library to solve the challenge, one that is made in Japan.
Searching a bit through the internets for Python libraries made in Japan led me to this page - https://pypi.python.org/pypi?%3Aaction=search&term=japanese
On here, if you search for stego, you find this library - https://pypi.python.org/pypi/steganography/0.1.1
After installing it and running it against the image, it was instant gratification:
$ steganography -d cat_with_secrets.png
ALEXCTF{CATS_HIDE_SECRETS_DONT_THEY}
Again, not the most exciting stego challenge, but I was happy it led to a moment of recon : )