Hey there folks!! Long time no see, huh …
It’s Christmas time and I’m back again with another set of writeups, this time for X-MAS CTF. Btw, we ended 32nd overall and 1st in India :).
Thanks to HTsP for organising this gr8 CTF.
Here are some of the challs.
Santa’s Forensics 101
A trip to grandma’s house
Ddosing the XMAS
The public key (n, e) and the ciphertext have been given to us, so this is a typical RSA challenge.
Factoring n gives us four factors, i.e. p, p, q, q.
So n = p*p*q*q. I wrote a few short lines of code for this.
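As an added example (my code, not the short script the writeup mentions), here is the decryption for n = p*p*q*q with constructed small primes; the primes, e and the message are assumptions, and the point is that phi(n) is not (p-1)(q-1) when primes repeat:

```python
# Added example (not the author's script): RSA where n = p^2 * q^2, with small
# constructed primes. The key point: phi(n) is NOT (p-1)(q-1) here.
from math import gcd, isqrt

def totient_p2q2(p, q):
    """Euler's totient for n = p^2 q^2: phi(p^2) = p(p-1), phi(q^2) = q(q-1)."""
    return p * (p - 1) * q * (q - 1)

def split_square_n(n):
    """If n = (p*q)^2, isqrt(n) recovers p*q; split it by trial division.
    Only practical for demo-sized primes; for a real challenge the four
    factors would come from a factoring tool, as in the writeup."""
    r = isqrt(n)
    if r * r != n:
        raise ValueError("n is not a perfect square")
    for f in range(2, isqrt(r) + 1):
        if r % f == 0:
            return f, r // f
    raise ValueError("could not split sqrt(n)")

def private_exponent(p, q, e):
    phi = totient_p2q2(p, q)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible mod phi(n)")
    return pow(e, -1, phi)  # modular inverse, Python 3.8+

def rsa_decrypt(c, n, e):
    p, q = split_square_n(n)
    d = private_exponent(p, q, e)
    return pow(c, d, n)

# Constructed demo key and message (assumptions, not challenge values)
P, Q, E = 10007, 10009, 65537
N = P * P * Q * Q
MESSAGE = int.from_bytes(b"X-MAS", "big")
CIPHERTEXT = pow(MESSAGE, E, N)

if __name__ == "__main__":
    m = rsa_decrypt(CIPHERTEXT, N, E)
    print(m.to_bytes((m.bit_length() + 7) // 8, "big"))
```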
Santa’s Forensics 101
A zip has been given to us which contains a png, or something that looks like a png :confused:.
The file cmd clears that up tho.
[badboy17@badboy17-pc Downloads]$ file X-MAS_Flag2.png
X-MAS_Flag2.png: Zip archive data, at least v2.0 to extract
Huh, a zip again. Extracting it gives the png (a real one :P).
Then strings on it.
[badboy17@badboy17-pc hidden_data_dt]$ strings logo2.png
That gives the flag at the bottom.
So, another forensics chall with a png.
The description tho hints a lot about what to do. But due to our noobism we spent a lot of time on this chall :sweat_smile:.
It seems that Santa may have used some Invisible Ink to write this letter... he is surely playing Hide&Seek.
The Invisible Ink part in the desc leads us to http://diit.sourceforge.net, a steganography tool, the Digital Invisible Ink Toolkit.
It writes the decoded part to a file. Opening the file gives us the flag.
A trip to grandma’s house
A VM forensics chall with a .vdi file. This chall was super long and it took us three days to figure out and complete.
First we loaded the vdi in VirtualBox to see what it was, and surprisingly it was a Win98 image. Boii, that’s super retro.
Booting the VM, it asks for the password to log in.
The hint did us no good, as we couldn’t find the password anywhere.
The second approach I tried was to boot into safe mode, create a new account, copy the files into the new account and change the network logon to Windows logon.
Logging in gives this.
That’s a lot of files, damn. Out of these, 3 things caught my eye.
Yeah, that’s the password. The last file didn’t help much.
Now, opening the secret gave us gibberish text. So, assuming it was encrypted with TrueCrypt, we still needed the password to decrypt it. The rest of the files on the Desktop actually made something; this was figured out by my teammate. They actually spelled out the password for TrueCrypt.
The resolution changed the arrangement of these files, so later a hint was also added.
Hint! Try to login to the desktop without changing the resolution of the VM.
The complete password was
Now that we had everything, all that was left was to fire up TrueCrypt.
Now the decrypted secret gave us a bunch of other files.
These files were actually a Minecraft world save, so I transferred them to my machine.
Now loading the save in Minecraft gave us the flag. (phewwww.)
The flag can also be found with a map renderer.
[badboy17@badboy17-pc Downloads]$ java -jar TMCMR-2017.09.07b.jar ./mine/region/ -o .
That was a super awesome chall, and also super awesome teammates. :smile:
Ddosing the XMAS
A file was given to us which was abnormal in some way. Later my teammate figured out that it was XORed with a key (worked out from the ELF header):
key=0x24, 0x32, 0x50, 0x52, 0xB2, 0x8C, 0x96
XORing it back again with the key gave the original file. Running the
file command revealed that it was an ELF binary.
[badboy17@badboy17-pc Downloads]$ file xmas_out
xmas_out: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, not stripped
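An added example (not the writeup’s or the teammate’s script) of how the XOR key falls out of the known ELF e_ident bytes: the fake ELF bytes are constructed, the key is the one quoted above, and the key length is found by checking which period fits the whole 16-byte header.

```python
# Added example (not the writeup's own script): undo a repeating-key XOR on a
# file whose plaintext is an ELF binary, using the ELF header as known plaintext.
from itertools import cycle

# First 16 bytes (e_ident) of a 32-bit little-endian SysV ELF:
# magic, ELFCLASS32, ELFDATA2LSB, EV_CURRENT, OSABI=0, ABIVERSION=0, 7 zero pad
ELF32_IDENT = b"\x7fELF\x01\x01\x01" + b"\x00" * 9

def xor_repeating(data, key):
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(obfuscated, known=ELF32_IDENT, max_len=16):
    """Known-plaintext recovery: C[i] ^ P[i] = K[i mod len(K)]. Try key lengths
    from short to long and keep the first one consistent over the whole header."""
    if len(obfuscated) < len(known):
        raise ValueError("file shorter than the known header")
    stream = xor_repeating(obfuscated[: len(known)], known)  # C ^ P = key stream
    for key_len in range(1, min(max_len, len(known)) + 1):
        key = stream[:key_len]
        # stream XOR its own candidate period is all zero iff the period fits
        if xor_repeating(stream, key) == b"\x00" * len(known):
            return key
    raise ValueError("no repeating key of length <= %d fits the ELF header" % max_len)

def deobfuscate(obfuscated):
    key = recover_key(obfuscated)
    return key, xor_repeating(obfuscated, key)

# Constructed demo: a fake ELF prefix XORed with the key quoted in the writeup
KEY_FROM_WRITEUP = bytes([0x24, 0x32, 0x50, 0x52, 0xB2, 0x8C, 0x96])
FAKE_ELF = ELF32_IDENT + bytes([2, 0, 3, 0, 1, 0, 0, 0, 0xD0, 0x83, 0x04, 0x08, 0x34, 0, 0, 0])
OBFUSCATED = xor_repeating(FAKE_ELF, KEY_FROM_WRITEUP)

if __name__ == "__main__":
    key, plain = deobfuscate(OBFUSCATED)
    print("key:", key.hex(), "ELF magic ok:", plain.startswith(b"\x7fELF"))
```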
Upon static analysis, it did not give much info. But I did like the idea of the binary :sweat_smile:.
____ __,-~~/~ `---. _/_,---( , ) __ / < / ) \___ - ------===;;;'====------------------===;;;===----- - - \/ ~"~"~"~"~"~\~"~)~"/ (_ ( \ ( > \) \_( _ < >_>' ~ `-i' ::>|--" I;|.|.| <|i::|i|`. (` ^'"`-' ")
BOOM !!! It just ddosed the XMAS.
To see what the binary was actually doing behind the scenes, I ran it with
ltrace. One of the comparison instructions checks the arg, i.e. the name of the binary, and it was comparing it to
HOIC. So I renamed it HOIC.
Running HOIC with ltrace again, the previous check was passed tho, but another one came up: now it was opening a file by name.
Creating a file with the name
KILL_SW1TCH with random contents, I fired it up with ltrace again. It now checks the contents of the file.
These were actually in byte form, which I figured out later. So I used python to write them into the file.
python2 -c "print '\336\255\276\357\312\376\272\276'" >
A last run gave us the flag.
l0ic. That’s the tool
Anonymous used for DDoSing. :P
A jpg was given.
strings gave this long base-encoded string.
base64 -> base32 -> HEX. Decoding it gave clear text.
Maybe B.F. stands for something other than best friend :)
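An added example, not from the original post, that peels the base64 -> base32 -> hex layers automatically instead of by hand; the sample blob is constructed here from the decoded sentence above, and each decode only counts when its output is printable text.

```python
# Added example (not from the original post): peel nested base64 / base32 / hex
# layers until the result is no longer a recognisable encoding.
import base64
import binascii
import string

PRINTABLE = set(string.printable.encode())

def looks_like_text(data):
    return bool(data) and all(b in PRINTABLE for b in data)

def try_decode(layer):
    """Try the three encodings from the writeup; return (name, decoded) or None.
    A decode only counts if it succeeds AND yields printable bytes, which
    filters out an accidental base64/base32 match on the wrong layer."""
    s = layer.strip()
    attempts = (
        ("hex", lambda: bytes.fromhex(s.decode("ascii"))),
        ("base32", lambda: base64.b32decode(s, casefold=True)),
        ("base64", lambda: base64.b64decode(s, validate=True)),
    )
    for name, decode in attempts:
        try:
            out = decode()
        except (ValueError, binascii.Error):
            continue
        if looks_like_text(out):
            return name, out
    return None

def peel_layers(blob, max_layers=10):
    """Return (layer names outermost first, innermost payload)."""
    layers, current = [], blob
    for _ in range(max_layers):
        hit = try_decode(current)
        if hit is None:
            break
        name, current = hit
        layers.append(name)
    return layers, current

# Constructed sample: the sentence the writeup recovered, wrapped the same way
# (text -> hex -> base32 -> base64) so the outer layer is base64.
MESSAGE = b"Maybe B.F. stands for something other than best friend :)"
SAMPLE = base64.b64encode(base64.b32encode(MESSAGE.hex().encode()))

if __name__ == "__main__":
    names, payload = peel_layers(SAMPLE)
    print(" -> ".join(names), "=>", payload.decode())
```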
Huh. No other clue, so, as it was a jpg, we assumed something was hidden with
steghide. But there was no password string anywhere. So running
rockyou against it gave us the password in a couple of seconds.
Opening the decoded file:
Maybe increasing the alphabet will make the encryption better ==m65;gVJW1O3>K5^?^YBJag<1i?Yd8RF2n?Sl,'<GaR1F'iB4F*(c$E\V-CA7&hUA79"\AMGqo2Dd*J@:O]
Trying several other decryption methods this turned out to be