Friday, 19 October 2012

[ HackYou CTF 2012 : Secure&Safe - Halloween ]

For this particular challenge, I am given the image below.

It reminded me of an old challenge from one of the Korean CTFs where I just filled the black colour with another colour. Immediately, I used MS Paint (yeah, as I am a poor chap :( ) and filled the black area with white, and I got back the following image.


Hmmm...what are the dots representing? After analysing it for some time, my gut feel tells me that it's neither Morse code nor Braille. Two dots could represent 1 and one dot could represent 0, like binary.
But wait a minute, there are only 7 of them for each character? Well, it could be 7-bit ASCII.


1100001 1101001 1101110 1110100 1011111 1100001
1100110 1110010 1100001 1101001 1100100 1011111 1101111 1100110 1011111 1101110
1101111 1011111 1100111 1101000 1101111 1110011 1110100 1110011

So I developed a Python script just to decode this.
# Decode the 7-bit ASCII groups read off the image (two dots = 1, one dot = 0).
groups = '''
1100001 1101001 1101110 1110100 1011111 1100001
1100110 1110010 1100001 1101001 1100100 1011111 1101111 1100110 1011111 1101110
1101111 1011111 1100111 1101000 1101111 1110011 1110100 1110011
'''
string = "".join(chr(int(bits, 2)) for bits in groups.split())
print("%s\n" % string)

The result from this Python script is "aint_afraid_of_no_ghosts" and that is the key to this challenge.
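The script above starts from the bit groups I had already read off by hand. As an added example (my own code, not the post's script), here is the step before that, done programmatically: a transcription of the dot image is decoded with the rule described above, two dots for a 1 and one dot for a 0, seven cells per character. The transcription itself is constructed here to match the groups listed above, since the original image is not available as text.

```python
# Added example, not code from the original post: decode a transcription of the
# dot image the way the write-up reads it. Each character is a run of 7 cells;
# a cell holding two dots is a 1, a cell holding one dot is a 0, and the 7 bits
# together are one 7-bit ASCII code.

# Constructed transcription of the image (one character per line, cells
# separated by spaces: ".." = two dots = 1, "." = one dot = 0).
DOT_ROWS = """
.. .. . . . . ..
.. .. . .. . . ..
.. .. . .. .. .. .
.. .. .. . .. . .
.. . .. .. .. .. ..
.. .. . . . . ..
.. .. . . .. .. .
.. .. .. . . .. .
.. .. . . . . ..
.. .. . .. . . ..
.. .. . . .. . .
.. . .. .. .. .. ..
.. .. . .. .. .. ..
.. .. . . .. .. .
.. . .. .. .. .. ..
.. .. . .. .. .. .
.. .. . .. .. .. ..
.. . .. .. .. .. ..
.. .. . . .. .. ..
.. .. . .. . . .
.. .. . .. .. .. ..
.. .. .. . . .. ..
.. .. .. . .. . .
.. .. .. . . .. ..
""".strip().splitlines()

CELL_TO_BIT = {"..": "1", ".": "0"}


def dots_to_bits(row):
    """Turn one transcribed row into its 7-character bit string."""
    cells = row.split()
    if len(cells) != 7:
        raise ValueError("expected 7 cells per character, got %d: %r" % (len(cells), row))
    try:
        return "".join(CELL_TO_BIT[cell] for cell in cells)
    except KeyError as exc:
        raise ValueError("unknown cell %r in row %r" % (exc.args[0], row))


def bit_groups(rows):
    """The same 7-bit groups the write-up lists, one per character."""
    return [dots_to_bits(row) for row in rows]


def decode_rows(rows):
    """Decode every row as 7-bit ASCII and return the resulting string."""
    return "".join(chr(int(bits, 2)) for bits in bit_groups(rows))


if __name__ == "__main__":
    print(" ".join(bit_groups(DOT_ROWS)))
    print(decode_rows(DOT_ROWS))
```

A row with the wrong number of cells, or a cell that is neither one nor two dots, raises instead of silently producing a wrong character, which is the usual failure when a transcription is off by one cell.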

Cheers,
Jacob Soo

[ HackYou CTF 2012 : Secure&Safe - Perfect Concealment ]

I don't have the direct link to the .txt file, but inside the .txt file you will see this.

The giant panda (Ailuropoda melanoleuca, meaning "black and white cat-foot") is a type of bear. It lives in bamboo forests in central China. The giant panda is an endangered animal. In November 2007, China had 239 giant pandas who lived in captivity. There are 27 giant pandas which live in zoos outside of China. The exact number of giant pandas in the wild is not known. Some sources say there are about 1,590, other sources give a number between 2,000 and 3,000. The number of giant pandas in the wild seems to be increasing.

Giant pandas are about 1.2–1.5 m long and about 75 cm high. They weigh between 75 and 160 kg. Giant pandas have white fur on their bodies and black fur on their legs and shoulders. They also have black ears and black patches around their eyes. Pandas can climb and swim well.

Giant pandas are born with pink skin, with black areas on the legs, ears, and eyes. They are usually born with a small amount of white fur. They get more fur when they are about nine months old.

Giant pandas live alone. Females have a territory which they deFend against other females. When female pandas are ready to mate, they give off a special scent and make a loud bLeating noise to tell the males that they are ready. Giant pandAs mate between the months of March and May which is the Summer months in China. If there are several males, they fight each other. The one who wins – the stronGest male, then mates with the female. In August or September, the female gIves birth to one or two babies. If she has two babies, she will only raise one baby, and the other baby dies, no-one really knows how the female panda chooSe between the two. Giant panda babies are very small, and weigh only 90–130 grams, which is about 1/900 of its mother's weight. The baby drinks milk until it is 8–9 months old. Young pandas live with their mothers until they are 18–24 months old. They become mature when they are 5–7 years old. They live around 20 years in the wild and up to 30 years in captivity (e.g. in zoos). Unlike other bears, pandas do not hibernate.

Today, the giant panda is seen as a symbol for China. It is also protected by the ChineSe government, and killing a panda is a crime. ThE giant panda is now under the threat of eXtinction, and it will die out if the forests of bamboo continue to disappear.

People outside of eastern Asia did not know about the giant panda until 1869. The first "Westerner" to see a live panda was a German zoologist in 1916. In 1936, Ruth Harkness became the first Westerner to bring a live giant panda out of China. It was a cub (babY panda) named Su-Lin. The cub was taken to live at the Brookfield Zoo in Chicago.

In the 1970s, China began showing giant pandaS in zoos in the UniTed States and Japan as a type of diplomacy. This happened until 1984, when China changEd how this was done. Starting in 1984, China would allow zoos to keep the giant pandas for 10 years, but the zoo would have to pay China up to $1,000,000 each year. Also, the zoo would have to aGree that any cubs born would belong to China.

Although their bodies are made to eat meat, giant pandas are mostly herbivOrous. Their main source of food is bamboo. Because pandas have the digestive system of carnivores and can not digest cellulose very well, they get little energy and protein from the bamboo they eat. Because they get very little nutrition from bamboo, they must eat a lot. Pandas commonly eat 20 to 30 pounds of bamboo a day to get the nutrition they need. Although there are more than 200 different varieties of bamboo the Panda will only eat 20 varieties. Pandas sometimes run out of food, as a tyPe of bamboo flowers, die, and regrow again at the same time.

As of 2008, the giant bear is an endangered animal. The main problem they have is habitat loss. Habitat loss is when the places they live in are ruined. Humans often ruin the places where pandas live, such as for the construction of buildings. Pandas cAn also lose their habitat because of pollution. Pollution means that less bamboo grows, or that bamboo stops growing completely in a certain place. Giant pandas also have a low birth rate, which makes the problem worse.

TraditioNal Chinese stories about the giant pandas say that the animal can be very powerful. Some people believe that sleeping on a panda skin can protect them from ghost and predict their future. These tales are one of the reasons why people would spend lots of money for the skin and fur of this precious animal.

In former times, the panDas were also hunted. The Western people who came to China were soon unable to hunt the pandas, because of different wars. Local people continued though. PandAs were mainly hunted for their fur. Today, hunting pandas is not allowed.

In 1963, China set up a nature reserve for pandas, the Wolong National Nature Reserve. This was the firSt, other nature reserves followed. China did this to fight the number of pandas going down. In 2006, there were 40 panda reserves, compared to 13, two decades ago.

After looking through it for a while, I can see that some words have capital letters in the middle of the word.
Probably those "capital letters" are what we are looking for.
Using the Python script I developed, we can see what the special "capital letters" form.

import re
# Read the file into a string
with open('stg100.txt', 'r') as f:
    text = f.read()
# A capital letter with at least one word character before it, i.e. not at the start of a word
key = re.findall(r'\w\w*([A-Z])\w*', text)
print("%s\n" % key)
The output from my script is:
['F', 'L', 'A', 'G', 'I', 'S', 'S', 'E', 'X', 'Y', 'S', 'T', 'E', 'G', 'O', 'P', 'A', 'N', 'D', 'A', 'S']


The key to this challenge is "SEXYSTEGOPANDAS"
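The regex above returns the letters only. As an added example (my own code, not the post's script), here is the same extraction written as a function that also reports which word and offset each letter came from, so the result can be checked against the text. It differs from the regex in one deliberate way: words that are entirely upper case (acronyms) are skipped, since their capitals carry no signal. The sample text below is constructed in the style of the challenge file.

```python
# Added example, not the post's own script: pull out letters that are capitalised
# in the middle of a word, the pattern the write-up spots in the panda text, and
# report where each one came from so the extraction can be checked by eye.
import re

# Constructed sample text in the same style as the challenge file: the hidden
# letters are the mid-word capitals, and the decoys (a sentence-initial capital,
# the acronym "CTF", the hyphenated name "Su-Lin") must not be picked up.
SAMPLE_TEXT = (
    "The giant panda lives alone. Females deFend their territory and make a "
    "loud bLeating noise. The CTF panda named Su-Lin was taken to a zoo. "
    "PandAs are protected by the ChineSe government."
)

WORD_RE = re.compile(r"[A-Za-z]+")


def midword_capitals(text):
    """Return (letter, word, offset) for every capital that is not a word's first letter.

    Words that are entirely upper case (acronyms) are skipped. Hyphens split
    words, so 'Su-Lin' yields nothing.
    """
    hits = []
    for match in WORD_RE.finditer(text):
        word = match.group()
        if word.isupper():
            continue
        for i, ch in enumerate(word[1:], start=1):
            if ch.isupper():
                hits.append((ch, word, match.start() + i))
    return hits


def hidden_string(text):
    """The concatenated hidden letters, in reading order."""
    return "".join(letter for letter, _, _ in midword_capitals(text))


if __name__ == "__main__":
    for letter, word, offset in midword_capitals(SAMPLE_TEXT):
        print("%s  from %-10s at offset %d" % (letter, word, offset))
    print(hidden_string(SAMPLE_TEXT))
```

Run against the real stg100.txt, the hidden string starts with FLAGIS, which is how you know the letters after it are the flag and not noise.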

Cheers,
Jacob Soo

[ HackYou CTF 2012 : Wikitap - Oscaderp Forensic ]

I'm only given the following as a hint.

What's the md5 of the file being transferred?

Downloading the link that was given to me and checking it, it's another PCAP file.
OK, let's load it up with Wireshark and analyse it.
After analysing it, it seems to be an FTP session.
In Wireshark, there is a filter, "ftp-data", for all the data being transferred.
So let's use that filter and we will get something like the image shown below.

The important FTP data packets are the last 3 in the image, which are for tcp_serv.beam.
So we do "Right-Click"->"Follow TCP Stream" to retrieve the file.
Then do a "Save As" to save the file. Now just use md5sum or any of your favourite md5 tools to check the md5 of the file we just saved.
We will get "77f92edb199815b17e2ff8da36e200df", which is the key to this challenge. :P
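As an added example (my own code, not part of the post), here is the same "Follow TCP Stream" -> "Save As" -> md5sum procedure done without Wireshark: a minimal pcap reader collects the payload one side sent on the ftp-data connection in sequence order, drops retransmitted duplicates, and hashes the result. The capture is constructed inside the script (active-mode FTP with the server sending from port 20, a made-up file standing in for tcp_serv.beam), so the md5 it prints is not the challenge key.

```python
# Added example (not part of the original post): the manual equivalent of
# "Follow TCP Stream" -> "Save As" -> md5sum. A minimal reader walks the
# Ethernet/IPv4/TCP frames of a classic pcap, collects the payload one side sent
# on the ftp-data connection in sequence-number order, drops retransmitted
# duplicates, and hashes the result. The capture is constructed below (active
# mode FTP, server sending from port 20); there is no real tcp_serv.beam here.
import hashlib
import struct

FTP_DATA_PORT = 20
# Constructed stand-in for the transferred file.
FILE_CONTENT = b"-module(tcp_serv).\n-export([start/0]).\nstart() -> ok.\n" * 4
# What md5sum would print for the original file.
REFERENCE_MD5 = hashlib.md5(FILE_CONTENT).hexdigest()


def build_frame(src_port, dst_port, seq, payload):
    """Ethernet + IPv4 + TCP frame carrying payload (checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                           # MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                      5 << 4, 0x18, 65535, 0, 0)               # 20-byte header, PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a little-endian classic libpcap file (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_frames(pcap):
    """Yield the raw bytes of each record in a classic little-endian pcap."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("this example only reads little-endian classic pcap")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_port, dst_port, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp = 14 + ihl
    src, dst, seq = struct.unpack("!HHI", frame[tcp:tcp + 8])
    data_off = (frame[tcp + 12] >> 4) * 4
    return src, dst, seq, frame[tcp + data_off:14 + total_len]


def follow_stream(pcap, src_port):
    """Reassemble everything sent from src_port, ordered by TCP sequence number."""
    segments = {}
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed and parsed[0] == src_port and parsed[3]:
            segments.setdefault(parsed[2], parsed[3])   # first copy wins on retransmit
    return b"".join(segments[seq] for seq in sorted(segments))


def md5_of_stream(pcap, src_port):
    """Hex md5 of the reassembled stream: the value the challenge asks for."""
    return hashlib.md5(follow_stream(pcap, src_port)).hexdigest()


def demo_capture():
    """Constructed capture: three segments delivered out of order, one retransmitted."""
    cuts = [0, 17, 60, len(FILE_CONTENT)]
    chunks = [(1000 + cuts[i], FILE_CONTENT[cuts[i]:cuts[i + 1]]) for i in range(3)]
    order = [chunks[1], chunks[0], chunks[0], chunks[2]]
    frames = [build_frame(FTP_DATA_PORT, 40123, seq, data) for seq, data in order]
    frames.insert(1, build_frame(40123, FTP_DATA_PORT, 5000, b""))   # a client ACK
    return build_pcap(frames)


if __name__ == "__main__":
    print(md5_of_stream(demo_capture(), FTP_DATA_PORT), "==", REFERENCE_MD5)
```

For a real capture, read the file with open(path, 'rb').read() and pass the port the data actually came from: in passive mode that is the high port the server announced in its PASV reply rather than 20. Ordering by sequence number is what makes the hash match even when frames were captured out of order or retransmitted, which is why "Save As" on an unordered dump can give a wrong md5.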

Cheers,
Jacob Soo

[ HackYou CTF 2012 : Wikitap - EpikArc ]


Initially, I thought this could be more of a forensics type of challenge. It turned out to be more of a network forensics one.

Mister You is willing to hire someone who can repeat his investigation.
Arc starts from here
The above link will give you a PCAP file.
Find the secret link in this conversation.

After analysing the .pcap file for a while using Wireshark, it seems that the conversation is via HTTP POST.
So what I did was use the built-in filter in Wireshark to search for all the conversations in the .pcap file, like the image shown below.
Then we find the following message.


As we can see, the key to this particular challenge is "tinyurl.com/8pdox5a".

P.S: Going to the above link will give us the file for the Mystery Challenge. :P

Cheers,
Jacob Soo

Thursday, 18 October 2012

[ HackYou CTF 2012 : Binary - Open-Source ]

Next up is Open-Source.
All I've got is the open-source C code that was given to me here.
The source code looks like this.
#include <stdio.h>
#include <stdlib.h>   /* atoi() and exit() */
#include <string.h>

int main(int argc, char *argv[]) {
    if (argc != 4) {
        printf("what?\n");
        exit(1);
    }

    unsigned int first = atoi(argv[1]);
    if (first != 0xcafe) {
        printf("you are wrong, sorry.\n");
        exit(2);
    }

    unsigned int second = atoi(argv[2]);
    if (second % 5 == 3 || second % 17 != 8) {
        printf("ha, you won't get it!\n");
        exit(3);
    }

    /* strcmp() returns 0 on an exact match; any other result exits here */
    if (strcmp("h4cky0u", argv[3])) {
        printf("so close, dude!\n");
        exit(4);
    }

    printf("Brr wrrr grr\n");

    unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;

    printf("Get your key: ");
    printf("%x\n", hash);
    return 0;
}

Well, looking at the source code, we can deduce a few things.
first == 0xcafe == 51966
second == 25
argv[3] must be different from h4cky0u, but I believe the strlen should be the same.

Finally, the hash should be
hash = 51966 * 31337 + (25 % 17) * 11 + 7 - 1615810207
which works out to 1628458637 - 1615810207 -> 12648430

As the result is printed in hexadecimal, the key is c0ffee
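As an added example (my own code, not from the post or the challenge), here are the three checks and the key computation from the C source replayed in Python, so the deduction can be verified without compiling anything. The arithmetic is masked to 32 bits to match the program's unsigned int, and the argv[3] check is written the way strcmp behaves: it returns 0 only on an exact match, which is the only case the program lets through. The function names are my own.

```python
# Added example, not part of the original post: replay the three checks and the
# key computation from the C source in Python. Arithmetic is masked to 32 bits
# to match the C program's unsigned int.
MASK = 0xFFFFFFFF
THIRD_ARG = "h4cky0u"


def accepted(first, second, third):
    """Mirror the program's exit conditions; True only if all three checks pass."""
    if first != 0xCAFE:
        return False
    if second % 5 == 3 or second % 17 != 8:
        return False
    # strcmp() returns 0 only when the strings are identical, and the program
    # exits when it is non-zero, so only an exact match gets past this check.
    return third == THIRD_ARG


def key_for(first, second, third):
    """The hex string the program prints for accepted inputs, or None."""
    if not accepted(first, second, third):
        return None
    value = (first * 31337 + (second % 17) * 11 + len(third) - 1615810207) & MASK
    return "%x" % value


def second_candidates(limit):
    """All values below limit that satisfy the checks on argv[2]."""
    return [s for s in range(limit) if s % 17 == 8 and s % 5 != 3]


if __name__ == "__main__":
    print(second_candidates(100))
    # atoi() parses decimal, so 0xcafe has to be passed as 51966 on the command line.
    print(key_for(51966, 25, THIRD_ARG))
```

Because the hash only uses second % 17, every candidate for argv[2] (25, 42, 59, ...) yields the same key; 25 is simply the smallest one that also escapes the second % 5 == 3 exit.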

Cheers,
Jacob Soo

[ HackYou CTF 2012 : Crypto - Schneier's Algorithm ]

For this particular challenge, all i've got is an image from here.
http://misteryou.ru/cry100/cry100.jpg


At first glance, I think the arrow is trying to tell me to read backwards.
So reading backwards from top to bottom, I saw these words.
hackyouisthebestestctfftw
And that is our flag. :D

Cheers,
Jacob Soo

Thursday, 4 October 2012

[ CSAW CTF Quals 2012 - Forensics 200 #0x02 ]

Initially, it seemed like Forensics 200 Challenge #2 was the same as Challenge #1 when I saw the image below.


So immediately, I whipped out pngcheck again and got back the following result.

I tried "hughes connie" as the key, but sadly it's not.
Then I relooked at the options for pngcheck and found out that it stops checking after it finds the first error.

Options:
   -7  print contents of tEXt chunks, escape chars >=128 (for 7-bit terminals)
   -c  colorize output (for ANSI terminals)
   -f  force continuation even after major errors
   -p  print contents of PLTE, tRNS, hIST, sPLT and PPLT (can be used with -q)
   -q  test quietly (output only errors)
   -s  search for PNGs within another file
   -t  print contents of tEXt chunks (can be used with -q)
   -v  test verbosely (print most chunk data)
   -vv test very verbosely (decode & print line filters)
   -w  suppress windowBits test (more-stringent compression check)
   -x  search for PNGs within another file and extract them when found

So in order for it to continue, I needed to add the "-f" option.
But once I added that, it seemed that the entire file was full of CRC errors.
Hmmm...could it be like what the words on the image implied? "One of these things is not like the other" Thus, one of the tEXt chunks does not have a CRC error.

Okay, let me pipe the output into a text file.
Since there could only be one without a CRC error, I loaded up the output file and looked at it for a minute. I realised there are too many entries to manually find the one I'm looking for.
Then I realised that all I have to do is a quick search in Notepad++ for "}\r\ncomment:\r\n    key{", as this is the sequence for an entry with no error. :D

Finally, we find this.

There you go, the key to this particular challenge is "johnnie tigger".

Cheers,
Jacob Soo

Wednesday, 3 October 2012

[ CSAW CTF Quals 2012 - Forensics 200 #0x01 ]

For Forensics 200 Challenge #0x01, we were given an image as shown below:


Original link to image:
https://csawctf.poly.edu/challenges/45b963397aa40d4a0063e0d85e4fe7a1/961c734bdd95c5b1e06cbae8c548ac04/version1.png

Using pngcheck against the given image, we found that there is a CRC error in a tEXt chunk.


So running pngcheck.exe -7 version1.png, we found out where the CRC error is.

Using "takeuchi gregory" as the key, we solved this particular challenge. :D
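Both Forensics 200 challenges come down to the check pngcheck does on every chunk: recompute the CRC-32 over the chunk type and data and compare it with the stored one. In #0x01 the odd one out is the single tEXt chunk whose CRC fails; in #0x02 it is the single tEXt chunk whose CRC verifies, which is why "-f" and a search through the output were needed. As an added example (my own code, not pngcheck and not from either post), here is that check written out, with the valid and invalid tEXt chunks reported separately so neither search is needed. The PNG is constructed inside the script and its key strings are placeholders.

```python
# Added example (not from either CSAW write-up): walk the chunks of a PNG and
# recompute each chunk's CRC-32, the check pngcheck performs, then list the tEXt
# chunks whose stored CRC is valid separately from the ones that fail. The PNG
# below is constructed in this script and its key strings are placeholders.
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype, payload, corrupt_crc=False):
    """Serialise one chunk; optionally flip a CRC bit to simulate a tampered chunk."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    if corrupt_crc:
        crc ^= 0x1
    return struct.pack("!I", len(payload)) + ctype + payload + struct.pack("!I", crc)


def text_chunk(keyword, text, corrupt_crc=False):
    """A tEXt chunk: Latin-1 keyword, NUL separator, Latin-1 text."""
    payload = keyword.encode("latin-1") + b"\x00" + text.encode("latin-1")
    return make_chunk(b"tEXt", payload, corrupt_crc)


def iter_chunks(data):
    """Yield (type, payload, stored_crc, computed_crc) for each chunk."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    off = 8
    while off + 12 <= len(data):
        length = struct.unpack("!I", data[off:off + 4])[0]
        ctype = data[off + 4:off + 8]
        payload = data[off + 8:off + 8 + length]
        stored = struct.unpack("!I", data[off + 8 + length:off + 12 + length])[0]
        yield ctype, payload, stored, zlib.crc32(ctype + payload) & 0xFFFFFFFF
        off += 12 + length


def text_chunks_by_crc(data):
    """Split tEXt chunks into those whose CRC verifies and those that do not."""
    good, bad = [], []
    for ctype, payload, stored, computed in iter_chunks(data):
        if ctype != b"tEXt":
            continue
        keyword, _, text = payload.partition(b"\x00")
        entry = (keyword.decode("latin-1"), text.decode("latin-1"))
        (good if stored == computed else bad).append(entry)
    return good, bad


def demo_png():
    """Constructed 1x1 PNG with decoy tEXt chunks (bad CRC) and one clean one."""
    ihdr = make_chunk(b"IHDR", struct.pack("!IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    idat = make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    chunks = [ihdr,
              text_chunk("comment", "key{decoy one}", corrupt_crc=True),
              text_chunk("comment", "key{decoy two}", corrupt_crc=True),
              text_chunk("comment", "key{placeholder real key}"),
              text_chunk("comment", "key{decoy three}", corrupt_crc=True),
              idat, make_chunk(b"IEND", b"")]
    return PNG_SIGNATURE + b"".join(chunks)


if __name__ == "__main__":
    good, bad = text_chunks_by_crc(demo_png())
    print("valid CRC:", good)
    print("bad CRC:  ", len(bad), "chunks")
```

On version1.png from #0x01 the "bad" list holds the one entry pngcheck stopped on; on the #0x02 image the "good" list is the single entry that "-f" plus the Notepad++ search eventually turned up. The same walk is a cheap way to spot any appended or tampered chunk in a PNG handed to you, since a decoder will happily render an image whose ancillary chunks carry anything at all.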

Cheers,
Jacob Soo

[ CSAW CTF Quals 2012 - Networking 200 ]

This is my solution for Networking 200 for CSAW CTF 2012 Qualifiers.
We are given some clues and a pcap file:
“Some dude I know is planning a party at some bar in New York! I really want to go but he’s really strict about who gets let in to the party. I managed to find this packet capture of when the dude registered the party but I don’t know what else to do. Do you think there’s any way you can find out the secret password to get into the party for me? By the way, my favorite hockey player ever is mario lemieux.”
Original link to pcap:
https://csawctf.poly.edu/challenges/45b963397aa40d4a0063e0d85e4fe7a1/23dce85a4e96a87028cc9a3e662663ce/lemieux.pcap

Mirror to pcap:
http://repo.shell-storm.org/CTF/CSAW-2012/Networking/200/lemieux.pcap

Immediately, Wireshark to my rescue. But the pcap file is huge....64MB.
But as the clue was "...registered the party..." my instinct told me that most probably an HTTP POST was used to register for the party.

So I tried filtering the traffic with http.request.method==POST and got back the following results.


The POST to /parties-events/ seems to be what I'm looking for.
If I do a "Follow TCP Stream", I will see something like the following image.

Well, judging from the entire text string, it seems like the key to this particular challenge is "brooklyn beat box". That's it. :P
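This challenge and the EpikArc one above both end the same way: filter on http.request.method==POST, follow the stream, and read the submitted value off the form body. As an added example (my own code, not from either post), here is that last step done on a followed stream in code: the client side of the conversation is split into requests using Content-Length, and each urlencoded POST body is decoded into its fields. The stream text is constructed; the host, the field names and the submitted values are placeholders, and the path /parties-events/ is borrowed from the write-up only as sample data.

```python
# Added example (not from either post): parse the client side of a followed TCP
# stream from an HTTP conversation and pull out every POST request with its
# decoded form fields, the same thing the write-ups read off Wireshark's
# "Follow TCP Stream" window. The stream is constructed; the host, field names
# and values are placeholders.
from urllib.parse import parse_qs

# Constructed client-to-server side of an HTTP/1.1 stream: a GET, a form POST,
# then another GET on the same connection (keep-alive), so the parser has to
# honour Content-Length rather than reading "everything after the blank line".
STREAM = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"\r\n"
    b"POST /parties-events/ HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 55\r\n"
    b"\r\n"
    b"name=some+dude&venue=some+bar&password=placeholder+pass"
    b"GET /done HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"\r\n"
)


def parse_requests(stream):
    """Split one direction of an HTTP/1.1 stream into (method, path, headers, body)."""
    requests = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break                                   # truncated header block
        head = stream[pos:end].decode("iso-8859-1").split("\r\n")
        method, path, _version = head[0].split(" ", 2)
        headers = {}
        for line in head[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body = stream[end + 4:end + 4 + length]     # short if the capture is cut off
        requests.append((method, path, headers, body))
        pos = end + 4 + length
    return requests


def post_forms(stream):
    """(path, {field: [values]}) for every urlencoded POST in the stream."""
    forms = []
    for method, path, headers, body in parse_requests(stream):
        if method == "POST" and headers.get("content-type", "").startswith(
                "application/x-www-form-urlencoded"):
            forms.append((path, parse_qs(body.decode("iso-8859-1"))))
    return forms


if __name__ == "__main__":
    for path, fields in post_forms(STREAM):
        print(path)
        for field, values in fields.items():
            print("  %s = %s" % (field, ", ".join(values)))
```

Chunked request bodies and multipart forms are not handled here; for those, or for a 64MB capture, let Wireshark's dissector do the reassembly and apply this only to the stream you have already narrowed down. The constructed stream also shows why the password travels in the clear: the form is plain HTTP, so anyone holding the capture reads it exactly as this script does.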

Cheers,
Jacob Soo

[ CSAW CTF Quals 2012 - Networking 100 ]

Well, I haven't had a blog for a long time, as time is never on my side.
Hopefully, this time round I will get to blog more often and not let the blog die.

This blog of mine will mainly focus on CTF challenges that I solved during or after the competition.

This time round, I was lucky to be invited to play in the recently concluded CSAW CTF qualifiers.
I was working on Networking 100 and was given a pcap containing a telnet session.
You could grab a mirror copy of it here.
http://repo.shell-storm.org/CTF/CSAW-2012/Networking/100/telnet.pcap

Well, my very first instinct was to use Wireshark to load the pcap.
Immediately, I could see the telnet session, and Telnet by default does not encrypt any data sent over the connection. Thus, if we "Follow TCP Stream", we will be able to see the password, as indicated in the image below.



That was pretty easy.

The key to this challenge is "welcome to 1969"


Cheers,
Jacob Soo