CTF Workshop – Solutions

Crim2018 – 2.11.2018

© 2018 Synopsys, Inc.



Germany - Keylog

esc h e l a s p k esc i e a esc e o f r i h u n d return

esc a n d esc o up a esc G m a s t e r esc 0 i h u n

esc : % s / h u n / e n / g return esc : 1 return 4 g J

Solution:

Type the above key sequence into the vi/vim editor.

Note:

For the arrow keys to work as expected, in some Linux distributions you need to add the line ”set nocompatible” to the configuration file:

vim = ~/.vimrc

vi = ~/.exrc


Canada – Erase/Rewind

Solution:

1. Identify the file format (file command)

2. Unzip

3. Identify the file format (file command)

4. Look for hints with the strings command

5. Mount

6. Here be dragons

7. extundelete

8. Open image2_new.jpg in your favorite image viewer for the flag


Brazil – Hidden message

Solution:

1. Look for hints with the strings command

2. Spot the suspicious string at the end of the file.

3. Identify the encoding (Base32)

4. Locate an online Base32 decoder

5. Decode x times and strip the plain text

6. Flag is: all_your_base32_are_belong_to_us


Turkey – DoD

Solution:

1. Identify the encoding in the text file (base64)

2. Decode -> see the results

3. Decode x times (online or create a script) -> Flag is revealed
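The "decode x times" step in the Brazil (Base32) and Turkey (Base64) solutions can be scripted instead of pasted into an online decoder. The following is an added example, not part of the original slides; the function names and the printable-ASCII stop heuristic are assumptions, and the sample input is built with the `wrap` helper.

```python
import base64
import binascii
import re

# Alphabets as byte patterns; '=' padding is only allowed at the end.
BASE32 = re.compile(rb"[A-Z2-7]+=*")
BASE64 = re.compile(rb"[A-Za-z0-9+/]+=*")


def _is_text(data: bytes) -> bool:
    """Heuristic (assumption): a genuine inner layer is printable ASCII."""
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def decode_once(data: bytes):
    """Strip one layer. Returns (encoding, decoded) or None when no layer is left."""
    data = b"".join(data.split())  # encoders often wrap lines; drop all whitespace
    candidates = (
        ("base32", BASE32, base64.b32decode),
        ("base64", BASE64, lambda d: base64.b64decode(d, validate=True)),
    )
    # Base32 is tried first: its alphabet is a subset of Base64's.
    for name, alphabet, decoder in candidates:
        if not alphabet.fullmatch(data):
            continue
        try:
            decoded = decoder(data)
        except (binascii.Error, ValueError):
            continue  # right alphabet, wrong length or padding
        if _is_text(decoded):
            return name, decoded
    return None


def peel(data: bytes, max_rounds: int = 64):
    """Decode repeatedly until the result is no longer Base32/Base64 text."""
    layers = []
    while len(layers) < max_rounds:
        step = decode_once(data)
        if step is None:
            break
        layers.append(step[0])
        data = step[1]
    return data.decode("ascii", "replace"), layers


def wrap(text: str, encodings):
    """Build a constructed sample by applying the listed encodings in order."""
    data = text.encode()
    for name in encodings:
        data = base64.b32encode(data) if name == "base32" else base64.b64encode(data)
    return data
```

`peel` returns the plain text together with the list of layers it removed, outermost first, so the "x" in "decode x times" is the length of that list.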


Greenland – Hidden message 2

Solution:

1. Identify the file format: looks like an animated GIF

2. Open it with GIMP (frames can be seen as layers)

3. The last frame reveals text written in black: ByYourCommand


An alternative tool is StegSolve, which has a Frame Browser.


Greece – Python or not to python

Solution:

1. Identify the file format (Python 2.7 byte-compiled)

2. Rename the file, as some versions of uncompyle6 fail to decompile it otherwise (Challenge7.py -> Challenge7.pyc)

3. uncompyle6 Challenge7.pyc -> password and flag are revealed

   1. Password = Party0nDud3s!

   2. Flag = BeExcellentToEachOther


India – Fix me

Solution:

1. Identify the file format (the extension suggests .png, but the file command thinks it’s .jpg)

2. A closer look with a hex editor reveals that the first three bytes are a JPG header and the bytes after that are the header of a PNG

3. Edit the first three bytes of the file from JPG to PNG (FF D8 FF -> 89 50 4E)

4. Open the file, and the flag is revealed
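The header check and three-byte fix from the India solution can be done in a script that also confirms the rest of the file really is a PNG before rewriting anything. This is an added example, not part of the original slides; the function names are assumptions and the 1x1 test image is constructed in `make_sample_png`.

```python
import struct
import zlib

PNG_SIG = bytes.fromhex("89504e470d0a1a0a")  # full 8-byte PNG signature
JPG_MAGIC = bytes.fromhex("ffd8ff")          # the three bytes `file` matched


def png_chunks_ok(data: bytes) -> bool:
    """Walk the chunks after the signature and verify every CRC-32 up to IEND."""
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(data):
            return False
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(data[pos + 4:end]) != crc:  # CRC covers type + body
            return False
        if ctype == b"IEND":
            return True
        pos = end + 4
    return False


def diagnose(data: bytes) -> str:
    """Classify by magic bytes, looking past the first three."""
    if data.startswith(PNG_SIG):
        return "png"
    if data.startswith(JPG_MAGIC) and data[3:8] == PNG_SIG[3:]:
        return "png-with-jpeg-magic"
    if data.startswith(JPG_MAGIC):
        return "jpeg"
    return "unknown"


def repair(data: bytes) -> bytes:
    """Restore 89 50 4E over FF D8 FF, but only if the rest parses as a PNG."""
    if diagnose(data) != "png-with-jpeg-magic":
        raise ValueError("not a PNG with a JPEG magic number")
    fixed = PNG_SIG[:3] + data[3:]
    if not png_chunks_ok(fixed):
        raise ValueError("chunk CRCs do not verify; more than the magic is damaged")
    return fixed


def make_sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as test input."""
    def chunk(ctype, body):
        crc = struct.pack(">I", zlib.crc32(ctype + body))
        return struct.pack(">I", len(body)) + ctype + body + crc
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff")
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")
```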


Australia – Fix me 2

Solution:

1. Opening the picture shows a blank screen

2. Opening the file in an XML editor reveals one block to be commented out

3. Removing the comments and reopening the file in the picture viewer still shows a blank screen.

4. In addition, the text color seems to be black. Changing the color (000000 -> FFFFFF) and reopening the file in the picture viewer reveals the string: ”57 61 78 30 6E 57 61 78 30 66 66”

5. Looks like ASCII codes!

6. Command: ”echo "57 61 78 30 6E 57 61 78 30 66 66" | xxd -r -p” reveals the flag: Wax0nWax0ff


Argentina – Reversing 1

Solution:

1. Identify the file format

2. (execute the file)

3. Look for hints with the strings command

4. Spot the password & the flag

5. Password is: s3cr3t!

6. Flag is: ThatWasEasy!


Russia – Reversing 2

Solution:

1. Identify the file format

2. (execute the file)


3. Disassemble with objdump


4. Strip out everything except the lines where a comparison is made

5. Actually, remove everything except the ASCII codes and save them to a file

6. Use xxd to get the strings out


Italy – Reversing 3

Solution:

1. Identify the file format

2. (execute the file)

3. Disassemble with objdump

4. This executable is stripped, so when debugging with gdb, we need to:

   1. Start the debugger (gdb challenge5)

   2. Locate the .text area (info file)

   3. Add a breakpoint there (b *0x400950)

   4. Run until the breakpoint (run)

   5. Disassemble with (x/20i $pc)


1. Print text (”Password:”)

2. Input password

3. Check 2nd char = f (0x66)

4. If not -> jump to exit

5. Check len = 9 chars

6. If not -> jump to exit

7. Check 5th char = r (0x72)

8. Check 6th char = e (0x65)

9. Check 8th char = t (0x74)


10. Compare 1st and 9th char to each other

11. If not the same -> jump to exit

12. Check 3rd char = o (0x6f)

13. Check 7th char = s (0x73)

14. Check 4th char = r (0x72)

15. Check 1st char = 1 (0x31)

Passwd = 1forrest1


United States – Network traffic 1

Solution:

1. Identify the file format (pcapng)


2. Open the file with Wireshark -> Looks like HTTP traffic

3. File -> Export Objects -> HTTP -> Save All

4. Open the picture -> an "easy" button is revealed

5. Flag is: easy


United Kingdom – Network traffic 2

Solution:

1. Identify the file format (cap)


2. Open the file with Wireshark -> Looks like WEP-encrypted Wi-Fi traffic

3. Use aircrack-ng to crack the key: ”aircrack-ng Challenge11.cap” = qwert

4. Enable decryption in Wireshark -> Edit -> Preferences -> Protocols -> IEEE 802.11

   1. Add the decryption key as ASCII code (Edit...)

5. Network traffic is now decrypted and some HTTP traffic can now be seen

6. The flag is found in index.html: ”WinterIsComing”


Finland – Network traffic 3

Solution:

1. Unzip Challenge13.zip

2. Open wpa_challenge_part1.pcap in Wireshark

   Hmm... Looks like Wi-Fi router setup pages

3. Locate the Wi-Fi password. Search for keywords like ”password, encryption, key, PSK etc.”

   1. Password is salasana12345

   2. SSID = WIFI_CHALLENGE


4. Open wpa_challenge_part2.pcap in Wireshark -> Looks like WPA2-encrypted Wi-Fi traffic


5. Decrypt with airdecap-ng


6. Open and analyze the decrypted pcap in Wireshark -> There is something sketchy in the ICMP ping packets... Looks like there is some base64-encoded data in the data field


7. Create a script that reads the decrypted pcap file and each ICMP packet, decodes the data and saves it to a binary file.


8. Identify the file format of the output file (zip)

9. Unzip the file & identify the file format (Java class)

10. Rename the file to class and try to run it -> class name is wrong

11. Rename it as the error message suggests and try to run it -> runs OK.

12. Decompile with jad


13. Pick up the password from the source code


14. Execute the program and use the password

Flag is: HolyHandGrenadeOfAntioch


https://ctftime.org/


https://www.holidayhackchallenge.com/2018/
