CTF writeups

DownUnderCTF 2020: rot-i

rot-i

100 points

Author: joseph

ROT13 is boring!

Attached files:

  • challenge.txt (sha256: ab443133665f34333aa712ab881b6d99b4b01bdbc8bb77d06ba032f8b1b6d62d)

challenge.txt

Ypw'zj zwufpp hwu txadjkcq dtbtyu kqkwxrbvu! Mbz cjzg kv IAJBO{ndldie_al_aqk_jjrnsxee}. Xzi utj gnn olkd qgq ftk ykaqe uei mbz ocrt qi ynlu, etrm mff'n wij bf wlny mjcj :).

Solution

I wrote the Python script below to decode the message:

characters_upper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
characters_lower = "abcdefghijklmnopqrstuvwxyz"
flag = "Ypw'zj zwufpp hwu txadjkcq dtbtyu kqkwxrbvu! Mbz cjzg kv IAJBO{ndldie_al_aqk_jjrnsxee}. Xzi utj gnn olkd qgq ftk ykaqe uei mbz ocrt qi ynlu, etrm mff'n wij bf wlny mjcj :)."
# Both counters drop by one per character, so the shift grows with the position.
counter1 = 1
counter2 = 27

for i, j in enumerate(flag):
    counter1 -= 1
    counter2 -= 1
    if j.islower():
        characters = characters_lower
    elif j.isupper():
        characters = characters_upper
    else:
        # Punctuation and spaces are copied through, but still advance the counters.
        print(j, end='')
        continue
    if (i % 2) == 0:
        encoded_index = characters.index(j) + counter1
    else:
        encoded_index = characters.index(j) + counter2
    # Wrap the index back into the alphabet.
    while encoded_index > len(characters) - 1:
        encoded_index -= len(characters)
    while encoded_index < 0:
        encoded_index += len(characters)
    print(characters[encoded_index], end='')

Output:
You've solved the beginner crypto challenge! The flag is DUCTF{crypto_is_fun_kjqlptzy}. Now get out some pen and paper for the rest of them, they won't all be this easy :).

DUCTF{crypto_is_fun_kjqlptzy}

DownUnderCTF 2020: Leggos

Leggos

100 points

I <3 Pasta! I won't tell you what my special secret sauce is though!

https://chal.duc.tf:30101

Author: Crem

Solution

Under the provided link there's a website which blocks the right mouse click ;-)

But if we use the CTRL+SHIFT+I combination or the dropdown menu, we can open the browser's developer tools.

The flag was hidden in the source of the JavaScript that blocks the right click ;-)

DUCTF{n0_k37chup_ju57_54uc3_r4w_54uc3_9873984579843} 

DownUnderCTF 2020: fix my pc

fix my pc

500 points

My boss's computer died recently. We managed to dump some of the drive, but can't figure out a way to unlock it.

Download (233MB) https://cloudstor.aarnet.edu.au/plus/s/lIZ7mV36US93DhA

Solution

We start with rescue.zip with two files within: system.bin and crash.bin.

The first one is a disk image, the second one looks like a memory dump.

I’ve started with mounting the disk.

modprobe nbd max_part=8

qemu-nbd --connect=/dev/nbd0 /tmp/system.bin

But I’ve been stopped by disk encryption.

Ok, let’s try to retrieve the key to decrypt those partitions (/dev/nbd0p1 was boot with nothing interesting).

I downloaded the findaes tool from https://sourceforge.net/projects/findaes/ and used it to find the keys in the memory dump.

Looks like I’ve been lucky today ;-)

I’ve combined two parts of the key together and saved as binary.

echo 094e2adf58cfb17d85f0f6933f7b44efa00a3cda7bbe01873e09ff4ee7a60539ff98d76761147024ebb0c8d4e1141814214d2a83d7936609377755e5180a3c57 | xxd -r -p > /tmp/key

And then tried to use it.

cryptsetup luksAddKey /dev/nbd0p2 --master-key-file /tmp/key

cryptsetup luksOpen /dev/nbd0p2 rescue

lsblk

mount /dev/mapper/rescue /mnt

On the mounted partition there were many files with corrupted names, but the content was OK and gave me a hint about where the key for the 2nd partition is.

cryptsetup luksOpen /dev/nbd0p3 crypthome --key-file /mnt/etc/crypttab.d/home.key

The interesting parts were the SSH keys and .ash_history.

So I’ve used bob’s keys to clone the repo and have a look.

export GIT_SSH_COMMAND="ssh -o IdentitiesOnly=yes -i /mnt2/bob/.ssh/id_rsa"

git clone [email protected]:cornochips/configs

cd configs

Checked the content of files with no luck, then suddenly...

for i in `git log --all --oneline | awk -F ' ' '{print $1, $8}'`; do git diff ${i}; done

DUCTF{aT_l3ast_I_had_A_B3ck8p_y4n63xOVX4A}