Monday, March 10, 2014

RuCTF Quals 2014

Another great CTF with many challenges in all categories just ended. Our team was #7. Nana. Not too bad, but it was so annoying that without a network specialist we could not solve admin 200 task "Troubleshooting" which 97 other teams solved with ease.

Below are some write-ups. Hopefully they can give new players an introduction to steganalysis.

stegano 100: Cat's eye

This is an easy GIF stegano, but it took me quite a while analysing the image until I noticed it contained 8 similar frames which wasn't easy to notice in GIMP by default (note to myself: next time check the frames first). It is common sense to combine them and find the differences. The positions of the different pixels are as marked below:

It isn't very straightforward, but the flag is hidden here in binary representation. Using black pixels as 0s and green pixels as 1s give you the flag: RUCTF_e4dd9f5cee307b322c3a27abe66e3df9

stegano 300: Nyan-task

This is a very famous image. By finding and comparing it with the original image it can be concluded that there is no information hidden visually. Analysis with Caesum's StegSolve brought me to the conclusion that the only place to hide the flag is inside the palette. It is also suspicious to see only 14 colors used for the image while the palette contains 256 colors with a lot of repetition.

After extracting the palette I found out that this is actually a DataMatrix barcode (thanks stypr). The rest is easy. The hidden text is, which is a link to the flag: RUCTF_ca8250c2b4b50581afc9ffd1f403f3f2

crypto 200: Mary Queen

The task is to decipher a message written in Chinese characters. The title suggests that this is similar to the cipher used by Mary Queen of Scots, which is a cryptosystem in which simple substitution is used. This cipher is so weak that many tools have been created to solve it automatically, SCBSolvr is one of them. The decrypted text is chapter I of Alice's Adventures in Wonderlands by Lewis Carroll. The name of the book is also the flag.

Sunday, February 9, 2014

Olympic CTF Sochi 2014

The CTF just ended. And by breathtakingly solving a chall at the last minutes we won the silver medals. Banzai!

I was only involved in some parts of the challenges, so no write up this time :P

Update: With this achievement our team qualified for DEFCON 22 CTF. So awesome, but Las Vegas is so far away :(

Monday, January 27, 2014

PHDays CTF Quals 2014

The qualification round just ended today. Our team finished at rank #9. Chinese new year is coming soon so I only managed to catch up with the guys for just a little more than one hour. During that short period of time our team impressed even ourselves by solving 3 challenges and jumped back to top 10. I was involved in 1 of the challs: a ucucuga challenge titled "mp3 me".

The challenge is basically an mp3 stegano. After examining the file we came to a conclusion that there was no where else to hide the flag other than in the id3 part of the file.

Now this is the part where losers are separated from winners. The RGB tags and the presentation of values in triplets make most people try to find a way to get an image, but they are actually just red herrings. The real clue here is the occurrence of NULL. It suggests the end of a message. After trying some conversion, I found out that "78-9c" (hex values of 120-156) was the signature of zlib compressed data, and with that dloser was able to quickly recover the precious flag.

<dloser> >>> zlib.decompress('789ccb8ccf482c498d2f4d06c2f444002a9f05b7'.decode('hex'))
<dloser> 'i_hate_ucucuga'

Solving challenges is fun, and it's even more thrilling when there is a time limit. Oh, it is also good to be able to let everyone know how you solved them, not just limited to the solvers as on normal challenge sites.

Monday, January 20, 2014

Ghost in the Shellcode 2014

Recently, I have been invited to join team penthackon, a team full of veterans, to participate in CTF events.

As someone who only plays for fun, I find the recent Ghost in the Shellcode 2014 CTF quite an enjoyable experience. It's really amazing to see the creators spending a lot of efforts to put up an MMORPG named "Choose Your Pwn Adventure 2", just to be hacked by the players :P

As an uber cheater, I was involved in 2 of the quests: A Boaring Quest and Unbearable. The first quest requires killing over 9000 boars, something not easily done and most cheaters don't want to do it the normal way. jjk was the one who solved it for our team, but his method involved capturing and replaying the kill packet, and it was hard for everyone else to follow the same method.

Because the logic of the game was implemented in .NET, using .NET Reflector with Reflexil plugin I was able to patch the game to send 1001 kills to the server. So only 10 kills were needed to finish the quest (Actually it was possible to send 10000 kills in 1 go but we did it this way to be "nice" to the server :P)

The second quest was a little bit trickier: the treasure chest was protected by a shitload of bears, and after opening it you had to survive for 5 minutes before getting the flag. To make it even more impossible, the bears were armed with guns and they would all shoot you to death. This was actually a fun experience, everyone tried to avoid being hit, killing bears with uber weapons, changing the bear's AI... with no success. In the end, the solution was quite simple and logical. There was this holy item called wine that gave you 10-20% damage protection, however that protection can be patched from the client. I patched it to 100% to become invincible (also because each wine only last for 1 minute, I needed to drink 6 of them :P)

Below is the screenshot of my character after winning both flags

Sunday, January 12, 2014

Ubuntu 14.04 Trusty Tahr

My box was running Ubuntu 12.10 Quantal Quetzal for quite a long time because I was too lazy to upgrade it so recently I had to go through hella lot of upgrades to catch up with the latest technologies :P

The upgrade to 13.04 Raring Ringtail was quite smooth but while I was upgrading to 13.10 Saucy Salamander my laptop was overheating and shut down without a warning (they seriously should give us like 10 seconds to do something first). And that marked the beginning of hell :P

After powering on, Ubuntu couldn't start because of broken packages, but luckily there was no problem with the kernel and it only took me a bit to play around with the recovery menu to get the packages rebuilt.

However because the installation was incomplete there were many features missing and since there was no easy way to get them installed I decided to go a bit further to upgrade to the development version 14.04 Trusty Tahr.

Unsurprisingly, I was caught up in a serious sendmail bug - the installation went into an infinite loop. The bug was said to have been fixed a few months ago, but I don't know for which reason the fix hasn't made it to the Ubuntu repository yet. There was a workaround mentioned in the bug report, but the whole thing was a mess, and someone even suggested something as complicated as modifying the installation package. After some time reading all the available solutions, I got it done in a simple way. Just look for update_db in /usr/share/sendmail/ and replace the following lines:

str=$(echo "$line" | cut -d " " -f 1);
line=$(echo "$line" | cut -d " " -f 2-);


str=$(echo "$line" | head -n 1);
line=$(echo "$line" | tail -n +2);

and after that do a

sudo dpkg --configure -a

to reconfigure the packages :P

The Ubuntu team name their releases after the letters of the alphabet, and they already reached T. I wonder what will happen in a few years when all are used up :P