Monday, January 27, 2014

PHDays CTF Quals 2014

The qualification round just ended today. Our team finished at rank #9. Chinese New Year is coming soon, so I only managed to catch up with the guys for a little more than one hour. During that short time our team impressed even ourselves by solving 3 challenges and jumping back into the top 10. I was involved in 1 of the challs: a ucucuga challenge titled "mp3 me".

The challenge is basically MP3 steganography. After examining the file we concluded that there was nowhere else to hide the flag other than in the ID3 part of the file.

Now this is the part where losers are separated from winners. The RGB tags and the presentation of values in triplets make most people try to find a way to get an image, but they are actually just red herrings. The real clue here is the occurrence of NULL, which suggests the end of a message. After trying some conversions, I found that "78-9c" (the hex values of 120 and 156) is the signature of zlib-compressed data, and with that dloser was able to quickly recover the precious flag.

<dloser> >>> zlib.decompress('789ccb8ccf482c498d2f4d06c2f444002a9f05b7'.decode('hex'))
<dloser> 'i_hate_ucucuga'
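As an added example (not code from the original post or from dloser), the same recovery as a Python 3 script: the decimal triplets are a constructed sample that re-encodes the hex string above, candidate offsets are found with the RFC 1950 header check, and each candidate is confirmed by actually inflating it, which also exposes the false positive that the weak header check produces on this very data. The exact ID3 layout of the original file is an assumption.

```python
import zlib

# Constructed sample in the shape the write-up describes: decimal "RGB"
# triplets pulled from the ID3 tags. The values are the hex string
# 789ccb8ccf482c498d2f4d06c2f444002a9f05b7 in decimal, padded with a final
# zero; how the real file laid the tags out is an assumption here.
SAMPLE_TRIPLETS = [
    (120, 156, 203), (140, 207, 72), (44, 73, 141), (47, 77, 6),
    (194, 244, 68), (0, 42, 159), (5, 183, 0),
]

def triplets_to_bytes(triplets):
    """Flatten the decimal triplets into the raw byte string they encode."""
    return bytes(v for triplet in triplets for v in triplet)

def is_zlib_header(cmf, flg):
    """RFC 1950 header check: deflate method, window <= 32K, FCHECK valid."""
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0

def find_zlib_candidates(blob):
    """Offsets where a zlib header could start. The check is only about
    1-in-31 selective, so expect false positives; confirm each by inflating."""
    return [i for i in range(len(blob) - 1) if is_zlib_header(blob[i], blob[i + 1])]

def inflate_at(blob, offset):
    """Inflate one stream starting at offset. Returns (payload, trailing bytes)
    or None when the bytes there are not a complete, valid zlib stream."""
    d = zlib.decompressobj()
    try:
        payload = d.decompress(blob[offset:])
    except zlib.error:          # bad header, bad block, or FDICT without a dict
        return None
    if not d.eof:               # input ran out before the stream's end marker
        return None
    return payload, d.unused_data

def recover_message(triplets):
    """Full pipeline: triplets -> bytes -> header scan -> first stream that inflates."""
    blob = triplets_to_bytes(triplets)
    for offset in find_zlib_candidates(blob):
        result = inflate_at(blob, offset)
        if result is not None:
            return result[0].decode("ascii", errors="replace")
    return None

if __name__ == "__main__":
    blob = triplets_to_bytes(SAMPLE_TRIPLETS)
    print("candidate offsets:", find_zlib_candidates(blob))   # [0, 5]; 5 is a false hit
    print("message:", recover_message(SAMPLE_TRIPLETS))       # i_hate_ucucuga
```

Offset 5 (bytes 48 2c) passes the header arithmetic but its FLG byte claims a preset dictionary, so inflating it fails and the scan moves on; the trailing zero comes back as the stream's unused data.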

Solving challenges is fun, and it's even more thrilling when there is a time limit. It is also nice to be able to let everyone know how you solved them, rather than only the other solvers as on normal challenge sites.


Unknown said...

Hi there,

Can you explain to me how you converted and detected that 78-9c was used by zlib? Where exactly can I find the secret string? I used OllyDbg to view this file, and ...

quangntenemy said...

Take the numbers in the RGB tags and convert them to hex; you'll get 789ccb8ccf482c498d2f4d06c2f444002a9f05b7. The zlib decompression can be done using the code above (Python).

Unknown said...

Thanks for your help! I will try this, have a nice day bro!