Tuesday, May 13, 2014

ASIS CTF Quals 2014

A great CTF with a lot of interesting steganos has ended. Too bad the event took place on workdays, so our team didn't have much time for it (probably many other teams shared the same problem). We ended up at #10, which wasn't too bad :P Below you can find write-ups for a few challs I solved.

Trivia 50: Image

The file was actually an amazing image of the once popular NES game Battle City, and as a fan of Nintendo I had the emulator ready to play it :P Just complete the first stage and you'll get the flag: 8BIT_RULEZ (although it is a bit different from what is written and caused a lot of confusions for everyone :P)

Web 75: Hidden flag

A web challenge with barely any description, however the title suggests that the flag should be hidden somewhere. It didn't take us much time to notice the HTTP header named x-flag with the value ASIS_b6b?244608c2?c2e869cb56?67b64?b1. Now obviously the task was to find the full hash. My first thought was using a dictionary attack to find a string that generates a hash with the same pattern, but because of work I didn't really have any time to try it :P

At one point, some members in our team noticed that when a wrong solution was submitted, the response was almost instant. This suggested that there should be a javascript check somewhere. From here it didn't take much time for us to find the sha256 hash and recover the full flag: ASIS_b6be244608c27c2e869cb56167b649b1

Stego 100: Spy Paper

The image was quite big and it was quite easy for me to overlook every detail :P Fortunately redoc found anomalies in the blue channels and these dots reminded me of punched tape, which was very close to the final solution. We were able to quickly figure out the parity bits and decrypt the second part, however we could not find anything meaningful from the first part:

After a lot of time spending on it, we came to realize that this could be printer steganography, and the first part could be date and time. With that we were able to fully decrypt the flag: 9/6/19 13:22:44 E4sy_0n3.

Crypto 150: Random Image

This isn't a hard chall, the code seems to randomly create a new image based on the flag but in fact there is quite a big correlation between the "random" result and the original one. Specifically, if the value of the pixel is less than 250, the resulting pixel is the result of some operation on the coordinates xored with a random value which is the same for all pixels. We do not know the random value however we know the result of the operation on the coordinates and by xoring the encrypted image with this value all pixels with values less than 250 should stand out. Here is the final result of the decryption:

Stego 175: White noise

This is an easy prey for my powerful Steganabara, and that was the reason why our team quickly became the first solver. A quick histogram analysis shows that the values in the green and blue channels are evenly distributed, and the reason behind this is that they were made to be used as coordinates to rearrange the pixels.

However, the red channel only has 1 value: 128, so it is pointless if you rearrange the whole image, you'll get just a red square. This got me stumped for a little while, until I realized that the order of arrangement could be important too. With this I only used the first 30 lines of the image for rearrangement, and got the flag:


Anonymous said...

Nice solutions ;)

For the last one, what do you mean when you say "rearranged only the first 30 lines"?

I couldn't understand that part, I hope you can explain it :)


quangntenemy said...

That means you only use the data from the first 30 lines of the image as coordinates to arrange the pixels. If you use all the data, the result will be just a red square :P

maz zen said...

How did you do that, thanks :)