
Well, that's it: ZeroNights 2016 has ended. I would like to thank the organizers of this event and all its participants: in two days, many amazing talks were given, we mixed alcoholic cocktails for ourselves, thought about how to hack a smart home, tested our wits in quizzes and, of course, many CTF participants fought for the title of "the best in their field", and we became one of them. In connection with the foregoing, this series of articles will be devoted to the WTF CTFzone.
Thanks to the organizers!
Special thanks to GH0st3rs for providing some of the tasks for the write-ups.
FORENSIC50 - PCAP Master
AURORA: Lieutenant, how do you read me? You've been intercepted by the pilot's computer. Try to get the password from this traffic.
A PCAP file with a traffic dump was attached to the task. We open it in Wireshark to investigate.
Oh, and here is the key:
MISC50 - Cypher Psycho
AURORA: Lieutenant, seems like a left for a message. But I can't decode it. Surely, it is the strongest cipher on the planet: dWdnYzovL2NuZmdyb3ZhLmVoL01MZEZXT0Q5
What we have: an encoded string, presumably Base64. We try to decode it: uggc://cnfgrova.eh/MLdFWOD9. This looks very much like a rotation (ROT) cipher. No sooner said than done (using the site). We get: pastebin.ru/ZYqSJBQ9. The link leads to Morse code:
-.-. - ..-. --.. --- -. . .---- -.. -.. ----. ----- -... ---.. ..-. ..--- -.. ----- -.. ....- ---.. ----- ----. -.... . ---.. ..... . .---- ..... ....- ..-. ---.. ..-. ..-. ----. --... --... ...--
After converting the Morse code, we get the flag: ctfzone1dd90b8f2d0d48096e85e154f8ff9773
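The decoding chain above (Base64, then ROT13, then Morse), reproduced offline as an added example; it is not code from the original write-up. The ciphertext and the Morse text are copied from the page, and the function names are assumptions.

```python
import base64
import codecs
import string

# Both inputs are copied verbatim from the write-up above.
CIPHERTEXT = "dWdnYzovL2NuZmdyb3ZhLmVoL01MZEZXT0Q5"
MORSE_TEXT = (
    "-.-. - ..-. --.. --- -. . .---- -.. -.. ----. ----- -... ---.. ..-. "
    "..--- -.. ----- -.. ....- ---.. ----- ----. -.... . ---.. ..... . "
    ".---- ..... ....- ..-. ---.. ..-. ..-. ----. --... --... ...--"
)

# International Morse code: letters a-z in order, then digits 0-9.
_LETTERS = (
    ".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- "
    "-. --- .--. --.- .-. ... - ..- ...- .-- -..- -.-- --.."
).split()
MORSE_TABLE = dict(zip(_LETTERS, string.ascii_lowercase))
for n in range(10):
    # Digits are five symbols: 0 is all dashes, 1-5 lead with dots, 6-9 with dashes.
    code = "." * n + "-" * (5 - n) if n <= 5 else "-" * (n - 5) + "." * (10 - n)
    MORSE_TABLE[code] = str(n)


def decode_layers(ciphertext):
    """Return (Base64-decoded text, ROT13 of that text)."""
    # validate=True rejects characters outside the Base64 alphabet
    # instead of silently skipping them.
    stage1 = base64.b64decode(ciphertext, validate=True).decode("ascii")
    # ROT13 only rotates letters; digits and punctuation pass through.
    stage2 = codecs.decode(stage1, "rot13")
    return stage1, stage2


def decode_morse(text):
    """Decode space-separated Morse symbols; fail loudly on unknown ones."""
    out = []
    for symbol in text.split():
        if symbol not in MORSE_TABLE:
            raise ValueError(f"unknown Morse symbol: {symbol!r}")
        out.append(MORSE_TABLE[symbol])
    return "".join(out)


if __name__ == "__main__":
    for stage in decode_layers(CIPHERTEXT):
        print(stage)
    print(decode_morse(MORSE_TEXT))
```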
WEB50 - Make CTF Great Again
Lieutenant (You): AURORA, I'm on board. Captain Picard's cousin. “Trump” Let's see what's in there.
The task came with a site address. We open it and see a one-page site. Looking at the page source, we realize that we need to look elsewhere. Where else? Well, then definitely robots.txt:
    User-agent: *
    Disallow: /?
    Disallow: /404.html
    Disallow: /about.html
    Dissallow: /97c97e5a5402c5fdf461555afafafe0d/
Wow! We happily open it and see only one file in the directory: “verysecretfile.txt”. I can't even imagine what could be in there. Really! Key: ctfzone {320bc78efe2a58175bc9d48fcbb5ca10}
OSINT50 - Snail Mail
AURORA: Lieutenant, my memory is letting me down. Do you remember the postal code of this CTF organizer's office?
Flag format is: ctfzone {POSTAL_CODE}
We are required to specify the zip code of the CTF organizers:
Key: ctfzone {105066}
REVERSE50 - Console Version 1.337
AURORA: SCI430422 LED lights are blinking in hypnotic patterns. As you know, this system is renowned for its top-notch security measures. Only the most expert or resourceful hackers are available.
The file reverse50.exe is attached to the task. We run it and see a window prompting for a password. Attempts to guess it produce an error message, because the password is incorrect:
Well, on to the reversing! We go to the function that contains the string stating that the password is correct / incorrect:
What do we see?
- At address 00401169, we are prompted to enter a password;
- Then, at address 0040117E, the string we entered is read;
- Next, at address 0040118D, a function is called and the password we entered is passed to it. Let's call it CheckPassword;
- If the function returns True, a greeting is displayed.
Let's go to the CheckPassword function.
Here, the first thing I was interested in was which strings are compared by the strcmp call at 004010CF. We set a breakpoint there and run the program. After the breakpoint triggers, we see our flag in one of the registers, just as it goes onto the stack:
Flag: ctfzone {l33t_haxx0r_is_you !! 1}
We will continue this series of articles, in which we will cover the solutions to the remaining tasks of CTFzone 2016.
Stay with us!