eidCTF Writeups


eid CTF Writeups (2020)
Summary
Forensics
Forensics 1
First I got an mp3 sound file called 9923.mp3.
When I listened to it I got nothing, so I started by looking into its metadata using exiftool.
I noticed that there is a picture inside this file, so I extracted it using Binwalk.
That gave me new files containing a png file; after using stegsolve I got the flag in filter Red plane 1.
Forensics 2
I got an oop sound file called 5e33f92788d3a8.oop.
Using exiftool again, I noticed a comment that says password? and a hash in Composer,
so I used Hash Analyzer, which confirmed that it's an md5 hash.
I cracked it using CrackStation and got the value passwd1999ml, which was the flag.
Forensics 3
We got a txt file called C09NDHFEK343DD3.txt containing weird text. The first thing that came to my mind was that it's base64,
so after decoding it I realised from the file signature that it's a png file.
So I wrote a simple script to extract the image file:
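```python
import base64

# Read the base64 text and decode it to raw bytes
with open('C09NDHFEK343DD3.txt') as f:
    data = base64.b64decode(f.read())

# Write the decoded bytes out as the PNG image
with open('out.png', 'wb') as out:
    out.write(data)
```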
The out.png file was an empty picture, so I used stegsolve again and found encoded text in filter Red plane 0.
It was Pigpen ciphered text, so I used Characters Mapping to translate it and got the flag HACKERSACADEMY{PENGUINS_ARE_CUTE}
Reverse Engineering
I joined really late, so I started with the easy one.
re2 (First Blood)
I got an ELF file called m26Basic and the output MTPHTIPCKHPXJWTATOQEPHSREMQEOI.
After opening it with Ghidra I got the code in the Decompiler.
The encryption method is easy: it just transforms each character of the flag using this equation:
aiStack184[local_c] = aiStack184[local_c] % 0x19 + 0x41;
But this gives 4 possibilities for each character if we are going to bruteforce it,
so I created a frequency array to analyze the output:
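```python
import string

enc = 'MTPHTIPCKHPXJWTATOQEPHSREMQEOI'
m = {}      # output character -> list of candidate input characters
flag = ''
for i in enc:
    m[i] = []
    # Try every printable character and keep those that encrypt to i
    for x in string.printable:
        if chr((ord(x) % 0x19) + 65) == i:
            m[i].append(x)
            flag += x
print(m)
```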
I noticed that it always makes sense when we use uppercase characters without the Z,
so I bruteforced over them and got the flag:
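```python
import string

enc = 'MTPHTIPCKHPXJWTATOQEPHSREMQEOI'
m = {}
flag = ''
for i in enc:
    m[i] = []
    # A-Y is 25 consecutive code points, so each value of ord(x) % 0x19
    # occurs exactly once; Z would collide with A (90 % 25 == 65 % 25).
    for x in 'ABCDEFGHIJKLMNOPQRSTUVWXY':
        if chr((ord(x) % 0x19) + 65) == i:
            m[i].append(x)
            flag += x
#print(m)
print(flag)
```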
which was HACKERSACADEMY{WEARESAMURAITHEKEYBOARDCOWBOYS}
Web
web 3 by Ebrahim.Mosaad
- Description:
```
Introducing our secure DNS lookup service! This one uses the dig command provided in linux to provide the most accurate results!
And don’t you worry about attacks, we’ve got that all “quoted” up!
```
The website was using dig to do the DNS lookup and return the result.
The first thing that came to my mind was using single quotes to execute another command and get the flag,
but whenever I used single quotes or spaces or anything that is not a letter, the whole input was quoted. For example:
test -> dig test
test<space> -> dig 'test '
test' -> dig 'test'"'"''
So I wanted to understand how this filter works, and I found it on Stack Overflow.
So I knew it's impossible to bypass it. The second thing that came to my mind was passing a parameter to the dig command.
I didn't know that a space also makes the input get wrapped in single quotes,
so I spent a lot of time thinking of another way to solve it until my friend Ahmed Sherif told me that the arguments don't need spaces :(
So I was using
-f ./flag -> dig '-f ./flag'
so it was not considered as an argument,
so
-f./flag -> dig -f./flag
and I got the flag
HACKERSACADEMY{w47ch0u7f0rc0n7r0lch4r5!!}
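The quoting shown above matches the behaviour of Python's shlex.quote, and the sketch below assumes that is what the service used (its source is not in this writeup). It is an added example, not the challenge's code, and its function names are hypothetical: it puts the quoted command next to an allowlist check, to show why quoting alone still lets a value that begins with - reach dig.

```python
import re
import shlex

# Assumption: the filter behaves like shlex.quote, which reproduces the
# outputs listed in the writeup. All function names here are hypothetical.

def build_cmd_quoted(user_input):
    """Weak pattern: shell command string, quoting as the only defence."""
    return "dig " + shlex.quote(user_input)

def argv_seen_by_dig(user_input):
    """Argument vector the shell would hand to dig for the quoted command."""
    return shlex.split(build_cmd_quoted(user_input))

# One DNS label: alphanumeric at both ends, hyphens only in the middle.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")

def build_argv_validated(user_input):
    """Hardened pattern: allowlist the value and return an argv list that can
    be passed to subprocess.run(..., shell=False), so no shell is involved."""
    if len(user_input) > 253 or not _HOSTNAME.fullmatch(user_input):
        raise ValueError(f"rejected, not a hostname: {user_input!r}")
    return ["dig", user_input]

def demo():
    # Constructed sample inputs: the four from the writeup plus a hostname.
    samples = ["test", "test ", "test'", "-f ./flag", "-f./flag", "example.com"]
    rows = []
    for s in samples:
        try:
            hardened = build_argv_validated(s)
        except ValueError:
            hardened = None  # rejected before any process is started
        rows.append((s, build_cmd_quoted(s), hardened))
    return rows

if __name__ == "__main__":
    for sample, quoted, hardened in demo():
        print(f"{sample!r:14} quoted: {quoted:22} validated: {hardened}")
```

The hostname allowlist also rejects values starting with + or @, which dig treats as query options and server selection.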
They were nice challenges. I really wanted to solve all of them but I joined late XD. Hope you enjoyed reading this writeup.