Planet DesKel

DesKel's official page for CTF write-up, Electronic tutorial, review and etc.

8 August 2020

THM write-up: CaptureTheFlag

22 minutes to read

titlecard

Link: https://tryhackme.com/room/functf

CTF or Capture the Flag is a special kind of information security competition. There are three common types of CTFs: Jeopardy, Attack-Defence and mixed (by ctftime). The challenge involves the knowledge of cryptography, steganography, reverse engineering and web hack. What can you gain from CTF challenge? The purpose of the CTF challenge is to improve skills such as digital forensics and penetration testing. Most importantly, it is fun and satisfies.

This challenge is created by falconfeast. Trust me, this CTF challenge is really fun. Without further ado, let’s dive in.

Task 1: Text inside image

Part 1: Flag

This task is the easiest challenge, open the image as .txt file and scroll to the bottom of the page.

text flag

Part 2: Flag

For this part, you need to find the metadata or EXIF of the image file. I used the binary viewer to analyze the image file and came across with the following encoded flag.

image flag

This is a base64 encoded string (dHJ5aGFja21lezRsd2F5NV9jaDNja19tM3Q0ZGE3NH0K). Decoding the string to reveal the flag.

base64

Task 2: Binwalk

As suggested by the title “walk the bin out”, a simple google will reveal a tool called Binwalk. This tool analyzes and extracting information/file from an image. Analyze the image with the following command:

binwalk -B walk.png

Look like we have a gzip file and TIFF image files inside the image.

binwalk

Then, we can extract the files using the following command:

binwalk -e walk.png

After the extraction, open up the “29A72” file as .txt and reveal the encoded flag (T1JaSFMyREJNTlZXMlpMM01JWVc0NVpVTlJWVjZNRFNMNVREQTRSVE5WWFRLNUQ1Qkk9PT09PT0K).

file

extracted file

The flag is encoded twice with 2 different bases. You have to decode the flag with base64 and then base32 and reveal the following flag:

base flag

Task 3: Steghide

The answer for the tool is on the title. However, the title is encoded with base85/ACSII 85. Decoding the string reveals the tool called steghide. Steghide is another stenography tool to hide various data inside an image. The data can be extracted by entering the following command:

steghide extract -sf hide.jpg 

However, you are prompted to enter the passphrase and where the hell is the passphrase?

steghide

Refer to the Task 1, part 2. The passphrase is hidden as EXIF.

steg pass

This passphrase is encoded with base32 (The room’s author sure love bases). Decoding it yield ‘tryh4ckm3’. Enter the passphrase and get the flag in .txt file.

steg flag

Task 4: zsteg

The tool’s name is somehow ciphered using ROT cipher and we are not sure which ROT is used. The only thing we can do is brute force it using ROT cipher.

Rot

The cipher reveals a tool called zsteg. Another hint (the ‘lsb’ or least significant bit) is given and we can launch our zsteg with the following command:

zsteg flag

We get another encoded flag (credit to the author, 4wbWyHV1VA43QJtvWdw8pLCwkADDQ7ZdYkz39KsKaXUeLtPy9DShWSp). The flag looks like a base64 but actually, it is not. The flag is encoded as base58. However, it is not the end, the flag is encoded twice with different bases. After base58, you still need to decode it with base32 and reveal to the following flag.

zsteg true flag

Task 5: Broken PNG?

There is a big hint given in this task, the “HEADER”. The first eight byte of PNG file should be :

89 50 4e 47 0d 0a 1a 0a

Referring to the corrupted PNG, the first eight bytes look like this

fix it

Changing the first 4 bytes into “89 50 4e 47” to reveal the flag.

fixed

Task 6: Flag spectrum

The flag is somehow hidden in the .wav file and the only hint given is “the spectrum”. This task can be solved by any tool and for this case, I going to use wavepad to analyze the wave file. First and foremost, locate tools>TFFT and reveal the flag.

wavepad

Task 7: Ciphers

You can finish this task by using the brute force ROT cipher (except part 4) method and then choose the right technique to decipher the text.

Part 1

Technique: Ceaser chipher

Part 2

Technique: ROT 13

Part 3

Technique: ROT 47

Part 4

Technique: Vigenere cipher

You cannot use ROT cipher for this part as the text is ciphered as vigenere cipher. You have to refer to the table to complete the task. The first 9 characters of the cipher text is known, given that “rbcfkgiwi” = “tryhackme”. The key can be obtained using the known cipher and the key is yke. With both key and the cipher text, we can get the flag.

Task 8: Pigpen cipher

Don’t worry, this is not an alien text! This is the pigpen cipher using tic-tac-toe and cross X. Simply input the image characters and reveal the flag.

Task 9: DNA cryptography

This task is little bit tricky. At first glance, I’m used the real DNA codon table to solve the challenge but ended with failure. This is because the real DNA codon table missed some alphabet and all the numbering. Thanks to the GitHub user, John who gave me an idea to solve the challenge. The answer is shown on the table below:

DNA

As you can see, each 3 letters of the cipher text represent 1 English letter/number. You can either do it by easy way (coding) or hard way (trace it one-by-one). For me, i created a python script for the challenge.

#!/usr/bin/env python

import sys

mappings = {
	'AAA' : 'a',
	'AAC' : 'b',
	'AAG' : 'c',
	'AAT' : 'd', 
	'ACA' : 'e',
	'ACC' : 'f',
	'ACG' : 'g',
	'ACT' : 'h',
	'AGA' : 'i',
	'AGC' : 'j',
	'AGG' : 'k',
	'AGT' : 'l',
	'ATA' : 'm',
	'ATC' : 'n',
	'ATG' : 'o',
	'ATT' : 'p',
	'CAA' : 'q',
	'CAC' : 'r',
	'CAG' : 's',
	'CAT' : 't',
	'CCA' : 'u',
	'CCC' : 'v',
	'CCG' : 'w',
	'CCT' : 'x',
	'CGA' : 'y',
	'CGC' : 'z',
	'CGG' : 'A',
	'CGT' : 'B',
	'CTA' : 'C',
	'CTC' : 'D',
	'CTG' : 'E',
	'CTT' : 'F',
	'GAA' : 'G',
	'GAC' : 'H',
	'GAG' : 'I',
	'GAT' : 'J',
	'GCA' : 'K',
	'GCC' : 'L',
	'GCG' : 'M',
	'GCT' : 'N',
	'GGA' : 'O',
	'GGC' : 'P',
	'GGG' : 'Q',
	'GGT' : 'R',
	'GTA' : 'S',
	'GTC' : 'T',
	'GTG' : 'U',
	'GTT' : 'V',
	'TAA' : 'W',
	'TAC' : 'X',
	'TAG' : 'Y',
	'TAT' : 'Z',
	'TCA' : '1',
	'TCC' : '2',
	'TCG' : '3',
	'TCT' : '4',
	'TGA' : '5',
	'TGC' : '6',
	'TGG' : '7',
	'TGT' : '8',
	'TTA' : '9',
	'TTC' : '0',
	'TTG' : ' ',
	'TTT' : '.'
	}

#open file
f = open(sys.argv[1]).read().strip()

#flag array
flag = []

#Mapping
for x in range(0,len(f),3):
	piece = f[x:x+3]
	flag.append(mappings[piece])
	
print (''.join(flag))

Task 10: Exclusive or

Exclusive or (XOR) is a well known bit-wise operation in programming. It was originate from semiconductor called XOR gate.

xor

Xortool is used to solve the challenge. The objective of this challenge is to decrypt the XOR cipher in brute force way. Save the hex code as .hex and punch in the following command:

xortool -x -b XOR.hex

xortool

Do not let the output fool you. The actual key length is not 5 because you can’t find 100% valid char in the report. The second possibility is the key length with 1. Punch in the following command:

xortool -x -b XOR.hex -l 1

Then, visit the file called “filename-char_used-perc_valid.csv”. There are 4 files showing 100% valid characters.

xortool output

xortool flag

Task 11: Morse code

This task is easy, you just needed to replace the following:

The final outcome should be like this:

. … -.-- / .-- / .-.. … --. . ---- / - / .-.. -. -.- / - / --. --- / -- / .- / ..- / -. .- / .-.. . ---- / -- / .- / ..- / . … - / .- / .-.- / -.- / .-.. -..- / . . ---- / - / --- / - / .-- / -. .-.. --- / -.-.-. --.- / -.-- / -. ..- / -- / --- / -- / .- / . ---.. -.- / .- / ----. . -- / ….. .- / ----. -.-- / .. ….. -.- / --- / ---.. .-.- / ….. .-- / ---..

Putting to code into the Morse code translator and the flag will be revealed.

Task 12: Reverse engineer (Part 1)

The challenge can be solved in two ways:

I would like to solve this challenge using the IDA pro because the tool will be handy in the next challenge. Boot up the IDA pro and open the flag file. After that, go to view –> open subviews –> strings until you come across with two encrypted messages.

IDA string

Both messages are encrypted with Base64 and the first message is basically trolling you. The real flag is on the second red box.

Task 13: Inverse mapping

The long string can be decrypted using base58 and you will come across with the following output.

base58 decode

The output looked like a script and a hint: “reverse this”. For me, I’m only interested with the mapping. The script is rewritten using python.

#!/usr/bin/env python

import sys

mappings = {'a':'! ', 'b':'@ ', 'c':'/ ', 'd':'# ', 'e':'$ ', 'f':'% ', 'g':'^ ', 'h':'& ', 'i':'* ', 'j':'(', 'k':') ', 'l':'- ', 'm':'_ ', 'n':'+ ', 'o':'= ', 'p':'{ ', 'q':'} ', 'r':'[ ', 's':'] ', 't':': ', 'u':'; ', 'v':'< ', 'w':'> ', 'y':'? ', 'x':'" ', 'z':'| ', '{':'-?', '}':'?-', '1': "!@", "2":"@#", "3":"#$", "4":"$%", "5": "%^", "6":"^&", "7":'&*', "8":"*(", "9":")_","0":"[]", ' ': "<>", "_":"~ "}

#inverse mappings
if(sys.version_info[0] < 3):
	inv_mappings = {v:k for k, v in mappings.iteritems()}
else:
	inv_mappings = {v:k for k, v in mappings.items()}

#open file
f = open(sys.argv[1]).read().strip()

#flag array
flag = []

#Mapping
for x in range(0,len(f),2):
	piece = f[x:x+2]
	flag.append(inv_mappings[piece])
	print(''.join(flag))
	
print (''.join(flag))

Also, I have to rearrange the cipher text into:

@ = = <>[ $ < $ [ ] * + ^ <>> * : & = ; : <>@ * + ! [ ? <>@ = = <>] & = > <>; ] <>] = _ $ <>] : ! / ) <>@ = ? <>= & <>! + # <>^ * < $ <>_ $ <>_ ? <># ! _ + <>% - ! ^ <>: [ ? & ! / ) _ $ -?> #$[ !@# ~ ] ? _ @ []- %^?-

Because I’m reusing the code from the DNA cryptography by assuming two characters is equivalent to 1 English word or number.

Task 14: Reverse engineer (Part 2)

This task is quite challenging and requires basic knowledge on reverse engineering. You can visit this video tutorial. The explanation is simple and clear. Now, time to boot up our IDA pro again!

Using the method from the previous task (searching for the string), you will come across with this:

strings

You think the flag just sitting there for you to pick up? NO, that is not the flag we looking for and it was deep inside it. Now, visit jump –> jump to entry point and we have the following function:

flag

As you can see, we found a suspicious function called ‘flag’ and you can check it out. From now on, i will gone through block by block and all comments is written inside the block.

Block 1: Initialization block

init block

The first block storing the 21 bytes encrypted flag into the stack and initialize the counter value.

Block 2: Compare string length

compare block

The second block is comparing the string length.

Block 3: Decode the flag

decode block

From the figure above, the flag can be decoded using XOR of 0x10. The decoded flag can be written as:

52 33 76 33 72 33 64 5F 74 68 31 73 5F 6C 31 6B 33 5F 67 30 64

Convert the flag into ASCII and reveal the flag.

Task 15: Trivial question

Part 1: Who stop the worst ransomware?

The ransomware here is referred as wanna-cry and the person who stop it is known as Marcus Hutchins a.k.a MalwareTech.

Part 2: Who used by all devices to send error messages?

The answer is ICMP (Internet Control Message Protocol) and the hint is provided by non other than The Author!!!

Part 3: Which CTF team is open for all?

The CTF team is known as OpenToAll, visit them now.

Task 16: Brainfuck

The downloaded text is encoded with base64. Decode the text in result of:

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>++++++++++++++++.--.+++++++.-----------------.-------.++.++++++++.++.--------.++++++++++++++++++++++.<+++++++++++++++++.+++++++++++++++++.<++++++++++++++++++++++++++++++++++.>>-------.<---------.<---------.+++++++++++++++++.---------------------.>.<+++++++++++++++++++++.---------------------.>-------------------..+++++++++++++++++++.++++++++++.<++.>----------.>.<+++++++++.+.>-.++++++++++.

What the freak is this? This is a program called brainfuck and it only consists of 8 characters and hard to learn with. One can run this code by copying the text into brainfuck compiler.

Task 17: Web

This challenge required the user connected to tryhackme openVPN service. After that, launch your browser and copy given IP address into the URL. The task consists of 2 parts.

Part 1: URL (IP:17000)

After punched in the URL, you will be direct to this page:

webpage

Clicking the button will redirect you to the flag. However, you will received an 404 error page.

404

The URL should be /g#me_me_the_d#mn_fl#g but the error showing /g instead. From URL point of view, # is used as fragment_identifier or an id to direct the user to specific section without scrolling through the page which make the character after # an id instead of an element of URL directory. Now, we have identified the problem and how we represent the # as part of the URL directory instead of id? URL encoder might come in handy for this scenario. The encoded # can be represented by %23. Input the following URL to reveal the flag

http://<machine IP>:17000/g%23ve_me_the_d%23mn_fl%23g

Part 2: PHP (IP:17001)

You will be redirect to the following page:

webpage php

Clicking the link will simply redirect you to php script and that is the hint. Your objective is to get the flag() function. There are two conditions to get the flag

Simply putting the url “IP:17001/?golden_word=nevergiveup” will not work because there are one function called “preg_replace” which replace the string ‘nevergiveup’ into an empty string (second condition cannot fulfilled). Changing ‘nevergiveup’ to hex only work for operand “==” but not for “===”. The only way is changing ‘nevergiveup’ into ‘nnevergiveupenevergiveupvnevergiveupenevergiveuprnevergiveupgnevergiveupinevergiveupvnevergiveupenevergiveupunevergiveupp’.

Did you see it? All the non-bold text will be removed by the function and the bold text will join up as ‘nevergiveup’. The input URL should be:

http://<machine IP>:17001/index.php?golden_word=nnevergiveupenevergiveupvnevergiveupenevergiveuprnevergiveupgnevergiveupinevergiveupvnevergiveupenevergiveupunevergiveupp

Finally, the flag is revealed.

php flag

Task 18: Ook!

Almost similar to brainfuck, this is another esolang called Ook (or oak). Decode the text using base64 and get the following text :

....................!?.?...?.......?...............?....................?.?.?.?.!!?!.?.?.?.?................................!.!!!!!...............!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!.....!.................!.....!.!!!!!!!!!!!!!!!!!.............................................!.?.?.....................................!.!..?.?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!.....................!.?.?...........!..?.?!!!!!!!!!!!!!!!!!!!!!.....!.!!!!!...........................!.!!!!!!!!!!!!!!!!!!!!!!!...........................!.!!!!!!!!!!!!!!!.............................!.?.?.!!!..?.?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!.?.!!!!!!!!!!!!!!!..?................................................!.

Run this code in any compiler and the flag will be revealed.

Conclusion

This is the end of the challenge and hope you can learn something new from this CTF walkthrough. To be honest, it took me almost 5 days to finish up this challenge (of course, with guidance from falconfeast, the creator of the room). However, I’m really enjoy it and feeling satisfy on the completion. Until next time :)

tags: tryhackme - CTF - recon - stego - reverse_engineer - crypto

Thanks for reading. Follow my twitter for latest update

If you like this post, consider a small donation. Much appreciated. :)


Vortex


© 2020 DesKel