Introduction

Took a break between school homework and did some CTF. The follow are the challenges I solved.


Pwn

999 Bottles

We are given a zip file. Unzipping the file gives us 999 ELF files. When executed, it outputs What is my character?, and accepts one ASCII character (according to challenge description). Being lazy, the first idea I thought of was to brute everything. Quick analysis in ghidra tells us the answer to the first executable is letter F, and when fed the correct character it outputs OK!.

Initially I tried to execute the file using os.system(./<file>). However, although I could execute it, python would wait for the process to finish before printing the next line. Hence, I could input anything. Furthermore, I also had no way of retrieving the output. Hence I turned to google, which told me to use subprocesses. After messing around for a few minutes with no success, I remembered that I could do more than just executing the file within the command line. I could also write input using python -c. So our command now looks something like this:

cmd = "python -c 'print" + "\"" + letter + "\"'" + "| ./" + elf

Now we just need a way to read from std output. Then I also remembered, you could redirect stdout to a file… So why not just create a temporary file to store the output and open it in python. Hence our final command is

cmd = "python -c 'print" + "\"" + letter + "\"'" + "| ./" + elf + " > tmpfile"

Now we just need to loop through all ASCII characters. However, we don’t need to loop though all 256 characters, we just just loop through all printable ones hence shortening our execution time. Finally we have the script,

import os

charset='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.!@#$%^&*()1234567890{}'

flag = ''
for i in range(1,1000):
	if i < 10:
		elf = '00' + str(i) + '.c.out'
	elif i <100:
		elf = '0' + str(i) + '.c.out'
	else:
		elf = str(i) + '.c.out'

	for letter in charset:
		cmd = "python -c 'print" + "\"" + letter + "\"'" + "| ./" + elf + " > tmpfile"
		os.system(cmd)
		with open('tmpfile', 'r') as file:
			file.readline()
			result = file.readline()
			if 'OK!'in result:
				flag += letter
				break

print(flag)

We can find the Flag in the bottom half of the output. Flag: RITSEC{AuT057v}

Crypto

Shiny

We are given this weird text: .‡8]5);483‡5;, and a image file: gold-bug.jfif. Opening the image, just shows a picture of a golden bug (what a surprise…). Initially I was quite lost, so I decided to google “shiny crypto” which gave me nothing as expected. So then I tried, “gold bug crypto”, and among the first few results was “Gold-Bug Cipher”. Using the online decoder, and then wrapping in the flag format, we have our flag.

Flag: RITSEC{POEWASTHEGOAT}

Forensics

Take it to the Cleaners

We are given an image file. Using exiftool, we get:

ExifTool Version Number         : 10.80
File Name                       : ritsec_logo2.png
Directory                       : .
File Size                       : 4.3 kB
File Modification Date/Time     : 2019:11:17 22:01:32+08:00
File Access Date/Time           : 2019:11:17 22:01:50+08:00
File Inode Change Date/Time     : 2019:11:17 22:01:48+08:00
File Permissions                : rw-rw-r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 328
Image Height                    : 154
Bit Depth                       : 8
Color Type                      : Palette
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Palette                         : (Binary data 129 bytes, use -b option to extract)
Exif Byte Order                 : Big-endian (Motorola, MM)
Image Description               : Hi there! Looks like youre trying to solve the forensic_fails challenge! Good luck!
Resolution Unit                 : inches
Artist                          : Impos73r
Y Cb Cr Positioning             : Centered
Copyright                       : RITSEC 2018
Exif Version                    : 0231
Components Configuration        : Y, Cb, Cr, -
User Comment                    : RVZHRlJQe1NCRVJBRlZQRl9TTlZZRl9KQkFHX1VSWUNfTEJIX1VSRVJ9
Flashpix Version                : 0100
GPS Latitude Ref                : North
GPS Longitude Ref               : West
Image Size                      : 328x154
Megapixels                      : 0.051

The user comment seems suspicious. Decoding from base64 gives us, EVGFRP{SBERAFVPF_SNVYF_JBAG_URYC_LBH_URER} This looks like a flag, except the letters are all wrong and don’t make sense. Using an online caesar cipher decoder and rotating until we have the flag format, we get:

Flag: RITSEC{FORENSICS_FAILS_WONT_HELP_YOU_HERE}

findme

We are given a pcap file. Opening in wireshark and following the TCP streams, we see something suspicous in the 2nd stream.

aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kUXc0dzlXZ1hjUQo=
H4sIAFSZx10AA+3OMQuCQBiH8Zv9FPcFgrvUcw2kIWgydzG1EkQPvZui757S0lSTRPD8lmd43+F/
6cqrWJmaGRMt1Ums3vtitkKHsdGJDqNtKJSeGwup1h628JMrRymFP/ve+Q9/X+5/Kjvkp316t1Vp
p0KNReuKuq17V9x21jb9IwjSPDtuKukGWXXD1AS/XgwAAAAAAAAAAAAAAAAAWDwB38XEewAoAAA=

CTRL-c to close

They seem to be a base64 stream. Wireshark also tells us the longer string is a server packet. Decoding the base64 string from the server and running file on gives us gzip compressed data, last modified: Sun Nov 10 05:00:04 2019, from Unix. Unzipping it gives us a POSIX tar archive (GNU). Unzipping yet again gives us a file named flag. And it does indeed contain the flag.

Flag: RITSEC{pcaps_0r_it_didnt_h@ppen}

Long Gone

We are given a file named chrommebin. Running file on it tells us it’s a POSIX tar archive (GNU). Unzipping it gives us a folder Chrome. This seems to be someones chrome browser’s files. The challenge title “Long Gone” and challenge description “That data? No it’s long gone. It’s basically history” seems to be suggesting that our flag is in the browser history. We can find the history file in the path, Chrome/User Data/Default/History.

Running file on History tells us it is of type SQLite 3.x database, last written using SQLite version 3029000. We analyze this file with the sqlite3 cli tool. Open the file with sqlite3 History, and dump it’s contents using .dump.

Slowly analyzing each line, we see many weird searches and amongst that there is a suspicous link.

INSERT INTO keyword_search_terms VALUES(2,76,'us-central-1.ritsec.club/l/relaxfizzblur','us-central-1.ritsec.club/l/relaxfizzblur');

Following the link, we get the flag.

Flag: RITSEC{SP00KY_BR0WS3R_H1ST0RY}

Web

Misdirection

We are given a link. Visiting that link on a browser we are stuck waiting, and then we get an error due to too many redirects. Trying to wget the link, we also get a similar error exceeding 20 redirects. However, since wget prints shows you the links redirected to, we notice that appended to the back of the link is a single character. Concatenating all of them gives us the flag. To ensure that we have the full flag, once we exceeded our the max redirects, we simply wget the latest link, and we realised it was an infinite redirect loop.

Flag: RS{4!way5_Ke3p-m0v1ng}