IceCTF 2016 Many Challs by Makhno

Spotlight (Web · 10 pt)

We got access to http://spotlight.vuln.icec.tf/ : a black page, but when you move the mouse, a halo of light appears.

Analyzing with Firebug:

spotlight.js => console.log("DEBUG: IceCTF{5tup1d_d3v5_w1th_th31r_l095}");
The flag is:

IceCTF{5tup1d_d3v5_w1th_th31r_l095}

All your Base are belong to us (Misc · 15 pt)

Got a binary file, just translate it to ASCII aaaaaand it's done!

IceCTF{al1_my_bases_are_yours_and_all_y0ur_bases_are_mine}

Rotated! (Cryptography · 20 pt)

VprPGS{jnvg_bar_cyhf_1_vf_3?}

Following challenge title, ROT13 ==> : IceCTF{wait_one_plus_1_is_3?}

Time Traveler (Forensics · 45 pt)

'Time Traveler' made me think of using archive.org to check the address http://time-traveler.icec.tf/ We got a snapshot dated 01 June 2016.
Flag is IceCTF{Th3y'11_n3v4r_f1||d_m4h_fl3g_1n_th3_p45t}

Move Along (Web · 30 pt)

Using Firebug we can see http://move-along.vuln.icec.tf/move_along/

Index of /move_along/
../
0f76da769d67e021518f05b552406ff6/                  10-Aug-2016 19:07                   -
nothing-to-see-here.jpg                            10-Aug-2016 19:07               19453

Let's move to http://move-along.vuln.icec.tf/move_along/0f76da769d67e021518f05b552406ff6/ Got an image secret.jpg containing the flag.

Alien Message (Cryptography · 40 pt)

We got an image with strange alien symbols (https://play.icec.tf/problem-static/alien_message_b84f283848b7f34fd4c7529186e66e120b0a374c9d0f2a225b0a7a215716afb5.png). Let's use an alien alphabet to decode it; I used the following one: http://www.omniglot.com/images/writing/futurama.gif
Symbols are different for uppercase and lowercase.
Flag is : IceCTF{gOOd_n3wZ_3veryon3_1_l1k3_fu7ur4ma_4nd_th3ir_4maz1ng_3as7er_39g5}

Complacent (Reconnaissance · 40 pt)

I used nikto to scan the chall website:

nikto -h https://complacent.vuln.icec.tf
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          104.154.248.13
+ Target Hostname:    complacent.vuln.icec.tf
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject: /C=IS/ST=Kingdom of IceCTF/L=IceCTF city/O=Secret IceCTF Buisness Corp/OU=Flag: IceCTF{this_1nformation_wasnt_h1dd3n_at_a11}/CN=complacent.icec.tf
                   Ciphers: ECDHE-RSA-AES256-GCM-SHA384
                   Issuer: /C=IS/ST=Kingdom of IceCTF/L=IceCTF city/O=Secret IceCTF Buisness Corp/OU=Flag: IceCTF{this_1nformation_wasnt_h1dd3n_at_a11}/CN=complacent.icec.tf


Flag was in SSL Certificate : IceCTF{this_1nformation_wasnt_h1dd3n_at_a11}

Search (Misc · 40 pt)

“…maybe its all about the conTEXT.” Hum, let’s dig that txt !

dig -t txt search.icec.tf

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> -t txt search.icec.tf
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15523
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;search.icec.tf.  IN TXT

;; ANSWER SECTION:
search.icec.tf.  300 IN TXT "IceCTF{flag5_all_0v3r_the_Plac3}"
...

Flag is : IceCTF{flag5_all_0v3r_the_Plac3}

Flag Storage (Web · 50 pt)

Chall hint was "SQLi", so let's go! ' OR 1 = 1; -- in the password field, some bullshit in the login one aaaaaand it's done!
Flag is : IceCTF{why_would_you_even_do_anything_client_side}
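
The bypass above works when the server pastes the form fields into the SQL text. The following is an added example, not the challenge's code: the table, the column names and the query shape are assumptions, and it uses Python's sqlite3 to put a concatenated query next to a parameterized one.

```python
import sqlite3

PAYLOAD = "' OR 1 = 1; --"  # the password-field input used in the write-up


def make_db():
    # Constructed sample data: one account with a password the attacker does not know.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db


def login_vulnerable(db, username, password):
    # Input becomes part of the SQL text, so the quote in PAYLOAD closes the
    # string literal, OR 1 = 1 makes the WHERE clause true for every row,
    # and -- comments out the leftover quote.
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return db.execute(query).fetchone() is not None


def login_parameterized(db, username, password):
    # Placeholders send the values separately from the SQL text, so the
    # payload is compared as a literal string and matches no row.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", login_vulnerable(db, "anything", PAYLOAD))
    print("parameterized:", login_parameterized(db, "anything", PAYLOAD))
```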

Audio Problems (Forensics · 50 pt)

file audio_problems_210b88f2232e1c9d770bb5d2069c47aabb86301b0adc7ad606956394a00f298b.wav
audio_problems_210b88f2232e1c9d770bb5d2069c47aabb86301b0adc7ad606956394a00f298b.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz

Sonic Visualiser => Layer => Add Spectrogram => All Channels Mixed

Vape Nation (Stego · 50 pt)

LSB -> Stegsolve.jar -> Green plane 0

Over the Hill (Cryptography · 65 pt)

Explicit title, and nice song by the way :D Hill matrix: http://www.dcode.fr/chiffre-hill
Got all details in the file:
* alphabet
* ciphertext
* matrix
I used this write-up to solve it: https://github.com/ctfs/write-ups-2015/blob/master/ghost-in-the-shellcode-2015/crypto/nikoli/hilly.py

import numpy as np

debug = 0
alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789_{}"
alphsize = len(alphabet)


def modMatInv(A, p):       # Finds the inverse of matrix A mod p
    n = len(A)
    A = np.array(A)
    adj = np.zeros(shape=(n, n))

    # Adjugate matrix: cofactors from floating-point determinants, rounded to ints
    for i in range(0, n):
        for j in range(0, n):
            adj[i][j] = ((-1)**(i+j) * int(round(np.linalg.det(minor(A, j, i))))) % p
    return (modInv(int(round(np.linalg.det(A))), p) * adj) % p


def modInv(a, p):          # Finds the inverse of a mod p, if it exists
    for i in range(1, p):
        if (i*a) % p == 1:
            return i
    raise ValueError(str(a) + " has no inverse mod " + str(p))


def minor(A, i, j):    # Return matrix A with the ith row and jth column deleted
    A = np.array(A)
    m = np.zeros(shape=(len(A)-1, len(A)-1))
    p = 0
    for s in range(0, len(m)):
        if p == i:
            p = p + 1
        q = 0
        for t in range(0, len(m)):
            if q == j:
                q = q + 1
            m[s][t] = A[p][q]
            q = q + 1
        p = p + 1
    return m


def encrypt(msg, key, sz):
    # Split the message into blocks of sz characters
    triple = [list(msg[i*sz:(i*sz)+sz]) for i in range(0, len(msg)//sz)]
    if debug > 0: print(triple)
    mul = [i[:] for i in triple]
    # Map every character to its index in the alphabet
    for x in range(len(triple)):
        for i in range(len(triple[x])):
            triple[x][i] = alphabet.find(triple[x][i])

    if debug > 0: print(triple)
    # Multiply each block by the key matrix mod the alphabet size
    for x in range(len(triple)):
        mul[x] = np.dot(key, triple[x]) % alphsize
    if debug > 0: print(mul)
    enc = ""
    for x in range(len(mul)):
        for s in range(0, sz):
            enc += alphabet[int(mul[x][s])]
    return enc


def decrypt(msg, key, sz):
    # Returns None when the key matrix has no inverse mod the alphabet size
    try:
        deckey = modMatInv(key, alphsize)
    except ValueError:
        return
    triple = [list(msg[i*sz:(i*sz)+sz]) for i in range(0, len(msg)//sz)]
    mul = [i[:] for i in triple]

    for x in range(len(triple)):
        for i in range(len(triple[x])):
            triple[x][i] = alphabet.find(triple[x][i])

    if debug > 0: print(triple)
    # Multiply each block by the inverse key matrix mod the alphabet size
    for x in range(len(triple)):
        mul[x] = np.dot(deckey, triple[x]) % alphsize
    if debug > 0: print(mul)
    dec = ""
    for x in range(len(mul)):
        for s in range(0, sz):
            dec += alphabet[int(mul[x][s])]
    return dec


matrix = [[54, 53, 28, 20, 54, 15, 12, 7],
          [32, 14, 24, 5, 63, 12, 50, 52],
          [63, 59, 40, 18, 55, 33, 17, 3],
          [63, 34, 5, 4, 56, 10, 53, 16],
          [35, 43, 45, 53, 12, 42, 35, 37],
          [20, 59, 42, 10, 46, 56, 12, 61],
          [26, 39, 27, 59, 44, 54, 23, 56],
          [32, 31, 56, 47, 31, 2, 29, 41]]

ciphertext = "7Nv7}dI9hD9qGmP}CR_5wJDdkj4CKxd45rko1cj51DpHPnNDb__EXDotSRCP8ZCQ"
print(decrypt(ciphertext, matrix, 8))

Flag is : IceCTF{linear_algebra_plus_led_zeppelin_are_a_beautiful_m1xture}
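
The script above gets the inverse key from floating-point determinants (np.linalg.det) that are rounded to integers, which can lose exactness on an 8x8 matrix. The following is an added example, not part of the original write-up or of the referenced hilly.py: it inverts the same key with exact integer Gauss-Jordan elimination modulo 64, and the function names are my own.

```python
from math import gcd

# Alphabet, key matrix and ciphertext are the ones given in the write-up above.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789_{}"
MOD = len(ALPHABET)  # 64
KEY = [[54, 53, 28, 20, 54, 15, 12, 7], [32, 14, 24, 5, 63, 12, 50, 52],
       [63, 59, 40, 18, 55, 33, 17, 3], [63, 34, 5, 4, 56, 10, 53, 16],
       [35, 43, 45, 53, 12, 42, 35, 37], [20, 59, 42, 10, 46, 56, 12, 61],
       [26, 39, 27, 59, 44, 54, 23, 56], [32, 31, 56, 47, 31, 2, 29, 41]]
CIPHERTEXT = "7Nv7}dI9hD9qGmP}CR_5wJDdkj4CKxd45rko1cj51DpHPnNDb__EXDotSRCP8ZCQ"


def mat_inv_mod(key, mod):
    """Exact inverse of a square integer matrix modulo a prime power (here 2**6)."""
    n = len(key)
    # Augment [key | I]; everything stays in Python ints, so nothing is rounded.
    aug = [[v % mod for v in row] + [int(i == j) for j in range(n)]
           for i, row in enumerate(key)]
    for col in range(n):
        # The pivot must be a unit mod `mod` (an odd number when mod is 64).
        # Modulo a prime power, an invertible matrix always offers one.
        pivot = next((r for r in range(col, n) if gcd(aug[r][col], mod) == 1), None)
        if pivot is None:
            raise ValueError("matrix is not invertible modulo %d" % mod)
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, mod)  # modular inverse, Python 3.8+
        aug[col] = [(v * inv) % mod for v in aug[col]]
        for r in range(n):
            factor = aug[r][col]
            if r != col and factor:
                aug[r] = [(a - factor * b) % mod for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def apply_key(text, key):
    """Multiply each block of len(key) symbols by `key` modulo the alphabet size."""
    n = len(key)
    if len(text) % n:
        raise ValueError("text length must be a multiple of %d" % n)
    out = []
    for i in range(0, len(text), n):
        block = [ALPHABET.index(c) for c in text[i:i + n]]
        out.extend(ALPHABET[sum(k * b for k, b in zip(row, block)) % MOD] for row in key)
    return "".join(out)


def decrypt(ciphertext, key):
    return apply_key(ciphertext, mat_inv_mod(key, MOD))


if __name__ == "__main__":
    print(decrypt(CIPHERTEXT, KEY))
```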