## Information

### Version

| By | Version | Comment |
|---|---|---|
| noraj | 1.0 | Creation |

### CTF

- **Name**: HITB CTF Singapore 2017
- **Website**: hitb.xctf.org.cn
- **Type**: Online
- **Format**: Jeopardy
- **CTF Time**: link

## Cephalopod - Misc

We've found some strange network traffic, we suspect it contains a flag.

`binwalk` always helps:

```
$ binwalk 2a9c1cdd-2ac0-4b2a-828d-269c6e04ebbb.pcap
```

So there is probably an image with the flag.

Let's open Wireshark:

```
$ wireshark-gtk 2a9c1cdd-2ac0-4b2a-828d-269c6e04ebbb.pcap
```

Let's check Wikipedia: the PNG file signature begins with `89 50 4E 47 0D 0A`.

Press `CTRL + F`, select **Hex value** as **Display filter**.

That leads us to frame n°126. (Note: if you search for `PNG` as a string, you'll find a request for `flag.png`, so we are on the right track.)

Right click on the frame, click on **Follow TCP Stream**, select the **Raw** representation, do not select **Entire conversation** but **10.0.2.7:39618 -> 10.0.2.10:6800 (2412380 bytes)**, and then save it as a file.

We can see there is some ceph stuff before the PNG file signature so extract the PNG:

```
$ foremost ceph_and_png
```

Now we can see the flag:

```
$ display output/png/flag.png
```

Flag is `HITB{95700d8aefdc1648b90a92f3a8460a2c}`.

Note: imgur converted the picture into jpeg.
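
The carving step above can also be done by hand. The following is an added example, not part of the original write-up: a minimal signature-based carver that finds the full 8-byte PNG signature in a raw stream dump, then walks the length/type/data/CRC chunks up to `IEND` so that protocol bytes before and after the image are discarded. The function names and the sample stream are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = bytes.fromhex("89504e470d0a1a0a")  # full 8-byte PNG signature

def carve_png(blob: bytes, start: int = 0):
    """Return (offset, png_bytes) for the first well-formed PNG in blob, or None."""
    pos = blob.find(PNG_SIG, start)
    while pos != -1:
        end = _walk_chunks(blob, pos + len(PNG_SIG))
        if end is not None:
            return pos, blob[pos:end]
        pos = blob.find(PNG_SIG, pos + 1)  # false positive, keep searching
    return None

def _walk_chunks(blob: bytes, off: int):
    """Follow length/type/data/CRC chunks; return the offset just past IEND."""
    while off + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        ctype = blob[off + 4:off + 8]
        data_end = off + 8 + length
        if data_end + 4 > len(blob):
            return None  # truncated capture
        (crc,) = struct.unpack(">I", blob[data_end:data_end + 4])
        if zlib.crc32(blob[off + 4:data_end]) != crc:
            return None  # corrupted chunk or not really a PNG
        off = data_end + 4
        if ctype == b"IEND":
            return off
    return None

def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk (the CRC covers type + data)."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x7f")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

if __name__ == "__main__":
    png = make_sample_png()
    # Constructed stream: filler standing in for protocol bytes around the image.
    stream = b"constructed header bytes" + png + b"constructed trailer"
    offset, carved = carve_png(stream)
    print(offset, len(carved), carved == png)
```

To use it on the saved stream, read the file as bytes, pass it to `carve_png`, and write the returned bytes to a `.png` file.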

## Prime - Mobile

Do you know prime?

Unpack the application `.apk` file (assets, resources, compiled code, etc.):

```
$ apktool d -r -s ab436242-a5c7-4dd8-b88d-1982be05b3bd.apk
```

Convert the Dex file to Java classes:

```
$ d2j-dex2jar ab436242-a5c7-4dd8-b88d-1982be05b3bd/classes.dex
```

Now take a look at the source:

```
$ jd-gui classes-dex2jar.jar
```

Or we can also use `jadx-gui`, which gives us:

```java
package com.iromise.prime;
```

This is calculating the number of prime numbers up to 10000000000000000 (10 quadrillion = 10 million billion = 1 × 10^16). So this will take a while before displaying the toast.

I prefer to use a search engine: Prime number theorem and OEIS.

So the flag appears to be `HITB{279238341033925}` but it wasn't valid.

**Update**: *Shinji Hirako* pointed out the following to me:

The java code also counts all squares of primes less than or equal to `10000000000000000`. To calculate the number of squares of primes less than `10000000000000000`, we take the square root of `10000000000000000` which is `10**8` and count how many prime numbers until `10**8`. From the diagram you posted, this is `5761455`. So answer is `279238341033925 + 5761455` and flag is `HITB{279238346795380}`

Edit: The reason squares of primes are included is because when it is a square of a prime, the code never enters the for loop. For example, when `4` is passed as the parameter to `isOk()`, the condition for the for loop is `l =2, l*l < n`. But `l*l = 4` and `4` is not less than 4, hence we never enter the for loop. Same logic for all other squares of primes, but not squares in general.