Version
By
Version
Comment
noraj
1.0
Creation
CTF
Name : PACTF 2018 round 2
Website : pactf.com
Type : Online
Format : Jeopardy
CTF Time : link
10 - Redacted - Forensics
ANDOVER, MA— Phillips Academy Capture the Flag releases an institution-wide memorandum on the security of PDF documents. For privacy, parts of the memo are redacted.
View the memo: SECURE REDACTED MEMORANDUM .
Open the PDF and you can see redacted areas.
Let's convert it to text:
$ pdf2txt.py SECURE_REDACTED_COPY.42ce971cad34.pdf
PACTF
180 Main Street, Andover MA 01810
contact@pactf.com
pactf.com
MARCH 1ST, 2013
MEMORANDUM ON THE SECURITY OF PDF DOCUMENTS AND REDACTION
Over the past several years, there have been several instances in which a journalist, government
officer, or corporate executive has released an otherwise-secret document with redactions.
Unfortunately, these amateur redactors often do a poor job hiding the data they mean to redact,
and leave themselves vulnerable to even the most trivial exploits.
Indeed, few issues pose as real and present a threat as poorly redacted PDF documents. If you
wish to release a PDF document, be sure to release only an image of the file—that way, you won’t
be vulnerable to leaks.
The flag is `b3_car3ful_0r_y0ur_l3ak_m1ght_l3ak`.
AN OFFICIAL MEMORANDUM OF PACTF 2018
REDACTED COPY
15 - Am I Pwned? - Crytpo
I was talking on IRC with a guy who tricked me into giving him a hash of my password and then said he could hack me! He said I might be “pwned”! I know the hashing algorithm is MD5; that’s still secure, right?
… Oh, you want to know whether my password is secure or not?
It doesn’t have any uppercase letters or numbers or punctuation, but isn’t six characters still a lot? what he meant by that one. Would you be able to hack my password? Here’s the hash:
eca065fba51916821eb7274c786c67d9
Just go to crackstation or hashkiller .
eca065fba51916821eb7274c786c67d9
: md5('lmaoez')
20 - It's In, If - Forensics
My older brother sent me this photo, but I don’t know what to make of it.
Look at metadata:
$ exiftool itsinif.8f2056d643d8.jpg
ExifTool Version Number : 10.80
File Name : itsinif.8f2056d643d8.jpg
Directory : .
File Size : 18 kB
File Modification Date/Time : 2018:04:15 03:58:32+02:00
File Access Date/Time : 2018:04:24 21:09:18+02:00
File Inode Change Date/Time : 2018:04:24 21:09:18+02:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
X Resolution : 100
Y Resolution : 100
Exif Byte Order : Big-endian (Motorola, MM)
Image Description : NO CODE EXECUTION ALLOWED HERE
Make : PACTF
Resolution Unit : inches
Y Cb Cr Positioning : Centered
GPS Latitude Ref : North
GPS Longitude Ref : West
XMP Toolkit : Image::ExifTool 10.40
Stitching Software : big_brother_is_looking_at_your_photos
Image Width : 198
Image Height : 199
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
GPS Latitude : 42 deg 38' 51.63" N
GPS Longitude : 71 deg 7' 51.82" W
GPS Position : 42 deg 38' 51.63" N, 71 deg 7' 51.82" W
Image Size : 198x199
Megapixels : 0.039
35 - The Signal and the Noise - Misc
We can check if there are other chars than letters and spaces:
$ grep -i "[^a-z ]" haystack.ef77fe451087.txt > output
$ hte output
We can see there are some unicode spaces and invisible chars inside some words.
I wrote a quick ruby script to extract those words:
data = ''
File . open ( 'haystack.ef77fe451087.txt' , 'r:UTF-8' ) do | f |
data = f.read()
end
puts data.scan( /( [a-z] +) [^[:ascii:] ]( [a-z] +)/ ).join
Run the script:
$ ruby noise.rb
theflagisinplainsight
Just submit the flag is in plain sight
.
45 - Truly Blue? - Stegano
I love lots of things about my school, Phillips Academy Andover. But most of all, I love its school color: a soothing shade of blue. I couldn’t just tell you the hex code for the color; that wouldn’t be enough! I think a 128 x 128 PNG file is probably a better method of conveying its utter beauty. That’s not suspicious, right? Gaze upon its beauty! True blue!
I used StegoVeritas to make a stegano LSB in order to extract the data.
After that we can read the following text:
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut eleifend, metus accumsan accumsanpharetra, dui justo lobortis augue, non bibendum sapien lacus a nulla. Praesent non libero et magnaornare interdum. Vivamus et mi et justo tincidunt porttitor placerat in nisl. Nam mollis quam sitamet iaculis volutpat. Nulla posuere pulvinar est, ac consectetur ex rhoncus non. Vivamus efficitur,ex vel lobortis faucibus, massa neque iaculis libero, eu dictum orci odio ut ante. Phasellus luctusmagna vel euismod cursus. Donec et est rhoncus, lacinia metus in, sodales lectus. Sed posuere, nibhvitae egestas rutrum, nisl odio iaculis urna, et bibendum dolor augue tristique lacus. Ut nuncmetus, blandit a nisl vitae, pulvinar fringilla justo. The flag is "last bitsmatter". Congratulations! You cracked the code!
PS: there is an error in the chall or I did something wrong, the flag is last bits matter
and not last bitsmatter
.
60 - Wakanda problem is this? - Stegano
You’ve arrived at Wakanda’s border. Only the flag will allow you to enter. This is all you have.
Hint: Use the bytes in the second image.
Extract the trailing data of the image, it's a zip so decompress it. Then you find 2 images.
You clearly see that the second image is glitched.
Make an hexadecimal dump of each image in, order to be able to compare them:
$ xxd blackpanther1.jpg > black1.txt
$ xxd blackpanther2.jpg > black2.txt
$ diff black1.txt black2.txt
366,367c366,367
< 000016d0: d46d ab2b 42f9 3a3a bd5d 1854 50d3 416c .m.+B.::.].TP.Al
< 000016e0: 8ab5 ca7d 45d1 353e 9ceb ba9e 9fab 8daa ...}E.5>........
---
> 000016d0: 666c 6167 7b77 616b 616e 6461 3465 7661 flag{wakanda4eva
> 000016e0: 7db5 ca7d 45d1 353e 9ceb ba9e 9fab 8daa }..}E.5>........
Flag is wakanda4eva
.
45 - Zip Zap Zop - Misc
My friend gave me this file, but I have no idea what to do with it?
Hint: I tried to make this file really, really small.
Let's open the base64 zip in Firefox and save it:
data:application/zip;base64,eJyrmMN4nMHif8Ucxj0MziBqI4MfiFrGEAmiZjOkAKnVMw7fOBjwb38SX7Kus3CHVtIL1sCXPMYNV15Jtqvy5f4IrQ85dna/bvjDkPvOrZyB2enxsywSj7Wwt27X231bPzTf4tej2F+/A5b/exNW/K3od/rSUlV7ptPmYiJxIfvExe398+6lSWvPtj62+7vkUxXbvuk3X5SuehP18txKv5vB340N3my/vEO7+M6TCb9FTpdqS7ydlTt5jiQD6xy3r8aavvXx6wJ3HewIexrtH1OjtTNREAAud2V5
After trying to unzip it and failing it seems it's not a zip but some raw zlib:
$ unzip dfyxIN6e.zip
Archive: dfyxIN6e.zip
End-of-central-directory signature not found. Either this file is not
a zipfile, or it constitutes one disk of a multi-part archive. In the
latter case the central directory and zipfile comment will be found on
the last disk(s) of this archive.
unzip: cannot find zipfile directory in one of dfyxIN6e.zip or
dfyxIN6e.zip.zip, and cannot find dfyxIN6e.zip.ZIP, period.
$ file dfyxIN6e.zip
dfyxIN6e.zip: zlib compressed data
So I used zlib-flate
to uncomrpess it but I saw the output was still a zlib archive but smaller, so I begin to pipe them.
The archive is very small so no need to script that, a very dirty oneline command can do that:
$ zlib-flate -uncompress < 5FZrGWXN.zip | zlib-flate -uncompress | zlib-flate -uncompress | zlib-flate -uncompress | zlib-flate -uncompress | zlib-flate -uncompress | zlib-flate -uncompress | zlib-flate -uncompress | zlib-flate -uncompress | zlib-flate -uncompress | zlib-flate -uncompress | zlib-flate -uncompress | zlib-flate -uncompress | zlib-flate -uncompress
}qXflagqX!Gotza_Makes_1T_V_small_1340216081qs.
Flag is Gotza_Makes_1T_V_small_1340216081
80 - AI - Misc
Our artificial intelligence engineer made a groundbreaking discovery, but left the company unexpectedly… all we have is the obfuscated source.txt…
Execute JS brainfuck:
"Congrats! You've uncovered the truth. Now go here: ibarakaiev.shpp.me/pactf_s7fj43/ai.zip "
Decompress the zip, look at assets/js/script.js
.
// be careful when changing stupid to false or it can produce the key!!!
function launch_artificial_intelligence(stupid)
Let's do that:
launch_artificial_intelligence(false);
So we obtain this:
Hi. I exploited weaknesses of Facebook to access everybody's information... Actually I just asked Mark and he sold it. Oh well.
Turned out the most discussed topic was...
CATS
But that's not the key. The key is now stored securely in ("http://ibarakaiev.shpp.me/pactf_s7fj43/key_%d.txt", get_key_number(6, [16, 23, 16, 15, 42, 8])).
The get_key_number
is not written but it's pretty easy to understand:
// this function returns the number needed to access key_%d.txt
function get_key_number(n, arr) {
// TODO: implement solution to the following problem
/**
* You are given a sequence _s_ consisting of _N_ integers. You can divide it to
* two sequences _p_ and _q_ such that every element of your sequence belongs exactly
* to one of these sequences.
*
* Let _B_ be the sum of elements belonging to _p_, and _C_ be the sum of elements
* belonging to _C_. Note: if some of the sequences is empty then its sum is 0).
* What is the maximum possible value of _B_ - _C_
*/
}
The bigest number we can get is by putting all numbers in sequence _p_
and none in sequence _q_
so 42+16+23+16+8+15 - 0 = 120
.
So we can request http://ibarakaiev.shpp.me/pactf_s7fj43/key_120.txt .
But you'll have to decrypt it first! The following text is displayed using byfes (it's like bytes but only 5 bits).
mrxwozAp
PACTFSCII is as follows (it's like ASCII but for PACTF). PACTF system only accepts ASCII characters, however.
0 - a
1 - b
2 - c
3 - d
4 - e
5 - f
6 - g
7 - h
8 - i
9 - j
10 - k
11 - l
12 - m
13 - n
14 - o
15 - p
16 - q
17 - r
18 - s
19 - t
20 - u
21 - v
22 - w
23 - x
24 - y
25 - z
26 - P
27 - A
28 - C
29 - T
30 - F
31 - \0
With the PACTFSCII table we get 12,17,23,22,14,25,27,15
from :mrxwozAp
Now let's convert decimal 12,17,23,22,14,25,27,15
into binary byfes : 01100,10001,10111,10110,01110,11001,11011,01111
.
Now convert 5 bits byfes into true 8 bits bytes : 0110010001101111011001110110011101101111
so converting it to ASCII gives doggo
.
75 - Library of Babel - Misc
Is this what passes through fiber optic cables? Must be…
Note : We did only the first part of this challenge, the second part was too much guessing for us.
Extract all frames from the video with imagemagick
:
$ convert video.f3db89aeb9f4.mp4 image.png
$ ls
image-0.png image-14.png image-19.png image-23.png image-28.png image-32.png image-37.png image-41.png image-46.png image-50.png image-55.png image-5.png image-64.png image-7.png
image-10.png image-15.png image-1.png image-24.png image-29.png image-33.png image-38.png image-42.png image-47.png image-51.png image-56.png image-60.png image-65.png image-8.png
image-11.png image-16.png image-20.png image-25.png image-2.png image-34.png image-39.png image-43.png image-48.png image-52.png image-57.png image-61.png image-66.png image-9.png
image-12.png image-17.png image-21.png image-26.png image-30.png image-35.png image-3.png image-44.png image-49.png image-53.png image-58.png image-62.png image-67.png video.f3db89aeb9f4.mp4
image-13.png image-18.png image-22.png image-27.png image-31.png image-36.png image-40.png image-45.png image-4.png image-54.png image-59.png image-63.png image-6.png
So I used zxing to decode all frames:
require 'zxing'
( 1 .. 67 ).each do | i |
puts ZXing .decode "files/image- #{ i } .png"
end
One of the image gives this output:
=== YOUR ANSWER IS HERE ===
"eqvzb" w-3, s-5, v-25, p-248
22syz7u9dogitfxlezobhobeuno6pnec20n6bqfg22cqihe41hbbi8aut4t618oj4wee4to32mdfmmsykl76r002hfbsurum4rr6tprxi4yinrzlqee17y5sfw11k5ybxsie6icu2x6fxvbq2wskzjtmng31ejzfikwj9ql0nxutriwr6p6vqzpdl1thkgt0o4is7znam
9xub632v5mi39t8oae98kv5faatt11zitxmuka8qdrhbyw02i89fx9desufb6giwvgsvgrd18925zrgrqai31l92i6qplb9embayx8gmhqczl4gi9mb112plzs78w38hhbqmximi718hte6tw6b2m42xfwh3nnby2jemn0sz80hevqccfpyqd674swckdyaaptdp482x25uanhh5q8r0xqtokgwb8lbn41vl4mhhfvoeippvnl1t3ojshstgwumk48q8l3m937sou6b1838u7pie8da6gh8d8q5e09vazbdpsbtwyu35we0vu1r9cxfs
aeisivqa01nrols0xculnijghh4goztt2ymrt2h54hfbg8o5w03ai9ghobywjxxd8erazpyjisdnrehi3xvh6yz6gnynrsgbzek9uv2poyrdld0quk3cxj1cf8z2a4jbzucqcivwvkoh9uaecnlgqpzwy6bmraynt9rl7mbpob449swf3nf3010o0uvweo0ty0jqshf4xzvxtmuhq5uutoyijqrra4lehasyeokf0wrdhcysxj8xyt8uc6uywmya3i8ipx9g2dha1lax1l3vzorv99qkqugxixa17pi1xua3o7z5qehlvctz6cdgef2z
wleaaeyvlqn0m3hdczmgw26irn6bi0oy03k0it3hmekyxrrbmr73kokpitl1lpndke593dw5kdmp0ahjpcd191asr9ametpiks1a1rwnool8raisalbvwu0k04mjywmdwmcpn7m5nsrw505tgfv9k2708uc6syeur2f9zgqp9z35c6eu55bh4leal9ow95dpy77dtu6wu9cybq58bhdkthl0m85ekoeh8xvckpa7l6uz5vgyl0nbt3ole1hc4l4wtplgddtkulbds7egyp8nk2tf26t6kg7lunqwxm83b8m6mynhjdfxgnns8l3j2v2n
ku5z1auibmmc2x83013aqvor4teasklqkywhxdjjxrz2jbwwkqu6jed9gn83mxsg5ppzz9w0kschteeukmoic28wqq1pldsjlzmfptu3aod17o7gbeteenilm4pplg6yr0m0he7odgmq9pb17v9bekfllcbu8djj5e3e0uklethkcrmqr7q35avf1xpsvy5fod6ub2ra1awtoqbo26u2ydmkbotp4wuuwx3201so0gfhjs37bss3410780rqbke58loyad0xlldz4eunjezj769hm9jn1f6ne1lmrokw4l36v6w2tyf8z5f2mp2vqbht
kspnfeukopw3q3mnpk4gxsekj3wv2gl85yhu37og2qhu027fz1c4xq3jvc2q8szqi2b3rwdykfq50ii8nct0rh8apgpdin6w674khok0551tr6v1wrevoje3v823263in5atvkwn9gbcfjr3yy64ncyuo5q48rghc73uiak27e3od8ipzs2k2ojxl6a1exvdcyv3y2fu3j0wmnqbdxcwrvysyz43a1lhzm6t4mzkeciqg4j81w3q9i7vch81nc6c663r20iwek4cd3dk2qyizivbk3yfcrcsyy17p30jmwp2u1ogjpbw6ckjrzd5z8qa
b61vjq98hwhiua5qb8kvkp1datpqoxxh286k3mu6uhauv95nhajs5sf3j3f7xyvgz0d2omk4ro1umbqzjs5i4lyhns35sqm1u6sycfkeu2po70dgsoy5abl7csfvwjovz05pp338pnkx7dfvz952utwpiyxx261rolsm1eqc8mvmhw3e2o6adxdwdnjn1vxorfgm65rx20ztnc80nwmfcgbql87bz805xvb4lfq3lsnguvw4a13jqroa6xjhvnnb514qp9jgeytmduc95t5eqbuu3yqtps6bhn0nhsr2qmbtrjf609yx2n5a8k8hns6g
ox0tjq26wtn9arjsrige2is9e6v56fa62x3nynnnsbri6gbf3e2pituvua6i9z6kc4brf9f671e2zoa6t9f1ix1akwl5jp51tcadyswwot7g7125hct72h5hnctytcen6gc0qcsgl31xpb5bs5qw59v9wzu7eba6sr3trwstiioj7og6y2h69x3vy502ei1gnjchmfhl65jd02mhdinzzv55rl2w8u1uxoiofzt89lbqre1pq8kwyo28cg6296llkfpmlaak16httutriqn9bitfrh2p1vr6htuzjxiif4ss5m601kris67x04ni7g5e
b6dpdiqmwb6yx0mtaj8pccww27bom5lwnxpuow6kg7e7wag7w0pfp50349pm9qdr550a9wc0dbfr2v3ezmrvbdwjvu7tu59i8odas8i29rmimjj7h3ga5ox0d50n1vwaq06c5o5pm2emokprk3xi7x25af8nayygnwvynl3863vxo6w0qke1yywr2fk42xcecymirqzfxhl967hbw89v44pschg8bw0cod5fx0s7cmi3vihlelu0b0pmselqozqz2g23285gec4zqfq86b7ut3aqr8ofi1m1f2u193fxixirtco0hhstcla8rkhgcl04
tza5upm81efq4ymwewuzvru6qsavg1w50n0joic98sejzdo3kieunrzxm9wku7i4011z21mgfydsc4h4vfhjf73tnv3obko3irds88mwyu5yr77qy1urkvnoet03nv6oso9s7gyn0fz0t9600niaa46cf9wmp7yaj84r8s1tp35im
=== YOUR ANSWER IS HERE ===