ANDOVER, MA— Phillips Academy Capture the Flag releases an institution-wide memorandum on the security of PDF documents. For privacy, parts of the memo are redacted.
180 Main Street, Andover MA 01810 contact@pactf.com pactf.com
MARCH 1ST, 2013
MEMORANDUM ON THE SECURITY OF PDF DOCUMENTS AND REDACTION
Over the past several years, there have been several instances in which a journalist, government officer, or corporate executive has released an otherwise-secret document with redactions. Unfortunately, these amateur redactors often do a poor job hiding the data they mean to redact, and leave themselves vulnerable to even the most trivial exploits.
Indeed, few issues pose as real and present a threat as poorly redacted PDF documents. If you wish to release a PDF document, be sure to release only an image of the file—that way, you won’t be vulnerable to leaks.
The flag is `b3_car3ful_0r_y0ur_l3ak_m1ght_l3ak`.
AN OFFICIAL MEMORANDUM OF PACTF 2018
I was talking on IRC with a guy who tricked me into giving him a hash of my password and then said he could hack me! He said I might be “pwned”! I know the hashing algorithm is MD5; that’s still secure, right?
… Oh, you want to know whether my password is secure or not?
It doesn’t have any uppercase letters or numbers or punctuation, but isn’t six characters still a lot? what he meant by that one. Would you be able to hack my password? Here’s the hash:
I love lots of things about my school, Phillips Academy Andover. But most of all, I love its school color: a soothing shade of blue. I couldn’t just tell you the hex code for the color; that wouldn’t be enough! I think a 128 x 128 PNG file is probably a better method of conveying its utter beauty. That’s not suspicious, right? Gaze upon its beauty! True blue!
I used StegoVeritas to run an LSB steganography extraction on the image.
After that we can read the following text:

```
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut eleifend, metus accumsan accumsanpharetra, dui justo lobortis augue, non bibendum sapien lacus a nulla. Praesent non libero et magnaornare interdum. Vivamus et mi et justo tincidunt porttitor placerat in nisl. Nam mollis quam sitamet iaculis volutpat. Nulla posuere pulvinar est, ac consectetur ex rhoncus non. Vivamus efficitur,ex vel lobortis faucibus, massa neque iaculis libero, eu dictum orci odio ut ante. Phasellus luctusmagna vel euismod cursus. Donec et est rhoncus, lacinia metus in, sodales lectus. Sed posuere, nibhvitae egestas rutrum, nisl odio iaculis urna, et bibendum dolor augue tristique lacus. Ut nuncmetus, blandit a nisl vitae, pulvinar fringilla justo. The flag is "last bitsmatter". Congratulations! You cracked the code!
```
PS: either there is an error in the challenge or I did something wrong: the flag is `last bits matter`, not `last bitsmatter`.
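To show what "last bits matter" means in practice, here is an added example (not the author's code and not StegoVeritas itself) of LSB embedding and extraction over raw 8-bit channel values. The carrier is a constructed in-memory byte array standing in for the decoded pixel data of the 128 x 128 PNG; a NUL terminator marks the end of the hidden text.

```python
import random
from typing import Optional


def embed_lsb(carrier: bytes, message: bytes) -> bytes:
    """Write message bits (MSB first, NUL-terminated) into the least
    significant bit of successive carrier bytes; every other bit is untouched."""
    payload = message + b"\0"
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(carrier):
        raise ValueError("carrier too small for message")
    out = bytearray(carrier)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def extract_lsb(carrier: bytes, max_bytes: Optional[int] = None) -> bytes:
    """Collect the LSB of every carrier byte and regroup the bits into bytes;
    trailing bits that do not complete a byte are dropped."""
    bits = [b & 1 for b in carrier]
    n = len(bits) // 8
    if max_bytes is not None:
        n = min(n, max_bytes)
    return bytes(sum(bits[8 * i + j] << (7 - j) for j in range(8)) for i in range(n))


def extract_lsb_text(carrier: bytes) -> str:
    """Decode the LSB payload as ASCII text, stopping at the first NUL byte.
    Bytes after the terminator are just the carrier's own noise."""
    raw = extract_lsb(carrier)
    end = raw.find(b"\0")
    return (raw if end < 0 else raw[:end]).decode("ascii", errors="replace")


def make_carrier(n: int, seed: int = 1) -> bytes:
    """Constructed pseudo-random 'pixel' bytes (deterministic seed, not a real image)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))


if __name__ == "__main__":
    carrier = make_carrier(128 * 128 * 3)          # 128x128 RGB worth of channel bytes
    stego = embed_lsb(carrier, b"last bits matter")
    print(extract_lsb_text(stego))                  # the hidden text comes back intact
```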
After trying to unzip it and failing, it turns out that it's not a zip at all but raw zlib data:
```
$ unzip dfyxIN6e.zip
Archive:  dfyxIN6e.zip
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
unzip:  cannot find zipfile directory in one of dfyxIN6e.zip or
        dfyxIN6e.zip.zip, and cannot find dfyxIN6e.zip.ZIP, period.
$ file dfyxIN6e.zip
dfyxIN6e.zip: zlib compressed data
```
So I used zlib-flate to uncompress it, but the output was still a zlib stream, only smaller, so I started piping the decompressions into each other.
The archive is very small, so there is no need to script it; a very dirty one-line command does the job:
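For a deeper nesting where a manual pipe gets tedious, here is an added example (not the author's one-liner) that keeps inflating while the data still carries a zlib header and counts the layers removed. The sample input is constructed in memory with zlib.compress, standing in for dfyxIN6e.zip.

```python
import zlib


def looks_like_zlib(data: bytes) -> bool:
    """Cheap RFC 1950 header check: CM == 8 (deflate) and the CMF/FLG
    pair is a multiple of 31. This is what `file` keys on as well."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def inflate_until_plain(data: bytes, max_layers: int = 1000) -> tuple:
    """Repeatedly inflate while the data still looks like a zlib stream.
    Returns (final payload, number of layers removed). The layer cap guards
    against a decompression bomb that never bottoms out."""
    layers = 0
    while layers < max_layers and looks_like_zlib(data):
        try:
            data = zlib.decompress(data)
        except zlib.error:
            break  # header matched by chance; the bytes are not a real stream
        layers += 1
    return data, layers


def build_nested(payload: bytes, depth: int) -> bytes:
    """Constructed sample: wrap a payload in `depth` zlib layers."""
    for _ in range(depth):
        payload = zlib.compress(payload)
    return payload


if __name__ == "__main__":
    sample = build_nested(b"flag{constructed_sample_not_the_real_one}", 7)
    result, n = inflate_until_plain(sample)
    print(f"{n} layers removed -> {result!r}")
```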
```js
// be careful when changing stupid to false or it can produce the key!!!
function launch_artificial_intelligence(stupid)
```
Let's do that:

```js
launch_artificial_intelligence(false);
```
So we obtain this:

```
Hi. I exploited weaknesses of Facebook to access everybody's information...
Actually I just asked Mark and he sold it.
Oh well.
Turned out the most discussed topic was...
CATS
But that's not the key.
The key is now stored securely in ("http://ibarakaiev.shpp.me/pactf_s7fj43/key_%d.txt", get_key_number(6, [16, 23, 16, 15, 42, 8])).
```
get_key_number is not implemented, but the problem it has to solve is easy to understand:
```js
// this function returns the number needed to access key_%d.txt
function get_key_number(n, arr) {
  // TODO: implement solution to the following problem
  /**
   * You are given a sequence _s_ consisting of _N_ integers. You can divide it to
   * two sequences _p_ and _q_ such that every element of your sequence belongs exactly
   * to one of these sequences.
   *
   * Let _B_ be the sum of elements belonging to _p_, and _C_ be the sum of elements
   * belonging to _C_. Note: if some of the sequences is empty then its sum is 0).
   * What is the maximum possible value of _B_ - _C_
   */
}
```
The biggest number we can get is by putting all the numbers in sequence _p_ and none in sequence _q_, so 42+16+23+16+8+15 - 0 = 120.
But you'll have to decrypt it first! The following text is displayed using byfes (it's like bytes but only 5 bits).
mrxwozAp
PACTFSCII is as follows (it's like ASCII but for PACTF). PACTF system only accepts ASCII characters, however.

```
 0 - a    8 - i   16 - q   24 - y
 1 - b    9 - j   17 - r   25 - z
 2 - c   10 - k   18 - s   26 - P
 3 - d   11 - l   19 - t   27 - A
 4 - e   12 - m   20 - u   28 - C
 5 - f   13 - n   21 - v   29 - T
 6 - g   14 - o   22 - w   30 - F
 7 - h   15 - p   23 - x   31 - \0
```
With the PACTFSCII table, mrxwozAp becomes 12,17,23,22,14,25,27,15.
Now let's convert decimal 12,17,23,22,14,25,27,15 into binary byfes: 01100,10001,10111,10110,01110,11001,11011,01111.
Now convert the 5-bit byfes into true 8-bit bytes: 0110010001101111011001110110011101101111, which decodes as ASCII to doggo.
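The three steps above as a small decoder (an added example, not code from the writeup), with the inverse direction as well so the packing rule can be checked both ways. It assumes the 32-entry PACTFSCII table as printed, and drops leftover bits that do not fill a whole byte when the input length is not a multiple of 8 byfes.

```python
PACTFSCII = "abcdefghijklmnopqrstuvwxyzPACTF\0"   # index == 5-bit code, as in the table


def byfes_to_values(text: str) -> list:
    """Map each PACTFSCII character to its 5-bit code; reject anything outside the table."""
    values = []
    for ch in text:
        code = PACTFSCII.find(ch)
        if code < 0:
            raise ValueError(f"not a PACTFSCII character: {ch!r}")
        values.append(code)
    return values


def byfes_to_bytes(text: str) -> bytes:
    """Concatenate the 5-bit codes into one bit string and cut it into 8-bit bytes.
    8 byfes == 40 bits == 5 bytes exactly; otherwise trailing bits are padding."""
    bits = "".join(f"{v:05b}" for v in byfes_to_values(text))
    whole = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, whole, 8))


def decode_byfes(text: str) -> str:
    return byfes_to_bytes(text).decode("ascii")


def encode_byfes(data: bytes) -> str:
    """Inverse: bytes -> byfes, zero-padding the bit string (code 0 == 'a') to a multiple of 5."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(PACTFSCII[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


if __name__ == "__main__":
    print(byfes_to_values("mrxwozAp"))   # the decimal values from the table
    print(decode_byfes("mrxwozAp"))      # doggo
```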
```ruby
(1..67).each do |i|
  puts ZXing.decode "files/image-#{i}.png"
end
```
One of the images gives this output:
```
=== YOUR ANSWER IS HERE ===
"eqvzb" w-3, s-5, v-25, p-248
=== YOUR ANSWER IS HERE ===
```