20170624_TMCTF

 

TMCTF had many Windows-based and network challenges, so I learned about Windows reversing methods in this CTF. I solved 4 challenges; the writeups are below.

 

Reverse 100

 

At first, I am given a zip file. Using the file command, I realize that this file is actually a rar file, so I change the extension of the file to .rar and extract it.

After extraction, 2 files are given: biscuit1 and biscuit2. biscuit1 is a PE32 file and biscuit2 is a password-protected zip file.

$ file biscuit*
biscuit1:     PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
biscuit2:     Zip archive data, at least v2.0 to extract

 

First I execute biscuit1.exe; the output is below. I guess that the password of biscuit2.zip is inside biscuit1.exe.

>biscuit1.exe
Please find sweets name starting from m for biscuit2.

 

Let’s look at this in IDA Pro.

 

 

I see that if I set a breakpoint near the leave instruction, I can read the password in x64dbg.

 

I got the password. Then I extract 3 files and run the file command on each of them.

$ file biscuit*
biscuit3:     JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, comment: "Optimized by JPEGmini 3.13.3.15 0x411b5876", baseline, precision 8, 150x150, frames 3
biscuit4:     ASCII text, with CRLF line terminators
biscuit5:     PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows

 

First, biscuit3 is a JPG, but some odd data (a zip file) is appended at the end of it. After extracting it, there is 1 text file, “cream”.

 

biscuit4 is a text file containing “Flag = TMCTF{biscuit3_ biscuit5}”.

 

biscuit5 is a PE file too, so I analyze it the same way as biscuit1 and get the string, which finally gives the flag.

(TMCTF{biscuit3_ biscuit5} is wrong; TMCTF{biscuit5_biscuit3} is correct. I spent some time realizing that :-()

 


Analysis-Offensive 100

 

I’m given a file named Forensic_Encyption, which is a zip file. After extracting it, there are 3 files.

file1 is a jpg, file2 is a password-protected zip file, and file3 is a pcap file. First, I survey file1; there is an odd string in it, as below.

 

 

Base64-decoding this string and using the result as the password for file2, I can extract key.txt. key.txt looks like an ESP encryption/authentication key file.

$ echo "VHVyaW5nX01hY2hpbmVfYXV0b21hdG9u" | base64 -d
Turing_Machine_automaton
 
$ cat key.txt
src 192.168.30.211 dst 192.168.30.251
        proto esp spi 0xc300fae7 reqid 1 mode transport
        replay-window 32
        auth hmac(sha1) 0x2f279b853294aad4547d5773e5108de7717f5284
        enc cbc(aes) 0x9d1d2cfa9fa8be81f3e735090c7bd272
        sel src 192.168.30.211/32 dst 192.168.30.251/32
src 192.168.30.251 dst 192.168.30.211
        proto esp spi 0xce66f4fa reqid 1 mode transport
        replay-window 32
        auth hmac(sha1) 0x3bf9c1a31f707731a762ea45a85e21a2192797a3
        enc cbc(aes) 0x886f7e33d21c79ea5bac61e3e17c0422
        sel src 192.168.30.251/32 dst 192.168.30.211/32

 

So I enter this information into Wireshark’s ESP settings and open file3, as below.
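To avoid retyping the keys into Wireshark by hand, here is an added example (not from the original post) that parses the key.txt above and emits one line per security association in Wireshark's esp_sa UAT format. The UAT field layout and the algorithm labels are assumptions to check against your Wireshark version; the addresses, SPIs and keys are the page's own values.

```python
import re

# Excerpt of key.txt as shown above (the page's own values); the replay-window
# and sel lines are left out because the parser ignores them anyway.
KEY_TXT = """\
src 192.168.30.211 dst 192.168.30.251
        proto esp spi 0xc300fae7 reqid 1 mode transport
        auth hmac(sha1) 0x2f279b853294aad4547d5773e5108de7717f5284
        enc cbc(aes) 0x9d1d2cfa9fa8be81f3e735090c7bd272
src 192.168.30.251 dst 192.168.30.211
        proto esp spi 0xce66f4fa reqid 1 mode transport
        auth hmac(sha1) 0x3bf9c1a31f707731a762ea45a85e21a2192797a3
        enc cbc(aes) 0x886f7e33d21c79ea5bac61e3e17c0422
"""

# Assumed mapping from ip-xfrm algorithm names to the labels in Wireshark's
# ESP SA preferences; check them against your Wireshark version's drop-downs.
ALG_LABELS = {"cbc(aes)": "AES-CBC [RFC3602]",
              "hmac(sha1)": "HMAC-SHA-1-96 [RFC2404]"}

def parse_xfrm_state(text):
    """Split `ip xfrm state`-style text into one dict per security association."""
    sas = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"src (\S+) dst (\S+)$", line)
        if m:                                   # a new SA starts here
            sas.append({"src": m.group(1), "dst": m.group(2)})
            continue
        m = re.match(r"proto esp spi (0x[0-9a-f]+)", line)
        if m:
            sas[-1]["spi"] = m.group(1)
        m = re.match(r"(auth|enc) (\S+) (0x[0-9a-f]+)$", line)
        if m:
            kind, alg, key = m.groups()
            sas[-1][kind] = (alg, key)
    return sas

def key_lengths(sa):
    """Byte lengths of (enc, auth) keys: AES-128 needs 16, HMAC-SHA1 here uses 20."""
    return (len(sa["enc"][1]) - 2) // 2, (len(sa["auth"][1]) - 2) // 2

def to_wireshark_esp_sa(sa):
    """One assumed esp_sa UAT line: protocol, src, dst, spi, enc alg/key, auth alg/key."""
    enc_alg, enc_key = sa["enc"]
    auth_alg, auth_key = sa["auth"]
    fields = ["IPv4", sa["src"], sa["dst"], sa["spi"],
              ALG_LABELS[enc_alg], enc_key, ALG_LABELS[auth_alg], auth_key]
    return ",".join('"%s"' % f for f in fields)
```

Run `for sa in parse_xfrm_state(KEY_TXT): print(to_wireshark_esp_sa(sa))` and paste the two lines into the ESP SA table, keeping the direction of each SA.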

 

Then the ESP packets are decrypted, and I can find the information below.

 

After some investigation, I find that this information is related to the Enigma cipher, so I decode it using the site below.

https://people.physik.hu-berlin.de/~palloks/js/enigma/enigma-m4_v16_en.html

 

 

 


 

misc100

I get 1 pcap file, but the header of the file is wrong, so I change the first 4 bytes of the header from A1B2C3D4 to D4C3B2A1.

After doing so, I can open it in Wireshark. First I find some SSL/FTP packets. In the FTP traffic, an SSL pre-master secret log file is transferred, so I save this file and decrypt the SSL traffic in the following way.

In the Wireshark configuration menu Edit -> Preferences -> Protocols -> SSL,
    1. In the “Pre-Shared-Key” field, enter Kpsa, i.e. 1a2b3c4d5e6f7a8b
    2. In the (Pre)-Master-Secret log filename field, enter the name of a text file which includes the Client Random (32 bytes as 64 hex characters) and the Master Secret (48 bytes as 96 hex characters) as a text line as follows:
             CLIENT_RANDOM <space> 64-characters-random <space> 96-characters-Master-Secret
 
After decryption, I find some html/jpg/css files. When I open the html, I can see the page below.

 

In this page’s source, there is an odd string “<samp>HINT: visual cryptgraphy</samp>”. I realize that I need to decode the flag by using visual cryptography on the 2 pictures, which look like mosaics.

Finally I got the flag. (To extract the base64-encoded images, I used this site: http://ift.tt/2t9HzQj)
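The 2-of-2 visual cryptography scheme the hint points at, as an added example that is not part of the original post: each secret pixel is expanded into a 2x2 block of subpixels in two shares (which is why the shares look like mosaics), a single share on its own is uniformly random, and stacking the two shares reveals the secret. The 5x5 secret bitmap is constructed for the demo.

```python
import random

# 2-of-2 visual cryptography: every secret pixel becomes a 2x2 block of
# subpixels in each share. A white pixel gets the SAME random 2-black pattern
# in both shares; a black pixel gets COMPLEMENTARY patterns, so stacking the
# transparencies (OR) leaves a white block half black and a black block fully black.
PATTERNS = [(1, 1, 0, 0), (0, 0, 1, 1), (1, 0, 1, 0),
            (0, 1, 0, 1), (1, 0, 0, 1), (0, 1, 1, 0)]

# Constructed 5x5 secret bitmap (1 = black): the letter "T".
SECRET = [[1, 1, 1, 1, 1],
          [0, 0, 1, 0, 0],
          [0, 0, 1, 0, 0],
          [0, 0, 1, 0, 0],
          [0, 0, 1, 0, 0]]

def make_shares(secret, seed=None):
    """Return (share1, share2); each is 2h x 2w of 0/1 subpixels."""
    rng = random.Random(seed)
    h, w = len(secret), len(secret[0])
    s1 = [[0] * (2 * w) for _ in range(2 * h)]
    s2 = [[0] * (2 * w) for _ in range(2 * h)]
    for y in range(h):
        for x in range(w):
            p = rng.choice(PATTERNS)
            q = p if secret[y][x] == 0 else tuple(1 - b for b in p)
            for i in range(4):
                r, c = 2 * y + i // 2, 2 * x + i % 2
                s1[r][c], s2[r][c] = p[i], q[i]
    return s1, s2

def overlay(s1, s2):
    """Stack two shares: a subpixel is black if it is black in either share."""
    return [[a | b for a, b in zip(r1, r2)] for r1, r2 in zip(s1, s2)]

def block_counts(img):
    """Number of black subpixels in each 2x2 block, as a 2D list."""
    return [[sum(img[2*y+i][2*x+j] for i in range(2) for j in range(2))
             for x in range(len(img[0]) // 2)] for y in range(len(img) // 2)]

def recover(stacked):
    """Undo the expansion: 4 black subpixels = black pixel, 2 = white pixel."""
    return [[1 if n == 4 else 0 for n in row] for row in block_counts(stacked)]

def leaks_nothing(share):
    """Every block of a single share has exactly 2 black subpixels, whatever
    the secret pixel was, so one share alone reveals no information."""
    return all(n == 2 for row in block_counts(share) for n in row)
```

With real shares, the same OR rule applies per pixel: a pixel of the stacked image is dark if it is dark in either input image, which is exactly what overlaying two transparencies (or two layers in GIMP) does.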


Reverse 200

 

I am given an odd text file. After some investigation (by googling “ASK/Manchester Clock 64”), I realize that this is the output of an RFID tag’s bit stream.

How can I get the tag number? According to this site http://ift.tt/2t9Qcuq, the output bitstream is the tag information repeated, separated by “111111111”, so I extract the tag information (the part in green letters below) and calculate it.

Using Clock:64, Invert:0, Bits Found:625
ASK/Manchester - Clock: 64 - Decoded bitstream:
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101
1110111110111000
1010011110111010
1100111111111111
1011101111011101

 

The script below is the calculation method.

rows = [0b11110, 0b11101, 0b11101, 0b11011, 0b11011, 0b11101, 0b11000, 0b10100, 0b11110, 0b11101]  # 5-bit rows: 4 data bits + 1 parity bit
for r in rows:
    print(hex(r >> 1))  # drop the parity bit and print the 4 data bits as hex
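The script above only drops the parity bit of each 5-bit row that was picked out by hand. Below is an added example (not from the original post) that decodes the same bitstream the general way an EM410x-style reader does: locate the 9-bit header, check the row and column parity bits, and assemble the 40-bit ID. The frame layout (10 rows of 4 data bits plus even parity, 4 column-parity bits, a 0 stop bit) is assumed from the public EM410x format; the bit values are the page's own.

```python
# The decoded bitstream shown above, one 64-bit frame of an EM410x-style tag.
# The tag loops its frame, so two copies are joined to mimic a longer capture.
FRAME = ("1110111110111000" "1010011110111010"
         "1100111111111111" "1011101111011101")
BITSTREAM = FRAME * 2

HEADER = "1" * 9   # the "111111111" separator the text refers to

def parse_frame(bits, start):
    """Parse the 55 bits after a header at `start`: 10 rows of 4 data bits + 1
    even row-parity bit, then 4 column-parity bits and a 0 stop bit.
    Returns the 10-hex-digit ID, or None if any parity check fails."""
    body = bits[start + 9:start + 64]
    if len(body) < 55:
        return None
    nibbles = []
    for row in range(10):
        data, parity = body[row * 5:row * 5 + 4], body[row * 5 + 4]
        if data.count("1") % 2 != int(parity):      # row parity mismatch
            return None
        nibbles.append(data)
    col_parity, stop = body[50:54], body[54]
    for c in range(4):
        if sum(int(n[c]) for n in nibbles) % 2 != int(col_parity[c]):
            return None                              # column parity mismatch
    if stop != "0":
        return None
    return "".join("%X" % int(n, 2) for n in nibbles)

def decode_em410x(bits):
    """Scan for a header preceded by the previous frame's 0 stop bit (so we do
    not start inside a longer run of ones) and return the first valid ID."""
    for start in range(len(bits) - 63):
        if bits[start:start + 9] != HEADER:
            continue
        if start > 0 and bits[start - 1] == "1":
            continue
        tag_id = parse_frame(bits, start)
        if tag_id is not None:
            return tag_id
    return None

def split_id(tag_id):
    """EM410x IDs are 40 bits: an 8-bit version/customer byte then a 32-bit UID."""
    return tag_id[:2], tag_id[2:]
```

The parity checks matter on real captures: a single demodulation error in a row is rejected instead of silently producing a wrong ID, and the scan simply moves on to the next repetition of the frame.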

 

12 thoughts on “20170624_TMCTF”

      1. Thanks.
        Can you also upload file_3 of analysis-offensive(100)? I always get a crc32 error. I don’t know why.

    1. Sorry I didn’t explain about this. Forensic_Encyption is recognized as a PE32 file by the file command, because the first 2 bytes of this file are “MZ (4D 5A)”. So you need to fix this file by replacing MZ (4D 5A) -> PK (50 4B).
      After doing so, you can extract the file :-).

      1. I know this trick and I changed the first 2 bytes, and I even tried to fix the crc32.
        It is still broken.
        I really don’t know why.

  1. When I extract Forensic_Encyption of Analysis-Offensive 100, I just get file_1 and file_2; my file_3 has been broken.

    1. Sorry I didn’t explain about this. Forensic_Encyption is recognized as a PE32 file by the file command, because the first 2 bytes of this file are “MZ (4D 5A)”. So you need to fix this file by replacing MZ (4D 5A) -> PK (50 4B).
      After doing so, you can extract the file :-).

  2. Dear nacayoshi00,

    Thanks for your great writeup. In misc100 I tried to extract the full html2 page from Wireshark but I couldn’t, so I extracted each object one by one and I just found one encoded image. The other one was not in the capture file. My question is how you got the full html page with the two pictures.

    Best Regards,
    Ahmed Khlief

    1. Thanks for the comment :-). You have already extracted 2 html / 1 css / 2 images from the pcap file, right?
      To get the 2 encoded images, you need to check the css file; you can see the code below in it.

      —(snip)—
      .sp-0 {
          width: 440px;
          height: 53px;
          background-position: 0 0;
      }

      .sp-1 {
          width: 440px;
          height: 53px;
          background-position: 0 -53px;
      }
      —(snip)—

      And the encoded image’s size is 440 x 106 pixels, so you need to split this image into the first 440 x 53 and the next 440 x 53.
      I split and combined both images by using GIMP 🙂 (take care not to collapse the PNG alpha data.)
