20170624_TMCTF
TMCTF had many Windows-based challenges and network challenges, so I learned about Windows reversing methods in this CTF. I solved 4 challenges; the writeups are below.
Reverse 100
At first I get a zip file. Using the file command, I realize that this file is actually a RAR file, so I change the extension of the file to .rar and extract it.
After extraction, 2 files are given: biscuit1 and biscuit2. biscuit1 is a PE32 file and biscuit2 is a password-locked zip file.
First I execute biscuit1.exe; the output is below. I think the password of biscuit2.zip is in biscuit1.exe.
Let's see this in IDA Pro.
I see that if I set a breakpoint near the leave instruction, I can read the password in x64dbg.
I got the password. Then I extract 3 files and run the file command on each of them.
First, biscuit3 is a JPG, but some odd data (a zip file) is appended at the end. After extraction, there is 1 text file, “cream”.
biscuit4 is a txt file: “Flag = TMCTF{biscuit3_ biscuit5}”
biscuit5 is a PE file too, so I analyze it the same way as biscuit1 and get the string, and finally get the flag.
(TMCTF{biscuit3_ biscuit5} is wrong; TMCTF{biscuit5_biscuit3} is correct. I spent some time realizing that :-()
Analysis-Offensive 100
I'm given the Forensic_Encyption file, which is a zip file. I extract it and there are 3 files.
file1 is a jpg, file2 is a password-locked zip file, and file3 is a pcap file. At first I survey file1; there is an odd string in it, as below.
Base64-decoding this string and entering it as the password for file2, I can extract key.txt. key.txt seems to be the ESP encryption/authentication key.
So I put this information into file3 in Wireshark as below.
Then the ESP packets are decrypted, and I can find the information below.
After some investigation, I find that this information is related to the Enigma cipher, so I decode it using the site below.
https://people.physik.hu-berlin.de/~palloks/js/enigma/enigma-m4_v16_en.html
misc100
I get 1 pcap file, but the header of the file is wrong, so I change the first 4 bytes of the header from A1B2C3D4 to D4C3B2A1.
After that I can open it in Wireshark. First I find some SSL/FTP packets. In the FTP traffic, an SSL pre-master secret log is sent, so I save this file and decrypt the SSL traffic as shown below.
In this page's source there is an odd string, ” <samp>HINT: visual cryptgraphy</samp>”. I realize that I need to decode the flag using visual cryptography; 2 pictures look like mosaics.
Finally I got the flag. (To extract the base64-encoded image, I used this site: http://ift.tt/2t9HzQj)
Reverse 200
I get an odd text file. After some investigation (by googling “ASK/Manchester Clock 64”), I realize that this is the output of an RFID tag's bit stream.
How can I get the tag number? According to this site http://ift.tt/2t9Qcuq, the output bitstream is the tag information repeated, separated by “111111111”, so I extract the tag information (the part in green letters below) and calculate it.
The script below is the calculation method.
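As an added example (not the writeup's own script), here is a decoder for a repeated bitstream of this shape. It assumes the common EM410x 64-bit layout (the nine-one sync header the writeup mentions, ten rows of four data bits plus even row parity, four column parity bits and a 0 stop bit); the sample stream is constructed, not taken from the challenge file.

```python
# Added example (not from the writeup): decoding a repeated 64-bit EM410x-style
# bitstream of the kind ASK/Manchester demodulators print.
HEADER = "1" * 9    # sync pattern that separates the repeated frames
FRAME_BITS = 64     # 9 header + 10 rows * 5 bits + 4 column parity + 1 stop


def parity(bits: str) -> int:
    """Even parity bit for a string of '0'/'1'."""
    return bits.count("1") % 2


def encode_em410x(tag_id: str) -> str:
    """Build one 64-bit frame from a 10-hex-digit ID (used to construct the sample)."""
    assert len(tag_id) == 10
    rows = [format(int(h, 16), "04b") for h in tag_id]
    body = "".join(r + str(parity(r)) for r in rows)
    col_par = "".join(str(parity("".join(r[c] for r in rows))) for c in range(4))
    return HEADER + body + col_par + "0"


def decode_frame(frame: str):
    """Validate one 64-bit frame; return the ID as hex, or None on any parity/stop error."""
    if len(frame) != FRAME_BITS or not frame.startswith(HEADER) or frame[-1] != "0":
        return None
    rows = [frame[9 + 5 * i: 9 + 5 * i + 5] for i in range(10)]
    if any(parity(r[:4]) != int(r[4]) for r in rows):
        return None  # row parity mismatch
    nibbles = [r[:4] for r in rows]
    col_par = frame[59:63]
    if any(parity("".join(n[c] for n in nibbles)) != int(col_par[c]) for c in range(4)):
        return None  # column parity mismatch
    return "".join(format(int(n, 2), "X") for n in nibbles)


def decode_stream(bits: str):
    """Scan a demodulated stream captured at any phase for a frame that validates."""
    start = 0
    while (pos := bits.find(HEADER, start)) != -1 and pos + FRAME_BITS <= len(bits):
        tag = decode_frame(bits[pos:pos + FRAME_BITS])
        if tag is not None:
            return tag
        start = pos + 1
    return None


# Constructed sample: three repeats of one frame, "captured" starting mid-frame.
SAMPLE_STREAM = (encode_em410x("123456789A") * 3)[23:]

if __name__ == "__main__":
    print(decode_stream(SAMPLE_STREAM))  # 123456789A
```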
Is biscuit5 “choux”?
When I uncompressed the zip file of analysis-offensive, I got a wrong CRC32 for file3.
Yes, what you say is correct. I uploaded the biscuit3/biscuit5 files and a debug snapshot of biscuit5 to the URL below.
https://github.com/nacayoshi00/CTF-writeup/tree/master/20170624_TMCTF/rev100
Thanks.
Can you also upload file_3 of analysis-offensive(100)? I always get a CRC32 error. I don't know why.
Sorry, I didn't explain this. Forensic_Encyption is recognized as a PE32 file by the file command, because the first 2 bytes of this file are “MZ (4D 5A)”. So you need to fix this file by replacing MZ (4D 5A) -> PK (50 4B).
After doing so, you can extract the file :-).
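The two header repairs in this writeup (the pcap magic swap in misc100 and the MZ -> PK fix for Forensic_Encyption in this reply) can be checked rather than patched blindly. As an added example (not the author's code), the script below decodes the pcap global header in both byte orders and only rewrites the magic to the order in which the fields make sense, and restores "PK" only when the rest of the ZIP local-header signature (03 04) is still present; both input files are constructed in the script.

```python
# Added example (not from the writeup): repairing the two damaged headers the
# CTF used. Both sample inputs are constructed here, not the challenge files.
import struct

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # little-endian pcap (the value the author wrote in)
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"   # big-endian pcap
PCAP_MAGICS = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}


def pcap_header_sane(data: bytes, order: str) -> bool:
    """Decode the 24-byte global header with this byte order; check the fields are plausible."""
    if len(data) < 24:
        return False
    ver_major, ver_minor, _tz, _sig, snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    return ver_major == 2 and ver_minor == 4 and 0 < snaplen <= 0x40000 and linktype < 0x10000


def fix_pcap_magic(data: bytes) -> bytes:
    """Rewrite the magic so it matches the byte order in which the header fields decode."""
    magic = data[:4]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a classic pcap magic")
    if pcap_header_sane(data, PCAP_MAGICS[magic]):
        return data                                   # magic already matches the data
    other = PCAP_MAGIC_BE if magic == PCAP_MAGIC_LE else PCAP_MAGIC_LE
    if pcap_header_sane(data, PCAP_MAGICS[other]):
        return other + data[4:]
    raise ValueError("header fields make no sense in either byte order")


def fix_zip_magic(data: bytes) -> bytes:
    """Restore 'PK' in a ZIP local file header whose first two bytes were replaced by 'MZ'."""
    if data[:4] == b"PK\x03\x04":
        return data
    if data[:2] == b"MZ" and data[2:4] == b"\x03\x04":  # rest of the ZIP signature survives
        return b"PK" + data[2:]
    raise ValueError("first bytes are neither a ZIP nor a patched-ZIP signature")


# Constructed samples: a little-endian header (v2.4, snaplen 65535, linktype 1 = Ethernet)
# stamped with the big-endian magic, and a ZIP local header whose PK was overwritten with MZ.
BAD_PCAP = PCAP_MAGIC_BE + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
BAD_ZIP = b"MZ\x03\x04\x14\x00\x00\x00\x08\x00"

if __name__ == "__main__":
    print(fix_pcap_magic(BAD_PCAP)[:4].hex(), fix_zip_magic(BAD_ZIP)[:4])
```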
I know this trick and I changed the first 2 bytes, and I even tried to fix the CRC32,
but it is still broken.
I really don't know why.
I don't know why your file can't be extracted. I uploaded the original file to GitHub. You can try with it 🙂
https://github.com/nacayoshi00/CTF-writeup/tree/master/20170624_TMCTF/attack-offensive100
When I extract Forensic_Encyption of Analysis-Offensive 100, I only get file_1 and file_2; my file_3 is broken.
Sorry, I didn't explain this. Forensic_Encyption is recognized as a PE32 file by the file command, because the first 2 bytes of this file are “MZ (4D 5A)”. So you need to fix this file by replacing MZ (4D 5A) -> PK (50 4B).
After doing so, you can extract the file :-).
Thank you
Dear nacayoshi00,
thanks for your great writeup. In misc100 I tried to extract the full html2 page from Wireshark but I couldn't, so I extracted each object one by one and I just found one encoded image. The other one was not in the capture file. My question is how you got the full html page with the two pictures.
Best Regards,
Ahmed Khlief
And what tool did you use to combine them to get the decoded image?
Thanks for the comment :-). You have already extracted 2 html / 1 css / 2 images from the pcap file, right?
To get the 2 encoded images, you need to check the css file; you can see the code below in it.
—(snip)—
.sp-0 {
width: 440px;
height: 53px;
background-position: 0 0;
}
.sp-1 {
width: 440px;
height: 53px;
background-position: 0 -53px;
}
—(snip)—
And the encoded image's size is 440 x 106 pixels, so you need to split this image into the first 440 x 53 and the next 440 x 53.
I split and combined both images using GIMP 🙂 (take care not to collapse the PNG alpha data.)