1CAT CTF Write-ups (Մաս #1) — — Granny, MorisoCodvoram, Quack
Ահա, երկար սպասումից հետո հրապարակում ենք 1CAT CTF մրցույթի մասնակիցների կողմից գրված խնդիրների լուծումները։ Այս մասում Granny, MorisoCodvoram և Quack թասքերի լուծումներն են՝ գրված uxtankyun թիմի անդամների կողմից, ովքեր մրցույթում զբաղեցրին 2-րդ տեղը։
Մաս #2֊ը՝ շուտով․․․․․
# Team name: uxtankyun
1. First, we found routes /db /source /flag using DIRP tool.
3. We authenticated with username test and password 240610708 then accessed the /db route and got the admin username Super_Admin1337.
4. The next big insight was that instead of trying to figure out how to make a request to the server vrom 127.0.0.1 we needed to focus on the other side of the condition.
The trick was to pass superadmin value as an array, that way sqlite query would complete just fine however the condition would fail and authorize us.
5. There is no need to pass password check because it is possible to obtain authenticated user with first call to /grandma and save the admin user with second call.
6. Finally, we use /flag route to get the flag.
# Team name: uxtankyun
The problem stated
```https://files.2020.ctf.cyhub.am/static/—. -. — . . — — .. — — … — ```
So combining the url and the title of the problem it is pretty obvious that we are dealing with morse code here.
Decoding it was easy but a bit tricky.
We found a website that could decode it to “GNG123” which looked very promising.
Notice that dashes don’t use the regular ascii ‘-’ they use utf-8 character with key codes 8212 and 8211.
It was weird and threw us of the scent for a minute.
After trying a few different variations of the url we were about to give up on the problem and move on, when we noticed something very weird while working on another problem; the robots.txt file of another url (`https://ctf.cyhub.am/robots.txt`) contains `Disallow: / — . -. — . . — — .. — — … — ` this line. Looks very much like our code. The url in fact contained a picture of no one other than Morse himself.
The image was black and white and obviously edited in some way.
Finding the image was very good news and we thought that the worst was behind us.
We set out to try different steganography techniques on the image.
We were sure that `steghide` will reveal something using the code `GNG123` because why else would we be given a code like that?
Well we did not have much luck there and `steghide` did absolutely nothing.
After trying some 20 other steganography tools without any results, we tried analyzing the image by hand.
Using python we figured out that the image was in fact pure black and white and did not contain any colors but black, white, and levels of gray. Levels of gray were weird because inspecting the image you could see that sides were edited with a brush tool. We thought that this was a clue but it was not, not at all.
We thought that maybe the areas under the brush were markers for a qr code and we needed to restore those in order to be able to decode the image. The pixels on the image would be too small for a qr, however, we found on the internet that you could actually encode images of any pixel size in a qr code, since the decoder looks only at markers in the corners for size.
After thinking about the problem for literally several hours we asked for some hints. One of the hints was that the flag was encoded in the image itself.
We tried analyzing the pixels from top to down several times. Finally, we asked for another hint. The hint was to read about morse code. We did! The key was understanding the difference between spaces between words and spaces between characters.
This was the most important quote
```Each Morse code symbol is formed by a sequence of dits and dahs. The dit duration is the basic unit of time measurement in Morse code transmission. The duration of a dah is three times the duration of a dit. Each dit or dah within an encoded character is followed by a period of signal absence, called a space, equal to the dit duration.```
We decided to try the most basic form of this, basically, we treated pixel colors on the image as buttons on the transmitter being pressed or not pressed. This would mean that short black parts of the image are spaces between letters, large black parts are spaces between words, short white parts are ‘,’ and finally long white parts are ‘-’.
This was the key, however distinguishing between “short” and “long” parts did seem very easy. We wrote a code that would do this and take thresholds as input. However, we were able to decode the data in one try with the initial values of our thresholds being 1 so we removed all that business altogether.
The code basically extracts a sequence of morse code characters (‘,’, ‘-’) from the image which needs to be decoded later.
This is the code that we used to decode the image;
import numpy as np
from matplotlib import pyplot as plt
img = cv2.imread(‘/Users/gor/Downloads/ — . -. — . . — — .. — — … — .png’)
img = img[:,:,2]
img[img < 255] = 0
img[img == 255] = 1
cur = x
c = 1
res = 
for i in x[1:]:
if i == cur:
c += 1
cur = i
c = 1
for i in res:
if i == 1 and i > 1:
i = ‘ ‘
if i == 0 and i == 1:
i = ‘.’
if i == 0 and i > 1:
i = ‘-’
res = [i for i in res if i in [‘ ‘, ‘.’, ‘-’]]
return ‘’.join([i for i in res])
with open(‘out.txt’, ‘w’) as f:
f.write(‘’.join([convert(i) for i in img]))
# Team name: uxtankyun
Given the problem name and inject.bin file, we figured out that the file is Usb Rubber Ducky compiled script file. After reading what usb rubbery ducky was and ordering one we dissembled the inject.bin file using the web tool. After inspecting the script we figured out that it uses some sort of power shell magic to generate a variable of an ftp website where it would later upload some data. At first, we were going to create windows vm and simulate the ducky to figure out the url, however, we opted for executing the power shell commands in an online power shell emulator. After tinkering with the commands a bit we extracted the correct ftp address. It was a link to an ftp website containing an archive of a supposed prior upload. After inspecting the archive we noticed that there was CTF key in one of the wifi connection xml files.