Capture The Flag evening - Part 21

• 7 July, 2014 - 7 PM
• Please bring along a laptop with you!!!

General CTF Info

• See the page for the Ctf-evenings
• Link to the Tech Inc Challenge Website Scoreboard

Pwnium CTF Retrospective

• Link to Dimitris' Etherpad
  • https://pad.riseup.net/p/7fe081c3612b3dbd33ff954fe378826d

• Link to download the challenges:
  • https://pad.riseup.net/redirect#https%3A//t.co/0IW2JAehKR

Walk throughs

• Dimitris is discussing the challenges solved by Team Knuffelhackers in the Pwnium CTF last weekend
• Kernel land (150 points):
  • Static binary - Dimitris loaded it into QEMU
  • When he runs it it produces ticks - the hint: the flag is on the 3rd ticket
  • He added a debugger to the VM
  • He put a breakpoint on timer tick - and there's also a variable called 'flag'
  • He needed to add the symbols to GDB
  • He single stepped through the "ticks" , through the 3rd tick, and then examine the flag variable in memory at Tick 3
• USB is fun (100 points):
  • We're given a pcap file with a USB transaction
  • He was able to find the flag just by running strings on it!
• Look closer (50 points)
  • We got a rar file that is actually a jpeg
  • If you look at the jpg file, you can see the flag
• Break me (100 points)
  • Dimitris base 64 decoded it - it's a bzip2 file
  • Dimitris decompressed it w/ bunzip
  • This gave the flag value
• So basic (75 points)
  • He is given a zip file containing 2 byte strings
  • Each of these hashes represents a number 1-40
  • He wrote a bash script that puts these things in order
  • It's a chain of MD5 hashes
  • If it's present in the directory, you copy this to flag.txt
  • If you hex decode this (i.e. in Python) then you get the flag value
• Altered code
  • We're given a main.c file with some computations, rotations, and a secret code
  • He noticed 2 places where indentation was broken (somebody had modified the files)
  • He commented these lines out, and then the program gave the flag when run
• ROT (300 points)
  • A URL and port # gave a base 64 string, it expected an answer for about 5 seconds, and then closed down
  • If he decodes the string, it gives you a string - but you only have 5 seconds to extract the text and submit it as a flag!
  • He started looking into image transformations w/ Python
  • He used Python to clean up the image - then he needed OCR to extract the text
  • He converted the image to black and white
  • He was using an OCR program called "cuneiform"(?)
• Baybe crackme
  • You get the flag by adding an arbitrary command line parameter
• Find the owner:
  • This binary was connecting to a Tunesian government website
  • He concatenated the ip address and port, and that was a flag
• Be a robot
  • Buffer overflow - jump to a function - get a shell from there
  • Dimitris solved it locally but not remotely

• Esoteric programming language used in one of the challenges: http://compsoc.dur.ac.uk/whitespace/
  • Another (unrelated) esoteric programming language: http://www.dangermouse.net/esoteric/hq9plusplus.html