HACON CTF 2020 Writeups

0awawa0
Sep 27, 2020

  1. [Reverse] Chopdown
  2. [MISC] MISC 2
  3. [MISC] MISC 3
  4. [MISC] Handshakes
  5. [MISC] B4sh
  6. [MISC] MISC 4
  7. [Cryptography] THE SHIFT
  8. [Cryptography] BiG BrAiN
  9. [Cryptography] Baby RSA
  10. [Cryptography] Recovery
  11. [Forensic] BEEP
  12. [Forensic] Wizard
  13. [Forensic] THE MATRIX

[Reverse] Chopdown

Not too much to explain. We are given the file ‘chopdown’ which is an ELF. So we open it in IDA and decompile it:

Oh, there are some fascinating numbers. Let’s represent them as ASCII characters:

And the flag is hac{b1t_by_b1t}

[MISC] MISC 2

Now we have file ‘zippppp.zip’. Unpacking it gives us a folder with 1000 files in it.

Seems like it is time to grep some flags!

And the flag is HACSEC{z1ppppitnice}

[MISC] MISC 3

Well, it’s almost the same as the previous task, although there are more files and they lie in different folders.

So I just add ‘-r’ option to grep and get the flag:

The flag is HACSEC{Z1ppv2}

[MISC] Handshakes

In this task we get the network traffic dump ‘capture.cap’. Let’s look at it in Wireshark:

So it is WiFi traffic, and I am pretty sure I know what ‘Handshakes’ is about. So I try to open it with aircrack-ng:

Aha, there is one WPA handshake in the dump. Now I guess the password to CYB3RARC is the flag for the challenge. Let’s crack it. But I need a wordlist, therefore I change the command to

aircrack-ng -w ~/Documents/rockyou.txt capture.cap

and choose the first BSSID to attack. Now aircrack-ng starts searching for the password:

And about two minutes later I got the flag:

HACSEC{christinal}

[MISC] B4sh

I literally hated this challenge, because there is not much work to do, but it takes a lot of time to find the flag.

So I have the file ‘93531.zip’ and it is password protected. I tried to unzip it with the password 93531 and got the file 33919.zip:

Guess I have to write a script to extract all the archives. It’ll look like this:

Simple script, right? But it took more than an hour to unzip all the archives. I know Python is not so fast, but there are a lot of files. Hundreds? Thousands? I don’t know. Anyway, I don’t think it is really necessary to pack so many archives.

In the end I got the exception:

The flag is HACSEC{SH3LL_SCRIP71NG_!S_FUN}
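One way to write such an unpacking loop, as an added example rather than the author's script (which is not reproduced on this page). It assumes every layer holds exactly one file and that each password is the archive's base name, as with 93531.zip; the in-memory handling and depth cap are additions, and the sample input is constructed and unencrypted because Python's zipfile module cannot write encrypted archives.

```python
import io
import zipfile
from pathlib import PurePosixPath

def unwrap(name: str, data: bytes, max_depth: int = 100_000):
    """Peel nested single-file archives until the payload is no longer a zip.

    Assumption: the password of each layer is the archive's own base name.
    Returns (final_name, final_bytes, layers_removed).
    """
    depth = 0
    while zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= max_depth:
            # Guard against unbounded nesting (the same shape as a zip bomb).
            raise RuntimeError("nesting deeper than max_depth")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
            if len(members) != 1:
                raise ValueError(f"{name}: expected one member, got {len(members)}")
            pwd = PurePosixPath(name).stem.encode()  # "93531.zip" -> b"93531"
            # pwd is ignored by zipfile when the member is not encrypted.
            name, data = members[0], zf.read(members[0], pwd=pwd)
        depth += 1
    return name, data, depth

def build_sample(layer_names, payload: bytes):
    """Constructed input: wrap payload in one archive per name, outermost first."""
    inner_name, data = "flag.txt", payload
    for layer in reversed(layer_names):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(inner_name, data)
        inner_name, data = layer, buf.getvalue()
    return inner_name, data

if __name__ == "__main__":
    outer, blob = build_sample(["93531.zip", "33919.zip", "10001.zip"],
                               b"HACSEC{constructed_sample}")
    print(unwrap(outer, blob))
```

Stopping when the payload is no longer a zip replaces the exception the original run ended with, and keeping each layer in memory avoids writing every intermediate archive to disk.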

[MISC] MISC 4

Now we are given the file ‘File330k.zip’, and guess what: it is password protected too. ‘File330k’ is not the password. It’s time to blow the dust off John the Ripper.

The password is ‘shizzledizzle’. After unpacking the archive we get a text file that says the following:

It looks like a hint at zero-width steganography methods. Let’s try one on https://330k.github.io/misc_tools/unicode_steganography.html

The flag is HACSEC{Fl4g4you!}

[Cryptography] THE SHIFT

Here we have the ciphertext “OAEKIE{S4P_C_Z0R_AH3_UWGT37}”. The task name hints at some kind of shift. Maybe it is ROT13? Nope, no single shift value decrypts this. So maybe it is a Vigenère cipher, since that is effectively a polyalphabetic version of a shift cipher like ROT13. Let’s try it. We don’t have enough text to break it with frequency analysis, so we have to determine the key ourselves.

Since we know the flag starts with “HACSEC”, we can find the first 6 characters of the key:

Now we have decrypted the first 6 characters of the flag, but the other characters weren’t decrypted. That means the key is longer than 6 characters. We can determine the key length by appending filler characters to the key until another part of the flag decrypts:

All right, so there are 5 characters of the key left to determine. I guess that “Z0R” should be the word “G0T”, so I pick the last two characters of the key such that this word decrypts correctly:

Now the “C”. What could it be? Perhaps it is “U”, so the flag ends with “U_G0T_TH3_SECR37”. Seems ok.

And the last word to be decrypted is “S4P”. I would never have guessed it, as this word is “Y4Y”. But looking at the key now, I can guess it is the word “HACSECURITY”. Let’s try it.

And the flag is “HACSEC{Y4Y_U_G0T_TH3_SECR37}”
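The known-plaintext key recovery walked through above can be reproduced in a few lines. This is an added example, not code from the original writeup; the function names are illustrative, and it assumes the key advances only on letters while digits and punctuation pass through unchanged.

```python
from string import ascii_uppercase as ALPHA

CT = "OAEKIE{S4P_C_Z0R_AH3_UWGT37}"  # ciphertext from the challenge text

def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Decrypt; the key index moves only when a letter is consumed."""
    out, k = [], 0
    for ch in ciphertext:
        if ch in ALPHA:
            shift = ALPHA.index(key[k % len(key)])
            out.append(ALPHA[(ALPHA.index(ch) - shift) % 26])
            k += 1
        else:
            out.append(ch)  # digits, braces and underscores are not encrypted
    return "".join(out)

def recover_key_fragment(ciphertext: str, crib: str, letter_offset: int = 0) -> str:
    """Key letters implied by a guessed plaintext (crib).

    letter_offset counts ciphertext letters only, matching how the key advances.
    """
    c_letters = [c for c in ciphertext if c in ALPHA][letter_offset:]
    p_letters = [c for c in crib if c in ALPHA]
    return "".join(
        ALPHA[(ALPHA.index(c) - ALPHA.index(p)) % 26]
        for c, p in zip(c_letters, p_letters)
    )

def rebuild_key() -> str:
    """Chain the guesses made in the text: HACSEC, Y4Y, U, G0T."""
    return (
        recover_key_fragment(CT, "HACSEC", 0)   # known flag prefix
        + recover_key_fragment(CT, "Y4Y", 6)    # "S4P"
        + recover_key_fragment(CT, "U", 8)      # "C"
        + recover_key_fragment(CT, "G0T", 9)    # "Z0R"
    )

if __name__ == "__main__":
    key = rebuild_key()
    print(key, vigenere_decrypt(CT, key))
```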

[Cryptography] BiG BrAiN

This is not really a crypto task, as the ciphertext we were given is obviously a Brainfuck program: https://pastebin.com/gpf0WdrS

So all we’ve got to do is find an online compiler and run it:

The flag is HACSEC{y3s_y0u_n33d_br4in_t0_Cr4Ck_Br4inf#ck}

[Cryptography] Baby RSA

This is just a simple RSA problem. We are given n, e, ct and p. As long as we know p, we can calculate q:

Now, knowing p, q and e, it is pretty easy to calculate d and decrypt ct. I used CrypTool-Online to do so (https://www.cryptool.org/en/cto-highlights/rsa-step-by-step):

The flag is HACSEC{R54_baBy_i5_35Sy}

[Cryptography] Recovery

Another RSA problem. Now we have the script:

This script just takes the flag and encrypts each character of it with RSA. The only RSA parameters we know are n and e. That would not be enough to decrypt the flag if there were no weakness. The weakness is that n seems pretty short, so we can probably factorize it:

Now that we have p and q, we have all the parameters needed to calculate d and decrypt the flag:

The flag is HACSEC{F0unD_A11_ch4rS_@$}
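The arithmetic behind both Baby RSA (p is given) and Recovery (n is short enough to factor) is shown below as an added example; it is not the challenge script or the author's solution. The modulus, primes and sample ciphertext are constructed toy values, since the challenge parameters are not reproduced on this page.

```python
# Constructed toy parameters (not the challenge's values).
P, Q, E = 1009, 1013, 65537
N = P * Q

def private_exponent(p: int, q: int, e: int) -> int:
    """d = e^-1 mod phi(n), with phi(n) = (p - 1)(q - 1)."""
    return pow(e, -1, (p - 1) * (q - 1))

def decrypt_with_known_p(n: int, e: int, ct: int, p: int) -> int:
    """Baby RSA case: p is given, so q is a single division away."""
    if n % p != 0:
        raise ValueError("p does not divide n")
    return pow(ct, private_exponent(p, n // p, e), n)

def factor_small(n: int) -> tuple[int, int]:
    """Recovery case: trial division, feasible only because n is tiny.

    A modulus of realistic size (2048 bits or more) is far out of reach here.
    """
    if n % 2 == 0:
        return 2, n // 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("n has no nontrivial factor")

def decrypt_per_char(n: int, e: int, cts: list[int]) -> str:
    """Each ciphertext integer is one RSA-encrypted character code."""
    p, q = factor_small(n)
    d = private_exponent(p, q, e)
    return "".join(chr(pow(c, d, n)) for c in cts)

# Constructed sample: a placeholder string encrypted character by character.
SAMPLE = "HACSEC{constructed_sample}"
SAMPLE_CT = [pow(ord(ch), E, N) for ch in SAMPLE]

if __name__ == "__main__":
    print(decrypt_with_known_p(N, E, pow(42, E, N), P))
    print(decrypt_per_char(N, E, SAMPLE_CT))
```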

[Forensic] BEEP

In this task we are provided with the file “audio.wav”. Opening it with Audacity, we can see the following:

So this is obviously Morse code. Let’s decode it:

The flag is HACSEC{M0RS3C0D3_1S_W4Y_T0O_CONV3N7ION4L}

[Forensic] Wizard

This one is really easy. We’ve got a PNG image that won’t open. Opening it in a hex editor shows that the signature seems broken:

So just restore the bytes and save the changes:

The flag is HACSEC{w1Z4rD_u53_M4giC_byT3S}
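The same repair can be scripted, as in this added example (not from the original writeup). It restores the eight PNG signature bytes only after confirming that a valid IHDR chunk follows them; the damaged file here is a constructed 1x1 image, because the page does not show which bytes of the challenge file were altered.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # the 8 magic bytes every PNG starts with

def repair_png_signature(data: bytes) -> bytes:
    """Restore the signature if the bytes after it form a valid IHDR chunk."""
    if len(data) < 33:
        raise ValueError("too short to hold a signature plus IHDR")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if length != 13 or ctype != b"IHDR":
        raise ValueError("no IHDR chunk at offset 8; damage is not limited to the signature")
    (stored_crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(data[12:29]) != stored_crc:  # CRC covers chunk type + data
        raise ValueError("IHDR CRC mismatch")
    return PNG_SIGNATURE + data[8:]

def chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, payload, CRC32."""
    crc = zlib.crc32(ctype + payload)
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def make_sample_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG used as test input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one black pixel
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

# Constructed damage: the first four signature bytes are zeroed.
BROKEN = b"\x00" * 4 + make_sample_png()[4:]

if __name__ == "__main__":
    fixed = repair_png_signature(BROKEN)
    print(fixed[:8] == PNG_SIGNATURE, len(fixed))
```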

[Forensic] THE MATRIX

Now we have an image:

Nothing interesting. Let’s feed it to some tools and see what happens:

exiftool says there is some trailer data, so I use foremost to extract it:

foremost extracted a .zip archive from the image. Unzipping it gives us one more archive, “world.zip”, but it is password protected. So let’s use john with rockyou.txt to crack it:

So the password is “steven”. Unzipping the archive gives us a traffic dump. Let’s open it in Wireshark and look at ‘Expert Information’ (Analyze -> Expert Information):

There are some HTTP requests. Let’s look at them:

There is a message that seems to be ROT13 encrypted, so let’s decrypt it now:

And following the instruction in brackets, we can decode the Base64:

The flag is HAC{y0uarethech0sen0ne}
