StandCon 2023 CTF Writeup
Introduction
This is our first CTF Competition hosted by n0h4ts. We managed to complete 3 challenges which was a decent accomplishment for our first attempt. This is a small writeup of the challenges that my team and I completed.
Fetus Crypto
A ROT encryption
Featus Crypto was an easy one. The hint given had the keyword "ROT", hinting at a ROT Cipher. There are many cipher decryptors online and this challenge was cracked quickly upon release.
Within a short amount of time, the cipher was cracked with ROT47
Baby Web
This was a relatively challenging one for a beginner. It features a connectivity checker where an IP Address is the input and the app pings the IP and displays the output
The deployment files were provided, including a DockerFile, the .go
source and the binary used. A test flag.txt
was generated for texting of exploit. Looking at the source, there are some interesting lines of codes that limits the input.
if len(ip) > 15 {
fmt.Fprint(w, "IP address has exceeded the maximum length")
return
}
if strings.ContainsAny(ip, "!\"#%&'+,-/:;<=>?@[\\]^_`|~ ") {
fmt.Fprint(w, "IP address contains bad characters")
return
}
The first if
block limits the input to 15 characters long. The second block prevents some special characters in the input. This proved to be challenging.
if runtime.GOOS == "windows" {
cmd = exec.Command("cmd", "/c", "ping "+ip)
} else {
cmd = exec.Command("sh", "-c", "ping -c 4 "+ip)
}
out, err := cmd.CombinedOutput()
if err != nil {
fmt.Fprintf(w, "An error has occurred: %s\n", err.Error())
w.Write(out)
return
}
This block of code seems to be doing command concatenation by appending ip
to the back of the command and executing the full command. Seems like it is vulnerable to command injection.
COPY baby_web flag.txt /
RUN adduser -D baby_web \
&& chmod 755 baby_web flag.txt \
&& chmod u+s /bin/ping
This is part of the DockerFile, looking at this flag.txt
and the go binary resides in the root directory of the container. Meaning that cat flag.txt
could be possible to get the flag. This contains 12 characters and the space
character which was part of the filter -We needed to find another way to get the flag.
The attack
Hacking the Xbox: An Introduction to Reverse Engineering 1st Edition -Andrew Huang
Looking through similar CTF writeups, it was apparent that this challenge limits command concatenation due to its length and special character filter. Here are some inputs that were tried but failed due to the 2 conditions:
;cat flag.txt # Space, Semicolon
;cat * # Space, Semicolon
cat * # Space
# Other similar ones..
Looking at this writeup, and the ctf writeups, a notable input was ${IFS}
to replace blankspaces.
The final input used was \$(tac\${IFS}f*)
. This executes tac
and list the contents of f*
-A wildcard for file.txt
. Finally, we got the flag
Baby Crypto
Another challenging one for beginners like us. This was the textfile
Let's start with something easy: Abg onq, lbh xabj gur onfvpf. Ubj nobhg guvf: D29fo3IlVT1yVTygpUWyp3AyMP4tFKDaplOiozk5VTqyqUEcozptqT91M2uypvOzpz9gVTuypzH6VQDkAzZ3ZwL5Awp2BQp0ZzZlZQMzAzH2AGVjAzZ2ZGpmAmDlZQpmAmN3AGplAmDmLGVjATHlZQAxZwNmZwZ0ZmVmZmZlZmZmAwZjZmVmBGZjZmDmZQZ5ZmpmZGZ3ZmVmAGZkZmNmZmZkZmRmBGZ1ZmxmAwZ1ZmHmZGZ0ZmLmZwZlZmpmZGZlZmRmBQZ3ZmVmZmZ2ZmDmAwZ2ZmRmZmZ2ZmZmAwZ1ZmDmBQZ2ZmZmAGZ4ZmNmAQZ4ZmpmZwZ5ZmNmZmZkZmxmAGZ5ZmpmAGZjZmxmZQZ5ZmpmZmZjZmZmAwZ4ZmLmZGZ2ZmNmZmZ4ZmpmAQZ2ZmVmAQZ2ZmLmZQZ1ZmLmBQZ4ZmxmAwZ4ZmDmZGZkZmZmAGZ4ZmRmAwZjZmRmZGZmZmHmZGZ4ZmHmAmZ2ZmtmZmZ2ZmtmZmZ5ZmHmZmZ1ZmZmZGZ5ZmLmZQZ3ZmtmAmZ1ZmNmAmZjZmLmAGZkZmZmZQZ2ZmHmAmZlZmpmAQZ0ZmLmZmZjZmLmAQZ3ZmLmAwZjZmxmZwZlZmZmAwZ5ZmVmZmZ2ZmtmAQZlZmZmAQZmZmpmZQZ1ZmtmZGZkZmZmZGZ5ZmRmBQZ0ZmDmBQZ4ZmVmAmZmZmHmAQZ1ZmtmZGZlZmVmBGZjZmpmAmZ5ZmNmAQZ0ZmtmBQZ2ZmVmAwZ3ZmNmZQZ2ZmHmZGZ4ZmxmAwZlZmHmZGZmZmVmZmZlZmHmAGZ2ZmtmBQZ1ZmLmZwZ3ZmLmAGZ3ZmtmZQZ2ZmZmAQZmZmpmBGZ5ZmpmAmZ4ZmVmAmZlZmLmBGZkZmVmAmZmZmHmAmZ2ZmHmAGZ2ZmtmAmZjZmxmZmZ4ZmtmAmZlZmDmAwZ5ZmpmAwZmZmZmBQZ2ZmtmZQZkZmpmBQZ0ZmLmBGZlZmVmZwZ1ZmDmAQZjZmDmAmZ1ZmHmAGZ0ZmLmAmZ5ZmtmAmZ0ZmpmAGZjZmHmZGZ5ZmNmZmZ4ZmpmZQZ3ZmtmAGZ3ZmRmZwZ5ZmxmZGZkZmxmZwZ2ZmVmZmZ3ZmLmAQZmZmZmBGZ2ZmRmZmZjZmVmBGZ4ZmLmAGZjZmxmZGZmZmRmAwZ1ZmRmBGZ2ZmpmAQZ1ZmDmAGZ4ZmxmAGZ1ZmZmBQZmZmtmAwZ2ZmVmZmZ5ZmRmZwZ1ZmNmZGZ1ZmLmBQZ1ZmtmBGZ1ZmZmAwZkZmRmBQZ0ZmVmBGZmZmtmAwZ5ZmHmAmZ4ZmNmBQZ2ZmVmAwZmZmpmZGZ0ZmNmAmZ3ZmDmBGZjZmNmZQZ3ZmpmAwZkZmDmAGZ2ZmpmAGZ2ZmpmZGZlZmtmAQZlZmVmZGZ4ZmpmAQZlZmVmAwZlZmpmAQZ0ZmZmAmZ2ZmHmZGZ5ZmRmAGZ0ZmRmAQZmZmNmBGZ3ZmLmAmZ2ZmNmAwZ3ZmNmZQZ3ZmRmAwZ2ZmLmAQZ3ZmNmZwZ4ZmZmZmZkZmxmZGZkZmpmAQZmZmNmZmZ2ZmxmZwZ0ZmNmBQZ3ZmRmAmZ5ZmVmBGZkZmVmBGZlZmxmAwZ5ZmVmZQZ5ZmxmBGZjZmHmBGZkZmxmAGZjZmNmBGZ1ZmxmZmZ5ZmpmAQZ3ZmtmZwZ2ZmVmZwZjZmpmAmZ4ZmHmZmZkZmHmAwZmZmpmZmZ4ZmLmZmZ4ZmVmBQZ3ZmpmBQZ2ZmVmZQZ3ZmDmAQZ3ZmDmAGZ3ZmNmAmZ4ZmRmAGZ3ZmNmAQZkZmxmBGZmZmVmBGZmZmpmAGZ2ZmVmAGZkZmpmZGZjZmVmAQZ3ZmZmZwZ5ZmpmAGZ4ZmDmZQZ4ZmZmAGZ3ZzZlZQL1ZmRlZQAxZwNmAwZ1ZmHmZmZ3ZzZlZQLmZmRlZQAxZwNmZwZmZmDmZGZ3ZmRmAwZ5ZmtmZQZmZmpmZQZlZmZmBQZ0ZmLmBQZ3ZmRmAGZ0ZmpmZGZjZmRmZmZkZmxmZQZ5ZmRmZmZ4ZmNmAQZ1ZmpmBQZ3ZmxmAwZ3ZmRmZQZ3ZmDmBQZ5ZmNmZmZ3ZmxmAwZ1ZmtmBQZ4ZmxmAmZ4ZmHmZwZ3ZmVmZQZ0ZmLmZGZmZmZmAmZ5ZmZmZQZjZmNmBQZkZmxmAmZlZmDmAGZlZmpmZmZmZmxmAGZjZmpmZQZ5ZmHmBGZkZmtmAGZ0ZmDmBQZkZmHmBQZjZmVmZmZ4ZmpmZmZ2ZmZmZQZ1ZmtmBGZmZmxmAQZjZmxmBGZkZmHmAQZjZmxmAmZ5ZmDmAQZ4ZmpmZwZ3ZmDmBGZ3ZmVmZQZ0ZmxmZQZkZmNmAGZ4ZmLmZwZ2ZmtmBGZ3ZmNmBQZ4ZmVmAmZjZmLmAmZ0ZmDmAmZjZmtmBQZ2ZmHmAGZ1ZmHmBGZ5ZmVmZmZ1ZmpmZwZ2ZmtmAGZmZmDmZwZ2ZmLmZQZ5ZmxmAGZ4ZmVmZwZ3ZmDmAGZmZmDmAGZmZmZmBGZ3ZmZmAwZkZmZmBGZjZmNmBQZ4ZmDmAwZkZmxmZQZ0ZmNmAGZ0ZmHmAQZ4ZmxmAQZ1ZmNmBGZkZmpmAGZlZmDmZwZkZmHmZmZmZmLmZGZmZmRmZmZ3ZmNmBGZkZmtmZGZ5ZmHmAmZmZmLmAGZ0ZmVmAGZ5ZmVmZwZ1ZmtmAGZmZmVmAmZ5ZmZmBQZlZmpmAGZ1ZmtmAwZ4ZmtmAmZkZmZmAwZ2ZmHmZwZkZmZmBQZ1ZmZmBGZ2ZmNmBGZmZmtmAmZjZmxmAGZ2ZmtmZGZ4ZmNmBQZkZmtmAQZ0ZmLmZmZ4ZmVmZGZ1ZmZmBQZ2ZmDmZGZ3ZmVmBQZ4ZmHmAQZ0ZmHmZQZ2ZmtmZmZjZmpmBGZmZmLmBGZmZmtmAGZ3ZmDmAmZ0ZmVmAwZ0ZmLmBGZ0ZmtmAGZjZmtmZmZ2ZmxmAwZkZmDmAGZ5ZmVmZmZmZmDmAQZjZmpmZwZlZmHmAGZ1ZmHmZQZ0ZmZmAGZjZmVmAQZ5ZmxmZwZ4ZmLmZwZlZmtmBGZjZmNmAGZmZmpmZGZ4ZmHmZGZ5ZmpmZQZ5ZmRmBGZ4ZmtmAQZjZmZmZmZ3ZmHmZQZ2ZmpmAQZ0ZmVmZQZ3ZmHmAwZ3ZmRmAmZmZmxmAGZ1ZmDmZQZkZmxmZmZlZmpmAmZ1ZmDmAwZ5ZmxmAwZkZmDmBQZkZmLmZmZ5ZmHmAQZmZmNmAmZ3ZmxmAQZlZmRmZmZ3ZmxmAGZ3ZmDmZwZjZmZmZwZlZmVmZGZ0ZmtmAmZkZmZmAwZ3ZmDmAmZlZmRmZQZ0ZmVmAGZkZmDmAmZ5ZmNmZmZ1ZmNmZGZ4ZmHmZmZ4ZmLmAmZ5ZmNmZQZjZmNmZGZ0ZmRmBQZjZmZmZmZ2ZmtmZQZlZmVmAwZ3ZmZmBQZ2ZmLmBQZ4ZmLmAwZlZmRmZGZ4ZmDmBQZkZmVmZGZjZmNmBGZkZmNmZQZlZmRmAQZ1ZmRmZGZ0ZmxmZmZkZmZmAmZjZmVmZGZ0ZmZmAwZ1ZmNmZwZmZmtmAwZ5ZmHmZwZkZmNmBGZjZmRmAmZ4ZmDmBQZ5ZmNmZGZ4ZmVmAmZkZmVmBGZkZmHmZGZlZmpmZwZ1ZmZmBGZlZmDmBGZmZmHmZwZlZzZlZQL1ZmVlZQAxZwNmZmWwZwN2ZmZlZwNmMQVjZmRmAGZ4ZmpmZGZ3ZmxmAQZ3ZmLmZQZkZmNmZGZ3ZmNmAGZ4ZmpmZmZ0ZmLmAGZ3ZmpmBGZjZmxmZmZ5ZmxmBGZkZmDmAQZmZmLmZGZjZmtmBGZjZmVmZwZmZmDmZGZ1ZmZmAmZ2ZmNmZGZ2ZmtmZQZkZmLmAQZmZmZmAwZ5ZmxmZwZ5ZmLmBGZkZmDmZGZlZmRmBQZkZmVmBGZjZmtmAGZlZmpmBGZ2ZmLmZmZ0ZmZmZQZ5ZmRmZGZ0ZmtmZQZ0ZmNmZwZ3ZmxmBQZjZmZmZQZ4ZmpmZmZkZmpmBQZ5ZmHmAQZmZmxmZmZmZmtmZmZ5ZmxmAmZmZmHmBQZjZmtmZmZkZmpmZmZmZmZmBQZmZmLmAQZkZmDmAQZkZmtmZQZmZmHmAwZkZmtmAmZ2ZmRmAGZ3ZmxmZQZ5ZmDmAGZ1ZmVmZmZjZmHmZwZ2ZmZmZQZ0ZmLmZwZ3ZmRmZmZlZmpmAQZ2ZmNmAQZ1ZmZmZQZ3ZmxmAwZ5ZmNmAQZ4ZmHmAmZ1ZmpmZmZ2ZmtmBQZkZmDmZQZkZmHmAmZ2ZmHmBGZmZmRmAwZjZmLmZwZ1ZmLmAmZ1ZmLmZwZlZmDmZGZ1ZmtmBQZ3ZmHmZGZ0ZmVmZQZ5ZmHmAQZ2ZmpmBQZ2ZmRmAmZ3ZmLmAmZ1ZmDmZwZjZmDmZGZ2ZmDmZGZjZmVmAmZ5ZmNmZwZ5ZmRmZwZkZmZmZQZ1ZmxmAwZ1ZmNmAmZlZmLmAwZ2ZmtmAQZlZmRmAQZ0ZmpmBGZ1ZmNmZmZ5ZmxmAwZ2ZmHmZwZkZmRmZwZ1ZmVmAGZ1ZmVmZGZjZmHmZmZ3ZmNmAmZ3ZmHmZGZ0ZmR=
The first portion Abg onq, lbh xabj gur onfvpf. Ubj nobhg guvf
was easily cracked with Cesar Cipher with key = 13.
Not bad, you know the basics. How about this:
The next portion (body) was done via Base64 decode with N-ZA-Mn-za-m0-9+/=
as the alphabet list. This was done at CyberChef
Giving this as the results:
Colour me impressed. It's only getting tougher from here: 416c72696768742c206f6e65206c6173742073707572743a204e203dc206531203d2036353533372c206331203dc206532203d20332c206332203d
Next, it was time to crack the rest, I used quipquip to solve the rest
Alright, one last spurt: N = 24232360290409717251031195965514622712187236466136365486358048729031959750909730368616038746246605688968411358160113518576836839535319607875070651306572744630647660922369236842343705811319184488273545812290779044886267006518962513232556885627657806343799778272691273576556870938872469763386801784692225440475554679874750519038707857129911926237643396130298650913165196745458955383866239125015685895361184293869578086263714077490007761456756712842218742262744376519154143097676067007166647028331911743036924087179291292969209990591950095939747826220778531563738638287786207447457078157041993293756251710247329758408357, e1 = 65537, c1 = 23417169803702384687154710131909138045787967107489037965888978527204613379300081972452733950709591854481580238736305893940991540979448727497204901058626897088270674470886555599235726853426609958227453453397361390088461904054548945091752421533613137091819573654259225853279382755868871366521385396093870956818081844638215386417288544506830793693857474264694850836961459233440722555504350249928622890053718519709198840337506744207567173955401932775469961481639543077942137957420322214871367472104251479035018538679000014180336802267386688662118481210091002145114931370214365023869521090178489018271291512725392493522, e2 = 3, c2 = 1587179476010170587346577909399914436108902234153760168016433699296914121812908527966343091148040279803087317895439338399735808317333836414418035618761579094552305263046271327460453079690485757368814015765931606256756224158875142095467861776754204164102790291213059650726668421447950399665211252552105370775141
Looking at this, it looks like RSA
or similar encryption technologies. Given N, e1, c1, e2, c2
, the plaintext needed to be retrieved.
Scouring the internet again, It looks like a Common Modulus Attack
can be done to get the plaintext. I found this site with a source that looks like something I need. Translating the lua
code to python
:
#!/usr/bin/env python3
def exGCD(a, b):
if b == 0:
return 1, 0, a
x, y, d = exGCD(b, a % b)
x, y = y, x - (a // b) * y
print("(x, y, d) =", (x, y, d))
return x, y, d
def commonModulusAttack(n, e1, c1, e2, c2):
s1, s2, d = exGCD(e1, e2)
print("(s1, s2) =", (s1, s2))
result = (pow(c1, s1, n) * pow(c2, s2, n)) % n
print("Result of common modulus attack (hex):", hex(result))
ascii_result = bytes.fromhex(hex(result)[2:]).decode('utf-8')
print("Result of common modulus attack (ASCII):", ascii_result)
return ascii_result
n = 24232360290409717251031195965514622712187236466136365486358048729031959750909730368616038746246605688968411358160113518576836839535319607875070651306572744630647660922369236842343705811319184488273545812290779044886267006518962513232556885627657806343799778272691273576556870938872469763386801784692225440475554679874750519038707857129911926237643396130298650913165196745458955383866239125015685895361184293869578086263714077490007761456756712842218742262744376519154143097676067007166647028331911743036924087179291292969209990591950095939747826220778531563738638287786207447457078157041993293756251710247329758408357
e1 = 65537
c1 = 23417169803702384687154710131909138045787967107489037965888978527204613379300081972452733950709591854481580238736305893940991540979448727497204901058626897088270674470886555599235726853426609958227453453397361390088461904054548945091752421533613137091819573654259225853279382755868871366521385396093870956818081844638215386417288544506830793693857474264694850836961459233440722555504350249928622890053718519709198840337506744207567173955401932775469961481639543077942137957420322214871367472104251479035018538679000014180336802267386688662118481210091002145114931370214365023869521090178489018271291512725392493522
e2 = 3
c2 = 1587179476010170587346577909399914436108902234153760168016433699296914121812908527966343091148040279803087317895439338399735808317333836414418035618761579094552305263046271327460453079690485757368814015765931606256756224158875142095467861776754204164102790291213059650726668421447950399665211252552105370775141
print("m =", commonModulusAttack(n, e1, c1, e2, c2))
This script is modified to translate the results from hex to string at the end, printing out the results:
(x, y, d) = (0, 1, 1)
(x, y, d) = (1, -1, 1)
(x, y, d) = (-1, 21846, 1)
(s1, s2) = (-1, 21846)
Result of common modulus attack (hex): 0x5354414e44434f4e7b756e6433723574406e64316e675f793075725f6372797074305f615f625f635f737d
Result of common modulus attack (ASCII): STANDCON{und3r5t@nd1ng_y0ur_crypt0_a_b_c_s}
m = STANDCON{und3r5t@nd1ng_y0ur_crypt0_a_b_c_s}
The flag was finally retrieved.
References
Conclusions
In navigating this CTF, our team strategically employed a diverse set of tools. We honed our skills in Scripting, Cryptographic Cracking, and more. Effective collaboration platforms and a well-rounded tool arsenal proved essential. This experience reinforced the importance of adaptability and continuous learning in the dynamic field of cybersecurity.
Team: Pure
- MayDay
- xrando
- t43d3vel0p3r (Myself)
Comments ()