Winja - Nullcon Berlin 2022
Benito Antoñanzas
Description: You can’t find it, until you search deep.
Points: 300
Difficulty Level: Medium
Category: Forensic
File: 1. benito_antonanzas.raw
Writeup
volatility_2.6_win64_standalone.exe -f .\benito_antonanzas.raw imageinfo
.\volatility_2.6_win64_standalone.exe -f benito_antonanzas.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000007e754d30 --name file -D ./
The hint is a Bellaso cipher.
Decrypting it gives the offset, width and height, which can be used to retrieve the flag.
volatility_2.6_win64_standalone.exe -f .\benito_antonanzas.raw --profile=Win7SP1x64 pslist
Move the dmp to data and open it using GIMP.
Apply the offset, width and height.
Flip the image to get the flag.
Flag
César Gandía
Points: 300
Difficulty Level: Medium
Category: Rev
wget "https://raw.githubusercontent.com/extremecoders-re/pyinstxtractor/master/pyinstxtractor.py"
python3 pyinstxtractor.py chall
cd chall_extracted
strings chall.pyc
Since the chall binary is compiled with Python 3.9, which uncompyle6 does not support, we use strings to get the function names and reverse the logic behind it. We find decode, marshal, decode, decompress and get the source code. Now you should be able to get the flag.
import sys

actual_flag = "f0dd841e3b8f971e111166a6{aag1109la_ASSa$51N}Nc17_h3'S_a"

def encode(flag):
    # Every loop reads from the original flag and writes into new_flag.
    new_flag = list(flag)
    for i in range(len(flag)-1,len(flag)-11,-1):
        new_flag[i],new_flag[i-11] = flag[i-11],flag[i]
    for i in range(22,34):
        # Note: ^ is XOR in Python, not exponentiation.
        new_flag[(i^2)%11],new_flag[i] = flag[i],flag[(i^2)%11]
    for i in range(33,45):
        new_flag[i//4],new_flag[i//2] = flag[i//2],flag[i//4]
    return "".join(new_flag)

if len(sys.argv) == 1:
    print(f"Required Parameter: <flag>")
    sys.exit()
if len(sys.argv[1]) != len(actual_flag):
    print(f"Incorrect Flag Length")
    sys.exit()
if encode(str(sys.argv[1])) == actual_flag:
    print("Correct!")
else:
    print("Incorrect!! Try Again")
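One way to invert the check above, as an added example that is not part of the original writeup or the challenge: because encode() only ever reads from the original flag, encoding a string of distinct marker characters reveals which input index lands at each output position, and that map can be applied backwards to actual_flag. encode() and the target string are copied from the recovered source; ACTUAL_FLAG, source_map and invert are names introduced here.

```python
# Added example: encode() and the target string are copied from the recovered
# source above; source_map() and invert() are names introduced here.
ACTUAL_FLAG = "f0dd841e3b8f971e111166a6{aag1109la_ASSa$51N}Nc17_h3'S_a"


def encode(flag):
    new_flag = list(flag)
    for i in range(len(flag)-1, len(flag)-11, -1):
        new_flag[i], new_flag[i-11] = flag[i-11], flag[i]
    for i in range(22, 34):
        new_flag[(i^2) % 11], new_flag[i] = flag[i], flag[(i^2) % 11]  # ^ is XOR
    for i in range(33, 45):
        new_flag[i//4], new_flag[i//2] = flag[i//2], flag[i//4]
    return "".join(new_flag)


def source_map(n):
    """m[p] = index of the input character that encode() puts at output p."""
    markers = "".join(chr(0x100 + i) for i in range(n))  # n distinct probes
    return [ord(c) - 0x100 for c in encode(markers)]


def invert(target, unknown="?"):
    """Return (candidate, free): free lists input indices encode() discards."""
    flag = [None] * len(target)
    for pos, src in enumerate(source_map(len(target))):
        if flag[src] not in (None, target[pos]):
            raise ValueError(f"target is inconsistent at output position {pos}")
        flag[src] = target[pos]
    free = [i for i, c in enumerate(flag) if c is None]
    return "".join(unknown if c is None else c for c in flag), free


if __name__ == "__main__":
    candidate, free = invert(ACTUAL_FLAG)
    print(candidate)
    print("input positions the check never reads:", free)
    # Any characters at the free positions still pass the comparison.
    assert encode(candidate) == ACTUAL_FLAG
```

The mapping is not one-to-one: several input positions are overwritten before they reach the output, so the script marks them with `?` and the comparison alone cannot recover them.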
Francisco Torres
Description: Server of Printing Counterfeit Banknotes
Points: 150
Difficulty Level: Easy
Category: PWN
This is a PWN and Miscellaneous category challenge where the server replies with QR codes, each of which gives part of the flag. A short Python script is enough to decode them.
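from pwn import *
import pyscreenshot
import subprocess

host = "192.168.0.112"
port = 41879
r = remote(host, port)
try:
    while True:
        # Print the server's reply (the QR code) so that it is on screen.
        data = r.recvuntil(b"Enter the Flag you got till now >")
        print(data.decode("utf-8"))
        # Screenshot the screen and let zbarimg decode the QR code in it.
        image = pyscreenshot.grab()
        image.save("qr-image.png")
        result = subprocess.run("zbarimg qr-image.png".split(), stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        # zbarimg prints "QR-Code:<data>"; keep the part after the colon.
        result = result.stdout.decode('utf-8').split(":")[1]
        print(result)
        r.send(result.encode("utf-8"))
except (EOFError, IndexError):
    # EOFError: the server closed the connection; IndexError: no QR code was decoded.
    pass
r.close()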
Manila
Description: You can’t find it until you search deep.
Points: 200
Difficulty Level: Easy
Category: Forensic
hostage.pdf is damaged, but even if you fix and recover the file it has nothing inside.
However, checking the strings turns up DNEI:
strings hostage.pdf | grep DNEI
DNEI is IEND, the end marker of a PNG, reversed. So you have to reverse the given file, and you should see a PNG file inside it.
Removing the above bytes should give you the flag.
Mercedes Colmenar
Points: 150
Difficulty Level: Medium
Category: Rev
Analyzing the binary in a disassembler such as Binary Ninja shows the code logic, which just shuffles and concatenates the string to verify the flag. Ghidra would be a better option to get the source code and join the flag.
Shakir
Description: Find the l33t.
Points: 150
Difficulty Level: Easy
Category: Rev
./Shakir
Enter flag: l
Flag length did not match
When you execute the binary it reports that the flag length did not match. You can brute-force the length, but disassembling the binary gives you the decimal numbers along with the logic that was applied to them.
Decoding the calculation for each bit will give you the flag.
Suárez
Description: Do you know how to run this?
Points: 200
Difficulty Level: Easy
Category: Misc
From the file extension you can tell that it is assembly language, but for Python. There is a package called pyasm that lets us assemble and run it to get the output for the flag.
pyc-xasm chall.pyasm
python3 chall.pyc