EGCTF 2019 - Qualification Round

Introduction

I participated in the EG-CTF 2019 qualification round, which was held on Friday, November 15, 2019 and lasted 26 hours. These are my quick write-ups for some of the challenges.

Starter: Decode me :)

Solution:

This was a very easy one: we’re given an encoded string and need to decode it to retrieve the flag. I tried some of the known encoding methods and found that it was base-58 encoded:

Starter: JS CryptoMiner

Solution:

I used beautifier.io to beautify the JavaScript code:

By looking at the end of the code we’ll see this function:

So what I did was paste the code into the JS console, call the function and read the flag:

Starter: Rotten Code

Solution:

By looking at the text it’s easy to recognize that this is the flag, but the letters are substituted.
We know that the flag starts with EGCTF, so C is E and E is G, which means that the offset is 2. I used rot13.com to decode the flag:

Misc: QR c0d3

Solution:

We’re given an image called QR.png:

I used onlinebarcodereader.com to read the QR code, but I only got a small part of the flag:

I tried rotating the image by 90 degrees to see if I would get any different results, which actually worked:

QR_2.png:

Let’s get the other 2 images:

QR_3.png:

QR_4.png:

Final message:

Web: Hold Up

Solution:

The index page only had an image saying “SITE UNDER CONSTRUCTION” and nothing else:

I ran gobuster to check for subdirectories and found a git directory:

/.git:

I used wget to download it:

I checked the reflog to see the commits:

The commit NewFeature (89329fa) revealed a secret path (/S3cR3tPaTh):

/S3cR3tPaTh:

I could also find the credentials in one of the commits (DelCr (5b9e491)):

Web: Tamp3rat0r

Solution:

This was the easiest web challenge. By visiting the site we get asked for authentication:

As the description said, the password is strong, so bruteforcing the basic auth is not the solution. The challenge name is Tamp3rat0r, so I tried tampering with the request method:

Crypto: Des amies

Solution:

By connecting to that port we get asked for a name, then we get an encrypted output:

From the challenge name I assumed that the message is DES encrypted, so I tried getting an encrypted message and then sending it back again to see if I would get the decrypted result.
I sent 1, then I saved the output to a file and called it out.1

I opened the file in vi and removed “Name:”, “Here is your personalized message:” and “Bye”:

Then I sent the encrypted message as input and successfully got back the decrypted message. That’s when I knew that my approach wasn’t the intended one, because the challenge wants the decryption key as the flag:

The hint said “Strong key!”, so it’s probably a weak one, and DES is known for a few weak keys, for which encryption and decryption are the same operation (which is exactly why re-encrypting the ciphertext gave back the plaintext). I searched for weak DES keys and found this Wikipedia page. I used des.online-domain-tools.com and started trying some of the keys; 0xFEFEFEFEFEFEFEFE worked:

Forensics: Data Leakage

Solution:

We’re given a memory image called memdump.mem.
The first thing I did was check the image info (I used Volatility):

Then I checked the processes:

And I dumped the files:

I ran the file command on all the dumped files and found 2 RAR archives:

Both of them had an image called flag.png and both of them were password protected:

Earlier, when I ran psscan, there was a WinRAR process running (PID 1308):

I checked the environment variables of that process and found the password there:

flag.png:

Forensics: Oh My Salary!

Solution:

We’re given a pcapng file called salary_traffic.pcapng. By looking at the capture in Wireshark and sorting the packets by protocol, I noticed a bunch of weird DNS queries:

All of them were looking up the same domain, example.test, with different base-64 encoded strings as subdomains.
I used tshark to extract all of these DNS queries and saved them into a file:

Then, using a text editor, I removed the IP address, .example.test and the newlines:

If you look carefully you’ll notice that it has a lot of newline escapes, so I used Python to print the final base-64 data and save it into a file:

After decoding the data I used file to check the type of the new file; it was a 7z archive:
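The whole extraction chain (collect the subdomain labels in capture order, drop the literal newline escapes, rejoin, base64-decode, check the magic bytes the way `file` does) as an added example that is not the write-up’s code. The tshark column layout and the sample queries below are constructed for the example; the real capture is not shown in the post.

```python
import base64

# Constructed sample shaped like "tshark -T fields -e ip.src -e dns.qry.name" output
# (an assumed format; the write-up only shows a screenshot). The labels carry the
# base64 of a small blob that starts with the 7z magic bytes, built right here.
SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
SAMPLE_BLOB = SEVEN_ZIP_MAGIC + b"\x00\x04" + b"constructed payload for this example"
_B64 = base64.b64encode(SAMPLE_BLOB).decode().rstrip("=")  # '=' padding rarely survives the wire
SAMPLE_TSHARK = "\n".join(
    f"10.0.0.5\t{_B64[i:i + 12]}.example.test" for i in range(0, len(_B64), 12)
)
# One query carries a literal "\n" escape, like the ones the write-up had to clean out.
SAMPLE_TSHARK = SAMPLE_TSHARK.replace(".example.test", "\\n.example.test", 1)


def extract_chunks(tshark_text: str, domain: str = "example.test") -> list[str]:
    """Return the base64 fragments queried in front of `domain`, in capture order."""
    chunks = []
    for line in tshark_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        name = fields[-1].rstrip(".")        # query name is the last column
        if not name.endswith("." + domain):
            continue                          # ordinary DNS traffic, not the channel
        sub = name[: -len(domain) - 1]        # strip ".example.test"
        sub = sub.replace("\\n", "")          # drop literal newline escapes
        chunks.append(sub.replace(".", ""))   # payloads >63 bytes are split across labels
    return chunks


def reassemble(chunks: list[str]) -> bytes:
    """Join the fragments and base64-decode them, restoring any stripped padding.

    Standard base64 as in the write-up; use base64.urlsafe_b64decode if the
    labels contain '-' and '_' instead of '+' and '/'.
    """
    data = "".join(chunks)
    data += "=" * (-len(data) % 4)
    return base64.b64decode(data)


def looks_like_7z(blob: bytes) -> bool:
    """The check `file` makes: a 7z archive begins with 37 7A BC AF 27 1C."""
    return blob.startswith(SEVEN_ZIP_MAGIC)


if __name__ == "__main__":
    payload = reassemble(extract_chunks(SAMPLE_TSHARK))
    print("7z archive" if looks_like_7z(payload) else "unknown type", len(payload), "bytes")
```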

I tried to extract it, but it was password protected:

I checked the network capture again and found an HTTP request to a file called key.txt:

The response was a base-64 encoded string, so I decoded it and used the result as the password:

And finally I got the flag:

Forensics: Secret Agent

Solution:

We’re given a pcapng file called SecretMessage.pcapng. By looking at the capture in Wireshark and sorting the packets by protocol, I noticed a bunch of ICMP requests with weird TTL numbers:

These numbers were ASCII character codes; I tried decoding the first 5 and got EGCTF:

Doing it manually would take some time, so I exported the ICMP packets as a txt file:

I used grep to get only the lines with ttl:

Then, using cut, I got the TTL numbers only:

We don’t need 128 because that’s the TTL number from the response packets, so we remove it by piping to grep -v "128"; finally I used echo -n on the output to produce a single-line output:

I used the ASCII code tool from dcode.fr to decode the flag:
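The grep / cut / grep -v 128 pipeline as one Python function, added here as an example and not taken from the write-up. The packet-list text format and the sample flag are constructed (the post only shows screenshots); the `hops` parameter covers the case the post did not need, a capture taken downstream of the sender, where every TTL arrives decremented by the hop count.

```python
import re

# Constructed flag whose character codes become the echo-request TTLs.
CONSTRUCTED_FLAG = "EGCTF{ttl_as_a_channel}"
REPLY_TTL = 128  # the responder's default TTL, as seen in the write-up's capture


def build_sample(flag: str, reply_ttl: int = REPLY_TTL) -> str:
    """Emit request/reply lines shaped like Wireshark's packet-list text export
    (assumed column layout). Each request TTL carries the next flag character."""
    lines = []
    for i, ch in enumerate(flag, start=1):
        req, rep = 2 * i - 1, 2 * i
        lines.append(f"{req}\t10.0.0.7\t10.0.0.1\tICMP\tEcho (ping) request  "
                     f"id=0x0001, seq={i}/256, ttl={ord(ch)} (reply in {rep})")
        lines.append(f"{rep}\t10.0.0.1\t10.0.0.7\tICMP\tEcho (ping) reply    "
                     f"id=0x0001, seq={i}/256, ttl={reply_ttl} (request in {req})")
    return "\n".join(lines)


TTL_RE = re.compile(r"\bttl=(\d+)")


def decode_ttl_channel(export_text: str, reply_ttl: int = REPLY_TTL, hops: int = 0) -> str:
    """Recover the message hidden in echo-request TTLs.

    Mirrors the shell pipeline: keep lines with ttl, cut the number, drop the
    reply TTL, turn each remaining value into its ASCII character. `hops` adds
    back the per-hop decrement if the capture point is not the sending host.
    """
    chars = []
    for line in export_text.splitlines():
        match = TTL_RE.search(line)
        if not match:
            continue                      # grep ttl
        ttl = int(match.group(1))         # cut -d= -f2
        if ttl == reply_ttl:
            continue                      # grep -v "128": replies, not the channel
        chars.append(chr(ttl + hops))     # ASCII code -> character
    return "".join(chars)


if __name__ == "__main__":
    print(decode_ttl_channel(build_sample(CONSTRUCTED_FLAG)))
```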

That’s it, feedback is appreciated!