The Nope Sleds : CTF Write-Ups

Forensics – 1. Picasso Author: 5ynax and Valrkey Worth:  $150 Description: The challenge involved a GIF that we needed to extract a message from. So, for this challenge, we had two ways that we solved it at almost the same time. We have the long (5ynax) way and we have the fast (valrkey) way. The Long Way In the long way, I decided to extract each frame of the automated GIF and then import them into GIMP to layer them on top of one another. I used an online tool to get all of the frames, there was a lot of them, I used https://ezgif.com/split. After I got the frames split up, I downloaded them and moved them to my box with GIMP ready for analysis. I later learned that I could have just imported the GIF into GIMP directly using the open as layers routine, but that's neither here nor there. For each layer there is an Alpha Channel. In GIMP under the colors menu, you can select the Color to Alpha Routine to get this box: This allows you to choose a color an

Forensics – 3. Lost in the Forest Authors: 5ynax and valrkey Worth:  $50 Description To start the challenge, you are able to download a zipped archive called fs.zip. You can unzip the archive and list out the contents to see the full directory includes all the directories you would expect to see on a Linux or Unix style machine. Checking the home directory, you will see there is only one user profile, hkr. Navigating to the hkr directory and listing contents, we see the normal user profile contents, as well as a randomly named file. Using the file command, we check on the file type and then cat the contents once we realize that it ASCII text. The contents of the hzpxbsklqvboyou file are encoded in some way, looks like some variation of base64 at this point. The strings are repeated, so we suspect string manipulation and obfuscation at this point. Let's take a gander around the rest of the user directories and see if we can find anything else intere

Miscellaneous – 2. Anticaptcha Author: valrkey Worth: $250 Description:  Wow, this is a big captcha. Who has enough time to solve this? Seems like a lot of effort to me! As you can tell by the tiny scroll bar, there were a large number of questions (609) to be answered. To make things more difficult, each time the question was visited, the order and numeric value would be randomized. The questions generally followed one of three formats: What is the # word in the following line: ...? Is # a prime number? What is the greatest common divisor of # and #? For each of these question formats, I wrote a PowerShell function to determine the answer. Word in Line This function takes in the INDEX of the word requested and the LINE to take the word from. I added a line word length check just in case the IceCTF staff are jerks and give a too-large index. Everything should be accounted for the after mapping the 1st word" to the 0th array index and getting rid of any

Web - 2. Lights Out! Author: 5ynax Worth:  $75 Description I will be the first person to admit that getting this flag was dirty and there was no grace used whatsoever. At the end of the day, we got the flag, so I will take what I can get.  The challenge was obviously focused on finding the flag that was hidden directly in the page and my initial thought was that it was hidden in the CSS of the site. Pulling up the CSS source using Chrome's developer tools, I saw the following: Overall, this looked a bit out of place so I figured this is where I would start looking. After beautifying the CSS, I started looking through the contents quickly. I first came across content: "eCTF{" in the CSS so I figured I was on to something. I quickly searched through the rest of the CSS and found the following strings: "Ic" "the_lights}" "turned" "styles" "_" "eCTF{" With a little bit of logic, we were a

Binary Exploitation – 2. Cave Author: 5k33tz, v alrkey Worth:  $50 Description:  You stumbled upon a cave! I've heard some caves hold secrets.. can you find the secrets hidden within its depths? The start of the challenge establishes an SSH connection for you. The only directory you're presented with is a directory called "cave". CD'ing into the cave directory shows the following files: The challenge is nice enough to leave the original source code used to compile the binary: This appears to be a standard buffer-overflow question, but I notice that the shell function will need to be called  separately. Running the following command we can see the the shell() function is called at a static address (0x0804850b): objdump -d ./shout | grep -A25 shell 0804850b <shell>:  804850b: 55                    push   %ebp  804850c: 89 e5                mov    %esp,%ebp  804850e: 53                    push   %ebx  804850f: 83 ec 14   

Garfeld - 1. Cryptography Author: 5ynax Worth:  $100 Description At the start of the challenge you are provided with the following image: Based on the picture, you can see that there is an encrypted message at the bottom of the picture. You will also notice that there is a number in the upper right corner of the image that looks like a date. If you google "07271978" you will find the following Garfield cartoon strip: This shows the date is relevant in some way shape or form. Plus, its a great example of a good old fashioned Garfield cartoon strip.  Back to the cryptographic message, we notice that the format is already in the IceCTF{flag} format that we are looking for so we can confidently say this is the encrypted flag. If you look at the first part of the encrypted string "IjgJUO" you will see that it is the same amount of letters as IceCTF. It is probably safe to assumed that the number of letters is not changed during the encryption