Aug 6, 2017 - SHA2017 CTF : asby

Author: aagallag

Publish Date: 2017-08-06

Category: Binary

Points: 100

Description:

Eindbazen team member asby has by far been putting the most energy and time in creating the SHA2017 CTF. To honor his dedication and all his effort we created this challenge as an ode to him.

You can choose to reverse engineer this challenge or you can "asby" it. Good luck with the option you choose.

asby.tgz - 7422948a4034252d45cee02753b3d13b

This challenge didn’t require much reversing. I opened up the binary in IDA Pro only long enough for me to realize that the binary checks the supplied flag one character at a time and it will report if each character is correct. Then, I checked the home page of the CTF and noticed that the flag format is very predictable.

All flags will have the layout of flag{MD5} and are case insensitive.

Both of these facts combined make the flag very easy to brute-force. Since MD5 hashes are base-16 hex, we know each character only has 16 possibilities. So I wrote a quick Python script to brute-force the flag, one character at a time.

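import subprocess

def getp():
    # Start the challenge binary with pipes so we can feed it guesses
    p = subprocess.Popen(['asby.exe'], stdin=subprocess.PIPE,
                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    return p

def tryflag(p, possible_flag):
    # Send one guess; the binary answers with one line per character checked
    command = possible_flag + '\r\n'
    p.stdin.write(command.encode())  # the pipes carry bytes
    p.stdin.flush()
    for i in range(len(possible_flag)):
        response = p.stdout.readline()
        if b'WRONG!' in response:
            return False
    return True

p = getp()
# Sanity checks: the known prefix and the first digit must be accepted
assert(tryflag(p, 'flag{'))
assert(tryflag(p, 'flag{0'))

flag = 'flag{'

# 32 hex digits, 16 candidates each
for x in range(32):
    for y in range(16):
        c = '%x' % y
        if tryflag(p, flag + c):
            print(flag)
            flag += c
            break

flag += '}'
print(flag)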

And the output from the script:

flag{
flag{0
flag{02
flag{024
flag{024b
flag{024ba
flag{024baa
flag{024baa8
flag{024baa8a
flag{024baa8ac
flag{024baa8ac0
flag{024baa8ac03
flag{024baa8ac03e
flag{024baa8ac03ef
flag{024baa8ac03ef2
flag{024baa8ac03ef22
flag{024baa8ac03ef22f
flag{024baa8ac03ef22fd
flag{024baa8ac03ef22fdd
flag{024baa8ac03ef22fdde
flag{024baa8ac03ef22fdde6
flag{024baa8ac03ef22fdde61
flag{024baa8ac03ef22fdde61c
flag{024baa8ac03ef22fdde61c0
flag{024baa8ac03ef22fdde61c0f
flag{024baa8ac03ef22fdde61c0f1
flag{024baa8ac03ef22fdde61c0f11
flag{024baa8ac03ef22fdde61c0f110
flag{024baa8ac03ef22fdde61c0f1106
flag{024baa8ac03ef22fdde61c0f11069
flag{024baa8ac03ef22fdde61c0f11069f
flag{024baa8ac03ef22fdde61c0f11069f2
flag{024baa8ac03ef22fdde61c0f11069f2f}

Flag

flag{024baa8ac03ef22fdde61c0f11069f2f}
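
Why the search stays so small, as an added example (not code from the original post or from the challenge): a constructed stand-in checker with per-character feedback, next to a check that returns one verdict for the whole input. `SECRET`, `leaky_check`, `hardened_check` and `recover` are hypothetical names, and the secret is a constructed value, not the challenge flag.

```python
import hashlib
import hmac

HEX = "0123456789abcdef"
# Constructed secret for this demo; not the challenge flag.
SECRET = "flag{" + hashlib.md5(b"constructed demo value").hexdigest() + "}"

def leaky_check(guess):
    """Stand-in for the behaviour described above: one verdict per
    character, stopping at the first wrong one."""
    verdicts = []
    for i, ch in enumerate(guess):
        ok = i < len(SECRET) and ch == SECRET[i]
        verdicts.append(ok)
        if not ok:
            break
    return verdicts

def hardened_check(guess):
    """One verdict for the whole input, compared in constant time."""
    return hmac.compare_digest(guess.encode(), SECRET.encode())

def leaky_accepts(prefix):
    return all(leaky_check(prefix))

def hardened_accepts(prefix):
    return hardened_check(prefix)  # a partial guess is never confirmed

def recover(accepts, body_len=32):
    """Extend a known prefix one hex digit at a time.
    Returns (flag or None, number of guesses submitted)."""
    known, guesses = "flag{", 0
    for _ in range(body_len):
        for c in HEX:
            guesses += 1
            if accepts(known + c):
                known += c
                break
        else:
            return None, guesses  # no digit confirmed: no per-character signal
    return known + "}", guesses

if __name__ == "__main__":
    print("leaky:   ", recover(leaky_accepts))     # full value, at most 16 * 32 guesses
    print("hardened:", recover(hardened_accepts))  # (None, 16)
```

With per-character verdicts the work is bounded by 16 × 32 = 512 guesses; with a single verdict the same loop learns nothing and the search space goes back to 16^32.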

Aug 6, 2017 - SHA2017 CTF - Junior : Zipfile Two

Author: aagallag

Publish Date: 2017-08-06

Category: Misc

Points: 2

Description:

We received another zip file, which also requires a password. All we know is that the password is an existing English word with a length of 6 and all lowercase. Can you crack this password?

zipfiletwo.zip - 72bac30689c07b30cf9a4c6f74bcbdd9

Very similar to Zipfile One, we are provided with enough information about the file that brute-forcing it will be rather quick. Again, I used fcrackzip but tweaked the parameters to match this challenge.

$ fcrackzip -c a -b -l 6-6 -u zipfiletwo.zip


PASSWORD FOUND!!!!: pw == future

And again, unzip the file with the password future to reveal a text file containing the flag.

Flag

flag{7128d78caf1e3297386a09afae0f8ea4}

Aug 6, 2017 - SHA2017 CTF - Junior : Zipfile One

Author: aagallag

Publish Date: 2017-08-06

Category: Misc

Points: 1

Description:

We received this zip file, but is asking for a password. All we know is that the password exists of 5 numbers, can you crack this password to get the hidden information?

zipfileone.zip - 8caeb32d9716898f9af223f9762c8b27

You are provided with a standard, password-protected zip file. We are given enough information about the file that brute-forcing it will be rather quick. I decided to use fcrackzip.

$ fcrackzip -c 1 -b -l 5-5 -u zipfileone.zip


PASSWORD FOUND!!!!: pw == 42831

Then simply unzip the file with the password 42831 to reveal a text file containing the flag.

Flag

flag{d6f56ae046bb241cc61f9d26f8e525d9}