Sunshine CTF 2016 writeups

This weekend was Sunshine CTF 2016. I didn't spend much time on this CTF, because there were two other CTFs running at the same time. So this blog post is about the writeups for two easy forensic challenges:

Butterfly Effect


Points: 50

judges: meowmeow

Link: http://ctf.bsidesorlando.org/static/uploads/5676ebc69d9abdf9df4a39728f558100/butterfly.png

After downloading the image, neither file nor binwalk shows anything suspicious, such as hidden data. Opening the file in GIMP shows us a butterfly.

Using the Colors -> Curves menu we open the color curves. Adjusting the first 'Value' curve towards the bottom right corner reveals the flag in the image.
[Image: color curve]

Flag:

sun{RE4DY_THE_4CID_M4GNET!}

That's No Moon


Points: 50

judges: meowmeow

http://ctf.bsidesorlando.org/static/uploads/213d461c72e1db462eb6e54c612f3fcf/moon.png

After downloading the file, we see that it's a PNG file:

$> file moon.png 
moon.png: PNG image data, 600 x 593, 8-bit/color RGB, non-interlaced

However, viewing it doesn't show anything interesting, and the tricks from Butterfly Effect don't help either.
Let's see if there is anything hidden in the file:

$> strings moon.png | grep flag 
flag.txtUT	
flag.txtUT

Okay, so there's definitely more in here than just a PNG file. Using binwalk we find a zip archive:

$> binwalk moon.png 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 600 x 593, 8-bit/color RGB, non-interlaced
290           0x122           Unix path: /www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef=
944           0x3B0           Zlib compressed data, best compression
411781        0x64885         Zip archive data, encrypted at least v1.0 to extract, compressed size: 35, uncompressed size: 23, name: flag.txt
411976        0x64948         End of Zip archive

Everything from offset 0 up to 411781 belongs to the PNG, and a zip archive starts at offset 411781. Let's extract it:

$> dd if=./moon.png of=./moon.zip skip=411781 bs=1
217+0 Datensätze ein
217+0 Datensätze aus
217 bytes copied, 0,00834137 s, 26,0 kB/s
$> file moon.zip 
moon.zip: Zip archive data, at least v1.0 to extract

When we try to extract the contents, unzip asks for a password; "moon" is a good guess and works.

$> unzip moon.zip 
Archive:  moon.zip
[moon.zip] flag.txt password: 
 extracting: flag.txt                
$> cat flag.txt 
sun{0kay_it_is_a_m00n}

Get Gud Kid


Points: 300

Judges: lessneaky

Find the flag. It'll only match the format after some work.

Hint: Read between the structs

When I started the challenge, there was no hint and I didn't finish it. Binwalk detects several zip files:

$> binwalk get_gud_kid.dat 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
179           0xB3            Zip archive data, at least v2.0 to extract, compressed size: 368461, uncompressed size: 368461, name: cat1.jpg
368732        0x5A05C         End of Zip archive
368775        0x5A087         Zip archive data, at least v2.0 to extract, compressed size: 410227, uncompressed size: 410227, name: cat2.jpg
779094        0xBE356         End of Zip archive
779137        0xBE381         Zip archive data, at least v2.0 to extract, compressed size: 149229, uncompressed size: 149229, name: cat3.jpg
928458        0xE2ACA         End of Zip archive
928501        0xE2AF5         Zip archive data, at least v2.0 to extract, compressed size: 617166, uncompressed size: 617166, name: cat4.jpg
1545759       0x17961F        End of Zip archive
1545802       0x17964A        Zip archive data, at least v2.0 to extract, compressed size: 375400, uncompressed size: 375400, name: cat5.jpg
1921294       0x1D510E        End of Zip archive
1921337       0x1D5139        Zip archive data, at least v2.0 to extract, compressed size: 361267, uncompressed size: 361267, name: cat6.jpg
2282696       0x22D4C8        End of Zip archive
2282739       0x22D4F3        Zip archive data, at least v2.0 to extract, compressed size: 509269, uncompressed size: 509269, name: cat7.jpg
2792100       0x2A9AA4        End of Zip archive
2792123       0x2A9ABB        End of Zip archive

I started to extract all zip files using dd:

dd if=./get_gud_kid.dat of=./catX.zip skip=Y bs=1 count=Z

where:

  • X is the index of the zip file
  • Y is the zip's start offset
  • Z = Q - Y, where Q is the zip's end offset

Opening a zip file leads to even more cat pictures, but no flag.
So I grepped for flag and got this result:

$>  grep -r flag ./* 
Übereinstimmungen in Binärdatei ./cat2.zip.
Übereinstimmungen in Binärdatei ./cat4.zip.
Übereinstimmungen in Binärdatei ./cat5.zip.
Übereinstimmungen in Binärdatei ./cat6.zip.
Übereinstimmungen in Binärdatei ./get_gud_kid.dat.

I just realized that I made a mistake while extracting the zips, so this grep may be incorrect, as well as the following part of this writeup :(

Binwalk to the rescue!

$> binwalk cat2.zip

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, at least v2.0 to extract, compressed size: 410227, uncompressed size: 410227, name: cat2.jpg
410319        0x642CF         End of Zip archive
410362        0x642FA         Zip archive data, at least v2.0 to extract, compressed size: 149229, uncompressed size: 149229, name: cat3.jpg
559683        0x88A43         End of Zip archive
559764        0x88A94         JPEG image data, JFIF standard 1.01

At this point it started to get boring and I didn't want to extract even more zips and cat pictures. I did it one last time, but the archives only contained the cat pictures. But grep found 'flag' somewhere in the cat2.zip file. Maybe a hexdump will help us:

$> hexdump -C cat2.zip   | grep "agg" -A 0 -B 3
000642c0  00 b6 81 00 00 00 00 63  61 74 32 2e 6a 70 67 50  |.......cat2.jpgP|
000642d0  4b 05 06 00 00 00 00 01  00 01 00 36 00 00 00 99  |K..........6....|
000642e0  42 06 00 00 00 00 1d 00  00 00 0b 00 00 00 66 6c  |B.............fl|
000642f0  61 67 67 65 64 2e 74 78  74 63 50 4b 03 04 14 00  |agged.txtcPK....|

Okay, there's our flagged.txt, and right before it we see PK, or 50 4b 05 06: that's the magic number of a zip end-of-central-directory record, which is also all that an empty zip archive consists of.
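The dd carving from the Get Gud Kid section, the moon.png carve and the hexdump above all turn on the same detail, so here is a small carver, added as an example and not code from the original writeup: binwalk's "End of Zip archive" offset is where the end-of-central-directory (EOCD) record begins, and that record is 22 bytes plus an optional comment, so a count of Q - Y stops one record short. The moon.zip run shows this (217 bytes copied = 411976 - 411781 + 22), and the hexdump of cat2.zip shows the record at 0x642cf with central directory size 0x36 at +12 and central directory offset 0x64299 at +16, where 0x64299 + 0x36 = 0x642cf. The carver uses that consistency check to tell a genuine EOCD from a stray PK\x05\x06 inside stored data, cuts each archive at its true end, and lists the bytes that are left over between archives. The container it builds for a dry run is constructed for this example, and the output file name carved_N.zip is my choice.

```python
"""Carve embedded zip archives from a container file and list the bytes
between them.  Added example; not code from the Sunshine CTF writeup."""
import io
import struct
import sys
import zipfile
from dataclasses import dataclass

LOCAL_FILE_HEADER = b"PK\x03\x04"   # first bytes of every zip entry
CENTRAL_DIR_HEADER = b"PK\x01\x02"  # first bytes of the central directory
EOCD_SIGNATURE = b"PK\x05\x06"      # end-of-central-directory record
EOCD_FIXED_SIZE = 22                # EOCD without its optional comment


@dataclass
class CarvedZip:
    start: int    # offset of the first local file header
    end: int      # exclusive end: EOCD offset + 22 + comment length
    data: bytes


def _eocd_belongs_to(blob: bytes, start: int, eocd: int) -> bool:
    """A genuine EOCD for the archive at `start` stores a central-directory
    offset (relative to `start`) and size that land exactly on the EOCD."""
    cd_size, cd_offset = struct.unpack_from("<II", blob, eocd + 12)
    cd_abs = start + cd_offset
    return (blob[cd_abs:cd_abs + 4] == CENTRAL_DIR_HEADER
            and cd_abs + cd_size == eocd)


def _find_eocd(blob: bytes, start: int) -> int:
    """Offset of the EOCD matching the archive at `start`, or -1."""
    eocd = blob.find(EOCD_SIGNATURE, start)
    while eocd != -1 and eocd + EOCD_FIXED_SIZE <= len(blob):
        if _eocd_belongs_to(blob, start, eocd):
            return eocd
        eocd = blob.find(EOCD_SIGNATURE, eocd + 1)   # stray signature, keep looking
    return -1


def carve_zips(blob: bytes) -> list[CarvedZip]:
    """Every archive in `blob`, each cut at its real end (EOCD + comment)."""
    found = []
    pos = 0
    while (start := blob.find(LOCAL_FILE_HEADER, pos)) != -1:
        eocd = _find_eocd(blob, start)
        if eocd == -1:
            pos = start + 1          # not the start of a complete archive
            continue
        comment_len = struct.unpack_from("<H", blob, eocd + 20)[0]
        end = min(eocd + EOCD_FIXED_SIZE + comment_len, len(blob))
        found.append(CarvedZip(start, end, blob[start:end]))
        pos = end                    # skip anything nested inside this archive
    return found


def gaps_between(blob: bytes, zips: list[CarvedZip]) -> list[tuple[int, bytes]]:
    """(offset, bytes) for every run of bytes outside the carved archives."""
    gaps, cursor = [], 0
    for z in zips:
        if z.start > cursor:
            gaps.append((cursor, blob[cursor:z.start]))
        cursor = z.end
    if cursor < len(blob):
        gaps.append((cursor, blob[cursor:]))
    return gaps


def open_carved(z: CarvedZip) -> zipfile.ZipFile:
    return zipfile.ZipFile(io.BytesIO(z.data))


def _make_zip(name: str, payload: bytes, comment: bytes = b"") -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
        zf.comment = comment         # exercises the variable-length EOCD tail
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed container (not the CTF file): a PNG-like prefix, two stored
    archives, a few bytes between them and a trailer."""
    return (b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
            + _make_zip("cat1.jpg", b"\xff\xd8\xff\xe0" + b"J" * 100)
            + b"\x00between-the-structs"
            + _make_zip("cat2.jpg", b"\xff\xd8\xff\xe0" + b"P" * 100, b"moon")
            + b"trailer")


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    zips = carve_zips(blob)
    for i, z in enumerate(zips, 1):
        print(f"zip {i}: {z.start}-{z.end} ({z.end - z.start} bytes) "
              f"entries={open_carved(z).namelist()}")
        if len(sys.argv) > 1:
            with open(f"carved_{i}.zip", "wb") as fh:
                fh.write(z.data)
    for off, data in gaps_between(blob, zips):
        print(f"gap at {off}: {len(data)} bytes {data[:24]!r}")
```

Run it without arguments for the constructed sample, or with the container file as argument to write carved_1.zip, carved_2.zip, ... beside it and print every gap. In the hexdump above, flagged.txt sits right after the 22-byte EOCD record, which is exactly such a gap, so a carve that stops at binwalk's "End of Zip archive" offset never sees it.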

I tried to extract all four flag-zip files, but either I made a mistake doing so or I didn't figure out how to work with the extracted zip files. I decided to move on and work on the other CTFs again.

-=-