Sunshine CTF 2016 writeups
This weekend was Sunshine CTF 2016. I didn't spend much time on this CTF, because there were two other CTFs running at the same time. So this blog post contains writeups for two easy forensic challenges (and an idea for a third):
- Butterfly Effect
- That's No Moon
- Idea for Get Gud Kid
Butterfly Effect
Points: 50
Judges: meowmeow
Link: http://ctf.bsidesorlando.org/static/uploads/5676ebc69d9abdf9df4a39728f558100/butterfly.png
After downloading the image, neither file nor binwalk shows anything suspicious such as hidden data. Opening the file with GIMP shows us a butterfly.
Using the Colors->Curves menu we open the color curves. Moving the start of the 'Value' curve to the bottom right corner reveals the flag on the image.
Flag:
sun{RE4DY_THE_4CID_M4GNET!}
That's No Moon
Points: 50
Judges: meowmeow
Link: http://ctf.bsidesorlando.org/static/uploads/213d461c72e1db462eb6e54c612f3fcf/moon.png
After downloading the file, we see that it's a PNG file:
$> file moon.png
moon.png: PNG image data, 600 x 593, 8-bit/color RGB, non-interlaced
However, viewing it doesn't show anything interesting, and applying the tricks from Butterfly Effect doesn't help either.
Let's see if there is anything hidden in the file:
$> strings moon.png | grep flag
flag.txtUT
flag.txtUT
Okay, so there's definitely more than just a PNG file. Using binwalk we find a zip file:
$> binwalk moon.png
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 600 x 593, 8-bit/color RGB, non-interlaced
290 0x122 Unix path: /www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef=
944 0x3B0 Zlib compressed data, best compression
411781 0x64885 Zip archive data, encrypted at least v1.0 to extract, compressed size: 35, uncompressed size: 23, name: flag.txt
411976 0x64948 End of Zip archive
All data from offset 0 to 411781 is part of the PNG, but a zip file starts at offset 411781. Let's extract it:
$> dd if=./moon.png of=./moon.zip skip=411781 bs=1
217+0 Datensätze ein
217+0 Datensätze aus
217 bytes copied, 0,00834137 s, 26,0 kB/s
$> file moon.zip
moon.zip: Zip archive data, at least v1.0 to extract
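The dd offset above comes from binwalk, but the PNG format itself tells you where the image ends: a decoder stops at the IEND chunk, so anything after it is a trailer no viewer ever renders. The script below is an added example (not part of the original writeup) that walks the chunk list, checks each chunk's CRC and returns the trailer, which is exactly the byte range dd copied. It builds its own tiny PNG and appends a zip archive with a constructed flag.txt, so it runs offline; the flag text and member name are made up for the example. Two checks worth keeping in mind: binwalk's "End of Zip archive" offset is where the 22-byte end-of-central-directory record begins, not where the file ends (411998 - 411976 = 22, which is why dd copied 217 bytes rather than 411976 - 411781 = 195), and a PNG whose trailer is non-empty is itself the indicator, whatever the trailer contains.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data: bytes) -> int:
    """Walk the PNG chunk list and return the offset just past the IEND chunk.

    Each chunk is: 4-byte big-endian length, 4-byte type, payload, and a
    4-byte CRC computed over type + payload. A decoder stops at IEND, so the
    returned offset is where any appended data begins.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4
        if chunk_end > len(data):
            raise ValueError("truncated %r chunk at offset %d" % (ctype, pos))
        stored_crc = struct.unpack(">I", data[chunk_end - 4:chunk_end])[0]
        if stored_crc != zlib.crc32(data[pos + 4:chunk_end - 4]) & 0xFFFFFFFF:
            raise ValueError("bad CRC in %r chunk at offset %d" % (ctype, pos))
        pos = chunk_end
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def carve_trailer(data: bytes):
    """The dd step, driven by the chunk structure: returns (png_length, trailer)."""
    end = png_end_offset(data)
    return end, data[end:]


# --- constructed sample input (not the challenge file) -----------------------

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def make_png(width: int = 2, height: int = 2) -> bytes:
    """Minimal valid 8-bit RGB PNG: every pixel red, filter type 0 on each row."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def build_sample() -> bytes:
    """A PNG with a zip archive appended after IEND, like moon.png."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.txt", "sun{constructed_example_flag}")  # constructed content
    return make_png() + buf.getvalue()


def demo(data: bytes):
    """Carve the trailer and read the archive: (png_length, member names, flag text)."""
    end, trailer = carve_trailer(data)
    with zipfile.ZipFile(io.BytesIO(trailer)) as zf:
        return end, zf.namelist(), zf.read("flag.txt").decode()


if __name__ == "__main__":
    print(demo(build_sample()))
```

The sample archive is unencrypted because Python's zipfile cannot write password-protected members; for a traditionally encrypted archive like the one in the challenge, pass the guess as bytes, i.e. zf.read("flag.txt", pwd=b"moon"). Note that zipfile would also open moon.png directly, since it locates the archive from the end-of-central-directory record at the end of the file rather than from the start; carving is still useful to know exactly which bytes belong to the PNG and which do not.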
When trying to extract the contents, it asks us for a password, but moon is a good guess.
$> unzip moon.zip
Archive: moon.zip
[moon.zip] flag.txt password:
extracting: flag.txt
$> cat flag.txt
sun{0kay_it_is_a_m00n}
Get Gud Kid
Points: 300
Judges: lessneaky
Find the flag. It'll only match the format after some work.
Hint: Read between the structs
When I started the challenge, there was no hint and I didn't finish it. Binwalk will detect several zip files:
$> binwalk get_gud_kid.dat
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
179 0xB3 Zip archive data, at least v2.0 to extract, compressed size: 368461, uncompressed size: 368461, name: cat1.jpg
368732 0x5A05C End of Zip archive
368775 0x5A087 Zip archive data, at least v2.0 to extract, compressed size: 410227, uncompressed size: 410227, name: cat2.jpg
779094 0xBE356 End of Zip archive
779137 0xBE381 Zip archive data, at least v2.0 to extract, compressed size: 149229, uncompressed size: 149229, name: cat3.jpg
928458 0xE2ACA End of Zip archive
928501 0xE2AF5 Zip archive data, at least v2.0 to extract, compressed size: 617166, uncompressed size: 617166, name: cat4.jpg
1545759 0x17961F End of Zip archive
1545802 0x17964A Zip archive data, at least v2.0 to extract, compressed size: 375400, uncompressed size: 375400, name: cat5.jpg
1921294 0x1D510E End of Zip archive
1921337 0x1D5139 Zip archive data, at least v2.0 to extract, compressed size: 361267, uncompressed size: 361267, name: cat6.jpg
2282696 0x22D4C8 End of Zip archive
2282739 0x22D4F3 Zip archive data, at least v2.0 to extract, compressed size: 509269, uncompressed size: 509269, name: cat7.jpg
2792100 0x2A9AA4 End of Zip archive
2792123 0x2A9ABB End of Zip archive
I started to extract all zip files using dd:
$> dd if=./get_gud_kid.dat of=./catX.zip skip=Y bs=1 count=Z
where:
- X is the i-th zip file
- Y is the zip's starting offset
- Z = Q - Y, where Q is the zip's ending offset
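The Y and Q values in that formula can be computed from the file itself instead of copied from binwalk: every zip archive ends with an end-of-central-directory record (the 50 4b 05 06 bytes binwalk reports as "End of Zip archive"), and that record stores the size and the archive-relative offset of the central directory, which is enough to find where the archive begins. The script below is an added example, not part of the original writeup, that does the whole dd loop in one pass; it builds its own concatenated input (filler bytes and stand-in "cat" members, all constructed for the example) so it runs offline. It also handles two things a plain signature grep gets wrong: the signature bytes can occur inside a stored member's data, and an archive with no members is nothing but the 22-byte record. One caveat about the formula as written: binwalk's "End of Zip archive" offset is the start of that record, so a carve with count=Q-Y stops 22 bytes (plus any archive comment) short of the real end, and the resulting file has no valid end-of-central-directory record.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"              # the 50 4b 05 06 bytes every zip archive ends with
EOCD_FMT = "<4sHHHHIIH"               # sig, disk no, cd disk, entries (disk), entries (total), cd size, cd offset, comment len
EOCD_LEN = struct.calcsize(EOCD_FMT)  # 22 bytes


def find_archives(data: bytes):
    """Locate every zip archive embedded in data; returns a list of (start, end, names).

    The central directory offset stored in the end-of-central-directory record
    is relative to the archive start, so:
        start = eocd_pos - cd_size - cd_offset         (Y in the writeup)
        end   = eocd_pos + EOCD_LEN + comment_length   (Q in the writeup, plus the record itself)
    A candidate whose slice zipfile cannot open is a signature that merely
    occurs inside some member's data and is skipped.
    """
    found = []
    pos = 0
    while (idx := data.find(EOCD_SIG, pos)) != -1:
        pos = idx + 1                                    # by default, keep scanning past this candidate
        if idx + EOCD_LEN > len(data):
            break
        _, _, _, _, _, cd_size, cd_offset, comment_len = struct.unpack(EOCD_FMT, data[idx:idx + EOCD_LEN])
        start = idx - cd_size - cd_offset
        end = idx + EOCD_LEN + comment_len
        if start < 0 or end > len(data):
            continue                                     # garbage fields: not a real record
        try:
            with zipfile.ZipFile(io.BytesIO(data[start:end])) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            continue
        found.append((start, end, names))
        pos = end                                        # the next archive can only begin after this one
    return found


def extract_members(data: bytes):
    """The dd loop plus unzip in one pass: {(archive_index, member_name): content}."""
    out = {}
    for i, (start, end, names) in enumerate(find_archives(data)):
        with zipfile.ZipFile(io.BytesIO(data[start:end])) as zf:
            for name in names:
                out[(i, name)] = zf.read(name)
    return out


# --- constructed sample input (not the challenge file) -----------------------

def make_zip(entries) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample() -> bytes:
    """Archives glued together with filler bytes (lengths chosen arbitrarily). The second
    one carries a decoy EOCD signature inside its stored data, and the third is an empty
    archive, i.e. nothing but a bare 22-byte end-of-central-directory record."""
    return (
        b"\x00" * 179
        + make_zip([("cat1.jpg", b"\xff\xd8\xff constructed stand-in for a jpeg")])
        + b"\x00" * 43
        + make_zip([("cat2.jpg", b"PK\x05\x06 not an EOCD record, just text")])
        + b"\x00" * 43
        + make_zip([])
        + b"\x00" * 43
        + make_zip([("cat3.jpg", b"more stand-in bytes")])
    )


if __name__ == "__main__":
    for start, end, names in find_archives(build_sample()):
        print("%8d %8d %s" % (start, end - start, names))
```

Run it on a real file with find_archives(open(path, "rb").read()); each tuple gives the skip and count values for dd directly, with the record included. Nested archives (zips inside the carved members) are just another call to find_archives on the member bytes returned by extract_members.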
Opening a zip file leads to even more cat pictures, but no flag.
So I grepped for flag and got this result:
$> grep -r flag ./*
Übereinstimmungen in Binärdatei ./cat2.zip.
Übereinstimmungen in Binärdatei ./cat4.zip.
Übereinstimmungen in Binärdatei ./cat5.zip.
Übereinstimmungen in Binärdatei ./cat6.zip.
Übereinstimmungen in Binärdatei ./get_gud_kid.dat.
I just realized that I made a mistake while extracting the zips, so this grep may be incorrect, as well as the following part of this writeup :(
Binwalk to the rescue!
$>DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 Zip archive data, at least v2.0 to extract, compressed size: 410227, uncompressed size: 410227, name: cat2.jpg
410319 0x642CF End of Zip archive
410362 0x642FA Zip archive data, at least v2.0 to extract, compressed size: 149229, uncompressed size: 149229, name: cat3.jpg
559683 0x88A43 End of Zip archive
559764 0x88A94 JPEG image data, JFIF standard 1.01
At this point it started to get boring, and I didn't want to extract even more zips and cat pictures. I did it one last time, but the archives only contained the cat pictures. But grep found 'flag' somewhere in the cat2.zip file. Maybe a hexdump will help us:
$> hexdump -C cat2.zip | grep "agg" -A 0 -B 3
000642c0 00 b6 81 00 00 00 00 63 61 74 32 2e 6a 70 67 50 |.......cat2.jpgP|
000642d0 4b 05 06 00 00 00 00 01 00 01 00 36 00 00 00 99 |K..........6....|
000642e0 42 06 00 00 00 00 1d 00 00 00 0b 00 00 00 66 6c |B.............fl|
000642f0 61 67 67 65 64 2e 74 78 74 63 50 4b 03 04 14 00 |agged.txtcPK....|
Okay, there's our flagged.txt, and right before it we see PK, or 50 4b 05 06. That's the magic number (the end-of-central-directory signature) an empty zip archive consists of.
I tried to extract all four flag-zip files, but either I made a mistake doing so or I didn't figure out how to work with the extracted zip files. I decided to move on and work on the other CTFs again.