DUCTF Writeups
Last weekend, I heard that there was a Capture The Flag event taking place - Down Under CTF. Although I had made other plans, I spent a few hours completing some of the "Easy" challenges for fun. Below are some challenge solution writeups.
Forensics
How To Pronounce GIF
The official writeup can be viewed at this link.
The challenge description is as follows:
Our machine that makes QR Codes started playing up then it just said
"PC LOAD LETTER" and died. This is all we could recover...
Author: xXl33t_h@x0rXx
A lone file was provided - challenge.gif.
This file contains multiple QR codes, split over separate frames. The first step is to extract these. Starting in a directory containing challenge.gif, I used ImageMagick's -coalesce to split the file into individual frames, with zero padding for the frame numbers.
$ mkdir frames; cd frames
$ convert -coalesce ../challenge.gif "qr-%03d.png"
$ ls | wc -l
120
$ ls | head -n1
qr-000.png
$ ls | tail -n1
qr-119.png
There were 120 frames within the GIF file, which were numbered 000 through 119 in the output file names.
After viewing these frames, I determined that there were exactly 10 QR codes present, interleaved in order. This made the following steps easier to complete.
I wrote a quick Bash loop to perform two steps for each QR code.
- Firstly, separate each QR code's frames into a directory for each. This can be done using only the last digit of the number in the filename, since we are dividing by 10.
- Next, enter that directory, and merge the QR code using ImageMagick's -smush. The files are appended to each other vertically in the correct order thanks to the zero padding of the number in the filenames. If that zero padding were not added, the files would be appended in the order qr-1.png, qr-101.png, qr-11.png, qr-111.png, qr-21.png, and so on, which would shuffle the first few lines of the output image around.
$ for num in {0..9}; do
    convert qr-*$num.png -smush -1 ../out-qr-$num.jpg;
    rm qr-*$num.png;
  done
This assembles the ten QR code images. In order to decode them, I used the zbarimg tool, which can usually be installed on Linux as a part of the zbar or zbar-tools package provided by your distribution.
$ zbarimg -q --raw out-qr-*.jpg
The princess is in another castle
https://bit.ly/3Afouex
f0ll0w 7h3 wh173 r4bb17
https://bitly.com/98K8eH
(\(\
( -.-)
o_(")(")
RFVDVEZ7YU1
https://bit.ly/2YOdoPM
fMV9oYVhYMHJfbjB3P30=
( )( )
(O.O)
o_(")(")
https://www.youtube.com/watch?v=N1AL2EMvVy0
Two sequences of characters stand out as being encoded text. Specifically, they look like base64. Separately, they do not produce the entire flag, but together...
$ base64 -d <(printf "RFVDVEZ7YU1fMV9oYVhYMHJfbjB3P30=")
DUCTF{aM_1_haXX0r_n0w?}
Misc
Rabbit
The official solution can be viewed at this link.
The challenge description is as follows:
Can you find Babushka's missing vodka? It's buried pretty deep, like 1000 steps, deep.
Author: Crem + z3kxTa
A file called flag.txt was provided.
The file provided was a bzip2-encoded archive, which contained many more archives, with a flag as the reward for reaching the end. The layered archives used a random assortment of xz, gzip, bzip2, and zip encodings.
I completed this challenge with a Bash one-liner, starting in a directory containing only flag.txt. This is thanks to the wonderful and extremely useful multi-format support of p7zip.
Note that it is worth completing these types of challenges within a tmpfs, in order to prevent wear and tear on your storage device.
$ while 7z x flag.txt -so > flag 2>/dev/null; do
    mv flag flag.txt;
  done && base64 -d flag.txt && rm flag
DUCTF{babushkas_v0dka_was_h3r3}
This loop uses the -so flag of 7z to continually extract any file contained within the archive flag.txt into a file called flag, and replaces the flag.txt file with the new flag file. This continues until the 7z command returns an error code. Since 7z can extract all four archive formats in use, any error will be due to flag.txt no longer containing an archive file. At that point, the loop breaks, and the base64-encoded flag is decoded and printed, while the empty flag file is removed.
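The same layer-peeling idea as an added Python example (not part of the original writeup): it identifies each layer by its magic bytes rather than by 7z's exit code, and caps both the layer count and the per-layer output size so an untrusted nested archive cannot exhaust memory or disk. The caps, function names and the sample payload are assumptions constructed for illustration.

```python
import base64, bz2, gzip, io, lzma, zipfile

MAX_LAYERS = 2000          # assumed cap; the challenge text hints at about 1000 layers
MAX_BYTES = 16 * 1024**2   # assumed per-layer output cap (decompression-bomb guard)

def _read_capped(stream):
    # Read one byte past the cap so an oversized layer is detected, not truncated.
    data = stream.read(MAX_BYTES + 1)
    if len(data) > MAX_BYTES:
        raise ValueError("layer exceeds size cap")
    return data

def peel(data):
    """Return (format, payload) for one layer, or (None, data) if not an archive."""
    if data.startswith(b"BZh"):
        return "bzip2", _read_capped(bz2.BZ2File(io.BytesIO(data)))
    if data.startswith(b"\x1f\x8b"):
        return "gzip", _read_capped(gzip.GzipFile(fileobj=io.BytesIO(data)))
    if data.startswith(b"\xfd7zXZ\x00"):
        return "xz", _read_capped(lzma.LZMAFile(io.BytesIO(data)))
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if len(names) != 1:
                raise ValueError("expected exactly one member per zip layer")
            with zf.open(names[0]) as member:
                return "zip", _read_capped(member)
    return None, data

def unwrap(data):
    """Peel layers until the payload is no longer a recognised archive."""
    seen = []
    for _ in range(MAX_LAYERS):
        fmt, data = peel(data)
        if fmt is None:
            return data, seen
        seen.append(fmt)
    raise ValueError("layer cap reached")

def build_sample():
    """Constructed sample: base64 text wrapped in one layer of each format."""
    blob = base64.b64encode(b"EXAMPLE{constructed_sample}")
    blob = gzip.compress(lzma.compress(blob))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.txt", blob)
    return bz2.compress(buf.getvalue())

if __name__ == "__main__":
    print(unwrap(build_sample()))
```

Everything is processed in memory, so no intermediate files are written and a member name inside a zip layer is never used as a filesystem path.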
That's all I have written about so far. Unfortunately, I missed out on completing the more challenging puzzles available in this competition this year. I still enjoyed the time I spent on this CTF, and look forward to competing again in future.