DUCTF Writeups

Published on 2021-10-02 by molzy

Last weekend, I heard that there was a Capture The Flag event taking place - Down Under CTF. Although I had made other plans, I spent a few hours completing some of the "Easy" challenges for fun. Below are some challenge solution writeups.


Forensics

How To Pronounce GIF

The official writeup can be viewed at this link.

The challenge description is as follows:

Our machine that makes QR Codes started playing up then it just said 
"PC LOAD LETTER" and died. This is all we could recover...

Author: xXl33t_h@x0rXx

A lone file was provided - challenge.gif.


This file contains multiple QR codes, split over separate frames. The first step is to extract these. Starting in a directory containing challenge.gif, I used ImageMagick's -coalesce option to split the file into individual frames, with zero padding for the frame numbers.

bash
$ mkdir frames; cd frames
$ convert -coalesce ../challenge.gif "qr-%03d.png"
$ ls | wc -l
120
$ ls | head -n1
qr-000.png
$ ls | tail -n1
qr-119.png

There were 120 frames within the GIF file, which were numbered 000 through 119 in the output file names.

After viewing these frames, I determined that there were exactly 10 QR codes present, interleaved in order. This made the following steps easier to complete.

I wrote a quick Bash loop to perform two steps for each QR code.

bash
$ for num in {0..9}; do
      convert qr-*$num.png -smush -1 ../out-qr-$num.jpg; 
      rm qr-*$num.png;
  done

This assembles the ten QR code images. In order to decode them, I used the zbarimg tool, which can usually be installed on Linux as a part of the zbar or zbar-tools package provided by your distribution.

bash
$ zbarimg -q --raw out-qr-*.jpg
The princess is in another castle
https://bit.ly/3Afouex
f0ll0w 7h3 wh173 r4bb17
https://bitly.com/98K8eH
(\(\
( -.-)
o_(")(")
RFVDVEZ7YU1
https://bit.ly/2YOdoPM
fMV9oYVhYMHJfbjB3P30=
( )( )
(O.O)
o_(")(")
https://www.youtube.com/watch?v=N1AL2EMvVy0

Two sequences of characters stand out as being encoded text. Specifically, they look like base64. Separately, they do not produce the entire flag, but together...

bash
$ base64 -d <(printf "RFVDVEZ7YU1fMV9oYVhYMHJfbjB3P30=")
DUCTF{aM_1_haXX0r_n0w?}

Misc

Rabbit

The official solution can be viewed at this link.

The challenge description is as follows:

Can you find Babushka's missing vodka? It's buried pretty deep, like 1000 steps, deep.

Author: Crem + z3kxTa

A file called flag.txt was provided.


The file provided was a bzip2 encoded archive, which contained many more archives, with a flag as the reward for reaching the end. The layered archives used a random assortment of xz, gzip, bzip2, and zip encodings.

I completed this challenge with a Bash one-liner, starting in a directory containing only flag.txt. This is thanks to the wonderful and extremely useful multi-format support of p7zip. Note that it is worth completing these types of challenges within a tmpfs, in order to prevent wear and tear on your storage device.

bash
$ while 7z x flag.txt -so > flag 2>/dev/null; do 
      mv flag flag.txt;
  done && base64 -d flag.txt && rm flag
DUCTF{babushkas_v0dka_was_h3r3}

This loop uses the -so flag of 7z to continually extract any file contained within the archive flag.txt into a file called flag, and replaces the flag.txt file with the new flag file. This continues until the 7z command returns an error code. Since 7z can extract all four archive formats in use, any error will be due to flag.txt no longer containing an archive file. At that point, the loop breaks, and the base64 encoded flag is printed, while the empty flag file is removed.
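The same layer-peeling loop can be written in Python, identifying each layer by its magic bytes instead of relying on the 7z exit code, and working entirely in memory so nothing is written to disk. This is an added example, not code from the original writeup. The function names, the layer limit and the sample input are assumptions made for illustration.

```python
import base64, bz2, gzip, io, lzma, zipfile

# Magic-byte prefixes of the four formats named in the writeup.
MAGIC = ((b"BZh", "bzip2"), (b"\x1f\x8b", "gzip"),
         (b"\xfd7zXZ\x00", "xz"), (b"PK\x03\x04", "zip"))

def sniff(data):
    """Return the format name of a blob, or None if it is not an archive."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return None

def unwrap_once(data, kind):
    """Remove exactly one layer of the given kind."""
    if kind == "bzip2":
        return bz2.decompress(data)
    if kind == "gzip":
        return gzip.decompress(data)
    if kind == "xz":
        return lzma.decompress(data)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(zf.namelist()[0])  # assumption: one member per layer

def peel(data, max_layers=2000):
    """Strip layers in memory until the payload is no longer an archive.
    Returns (payload, formats_seen); max_layers bounds hostile nesting."""
    seen = []
    while (kind := sniff(data)) is not None:
        if len(seen) >= max_layers:
            raise ValueError("layer limit reached")
        data = unwrap_once(data, kind)
        seen.append(kind)
    return data, seen

def build_sample(flag=b"FLAG{constructed_sample}", rounds=3):
    """Constructed input: base64 text wrapped in all four formats, repeated."""
    blob = base64.b64encode(flag)
    for _ in range(rounds):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("flag.txt", blob)
        blob = bz2.compress(lzma.compress(gzip.compress(buf.getvalue())))
    return blob

if __name__ == "__main__":
    payload, layers = peel(build_sample())
    print(len(layers), "layers ->", base64.b64decode(payload).decode())
```

The layer limit only caps nesting depth. Each layer is still fully decompressed in one call, so untrusted input of unknown size would also need a streaming decompressor with a byte budget.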


That's all I have written about so far. Unfortunately, I missed out on completing the more challenging puzzles available in this competition this year. I still enjoyed the time I spent on this CTF, and look forward to competing again in future.