NcN 2013 CTF Quals – Level 3

To access “Level 3” of the NcN CTF we first need to download the file (level.elf) the server offers. Running the program for the first time shows the following output:

[Image: NcN 2013 Quals - level 3 - program first run]

The binary waits for user input. After pressing one key, it denies access with the message “I DON’T THINK SO”. Maybe we need to press a different key from the one I pressed before. I tried all keys and finally got this result when pressing “SPACE”.

[Image: NcN 2013 Quals - Level 3 - First character found]

It displays an additional star to indicate that our first character (SPACE) was right. Pressing SPACE again makes the program fail again. What we need to do is recover the full passphrase. This can be achieved by brute forcing it – the same way we found the first character – or by analyzing the binary code.

A first look at the assembly code of the binary shows some obfuscation. So I decided that brute forcing the key would be much faster. The following Perl script does the job for us:

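#!/usr/bin/perl
use strict;
use warnings;

# Flush our own output immediately so it stays in order with the binary's output.
$| = 1;

# Prefix of the passphrase that has already been verified (may be empty).
my $found = defined $ARGV[0] ? $ARGV[0] : '';

# Append each candidate character (0x20 to 0x7f) and feed the result to the binary.
for my $i (0x20 .. 0x7f) {
  my $try = $found . chr($i);
  print "TRYING: $try ($i)\n";

  # The binary writes its verdict straight to the terminal.
  open(my $crack, '|-', './level.elf') or die "cannot run ./level.elf: $!";
  print $crack $try;
  close($crack);
}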

The script takes one argument containing the beginning of the string that we have already verified. It then appends each human-readable character to that string in turn and passes the result to the binary. The result is printed on the screen.

NcN 2013 CTF Quals – Level 2

Level 2 of NcN CTF offers a “level.apk” file for downloading. After fetching and extracting its contents, the folder res caught my attention.

There are 16 PNG files, each one a part of a QR code.

[Image: NcN 2013 Quals - Level 2 - QR Image]

The easiest way to solve the puzzle is to arrange the parts by hand without writing a script. After finishing the puzzle …

[Image: NcN 2013 Quals - Level 2 - Final QR Code]

… you only need to scan the QR code with any tool you like (in my case it was a smartphone), and there it is, the flag:

 788f5ff85d370646d4caa9af0a103b338dbe4c4bb9ccbd816b585c69de96d9da

Of course I could have written a script. But in my opinion that would only have been worthwhile if I had to solve more than one puzzle. In conclusion, it is only a diligent but routine piece of work.

NcN 2013 CTF Quals – Level 1

[Image: NcN 2013 Qualification - Level 1 - Task Description]

To get the key for “Access Level 1” we need to pass an authentication form. When trying to submit a key, we get the following reply:

[Image: NcN 2013 Quals - Level 1 - Invalid Password]

So we need to have a look at the source code of the password validation functions. First we look at the HTML (index.php). The interesting lines are these:

<script type="text/javascript" src="crypto.js"></script>

<form action="login.php" method="POST" onsubmit="return encrypt(this);">
  <input id="key" type="hidden" name="key" value="" />
  <input id="verification" type="hidden" name="verification" value="yes" />
</form>

As we can see, the page uses an external JavaScript file to validate the password. The next step is to examine this script file (crypto.js). It looks like this:

var _0x52ae=["\x66\x20\x6F\x28\x38\x29\x7B\x63\x20\x69...
...,"\x67"];eval(function (_0x7038x1,_0x7038x2,_0x7038x3..
...toString(36));};if(!_0x52ae[4][_0x52ae[6]](/^/,String)..
...[0],46,46,_0x52ae[3][_0x52ae[2]](_0x52ae[1]),0,{}));

The JavaScript uses many “eval” (evaluation) functions and confusing variable names, and is incredibly obfuscated overall. It cannot be read this way! So we need to make it readable again – ideally by evaluating the “eval” function to get the real plain source code. A very good way to do so is using raw SpiderMonkey – the Mozilla JavaScript engine:

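
As an added example (not the write-up's SpiderMonkey session and not code from crypto.js), the same idea can be shown in plain JavaScript: run the packed script with eval replaced by a recorder, so each decoded layer is captured as text instead of being executed. The sample script and the names hex, captureEvals, PLAIN, LAYER1 and SAMPLE are constructed for illustration.

```javascript
// Added example: recover eval-packed JavaScript by hooking eval.
// Every name below is an assumption of this example, not taken from crypto.js.

// Encode a string as \xNN escapes, the style the obfuscated string array uses.
const hex = (s) =>
  Array.from(s, (c) => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');

// Constructed sample: readable code wrapped in two eval layers.
const PLAIN = 'function encrypt(form){form.key.value="constructed-demo";return true;}';
const LAYER1 = 'var _0xb=["' + hex(PLAIN) + '"];eval(_0xb[0]);';
const SAMPLE = 'var _0xa=["' + hex(LAYER1) + '"];eval(_0xa[0]);';

// Run `source` with `eval` shadowed by a recorder. The decoder stub still
// executes (it has to, to build the string), but the decoded payload is
// only recorded, never handed to the real eval.
function captureEvals(source, maxLayers = 10) {
  const layers = [];
  // A sloppy-mode function may take a parameter named `eval`, which shadows
  // the built-in for every eval(...) call inside `code`.
  const run = (code) => new Function('eval', code)(recorder);
  function recorder(code) {
    if (typeof code !== 'string') return code; // real eval returns non-strings unchanged
    layers.push(code);
    // Peel further only while the payload is itself another eval wrapper.
    if (layers.length < maxLayers && /\beval\s*\(/.test(code)) run(code);
    return undefined;
  }
  run(source);
  return layers;
}

const layers = captureEvals(SAMPLE);
console.log(`${layers.length} layer(s) captured; final payload:`);
console.log(layers[layers.length - 1]);
```

The decoder stub runs with the privileges of the host engine, which is why an engine without DOM or network access, such as the bare SpiderMonkey shell, is a good place for this kind of analysis.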