NcN 2013 CTF Quals – Level 2

Level 2 of NcN CTF offers a “level.apk” file for downloading. After fetching and extracting its contents, the folder res arrested my attention.

There are 16 PNG files, each one a part of a QR code.

NcN 2013 Quals - Level 2 - QR Image

The easiest way to solve the puzzle is to arrange the parts by hand without writing a script. After finishing the puzzle …

NcN 2013 Quals - Level 2 - Final QR Code

… you only need to scan the QR code with any tool you like (in my case it was a smartphone), and there it is, the flag:

 788f5ff85d370646d4caa9af0a103b338dbe4c4bb9ccbd816b585c69de96d9da

Of course I could have written a script. But in my opinion it would only have been worth it if I had to solve more than one puzzle. In conclusion, it is only a diligent but routine piece of work.

NcN 2013 CTF Quals – Level 1

NcN 2013 Qualification - Level 1 - Task Description

To get the key for “Access Level 1” we need to pass an authentication form. When trying to submit a key, we get the following reply:

NcN 2013 Quals - Level 1 - Invalid Password

So we need to have a look into the source code of the password validation functions. First we look at the HTML (index.php). The interesting lines are these:

<script type="text/javascript" src="crypto.js"></script>

<form action="login.php" method="POST" onsubmit="return encrypt(this);">
  <input id="key" type="hidden" name="key" value="" />
  <input id="verification" type="hidden" name="verification" value="yes" />
</form>

As we can see, the page uses an external JavaScript file to validate the password. The next step is to examine this script file (crypto.js). It looks like this:

var _0x52ae=["\x66\x20\x6F\x28\x38\x29\x7B\x63\x20\x69...
...,"\x67"];eval(function (_0x7038x1,_0x7038x2,_0x7038x3..
...toString(36));};if(!_0x52ae[4][_0x52ae[6]](/^/,String)..
...[0],46,46,_0x52ae[3][_0x52ae[2]](_0x52ae[1]),0,{}));

The JavaScript uses many “eval” (evaluation) calls and confusing variable names, and is heavily obfuscated overall. It cannot be read this way! So we need to make it readable again – ideally by evaluating the “eval” call to get the real plain source code. A very good way to do so is using raw SpiderMonkey – the Mozilla JavaScript engine:
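The same idea as an added example (not code from the original post): instead of SpiderMonkey it uses Node.js's built-in vm module, shadows eval with a function that only records its argument, and peels nested layers until no eval( call remains. The packed sample and its check() payload are constructed for illustration and are not the CTF's crypto.js.

```javascript
// Added example: peel eval() layers without executing the final payload.
const vm = require('vm');

// Constructed sample (NOT the CTF's crypto.js): a Dean Edwards style packer
// stub whose payload is a hypothetical check() function.
const PACKED = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0 1(2){3 2=="4"}',5,5,'function|check|key|return|secret'.split('|'),0,{}))`;
// Wrap it in a second eval() layer to mimic nested obfuscation.
const SAMPLE = 'eval(' + JSON.stringify(PACKED) + ');';

// Returns the source text handed to eval() at each layer, outermost first.
function unpackEvalLayers(source, maxLayers = 10) {
  const layers = [];
  let current = source;
  // Only run a layer that still calls eval(); the first layer without it is
  // treated as the plain payload and is never executed.
  while (layers.length < maxLayers && /\beval\s*\(/.test(current)) {
    const captured = [];
    const sandbox = { hook: (code) => { captured.push(String(code)); } };
    // Shadow eval lexically: inside the wrapper, eval(...) calls the hook.
    const wrapped = '(function (eval) {' + current + '\n})(hook);';
    vm.runInNewContext(wrapped, sandbox, { timeout: 1000 });
    if (captured.length === 0) break; // eval( appears in text but was never called
    current = captured[captured.length - 1];
    layers.push(current);
  }
  return layers;
}

const layers = unpackEvalLayers(SAMPLE);
console.log(layers[layers.length - 1]);
```

Node's vm module is not a security boundary, and every statement in a layer other than the hooked eval still runs, so analyse untrusted scripts inside a disposable VM or container.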
