PoliCTF 2012 – Bin-Pwn 100

For the “Bin-Pwn 100” challenge we are given an archive together with a rather simple task description:

Retrieve the key!


So we work our way forward step by step: first we unpack the file and take a closer look at its contents:

rup0rt@linux:~/PoliCTF2012$ tar xfvz umad.tar.gz 

The archive contains header files of the JPEG library, the statically compiled JPEG library itself (libjpeg.a), a C++ source file “umad.cpp” and its Makefile. We first compile the source with the help of the Makefile to get an idea of the program's behaviour.

rup0rt@linux:~/PoliCTF2012$ make
g++ -o umad umad.cpp -L. -ljpeg

rup0rt@linux:~/PoliCTF2012$ ./umad 

rup0rt@linux:~/PoliCTF2012$ ls -lh
drwxr-xr-x 2 creeq creeq 4.0K May 26 00:23 jpeg
-rw-r--r-- 1 creeq creeq 1.4M Aug  8 16:11 libjpeg.a
-rw-r--r-- 1 creeq creeq   56 May 26 00:30 Makefile
-rw-r--r-- 1 creeq creeq  13K Nov 21 17:15 out.jpeg
-rwxr-xr-x 1 creeq creeq 422K Nov 21 17:15 umad
-rw-r--r-- 1 creeq creeq 3.3K May 26 10:51 umad.cpp

From the compile line in the Makefile we can see that both the JPEG header files and the static JPEG library are actually used for the build (-L. adds the current directory to the library search path, -ljpeg links libjpeg.a). Running the resulting program “umad” produces another file, “out.jpeg”, which we look at next.

[Image: PoliCTF 2012 - Bin-Pwn 100 - library image output]

Apart from the question “U MAD ?” there is nothing remarkable about this image. Looking at it at the binary level, it also appears to be an ordinary JPEG image. Inspecting the C++ source code and the header files does not reveal anything unusual either.

PoliCTF 2012 – Forensics 100

This challenge (Forensics 100) was a little bit weird but solvable. It said:

Retrieve the key.

Remember to write it in capital letters.

Attachment: 45141181944a722.tbz2.gpg (password: 310b44aab74809c6ec9dd026b9e8e59a5e401083)

After unpacking the attachment we got a challenge.pcap file. Opening it in Wireshark presented us with the capture of an SSH session to a (probably) Juniper device. Some Juniper devices tend to use SSHv1 until told otherwise, so the first shot would be to somehow break the encryption and use the provided key as the flag. There is a great tool for analyzing packet captures called Chaosreader; we use that to meet with the pcap file in private. Unfortunately, just submitting the extracted data did not work out, but halfway through we got a Perl script named session_0001.textSSH.replay. Here is what it looks like when we execute the script:

[Image: PoliCTF 2012 - Forensics 100 - timing (animated): replaying captured packets]

Looks like a pattern, doesn’t it? We take the 320 seconds it lasts to watch in astonishment and write down the pattern in a simpler way. Short transmissions become “.” and longer ones we write down as “-”. We now have:


This must be Morse code! Since Morse code is one of the codes where timing is everything, we have to watch the replay again to get the transmission pauses right. This is essential for decoding. We lean back for 320 seconds once again and are rewarded with:

.... --- .--. . -.-- --- ..- ...- . -... . . -. .- --. --- --- -.. -... --- -.-- ... -.-. --- ..- -

After translating the Morse code to characters we finally got our flag:


Yes, we were good boy scouts, the flag is ours!
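The two steps described above (turning short/long transmissions and pauses into Morse symbols, then decoding them) as an added Python example; this is not the authors' code. It assumes standard Morse timing ratios (dot 1 unit, dash 3, letter gap 3, word gap 7) and uses a constructed list of packet timings plus the Morse sequence recovered from the replay.

```python
# Added example, not from the original write-up: recover a Morse message from
# packet timings (as in the Forensics 100 replay) and decode it.
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
}

def timings_to_morse(events, unit):
    """Classify (on_seconds, silence_after_seconds) pairs into Morse symbols.
    Standard timing: dot 1 unit, dash 3; silence inside a letter 1 unit,
    between letters 3, between words 7. A replayed capture jitters, so the
    thresholds sit between the nominal values (2 and 5 units)."""
    out = []
    for i, (on, silence) in enumerate(events):
        out.append("." if on < 2 * unit else "-")
        if i == len(events) - 1:
            break                      # nothing follows the last signal
        if silence >= 5 * unit:
            out.append(" / ")          # word gap
        elif silence >= 2 * unit:
            out.append(" ")            # letter gap
    return "".join(out)

def decode_morse(code):
    """Decode space-separated Morse letters; '/' separates words."""
    words = [w.split() for w in code.split("/")]
    return " ".join("".join(MORSE.get(s, "?") for s in w) for w in words)

# Constructed timings (unit = 0.5 s, with jitter) spelling "GOOD BOY".
UNIT = 0.5
SAMPLE_EVENTS = [
    (1.4, 0.5), (1.6, 0.5), (0.5, 1.5),              # G  --.
    (1.5, 0.6), (1.5, 0.4), (1.5, 1.6),              # O  ---
    (1.5, 0.5), (1.5, 0.5), (1.5, 1.5),              # O  ---
    (1.5, 0.5), (0.5, 0.5), (0.4, 3.6),              # D  -..  then a word gap
    (1.5, 0.5), (0.5, 0.5), (0.5, 0.5), (0.5, 1.5),  # B  -...
    (1.5, 0.5), (1.5, 0.5), (1.5, 1.5),              # O  ---
    (1.5, 0.5), (0.5, 0.5), (1.5, 0.5), (1.5, 0.0),  # Y  -.--
]

# The Morse sequence recovered from the SSH replay in the write-up.
PAGE_MORSE = (".... --- .--. . -.-- --- ..- ...- . -... . . -. .- --. --- --- "
              "-.. -... --- -.-- ... -.-. --- ..- -")

if __name__ == "__main__":
    print(decode_morse(timings_to_morse(SAMPLE_EVENTS, UNIT)))
    print(decode_morse(PAGE_MORSE))
```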

Note: This challenge was downgraded to 75 points after a while.

PoliCTF 2012 – GrabBag 100

GrabBag 100 was this CTF’s loss leader and an easy one if you are familiar with the legendary Hackers movie from 1995 starring Jonny Lee Miller, Angelina Jolie and Jesse Bradford. The assignment read:

We need your help to hack the planet!!! Somehow we have lost a little chunk of the garbage file. We just need 4 bytes starting from address 0x000020. Please help us!!!

(Hint: in hex, lowercase, without leading 0x)

To solve the challenge just grab your old copy of Hackers you’re still hiding somewhere, power up the VHS recorder and forward to the scene where Cereal Killer opens Plague’s garbage file. The file gets hexdumped for a blink of an eye; here’s a shot:

[Image: PoliCTF 2012 - GrabBag 100 - Hackers movie garbage file: hexdumping the garbage file]

Starting from 0x20 we read four bytes as advised: 3dc6032c was the flag.

Never send a boy to do a woman’s job. (Kate)