nopedawn

ARA CTF 2023

https://www.its-ara.com/public/


Team

UDP1P

  • usr
  • gochujjang
  • kacang ijooo

Challs

CategoryChallenge
ForensicsThinker
CryptographyOne Time Password
CryptographySecret Behind a Letter
CryptographyL0v32x0r
CryptographySH4-32
Cryptographybabychall
MiscTruth

Thinker

Deskripsi

I always overthink about finding other part of myself, can you help me?
Attachments
Author: Zangetsu#2398

Diberikan sebuah file gambar confused.png

Setelah kami cek isi stringnya ternyata setelah diakhir segment IEND ada beberapa file berekstensi .zip .txt dan .png

bash
$ strings confused.png
IEND
        _GV
didyou/UT
=GFV
didyou/e.txtUT
QVJBMjAyM3s=
didyou/find.zipUT
find/UT
HFV/C
find/a.txtUT
35216D706C335F
find/something.zipUT
something/UT
something/s.txtUT
p^GV
something/suspicious.zipUT
4^GV
suspicious/UT
suspicious/y.pngUT

Maka dari itu kami mencoba meng-extract menggunakan binwalk berikut command ketika meng-extractnya

bash
$ binwalk -e confused.png

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 720 x 881, 8-bit/color RGB, non-interlaced
6170          0x181A          Zlib compressed data, best compression
321663        0x4E87F         TIFF image data, big-endian, offset of first image directory: 8
321693        0x4E89D         Zip archive data, at least v1.0 to extract, name: didyou/
321758        0x4E8DE         Zip archive data, at least v1.0 to extract, compressed size: 13, uncompressed size: 13, name: didyou/e.txt
321841        0x4E931         Zip archive data, at least v1.0 to extract, compressed size: 10568, uncompressed size: 10568, name: didyou/find.zip
332460        0x512AC         End of Zip archive, footer length: 22
332726        0x513B6         End of Zip archive, footer length: 22

Terdapat zipfile 4E89D.zip berisi folder didyou didalamnya, langsung saja di extract lagi

Setelah di extract terdapat zipfile find.zip dan juga ada file e.txt berisi string base64, jika di decode hasil outputnya ARA2023{

bash
$ echo 'QVJBMjAyM3s=' | base64 -d
ARA2023{

Kemudian ada zipfile lagi 🙃 something.zip dan juga ada file a.txt berisi hexstring jika didecode 5!mpl3_

bash
$ python3
>>> bytes.fromhex('35216D706C335F').decode('utf-8')
'5!mpl3_'
>>>

lagi-lagi… ada zipfile suspicious.zip dan file s.txt berisi 8 bits binary didecode hasil didecodenya C0rrupt3d_

bash
$ python3
>>> bin = '01000011 00110000 01110010 01110010 01110101 01110000 01110100 00110011 01100100 01011111'
>>> ascii_str = ''
>>> for i in bin.split():
...     decimal = int(i, 2)
...     ascii_char = chr(decimal)
...     ascii_str += ascii_char
...
>>> print(ascii_str)
C0rrupt3d_
>>>

Dan pada zipfile terakhir suspicious.zip berisi file gambar y.png yang ternyata gambarnya corrupted

Setelah kami cek menggunakan hex editor, berikut hex value segment header yang corrupted

bash
$ xxd y.png
00000000: 215a 7852 0d0a 1a0a 0000 000d 5252 485c  !ZxR........RRH\

File signature dan segment headernya ternyata !ZxR yang dimana seharunya %PNG dan RRH\ seharusnya IHDR

Berikut perbandingan dengan header png yang normal

00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452  .PNG........IHDR

Kita bisa mengubah file signature 1 bit hex value 21 5a 78 52 menjadi 89 50 5e 52
Lalu ubah segment header 1 bit hex value 52 52 48 5c menjadi 49 48 44 52 seperti berikut

bash
$ hexedit y.png
00000000   89 50 4E 47  0D 0A 1A 0A  00 00 00 0D  49 48 44 52  00 00 02 BD  00 00 00 90  .PNG........IHDR........

Setelah diubah file signature dan header gambar kemudian file png dapat di display, pada gambar berisi angka decimal 49 109 52 103 101 53 125 jika di decode hasilnya _1m4ge5}

bash
$ python3
>>> dec = '49 109 52 103 101 53 125'
>>> dec_list = dec.split()
>>> ascii_list = [chr(int(i)) for i in dec_list]
>>> ascii_str = ''.join(ascii_list)
>>> print(ascii_str)
1m4ge5}
>>>
Flag

ARA2023{5!mpl3_C0rrupt3d_1m4ge5}


One Time Password

Deskripsi

bwoah, some innovative challenges
Attachments
Author: circlebytes#5520

Diberikan sebuah chall crypto xor dengan A, B key dan xor key ber-value hexadecimal yang mana bisa gunakan untuk mendapatkan flagnya

Sebenarnya jika kita decode XOR key, maka kita langsung dapat flagnya

bash
$ python3
>>> bytes.fromhex('415241323032337b7468335f705f3574346e64355f6630725f7034647a7a7d').decode('ascii')
'ARA2023{th3_p_5t4nd5_f0r_p4dzz}'
>>>
Flag

ARA2023{th3_p_5t4nd5_f0r_p4dzz}


Secret Behind a Letter

Deskripsi

Melon and Edith went to an labyrinth and they should break the code written on a letter in a box in order to escape the labyrinth.
Open the letter and break the code
Attachments
Author: L e n s#1048

Challenge basic RSA yang diberikan (p, q, c) key yg sudah ada implementasi dari dekripsi RSA untuk mendekripsi encrypted text c dengan menggunakan private key yang terdiri dari nilai (p, q, dan d) serta nilai (e) sebagai private keynya.

solver.py
 1from Crypto.Util.number import inverse
 2
 3p = 12575333694121267690521971855691638144136810331188248236770880338905811883485064104865649834927819725617695554472100341361896162022311653301532810101344273 
 4q = 12497483426175072465852167936960526232284891876787981080671162783561411521675809112204573617358389742732546293502709585129205885726078492417109867512398747 
 5c = 36062934495731792908639535062833180651022813589535592851802572264328299027406413927346852454217627793315144892942026886980823622240157405717499787959943040540734122142838898482767541272677837091303824669912963572714656139422011853028133556111405072526509839846701570133437746102727644982344712571844332280218
 6e = 65537
 7
 8n = p*q
 9phi_n = (p-1)*(q-1)
10d = inverse(e, phi_n)
11
12m = pow(c, d, n)
13print(m.to_bytes((m.bit_length() + 7) // 8, 'big').decode())
Flag

ARA2023{1t_turn5_0ut_to_b3_an_rsa}


L0v32x0r

Deskripsi

Vonny and Zee were having a treasure hunt game until they realized that one of the clues was a not alike the other clues as it has a random text written on the clue.
The clue was “001300737173723a70321e3971331e352975351e247574387e3c”.
Help them to find what the hidden clue means!
Author: L e n s#1048

Penyelesaian, kita diminta untuk men decrypt encrypted text yang diberikan, tanpa XOR key nya, kita bisa saja mem brute-force kemungkinan range 0-256 key

solver.py
 1encrypted_text = "001300737173723a70321e3971331e352975351e247574387e3c"
 2encrypted_bytes = bytes.fromhex(encrypted_text)
 3
 4for key in range(256):
 5    decrypted_bytes = bytes([b ^ key for b in encrypted_bytes])
 6    try:
 7        decrypted_text = decrypted_bytes.decode('utf-8')
 8    except UnicodeDecodeError:
 9        continue
10
11    print(f"Key: {key}, Decrypted text: {decrypted_text}")

Maka didapatlah key yang cocok yaitu 65

Flag

ARA2023{1s_x0r_th4t_e45y?}


SH4-32

Deskripsi

Sze received an ecnrypted file and a message containing the clue of the file password from her friend.
The clue was a hash value : 9be9f4182c157b8d77f97d3b20f68ed6b8533175831837c761e759c44f6feeb8
Decrypt the file password!
Attachments
Author: L e n s#1048

Kita diminta untuk men decrypt encrypted text sebuah hash value dengan file text berisi list Dictionary.txt

solver.py
 1import hashlib
 2import codecs
 3
 4target_hash = '9be9f4182c157b8d77f97d3b20f68ed6b8533175831837c761e759c44f6feeb8'
 5
 6with open('Dictionary.txt', 'r', encoding='utf-8', errors='ignore') as f:
 7    passwords = f.readlines()
 8
 9for password in passwords:
10    password = password.strip()
11    hashed_password = hashlib.sha256(password.encode()).hexdigest()
12
13    if hashed_password == target_hash:
14        print(f"Password found: {password}")
15        output = password
16        break
17
18decoded = codecs.decode(output, 'hex').decode()
19
20print(decoded)

Atau kita bisa saja langsung men decode hex value yang ada pada file Dictionary.txt maka akan di decode menjadi flag langsung

bash
$ python3
>>> bytes.fromhex('415241323032337b6834736833645f30525f6e4f545f6834736833647d').decode('utf-8')
'ARA2023{h4sh3d_0R_nOT_h4sh3d}'
>>>
Flag

ARA2023{h4sh3d_0R_nOT_h4sh3d}


babychall

Deskripsi

Welcome to ARACTF! To start the CTF, please translate this flag that I get from display banner! Good Morning
Format : ARA2023{lowercase_flag}
Attachments
Author: circlebytes#5520

Diberikan challenge RSA, kita mencari dua bilangan prima acak (p dan q), dan menentukan modulus (N=pq). Pesan dienkripsi dengan C=Me(mod N) dan di decrypt dengan M=Cd(mod N), dimana (e,N) adalah encrypt key dan (d,N) adalah decrypt key. Kita dapat mendapatkan RSA menggunakan Chinese Remainder Theorem (CRT), dimana kita mencari 3 cipher key dengan message yang sama dan 3 cipher key yang berbeda.

solver.py
 1from Crypto.Util.number import bytes_to_long, long_to_bytes
 2from Crypto import Random
 3import Crypto
 4import sys
 5import libnum
 6
 7c1=50996973104845663108379751131203085432412490198312714663656823648233038479298192861451834246930208140110173699058527919020115432586705400467345647806522331396447650847650133013246673390879222719169248862420278256322967718701700458729207793124758166438641448112314489945863231881982352790765130535004090053677
 8c2=2675086354476975422055414666795504683242305948200761348250028401266882028494792724072473530888031343997988485639367375927974100307107406775103695198800703704181414736281388464205429123159605048186634852771717909704864647112817586024682299987868607933059634279556321476204813521201682662328510086496215821461
 9c3=37230658243252590743608571105027357862790972987208833213017941171448753815654839901699526651433771324826895355671255944414893947963934979068257310367315935701270804390799121669635153012916402271190722618997500392911737767143316552376495882986935695146970853914275481717400268832644987157988727575513351441919
10
11n1=105481127267218260612156871017757694550142735824087150106750403579877495059230413046181301355871045357138033343315900732228502875706659244844711538497850413046440270578916645981161000807526427004236918404837363404678029443944950655102252423415631977020625826867728898231382737396728896847618010577420408630133
12n2=93105621059686474816890215494554802831518948420160941703522759121619785851270608634130307450227557987976818162331982289634215037184075864787223681218982602092806757888533587126974091077190242797461318907280759075612577475534626062060960739269828789274137274363970056276139434039315860052556417340696998509271
13n3=65918509650742278494971363290874849181268364316012656769339120004000702945271942533097529884964063109377036715847176196280943807261986848593000424143320280053279021411394267268255337783494901606319687457351586915314662800434632332988978858085931586830283694881538759008360486661936884202274973387108214754101
14
15if (len(sys.argv)>1):
16    c1=int(sys.argv[1])
17if (len(sys.argv)>2):
18    c2=int(sys.argv[2])
19if (len(sys.argv)>3):
20    c3=int(sys.argv[3])
21if (len(sys.argv)>4):
22    n1=int(sys.argv[4])
23if (len(sys.argv)>5):
24    n2=int(sys.argv[5])
25if (len(sys.argv)>6):
26    n3=int(sys.argv[6])
27
28e=65537
29
30mod=[n1,n2,n3]
31rem=[c1,c2,c3]
32
33res=libnum.solve_crt(rem,mod)
34val=libnum.nroot(res,3)
35
36print(f"{long_to_bytes(val)}")
Flag

ARA2023{s00000_much_c1ph3r_but_5m4ll_e_5t1ll_d0_th3_j0b}


Truth

Deskripsi

Kuronushi traveled far away from his country to learn something about himself. He never sure about his identity. Untill One day, he met a sage who gave him a book of truth. The sage said " To understand about yourself,Erase the title and find the Bigger case"
Submit the flag on this format ARA2023{} Separate the sentences with _
Attachments
Author: Zangetsu#2398

Diberikan sebuah file pdf berpassword, kita bisa saja membrute-force untuk mendapatkan passwordnya dengan menggunakan tools pdf2john atau John The Ripper

bash
$ pdf2john Truth.pdf
Truth.pdf:$pdf$4*4*128*-1060*1*16*077e10eba516a741a6285385b42f5b27*32*df507156115f50098c3d8c6fdb1d662200000000000000000000000000000000*32*7a46addd4179a8ab90812ae8876369522d5facc72245be4f28b3559473767d57

Kita simpan hasil hash nya ke dalam sebuah file .hash

bash
$ pdf2john Truth.pdf > pdf.hash

Lalu gunakan command john nama_file untuk crack hashnya menggunakan default wordlist dari library nya

bash
$ john pdf.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/64])
No password hashes left to crack (see FAQ)

Sebelumnya kami sudah meng crack dan mendapatkan passwordnya, kita bisa langsung saja menggunakan parameter –-show untuk melihat password yg telah di crack tersimpan

bash
$ john --show pdf.hash
Truth.pdf:subarukun

1 password hash cracked, 0 left

Password untuk membuka file pdfnya yaitu subarukun

Sesuai deskripsi soal yaitu kita diminta untuk mencari Letter yang Uppercase dan menghapus titlenya, didapatlah text yang Uppercase berikut SOUNDSLIKEFANDAGO kemudian pisahkan dengan _

Flag

ARA2023{SOUNDS_LIKE_FANDAGO}

Prev
Nullcon CTF 2023
Next
ByteBandits CTF 2023