ByteBandits CTF 2023

https://ctftime.org/event/1877



CHALLENGES SOLVED

Category   Challenge
WEB        Hi-Score
FORENSICS  Vastness of Space
FORENSICS  Random Requests
FORENSICS  Memory Dump

Hi-Score

Description :

Reach 100 clicks per second for a reward.

  • Given the website for this challenge http://web.bbctf.fluxus.co.in:1003

  • Inspect the page's JavaScript, TheScript.js — the click counter, the 100 cps check and the reward link all live in this client-side file (the listing below is the obfuscated script as served).

TheScript.js
// Bootstrap IIFE of the obfuscator (javascript-obfuscator style string-array
// rotation). Every string the script needs lives in the array returned by
// _0x59a2(), but stored in a rotated order. This loop computes a checksum from a
// fixed set of table entries and rotates the table one slot to the left until
// the checksum equals the expected value (0xa9a43); only then do the
// _0x1a8b(index) lookups used by Clicks() return the intended strings.
(function (_0x52c9b1, _0x4f9b4c) {
	var _0x4fb32a = _0x1a8b,
		_0x216299 = _0x52c9b1(); // the shared, mutable string table
	while (!![]) { // !![] === true: loop until `break`
		try {
			// parseInt() on entries such as "3526ccMajJ" yields their leading
			// digits and NaN on plain words, so the sum only matches once the
			// numeric entries sit at exactly the indices probed here.
			var _0x3f71ce =
				(-parseInt(_0x4fb32a(0x1fa)) / 0x1) *
					(parseInt(_0x4fb32a(0x1ff)) / 0x2) +
				parseInt(_0x4fb32a(0x202)) / 0x3 +
				(parseInt(_0x4fb32a(0x201)) / 0x4) *
					(parseInt(_0x4fb32a(0x205)) / 0x5) +
				(-parseInt(_0x4fb32a(0x1fb)) / 0x6) *
					(-parseInt(_0x4fb32a(0x1f7)) / 0x7) +
				parseInt(_0x4fb32a(0x206)) / 0x8 +
				(-parseInt(_0x4fb32a(0x1f9)) / 0x9) *
					(-parseInt(_0x4fb32a(0x203)) / 0xa) +
				(parseInt(_0x4fb32a(0x208)) / 0xb) *
					(-parseInt(_0x4fb32a(0x1f6)) / 0xc);
			if (_0x3f71ce === _0x4f9b4c) break; // table is now in its final order
			else _0x216299["push"](_0x216299["shift"]()); // rotate left by one
		} catch (_0x1d9b38) {
			// Defensive: any exception while probing also just rotates and retries.
			_0x216299["push"](_0x216299["shift"]());
		}
	}
})(_0x59a2, 0xa9a43);
// Global click-rate state shared by Clicks() and Reset().
var klicks = 0; // clicks counted since the first click of the current run
var score = 0; // latest clicks-per-second figure (a string once toFixed() runs)
var start = new Date().getTime(); // script load time; reset by Reset(), never read by Clicks()
var end = 0; // timestamp (ms) of the first click of the current run
var end1 = 1; // milliseconds elapsed since `end`
// String-table accessor used by every obfuscated lookup in this file.
// On its first call it captures the (shared, possibly rotated) table from
// _0x59a2() and replaces itself with a closure that maps an obfuscated index to
// a table entry; indices are offset by 0x1f4, so _0x1a8b(0x1f4) is entry 0,
// _0x1a8b(0x1f5) entry 1, and so on. The second parameter is never used.
function _0x1a8b(_0x4264e5, _0x39be1a) {
	var _0x59a27e = _0x59a2();
	return (
		(_0x1a8b = function (_0x1a8bf4, _0x24b49c) {
			_0x1a8bf4 = _0x1a8bf4 - 0x1f4; // rebase the obfuscated index to 0
			var _0x117e3e = _0x59a27e[_0x1a8bf4];
			return _0x117e3e;
		}),
		_0x1a8b(_0x4264e5, _0x39be1a) // delegate the first call to the new closure
	);
}
// Click handler: recomputes clicks-per-second, updates the score element and,
// once the rate reaches 100, injects the reward link into the page.
// The gate is purely client-side: the reward markup (including the hidden
// flag path) is already present in this script, so no real clicking is needed.
// Traced by hand through the table rotation (verify in a debugger if reusing):
//   0x1f4 -> "getElementById"   0x1f5 -> "getTime"    0x1f8 -> "reward"
//   0x1fc -> " cps"             0x1fd -> "clicks"     0x1fe -> reward link HTML
//   0x200 -> "innerHTML"        0x204 -> "toFixed"    0x207 -> "SCORE: "
function Clicks() {
	var _0x287a2f = _0x1a8b;
	// First click of a run: start the clock.
	if (klicks == 0x0) end = new Date()[_0x287a2f(0x1f5)]();
	// Elapsed ms since the first click; clicks per ms * 1000 = clicks per second.
	(end1 = new Date()[_0x287a2f(0x1f5)]() - end),
		(klicks += 0x1),
		(score = (klicks / end1) * 0x3e8);
	// On the very first click end1 is 0, so the division yields Infinity.
	if (score == Infinity) score = 0x0;
	// toFixed() turns score into a string; the >= 100 comparison below coerces it back.
	(score = score[_0x287a2f(0x204)](0x3)),
		(document[_0x287a2f(0x1f4)](_0x287a2f(0x1fd))["innerHTML"] =
			_0x287a2f(0x207) + score + _0x287a2f(0x1fc));
	if (score >= 0x64) _0x125e1a();
	else document["getElementById"](_0x287a2f(0x1f8))[_0x287a2f(0x200)] = "";
	// Writes the reward anchor (table entry 2 of _0x59a2) into the #reward element.
	function _0x125e1a() {
		var _0x162e81 = _0x287a2f;
		document["getElementById"](_0x162e81(0x1f8))[_0x162e81(0x200)] =
			_0x162e81(0x1fe);
	}
}
// Restore the counters and timestamps to their load-time values, then run
// Clicks() once so the score display is redrawn (this registers as the first
// click of the new run).
function Reset() {
	klicks = 0;
	score = 0;
	start = new Date().getTime();
	end = 0;
	end1 = 1;
	Clicks();
}
// Builds the obfuscator's string table once and memoizes it: after the first
// call _0x59a2 is swapped for a closure returning the very same array object,
// so the rotation performed by the bootstrap IIFE is seen by every later lookup.
// Entry 2 is the reward anchor; its href is hex-encoded in the source and
// decoded here at load time, which is why the secret path can be read straight
// out of the script without ever reaching 100 cps.
function _0x59a2() {
	var hexPath = "2f2e736563726574696f6e2f666c6167";
	var rewardPath = "";
	for (var i = 0; i < hexPath.length; i += 2) {
		rewardPath += String.fromCharCode(parseInt(hexPath.substr(i, 2), 16));
	}
	var table = [
		" cps",
		"clicks",
		' Your Reward : <a href="' + rewardPath + '" download="flag">Reward</a>',
		"3526ccMajJ",
		"innerHTML",
		"4263236HVNRoh",
		"3656895VkgrIX",
		"503210VEeXpc",
		"toFixed",
		"5NfzyuJ",
		"8399912tBbEFu",
		"SCORE: ",
		"6379703kdfIqT",
		"getElementById",
		"getTime",
		"48bKPhCj",
		"14Xmxuhh",
		"reward",
		"9wOTYQU",
		"597OMUzhx",
		"2046510XnQiaG",
	];
	_0x59a2 = function () {
		return table;
	};
	return _0x59a2();
}
  • Inside the _0x59a2() function there is a hex-encoded string, 2f2e736563726574696f6e2f666c6167, that the script decodes at load time into the href of the reward link. Decode it yourself:
bash
$ python3
>>> hexstring = '2f2e736563726574696f6e2f666c6167'
>>> result = bytes.fromhex(hexstring).decode('utf-8')
>>> print(result)
/.secretion/flag
>>>
  • The result is /.secretion/flag, so the reward link points at http://web.bbctf.fluxus.co.in:1003/.secretion/flag. Since both the 100 cps check and the link are implemented in client-side JavaScript, the path can simply be requested directly — the game is never actually required.

  • Got the flag inside flag file,

FLAG :

flag{THAtS_15_A_SM4rT_m0ve}


Vastness of Space

Description :

Is space really that empty?
Empty_Space.jpg

Given the image file Empty_Space.jpg. First, check its metadata with exiftool — the password is stored there:

bash
$ exiftool Empty_Space.jpg

The XP Comment tag (xp_comment) gives it away: The password is "BBCTF"

Use steghide to extract the embedded file, entering the password recovered from the EXIF data as the passphrase:

bash
$ steghide extract -sf Empty_Space.jpg

This yields somedata.txt, a list of x,y coordinates. The following Python script plots each coordinate as a pixel to reconstruct the hidden image:

solver.py
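"""Rebuild the hidden image from somedata.txt.

Each line of somedata.txt is an ``x,y`` pixel coordinate. Plotting every
coordinate as a black pixel on a white canvas (with a small quiet zone) and
upscaling the result reproduces the QR code that carries the flag.
"""

INPUT = "somedata.txt"
OUTPUT = "output.png"
PADDING = 20  # extra canvas size beyond the largest coordinate
OFFSET = 5  # shift applied to every point so the drawing gets a quiet zone
SCALE = (500, 500)  # final output size; nearest-neighbour keeps the modules crisp


def read_points(path):
    """Parse ``x,y`` lines of ``path`` into a list of ``(x, y)`` int tuples.

    Blank lines are skipped. A malformed line raises ValueError naming the
    file and line number instead of an anonymous unpacking error.
    """
    points = []
    with open(path) as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.strip()
            if not line:
                continue
            try:
                x, y = (int(value) for value in line.split(","))
            except ValueError as exc:
                raise ValueError(
                    f"{path}:{lineno}: expected 'x,y', got {line!r}"
                ) from exc
            points.append((x, y))
    return points


def render(points, path, scale=SCALE):
    """Draw ``points`` as black pixels on a white canvas and save it to ``path``.

    The canvas is sized to the largest coordinate plus PADDING and every point
    is shifted by OFFSET, so the drawing is surrounded by white. The image is
    upscaled with Image.NEAREST so the QR modules stay sharp enough to scan.

    Raises ValueError if ``points`` is empty (nothing to size the canvas from).
    """
    # Imported here so read_points() stays usable without Pillow installed.
    from PIL import Image

    if not points:
        raise ValueError("no points to draw")
    width = max(x for x, _ in points) + PADDING
    height = max(y for _, y in points) + PADDING
    image = Image.new("RGB", (width, height), (255, 255, 255))
    pixels = image.load()
    for x, y in points:
        pixels[x + OFFSET, y + OFFSET] = (0, 0, 0)
    image.resize(scale, Image.NEAREST).save(path)


if __name__ == "__main__":
    render(read_points(INPUT), OUTPUT)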

The output, output.png, is a QR code; scan it to get the flag.

FLAG :

flag{qUiCk_R3sP0nse_c0d3}


Random Requests

Description :

I captured these very random http requests. Can you help me decode them?
random_requests.pcapng

Looking at the protocol hierarchy statistics and then at the HTTP traffic involving 142.250.67.132 shows a long run of unusual requests: GET /flag=0, GET /flag=1 or GET /flag=%20, one after another. (The extraction script below selects packets by destination address, so in Wireshark http && ip.dst == 142.250.67.132 should match the same requests.)

Taking the values in chronological order and treating each %20 as a separator gives groups of eight binary digits — each one a byte of a base64-encoded string:

bash
$ python3
>>> chr(int('01011010', 2))
'Z'
>>> chr(int('01101101', 2))
'm'
>>> chr(int('01111000', 2))
'x'

The following script pulls the value out of each request path, joins them in capture order and writes the result to a text file:

extract.py
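#!/usr/bin/env python3
"""Recover the flag hidden in the request paths of random_requests.pcapng.

Each HTTP request sent to SERVER carries one character of a message in its
path (``GET /flag=0``, ``GET /flag=1`` or ``GET /flag=%20``) — a simple
covert channel of one symbol per request. Concatenating the values in
capture order and URL-decoding the spaces yields space-separated 8-bit
groups; those bytes form a base64 string that decodes to the flag.
"""
import base64
from urllib.parse import unquote

PCAP = "random_requests.pcapng"
SERVER = "142.250.67.132"
OUTPUT = "output.txt"


def request_value(payload):
    """Return the text after the first ``=`` in an HTTP request line, or None.

    ``payload`` is the raw TCP payload (bytes). Only a leading request line of
    the form ``METHOD /path HTTP/1.x`` is considered; responses, continuation
    segments, non-UTF-8 data and paths without ``=`` yield None so callers can
    skip them instead of dying on an IndexError.
    """
    try:
        request_line = payload.split(b"\r\n", 1)[0].decode("utf-8")
    except UnicodeDecodeError:
        return None
    parts = request_line.split(" ")
    if len(parts) < 2 or "=" not in parts[1]:
        return None
    return parts[1].split("=", 1)[1]


def decode_binary_base64(text):
    """Decode space-separated 8-bit groups into base64 text, then decode that.

    Raises ValueError if a group is not binary or the base64 is malformed
    (binascii.Error is a ValueError subclass).
    """
    b64 = "".join(chr(int(group, 2)) for group in text.split())
    return base64.b64decode(b64, validate=True).decode()


def main():
    # Imported here so the pure helpers above can be used/tested without scapy.
    from scapy.all import IP, Raw, rdpcap

    values = []
    for packet in rdpcap(PCAP):
        # Non-IP frames (e.g. ARP) would raise on packet[IP]; skip them.
        if not (packet.haslayer(IP) and packet.haslayer(Raw)):
            continue
        if packet[IP].dst != SERVER:
            continue
        value = request_value(bytes(packet[Raw].load))
        if value is not None:
            values.append(value)

    text = unquote("".join(values))
    with open(OUTPUT, "w") as fh:
        fh.write(text)

    try:
        print(decode_binary_base64(text))
    except ValueError as exc:
        print(f"could not decode {OUTPUT} automatically: {exc}")


if __name__ == "__main__":
    main()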

Convert the output with CyberChef: From Binary followed by From Base64 (CyberChef's Magic operation also recognises the base64 step). The intermediate base64 string is ZmxhZ3tuT1RfU29fcjRuZG9tX2g3N3BfcjNxdTM1dHN9, and the final step is a plain base64 decode:

bash
$ echo 'ZmxhZ3tuT1RfU29fcjRuZG9tX2g3N3BfcjNxdTM1dHN9' | base64 -d
flag{nOT_So_r4ndom_h77p_r3qu35ts}
FLAG :

flag{nOT_So_r4ndom_h77p_r3qu35ts}


Memory Dump

Description :

I was learning powershell when my pc suddenly crashed. Can you retrieve my bash history?
Download link

Given a memory image named Memdump.raw. Volatility 2's imageinfo could not suggest a profile for it — not surprising for a Windows 10 image of build 19041 (see Major/Minor below), which the legacy Volatility 2 profile set generally does not cover —

so I switched to Volatility 3, which resolves the kernel symbols from the PDB identifier instead (see the Symbols line below) and handles the image without a profile.

Now check with windows.info to get an information of memory file

bash
$ vol -f Memdump.raw windows.info
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
Variable        Value

Kernel Base     0xf8025ea03000
DTB     0x1aa000
Symbols file:///home/nopedawn/.local/lib/python3.10/site-packages/volatility3/symbols/windows/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A583-1.json.xz
Is64Bit True
IsPAE   False
layer_name      0 WindowsIntel32e
memory_layer    1 FileLayer
KdVersionBlock  0xf8025f612398
Major/Minor     15.19041
MachineType     34404
KeNumberProcessors      1
SystemTime      2022-12-16 10:41:11
NtSystemRoot    C:\Windows
NtProductType   NtProductWinNt
NtMajorVersion  10
NtMinorVersion  0
PE MajorOperatingSystemVersion  10
PE MinorOperatingSystemVersion  0
PE Machine      34404
PE TimeDateStamp        Wed Jun 28 04:14:26 1995

List the process tree and look for the PowerShell process:

bash
$ vol -f Memdump.raw windows.pstree
*** 1324        2104    powershell.exe  0xc88f237da080  9       -       1       False   2022-12-16 10:36:27.000000      N/A

The description asks for the commands executed in PowerShell. PowerShell's PSReadLine module keeps the command history in a plain-text file, ConsoleHost_history.txt, under the user's AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine directory (the path in the filescan output below), so search the file objects in memory for it:

bash
$ vol -f Memdump.raw windows.filescan | grep "ConsoleHost_history.txt"
0xc88f21961af0.0\Users\bbctf\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt    216

With the file object's virtual address from filescan, dump ConsoleHost_history.txt with windows.dumpfiles:

bash
$ vol -f Memdump.raw windows.dumpfiles --pid 1324 --virtaddr 0xc88f21961af0
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
Cache   FileObject      FileName        Result

DataSectionObject       0xc88f21961af0  ConsoleHost_history.txt file.0xc88f21961af0.0xc88f1e9b5570.DataSectionObject.ConsoleHost_history.txt.dat

The dump is written under a long generated name; rename it and read it:

bash
$ mv file.0xc88f21961af0.0xc88f1e9b5570.DataSectionObject.ConsoleHost_history.txt.dat ConsoleHost_history.txt
$ cat ConsoleHost_history.txt
$xorkey = bbctf
$xorkey = "bbctf"
$aescipherkey = "ByteBandits-CTF Jan 2023"
$encrypted_flag = "m74/XKCNkHmzJHEPAOHvegV96AOubRnSUQBpJnG4tHg="

The history is the whole recipe: base64-decode $encrypted_flag, then decrypt it with AES in ECB mode using $aescipherkey as the key. The key is 24 ASCII bytes, so this is AES-192; ECB needs no IV, and the 32-byte ciphertext is exactly two blocks (the flag is shorter than that, so the trailing bytes are presumably PKCS#7 padding). Nothing in the recovered history uses $xorkey. In CyberChef, From Base64 followed by AES Decrypt (ECB, key as UTF-8) gives the result:

FLAG :

flag{V0L@tiLiTy_4_da_w1N}


CHALLENGES UNSOLVED

Category   Challenge
FORENSICS  ImageCeption

ImageCeption

Description :

“The painter has the universe in his mind and hands.”
-Leonardo Da Vinci
Download link

Given a memory image named imageception.raw; again Volatility 3 is used to analyse it.

Start with windows.info: it is a Windows 10 image (build 19041), just like the previous one.

bash
$ vol -f imageception.raw windows.info
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
Variable        Value

Kernel Base     0xf80778a18000
DTB     0x1aa000
Symbols file:///home/nopedawn/.local/lib/python3.10/site-packages/volatility3/symbols/windows/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A583-1.json.xz
Is64Bit True
IsPAE   False
layer_name      0 WindowsIntel32e
memory_layer    1 FileLayer
KdVersionBlock  0xf80779627398
Major/Minor     15.19041
MachineType     34404
KeNumberProcessors      1
SystemTime      2022-12-16 08:28:29
NtSystemRoot    C:\Windows
NtProductType   NtProductWinNt
NtMajorVersion  10
NtMinorVersion  0
PE MajorOperatingSystemVersion  10
PE MinorOperatingSystemVersion  0
PE Machine      34404
PE TimeDateStamp        Wed Jun 28 04:14:26 1995

windows.pstree shows an mspaint.exe process running — given the challenge description ("the painter"), that is the process to examine:

bash
$ vol -f imageception.raw windows.pstree
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime
*** 4448        3044    mspaint.exe     0xa08f6e45b080  8       -       1       False   2022-12-16 08:27:45.000000      N/A

windows.cmdline lists each process's command-line arguments; mspaint.exe was launched with imageception.png open:

bash
$ vol -f imageception.raw windows.cmdline
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
PID     Process Args
4448 mspaint.exe "C:\Windows\system32\mspaint.exe" "C:\Users\bbctf\Desktop\imageception.png"

Use windows.filescan, which scans memory for file objects, to find the virtual address of imageception.png:

bash
$ vol -f imageception.raw windows.filescan | grep png
0xa08f6ca23200.0\Users\bbctf\Desktop\imageception.png   216

The file object for imageception.png is at 0xa08f6ca23200; dump it:

bash
$ vol -f imageception.raw windows.dumpfiles --pid 4448 --virtaddr 0xa08f6ca23200
Volatility 3 Framework 2.4.1
Progress:  100.00               PDB scanning finished
Cache   FileObject      FileName        Result

DataSectionObject       0xa08f6ca23200  imageception.png        Error dumping file

Although the DataSectionObject row reports Error dumping file, a .dat output was still written (presumably from the pages of the file that were resident in memory). Rename it to .png and open it — the flag is drawn in the image:

bash
$ mv file.0xa08f6ca23200.0xa08f6c9d1350.DataSectionObject.imageception.png.dat imageception.png
FLAG :

flag{!m@g3_w1tHin_1M4ge}