Title here
Summary here
LA CTF 2023
https://ctftime.org/event/1732
CHALL’S SOLVED
| Category | Challenge |
|---|---|
| CRYPTOGRAPHY | one-more-time-pad |
| WEB | college-tour |
| REVERSING | string-cheese |
| MISC | CATS! |
one-more-time-pad
Description
I heard the onetime pad is perfectly secure so I used it to send an important message to a friend, but now a UCLA competition is asking for the key? I threw that out a long time ago! Can you help me recover it?
chall.py
This cryptographic challenge is to encrypt a plain text Long ago, the four nations lived together in harmony ...
Then XOR it with hexadecimal key 200e0d13461a055b4e592b0054543902462d1000042b045f1c407f18581b56194c150c13030f0a5110593606111c3e1f5e305e174571431e
Here’s a solver script
1plaintext = b"Long ago, the four nations lived together in harmony ..."
2ciphertext = bytes.fromhex("200e0d13461a055b4e592b0054543902462d1000042b045f1c407f18581b56194c150c13030f0a5110593606111c3e1f5e305e174571431e")
3
4assert len(plaintext) == len(ciphertext)
5
6for (x,z) in zip(ciphertext,plaintext):
7 if chr(x^z) == "}" :
8 print(chr(x^z))
9 break
10 else:
11 print(chr(x^z), end="")And this another solver using CyberChef
FLAG
lactf{b4by_h1t_m3_0ne_m0r3_t1m3}
college-tour
Description
Welcome to UCLA! To explore the #1 public college, we have prepared a scavenger hunt for you to walk all around the beautiful campus.
college-tour.lac.tf
Just inspect the sourcecode file on html, css, js then you get 6 part of the flag
On html sourcecode
- part-1
j03_4 - part-2
nd_j0 - part-4
n3_bR
1<!DOCTYPE html>
2<html lang="en">
3 <head>
4 <meta charset="UTF-8"/>
5 <title>A tour of UCLA</title>
6 <link rel="stylesheet" href="index.css">
7 <script src="script.js"></script>
8 </head>
9 <body>
10 <h1>A tour of UCLA</h1>
11 <button id="dark_mode_button" onclick="dark_mode()">Click me for Light Mode!</button>
12 <p>
13 After finally setting foot on UCLA's campus, you're excited to explore it. However, the new student advisors have hidden <b>six</b>
14 clues in the format lactf{number_text} all across UCLA. To complete the scavenger hunt, you must merge all the parts into one in order. For example, if you find the clues lactf{1_lOsT}, lactf{2__!N_b} (note the repeated underscore), and lactf{3_03LT3r}, the answer is lactf{lOsT_!N_b03LT3r}. Have fun exploring!
15 </p>
16 <!-- lactf{1_j03_4}-->
17 <img src="royce.jpg" alt="lactf{2_nd_j0}" height="400px">
18 <iframe src="lactf{4_n3_bR}.pdf" width="100%" height="500px"></iframe>
19 </body>On css sourcecode
- part-3
S3phI
.secret {
font-family: "lactf{3_S3phI}"
}And js sourcecode
- part-5
U1n_s - part-6
AY_hi
function dark_mode() {
dark = 1 - dark;
var element = document.body;
element.classList.toggle("dark-mode");
if (dark === 1) {
document.getElementById("dark_mode_button").textContent = "Click me for Light Mode!";
}
else if (dark === 0) {
document.getElementById("dark_mode_button").textContent = "Click me for Dark Mode!";
}
else {
document.getElementById("dark_mode_button").textContent = "Click me for lactf{6_AY_hi} Mode!";
}
}
window.addEventListener("load", (event) => {
document.cookie = "cookie=lactf{5_U1n_s}";
});FLAG
lactf{j03_4nd_j0S3phIn3_bRU1n_sAY_hi}
string-cheese
Description
I’m something of a cheese connoisseur myself. If you can guess my favorite flavor of string cheese, I’ll even give you a flag. Of course, since I’m lazy and socially inept, I slapped together a program to do the verification for me.
Connect to my service at
nc lac.tf 31131
Note: The attached binary is the exact same as the one executing on the remote server.
string_cheese
When the program is run it will ask for a password, by the challenge name it’s string then we can check that there is a string stored in the program
I’m using IDA Disassembler to analyze the given binary-elf file, and get the string value blueberry to answering that’s input statement, or you can just use strings command
$ nc lac.tf 31131
What's my favorite flavor of string cheese? blueberry
...how did you know? That isn't even a real flavor...
Well I guess I should give you the flag now...
lactf{d0n7_m4k3_fun_0f_my_t4st3_1n_ch33s3}FLAG
lactf{d0n7_m4k3_fun_0f_my_t4st3_1n_ch33s3}
CATS!
Description
CATS OMG I CAN’T BELIEVE HOW MANY CATS ARE IN THIS IMAGE I NEED TO VISIT CAN YOU FIGURE OUT THE NAME OF THIS CAT HEAVEN?
Answer is the domain of the website for this location. For example, if the answer was ucla, the flag would be lactf{ucla.edu}.
CATS.jpeg
Check the metadata file using Exiftool and got the bunch of information, we’re dominant to Location : Lanai Cat Sanctuary
$ exiftool CATS.jpeg
ExifTool Version Number : 12.40
File Name : CATS.jpeg
Directory : .
File Size : 4.7 MiB
File Modification Date/Time : 2023:02:11 11:05:45+07:00
File Access Date/Time : 2023:02:16 05:57:29+07:00
File Inode Change Date/Time : 2023:02:11 11:05:45+07:00
File Permissions : -rwxrwxrwx
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
Exif Byte Order : Big-endian (Motorola, MM)
Make : Apple
Camera Model Name : iPhone SE (2nd generation)
Orientation : Rotate 90 CW
X Resolution : 72
Y Resolution : 72
Resolution Unit : inches
Software : 15.5
Modify Date : 2022:06:17 12:52:05
Host Computer : iPhone SE (2nd generation)
Y Cb Cr Positioning : Centered
Exposure Time : 1/144
F Number : 1.8
Exposure Program : Program AE
ISO : 20
Exif Version : 0232
Date/Time Original : 2022:06:17 12:52:05
Create Date : 2022:06:17 12:52:05
Offset Time : -10:00
Offset Time Original : -10:00
Offset Time Digitized : -10:00
Components Configuration : Y, Cb, Cr, -
Shutter Speed Value : 1/144
Aperture Value : 1.8
Brightness Value : 6.672492018
Exposure Compensation : 0
Metering Mode : Multi-segment
Flash : Off, Did not fire
Focal Length : 4.0 mm
Subject Area : 2013 1511 2217 1330
Run Time Flags : Valid
Run Time Value : 526663128177750
Run Time Scale : 1000000000
Run Time Epoch : 0
Acceleration Vector : -0.06026777624 -0.8702277539 -0.4827761948
Sub Sec Time Original : 057
Sub Sec Time Digitized : 057
Flashpix Version : 0100
Color Space : Uncalibrated
Exif Image Width : 4032
Exif Image Height : 3024
Sensing Method : One-chip color area
Scene Type : Directly photographed
Exposure Mode : Auto
White Balance : Auto
Focal Length In 35mm Format : 28 mm
Scene Capture Type : Standard
Lens Info : 3.99000001mm f/1.8
Lens Make : Apple
Lens Model : iPhone SE (2nd generation) back camera 3.99mm f/1.8
Composite Image : General Composite Image
GPS Version ID : 2.3.0.0
GPS Map Datum : WGS-84
Compression : JPEG (old-style)
Thumbnail Offset : 2478
Thumbnail Length : 11136
Current IPTC Digest : 50350e5c967628d3532b5317912bff65
Coded Character Set : UTF8
Envelope Record Version : 4
Sub-location : Lanai Cat Sanctuary
Province-State : HI
Country-Primary Location Code : US
Country-Primary Location Name : United States
Application Record Version : 4
XMP Toolkit : Image::ExifTool 12.42
Country Code : US
Location : Lanai Cat Sanctuary
Location Created City : Lanai City
Location Created Country Code : US
Location Created Country Name : United States
Location Created Province State : HI
Location Created Sublocation : Lanai Cat Sanctuary
City : Lanai City
Country : United States
State : HI
Metadata Date : 2023:02:09 15:48:44-08:00
Profile CMM Type : Apple Computer Inc.
Profile Version : 4.0.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 2022:01:01 00:00:00
Profile File Signature : acsp
Primary Platform : Apple Computer Inc.
CMM Flags : Not Embedded, Independent
Device Manufacturer : Apple Computer Inc.
Device Model :
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Perceptual
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator : Apple Computer Inc.
Profile ID : ecfda38e388547c36db4bd4f7ada182f
Profile Description : Display P3
Profile Copyright : Copyright Apple Inc., 2022
Media White Point : 0.96419 1 0.82489
Red Matrix Column : 0.51512 0.2412 -0.00105
Green Matrix Column : 0.29198 0.69225 0.04189
Blue Matrix Column : 0.1571 0.06657 0.78407
Red Tone Reproduction Curve : (Binary data 32 bytes, use -b option to extract)
Chromatic Adaptation : 1.04788 0.02292 -0.0502 0.02959 0.99048 -0.01706 -0.00923 0.01508 0.75168
Blue Tone Reproduction Curve : (Binary data 32 bytes, use -b option to extract)
Green Tone Reproduction Curve : (Binary data 32 bytes, use -b option to extract)
Image Width : 4032
Image Height : 3024
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Run Time Since Power Up : 6 days 2:17:43
Aperture : 1.8
Image Size : 4032x3024
Megapixels : 12.2
Scale Factor To 35 mm Equivalent: 7.0
Shutter Speed : 1/144
Create Date : 2022:06:17 12:52:05.057-10:00
Date/Time Original : 2022:06:17 12:52:05.057-10:00
Modify Date : 2022:06:17 12:52:05-10:00
Thumbnail Image : (Binary data 11136 bytes, use -b option to extract)
GPS Latitude : 20 deg 47' 27.52" N
GPS Longitude : 156 deg 57' 50.03" W
GPS Latitude Ref : North
GPS Longitude Ref : West
Circle Of Confusion : 0.004 mm
Field Of View : 65.5 deg
Focal Length : 4.0 mm (35 mm equivalent: 28.0 mm)
GPS Position : 20 deg 47' 27.52" N, 156 deg 57' 50.03" W
Hyperfocal Distance : 2.07 m
Light Value : 11.2
Lens ID : iPhone SE (2nd generation) back camera 3.99mm f/1.8Then you can just googling it, got the domain for a flag is lanaicatsanctuary.org
FLAG
lactf{lanaicatsanctuary.org}
CHALL’S UNSOLVED
| Category | Challenge |
|---|---|
| MISC | ebe |
| CRYPTOGRAPHY | rolling-in-the-mud |
| PWN | gatekeep |
ebe
Description
I was trying to send a flag to my friend over UDP, one character at a time, but it got corrupted! I think someone else was messing around with me and sent extra bytes, though it seems like they actually abided by RFC 3514 for once. Can you get the flag?
EBE.pcap
Given the packet capture file we can use wireshark to analyze it
After we check the Statistics > Protocol Hierarchy it just show UDP packet and that has 1 byte of each packet bytes
Now check the UDP Stream Right Click on 1 packet > Follow > UDP Stream, and we got this some string
Lpy5lUKeaVcg3XTtQVftv{Vx_wk4T7ZMKLaaydWM3AO6R8V_1gvLuT6fqeuvxb_sd8ZnqNGSMSu8T8}JDeO8wXQU1ZeJ7_pZE3gCWx}MhJMf1YWVra}SDW8_PBUhXlgYJKcTN767REmwM6wtO4Z6R7QPiV9qJ7In_1UAC45V0wNv6OW{_hDnyXV}lS4w04_m7HQcqt2ZvfcV3qFAd1iWo_LMWQOvE1NOd_HqnZf2uXF9gfEkY51DVcUDQuNduX4RP{J30}czrL8U0s9PuNgF0}0j5063aA4mLdSFm7e08j4c7gUqZb4}By the challenge descripttion that gives some hint RFC 3514. After some googling stuff, those are known as Evil Bit - The Security Flag in the IPv4 Header
The bit field is laid out as follows:
0
+-+
|E|
+-+
Currently-assigned values are defined as follows:
0x0 If the bit is set to 0, the packet has no evil intent. Hosts,
network elements, etc., SHOULD assume that the packet is
harmless, and SHOULD NOT take any defensive measures. (We note
that this part of the spec is already implemented by many common
desktop operating systems.)
0x1 If the bit is set to 1, the packet has evil intent. Secure
systems SHOULD try to defend themselves against such packets.
Insecure systems MAY chose to crash, be penetrated, etc.We can assume that each packet that we have to check does not contain packet 0x01 or 1 bit, and must be 0 bit.. then we can filter packets on wireshark with the following keywords ip.flags.rb != 1 or ip .flags.rb == 0
Then check every single packet that we have filtered, then assemble it to get the flag
FLAG
lactf{3V1L_817_3xf1l7R4710N_4_7H3_W1N_51D43c8000034d0c}
rolling-in-the-mud
Description
uugh, these pigs in my pen are making a complete mess! They’re rolling all over the place!
Anyway, can you decode this cipher they gave me, almost throwing it at me while rolling around?
Answer in lowercase with symbols. In the image, { and } are characters that should appear in your flag, and replace spaces with_.
cipher.png
We’re given an image, this image looks like the pigpen cipher, but after we decode it with dcode.fr the result it’s not make sense
EOMB MC VCAL
EBU PAUNT
CNAPPPJ FNI
CNAPPPJ FNI
CNAPPPJ DUGIPBy the challenge name and description rolling, we can assumed to flipped the image horizontally 180 degrees, and get perfect results then wrap it to make it lowercase
LACTF ROLLING
AND ROLLING
AND ROLLING
UNTIL THE
PIGS GO HOMEFLAG
lactf{rolling_and_rolling_and_rolling_until_the_pigs_go_home}
gatekeep
Description
If I gaslight you enough, you won’t be able to get my flag! :)
nc lac.tf 31121
Note: The attached binary is the exact same as the one executing on the remote server.
Dockerfile
gatekeep.c
gatekeep
This one is the basic pwn challenges, we can analyze a given binary-elf file using the IDA Disassembler.
So it’s just a buffer overflow checking to see if the input is the same as the program variables in the stacks. We just need to send as many A as possible then the program will overwrite the input, and we get the flags.
$ nc lac.tf 31121
If I gaslight you enough, you won't be able to guess my password! :)
Password:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
I swore that was the right password ...
Guess I couldn't gaslight you!
lactf{sCr3am1nG_cRy1Ng_tHr0w1ng_uP}Or we can use these payload python3 -c 'print("a"*50)' | {{nc}} that was given by the official challenges archive repo
$ nc lac.tf 31121
If I gaslight you enough, you won't be able to guess my password! :)
Password:
python3 -c 'print("a"*50)' | {{nc}}
I swore that was the right password ...
Guess I couldn't gaslight you!
lactf{sCr3am1nG_cRy1Ng_tHr0w1ng_uP}FLAG
lactf{sCr3am1nG_cRy1Ng_tHr0w1ng_uP}