Title here
Summary here
BSidesSF CTF 2024
https://ctftime.org/event/2357
CHALL’S SOLVED
| Category | Challenge |
|---|---|
| Forensics | doctor |
| Forensics | javai |
| Forensics | sgai-1 |
| Forensics | undelete |
| Forensics | ztxt |
Forensics
doctor
Overview
Author: ansh
Description: This doc seems to be hiding something. Can you find what’s hidden? Flag is in the form
CTF{-----_----_----}.
From the provided docx file, we have to find the flag inside this file.
$ file SuperSecretWordDoc.docx
SuperSecretWordDoc.docx: Microsoft Word 2007+I thought it was a docx macro, but when I checked using exiftool, it made me curious.. there’s ZIP segment and XML
$ exiftool SuperSecretWordDoc.docx
ExifTool Version Number : 12.40
File Name : SuperSecretWordDoc.docx
Directory : .
File Size : 3.3 MiB
File Modification Date/Time : 2024:05:04 06:40:24+07:00
File Access Date/Time : 2024:05:06 18:26:50+07:00
File Inode Change Date/Time : 2024:05:05 14:01:50+07:00
File Permissions : -rw-r--r--
File Type : DOCX
File Type Extension : docx
MIME Type : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version : 20
Zip Bit Flag : 0
Zip Compression : Deflated
Zip Modify Date : 2021:10:04 23:57:02
Zip CRC : 0xd470ebcf
Zip Compressed Size : 314
Zip Uncompressed Size : 1119
Zip File Name : [Content_Types].xmlThen I tried checking using hexedit, it turned out that the ZIP signature (PK) appeared in this docx file
$ hexedit SuperSecretWordDoc.docx
00000000 50 4B 03 04 14 00 00 00 08 00 21 BF 44 53 CF EB 70 D4 3A 01 PK........!.DS..p.:.
00000014 00 00 5F 04 00 00 13 00 1C 00 5B 43 6F 6E 74 65 6E 74 5F 54 .._.......[Content_T
00000028 79 70 65 73 5D 2E 78 6D 6C 55 54 09 00 03 3E F7 5B 61 3E F7 ypes].xmlUT...>.[a>.
0000003C 5B 61 75 78 0B 00 01 04 F5 01 00 00 04 14 00 00 00 B5 94 4D [aux...............M
00000050 4E C3 30 10 85 4F C0 1D 22 6F 51 E3 96 05 42 A8 69 17 FC 2C N.0..O.."oQ...B.i..,
00000064 81 45 39 C0 D4 99 A4 16 FE 93 3D 2D ED ED 19 A7 6D 04 A8 59 .E9.......=-....m..Y
00000078 20 91 4D E4 F1 9B 79 EF D3 44 C9 7C B9 B7 A6 D8 61 4C DA BB .M...y..D.|....aL..
0000008C 4A CC CA A9 28 D0 29 5F 6B D7 56 E2 7D F5 3C B9 13 45 22 70 J...(.)_k.V.}.<..E"p
000000A0 35 18 EF B0 12 07 4C 62 B9 B8 9A AF 0E 01 53 C1 C3 2E 55 62 5.....Lb......S...Ub
000000B4 43 14 EE A5 4C 6A 83 16 52 E9 03 3A 56 1A 1F 2D 10 97 B1 95 C...Lj..R..:V..-....
000000C8 01 D4 07 B4 28 6F A6 D3 5B A9 BC 23 74 34 A1 EC 21 16 F3 47 ....(o..[..#t4..!..G
000000DC 6C 60 6B A8 78 38 DE 67 EB 4A 40 08 46 2B 20 E6 92 6C 26 8A l`k.x8.g.J@.F+ ..l&.
000000F0 A7 3D 8B 47 CC 5C CB 81 39 6D 73 4E 70 ED 8F 89 5C 0F 4D 7C .=.G.\..9msNp...\.M|
00000104 4F DA B9 FA 17 FE E4 84 5E 46 34 5D 4F DA E8 90 AE 7F 23 B1 O.......^F4]O.....#.
00000118 9A 72 C2 2B EF 32 EA 1A FF 14 E1 9B 46 2B AC BD DA 5A 1E 29 .r.+.2......F+...Z.)
0000012C 3F 7D AC 43 F4 0A 53 E2 D7 60 4D 99 90 88 4F A7 D4 37 88 F4 ?}.C..S..`M...O..7..
00000140 02 96 6D 65 EE 94 67 B5 3C AD 65 1C 04 3A 18 1C 02 E8 B4 51 ..me..g.<.e..:.....Q
00000154 E3 1B F6 5A C1 DA E0 65 82 5E 1E 15 C2 6D ED 1A 23 9F 2F 43 ...Z...e.^...m..#./C
00000168 F4 F2 A8 10 BD 62 41 BB CB 20 7D CB 3F 72 10 7F DA 03 CB EF .....bA.. }.?r......
0000017C A4 E3 73 76 8E 94 DD FF 61 F1 05 50 4B 03 04 0A 00 00 00 00 ..sv....a..PK.......
00000190 00 47 37 45 53 00 00 00 00 00 00 00 00 00 00 00 00 06 00 1C .G7ES...............
000001A4 00 5F 72 65 6C 73 2F 55 54 09 00 03 F5 59 5C 61 E0 5B 5C 61 ._rels/UT....Y\a.[\a
000001B8 75 78 0B 00 01 04 F5 01 00 00 04 14 00 00 00 50 4B 03 04 14 ux.............PK...
000001CC 00 00 00 08 00 21 BF 44 53 2D 68 CF 22 B1 00 00 00 2A 01 00 .....!.DS-h."....*..
000001E0 00 0B 00 1C 00 5F 72 65 6C 73 2F 2E 72 65 6C 73 55 54 09 00 ....._rels/.relsUT..
000001F4 03 3E F7 5B 61 3E F7 5B 61 75 78 0B 00 01 04 F5 01 00 00 04 .>.[a>.[aux.........
--- SuperSecretWordDoc.docx --0x0/0x35566D--0%-------------------------------------------How about we unzip it
$ unzip SuperSecretWordDoc.docx
Archive: SuperSecretWordDoc.docx
inflating: [Content_Types].xml
creating: _rels/
inflating: _rels/.rels
creating: word/
inflating: word/fontTable.xml
inflating: word/document.xml
inflating: word/settings.xml
inflating: word/numbering.xml
inflating: word/styles.xml
creating: word/theme/
inflating: word/theme/theme1.xml
creating: word/_rels/
inflating: word/_rels/document.xml.rels
creating: word/media/
inflating: word/media/image4.png
inflating: word/media/image1.png
inflating: word/media/image0.png
inflating: word/media/image2.png
inflating: word/media/image3.pngThere’s some images, we found the flag in image0.png
FLAG
CTF{st0ck_cut3_p1c5}
javai
Overview
Author: symmetric
Description: Please look over this marketing document on our new JavAI mascot.
Another docx forensics file
$ file JavAI.docx
JavAI.docx: Microsoft Word 2007+when I check again using, hexedit it gave me the same PK signature
$ hexedit JavAI.docx
00000000 50 4B 03 04 14 00 00 08 08 00 47 B3 9D 58 AE B8 AA F1 73 02 PK........G..X....s.
00000014 00 00 0A 0D 00 00 12 00 00 00 77 6F 72 64 2F 6E 75 6D 62 65 ..........word/numbe
00000028 72 69 6E 67 2E 78 6D 6C B5 57 5B 8E 9B 30 14 5D 41 F7 80 90 ring.xml.W[..0.]A...
0000003C FA 99 00 09 79 14 0D 99 8F 8E A6 6A 35 AA AA E9 74 01 8E 71 ....y......j5...t..q
00000050 C0 1A 3F D0 B5 81 99 35 74 01 DD 5F 57 52 03 01 26 69 54 41 ..?....5t.._WR..&iTA
00000064 0A 3F 58 DC C7 B9 F7 D8 87 6B 71 73 FB C2 99 95 13 50 54 8A .?X......kqs.....PT.
00000078 D0 F6 E6 AE 6D 11 81 65 44 45 1C DA 3F 9E EE 67 5B DB 52 1A ....m..eDE..?..g[.R.
0000008C 89 08 31 29 48 68 BF 12 65 DF EE DE DD 14 81 C8 F8 9E 80 89 ..1)Hh..e...........
000000A0 B3 0C 84 50 01 C7 A1 9D 68 9D 06 8E A3 70 42 38 52 73 99 12 ...P....h....pB8Rs..
000000B4 61 9C 07 09 1C 69 F3 0A B1 C3 11 3C 67 E9 0C 4B 9E 22 4D F7 a....i.....<g..K."M.
000000C8 94 51 FD EA 2C 5C 77 6D 1F 61 64 68 67 20 82 23 C4 8C 53 0C .Q..,\wm.adhg .#..S.
000000DC 52 C9 83 2E 53 02 79 38 50 4C 8E 4B 93 01 7D EA D6 29 77 12 R...S.y8PL.K..}..)w.
000000F0 67 9C 08 5D 55 74 80 30 D3 83 14 2A A1 A9 6A D0 F8 B5 68 C6 g..]Ut.0...*..j...h.
00000104 99 34 20 F9 BF 48 E4 9C 35 71 45 DA A7 5A 04 A8 30 FB CC 59 .4 ..H..5qE..Z..0..Y
00000118 5D A8 90 10 A5 20 31 51 CA 58 EF 6A 67 8B E8 B9 3D 36 B0 84 ].... 1Q.X.jg...=6..
0000012C 68 33 FA B4 70 5A B3 E9 84 23 2A 5A 98 52 1D 67 40 6D ED B9 h3..pZ...#*Z.R.g@m..
00000140 A9 7D DC B4 0A AA 23 D2 ED 85 62 7D 1A A9 5D 0F 74 0F 08 5E .}....#...b}..].t..^
00000154 FF EE 02 5D B1 9F 6F F3 53 DA 4B C5 67 08 26 4B 67 D0 0A F2 ...]..o.S.K.g.&Kg...
00000168 1A 08 9C 20 D0 0D 00 BB 06 81 49 FC 4C A2 8F 48 E4 A8 15 73 ... ......I.L..H...s
0000017C 14 F7 92 F3 19 52 44 51 0C 88 77 22 55 83 4E D6 73 CF E4 F2 .....RDQ..w"U.N.s...
00000190 3D 41 29 E9 D0 E2 FF 43 FB 04 32 4B 3B B9 FB D7 A0 BD F9 02 =A)....C..2K;.......
000001A4 BD D5 30 80 45 03 B0 33 33 10 ED 95 06 84 F5 D7 8C 5B 27 6F ..0.E..33........['o
000001B8 9F 23 33 4C AB 10 96 33 E3 A2 66 09 6D B7 B2 98 71 0A DA D8 .#3L...3..f.m...q...
000001CC 72 C4 CA 20 67 57 0F D3 7B DE 1A 23 82 29 47 AC 76 99 CC 27 r.. gW..{..#.)G.v..'
000001E0 F2 D2 FA DE 7B F3 D6 FE 05 37 56 46 0E BA 36 A7 DF A0 5C A8 ....{....7VF..6...\.
000001F4 88 8C AF 34 87 F6 66 61 A6 7A 11 24 48 C4 D5 58 5F AE DD 32 ...4..fa.z.$H..X_..2
--- JavAI.docx --0x0/0x368DF--0%---------------------------------------------------------how about unzip again?
$ unzip JavAI.docx
Archive: JavAI.docx
inflating: word/numbering.xml
inflating: word/settings.xml
inflating: word/fontTable.xml
inflating: word/styles.xml
inflating: word/document.xml
inflating: word/_rels/document.xml.rels
inflating: _rels/.rels
inflating: word/theme/theme1.xml
inflating: word/media/image1.jpg
inflating: [Content_Types].xml
creating: META-INF/
extracting: META-INF/MANIFEST.MF
inflating: getflag.classNice! there’s a .class file
We gonna use jd-cli to decompile the java .class file
Before that, here’s my cheatsheet to simplifly execute jd-cli script command and added into ~/.bashrc environment.
Clone & Download JAR jd-cli Github Repo & jd-cli-1.2.1.jar
Add
jd-clito.bashrcenvironmentsudo nano ~/.bashrc
#jd-cli
function dec() {
java -jar ~/jd-cli-1.2.1/jd-cli.jar "$@";
}- Decompile & Run
dec JavAI.jar -od decompiled -ocAnd after that (here’s the optional, we can rename it .docx to .jar) if you want, or just execute it straight away
$ dec JavAI.jar -od decompiled -oc
18:55:24.925 INFO com.github.kwart.jd.cli.Main - Decompiling JavAI.docx
18:55:24.930 INFO com.github.kwart.jd.output.DirOutput - Directory output will be initialized for path decompiled2
public class getflag {
public static void main(String[] paramArrayOfString) {
System.out.println("CTF{javai_java_with_100x_ai}");
}
}
18:55:25.066 INFO com.github.kwart.jd.output.DirOutput - Finished with 1 class file(s) and 11 resource file(s) written.FLAG
CTF{javai_java_with_100x_ai}
sgai-1
Overview
Author: symmetric
Description: This image from the past may hold the key to our future survival if you can find the hidden flag! (This is flag 1 of 4)
I only solve this part one, and it just strings command
$ strings sgai.sgi | head
CTF{i_name_thee_flag}
" !
# !
> ? >
# % &
% # %
" $ #
!
! "
" "FLAG
CTF{i_name_thee_flag}
undelete
Overview
Author: symmetric
Description: Try out this file ‘undelete’ challenge! It comes with a walkthrough :-)
There are 3 ways for me to complete this challenge
- The first way is create a script to take the offset
PNGtoIENDfrom the chall file, here’s my script
1def extract_png(filename, start, end):
2 with open(filename, 'rb') as f:
3 f.seek(start)
4 png = f.read(end - start)
5 return png
6
7def save_png(png, output_filename):
8 with open(output_filename, 'wb') as f:
9 f.write(png)
10
11def main():
12 filename = 'floppy.img'
13 output_filename = 'floppy.png' # Output file name
14
15 # Offsets for the PNG file
16 start = 0x00004400 # PNG header offset
17 end = 0x0000ba00 # IEND chunk offset
18
19 png = extract_png(filename, start, end)
20 save_png(png, output_filename)
21
22if __name__ == '__main__':
23 main()- The second way is using FTK Imager to immediately gain the image, here’s the way I should do
- Open FTK Imager
- Add Evidence Item
- Select Source > Image File >
Next - Browse the
floppy.img>Finish - And expand all in Evidence tree section
- And the last of third way is, one and only CyberChef Extract Files Operation, this will produce the of
extracted_at_0x4400.pngfile
FLAG
CTF{144_mb_enough_for_anybody}
ztxt
And the last one that I solve is using exiftool or zsteg
Exiftool
$ exiftool ztxt.png
ExifTool Version Number : 12.40
File Name : ztxt.png
Directory : .
File Size : 39 KiB
File Modification Date/Time : 2024:05:04 05:14:08+07:00
File Access Date/Time : 2024:05:05 15:03:21+07:00
File Inode Change Date/Time : 2024:05:05 15:03:11+07:00
File Permissions : -rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 994
Image Height : 317
Bit Depth : 4
Color Type : Palette
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Palette : (Binary data 24 bytes, use -b option to extract)
Warning : [minor] Text/EXIF chunk(s) found after PNG IDAT (may be ignored by some readers)
Flag : CTF{zhis_zis_zhe_zlag}
Image Size : 994x317
Megapixels : 0.315using zsteg
$ zsteg ztxt.png
meta flag .. text: "CTF{zhis_zis_zhe_zlag}"
imagedata .. text: "UUUUUUUUUUUUUUVfffffwvfffffUUUVfUfffUUUUUUUUUEUVeUUUUUUfefeUVfffffVfffffffffffwvUUfffffgvfgvfffffVfgeUUfffUUfffffffffffffVfeUVfffgfffffffgvfffffgvgwwwwfgfwwwwwwwvfffgwvvffwwwwwwvffvffffffggegwvwffeUVfefffUUUVffffffffVfffffffffeUVgfgwffeVffffUUUVfffffffffffUUUfffeUVfffUUVffffUUUUUfffeUfffeUUUVfffffffffffVfVffeUVUUfffffffgfffffffgvfffffeVfffffffveUUffffffffffffefffUUUUUVUUUfeUVUVfgfwgwffffffUfUUUffffeUUffgveffeVffffVffffffwffeUUUUUUUUVfffffffffffffgwffffffffffffUffUfffffeUUfffffwffffffffffUUUff"
b2,r,lsb,xy .. file: 5View capture file
b2,r,msb,xy .. file: VISX image file
b2,b,lsb,xy .. text: "UUUUUUU]U"
b4,r,lsb,xy .. text: "UUUUUUU\\"
b4,r,msb,xy .. text: "wwwwwwwwwwwwww733333"
b4,g,lsb,xy .. text: ["3" repeated 20 times]
b4,b,lsb,xy .. text: "wwwwwwwwwwwwwwy"$ cat solve.sh
zsteg ztxt.png | grep -o 'CTF{[^}]*}'
exiftool ztxt.png | grep -o 'CTF{[^}]*}'
$ chmod +x solve.sh
$ ./solve.sh
CTF{zhis_zis_zhe_zlag}
CTF{zhis_zis_zhe_zlag}FLAG
CTF{zhis_zis_zhe_zlag}
Next
UTCTF 2024