
HxD


A PNG file is appended to the end of the JPG file.

flag{0n3_1m4g3_1s_n0t_3n0ugh}


search "flag{"


usbhid.data

https://github.com/TeamRocketIst/ctf-usb-keyboard-parser

 



base64




hex to ascii


magic hash

?hash=QNKCDZO


 

change cookie value

base64 encoded

guest -> admin


base64 decode


OSINT

 

where.png

 

 

Use an image search engine to find a similar one.

 

Get keyword; Berlin, TV TOP.

 

Then find a building with a flag on top.

 

View the surroundings through Google Maps Roadview near TV Top.

 

 

good


Secret Document - Forensics

 

A Classified.docx file is given.

However, this file is not a docx file.

It is a pcap file.

 

Rename .docx to .pcapng, then convert pcapng to pcap (https://pcapng.com/) so that it can be opened in NetworkMiner.

 


 

Open Projan.pcap with NetworkMiner.

Windows Defender detects malware.

 

Upload goog1e_born_help.exe to VirusTotal.

ponmocup


ImposterApp - forensics

A memdump file is given.

imageinfo

Win8SP0x64

 

pstree

chrome, ie, cmd, powershell, calc

-> chromehistory, iehistory, cmdscan, clipboard ... : nothing

 

R-studio

calc.exe is suspicious.

procdump -p 2816

 

flag.


Forensics

What App is on Fire?

 

Open chall.E01 with FTK Imager

In Recycle.Bin, I found meaningful data in two txt files.

and

But there is a flag.txt (not flaag.txt) in Desktop/ and it has a fake flag.

Likewise, there is only a zero-size flag.bmp in Documents/my content/ .

So, I used NTFS log tracker to find the location where flaag.txt and credentials.txt were moved.

$RVL2F46.txt was flaag.txt

and it's a fake flag :) hehe.

 

Next!

credentials.txt was zipped and renamed to $R002W8L.txt (moved to Recycle.BIN).

credentials.zip was deleted.

 

and $R002W8L.txt is zero size in given E01 file.

 

flag.bmp is meaningless.

haha :)

 

 

IE history modified log between credentials.txt logs.

 

IE history :

hmmmmmm..............

--------

[add something after ctf ends.]

Why was I stuck on that credentials.zip / .txt... Even the challenge title hints that WhatsApp is what to use.

 

First, investigate the chats in the WhatsApp messages DB.


--------

Next! I checked the Firefox history.

I think flag is in there.

 

But it needs an id and pw.

 

id and pw were stored in logins.json and they were encrypted.

To decrypt them, 

create new profile

move logins.json and key4.db to new profile folder

 

start firefox

 

yeah!

 

?????????????

 

 

Oh, another login page is at ./ and I used the same account to log in.

Then I got half of the flag.

 


babycrypto1

 

 

I tried to write this in English, but it doesn't come easily...

 

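The cipher text of the test command is given,

and there is a function that lets you enter an IV and create a cipher text using the same AES key.

On line 50 the token is used as-is, so the earlier blocks can be kept unchanged and only the last block, which contains just the command, needs to be considered.

Changing the last block changes only the last block of the cipher text, so use this to create an encrypted block containing "show" and swap it in.

If you treat the value that is XORed with the plain text when the last block is built as the IV, that IV is the value of the (N-1)th cipher text block.

Set the plain text to "show" and the IV to the last block of the cipher text to create one cipher text block,

then put it in place of the last block of the test command cipher text that was given at the start.

During decryption the earlier blocks are unchanged, so the token decrypts as before and the last block decrypts to show.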


babycrypto2

 

 

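The differences from 1 are that COMMAND has moved to the very first block and that there is no encryption step.

Changing an earlier cipher text block also affects the block after it, so swapping blocks does not work.

However, looking at the decryption process, the first block is XORed with the IV after the block cipher decryption.

And we can supply the IV used for decryption. Change this IV so that the first plaintext block becomes the value we want. The ciphertext is used as-is, so the output of the block cipher decryption is fixed.

In the original decryption, the IV is the IV provided at the start, the output of the block cipher decryption is IV xor plaintext(test), and the IV that produces the plaintext we want is IV xor plaintext(test) xor plaintext(show).

Note that when building plaintext(show) you have to account for the PREFIX value in front and the 3 bytes of token behind it.

Build the IV this way and submit IV + data for decryption.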
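
The two CBC properties used in babycrypto1 and babycrypto2, shown together with the encrypt-then-MAC check that detects both changes. This is an added example, not the challenge code: a toy Feistel block cipher stands in for AES so it runs with the standard library only, and the keys, token bytes, padding and the "Command: " prefix layout are constructed assumptions.

```python
import hashlib, hmac
BS, KEY, MAC_KEY = 16, b"k" * 16, b"m" * 16   # constructed demo keys

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(rnd, half):                             # Feistel round function
    return hashlib.sha256(KEY + bytes([rnd]) + half).digest()[:8]

def enc_block(blk):        # toy 4-round Feistel standing in for AES (assumption)
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, xor(l, _f(i, r))
    return l + r

def dec_block(blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(i, l)), l
    return l + r

def cbc_encrypt(iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BS):
        prev = enc_block(xor(pt[i:i + BS], prev))
        out += prev
    return out

def cbc_decrypt(iv, ct):
    blocks = [iv] + [ct[i:i + BS] for i in range(0, len(ct), BS)]
    return b"".join(xor(dec_block(c), p) for p, c in zip(blocks, blocks[1:]))

def tag(iv, ct):                               # encrypt-then-MAC over IV || ciphertext
    return hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()

def demo():
    iv, token = b"\x00" * BS, b"T" * BS        # constructed sample values
    test, show = b"test" + b"\x0c" * 12, b"show" + b"\x0c" * 12
    # babycrypto1: C_n depends only on P_n and C_(n-1), so only the last block changes
    ct = cbc_encrypt(iv, token + test)
    swapped = ct[:-BS] + cbc_encrypt(ct[-2 * BS:-BS], show)
    # babycrypto2: D(C_1) is fixed, so IV' = IV xor P_test xor P_show
    p_test, p_show = b"Command: testTTT", b"Command: showTTT"   # assumed layout
    ct2 = cbc_encrypt(iv, p_test + token)
    iv2 = xor(xor(iv, p_test), p_show)
    # Mitigation: a MAC over IV || ciphertext stops matching after either change
    ok = [hmac.compare_digest(tag(iv, ct), tag(iv, swapped)),
          hmac.compare_digest(tag(iv, ct2), tag(iv2, ct2))]
    return cbc_decrypt(iv, swapped), cbc_decrypt(iv2, ct2), ok
```

`demo()` returns the two decrypted plaintexts and the MAC comparison results; a service that verifies the tag before decrypting rejects both modified inputs.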


Forensics

Stegano

Anime is love

There is a zip file at the end of the jpg file (after the jpg file footer signature).

Fix the header signature.

It is encrypted, so find the password using ARCHPR with rockyou.txt, a dictionary file for dictionary attacks.

 

flag.txt

It is a pdf file

and it's locked.

good.


Telephone

github.com/ribt/dtmf-decoder

 


convert m4a to wav to use dtmf-decoder

 

hmm...


b1n4rY

bin to hex

make a file "a.data"

open with GIMP

scan it!

 


Web

Sanity Check 2

at ./

base64 -> ascii -> caesar cipher


C is hard

bof

ez


Forensics

SHIFT

anyconv.com/ko/png-to-raw-byeonhwangi/

 


png to bmp

 

rename .bmp to .data

 

open with GIMP

 

width 5261

 


Doubly Deleted Data


Sandwiched

There are several pdf files, and there is a jpg file in between them.

 

However, jpg's footer signature can be found far away.

There are parts of the jpg file between the pdf files.

 

The extracted jpg file had a flag.

 


OSINT Part 1

 

search name in twitter


OSINT Part 2

 

google image search

 


Small P Problems

Diffie–Hellman

github.com/DrMMZ/Attack-Diffie-Hellman/blob/master/AttackDH.py

 



Beginner

Various Vernacular

quipqiup.com/

 

