BHIS CTF@Shmoocon 2019 - Feeling Blue?

-
I was lucky enough to score tickets to Shmoocon again and of course I was looking forward to working on a CTF while I was there. Black Hills Information Security had organized a CTF to run at Shmoo which made me super happy as I have a lot of respect for them and was excited to see what they had in store for us players.

Unfortunately, I had to work most of Friday and leave first thing Sunday morning. This left me with only a handful of hours on Saturday to compete as I balanced my time with other con activities.

My coworker, Wole, joined the team and together we reached as high as 13th place in just a few hours. The final scoreboard was still hidden at the time of this writing, but I have a feeling we got knocked down a few spots.

The CTF was powered by MetaCTF and the challenges were categorized as follows:
  • Cryptography
  • Reconnaissance
  • Web Exploitation
  • Reverse Engineering
  • Forensics
  • Other
One challenge that I thought would make for a good blog post to write on the train home was called: "Feeling Blue?"

The challenge provided picasso.zip file that contained the following five images:

picasso.zip contents.

Each image contained a flag and after finding them all you had to put them together to solve the challenge. 

Let's go over them in order.

le_block.jpg

# binwalk le_bock.jpg 

 DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, EXIF standard
12            0xC             TIFF image data, big-endian, offset of first image directory: 8

 # dd if=le_bock.jpg of=le_block.1 skip=12 bs=1

 # strings le_block.1 | head
flag-part1{azul_}
$3br
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
#3R
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
[i76
Dra#
4}SX
#?gX5
j7Vw

portrait_of_soler.jpg

This one was obtained simply by looking at it. I'm guessing that I could have made it easier on myself by adjusting the images colors or adding a filter in gimp, but I was able to make out the flag by looking at it.

See it? 

the_old_guitarist.jpg

For this one I used binwalk again, to find the offset to skip, and then ran the following dd command:
# dd if=the_old_guitarist.jpg of=out.exe skip=809472 bs=1
I then copied out.exe to a Windows machine and then ran it.

Flag

the_blindmans_meal.jpg

After staring at this image for far too long, I figured one of the images would be a stego challenge.
I ran through a few different stego tools but had success with the check_jpg.sh script that came with stego-toolkit.

To install it, I simply ran: # git clone https://github.com/DominicBreuker/stego-toolkit.git
I then used the check_jpg.sh script under the scripts directory and ran it against the_blindmans_meal.jpg as seen below:
# ./check_jpg.sh ../../Downloads/blue/the_blindmans_meal.jpg
<snip>
##############################
########## steghide ##########
##############################
wrote extracted data to "flag.txt".
<snip>

# cat flag.txt 
flag-part4{v!si0n_}

the_tragedy.gif

# binwalk the_tragedy.gif 

 DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             GIF image data, version "87a", 1778 x 2731
4054838       0x3DDF36        Zip archive data, at least v2.0 to extract, compressed size: 60, uncompressed size: 64, name: flag.txt
4054990       0x3DDFCE        End of Zip archive, footer length: 22

 # cp the_tragedy.gif the_tragedy.zip
# unzip the_tragedy.zip 
Archive:  the_tragedy.zip
warning [the_tragedy.zip]:  4054838 extra bytes at beginning or within zipfile
  (attempting to process anyway)
  inflating: flag.txt                
# cat flag.txt 
R29vZCBqb2IhIEhlcmUgaXMgdGhlIGZsYWc6IGZsYWctcGFydDV7dHI0ZyFjfQ==
# cat flag.txt | base64 -d 
Good job! Here is the flag: flag-part5{tr4g!c}

Now that we had all five parts, I put them together to make: azu1_barc3lona_str1ng5_v!si0n_tr4g!c for 300 points.

Thanks to Black Hills for putting on this CTF. I wish I had more time to dedicate to it, but I had a lot of fun and even got some practice in using volatility.

-strupo_

Popular posts from this blog

The Audacity of Some CTFs

-
Image
2021 Update : This is currently the most read post on our blog. Chances are that you are here because you are working on an audio challenge. If you see something looking like a digital signal, be sure to also check out our Radioactive Man write-up. I have stumbled across a few audio files while competing in CTFs over the last few years and I thought covering spectrograms would make a nice and quick blog post. Flags can manifest themselves in many ways when dealing with media files. One of the most common ways I have seen is by hiding them, or clues to find them, in the file's audio spectrogram. According to wikipedia: "a spectrogram is a visual representation of the spectrum of frequencies of sound, or other signals, as they vary with time." Basically, it is a method to visualize sound and signals. I first learned that you can embed hidden messages and images in a spectrogram when a friend showed me an image from an Aphex Twin song some years ago. Equation by ...
Read more

2020 HTH CTF - Cloud Challenges

-
Image
Last weekend, @strupo_ joined team NiSec to participate in the HTH 2020 CTF  and together they got on the podium in third place! 2020 HTH CTF - Final Scoreboard The challenge categories included:  Cloud Crypto Forensics Kali 101  Misc Pwnables Recon Reverse Engineering Steganography Web Recently, strupo_ was fortunate enough to remotely attend  Breaching the Cloud Perimeter w/Beau Bullock . As cloud testing is still very new to him, and this blog tends to focus on introductory concepts and challenges, we thought it would be appropriate to try and tackle all of the cloud challenges in this post. Okay, let's get into it. The Cloud category had three challenges: BucketList (100) OhSnap! (150) Serving Less (250) BucketList Hey guys! I set up an AWS bucket for this year's hth that we can use to store our flags for the ctf. I think I made the bucket private but I'm not very good at this cloud stuff. Send me a message if I need to edit the permissions. Hint:...
Read more

DEF CON 26 - IoT Village - SOHOpelessly Broken CTF

-
Image
Welcome Thrillhouse Group competed in the SOHOpelessly Broken CTF in the IoT Village at DEF CON 26 this year. None of the actual team, aside from myself, was able to make it this year. So, I requested the help of my colleagues and "Mitch" was keen to help. Together, we reached 14th place by the end of Saturday with 9k points. WTG's Score by End of Saturday As you can see, we had a couple issues submitting flags. For this CTF, flags were typically the MD5 of something under /dev or something like a clear text password. When our flags failed to submit, we worked with the organizers and chalked it up to someone modifying the flag files so that the MD5 would change. These issues had no impact on our score, accomplished nothing, was a jerk-move, and as can be seen below; was against the rules: IoT CTF Rules and Hints The CTF consisted of 22 challenges based on the 22 devices seen below: IoT CTF Device Challenges WTG successfully completed the challe...
Read more