BHIS CTF@Shmoocon 2019 - Feeling Blue?

I was lucky enough to score tickets to Shmoocon again and of course I was looking forward to working on a CTF while I was there. Black Hills Information Security had organized a CTF to run at Shmoo which made me super happy as I have a lot of respect for them and was excited to see what they had in store for us players.

Unfortunately, I had to work most of Friday and leave first thing Sunday morning. This left me with only a handful of hours on Saturday to compete as I balanced my time with other con activities.

My coworker, Wole, joined the team and together we reached as high as 13th place in just a few hours. The final scoreboard was still hidden at the time of this writing, but I have a feeling we got knocked down a few spots.

The CTF was powered by MetaCTF and the challenges were categorized as follows:
  • Cryptography
  • Reconnaissance
  • Web Exploitation
  • Reverse Engineering
  • Forensics
  • Other
One challenge that I thought would make for a good blog post to write on the train home was called: "Feeling Blue?"

The challenge provided a picasso.zip file that contained the following five images:

picasso.zip contents.

Each image contained a flag and after finding them all you had to put them together to solve the challenge. 

Let's go over them in order.

le_block.jpg

# binwalk le_bock.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, EXIF standard
12            0xC             TIFF image data, big-endian, offset of first image directory: 8

# dd if=le_bock.jpg of=le_block.1 skip=12 bs=1

# strings le_block.1 | head
flag-part1{azul_}
$3br
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
#3R
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
[i76
Dra#
4}SX
#?gX5
j7Vw

portrait_of_soler.jpg

This one was obtained simply by looking at it. I'm guessing that I could have made it easier on myself by adjusting the image's colors or adding a filter in GIMP, but I was able to make out the flag just by looking at it.

See it? 

the_old_guitarist.jpg

For this one I used binwalk again to find the offset to skip, then ran the following dd command:
# dd if=the_old_guitarist.jpg of=out.exe skip=809472 bs=1
I then copied out.exe to a Windows machine and ran it.

Flag

the_blindmans_meal.jpg

After staring at this image for far too long, I figured one of the images would be a stego challenge.
I ran through a few different stego tools but had success with the check_jpg.sh script that came with stego-toolkit.

To install it, I simply ran: # git clone https://github.com/DominicBreuker/stego-toolkit.git
I then used the check_jpg.sh script under the scripts directory and ran it against the_blindmans_meal.jpg as seen below:
# ./check_jpg.sh ../../Downloads/blue/the_blindmans_meal.jpg
<snip>
##############################
########## steghide ##########
##############################
wrote extracted data to "flag.txt".
<snip>

# cat flag.txt 
flag-part4{v!si0n_}

the_tragedy.gif

# binwalk the_tragedy.gif 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             GIF image data, version "87a", 1778 x 2731
4054838       0x3DDF36        Zip archive data, at least v2.0 to extract, compressed size: 60, uncompressed size: 64, name: flag.txt
4054990       0x3DDFCE        End of Zip archive, footer length: 22

# cp the_tragedy.gif the_tragedy.zip

# unzip the_tragedy.zip 
Archive:  the_tragedy.zip
warning [the_tragedy.zip]:  4054838 extra bytes at beginning or within zipfile
  (attempting to process anyway)
  inflating: flag.txt                
# cat flag.txt 
R29vZCBqb2IhIEhlcmUgaXMgdGhlIGZsYWc6IGZsYWctcGFydDV7dHI0ZyFjfQ==
# cat flag.txt | base64 -d 
Good job! Here is the flag: flag-part5{tr4g!c}
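The three file-carving steps in this writeup (le_block.jpg, the_old_guitarist.jpg and the_tragedy.gif) are the same technique: spot a known magic sequence at a non-zero offset, slice the file from there, and look at what comes out. The script below is an added example, not code from the original post or from BHIS/MetaCTF, that does those binwalk + dd + strings + unzip + base64 steps in plain Python and generalizes a little (it scans for several magics at once and carves at any offset). The sample file it works on is constructed inline: a GIF87a header plus zero filler (not a decodable image) with a zip containing a base64-encoded flag appended, mirroring the_tragedy.gif. The short signature table is a hand-picked subset for this challenge, not binwalk's database.

```python
import io
import zipfile
import base64

# Magic bytes for the container types met in this challenge. Constructed,
# deliberately short list, not a general signature database.
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG image data",
    b"GIF87a": "GIF image data, version 87a",
    b"GIF89a": "GIF image data, version 89a",
    b"MM\x00\x2a": "TIFF image data, big-endian",
    b"II\x2a\x00": "TIFF image data, little-endian",
    b"PK\x03\x04": "Zip archive data (local file header)",
    b"PK\x05\x06": "End of Zip archive",
}


def scan(data):
    """List (offset, description) for every signature hit, sorted by offset,
    roughly what binwalk's DECIMAL/DESCRIPTION columns show."""
    hits = []
    for magic, desc in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, desc))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def carve(data, offset, length=None):
    """Same slice as `dd if=... skip=<offset> bs=1 [count=<length>]`."""
    end = None if length is None else offset + length
    return data[offset:end]


def ascii_strings(data, min_len=4):
    """Minimal `strings`: runs of printable ASCII of at least min_len bytes."""
    found, run = [], bytearray()
    for byte in data:
        if 32 <= byte < 127:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def extract_appended_zip(data):
    """Read a zip that follows other data (the 'extra bytes at beginning'
    case unzip warned about). zipfile locates the end-of-central-directory
    record and rebases the member offsets, so no manual carving is needed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def solve_tragedy(data):
    """Full chain for the_tragedy.gif: find the zip, pull flag.txt, base64-decode."""
    files = extract_appended_zip(data)
    return base64.b64decode(files["flag.txt"]).decode("ascii")


def build_sample():
    """Constructed stand-in for the_tragedy.gif: a GIF87a header plus filler
    (not a decodable image) with a zip holding a base64 flag appended."""
    gif_prefix = b"GIF87a" + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("flag.txt", base64.b64encode(
            b"Good job! Here is the flag: flag-part5{tr4g!c}"))
    return gif_prefix + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    for offset, desc in scan(sample):
        print(f"{offset:<10} {hex(offset):<10} {desc}")
    print(carve(sample, 70, 4))
    print(solve_tragedy(sample))
```

Run it as-is and it prints a binwalk-style table for the sample (GIF header at 0, zip local header at 70, end of archive at the tail), the four carved bytes at offset 70, and the decoded flag line. For a real file, replace build_sample() with open(path, "rb").read(); the scan is a plain substring search, so short magics will produce false positives in large binaries, which is exactly why binwalk validates headers before reporting them.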

Now that we had all five parts, I put them together to make: azu1_barc3lona_str1ng5_v!si0n_tr4g!c for 300 points.

Thanks to Black Hills for putting on this CTF. I wish I had more time to dedicate to it, but I had a lot of fun and even got some practice in using volatility.

-strupo_
