2019 Stonecutters - The Bus that Couldn't Slow Down

-
This year has been...something else. Our CTF participation has almost completely evaporated with the exception of joining Neutrino_Cannon for the 2020 RTV CTF at Defcon 28. That was an experience we won't soon forget. We also won 6 months of HTB Pro Labs access. Now, if only we had more time to do it!

Also, the Stonecutters CTF creator left to start a company or something and so our annual private CTF as we have known and loved is no more. A replacement was established, however, we don't think that we have permission to write anything up yet. 

It has been hard to juggle work/home life during the pandemic and find time to dedicate towards CTFs and off-the-clock professional development that's worth blogging about. We certainly don't want this blog to die anytime soon so we went through our drafts and found a few posts that we should clean up and publish pretty soon. So, without further ado, here is one of them!

I forget what the name of the challenge was exactly but I think it was called the bus that couldn't slow down. 

The Bus That Couldn't Slow Down

Let's get into it.

This challenge was an animated gif that flashed QR codes in a loop.

The first goal was to break up the gif into individual frames so that we could scan each QR code. A quick google search later and we found how to do it with convert. The following command created a total of 83 png files:

# convert -coalesce qr.gif out.png

Then, we needed a CLI tool that would read each QR code and append the text to a file.
For that task, we found and used zbarimg.

To install: # apt-get install zbar-tools

Then, we tested it by reading the out-82.png file which looked like this:

# zbarimg out-82.png
QR-Code:0L+AjS39CixqeFrAAAAAElFTkSuQmCC
scanned 1 barcode symbols from 1 images in 0.07 seconds

The help information for zbarimg informed us that we could clean up the output by using the --raw and -q options to remove the "QR-Code:" prefix as well as the timing information. 

To produce a file that contained all of the strings, we used the following for-loop:

# for i in {0..82}; do zbarimg --raw -q out-$i.png >> qr.txt;done

Then, we removed all of the new lines from the output file to make it one long line with the following command: 

# sed ':a;N;$!ba;s/\n//g' qr.txt

The output looked like base64 encoded data, and though we could have easily piped it to base64 -d -w0, we expected a more CTFy challenge with multiple encoding types so we pasted the base64 blob into Cyberchef and decoded it. The output looked like this:

.PNG
.
...
IHDR... ... .....ó.;Å....IDATx.í.KvâH.EI3À3.
<SNIP>

The magic bytes indicated that this was a PNG file with no other encoding/encryption done to it, so we used Cyberchef's save output feature to obtain the final image:

83 QR Codes Read, Stitched, and Decoded.

To wrap this one up, we simply used zbarimg again to capture the flag:

# zbarimg quick.png
QR-Code:flag{Look into my QR codes. You are getting sleepy. Sleepy. Sleeeeeeeeepy.}
scanned 1 barcode symbols from 1 images in 0.08 seconds

Though this was an easier challenge, it is important to note that QR codes coupled with command line tools can impact offensive security tests in a meaningful way. For example using them to circumvent DLP solutions, bridge air-gapped systems, or to add a twist to a social-engineering campaign. A CTF challenge like this can get the creative juices flowing! 

Thanks for reading!
@strupo_

Find us on Twitter: @teamWTG

Popular posts from this blog

The Audacity of Some CTFs

-
Image
2021 Update : This is currently the most read post on our blog. Chances are that you are here because you are working on an audio challenge. If you see something looking like a digital signal, be sure to also check out our Radioactive Man write-up. I have stumbled across a few audio files while competing in CTFs over the last few years and I thought covering spectrograms would make a nice and quick blog post. Flags can manifest themselves in many ways when dealing with media files. One of the most common ways I have seen is by hiding them, or clues to find them, in the file's audio spectrogram. According to wikipedia: "a spectrogram is a visual representation of the spectrum of frequencies of sound, or other signals, as they vary with time." Basically, it is a method to visualize sound and signals. I first learned that you can embed hidden messages and images in a spectrogram when a friend showed me an image from an Aphex Twin song some years ago. Equation by
Read more

Code Name: Treehouse of Horror CTF

-
Image
A friend of mine asked me if I wanted to participate, on the sly, in an internal CTF that he put together for his employer. My score wouldn't be shown, and for all intents and purposes I did not compete. I figured I'd give it a code name incase I need to refer to this event. Let's call it the Treehouse of Horror CTF. The Treehouse of Horror CTF! The scoreboard appeared to be similar to the one used at the Defcon 26 IoT CTF, however this one was organized by challenge which made things nice for tracking your own progress versus one huge board of challenges.  I think this is called Jeopardy style. There were some odd moments at times because different challenge groups shared a target, so you had to identify which flag went with which challenge. Really not that big of a deal and I actually really enjoyed the format rather than just a single submit field like at derby or Eversec's CTF as it helped me track my progress with ease. The challenges were: FreePBX Re
Read more

DEF CON 26 - IoT Village - SOHOpelessly Broken CTF

-
Image
Welcome Thrillhouse Group competed in the SOHOpelessly Broken CTF in the IoT Village at DEF CON 26 this year. None of the actual team, aside from myself, was able to make it this year. So, I requested the help of my colleagues and "Mitch" was keen to help. Together, we reached 14th place by the end of Saturday with 9k points. WTG's Score by End of Saturday As you can see, we had a couple issues submitting flags. For this CTF, flags were typically the MD5 of something under /dev or something like a clear text password. When our flags failed to submit, we worked with the organizers and chalked it up to someone modifying the flag files so that the MD5 would change. These issues had no impact on our score, accomplished nothing, was a jerk-move, and as can be seen below; was against the rules: IoT CTF Rules and Hints The CTF consisted of 22 challenges based on the 22 devices seen below: IoT CTF Device Challenges WTG successfully completed the challe
Read more