IEEE CTF 3.0 Reverse Engineering, OSINT, and Misc

0m@rD3CRYPT{X86}

w3lcome (RE) :

First of all, download the file and check its type:

It seems to be a PE32 Mono/.NET assembly, so disassemble it with Ghidra to get more details:

There is nothing useful in the entry function, so we are going to load it in dnSpy to show the main function in C#:

The main function:

using System;
using System.Text;

namespace w3lcome
{
    // Token: 0x02000002 RID: 2
    internal class Program
    {
        // Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
        private static void Main(string[] args)
        {
            Console.WriteLine("Welcome to IEEE authenticator v1.0.0");
            Console.Write("Enter your password: ");
            string text = Console.ReadLine();
            if (text.Length != 15)
            {
                Console.WriteLine("Sorry, wrong password!");
                return;
            }
            int num = 0;
            foreach (char value in text)
            {
                num += Convert.ToInt32(value);
            }
            int num2 = (new Random().Next() + text.Length * num) % 255;
            Program program = new Program();
            byte[] array = new byte[program.secret.Length];
            for (int j = 0; j < array.Length; j++)
            {
                array[j] = (byte)((int)program.secret[j] ^ num2);
            }
            Console.WriteLine("Here is your token " + Encoding.UTF8.GetString(array));
        }

        // Token: 0x04000001 RID: 1
        public byte[] secret = new byte[]
        {
            210, 222, 222, 222, 224, byte.MaxValue, 171, 239, 245, 168,
            239, 196, 254, 168, 225, 226, 196, 227, 171, 233,
            196, 236, 170, 239, 243, 196, 247, 170, 246, 170,
            239, 168, byte.MaxValue, 196, 240, 168, 226, 232, 235, 250,
            248, 254, 230
        };
    }
}

As it seems, the password should be 15 characters long. The program converts each character to an integer using Convert.ToInt32() and adds it to num, then calculates a value num2 by adding a random number to the product of the password length and num and taking the result modulo 255.

It then iterates through each element of the secret field and performs an XOR operation with num2, storing the result in the corresponding element of the array.

I did some kind of script in Python to brute-force the password to give me the right token:

import itertools
import random
import string

# XOR-encoded token bytes copied from Program.secret (byte.MaxValue = 255)
secret = [
    210, 222, 222, 222, 224, 255, 171, 239, 245, 168,
    239, 196, 254, 168, 225, 226, 196, 227, 171, 233,
    196, 236, 170, 239, 243, 196, 247, 170, 246, 170,
    239, 168, 255, 196, 240, 168, 226, 232, 235, 250,
    248, 254, 230
]

def generate_passwords():
    # Lazily yield every 15-character alphanumeric candidate
    for password_tuple in itertools.product(string.ascii_letters + string.digits, repeat=15):
        yield ''.join(password_tuple)

for password in generate_passwords():
    if len(password) != 15:
        continue

    # Same arithmetic as Main(): sum of the character codes
    num = sum(ord(c) for c in password)

    # Stand-in for new Random().Next()
    random_value = random.randint(0, 255)
    num2 = (random_value + len(password) * num) % 255

    # XOR every secret byte with the candidate key
    token = ''.join(chr(secret[i] ^ num2) for i in range(len(secret)))

    # Stop at the first candidate that decodes to the flag format
    if token.startswith("IEEE{") and token.endswith("}"):
        print(f"Found flag: {token}")
        break

And I got the Flag !!

The flag is :

IEEE{d0tn3t_e3zy_x0r_w1th_l1m1t3d_k3yspace}
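
The password only feeds num2, and num2 is a single value XORed into every byte of secret, so the key can be searched or derived directly without guessing passwords. The following Python code is an added example, not part of the original write-up: SECRET and the IEEE{ prefix are taken from the page, and the function names are illustrative.

```python
# Added example (not the author's script): recover the XOR key without guessing passwords.
# SECRET is Program.secret from the decompiled Main() on this page (byte.MaxValue = 255).
SECRET = bytes([
    210, 222, 222, 222, 224, 255, 171, 239, 245, 168,
    239, 196, 254, 168, 225, 226, 196, 227, 171, 233,
    196, 236, 170, 239, 243, 196, 247, 170, 246, 170,
    239, 168, 255, 196, 240, 168, 226, 232, 235, 250,
    248, 254, 230,
])
KNOWN_PREFIX = b"IEEE{"  # flag format shown on the page


def xor_bytes(data, key):
    """XOR every byte with the same one-byte key, as the loop in Main() does."""
    return bytes(b ^ key for b in data)


def brute_force_keys(secret=SECRET, prefix=KNOWN_PREFIX):
    """Try all 256 byte values (a superset of what `% 255` can produce)."""
    hits = []
    for key in range(256):
        plain = xor_bytes(secret, key)
        if plain.startswith(prefix) and plain.endswith(b"}"):
            hits.append((key, plain.decode("ascii")))
    return hits


def key_from_known_plaintext(secret=SECRET, prefix=KNOWN_PREFIX):
    """key = cipher ^ plain; every known byte must give the same key."""
    keys = {c ^ p for c, p in zip(secret, prefix)}
    if len(keys) != 1:
        raise ValueError("data is not a single-byte XOR of the expected prefix")
    return keys.pop()


if __name__ == "__main__":
    for key, token in brute_force_keys():
        print(f"key={key} token={token}")
    print("key from known plaintext:", key_from_known_plaintext())
```

Both functions agree on one key, which shows why a static secret protected by a one-byte XOR gives no real protection once the binary can be decompiled.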

secret (Misc) :

I downloaded a zip file and it was locked. I wanted to see the encryption method of the zip file, so I used the 7z tool and this command:

7z l -slt secret.zip

and I got this :

The method is ZipCrypto Store, so I used a tool called bkcrack and got the keys:

And then I used them to crack the zip file and take the flag:

The flag is :

IEEE{H0W_Y0U_G0T_M33333333333333?}

Kataceto (OSINT):

The challenge was all about the last place the hacker was in, and I downloaded the following photo:

After using all the OSINT Framework tools, I got nothing useful, but if you focus you will see bazooka and some Arabic words, so the picture is most likely in Egypt. After some searching on bazooka I got nothing useful, but after searching on Cup&Task I got this:

So it's in Al-Shorouk. After trying to submit it that way I got a wrong answer, so I tried EL Shorouk and got it right!!!

The flag is :

IEEE{EL-Shorouk}

I hope you enjoyed it !!
