ROOTCON Easter Egg Hunt 2017 – Write-Up


Hello!

Hey, readers!

After a gruesome yet fulfilling week at work, I finally found the time to write again! This time, I’ll write about an Easter Egg Hunt that I participated in last 15th of April, 2017.

This “egg hunt” was made by the awesome people from ROOTCON in preparation for ROOTCON 11, which will be held at the Taal Vista Hotel-Tagaytay on September 21–22, 2017. (I’m attending, so see you there!)


Introduction

I arranged this write-up according to their order of completion. I started egg hunting on the evening of April 15 (Saturday) and completed it on the morning of Easter Sunday — April 16.

Welcome to my write-up!

To start, browsing the URL of the egg hunt gives us this page:

So I proceeded to download everything I could download from the links that were provided.


Egg 1

First things first, let’s identify the file egg1:

$ file egg1

…and run strings on it:

$ strings egg1
It looks like a base64-encoded string, doesn’t it?

Converting it using the following command:

$ echo "ZmxhZyBpc3tzNGJ5Y2dxb2hqfQ==" | base64 -d

Results in the following string, which is the first flag:

flag_is{s4bycgqohj}

Egg 2

As per usual routine, I ran the file command on the file egg2:

$ file egg2

The strings command gave me the following strings of interest (if I may):

N U M B E R S A N D L E T T E R S

Since it’s an ELF file, let’s give it the necessary permissions to run:

$ chmod +x egg2

Before anything else, let’s disassemble it using this command:

$ objdump -D egg2 > egg2.asm

(which translates to: disassemble all sections of egg2, not only the ones expected to hold code, and write the output into an assembly file: egg2.asm)

Open the file using my favorite text editor:

$ nano egg2.asm
The flag functions
The main function

Take note of the addresses of the functions as they will be useful later.

Now that we took note of the addresses, let’s try to run and trace the program:

$ gdb egg2

A series of j (short for jump) commands in gdb, pointed at the flag function addresses noted earlier, will help us get the fragments of our flag:

666c61675f69737b336d62716f317671726a7d

Converting it using this command:

$ echo "666c61675f69737b336d62716f317671726a7d" | xxd -r -p

Gives us our second flag:

flag_is{3mbqo1vqrj}
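Eggs 1 and 2 both came down to the same routine: pull the printable strings out of a file, notice that one of them is encoded, and decode it. The script below is an added example, not part of the original write-up, that automates that routine: a minimal re-implementation of the strings utility (runs of four or more printable ASCII bytes), followed by a classifier that tries hex and base64 on each candidate and keeps only decodes that are printable text. The input blob is constructed for the example; it embeds the two encoded strings from the page between some binary junk. Note that base64 -d on the page’s string prints flag is{s4bycgqohj} with a space where the submitted flag has an underscore.

```python
import base64
import binascii
import re

# Printable ASCII, the same byte range the `strings` utility looks for.
PRINTABLE = set(range(0x20, 0x7F))

# Constructed sample "binary": an ELF-looking header, the base64 string from
# egg1, the hex string from egg2, and a plain string, separated by junk bytes.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"ZmxhZyBpc3tzNGJ5Y2dxb2hqfQ==" + b"\x00\x90\x90"
    + b"666c61675f69737b336d62716f317671726a7d" + b"\x00"
    + b"NUMBERS AND LETTERS" + b"\x00"
)


def extract_strings(data, min_len=4):
    """Minimal `strings`: return runs of at least min_len printable bytes."""
    out, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:          # flush a run that ends at EOF
        out.append(run.decode("ascii"))
    return out


BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def try_decode(s):
    """Return (encoding, text) pairs for every decoding that yields printable text.

    Hex is tried first because a hex string is also valid base64 alphabet;
    the length checks (even for hex, multiple of 4 for base64) and the
    printable filter discard decodes that are merely syntactically valid.
    """
    results = []
    if HEX_RE.match(s) and len(s) % 2 == 0:
        try:
            text = bytes.fromhex(s).decode("ascii")
            if text.isprintable():
                results.append(("hex", text))
        except (ValueError, UnicodeDecodeError):
            pass
    if BASE64_RE.match(s) and len(s) % 4 == 0:
        try:
            text = base64.b64decode(s, validate=True).decode("ascii")
            if text.isprintable():
                results.append(("base64", text))
        except (binascii.Error, UnicodeDecodeError):
            pass
    return results


def find_flags(data, marker="flag"):
    """Run strings + decoders over a blob; keep decodes containing the marker."""
    hits = []
    for s in extract_strings(data):
        for encoding, text in try_decode(s):
            if marker in text.lower():
                hits.append((s, encoding, text))
    return hits


if __name__ == "__main__":
    for raw, encoding, text in find_flags(SAMPLE):
        print(f"{encoding:6s} {raw} -> {text}")
```

On a real file, replace SAMPLE with the bytes read from disk; the length and printability checks are what keep the output short, since almost any alphanumeric string is a syntactically valid base64 candidate.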

Egg 5

Let’s run file, then strings:

$ file egg5
$ strings egg5
Damn dinos

Since it’s an ELF file, let’s try to disassemble it again:

$ objdump -D egg5 > egg5.asm

Open the .asm file using my favorite text editor:

$ nano egg5.asm
The main function
The easterEggs function

Set breakpoints and step accordingly:

The flag for this egg is:

flagis............e4st3r

Egg 4

Egg 4 is awesome because it contains the main ingredient for a true easter egg hunt — an egg (albeit a picture).

BEHOLD THE PRIMORDIAL EGG
$ file ff1uzunvp4rad0x.jpg
I know this, I’ve seen this before. Whenever a challenge shows you a blank page with just a picture on it — with no clues whatsoever — it’s a stego (see: steganography) problem.

Oh, how wrong I was.

$ binwalk -e ff1uzunvp4rad0x.jpg
Nope
$ strings ff1uzunvp4rad0x.jpg
A glimmer of hope

I told you it was a stego problem! That looks like a password!

$ steghide extract -sf ff1uzunvp4rad0x.jpg

Use the password IlovemasterSifu:

Crap. I tried though.

And…nothing. It wasn’t a stego problem, after all.

It was at this moment that I remembered that there were characters written on the primordial egg picture:

uzgpPr_iz.zip

So I appended that to egg4’s URL and got this:

S N E A K Y

Once you’ve extracted the .zip file down to its last folder, you’d be prompted with this:

Enter the string we found earlier: IlovemasterSifu and you’ll be greeted by this file:

Listening to the audio file revealed the flag in binary format:

110111110 10101100 11010110 00101110 00001110 11101110 11010110 10011110 00001110 1100111

Converting that results in gibberish:

¾¬Ö.î֞g

I remembered that the audio file also recited the alphabet in reverse order so I decided to reverse the binary string that I acquired earlier — using a quick ‘n dirty python trick:

Dangggggggggggg
1110011 01110000 01111001 01101011 01110111 01110000 01110100 01101011 00110101 01111101

Converting that string results in this:

spykwptk5}

Therefore:

flag_is{spykwptk5}
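The “quick ‘n dirty python trick” is mentioned above but not shown, so here is an added example of it (my code, not the author’s script). It decodes the dictated bit groups forwards, which gives the gibberish, and then reverses the whole string, which flips both the group order and the bits inside each group and yields the flag. The input is constructed for the example: it follows the transcription above except that the first group is written with eight bits, 10111110 (0xBE), which is what the leading ¾ of the forward decode and the trailing 01111101 of the reversed string both correspond to; the nine-bit first group as printed above is a transcription slip, and the odd_length_groups check shows how to catch that kind of slip before decoding.

```python
# Constructed input: the bit groups recited in the egg4 audio, as transcribed
# in the write-up, with the first group corrected to eight bits (0xBE, '¾').
AUDIO_BITS = (
    "10111110 10101100 11010110 00101110 00001110 "
    "11101110 11010110 10011110 00001110 1100111"
)


def odd_length_groups(bits):
    """Return (index, group) for groups that are not 7 or 8 bits long.

    A 9-bit group (a stray extra digit) or a 6-bit one (a dropped digit)
    decodes to the wrong byte silently, so flag it before decoding.
    """
    return [(i, g) for i, g in enumerate(bits.split()) if len(g) not in (7, 8)]


def decode_groups(bits):
    """Decode whitespace-separated binary groups, one character per group.

    chr() of the byte value maps 0-255 onto Latin-1, so bytes above 0x7F
    show up as accented characters rather than raising a decode error.
    """
    return "".join(chr(int(group, 2)) for group in bits.split())


def decode_forward(bits):
    """Read the groups in the order they were dictated."""
    return decode_groups(bits)


def decode_reversed(bits):
    """Reverse the entire string: last group first, each group's bits flipped.

    This is the hint the backwards alphabet in the audio was pointing at.
    """
    return decode_groups(bits[::-1])


def visible(text):
    """Strip control characters so the result looks like a terminal printout."""
    return "".join(c for c in text if c.isprintable())


if __name__ == "__main__":
    if odd_length_groups(AUDIO_BITS):
        print("suspicious groups:", odd_length_groups(AUDIO_BITS))
    print("forward :", visible(decode_forward(AUDIO_BITS)))   # gibberish
    print("reversed:", decode_reversed(AUDIO_BITS))           # spykwptk5}
```

The reversed decode ends in the closing brace, so the only thing left to prepend is the flag_is{ prefix.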

Egg 3

Egg3 tested my patience. Accessing its URL only gave us this page:

After hours of trying the following methods:

  • Checking the cookies
  • Checking for common directories
  • Inspecting the source
  • Extracting/Inspecting the SVG file from the page (which was awesome, btw)

I found nothing. Nothing.

So I accepted the old man’s advice and went to sleep.

On the morning of Easter Sunday, I woke up and casually browsed to egg3’s URL — expecting nothing.

I did it like our ancestors did — the ancient way of taking a screenshot

And there it was — the coveted Master Sifu flag!

flag_is{hviup2ggrt}
All the time I spent on that page was worth it. (Repeat x100000000000)

I got all the flags, so I sent them immediately after some checks.


Conclusion

I participated in this egg hunt expecting nothing but experience and fun (because I had nothing better to do), so I was surprised that I even got third place + a discount to the ROOTCON 11 Post-Con Party :D

Thanks for the discount and the fun, ROOTCON!


ROOTCON 11 will be held at the Taal Vista Hotel-Tagaytay on September 21–22, 2017. Hoping to see you at the conference, reader!