Reply Cyber Security Challenge Sandbox Write-ups

George O
Oct 5, 2018 · 8 min read

The following solutions were part of the practice challenges for Reply Cyber Security Challenge. These were released on 18/09/2018, with the main event starting on 05/10/2018. I will eventually also release a write-up for the actual event.

WEB ONE: Stranger Code

In this challenge, we were presented with a zip file named “jsp4ck.zip”. Once unzipped, we can find two files:

blob.js & jsp4ck.html

We can open the HTML file in our browser to see:

A simple login form.

Let’s now take a look at the JS to try and find the password:

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('j l(s){m(!s)g\'\';d a=\'\';t(i=s.p-1;i>=0;i--){a+=s.Y(i)}g a};j h(){d a=\'\';d b="1e";b+="1b";b+="1a";b+="Z";b+="17";b+="N";b+="w";b+="w";b+="o";b+="18";b+="e";b+="19";b+="X";b+="r";b+="k";b+="k";b+="r";b+="A";b+="B";b+="o";b+="e";b+="C";b+="y";b+="e";b+="M";b+="J";b+="I";t(d i=0;i<b.p;i+=2){a+=G.F(E(b.H(i,2),16))}g a};j L(){d a=K D();a[14]=\'x\';a[3]=\'u\';a[11]=\'z\';a[0]=\'0\';a[4]=\'5\';a[15]=\'5\';a[7]=\'7\';a[1]=\'b\';a[13]=\'u\';a[8]=\'1\';a[12]=\'5\';a[2]=\'f\';a[6]=\'4\';a[10]=\'n\';a[5]=\'c\';a[9]=\'0\';d b=\'\';d c=v.q("1d").1c;c=l(c);m(c==a.R("")){b="Q! P h O: "+h()}S{b="T W :("}v.q("V").U=b};',62,77,'|||||||||||||var|74||return|flag||function|73|strrev|if||53|length|getElementById|31||for||document|6c||72|_|4f|6e|61|Array|parseInt|fromCharCode|String|substr|7d|64|new|magic|33|41|is|The|Congratulation|join|else|Try|innerHTML|result|again|4d|charAt|47||||||||3a|65|2e|4c|46|value|pw|7b'.split('|'),0,{}))

It looks like we’ve been given some heavily obfuscated JavaScript. We can use an online tool (such as jsnice.org) to help us understand the code.

I’m not going to dump the entire prettified code here, but there are two important functions that we can see: flag() and magic().

Let’s try running these two in the Chrome console:

By doing this, we are given the flag: “{FLG:AllSet.M1ss1OnStart3d}”!
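Running the packed script in a console is the quick route, but the same result can be had without executing anything. The following is an added example (not code from the write-up or the challenge): it repeats the packer's token-substitution step statically and then decodes the hex pairs that flag() builds. The dictionary and the packed flag() body are copied verbatim from the blob above; the function names encodeIndex, unpack and recoverFlag are this example's own.

```javascript
// Static unpacker for the eval(function(p,a,c,k,e,d){...}) wrapper above.
// Each \w+ token in p is an index into the k dictionary, written in base a;
// replacing the tokens reproduces the source without ever calling eval.

// Encode a dictionary index the way the packer's e() does (digits 0-9, a-z,
// A-Z for base 62), e.g. 13 -> "d", 76 -> "1e".
function encodeIndex(n, base) {
  const digit = (d) => (d > 35 ? String.fromCharCode(d + 29) : d.toString(36));
  return (n < base ? '' : encodeIndex(Math.floor(n / base), base)) + digit(n % base);
}

// Replace every token with its dictionary word; tokens whose entry is empty
// (numeric literals, names the packer left alone) are kept unchanged.
function unpack(p, base, words) {
  const dict = new Map();
  words.forEach((w, i) => { const tok = encodeIndex(i, base); dict.set(tok, w || tok); });
  return p.replace(/\b\w+\b/g, (tok) => (dict.has(tok) ? dict.get(tok) : tok));
}

// The k dictionary, copied verbatim from the packed script (its a is 62).
const WORDS = ('|||||||||||||var|74||return|flag||function|73|strrev|if||53|length|'
  + 'getElementById|31||for||document|6c||72|_|4f|6e|61|Array|parseInt|fromCharCode|'
  + 'String|substr|7d|64|new|magic|33|41|is|The|Congratulation|join|else|Try|innerHTML|'
  + 'result|again|4d|charAt|47||||||||3a|65|2e|4c|46|value|pw|7b').split('|');

// The packed flag() body, excerpted verbatim from the p argument.
const PACKED_FLAG = 'j h(){d a=\'\';d b="1e";b+="1b";b+="1a";b+="Z";b+="17";b+="N";b+="w";'
  + 'b+="w";b+="o";b+="18";b+="e";b+="19";b+="X";b+="r";b+="k";b+="k";b+="r";b+="A";b+="B";'
  + 'b+="o";b+="e";b+="C";b+="y";b+="e";b+="M";b+="J";b+="I";'
  + 't(d i=0;i<b.p;i+=2){a+=G.F(E(b.H(i,2),16))}g a}';

// flag() concatenates two-character hex chunks and decodes them; pull the
// chunks out of the unpacked source and decode them here instead of running it.
function recoverFlag(packed) {
  const src = unpack(packed, 62, WORDS);
  const hex = [...src.matchAll(/b\+?="([0-9a-f]{2})"/g)].map((m) => m[1]).join('');
  return hex.replace(/../g, (h) => String.fromCharCode(parseInt(h, 16)));
}

console.log(unpack(PACKED_FLAG, 62, WORDS)); // readable flag() source
console.log(recoverFlag(PACKED_FLAG));       // the flag reported above
```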


WEB TWO: Type It

For this one, we have a file named “Js4u7h.html”. Let’s take a look at it:

Another login form.

Since there’s definitely something going on behind the scenes, let’s also take a look at the source code:

We seem to have a login form implemented entirely in JavaScript, so we should be able to find our way in.

The parts of the code relevant to the username are as follows:

  • var u = document.getElementById("user").value;
  • if(u == "\x68\x34\x63\x6b\x33\x72") { [etc…]}

We can very easily turn the hex into ASCII to find the username:

h4ck3r

However, finding the password isn’t quite as simple.

In order to reverse the encryption, we have to brute-force the final byte, which is said to be missing. I ended up adjusting the given code to do this, using CryptoJS’ decrypt function:

We can run this to find the following:

So for this challenge, the flag is “{FLG:PassW0RD!289%!*}” (and it turns out the username wasn’t needed at all).


MISC ONE: Dig Into The Blood

In this challenge, we are given the following image:

Initially, I tried using binwalk to find any embedded files, but couldn’t find anything.

I then turned to Stegsolve.jar to see if there was a flag hidden in one of the planes:

We can see the start of the flag!

Now that we know where the flag is, we can try to make this a little clearer.

I used GIMP 2 to adjust the color saturation and contrast for a little bit, and ended up with this:

We can now clearly see the flag: “{FLG:TargetBuilding.dxf}”.


MISC TWO: Matrioska

The file that we’re given for this challenge doesn’t have an extension, so we have to use the file command to identify it ourselves:

Let’s open this in 7-Zip to see what’s inside…

It looks like we just have files inside of files.

I imagine that the intended solution was to write a script that recursively extracts these files, but I figured it would be far simpler to just click through them all.

As such, I installed an automatic mouse clicker that should do the job. I set the clicker to click every 1 millisecond, and let it run:

After 30 seconds (as shown above), we find a file named README.txt, which contains the following:

Ah-ah, too late! I've already deleted the secret file!

From this, we can assume that the parent file has a deleted file somewhere in it. Checking its file type confirms my suspicion:

We can use testdisk to recover the deleted file:

We can then obtain flag.txt by pressing c, and cat it:

…and finally Base64-decode it:

And so, the flag is “{FLG:D3crypt1ngC0de}”.


CRYPTO ONE: Warmap

This challenge was extremely simple to do. We are given the following:

We just captured this secret message. Can you help us to decrypt it?

MDEwMTEwMDEgMDExMDEwMDEgMDExMDEwMTEgMDExMDAxMDEgMDExMTAwMTEgMDAxMDExMDAgMDAxMDAwMDAgMDExMTEwMDEgMDExMDExMTEgMDExMTAxMDEgMDAxMDAwMDAgMDExMDAxMDAgMDExMDEwMDEgMDExMDAxMDAgMDAxMDAwMDAgMDExMDEwMDEgMDExMTAxMDAgMDAxMDAwMDEgMDAxMDAwMDAgMDEwMTEwMDEgMDExMDExMTEgMDExMTAxMDEgMDExMTAwMTAgMDAxMDAwMDAgMDExMDAxMTAgMDExMDExMDAgMDExMDAwMDEgMDExMDAxMTEgMDAxMDAwMDAgMDExMDEwMDEgMDExMTAwMTEgMDAxMTEwMTAgMDAxMDAwMDAgMDExMTEwMTEgMDEwMDAxMTAgMDEwMDExMDAgMDEwMDAxMTEgMDAxMTEwMTAgMDEwMTEwMDEgMDExMDExMTEgMDExMTAxMDEgMDEwMDAwMTEgMDExMDAwMDEgMDExMDExMTAgMDEwMDAxMTAgMDExMDEwMDEgMDExMDExMTAgMDExMDAxMDAgMDEwMTAxMDAgMDExMDAwMDEgMDExMTAwMTAgMDExMDAxMTEgMDExMDAxMDEgMDExMTAxMDAgMDEwMDEwMDAgMDExMDExMTEgMDExMTAwMTEgMDExMTAxMDAgMDExMTAwMTEgMDEwMDExMTEgMDExMDExMTAgMDEwMTAxMDAgMDExMDEwMDAgMDExMDAxMDEgMDAxMTAxMDAgMDExMTAxMDAgMDExMDEwMDAgMDEwMDAxMTAgMDExMDExMDAgMDExMDExMTEgMDExMDExMTEgMDExMTAwMTAgMDEwMDExMTEgMDExMDAxMTAgMDEwMTAxMDAgMDExMDEwMDAgMDExMDAxMDEgMDEwMDAwMTAgMDExMTAxMDEgMDExMDEwMDEgMDExMDExMDAgMDExMDAxMDAgMDExMDEwMDEgMDExMDExMTAgMDExMDAxMTEgMDExMTExMDE=

We can solve it with CyberChef by Base64 decoding it and then decoding the binary (as shown here), to find the flag: “{FLG:YouCanFindTargetHostsOnThe4thFloorOfTheBuilding}”.


CRYPTO TWO: Please Don’t RFC

For this, we’re given a file called “Please Don’t RFC.pcap”. We can open it in Wireshark to view it. The TCP streams reveal this:

  • A public key.
  • An encrypted message.

In order to decrypt this, we first need to obtain the private key. There is a very useful tool for doing similar things, which can be found here.

We now have the private key.

Let’s now decrypt the message:

We now have the flag: “{FLG: EndOfN00bSimulation}”!


CODING ONE: Scrambled Words

The challenge description tells us:

The SHA-256 hash of the concatenated unscrambled words will be *the content* of the flag and it needs to be converted to lowercase. To get the complete flag, insert the lowercase string obtained between “{FLG:” and “}” without any blank space after the “:” and before the “}”.

We are also given two files:

  • scrambled-words.txt
  • dictionary.txt

scrambled-words.txt contains 512 lines similar to this…

The start of scrambled-words.txt.

…and dictionary.txt contains 8929 lines similar to this:

The start of dictionary.txt.

We can assume that our task will be to de-scramble all scrambled words, and then send them in as the flag.

To do this, I wrote a script that, for each word in scrambled-words.txt, sorts its letters alphabetically, does the same for every entry in dictionary.txt, and adds the dictionary entry to a list whenever the two sorted strings are identical.

Finally, the script puts the list into the format specified in the challenge description:

Running the script then gives us the flag…

…“{FLG:70c42b6d6818f3141865f10d1608f7a9763138554f6d5120662222189854231c}”.


REPLY TWO:

The challenge description here is as follows:

The SHA-256 hash of all the characters composing the complete sudoku will be *the content* of the flag and it needs to be converted to lowercase. To get the complete flag, insert the lowercase string obtained between “{FLG:” and “}” without any blank space after the “:” and before the “}”.

We are also given this image:

We can simply use this to solve the sudoku:

Now we have to turn this into the flag format…

…which means that the flag is “{FLG:3f01e689524cd7abb8c6751490dae3f22dea0b3f1867594c7549cad23efb60184ebf31c8650da27919d8be56ac720f3460acd927fb3485e1523740fa89e1bdc6fb5d946c238e710a862efdb37a10c495a49087e1c65f2bd3c17352a04db9f68ee36bac4d0795182f0cf5289bd1a34e6797126f05e4c83abdda84137ebf269c50}”.


BINARY ONE: Malware In a Bottle

The file that we’re given is called “Malware in a Bottle.bin”. We can check the file type like so:

Now that we know that it’s a compiled Python file, we can decompile it with uncompyle6:

george@kali:~/Desktop$ mv "Malware in a Bottle.bin" Malware.pyc
george@kali:~/Desktop$ uncompyle6 Malware.pyc > Malware.py

We can now read the Python code! Out of all the visible code, this part is particularly interesting:

An excerpt from Malware.py

It looks like the C&C hostname is decrypted and then used. Let’s add a print statement to print the hostname here, and then run the file:

As shown, the flag is “{FLG:Po1ntofContr0l.cm}”.


BINARY TWO: Great Host!

For this challenge, we are given a 32-bit ELF. Running it shows this:

Now that we roughly know what the server is doing, let’s take a look at the file in Binary Ninja. Here are some of the most ‘interesting’ blocks in main:

We can very quickly see “s3cR3t_p4sSw0rD”, but typing this just ends up with “This is not the solution you are looking for :)”.

It seems that there is no reference to a password anywhere in this main function.

Whilst browsing the other functions, I stumbled across this:

This continues for a bit until:

I pieced all of the separate bytes into one string:

[2, 93, 2, 103, 108, 7, 93, 119, 108, 117, 2, 93, 2, 108, 7, 65, 97, 7, 106, 64, 108, 7, 65, 0, 108, 96, 3, 108, 0, 7, 64, 106, 18, 18, 0, 112, 92, 93, 84, 65, 82, 71, 70, 95, 82, 71, 90, 92, 93, 64, 18, 19, 106, 92, 70, 19, 89, 70, 64, 71, 19, 68, 92, 93, 19, 9, 67, 0]

Converting these to ASCII results in completely unreadable text.

However, later on in the disassembly we can see the following:

During part of this, the xor opcode is used, with the key 0x33. Let’s try XORing all of the characters in the string:

We now just have to put this into the flag format:

“{FLG:1n1T_4nD_F1n1_4rR4Ys_4r3_S0_34sY!!}”.
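The XOR step is shown only as an image, so here is an added example (not the author's code) that decodes the byte array above with the 0x33 key and also lists the single-byte keys that would yield fully printable text, for the case where the key is not visible in the disassembly. The array is copied from the write-up; xorDecode and printableKeys are this example's own names.

```javascript
// Bytes of the array pieced together in the write-up above.
const BYTES = [2, 93, 2, 103, 108, 7, 93, 119, 108, 117, 2, 93, 2, 108, 7, 65, 97, 7,
  106, 64, 108, 7, 65, 0, 108, 96, 3, 108, 0, 7, 64, 106, 18, 18, 0, 112, 92, 93, 84,
  65, 82, 71, 70, 95, 82, 71, 90, 92, 93, 64, 18, 19, 106, 92, 70, 19, 89, 70, 64, 71,
  19, 68, 92, 93, 19, 9, 67, 0];

// XOR every byte with a single-byte key and return the result as text.
function xorDecode(bytes, key) {
  return bytes.map((b) => String.fromCharCode((b ^ key) & 0xff)).join('');
}

// Keys under which every decoded byte is printable ASCII (0x20..0x7e), a first
// filter when the key cannot be read straight off the xor instruction.
function printableKeys(bytes) {
  const keys = [];
  for (let k = 0; k < 256; k++) {
    const ok = bytes.every((b) => { const c = b ^ k; return c >= 0x20 && c <= 0x7e; });
    if (ok) keys.push(k);
  }
  return keys;
}

// Under the 0x33 key from the disassembly the array reads as the flag text
// followed by a second message. A stored 0x00 decodes to '3' (0x00 ^ 0x33), so
// the terminator after the "!!" shows up as a stray '3' before that message.
console.log(xorDecode(BYTES, 0x33));
console.log(printableKeys(BYTES).map((k) => '0x' + k.toString(16)));
```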

Thanks Danny for the help on this one.



Written by

George O

https://georgeom.net
