[RootersCTF 2019] — Writeup

Nicholas
Published in HMIF ITB Tech
7 min read · Oct 12, 2019

Writeup for RootersCTF 2019 by Nicholas, Munir, & Kak Um.

RootersCTF 2019

RootersCTF is organized by members of ‘Abs0lut3Pwn4g3’, an Indian CTF team, under InfoXpression, the annual technical fest of USICT, GGSIP University in New Delhi, India.

Honestly, RootersCTF ran during my exam week. But I got bored and lazy while studying for it, so my friends and I tried to work on this CTF, which turned out to be pretty fun even though some challenges needed r̶e̶c̶o̶n̶ guessing 😂😂😂. So I will explain some of the challenges we solved in this CTF.
Btw, my team, Djavaa, finished in 3rd place 😁😁😁. Kudos to my teammates Munir and kak Um, because this is the first time we solved all the challenges (full score) and placed 3rd in a CTFtime contest 😭.

Table Of Contents

Crypto: Digene — 481 points
Crypto: Really Silly Algorithm LIBrary — 454 points
Forensics: Mind Awake Body Asleep — 499 points
Forensics: Frames per Story — 473 points
Forensics: Cunning Black Cow — 417 points
Misc: The Lost One — 489 points
Web: imgXweb — 482 points
Web: I ❤ Flask — 405 points
Words from Author

Crypto: Digene — 481 points

I wish there was something Italian to cure me!

One of the most guessing-heavy challenges. We spent a lot of time googling for the correct cipher. Googling "digene" shows it is a digestive medicine for the stomach, so we searched for "Italian cure digestive stomach" and found Amari. Googling "Amari Italian", I found a Wikipedia article about Amaro. Reading through the wiki, I found a variant of the Amaro liqueur called fernet, which seemed familiar to us: it has the same name as Fernet encryption. Using Python, we solved the challenge.

solver.py
Flag: rooters{d!g3st!f_th4t_d!g3sts_y0ur_m3ss4g3s}ctf
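Recognizing a Fernet token is what cracked this challenge, so here is the token layout and its MAC check written out with only the standard library. This is an added example, not the team's solver.py; the keys are constructed, and the AES-CBC step that Fernet wraps around the ciphertext is left out because the point is the format.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo keys (not the challenge's): 32 raw bytes, urlsafe-base64 as Fernet expects.
DEMO_KEY = base64.urlsafe_b64encode(bytes(range(32)))
OTHER_KEY = base64.urlsafe_b64encode(bytes(range(32, 64)))


def fernet_keys(key_b64):
    """Split a Fernet key: first 16 bytes sign (HMAC-SHA256), last 16 encrypt (AES-128-CBC)."""
    key = base64.urlsafe_b64decode(key_b64)
    if len(key) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return key[:16], key[16:]


def parse_fernet_token(token_b64, key_b64):
    """Decode a token and check its HMAC; returns (timestamp, iv, ciphertext).
    Layout: 0x80 | 8-byte big-endian timestamp | 16-byte IV | ciphertext | 32-byte HMAC.
    The leading 0x80 version byte is why every Fernet token starts with 'gAAAAA' in base64."""
    signing_key, _ = fernet_keys(key_b64)
    token = base64.urlsafe_b64decode(token_b64)
    if len(token) < 1 + 8 + 16 + 16 + 32 or token[0] != 0x80:
        raise ValueError("not a Fernet token")
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(signing_key, body, hashlib.sha256).digest()):
        raise ValueError("HMAC mismatch: wrong key or tampered token")
    return struct.unpack(">Q", body[1:9])[0], body[9:25], body[25:]


def is_valid_token(token_b64, key_b64):
    """True only if the token parses and its HMAC verifies under this key."""
    try:
        parse_fernet_token(token_b64, key_b64)
        return True
    except (ValueError, TypeError):
        return False


def build_token(key_b64, ciphertext, iv, timestamp):
    """Assemble a token around already-encrypted bytes (AES-CBC encryption not shown here)."""
    signing_key, _ = fernet_keys(key_b64)
    body = b"\x80" + struct.pack(">Q", timestamp) + iv + ciphertext
    return base64.urlsafe_b64encode(body + hmac.new(signing_key, body, hashlib.sha256).digest())
```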

Crypto: Really Silly Algorithm LIBrary — 454 points

What were they thinking while making this library? “It’ll make it faster.”. Yeah. NO SH*T! Forgot about the security. Silly people

In this challenge, we were given an encrypt.py and a flag.enc that contains the ciphertext, n, and e.

challenge.py

As we can see, this challenge generates n from p and q produced by a library the author obfuscated and called sillyLibrary. Taking the capital letters from the challenge title (RSALIB), I looked for its vulnerability and found an article stating that the p and q generated by RSALib are weak. Okay, let's check whether n is vulnerable to ROCA (Return of Coppersmith's Attack).

Use roca-detect

Okay, so it is vulnerable. Using neca, we can find the factors of n. After finding the factors, we just need normal RSA decryption. Here is the full script.

FLAGGGGG!
Flag: rooter{H0W_0DD_W45_17}ctf
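The roca-detect step above relies on a cheap congruence test: every RSALib prime has the form k*M + (65537^a mod M), so n mod p lies in the subgroup generated by 65537 for each small prime p dividing M. This added example (not the team's script) implements that fingerprint check in plain Python and builds a constructed ROCA-shaped modulus to exercise it; the factoring that neca does is not part of it.

```python
from functools import reduce

GENERATOR = 65537
# Odd primes up to 167, the set the fingerprint is checked against; 2 is skipped (any odd n passes it).
PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73,
          79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167]


def multiplicative_order(g, p):
    """Smallest k > 0 with g^k == 1 (mod p); p prime, g not divisible by p."""
    k, x = 1, g % p
    while x != 1:
        x = (x * g) % p
        k += 1
    return k


# Order of 65537 in (Z/pZ)* for each small prime, computed once.
ORDERS = {p: multiplicative_order(GENERATOR, p) for p in PRIMES}


def is_roca_fingerprinted(n):
    """True when n mod p lies in the subgroup <65537> for every small prime p.
    In a cyclic group x is in <g> iff x^ord(g) == 1, so one modular exponent per prime suffices.
    A modulus built from RSALib-style primes always passes; one with random primes fails with
    overwhelming probability, which is why a positive result is a strong signal."""
    if n % 2 == 0:
        return False
    return all(pow(n % p, ORDERS[p], p) == 1 for p in PRIMES)


def roca_style_modulus(k1, a, k2, b):
    """Constructed test input: n = p*q with p, q of the form k*M + (65537^a mod M), M the primorial.
    k1, k2 are not chosen to make p, q prime; the fingerprint does not depend on primality."""
    M = reduce(lambda x, y: x * y, [2] + PRIMES)
    p = k1 * M + pow(GENERATOR, a, M)
    q = k2 * M + pow(GENERATOR, b, M)
    return p * q
```

For a real key, feed the integer modulus from the certificate or flag.enc to is_roca_fingerprinted; a True result means the modulus is in the attackable class and should be treated as compromised.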

Forensics: Mind Awake Body Asleep! — 499 points

Everything visible has a flip side, like a coin. https://mega.nz/#!DKhjQQRB!JclxIeRNGnFOuCNEqM3Z3QUHm4p5Avh2_5Ck7dbn-m4

After downloading the file, it turns out to be challenge.wav. Looking at its spectrogram in Audacity, I found nothing. Okay, so I did my basic step for a wav file: extracting its LSBs (I read this article, which gave me basic information about how audio steganography works). Using the LSB script from that article, I extracted the hidden text.

Sucessfully decoded: Mr. Robot is an American drama thriller television series created by Sam Esmail. http://tiny.cc/72nwdz

Opening the link, I got a file called new, which contains a hex string. After struggling and guessing around for a few hours, I reread the challenge description carefully: Everything visible has a flip side. Okay, we used our imagination: transform it to binary, flip the bits, convert it back to hex, and STUCK. It turns out "flip" means reverse, so we reversed the given hex string. Surprisingly, it showed us the signature of a PNG file. So we just needed to reverse the given hex string (thanks to Python, which makes reversing a string very easy with [::-1]), use the reversed string to create the PNG file, and we got the flag.

FLAGGGGG
Flag: rooters{pyth0n_is_aw3s0m3}ctf
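The LSB extraction at the start of this section is the step most people script by hand, so here is an added, self-contained version (not the article's script nor the team's) for 16-bit PCM WAV files. It assumes the embedder used one bit per sample, MSB-first within each byte, and a NUL terminator; a constructed cover signal with a hidden message is built in-memory so it runs offline.

```python
import io
import struct
import wave


def embed_lsb(samples, message):
    """Constructed helper for test input: write message bits (MSB first) into sample LSBs."""
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    if len(bits) > len(samples):
        raise ValueError("cover too short for message")
    out = list(samples)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & ~1) | bit
    return out


def samples_to_wav_bytes(samples, rate=8000):
    """Pack signed 16-bit mono samples into an in-memory WAV file."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def extract_lsb(wav_bytes):
    """Collect every sample's LSB, pack 8 bits per byte MSB-first, stop at the first NUL byte.
    Channels are treated alike (interleaved samples), which matches the simplest embedders."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("this example handles 16-bit PCM only")
        frames = w.readframes(w.getnframes())
    samples = struct.unpack("<%dh" % (len(frames) // 2), frames)
    out = bytearray()
    for i in range(0, len(samples) - 7, 8):
        byte = 0
        for s in samples[i:i + 8]:
            byte = (byte << 1) | (s & 1)  # s & 1 is the LSB of the two's-complement sample
        if byte == 0:
            break
        out.append(byte)
    return bytes(out)
```

If the output is garbage on a real file, the usual culprits are LSB-first bit order, a length prefix instead of a NUL terminator, or only one channel carrying data.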

Forensics: Frames per Story — 473 points

Finally, Toby is out of the frames. I hope he never returns again. Frames: https://mega.nz/#F!PCZXRQCY!pFQwZpifHdwlz9l9wQtpVw

So, we were given a zip file containing the frames of a GIF. Checking the EXIF data with exiftool, each frame contains a comment holding part of a transcript. Extracting all the comments gives us a transcript that contains a link.

The extracted comment

Opening the link, we got a file called final.png. Notice the strange line on the wall: it is a 1x15 pixel line. Zooming in and opening it in Photoshop, I extracted the R,G,B values of each pixel in that line. Convert the RGB numbers into chars and you get the flag.

Solver
Flag: rooters{WHY_4R3_TH3_W4Y_TH4T_Y0U_4R3!}ctf

Forensics: Cunning Black Cow — 417 points

<hahahahahahahhah>
Wrap the flag in rooters{}ctf

We were given two zip files, flag.zip and cunningBlackCow.zip. Extracting blackCow.zip gives two PNG files. When we try to extract flag.zip, it is password protected, so we need to get the password from the two image files. Checking the EXIF data, we found that each file contains a comment.

Exifdata of the image

The CunningBlackCow1.png comment is a base64 string that decodes to y0uw@ntk3y?AESe_K@iS3_D3_DuUuU!!. This string tells us loudly that we need to decrypt the other comment string with AES.

Solver.py

Decrypting gives us n0ty0ur4l@6OOPS! as the result. Use that as the password of the zip file, and we get the flag!!

Flag: rooters{D7d_U_L3k3_Th4_Ch@l73ng3?}ctf

Misc: The Lost One — 489 points

Haha.. I have kept the flag hidden among millions of records. You can’t find it. Can you ? IP Address : 35.188.87.124

Okay, so this is most likely a recon challenge, so my first step was an nmap scan for open ports on that IP address. I found an open port at 9200, which is an Elasticsearch docker. Reading through the Elasticsearch documentation, I found that we could use the _search endpoint to run a query. After struggling for hours looking for a record containing the flag, I tried the Tamil word for flag, because some records contain Tamil text. It turns out we found the flag. This is our query: http://35.188.87.124:9200/_search?q=கொடி

Found Base64 Flag

Decoding the base64 gives us the flag :)

Flag: rooters{oldest_languauge_with_the_flag}ctf

Web: imgXweb — 482 points

Image hosting. Soo boring, I know.
Challenge Link: https://imgxweb.rootersctf.in/

So we were given a website that allows us to register and upload files. We tried uploading an image and a PHP file, but found nothing. Checking the cookie, it seems this challenge uses JWT. Accessing robots.txt, it turns out it contains a secret path (/static/secretkey.txt) that leads us to the JWT secret. That means we can forge our cookie and sign it. Just change our user to admin, sign the cookie with the secret found through robots.txt, set the cookie (which makes us admin), and we see that the admin uploaded their flag.png. Here is the script to forge the cookie:

Forge JWT :)
Login as admin; the first picture is the flag
FLAGGG
Flag: rooters{I_hope_you_got_rick_rolled_but_you_made_it_so_hoorayyy}ctf

Web: I❤Flask — 405 points

meme. Challenge Link: iloveflask

In this challenge we were given a web app that looks like a "static" Flask site. Accessing robots.txt found nothing. After a few hours, we tried Arjun to find whether there is a hidden parameter we could actually use. It turns out there is one.

ARJUN FTW

When we pass the name parameter, it turns out to be a classic SSTI challenge. See below:

SSTI FTW!!
PERFORM LS
PERFORM THE HOLY CAT AND WE GOT THE FLAGGG

Welp, another recon challenge, because we didn't know there was a parameter. Thanks to Arjun!!

Flag: rooters{I_still_love_flask_fd02a527ca93ff0a}ctf

Words from Author

We have some assignment deadlines in our university life 😓 and decided not to write up every challenge 🙏🙏🙏. Thank you for reading our writeup! And thanks to RootersCTF for making this CTF 😁.
