Sudan National CTF 2020 Writeups [reverse, crypto, forensics]

Omer A. Bilal, published in SUDOROOT, Sep 28, 2020

Overview

This write-up covers the final round of Sudan National CTF 2020, organized by the Cybertalents platform and Trend Micro. We solve all the challenges in the reverse, crypto, forensics and networks categories; the challenges are ordered by difficulty. So let's dive in!

The writeups for the web challenges are published in a separate post.

1. Sharp (Digital Forensics) Medium 100pt

Challenge description: You need to look sharper to get the flag!

This challenge was fairly simple: we get a 7z archive containing 46 JPEG images, so let's start thinking like a real forensic investigator 😎

To solve it I just used ExifTool. After extracting the metadata of all the images, I found an interesting hex value in the "Comment" field of each one.

One-liner: let's write a small bash one-liner that solves the challenge directly 😇
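The same idea without depending on ExifTool, as an added example that is not part of the original post: a JPEG stores its comment in a COM marker segment (0xFFFE), so a few lines of Python can walk the marker segments, pull every comment out, hex-decode it and join the pieces. The three "images" below are constructed minimal JPEG byte streams, not the challenge files, and the sample flag they carry is made up; the assumption that each comment is pure hex and that the pieces join in file order is labelled in the code.

```python
import binascii
import struct


def make_jpeg(comment: bytes) -> bytes:
    """Build a minimal JPEG: SOI, an APP0/JFIF segment, a COM segment
    carrying `comment`, then EOI. Constructed test data only."""
    soi = b"\xff\xd8"
    app0_payload = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(app0_payload) + 2) + app0_payload
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    eoi = b"\xff\xd9"
    return soi + app0 + com + eoi


def jpeg_comments(data: bytes) -> list:
    """Walk the JPEG marker segments and return every COM (0xFFFE) payload.

    Walking stops at SOS (0xFFDA): entropy-coded scan data follows it,
    where 0xFF bytes are stuffed and segments no longer carry length fields.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    comments = []
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):              # EOI, or SOS: stop walking
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                             # TEM / RSTn have no length
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload = data[pos + 4:pos + 2 + seg_len]
        if marker == 0xFE:
            comments.append(payload)
        pos += 2 + seg_len
    return comments


def decode_hex_comments(images: list) -> str:
    """Hex-decode every COM payload of every image and concatenate them.
    Assumption (not stated by the challenge): comments are pure hex and
    the pieces belong together in the order the images are given."""
    pieces = []
    for img in images:
        for comment in jpeg_comments(img):
            pieces.append(binascii.unhexlify(comment.strip()).decode())
    return "".join(pieces)


# Constructed input: three tiny images, each carrying one hex chunk of a
# made-up sample flag ("flag{", "sample", "}").
SAMPLE_IMAGES = [
    make_jpeg(b"666c61677b"),
    make_jpeg(b"73616d706c65"),
    make_jpeg(b"7d"),
]

if __name__ == "__main__":
    print(decode_hex_comments(SAMPLE_IMAGES))   # flag{sample}
```

On the real archive the ExifTool route is the shorter one: `exiftool -s3 -Comment *.jpg` prints only the comment values, which can be piped through `xxd -r -p`; the only thing to watch is that the shell's file ordering matches the order the pieces are meant to be joined in.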

2. TCP (Network Security) Medium 100pt

Challenge description: I’m sure the connection was working

Right, a network packet capture (PCAP) challenge. After opening it in Wireshark we don't find anything interesting except the Seq and Ack fields (TCP sequence and acknowledgment numbers), so let's apply the display filter tcp.seq > 2 to keep only the packets whose sequence number is greater than 2.

Now keep calm and let's first work out the flag manually 😋. We know the flag format is flag{………….}

Take the first packet, 1. [Seq=46, Ack=58], and add Seq to Ack:

Seq + Ack = 46 + 58 = 104, but 104 is the character 'h', not 'f'. Subtracting 2 from 104 gives 102 = 'f', the first character of the flag 😎

Let's try the second packet, 2. [Seq=64, Ack=46]:

Seq + Ack - 2 = 64 + 46 - 2 = 108, and 108 = 'l', the second character of the flag 😎

Now that we understand how to get the flag manually, let's automate it with the Scapy Python library :)
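An added example of that automation, written here rather than taken from the original post: it uses only the standard library instead of Scapy, so it runs offline on a classic pcap. The capture it parses is constructed in memory (one SYN-like packet with seq 0, which the tcp.seq > 2 filter drops, followed by packets whose raw seq/ack pairs encode "flag{" under the rule Seq + Ack - 2); the port numbers, addresses and zeroed checksums are made-up test data, and the parser never verifies checksums.

```python
import struct


def build_tcp_frame(seq: int, ack: int) -> bytes:
    """Ethernet + IPv4 + TCP headers carrying the given raw seq/ack.
    Constructed test data: addresses/ports are arbitrary, checksums zero."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # EtherType IPv4
    tcp = struct.pack(">HHIIBBHHH", 1234, 4444, seq, ack,
                      5 << 4, 0x18, 65535, 0, 0)           # 20-byte header
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp


def build_pcap(frames) -> bytes:
    """Wrap frames in a classic (non-pcapng) pcap, link type 1 = Ethernet."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return header + body


def tcp_seq_ack(pcap: bytes):
    """Yield (seq, ack) for every IPv4/TCP packet in a classic pcap."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    linktype, = struct.unpack(endian + "I", pcap[20:24])
    if linktype != 1:
        raise ValueError("this example handles Ethernet captures only")
    pos = 24
    while pos + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                       # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:                                 # not TCP
            continue
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        seq, ack = struct.unpack(">II", tcp[4:12])          # raw 32-bit values
        yield seq, ack


def recover_flag(pcap: bytes) -> str:
    """The writeup's rule: one character per packet, chr(Seq + Ack - 2),
    skipping packets with Seq <= 2 (the handshake)."""
    return "".join(chr(seq + ack - 2)
                   for seq, ack in tcp_seq_ack(pcap) if seq > 2)


# Constructed capture: the first pair is filtered out, the rest spell "flag{".
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(0, 0),
    build_tcp_frame(46, 58),   # 46 + 58 - 2 = 102 = 'f'
    build_tcp_frame(64, 46),   # 64 + 46 - 2 = 108 = 'l'
    build_tcp_frame(50, 49),   # 'a'
    build_tcp_frame(55, 50),   # 'g'
    build_tcp_frame(60, 65),   # '{'
])

if __name__ == "__main__":
    print(recover_flag(SAMPLE_PCAP))   # flag{
```

With Scapy the loop body is `for p in rdpcap("tcp.pcap"): if TCP in p and p[TCP].seq > 2: ...` using `p[TCP].seq` and `p[TCP].ack`. One caveat before scripting either way: Wireshark shows relative sequence numbers by default (Preferences > Protocols > TCP > "Relative sequence numbers"), while a script reads the raw 32-bit values from the file, so check that the numbers you did the arithmetic on by hand are the ones actually stored in the capture.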

3. Exponential-rot (Crypto) Medium 100pt

wdjzkhy trsz paxwjvkkw zg aqc wgcow rtqngdo wm dsx!. sfb afty yh sxlq{kyeuxr_js_llp_nask_woep_afmhyidae}. wlqm lwthth elfnl ax itpm cqamhtd bdgf

In this challenge we have an unreadable string, so let's focus on the interesting part: sxlq{kyeuxr_js_llp_nask_woep_afmhyidae}. It looks like the flag format flag{xxxxxxxxxxxxxxxxxxxxxxxx} :)

At first we say Yes! 😻 it's rot13 (rotation by 13). Let's decode it 😂

rot13: fkyd{xlrhke_wf_yyc_anfx_jbrc_nszulvqnr}. Rotation by 13 gives us the first character of the flag (f), but the other characters are wrong! Mmm, it looks like a custom rotation 😮: each character is rotated by a different amount than the others 😂

After some time we found a very useful tool, CyberChef. With it we found the correct rotation for the first character of the flag, rot39 (39 ≡ 13 mod 26, which is why rot13 already got that character right), and we build the solution from there. Now keep calm and follow the video to understand the manual solution 😌

Let’s add some automation and stop thinking like Script Kiddies :)
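The automation, as an added example that is not the original post's script. The rule it implements is inferred from the observations above rather than stated by the post: the letter at zero-based offset i in the whole message is rotated by i (mod 26), and every character, spaces and punctuation included, advances the offset. That fits both clues, because the first flag character sits at offset 65 and 65 ≡ 39 ≡ 13 (mod 26), and the same rule turns the filler text around the flag into readable English, which is the check that confirms it. Only lowercase letters are rotated; the assumption that non-letters still count toward the offset is marked in the code.

```python
import re

# The challenge ciphertext exactly as given in the writeup.
CIPHER = ("wdjzkhy trsz paxwjvkkw zg aqc wgcow rtqngdo wm dsx!. sfb afty yh "
          "sxlq{kyeuxr_js_llp_nask_woep_afmhyidae}. wlqm lwthth elfnl ax itpm "
          "cqamhtd bdgf")


def shift_at(offset: int) -> int:
    """Rotation applied to the letter at this offset. 65 -> 13, which is
    why the first flag letter looked like plain rot13 (and rot39)."""
    return offset % 26


def index_rot_decode(cipher: str) -> str:
    """Undo the position-dependent rotation: letter i moves forward by
    shift_at(i). Assumption: non-letters are kept as they are but still
    consume an offset, so the shift keeps growing across spaces and
    punctuation."""
    out = []
    for i, ch in enumerate(cipher):
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift_at(i)) % 26 + ord("a")))
        else:
            out.append(ch)
    return "".join(out)


def extract_flag(text: str):
    """Return the first flag{...} token in text, or None."""
    m = re.search(r"flag\{[a-z_]+\}", text)
    return m.group(0) if m else None


if __name__ == "__main__":
    plain = index_rot_decode(CIPHER)
    print(plain)
    print(extract_flag(plain))
```

Running it prints the whole decoded message, flag included; the first character of the flag is the only place where the growing shift happens to coincide with 13, which is what made a plain rot13 look almost right.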

Flag : flag{crypto_**_***_****_****_*********}………..

4. Deadlock (Reverse Engineering) Hard 200pt

Challenge description: Can you play with me?

Finally, a reverse engineering challenge. It is very simple but at the same time quite interesting 😇. We have 3 files:

Deadlock.exe, data.win, options.ini

I double-clicked the Deadlock.exe icon for the first time, and suddenly music started playing 😳

This is a game made with GameMaker Studio. In this challenge we don't need any reverse engineering tools like IDA, Ghidra or Hopper; let's first understand the challenge files, then solve it like a boss 😎

Let's focus on data.win, the file that holds the data of games built with GameMaker Studio (GMS), a game engine created by Mark Overmars in 1999 and developed by YoYo Games since 2007. This file contains everything we need to solve the challenge 😜

I found a very useful tool for the job, UndertaleModTool (a tool for modding, decompiling and unpacking GameMaker Studio games), so download it to your machine right now.

After downloading UndertaleModTool, open it, select File > Open and load the data.win file.

In the Rooms section there are 2 rooms, room0 and Secret. room0 contains the default UI of the game, what we see when we open Deadlock.exe; the Secret room contains the flag!! 😎

Let's keep calm and get the flag by dragging the Secret room above room0. GameMaker starts a game in the first room of its room order, so putting Secret first makes the game open straight into it.

Now scroll to the General info section and click Sync with room list to synchronize the changes, then save the file and replace the old one.

Back to the game: launch it again and congrats, you got the flag 😎

./done

Summary

I hope this clarified some concepts regarding reverse engineering, forensics, and cryptography. If anyone has any questions feel free to contact me at https://t.me/BlackSud0

We, as team "ScriptKiddies", took first place with 825 points.
