Craptolocker 3

The 3rd step is to create a decryption program by reversing the encryption routines in the source code. I have attached one of the encrypted files for you to test your decryption.
The flag is contained in the decrypted file.

Here is the entire encryption program from PasteBin.

import string
import random
# written by dr0ppyb3@r_h@ck3r
# v0.3 - The release version will be much better
# Updated flag: flag{h1d3_0n_p@steb1n}

def xor_c(a):
    return bytearray([b^0xA8 for b in bytearray(a)])

alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ., 1234567890-!{}"
tmp_alphabet = list(alphabet)
random.shuffle(tmp_alphabet, lambda: 0.97444187175646646) # Shuffle the list into random order (but the same order every time)
shuffled_alphabet = ''.join(tmp_alphabet)

shuffleit = string.maketrans(alphabet,shuffled_alphabet)

handler = open("original_file",'rb')
handler2 = open("encrypted_file",'wb')
contents = handler.read()
handler2.write(xor_c(string.translate(contents,shuffleit)))

The main focus points are the XOR and the alphabet shuffle. Essentially, to encrypt a file the program applies a substitution cipher and then an XOR. What makes this task simple is that the number used for the shuffle is not random; it's hard-coded as 0.97444187175646646, so the shuffle is the same every time you encrypt a file.

To decrypt this we need to write a program which reverses the XOR first, then reverses the shuffling.

We can reuse much of the original code, and just reverse the order of execution.

import string
import random
import sys

def xor_c(a):
    # XOR every byte with the fixed key 0xA8 (XOR is its own inverse)
    return bytearray([b^0xA8 for b in bytearray(a)])

alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ., 1234567890-!{}"
tmp_alphabet = list(alphabet)
random.shuffle(tmp_alphabet, lambda: 0.97444187175646646) # Shuffle the list into random order (but the same order every time)

# Map each shuffled character back to the original alphabet character
reverse_map = {key: value for (key, value) in zip(tmp_alphabet, alphabet)}

# Read the ciphertext as raw bytes
with open(sys.argv[1], 'rb') as file:
    encrypted = file.read()

reversed_xor = xor_c(encrypted)
print(reversed_xor)
# Characters outside the alphabet were never substituted, so they pass through unchanged
plaintext = ''.join(map(lambda x: reverse_map[chr(x)] if chr(x) in reverse_map else chr(x), reversed_xor))
print(plaintext)

Using this program on the encrypted file gives us our flag.

$ python crapto.py encrypted_file
Congrats-,Xou,found,itZ,flag!d2cr@pt92d_n9_b-tc9-n_3_y2ws{

Congrats! You found it. flag{d3cr@pt03d_n0_b!tc0!n_4_y3ws}
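
The same recovery on current Python 3, as an added example that is not part of the original write-up. random.shuffle no longer accepts a second argument (removed in Python 3.11), so fixed_shuffle replays Python 2's shuffle loop with the hard-coded value; the function and constant names are assumptions of this example, and the sample ciphertext is constructed from the intermediate line shown above.

```python
ALPHABET = b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ., 1234567890-!{}"
FIXED_RANDOM = 0.97444187175646646  # constant returned by the lambda in the posted source
XOR_KEY = 0xA8


def fixed_shuffle(items, r=FIXED_RANDOM):
    """Replay Python 2's random.shuffle(x, random) when random() always returns r."""
    x = list(items)
    for i in reversed(range(1, len(x))):
        j = int(r * (i + 1))  # same index on every run, so the result is a fixed permutation
        x[i], x[j] = x[j], x[i]
    return x


SHUFFLED = bytes(fixed_shuffle(ALPHABET))
ENC_TABLE = bytes.maketrans(ALPHABET, SHUFFLED)
DEC_TABLE = bytes.maketrans(SHUFFLED, ALPHABET)


def xor_c(data):
    """XOR every byte with the fixed key; applying it twice restores the input."""
    return bytes(b ^ XOR_KEY for b in data)


def encrypt(plain):
    """Substitution first, then XOR (the order used by the posted program)."""
    return xor_c(plain.translate(ENC_TABLE))


def decrypt(cipher):
    """Undo the XOR first, then the substitution."""
    return xor_c(cipher).translate(DEC_TABLE)


# Constructed sample: the intermediate line printed in the write-up, XORed back into ciphertext.
SAMPLE_CIPHERTEXT = xor_c(b"Congrats-,Xou,found,itZ,flag!d2cr@pt92d_n9_b-tc9-n_3_y2ws{")

if __name__ == "__main__":
    print(SHUFFLED.decode())
    print(decrypt(SAMPLE_CIPHERTEXT).decode())
```

With this constant only the last 31 positions of the alphabet move, which is why most letters in the intermediate output are already readable.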

Craptolocker 2

The 2nd step is to find the source code of Craptolocker.
The source code contains the flag. (Look on the Internet)

We can search for Cr@pT0l0cK3r, but this didn’t give any meaningful results. Instead, let’s search for the hacker’s handle, dr0ppyb3@r_h@ck3r.

Lo and behold, the code is on pastebin.

http://103.1.172.112/archieves/index.php?q=aHR0cDovL3Bhc3RlYmluLmNvbS9aZHU0aWJnZQ%3D%3D

# written by dr0ppyb3@r_h@ck3r
# v0.3 - The release version will be much better
# Updated flag: flag{h1d3_0n_p@steb1n}

Craptolocker 1

The following web page was left by a hacker, who is using ransomware to hold my web site hostage. I am a poor student and can't afford to pay the ransom. Can you help?

http://ctf.crikeycon.com:1234
The 1st step of this challenge is to identify the hacker.
Submit the flag as: flag{hacker_handle}

Oh no! It’s been craptolocked!


The hacker’s name doesn’t appear on the front end of this website; however, I’m going to use an old trick that I learnt from my hacker friend who goes by the name “Alex”.


And we find the hacker’s name written in an HTML comment.

<!-- Page made by dr0ppyb3@r_h@ck3r ->

Pragyan – Steganography

ctf.pragyan.org

Lost Friends – 300

Moana and her friends were out on a sea voyage, spending their summer joyously.
Unfortunately, they came across Charybdis, the sea monster. Charybdis, furious over having unknown visitors, wreaked havoc on their ship. The ship was lost.
 
Luckily, Moana survived, and she was swept to a nearby island. But, since then, she has not seen her friends. Moana has come to you for help. She believes that her friends are still alive, and that you are the only one who can help her find them.
lost_friends
Nothing here O_O

The image looks empty. But after playing around in GIMP (using the decompose trick we learnt earlier), we see that the RGB channels are pictures of Alvin and the Chipmunks!

The story in the challenge describes a shipwreck, so I’m assuming Alvin and the Chipmunks were in a shipwreck. Coincidentally, there is a movie about that, called Alvin and the Chipmunks: Chipwrecked.


We still need some more information to go on. After looking at a hex dump of the image, we can see the following hidden message.

 Psssst, Director, maybe ??

So the flag is the name of the director of the movie Alvin and the Chipmunks: Chipwrecked?

Yep. -_-

Pragyan – Forensics

ctf.pragyan.org

Look Harder – 50

There are rumours that in the Great Sahara Desert, a great treasure has been buried deep inside the ground, but the map for the exact location of the treasure over the years, has not been preserved properly.
You have got hold of the map, but it looks nothing more than a plain white sheet of paper. Can you make sense out of it ??

The image appears to be all white, except that when tilting the screen there is a faint contrast between two similar colours, giving the outline of what seems to be a QR code.

Can you see it?

Opening the image up in GIMP, we see the image is in indexed mode, so let’s change the main colour from faint yellow to black: Windows -> Dockable Dialogs -> Colourmap. This makes our QR code visible enough to scan and get the flag.

treasure_map_bold
Gimp is the best.

Interstellar – 150

Dr. Cooper, on another one of his endless journeys encounters a mysterious planet. However when he tried to land on it, the ship gave way and he was left stranded on the planet. Desperate for help, he relays a message to the mothership containing the details of the people with him. Their HyperPhotonic transmission is 10 times the speed of light, so there is no delay in the message. However, a few photons and magnetic particles interfered with the transmission, causing it to become as shown in the picture. Can you help the scientists on the mothership get back the original image.

The image appears to be corrupted in some way – modified heavily from the original. It almost looks like there is destructive interference or value inversion, because I can see a tree and what looks like the moon, but a tree is definitely not purple and white.

transmission
When the moon hits your eye…

After playing around with many different tools, I came across Colors -> Components -> Decompose. This separates an image into its channel components; in this case we want RGBA. On the red channel we can clearly see our flag hiding in plain sight.

transmission2-rgba
Seriously, just mess around on Gimp.

The Karaboudjan – 150

Captain Haddock is on one of his ship sailing journeys when he gets stranded off the coast of North Korea. He finds shelter off a used nuke and decides to use the seashells to engrave a message on a piece of paper. Decrypt the message and save Captain Haddock.
 
->-.>-.---.-->-.>.>+.-->--..++++.
.+++.
.->-.->-.++++++++++.+>+++.++.-[->+++<]>+.+++++.++++++++++..++++[->+++<]>.--.->--.>.

These symbols are Brainfuck code which, when executed, outputs the following data, shown here as a hex string.

ffff fcff 0001 fefe 0202 0505 ffff 0903
050d 121c 1c60 5efe 00
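
A minimal Brainfuck interpreter that reproduces the hex string above from the challenge code, as an added example that is not part of the original write-up. It assumes 8-bit wrapping cells and no input (the challenge code never uses the "," instruction); the function name and limits are assumptions of this example.

```python
# The three lines of Brainfuck from the challenge text, copied from the page.
PROGRAM = """->-.>-.---.-->-.>.>+.-->--..++++.
.+++.
.->-.->-.++++++++++.+>+++.++.-[->+++<]>+.+++++.++++++++++..++++[->+++<]>.--.->--.>."""


def run_brainfuck(code, tape_len=30000, max_steps=1000000):
    """Run input-free Brainfuck on 8-bit wrapping cells and return the output bytes."""
    # Pre-compute the matching position for every bracket.
    jumps, stack = {}, []
    for pos, ch in enumerate(code):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise ValueError("unmatched ] at %d" % pos)
            start = stack.pop()
            jumps[start], jumps[pos] = pos, start
    if stack:
        raise ValueError("unmatched [ at %d" % stack[-1])

    tape, out = bytearray(tape_len), bytearray()
    ptr = pc = steps = 0
    while pc < len(code):
        steps += 1
        if steps > max_steps:  # guard against non-terminating input
            raise RuntimeError("step limit reached")
        ch = code[pc]
        if ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch in "<>":
            ptr += 1 if ch == ">" else -1
            if not 0 <= ptr < tape_len:
                raise IndexError("tape pointer out of range")
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]  # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]  # jump back to the loop start
        pc += 1  # any other character (newlines here) is ignored
    return bytes(out)


if __name__ == "__main__":
    print(run_brainfuck(PROGRAM).hex())
```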

I did not work out how to massage this data into a key for the zip file. Instead, I used a tool called fcrackzip to enumerate through a dictionary of words to try and crack the zip file. Luckily, the password for the zip was an English word.

fcrackzip clue.zip -D -p english.txt -u

The pcap file inside the zip just has a simple packet which has the flag hidden in the frame.

Virtual Box 5 (Virtual Series) – 75

Description

I accidentally closed out this odd message I found. Can you get it back?

Solution

 

After searching around, we open Internet Explorer and see the history open; a page was opened 10 days ago.

http://i.imgur.com/FQJ4JtO.png

Looks like some Wingdings font, so let’s convert it into English using this table.

http://speakingppt.com/wp-content/uploads/2011/10/webdings-wingdings-character-map-speakingppt.png

ABCTF{ITS_C00L_L00KING_BACK}

Old RSA (Cryptography) – 70

Description

I’m sure you can retrieve the flag from this file.

Solution

We can look up the factorization of N, as it isn’t a very big number (comparatively).

http://www.factordb.com/index.php?query=70736025239265239976315088690174594021646654881626421461009089480870633400973

N = 70736025239265239976315088690174594021646654881626421461009089480870633400973

p = 238324208831434331628131715304428889871
q = 296805874594538235115008173244022912163

We can calculate z from the formula

z = (p -1) * (q -1)

z = 70736025239265239976315088690174594021111524798200448894265949592322181598940
e = 3

We can calculate d from the formula

ed -1 = 0 (mod z)

d = 47157350159510159984210059126783062680741016532133632596177299728214787732627

And our message is C

c = 29846947519214575162497413725060412546119233216851184246267357770082463030225

The easiest way is to use the pycrypto library for Python, which will calculate all this very fast for us.

#!/usr/bin/python2
# Python 2 with the pycrypto library (long() and the trailing 'L' below are Python 2 only)

from Crypto.PublicKey import RSA

p = 238324208831434331628131715304428889871
q = 296805874594538235115008173244022912163

n = p * q
z = (p-1)*(q-1)

e = long(3)
d = 47157350159510159984210059126783062680741016532133632596177299728214787732627
c = 29846947519214575162497413725060412546119233216851184246267357770082463030225

key = RSA.construct((n, e, d, p, q))
decrypted = key.decrypt(c)
# hex() of a Python 2 long looks like '0x...L': drop the '0x' prefix and the trailing 'L'
decrypted = hex(decrypted)[2:-1]
ascii_bytes = bytearray.fromhex(str(decrypted))
print(ascii_bytes)

ABCTF{th1s_was_h4rd_in_1980}

L33t H4xx0r (Web Exploitation) – 70

Description

If you could bypass the login you could get the flag. Link

Solution

Looking inside the source, we are directed to source.txt to look at the password comparison code.

http://yrmyzscnvh.abctf.xyz/web6/source.txt

The password is the flag itself! So we can’t be expected to guess it; we need to use the hint that there is a vulnerability in the code. After googling PHP strcmp vulnerabilities, we see that when comparing a string and an array, the result is always 0. So we need to set password to be an array in the URL.

http://yrmyzscnvh.abctf.xyz/web6/?password[]=oops

abctf{always_know_whats_going_on}

 
