This page looks best with JavaScript enabled

DawgCTF 2021 Writeups

Hosted by UMBC CyberDawgs (UMBCCD) from 7 May - 8 May

 ·  ☕ 9 min read  ·  🌈🕊️ rainbowpigeon

Thanks organizers! I enjoyed the Binary Bomb reversing challenges. We got 13th place. Sadly solved less for this one but it was fun trying some RE which I usually avoid. My 9 failed solves were because of Toilet Humor 5.
🎵 Armin van Buuren feat. RBVLN - Weight Of The World (Club Mix) powered me during this CTF :)

Graph of challenge solves over time
Category breakdown of challenge solves

Details Links
CTFtime.org Event Page https://ctftime.org/event/1319/

Reversing

Who am I?

I hid my flag in this program but it seems to have forgot who it is?

Author: Percival

Attached: who_am_i.exe

Rough pseudocode generated by IDA with some variables renamed by me:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
if ( argc == 2 )
  {
    input_int[0] = 0;
    scan((char *)argv[1], "%d", (char)input_int);
    flag_buf = 0;
    case_select = 5;
    needs_to_be_42_init_5 = 5;
    while ( case_select )
    {
      switch ( case_select )
      {
        case 2:
          if ( needs_to_be_42_init_5 == 42 )
          {
            print("flag: %s\n", (char)flag_buf);
            print("\n", v4);
            case_select = 0;
          }
          break;
        case 4:
          print("that's not who i am..\n", v4);
          case_select = 0;
          break;
        case 5:
          needs_to_be_42_init_5 = case_select;
          if ( getpid() == input_int[0] )       // 1: pid check from input
            case_select = 8;
          else
            case_select = 4;
          break;
        case 8:
          if ( needs_to_be_42_init_5 == 5 )
          {
            case_select = 10;
            flag_buf = calloc(256u, 1u);        // 2: calloc
          }
          needs_to_be_42_init_5 = 8;
          break;
        case 10:
          if ( needs_to_be_42_init_5 == 8 )
            xor_flag_1((int)flag_buf);
          needs_to_be_42_init_5 = case_select;  // 3:
          case_select = 20;
          break;
        case 20:
          if ( needs_to_be_42_init_5 == 10 )
            xor_flag_2((int)flag_buf);          // 4:
          needs_to_be_42_init_5 = 42;
          case_select = 2;
          break;
        default:
          case_select = 0;
          break;
      }
    }
    result = 0;
  }
  else
  {
    print("who am i?!?\n", v4);
    result = -1;
  }
  return result;
}

The flag is stored in flag_buf as shown in line 15, and is written to by the xor_flag_1 and xor_flag_2 functions in line 41 and 47 respectively. .
xor_flag_2 retrieves bytes from byte_4F7B40:

1
2
3
  for ( i = 0; i < 9; ++i )
    *(_BYTE *)(i + a1 + 10) = byte_4F7B40[i] ^ 0x78;
  return 0;

which shows up as byte_4F7B40 db 27h, 4Ch, 35h, 55h, 4Bh, 1, 4Bh, 47h, 5, 7 dup(0). xor_flag_1 also retrieves bytes from another location. While we could figure out what kind of inputs to give to manoeuvre through the switch cases, we can just assemble the bytes from both locations and xor them again with 0x78 to get the flag:

1
2
3
4
>>> hex = [0x3c,0x19,0x0f,0x1f,0x3b,0x2c,0x3e,0x03,0x10,0x2d,0x27,0x4c,0x35,0x55,0x4b,0x01,0x4b,0x47,0x05]
>>> flag = "".join([chr(d ^ 0x78) for d in hex])
>>> flag
'DawgCTF{hU_4M-3y3?}'

Flag: DawgCTF{hU_4M-3y3?}

Binary Bomb

BBomb - Phase 6

Oh no… I lost the key to my string again :(

Author: treap_treap

Generated pseudocode with IDA and variables renamed by me. I also redefined the 24 variables at the beginning to be part of a single string structure:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
  puts("\nOh no... I lost the key to my string again :(");
  dont_want_0 = 1;
  str[0] = 0x40;
  str[1] = 0x77;
  str[2] = 0x23;
  str[3] = 0x91;
  str[4] = 0xB0;
  str[5] = 0x72;
  str[6] = 0x82;
  str[7] = 0x77;
  str[8] = 0x63;
  str[9] = 0x31;
  str[10] = 0xA2;
  str[11] = 0x72;
  str[12] = 0x21;
  str[13] = 0xF2;
  str[14] = 0x67;
  str[15] = 0x82;
  str[16] = 0x91;
  str[17] = 0x77;
  str[18] = 0x26;
  str[19] = 0x91;
  str[20] = 0;
  str[21] = 0x33;
  str[22] = 0x82;
  str[23] = 0xC4;
  calloc_buf = (char *)calloc(0x29uLL, 1uLL);
  getInput(6u, (char *)a1, (unsigned int)"%s", (unsigned int)calloc_buf, v1, v2);
  for ( iterator = 0; iterator < strlen(str) && iterator < strlen(calloc_buf); ++iterator )
  {
    calloc_buf[iterator] = ((unsigned __int8)(calloc_buf[iterator] & 0xF0) >> 4) | (16 * calloc_buf[iterator]);
    calloc_buf[iterator] ^= 0x64u;
    if ( calloc_buf[iterator] != str[iterator] )
      dont_want_0 = 0;
  }
  if ( iterator != strlen(str) )
    dont_want_0 = 0;
  free(calloc_buf);
  return dont_want_0;

It’s just mainly some simple bitwise operations in lines 31-32, so we can replicate the decoding routine in Python except that we will additionally bruteforce for each char to match each byte in string. This is basically finding out what input given to calloc_buf gives back the bytes stored in the str structure in the C code.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
flag = "DawgCTF{"
mask = 2 ** 8 - 1
string = [0x40, 0x77, 0x23, 0x91, 0xB0, 0x72, 0x82, 0x77, 0x63, 0x31, 0xA2, 0x72, 0x21, 0xF2, 0x67, 0x82, 0x91, 0x77, 0x26, 0x91, 0, 0x33, 0x82, 0xC4]
for byte in string:
    for char in range(0x00, 0xff+1):
        a = char & 0xfffffff0
        a = a >> 4
        b = (char << 4 ) & mask 
        temp = (a | b) % 0xff
        if (temp ^ 0x64) == byte:
            if char:
                flag += chr(char)
            break
flag += "}"
print(flag)

Flag: DawgCTF{B1t_Man1pUlaTi0n_1$_Fun}

Binary Bomb - Bonus Phase!

But wait… there’s more!

Author: treap_treap

strings the binary with any tool of your preference (I used IDA) and you could probably find the flag somehow.

Flag: Pr3e7Y_57E4ltHy_Fl4g

Fwn (Forensics/Web/Network)

These Ladies Paved Your Way

Per womenintech.co.uk, these 10 women paved your way as technologists. One of them holds more than 100 issued patents and is known for writing understandable textbooks about network security protocols. What other secrets does she hold?

Author: Clearedge

Attached: WomenInTech.zip

Zip file contains various images of prominent women in fields of technology:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
24/04/2021  07:11 AM            24,154 220px-ElizabethFeinler-2011.jpg
24/04/2021  07:11 AM            11,718 220px-Karen_Spärck.jpg
24/04/2021  07:11 AM            10,080 220px-Mary_Allen_Wilkes_Portrait.jpeg
24/04/2021  07:11 AM            15,084 6-7-Sister-Keller-205x300.jpg
24/04/2021  07:11 AM            82,478 ada_lovelace_portrait_by_chalon_1838-e1539075430995.jpg
24/04/2021  07:11 AM            49,910 Annie_Easley_in_NASA_cropped_2-500x703.jpg
24/04/2021  07:11 AM            17,217 Hopper-3-square.jpg
24/04/2021  07:11 AM            27,926 katherine-g-johnson-nasa_1600jpg-500x500.jpg
24/04/2021  07:11 AM            29,535 Portrait_Adele_Goldberg-500x502.jpg
24/04/2021  07:11 AM            10,382 radia_perlman.jpg

Google searching for the woman who holds more than 100 issued patents and knows much about network security protocols leads us to Radia Perlman.
Viewing the Exif metadata with http://exif.regex.info/exif.cgi, we get a Base64-encoded string under Credit and what seems to be the enciphered flag under Keywords:

IPTC
Credit U3Bhbm5pbmdUcmVlVmlnCg==
Application Record Version 4
Keywords VpwtPBS{r0m5 0W t4x3IB5}

The Base64-decoded string is SpanningTreeVig, which hints us to Vigenère-decode the flag with a key of SpanningTreeVig.

Flag:DawgCTF{l0t5 0F p4t3NT5}

Crack IFS

The accounts in this QNX IFS have insecure passwords. Crack them to assemble the flag.

https://www.qnx.com/developers/docs/7.0.0/#com.qnx.doc.neutrino.building/topic/intro/intro_ifs.html

DawgCTF.ifs: hxxps://drive.google.com/file/d/1imS0_LQTWg67bwZucoSSa9US28C1uAI2/view?usp=sharing

Author: Percival

We can use this dumpifs tool https://github.com/askac/dumpifs to dump files. Command line switches are detailed here: http://www.qnx.com/developers/docs/7.0.0/index.html#com.qnx.doc.neutrino.utilities/topic/d/dumpifs.html . -x and -b extracts the files while -d specifies the output directory.

1
./dumpifs ~/Downloads/DawgCTF.ifs -d dawg/ -x -b

We now have the /etc/shadow file dumped which contains the password hashes:

1
2
3
4
5
6
cat shadow
root:7BdwYWpqXnY4E:1620082957:0:0
user:J7KYxY.GQNu8Q:1620011262:0:0
guest:4J4ZDAgsm0m5M:1620011331:0:0
joe:HNPzLUBaDdJ1E:1620083038:0:0
bob:HL99o4s12Kyzo:1620083025:0:0

Looking at the various hash formats listed on https://hashcat.net/wiki/doku.php?id=example_hashes , I guessed the format to be 1500 descrypt, DES (Unix), Traditional DES 48c/R8JAv757A. Through my initial dictionary attack attempts using rockyou.txt which failed to recover all the passwords, I found out that the passwords were just 4-letter segments so I switched to a hashcat bruteforce mask attack with the charset of printable characters and a length of 4.

1
2
3
4
5
6
7
hashcat -m 1500 qnx.txt -a 3 ?a?a?a?a

7BdwYWpqXnY4E:cram
HNPzLUBaDdJ1E:un_s
HL99o4s12Kyzo:Dawg
J7KYxY.GQNu8Q:CTF{
4J4ZDAgsm0m5M:ble}

Flag: DawgCTF{un_scramble}

Misc

Identifications

Hey man. I’m standing in front of this Verizon central office building. What’s its CLLI code?

What? No, I don’t know where I am, my GPS is broken. I tried to connect to some Wi-Fi so I could download a map or something, but I don’t know the password to any of these networks.

identifications.7z: hxxps://drive.google.com/file/d/1YkzVIwbNKWKG4I0K8F_J8DCC9mqBn2ET/view?usp=sharing

Once you figure out the CLLI code, make sure to wrap it in DawgCTF{}.

Author: nb

The .7z contains two images: 1 of the supposed Verizon central office building and 1 of a screen listing details of various Wi-Fi access points nearby.

Verizon central office building

List of Wi-Fi access points details on laptop screen

Google searching the Dr Cappuccino SSID sends us to https://www.drcappuccino.com/ which is located at 1304 South Main St. | Mount Airy, MD 21771 as listed under their contact page.
Plugging that address into Google Maps, we can confirm that other stores like Katana Sushi Bar, Carroll Counseling Center LLC and Dunkin' Donuts displayed in the image of Wi-Fi details are located here too.

Various stores in Mount Airy on Google Maps

Looking up for Verizon Central Offices in the city of Mount Airy gives us this nice table https://www22.verizon.com/wholesale/attachments/space-exhaust/WebUpdateSouth.pdf where we can search for Mount Airy and get the corresponding CLLI code in the 3rd column.

Table of Verizon Central Offices details in the South-East

Flag: DawgCTF{MTARMDMA}

Toilet Humor 5

The flag is five poops

Author: toomanybananas

Self-explanatory and pretty dumb.

Flag: DawgCTF{5️⃣💩}

The Rain in Spain

I installed this cool IoT-enabled weathervane on my boat for sailing around Málaga, but the sensors seem to be giving erratic readings…

Author: Noodle

Attached: spain.csv

Plot a graph with the given .csv file using https://www.csvplot.com/ and play around with the axes to display the flag nicely.

Flag from plotted graph points online

Flag: DawgCTF{p10ts_n3at1y_0n_th3_p1an3}

Audio/Radio

Moses

If you can find a way to part the waves, you might find something on the seafloor.

moses.zip: hxxps://drive.google.com/file/d/1c6uEmcRssq2FKmQqNYNJ3NRvK6t_KVAd/view?usp=sharing

Author: Noodle

The .zip file contains moses1.flac and moses2.flac with almost identical spectrograms. This is viewed using Spek.

Comparing spectrograms of moses1.flac and moses2.flac side-by-side

To find out the difference between these 2 audios, we can do a phase inversion in Audacity.

  1. Import both tracks into Audaciity
  2. Select one track and apply the Invert Effect on it.
  3. Select both tracks and Mix and Render
  4. Export the new track

Applying Audacity's Invert Effect on one track

Selecting both tracks and hitting Mix and Render in Audacity

Exporting the new track out of Audacity

The flag is now at the bottom of the spectrogram of the new track.

Visual flag in the spectrogram

Flag: DawgCTF{sunk3n_tr3asur3s}

Deserted Island Toolkit

What would a drunken sailor do? (Wrap the output in DawgCTF{ })

DesertedIslandToolkit.zip: hxxps://drive.google.com/file/d/1vYUIAPIeQgE6x781tH6SU3uU0YSx5Yxv/view?usp=sharing

Author: Eyeclept

The .zip contains these standard CD files:

1
2
dawgTunes.cdda
.checksum.md5

The .cdda file contains audio data so let’s convert it to a listenable format with https://convertio.co/cdda-wav/
The audio is then a series of short and long tones which we can immediately suspect to be Morse Code:

Audio waveform of morse code tones

which was transcribed as... ----- ... .. ... -. --- - - .... . .- -. ..... .-- ...-- .-. and decoded to be S0SISNOTTHEAN5W3R

Flag: DawgCTF{S0SISNOTTHEAN5W3R}


That’s all! Hope you enjoyed :)

Share on

rainbowpigeon
WRITTEN BY
rainbowpigeon
OSCP