Defcamp 2017

No that kind of network - Forensics [1 pt]

I like to write and move all around the world. But do you know my story?

Opening up the file with Wireshark and searching through the packets for DCTF came back with 1 result.

Flag: DCTF{2d9895ecea1081b2241398d1b2c94eaf5be3bfaffec1ad946ed0a68ae95f8ed9}

Too Easy - Junior [1 pt]

Ah man... I hate when I forget my password... Do you know it?

When typing strings on the program you can find above the line above "Enter password" is the password of strongpassword_as_a_pro. When running the program with that password will give the following response444354467b366436653137363063316133616539653465646532343537643864323462306263663230376561383337653833646362346430396532643734656639353862327d ... now decrypt hex.Which it tells to decrypt in hex which gives the flag.

Flag: DCTF{6d6e1760c1a3ae9e4ede2457d8d24b0bcf207ea837e83dcb4d09e2d74ef958b2}

a thousand words - Junior [2 pts]

I bet your eye can spot the original photo! Note: I got rid of duplicate files to be able to include the files in 1 zip file under 15 mb]

All the photos look the same and I happen to have software that I use when I have files that are identical. I opened up DupeGuru and ran to delete duplicate files. This narrowed down the results to 278 files which still isn't good enough. I did look through k4DirStat and find file 1024.png was the biggest file so I did Exiftool on it and it appeared it was in the copyright flag. ALTERNATIVELY The problem was supposed to be solved using the command grep "DCTF" to go through all the files. In that case, I used the command grep -iRl "DCTF{" ./ to return which file had the flag.

Flag: DCTF{162d6e3865b2be32851fb8bd3cca73bdc1a052f9da75d8680c471eb45af522df}

Hex Warm Up - Warmup [1 pts]

A friend of mine is learning about encryption and now is challenging me to break it! Can you give it a go? 

buf += "831a34cdf478f76ad054f38c9aee6abd6a9dbff98ab7becca233aa7c3c9d25ef220beb5020d3263f57f3f6fd975ee63421eb266d85c0d4ae6c4f10670ea9b5f43e1df9558fdc6dc3fe761e1105d7bc5ba0e21fe3463cf045197e44119828c8a311b7ed91a12e927cf666eb0484a41a066c8d975b9f2217a1afee27d98383f4fc6a753e86f7284c1973809cfed2fca6660351c7bc27eaab75d33a70995d946ffabe0abce545eb87b63aa687f47ca316719b21a44d808ea97f9077b97e2997c4031d5240f5910dc6bddb785b49d07eaeb9456ffe0ba034c8a40d9b7a39a9e96df302cd486f6d4a14d08730a74bc9149da7de5fadbd1cb77e0c02c0597cf3cc182ef2e78951003a280428c2e0ac70bbc95e6fa56c6bf2e0dd9313c7e97742e38ac6386dbc8fe48bd51bfc1f31039dbdc594f6316cc99935fa8c8117c1562f148d1af6f7f44d4af96a51771daf842cc40c3e808ec1b22e186cddc8f8fe79f7a1ace0e79cf40886d9b55fc613948696e990b0eb9e996a5d82db2ea204493b89a30ee1ed39e79346410bf2aa0e85193af1075ff4dc25f74aae592408547d6c03047c03a0162f18132728af17249ed59e85c334461589865af8c3930580cee174132cfb02781604b68ae0b112118af9b92d063e00000000504e75f476f7b4eb0001be7b80f00100ac83112cb1c467fb020000000004595a"
bu1 += "fd377a585a000004e6d6b4460200210116000000742fe5a3e077ff3da25d00399a49fbe6f3258112f39ac0202a0738550af98257012a427133cc7d214b8429da5aa757f76ce21bb9f2f97ac72174cee4b15cf7dcd62ab56c4908c112c463d0b9f01431fc196327480ba3466a55642402"
buf = bu1 + buf

Simplifying the code a little bit I determined these 3 lines meant that bu1 was a header and buf was the data. By working backwards I read in the lock.iso file and determined it was split into 3 parts. bu1 [header], backup.zip [data], buf [buffer data] By removing the extra data I can write the leftover data to a zip file which hopefully would contain the flag. This was indeed the case as we are given index.txt containing flag and some more buffer data. Note it says you can change the extension. I tried and that doesn't work

Solution Code

g = open("lock.iso", "r")
b = g.read()
g.close()
buf = ""
bu1 = ""
buf += "831a34cdf478f76ad054f38c9aee6abd6a9dbff98ab7becca233aa7c3c9d25ef220beb5020d3263f57f3f6fd975ee63421eb266d85c0d4ae6c4f10670ea9b5f43e1df9558fdc6dc3fe761e1105d7bc5ba0e21fe3463cf045197e44119828c8a311b7ed91a12e927cf666eb0484a41a066c8d975b9f2217a1afee27d98383f4fc6a753e86f7284c1973809cfed2fca6660351c7bc27eaab75d33a70995d946ffabe0abce545eb87b63aa687f47ca316719b21a44d808ea97f9077b97e2997c4031d5240f5910dc6bddb785b49d07eaeb9456ffe0ba034c8a40d9b7a39a9e96df302cd486f6d4a14d08730a74bc9149da7de5fadbd1cb77e0c02c0597cf3cc182ef2e78951003a280428c2e0ac70bbc95e6fa56c6bf2e0dd9313c7e97742e38ac6386dbc8fe48bd51bfc1f31039dbdc594f6316cc99935fa8c8117c1562f148d1af6f7f44d4af96a51771daf842cc40c3e808ec1b22e186cddc8f8fe79f7a1ace0e79cf40886d9b55fc613948696e990b0eb9e996a5d82db2ea204493b89a30ee1ed39e79346410bf2aa0e85193af1075ff4dc25f74aae592408547d6c03047c03a0162f18132728af17249ed59e85c334461589865af8c3930580cee174132cfb02781604b68ae0b112118af9b92d063e00000000504e75f476f7b4eb0001be7b80f00100ac83112cb1c467fb020000000004595a"
bu1 += "fd377a585a000004e6d6b4460200210116000000742fe5a3e077ff3da25d00399a49fbe6f3258112f39ac0202a0738550af98257012a427133cc7d214b8429da5aa757f76ce21bb9f2f97ac72174cee4b15cf7dcd62ab56c4908c112c463d0b9f01431fc196327480ba3466a55642402"
b = b.replace(bu1.decode('hex'), "")
b = b.replace(buf.decode('hex'), "")
print(b)
f = open("backup.zip" ,"w")
f.write(b)
f.close()

Flag: DCTF{474dac08d29d013515a312d1a8460050634f9b3cb6a696a4c73652d1802a1872}

HitandSplit - Forensics [2 pts]

Are you a forensic?

Searching through the pcapng file for DCTF{ a couple of results come up. When you focus on the packets with 81 bytes you get the flag. I used the set of packets 676, 685, 690, 697, 703

Flag: DCTF{71f15f9abbd6b4f57ca13114fddef7499b34cb93b35e3ac725cd273ea40cb769}

Inception - Steg [?? pts]

Do you like our logo?

Start out with binwalk to find that the logo has 13 images hidden in it. Of those 13 images. 1E042 contains the flag.

Flag: DCTF{61c9183bf4e872b61d71697891e0a451eff0b07bcd3373d4aac94aa74baccb9f}

forgotmykeys - Crypto [50 pts] [Not Solved]

I forgot my flag & key. Help me recover them.

Solution

Flag:

Loyal Book - Misc [99 pts]

Every book is unique in its own way! Go and read the story of a brave man!

From the reference to unique, I do diff 0001.txt 0002.txt to return a line difference of DC, so I did that for each file comparing it to the base file of 0001.txt getting this text combined. which was the flag.

< glimpse last summer at the Palais-Royal. Some of > glimpse last summer DC at the Palais-Royal. Some of

< benches ranged along the walls, and in the centre of > benches ranged along TFthe walls, and in the centre of

< And it must have been very strong to endure after > And it must h{ave been very strong to endure after

< And it must have been very strong to endure after > And it must have been 7ba61 very strong to endure after

< and Frederick, feeling sleepy, was in no great haste > and Frederick, feeling sleepy, wa0cc5ds in no great haste

< communicated to him ; and he had only two phrases : > communicated to him ; aa3966nd he had only two phrases :

< derstand. She longed for wealth, in order to crush > derstand. She longed fob7c64r wealth, in order to crush

< They all took advantage of the occasion to denounce > They all took advantage a81c3 of the occasion to denounce

< " Ha ! your chum ! " said Madame Moreau, with a > " Ha ! your chum ! " said Madame Morcfcdbeau, with a

< barely maintained him. Made bitter by continuous > barely maintained him. 1b1d0 Made bitter by continuous

< 82 GUSTAVE FLAUBERT > 82 GUSTAVE FLAUBERT 9e3de

< and the 'longshore-woman exclaimed : > and the 'longshore-woman exclaimed : 5ad11

< The advocate went on : > The advocate 89268 went on :

< ceive either. > ceive either. bf0e6

< places at which the principals in the duel were to > places at 18ff7 which the principals in the duel were to

< deur. > deur. 1f08}

Flag: DCTF{7ba610cc5da3966b7c64a81c3cfcdb1b1d09e3de5ad1189268bf0e618ff71f08}

Collaboration is key - Category [99 pts] [Not Solved]

What do you think about this algorithm? I worked with my good friend to push it to the repository.

Solution

Flag:

Chio - Rev [360 pts] [Not Solved]

Too lazy to make the flag in DCTF{SHA256} format. Download Find the flag, and make it compatible yourself.

Solution

Flag:

PreviousHackCon 2017NextSquare CTF 2017

Last updated