# Defcamp 2017

## No that kind of network - Forensics \[1 pt] <a href="#no-that-kind-of-network" id="no-that-kind-of-network"></a>

> I like to write and move all around the world. But do you know my story?

{% file src="<https://980792987-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Md9Bzo_DCKomMglV10a%2F-MdrH11rG2XidayROYm7%2F-MdrJmb6rvKUWQO64BDO%2Fkingofstone.zip?alt=media&token=9fb3a99a-844f-450b-8828-69ccc072a4af>" %}
Kingofstone
{% endfile %}

Opening up the file with Wireshark and searching through the packets for DCTF came back with 1 result.

Flag: DCTF{2d9895ecea1081b2241398d1b2c94eaf5be3bfaffec1ad946ed0a68ae95f8ed9}

## Too Easy - Junior \[1 pt]

> Ah man... I hate when I forget my password... Do you know it?

{% file src="<https://980792987-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Md9Bzo_DCKomMglV10a%2F-MdrH11rG2XidayROYm7%2F-MdrJuPrxLs_GHP7zxOl%2Flooksgood.zip?alt=media&token=f4c3bad0-cf7f-476d-a7b1-ed3a1bd14cb8>" %}
Too Easy
{% endfile %}

Running `strings` on the program shows the password `strongpassword_as_a_pro` on the line above "Enter password". Running the program with that password gives the following response: `444354467b366436653137363063316133616539653465646532343537643864323462306263663230376561383337653833646362346430396532643734656639353862327d ... now decrypt hex.` As the response says, decoding the hex gives the flag.

Flag: DCTF{6d6e1760c1a3ae9e4ede2457d8d24b0bcf207ea837e83dcb4d09e2d74ef958b2}

## a thousand words - Junior \[2 pts] <a href="#a-thousand-words" id="a-thousand-words"></a>

> I bet your eye can spot the original photo! \
> Note: I got rid of duplicate files to be able to include the files in 1 zip file under 15 mb

{% file src="<https://980792987-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Md9Bzo_DCKomMglV10a%2F-Mg6Nhts2e4AV3idel8k%2F-Mg6R0fh8Ru1vEm3mdtJ%2FA%20Thousand%20Words.zip?alt=media&token=5a3f16d6-eed2-48b7-8690-e3cb4d27a0b7>" %}
Download
{% endfile %}

All the photos look the same, and I happen to have software that I use when I have files that are identical. I opened up DupeGuru and ran it to delete duplicate files. This narrowed down the results to 278 files, which still isn't good enough. I looked through k4DirStat and found that 1024.png was the biggest file, so I ran Exiftool on it and it turned out the flag was in the copyright field. \
ALTERNATIVELY\
The problem was supposed to be solved using the command `grep "DCTF"` to go through all the files. In that case, I used the command `grep -iRl "DCTF{" ./` to return which file had the flag.

**Flag: DCTF{162d6e3865b2be32851fb8bd3cca73bdc1a052f9da75d8680c471eb45af522df}**

## Hex Warm Up - Warmup \[1 pts] <a href="#hex-warmup" id="hex-warmup"></a>

> A friend of mine is learning about encryption and now is challenging me to break it! Can you give it a go?

{% file src="<https://980792987-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Md9Bzo_DCKomMglV10a%2F-MdrH11rG2XidayROYm7%2F-MdrIp4P6Jmkkl2q6EKs%2Fjunior3.zip?alt=media&token=0dfd1c81-f078-4751-9a9b-a2e2c9f8b1bc>" %}
Warmup
{% endfile %}

```python
buf += "831a34cdf478f76ad054f38c9aee6abd6a9dbff98ab7becca233aa7c3c9d25ef220beb5020d3263f57f3f6fd975ee63421eb266d85c0d4ae6c4f10670ea9b5f43e1df9558fdc6dc3fe761e1105d7bc5ba0e21fe3463cf045197e44119828c8a311b7ed91a12e927cf666eb0484a41a066c8d975b9f2217a1afee27d98383f4fc6a753e86f7284c1973809cfed2fca6660351c7bc27eaab75d33a70995d946ffabe0abce545eb87b63aa687f47ca316719b21a44d808ea97f9077b97e2997c4031d5240f5910dc6bddb785b49d07eaeb9456ffe0ba034c8a40d9b7a39a9e96df302cd486f6d4a14d08730a74bc9149da7de5fadbd1cb77e0c02c0597cf3cc182ef2e78951003a280428c2e0ac70bbc95e6fa56c6bf2e0dd9313c7e97742e38ac6386dbc8fe48bd51bfc1f31039dbdc594f6316cc99935fa8c8117c1562f148d1af6f7f44d4af96a51771daf842cc40c3e808ec1b22e186cddc8f8fe79f7a1ace0e79cf40886d9b55fc613948696e990b0eb9e996a5d82db2ea204493b89a30ee1ed39e79346410bf2aa0e85193af1075ff4dc25f74aae592408547d6c03047c03a0162f18132728af17249ed59e85c334461589865af8c3930580cee174132cfb02781604b68ae0b112118af9b92d063e00000000504e75f476f7b4eb0001be7b80f00100ac83112cb1c467fb020000000004595a"
bu1 += "fd377a585a000004e6d6b4460200210116000000742fe5a3e077ff3da25d00399a49fbe6f3258112f39ac0202a0738550af98257012a427133cc7d214b8429da5aa757f76ce21bb9f2f97ac72174cee4b15cf7dcd62ab56c4908c112c463d0b9f01431fc196327480ba3466a55642402"
buf = bu1 + buf
```

Simplifying the code a little bit, I determined that these 3 lines meant that bu1 was a header and buf was the data. Working backwards, I read in the lock.iso file and determined it was split into 3 parts: bu1 \[header], backup.zip \[data], buf \[buffer data].\
By removing the extra data I can write the leftover data to a zip file, which hopefully would contain the flag. This was indeed the case, as we are given index.txt containing the flag and some more buffer data.\
Note: it says you can change the extension. I tried and that doesn't work.

Solution Code

```python
# Read the image as raw bytes; text mode can corrupt binary data.
with open("lock.iso", "rb") as g:
    b = g.read()
buf = ""
bu1 = ""
buf += "831a34cdf478f76ad054f38c9aee6abd6a9dbff98ab7becca233aa7c3c9d25ef220beb5020d3263f57f3f6fd975ee63421eb266d85c0d4ae6c4f10670ea9b5f43e1df9558fdc6dc3fe761e1105d7bc5ba0e21fe3463cf045197e44119828c8a311b7ed91a12e927cf666eb0484a41a066c8d975b9f2217a1afee27d98383f4fc6a753e86f7284c1973809cfed2fca6660351c7bc27eaab75d33a70995d946ffabe0abce545eb87b63aa687f47ca316719b21a44d808ea97f9077b97e2997c4031d5240f5910dc6bddb785b49d07eaeb9456ffe0ba034c8a40d9b7a39a9e96df302cd486f6d4a14d08730a74bc9149da7de5fadbd1cb77e0c02c0597cf3cc182ef2e78951003a280428c2e0ac70bbc95e6fa56c6bf2e0dd9313c7e97742e38ac6386dbc8fe48bd51bfc1f31039dbdc594f6316cc99935fa8c8117c1562f148d1af6f7f44d4af96a51771daf842cc40c3e808ec1b22e186cddc8f8fe79f7a1ace0e79cf40886d9b55fc613948696e990b0eb9e996a5d82db2ea204493b89a30ee1ed39e79346410bf2aa0e85193af1075ff4dc25f74aae592408547d6c03047c03a0162f18132728af17249ed59e85c334461589865af8c3930580cee174132cfb02781604b68ae0b112118af9b92d063e00000000504e75f476f7b4eb0001be7b80f00100ac83112cb1c467fb020000000004595a"
bu1 += "fd377a585a000004e6d6b4460200210116000000742fe5a3e077ff3da25d00399a49fbe6f3258112f39ac0202a0738550af98257012a427133cc7d214b8429da5aa757f76ce21bb9f2f97ac72174cee4b15cf7dcd62ab56c4908c112c463d0b9f01431fc196327480ba3466a55642402"
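from binascii import unhexlify

# Remove the hex-encoded header (bu1) and trailing data (buf) from the image.
b = b.replace(unhexlify(bu1), b"")
b = b.replace(unhexlify(buf), b"")
# What is left is the zip archive; write it out in binary mode.
with open("backup.zip", "wb") as f:
    f.write(b)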
```

**Flag: DCTF{474dac08d29d013515a312d1a8460050634f9b3cb6a696a4c73652d1802a1872}**

## HitandSplit - Forensics \[2 pts] <a href="#hitandsplit" id="hitandsplit"></a>

> Are you a forensic?

{% file src="<https://980792987-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Md9Bzo_DCKomMglV10a%2F-MdrH11rG2XidayROYm7%2F-MdrJQwnHfgAvi4a-ak1%2Fsplitandhit.zip?alt=media&token=09fc2e0b-e82a-4f31-8a69-6e1702228129>" %}
hit and split
{% endfile %}

Searching through the pcapng file for `DCTF{`, a couple of results come up. When you focus on the packets with 81 bytes you get the flag. I used the set of packets 676, 685, 690, 697, 703.

**Flag: DCTF{71f15f9abbd6b4f57ca13114fddef7499b34cb93b35e3ac725cd273ea40cb769}**

## Inception - Steg \[?? pts]

> Do you like our logo?

{% file src="<https://980792987-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Md9Bzo_DCKomMglV10a%2F-MdrH11rG2XidayROYm7%2F-MdrJcQSIcQ1zRvjb8Av%2FYoumaynotseeme.png?alt=media&token=19dbd017-7023-47cc-8577-2091cf207176>" %}
logo
{% endfile %}

Start out with `binwalk` to find that the logo has 13 images hidden in it.\
Of those 13 images, 1E042 contains the flag.

![](https://980792987-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Md9Bzo_DCKomMglV10a%2F-MdyFsoT_7wZE9gA2Fby%2F-MdyHoZ1WTIADfJ4IYOg%2F1E042.png?alt=media\&token=fc53eaea-edf7-4bcb-a18e-88335523a419)

Flag: DCTF{61c9183bf4e872b61d71697891e0a451eff0b07bcd3373d4aac94aa74baccb9f}
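To show what a signature scan like the one above is doing for a single file type, here is an added example (not part of the original writeup, and not binwalk's code) that carves every complete PNG out of a byte blob by walking its chunk chain. Keying the results by hexadecimal offset is an assumption about how a name like `1E042` arises; the sample image is constructed.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, data=b""):
    """Build one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def carve_pngs(blob):
    """Return {hex offset: PNG bytes} for every complete PNG stream in blob."""
    found = {}
    start = blob.find(PNG_MAGIC)
    while start != -1:
        pos = start + len(PNG_MAGIC)
        while pos + 12 <= len(blob):
            (length,) = struct.unpack(">I", blob[pos:pos + 4])
            end = pos + 12 + length          # length + type + data + CRC
            if end > len(blob):
                break                        # truncated or bogus chunk
            body = blob[pos + 4:end - 4]     # chunk type followed by data
            (crc,) = struct.unpack(">I", blob[end - 4:end])
            if zlib.crc32(body) & 0xFFFFFFFF != crc:
                break                        # magic bytes without a real chunk chain
            pos = end
            if body[:4] == b"IEND":
                found["%X" % start] = blob[start:pos]
                break
        start = blob.find(PNG_MAGIC, start + 1)
    return found

def tiny_png(width):
    """Constructed sample: a valid one-pixel-high greyscale PNG."""
    ihdr = struct.pack(">IIBBBBB", width, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00" + b"\x00" * width)
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND")

# Constructed sample: a carrier image with a second PNG hidden after padding.
OUTER, INNER = tiny_png(4), tiny_png(2)
SAMPLE = OUTER + b"\x00" * 5 + INNER

if __name__ == "__main__":
    for offset, data in carve_pngs(SAMPLE).items():
        print(offset, len(data), "bytes")
```

The CRC check is what keeps a stray copy of the eight magic bytes from being reported as an image.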

## forgotmykeys - Crypto \[50 pts] \[Not Solved]

> I forgot my flag & key. Help me recover them.

{% file src="<https://980792987-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Md9Bzo_DCKomMglV10a%2F-MdrH11rG2XidayROYm7%2F-MdrHIT7oZB363OpnA4I%2FCode.txt?alt=media&token=8341ba80-b3a3-4fbc-9a97-b391e27c10ca>" %}
code
{% endfile %}

Solution

Flag:

## Loyal Book - Misc \[99 pts] <a href="#loyal-book" id="loyal-book"></a>

> Every book is unique in its own way! Go and read the story of a brave man!

{% file src="<https://980792987-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Md9Bzo_DCKomMglV10a%2F-MdrH11rG2XidayROYm7%2F-MdrJhyIc4NpTDmVnCmP%2Fbooks.zip?alt=media&token=44b332fb-72ad-402e-b787-765dc66fd198>" %}
book
{% endfile %}

From the reference to unique, I ran `diff 0001.txt 0002.txt`, which returned a line difference of DC, so I did that for each file, comparing it to the base file 0001.txt. The combined text was the flag.

> < glimpse last summer at the Palais-Royal. Some of\
> \> glimpse last summer **DC** at the Palais-Royal. Some of
>
> < benches ranged along the walls, and in the centre of\
> \> benches ranged along **TF**the walls, and in the centre of
>
> < And it must have been very strong to endure after\
> \> And it must h**{**ave been very strong to endure after
>
> < And it must have been very strong to endure after\
> \> And it must have been **7ba61** very strong to endure after
>
> < and Frederick, feeling sleepy, was in no great haste\
> \> and Frederick, feeling sleepy, wa**0cc5d**s in no great haste
>
> < communicated to him ; and he had only two phrases :\
> \> communicated to him ; a**a3966**nd he had only two phrases :
>
> < derstand. She longed for wealth, in order to crush\
> \> derstand. She longed fo**b7c64**r wealth, in order to crush
>
> < They all took advantage of the occasion to denounce\
> \> They all took advantage **a81c3** of the occasion to denounce
>
> < " Ha ! your chum ! " said Madame Moreau, with a\
> \> " Ha ! your chum ! " said Madame Mor**cfcdb**eau, with a
>
> < barely maintained him. Made bitter by continuous\
> \> barely maintained him. **1b1d0** Made bitter by continuous
>
> < 82 GUSTAVE FLAUBERT\
> \> 82 GUSTAVE FLAUBERT **9e3de**
>
> < and the 'longshore-woman exclaimed :\
> \> and the 'longshore-woman exclaimed : **5ad11**
>
> < The advocate went on :\
> \> The advocate **89268** went on :
>
> < ceive either.\
> \> ceive either. **bf0e6**
>
> < places at which the principals in the duel were to\
> \> places at **18ff7** which the principals in the duel were to
>
> < deur.\
> \> deur. **1f08}**

**Flag: DCTF{7ba610cc5da3966b7c64a81c3cfcdb1b1d09e3de5ad1189268bf0e618ff71f08}**
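The per-file `diff` against 0001.txt can be automated. The following is an added example, not part of the original writeup: it assumes each variant differs from the base by one contiguous insertion per changed line, and the function names and the sample data (built from lines quoted above) are constructed for illustration.

```python
def inserted_fragment(base_line, variant_line):
    """Return the text present in variant_line but not in base_line.

    Assumes one contiguous insertion, as in the diff output above:
    strip the longest common prefix, then the longest common suffix.
    """
    limit = min(len(base_line), len(variant_line))
    p = 0
    while p < limit and base_line[p] == variant_line[p]:
        p += 1
    s = 0
    while s < limit - p and base_line[-1 - s] == variant_line[-1 - s]:
        s += 1
    return variant_line[p:len(variant_line) - s].strip()

def recover_hidden_text(base_text, variant_texts):
    """Concatenate the fragment inserted into each variant, in variant order."""
    base_lines = base_text.splitlines()
    parts = []
    for text in variant_texts:
        for base_line, line in zip(base_lines, text.splitlines()):
            if base_line != line:
                parts.append(inserted_fragment(base_line, line))
    return "".join(parts)

# Constructed sample: three lines quoted on this page stand in for 0001.txt,
# and each variant carries one of the first four fragments listed above.
BASE = "\n".join([
    "glimpse last summer at the Palais-Royal. Some of",
    "benches ranged along the walls, and in the centre of",
    "And it must have been very strong to endure after",
])
VARIANTS = [
    BASE.replace("summer at", "summer DC at"),
    BASE.replace("along the", "along TFthe"),
    BASE.replace("must have", "must h{ave"),
    BASE.replace("been very", "been 7ba61 very"),
]

if __name__ == "__main__":
    print(recover_hidden_text(BASE, VARIANTS))
```

For the real challenge files, read 0001.txt as the base and pass the remaining files' contents in filename order. When an inserted fragment begins with the same character as the text that follows it, the split point is ambiguous, so check the result against the raw `diff` output.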

## Collaboration is key - Category \[99 pts] \[Not Solved]

> What do you think about this algorithm? I worked with my good friend to push it to the repository.

{% file src="<https://980792987-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Md9Bzo_DCKomMglV10a%2F-MdrH11rG2XidayROYm7%2F-MdrIPHnYS7YaHrm7P_B%2Fget_flag_at_dctf2k17.zip?alt=media&token=964acc3d-7d7a-43df-afa0-94c1d48fe988>" %}
collaboration
{% endfile %}

Solution

Flag:

## Chio - Rev \[360 pts] \[Not Solved]

> Too lazy to make the flag in DCTF{SHA256} format. Download Find the flag, and make it compatible yourself.

{% file src="<https://980792987-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Md9Bzo_DCKomMglV10a%2F-MdrH11rG2XidayROYm7%2F-MdrHjX10Z-O0lQX0co9%2Fpublic_crack.zip?alt=media&token=e008b005-60eb-4a28-95fc-8eab833e95d3>" %}
public crack
{% endfile %}

Solution

Flag:
