# CSAW Qualifiers 2021 ## Lazy Leaks > **Description** > > Someone at a company was supposedly using an unsecured communication channel. A dump of company communications was created to find any sensitive info leaks. See if you can find anything suspicious or concerning. {% file src="" %} Lazy Leaks {% endfile %} **Solution** Ran the cmd `strings Lazy_leaks.pcap | grep flag` **Flag: flag{T00\_*****L\@ZY\_4\_*****$3CUR1TY}** ## Weak Password > **Description** > > Can you crack Aaron’s password hash? \ > He seems to like simple passwords. I’m sure he’ll use his name and birthday in it. Hint: Aaron writes important dates as YYYYMMDD rather than YYYY-MM-DD or any other special character separator. Once you crack the password, prepend it with flag{ and append it with } to submit the flag with our standard format. \ > Hash: 7f4986da7d7b52fa81f98278e6ec9dcb. **Solution** The program I built was a little bit overkill when it came to the name, but I started out with the date and just "aaron" and didn't come back with a result. Because of that, I decided to do every variation I could think of to make sure I get it the next time I run the program. ```python import hashlib def pad(year, month, day): date = str(year) + "" if month < 10: date += "0" date += str(month) if day < 10: date += "0" date += str(day) return date def hashing(password): return hashlib.md5(password.encode()) year = 1800 day = 1 month = 1 a = ['a', 'A', '@'] r = ['r', 'R'] o = ['o', 'O','0'] n = ['n', 'N'] #variables = ['a', 'r', 'o', 'n', 'A', 'R', 'O', 'N', '0' ,'@'] name = ["aaron", "AARON"] for i1 in a: for i2 in a: for i3 in r: for i4 in o: for i5 in n: curName = i1 + i2 + i3 + i4 + i5 name.append(curName) #goalHash = "2cf2481031af7347b0be175f64cd39a7" goalHash = "7f4986da7d7b52fa81f98278e6ec9dcb" while year < 2021: while month <= 12: while day <= 31: for n in name: password = pad(year, month, day) if (hashing(n + password).hexdigest() == goalHash): print("I FUCKING FOUND IT" , n, year, month, day) day += 1 month += 1 day = 1 year += 1 day = 1 month = 1 ``` **Flag: flag{Aaron19800321}** ## Contact Us > **Description** > > Veronica sent a message to her client via their website's Contact Us page. Can you find the message? \ > Author: moat, Pacific Northwest National Laboratory {% file src="" %} **Solution** Given the two files, I saw that the encrypted traffic was where the focus needed to be. I opened up Wireshark and went blank. How do I import the key? After some searching on the internet, I found that I had to go to`Edit -> Preferences -> Protocols -> TLS -> (Pre)-Master-Secret log filename` and select the sslkeyfile.txt. Bam then the whole file was decrypted and I just had to go in and search for the flag. **Flag: flag{m\@r$hm3ll0w$}** ## Gotta Decrypt Em All \[175 pts] (Pwnaday Solution) > **Description** > > You are stuck in another dimension while you were riding Solgaleo. You have Rotom-dex with you to contact your friends but he won't activate the GPS unless you can prove yourself to him. He is going to give you a series of phrases that only you should be able to decrypt and you have a limited amount of time to do so. Can you decrypt them all? > > nc crypto.chal.csaw\.io 5001 **Solution** This problem was simple in my opinion but a pain in the butt.\ First up is the morse code which was a quick copy and paste from the internet. That then was decoded into a weird ASCII which was identified as Base64. That Base64 Spit out an RSA key with N, e, c, and when decoded put through ROT13 It creates a word to send to the server. ```python from pwn import * import time import base64 from owiener import attack,isqrt from Crypto.Util.number import inverse,bytes_to_long,long_to_bytes,GCD # Dictionary representing the morse code chart MORSE_CODE_DICT = { 'A':'.-', 'B':'-...', 'C':'-.-.', 'D':'-..', 'E':'.', 'F':'..-.', 'G':'--.', 'H':'....', 'I':'..', 'J':'.---', 'K':'-.-', 'L':'.-..', 'M':'--', 'N':'-.', 'O':'---', 'P':'.--.', 'Q':'--.-', 'R':'.-.', 'S':'...', 'T':'-', 'U':'..-', 'V':'...-', 'W':'.--', 'X':'-..-', 'Y':'-.--', 'Z':'--..', '1':'.----', '2':'..---', '3':'...--', '4':'....-', '5':'.....', '6':'-....', '7':'--...', '8':'---..', '9':'----.', '0':'-----', ', ':'--..--', '.':'.-.-.-', '?':'..--..', '/':'-..-.', '-':'-....-', '(':'-.--.', ')':'-.--.-'} def decrypt(message): # extra space added at the end to access the # last morse code message += ' ' decipher = '' citext = '' for letter in message: # checks for space if (letter != ' '): # counter to keep track of space i = 0 # storing morae code of a single character citext += letter # in case of space else: # if i = 1 that indicates a new character i += 1 # if i = 2 that indicates a new word if i == 2 : # adding space to separate words decipher += ' ' else: # accessing the keys using their values (reverse of encryption) decipher += list(MORSE_CODE_DICT.keys())[list(MORSE_CODE_DICT .values()).index(citext)] citext = '' return decipher def rot(s, k): alphabet = list('abcdefghijklmnopqrstuvwxyz') s = list(s) for i in range(len(s)): e = s[i] is_upper = e.isupper() if e in [' ','.','_']: continue idx = alphabet.index(e.lower()) new_idx = (idx+k)%len(alphabet) if is_upper: s[i] = alphabet[new_idx].upper() else: s[i] = alphabet[new_idx] return ''.join(e for e in s) def iroot(k,n): u,s = n,n+1 while u < s: s = u t = (k-1)*s+n // pow(s,k-1) u = t//k return s binary = remote("crypto.chal.csaw.io", 5001) done = False while not done: try: print(binary.recvuntil(bytes("mean?", "utf-8"))) more = (binary.recvuntil(bytes(">>", "utf-8"))) # Morse code morseCode = str(more, 'utf-8').replace('>>' ,"") morseCode = morseCode.replace('\n', "").replace('\r', '') words = morseCode.split('/') text = "" for word in words: text += chr(int(decrypt(word))) based = base64.b64decode(text).split(b'\n') N = int(based[0].decode()[4:]) e = int(based[1].decode()[4:]) c = int(based[2].decode()[4:]) cube_root = iroot(3,c) root_bytes = long_to_bytes(cube_root) rot_bytes = rot(root_bytes.decode(),13).encode() binary.sendline(rot_bytes) except Exception as e: print('exception: {}'.format(e)) done = True binary.recvuntil(b'friends: ') buf = binary.recvuntil(b'\r\n')[:-2].decode() print('flag: {}'.format(buf)) ``` ## Mic > **Description** > > My Epson InkJet printer is mysteriously printing blank pages. Is it trying to tell me something? {% file src="" %} **Solution** We were stumped on this one until we found something on the printer. We looked at the PDF with analysis. Nothing showed up until someone saw dots. I thought at first we were just seeing something but he wasn't lying. This lead to a great trail and by using [deda ](https://github.com/dfd-tud/deda)we produced the report below with the serial numbers being the flag. {% file src="" %} Results {% endfile %} **Flag: flag{watchoutforthepoisonedcoffee}**