
rgbCTF 2020 Write-up

Introduction

Challenge Name | Category | Solves | Points
Name a more iconic band | Beginner | 89 | 411
I Love Rainbows | Cryptography | 408 | 50
Penguins | Misc | 135 | 295
Tic Tac Toe | Web | 333 | 50
vaporwave1 | [ZTC] | 166 | 190

Name a more iconic band

Category: Beginner | Solves: 89 | Points: 411


Name a more iconic band challenge description

We download the “data.7z” file and extract the contents:

$ file data_1
data_1: ELF 64-bit LSB core file, x86-64, version 1 (SYSV)

Running strings on this “ELF” file, we immediately see that it is not in fact a regular ELF file: it contains a Windows memory core dump. We will need to extract the raw data and then analyze it with Volatility. We use objdump with egrep to locate the size and offset of the first LOAD section.

Name-a-more-iconic-band-objdump

This section contains the RAM information we care about. We remove the bytes we don’t need.

Name-a-more-iconic-band-offset

Next, we use Volatility to determine the image information from our data.raw file.

name-a-more-iconic-band-volatility-imageinfo

Then, we use hivelist to locate the virtual memory locations of the SAM and SYSTEM hives.

name-a-more-iconic-band-volatility-hivelist

Next, using these locations we dump the NTLM hashes stored in memory from this file.

name-a-more-iconic-band-volatility-hashdump

Now all we have to do is crack the NTLM hashes, sort the passwords alphabetically, create an MD5 hash of the result, and submit the flag.

name-a-more-iconic-band-hashcrack

Lastly, we use the following command to generate our flag:

name-a-more-iconic-band-md5sum

Flag: rgbCTF{cf271c074989f6073af976de00098fc4}
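The LOAD-extraction step above, as an added example that is not part of the original write-up: it reads the ELF64 program headers directly, returns the file offset and size of the first LOAD segment, and slices out the raw memory. The sample core is constructed in the code, and the function names are hypothetical.

```python
import struct

PT_LOAD, PT_NOTE = 1, 4
PHDR = "<IIQQQQQQ"  # ELF64 program header: type, flags, offset, vaddr, paddr, filesz, memsz, align

def first_load_segment(blob):
    """Return (file_offset, file_size) of the first PT_LOAD segment of an ELF64 LE image."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if blob[4] != 2 or blob[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    (e_phoff,) = struct.unpack_from("<Q", blob, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", blob, 0x36)
    for i in range(e_phnum):
        fields = struct.unpack_from(PHDR, blob, e_phoff + i * e_phentsize)
        p_type, p_offset, p_filesz = fields[0], fields[2], fields[5]
        if p_type == PT_LOAD:
            # A truncated download would silently yield a short data.raw; refuse instead.
            if p_offset + p_filesz > len(blob):
                raise ValueError("LOAD segment runs past end of file")
            return p_offset, p_filesz
    raise ValueError("no LOAD segment found")

def extract_ram(blob):
    """Slice the raw memory image out of the core, like trimming the leading bytes by hand."""
    off, size = first_load_segment(blob)
    return blob[off:off + size]

def build_sample_core(ram):
    """Constructed stand-in for data_1: ELF64 core with one PT_NOTE, then one PT_LOAD holding `ram`."""
    note = b"\x00" * 32
    phoff, phnum = 64, 2
    note_off = phoff + phnum * struct.calcsize(PHDR)
    load_off = note_off + len(note)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    # e_type=4 (ET_CORE), e_machine=62 (x86-64), e_version=1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 4, 62, 1, 0, phoff, 0, 0, 64, 56, phnum, 0, 0, 0)
    ph_note = struct.pack(PHDR, PT_NOTE, 0, note_off, 0, 0, len(note), 0, 0)
    ph_load = struct.pack(PHDR, PT_LOAD, 7, load_off, 0, 0, len(ram), len(ram), 0)
    return ehdr + ph_note + ph_load + note + ram

if __name__ == "__main__":
    core = build_sample_core(b"constructed physical memory " * 4)
    print(first_load_segment(core), len(extract_ram(core)))
```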


I Love Rainbows

Category: Cryptography | Solves: 408 | Points: 50


i-love-rainbows

We download the rainbows.txt file and list the contents.

i-love-rainbows-contents

From the name of the challenge we are given a hint that we may be looking at a rainbow table attack using this list of hashes.

We run hash-identifier on the first two hashes to determine their hash type.

i-love-rainbows-hash

i-love-rainbows-sha256

Okay, so the first hash 4b43b0aee35624cd95b910189b3dc231 is an MD5 hash and the second cd0aa9856147b6c5b4ff2b7dfee5da20aa38253099ef1b4a64aced233c9afe29 is SHA-256. We will assume the shorter hashes are MD5 and the longer hashes are SHA-256. Assuming these hashes are not salted, we could attempt to crack these locally. I even considered generating my own rainbow tables (yikes) for the sake of the challenge, but instead let’s see if we can use an online password cracker that already has rainbow table lists generated and likely has the plain-text results.

We’ll use Crackstation. At most 20 hashes can be submitted at once, so we’ll submit the first 20 hashes and then the last 4 separately.

i-love-rainbows-crackstation

i-love-rainbows-crackstation2

Awesome, the plain-text values of these hashes were previously cracked, let’s submit our flag!

Flag: rgbCTF{4lw4ys_us3_s4lt_wh3n_h4shing}
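Why the lookup works, and why the flag's advice holds, as an added example that is not part of the original write-up: unsalted MD5 and SHA-256 digests can be reversed with a precomputed table, while the same table misses once a salt is mixed in. The candidate words, sample hashes and salt are constructed for illustration, and the function names are hypothetical.

```python
import hashlib

def build_lookup(candidates):
    """Precompute unsalted MD5 and SHA-256 digests for every candidate plaintext."""
    table = {}
    for word in candidates:
        data = word.encode()
        table[hashlib.md5(data).hexdigest()] = word
        table[hashlib.sha256(data).hexdigest()] = word
    return table

def classify(hex_digest):
    """Guess the algorithm from the digest length, as the write-up does (32 vs 64 hex chars)."""
    return {32: "MD5", 64: "SHA-256"}.get(len(hex_digest), "unknown")

def reverse_all(hashes, table):
    """Return (algorithm guess, recovered plaintext or None) for each hash."""
    return [(classify(h), table.get(h.lower())) for h in hashes]

def salted_sha256(salt, word):
    """Digest of salt || word; a table built without the salt cannot contain it."""
    return hashlib.sha256(salt + word.encode()).hexdigest()

# Constructed inputs, not the contents of rainbows.txt.
CANDIDATES = ["rgb", "ctf", "salt"]
SAMPLE = [
    hashlib.md5(b"rgb").hexdigest(),
    hashlib.sha256(b"ctf").hexdigest().upper(),   # case should not matter
    hashlib.md5(b"not-in-table").hexdigest(),     # lookup tables only know what was precomputed
]

if __name__ == "__main__":
    table = build_lookup(CANDIDATES)
    for algo, plain in reverse_all(SAMPLE, table):
        print(algo, plain)
    print("salted:", table.get(salted_sha256(b"constructed-salt", "salt")))
```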


Penguins

Category: Misc | Solves: 135 | Points: 295


penguins-challenge

We download and unzip the file.

penguin-unzip

Ah, a git challenge. Let’s explore the contents and see if we can find any useful information.

penguin-git

lol..

After some digging around the .git folder I decided to take a look at the git log history.

penguins-git-history

Commit 57adeae7 looks interesting. Let’s check out the “relevant file” change.

penguins-git-ls

After checking the new files we find the following:

penguins-base64

We base64 decode this string with base64 -d < perhaps_relevant_v2 to receive the following output:

as yoda once told me "reward you i must" and then he gave me this ---- rgbctf{d4ngl1ng_c0mm17s_4r3_uNf0r7un473}

Flag: rgbctf{d4ngl1ng_c0mm17s_4r3_uNf0r7un473}


Tic Tac Toe

Category: Web | Solves: 333 | Points: 50


tic-tac-toe

We navigate to http://challenge.rgbsec.xyz:8974 and are presented with the following:

tic-tac-toe-web

As the player we are given uwu as our mark, the script uses owo.

I played a few games to determine the behavior of the script running this site. I soon realized that the script was making a logic error when presented with the following condition: In the case that the human player makes a move that sets up a winning condition the following round, the script will prevent the player from winning on the following round even if the script can win on that same exact round. See image below:

tic-tac-toe-uwus

If we place our uwu marker on the middle bottom row, the script will prioritize blocking our next move over winning itself on the top row. See image:

tic-tac-toe-winning-on-next-move

The trick here is to set ourselves up to win on the middle column. Thus, we are winning on the next move, top middle square.

tic-tac-toe-base64

We base64 decode this string and retrieve the flag!

tic-tac-toe-flag

Note: I’m sure there was another way to solve this by modifying the JavaScript, but why work hard?

Flag: rgbCTF{h4h4_j4v42cr1p7_ev3n72_AR3_c00L}
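A model of the logic error described above, as an added example that is not part of the original write-up and not the challenge's own code: a move picker that checks for a block before checking for its own win, next to the corrected priority order. The board position is constructed to match the description, and all names are hypothetical.

```python
LINES = [(0, 1, 2), (3, 4, 5), (6, 7, 8),   # rows
         (0, 3, 6), (1, 4, 7), (2, 5, 8),   # columns
         (0, 4, 8), (2, 4, 6)]              # diagonals

def completing_move(board, mark):
    """Return the empty cell that completes a line for `mark`, or None."""
    for line in LINES:
        cells = [board[i] for i in line]
        if cells.count(mark) == 2 and cells.count(None) == 1:
            return line[cells.index(None)]
    return None

def flawed_move(board):
    """Behaviour the write-up observed: blocking the player outranks taking a win."""
    block = completing_move(board, "uwu")
    if block is not None:
        return block
    win = completing_move(board, "owo")
    return win if win is not None else board.index(None)

def fixed_move(board):
    """Corrected order: take an available win first, only then block."""
    win = completing_move(board, "owo")
    if win is not None:
        return win
    block = completing_move(board, "uwu")
    return block if block is not None else board.index(None)

# Constructed position (cells 0..8, row by row): the script (owo) holds both top
# corners, the player (uwu) threatens the middle row and the middle column.
BOARD = ["owo", None, "owo",
         "uwu", "uwu", None,
         None,  "uwu", None]

if __name__ == "__main__":
    print("flawed picks", flawed_move(BOARD))   # blocks the middle row, leaves top middle open
    print("fixed picks", fixed_move(BOARD))     # completes the top row and ends the game
```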


vaporwave1

Category: [ZTC] | Solves: 166 | Points: 190


vaporwave1-challenge

We download the vaporwave1.mp3 file and open it using Audacity. My first thoughts on this challenge were that this file is likely encoded, as is common with steganography challenges.

ZTC brought some great tunes this year; I especially had fun working on the third installment of this challenge in “vaporwave3”. Shoutout to ZTC for the summoning salt/speedrunning homage.

Now back to the challenge.

In Audacity we choose “spectrogram” and modify the spectrogram settings to include frequencies up to 22000 Hz. Viewing the spectrogram at this range, we see a message between 15 kHz and 22 kHz. We have found our flag.

vaporwave1-challenge

Flag: rgbCTF{s331ng_s0undz}