Hello, today we will be taking a look at some of the warmup challenges from VirSecCon CTF 2020. While I was not able to spend as much time on this CTF as I would have liked, I still had a great time, grabbed some flags, made some friends, and learned some new tricks. VirSecCon 2020 was a ton of fun and I look forward to checking out more upcoming virtual conferences in the future!

Now, let’s delve into some of the warmup challenges in this CTF!

Challenge: Read The Rules

We’ll start things off with the easiest challenge.

We begin by navigating to http://ctf.virseccon.com/rules and viewing the source of the page.

Reviewing the source reveals the flag is located in a comment on lines 144 and 145:

With our first flag captured, we’re ready to hack the planet!

Challenge: Believe Your Eyes

Our next challenge starts off by serving us a .rar file titled 'believe_your_eyes.rar'.

We download the .rar file to our machine and run the file command on it:

file believe_your_eyes.rar

believe_your_eyes.rar: PNG image data, 600 x 200, 8-bit grayscale, non-interlaced

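The file command reports PNG image data, so the .rar extension is misleading and the download is really an image. We further our investigation by running the strings command on the file to see what interesting data might be inside: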

strings believe_your_eyes.rar
IHDR
gAMA
bKGD
tIME
IDATx
%tEXtcaption
LLS{if_ten_million_fireflies}
%tEXtdate:create
2020-03-31T14:34:08+00:00
%tEXtdate:modify
2020-03-31T14:34:08+00:00
IEND

Analyzing the output of the strings command reveals our flag!
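
The same finding can be reproduced without strings by reading the PNG structure directly. The Python below is an added example, not part of the original write-up: it walks the chunks of a PNG, verifies each CRC and returns the tEXt keyword/value pairs. The sample image and its caption value are constructed for the demonstration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(blob: bytes):
    """Yield (type, data, crc_ok) for each chunk; raise if not a PNG."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: signature mismatch")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        end = pos + 8 + length
        if end + 4 > len(blob):
            raise ValueError("truncated chunk %r" % ctype)
        data = blob[pos + 8:end]
        (crc,) = struct.unpack(">I", blob[end:end + 4])
        yield ctype, data, crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        pos = end + 4
        if ctype == b"IEND":
            break


def text_metadata(blob: bytes) -> dict:
    """Return {keyword: text} from all tEXt chunks with a valid CRC."""
    found = {}
    for ctype, data, crc_ok in iter_chunks(blob):
        if ctype == b"tEXt" and crc_ok and b"\x00" in data:
            keyword, text = data.split(b"\x00", 1)
            found[keyword.decode("latin-1")] = text.decode("latin-1")
    return found


# Constructed sample: a 1x1 grayscale PNG carrying a tEXt "caption" chunk.
ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
SAMPLE = (PNG_SIGNATURE
          + make_chunk(b"IHDR", ihdr)
          + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
          + make_chunk(b"tEXt", b"caption\x00LLS{constructed_example}")
          + make_chunk(b"IEND", b""))
```

In the challenge file the caption chunk's data is 37 bytes long (0x25), which is why strings prints a "%" in front of "tEXtcaption": it is the low byte of the chunk's length field.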

Challenge: Puppo

Moving on to the next challenge, we are presented with a .jpg image.

We download the .jpg file to our host and run the strings command on it:

strings woofer.jpg
JFIF
ICC_PROFILE
lcms
mntrRGB XYZ
acspAPPL
-lcms
desc
8cprt
Nwtpt
chad
,rXYZ
bXYZ
gXYZ
rTRC
gTRC
bTRC
chrm
$mluc
enUS
mluc
enUS
XYZ
-sf32
XYZ
XYZ
XYZ
para
[para
[para
[chrm
5b'TExTe2RvZ2dvX3NheXNfc3VjaF9iYXNlNjRfdmVyeV93b3d9'

Examining the output from strings, we notice a specific string that appears to stand out:

5b'TExTe2RvZ2dvX3NheXNfc3VjaF9iYXNlNjRfdmVyeV93b3d9'

This string seems to be Base64 encoded, so let’s attempt to decode it and see what happens.

First we need to strip the characters wrapped around the Base64 data, which leaves us with this:

TExTe2RvZ2dvX3NheXNfc3VjaF9iYXNlNjRfdmVyeV93b3d9

Now we’ll attempt to decode the Base64 string with a handy little tool called CyberChef:

Ta-dah! The string is decoded and we collect another flag!

LLS{doggo_says_such_base64_very_wow}

CyberChef is a wonderful project filled to the brim with helpful tools! It is a great addition to any hacker’s arsenal and I highly recommend it.

You can check out CyberChef here:

https://gchq.github.io/CyberChef/
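
Spotting the encoded string by eye works for one image, but the same triage can be automated. The Python below is an added example, not part of the original write-up: it scans raw bytes for runs of Base64 characters, decodes them strictly and keeps only the runs that decode to printable text. The bytes around the Base64 string in the sample are constructed; only the string itself is taken from the strings output above.

```python
import base64
import re
import string

# Runs of base64 alphabet characters, long enough to be worth decoding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def decode_if_text(candidate: bytes):
    """Strictly decode one candidate; return text only if it is printable ASCII."""
    if len(candidate) % 4:
        return None  # not a whole number of 4-character groups
    try:
        raw = base64.b64decode(candidate, validate=True)
    except ValueError:
        return None
    if raw and all(b in PRINTABLE for b in raw):
        return raw.decode("ascii")
    return None


def find_base64_text(blob: bytes):
    """Return [(offset, decoded_text)] for base64 runs that decode to text."""
    hits = []
    for match in B64_RUN.finditer(blob):
        run = match.group()
        # A run may have stray alphabet characters glued to its front, so try
        # each of the four possible alignments and keep the first that decodes.
        for skip in range(4):
            body = run[skip:]
            body = body[:len(body) - len(body) % 4]
            text = decode_if_text(body)
            if text:
                hits.append((match.start() + skip, text))
                break
    return hits


# Constructed sample bytes; only the quoted base64 string is from the page.
SAMPLE = (b"\xff\xd8JFIF\x00[chrm\x00\x005b'"
          b"TExTe2RvZ2dvX3NheXNfc3VjaF9iYXNlNjRfdmVyeV93b3d9"
          b"'\x00\"AQ2aq\xff\xd9")
```

The quote characters around the string break the run, so the leading 5b is never part of the candidate; the alignment loop covers the case where such characters sit directly against the data.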

Challenge: Pack'd

The next challenge serves us another file to download.

Once downloaded to our host machine, we kick things off by running the file command:

file packd
packd: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header

Next, we’ll run strings on the file to get a look inside:

$Info: This file is packed with the UPX executable packer http://upx.sf.net $
$Id: UPX 3.96 Copyright (C) 1996-2020 the UPX Team. All Rights Reserved. $

As the name of the challenge hinted, these strings confirm that the binary was packed with UPX.

Now that we have confirmed that the file has been packed with UPX, we’ll run upx on the file with the -d option to decompress the binary:

upx -d packd
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2018
UPX 3.95        Markus Oberhumer, Laszlo Molnar & John Reiser   Aug 26th 2018

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    657616 <-    276068   41.98%   linux/i386    packd

Unpacked 1 file.

Finally, we will run the strings command once more and analyze the output for anything of interest:

Oh! This package must have been shipped to the wrong address!
HOME
something_unnecessary
LLS{packing_an_executable_can_hide_some_data}
Congratulations! You've won!

This rewards us with yet another flag!
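
The two hints used above, "no section header" from file and the UPX banner from strings, can be checked programmatically when triaging many binaries. The Python below is an added example, not part of the original write-up: it reads e_shnum from the ELF header and looks for the UPX banner and the "UPX!" magic. The helper make_elf32 and both sample binaries are constructed for the demonstration.

```python
import struct

UPX_MAGIC = b"UPX!"  # magic used by UPX's own packing headers
UPX_BANNER = b"$Info: This file is packed with the UPX executable packer"


def elf_section_count(blob: bytes):
    """Return e_shnum from an ELF32/ELF64 header, or None if not ELF."""
    if len(blob) < 52 or blob[:4] != b"\x7fELF":
        return None
    is_64 = blob[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    endian = "<" if blob[5] == 1 else ">"     # EI_DATA: 1 = little-endian
    offset = 60 if is_64 else 48              # e_shnum position in the header
    if len(blob) < offset + 2:
        return None
    (shnum,) = struct.unpack_from(endian + "H", blob, offset)
    return shnum


def upx_indicators(blob: bytes):
    """List the static hints that an ELF was packed with UPX."""
    hints = []
    shnum = elf_section_count(blob)
    if shnum is None:
        return hints
    if shnum == 0:
        hints.append("no section headers")
    if UPX_MAGIC in blob:
        hints.append("UPX! magic")
    if UPX_BANNER in blob:
        hints.append("UPX banner string")
    return hints


def make_elf32(shnum: int, body: bytes = b"") -> bytes:
    """Build a constructed little-endian ELF32 i386 header followed by body."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 3]) + b"\x00" * 8
    header = struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048000, 52,
                         0x1000 if shnum else 0, 0, 52, 32, 1, 40, shnum, 0)
    return ident + header + body


# Constructed samples, not the challenge binary.
PACKED = make_elf32(0, b"\x00" * 32 + UPX_MAGIC + b"\x00" * 8 + UPX_BANNER)
PLAIN = make_elf32(29, b"\x00" * 64)
```

A missing section table on its own is only a hint, since other stripped or packed binaries lack one too, which is why each indicator is reported separately.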

Conclusion

That concludes our review of the VirSecCon 2020 CTF warmup challenges.

In the next post, we’ll explore some of the forensic challenges in this CTF!

Until next time,

Happy Hacking!
