This is a write-up of how my team solved the challenges in the final round of the APU Battle of Hackers 2019 (APUBoH) capture the flag. We were ranked 9th at the end of the CTF and managed to solve 3 challenges: 2 forensics and 1 steganography.
The challenges can be downloaded from GitHub:
https://github.com/mfrashad/apuboh19
So, onto the writeups.
Steganography
Nyanyanyanya
When we downloaded the file attached to the challenge, we were given an MP3 file called All_Star_-_Smash_Mouth.mp3. Opening the file, it was a song; however, one peculiar thing was that it had a cover image.
Afterwards, we tried common tricks like the strings command and looking at the spectrogram of the file, but they didn't lead us to any clue.
However, when we ran binwalk on the file to carve it, we found that a PNG file is embedded in it.
Next, we extracted the image; opening it unsurprisingly gave us the same cover image we had seen before.
But now that we had a PNG file to work on, we could try various image steganography programs. So, the first thing we did was open the image in Stegsolve.jar, a Java program that applies various operations to the image, such as inversion, XOR, noise and so on. Surprisingly, it revealed the flag for us in red plane 1 straight away.
The flag is apuboh2019{s0m3b0dy_h1d_th3_fl@g}.
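The binwalk step above (find a PNG signature inside the MP3 and carve out the image) can be reproduced with a few lines of Python. This is an added example, not the write-up's own code or a binwalk module: it walks the PNG chunk list and checks each chunk CRC, so the carved file ends exactly at IEND instead of dragging the rest of the MP3 along; the MP3 stand-in and the tiny red PNG embedded in it are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def carve_pngs(data: bytes):
    """Return (offset, bytes) for every complete PNG embedded in `data`.

    Like binwalk, it looks for the PNG signature, then walks the chunk list
    (length, type, data, CRC), verifying each CRC and stopping at IEND.
    """
    found = []
    pos = data.find(PNG_SIG)
    while pos != -1:
        cur, end = pos + len(PNG_SIG), None
        while cur + 12 <= len(data):  # smallest chunk is 12 bytes (len+type+crc)
            length, ctype = struct.unpack(">I4s", data[cur:cur + 8])
            chunk_end = cur + 8 + length + 4
            if chunk_end > len(data):
                break  # truncated image
            stored_crc = struct.unpack(">I", data[chunk_end - 4:chunk_end])[0]
            if zlib.crc32(data[cur + 4:chunk_end - 4]) != stored_crc:
                break  # bad CRC: a stray signature, not a real chunk list
            cur = chunk_end
            if ctype == b"IEND":
                end = cur
                break
        if end is not None:
            found.append((pos, data[pos:end]))
        pos = data.find(PNG_SIG, pos + 1)
    return found


def make_png(width, height, rgb):
    """Build a minimal RGB PNG (filter type 0 on every row); demo input only."""
    def chunk(ctype, body):
        return (struct.pack(">I", len(body)) + ctype + body
                + struct.pack(">I", zlib.crc32(ctype + body)))
    raw = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))
    return (PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0))
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


# Constructed stand-in for the MP3: an ID3-like prefix, the embedded PNG, then frame-like bytes.
SAMPLE_PNG = make_png(2, 2, (255, 0, 0))
FAKE_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x10" + SAMPLE_PNG + b"\xff\xfb\x90\x00" * 8

if __name__ == "__main__":
    for i, (off, png) in enumerate(carve_pngs(FAKE_MP3)):
        with open(f"carved_{i}.png", "wb") as fh:
            fh.write(png)
        print(f"PNG at offset {off}, {len(png)} bytes")
```

Run it against the real MP3 by replacing FAKE_MP3 with the file's bytes; the carved PNG is then ready for Stegsolve.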
Forensics
Neighbors
For this challenge, we are given a pcapng file, neighbors.pcapng. Since it's a pcap file, we opened it in Wireshark. Next, we started searching for the keyword from the flag format, in this case 'apu', and luckily that gave us the flag straight away.
The flag is apuboh2019{cdp_spoofed}.
Zip it
The next challenge was also a network forensics challenge, and we are given zipit.pcapng, a pcapng file again. However, this time searching for strings didn't lead us anywhere. After looking around, we found some suspicious HTTP packets that might be the clue, so we used the Export Objects function in Wireshark.
After exporting the files, we ran the file command to check them.
Based on the output, the smss.doc file stood out as it is a zip file, which matches the title. Therefore, we tried to extract smss.doc, but it asked for a password. By this point we knew we were on the right track and that this might be the file holding the flag. Next, we started searching for the password, and we found a lead in one of the exported files, share.
We found a text about rockyou.txt, a very well known password list used for cracking. Therefore, we tried to brute-force the zip file using fcrackzip, a zip file cracking tool, and the rockyou.txt dictionary.
However, it gave us an error that it is not a zip file. After some searching around, we found that the file is not the usual PKZIP file but a 7zip archive, and fcrackzip cannot work with 7zip files (it took me quite a long time to figure this out; I thought I just needed to use a different version). Hence, we searched for another cracking tool and found 7zip-crack.
https://github.com/Goron/7zip-crack
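The "not a zipfile" error above is worth checking for before reaching for any tool: PKZIP and 7z start with different magic bytes, and the header tells you more than `file` prints. The following is an added example (not the write-up's or 7zip-crack's code) that classifies an archive from its first 32 bytes, reads the zip "encrypted" flag bit, and validates the 7z StartHeaderCRC; both sample archives are constructed inline.

```python
import io
import struct
import zipfile
import zlib

ZIP_LOCAL_SIG = b"PK\x03\x04"
SEVENZ_SIG = b"7z\xbc\xaf\x27\x1c"


def identify_archive(data: bytes) -> dict:
    """Tell a PKZIP archive from a 7z one by magic bytes, then read just enough
    of each header to report what matters before choosing a tool."""
    if data.startswith(ZIP_LOCAL_SIG):
        # local file header: sig(4) version(2) flags(2) method(2) ...; flag bit 0 = encrypted
        version, flags, method = struct.unpack("<HHH", data[4:10])
        return {"format": "zip", "encrypted": bool(flags & 1), "method": method}
    if data.startswith(SEVENZ_SIG):
        # signature header: sig(6) major(1) minor(1) StartHeaderCRC(4) StartHeader(20)
        # (whether a 7z is encrypted lives in the packed next header, not here)
        major, minor, start_crc = struct.unpack("<BBI", data[6:12])
        start_header = data[12:32]
        next_off, next_size, _next_crc = struct.unpack("<QQI", start_header)
        return {"format": "7z", "version": f"{major}.{minor}",
                "start_header_crc_ok": zlib.crc32(start_header) == start_crc,
                "next_header_offset": next_off, "next_header_size": next_size}
    return {"format": "unknown"}


def make_sample_zip() -> bytes:
    """Constructed, unencrypted zip (the stdlib cannot write encrypted ones)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("smss", b"not really a PE file")
    return buf.getvalue()


def make_sample_7z() -> bytes:
    """Constructed 7z signature header (no packed streams) with a valid StartHeaderCRC."""
    start_header = struct.pack("<QQI", 0x20, 0x30, 0)
    return SEVENZ_SIG + bytes([0, 4]) + struct.pack("<I", zlib.crc32(start_header)) + start_header


if __name__ == "__main__":
    for sample in (make_sample_zip(), make_sample_7z(), b"MZ\x90\x00"):
        print(identify_archive(sample[:32]))
```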
Then we started cracking the file with 7zip-crack and the rockyou.txt dictionary. After a while it finally gave us the password godisgood, yay!
Extracting the archive with the password gave us a PE32 Windows executable file, smss. The first thing we always try is strings, but sadly it didn't give any result.
As this is an executable file, we thought this would be a reverse engineering challenge, and tried to run and reverse engineer it. But we didn't manage to run the program even in DOS mode, as it gave an error. And trying to reverse engineer the program in IDA Pro just confused us even more, since we could only do static analysis and could not debug the program.
Fortunately, we tried opening the file in hexedit.
$ hexedit smss
And yay, we found the flag! We suspect the reason the strings command didn't pick up the flag is that its characters are not adjacent but spaced out. This challenge really took us quite a long time, and was quite frustrating as well. We were really lucky to open the file in a hex editor, otherwise we would have missed the flag.
The flag is apuboh2019{7z1PIsuS3Fu|}.
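The "spaced characters" explanation above is the usual reason strings misses text: it only reports runs of adjacent printable bytes. As an added example (not the write-up's code), the scanner below repeats the strings logic at several byte strides so a flag interleaved with filler bytes is still recovered; the binary is a constructed stand-in with two non-printable bytes after every flag character, and the flag value is made up.

```python
import re
import string

PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
FLAG_RE = re.compile(r"apuboh2019\{[^}]*\}")


def strided_strings(data: bytes, max_stride: int = 4, min_len: int = 8):
    """Like `strings`, but also reads every stride-th byte from each offset,
    so text whose characters are separated by filler bytes is recovered
    (stride 2 is the UTF-16LE case that `strings -e l` covers)."""
    results = []
    for stride in range(1, max_stride + 1):
        for offset in range(stride):
            run, run_start = bytearray(), offset
            for i in range(offset, len(data), stride):
                if data[i] in PRINTABLE:
                    if not run:
                        run_start = i
                    run.append(data[i])
                    continue
                if len(run) >= min_len:
                    results.append((stride, run_start, run.decode("ascii")))
                run = bytearray()
            if len(run) >= min_len:
                results.append((stride, run_start, run.decode("ascii")))
    return results


def find_flags(data: bytes):
    """Return the distinct flag-format strings found at any stride."""
    return sorted({m for _, _, s in strided_strings(data) for m in FLAG_RE.findall(s)})


# Constructed stand-in for the binary: a PE-ish prefix, then the flag with two
# non-printable filler bytes after every character (so plain `strings` misses it).
FLAG = "apuboh2019{constructed_example}"
SAMPLE = (b"MZ\x90\x00\x03\x00\x00\x00"
          + b"".join(bytes([c]) + b"\x00\x01" for c in FLAG.encode())
          + b"\x00\xff\x00PADDING")

if __name__ == "__main__":
    for stride, off, s in strided_strings(SAMPLE):
        print(f"stride={stride} offset={off}: {s}")
    print("flags:", find_flags(SAMPLE))
```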
Conclusion
Although the challenges above may look simple, we actually spent a lot of time on other challenges; although we made some progress, we still didn't manage to solve them, so our struggles on those are not written up here.
One regret I have is that I didn't study binary exploitation more thoroughly before coming to the competition. I was expecting basic reverse engineering challenges, but was given binary exploitation challenges such as basic stack overflows or buffer overflows instead. We could have boosted our ranking a lot more if I had studied those beforehand.
Overall, it was a great experience and we learnt a lot from the competition. I'd also like to thank my teammates Faris Rosly and Tan Li Tung for performing well during the competition and for spending time practising for it. And thank you also to APU (Asia Pacific University) for hosting the event! There should be more CTFs around here!
For other participants of APU BoH 2019, feel free to post your solutions or a link to your write-up in the comments!