Writeup

SECCON security contest 2017 writeups

noras

Tags: #CTF #Forensics #Steganography

After more than 6 months of not playing any CTF, I decided to join ChalmersCTF to play SECCON. After giving it about 2+ hours I could solve 4 challenges. Here is how I did it.

Run me! (Programming 100 points)

Run me!
----- RunMe.py
import sys
sys.setrecursionlimit(99999)
def f(n):
    return n if n < 2 else f(n-2) + f(n-1)

print "SECCON{" + str(f(11011))[:32] + "}"
-----

Solution

Looking at the method given, I could see that there is a double recursive operation f(n-2) + f(n-1) to find f(n).
So running it even with a not very big number like 11011 could take a while. But then I was like.. wait, I’ve seen the part f(n-2) + f(n-1) before: Fibonacci numbers. It looks like this is trying to find the Fibonacci number 11011, and the flag is the first 32 digits of that Fibonacci number. Just for the sake of it I tried to find the Fibonacci number for 11011 using an online tool, which returned quite a long number.

Using the first 32 digits of the number as the flag gave me my first easy and lazy 100 points.
SECCON{65076140832331717667772761541872}
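The same result can be reproduced offline. The following is an added example, not part of the original writeup or the challenge: it computes the number iteratively and also counts how many calls the recursive f(n) would need. The function names are assumptions of this example.

```python
def fib(n):
    """Return the n-th Fibonacci number using n additions instead of recursion."""
    a, b = 0, 1
    for _ in range(n):
        a, b = b, a + b
    return a


def naive_calls(n):
    """Calls made by the challenge's recursive f(n).

    C(0) = C(1) = 1 and C(n) = 1 + C(n-1) + C(n-2), which is 2*fib(n+1) - 1.
    """
    return 2 * fib(n + 1) - 1


def flag(n=11011, digits=32):
    """Build the flag the same way RunMe.py does, from the first digits of f(n)."""
    return "SECCON{" + str(fib(n))[:digits] + "}"


if __name__ == "__main__":
    print(flag())
    print("digits in the recursive call count:", len(str(naive_calls(11011))))
```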

putchar music (Programming 100 points)

This one line of C program works on Linux Desktop. What is this movie’s title?
Please answer the flag as SECCON{MOVIES_TITLE}, replace all alphabets with capital letters, and spaces with underscores.

main(t,i,j){unsigned char p[]="###<f_YM\204g_YM\204g_Y_H #<f_YM\204g_YM\204g_Y_H #+-?[WKAMYJ/7 #+-?[WKgH #+-?[WKAMYJ/7hk\206\203tk\\YJAfkkk";for(i=0;t=1;i=(i+1)%(sizeof(p)-1)){double x=pow(1.05946309435931,p[i]/6+13);for(j=1+p[i]%6;t++%(8192/j);)putchar(t>>5|(int)(t*x));}}

Solution

This was an interesting challenge; I had never done anything similar before. The first thing I did was to run the code on my Debian machine. So I started by opening my editor, copying the code and adding the libraries as follows:

#include <stdio.h>
#include <math.h>
int main(int t,int i,int j){
   unsigned char p[]="###<f_YM\204g_YM\204g_Y_H #<f_YM\204g_YM\204g_Y_H #+-?[WKAMYJ/7 #+-?[WKgH #+-?[WKAMYJ/7hk\206\203tk\\YJAfkkk"; 

   for(i=0;t=1;i=(i+1)%(sizeof(p)-1)){ 
      double x=pow(1.05946309435931,p[i]/6+13); 
      for(j=1+p[i]%6;t++%(8192/j);) 
         putchar(t>>5|(int)(t*x));
      }
}

After that I had to compile it using the linking flag -lm.

gcc seccon.c -lm -o seccon

Running the resulting binary using ./seccon resulted in some random binary data. I tried to dump this data to a file called raw.

./seccon > raw

Doing so gave nothing interesting when running commands like file, binwalk, etc. I went back to the challenge description again to try to collect some more info. The title referred to the word music. I remembered that I’ve seen a video on YouTube about how to play PCM data generated by C or C++. The video goes like this:


OK then, let’s try to play the raw data as audio. For this I used the ffmpeg audio player ffplay, and since I suspected that it was raw PCM data I added the flag u16be.

ffplay -autoexit -f u16be -ar 8000 -ac 1 raw

I started playing the audio by choosing the bitrate 44100 and YEAH!! … I got some weird, very fast playing 8 bit music. I reduced the rate to 8000 and I got the following audio. You can check the file here: starwars_challenge_seccon2017



I couldn’t recognize it the first time, so I went to ask my teammates, who thought it sounded like the Star Wars music. Well, now we have a movie name. Let’s change it to all caps, add some underscores and submit.
SECCON{STAR_WARS} gave our second 100 points.
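The tune can also be rendered without compiling the C program or redirecting an endless stream. The following is an added example, not from the original writeup: it replays one pass of the challenge loop in Python and wraps the output as a WAV file. It assumes each putchar byte is one unsigned 8-bit mono sample and uses the 8000 Hz rate from the post; the function names and output file name are hypothetical.

```python
import io
import wave

# The note table p[] from the challenge source, as a Python bytes literal.
P = (b"###<f_YM\204g_YM\204g_Y_H #<f_YM\204g_YM\204g_Y_H "
     b"#+-?[WKAMYJ/7 #+-?[WKgH #+-?[WKAMYJ/7hk\206\203tk\\YJAfkkk")

SEMITONE = 1.05946309435931  # 2 ** (1/12), the constant passed to pow()


def render(notes=P):
    """Replay one pass of the C loop and return the bytes putchar() would emit."""
    out = bytearray()
    for c in notes:
        x = SEMITONE ** (c // 6 + 13)   # pitch: c/6 + 13 semitone steps
        limit = 8192 // (1 + c % 6)     # duration: c % 6 selects the note length
        # The C loop tests t++ % limit, so the body sees t = 2 .. limit.
        for t in range(2, limit + 1):
            out.append((t >> 5 | int(t * x)) & 0xFF)  # putchar keeps the low byte
    return bytes(out)


def to_wav(samples, rate=8000):
    """Wrap raw samples as an 8-bit unsigned mono WAV file held in memory."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(1)
        w.setframerate(rate)
        w.writeframes(samples)
    return buf.getvalue()


if __name__ == "__main__":
    with open("seccon_putchar.wav", "wb") as fh:  # hypothetical output name
        fh.write(to_wav(render()))
```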

JPEG file (Binary 100 points)

JPEG file
Read this JPEG is broken.
It will be fixed if you change somewhere by 1 bit.

PS: There was an attached image file, see below.


Solution

This was a bit tricky but also straightforward according to the description. My friend tried to solve this by inspecting headers and the JPEG structure, but I guess he got tired of it. So I decided to take my lazy approach by scripting everything.

I came up with this Python script that goes through every bit of the file, flips it, then generates a new file.

def flip(ff, idx):
    # Write eight copies of the file, each with one bit of byte idx inverted.
    print(idx)
    binary = format(ff[idx], '08b')  # bits of the byte, most significant first
    for place in range(8):
        temp = list(binary)
        temp[place] = '1' if binary[place] == '0' else '0'
        # place + 1 keeps the 1-based bit number used in the output file names
        replaceAndCheck(place + 1, ff, int(''.join(temp), 2), idx)

def replaceAndCheck(place, ff, val, index):
    # Save the modified copy as <bit>-<byte index>.jpg
    temp = bytearray(ff)
    temp[index] = val
    with open(str(place) + '-' + str(index) + '.jpg', 'wb') as out:
        out.write(temp)

with open('tktk-892009a0993d079214efa167cda2e7afc85e6b9cb38588cba9dab23eb6eb3d46.jpg', 'rb') as src:
    f = src.read()

for idx in range(len(f)):
    flip(f, idx)

This script resulted in 93,024 files dumped in the directory I was running the script from. Yeah, but after only looking at the thumbnails I noticed that some images don’t have that ugly gray corrupted image color. More specifically, the image 8-623.jpg, which is the image resulting from flipping the 8th bit in the 623rd byte, had a readable flag.
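The same one-bit search can run in memory with an automatic filter instead of thumbnails. The following is an added example, not the author's script. `jpeg_structure_ok` is a hypothetical check that validates only marker and length fields, so it finds flips in those fields; a flip inside table or image data needs a real decoder passed as `check`. The sample bytes are a constructed marker skeleton, not the challenge file.

```python
import struct


def jpeg_structure_ok(data):
    """Walk marker segments from SOI to SOS; True if markers and lengths line up."""
    if data[:2] != b"\xff\xd8":
        return False
    pos, seen_sof = 2, False
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            return False
        if marker == 0xC0:                      # baseline start-of-frame
            seen_sof = True
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            return seen_sof and data.endswith(b"\xff\xd9")
        pos += 2 + length
    return False


def single_bit_repairs(data, check=jpeg_structure_ok):
    """Return (byte_index, bit) for every one-bit flip that makes check() pass.

    bit follows the post's file naming: 1 = most significant, 8 = least."""
    buf, hits = bytearray(data), []
    for idx in range(len(buf)):
        for bit in range(1, 9):
            mask = 1 << (8 - bit)
            buf[idx] ^= mask
            if check(bytes(buf)):
                hits.append((idx, bit))
            buf[idx] ^= mask                    # undo before the next candidate
    return hits


def seg(marker, payload):
    """Build one marker segment: FF, marker, big-endian length, payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: SOI, APP0, DQT, SOF0, SOS, two scan bytes, EOI.
SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + seg(0xDB, b"\x00" + b"\x10" * 64)
          + seg(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")
          + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9")
DAMAGED = bytearray(SAMPLE)
DAMAGED[23] ^= 0x04                             # flip one bit of the DQT length

if __name__ == "__main__":
    print(single_bit_repairs(DAMAGED))
```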


About the author

noras

"Senior Software Engineer. MSc in Computer systems and Networks with big interest in security. Loves to play with Android code and does security research for fun and profit. Speaks 4 languages and codes in much more."

Copyright © 2020 - nindoda.com