
RITSEC Fall 2018 CTF — Week 7

The seventh week of RITSEC’s Fall 2018 CTF has concluded. I post detailed write-ups here each week for the challenges I am able to solve. I do this because, as a freshman, the write-ups I read often went step by step but never explained why a certain command was run or what strategy the solver followed. This is my effort to elaborate on the reasoning behind the process. As always, let me know of any errors. RITSEC’s tech lead can also walk anyone through solving any of the expired flags if necessary.

Topic

This week’s topic is crypto. We learned about cryptography and cryptanalysis, encryption and ciphers, encoding, hashing, and covert communication strategies. Most of the challenge files were provided in text files, which are available in the writeup or as a download from the club website. Points are earned by decrypting the contents of the files to find the flags!

Easy 1 — Shifts aren’t always Caesar you know!

The provided encoded flag is:

23[M/0TW%.T9?3)8?AR%.T?%N/UGH]

By looking at the format of the flag, it is easy to tell that =, =, =, and =. The remaining characters in the string are most likely a combination of letters and numbers that create words, and it seems that letters and numbers can become symbols and vice versa. Therefore, this is likely a form of ASCII shift, called a ROT (rotation) cipher.

ASCII maps each character to a number, normally between 0 and 127, though extended ASCII goes up to 255. To decode this cipher, calculate the distance between 2 and R using the ASCII table. The decimal representation of 2 is 50 and R is 82. Since 82 - 50 = 32, this is a shift of +32. Shifting each of the remaining characters 32 places forward gives the flag:

RS{mOPtwENtY_SIX_arENt_EnOugh}
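The same recovery in Python, added here as an example (not code from the original write-up): the shift is derived from the known RS{…} format and checked for consistency at every known position, and the rotation wraps within the printable ASCII range so the routine also covers shifts that, unlike this +32, would run past the end of the table.

```python
# Easy 1 ciphertext as given in the write-up.
EASY1 = "23[M/0TW%.T9?3)8?AR%.T?%N/UGH]"


def recover_shift(ct: str, prefix: str = "RS{", suffix: str = "}") -> int:
    """Derive the shift from the known flag format; every known position must agree."""
    pairs = list(zip(ct[:len(prefix)], prefix)) + list(zip(ct[-len(suffix):], suffix))
    shifts = {ord(p) - ord(c) for c, p in pairs}
    if len(shifts) != 1:
        raise ValueError(f"known characters disagree on the shift: {sorted(shifts)}")
    return shifts.pop()


def rot_ascii(text: str, shift: int, lo: int = 32, hi: int = 126) -> str:
    """Shift every printable character by `shift`, wrapping inside [lo, hi].

    Easy 1 needs +32 and never wraps; the modulo makes the same routine work for
    any shift (negative shifts re-encode). Characters outside the range are
    passed through unchanged.
    """
    span = hi - lo + 1
    out = []
    for ch in text:
        code = ord(ch)
        if lo <= code <= hi:
            code = lo + (code - lo + shift) % span
        out.append(chr(code))
    return "".join(out)


def shifts_matching_format(ct: str, prefix: str = "RS{", suffix: str = "}") -> list:
    """Brute force: which of the 94 non-zero printable shifts even yield the flag format?"""
    return [
        s for s in range(1, 95)
        if rot_ascii(ct, s).startswith(prefix) and rot_ascii(ct, s).endswith(suffix)
    ]


def solve_easy1(ct: str = EASY1):
    """Return (shift, plaintext) using the known-plaintext derivation."""
    shift = recover_shift(ct)
    return shift, rot_ascii(ct, shift)
```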

Easy 2 — What’s the magical bitwise operator used for encryption? What’s the key? Think about what you KNOW first.

The given string is in hexadecimal. Adding spaces makes it a bit more readable:

a1 a0 88 c0 8b 90 c2 86 80 c2 85 c0 ac c3 81 ac 80 c3 9e c0 87 9b c2 9d 94 8e

The magical bitwise operator is exclusive or, or . It’s easiest to do operations when the string is in binary, so convert it to that form using any tool.

1010000110100000100010001100000010001011100100001100001010000110100000001100001010000101110000001010110011000011100000011010110010000000110000111001111011000000100001111001101111000010100111011001010010001110

It is known that the flag will start with and end with . So the first 8 bytes, , should be XORed with the binary translation for the letter R, to give the key used to encode the flag. This is possible because XOR is the reverse of itself, and XORing the encrypted string against the known plaintext will give the key:

((text) xor (key)) xor (text) = (key)

XORing with R () gives the key . Next, XOR the entire string with the key.

0101001001010011011110110011001101111000011000110011000101110101011100110011000101110110001100110101111100110000011100100101111101110011001100000110110100110011011101000110100000110001011011100110011101111101

Convert from binary to text. The flag is .
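The known-plaintext idea from this challenge in code, added here and not part of the original post: every known byte of the RS{…} format yields the key independently, so the bytes must all agree before anything is decrypted, and a disagreement would rule out single-byte XOR.

```python
# Easy 2 ciphertext exactly as printed in the write-up; bytes.fromhex() skips the spaces.
EASY2_HEX = "a1 a0 88 c0 8b 90 c2 86 80 c2 85 c0 ac c3 81 ac 80 c3 9e c0 87 9b c2 9d 94 8e"


def recover_single_byte_key(ct: bytes, prefix: bytes = b"RS{", suffix: bytes = b"}") -> int:
    """Known-plaintext recovery: ct[i] ^ pt[i] == key, so each known byte names the key."""
    pairs = list(zip(ct[:len(prefix)], prefix)) + list(zip(ct[-len(suffix):], suffix))
    keys = {c ^ p for c, p in pairs}
    if len(keys) != 1:  # the known bytes must all agree, or this is not single-byte XOR
        raise ValueError(f"known bytes disagree on the key: {[hex(k) for k in sorted(keys)]}")
    return keys.pop()


def xor_with_key(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; applying it twice returns the input."""
    return bytes(b ^ key for b in data)


def solve_easy2(hex_ct: str = EASY2_HEX):
    """Return (key, plaintext) for a single-byte XOR ciphertext with a known flag format."""
    ct = bytes.fromhex(hex_ct)
    key = recover_single_byte_key(ct)
    return key, xor_with_key(ct, key).decode("ascii")
```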

Medium 1 — Encoding is NOT encryption

The provided encoded string is:

MDEwMDAxMDAgMDExMDExMTEgMDExMTAxMTEgMDExMDExMTAgMDExMDExMDAgMDExMDExMTEgMDExMDAwMDEgMDExMDAxMDAgMDAxMDAwMDAgMDExMTAxMDAgMDExMDEwMDAgMDExMDAxMDEgMDAxMDAwMDAgMDExMDEwMDEgMDExMDExMDEgMDExMDAwMDEgMDExMDAxMTEgMDExMDAxMDEgMDAxMDAwMDAgMDExMDAwMDEgMDExMDExMTAgMDExMDAxMDAgMDAxMDAwMDAgMDExMDAxMTAgMDExMDEwMDEgMDExMDExMTAgMDExMDAxMDAgMDAxMDAwMDAgMDExMTAxMDAgMDExMDEwMDAgMDExMDAxMDEgMDAxMDAwMDAgMDExMDAxMTAgMDExMDExMDAgMDExMDAwMDEgMDExMDAxMTEgMDAxMDAwMDEgMDAxMDAwMDAgMDExMTAwMTEgMDExMDAxMDEgMDExMDAwMTEgMDExMTAwMTAgMDExMDAxMDEgMDExMTAxMDAgMDExMDEwMDAgMDExMDEwMDEgMDExMDAxMDAgMDExMDAxMDAgMDExMDAxMDEgMDExMDExMTAgMDExMDAxMDAgMDExMDExMTEgMDExMDExMDEgMDExMDAwMDEgMDExMDEwMDEgMDExMDExMTAgMDAxMDExMTAgMDExMTAwMTAgMDExMDEwMDEgMDExMTAxMDAgMDExMTAwMTEgMDExMDAxMDEgMDExMDAwMTEgMDAxMDExMTAgMDExMDAwMTEgMDExMDExMDAgMDExMTAxMDEgMDExMDAwMTAK

There was no hint provided about what kind of encoding this is, so use a tool to try to guess the encoding.

Results of checking hash type with md5hashing.net

Based on the results, attempt to decode the string with a Base64 decoder.

01000100 01101111 01110111 01101110 01101100 01101111 01100001 01100100 00100000 01110100 01101000 01100101 00100000 01101001 01101101 01100001 01100111 01100101 00100000 01100001 01101110 01100100 00100000 01100110 01101001 01101110 01100100 00100000 01110100 01101000 01100101 00100000 01100110 01101100 01100001 01100111 00100001 00100000 01110011 01100101 01100011 01110010 01100101 01110100 01101000 01101001 01100100 01100100 01100101 01101110 01100100 01101111 01101101 01100001 01101001 01101110 00101110 01110010 01101001 01110100 01110011 01100101 01100011 00101110 01100011 01101100 01110101 01100010

This output is interesting, as it is not common to get a perfectly formatted binary string unless it was intentionally encoded this way. Convert the binary to text.

Download the image and find the flag! secrethiddendomain.ritsec.club
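An added Python version of the decoding chain above (not from the original post): it peels the base64 layer and then the 8-bit binary groups off automatically, stops once the text matches neither layer, and insists that every binary group is exactly 8 bits so a stray digit is reported instead of silently shifting every later character.

```python
import base64
import re

# Medium 1 challenge string from the write-up, split into 12-character pieces for
# readability only (each piece happens to encode one "01000100 " byte group).
MEDIUM1 = (
    "MDEwMDAxMDAgMDExMDExMTEgMDExMTAxMTEgMDExMDExMTAgMDExMDExMDAgMDExMDExMTEg"
    "MDExMDAwMDEgMDExMDAxMDAgMDAxMDAwMDAgMDExMTAxMDAgMDExMDEwMDAgMDExMDAxMDEg"
    "MDAxMDAwMDAgMDExMDEwMDEgMDExMDExMDEgMDExMDAwMDEgMDExMDAxMTEgMDExMDAxMDEg"
    "MDAxMDAwMDAgMDExMDAwMDEgMDExMDExMTAgMDExMDAxMDAgMDAxMDAwMDAgMDExMDAxMTAg"
    "MDExMDEwMDEgMDExMDExMTAgMDExMDAxMDAgMDAxMDAwMDAgMDExMTAxMDAgMDExMDEwMDAg"
    "MDExMDAxMDEgMDAxMDAwMDAgMDExMDAxMTAgMDExMDExMDAgMDExMDAwMDEgMDExMDAxMTEg"
    "MDAxMDAwMDEgMDAxMDAwMDAgMDExMTAwMTEgMDExMDAxMDEgMDExMDAwMTEgMDExMTAwMTAg"
    "MDExMDAxMDEgMDExMTAxMDAgMDExMDEwMDAgMDExMDEwMDEgMDExMDAxMDAgMDExMDAxMDAg"
    "MDExMDAxMDEgMDExMDExMTAgMDExMDAxMDAgMDExMDExMTEgMDExMDExMDEgMDExMDAwMDEg"
    "MDExMDEwMDEgMDExMDExMTAgMDAxMDExMTAgMDExMTAwMTAgMDExMDEwMDEgMDExMTAxMDAg"
    "MDExMTAwMTEgMDExMDAxMDEgMDExMDAwMTEgMDAxMDExMTAgMDExMDAwMTEgMDExMDExMDAg"
    "MDExMTAxMDEgMDExMDAwMTAK"
)


def binary_groups_to_text(s: str) -> str:
    """Turn '01000100 01101111 ...' back into characters, insisting on 8-bit groups."""
    groups = s.split()
    if not groups or any(len(g) != 8 or set(g) - {"0", "1"} for g in groups):
        raise ValueError("not a string of 8-bit binary groups")
    return "".join(chr(int(g, 2)) for g in groups)


def peel_layers(data: str, max_layers: int = 5) -> list:
    """Strip recognisable layers in turn; returns [(layer, text), ...] as they come off."""
    history = []
    for _ in range(max_layers):
        text = data.strip()
        if re.fullmatch(r"(?:[01]{8}\s*)+", text):
            data = binary_groups_to_text(text)
            history.append(("binary", data))
        elif len(text) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", text):
            try:
                data = base64.b64decode(text, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                break  # alphabet looked right but it was not base64 text after all
            history.append(("base64", data))
        else:
            break  # neither layer recognised: this is the innermost text
    return history
```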

Visiting the domain gives an image, :

File obtained from secrethiddendomain.ritsec.club

Inspecting the metadata or viewing the hex dump of the file shows a message.

Partial text of hex dump for doge.jpg

This probably means there is a file of some sort (most likely ) hidden inside the image with steganography. Steganography is the practice of embedding hidden information inside a medium that is generally meant for another purpose, such as audio or images, making it harder to detect. Using (or another program for image and audio steganography), check to see if there is a file inside . When running, will prompt for a password in order to inspect the file. The password in this case is most likely .

Results of the “steghide info doge.jpg” command

There is a file embedded in this image, . Using , extract the image.

Results of the “steghide extract -sf doge.jpg” command

The flag just allows for specifying the name of the stego file. After the file is extracted, view it.

Results of the “cat not_super_duper_secret.txt” command

The flag is .

Medium 2 — Who needs spaces anyways?

The provided string is:

.-.---......---.....-.---.....---...-.---...-..---.....---...-.---...--.---.....--.----....--.---....----...----...----....---....-.---...-.---......---.....--.----.....---......---.....--.----...-.----....---...-.-----.....--.----.....-.---...------....-.---.....--.----...-.-.---....-.---...-.-----....--.---...----...---

This is Morse code. Importantly, it is missing spaces, which means that the message is ambiguous and can have an incredibly large number of possible solutions. However, like with both Easy challenges, it is known that the start of the string will be (there are no braces in Morse code). The letter encoded is and the letter encoded is. By inspecting the file, a pattern can be determined:

.-. ---... ... ---...

The characters possibly represent spaces. Replace the recurring characters with spaces in a text editor and attempt to decode the message.

.-. ... ..-. .. -. -.. .. -. --. ..--.- .--. .- - - . .-. -. ... ..--.- .. ... ..--.- -.- . -.-- ..--.- ..-. --- .-. ..--.- -.-. .-. -.-- .--. - ---

The result is . Adding the braces makes the flag .
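The separator-guessing step above as an added Python example, not the author's own code: it assumes only that the message begins with RS, collects every filler string that could sit between the Morse for R and S and repeat after S, and keeps the readings under which every token is valid Morse. The embedded Morse table is a standard one covering letters, digits and the underscore.

```python
# Morse table for letters, digits and the underscore that appears in RITSEC flags.
# The filler this challenge turns out to use, "---...", is itself the Morse for ":".
MORSE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.", "G": "--.",
    "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..", "M": "--", "N": "-.",
    "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.", "S": "...", "T": "-", "U": "..-",
    "V": "...-", "W": ".--", "X": "-..-", "Y": "-.--", "Z": "--..", "_": "..--.-",
    "0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-", "5": ".....",
    "6": "-....", "7": "--...", "8": "---..", "9": "----.",
}
FROM_MORSE = {code: char for char, code in MORSE.items()}

# Medium 2 ciphertext from the write-up, broken across lines only for readability.
MEDIUM2 = (
    ".-.---......---.....-.---.....---...-.---...-..---.....---...-.---...--.---.....--.----..."
    ".--.---....----...----...----....---....-.---...-.---......---.....--.----.....---..."
    "...---.....--.----...-.----....---...-.-----.....--.----.....-.---...------....-.---.....--.----..."
    "-.-.---....-.---...-.-----....--.---...----...---"
)


def candidate_separators(ct: str, known_prefix: str = "RS", max_len: int = 10) -> list:
    """Whatever sits between the Morse for 'R' and 'S', and repeats after 'S', is the filler."""
    first, second = MORSE[known_prefix[0]], MORSE[known_prefix[1]]
    seps = []
    for n in range(1, max_len + 1):
        sep = ct[len(first):len(first) + n]
        if len(sep) == n and ct.startswith(first + sep + second + sep):
            seps.append(sep)
    return seps


def decode_unspaced(ct: str, known_prefix: str = "RS") -> list:
    """Split on each candidate filler and keep the readings where every token is valid Morse."""
    readings = []
    for sep in candidate_separators(ct, known_prefix):
        tokens = ct.split(sep)
        if all(tok in FROM_MORSE for tok in tokens):
            readings.append((sep, "".join(FROM_MORSE[tok] for tok in tokens)))
    return readings


def to_flag(text: str) -> str:
    """Put back the braces Morse cannot carry: RS<body> -> RS{<body>}."""
    return text[:2] + "{" + text[2:] + "}"
```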

Conclusion

Here are a bunch of excellent tools to help with solving cryptographic challenges:

  • dcode.fr — This site can encode, decode, and brute force many different ciphers, and can even determine the most likely keys. It’s a great tool if you know what the encoding method is, but I don’t recommend using it unless you understand how the cipher works in the first place, because the purpose of a lot of these challenges is to learn.
  • CTF Resources — These documents have great cryptography and steganography tutorials.
  • Cryptography Stack Exchange — If you have a question about something, it’s likely that someone has already answered it. There are a lot of great, in-depth explanations about encryption methods and ciphers, as well as strategy suggestions available here. Just don’t ask questions about active CTFs!

RIT also offers many classes in this area, such as Introduction to Cryptography (CSCI-462), which Computing Security students typically take in their third year, and electives such as Covert Communications (CSEC-470) and Codes and Ciphers (MATH-367).

There will be 8 more weeks of challenges coming from RITSEC this semester! If you want to know more about RITSEC check out their website or attend a meeting if you’re on RIT’s campus — 12–4 PM in GOL-2410 for the CTF and presentations. Until next week!

Written by

DFIR, CTFs, disinformation, STEM education, and pretty much anything else that comes to mind. RIT Computing Security ’22. wyatttauber.com
