RC3 CTF 2016 Write-ups

Hello,

Welcome back! So recently I played RC3 CTF 2016 as a solo participant in a team CTF event! The overall experience was awesome: great challenges and a good learning experience. I scored 3015 points and finished in 41st place at the end of the 2-day event.

Let’s Begin

FORENSICS 50

This was the first Forensics challenge, for which they provided a pcap traffic capture file. I initially opened it in Wireshark and, as you can see, the content is captured ICMP pings. There are over 98,000 packets. I started from the bottom and looked at the Data (24 bytes) of each request and reply.


It felt to me that it might be in Base64 format. Then the struggle began. I had a clear idea to extract the packets using tshark. I fired up tshark to get the packet Data. For that, I used a logic where I chose the first 4 characters of the Data in hexadecimal and then decoded them to get Base64, and further decoded the Base64 to get the flag. But there was an issue: some of the data were duplicates. That meant I needed to extract packets from either the source or the destination only. I wasted a few minutes before figuring that out, and I filtered packets with ip.src==192.168.1.1. But when you look at the packets, not all the packets you get in hexadecimal are of the same length. Most of them are 48 characters but a few aren't! That's not an issue, though; I planned to write code that handles every such case automatically. So I used scapy and automated the process.

#!/usr/bin/env python3
from scapy.all import PcapReader, IP, Raw
import base64

chunk = b""
# Read the pcap and keep only the packets sent by 192.168.1.1,
# which drops the echo replies that duplicate every request's data
readthis = [p for p in PcapReader('somepang.pcap') if IP in p and p[IP].src == '192.168.1.1']
print('[+] Source Packets Filtered')
for p in readthis:
    if Raw not in p:          # skip packets without an ICMP data field
        continue
    # two Base64 characters sit at the same offset from the end of every payload,
    # so slicing from the end works whatever the payload length
    chunk = chunk + p[Raw].load[-16:-14]
print('writing')              # decoded bytes start with JFIF headers, so it's an image
with open('flag.jpg', 'wb') as target:
    target.write(base64.b64decode(chunk))

And ta-da, you get the flag! RC3-2016-PANG-ME-LIKE-ONE-OF-YOUR-FRENCH-GORILLAZ
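As an added, stdlib-only illustration of the same extraction (not the post's script, which relies on scapy): it constructs a small pcap in memory in which every ping from 192.168.1.1 carries two Base64 characters at a fixed offset from the end of a variable-length payload and the echo reply duplicates them, then filters on the source address and rebuilds the hidden file the way the write-up does. The capture, the addresses and the hidden bytes are constructed sample data, not the challenge's.

```python
import base64
import struct

def build_pcap(src, dst, payloads):
    """Constructed test capture (not the CTF pcap): for every payload, one echo request
    from src to dst and the echoing reply, so each payload appears twice, as in the challenge."""
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for seq, data in enumerate(payloads):
        for s, d, typ in ((src, dst, 8), (dst, src, 0)):        # 8 = echo request, 0 = echo reply
            icmp = struct.pack('!BBHHH', typ, 0, 0, 1, seq) + data  # checksums left zero on purpose
            ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                             bytes(map(int, s.split('.'))), bytes(map(int, d.split('.'))))
            frame = b'\x00' * 12 + b'\x08\x00' + ip + icmp        # zeroed MACs, EtherType IPv4
            out += struct.pack('<IIII', 0, 0, len(frame), len(frame)) + frame
    return out

def icmp_payloads(pcap, src):
    """Yield the ICMP data field of every IPv4/ICMP frame whose source address is src."""
    off = 24                                                     # skip the pcap global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from('<I', pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b'\x08\x00':
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0f) * 4
        if ip[9] != 1 or '.'.join(map(str, ip[12:16])) != src:   # protocol 1 = ICMP
            continue
        total = struct.unpack_from('!H', ip, 2)[0]
        yield ip[ihl + 8:total]                                  # data after the 8-byte ICMP header

def recover(pcap, src):
    """Same rule as the write-up: bytes [-16:-14] of each payload from src form the Base64 text."""
    chunk = b''.join(data[-16:-14] for data in icmp_payloads(pcap, src))
    return base64.b64decode(chunk)

# Constructed sample: the Base64 of a JFIF-like blob, two characters per ping, padded to
# payloads of differing lengths so that slicing from the end still finds the pair.
SECRET = b'\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01sample'
B64 = base64.b64encode(SECRET)
PAYLOADS = [b'\x00' * (8 if (i // 2) % 2 else 16) + B64[i:i + 2] + b'\x00' * 14
            for i in range(0, len(B64), 2)]
SAMPLE_PCAP = build_pcap('192.168.1.1', '192.168.1.2', PAYLOADS)

if __name__ == '__main__':
    print(recover(SAMPLE_PCAP, '192.168.1.1'))
```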


FORENSICS 100

This was the next challenge I did. It was about decompiling an Android application and finding the flag in it. The hint said “Don't do dynamic analysis”. That means the first thing you would do is turn off the emulator and turn on the decompilers. I decompiled the application and started looking at potentially suspicious files. The flag, RC3-2016-GOTEM21, was inside a properties file.

FORENSICS 200

This was a fun challenge which involved 3D image analysis, which I think is the most awesome part of Forensics. An OBJ file was given and we had to analyze it. I used Autodesk for that on my Mac. I analyzed the 3D model, then I made a cut along the X-axis at a particular body part of the dinosaur. Some text was visible; I rotated the 3D model 180 degrees, placed a cut on the X-axis there and zoomed in. Getting the exact position, I was able to determine what the text was: RC3-2016-St3GG3rz

I will update this space as soon as I can, because the CTF site is currently down so I am unable to see the questions. Once it's up I will add some other solutions too 🙂

I have kept the solutions for WEB 300 and PWN 150 on my Twitter as they were one-liner exploits 🙂

Anyway, I solved:

4/4 Web Challenges

4/5 Forensics Challenges

5/5 Trivia Challenges

3/5 MISC Challenges

2/4 Pwn & Reverse Challenges

4/6 Cryptography Challenges

Follow Me : https://twitter.com/aaditya_purani
