Capture the Flag FTW!


Last weekend I completed and won my first capture the flag (CTF) game. The game was hosted on the SecDSM user group page and it proved to be pretty challenging. I don’t think I won anything, but I don’t care; I’m just satisfied I completed it.

So let me walk you through what the challenge was and how I solved it. If you aren’t familiar with a CTF, it’s really easy to understand: someone creates a challenge and hides a password somewhere, and you have to find the password to win.

The Challenge

Here’s what it looks like

[image: screenshot of the CTF challenge page]

Now you might think to yourself WHERE WOULD THERE BE A PASSWORD IN THIS?

Well, it’s staring right at you!

Strings

I first looked at the request and viewed the source of the website and I didn’t find anything unusual. Then I decided to look at this image. I downloaded it and looked to see if there was any data that might be stored in the image.

I ran this image through the strings command and it output some really interesting information.

$ strings -a -n 7 minictf.png
%tEXtdate:create
2019-11-13T16:45:30+00:00-lX.
%tEXtdate:modify
2019-11-13T16:45:11+00:00
9tEXtDocument
UEsDBAoACQAAAONVbU87lgOALgAAACIAAAAIABwAZmxhZy50eHRVVAkAA4kzzF2fM8xddXgLAAEE6AMAAARkAAAAt+mveOkPZnEcaHbeaP4kI0SQ9QySINRF1RqujJ4n4sxaElAAo6utNCpfRWfH6FBLBwg7lgOALgAAACIAAABQSwECHgMKAAkAAADjVW1PO5YDgC4AAAAiAAAACAAYAAAAAAABAAAApIEAAAAAZmxhZy50eHRVVAUAA4kzzF11eAsAAQToAwAABGQAAABQSwUGAAAAAAEAAQBOAAAAgAAAAAAA
zTXtDescription
coLbYmFsbApiYXQKYmVkCmJvb2sKYm95CmJ1bgpjYW4KY2FrZQpjYXAKY2FyCmNhdApjb3cKY3ViCmN1
cApkYWQKZGF5CmRvZwpkb2xsCmR1c3QKZmFuCmZlZXQKZ2lybApndW4KaGFsbApoYXQKaGVuCmph
cgpraXRlCm1hbgptYXAKbWVuCm1vbQpwYW4KcGV0CnBpZQpwaWcKcG90CnJhdApzb24Kc3VuCnRv
ZQpjb2x1bW4KdHViCnZhbgphcHBsZQphcm0KYmFuYW5hCmJpa2UKYmlyZApib29rCmNoaW4KY2xh
bQpjbGFzcwpjbG92ZXIKY2x1Ygpjb3JuCmNyYXlvbgpjcm93CmNyb3duCmNyb3dkCmNyaWIKZGVz
awpkaW1lCmRpcnQKZHJlc3MKZmFuZwpmaWVsZApmbGFnCmZsb3dlcgpmb2cKZ2FtZQpoZWF0Cmhp
bGwKaG9tZQpob3JuCmhvc2UKam9rZQpqdWljZQpraXRlCmxha2UKbWFpZAptYXNrCm1pY2UKbWls
awptaW50Cm1lYWwKbWVhdAptb29uCm1vdGhlcgptb3JuaW5nCm5hbWUKbmVzdApub3NlCnBlYXI

I scrolled through to the bottom and realized we had some base64-encoded strings stored inside the exif information.

EXIF Information

When I used to be into photography I learned how image information was stored. They call this info exif information. Usually when you take a picture with your camera, the camera can store information about the picture. It varies, but what caught my eye was the base64 strings that were in the image.

I ran another tool called exiftool and it displayed the same data in a slightly better form.

$ exiftool minictf.png
ExifTool Version Number         : 11.76
File Name                       : minictf.png
Directory                       : .
File Size                       : 228 kB
File Modification Date/Time     : 2019:11:14 22:35:56-06:00
File Access Date/Time           : 2019:11:17 19:08:14-06:00
File Inode Change Date/Time     : 2019:11:17 22:38:12-06:00
File Permissions                : rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 460
Image Height                    : 387
Bit Depth                       : 8
Color Type                      : RGB
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Gamma                           : 2.2
White Point X                   : 0.3127
White Point Y                   : 0.329
Red X                           : 0.64
Red Y                           : 0.33
Green X                         : 0.3
Green Y                         : 0.6
Blue X                          : 0.15
Blue Y                          : 0.06
Background Color                : 255 255 255
Warning                         : [minor] Text chunk(s) found after PNG IDAT (may be ignored by some readers)
Datecreate                      : 2019-11-13T16:45:30+00:00
Datemodify                      : 2019-11-13T16:45:11+00:00
Document                        : UEsDBAoACQAAAONVbU87lgOALgAAACIAAAAIABwAZmxhZy50eHRVVAkAA4kzzF2fM8xddXgLAAEE6AMAAARkAAAAt+mveOkPZnEcaHbeaP4kI0SQ9QySINRF1RqujJ4n4sxaElAAo6utNCpfRWfH6FBLBwg7lgOALgAAACIAAABQSwECHgMKAAkAAADjVW1PO5YDgC4AAAAiAAAACAAYAAAAAAABAAAApIEAAAAAZmxhZy50eHRVVAUAA4kzzF11eAsAAQToAwAABGQAAABQSwUGAAAAAAEAAQBOAAAAgAAAAAAA
Description                     : quizzical.highfalutin.dynamic.wakeful.cheerful.thoughtful.cooperative.questionable.abundant.uneven.yummy.juicy.vacuous.concerned.young.sparkling.abhorrent.sweltering.late.macho.scrawny.friendly.kaput.divergent.busy.charming.protective.premium.puzzled.waggish.rambunctious.puffy.hard.fat.sedate.yellow.resonant.dapper.courageous.vast.cool.elated.wary.bewildered.level.wooden.ceaseless.tearful.cloudy.other.gullible.flashy.trite.quick.nondescript.round.slow.spiritual.brave.tenuous.abstracted.colossal.sloppy.obsolete.elegant.fabulous.vivacious.exuberant.faithful.helpless.odd.sordid.blue.imported.ugly.ruthless.deeply.eminent.reminiscent.rotten.sour.volatile.succinct.judicious.abrupt.learned.stereotyped.evanescent.efficacious.festive.loose.torpid.condemned.selective.strong.momentous.ordinary.dry.great.ultra
Image Size                      : 460x387
Megapixels                      : 0.178

Well, look at this: we have a base64 string inside the Document attribute, and inside the Description field we have what looks like a word list. This is weird.

Base64 Decode

The next step was seeing what was inside the base64 string. I googled "base64 decoder" and saw this:

[image: output of the online base64 decoder]

Now this looks weird, right? This isn’t any text or password. This looks like some sort of binary file. The PK at the top reminded me of the file header of a zip file. I can’t remember how I know what the PK stands for, but after googling file signatures I confirmed it was.

File Signatures

So I wrote a ruby script to output the decoded base64 string to a zip file.

require 'rmagick'
require 'base64'

# Read the PNG's text chunks through RMagick and write the decoded
# "Document" value out as a binary file, since it starts with a zip header.
img = Magick::Image.read('minictf.png').first
File.open('flag.zip', 'wb') do |f|
  f.write(Base64.decode64(img.properties['Document']))
end
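
As an added example (not the post's own script), here is the same extraction done without RMagick: walk the PNG chunk list directly, pull out the tEXt and zTXt chunks (zTXt is zlib-compressed, which is why strings only showed noise for Description), and check the decoded Document value for the ZIP signature before treating it as an archive. The sample PNG and its chunk values are constructed inline for this example and are not the CTF image.

```ruby
require 'base64'
require 'zlib'

PNG_SIG = "\x89PNG\r\n\x1a\n".b
ZIP_SIG = "PK\x03\x04".b  # local file header of a ZIP archive

# Walk the chunk list and collect tEXt/zTXt chunks as keyword => text.
def png_text_chunks(png)
  png = png.b
  raise ArgumentError, 'not a PNG' unless png.start_with?(PNG_SIG)
  texts = {}
  pos = PNG_SIG.bytesize
  while pos + 8 <= png.bytesize
    len, type = png.byteslice(pos, 8).unpack('Na4')
    data = png.byteslice(pos + 8, len)
    key, rest = data.split("\0", 2)   # keyword is NUL-terminated
    if type == 'tEXt'
      texts[key.force_encoding('UTF-8')] = rest
    elsif type == 'zTXt'              # byte 0 of rest is the compression method
      texts[key.force_encoding('UTF-8')] = Zlib::Inflate.inflate(rest.byteslice(1..-1))
    end
    pos += 12 + len                   # length + type + data + CRC
  end
  texts
end

# Decode a chunk value and report whether the bytes look like a ZIP archive.
def decode_embedded_document(b64)
  bytes = Base64.decode64(b64)
  [bytes, bytes.start_with?(ZIP_SIG)]
end

# Assemble one PNG chunk (length, type, data, CRC over type + data).
def png_chunk(type, data)
  body = type.b + data.b
  [data.bytesize].pack('N') + body + [Zlib.crc32(body)].pack('N')
end

# Constructed sample: a PNG with no pixel data carrying the two chunk
# types the CTF image used; the values are made up for this example.
FAKE_ZIP = (ZIP_SIG + "\x14\x00\x09\x00flag.txt").b
SAMPLE_PNG = PNG_SIG +
  png_chunk('tEXt', "Document\0" + Base64.strict_encode64(FAKE_ZIP)) +
  png_chunk('zTXt', "Description\0\0" + Zlib::Deflate.deflate("ball\nbat\nbed\n")) +
  png_chunk('IEND', '')

if __FILE__ == $0
  bytes, is_zip = decode_embedded_document(png_text_chunks(SAMPLE_PNG)['Document'])
  puts "Document chunk is a zip archive: #{is_zip} (#{bytes.bytesize} bytes)"
end
```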

Flag.zip

Next, I ran unzip on flag.zip and it asked for a password. But here’s the other interesting thing: even though I didn’t have the password, it told me there was a file named flag.txt inside. I knew this was it at this point, but how do I find the password for the zip file?

Earlier, when I was looking at the exif information, I found a wordlist. So I ran fcrackzip to see if any of those words were the password.

$ fcrackzip -v -D -u -m 2 -p wordlist.txt flag.zip
found file 'flag.txt', (size cp/uc     46/    34, flags 9, chk 55e3)

Nope. No password. Shit.

I took another look at the strings output from earlier and discovered another base64 string:

coLbYmFsbApiYXQKYmVkCmJvb2sKYm95CmJ1bgpjYW4KY2FrZQpjYXAKY2FyCmNhdApjb3cKY3ViCmN1
cApkYWQKZGF5CmRvZwpkb2xsCmR1c3QKZmFuCmZlZXQKZ2lybApndW4KaGFsbApoYXQKaGVuCmph
cgpraXRlCm1hbgptYXAKbWVuCm1vbQpwYW4KcGV0CnBpZQpwaWcKcG90CnJhdApzb24Kc3VuCnRv
ZQpjb2x1bW4KdHViCnZhbgphcHBsZQphcm0KYmFuYW5hCmJpa2UKYmlyZApib29rCmNoaW4KY2xh
bQpjbGFzcwpjbG92ZXIKY2x1Ygpjb3JuCmNyYXlvbgpjcm93CmNyb3duCmNyb3dkCmNyaWIKZGVz
awpkaW1lCmRpcnQKZHJlc3MKZmFuZwpmaWVsZApmbGFnCmZsb3dlcgpmb2cKZ2FtZQpoZWF0Cmhp
bGwKaG9tZQpob3JuCmhvc2UKam9rZQpqdWljZQpraXRlCmxha2UKbWFpZAptYXNrCm1pY2UKbWls
awptaW50Cm1lYWwKbWVhdAptb29uCm1vdGhlcgptb3JuaW5nCm5hbWUKbmVzdApub3NlCnBlYXI

Which translates into another wordlist!!

rball
bat
bed
book
boy
bun
can
cake
cap
car
cat
cow
cub
cup
dad
day
dog
doll
dust
fan
feet
girl
gun
hall
hat
hen
jar
kite
man
map
men
mom
pan
pet
pie
pig
pot
rat
son
sun
toe
column
tub
van
apple
arm
banana
bike
bird
book
chin
clam
class
clover
club
corn
crayon
crow
crown
crowd
crib
desk
dime
dirt
dress
fang
field
flag
flower
fog
game
heat
hill
home
horn
hose
joke
juice
kite
lake
maid
mask
mice
milk
mint
meal
meat
moon
mother
morning
name
nest
nose
pear

I ran the password cracker again on this new wordlist

$ fcrackzip -v -D -u -m 2 -p wordlist2.txt flag.zip
found file 'flag.txt', (size cp/uc     46/    34, flags 9, chk 55e3)

Shit, still no password. I took a break and went to the store. I was talking about my problem with my wife and kids and I kept coming back to the same question.

WHY would they hide two wordlists in the same image?

I got home, got settled, and pulled up the CTF page again.

[image: screenshot of the CTF challenge page]

Then it dawned on me. I have two lists: one list is column A and the other list is column B, sooo maybe I should combine the wordlists and see if that works. I wrote another ruby script cause I CAN.

# Write every "column A + column B" combination, one candidate per line,
# with no separator between the two words (that is how the zip password turned out).
words1 = File.readlines('wordlist.txt', chomp: true)
words2 = File.readlines('wordlist2.txt', chomp: true)

File.open('wordlist3.txt', 'w') do |out|
  words1.each do |w|
    words2.each do |w2|
      out.puts(w + w2)
    end
  end
end

This ruby script combined each word from wordlist 1 with each word from wordlist 2 and gave me a new wordlist to try.

Capturing the Flag

I ran the new wordlist through fcrackzip and….drum roll plz

$ fcrackzip -v -D -u -m 2 -p wordlist3.txt flag.zip
found file 'flag.txt', (size cp/uc     46/    34, flags 9, chk 55e3)


PASSWORD FOUND!!!!: pw == othercolumn

OH SHIT IT FOUND A PASSWORD!!

$ unzip flag.zip
Archive:  flag.zip
[flag.zip] flag.txt password: othercolumn
replace flag.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
 extracting: flag.txt
$ cat flag.txt
SecDSM{all_sorts_of_ways_to_hide}

We got the password!

[image: happy dance]

I seriously danced at my desk when I got the password. I sent out a message to SecDSM. I wasn’t sure if the CTF was open to everyone or just members, or maybe it was a team thing. I didn’t get a response, so I logged on to the Slack channel and asked.

They said it was open to anyone so I sent the password to them and they confirmed it was right.

[image: tweet]

Conclusion

Well, my first CTF was completed. I had a lot of fun completing the challenge. I was happy to get back into some computer security, and it kind of confirmed to me that this might be my next step in my career. I’ve really done nothing but web development, and don’t get me wrong, I still like it, but I find computer security just as fascinating. Maybe it’s time to side step into another area of computers and see where that takes me. Anyways, I’ll update more on this in my annual New Year’s resolution post. That’s it for now. If you don’t hear from me till next year, happy holidays and happy new year!