US Cyber Games - Write UPs
- dwaseem
- Jun 10, 2024
- 9 min read

Great CTF, lots of challenging ones, especially on the Competitive side with the Web, Reverse, Crypto and PWN categories. I am relatively new to CTFs, IT, and Cyber, this being my 4th competition to take part in. Here are my write-ups:
The Email Where It Happens [Forensics] - 150
Howdy Truth Seekers! It seems that some malware that was strategically shared has begun to phone back home! We believe that this might have some very important information that could help lead us to finally getting to the bottom of this conspiracy regarding extraterrestrial life. Unfortunately the original developer of this tool was recently promoted to customer status and is no longer on good terms with the organization. This means that we don't have any information on how to decode this traffic. Unfortunately all I have is a PCAP. Can you help us out here?
Downloads: intercepted_communication.pcap
The basic first step is always to open it right up in Wireshark. It looks like some kind of DNS packets. After some digging and parsing through the packets, I figured out it has to do with data exfiltration.
Communication is flowing between 192.168.1.199 and 8.8.8.8
We can follow the UDP stream, which shows query names under meowcorp.cloud carrying what seems to be some sequence of numbers and letters, either a hash or some base encoding.
First action is to save this stream!
Next we can hop over to CyberChef and run the following recipe:
Fork
Find & Replace (remove .meowcorp.cloud)
Find & Replace (remove \..*)
Merge
Remove white space
From base32
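The CyberChef recipe above written out in Python, as an added example that is not part of the write-up: a constructed sample stream stands in for the challenge's queries (the domain name is the one from the capture, the secret and the chunk size are made up), the decoder applies the same steps in the same order, and a small heuristic shows what a defender could run over DNS query logs to spot the same pattern.

```python
import base64
import re

EXFIL_DOMAIN = "meowcorp.cloud"               # suffix seen on every query in the stream
B32_LABEL = re.compile(r"^[A-Z2-7]{16,}$")     # long label drawn only from the base32 alphabet


def build_sample_queries(secret: bytes, chunk: int = 20) -> list:
    """Constructed sample only (not the challenge pcap): base32-encode `secret`,
    split it into fixed-size labels and append the exfil domain, which is what
    the queries in the UDP stream looked like."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return [f"{b32[i:i + chunk]}.{EXFIL_DOMAIN}" for i in range(0, len(b32), chunk)]


def decode_queries(names: list, domain: str = EXFIL_DOMAIN) -> bytes:
    """The CyberChef recipe as code, in the same order: strip the domain, drop
    everything after the first dot, merge the labels, remove whitespace,
    restore base32 padding and decode."""
    merged = ""
    for name in names:
        name = name.strip()
        if name.endswith("." + domain):
            name = name[: -len(domain) - 1]
        merged += name.split(".")[0]          # Find & Replace \..* -> ''
    merged = re.sub(r"\s+", "", merged).upper()
    merged += "=" * (-len(merged) % 8)        # base32 decoders want 8-char groups
    return base64.b32decode(merged)


def looks_like_tunnel(name: str) -> bool:
    """Detection heuristic for the same traffic: a long left-most label made
    only of base32 characters is a strong sign of data riding on DNS."""
    return bool(B32_LABEL.match(name.split(".")[0].upper()))


if __name__ == "__main__":
    queries = build_sample_queries(b"constructed sample: nothing to see here")
    for q in queries:
        print(q, "tunnel?", looks_like_tunnel(q))
    print(decode_queries(queries))
```

The decoder assumes the queries are fed in the order Wireshark shows them in the stream; if the chunks were numbered or arrived out of order you would sort them first. The heuristic is deliberately loose and will flag any long base32-looking label, so in a real environment it is a trigger for a closer look, not a verdict.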
FLAG: SIVBGR{wh0_n33ds_32_b4s3s}
Tubes [Forensics] - 100
File name: id_uscg
The challenge question stated something about messages traveling through the network.
I did not capture the question unfortunately.
Our first step is to change the file permissions:
chmod 600 id_uscg
I ran some recon and found port 22 open, which allows:
ssh -i id_uscg uscg@tubes.challs.uscybgergames.com -p 22
Went through all the directories looking for some type of file with numbers and letters. I later learned this was meant to throw us for a loop; there wasn't much useful in it. However, looking back, this points to the fact that these letters and numbers are used within the flag we find.
If we run compgen -c we can learn what commands are available in the shell of any machine we SSH into, which is very useful in CTFs where you have to SSH into purpose-built VMs.
We are presented with this hint within one of the directories:
Passing through? Some tubes?
Interesting
So far I had hit a roadblock, but with the hint I realized I should go to the folder with the tcpdump binary and run tcpdump.
Running tcpdump showed a ton of general conversation between IPs, but one stood out: 255.255.255.255
Came up with the following:
tcpdump -A -vv -nn dst 255.255.255.255
The tcpdump output shows interactions between the 192 IP and 255.255.255.255. If you look closely, hidden within each packet dump is the flag, with markers and pipes.
Took a few tries but figured out the full flag. FLAG: SIVUSCG{t0t4lly_tub4l4r}
Certified [Forensics] - 100
file: certified.pcapng
One of our machines was recently hit with malware and appears to have opened a backdoor. We were able to get this PCAP from around the time when it was accessed but aren't sure what was exfiltrated from the network. Take a look and see if you can make sense of it!
New challenge for me, not too difficult. I did a little digging into PCAP files, figured out that we can find TLS keys within the capture, and decided to check the export objects.
Upon exporting the objects we see a file that pulls up as backdoor.php
cat backdoor.php and find:
RSA private key
Certificate
We can then go to Edit > Preferences > Protocols > TLS
We can separate the key and the certificate into their own files, such as key.pem, with Vim
Add both the certificate and the RSA key to Wireshark's RSA keys list
Check the TCP stream, then check the TLS stream, and you will get the flag.
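The "separate the keys into their own file" step done with a script instead of Vim, as an added example that is not part of the write-up. The PHP wrapper and the PEM bodies below are constructed placeholders, not the challenge's backdoor.php. The second function checks the one thing that silently breaks this workflow: Wireshark's RSA keys list needs an unencrypted private key, and even then it only decrypts sessions that used RSA key exchange, not (EC)DHE suites.

```python
import re

# Constructed stand-in for the exported backdoor.php: PHP text wrapped around
# two PEM blocks. The base64 bodies are placeholders, not real key material.
SAMPLE_PHP = """<?php
$key = <<<EOT
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKxPLACEHOLDERPLACEHOLDERPLACEHOLDER
-----END RSA PRIVATE KEY-----
EOT;
$cert = <<<EOT
-----BEGIN CERTIFICATE-----
MIIB2zCCAYWgPLACEHOLDERPLACEHOLDERPLACEHOLDER
-----END CERTIFICATE-----
EOT;
"""

# A PEM block: BEGIN line, body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


def split_pem(text: str) -> dict:
    """Return {label: full PEM block} for every block embedded in `text`, so
    each one can be saved as its own .pem file for Wireshark."""
    blocks = {}
    for m in PEM_BLOCK.finditer(text):
        blocks[m.group("label")] = m.group(0) + "\n"
    return blocks


def suggested_filename(label: str) -> str:
    """key.pem for any private-key block, cert.pem for everything else."""
    return "key.pem" if "PRIVATE KEY" in label else "cert.pem"


def key_is_encrypted(block: str) -> bool:
    """Wireshark cannot use a passphrase-protected key: PKCS#8 marks this in the
    BEGIN line, legacy PEM with a Proc-Type header in the body."""
    first_line = block.splitlines()[0]
    return "ENCRYPTED" in first_line or "Proc-Type: 4,ENCRYPTED" in block


if __name__ == "__main__":
    for label, block in split_pem(SAMPLE_PHP).items():
        print(suggested_filename(label), "<-", label,
              "(encrypted)" if key_is_encrypted(block) else "(usable)")
```

To actually write the files, loop over split_pem(open("backdoor.php").read()).items() and write each block to suggested_filename(label). If key_is_encrypted reports True you need the passphrase and a conversion to an unencrypted key before Wireshark will accept it.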
FLAG: SIVUSCG{c3rtif1abl3_h4ck3rs}
Redundant [Forensics] - 100
My meme got corrupted somehow and cut off the punchline. Can you help?
File: redundant.png
Opened the image with ristretto redundant.png
I did the usual here: checked the file name, checked the EXIF data with exiftool
Nothing out of the ordinary
The magic bytes check out for PNG
so what is hidden here?
We can see under the gray there is something hidden
After a lot of tool searching and attempting to read the magic bytes, I eventually came across a video from John Hammond using a tool called stegsolve.jar
Installed it and opened the image with stegsolve using:
./stegsolve.jar redundant.png and voila!
FLAG: SIVUSCG{1nv41id_chunk5_l0l}
Hunt [Web]
Agent, it looks like ARIA has spun up a simple website. Is there anything you can find to give more information about its plans?
The goal was to find the complete flag for the web challenge.
Opened this one up in Burp Suite and began to check the requests and responses caught by the proxy.
Initial page load has a GET request that is interesting:
Within the text of the responses, at the bottom of the HTML and JavaScript and broken up across three responses, was the answer.
FLAG: SIVBGR{r1s3_0f_th3_r0bots!}
xorcellent flag checker [Crypto] - 200
Can you successfully figure out the flag to correctly pass this checker?
Took the program to dogbolt to get a decompilation.
Analyzed the program: it is C++ with an XOR function.
The program asks for a flag
Input is captured and stored in a string variable v6
The flag then goes for verification (the sub_11A9 function)
Function sub_11A9 checks whether the length of the input is 22 characters
Then it performs an XOR operation between corresponding bytes of two predefined byte arrays:
byte_4050 and byte_4070
The result of each XOR operation is compared to the corresponding character in the input string.
If all comparisons match, the function returns 1, indicating the correct flag, or 0 for a wrong one.
The output is based on the verification: correct or sorry.
So basically the program performs XOR-based validation of the entered flag against predefined byte arrays and provides feedback based on the result.
We can find the exact character for each position: for each index i in the input string, where i ranges from 0 to 21, position i should equal byte_4050[i] XOR byte_4070[i].
We can write a Python script for this since the bytes are given to us in the decompiled code:
byte_4050[32] = {-83, 117, -1, -125, -43, -64, 115, 22, 44, 42, -9, 46, 123, 69, -76, -106, -5, -127, -87, 123, 105, 105, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
byte_4070[24] = {-2, 60, -87, -63, -110, -110, 8, 110, 28, 88, -88, 108, 59, 54, -123, -11, -120, -34,-5, 72, 31, 20, 0, 0}
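The script itself, as an added example (not the author's): it copies the two arrays exactly as the decompiler printed them, handles the signed-char values, reimplements the checker as the write-up describes it (length 22, byte-by-byte compare, return 1 or 0) and then derives the only input that passes. Nothing here is from the binary beyond the arrays and the behaviour described above.

```python
# Byte arrays copied from the decompiled checker (signed char values, as the
# decompiler printed them); only the first 22 entries are compared.
BYTE_4050 = [-83, 117, -1, -125, -43, -64, 115, 22, 44, 42, -9, 46, 123, 69,
             -76, -106, -5, -127, -87, 123, 105, 105, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
BYTE_4070 = [-2, 60, -87, -63, -110, -110, 8, 110, 28, 88, -88, 108, 59, 54,
             -123, -11, -120, -34, -5, 72, 31, 20, 0, 0]
FLAG_LEN = 22


def to_u8(v: int) -> int:
    """Signed char as the decompiler shows it -> the unsigned byte the CPU XORs."""
    return v & 0xFF


def check_flag(candidate: str) -> int:
    """sub_11A9 as described in the write-up: length must be 22 and every
    input byte must equal byte_4050[i] ^ byte_4070[i]. Returns 1 or 0."""
    if len(candidate) != FLAG_LEN:
        return 0
    data = candidate.encode("latin-1")
    for i in range(FLAG_LEN):
        if data[i] != to_u8(BYTE_4050[i]) ^ to_u8(BYTE_4070[i]):
            return 0
    return 1


def recover_flag() -> str:
    """The inverse: the only string the checker accepts is the XOR of the two
    arrays, so compute it instead of guessing."""
    return "".join(chr(to_u8(a) ^ to_u8(b))
                   for a, b in zip(BYTE_4050[:FLAG_LEN], BYTE_4070[:FLAG_LEN]))


if __name__ == "__main__":
    flag = recover_flag()
    print(flag, "->", "correct" if check_flag(flag) else "sorry")
```

The `& 0xFF` is the part people trip over: the decompiler prints the bytes as negative signed chars, and XORing the Python ints directly gives negative results that chr() rejects. Masking first gives the same byte the compiled code compares against.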
FLAG: SIVBGR{x0r_B@s1cs_R3v}
What's Diffie [Crypto] - 150
Alice and Bob have been experimenting with a way to send flags back and forth securely. Can you intercept their messages?
nc 0.cloud.chals.io 32820
We can start by connecting with Netcat
nc 0.cloud.chals.io 32820
Diffie-Hellman is a key exchange where two parties agree on a prime modulus p and a generator g that is a primitive root modulo p; each side picks a secret exponent, sends g raised to it mod p, and both arrive at the same shared secret without ever sending it.
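The exchange from both sides in code, as an added example written for this page (the write-up's own script is not reproduced). The modulus, generator, private exponents and message are constructed toy values, not the challenge's. It also shows the step the challenge title hints at from the interceptor's side: with a modulus this small the public values give up the private exponent to baby-step giant-step, which is exactly why real groups are 2048 bits and up.

```python
import secrets

P = 2**31 - 1   # constructed toy modulus (a Mersenne prime), not the challenge's
G = 7           # generator of the multiplicative group mod P


def keypair(p: int = P, g: int = G, priv=None):
    """Private exponent (random unless supplied) and its public value g^priv mod p."""
    if priv is None:
        priv = secrets.randbelow(p - 2) + 1
    return priv, pow(g, priv, p)


def shared_secret(their_pub: int, my_priv: int, p: int = P) -> int:
    return pow(their_pub, my_priv, p)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the operation the write-up applied to the hex values."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def discrete_log(h: int, g: int = G, p: int = P):
    """Baby-step giant-step: x with g^x == h (mod p), or None. O(sqrt(p))
    memory and time, which is only practical because p is tiny here."""
    m = int((p - 1) ** 0.5) + 1
    table = {}
    cur = 1
    for j in range(m):                 # baby steps: g^j
        table.setdefault(cur, j)
        cur = cur * g % p
    step = pow(g, -m, p)               # g^(-m)
    gamma = h
    for i in range(m):                 # giant steps: h * g^(-i*m)
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * step % p
    return None


def run_exchange(a=None, b=None, message: bytes = b"constructed flag text"):
    """Alice and Bob derive the same key and XOR a message with it; an
    eavesdropper who saw only (p, g, A, B, ciphertext) recovers it too."""
    a, A = keypair(priv=a)
    b, B = keypair(priv=b)
    k_alice = shared_secret(B, a)
    k_bob = shared_secret(A, b)
    assert k_alice == k_bob
    key = k_alice.to_bytes(4, "big")
    ciphertext = xor_bytes(message, key)

    a_recovered = discrete_log(A)      # the interception step
    k_eve = shared_secret(B, a_recovered)
    return ciphertext, xor_bytes(ciphertext, k_eve.to_bytes(4, "big"))


if __name__ == "__main__":
    ct, recovered = run_exchange()
    print(ct.hex(), "->", recovered)
```

Deriving a raw XOR key straight from the shared secret is what the challenge did, not what a real protocol does; TLS and friends run the secret through a KDF and use an authenticated cipher. The two separate weaknesses on display, a guessable group and a malleable cipher, are worth keeping apart when you write this up.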
We can write a script for this:
Netcat back into the shell and input 47, and we then get:
I then created a Python script to handle the bitwise XOR operation on the hex values, which I cleaned up with CyberChef. (XOR can be done in CyberChef too.)
For Python practice the script goes:
This gives us:
Prime Time [Crypto]
file: challenge.txt
We are given these values with the challenge:
I recently found out about RsaCtfTool and put that to use.
FLAG: SIVBGR{h1dd3n_f4c70r5}
Let Em Cook [Crypto] - 150
file: challenge.txt
We are given the cryptic file above. I took this to CyberChef:
Remove whitespace
Aligned everything and did the following steps before figuring out it was ROT47
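ROT47 in code, as an added example that is not part of the write-up, generalized a little: one routine rotates over the whole printable range by any shift (ROT47 is the self-inverse shift of 47), and a second one tries every shift and stops at the one that produces the flag prefix, so you do not have to guess the rotation by eye. The flag prefix used as the marker is the one this CTF uses; the sample text is made up.

```python
def rot_printable(text: str, shift: int) -> str:
    """Rotate every printable ASCII character (33..126, 94 symbols) by
    `shift`, leaving space and control characters alone."""
    out = []
    for ch in text:
        o = ord(ch)
        if 33 <= o <= 126:
            out.append(chr((o - 33 + shift) % 94 + 33))
        else:
            out.append(ch)
    return "".join(out)


def rot47(text: str) -> str:
    """ROT47: shift 47 over 94 symbols, so applying it twice is the identity."""
    return rot_printable(text, 47)


def find_shift(cipher: str, marker: str = "SIVBGR{"):
    """Try the 93 non-trivial shifts; return (shift, plaintext) for the first
    output containing the flag marker, or None if no shift fits."""
    for s in range(1, 94):
        candidate = rot_printable(cipher, s)
        if marker in candidate:
            return s, candidate
    return None


if __name__ == "__main__":
    sample = rot47("SIVBGR{constructed}")
    print(sample)
    print(find_shift(sample))
```

Because the rotation is a bijection on the printable range, only the exact inverse shift can reproduce the marker at the same place; the scan therefore returns unambiguously when the marker is present and None when the text was not a printable-range rotation at all.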
Baby's First RSA [Crypto] - 150
File: main.py
I just learned about RSA and I am pretty sure that I implemented it right. It should be impossible to get my flag.
main.py has the following:
The program gives us:
Again, to practice with Python, I made a script:
Flag: SIVBGR{D0nt_F0rg37_T0_P4D!!!}
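The flag names the bug, so here is the whole thing worked through as an added example that is not the author's script or the challenge's key: a constructed key (two Mersenne primes, e = 5), textbook encryption with no padding, and the recovery that needs no private key at all. When m^e is smaller than n the modular reduction never happens, so the ciphertext is literally m^e and an integer e-th root returns m. The last function shows that filling the block with random bytes, even crudely, removes that property.

```python
import os

# Constructed toy key (not the challenge's). Both p-1 and q-1 are coprime to 5,
# so e = 5 is a valid public exponent. Keygen with library primes would do the
# same; fixed known primes keep this self-contained.
P = 2**607 - 1
Q = 2**1279 - 1
N = P * Q
E = 5
D = pow(E, -1, (P - 1) * (Q - 1))


def int_to_bytes(m: int) -> bytes:
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def encrypt_unpadded(m: bytes) -> int:
    """Textbook RSA as in the challenge: message straight to an integer."""
    return pow(int.from_bytes(m, "big"), E, N)


def encrypt_padded(m: bytes) -> int:
    """Crude illustration only (not PKCS#1/OAEP): random bytes fill the block
    so the plaintext integer is as wide as n and m^e wraps many times."""
    block_len = (N.bit_length() - 1) // 8          # always < n
    return pow(int.from_bytes(os.urandom(block_len - len(m)) + m, "big"), E, N)


def decrypt(c: int) -> bytes:
    """The legitimate path with the private exponent."""
    return int_to_bytes(pow(c, D, N))


def iroot(x: int, k: int) -> int:
    """floor(x ** (1/k)) on arbitrary-size ints by binary search (exact)."""
    lo, hi = 0, 1 << ((x.bit_length() + k - 1) // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def recover_without_key(c: int, e: int = E):
    """Attacker's view, public key only: if c is a perfect e-th power the
    message never wrapped modulo n. Returns the message or None."""
    r = iroot(c, e)
    if r ** e != c:
        return None
    return int_to_bytes(r)


if __name__ == "__main__":
    msg = b"SIVBGR{constructed_short_msg}"
    print("unpadded:", recover_without_key(encrypt_unpadded(msg)))
    print("padded:  ", recover_without_key(encrypt_padded(msg)))
```

The attack extends to the case where m^e is only slightly larger than n (try the roots of c + k*n for small k), and with a real padding scheme the integer is always close to n in size, which is the whole point of the flag's advice.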
I Want to believe [Forensics] - 150
We've received a GIFt from what appears to be a signal coming from extraterrestrial life! Although, it appears they've used steganography to hide it inside of this .gif file. All we know is that it's in the form of a text file named 'iwanttobelieve.txt'. Can you recover it?
file type: gift.gif: GIF image data, version 89a, 602 x 588
This GIFt file has a hidden file in it, which is iwanttobelieve.txt
Okay, crazy one. Need to download the tool: git clone https://github.com/dtmsecurity/gift.git
From there we run the recover command:
python3 ./gift-cli.py --source /home/meditated/CTFs/US_CyberGames/Forensics/I_Want_to_Believe/gift.gif recover iwanttobelieve.txt
This tool writes an output file containing the text that was hidden in the original GIF. After that we can cat that file and get the results.
You Have Mail [Forensics]
We are given a file:
URGENT_Proof_of_UFO_Read_in_a_secure_location.eml
This file contains a zip
We have to extract the zip file from the given .eml.
Once that is done you have to cat or strings the email to get the password, then use the hex of the given keys to assemble it in the specified order, like: unzip -P Secure_Code:Order_66 evidence.zip
Only then does it extract; otherwise it does not accept the password.
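Pulling the attachment out of the .eml with the standard library instead of by hand, as an added example that is not part of the write-up. The message it builds is a constructed stand-in for the challenge email (addresses, body and archive contents are made up, and the zip is unencrypted because zipfile cannot write password-protected archives); the extractor itself is generic and works on any MIME mail.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage


def build_sample_eml() -> bytes:
    """Constructed stand-in for the challenge .eml: a short body plus a zip
    attachment, which the email library base64-encodes for us."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("evidence.txt", "constructed evidence, not the real file")
    msg = EmailMessage()
    msg["From"] = "agent@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "URGENT Proof of UFO - read in a secure location"
    msg.set_content("The archive password is in the usual place.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="evidence.zip")
    return msg.as_bytes()


def extract_attachments(raw: bytes) -> dict:
    """Walk the MIME tree and return {filename: bytes} for every part that has
    a filename; get_payload(decode=True) undoes base64/quoted-printable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = {}
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            found[fname] = part.get_payload(decode=True)
    return found


def body_text(raw: bytes) -> str:
    """The plain-text body, which is where the password hints lived."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body else ""


def list_zip(data: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    raw = build_sample_eml()
    print(body_text(raw).strip())
    for name, data in extract_attachments(raw).items():
        print(name, len(data), "bytes ->", list_zip(data))
```

For the real file, pass open("URGENT_Proof_of_UFO_Read_in_a_secure_location.eml", "rb").read() to extract_attachments and write the zip bytes to disk. zipfile can also read the legacy ZipCrypto encryption that unzip -P uses, via ZipFile.extractall(pwd=b"..."), so the last step can stay in the same script once you have the password.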
AE-no [MISC] - 150
We are given an out.txt and a main.py Python program
We can cat the out.txt
The python file contains:
It is basic AES-CBC, with XOR decryption and an IV that we have.
We already know that the text contains 'Here is the flag'. This is written in the main() function as msg = b'Here is the flag for you: '
This known plaintext helps us figure out the remainder.
I created a Python script:
Run the python program and done
Flag: SIVBGR{IV_B33n_H3r3_B3f0r3}
Math Reversal [Reverse Engineering] - 150
I did not write up much for this challenge, but from what I do know, the decompilation from dogbolt mainly shows us a C++ program with:
Further, there is a boolean flag-check function; it checks whether the provided flag meets certain conditions based on the flagCheck array.
We need to calculate each character of the flag based on the above relationship:
For i = 0: a1[0] = 128 - 45 = 83 → 'S'
For i = 1: a1[1] = 128 - 55 = 73 → 'I'
For i = 2: a1[2] = 128 - 42 = 86 → 'V'
For i = 3: a1[3] = 128 - 62 = 66 → 'B'
For i = 4: a1[4] = 128 - 57 = 71 → 'G'
For i = 5: a1[5] = 128 - 46 = 82 → 'R'
For i = 6: a1[6] = 128 - 5 = 123 → '{'
For i = 7: a1[7] = 128 - 10 = 118 → 'v'
For i = 8: a1[8] = 128 - 77 = 51 → '3'
For i = 9: a1[9] = 128 - 14 = 114 → 'r'
For i = 10: a1[10] = 128 - 7 = 121 → 'y'
For i = 11: a1[11] = 128 - 33 = 95 → '_'
For i = 12: a1[12] = 128 - 28 = 100 → 'd'
For i = 13: a1[13] = 128 - 79 = 49 → '1'
For i = 14: a1[14] = 128 - 26 = 102 → 'f'
For i = 15: a1[15] = 128 - 26 = 102 → 'f'
For i = 16: a1[16] = 128 - 79 = 49 → '1'
For i = 17: a1[17] = 128 - 29 = 99 → 'c'
For i = 18: a1[18] = 128 - 11 = 117 → 'u'
For i = 19: a1[19] = 128 - 20 = 108 → 'l'
For i = 20: a1[20] = 128 - 12 = 116 → 't'
For i = 21: a1[21] = 128 - 33 = 95 → '_'
For i = 22: a1[22] = 128 - 16 = 112 → 'p'
For i = 23: a1[23] = 128 - 31 = 97 → 'a'
For i = 24: a1[24] = 128 - 13 = 115 → 's'
For i = 25: a1[25] = 128 - 13 = 115 → 's'
For i = 26: a1[26] = 128 - 9 = 119 → 'w'
For i = 27: a1[27] = 128 - 80 = 48 → '0'
For i = 28: a1[28] = 128 - 14 = 114 → 'r'
For i = 29: a1[29] = 128 - 28 = 100 → 'd'
For i = 30: a1[30] = 128 - 3 = 125 → '}'
This was a quick copy paste into ChatGPT which solved it for me:
SIVBGR{v3ry_d1ff1cult_p@ssw0rd}
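The same arithmetic as a script rather than a chat prompt, as an added example that is not from the write-up. The flagCheck values are the ones listed above; the checker function is written from the description of the boolean check (each character must satisfy 128 - ord(c) == flagCheck[i]) and the solver simply inverts it.

```python
# flagCheck values as listed in the write-up, index 0..30; the decompiled
# relation is a1[i] = 128 - flagCheck[i].
FLAG_CHECK = [45, 55, 42, 62, 57, 46, 5, 10, 77, 14, 7, 33, 28, 79, 26, 26,
              79, 29, 11, 20, 12, 33, 16, 31, 13, 13, 9, 80, 14, 28, 3]
BASE = 128


def check_flag(candidate: str, check=FLAG_CHECK, base: int = BASE) -> bool:
    """The binary's side: right length, and every character satisfies
    base - ord(c) == check[i]."""
    if len(candidate) != len(check):
        return False
    return all(base - ord(c) == v for c, v in zip(candidate, check))


def recover_flag(check=FLAG_CHECK, base: int = BASE) -> str:
    """The solver's side: a subtraction is trivially invertible, so the only
    accepted input is chr(base - v) for each entry."""
    return "".join(chr(base - v) for v in check)


if __name__ == "__main__":
    flag = recover_flag()
    print(flag, check_flag(flag))
```

One thing the script makes visible: entry 23 as listed (31) decodes to 'a', while the flag the author submitted has '@' in that position, which would need a flagCheck value of 64. One of the two transcriptions on the page is off by that single entry; running the arithmetic instead of eyeballing it is how you catch that before you paste the flag.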
Flag Checker [Reverse Engineering] - 150
This came with the file pyrev.py, which looks like this:
This Python file runs checks on the input, determining whether it is the flag or not.
The input flag must be the same length as 'phonesteak', 28 total characters
The transformation process is an XOR, and the ASCII values are inverted
We can make a quick Python program with ChatGPT's help.
Run the program and voila:
Secret [Forensics] - 150
File: Secret.pdf
Relatively easy challenge
I took this file to Firefox
Dropped it onto the URL bar, which opened up the file for me like so:
Copy all, paste into Notepad, Word or the document reader of your choice, and get:
Flag: SIVBGR{C0nta1n_Th3_Al13ns}
Note: Careful with the syntax!
I do have all of the files if anyone needs any; please feel free to reach out, the contact page on my site comes right to my email!
Final Thoughts
I unfortunately did not record notes on all of the challenges; I missed notes on a few, but ultimately ended up with 2500 points, placed 135/1353, and I am happy with that. I do want to mention that the syntax errors when inputting the flag were probably the most annoying part. I don't understand the need for oddball syntax.