ØxOPOSɆC Mɇɇtuᵽ Summer Challenge 2020

September 23, 2020 oposec infosec ctf 12 minutes to read

“Based in Porto, the ØxOPOSɆC group was started by g33ks who are passionate about security. The meetup primary mission is to discuss and tackle upsurging security issues by leveraging the expertise and know-how of members of the group.” This year edition of the Summer Challenge consisted of 13 challenges belonging to 4 different categories, namely: Misc (3), Crypto (3), Web (3) and Trivia (4).

Scoreboard

This was the scoreboard by the end of the competition which had 46 participants. So let’s get to the challenges, per category.

Index

Misc

My Paste (100 pts)

Oh no! I forgot where I left my paste. 🗑 Perhaps you can help me find it?

There was a string in the body of the challenge description on the CTFd platform. Opening the browser inspector and changing the colour from white to black revealed the secret: 2WvYM5Qx.

The char sequence looked like a Pastebin paste link, so using this key to visit https://pastebin.com/2WvYM5Qx, revealed the flag:

Good job!

flag{f1n0_5Up3r_b0ck_fr3squ1nho}

Slowly But Surely (200 pts)

I think aliens may be trying to communicate. What are they trying to say?

A zip file containing a raw radio transmission was given.

Downloading the file and opening it in Audacity with spectrogram view would review something like the following image.

This challenge took me a while to figure out how. Nevertheless, this should be some kind of satellite/space transmission (aliens). After a lot of reading and scrolling on sigidwiki, SSTV looked promising.

There are some scheduled transmissions of SSTV from the International Space Station. As it can be read from here: “Slow Scan Television (SSTV) is transmitted by the ARISS Russia Team from the amateur radio station in the Russian Service Module of the International Space Station using the callsign RS0ISS. The equipment used is a Kenwood D710 transceiver running about 25 watts output which provides a very strong signal enabling reception using simple equipment.”

From Wiki: Slow Scan television (SSTV) is a picture transmission method used mainly by amateur radio operators, to transmit and receive static pictures via radio in monochrome or colour.

So, what about decoding? I did solve this challenge on a Windows 10 machine with the following setup:

  • Setup of a Virtual Audio Cable for connecting the sound output to the microphone, using VB-CABLE.
  • Using RX-SSTV for decoding the signal incoming from the microphone.

Answer: flag{s4rD1nha_no_P4o}

Run (300 pts)

This was, for me, one of the most demanding challenges in the whole CTF (and the last to be solved). Since it is an image, all I could think about was around steganography, however, after playing around with all the typical culprits, no luck. All the time, the name of the file, run.png, seemed like a hint but not very helpful.

Only three days later (as you can see by the scoreboard), I finally managed it thanks to my friend and PhD supervisor Hugo, that with his in-depth knowledge of esoteric programming languages, mentioned that it could be Piet.

From Wiki: “Piet is a language designed by David Morgan-Mar, whose programs are bitmaps that look like abstract art. The compilation is guided by a pointer that moves around the image, from one continuous coloured region to the next. Procedures are carried through when the pointer exits a region.”

A quick search revealed an online npiet interpreter. Upload the image, run, and we get the flag.

piet

Answer: flag{S4L4dA_d3-P0lV0}

Crypto

Knock Knock (100 pts)

21311122 { 32114415454342344315 }

This challenge was a weird one. By guessing that this sequence corresponded to a formated flag{<stuff>}, I fired up Excel and started matching numbers and letters to see if any pattern appeared.

A pattern made itself visible, with each letter, following the alphabet order, being associated with a two-digit number. After some trial and error, it was found out that the first digit went from 1 to 5 and the second digit also from 1 and 5. The letters marked in yellow correspond to the word flag since that was the only knowledge at the beginning of this solution.

Later on, Miguel told me that this was indeed a known way of cyphering messages knonw as Tap Code. There’s an online decoder that was able to easily decyphered the message (just set the code type to numbers).

Answer: flag{mateusrose}

Pancetta (200 pts)

`S`ome`th`in`g` `i`s `hi`dden w`it`hin this `m`essag`e`. 
When y`o`u find it, ma`k`e `su`re `t`o wr`a`p `i`t i`n` `c`u`rly` `b`ra`ces`,
p`rep`en`d` `’f`la`g’` `t`o i`t,` `t`he`n` `su`bm`it` `i`t!

Filtering out only the letters within quotation marks did not help at all.

Sthgihiitmeoksutaincrlybcesrepdfgtttnsuiti

Reading more about common cyphers, and the challenge name something popped out: Pancetta is unsmoked bacon used especially in Italian cuisine.

So this could be a Baconian cypher, “a method of message encoding devised by Francis Bacon in 1605. A message is concealed in the presentation of text, rather than its content.”

Typically Baconian cyphers have two symbols, so the next move was to translate the above message into something binary. By replacing the letters in quotation marks by As and the others by Bs, this was the result:

ABBBAABBA AB AABBBB BAABBB BBBB ABBBBBAB BBBB BAB BBBB BBB BBAB AABB AB BBAB AB BA ABAAA ABBAAAB BAAABBA AABBAA ABBAA ABBA AABBAA AB!

Using Cyberchef to decipher the message did result in something: SUNDAECARAMELO????????. By following the text instructions, we got the flag.

Answer: flag{SUNDAECARAMELO}

Streamside (300 pts)

No one will give you the flag this time. You will find it out by yourself. Take your time. https://streamside.example.com

A webpage was given with an input box for the flag. By playing around a bit, and guessing that the flag started by the word flag, it was observable that requests with correct letters did take longer to the response. This point towards a timing attack. Making a quick and dirty Python script did the job (seeing what letters took longer to answer).

Answer: flag{c4l1Po_de_l1M4o}

Web

Passive-Aggressive Flask (100 pts)

I can give you a flag, but you’ll have to be nice. Remember to say it LOUD, so I can hear you. https://passiveaggressive.example.com

A webpage was given with the following content:

Not so fast. 
You think you can just boss me around? 😠 
Be *polite*!    

After searching a bit, this reminded me of a challenge at Pixels Camp 2020 Quiz Qualifiers.

The challenge consisted of sending a non-standard HTTP request to the server, namely defining the method as PLEASE instead of, e.g., GET. This would give us the flag.

please

Answer: flag{g4spach0_n0_t4ch0}

2020 (200 pts)

Just represent the number 2020. Easy, right? No digits allowed. https://2020.example.com

The web page had the following content, followed by an input box.

Hello.

Here, you can execute JavaScript code which only contains [a-z().].

So this was a revamp from a previous ØxOPOSɆC Mɇɇtuᵽ monthly challenge (and from HarekazeCTF), where you have to craft an output using only a subset of Javascript valid chars. And, per the available source code, it should have less than 300 chars.

My solution was the following:

eval.name.repeat(eval.name.link().link().link().link().link().link().link().link().link().link().link().link().link().link().link().link().link().link().link().link().strike().length).concat(eval.name).concat(eval.name).concat(eval.name).concat(eval.name).length

Answer: flag{B0L4_d3_berlim}

Extensible Risky Language (300 pts)

Your flag is securely stored in /etc/passwd. https://risky.example.com Go get it!

The webpage was a generic bootstrap page with a search box for shoe size. By analysing the requests made by the search box we could see the following payload:

xml: "<stock><size>12</size></stock>"

Taking into account that the request form data is specified as XML, this probably is an issue related to XML External Entity (XXE) Processing.

By modifying the request to get the contents of /etc/passwd we get the flag.

<!DOCTYPE a [  
<!ELEMENT a ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<stock><size>&xxe;</size></stock>

xml

Answer: flag{g3lat1na_r0y4l_m0raNg0}

Trivia

The Temper Trap (50 pts)

What HTTP header can be used by a web server to indicate the web browser to save the response into a file, instead of rendering it? Note: enter the name of the header only, no values.

From MDN web docs: “In a regular HTTP response, the Content-Disposition response header is a header indicating if the content is expected to be displayed inline in the browser, that is, as a Web page or as part of a Web page, or as an attachment, that is downloaded and saved locally.”

Answer: Content-Disposition

Assembly (75 pts)

What is the Wi-Fi password used in the parliament of Portugal? (Assembleia da República)

This was a known case in Portugal were some news channel captured a weak password displayed amongst the seats of the Portuguese parliament.

ar-pass

Answer: a123b123a1.

Thousands (100 pts)

You wanted to handle a ton of connections, so I was born.

After some trial and error, nginx was the solution. However, as per the official solution, this was related to the C10k problem to which the nginx was the first to be released that addressed it.

Answer: nginx

Curiosity (150 pts)

A story of The Mentor.

The Mentor is one of the most cited names in the history of hacking who wrote the essay The Conscience of a Hacker which became later known as the The Hacker Manifesto.

Per Wikipedia: “The Conscience of a Hacker (also known as The Hacker Manifesto) is a small essay written January 8, 1986 by a computer security hacker who went by the handle (or pseudonym) of The Mentor (born Loyd Blankenship), who belonged to the 2nd generation of hacker group Legion of Doom.”

If you’re curious, you can read the original article in the ezine Phrack along with other good essays of the time.

Answer: The Conscience of a Hacker

Wrap-up!

Another year, another fun Summer Challenge. This one with a lot of weird challenges and a pint of esoteric knowledge. Kudos to ØxOPOSɆC Mɇɇtuᵽ and to @_nunohumberto for the challenges.

welcome