Sunday, 20 September 2015

[Write-up] CSAW CTF 2015 - Recon Alexander Taylor 100

18:24 Posted by Matnacian , , , No comments

We start with:

CSAW 2015 FUZYLL RECON PART 1 OF ?: Oh, good, you can use HTTP! The next part is at /csaw2015/<the acronym for my university's hacking club>.

OK, let's google "fuzyll".
I don't see anything helpful, so I keep googling.
With "alexander taylor fuzyll", I found his LinkedIn.
You can see in Education, his university is University of South Florida.

With "University of South Florida hacking club", easily you can find this link:
Whitehatters Computer Security Club -

CSAW 2015 FUZYLL RECON PART 2 OF ?: TmljZSB3b3JrISBUaGUgbmV4dCBwYXJ0IGlzIGF0IC9jc2F3MjAxNS88bXkgc3VwZXIgc21hc2ggYnJvdGhlcnMgbWFpbj4uCg==

Decode base64 this string:
Nice work! The next part is at /csaw2015/<my super smash brothers main>.
With "fuzyll super smash brothers", you can find "yoshi" is the answer.
Very cute, right? Save this image and: $ strings yoshi.txt CSAW 2015 FUZYLL RECON PART 3 OF ?: Isn't Yoshi the best?! The next egg in your hunt can be found at /csaw2015/<the cryptosystem I had to break in my first defcon qualifier>.
This part really makes me crazy. "the cryptosystem first defcon qualifier"? Is it a crypto challenge in DEFCON? What is his first defcon qualifier? Back to his LinkedIn,
I think "DEFCON 19 qualification" is the answer.
I googled something likes "DEFCON 19 qualification challenges", "DEFCON 19 write up", but got nothing. Stuck! Stuck! Stuck!
Time to go 2 bed Zz.
After waking up, I continue googling, I continue getting nothing. To tired! So I want to try my luck. Let's check some possible cryptosystems.
CSAW 2015 FUZYLL RECON PART 4 OF 5: Okay, okay. This isn't Engima, but the next location was "encrypted" with the JavaScript below: Pla$ja|p$wpkt$kj$}kqv$uqawp$mw>$+gwes6451+pla}[waa[ia[vkhhmj

var c = ""
for (i = 0; i < s.length; i++) {
    c += String.fromCharCode((s[i]).charCodeAt(0) ^ 0x4);

Just xor!
So you can run the script again to get plain text.

Press F12 and open Console (Chrome, Firefox...)

var s = "Pla$ja|p$wpkt$kj$}kqv$uqawp$mw>$+gwes6451+pla}[waa[ia[vkhhmj"
var c = ""
for (i = 0; i < s.length; i++) {
    c += String.fromCharCode((s[i]).charCodeAt(0) ^ 0x4);
The next stop on your quest is: /csaw2015/they_see_me_rollin
CSAW 2015 FUZYLL RECON PART 5 OF 5: Congratulations! Here's your flag{I_S3ARCH3D_HI6H_4ND_L0W_4ND_4LL_I_F0UND_W4S_TH1S_L0USY_FL4G}!
--- matnacian ---
--- ctf for beginners ---

Saturday, 19 September 2015

[Write-up] CSAW CTF 2015 - Crypto notesy 100

10:03 Posted by Matnacian , , , No comments



The flag is not in the flag{} format.

I'm happy when I didn't spend too much time with this challenge. Poor you :v
We were given a link. Try some inputs and I can see it's just a substitute cipher.
And google for an alphabet english:
(because I'm very lazy to fill in the input form).

Booom! Can't believe this is our flag :D

--- matnacian ---
--- ctf for beginners ---

Tuesday, 8 September 2015

[Write-up] MMA CTF 2015 - QR code recovery challenge 400

23:23 Posted by Matnacian , , , 3 comments


You picked up teared QR code fragments. Recover the flag.
Flag is 12 characters without MMA{...}.

During the opening time  of MMA CTF, I don't know what to do with this picture.
When the CTF ended, I googled "QR code recovery challenge" to find the write-up of this chal, and found this link:


We will solve problem2.png first!
It looks easier, right? I opened GIMP and try to recover it but failed.
After googling, I found a tool named strong-qr-decoder, it can decode corrupted QR code, but only in txt file.
So I tried hard, and found a tool named qr2txt, it can change a bitmap file QR code to a txt file QR code.

Yeah! Go go go!
1. Change problem2.png to problem2.bmp with GIMP, and rename it to qr.bmp
2. $ ./qr2txt
Save it to a text file: $ ./qr2txt > qr.txt

3. User strong-qr-decoder to decode it:
$ python qr.txt -e 2 -m 4


Yeah, we got the flag of problem2.png. Can we do these steps with problem.png

"Flag is 12 characters without MMA{...}."
Submit flag "000000000000"! Failed!!!

Did I miss something?

--- matnacian ---
--- ctf for beginners ---

[Write-up] MMA CTF 2015 - Splitted 30

01:53 Posted by Matnacian , , , 2 comments
This is an "El Clásico" challenge of forensic, but I found it a little bit difficult to solve. Poor me! T.T

We got a pcap file here, but like a habit, when waiting Wireshark open the splitted.pcap, I foremost it:

Really, easy???
I went to /splitted/output/zip and open the zip file, but it was corrupted.
OK, back to Wireshark.

Sorting packets by Length, you can see some zip files like this:

Export them to files: File > Export Objects > HTTP:
Click Save All. Now we have 1, 2, ... 8 files.
We can guess that the zip file contain flag was splitted into 8 files, and we must join these files to capture the flag. Let's try:
$ cat flag* >
Extact file! Waiting... Still corrupted.

I used an hex editor to inspect these zip files, and relized they weren't in order.
Example, the flag(1).zip has the header PK of zip file >> It must be the first file when joining.
So the biggest mission in this challenge is arrange 8 splitted files in the right order to join them.
How can we do this?

Back to Wireshark again. Randomly, I chose packet No. 86 and "Follow TCP Stream".
Aha, "Range: bytes=1876-2344"

Can you guess that what should we do know?
Right! We have this table:

Now, we rename flag*.zip files to final0*.zip files base on the order above.
Example flag(1).zip ->, flag(7).zip ->
Join these files with command: $ cat final* >
Extract it. Bingo. We get the flag.psd. Open it with Photoshop or GIMP:

Blank? Don't worry. On the right panel, you will see 2 layers. Hide/Delete the 背景 layer.
Boom!!! Flag is:

Thanks for reading! ^^ And happy CTF! :D
--- matnacian ---
--- ctf for beginners ---

Monday, 7 September 2015

[Write-up] MMA CTF 2015 - Nagoya Castle 100

22:42 Posted by Matnacian , , , No comments
I can't understand this 100-challenge :D

We are given an image:

Use a stego tool named Stegsolve:
Open this "awesome" image and view it in "Red plane 0". Bingo!

--- matnacian ---
--- ctf for beginners ---

[Write-up] MMA CTF 2015 - Pattern Lock 20

22:28 Posted by Matnacian , , , 1 comment


In android smartphone, you can use "pattern lock".
Pattern lock use 9 dots(3x3) on the screen in the figure below.
The following figures are examples of lock pattern.
image:image2 image:image3
Lock pattern must satisfy following three conditions.
  • Use at most once each dot.
  • Use at least 4 dots.
  • Cannot skip the dot on the segment.
(Flag 1) Flag is the number of lock patterns in decimal without MMA{...}.
(Flag 2) Flag is the maximum length of lock patterns on 4x4 dots. Assume the length of two neighbor dot is 1. Please answer rounded to four decimal places without MMA{...}. (XX.XXXX)
Just google "number of lock patterns".
You will find this:

Combinations of the Android pattern lock screen would not be from 1-9. Instead, they would be 4-9, as the lock pattern needs a minimum of four inputs, and anything below that is invalid (at least 2.3 onwards. I believe 2.2 and below allowed 3 point locks). Here's the breakdown of the combinations:
Moves = 4, combinations = 1624
Moves = 5, combinations = 7152
Moves = 6, combinations = 26016
Moves = 7, combinations = 72912
Moves = 8, combinations = 140704
Moves = 9, combinations = 140704

Total possibilities: 1624 + 7152 + 26016 + 72912 + 140704 + 140704 = 389112
So flag 1 is 389112!

--- matnacian ---
--- ctf for beginners ---