NULLCON 2020 Winja CTF Write-up

NULLCON 2020

NULLCON is an annual International Security Conference held at Goa, India for Security enthusiasts, researchers and academia. It was the 11th edition of NULLCON this year. For details, check out their website.

As an upcoming Security Engineer, it was an amazing experience to be at NULLCON. NULLCON is one of the perfect places to meet awesome hackers from around the world, know their stories and learn various ideas from them over some food and drinks. Also there are various CTF events held at Nullcon (HackIM, Winja CTF, Battle Underground, Hardware CTF, SCADA CTF) and I happened to play the Winja CTF. I’m glad that Shoeb Patel (a.k.a CaptainFreak) had encouraged me to register and participate in Winja. Great thanks to him :D

CTF Write-up

Here is my write-up for all the challenges that I had solved during the CTF and also after it was made open for all.

The challenges in the CTF were partitioned into chapters or levels, and the next chapter unlocks once any one of the challenges in the preceding chapter has been solved. The higher the chapter, the higher the points gained in its challenges.

Chapter 1 - A spy is born

hackcha2

This was a web challenge and upon inspecting the HTML source code I found there was a call made to a function, secretFunction(). The secretFunction() could be found upon looking at the js script files.

var secretFunction = function() {
    var secret = "ZmxhZ3t3ZWxjb21lX203aXc3aGlES1RfTXJHcmlubnlXYW50c1RvU2VlWW91fQ==";
}

The variable secret contained a base64 encoded value. The flag was revealed when it was base64 decoded.

Format Your Computer

This was a simple challenge which involved downloading an executable file and searching for the flag in its contents. The strings command did its magic and revealed the flag.

Decrypt the Chiffrer

Here the encrypted text of the flag was given: atgk{OqkqMXBz08_XsipvQyMaQrvnmopyi}. The description of the challenge was in French and when I translated it to English it stated “know the number, know the key”. That meant the flag was encrypted using the Vigenere cipher and we needed to find the key to decrypt the given text.

After that I tried to guess the possible key. I knew the first four letters of the encrypted text “atgk” are “flag”. So using an online tool for decryption I tried to guess the first four letters one by one. And the first four letters of the key were then “vige”. And so I thought the possible key would be “vigenere”, which worked.
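The key recovery described above can be done without an online tool. The following is an added example, not code from the original write-up: it derives the key prefix from the known "flag" prefix and filters a small wordlist against it. The wordlist is constructed for illustration, and the decryptor assumes that only letters consume key characters.

```python
import string
from itertools import cycle

A = ord("a")
CIPHERTEXT = "atgk{OqkqMXBz08_XsipvQyMaQrvnmopyi}"  # from the challenge
CRIB = "flag"                                        # known flag prefix
WORDLIST = ["caesar", "vigilant", "vigenere", "enigma"]  # constructed sample


def key_from_crib(ciphertext: str, crib: str) -> str:
    """Key letters implied by a known plaintext prefix: k = (c - p) mod 26."""
    letters = [c for c in ciphertext if c in string.ascii_letters]
    return "".join(
        chr((ord(c.lower()) - ord(p.lower())) % 26 + A)
        for c, p in zip(letters, crib)
    )


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Decrypt while preserving case. Digits and punctuation pass through
    unchanged and do not advance the key (assumption about the scheme)."""
    shifts = cycle(ord(k) - A for k in key.lower())
    out = []
    for ch in ciphertext:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else A
            out.append(chr((ord(ch) - base - next(shifts)) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def candidate_plaintexts(ciphertext: str, crib: str, wordlist: list) -> list:
    """Keep only words consistent with the recovered key prefix and
    return (key, plaintext) pairs for manual review."""
    prefix = key_from_crib(ciphertext, crib)
    return [
        (word, vigenere_decrypt(ciphertext, word))
        for word in wordlist
        if word.startswith(prefix)
    ]


if __name__ == "__main__":
    print("key prefix:", key_from_crib(CIPHERTEXT, CRIB))
    for key, plaintext in candidate_plaintexts(CIPHERTEXT, CRIB, WORDLIST):
        print(key, "->", plaintext)
```

A four-letter crib only pins down the first four key letters, so the rest of the key still has to come from a guess or a wordlist, as it did in the write-up.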

Chapter 2 - With love from Moscow

Face Reveal

This was a small steganography challenge with an image provided to us. The description was encrypted with a Caesar cipher. After decrypting, it stated that OpenStego had been used and that the password to recover the secret from the given image is a common password.

OpenStego is free software that can be used for steganography. One can easily select the file and extract hidden data if the password for hiding that data is known. And thus I applied a set of common passwords and got the flag.

Korla’s past

This was another easy challenge. There was a piece of encoded text provided which seemed base64 encoded. When I decoded it, it resulted in another base64 encoded text. And so I decoded it again and found the flag.

XL Mastery

This challenge provided a zip file which contained various files and the flag was hidden in one of them.

Chapter 3 - A friend in need

Find me

Find me was another web challenge; it had a commented-out section in the HTML source code of the webpage. The section contained navigation links for the nav-bar.

<!---
<ul><b><body text="black"><font size="5">LINKS</font></b>
<li><a href="FIND" style = "color: rgb(255,255,255)"><font face="ARIAL" size="5">PROGRAM.htm</font></a>
</ul>
</body>
--->

So when visiting the endpoint by adding /FIND to the URL, I obtained a file with hex code. The hex code was encoded C++ code which on execution revealed the flag.

A “weird” person!

This challenge required a little knowledge about esoteric programming languages. The text file given for the challenge contained JSFuck code. JSFuck is an esoteric programming style of JavaScript, where code is written using only six characters: [, ], (, ), !, and +. I then decoded the text file and got the JavaScript code, which contained the flag in a console.log() line.

Chapter 4 - In a hopeless place

Exfiltrate John

A forensics challenge in which the author gave three files: alcohol.jpg, encrypted, and real_programmers.jpg. The challenge asks to decrypt the encrypted data. The encrypted data seemed to be encrypted using a public-key encryption algorithm, which meant that the details of the public/private key were in the jpg images provided. So this involves steganography again. The very first step I did (and which was also provided as one of the hints for the challenge) was to check the metadata of the two images using an online exiftool.

From the first image alcohol.jpg I got the following data:

EXIF
DocumentName Wonk Wonk !
ImageDescription The private key is encrypted! I know
PageName OpenSSL
Artist https://futureboy.us/stegano/decinput.html
HostComputer RSA

and from the second image real_programmers.jpg I got:

EXIF 
DocumentName So you found something!!
ImageDescription This has the private key !!
Artist https://futureboy.us/stegano/decinput.html
HostComputer RSA

From the above data I was able to figure out three pieces of information. First, the encryption algorithm used is the RSA algorithm. Second, to extract information from the images I needed to use the link https://futureboy.us/stegano/decinput.html. Third, the private key present in the image real_programmers.jpg is encrypted using OpenSSL. So I needed the password to decrypt it, which is extracted from the image alcohol.jpg.

To decrypt the private key, I saved the encrypted private key in a file, enc.key. Then I used the following command and the password from the image alcohol.jpg.

$ openssl rsa -in enc.key -out dec.key

Once the private key was obtained I decrypted the contents of the encrypted file which revealed the flag.


Playing CTFs is an awesome way to trigger our brains, leading us to enjoy and immerse ourselves in researching and finding solutions. I have learned some new stuff while playing Winja CTF and also touched upon previously known knowledge. Glad to post this blog. And a huge shoutout to CaptainFreak for encouraging me to play Winja CTF.

Thanks for reading.

Happy Hacking B)
CaptainNick.