Writeup – Invest (NDH)

Posted on April 3, 2016 by Norman

This weekend, I took part in the Nuit du Hack quals. Running over 24 hours (Saturday in my timezone), this CTF was a sobering reminder of the effect of time limits: I easily burned 4 hours (25% of productive time!) on a challenge I wouldn’t realistically solve.

Of this CTF, the most interesting – though barely worth any points – challenge I found was the “invest” forensics challenge – it’s not an area I have any actual experience. The challenge starts off with you being provided a pcap file, and a little few ~words~ about someone having built an encryption system.

Taking the pcap, we quickly notice HTTP objects being retrieved from a web server. We can use Wireshark to quickly dump all the files, and we end up with a stack of “encryptxx” files, as well as a logic gate diagram and “key.txt”:

:o so many files

😮 so many files

I didn’t know at first what to do with the “encryptxx” files, so I set them aside and looked at the diagram and key.txt. At a glance, the logic gate setup turns 8 inputs into a single output, and the length of “key.txt” is disivible by 8, and the result is divisible by 8 again (i.e. if we pass it through the logic gates, it should come out as a clean series of bytes). I quickly built a Python representation of this diagram:

these symbols, how do i logic

these symbols, how do i logic

Running this provides the key “4Ukz95F2YqPi”. Submitting this didn’t work, so I went back to the encryptxx files.

All the encryptxx files look like they’re base64’ed, so I cat’ed them together (cat * > out.bin works – your shell handles expansion of the wildcard, so everything is already in alphabetical order). Decrypting the resulting file gives this:

yes hello this is dog

yes hello this is dog

Almost there! A quick Google search on the “Salted__” header reveals that this is an OpenSSL encrypted file, and a bit of fiddling around with OpenSSL reveals how to decrypt it:

openssl enc -d -aes-256-cbc -a -salt -in encrypt_total -out file.bin

“file” reveals the output file to be Microsoft Word document, with a picture that you can move aside to reveal the key:

peekaboo motherfucker

peekaboo motherfucker

This challenge was a lot of fun, and didn’t get solved by many people until later in the CTF. Props to the Nuit du Hack team for putting this one together, looking forward to next year’s CTF!

 

About Norman

Sometimes, I write code. Occasionally, it even works.
This entry was posted in Bards, Computers, Food. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.