Writeup – EscapeFromHell 1-4 (TUCTF)

Special thanks to our friends at CaptureTheSwag for giving me the 5-minute version of how2play LVM and saving heaps of time fucking around setting this challenge up, and for the helpful hint with Level 3.

This weekend, I participated in the TUCTF competition. In this competition, I did part of the EscapeFromHell challenge. The challenge was presented in 9 parts – each part had a clue, and was presented in a VM.

This challenge was presented initially as a 7z file at just over 1GB of size, unzipping to what appears to be a VMware Virtual Machine:

dont download this over 4g

dont download this over 4g

I didn’t have VMWare installed, so I first tried creating a new virtual machine and booting from the existing hard-drive: unfortunately, this wanted a disk encryption password, which I didn’t have at this stage.

My next approach was to try to mount the vmdk files in an existing virtual machine – I started a new Ubuntu virtual machine, and attached the EscapeFromHell-cl1.vmdk file to it as an additional hard-drive.

This time, the Ubuntu virtual machine started cleanly, and showed a bunch of virtual drives, one of which came pre-mounted:

level 0

level 0

A quick “file” indicated that README.EXE was actually a text file, and this contained the password to decrypt the first of the challenge volumes (in the LVM sense).

Interlude – LVM and You, the Untold Story

I didn’t know how to mount additional encrypted LVM volumes at this point, but after 15 minutes of fiddling around and a bit of Google, I had a solution which worked:

  • cryptsetup luksOpen /dev/sdb{x} sdb{x} (x started at 5 for me to unlock challenge volumes, will depend on existing drive setup).
  • vgchange -ay
  • lvscan to confirm

Level 1: Lust/Meowcode

The first level of this challenge was a text file, containing a variant of Ook!.

Ook has three tokens (Ook. / Ook? / Ook!), and this thing has three tokens (Purr! / Mew! / Meow!). From here, it’s simply a matter of brute forcing which token maps to which, and then passing it through an Ook interpreter / converting Ook to brainfuck and passing it through a brainfuck interpreter, giving us our first flag:

i like brute forcing

i like brute forcing

The inside of this flag “meowcode>ookanyday” was the decryption key for /dev/sdb6, leading us to level 2.

Level 2: Greed/Maze

Level 2’s volume showed up with a story text file, and “findthekey.jpg”. A quick “file” showed that this was a 64-bit executable, so off to IDA Pro it went. A quick analysis showed that it wanted you to play a game… but first, we needed to build the ncurses with wide character support:


./configure; make; make install

Once the program was working, we quickly realized that it would actually crash with a segfault when you reached the “door”:

mother fucker

mother fucker

A bit of further analysis in IDA Pro shows a function called printFlag, which included a simple check to see if you just called it directly, a reference to the actual flag and a static xor decryption routine:

fuck the crypto key,we'lldo it live!

fuck the crypto key,we’lldo it live!

We didn’t know the decryption key, but we knew the encrypted flag, the first few characters of the decrypted flag and the fact that cipher xor key = plain, key = cipher xor plain. All we then had to do was xor the first character of ciphertext (2EEh) with the known plaintext ( ord(‘t’) ) to get the decryption key (666), and then xor the rest of the ciphertext with this for the flag:



Level 3: glowing.gem

Level 3 presented us with a a story file, “glowing.gem” and “flag.txt”. A quick “file” once again shows that this is a Linux executable, not a traditional Ruby gem. On the advice of a fellow explorer of the internet, I cheesed this level by dumping the contents of memory, and running strings across it for the flag:


Onwards, to Level 4!

Level 4: rage.exe

Upon decryption, level 4 gives us a LVM with “rage.exe” in it’s root. “file” shows that this is once again a Linux executable. This is a “check-only” executable: that is, it doesn’t contain the key, it simply checks your input and tells you if you entered the correct key.

Fortunately, the executable is reasonably structured and symbols are left in (though names like compareMeow are less than optimal), so we can quickly get to the area around 0x400FDA, which is the “check” routine:


too many maths operations


Following the spider’s web from here, we quickly find ourselves at two interesting bits of data: mewOne, and compareMeow (cleaned up as arrays for neatness):

.data:00000000006018C0 mewOne dd 't', 'c', 'f', 'A', 'd', 'e', 'p', 'r', 'e', 'o', 6 dup(0)
.data:0000000000601900 compareMeow dd 10h, 0F9h, 0Ch, 0CBh, 13h, 0F4h, 16h, 99h, 6, 0AEh
.data:0000000000601900 dd 42h, 88h, 9, 0DEh, 18h, 0B1h, 2Ah, 0D6h, 51h, 9Bh

mewOne is quickly apparent as every second character of the flag, while compareMeow is a series of tuples (offset, sum):

  • For even characters, next_char = sum + offset – next_char
  • For odd characters, next_char = sum – offset – next_char

From here, 10 minutes of Python leads us to the flag, which we can check with the executable:



At this point, I stopped because I wasn’t able to solve level 5 before I went to sleep, and the CTF had concluded by the time I woke up (and the servers are down =[).

Thanks again to the TUCTF crew for putting together this event. I think this challenge was structured in a very innovative way, and hope to see more of this type of challenge in future.

About Norman

Sometimes, I write code. Occasionally, it even works.
This entry was posted in Bards, Computers, Jesting and tagged , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s