Writeups – Shane and the Binary Files, MI6 (Pragyan CTF)

Over the past few weeks, numerous side projects (including starting lecturing for the COMP6443 course at UNSW, as well as attempting to unravel the fucking magic carpet ride that is OpenBTS) have significantly reduced the time I’ve been able to spend playing CTFs. This weekend, I was happy to at least participate in the Pragyan CTF.

I have documented two of the challenges I was able to complete in the time allocated. Without further ado:

Shane and the Binary Files

This challenge was presented as an archive, containing three Java class files. You can download this here.

Upon unzipping the archive, we are met with three Java .class files. These are obfuscated to a trivial degree, and could be decompiled using jd-gui. The most interesting code was found in nq2eige2ig2323f.class:

[Screenshot: parallel_magic – decompiled nq2eige2ig2323f.class]

This appeared to be a simple comparison test – that is, the user entered a “key”, and if it matched the program’s expectation, it would print out the flag (or at least something useful). We could emulate this condition by placing the “win” condition into an empty Java application. A few moments of Java later, and we have the flag:

[Screenshot: parallel_solve – Java solution output]

You can download the final Java solution used here.

MI6

This challenge was presented as an executable file, which you can download here. Furthermore, we were provided with a ciphertext, which we were to decrypt. This was as follows:

"26 25 30 28 22 25 20 23 21 29 22 24 26 23 21 26 27 20 28 22 25 23
 30 29 23 28 24 20 21 26 25 20 23 27 23 29 25 22 23 26 27 29 24 23
 30 21 25 24 26 20 24 22 21 30 26 20 25 24 21 23 27 29 26 22 20 21
 23 22 30 26 29 26 28 27 22 20 27 29 26 30 28 27 26 23 29 21 22 25
 27 24 21 29 25 24 20 25 23 22 30 28 27 29 25 20 24 21 23 20 23 21
 29 26"

Upon initial inspection, it is clear that not all is as it seems – this is a Linux executable bash script, rather than a Windows executable. On further inspection, this appears to unpack and install a piece of Ruby code. By commenting out the installation operation, we are able to retrieve the Ruby script, reverse_1.rb:

[Screenshot: mi6_nops – extracted reverse_1.rb]

For me, this was an interesting challenge, as I have minimal experience with Ruby, having used it a grand total of once previously. As such, I began Googling various bits of Ruby syntax in order to understand the code.

At this point, a helpful hint from our comrades at CaptureTheSwag shortened the process – the code was from StackOverflow, and was being used without attribution.

This helped put context around the code. A little bit of Googling later, and I understood the concept it was trying to implement:

[Screenshot: mi6-wikipedia – integer partition article]

In a nutshell, the code would:

  • xor each character by 61 (decimal 61, not the usual 0x61)
  • “partition” the resulting number, using only numbers between 20 and 30
  • print out all the integer partitions together

From a decryption standpoint, the challenge would be to automatically determine how many numbers made up one partitioned character – especially considering that in certain circumstances, there could be multiple options. Given the time constraint, I built a Python script which allowed me to manually try various combinations until I got the flag:

[Screenshot: mi6 – Python decoding script]

You can download the Python script here.
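To make the three steps above and the regrouping problem concrete, here is an added example (my own code, not the author’s script or the challenge’s Ruby): it encodes a constructed plaintext with the same xor-then-partition scheme and then enumerates every regrouping of the output that decodes to a chosen alphabet. The partition strategy (fewest, most even parts) and the alphabet filter are my assumptions; the page does not say which partition the Ruby code picks.

```python
from math import ceil

KEY = 61          # the xor constant the script uses (decimal 61, not 0x61)
LO, HI = 20, 30   # every emitted number lies in this range
PRINTABLE = {chr(c) for c in range(32, 127)}

def partition(v, lo=LO, hi=HI):
    """Split v into the fewest parts in [lo, hi], as evenly as possible (an
    assumed strategy; the writeup does not say which partition the Ruby picks)."""
    k = ceil(v / hi)
    if k == 0 or k * lo > v:
        return None                    # e.g. digits: ord('0') ^ 61 == 13 < lo
    base, rem = divmod(v, k)
    return [base + 1] * rem + [base] * (k - rem)

def encode(plaintext):
    """xor each character with KEY, partition it, concatenate all the parts."""
    out = []
    for ch in plaintext:
        parts = partition(ord(ch) ^ KEY)
        if parts is None:
            raise ValueError(f"{ch!r} cannot be encoded with parts in [{LO}, {HI}]")
        out.extend(parts)
    return out

def decode(numbers, alphabet=PRINTABLE, lo=LO):
    """Every regrouping of `numbers` whose groups (summed, xored with KEY) all
    fall in `alphabet`; narrowing the alphabet collapses the ambiguity."""
    allowed = set(alphabet)
    max_v = max(ord(ch) ^ KEY for ch in allowed)
    max_len = max_v // lo              # longest group any allowed char needs
    results = []
    def walk(pos, acc):
        if pos == len(numbers):
            results.append("".join(acc))
            return
        for n in range(1, max_len + 1):
            if pos + n > len(numbers):
                break
            total = sum(numbers[pos:pos + n])
            if total > max_v:          # groups only grow, so stop here
                break
            ch = chr(total ^ KEY)
            if ch in allowed:
                walk(pos + n, acc + [ch])

    walk(0, [])
    return results
```

With the constructed sample `encode("agent")`, `decode` over full printable ASCII returns many candidates (every single number in 20..30 already xors to a printable character), while `decode(cipher, "abcdefghijklmnopqrstuvwxyz")` returns only `["agent"]`.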

I’d like to thank the Pragyan CTF organisers for hosting this event, and while it could be argued that the clues for this event were too cryptic / the challenges did not “lead the player through” a logical sequence (evidenced by the extremely low – near 10% – solve rate of most challenges), I enjoyed solving some of these challenges nonetheless.

See you in the 0CTF qualifiers in two weeks 🙂

About Norman

Sometimes, I write code. Occasionally, it even works.