DarkCTF — 2020 Writeups

RDxR10
Oct 3, 2020

Here are the writeups of some challenges from DarkCTF, which was held on September 25–27 (authored by me and collaborators).

1. Crypto/Ee See Bee

This was a DES-ECB challenge. A subtle hint can be derived from the challenge name, which signifies “ECB”, and from the “des” in “desk”. The files included a .enc file and a key. Decrypting the .enc file twice leads us to the flag.

The text file:

Flag : darkCTF{pr377y_0utd473d_3ncryp710n_574nd4rd}

2. Crypto/Embrace The Climb

This was a classic Hill Cipher challenge with the modulus being 40. Looking at the ciphertext, one may see that the letters aren’t capitalized and that the digits are in the range [0,9]. One may also notice that the ciphertext contains {, } and the space character.

The tricky part: a typical flag contains underscores, i.e. “_” (unless it is completely numeric). So the scheme/format for the alphanumeric characters could be:

“abcdefghijklmnopqrstuvwxyz0123456789{}_ ”

In case of confusion, one may refer to: https://stackoverflow.com/questions/8509262/will-alphanumeric-contain-and-space

Running the script would yield :

Decrypted message: {h1ll_cl1mb1n9_15_h4rd_bu7_n07_7h3_c1ph3r__7h3_b357_v13w_c0m35_4f73r_7h3_h4rd357_cl1mb}

Flag: darkCTF{h1ll_cl1mb1n9_15_h4rd_bu7_n07_7h3_c1ph3r__7h3_b357_v13w_c0m35_4f73r_7h3_h4rd357_cl1mb}
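
How a Hill cipher behaves over this 40-symbol alphabet, as an added example that is not the script from the original writeup: because 40 is composite, a key is only usable when its determinant is coprime to 40. The 2x2 block size, the symbol order, the key and the message are assumptions constructed for this example.

```python
from math import gcd

# Assumed symbol order; the writeup only says the alphabet "could be" this one.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789{}_ "
M = len(ALPHABET)  # 40 = 2^3 * 5, a composite modulus

def invert_key(key):
    """Inverse of a 2x2 key modulo M; it exists only if gcd(det, M) == 1."""
    (a, b), (c, d) = key
    det = (a * d - b * c) % M
    if gcd(det, M) != 1:
        raise ValueError(f"det {det} shares a factor with {M}: key not invertible")
    inv = pow(det, -1, M)
    # Adjugate matrix scaled by det^-1, reduced modulo M.
    return [[d * inv % M, -b * inv % M], [-c * inv % M, a * inv % M]]

def transform(key, text):
    """Multiply each pair of symbols (as a column vector) by the key, modulo M."""
    if len(text) % 2:
        raise ValueError("text length must be a multiple of the block size 2")
    nums = [ALPHABET.index(ch) for ch in text]
    out = []
    for x, y in zip(nums[0::2], nums[1::2]):
        for row in key:
            out.append(ALPHABET[(row[0] * x + row[1] * y) % M])
    return "".join(out)

# Constructed key and message (the challenge's real key is not on this page).
KEY = [[7, 8], [11, 11]]             # det = -11 = 29 (mod 40), coprime to 40
PLAINTEXT = "{hill_c1ph3r_m0d_40}"   # 20 symbols, a whole number of blocks
CIPHERTEXT = transform(KEY, PLAINTEXT)
RECOVERED = transform(invert_key(KEY), CIPHERTEXT)

if __name__ == "__main__":
    print("ciphertext:", CIPHERTEXT)
    print("recovered: ", RECOVERED)
```

Encryption and decryption are the same matrix multiplication; only the key differs.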

3. Crypto/Duplicacy Within

The challenge contains a link showing a case of Bitcoin Transaction: https://www.blockchain.com/btc/tx/83415dded4757181c6e1c55104e2742a6f8cff05a9a46fbf029ae47b0054d511

Here, the “r” values are duplicated, i.e. they are the same.

An explanation is provided in the comments of the following script:

Running the script gives us :

791198f7b09c5e63fc5798df41c4090d2265d8066e4d4a917a9d604f17ccf856

Flag : darkCTF{791198f7b09c5e63fc5798df41c4090d2265d8066e4d4a917a9d604f17ccf856}

4. Misc/Secret Of The Contract

This challenge was based on info hidden in the transaction history of the associated contract. Info can be extracted from https://ropsten.etherscan.io/

My teammate - Catamob has provided the writeup for this challenge here: https://mukhilan.com/Writeups/darkctf-official-secret-contract/

Flag : darkCTF{3th3r3um_570r4g3_7r4n54c710n}

5. Misc/Amidst Bits and Bases

Looking at the file given along with the challenge we see the message:

  • This hints at the fact that no such “decoding” is required.
  • The phrase 200 x 200 = 40,000 is another clue, hinting at an image of size 200x200.
  • By replacing each 1 with (255,255,255,255) and each 0 with (0,0,0,255) we get a QR code.
  • This can be achieved with the PIL module in Python.

Script :

  • This script converts the given pixel data and saves a PNG as qrcode.png.
  • This QR code leads to a gofile link.
  • To scan the QR code, the tool zbarimg (under zbar-tools) can be used.
  • To download the zbarimg tool:

sudo apt install zbar-tools

  • To decode the QR code:

zbarimg qrcode.png

  • The link: https://gofile.io/d/kZhYQt
  • Now, we have some qubit states and bases.
  • The Quantum Key Distribution Protocol is based on the fact that a qubit can change its state. Qubit measurement is dependent on bases.
  • Eve (the interceptor) has guessed the bases which the sender used, so the information is not private anymore.
  • The bits are encoded in X and Z bases which are formed by their respective eigenstates. Reference: https://qiskit.org/textbook/ch-algorithms/quantum-key-distribution.html
  • The Mapping:
X and Z bases

So the mapping is simple and finally, we just need to convert the zeros and ones into ASCII text. A script may not be required for it, but here it is:

Flag: darkCTF{quan7um_k3y_d1stribu7ion_pr0t0c0l_/0/1_}

6. Misc/Disbanded Covert Unit

Initially one had to run strings on the given image file.

strings img_.jpg

Output:

Upon running strings

We don’t see anything here (as the phrase correctly describes), so we open up an editor to view the text.

Looking at this won’‌‌‌​‌‌‌⁠‌‌​​‌​‌⁠‌‌​‌‌​​⁠‌‌​‌‌​​⁠‌​‌‌​​⁠‌​​​​​⁠‌‌‌‌​​‌⁠‌‌​‌‌‌‌⁠‌‌‌​‌​‌⁠‌​​​​​⁠‌‌​​‌‌​⁠‌‌​‌‌‌‌⁠‌‌‌​‌​‌⁠‌‌​‌‌‌​⁠‌‌​​‌​​⁠‌​​​​​⁠‌‌​‌​​‌⁠‌‌‌​‌​​⁠‌​​​​​⁠‌‌​​‌‌‌⁠‌‌​‌‌‌‌⁠‌‌​‌‌‌‌⁠‌‌​​‌​​⁠‌​​​​​⁠‌‌​‌‌​​⁠‌‌‌​‌​‌⁠‌‌​​​‌‌⁠‌‌​‌​‌‌⁠‌​​​​‌⁠‌​​​​​⁠‌‌‌​‌​⁠‌​​​​​⁠‌‌‌​‌‌​⁠‌‌​‌​​‌⁠‌‌‌​​‌‌⁠‌‌​‌​​‌⁠‌‌​​​‌​⁠‌‌​‌‌​​⁠‌‌‌‌​​‌⁠‌‌​‌​​‌⁠‌‌​‌‌‌​⁠‌‌‌​‌‌​⁠‌‌​‌​​‌⁠‌‌‌​​‌‌⁠‌‌​‌​​‌⁠‌‌​​​‌​⁠‌‌​‌‌​​⁠‌‌​​‌​‌t be useful enough

Zero-width steganography is involved here; so we “desteganographize” the text here: https://neatnik.net/steganographr/

We get:

The other part of this challenge is based on outguess(without any password involved).

outguess -r img_.jpg text.txt

We get utf-8 encoded strings. Upon decoding, we get a link at the end of the text file which is https://bit.ly/3hGT3Qk.

The link leads to 3 broken QR codes (all in PNG format). Some basics of photo editing using GIMP or Photoshop would do the job for us.

Broken QR codes

The following are the steps to be followed:

  • So, first step: open them all separately and remove the background white from them. You must get a transparent background with the black part of the QR code remaining in all 3.
  • Now choose the one which is in the normal orientation of the QR (getting an idea from the small and big squares at the corners) and add 2 new transparent layers on the top of it.
  • Copy the other QR and paste it on the new layer, rotating layers when needed to match the stuff so that some part of the QR is patched up.
  • Do the same with the last part until the QR seems to be ready.
  • Finally, merge all the layers into one, select the background, and color it white.
  • Scan it directly to get to the next part or export as a png.
Patched Up QR

Scanning the QR would lead to a final link:
https://mega.nz/file/y0kViAZL#HDt0LBB7MLIiWt2r-egjIQZIzaIjoMKg2LhpqjK8ui0

Unzipping the zip file requires a password (prompted). We have nothing with us except:

visiblyinvisible

So we use it to unzip our zipped file, to get some images. Parts of the flag can be seen in them.

Images having parts of the flag
Flag : darkCTF{y0u_s33_7h3_fl49_n0w_r19h7?}
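
For the zero-width step earlier in this challenge, an added example (not part of the original writeup) that flags invisible characters in a string and decodes them offline. It assumes the encoding is U+200B for 0, U+200C for 1 and U+2060 between characters, each character being its code point in unpadded binary; the hidden message in the sample and the function names are constructed for this example.

```python
import unicodedata

# Assumed encoding: each hidden character is its code point in unpadded binary,
# U+200B = 0, U+200C = 1, with U+2060 between characters.
ZERO, ONE, SEP = "\u200b", "\u200c", "\u2060"

def hide(cover, secret, at):
    """Build a test sample: insert the zero-width payload into cover at index `at`."""
    bits = SEP.join(format(ord(ch), "b") for ch in secret)
    return cover[:at] + bits.replace("0", ZERO).replace("1", ONE) + cover[at:]

def invisible_chars(text):
    """List (index, code point, name) for every format-class (Cf) character."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"))
            for i, ch in enumerate(text) if unicodedata.category(ch) == "Cf"]

def reveal(text):
    """Split text into its visible part and the decoded hidden message."""
    carriers = (ZERO, ONE, SEP)
    visible = "".join(ch for ch in text if ch not in carriers)
    hidden = "".join(ch for ch in text if ch in carriers)
    groups = [g for g in hidden.split(SEP) if g]
    secret = "".join(
        chr(int(g.replace(ZERO, "0").replace(ONE, "1"), 2)) for g in groups)
    return visible, secret

# Constructed sample: the visible sentence is the one from the writeup,
# the hidden message is made up for this example.
COVER = "Looking at this won't be useful enough"
SECRET = "constructed secret"
SAMPLE = hide(COVER, SECRET, 20)

if __name__ == "__main__":
    for hit in invisible_chars(SAMPLE)[:3]:
        print(hit)
    print(reveal(SAMPLE))
```

Running `invisible_chars` over text before it is displayed or stored shows a payload that `strings` and an ordinary text view do not.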

7. Misc/The Letter Conference

The keys given represent a pattern that is in the "QWERTY" format. The keys seem to encircle a particular key, that is, they seem to be in a "conference" (with some letter/number in the middle). For the given keys, they are right-shifted once in the same layout. So the flag is found by left-shifting the keys once and finding out the encircled letters.

Using https://www.cross-browser.com/toys/qwertyshifter.html we left shift the keys to get :

8ujko9 rdcvgt   6tghu7 9iklp0 7yhji8   3er5 4edft5 3wsdr4   wazxde 3wsdr4 3wsdr4 8ujko9 bhjm tfvbhy   8ujko9 rfgy   6tghu7 9iklp0 7yhji8   3er5 4edft5 3wsdr4   9iklp0 bhjm   4edft5 8ujko9 tfvbhy ygbnju rfgy   0ol;[- 3er5 rfgy ygbnju   rdcvgt ok,.;p 3er5 tfvbhy   8ujko9 wazxde   tfvbhy 8ujko9 vghn vghn 3wsdr4 4edft5 8ujko9 wazxde ygbnju   ijm,lo 3wsdr4 6tghu7 vghn 9iklp0 3er5 4edft5 esxcfr
7ui9 9op- 6yu8 8io0

Encircled letters/numbers : ifyou4reseeingityou4reonrightp4thfl4gisgibberishkeybo4rd8079

Flag : darkCTF{gibberishkeybo4rd8079}

8. OSINT/The Bait

For this challenge, one may find the articles by NeeP on https://neep.ml/ displayed on his Twitter account and look for the relevant keywords to get the article on the PayPal scam, or directly go to https://www.scammer.info/u/NeeP for information.

Two of the articles which lead to the flag are :

Flag : darkCTF{9911834488_Navkar_Infotech_mayurply.com}
