Really Small Algorithm

Cryptography [150 pts]

This problem is titled Really Small Algorithm. Since the title has the initials R-S-A, I assumed it was an RSA challenge.

Lets open the address in netcat:

It opens up to a very familiar set of numbers: N, E and C (or in this case CT; both C and CT stand for ciphertext).

So, since we have everything, this shouldn't be that hard to decipher.

After a few minutes of online searching, I came across a Stack Overflow post where someone suggested using a tool called RsaCtfTool.

Here is the link to it:
https://github.com/Ganapati/RsaCtfTool

After I git cloned it to my desktop on Kali Linux, I opened up a terminal and cd'd into the tool's directory.

Let's go back to the post to see how to format our command,

which gives it as: python RsaCtfTool.py -n {n} -e {e} --uncipher {c}

I replicate the command using the numbers we got from the challenge. (However, I substituted python3 for python, as that was the version of Python I had installed on my machine.)

Lets try it:

It worked! Even though we got some errors along the way, the tool 'unciphered' the ciphertext (down there at the bottom).

Flag: ractf{S0m3t1mesS1zeDoesM4773r}

RAirways

OSINT?? [200 pts]

This 200-point "OSINT" problem is kind of strange. I would classify it as more of a forensics problem, since the way you solve it is forensics-based… right?

Part of the description reads: ‘Agent. We found a target posting strange images of boarding passes to his Instagram. None of the guys at base can figure it out, but we think he’s been using the images to exfiltrate data.’

An interesting title for an OSINT problem, but whatever.

Everything looks normal, except that instead of a map locator like the five other OSINT problems, this one has the standard text flag format.

So right away we know we are looking for an actual flag.
Let's take a look at the attached image.

Immediately I began searching for the details on the boarding pass, but found nothing. "RAirways" does not seem to reference anything, and the flight numbers and details don't reveal anything either. I spent about 15 minutes searching for a way to solve this using typical OSINT techniques.

I kept looking at the Enigma code book under the boarding pass, at the numbers, the barcode and the letters, and my mind kept going to forensics and cryptography techniques I might use to extract data from the image. But I kept reminding myself: "No no no, this is an OSINT problem, I'm not going to be able to extract any data hidden in the image itself." So I left it at that.

After thinking for a while, I thought, "hmm, I might as well check out that barcode anyway", and so I did. I opened the image in GIMP and turned the barcode into something a reader could take:

rotating the image
cropping the image

Now I went to an online reader, selected the type of barcode this is (it appears to match the PDF417 type), uploaded the image, and let it process it.

However, it detected no barcode. Strange, I thought – until I realized that the colors of the barcode may be different.

Comparing this stock PDF417 barcode to ours, it looks like the color scheme is inverted.


White bars on a black background (above) instead of black on white.

This was easily fixable with GIMP's color-invert function:

After uploading that to the online barcode-reading site, we get the flag.

…Yep, I solved the OSINT problem using standard forensic tactics.
(I'm not sure how open-source intelligence was supposed to be used to solve this problem, because I sure didn't use any.)




Flag: ractf{B0ard1ngP4ssD4t4}

Brick by Brick

OSINT [400 pts]

The 'toughest' OSINT problem at 400 pts didn't turn out to be too tough.

It appears the story continues, and the man is still on the run. After intercepting an email, we get another photo.

It asks us to find the town where this photo was taken. Fair enough, let's get searching.

First off, the red sign on the gate has some text.

I had a lot of guesses as to what it said. My first guess was "Portal del Possi", or perhaps "Polsi". However, this and variants of it turned up nothing in my Google searches.

Taking another look at the photograph, I noticed some flags. This may give me a clue.

I did not recognize the flag immediately, but after a search I found out it was the "Estelada", the Catalan independence flag.

I ended up not clicking the Wikipedia link and simply googled the flag name again, which gave me this:

My eyes glanced at this particular word, “Països”

Perhaps that is the unidentifiable word on the sign? I thought I would give it a try.


However, this turned out to be a dead end.

I searched once more for a more detailed description of the image we got, and I included the word “bridge” alongside the search term.

Scrolling down, my eyes stumbled across one particular image…

This is the exact same bridge, just photographed from a different angle!

Luckily, Wikipedia always has good sources for their images.

After a Google Maps search, I found the location of this bridge

and put the link into the RACTF maps locator. It was correct.

Remote Retreat

OSINT [250 pts]

This is the first OSINT (Open Source INTelligence) challenge I have done in a while. While I sometimes find these extremely frustrating, I also find them pretty worthwhile to do anyway.

The problem opens up telling us we are to find the location this photo was taken.

Submitting the flag is easy: you click somewhere on the map, and if it's within 500 meters of the correct location, it counts.


Okay, let's get hunting. Right away we can see that there is a sign:

To me that looks like “tbe HAKA ba*” (the last letter was cut off) with the words “créperie snack” in caps below it.

First, I googled "créperie snack" and found some TripAdvisor links, but they pointed to seaside towns in France. I entered that as the flag, but it was wrong, as I had expected.

I then started to google "tbe HAKA ba", but to no avail. Then I googled "HAKA créperie snack" and found something promising.

The TripAdvisor link led me to a collection of photos of a snack shop in France.


Taking a look through them, one photo caught my eye.


The HAKA Bar. That may be what I am looking for. His head covers the word, but I believe it also says CREPES, or something along those lines. The rest of the photos look similar too; the area and landscape closely match what we saw in the initial CTF image.

So now we just have to figure out where this shop is. Since these photos were taken in Morzine, France, I added that to the search terms.

This could be it; let me open it in Google Maps.

With this, I simply copied the link and entered it into the location tool on the CTF page. I clicked in the general location of the bar, hit submit flag, and it worked.

Zipped Up

Miscellaneous [70 pts]

It appears that the file in question has been zipped many times. Sure enough, when I click the link it downloads a .zip file.

Unzipping it produces a folder named "0", and inside that folder is another archive, this time ending in .tar.bz2.

Extracting that gives another folder, named "1", and in that folder there is a file named 1.tar.

When that is extracted, it reveals a .txt file and yet another archive.

Opening the .txt, we get a flag. However, it claims it is not the flag.

It really is not the flag.

When I kept extracting, the pattern repeated. Every few layers there would be another .txt file with the same message.

Okay, so I have to write a script to automate this process. Let's jump into Linux.

I created a simple bash script to run a few terminal commands over and over. First the script itself, then a loop:

#!/bin/bash
MYNUM=1

while [ "$MYNUM" -le 999 ]
do
    # the extraction commands go here
    MYNUM=$(( MYNUM + 1 ))
done

Every time it loops, the variable MYNUM increases by one; once it passes 999 the condition fails and the loop stops, so the body runs about a thousand times.

Okay, let's add some commands. At first I thought I would use the tar command to unpack the tar files, and gzip, bzip2 and the rest for their respective file extensions. However, I realized that would just be troublesome: I don't want to manage three or four different tools and commands to unpack each file type, right? So I looked for a single tool that can unpack every file extension, and of course my favorite is 7-Zip.

On Linux, the command-line tool is p7zip. Let's add it into the loop.

All this command does is look for any file in the current directory and attempt to extract it:

7z x *.* -oA

7z (the command), x (extract with full paths), *.* (wildcard, any file name with any extension), -oA (output into a new directory named "A").

Then we have to make a way for the terminal to change directory into that new folder. This way, when it repeats, it will unzip the new .zip instead of the old one.

However, notice how I specifically asked 7-Zip to create a new directory every time? Wouldn't the folder that comes out of the archive be enough? Not exactly. I forgot to mention that every so often an archive did not contain a folder; sometimes it contained only the next archive. That breaks my script: the new archive would land next to the one it came out of, *.* would match both files, and since the shell expands the glob to both names, 7z treats the second name as a file to extract from the first archive rather than as a second archive. Because of this, I made 7-Zip create a new directory every time. That in turn means I have to tell the script to change directory twice.

cd */ (changes into whatever subdirectory is here, first A)
cd */ (changes into whatever subdirectory is here, the folder that came out of the archive)

However, we can't quite run the script yet. Remember the .txt files containing the false flag? We need to get rid of those, since with two files in the directory *.* expands to both names and the 7z command no longer does what we want.

To do this, I simply used the mv command to move them into another directory. Since this has to happen before the 7zip command gets activated, I put it first in the loop.

mv *.txt /home/kali/Documents/txts/ (Moves any file that ends in .txt to a folder I created in my Documents directory)

And with that, it's ready to run. Let's put all our files into a testing directory.

My script ^

Plus 4.tar.gz (remember how I unzipped a few layers by hand to get an understanding of the contents? I still had them, so I just copied the lowest one I had.)


Let's jump into a terminal.

How you run the bash script ^

Now, you can't see this in my screenshot, but the script runs extremely fast. It was no more than a blur when I tried to take this screenshot.

After the script stopped doing any work and 7-Zip was throwing "No such file or directory" errors (meaning I had extracted all the way down to the last archive), I went back to examine my .txts.

There are 1001 items (I went back and added the first few, for aesthetics).

Now, let's find the one that does not contain the message "tjctf{n0t_th3_fl4g}".
Some people wrote yet another script to do this, but instead I just sorted by size.

Hmmm, 829.txt has a different file size than the other 1000? How peculiar.

Oh, yeah. Its because it contains the flag.



Flag: tjctf{p3sky_z1p_f1L35}
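Here is the same procedure in Python, as an added example rather than the bash script above: it extracts layer after layer with the standard library's zipfile, tarfile, gzip and bz2 modules (so nothing outside the interpreter is needed), refuses archive members that would escape the output directory, collects every .txt, and reports the ones that do not match the decoy message. The nested archive it unwraps is constructed inside a temporary directory by the block itself; SAMPLE_FLAG is a placeholder string, not the challenge flag.

```python
# Added example (not the write-up's bash script): unwrap a nested archive
# with the standard library and pick out the .txt that is not the decoy.
import bz2
import gzip
import os
import tarfile
import tempfile
import zipfile

DECOY = "tjctf{n0t_th3_fl4g}"                       # decoy text from the challenge
SAMPLE_FLAG = "EXAMPLE{constructed_sample_flag}"    # placeholder, not the real flag


def _inside(dest, name):
    """True if member `name` extracts inside dest (blocks ../ and absolute paths)."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, name))
    return target == root or target.startswith(root + os.sep)


def extract_one(path, dest):
    """Extract one archive layer into dest; False if path is not an archive."""
    os.makedirs(dest, exist_ok=True)
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as z:
            if not all(_inside(dest, m.filename) for m in z.infolist()):
                raise ValueError(f"unsafe member in {path}")
            z.extractall(dest)
    elif tarfile.is_tarfile(path):                 # .tar, .tar.gz, .tar.bz2
        with tarfile.open(path) as t:
            members = t.getmembers()
            if not all((m.isfile() or m.isdir()) and _inside(dest, m.name) for m in members):
                raise ValueError(f"unsafe member in {path}")
            t.extractall(dest)
    elif path.endswith((".gz", ".bz2")):            # bare gzip/bzip2 of a non-tar file
        opener = gzip.open if path.endswith(".gz") else bz2.open
        out = os.path.join(dest, os.path.basename(path).rsplit(".", 1)[0])
        with opener(path, "rb") as src, open(out, "wb") as dst:
            dst.write(src.read())
    else:
        return False
    return True


def unwrap(archive, workdir):
    """Extract layer after layer; return the paths of every .txt found."""
    pending, texts, layer = [archive], [], 0
    while pending:
        dest = os.path.join(workdir, f"layer{layer}")
        layer += 1
        if not extract_one(pending.pop(), dest):
            continue                                # leftover non-archive file
        for root, _, files in os.walk(dest):
            for name in files:
                full = os.path.join(root, name)
                (texts if name.endswith(".txt") else pending).append(full)
    return texts


def find_odd_text(texts, decoy=DECOY):
    """Contents of the .txt files whose text is not the decoy message."""
    odd = []
    for path in texts:
        with open(path, encoding="utf-8") as f:
            content = f.read().strip()
        if content != decoy:
            odd.append(content)
    return odd


def build_nested(workdir, depth):
    """Constructed fixture: wrap a flag file in `depth` alternating archive types."""
    os.makedirs(workdir)
    inner = os.path.join(workdir, "flag.txt")
    with open(inner, "w") as f:
        f.write(SAMPLE_FLAG)
    for i in range(depth):
        kind = ("zip", "tar.bz2", "tar", "tar.gz")[i % 4]
        members = [inner]
        if i % 2:                                   # only some layers carry a decoy
            members.append(os.path.join(workdir, f"{i}.txt"))
            with open(members[-1], "w") as f:
                f.write(DECOY)
        out = os.path.join(workdir, f"{i}.{kind}")
        if kind == "zip":
            with zipfile.ZipFile(out, "w") as z:
                for m in members:
                    z.write(m, arcname=f"{i}/{os.path.basename(m)}")
        else:
            mode = {"tar": "w", "tar.gz": "w:gz", "tar.bz2": "w:bz2"}[kind]
            with tarfile.open(out, mode) as t:
                for m in members:
                    t.add(m, arcname=f"{i}/{os.path.basename(m)}")
        inner = out
    return inner


def demo(depth=8):
    """Build the fixture, unwrap it, return (number of .txt files, non-decoy texts)."""
    with tempfile.TemporaryDirectory() as tmp:
        top = build_nested(os.path.join(tmp, "build"), depth)
        texts = unwrap(top, os.path.join(tmp, "work"))
        return len(texts), find_odd_text(texts)


if __name__ == "__main__":
    print(demo())
```

Running demo() builds an eight-layer fixture and returns the number of .txt files found together with the non-decoy contents. The member-path check is the part worth keeping when you point this at an archive you did not build yourself: a zip or tar entry named ../../.bashrc would otherwise be written outside the working directory.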

Hexillology

Forensics [25 pts]

This problem is titled Hexillology, so right from the start we know it has something to do with hex and hexadecimal.

Okay, let's open the link in a new tab. It's a PNG.

Nothing in particular stands out, just some rather bland colors and shapes.

Originally, when I heard the word "hex" my mind automatically went to hex editors. So I quickly jumped into my good friend hexed.it and uploaded the image.

Nothing really stands out. I see two repeating patterns in the hex, but I didn't look at that for long. Of course, I did a quick Ctrl+F for the string 'tjctf' but found nothing.

 

After a few minutes of searching and thinking, I nearly facepalmed because I had missed something really obvious. Hex doesn't just mean the hexadecimal you see in files and memory. Hex is also a format for storing colors, on websites for example. "hurr durr let me open up this image in a hex editor and search the hexadecimal for clues hurr durr"

Anyway, after my idiot phase ended I quickly opened the image in GIMP and took a look at the colors it contained.

 

I used the Color Picker tool to pick out the first greyish color, so I could view its hex value.

In GIMP's case, the hex value is shown as 'HTML notation':

 

I went to an online color-hex lookup site to verify that what I was looking at was the real color.

After that, I simply copied the 6-digit number into a hex-to-ASCII converter and…

ta-da! It begins to spell out the flag!

Okay, let's repeat the process for the other colors. Grab the HTML notation of the middle shape next and enter it into the converter alongside the first one.

It follows the pattern, so I continue.

After I have entered all the colors into the converter, we are left with what appears to be a flag. It doesn't contain a readable message, but when I tried it, it worked. Here is the flag:

Flag: tjctf{pYJrfQK0dbaTPG}
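To avoid picking colors by hand in GIMP, here is an added Python example (not part of the original write-up) that decodes a PNG with the standard library only, lists each distinct color in the order it first appears, and turns the #RRGGBB values into ASCII. The decoder handles 8-bit RGB and RGBA, non-interlaced images with any of the five scanline filters; the tiny sample image is generated by the block itself and its colors spell a constructed string, not the challenge's.

```python
# Added example (not from the write-up): list every distinct colour in a PNG in
# scanline order and read each #RRGGBB as three ASCII bytes. Stdlib only.
import struct
import zlib

_SIG = b"\x89PNG\r\n\x1a\n"


def _paeth(a, b, c):
    """PNG Paeth predictor (filter type 4)."""
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    if pa <= pb and pa <= pc:
        return a
    return b if pb <= pc else c


def _chunks(data):
    """Yield (type, payload) for each chunk after checking its CRC."""
    if not data.startswith(_SIG):
        raise ValueError("not a PNG")
    pos = len(_SIG)
    while pos < len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype, payload = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r}")
        yield ctype, payload
        pos += 12 + length


def decode_png(data):
    """Return (width, height, bytes_per_pixel, rows) with scanline filters undone.
    Handles 8-bit RGB (type 2) and RGBA (type 6), non-interlaced, filters 0-4."""
    idat = b""
    for ctype, payload in _chunks(data):
        if ctype == b"IHDR":
            w, h, depth, colour, _, _, interlace = struct.unpack(">IIBBBBB", payload)
            if depth != 8 or colour not in (2, 6) or interlace:
                raise ValueError("unsupported PNG variant")
            bpp = 3 if colour == 2 else 4
        elif ctype == b"IDAT":
            idat += payload
    raw, stride = zlib.decompress(idat), w * bpp
    rows, prior = [], bytearray(stride)
    for y in range(h):
        off = y * (stride + 1)
        ftype, line = raw[off], raw[off + 1:off + 1 + stride]
        cur = bytearray(stride)
        for i in range(stride):
            a = cur[i - bpp] if i >= bpp else 0         # left
            b = prior[i]                                # up
            c = prior[i - bpp] if i >= bpp else 0       # up-left
            pred = (0, a, b, (a + b) // 2, _paeth(a, b, c))[ftype]
            cur[i] = (line[i] + pred) & 0xFF
        rows.append(bytes(cur))
        prior = cur
    return w, h, bpp, rows


def unique_colours(data):
    """Distinct RGB triples in first-appearance order (top row first, left to right)."""
    w, _, bpp, rows = decode_png(data)
    seen, order = set(), []
    for row in rows:
        for x in range(w):
            rgb = tuple(row[x * bpp:x * bpp + 3])       # alpha, if any, is dropped
            if rgb not in seen:
                seen.add(rgb)
                order.append(rgb)
    return order


def colours_to_text(colours):
    """Read each #RRGGBB value as three ASCII bytes, as the challenge does."""
    return bytes(v for rgb in colours for v in rgb)


def encode_png(width, height, pixels):
    """Minimal RGB writer using the Paeth filter on every row (sample data only)."""
    bpp, stride = 3, width * 3
    out, prior = bytearray(), bytes(stride)
    for y in range(height):
        cur = bytes(pixels[y * stride:(y + 1) * stride])
        out.append(4)
        for i in range(stride):
            a = cur[i - bpp] if i >= bpp else 0
            c = prior[i - bpp] if i >= bpp else 0
            out.append((cur[i] - _paeth(a, prior[i], c)) & 0xFF)
        prior = cur

    def chunk(ctype, payload):
        crc = struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF)
        return struct.pack(">I", len(payload)) + ctype + payload + crc

    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return _SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(bytes(out))) + chunk(b"IEND", b"")


# Constructed 4x2 sample: two flat shapes whose colours spell "hexed!".
SAMPLE_PNG = encode_png(4, 2, ([0x68, 0x65, 0x78] * 2 + [0x65, 0x64, 0x21] * 2) * 2)

if __name__ == "__main__":
    print(colours_to_text(unique_colours(SAMPLE_PNG)))
```

unique_colours keeps first-appearance order (top row first, left to right), which is how the shapes read in the challenge image. On a real file, anti-aliased edges show up as extra colors, so it is worth counting pixels per color and decoding only the colors that cover more than a handful of them.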

RSABC

This problem is called RSABC.

I'd assume this problem has something to do with RSA. Just a guess. And it could maybe have something to do with the "ABCs" of RSA. Who knows.

Let's click the links.

The first link we get is a link to a very refreshing ASMR video of a medieval battle.

After a few minutes of relaxing, I opened the second link.

Here we find a familiar set of numbers: an N, an E and a C.

So since we have everything, this shouldn't be that hard to decipher.

After a few minutes of online searching, I came across a Stack Overflow post where someone suggested using a tool called RsaCtfTool.

 Here is the link to it:

https://github.com/Ganapati/RsaCtfTool

After I cloned it to my desktop on Kali Linux, I opened up a terminal and cd'd into the tool's directory.

Let's go back to the post to see how to format our command,

which gives it as: python RsaCtfTool.py -n {n} -e {e} --uncipher {c}

I replicate the command using the numbers we got from the challenge. Then I press enter.

Hmm, we got an error.

I figured I would try the command using python3 instead of python.

It worked! The tool 'unciphered' the ciphertext (down there at the bottom).

Flag: tjctf{BOLm1QMWi3c}
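Both RSA challenges in this write-up (Really Small Algorithm and RSABC) were solved by handing N, E and C to RsaCtfTool. Here is an added Python example, not the tool's own code, showing what such a tool does when the modulus is small enough to factor: Pollard's rho splits N into p and q, the private exponent d is computed from phi(N), and C^d mod N is turned back into bytes. All numbers are constructed for the demo (a 64-bit N built from two primes below 2^32, and the plaintext "s1ze"); the real challenge values were not recorded above.

```python
# Added example: factor a small RSA modulus and recover the plaintext.
# Not RsaCtfTool's code; the numbers below are constructed for the demo.
from math import gcd


def pollard_rho(n):
    """Return a non-trivial factor of composite n (Pollard's rho with x^2 + c)."""
    if n % 2 == 0:
        return 2
    for c in range(1, 100):            # retry with a new polynomial if the walk fails
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found; n may be prime")


def factor_small_modulus(n):
    """Split n = p*q into its two prime factors, smallest first."""
    p = pollard_rho(n)
    q = n // p
    return (min(p, q), max(p, q))


def modinv(a, m):
    """Modular inverse by the extended Euclidean algorithm."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        k = r0 // r1
        r0, r1 = r1, r0 - k * r1
        s0, s1 = s1, s0 - k * s1
    if r0 != 1:
        raise ValueError("e is not invertible mod phi(n)")
    return s0 % m


def int_to_bytes(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def uncipher(n, e, c):
    """The whole attack: factor n, derive d from phi(n), decrypt c, decode as bytes."""
    p, q = factor_small_modulus(n)
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)
    return int_to_bytes(pow(c, d, n))


# Constructed challenge values: a 64-bit modulus (a real one is 2048+ bits).
P, Q = 4294967279, 4294967291          # both prime, both below 2^32
N = P * Q
E = 65537
MESSAGE = b"s1ze"                       # sample plaintext, not the challenge flag
C = pow(int.from_bytes(MESSAGE, "big"), E, N)

if __name__ == "__main__":
    print("factors:", factor_small_modulus(N))
    print("plaintext:", uncipher(N, E, C))
```

On a 64-bit N this finishes in well under a second, which is the point of "size does matter": a 2048-bit modulus with properly generated primes does not fall to factoring, and RsaCtfTool then has to fall back on its other attacks (Fermat for primes that are too close, Wiener for a small private exponent, and so on).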

Typewriter

Okay, this problem is called Typewriter. Right off the bat we can tell it's some kind of substitution cipher, as the description contains what looks like a full flag except the letters have been jumbled.

(A substitution cipher is when one character is substituted for another.)

Substitution ciphers are generally easy because they usually follow some sort of rule.  

The first thing I actually did was try to have my browser solve it automatically; there are plenty of online solvers. I tried dcode.fr, for example, but that gave nothing. (I didn't take any screenshots.)

Well, I guess I actually have to put in some effort. Taking another look at the description, it says that he was pranked and his typewriter's keys had been rearranged, as in some kind of key layout. So all we have to do is find out what that key layout is and reverse it.

Let's take a look at what we do know:

We know that zpezy really should turn into tjctf. So whatever alphabet they are using to substitute the characters, z maps to t, p maps to j, and so on.

For a more visual view of this keymap, I edited an image of a QWERTYUIOP keyboard.

Taking what we know from above, I drew arrows pointing to the 'switched' keys: T maps to Z, J maps to P, etc.

 However, at this point, I did not notice any pattern whatsoever and I shelved the problem for a day until a hint came out. Regrettably, I had to use the hint to solve the problem, but in my defense, it was a really big hint.

 The hint says that a becomes q, b becomes w, c becomes e, f becomes y, j becomes p, t becomes z, and z becomes m. Did I notice a pattern in my head? I didn’t. So I went back and mapped the keys on my little diagram.

Wait a second, I notice something: Q, W and E all have letters switching to them. Let's see what they are:

What, the letters that replace Q, W and E are A, B and C??? What are the chances??

Well, not really chance. It's pretty easy to tell at this point: the keyboard had been switched out of the QWERTYUIOP layout and into an alphabetic ABCDEFGHIJ layout. Not a bad prank.

So now we know our substitution alphabet. Let's go slam it into the converter.

I open up Cyberchef (Cyberchef OP btw) and paste in the garbled flag. Then I search for substitute and double click it to add it to the recipe.  

Now, we have to craft the recipe just right or it won't work. I removed the default alphabets and added my own. I dropped the uppercase alphabets (there are no uppercase letters in the flag, so CyberChef won't pick them up) and replaced the ciphertext alphabet with a normal lowercase alphabet.

Then I added the first row of a QWERTYUIOP keyboard into the plaintext alphabet (again, in lowercase).

 And instantly I see some of the letters start to change, for example, I see the zpezy{ turn into zjczf{.

Next, I added the middle row of the qwerty keyboard, and then the lower row of the keyboard into the plaintext alphabet.

And it looks like we have a flag. Some parts of it appear to still be garbled, but I submitted it and it worked.

Flag: tjctf{red_orange_purple_efgrirroiefe_pineapple_fruit_auhsdeuhfn}
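The same substitution in code, as an added Python example (not the CyberChef recipe): the alphabetic layout is written over the QWERTY key positions, so each plaintext letter is replaced by the QWERTY letter in the same position, and decoding is the inverse translation. The crib check uses only the pairs recorded in the write-up (zpezy → tjctf and the hint's letters) to confirm the hypothesised layout before decoding; the full ciphertext is not in the write-up, so only the prefix is decoded here.

```python
# Added example (not the write-up's CyberChef recipe): the typewriter prank
# as a keyboard-layout substitution, with a crib check before decoding.
QWERTY = "qwertyuiopasdfghjklzxcvbnm"   # key positions, row by row
ALPHA = "abcdefghijklmnopqrstuvwxyz"    # what the prankster put on those keys

# A key position now types the alphabetic-layout letter, so a plaintext letter
# is replaced by the QWERTY letter sitting at the same position.
ENCODE = str.maketrans(ALPHA, QWERTY)
DECODE = str.maketrans(QWERTY, ALPHA)


def encode(plaintext):
    """What the pranked typewriter produces for the intended text."""
    return plaintext.translate(ENCODE)


def decode(ciphertext):
    """Undo the prank; characters outside a-z (braces, digits, _) pass through."""
    return ciphertext.translate(DECODE)


def mapping_consistent_with(cribs):
    """Check the hypothesised layout against known plaintext/ciphertext pairs."""
    return all(encode(p) == c for p, c in cribs)


# Cribs from the write-up: the flag prefix and the pairs given in the hint.
CRIBS = [("tjctf", "zpezy"), ("a", "q"), ("b", "w"), ("c", "e"),
         ("f", "y"), ("j", "p"), ("t", "z"), ("z", "m")]

if __name__ == "__main__":
    print("layout matches cribs:", mapping_consistent_with(CRIBS))
    print(decode("zpezy{"))
```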

Circles

This problem is titled "Circles" and is worth 10 points. The flag evaded me for a while, as it did many other teams I've heard, resulting in it having fewer solves than many of the 'tougher' problems.

Lets have a look at the image. It appears to be some sort of substitution cipher where the letters have been replaced with circles. I can’t determine any hidden meaning within the circles, there doesn’t seem to be any remnants of English letters in them.

A quick Google search for "circle cipher" or "circle text" turned up nothing. A long Google search also turned up nothing. These symbols being used as characters simply did not exist (supposedly).

Lets take a look at the problem description. (You know, I actually had to have the hint tell me to do this – I didn’t actually take a good look at the description before this)

It consists of a rather strange sentence. That has to have a special meaning. Let's google it.

Hmm, a Google search matches the problem description word for word with a page on the website Fonts.com. Let's check it out.

 I searched for ‘circles’ but found nothing among the 8 results.

Okay, maybe there is a better description for the font. I search for ‘circular’ and the first result appears to match our cipher perfectly. Yay.

 After I click the page of the circular font, which I learn is called USF Circular Designs, I type in ‘tjctf’ into the test bar to see if it matches. It does, giving us the same first segment of what we see in the cipher image.

 Unfortunately there appears to be no “USF Circular Designs to Ascii” converter that I can find, so we’ll have to do this by hand.

When I click to see the full character map, to my dismay, I see it maps the glyphs to Unicode code points instead of anything in English. (I can't read Unicode code points.)

Now we have to do yet another step by hand.

Alright, let's look at the first unknown circle. It looks like, well, a circle. Looking back at the character map, my best guess is that it maps to the Unicode code point 0042.

(looks like 0042)

Okay, now let's convert this Unicode code point into an ASCII character. Unicode-search.net has just what we need. I enter 0042, and we get the character B (capital B) as the result.

So now we know that the flag starts with tjctf{B

The next character is this skip-sign, which maps to 0033.

 It turns out to really just be the number 3.

  The next one is 0061 and it turns out to be a lowercase a.

So now we have the flag so far as tjctf{B3a

 I repeat this process for the remainder of the circles in the cipher and it comes out as this:

And we have our flag.

Flag: tjctf{B3auT1ful_f0Nt}