BSides Ottawa CTF - Second place!

What makes these two scripts different?

Solving this problem was quite trivial. First I started by analyzing the 3 files, we can see two copies of a script for a show and also a zip file that is encrypted with a password. I came to the conclusion that in the scripts there is likely the password for the zip hidden.

By analyzing the differences between the first and second version of the provided scripts we can see that one of the character’s names PETER is missing from the first script. In the second script we see the addition of the word “backwards”.

Diff of the scripts

Therefore I had concluded that the password to the error.zip file must be PETER backwards: RETEP. After attempting the caps version and it not working I then tried the lowercase version retep and the file extracted revealing:

1
2
3

pcloadletter

WTF does that mean?

What is the filesize so big for such a small image?

To solve this challenge you need to really consider the title of the challenge. Clearly the person is pointing at something but you can’t immediately see what. That indicates that there is more to this image than what we can see. After running binwalk (as per the suggestion of my teammate Nadeem) on the image we can see that there are actually multiple sections.

The results of binwalk on the image

I attempted to run binwalk -e to automatically extract the multiple portions of the file however that failed. So after running dd if=in.jpg of=out.jpg skip=202 bs=1 we get:

jigglypuff

Can’t you hear the flag?

This challenge wasn’t actually solved until after the CTF was over. @t1v0 and Nadeem solved this one afterwords.

When you open the stream in wireshark you can see that is lots of UDP traffic of the same size between multiple IPs. This is a good indication of the Real Time Protocol being used. Since I know this is RTP go into analyze -> Decode As and choose RTP. This will decode all of the data into something that makes more sense:

RTP Decoded

Next you need to analyze the stream, to do that go into Telephony -> RTP -> Stream Analysis. From here you will be prompted to save or play the stream. Here is what it comes out to:

What is stegsolve?

First things first, let’s figure out what type of file harambe is. After a quick file harambe... I determined that it was an image of harambe:

Poor Harambe

My first instinct with the image was to reverse image search it to see what we can find online. Unfortunately that search didn’t reveal much other than there is a strange black line beside his face. After playing around with a few tools such as binwalk and hexeditors my teammates suggested I try using stegsolve which is a simple program used to solve these kinds of problems. Once I opened stegsolve and messed around with a few of the options I noticed that the Alpha Plane 0 had some black bars across the top and then nothing else… This seemed out of place.

Stegsolve alpha plane 0

When I noticed this issue I went to the data extract functionality to extract information for the Alpha Plane 0. Unfortunately I didn’t solve this during the event since the copy of Stegsolve I was using was broken and I was unable to view the alpha plane 0 when attempting to extract data. I relied on the tool too much, I could have just made a script… but had it have worked this is what I would have seen:

The flag has been found!

Mascros, Macros, Macros Everywhere!

Like most other forensics challenges the first thing I needed to do was to determine the file type. By using the file command I was able to determine that this challenge is using a word 2007+ document. After flipping the extension over to .doc and opening the document up I was greeted with a lovely message that went something like: “This document contains macros, we recommend disabling them for your safety”. That was my cue enable macros and view what it is trying to do. When trying to edit the macro your are prompted for a password, so let’s get by this.

I found this nifty little article on stack overflow about bypassing the password by changing DPB to DPx in a hex editor. To do this we first we need to open the .doc in our favourite compression tool AKA winrar and extract word/vbaProject.bin. Next open vbaProject.bin in a hex editor and search for DPB= replacing it with DPx= like so:

Resetting the PW

Lastly just drag the vbaProject.bin back into the same directory in winrar and re-open the document in word. Now when you open up the document in word and enable macros you will get an error and macros will now be editable:

Password error

If you open up the macro you get this code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51

Sub SpecialerEvent()
Dim f1, f3, flag, galf
Dim ACK As Integer
Dim f2, f4 As Variant
Dim fl, ag As String
Dim humpty_dumpty As String

humpty_1 = Array("5f", "65", "74", "61", "68", "5f", "65", "79", "65")
humpty_2 = Array(95, 114, 105, 103, 104, 116, 95, 110, 111, 119)
humpty_3 = Array("5f", "73", "6f", "5f")
humpty_4 = Array(95, 115, 111, 114, 99, 97, 109)
humpty_5 = Array(115, 116, 111, 112, 95, 105, 116)
humpty_6 = Array("74", "68", "69", "73", "79", "69", "6e", "67")
humpty_7 = Array(95, 105, 115, 95, 97, 110, 110, 111)

For Each flag In humpty_1
  fl = Chr(Val("&H" & flag))
  humpty_dumpty = humpty_dumpty & fl
  If Len(humpty_dumpty) = 4 Then
    For Each galf In humpty_2
      ag = Chr(galf)
      humpty_dumpty = humpty_dumpty & ag
    Next galf
    End If
Next flag
For Each flag In humpty_5
  ag = Chr(flag)
  humpty_dumpty = ag & humpty_dumpty
Next flag
For Each flag In humpty_6
  fl = Chr(Val("&H" & flag))
  humpty_dumpty = humpty_dumpty & fl
  If Len(humpty_dumpty) = 27 Then
    For Each galf In humpty_7
      ag = Chr(galf)
      humpty_dumpty = humpty_dumpty & ag
    Next galf
    End If
Next flag
For Each flag In humpty_3
  ag = Chr(Val("&H" & flag))
  humpty_dumpty = ag & humpty_dumpty
  If Len(humpty_dumpty) = 37 Then
    For Each galf In humpty_4
      ag = Chr(galf)
      humpty_dumpty = humpty_dumpty & ag
    Next galf
    End If
Next flag
MsgBox ("All the kings men didn't put humpty together properly again :(" & vbNewLine & vbNewLine & vbNewLine & humpty_dumpty)
End Sub

And executing the macro gives:

Macro execution

From the output and some close examination I determined that the arrays were either hex or integers representing letters, so looking at the arrays converted to letters I get:

1
2
3
4
5
6
7

humpty_1 = Array("_", "e", "t", "a", "h", "_", "e", "y", "e")
humpty_2 = Array("_", "r", "i", "g", "h", "t", "_", "n", "o", "w")
humpty_3 = Array("_", "s", "o", "_")
humpty_4 = Array("_", "s", "s", "r", "c", "a", "m")
humpty_5 = Array("s", "t", "o", "p", "_", "i", "t")
humpty_6 = Array("t", "h", "i", "s", "y", "i", "n", "g")
humpty_7 = Array("_", "i", "s", "_", "a", "n", "n", "o")

It appears that 1 is reversed, 2 is fine, 3 is fine, 4 is reversed, 5 is fine but 6 & 7 don’t seem to make sense. By analyzing the code I determined that 7 is inserted into 6 making “this_is_annoying”

So now we have eye_hate_right_now_macros_stop_it_this_is_annoying. I don’t remember exactly what the flag was, but it was some variation of that.

Somethings not right with the ending music…

I attempted to solve this during the CTF but was unable to. Credits go to my teammate Nadeem for solving this forensics challenge after the CTF was over.

If you watch the video around 33 seconds into the video you start to hear odd sounds that don’t go with the flow of the music. So if you open the video up in something such as audacity or audition and then press the Spectrogram button (audition it is called “show spectral frequency display”) you will see that the flag has been encoded into the audio:

Sneaky...

Is that some ASCII art?

Copying the text and pasting it into a text editor and then zooming out revealed that there is some ASCII art:

He-Man and Masters

During the CTF that was as far as we got. He-man and Masters was not the flag. After the CTF was over the organizers said they found an app which enables encoding a message into an image and then generating ASCII art as the output. This picturesworththousandwords was the app they were talking about. After decoding the text we get: The Flag IS: YoU_Will_NEvEr_FinD_TH1S