UIUCTF 2017: salted wounds

● 200 Points
● forensics
● By: Eric Hennenfent

There are some challenges I'd rather forget.


So to start, it’s a pdf, which could have any amount of craziness hidden inside it. A year or two ago, I watched a talk from an unknown infosec conference about how insane pdf is as a file format. I can’t find the talk, but it stuck with me. Anyway, we’re given what appears to be the USENIX paper on zmap. Downloading the original paper to compare, we can see that the original is 712246 bytes smaller than what we’ve been given – definitely something going on in there.

foremost is satisfied that it’s just a pdf, at least at first glance. Running binwalk -e to attempt extracting all visible files gives us 32 files of varying contents, and 32 zlib streams. Discarding the zlib streams, here’s what we have to work with:

[tkerr@pro _zmap.pdf.extracted]$ file *
10F72:  ASCII text, with very long lines
11B8F7: data
11CD6B: data
14210:  ASCII text, with very long lines
1D19D:  ASCII text, with very long lines
1E790:  ASCII text
21038:  ASCII text
2114A:  ASCII text, with very long lines
2244A:  ASCII text, with very long lines
252CD:  ASCII text, with very long lines
2B6F4:  ASCII text, with very long lines
30029:  data
3746:   ASCII text, with very long lines
409C8:  ASCII text, with very long lines
41E42:  ISO-8859 text, with very long lines, with no line terminators
42598:  ASCII text, with very long lines
43D53:  ASCII text, with very long lines, with no line terminators
454E5:  ASCII text, with very long lines
46AB0:  ASCII text, with very long lines
48227:  ASCII text, with very long lines
49714:  PostScript Type 1 font text (CMMI10 003.002)
4B316:  PostScript Type 1 font text (CMR10 003.002)
4CFCF:  PostScript Type 1 font text (CMSY10 003.002)
4EF8D:  PostScript Type 1 font text (MSBM10 003.002)
4F825:  PostScript Type 1 font program data
5062:   ASCII text, with very long lines
53EDE:  PostScript Type 1 font text (StandardSymL 001.005)
549FA:  PostScript Type 1 font text (NimbusRomNo9L-Medi 1.05)
5873D:  PostScript Type 1 font text (NimbusRomNo9L-Regu 1.05)
5D74E:  PostScript Type 1 font text (NimbusRomNo9L-ReguItal 1.05)
6212B:  ASCII text, with very long lines
EC5:    ASCII text, with very long lines

Some of these are straightforward (fonts), and most of the ASCII files are innocent-looking pdf payloads. I happened to start from the bottom of the list, and noticed that 6212B comprises one large block of base64. Decoding it gives us a .png:

The easy first steps of strings, foremost, binwalk, and stegsolve don’t immediately give me anything promising. I reverse image search it and find an imgur album by @SwiftOnSecurity that contains the original. The dimensions of both images are the same (1221×651), but the filesizes are different, so clearly something’s been done to the file. Using imagemagick’s compare, we can see that the entire image is identical except for the very first column, at the top left:

Very suspicious. My first glance in stegsolve only involved checking the LSB data of each color channel, row-wise. Setting stegsolve to extract LSBs from all channels column-wise gives us the flag:
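The row-wise versus column-wise distinction above is the whole trick, so here is an added example (not from the writeup, and not stegsolve's code) that walks a pixel grid in either order, packs channel LSBs into bytes, and reproduces the "only the first column differs" observation on a constructed image. Pixels are a list of rows of (r, g, b) tuples, so no image library is needed; the cover image and payload are constructed for the demonstration.

```python
def _walk(h, w, column_wise):
    """Yield (x, y) in the order the extraction visits pixels."""
    if column_wise:
        return ((x, y) for x in range(w) for y in range(h))
    return ((x, y) for y in range(h) for x in range(w))

def extract_lsb(pixels, column_wise=False):
    """Collect the LSB of every channel in walk order and pack MSB-first into bytes."""
    h, w = len(pixels), len(pixels[0])
    bits = [c & 1 for x, y in _walk(h, w, column_wise) for c in pixels[y][x]]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)

def embed_lsb(pixels, payload, column_wise=True):
    """Copy of pixels with payload bits written into channel LSBs in walk order.
    Only used here to construct a test image shaped like the challenge's."""
    h, w = len(pixels), len(pixels[0])
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > h * w * 3:
        raise ValueError("payload does not fit in the image")
    out = [list(row) for row in pixels]
    pos = 0
    for x, y in _walk(h, w, column_wise):
        if pos >= len(bits):
            break
        px = list(out[y][x])
        for ch in range(3):
            if pos < len(bits):
                px[ch] = (px[ch] & ~1) | bits[pos]
                pos += 1
        out[y][x] = tuple(px)
    return out

def changed_columns(cover, stego):
    """x coordinates where any pixel differs: what imagemagick's compare showed."""
    h, w = len(cover), len(cover[0])
    return {x for y in range(h) for x in range(w) if cover[y][x] != stego[y][x]}

# Constructed cover (4 wide, 20 tall, solid colour with even channel values) and a
# stego copy with a short payload written down the first column.
COVER = [[(200, 100, 50)] * 4 for _ in range(20)]
STEGO = embed_lsb(COVER, b"flag{x}", column_wise=True)
```

Extracting STEGO row-wise yields noise while column-wise yields the payload, which is exactly why the first stegsolve pass showed nothing.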

UIUCTF 2017: eula

● 400 Points 
● crypto
● By: JP Smith

nc challenge.uiuc.tf 11345

throwback to when the aztecs sacked mitlan


Taking a look at the provided python, it looks like we somehow need to forge a signature for the message ‘right below’. Luckily for me, some of the T&C helped me immediately recognize the specific vulnerability they’re going for. Specifically:

    “we must use the latest versions of all libraries”,
    “we must use 2048-bit keys with e = 3”, and
    “DATED: 2015-07-29”

tell me that the intended solution uses Bleichenbacher’s signature forgery on e=3 and PKCS#1 v1.5, which python-rsa was vulnerable to until early 2016. I was at 33c3 a few months ago where one of my crypto role models, Filippo Valsorda, gave a session on implementing this specific attack against python-rsa. I didn’t find out about the session until after it happened, but I did end up reading his excellent article on the attack, which includes an example implementation.
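To make concrete what the verifier gets wrong, here is an added example (not from the writeup and not python-rsa's actual code) contrasting a simplified model of the lenient PKCS#1 v1.5 check with a hardened one. It works on the decoded block directly, so no RSA key is involved; the malformed block in demo() is constructed by hand to show which bytes the lenient parser ignores, and the DigestInfo prefix is the standard SHA-256 one from PKCS#1.

```python
import hashlib
import hmac

# DigestInfo prefix for SHA-256 from PKCS#1 v1.5 (RFC 8017, section 9.2, note 1).
SHA256_ASN1 = bytes.fromhex("3031300d060960864801650304020105000420")


def pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """Full EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 DigestInfo, exactly em_len bytes."""
    t = SHA256_ASN1 + hashlib.sha256(message).digest()
    ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too small for this digest")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def verify_lenient(message: bytes, em: bytes) -> bool:
    """Simplified model of the weak check (not python-rsa's actual code): find the
    first 00 separator, then look for the DigestInfo anywhere after it. Padding
    length and whatever follows the digest are never checked."""
    if em[:2] != b"\x00\x01":
        return False
    sep = em.find(b"\x00", 2)
    if sep < 0:
        return False
    idx = em.find(SHA256_ASN1, sep + 1)
    if idx < 0:
        return False
    start = idx + len(SHA256_ASN1)
    return em[start:start + 32] == hashlib.sha256(message).digest()


def verify_strict(message: bytes, em: bytes) -> bool:
    """Hardened check: rebuild the whole expected block and compare every byte."""
    return hmac.compare_digest(em, pkcs1_v15_encode(message, len(em)))


def demo(em_len: int = 256):
    """Returns (lenient, strict) results for a proper block and for a constructed
    malformed one with minimal padding and unchecked bytes after the digest."""
    msg = b"right below"
    good = pkcs1_v15_encode(msg, em_len)
    t = SHA256_ASN1 + hashlib.sha256(msg).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    bad = head + b"\x00" * (em_len - len(head))   # constructed, not a real forgery
    return (verify_lenient(msg, good), verify_strict(msg, good),
            verify_lenient(msg, bad), verify_strict(msg, bad))
```

The unchecked tail is what makes the e=3 attack possible, and comparing the full block (as python-rsa does since the fix) closes it.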

Using Filippo’s example, we just have to change the target message to ‘right below’ and we have a fully functional forgery generator. Using it is straightforward:

I have no idea what “aztecs sacked mitlan” refers to, though. A really obtuse hint towards ASN.1?

UIUCTF 2017: crackme?

This was a fun one – I was the only person to solve this during the CTF yesterday. Here’s how I did it:

● 300 Points
● misc
● By: Dillon Korman

I'm trying to crack this guy's password, but I haven't had any luck so far. I heard he likes that Overwatch game and thinks he's some cool hacker. Think you can help me out?
Hash: 55370b6cd985e7132c4e789224066bde
Note: does not follow the flag{} format
Hint: automated password cracking tools are good
Hint: https://twitter.com/abrekke83/status/842513875337695235

A teammate from DC416 made a run at this with some fairly comprehensive custom Overwatch-themed wordlists with no luck. I first tried the usual easy tricks: googling the hash, Gromweb, and an exhaustive search of all printable ASCII up to 7 chars (since it only takes ~30 seconds). No luck.

My next step was to grab a list of all of the playable Overwatch characters from here. Since a couple of the characters (Lúcio, Torbjörn) have non-latin characters, I also added latinized versions (Lucio, Torbjorn) to the list. I added alternate versions of a few other characters’ names to account for different stylings and capitalizations (Soldier: 76, D.Va, McCree), and then duplicated the entire list as lowercase via
tr '[:upper:]' '[:lower:]' < owchars.txt | uniq >> owchars.txt
This gave me this list.

Running that through hashcat gave me no hits, both on its own and using best64.rule (which permuted 59 candidates into 4543).

With that exhausted, I looked at the Twitter hint – it seemed pretty apparent that we’re intended to try adding some variation of ‘main’ to a character name. In the interest of being thorough, I wrote a quick python script to append variants of ‘main’ to each character name variant, using multiple different joining characters. That resulted in this 1593-line list.
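As an added example of the list-building described above (my own code, not the script from the writeup, and with a constructed handful of names rather than the real owchars.txt), this generates latinized, punctuation-stripped and lowercase spellings, joins each to the 'main' variants with several separators, and checks candidates against an unsalted MD5 the way hashcat -m 0 would during a password audit.

```python
import hashlib
import itertools
import unicodedata

# Constructed inputs; the writeup's actual owchars.txt / owmains.txt are not reproduced.
NAMES = ["Lúcio", "Torbjörn", "Soldier: 76", "D.Va", "Genji"]
MAIN_VARIANTS = ["main", "Main", "MAIN"]
JOINERS = ["", " ", "_", "-", "~"]


def latinize(name):
    """Drop accents: 'Torbjörn' -> 'Torbjorn' (NFKD, then strip combining marks)."""
    return "".join(ch for ch in unicodedata.normalize("NFKD", name)
                   if not unicodedata.combining(ch))


def name_variants(name):
    """Original and latinized spellings, a styling with spaces/punctuation removed,
    and a lowercase copy of each (the 'tr' step from the writeup)."""
    base = {name, latinize(name)}
    base |= {n.replace(" ", "").replace(":", "").replace(".", "") for n in base}
    return base | {n.lower() for n in base}


def build_candidates(names, mains=MAIN_VARIANTS, joiners=JOINERS):
    """name + joiner + main-variant for every combination, deduplicated in order."""
    out, seen = [], set()
    for name in names:
        for n, j, m in itertools.product(sorted(name_variants(name)), joiners, mains):
            cand = f"{n}{j}{m}"
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def md5_lookup(candidates, target_hex):
    """Unsalted MD5 check (hashcat -m 0); returns the matching candidate or None."""
    target_hex = target_hex.lower()
    for cand in candidates:
        if md5_hex(cand) == target_hex:
            return cand
    return None
```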

Running that list through hashcat with best64.rule (122661 total candidates) gave no hits. I looked at the challenge again to make sure I was on the right track, and noticed “and thinks he’s some cool hacker” for the first time. That seems straightforward – do some leetspeak character substitution (l1k3 th!5). Luckily hashcat includes a very thorough leetspeak rule (1593 lines became 4892103 candidates), and passing owmains.txt through it gave us a successful crack.

[tyler@tower hashcat-3.5.0]$ ./hashcat64.exe -m 0 -a 0 -r rules/unix-ninja-leetspeak.rule 55370b6cd985e7132c4e789224066bde owmains.txt
hashcat (v3.5.0) starting...

OpenCL Platform #1: NVIDIA Corporation
* Device #1: GeForce GTX 960, 1024/4096 MB allocatable, 8MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 3071


Session..........: hashcat
Status...........: Cracked
Hash.Type........: MD5
Hash.Target......: 55370b6cd985e7132c4e789224066bde
Time.Started.....: Sat Apr 29 15:13:08 2017 (0 secs)
Time.Estimated...: Sat Apr 29 15:13:08 2017 (0 secs)
Guess.Base.......: File (owmains.txt)
Guess.Mod........: Rules (rules/unix-ninja-leetspeak.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:   160.9 MH/s (0.27ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 3297510/4892103 (67.40%)
Rejected.........: 0/3297510 (0.00%)
Restore.Point....: 0/1593 (0.00%)
Candidates.#1....: Genjimain -> z3ny@tt@~MAIN
HWMon.Dev.#1.....: Temp: 50c Fan:  0% Util: 99% Core:1404MHz Mem:3004MHz Bus:8