D-CTF 2017 Final


In November 2017, I attended the D-CTF final in Bucharest, Romania, with my lab members. Our CTF team is called Balsn. This is the first time I have participated in an international competition. Additionally, I had never been to Europe before. I’m very lucky to have had this opportunity. Although our team didn’t do well in the competition (9th place of 11 teams), it was still a great experience.

Challenges

Blockchain

Yes, that buzzword is a new type of challenge. There were 3 problems in total, called spock-lizard-{alpha,beta,omega}, in the final, but only the alpha version was solved, and only by one team. I guess setting up the blockchain environment is a little complex, or most teams, including us, are unfamiliar with blockchain vulnerabilities :) All I know is the DAO attack...

Rev

As I’m not good at reverse and pwn challenges, I didn’t focus on this category.

  • Silent: This problem didn’t seem so hard. We had a method to retrieve the flag byte by byte. However, because the organizer used socat to forward the port, the payload was first modified by this evil socat. One of the other teams also complained about this. Though we solved it eventually, it wasted a lot of our time.
  • dotnet 2.0: An unsafe deserialization bug. We spent some time getting RCE, but the real problem was that the OS is Windows. We spent LOTS OF time exploiting the Windows shell, even with RCE... Come on, let me ask you: how do you create a reverse shell on Windows?

Misc

  • Private communication: A file contains garbled text. We spent 4 to 5 hours coming up with the idea of XOR encryption. Because the original file is an image, xortool might not work as expected. Finally my teammate solved it.

  • Sad kitten (not solved): We got a LUKS-encrypted disk file (not XOR again!) and an image. The objective is obvious: find the password of the encrypted LUKS file. Then we inspected the image, only to find the comment “Edited with GIMP” and 4 characters at the tail. We tried the whole file, the comments, and weak passwords as the key, but they failed :( The solution: open the image with GIMP. You’ll see more comments in the GIMP “file properties”. That is the password of the encrypted LUKS disk file.

  • Caesar’s favorite song: The flag is encoded into the Do, Re, Mi... of a piano. Fortunately, one of our teammates has “absolute sound sensation”, a.k.a. the “human decoder” XD. Therefore we got first blood on this challenge :)

  • Audio-captcha (not solved): Yeah, the question asks us to solve an audio captcha. Of course, we have to automate the procedure. However, we didn’t have the time to implement a decoder. Some other teams just matched the raw bytes of the numbers in the captcha, and it worked... It’s a pity that we didn’t come up with this simple solution.

  • Adversarial: A simple challenge related to logistic regression. All teams solved this one, if my memory serves me well.

  • Security CCTV (not solved): In this task, we had to recover the QR code in the image, so we opened GIMP and Photoshop to do it. Finally, we recovered it. To our disappointment, the official told us this is a CCTV image: it changed EVERY 30 SECONDS! Therefore we tried to create an automated tool (ImageMagick or OpenCV) to do this, but time was up :(

Web

  • State agency (not solved): The Host HTTP header is injectable, though the WAF filters some keywords. The UNION keyword is not filtered. Also, procedure analyse() can be used to retrieve the name of the table. The last step is to bypass the flag filter with base64. We totally forgot the procedure analyse() trick... Reference: P4’s writeup
  • DNS API: It seems that the author forgot to add an if-else statement. Every team got the flag after a few hours.
  • DNS API 2 (not solved): The author fixed it, but we didn’t have time to focus on this problem. If my memory serves me correctly, the solution is to create an NS record pointing to our evil server, and then create other records to trick the server.
  • hack-tac-toe: Another XOR challenge. The tic-tac-toe game state, as well as the flag, is put in the cookies and encrypted with an XOR key. The key can be simply recovered with a very long username aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.
  • infinify (not solved): The challenge description says we are allowed to use nmap, but the scan result is not interesting. All those open ports return a Fortinet firewall API error. Then the organizers released another hint: check Wikipedia, but we were still confused about what to do next. The solution: just access port 0. Yeah, I’m not kidding, there really is a port zero. WTF...
  • Fedora shop (we almost solved it): There is an obvious XSS vulnerability in the field, but the admin has enabled some protection. Only the same origin is allowed. However, we noticed that the HttpOnly header is not set, so we can replace the admin’s cookie with ours, forging a request that POSTs the flag from the page. We were creating the payload when time ran out. What a pity :(
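The XOR key recovery behind hack-tac-toe (and the repeating-key XOR of Private communication) is worth seeing in code. The following is an added example, not code from the original post or from the challenge: it assumes a hypothetical cookie layout “user=<name>;state=<board>;flag=<flag>” XORed with a fixed repeating key, and shows why a long attacker-chosen username recovers the key and hence the flag. A fixed XOR key is not encryption; cookies that carry secrets need authenticated encryption or, better, should hold only a session id.

```python
import base64

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key: the cookie 'encryption' described above."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(ciphertext: bytes, known: bytes, offset: int, key_len: int) -> bytes:
    """Recover a repeating key of length key_len, given that `known` sits at
    byte `offset` of the plaintext. `known` must span at least one key period,
    which is exactly what the very long username provides."""
    if len(known) < key_len:
        raise ValueError("known plaintext must cover a full key period")
    key = bytearray(key_len)
    for i in range(key_len):
        key[(offset + i) % key_len] = ciphertext[offset + i] ^ known[i]
    return bytes(key)

def decrypt_cookie(cookie_b64: bytes, username: bytes, max_key_len: int = 64):
    """Try key lengths until the recovered plaintext looks like a real cookie
    (it starts with our username and contains the ';flag=' field).
    Returns (key_len, plaintext)."""
    ct = base64.b64decode(cookie_b64)
    offset = len(b"user=")                  # the username field comes first
    for key_len in range(1, min(max_key_len, len(username)) + 1):
        pt = xor_bytes(ct, recover_key(ct, username, offset, key_len))
        if pt.startswith(b"user=" + username) and b";flag=" in pt:
            return key_len, pt
    raise ValueError("no key length produced a plausible cookie")

# Constructed sample (hypothetical layout and key, not the real challenge):
# cookie = base64( XOR("user=<name>;state=<board>;flag=<flag>", SERVER_KEY) )
SERVER_KEY = b"s3cr3tk3y!"                  # 10-byte key the server keeps secret
USERNAME = b"a" * 40                        # long attacker-chosen username
PLAINTEXT = b"user=" + USERNAME + b";state=XOX.O....;flag=DCTF{constructed_flag}"
COOKIE = base64.b64encode(xor_bytes(PLAINTEXT, SERVER_KEY))

if __name__ == "__main__":
    key_len, pt = decrypt_cookie(COOKIE, USERNAME)
    print(key_len, pt)
```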

Result

Although we got 9th place of 11 teams, it’s still a precious experience. I think we can do much better next time. At least I have a long way to go, and a lot to learn.

Place Team
1 dcua
2 p4
3 HackingForSoju
4 [TechnoPandas]
5 0x90r00t
6 The Northern Coalition
7 wild
8 naegokdonglabs
9 Balsn
10 Pwnium
11 h2x

Balsn sucks.

– 2017 in Bucharest, Romania, by many Balsn team members