Secuinside 2012 write up - iu (500)

sqall's blog

Monday, June 11. 2012

Posted by sqall in CTF

Comments (0)
Trackbacks (0)

Secuinside 2012 write up - iu (500)

The "iu" challenge in the Secuinside 2012 CTF was a trivia challenge.

The description:


Hints:

1. hex

2. [-3:]



Challenge text:

-----

the message was decoded:

11111011 11101111 10001110 10000110 00011000 01100001

10000110 00011000 01011000 10100010 11100011 01011010

10111010 00001000 01101101 11001000 00010000 00010010

00010011 10101110 00111110 11111011 10111010 01011110

01100100



First we followed the hint and convert the binary code to hex:


fbef8e861861861858a2e35aba086dc8101213ae3efbba5e64



When we look at the second hint, it looks like python for the last three characters, so we took a look at the last six hex values (one byte = two hex values):


ba5e64



This is a good hint. When we convert the hex to characters and this to base64:


+++OhhhhhhhYouNaughtyBASE64++7peZA==



It looks like a flag. Unfortunately, it wasn't. So we tried to convert the hex values to characters and that to base64 without the last 6 values (remember hint 2):


+++OhhhhhhhYouNaughtyBASE64++w==



Still no flag.


Now we tried a lot but nothing worked. After a while some new hints were released:


\\"inverse\\"


more hints:

1. you have 25 bytes, you work on 22 bytes and 3 bytes separately.
2. flag format = e(22bytes) + e(3bytes)
3. which means d(e(22bytes)) + d(e(3bytes)) must be the same with the binary words. (have you checked this before? ;-)
4. it\\\'s base64, there is a possibility that d(x) == d(y)
5. we know you\\\'re confused!


Ok, you have to work seperately on 22 bytes and the last 3 bytes. That's a good hint. The first 22 bytes converted in base64 looks like:


+++OhhhhhhhYouNaughtyBASE64++w==



and the last 3 bytes:


ul5k



For hint two and three we wrote functions that cover it, but we didn't need them. Hint four looks like a collision in base64. After some reading we found out that base64 has collisions in the padding.

Ok, the last 3 bytes didn't have any padding because there are no "=". The first 22 bytes have padding. So we wrote this script:


#!/usr/bin/env python
import binascii
import base64

compareto = d("+++OhhhhhhhYouNaughtyBASE64++w==")

for i in ['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q',
 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l',
 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '1', '2', '3', '4', '5', '6', '7',
 '8', '9', '0', '+', '/']:
                for j in ['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q',
                'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l',
                'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '1', '2', '3', '4', '5', '6', '7',
                '8', '9', '0', '+', '/']:
                                for k in ['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q',
                                'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l',
                                'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '1', '2', '3', '4', '5', '6', '7',
                                '8', '9', '0', '+', '/']:
                                temp = "+++OhhhhhhhYouNaughtyBASE64" + i + j + k + "=="
                                try:
                                                if compareto == d(temp):
                                                                print "FOUND: %s" % temp
                                except:
                                                pass
 


and got this output:



FOUND: +++OhhhhhhhYouNaughtyBASE64++w==

FOUND: +++OhhhhhhhYouNaughtyBASE64++x==

FOUND: +++OhhhhhhhYouNaughtyBASE64++y==

FOUND: +++OhhhhhhhYouNaughtyBASE64++z==

FOUND: +++OhhhhhhhYouNaughtyBASE64++1==

FOUND: +++OhhhhhhhYouNaughtyBASE64++2==

FOUND: +++OhhhhhhhYouNaughtyBASE64++3==

FOUND: +++OhhhhhhhYouNaughtyBASE64++4==

FOUND: +++OhhhhhhhYouNaughtyBASE64++5==

FOUND: +++OhhhhhhhYouNaughtyBASE64++6==

FOUND: +++OhhhhhhhYouNaughtyBASE64++7==

FOUND: +++OhhhhhhhYouNaughtyBASE64++8==

FOUND: +++OhhhhhhhYouNaughtyBASE64++9==

FOUND: +++OhhhhhhhYouNaughtyBASE64++0==

FOUND: +++OhhhhhhhYouNaughtyBASE64+++==

FOUND: +++OhhhhhhhYouNaughtyBASE64++/==



The found result


+++OhhhhhhhYouNaughtyBASE64+++==



looked good. So we submitted the flag


+++OhhhhhhhYouNaughtyBASE64+++==ul5k



and finally it worked.

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

No comments

Add Comment

Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA
 
Submitted comments will be subject to moderation before being displayed.
 

Frontpage - Top level

Navigation

Quicksearch

Calendar

Back May '13
Mon Tue Wed Thu Fri Sat Sun
    1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 31    

Archives

Kategorien


All categories

Creative Commons

Dieser Inhalt ist unter einer
Creative Commons-Lizenz lizenziert.

Creative Commons License

Verzeichnisse

Dieser Blog ist Eingetragen bei
Blogverzeichnis - Blog Verzeichnis bloggerei.de