Wednesday, 18 January 2012

Nullcon CTF 2012 Crypto Writeup

Level 1


Oexjwok -333 lauiljt bwxylexk hilyruik krbf lk yfi frzlx jekbeqaexi bwzqwxixy. ofiui yfi QB blx kixj lx iaibyueb kfwbs yfuwrgf yfi sitcwluj eh yfi frzlx jwik kwziyfexg yfly jwik xwy qailki Oexjwok, 2 Ceaa Glyik

The web source contains a link to a mirror

Mirror every key by looking at your keyboard:
q = p
a = l
z = m
. = ,
- = 2
3 = 0


WINDOWS 1999 ALREADY CONTAINS FEATURES SUCH AS THE HUMAN DISCIPLINE COMPONENT. WHERE THE PC CAN SEND AN ELECTRIC SHOCK THROUgH THE KEYBOARD IF THE HUMAN DOES SOMETHINg THAT DOES NOT PLEASE WINDOWS, 0 BILL gATES

Flag: Windows 2000 already contains features such as the human discipline component, where the PC can send an electric shock through the keyboard if the human does something that does not please Windows. - Bill Gates

Level 2: White Noise


The file contains only tabs and spaces. Two distinct byte values could be an encoding of binary digits.

Using \t = 0:
4572726F72204D6573736167653A20596F75722050617373776F7264204D757374204265206174204C65617374203138373730204368617261637465727320616E642043616E6E6F742052657065617420416E79206F6620596F75722050726576696F75732033303638392050617373776F726473202D204D53204B4220323736333034
Using \t = 1:
BA8D8D908DDFB29A8C8C9E989AC5DFA6908A8DDFAF9E8C8C88908D9BDFB28A8C8BDFBD9ADF9E8BDFB39A9E8C8BDFCEC7C8C8CFDFBC979E8D9E9C8B9A8D8CDF9E919BDFBC9E9191908BDFAD9A8F9A9E8BDFBE9186DF9099DFA6908A8DDFAF8D9A8996908A8CDFCCCFC9C7C6DFAF9E8C8C88908D9B8CDFD2DFB2ACDFB4BDDFCDC8C9CCCFCB

The first one looks like printable ascii and decodes to the following, which is the flag.

Error Message: Your Password Must Be at Least 18770 Characters and Cannot Repeat Any of Your Previous 30689 Passwords - MS KB 276304
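The two-polarity test above, as an added example that is not part of the original writeup. The sample input is constructed from the first words of the flag; the function names are illustrative. It also shows why the second hex string is just the bitwise complement of the first.

```python
import string

PRINTABLE = set(string.printable.encode("ascii"))


def encode_whitespace(message: bytes, tab_bit: int = 0) -> str:
    """Build a constructed sample: one tab or space per bit, MSB first."""
    bits = "".join(f"{byte:08b}" for byte in message)
    return "".join("\t" if int(b) == tab_bit else " " for b in bits)


def decode_whitespace(data: str, tab_bit: int) -> bytes:
    """Read tabs as tab_bit and spaces as the opposite bit; skip anything else."""
    bits = "".join(
        str(tab_bit if ch == "\t" else 1 - tab_bit) for ch in data if ch in "\t "
    )
    usable = len(bits) - len(bits) % 8  # drop a trailing partial byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def printable_ratio(raw: bytes) -> float:
    """Share of bytes that are printable ASCII."""
    return sum(b in PRINTABLE for b in raw) / len(raw) if raw else 0.0


def best_decoding(data: str) -> tuple[int, bytes]:
    """Try both polarities and keep the one that looks most like text."""
    candidates = [(bit, decode_whitespace(data, bit)) for bit in (0, 1)]
    return max(candidates, key=lambda c: printable_ratio(c[1]))


# Constructed sample, not the challenge file: "Error Message" with tab = 0.
SAMPLE = encode_whitespace(b"Error Message", tab_bit=0)

if __name__ == "__main__":
    for bit in (0, 1):
        raw = decode_whitespace(SAMPLE, bit)
        print(f"tab={bit}: {raw.hex().upper()} printable={printable_ratio(raw):.2f}")
    print(best_decoding(SAMPLE))
```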

Level 3: The Base Test

Inside the HTML source you will find this string:

====5JP2T6UH5JR4UKRJSZTOEEJKN2TYUMFLXKUMFHJJTJVWULRIGSTGFCZKWZVEDJVJ====

It looks like A-Z0-6, so it could be anything above base 31.

RFC for Base encoding: http://tools.ietf.org/html/rfc4648
http://www.unitconversion.org/unit_converter/numbers-ex.html

http://tomeko.net/online_tools/base32.php?lang=en

Why does it have padding on both sides?
After reversing the string to
JVJDEVZWKZCFGTSGIRLUWVJTJJHFMUKXLFMUYT2NKJEEOTZSJRKU4RJ5HU6T2PJ5
and base32 decoding we get
MR2W6VDSNFDWKU3JNVQWYYLOMRHGO2LUNE======
after base32 decoding this, we get the flag
duoTriGeSimalandNgiti
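The reverse-then-decode-twice steps above, as an added example that is not part of the original writeup. It generalizes slightly: leading padding is treated as a sign that a layer was reversed, and layers are peeled until the text stops being base32. The function names are illustrative.

```python
import base64
import binascii

B32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")

# String from the Level 3 HTML source, as quoted in the writeup.
CHALLENGE = "====5JP2T6UH5JR4UKRJSZTOEEJKN2TYUMFLXKUMFHJJTJVWULRIGSTGFCZKWZVEDJVJ===="


def normalise(text: str):
    """Return text in forward order with correct trailing padding, or None."""
    text = text.strip()
    if text.startswith("="):      # padding at the front: the layer was reversed
        text = text[::-1]
    body = text.strip("=")
    if not body or set(body) - B32_ALPHABET:
        return None               # not RFC 4648 base32 text
    return body + "=" * (-len(body) % 8)


def peel_base32(text: str, max_layers: int = 8) -> list[str]:
    """Decode nested base32 layers; return the plaintext of each layer."""
    layers = []
    for _ in range(max_layers):
        canonical = normalise(text)
        if canonical is None:
            break
        try:
            text = base64.b32decode(canonical).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break                 # invalid length or binary output: stop peeling
        layers.append(text)
    return layers


if __name__ == "__main__":
    for depth, layer in enumerate(peel_base32(CHALLENGE), start=1):
        print(depth, layer)
```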

Level 4: Elucidate

The file is an obfuscated PHP script with 3 stages.

1. The first stage eval'ed a base64-decoded PHP script.
2. The second stage had an if check that executed the following code:

gzinflate(
base64_decode( str_rot13("yIIgnkcORC4eT5SRD0cho3s2WqMVXWozH4hRSSXY7B0YBDtdngd0cs+9f96rZnyjS/jj7hmZZ8+87M2sTxT1NWZoRJljzDMMXNUXppQ/rLQG89Uy+9UlsxyVrWmoGozLR7ilMhAai8gyemgw0aVKsNMFMeoj3UOjhsR6TP2Z4WVZvIzgmX9r/6j7l6mw1agjlawTPb9kZk08qlP08gXt8pxW2txJNVWt1uyqrZoOHyAjLA4Xd6lanOsZj9e3lE9Fuy4bU/mZC5KemoeKUXECwb/WHKBDPY7lz8sIiNb2VU9Wq+MfSvwmzzxnphJxlvz3XtCOsSRLmc/mUHEd5KcJUMfe1L8OjjXYn+/oSAnfxD7jKTxVNLWEmuLDzZL7omK1VavnU6kDb1C0nx7123qZguxg1v3+xVMqCZ43iJoxENOxGzaOAA5zDFxXwzMZOthn+4XYQZCC/H9lIl6iIin+/BSG0Mf9310hya7rLywnQBBV3S1/hMc8+UE9B764+Uj7aalqKA+ZlpHY/LsW+Bcz3PqUjlUMeO79bsS67a7wzYKhscgvTBp+4bF0TV2mSxTeEJzBnu8J623YhwZrQTZf94R5de1JCTAXpfLY5KVyIrk0M/bxjcFPDTzaISXHrMXb5/a0FGXHtOY1VgecMP/kmSRdCAAxk/ojrAVaJrfy+bSRPFu5MIsw1UT2RiRRIYmvsGkUC+Fj8ks5Uu76Nni47+ARaclzp4jQFIY0MkIrUFslxscIUvmcVqaeINrbpVI/unqFCWUlwirlfd9krZYM+r3k2gLeF/nv4uUmSP7Sf8/8EA0KyhkGsI7HZ/fsQ2QiGQhQ3p687p2CZ+yklj4fKEmJcfq2JQ3vaqGGBwsxkhu0F81tXcT67WlED2M5BmZ2eDq2dkLqMC6z720S66eSxPLAAunJ1jgEAKN737geMYA9xjMxqCxC"))


3. The third stage had a zip routine, but it was not necessary to decrypt it.

$var1 = array("file1.jpg", "file2.jpg", "file3.gif");
create_zip($var1, "myzipfile.zip", true);


The flag was in an unused variable

$_4fa3332ef3d19e9840387434b8d28780 = "\x6f\156\x6c\171\x62\171\x6f\142\x73\145\x72\166\x69\156\x67\164\x68\151\x73\143\x6f\156\x64\151\x74\151\x6f\156\x77\157\x75\154\x64\164\x68\145\x72\145\x73\165\x6c\164\x73\157\x66\157\x75\162\x77\157\x72\153\x62\145\x72\145\x67\141\x72\144\x65\144\x61\163\x66\165\x6c\154\x79\143\x6f\156\x63\154\x75\163\x69\166\x65\141\x6e\144\x61\163\x68\141\x76\151\x6e\147\x65\154\x75\143\x69\144\x61\164\x65\144\x74\150\x65\156\x6f\162\x6d\141\x6c\143\x6f\165\x72\163\x65\157\x66\164\x68\145\x70\150\x65\156\x6f\155\x65\156\x61";


Flag: onlybyobservingthisconditionwouldtheresultsofourworkberegardedasfullyconclusiveandashavingelucidatedthenormalcourseofthephenomena
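A way to unpack the stage 2 chain and the escaped flag string statically, without running the PHP, as an added example that is not part of the original writeup. The packed sample is constructed here (it is not the challenge blob), and the function names are illustrative.

```python
import base64
import codecs
import re
import zlib


def unpack_layer(blob: str) -> bytes:
    """Static equivalent of gzinflate(base64_decode(str_rot13($blob)))."""
    b64 = codecs.decode(blob, "rot13")   # rot13 leaves digits, +, / and = alone
    return zlib.decompress(base64.b64decode(b64), -15)  # -15: raw DEFLATE


def pack_layer(source: bytes) -> str:
    """Inverse of unpack_layer, used only to build the constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(source) + comp.flush()
    return codecs.encode(base64.b64encode(raw).decode("ascii"), "rot13")


_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")


def decode_php_escapes(literal: str) -> str:
    """Resolve the \\xHH and \\OOO escapes of a PHP double-quoted string."""
    def repl(match):
        if match.group(1):
            return chr(int(match.group(1), 16))
        return chr(int(match.group(2), 8) & 0xFF)
    return _ESCAPE.sub(repl, literal)


# Constructed sample standing in for an obfuscated stage.
SAMPLE_SOURCE = b'<?php $unused = "\\x6f\\156\\x6c\\171"; create_zip($var1, "x.zip", true); ?>'
SAMPLE_BLOB = pack_layer(SAMPLE_SOURCE)

if __name__ == "__main__":
    stage = unpack_layer(SAMPLE_BLOB).decode("ascii")
    print(stage)
    # First escapes of the flag variable quoted in the writeup.
    print(decode_php_escapes(r"\x6f\156\x6c\171\x62\171"))
```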

Level 5: Llun Saving Bank


Llun Saving Bank is fed up with known encryption standards to store the data. They decided to reinvent the wheel. Can you decode the data?

Inside the HTML Source you will find:

Hs Foe vhmmhng un!qrdvdot!Ewhl!btu!nou!@ble> Thdn!id!hr NOU Omoipouenu/!Hs!Id!@ble- cuu!NNU vhllhof>!Thdn!Id!hr!Lamdvoldnu/ Hs Id Cnth @bme and!Vimliog> Tidn Vhdobe Bnldui Ewhl>!Ir hd!Neitidr!@cmd!Oor Villhnf>!Tidn!WHY!ball!him FOE? -!Dqhbtrusongnd



After decrypting it, you will get this text
"Is God willing to prevent Evil but not Able? Then he is NOT Omnipotent. Is He Able, but NOT willing? Then He is Malevolent. Is He Both Able and Willing? Then Whence Cometh Evil? Is he Neither Able Nor Willing? Then WHY call him GOD? - Epicurusongod"


If you diff the encrypted text against the decrypted text character by character, you will see that each byte differs by at most one (+1/0/-1).

It seems that only the last bit matters, so print out the last bit of every character of the encrypted text.
01001100011001010110000101110010011011100010000001101000011011110111011101110100011011110010000001001000011010010110010001100101001000000110100101101110001000000101000001101100011000010110100101101110001000000101001101101001011001110110100001110100

This decodes to the Flag: "Learn howto Hide in Plain Sight"
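The last-bit extraction above, as an added example that is not part of the original writeup. It assumes the challenge text was produced by plain least-significant-bit replacement (embed is a reconstruction, not the organisers' code), uses the decrypted quote as cover text, and confirms the +1/0/-1 observation.

```python
# Cover text and flag are the values quoted in the writeup above.
COVER = (
    "Is God willing to prevent Evil but not Able? Then he is NOT Omnipotent. "
    "Is He Able, but NOT willing? Then He is Malevolent. "
    "Is He Both Able and Willing? Then Whence Cometh Evil? "
    "Is he Neither Able Nor Willing? Then WHY call him GOD? - Epicurusongod"
)
FLAG = "Learn howto Hide in Plain Sight"


def to_bits(message: str) -> list[int]:
    """Bits of an ASCII message, most significant bit first."""
    return [(b >> s) & 1 for b in message.encode("ascii") for s in range(7, -1, -1)]


def embed(cover: str, message: str) -> str:
    """Assumed construction: overwrite the lowest bit of each cover character."""
    bits = to_bits(message)
    if len(bits) > len(cover):
        raise ValueError("cover text too short: one character carries one bit")
    marked = "".join(chr((ord(c) & ~1) | bit) for c, bit in zip(cover, bits))
    return marked + cover[len(bits):]


def extract(stego: str) -> str:
    """Collect the lowest bit of every character and regroup into bytes."""
    bits = "".join(str(ord(c) & 1) for c in stego)
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8)).decode("latin-1")


def max_delta(a: str, b: str) -> int:
    """Largest per-character code point difference between two texts."""
    return max(abs(ord(x) - ord(y)) for x, y in zip(a, b))


if __name__ == "__main__":
    stego = embed(COVER, FLAG)
    print(stego)
    print(extract(stego), "| max delta:", max_delta(COVER, stego))
```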


For corrections and other feedback send me an e-mail to bashrc at intruded dot net
