Published on

de.ci.phe.red Lab CTF 2023

Authors

CTF 2023

I participated in a Capture the Flag event conducted by de.ci.phe.red Labs as a team Kind Pandas alongside my teammates Aditya Sankhla and Ravinder Sharma.

Format

  • 22 hours hacking phase
  • 10 total questions
  • team of 3
  • Dynamic scoring based on first to solve

Anecdote Time!

We were so much caught by the spirit of doubting and over analysing everything present, that when the organising team circulated a doubt form in which we had to submit if we had any issues regarding the problem statements.

We were dead sure that a hint would be present somewhere or the other.

In the form an image was present randomly outta nowhere and we smirked collectively as all of us synchonously thought that a hint or a secret flag must be present inside.

We binwalk-ed the image and a zlib folder was present but the special part about this was that the folder name was 29. (Spoiler alert) 29 was something closely related to the PRESENT problem statement.

So we thought something must be present inside. We unzipped the zlib using the command zlib-flate -uncompress < your_file.zlib > output_file but the file was matching no format.

We opened the file in hexedit and found the format to be .Apw an extension used in Windows for a password manager!

One of my teammate quickly switched from Ubuntu to Windows and bought a paid password manager decryptor tool for free using fake credit card bins.

When he opened the tool said that the file requires a password to open. Then in the form for doubts, we confidently asked the question What is the password to the .Apw file and felt like Sherlock :)

But when I called the organising team and told them about the whole anecdote, they started laughing nomadically and told us that it was a RANDOM SCREENSHOT from internet and we should calm down a bit with these conspiracy theories and and called it a day :(

Though it was very fun for sure, lol. )

Challenges

  • PRESENT : I am officially Doronophobic now.
  • Time Schedule : All teammates had prior commitments so were not able to devote a lot of time, even if wanting too.

PRESENT

The hardest question by far in the whole contest was PRESENT, which made me Doronophobic.

Here's the problem statement for anyone wanting to try it out.

Present
100
Problem Statement
You are given a ciphertext that has been encrypted with 31 rounds of PRESENT
Can you find the flag hiding inside the present :gift:

HINT 1
Use the oracle to get potential values of the masterkey

Get the docker image here

About the PS

In the given environment all these were present:

  • ciphertext.txt (Most prob the encoded flag)
  • an executable oracle file which took an integer input and gave a master key accordingly.
  • AmIaHint Folder which consisted of:
    • a riddle
    • 64 folders of this-that with a number inside eveyone.

Here's the riddle text

In the realm of bytes, I'm a bit askew
Different in number, maybe its true

I dance with fewer, just seven in line
Give me more space, for a total of nine

If a byte of mine, is not eight bits wide
Where in this world, would I be able to hide

Somewhere in the middle, me you would discover
But alas, I need to leave behind a brother
Our approach
  • We figured out that in those this-that folders, 7, 9, 63 were marked as executable. So these numbers are important.
  • From the riddle it was observable that the 7-bit thingey must be ASCII.
  • So 63 must be the number to input to the oracle for masterkey.
  • From the title of the problem, we got to know that PRESENT encoder has been used.
  • We wrote down the code for PRESENT decoder by referring to this research paper
  • The code was working fine for the test cases.
  • We took the masterkey and the ciphertext and decoded it with rounds set as 31.

Now after this is where we went wrong.

  • We interpreted that the somewhere in the middle line of the riddle symbolizes that we gotta filter some bits out of the binary that we generated, we tried out removing bits, adding paddings, using caeser ciphers (flipping bits in parts), etc.
  • Apparently, the riddle symbolized that we need to stop somewhere in the middle of the PRESENT cipher and try and test our way out.

Results

We ended up winning! Results

That too with a decent lead of 5 points, which is significant considering the number of questions were relatively low. Shout out to RTFM (Readers of the friendly manual) and Team !Flag for the tight contest though, and congrats for finishing on the top, just behind us though :)

Tips and Tricks

In case you are going to participate in a CTF any time soon, here are some tools and tricks I found useful.

  • If you have received a file in the PS, do these first atleast:

    • cat filename (See the data in case there are any hints)
    • file filename (Maybe the metadata might help)
    • binwalk filename (see if something is hidding binwalk -e for extracting)
    • strings filename

  • If you received a file is corrupted or the above didnt help.

    • Open the file using this tool hexed.it , and try to extract info from the header

  • any thing ending with == might potentially be base64 encoded. fiddle with this tool

  • If you have a pcap file open with Wireshark and try to find anything unusual, do keep in mind if the about packet length and see if it is matching or not.

  • A lot of questions are just about basic manipulation with the scripts. So do have command over basic scripting.

  • Practice here

Discuss on TwitterView on GitHub