I participated in WPI 2020 with my team P1rates and was able to solve some cool challenges with them. This is my writeup of some of the challenges I managed to solve during the competition.
Stego
1. Luna
They say the full moon makes people go crazy… hopefully this stego won’t have the same effect on you!
This challenge was the most interesting one I solved during the competition.
It gives us an archive, Luna.tar.xz, which contains an image, 1.png, and another password-protected archive, so you take the moon.zip.
I tried to extract the password hash and crack it with john, but the password seems to be uncrackable, so let's look at the image.
It's just an empty white image with nothing useful in it, so let's run exiftool to check for hidden text.
The image contains some useful metadata, but one field caught my attention, Study Physician: awcIsALegendAndIHopeThisIsAStrongPasswordJackTheRipperBegone.
When I tried to unzip the archive with that password it worked and gave me two more files, Just In Case.png and jut.
The image wasn't useful to me (maybe there is another solution I don't know), but the other file seems interesting. The file command didn't recognize it, so let's look at the magic bytes.
At first I assumed it might be a Photoshop PSD file, since the magic bytes look similar. I tried adding the missing bytes and opening it in Photoshop, but the file looked corrupted. I was stuck at this point for some time, so let's run binwalk to check for embedded files.
There is a zlib stream at offset 0x2d; let's extract it.
Now we have a zlib-compressed file, and the goal is to decompress it and see whether it contains any data. I wrote a bash one-liner that takes the file and decompresses it using the zlib library in Python.
The output looks interesting: a dump of hex bytes. I noticed that the last two bytes are ff d9, so I assumed it is a JPEG image. I searched for the JPEG magic bytes ff d8 ff and found them at line 12, so let's paste the bytes from there on into a hex editor and save them as flag.jpg.
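The three manual steps above (decompress the zlib stream at the binwalk offset, turn the hex dump back into bytes, cut from ff d8 ff to ff d9) can be done in one script. This is an added example and not the writeup's own one-liner; the input it runs on is a constructed stand-in for jut (a dummy header, a zlib stream, a fake JPEG-like payload), and the hex-dump handling is my assumption about how the decompressed data was laid out.

```python
import zlib
from typing import Optional

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image bytes the writeup searched for
JPEG_EOI = b"\xff\xd9"       # end-of-image bytes noticed at the tail of the dump


def inflate_at(blob: bytes, offset: int) -> bytes:
    """Decompress the zlib stream that starts at `offset` (binwalk reported 0x2d for jut).

    decompressobj stops at the end of the stream, so any bytes that follow it
    (they end up in d.unused_data) do not cause an error.
    """
    d = zlib.decompressobj()
    return d.decompress(blob[offset:])


def hexdump_to_bytes(payload: bytes) -> bytes:
    """If the decompressed payload is text made of hex digits and whitespace,
    convert it back to raw bytes; otherwise return it unchanged (assumption:
    the challenge payload was such a hex dump)."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return payload
    compact = "".join(text.split())
    if compact and len(compact) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in compact):
        return bytes.fromhex(compact)
    return payload


def carve_jpeg(data: bytes) -> Optional[bytes]:
    """Return the slice from the first SOI marker to the next EOI marker, or None."""
    start = data.find(JPEG_SOI)
    if start == -1:
        return None
    end = data.find(JPEG_EOI, start + len(JPEG_SOI))
    if end == -1:
        return None
    return data[start:end + len(JPEG_EOI)]


def recover_image(blob: bytes, offset: int) -> Optional[bytes]:
    """Full pipeline: inflate at offset, undo the hex dump, carve the JPEG."""
    return carve_jpeg(hexdump_to_bytes(inflate_at(blob, offset)))


def build_sample() -> bytes:
    """Constructed stand-in for jut: 0x2d bytes of filler, then a zlib stream whose
    decompressed content is a hex dump with a small JPEG-like payload on line 12."""
    fake_jpeg = bytes.fromhex("ffd8ffe000104a46494600") + b"sample" + bytes.fromhex("ffd9")
    lines = ["deadbeef"] * 11 + [fake_jpeg.hex()] + ["cafebabe"]
    hexdump = "\n".join(lines).encode()
    filler = b"X" * 0x2D
    return filler + zlib.compress(hexdump) + b"trailing bytes after the stream"


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:          # usage: python carve.py jut 0x2d
        with open(sys.argv[1], "rb") as f:
            image = recover_image(f.read(), int(sys.argv[2], 0))
    else:
        image = recover_image(build_sample(), 0x2D)
    if image is None:
        raise SystemExit("no JPEG found")
    with open("flag.jpg", "wb") as f:
        f.write(image)
    print(f"wrote flag.jpg ({len(image)} bytes)")
```

Run it with the real file and offset as arguments; without arguments it carves the constructed sample. Searching for the EOI marker only after the SOI marker matters on real dumps, where ff d9 can also occur inside other data.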
Thanks to Jutin, the creator of this challenge.
the flag: WPI{M00N_mOOn}
Crypto
1. Illuminati Confirmed
I’ve intercepted multiple copies of an encrypted message from the leader of the Worcester chapter of
the Illuminati. I think it contains the time of their next meeting. Can you help me decrypt them?
The challenge is very obvious: it gives us c1, c2, c3 and n1, n2, n3 with e=3, so I know it's an RSA challenge with the very famous Chinese Remainder Theorem and Coppersmith attack.
Now the goal is to find C such that C = M^3 mod (n1*n2*n3). Since M is smaller than each ni, M^3 is smaller than n1*n2*n3, so C = M^3 exactly and its cube root M is our message (flag).
Luckily, the sympy library has a method to compute C and get the flag.
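The CRT-then-cube-root computation, written out as an added example (not the writeup's own sympy call): the CRT is implemented by hand so the script runs without sympy, the cube root is taken with exact integer arithmetic, and the moduli and ciphertexts come from a constructed sample (three well-known Mersenne primes standing in for the challenge's n1, n2, n3), not from the challenge data.

```python
from typing import List, Tuple

E = 3  # public exponent from the challenge


def crt(residues: List[int], moduli: List[int]) -> Tuple[int, int]:
    """Chinese Remainder Theorem for pairwise coprime moduli.

    Returns (x, N) with x == residues[i] (mod moduli[i]) for every i and
    N = product of the moduli. Same computation sympy's crt performs.
    """
    N = 1
    for n in moduli:
        N *= n
    x = 0
    for c, n in zip(residues, moduli):
        Ni = N // n
        x += c * Ni * pow(Ni, -1, n)   # pow(a, -1, n) is the modular inverse (Python 3.8+)
    return x % N, N


def icbrt(x: int) -> int:
    """Smallest integer r with r**3 >= x, by binary search.

    Exact for arbitrarily large ints, unlike x ** (1/3), which loses precision
    well before RSA-sized numbers.
    """
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)   # hi**3 > x
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo


def hastad_recover(ciphertexts: List[int], moduli: List[int]) -> bytes:
    """Combine c_i = M^3 mod n_i into C = M^3 mod (n1*n2*n3) and take the cube root.

    Because M < n_i for every i, M^3 < n1*n2*n3 and C is M^3 itself.
    """
    C, _ = crt(ciphertexts, moduli)
    m = icbrt(C)
    if m ** 3 != C:
        raise ValueError("C is not a perfect cube: M^3 is not below the modulus product, "
                         "or the ciphertexts do not share one message")
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def make_sample(message: bytes) -> Tuple[List[int], List[int]]:
    """Constructed sample: three pairwise coprime moduli (Mersenne primes, chosen so the
    example is deterministic and offline) and the ciphertexts c_i = M^3 mod n_i."""
    moduli = [(1 << 127) - 1, (1 << 521) - 1, (1 << 607) - 1]
    M = int.from_bytes(message, "big")
    if not all(M < n for n in moduli):
        raise ValueError("message must be smaller than every modulus")
    return [pow(M, E, n) for n in moduli], moduli


if __name__ == "__main__":
    cs, ns = make_sample(b"WPI{crt_demo}")
    print(hastad_recover(cs, ns))
```

The perfect-cube check is the practitioner's sanity test: if it fails, either the message was not below every modulus (so C is only M^3 reduced mod the product) or the three ciphertexts do not encrypt the same message.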
Converting the resulting integer to its ASCII characters gave the flag: WPI{Ch1n3s3_R3M@ind3R_Th30r3m_!_}.
Reverse
1. NotWannasigh
Please help! An evil script-kiddie (seriously, this is some bad code) was able to get this ransomware
“NotWannasigh” onto one of our computers. The program ran and encrypted our file “flag.gif”.
These are the resources we were able to gather for you:
the note left behind by the ransomware. I’m not sure you’ll find anything useful here
ransomNote.txt
a packet capture that our IDS isolated, it seems that the program has some weird form of data
exfiltration
192-168-1-11_potential-malware.pcap
We need you to reverse the malware and recover our flag.gif file. Good luck!
A note from the creator: Shoutout to Demonslay335 for challenge inspiration - he’s done some awesome
work in fighting ransomware. Also, the ransomware in this challenge is programmed to only target files
named “flag.gif” so you shouldn’t need to worry about the accidental execution, I just zipped it out
of habit/good practice. Have fun and happy hacking!
This challenge was a little easy for me. It gives us a network traffic pcap file, a binary, a text note, and the encrypted flag file. The goal is to debug the binary, see what it does, and reverse the encryption process. Let's open the binary in IDA and see what it looks like.
I noticed a main function with some heavy code, so let's analyze it. Lines 26 to 52 just seed srand with the current time, try to connect to a socket at address 108.61.127.136, and send the seed value. That is very interesting, because the same seed produces the same sequence of random values.
Lines 54 to 58 open the flag.gif file in read mode, save the file size in v19, and print it.
Lines 63 to 66 produce the random values and put them into an integer array v17 of the same size as flag.gif.
Lines 72 to 80 read each value from the file, XOR it with the corresponding random value from array v17, append the result to an array v15, then close the file and remove it.
The last lines, 81 to 92, open a new file flag-gif.EnCiPhErEd in write mode, write each value of the array v15 into it, close the file, and open another file to write the text note.
Now, let’s see the seed value in the pcap file.
I assumed the seed value is 1585599106, and checking it with date gives the actual time when the program ran.
Now that I have the seed and the encrypted flag file, let's write some code to reverse the process and recover flag.gif.
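Because the encryption is plaintext XOR rand() after srand(seed), decryption is the same XOR with the same keystream. The script below is an added example, not the writeup's own code: it reimplements glibc's rand() in pure Python (the TYPE_3 additive feedback generator, so it does not depend on calling a C library) and uses the seed recovered above. Two things are assumptions rather than facts from the page: that the binary is linked against glibc, and that each file byte was XORed with one rand() value and stored as a single byte, so only the low 8 bits of each rand() value matter. The sample ciphertext it decrypts is constructed, not the challenge file.

```python
from typing import List

# Seed recovered from the pcap in the writeup (the value sent to 108.61.127.136).
SEED = 1585599106


def glibc_rand_stream(seed: int, count: int) -> List[int]:
    """Reproduce the first `count` values glibc's rand() returns after srand(seed).

    glibc fills 31 state words with a 16807-multiplier LCG, then extends them with
    r[i] = r[i-31] + r[i-3] (mod 2^32); srand discards the first 310 outputs and each
    output is a state word shifted right by one bit.
    """
    seed &= 0xFFFFFFFF
    if seed == 0:
        seed = 1                      # glibc substitutes 1 for a zero seed
    r = [seed]
    for i in range(1, 31):
        r.append((16807 * r[i - 1]) % 2147483647)
    for i in range(31, 34):
        r.append(r[i - 31])
    out = []
    for i in range(34, 344 + count):
        r.append((r[i - 31] + r[i - 3]) & 0xFFFFFFFF)
        if i >= 344:                  # outputs 0..309 are the ones srand throws away
            out.append(r[i] >> 1)
    return out


def xor_with_rand_stream(data: bytes, seed: int) -> bytes:
    """XOR each byte with the low byte of the matching rand() value.

    Assumption (not stated on the page): one rand() value per file byte, stored as a
    byte, so only rand() & 0xFF affects the output. XOR is its own inverse, so this
    one function both encrypts and decrypts.
    """
    keystream = glibc_rand_stream(seed, len(data))
    return bytes(b ^ (k & 0xFF) for b, k in zip(data, keystream))


def recover_flag_gif(ciphertext: bytes, seed: int = SEED) -> bytes:
    """Decrypt flag-gif.EnCiPhErEd and check that a GIF header came back."""
    plaintext = xor_with_rand_stream(ciphertext, seed)
    if not plaintext.startswith(b"GIF8"):
        raise ValueError("no GIF header after decryption: wrong seed, libc, or byte masking")
    return plaintext


def build_sample_ciphertext() -> bytes:
    """Constructed stand-in for flag-gif.EnCiPhErEd: a fake GIF encrypted under SEED."""
    fake_gif = b"GIF89a" + bytes(range(64))
    return xor_with_rand_stream(fake_gif, SEED)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:             # usage: python recover.py flag-gif.EnCiPhErEd
        with open(sys.argv[1], "rb") as f:
            gif = recover_flag_gif(f.read())
        with open("flag.gif", "wb") as f:
            f.write(gif)
        print(f"wrote flag.gif ({len(gif)} bytes)")
    else:
        print(recover_flag_gif(build_sample_ciphertext())[:6])
```

The GIF header check is what tells you whether the three assumptions (seed, libc flavour, byte masking) all held: a wrong seed or a different rand() implementation produces a different keystream and the first bytes will not read GIF8. The generator can be cross-checked against a local glibc with srand(1): the first three rand() values are 1804289383, 846930886 and 1681692777.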
And the flag: WPI{It_always_feels_a_little_weird_writing_malware}