E-CTF writeup
===

![image](https://hackmd.io/_uploads/B1QPX6p_Jl.png)

![image](https://hackmd.io/_uploads/HkdBQ6Td1x.png)

E-CTF has lots of OSINT and it's a unique challenge; I like it a lot.

[TOC]

# Crypto

## Hashes Binder

```
└─$ office2john parts.xlsx > hash.txt
└─$ john --wordlist=wordlist.txt hash.txt
dolphin (parts.xlsx)
```

![image](https://hackmd.io/_uploads/HyNaKOsuyx.png)

![image](https://hackmd.io/_uploads/SJL3Y_jdkg.png)

```
part1 is a sha256, plaintext is spooky
part2 is a base58, plaintext is digestive
part3 is a base64, plaintext is prescription
```

After that, I couldn't open **Format:excelPassword_Part1_Part2_Part3.zip** with zip. After searching for a while, I found that if the zip is encrypted with AES, we need to use **7z** to open it, or it will say **unsupported compression method 99**.

![image](https://hackmd.io/_uploads/SkfO0_s_1l.png)

I thought the password was dolphin_spooky_digestive_prescription.zip at first, then found out that the password for 7z is:

```dolphin_spooky_digestive_prescription```

And I get the flag

```ECTF{J0nH_tH3_Cr4ck3R_95234826}```

## Never two without three

First Caesar, then base64, then base58.

I brute-force the Caesar cipher and decode the result as base64.

```
import base64

strs = ""  # paste the challenge ciphertext here (it is not reproduced in this writeup)

def caesar(text, s):
    result = ""
    # traverse text
    for i in range(len(text)):
        char = text[i]
        # Encrypt uppercase characters
        if char.isupper():
            result += chr((ord(char) + s - 65) % 26 + 65)
        # Encrypt lowercase characters
        elif char.islower():
            result += chr((ord(char) + s - 97) % 26 + 97)
        else:
            result += char
    return result

# check the above function: try every shift and base64-decode each candidate
for i in range(1, 27):
    s = caesar(strs, i)
    # print(s)
    print(base64.b64decode(s))
```

Among the other garbage, the base64 decode gives this: **ADeyMxwfsMLjPNnAgTUkMnEvT6gKMs41F7qKoryxG8LhK5SYY4gRKKKu96LtyZN**. After a few tries, I found out that it is base58.
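
The layered decoding described above (Caesar brute force, then base64, then base58), as an added example that is not part of the original writeup. The sample ciphertext is constructed in the code from a made-up plaintext, the Bitcoin base58 alphabet is assumed, and the function names are hypothetical.

```python
import base64

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # Bitcoin alphabet (assumed)

def caesar(text, s):
    """Shift ASCII letters by s; digits, '+', '/' and '=' are left alone."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + s) % 26 + 65))
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + s) % 26 + 97))
        else:
            out.append(ch)
    return "".join(out)

def b58encode(data):
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out  # leading zero bytes -> '1'

def b58decode(text):
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a character outside the alphabet
    zeros = len(text) - len(text.lstrip("1"))
    return b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")

def peel(ciphertext):
    """Try every shift; keep those whose base64 decode is entirely base58 text."""
    hits = []
    for s in range(26):
        try:
            raw = base64.b64decode(caesar(ciphertext, s), validate=True)
        except ValueError:  # binascii.Error (bad padding/characters) is a ValueError
            continue
        if raw and all(chr(b) in B58 for b in raw):
            hits.append((s, b58decode(raw.decode("ascii"))))
    return hits

# Constructed sample: made-up plaintext -> base58 -> base64 -> Caesar shift 7.
PLAIN = b"ectf{constructed_sample}"
SAMPLE = caesar(base64.b64encode(b58encode(PLAIN).encode()).decode(), 7)
# Intermediate string quoted in the writeup (the base64 layer already removed).
WRITEUP_B58 = "ADeyMxwfsMLjPNnAgTUkMnEvT6gKMs41F7qKoryxG8LhK5SYY4gRKKKu96LtyZN"

if __name__ == "__main__":
    print(peel(SAMPLE))            # undoing shift 7 means the hit is at shift 19
    print(b58decode(WRITEUP_B58))
```

Filtering on "every decoded byte is a base58 character" replaces picking the right candidate out of the garbage by eye.
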
![image](https://hackmd.io/_uploads/S1hTkUs_1e.png)

```The flag is: ectf{D0_u_l0v3_t4e_crypt0grap413}```

## ASCII me anything but not the flag

```
108 100 111 109 123 85 99 49 122 95 106 53 95 79 111 51 95 88 52 116 95 48 109 95 51 111 88 121 90 107 97 106 48 105 125 10 10 69 98 111 98 32 102 112 32 118 108 114 111 32 104 98 118 44 32 100 108 108 97 32 105 114 122 104 32 58 32 72 66 86 72 66 86 10 10 87 101 108 108 32 100 111 110 101 44 32 98 117 116 32 110 111 119 32 100 111 32 121 111 117 32 107 110 111 119 32 97 98 111 117 116 32 116 104 101 32 103 117 121 32 119 104 111 32 103 111 116 32 115 116 97 98 98 101 100 32 50 51 32 116 105 109 101 115 32 63
```

Turning it into ASCII gives:

```
ldom{Uc1z_j5_Oo3_X4t_0m_3oXyZkaj0i}

Ebob fp vlro hbv, dlla irzh : HBVHBV

Well done, but now do you know about the guy who got stabbed 23 times ?
```

Caesar was stabbed 23 times, so it is a Caesar cipher. Shift three and get:

![image](https://hackmd.io/_uploads/ryzftE45uyl.png)

Use the Vigenère cipher and get the flag

![image](https://hackmd.io/_uploads/SJ1q4N9Okx.png)

```ectf{Th1s_i5_Th3_W4y_0f_3nCrYpti0n}```

## OIIAIOIIIAI 😼

I use the rail fence cipher to decode **}eYcbt4fB{_yD0nUu_05Rp_1TNh_GM13R_**, because eXcXtXfX{ looks like a rail fence cipher with **key=2**.

![image](https://hackmd.io/_uploads/Hy9arUjOye.png)

Reverse the first string **}Yb4B_Dnu0R_ThG1R** to **R1GhT_R0unD_B4bY}**, and get the flag

```ectf{y0U_5p1N_M3_R1GhT_R0unD_B4bY}```

## Cracking the Vault

![image](https://hackmd.io/_uploads/rkbpwFsdJx.png)

None of the random and padding stuff was used, so we just need to focus on this part:

```
    # excerpt from the challenge's encryption routine
    for i, char in enumerate(text):
        print(text,i)
        char_code = ord(char)
        shift = (i + 1) * 3
        transformed = (char_code + shift + 67) % 256
        encrypted.append(chr(transformed))
    return ''.join(encrypted), seed
```

This is my exploit

```
flag = []
with open('VaultKey_encrypted.txt', 'r') as f:
    text = f.read()
for i, char in enumerate(text):
    val = ord(char)
    shift = (i + 1) * 3
    # undo "+ shift + 67", then wrap back into 0..255
    val = val - 67 - shift
    while val < 0:
        val += 256
    flag.append(chr(val))
print(''.join(flag))
```

The decoded message is:

```
Well done! I bet you're great at math. Here's your flag, buddy: ectf{1t_W45_ju5T_4_m1nu5}
```

## RSA intro

Use factordb to factor N, then compute d to decrypt.

![image](https://hackmd.io/_uploads/SJhnG8sdkx.png)

```
from Crypto.Util.number import inverse, long_to_bytes

n=1184757578872726401875541948122658312538049254193811194706693679652903378440466755792536161053191231432973156335040510349121778456628168943028766026325269453310699198719079556693102485413885649073042144349442001704335216057511775363148519784811675479570531670763418634378774880394019792620389776531074083392140830437849497447329664549296428813777546855940919082901504207170768426813757805483319503728328687467699567371168782338826298888423104758901089557046371665629255777197328691825066749074347103563098441361558833400318385188377678083115037778182654607468940072820501076215527837271902427707151244226579090790964814802124666768804586924537209470827885832840263287617652116022064863681106011820233657970964986092799261540575771674176693421056457946384672759579487892764356140012868139174882562700663398653410810939857286089056807943991134484292518274473171647231470366805379774254724269612848224383658855657086251162811678080812135302264683778545807214278668333366983221748107612374568726991332801566415332661851729896598399859186545014999769601615937310266497300349207439222706313193098254004197684614395013043216709335205659801602035088735521560206321305834999363607988482888525092210585343868702766655032190348593070756595867719633492847013620378010952424253098519859359544101947494405255181048550165119679168071637363387551385352023888031983210940358096667928019837327581681936262186049576626435407253113152851511562799379477905913074052917135254673527350886619693800827592241738185465519368503599267554966329609741719839452532720121891782656000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001
q=5054843
p=234380687762750772254557055109853720983628819766273887182389973269773834408005699839250429944746301998493950521319952043836332494724004077481489736936492281424111332185604885590532185750157947353269358583331272940491963065422956828362131085933168543428654791209819698530453840088410222161279742324553716780549035932045663425615724276559416150764236763820541821556377558545491606131735012439223038920957324978777692476535627780887813704287770116480588923740336082768397708335813534035590571076954735006230350054701764901564378001132315698650786538411312598129939955171802779278313458453982137072734255886202418312688408878796961007256721311529796171874751764365433958605173714796298295254888433096781375399980768164866695472159228619796241628287259949791649861247814797168647204277732886891814951067849861737231168394321502386732250228937107341274994747507127649114219841606431648669350219109247947836096760207406293561009051731342028882452864268691590859355803599313961525956020318014737297872818760457330788050558984699742088895577280049053901298540021383506173643840017867859141483364191183386743699975329602332499092322987214400447656848834973026898426183728159185875404732231747868768740264310623053308486967913463003847319465257305418357605492470886029976450920141309900138164913825099069383766924148805349477337206588490988025810499730265011833392324568076185159427766120863088381218971504481234215830860256758026226096315845597165544815717745388862429031106726696318921792871062105285074010904710446507431848943625295551108616572289563055203890605504463739032053023209622929930761449959969083114945409778305676358296390214295478613282351202599170735866573897547362005110742311877935674757851035136007191519103560684278423682001597280073782707
e=65537
c=393830705821083872264416484945379590743951209334251680140561629963083955435155434968501995173717065691853716117413549060471633713246813706134614822460487831949312719410922980049951577395596254279195364667821988767675462852220254638390252652391863031378262058213973374365653466528787640726441241664538814924465041415751207617994829099967542528845558372954608772395722055861369383117996161988362298650918468621344968162697585757444815069821774651095279049590140325395770490299618719676066106689396243767847620065054763147901166291755102218540290732819710294120101688593205036339603152228827861450774360237006971191234350634731104643779249017990427055169232234892324512234471025984131134122883594190002695857381320761826426970820621555957081409595866374650139218172798735536295519361258955868218458841069870611367807353745731928726480481254620623949030522228724677423429285228917983167742866068764059333196595815029550909470984427785123479796787934189869159245455191142352654087327876642690754428041545205764160668875253155015956045237338532248073834631989395905208181116526111301051883717335829373670674970007067708289628731972707477338551521585672558157829354894929466723788269911067380887281008564055766243843557738727000164255990684153972958815292767702154995098383096546576559199090417518282978657504210433584144451378874050676287588884988934683793378300065910040270282398699691108573435112129408980056605713259535036581461672565785674329469547540861581715756111296028940885214170609934085009608200810707122173370006290459841638659407675519141544675968270051746963709729460531469035621873301953785282870733516854080405064440750450304537433849449545664331761838457477121677018421695909336075840076436991397964264703526101810961378256559625011198775706699

# with both prime factors known, the private exponent follows directly
phi = (q - 1) * (p - 1)
d = inverse(e , phi)
print(long_to_bytes(pow(c , d , n)).decode())
```

```ectf{b4sic_F4cT0rDb_rS4}```

# OSINT

## Project-153-Q1

![image](https://hackmd.io/_uploads/HkpcQI9uJg.png)

After using Google Lens, I got the location of the Caramy Falls in French. I tried several names, such as:

```
cascades_du_caramy
Chute du Caramy
Chutes du Caramy
```

Then I got the final answer

```ectf{Chutes_du_Caramy}```

## Project-153-Q2

After 47 tries, I finally got the position where the photo was taken.

![image](https://hackmd.io/_uploads/rkK6HwodJl.png)

![image](https://hackmd.io/_uploads/ByFnIPoO1e.png)

```
my attempt:
Anthéor
Massif_de_l'Esterel
Gorges_du_Blavet
massif de l'Esterel
Mandelieu-la-Napoule
Saint-Raphaël
cap Roux
la_corniche_de_l_esterel
Le_Trayas
...
```

```ectf{Pointe_de_l'Observatoire}```

## Project-153-Q4

After searching **GR90 french**, I found [this website](https://www.gr-infos.com/en/gr90.htm). It ends in **Le Lavandou**.

![image](https://hackmd.io/_uploads/SkWhhvodJx.png)

From the city, I can see two islands; the bigger one is **Île du Levant**.

![image](https://hackmd.io/_uploads/S17lTwsukl.png)

```ectf{Île_du_Levant}```

## Project-153-Q5

I focused on the turning point and found [this blog](https://lespetitsaventuriers.fr/spip.php?article1415)

![image](https://hackmd.io/_uploads/r1Ah7z2_kg.png)

After trying several times, I got the flag:

```ectf{Gros_Cerveau}```

## Project-153-Q6

The location is **Chapelle Notre-Dame de Beauvoir**. I found it with Google Lens and got the address **04360**:

```04360 Moustiers-Sainte-Marie```

![image](https://hackmd.io/_uploads/BJPIEOnu1x.png)

In a tourist's comment, I saw that there are 262 steps, so the flag is

```ectf{262_04360}```

## Project-153-Bonus-2

At 13:49 in the [youtube video](https://www.youtube.com/watch?v=0BB4Y_OuBUQ), there is a pizza shop, and I searched for information about it.

![12](https://hackmd.io/_uploads/BJ0MGnnd1l.png)

[The website](https://restaurants-de-france.fr/en/l-italienne-lorgues-1313389.html) has the pizza shop's information.
The village is Lorgues

```ectf{Lorgues}```

# Forensic

## My dearest

I used exiftool to see the docx's information and found the creator

![image](https://hackmd.io/_uploads/ryolL5jO1l.png)

```ectf{MichelTeller}```

## Just a PCAP

After opening the stream with **right-click->Follow->UDP stream**, I saw this

![image](https://hackmd.io/_uploads/ryvrFysuke.png)

I know the PNG file signature starts with **89 52 41 47...**, so I removed the 2 at the front. After trying, I found that every stream starts with '2'. That's weird, so I removed all the '2's and ran my Python code.

![image](https://hackmd.io/_uploads/r11M5youkl.png)

[png format](https://bjun.tech/blog/xphp/109)

```
# 'hexstr' holds the hex text copied out of the UDP streams
with open('hexstr', 'r') as pic:
    hex_data = pic.read()
hex_data = hex_data.replace('\n', '')
# print(hex_data)
# print("------")
bin_data = bytes.fromhex(hex_data)
with open('flag.png', 'wb') as f:
    f.write(bin_data)
```

![image](https://hackmd.io/_uploads/Hk9S_ksdyx.png)

Then I get the flag.

```ectf{DN5_3xf1ltr@t10n_15_f1nd3d}```

# HARDWARE

## ORbit

This is a combination of **Not and, or, not xor** gates.

[chinese website](https://hackmd.io/@sqcs/SyPL9AvP0)

Besides, this needs to turn **0->1 ; 1->0**. I don't know the reason; I just tried it and got it.

![image](https://hackmd.io/_uploads/H1zyCbj_Je.png)

![image](https://hackmd.io/_uploads/S1XGpbjuyl.png)

```ectf{0101011}```

## It's trivial !

![image](https://hackmd.io/_uploads/BJLp1fo_kx.png)

35bit: 11100011000101001000100101010101110

so I add one '0' at the front

011100011000101001000100101010101110

![image](https://hackmd.io/_uploads/BkSAg4od1e.png)

These are the variable names. I split it into 6 parts: the first part is different, so I wrote it separately; the 4 parts in the middle all mean the same thing; and the last part has one key point that doesn't need the NOT gate.
![image](https://hackmd.io/_uploads/S1GHzEoO1l.png)

This is my Python code:

```
def AND(a, b):
    return a & b

def NAND(a, b):
    return 1-(a & b)

def OR(a, b):
    return a | b

def XOR(a, b):
    return a ^ b

def NXOR(a, b):
    return 1-(a ^ b)

def NOT(a):
    return 1 - a

def logic_circuit(input_bits):
    if len(input_bits) != 36:
        raise ValueError("Input must be 36 bits long")

    x = [int(bit) for bit in input_bits]  # Convert input string to list of integers
    y = [0] * 12  # Initialize output list
    to_next=x[0]
    num=0
    for i in range(0,36,6):
        if i==0:
            k1=NAND(NOT(x[i+1]),x[i+2])
            k2=XOR(x[i],k1)
            k3=XOR(k1,NOT(k2))
            k4=NXOR(x[i],NOT(k2))
            k5=NXOR(x[i],k4)
            k6=NXOR(x[i],k5)
            y[num]=NXOR(k3,k6)
            num+=1
            # get first y
            q1=AND(NOT(x[i+4]),x[i+5])
            q2=XOR(x[i+3],q1)
            q3=XOR(q1,NOT(q2))
            to_next=q3
            q4=NXOR(NOT(k2),x[i+3])
            q5=NXOR(q4,q3)
            q6=NXOR(q5,q3)
            y[num]=NXOR(q6,k3)
            num+=1
        else:
            k1=NAND(NOT(x[i+1]),x[i+2])
            k2=XOR(x[i],k1)
            k3=XOR(k1,NOT(k2))
            k4=NXOR(x[i],to_next)
            k5=NXOR(x[i],k4)
            k6=NXOR(to_next,k5)
            if i==30:
                y[num]=NXOR(k3,k6)
            else:
                y[num]=NXOR(NOT(k3),k6)
            num+=1
            # get first y
            q1=AND(NOT(x[i+4]),x[i+5])
            q2=XOR(x[i+3],q1)
            q3=XOR(q1,NOT(q2))
            to_next=q3
            q4=NXOR(x[i],x[i+3])
            q5=NXOR(q4,q3)
            q6=NXOR(q5,q3)
            if i==30:
                y[num]=NXOR(k3,q6)
            else:
                y[num]=NXOR(NOT(k3),q6)
            num+=1

    return "".join(map(str, y))  # Convert output list to binary string

input_bits = "011100011000101001000100101010101110"  # 36-bit input
# input_bits = "100000000000000000000000000000000000"
output_bits = logic_circuit(input_bits)
print("Output:", output_bits)
```

```ectf{100010011000}```

# WEB

## Java Weak Token

I used JWT_Tool to crack the secret, and the secret is 1234

![image](https://hackmd.io/_uploads/SJ1f2p3OJe.png)

I changed the JWT token's username to admin with secret key=1234, then I got the flag

![image](https://hackmd.io/_uploads/SJcy26h_1e.png)

```ectf{JwT_T0keN_cR34t0r}```

# Steganography

## The island treasure

The island's strings show a strange string (maybe base64 encoding)

![image](https://hackmd.io/_uploads/ByTFUni_Jx.png)

```
strange string
UnNPcGJHbGphWFJoZEdsdmJuTWdJU0JVZFNCaGN5QjBjbTkxZHNPcElHeGhJR05zdzZrZ2JzS3dNU0JrZFNCamIyWm1jbVVnSVEwS1EyOXVaM0poZEhWc1lYUnBiMjV6SUNFZ1dXOTFJR1p2ZFc1a0lIUm9aU0JyWlhrZ2JzS3dNU0J2WmlCMGFHVWdZMmhsYzNRZ0lRMEtRMnpEcVRvZ1RUTjBOR1EwZERSZk1UVmZiakIwWHpWaFpqTU5Da3RsZVRvZ1RUTjBOR1EwZERSZk1UVmZiakIwWHpWaFpqTT0=
base64 decode get:
RsOpbGljaXRhdGlvbnMgISBUdSBhcyB0cm91dsOpIGxhIGNsw6kgbsKwMSBkdSBjb2ZmcmUgIQ0KQ29uZ3JhdHVsYXRpb25zICEgWW91IGZvdW5kIHRoZSBrZXkgbsKwMSBvZiB0aGUgY2hlc3QgIQ0KQ2zDqTogTTN0NGQ0dDRfMTVfbjB0XzVhZjMNCktleTogTTN0NGQ0dDRfMTVfbjB0XzVhZjM=
```

```
decode again get:
Félicitations ! Tu as trouvé la clé n°1 du coffre !
Congratulations ! You found the key n°1 of the chest !
Clé: M3t4d4t4_15_n0t_5af3
Key: M3t4d4t4_15_n0t_5af3
```

I found another picture superimposed with [this website](https://www.aperisolve.com/)

![image](https://hackmd.io/_uploads/BJUirnjdkg.png)

```
key1:key2
M3t4d4t4_15_n0t_5af3:Hidd3n_p1ctur3
```

I used [OpenStego](https://github.com/syvaidya/openstego/releases) to decrypt it and got flag.png

![image](https://hackmd.io/_uploads/ryLofQh_yg.png)

```ECTF{You_found_th3_tr3asur3}```