# BCACTF 5.0 ## Misc ### 1. Discord: - Flag:`bcactf{w3lc0m3_t0_bC@c7F_5_fby4uf4dijreferuvg}` ## Forensics ### 1. Sea Scavenger: - Link : http://challs.bcactf.com:31314/ - http://challs.bcactf.com:31314/shark - `<!-- You found the shark! Part 1 of the flag: "bcactf{b3" -->` - http://challs.bcactf.com:31314/squid - `console.log("You found it! Here's the second part of the flag: \"t_y0u_d1\"");` - http://challs.bcactf.com:31314/clam - `dnt_f1n` - http://challs.bcactf.com:31314/shipwreck - `Flag_Part_4: d_th3_tr` - http://challs.bcactf.com:31314/whale - `Part 5 of the flag: "e4sur3"` - http://challs.bcactf.com:31314/treasure - `Maybe this treasure was left here by robots...` - Access to robots.txt: - `You found the rest of the flag! _t336e3}` - Flag: `bcactf{b3t_y0u_d1dnt_f1nd_th3_tre4sur3_t336e3}` ### 2. 23-719: - https://arcs-s3-repo.nyc3.cdn.digitaloceanspaces.com/23-719/23-719_19m2.pdf - Download file and open it: - It's a PDF Document with 20 page. - Ctrl + F to find the flag: - ![Screenshot from 2024-06-14 23-12-47](https://hackmd.io/_uploads/SJmznJ9r0.png) - Double click we can see that : - ![Screenshot from 2024-06-14 23-14-19](https://hackmd.io/_uploads/Bykt3JcBC.png) ![Screenshot from 2024-06-14 23-14-30](https://hackmd.io/_uploads/SJlc3kqrC.png) - Two part of the flag is encrypted. - Double click on it and copy. - Flag: `bcactf{rEAl_WOrLd_appLIc4t1ons_Of_cTf_ad04cc78601d5da8}` ## Rev ### 1. Flagtureiser: - https://arcs-s3-repo.nyc3.cdn.digitaloceanspaces.com/flagtureiser/flagtureiser-4.2.0.6.9.jar - Use jadx-gui to decompile it: - ![Screenshot from 2024-06-14 22-29-54](https://hackmd.io/_uploads/HyOWG1cr0.png) - Flag: `bcactf{fRaCtur31s3R_sT8gE_z3R0}` ### 2. XOR: - https://arcs-s3-repo.nyc3.cdn.digitaloceanspaces.com/xor/xor - `nc challs.bcactf.com 32411` - Use Ghidra: ``` undefined8 main(void) { FILE *__stream; undefined8 uVar1; size_t __n; void *__ptr; void *__ptr_00; __stream = fopen("flag.txt","r"); if (__stream == (FILE *)0x0) { puts("Failed to open flag file. Make sure flag.txt exists."); uVar1 = 1; } else { fseek(__stream,0,2); __n = ftell(__stream); fseek(__stream,0,0); __ptr = malloc(__n + 1); if (__ptr == (void *)0x0) { puts("Memory allocation failed for input."); fclose(__stream); uVar1 = 1; } else { fread(__ptr,1,__n,__stream); *(undefined *)((long)__ptr + __n) = 0; fclose(__stream); __ptr_00 = malloc(__n * 3 + 1); if (__ptr_00 == (void *)0x0) { puts("Memory allocation failed for output."); free(__ptr); uVar1 = 1; } else { xorEncrypt(__ptr,__ptr_00,__n); printf("Encrypted flag: %s\n",__ptr_00); free(__ptr); free(__ptr_00); uVar1 = 0; } } } return uVar1; } void xorEncrypt(long param_1,long param_2,ulong param_3) { ulong local_18; for (local_18 = 0; local_18 < param_3; local_18 = local_18 + 1) { sprintf((char *)(param_2 + local_18 * 3),"%02X ", (ulong)(uint)(int)(char)("ClkvKOR8JQA1JB731LeGkU7J4d2khDvrOPI63mM7"[local_18 % 0x28] ^ *(byte *)(local_18 + param_1))); } *(undefined *)(param_2 + param_3 * 3) = 0; return; } ``` - After use netcat we have: - `Encrypted flag: 21 0F 0A 15 3F 29 29 6B 13 1C 2C 74 7D 30 5E 50 6E 29 2B 24 19 0C 67 7D 05 54 7C 34 5C 13 32 42 29 62 7B 0F 4E` - Look at the string 'ClkvKOR8JQA1JB731LeGkU7J4d2khDvrOPI63mM7', if we xor it with the Encrypted flag, we can find the flag. ``` enc = '21 0F 0A 15 3F 29 29 6B 13 1C 2C 74 7D 30 5E 50 6E 29 2B 24 19 0C 67 7D 05 54 7C 34 5C 13 32 42 29 62 7B 0F 4E' enc = enc.split(' ') str = 'ClkvKOR8JQA1JB731LeGkU7J4d2khDvrOPI63mM7' flag = '' for i, c in enumerate(enc): flag += chr(int(c, 16) ^ ord(str[i % len(str)])) print(flag) ``` - Flag: `bcactf{SYMmE7ric_eNcrYP710N_4WD0f229}`