Try   HackMD

ArpCon CTF Misc Challenge

Name: Git The Flag

Points: 700

tags: CTF arpconctf misc git log history

Challenge

At the time of this write up, the Arpcon CTF has ended and I no longer have access to the challenge details for screenshot.

Solution

We were provided with a secret.zip file. Extracting the file with unzip secret.zip and navigating to the extracted folder, looks like we got ourselves a git repo.

We start by checking the commits using git log and we can find some interesting commits.

First we checked out the added bin commit and we have the flag.bin, which is the encrypted flag

That's seems to be all in that commit, so we check another one. Checking out the some codes commit, we have a main.py 

import pyaes
import base64
import os
from dotenv import load_dotenv


load_dotenv()
SECRET = os.getenv("SECRET")

flag=open("flag.txt").read()

aes = pyaes.AESModeOfOperationCTR(SECRET.encode())
ciphertext = aes.encrypt(flag)
base_cipher = base64.b64encode(ciphertext)

with open("flag.bin","wb") as file:
  file.write(base_cipher)

Now it looks like we can reverse the code and get our flag, but first we need to find the secret, so we move to checkout another commit. Checking out the remove flag.py commit,we have the .env file which contains the secret.

Now, let's get started. Import the necessary stuff first.

import pyaes
import base64

Then set our secret

SECRET = "qyrJxvPFAbo8YDYNrCzSSj1DkHjGpLtW"

You can take the flag.bin and read from it, here I will just set it directly in the script.

flag_enc = "/A8Mm2hbkL5yEuss8EelU8xaBsELiJOpilIqpp8="

Next the actual reversing

aes = pyaes.AESModeOfOperationCTR(SECRET.decode())
flag_plaintext = aes.decrypt(base64.b64decode(flag_enc.encode()))
print("FLAG: %s " % flag_plaintext)

We set the aes mode to decode, then base64 decode the encrypted flag and then use aes to decrypt. The full script is

import pyaes
import base64

SECRET = "qyrJxvPFAbo8YDYNrCzSSj1DkHjGpLtW"

flag_enc = "/A8Mm2hbkL5yEuss8EelU8xaBsELiJOpilIqpp8="

aes = pyaes.AESModeOfOperationCTR(SECRET.decode())

flag_plaintext = aes.decrypt(base64.b64decode(flag_enc.encode()))

print("FLAG: %s " % flag_plaintext)

Flag

And we have the flag as: arpcon{h1570RY_4lw4Y5_M4773R}

FLAG: arpcon{h1570RY_4lw4Y5_M4773R}
Last changed by 
rudefish
I'm into cyber security and all its madness, whenever I participate in CTFs the write ups goes here
0
1
457

Read more

Symfonos: 2 - Walkthrough

Machine Details Name: Symfonos 2 OS: Linux Platform: Vulnhub Download Link: Symfonos 2 Getting started I booted up the machine and got assigned an IP addres of 192.168.50.130. Similar to symfonos1, I added symfonos2.local to my hosts file. 192.168.50.130 symfonos2.local

Mar 11, 2022
Symfonos: 3 - Walkthrough

Machine Details Name: Symfonos: 3 OS: Linux Platform: Vulnhub Download Link: Symfonos 3 Getting started After obtaining an IP address for the machine, 192.168.50.137 in my case. I addeed it to mu hosts file. 192.168.50.137 symfonos3.local

Mar 8, 2022
Symfonos: 1 - Walkthrough

Machine Details Name: Symfonos 1 OS: Linux Platform: Vulnhub Machine Link: Download Symfonos 1 Obtaining the assigned machine IP address After setting up the machine on VMWare, the first step is to find the IP address assigned to the machine. To do this, we can use several methods. The two I use often is shown below: sudo netdiscover -r 192.168.50.0/24

Mar 8, 2022
HTB Writeup - Search

Machine Details Name: Search OS: Windows IP address: 10.10.11.129 Difficulty: Hard Points: 40 Initial Enumeration As always, I started with an nmap scan to find out what services are running on the box.

Feb 17, 2022
Read more from rudefish
Published on HackMD