{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-tfcctf-2023-en","result":{"data":{"markdownRemark":{"id":"0170bc53-75c9-5f25-a478-f1f76764e90e","html":"
\n

This page has been machine-translated from the original page.

\n
\n

We participated in TFCCTF, which started on July 28, as 0nePadding and placed 35th out of 1,429 teams.

\n

\n \n \n \n \n \n \n \n \n

\n

Personally, I found the Rev challenges so difficult that I could barely solve any of them, so it was a pretty hard CTF for me. Still, my teammates solved a lot of challenges, which helped us end up with a respectable rank despite the large number of participating teams.

\n\n

Table of Contents

\n\n

PASS(Rev)

\n
\n

Can you get the right password?

\n
\n

When I decompiled the challenge binary with Ghidra, it turned out to be a program that checks whether the password is correct by evaluating the input one character at a time.

\n

This is exactly the kind of problem angr is good at, so I used the following solver to obtain the flag.

\n
import angr\n\nproj = angr.Project(\"pass\", auto_load_libs=False)\nobj = proj.loader.main_object\nprint(\"Entry\", hex(obj.entry))\n\nfind = 0x4019b0\navoids = [0x401981]\n\ninit_state = proj.factory.entry_state()\nsimgr = proj.factory.simgr(init_state)\nsimgr.explore(find=find, avoid=avoids)\n\n# Output\nsimgr.found[0].posix.dumps(0)\n\n# TFCCTF{f0und_th3_p44sv0rd}
\n

PROCESS-MONITOR(Rev)

\n
\n

Just a simple process monitor. Or is it?

\n
\n

The challenge binary consisted of the usual three-piece kernel-driver set: a .sys, .inf, and .cat file.

\n

For now, I right-clicked the INF file to install the driver into a Windows VM, and at the same time continued analyzing it with Ghidra.

\n

After working through the analysis, I found that the challenge binary hooks process activity and runs its own callback function.

\n

Following the callback processing further, I found that it collects multiple pieces of information such as the hooked process’s executable name and path, checks whether they satisfy certain conditions, and, if all of the conditions are met, writes some string to C:\\flag.txt.

\n

By the time I got this far, the logic that writes the string to C:\\flag.txt was a bit too complicated to pin down statically, so I decided to set up kernel debugging.

\n

While attaching a kernel debugger to a VM running in test mode, I ran the following commands.

\n
\n

bp ProcessMonitor+0x1410\nbp ProcessMonitor+0x1426\nbp ProcessMonitor+0x1435\nbp ProcessMonitor+0x1446

\n

.while(1){g;r zf=1;g;r zf=1;g;? poi(rcx);g;? poi(rcx)}

\n
\n

Reference: Building a Windows Kernel Driver and Analyzing It with WinDbg - Frog’s Secret Base

\n

This caused the string 0967ce7f7c9e7e2e28bcab79c921398ba92dd3d9fc6045a546f4c4130252bf9 to be written to C:\\flag.txt, so by submitting TFCCTF{0967ce7f7c9e7e2e28bcab79c921398ba92dd3d9fc6045a546f4c4130252bf9} I was able to obtain the flag.

\n

DOWN BAD(Forensic)

\n
\n

The flag is right there!

\n
\n

The file down_bad.png provided as the challenge binary could not be opened normally.

\n

Running pngcheck on it showed that there was a CRC mismatch.

\n
pngcheck down_bad.png\n>\ndown_bad.png  CRC error in chunk IHDR (computed 1d9c52c0, expected a9d5455b)\nERROR: down_bad.png
\n

Because of that, I used the following solver to brute-force the correct CRC value.

\n
from binascii import crc32\ncorrect_crc = int.from_bytes(b'\\xa9\\xd5\\x45\\x5b',byteorder='big')\nfor h in range(2000):\n    for w in range(2000):\n        crc=b\"\\x49\\x48\\x44\\x52\"+w.to_bytes(4,byteorder='big')+h.to_bytes(4,byteorder='big')+b\"\\x08\\x06\\x00\\x00\\x00\"\n        if crc32(crc) % (1<<32) == correct_crc:\n            print ('FOUND!')\n            print ('Width: ',end=\"\")\n            print (hex(w))\n            print ('Height :',end=\"\")\n            print (hex(h))\n            exit()
\n

By rewriting the image binary with the Height and Width identified here, I was able to recover an image that included the previously cropped-out flag portion.

\n
from zlib import crc32\nimport argparse\nimport struct\n\npng = bytearray(open(\"down_bad.png\", 'rb').read())\nwidth = 0x780\nheight = 0x540\npng[0x10:0x14] = struct.pack(\">I\",width)\npng[0x14:0x18] = struct.pack(\">I\",height)\ncalculatedCrc = crc32(png[12:29])\n\nwith open(\"solve.png\",'wb') as file:\n    file.write(png)
\n

\n \n \n \n \n \n \n \n \n

\n

MCTEENX(Forensic)

\n
\n

I fly in the sky, I got wings on my feet.

\n
\n

The encrypted ZIP file given as the challenge binary seemed to contain a file called script.sh, but I could not obtain the password.

\n

One of my teammates had already solved it, and apparently even without knowing the entire script, you can guess the shebang (#!/bin/bash\\n) and use a known-plaintext attack to break the ZIP password.

\n

In practice, the attack goes like this.

\n
# Write #!/bin/bash\\n into partial_script.sh\n# Generate the three keys with bkcrack\n./bkcrack -C red.zip -c script.sh -p partial_script.sh\n\n# Decrypt the file using the three keys\nbkcrack -C red.zip  -c script.sh -k c0b1bc78 c3206dfc e7e5bae1 -d decipheredfile.sh
\n

Reference: kimci86/bkcrack: Crack legacy zip encryption with Biham and Kocher’s known plaintext attack.

\n

Running the decrypted script produces the following image.

\n

\n \n