Codefest’19 CTF Writeups

The Capture the Flag event for Codefest’19 was hosted from 8 pm, 23rd August 2019 to 12 noon, 24th August 2019 on Hackerrank.

Codefest 2019

The Capture the Flag event for Codefest’19 was hosted from 8 pm, 23rd August 2019 to 12 noon, 24th August 2019 on Hackerrank.

The contest link can be found here. There were a total of 1532 registrations and 518 people who were successful in solving atleast one challenge.

So, onto the writeups.

Welcome to Codefest 19! (Intro Challenge — 100pts)

This was the introductory challenge. I had tried to make it a bit difficult than the normal introductory challenges, but I felt that it proved to be a bit difficult for the beginners.

The challenge

Here, first you had to join the telegram group linked in the proble. There you got the first half of the flag — CodefestCTF{G3tr3ady. For the other half there was a pinned message on the group.

The other half of the flag was uploaded on the contest page yesterday by accident. It has now been removed. Can you find it?

For this you had to use, there was a snapshot of the contest page created on 23rd Aug 2019. Viewing the snapshot got you the second half of the flag —f0r_C0def3stCTF-8fb34fjr4bs43ur8}.

So, the final flag is — CodefestCTF{G3t_r3ady_f0r_C0def3stCTF-8fb34fjr4bs43ur8}


What language is this? (Misc — 100pts)

This was basically a esoteric language question. The given text was —


The language was Deadfish. You could use an online decoder for that language, something like this.

The final flag was — CodefestCTF{Welc0me_t0_C0defest19}


Gibberish file (Misc — 100pts)

The challenge

The hint was in the problem statement. You had to reverse the file to find the flag. A simple one-line script could do it

open("output2.txt", "wb").write(open("output.txt", "rb").read()[::-1])

The resulting had some text like

𝝩𝗵𝙚 𝗳𝒍𝙖𝗴 𝒊𝙨 𝐋𝒊𝐓𝚬𝐫𝚨𝐋﹏𝕽𝜠𝓥Eℜ𝕊𝐢𝙣𝓖ꓸ 𝝩𝗵𝙚 𝗳𝒍𝙖𝗴 𝒊𝙨 𝐋𝒊𝐓𝚬𝐫𝚨𝐋﹏𝕽𝜠𝓥Eℜ𝕊𝐢𝙣𝓖ꓸ 𝝩𝗵𝙚 𝗳𝒍𝙖𝗴 𝒊𝙨 𝐋𝒊𝐓𝚬𝐫𝚨𝐋﹏𝕽𝜠𝓥Eℜ𝕊𝐢𝙣𝓖ꓸ 𝝩𝗵𝙚 𝗳𝒍𝙖𝗴 𝒊𝙨 𝐋𝒊𝐓𝚬𝐫𝚨𝐋﹏𝕽𝜠𝓥Eℜ𝕊𝐢𝙣𝓖ꓸ 𝝩𝗵𝙚 𝗳𝒍𝙖𝗴 𝒊𝙨 𝐋𝒊𝐓𝚬𝐫𝚨𝐋﹏𝕽𝜠𝓥Eℜ𝕊𝐢𝙣𝓖ꓸ 𝝩𝗵𝙚 𝗳𝒍𝙖𝗴 𝒊𝙨 𝐋𝒊𝐓𝚬𝐫𝚨𝐋﹏𝕽𝜠𝓥Eℜ𝕊𝐢𝙣𝓖ꓸ 𝝩𝗵𝙚 𝗳𝒍𝙖𝗴 𝒊𝙨 𝐋𝒊𝐓𝚬𝐫𝚨𝐋﹏𝕽𝜠𝓥Eℜ𝕊𝐢𝙣𝓖ꓸ 𝝩𝗵𝙚 𝗳𝒍𝙖𝗴 𝒊𝙨 𝐋𝒊𝐓𝚬𝐫𝚨𝐋﹏𝕽𝜠𝓥Eℜ𝕊𝐢𝙣𝓖ꓸ 𝝩𝗵𝙚 𝗳𝒍𝙖𝗴 𝒊𝙨 𝐋𝒊𝐓𝚬𝐫𝚨𝐋﹏𝕽𝜠𝓥Eℜ𝕊𝐢𝙣𝓖ꓸ 𝝩𝗵𝙚 𝗳𝒍𝙖𝗴 𝒊𝙨 𝐋𝒊𝐓𝚬𝐫𝚨𝐋﹏𝕽𝜠𝓥Eℜ𝕊𝐢𝙣𝓖ꓸ 𝝩𝗵𝙚 𝗳𝒍𝙖𝗴 𝒊𝙨 𝐋𝒊𝐓𝚬𝐫𝚨𝐋﹏𝕽𝜠𝓥Eℜ𝕊𝐢𝙣𝓖ꓸ 𝝩𝗵𝙚 𝗳𝒍𝙖𝗴 𝒊𝙨 𝐋𝒊𝐓𝚬𝐫𝚨𝐋﹏𝕽𝜠𝓥Eℜ𝕊𝐢𝙣𝓖ꓸ 𝝩𝗵𝙚 𝗳𝒍𝙖𝗴 𝒊𝙨 𝐋𝒊𝐓𝚬𝐫𝚨𝐋﹏𝕽𝜠𝓥Eℜ𝕊𝐢𝙣𝓖ꓸ 𝝩𝗵𝙚 𝗳𝒍𝙖𝗴 𝒊𝙨 𝐋𝒊𝐓𝚬𝐫𝚨𝐋﹏𝕽𝜠𝓥Eℜ𝕊𝐢𝙣𝓖ꓸ 𝝩𝗵𝙚 𝗳𝒍𝙖𝗴 𝒊𝙨 𝐋𝒊𝐓𝚬𝐫𝚨𝐋﹏𝕽𝜠𝓥Eℜ𝕊𝐢𝙣𝓖ꓸ

The flag was the ASCII analog of each unicode character.

The flag was — CodefestCTF{LiTErAL_REVERSinG}


Image Corruption (Forensics — 100pts)

In the challenge, you were given a link to a corrupted .bmp file. On viewing the file in a hex editor, and also checking the magic bytes —

Hex view of the image

We know there is something to do with “matrix”. Also for a normal .bmp file the initial magic bytes are 424d 8a44 1300. XORing this with the first six bytes of the given file also gives you “matrix”. So to solve the challenge, we XOR the whole image with “matrix”.

Run the script, and you obtain the correct file.

The correct file

The flag is — CodefestCTF{f1l35_h4v3_m461c_by735}


Mail capture (Steganography— 100pts)

You are presented with a “email friendly text”. This was encoded to unicode by a tool called uuencode. It can be decoded by using uudecode, a decoder for such formats. Running uudecode with the file gives an output file called “flag_encoded”. The contents are the flag — CodefestCTF{7h15_15_4_c001_3nc0d1n9}


Cats are innocent, right? (Steganography— 500pts)

This challenge was based on LSB steganography. I had used a tool called stegify.

The challenge image -

Challenge image

On running the command - > stegify -op decode -carrier cute_kittens.jpg -result hello

We get a file which was embedded in the LSBs of the image. The zip file had a file inside it but that was of no use. The flag was appended at the end of the zip file.

The flag is appended at the end of the zip file

The flag is — CodefestCTF{h1d1ng_b3h1nd_1nn0c3nt_k1tt3n5}


Weird encoding (Misc— 200pts)

The challenge

We are given the following “encoding”


Here a bit of observation was required to figure out that the “x” symbol mean concatenation n number of a character, like 0x5 will mean 00000. And “+” would mean concatenation of two strings of different type. Also, one will also have to decide on 0 representing 255 255 255 i.e. the color white and 1 representing 0 0 0 , i.e. the color black. You could have experimented with both combinations but eventually you would get the correct mapping.

The following script can help generate the image.

The obtained image is this -

You may want to zoom in a bit

The flag is — CodefestCTF{This_15_7h3_f14g}.


Linux RE 1 (Reversing — 300pts)

This challenge was a bit difficult to solve using a debugger due to some anti-debugging techniques that were implemented. Also, initially the ELF was packed using UPX, which was visible as a string when you would have run the strings command. So, first use > upx -d

with the ELF to decompress it.

For the next part, You could use a disassembler or a decompiler to get the source code and eventually reverse the binary. The executable was generated from a C++ file hence it was a bit messy to view in a decompiler.

The decompiled view (using Ghidra) of the main function (the interesting part) is the following -

Decompiled main function

The _keyint and _encint are global variables. The main logic of the ELF is in the rahasya function.

Decompiled rahasya function

This basically takes two strings and XORs them and returns the XORd string. The two strings it takes as input are the user input and the key_int string. The XORd data is matched with the enc_int data.

So, basically to reverse the binary you have to XOR both the _keyint and _encint data.

enc_int data
key_int data

Basically, > int enc_int[] = {80, 93, 3, 67, 3, 86, 11, 110, 64, 2, 90, 27, 84, 28, 110, 75, 3, 69, 52, 6, 11, 5, 80, 88, 90, 88};

int key_int[] = {49, 51, 51, 55, 107, 101, 121};

XOR both of them, and you get _an0th3r_s1mp1e_x0rcr4ckm3

So, the flag is CodefestCTF{an0th3r_s1mp1e_x0r_cr4ckm3}


Linux RE 2 (Reversing — 500pts)

Again we open the file in IDA or any disassembler and/or decompiler we see that the input should satisfy a set of conditions on the letters of the input.

The conditions can be translated as

We can use some kind of SMT solver like z3 to find the password.

The obtained password is — _shouldve_used_sometool

The flag, hence, is CodefestCTF{shouldve_used_some_tool}


Windows RE (Reversing — 500pts)

In this problem, the Windows exe file (actually a .NET file) that was provided, was packed with ConfuserEx. We can use NoFuserEx, which is a free deobfuscator for this packer.

Then, open the executable in any .NET decompiler like dnSpy and check the Form function to get the password as well as the flag. > Password — thisisa1337password

The flag — CodefestCTF{51mp13_1npu7_v411d4710n_8u7_w17h_4_7w157}


No Fatshaming (Web — 600pts)

I’ll cheat a bit here xD. You can read my friend Yashit’s awesome writeup on the challenge.

Flag is — CodefestCTF{1AmTeHHHAX00Rr4uj8rfi4e$%y5yhrf}

Hope you had a great time solving the challenges and that it was a good learning experience for beginners.

Follow me on Twitter, Github or connect on LinkedIn.

Shreyansh Singh
Senior Undergraduate in Computer Science and Engineering

My research interests include information security, specially binary analysis and also application of Machine Learning in security.

comments powered by Disqus