A disturbing lack of taste. Just another WordPress site

21May/120

BaltCTF 2012 – Europe300 writeup

Hello,
My team and I participated in BaltCTF 2012 and this is the first challenge I solved - Europe 300.

We were given a list of few MD5 hashes. I have tried cracking some but it didn't work...
So, I started looking for other solutions and saw there are exactly 32 different hashes!
A lightbulb appeared over my head - first real hash is made of first characters in list,second is made of second characters in list and so forth.
Here is little PHP script I made to get new hashes (I am sucky coder :)):
http://pastebin.com/uAcTw4eY

It echo'd 32 new hashes.
http://pastebin.com/33YXPYPy
Now, this looked like some cipher - and I was right, it is Caesar cipher with alphabet shift of 12 characters.

Kqe kag pup uf mzp kqe iq wzai odmlk. YP5 dqmxk ymk nq tmdp. Zai ftue ue kagd wqk YP5 ue zaf rgz ngf hqdk hqdk hqdk qhux.

deciphers to

Yes you did it and yes we know crazy. MD5 realy may be hard. Now this is your key MD5 is not fun but very very very evil.

The flag:
"MD5 is not fun but very very very evil"

Pretty easy task, +300 for Tasteless!

Plitvix

Filed under: Uncategorized No Comments
21May/120

BaltCTF 2012 – Asia 400 Writeup

Well, I came home yesterday quite late, so I only had time to "play" for about ~4 hours. Meanwhile, my team solved some other challenges, but I solved the Asia 400 challenge.

In this challenge you got a zipped file called "images.rar". Inside were lots of .gifs, either black or white. It was immediately obvious that this was a QR code, since there were 626 pictures [25*25 QR Version 2 code, ??+1 seeming random image??].

Stitching them together wasn't hard, I just used the standard PIL library to handle straightforward image manipulation.

The only real "tricky" part here was figuring out the name-convention used to name the gifs. They were named like this

  • 11.gif
  • 12.gif
  • ...
  • 2512.gif
  • 111.gif
  • 11(1).gif

{see for yourself in the .rar  - LINKHERE}

At first I tried sorting them alphabetically, but no cigar. I also tried using a natural sorting script for python (sorting them the same way explorer.exe does, e.g. Team 1  [Team 101 Team 12 Team 21] -> [Team 1 Team 12 Team 21 Team 101] instead of the alphabetically [Team 1 Team 101 Team 12 Team 21]http://www.codinghorror.com/blog/2007/12/sorting-for-humans-natural-sort-order.html), but nothing seemed to work.

After some thinking I figured out that they just concanted the "x" and "y" coordinates of each "pixel" in the QR code without any concantetor - e.g. x=2, y=12 would become 212. Obviously this would introduce collisions at x=5, y=12 and x=21, y=2, so they solved this by putting the "y" into brackets if a collision arose. This explained the strange numbering scheme. Instead of wasting hours on regex and complicated scripts to parse the existing names, I just went for a script that "recreated" this numbering scheme in the right order from scratch, which worked out pretty well - "if you can't bring mohammed to the mountain bring the mountain to mohammed" and all that...

Any, without further ado, here is the final script used to generate the QR codes - http://pastebin.com/J8MFZTUW or:

import Image, os, math

#Start by scanning the directory and getting results

fakelist = []
for x in range(1, 26):
	for y in range(1, 26):
		if((20<x<25 and 0<y<10) or (10<x<13 and 0<y<10)): #Since the existing file names seem to regard the entire series 20-25 as collisions, we'll do that to :|
			fakelist.append(str(x) + "(" + str(y) + ")" + ".gif")
		elif((str(x) + str(y) + ".gif") in fakelist):
			print "we fd up!!!!"
			os.exit()
		else:
			fakelist.append(str(x) + str(y) + ".gif")
print fakelist

finalimage = Image.new('RGB', (300, 300))

for imageno, imagename in enumerate(fakelist):
	print str(imageno) + " and name: " + imagename + "\n"
	tempimage = Image.open('images/' + imagename)
	pixel = tempimage.crop((0, 0, 12, 12))
	row = int((math.floor(imageno/25)))
	column = int(((imageno) % 25))
	print str(row) + ":" + str(column)
	finalimage.paste(pixel, (column*12, row*12, (column+1)*12, (row+1)*12))
	del tempimage

finalimage.save("output.jpg")

 

See you at defcon CTF! :D

Filed under: Uncategorized No Comments