Rootcon CTF 2017 Update + BinForCry Write-up/Walkthrough (Part 1 of x)

Mon
Sep 24, 2017

This year, my team — Team Harambae — and I tried to defend our title as the Capture the Flag winners of the Rootcon Hacking Conference. Unfortunately, we fell short of that goal. But all is well since we still luckily placed second this year :D

We have no regrets though, as we definitely gave it our best shot and lost to a much better team. We promise to come back better and wiser next year! 💪

In this post, I’ll write about the BinForCry 200. I’ll keep on posting our other solutions later or in the coming days, as I might be a little bit busy soon!

BinForCry — 200

Accessing the challenge will give us a link to a .pdf file (transcript.pdf, md5: d0bd246bc350a9ab49a11f280d576a80)

Looking at the .pdf file, however, doesn’t give us any clue at all.

What the hell is that..

I’m really weirded out by this, so let’s go to our safe place — the command line.

Let’s use my favorite .pdf analyzer — peepdf — to give us an idea about the contents of this file.

The output shows us that objects 1 and 8 are suspicious. Let’s check them out.

I omitted parts of object 8 because it was too long. “that’s” (she, 2017)

Decoding the embedded base64 string will give us this .jpg file:

Decoding the string above will give you this link:

https://challenger.rootcon.io/TmCHm91jKEDW/

PS. The link won’t work because it was a local event. :)

Going to that link will give you a webpage displaying this image:

I used stegsolve and other steganalysis tools to no avail. I think I may have lost a lot of time there and felt stupid for doing so because a quick “View Source” of the webpage and scrolling further down will give you this clue:

<!-- hiddensecrets.zip -->

I downloaded the .zip file (md5 — 4fd9ec804d5ea6ff2119b6c319eb3393) via this link: https://challenger.rootcon.io/TmCHm91jKEDW/hiddensecrets.zip

And was greeted by (yet another) .jpg file:

Creepy af

A quick stegsolve will give us an idea that there is something embedded in this file:

Added a blue circle and that’s what you call art! Image up for auction to fund for my next Rootcon /:)

A quick strings command validates our hypothesis:

Now this is the hard part. I tried decoding, reversing, concatenating and everything to these darn strings but I couldn’t quite get a tangible, working file or string.

After sleuthing the internet for solutions (and memes), I came across this gem — free file camouflage.

This software I downloaded was a gem in its purest and simplest form. Look at that, the donation prompt looks like a Wannacry prompt. I love it :D

10/10 would install again
Option to camouflage a file
Option to de-camouflage a file. That’s what we want.

It prompts a message on the fourth quadrant of the window if all goes well. Like so:

Browsing the destination directory will give you a .txt file called harp_chatlogs.txt

“Encrypted” hmmmmmmmmm

Looking at the chat logs, it mentions a key and passphrase: HARP and BLACKOPERATION.

Since we were given a key and a passphrase, knowledge of ciphers will scream at you to use the Keyed Vigenère Cipher, since it requires a key and a passphrase for it to work. Let’s try it out!

*cue CSI music here*

Oh look, another base64 string! Let’s decode it to (finally!) get the flag:

$ echo "IGZsYWdfaXN7aDRScF9ibDRja19vcDNyYXRpdmVzfQ==" | base64 --decode

The resulting string is: flag_is{h4Rp_bl4ck_op3ratives}
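The last two steps (keyed Vigenère, then base64) in Python, as an added example that is not part of the original write-up or the tool used during the CTF. It assumes HARP is the alphabet key and BLACKOPERATION the passphrase, and that non-letters pass through without consuming a passphrase letter; the original ciphertext is not reproduced in the text, so the sample ciphertext is constructed by encrypting the base64 string quoted above.

```python
import base64
import string

ALPHABET = string.ascii_uppercase

def keyed_alphabet(key):
    """Key letters first (duplicates dropped), then the unused letters in order."""
    out = []
    for ch in key.upper() + ALPHABET:
        if ch in ALPHABET and ch not in out:
            out.append(ch)
    return "".join(out)

def keyed_vigenere(text, alphabet_key, passphrase, decrypt=False):
    """Vigenere over a keyed alphabet. Case is kept; digits and symbols pass
    through without consuming a passphrase letter (assumed convention)."""
    alpha = keyed_alphabet(alphabet_key)
    shifts = [alpha.index(c) for c in passphrase.upper() if c in alpha]
    if not shifts:
        raise ValueError("passphrase needs at least one letter A-Z")
    sign = -1 if decrypt else 1
    out, used = [], 0
    for ch in text:
        if not (ch.isascii() and ch.isalpha()):
            out.append(ch)          # base64 digits, '+', '/', '=' are untouched
            continue
        pos = (alpha.index(ch.upper()) + sign * shifts[used % len(shifts)]) % 26
        used += 1
        out.append(alpha[pos] if ch.isupper() else alpha[pos].lower())
    return "".join(out)

def recover_flag(ciphertext, alphabet_key="HARP", passphrase="BLACKOPERATION"):
    """Undo the keyed Vigenere layer, then the base64 layer."""
    b64 = keyed_vigenere(ciphertext, alphabet_key, passphrase, decrypt=True)
    return base64.b64decode(b64, validate=True).decode("ascii").strip()

# base64 string quoted in the write-up
PAGE_B64 = "IGZsYWdfaXN7aDRScF9ibDRja19vcDNyYXRpdmVzfQ=="

# Constructed sample: the page's base64 string re-encrypted with the same
# key and passphrase, standing in for the ciphertext from the chat log.
SAMPLE_CIPHERTEXT = keyed_vigenere(PAGE_B64, "HARP", "BLACKOPERATION")

if __name__ == "__main__":
    print(SAMPLE_CIPHERTEXT)
    print(recover_flag(SAMPLE_CIPHERTEXT))
```

Because the cipher only substitutes letters and keeps case, the length, digits and `=` padding of a base64 string survive encryption, which is a useful tell when triaging text like this.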

That’s it for BinForCry200. Thank you for reading! :)
