
Wednesday, February 11, 2015

2013PicoCTF

While studying for a Masters in Digital Forensics I've been enjoying the Security Analysis aspect, especially at the lower levels (reverse engineering binaries, packet inspection...). To fill in the skills I'm not getting from academics I joined the hackucf club to brush up on lacking CTF skills. Cokesme recommended the 2013picoCTF for starters. This is NOT a walkthrough, just my notes on some of the flags.


XMLOL


The XML file given gave an error in Chrome.


A view of the page source gave the flag, but I wanted to understand why the error. 



The error is reported on line three because the opening tag on line 2 never gets its closing >. The parser is still inside that tag when it reads line 3, and the < of <writing> is not valid inside a tag, so that is where it gives up.
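The same behaviour reproduced with Python's expat-based parser, as an added example (not the picoCTF file or the author's code): BROKEN_XML is a constructed document whose line-2 tag is missing its >, and the element and flag names in it are made up. parse_error_position shows the parser stopping on line 3, and flag_from_source does what "view source" did, reading the text without caring that it is not well-formed.

```python
# Added example (not the page's file or the author's code): reproduce the
# "why is the error on line 3?" behaviour with Python's expat-based parser.
# BROKEN_XML is a constructed document whose line-2 tag is missing its '>'.
import re
import xml.etree.ElementTree as ET

BROKEN_XML = """<?xml version="1.0"?>
<document
<writing>
  <flag>constructed_flag_value</flag>
</writing>
</document>
"""


def parse_error_position(text):
    """Return (line, column) where the parser stopped, or None if it parsed cleanly."""
    try:
        ET.fromstring(text)
    except ET.ParseError as err:
        # The parser is still inside the unterminated line-2 tag when it meets the
        # '<' of <writing> on line 3, so line 3 is where the error is reported.
        return err.position
    return None


def flag_from_source(text):
    """Do what 'view source' does: ignore well-formedness and pull out the flag text."""
    match = re.search(r"<flag>(.*?)</flag>", text)
    return match.group(1) if match else None


if __name__ == "__main__":
    print("parse error at (line, column):", parse_error_position(BROKEN_XML))
    print("flag from raw source:", flag_from_source(BROKEN_XML))
```

Putting the > back on line 2 makes parse_error_position return None, which is the quickest way to confirm that the unterminated tag, and nothing on line 3 itself, is the cause.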

Grep is your friend


At first I got the flags by downloading all the files and using grep, but I wanted to try a different way (this is how I learn how shit works). 
I made an SSH connection using PuTTY from PowerShell; yes, passing my password on the command line like this is very bad.

$ putty.exe -ssh user7888@shell.picoctf.com -pw 'the_password'

I then looked for a way to grep without having to extract the files to disk. The -O tells tar to write the extracted contents to stdout instead of creating files, and the -i tells egrep to match case-insensitively. Do not put a * after the pattern: if egrep is given file operands it reads those files and ignores stdin, so the piped tar output would never be searched.

$  tar -xf /problems/grep.tar -O | egrep -i 'secret auth code'
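The same idea in Python, as an added example (not the author's code and not the picoCTF grep.tar): stream each member of a tar archive straight out of the archive object and regex-search it, so nothing is written to disk. This version also reports which member and line matched, which the plain pipeline above does not. The archive and its contents are constructed in memory for the demo; the member names and text are made up.

```python
# Added example (not the author's code): search a tar archive's members for a
# pattern without extracting them to disk, reporting member name and line.
# The sample archive is built in memory from constructed files; it is not the
# picoCTF grep.tar.
import io
import re
import tarfile


def build_sample_archive():
    """Return a BytesIO holding a constructed tar archive with three members."""
    files = {
        "problem/notes.txt": b"nothing to see here\n",
        "problem/deep/cfg.ini": b"The Secret Auth Code is constructed_value\n",
        "problem/bin.dat": b"\x00\x01secret auth code\x02\x03\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def grep_tar(fileobj, pattern):
    """Case-insensitive search of every regular-file member of the archive.

    Returns a list of (member_name, line_number, line_bytes) for each hit.
    Members are read through tar.extractfile(), so nothing touches the disk,
    which is the Python equivalent of `tar -xOf archive | egrep -i pattern`.
    """
    regex = re.compile(pattern.encode(), re.IGNORECASE)
    hits = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # directories, symlinks etc. have no content to search
            with tar.extractfile(member) as member_file:
                for lineno, line in enumerate(member_file, 1):
                    if regex.search(line):
                        hits.append((member.name, lineno, line.rstrip(b"\n")))
    return hits


if __name__ == "__main__":
    for name, lineno, line in grep_tar(build_sample_archive(), "secret auth code"):
        print("%s:%d: %r" % (name, lineno, line))
```

Searching bytes rather than decoded text matters for a CTF archive: a flag buried in a binary member (bin.dat above) is still found, where a text-mode read could choke on the non-UTF-8 bytes around it.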


First Contact


A great option in Wireshark is "Follow TCP Stream": right-click a TCP packet --> Follow TCP Stream.

Bitwise


To solve this I had to parse what was going on in the line below.

user_arr.append( (((ord(char) << 5) | (ord(char) >> 3)) ^ 111) & 255 )

Then do the above line in reverse to get the password from verify_arr. Below are
the steps, in order, for the user_arr.append line above.

Take the character and do bitwise shift left by 5
Take the same character and do bitwise shift right by 3
Take the above two and OR them.
Take result from above and XOR it with 111.
Take the result and AND it with decimal 255 (keep only the low 8 bits).

Now we need to do the above steps in reverse. I'll use the first value (193) in
verify_arr to do the steps by hand, then code it in Python.

First, 193 AND 255 = 193. This step can be skipped here because 255 in binary is 1111 1111,
and any bit ANDed with 1 is unchanged, so an 8-bit value passes through the mask untouched.
The mask will be needed again later, at the end.

Next, find the value that gives 111 XOR something = 193. We are in luck here also. One great
thing about XOR is that it is reversible: if AA XOR BB = CC then it follows that AA XOR CC = BB.
In binary, 111 XOR 193 = 0110 1111 XOR 1100 0001 = 1010 1110 = 174

The next step is to undo the shifts: shift right by 5 and left by 3 (the opposite directions of the original), OR the two results, and keep only the least significant 8 bits. Masked to a byte, the original (x << 5) | (x >> 3) is an 8-bit rotate left by 5, and (y >> 5) | (y << 3) masked to a byte is the 8-bit rotate right by 5 that reverses it. Python integers do not wrap, so the << 3 simply pushes bits above bit 7; the AND with 255 acts as a bit mask and throws those away.

174 >> 5 = 1010 1110 >> 5 = 0000 0101 = 5
174 << 3 = 1010 1110 << 3 = 101 0111 0000 = 1392
Do the OR on the two above = 101 0111 0101 = 1397
Then AND with 255 = 101 0111 0101 & 000 1111 1111 =
     000 0111 0101 = 117 = 'u'


I created some Python code (Python 2.7) to display the password.
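As an added example (not the author's script, which is not reproduced on the page), here is the forward transform from the user_arr.append line together with its inverse, carried through for a whole array rather than one value. The real verify_arr is not on the page, so VERIFY_ARR is constructed by encoding a made-up password; that password is chosen to start with 'u' so its first encoded value is 193, the same as the page's first verify_arr value.

```python
# Added example (not the author's code): invert the picoCTF "Bitwise" transform.
# encode_char() is the expression quoted on the page; decode_byte() undoes it.
# VERIFY_ARR is constructed for this demo (only its first value, 193, is on the page).

MASK = 0xFF  # keep the low 8 bits: the transform is an 8-bit rotate plus an XOR


def encode_char(c):
    """The page's expression: (x << 5 | x >> 3) is a rotate-left-by-5 once masked to a byte."""
    return (((ord(c) << 5) | (ord(c) >> 3)) ^ 111) & MASK


def encode(password):
    return [encode_char(c) for c in password]


def decode_byte(v):
    """Reverse encode_char for one verify_arr value."""
    x = v ^ 111                      # XOR is its own inverse: undo the ^ 111 first
    x = ((x >> 5) | (x << 3)) & MASK  # rotate right by 5; & 255 drops bits pushed above bit 7
    return chr(x)


def decode(verify_arr):
    return "".join(decode_byte(v) for v in verify_arr)


# Constructed stand-in for verify_arr (the password here is made up).
VERIFY_ARR = encode("unknown")

if __name__ == "__main__":
    print("first value 193 decodes to:", decode_byte(193))
    print("constructed verify_arr:", VERIFY_ARR)
    print("decoded:", decode(VERIFY_ARR))
```

Because an 8-bit rotate and an XOR with a constant are both bijections on 0..255, every verify_arr value maps back to exactly one byte, so the decode needs no guessing or brute force.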

____________________________________________________________________________


Thanks for reading my post. You can find me at any of the links below.
