📗 CTF Writeup
RAWSEC rENTAS CTF Quals Writeup
Brief writeup this time :D
Crypto
round and round
2126226{19122929121712_6121911821_26422_842928}
- Change the numbers to their equivalent letters (e.g. A=1, B=2 …)
- Then subtract 3
OR
- UZVF{SLCCLQL_FLSKHU_ZDV_HDCB} → ROT13 -3
OR
RWSC{PIZZINI_CIPHER_WAS_EAZY}
RailTwist
RSA
- Ciphertext is always shorter:
U3bPNI7aqUMlUlLU1l96ElN8LPCJhn34x2KkQGhHeFgjriXVMp2XZXShi6mLYBcBpd2DCNFkXaJztYU+J/dI3w==
- Private key is always longer:
- strings the PDF
- ROT13 39 times
MIIBUwIBADANBgkqhkiG9w0BAQEFAASCAT0wggE5AgEAAkEAm5SYB6SHu06GS+1q5sZzcXUJ/1x6im2FCDsbmNuKg6luTGsoI/lUBLk9WDEyeNWbmo8WNEbNCyXOmOKzTcEfDwIDAQABAkAMuDNNvKfUKnFUV867m1Ho3ra4h+kE1DtiFuMEtj420UxhwcTlfzU3s2lL0ZHWQToHCQErwc3LtZ6RyVOJRleRAiEA5K193SL2/luR5y+BxuSp3i56G4NSNbpk4G1TkfEHIQ0CIQCuK0ti7bOPhogW1zp5QIG6iv5SeQHlH3k/nS6+nz2hiwIgXUMEWfOwl/vwfUC6xMrtHFgIJMBh/teN3Jm5w4NxTOECIHr2jAGrKhNRerENgPXr6esGiGk3j3Pw1Yxo74CbMkrjAiBL05THyTzrBVTmhrSmChxUNPJtNF5jkL6gOiRyE38gMw==
I solved this challenge after the CTF ended when the challenge creator told me to ROT the private key. Why? I have 0 idea. Bruteforce FTW I guess.
It's a private key because the public key is usually for encryption. Since this is decryption, it's the private key!
RWSC{c18af8f24d61d0c55d32972b3b405ac7}
Network
Last Hope
Cracking a WiFi password from a .cap file
- Get the MAC address from the packet from the SSID (Rawsec Command Center) -> 7e:7f:a3:4c:5c:1a
- Bruteforce the password:
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b 7e:7f:a3:4c:5c:1a RAWSECWIFI-01.cap
aircrack-ng RAWSECWIFI-01.cap -w /usr/share/wordlists/rockyou.txt
OR
RWSC{anonymous}
Threat Intel
скорпион
A quick Google search on the description (or even on the hashes provided) will tell you that it's Rhysida ransomware.
Now, try finding Rhysida in Telegram:
Now you've found indicators that it's related to the challenge via “RWSC{“. A hint given is from the icon picture, which is a horror movie taking place on the dark web. The next hint was the mirror, so maybe we need to find a Rhysida website, but its mirror version.
Try searching on TOR to find Rhysida ransomware official page:
http://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion/
Find its mirror by scrolling down:
RWSC{rhysidafc6lm7qa2mkiukbezh7zuth3i4wof4mh2audkymscjm6yegad}
DFIR
Mobile
A 2k page forensics report on a Lenovo phone was given
- gesture.key file is where password patterns are stored, however, it was not written anywhere on the report
- Sometimes stored in /data/system/password.key
- Pattern and Password locks are stored as SHA-1 values in the /data/system/ folder
- It's bolded in the report
- Hash is not there in the report
Record 3798
Item ID 3999
python gesturecrack.py -r 8e7e00c0bd5ce227f7be204c8b7c159669c776d4
RWSC{875463120}
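Why a tool like gesturecrack.py finishes almost instantly: on legacy Android, gesture.key holds an unsalted SHA-1 over one raw byte per pattern node (grid indices 0-8), so the whole keyspace is under a million candidates. The sketch below is an added example, not gesturecrack.py and not code from the original writeup; the function names are made up for illustration, and the only value taken from the page is the hash.

```python
import hashlib
from itertools import permutations

# Hash taken from the gesturecrack.py command shown on this page.
PAGE_HASH = "8e7e00c0bd5ce227f7be204c8b7c159669c776d4"


def gesture_hash(nodes):
    """Return the hex SHA-1 that gesture.key would hold for a pattern.

    nodes: grid indices 0-8 (row * 3 + column) in the order they are drawn.
    The digest covers one raw byte per node and uses no salt.
    """
    return hashlib.sha1(bytes(nodes)).hexdigest()


def candidate_patterns(min_len=4, max_len=9):
    """Yield every ordering of 4 to 9 distinct nodes.

    This is a superset of what the lock screen accepts (it ignores the
    rule about jumping over unvisited nodes), which is fine for recovery.
    """
    for length in range(min_len, max_len + 1):
        yield from permutations(range(9), length)


def keyspace_size():
    """Count the candidates an exhaustive search has to hash."""
    return sum(1 for _ in candidate_patterns())


def crack_gesture(target_hex):
    """Return the pattern as a digit string, or None if nothing matches."""
    target = bytes.fromhex(target_hex.strip())
    for nodes in candidate_patterns():
        if hashlib.sha1(bytes(nodes)).digest() == target:
            return "".join(map(str, nodes))
    return None


if __name__ == "__main__":
    print("candidates:", keyspace_size())
    print("pattern:", crack_gesture(PAGE_HASH))
```
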
MISC
Hidden Discord
Find 5 hidden flags in a Discord server
- Part 1: Inside channel chat
- Part 2: Hidden role
- Part 3: Inside event description
- Part 4: Hidden channel → Category
- Part 5: https://cdn.discordapp.com/icons/1202263455466541096/bfa6d5f2ed8067d3367791ed5b4d6941.webp?size=600
RWSC{r34d_d15c0rd_d3v3l0p3r_API_r3f3r3nc3}
Zip
Bruteforce a 10 digit password on a zip file
zip2john 0.zip > hash.txt
john -1=[9-0] -mask=9?1?1?1?1?1?1?1?1?1 --fork=10 hash.txt
A hint was given midway during the CTF that the password is similar to an IC, so it's a 10 digit value, and mostly starting from 9 or 0
Anyways, this challenge would be unsolvable within 24 hours without the hint :’)
Password: 9182718219
RWSC{761A7AAC3D8291BFBE49287A2182B28B}