Facit för CERT-SE CTF 2024
Tack till alla som deltog i årets CERT-SE CTF-utmaning! Vi kommer att rätta era inskickade svar så snart som möjligt. Alla som har skickat in rätta svar kommer erbjudas ett klistermärke, vi hoppas hinna hantera detta innan året är slut. Håll ut!
Facit för den otålige
- CTF[AES128]
- CTF[RICKROLL]
- CTF[OR]
- CTF[OPPORTUNISTICALLY]
- CTF[IRRITATING]
- CTF[PENTOMINOS]
- CTF[TOPPALUA]
- CTF[HAPPY BIRTHDAY]
- CTF[RHODE_ISLAND_Z]
Kort beskrivning av flaggorna
- CTF[AES128] : clear text in IRC communication
- CTF[RICKROLL] : IRC conversation “Strange looking string: CTF[E65D46AD10F92508F500944B53168930] - why don’t you ask john? > use, for example, “John the Ripper” to crack the LM hash.
- CTF[OR] : DCC RANSOM_NOTE.gz > grep CTF\[[A-Z]*\]
- CTF[OPPORTUNISTICALLY] : OpenSSL (AES-128-CBC) encrypted file on the disk image transferred over ftp. Disc forensic on the image shows deleted files on the image with clues and SSLKEYLOGFILE to the password in the TLS stream.
- CTF[IRRITATING] : compression circus on the file archive (gzip and tar)
- CTF[PENTOMINOS] : base32 encoded filename in Recycle-Bin.zip
- CTF[TOPPALUA] : DNS ex-filtration, base32 encoded PNG, to suspicious IP address mentioned in an IRC conversation (195.200.72.82)
- CTF[HAPPY BIRTHDAY] : written on the spine of a book in the picture of the game file puzzle.exe
- CTF[RHODE_ISLAND_Z] : NTLMv2 hash in pcap, use WORDLIST.txt to crack
Observera
Statistisk analys av RANSOM_NOTE.gz visar att alla tecken, förutom ett, förekommer 46657 gånger. En deltagare hittade att detta kan faktoriseras till primtalen 13 x 37 x 97… Ett sammanträffande?
Tack till @Cyberhot!
Vi vill uppmärksamma @Cyberhots genomgång på YouTube:
https://www.youtube.com/watch?v=SSa1SrrBnb0
Stort tack för din hjälp i år, @Cyberhot!
In English
Thanks for participating in this year’s CTF challenge! We will make sure to correct all answers and get back to you in due time. Any contributions that contain the correct answers will receive a sticker by the end of 2024! Stay tuned.
Correct answers
- CTF[AES128]
- CTF[RICKROLL]
- CTF[OR]
- CTF[OPPORTUNISTICALLY]
- CTF[IRRITATING]
- CTF[PENTOMINOS]
- CTF[TOPPALUA]
- CTF[HAPPY BIRTHDAY]
- CTF[RHODE_ISLAND_Z]
Short description of the flags
- CTF[AES128] : clear text in IRC communication
- CTF[RICKROLL] : IRC conversation “Strange looking string: CTF[E65D46AD10F92508F500944B53168930] - why don’t you ask john? > use, for example, “John the Ripper” to crack the LM hash.
- CTF[OR] : DCC RANSOM_NOTE.gz > grep CTF\[[A-Z]*\]
- CTF[OPPORTUNISTICALLY] : OpenSSL (AES-128-CBC) encrypted file on the disk image transferred over ftp. Disc forensic on the image shows deleted files on the image with clues and SSLKEYLOGFILE to the password in the TLS stream.
- CTF[IRRITATING] : compression circus on the file archive (gzip and tar)
- CTF[PENTOMINOS] : base32 encoded filename in Recycle-Bin.zip
- CTF[TOPPALUA] : DNS ex-filtration, base32 encoded PNG, to suspicious IP address mentioned in an IRC conversation (195.200.72.82)
- CTF[HAPPY BIRTHDAY] : written on the spine of a book in the picture of the game file puzzle.exe
- CTF[RHODE_ISLAND_Z] : NTLMv2 hash in pcap, use WORDLIST.txt to crack
Note
RANSOM_NOTE.gz > statistical analysis shows all but one character occur 46657 times, which one player found can be factored to prime numbers 13 x 37 x 97. Coincident?
Thank you, @Cyberhot!
We also want to highlight @Cyberhot’s writeup on YouTube:
https://www.youtube.com/watch?v=SSa1SrrBnb0
Thank you for helping out this year, @Cyberhot!