
Red Team Lounge CTF 2021 writeup (English version)

Japanese version: Red Team Lounge CTF 2021 writeup - Qiita

About

I participated in Red Team Lounge CTF 2021 (July 31, 2021 13:30 - August 2, 2021 01:30 (JST: UTC+9)) (CTFtime.org) as a one-person team.
(This time is based on the setting of the count down timer on the score server)
I earned 500 points and ranked 22nd among 339 teams (327 teams with positive score).

Here is a list of challenges I solved and challenges that were marked as solved.

Challenge                     Category   Value  Time (JST)
Bad Developers                Reversing  10     2021/07/31 13:45:52
Diffie Hellman                Crypto     100    2021/07/31 14:05:24
Basic                         Web        10     2021/07/31 15:10:50
Expic                         Forensics  15     2021/07/31 15:28:13
WDigest                       Windows    50     2021/07/31 15:47:29
Manipulated                   Forensics  50     2021/07/31 16:12:58
The gate of ultimate success  Reversing  50     2021/07/31 16:13:37
Welcome                       Crypto     5      2021/07/31 16:20:47
Triangle                      Crypto     10     2021/07/31 17:35:56
Ciphers Galore!               Crypto     40     2021/07/31 18:03:41
Last Words                    Crypto     50     2021/07/31 18:15:46
Identifying an Attack         OSINT      10     2021/08/01 00:44:55
Bites                         Reversing  50     2021/08/01 00:57:22
Where is this?                OSINT      40     2021/08/01 20:16:56
Thanks for playing            OSINT      5      2021/08/01 21:57:20
Feedback                      CTF        5      2021/08/01 23:02:31

[Figures: Category Breakdown; Score over Time]

Score Over Time on the server (plotted with even placement, regardless of the time)

[Figure: Official Score over Time]

Challenges I solved

Pwn

Unfortunately I solved no challenges in this category.

Crypto

Welcome

This string was given:

UlRMe0g0VkVfRlVOX1BMNFkxTkchfQ==

I obtained the flag by applying "From Base64" on CyberChef.

RTL{H4VE_FUN_PL4Y1NG!}

Triangle

This challenge statement and data were given:

My friend encoded the flag with XOR but forgot the key! He remembers that its a 4 byte key. Can you recover the flag?

133f29027034094a33253126395b3704

The first part of the flag should be RTL{, so I guessed the key by calculating exclusive-or with the given data.
This is the guessed key:

41 6b 65 79

I obtained the flag by calculating exclusive-or of this guessed key and the given data.

RTL{1_l3rNT_x0R}

Ciphers Galore!

A URL (hastebin) of this data was given:

$&Es6a@I+v5;|`h_$)q?2Kq75w=p|%tK+)8K)K}d!b_l

I googled "Galore", which is used in the challenge name, and found that it means "many".

Applying "ROT47" (Amount=47) on CyberChef resulted in:

SUtDe2oxZGdjM190SXBnazBfdHlAMTEzZXgzXzN5P30=

Applying "From Base64" to this resulted in:

IKC{j1dgc3_tIpgk0_ty@113ex3_3y?}

I obtained the flag by applying "ROT13" (Amount=9) to this.

RTL{s1mpl3_cRypt0_ch@113ng3_3h?}

Last Words

A URL (hastebin) of this data was given:

n=654922591808399471401115531725039933804976416275178080902192760929946158327379913921397815675866572368514471928883646492843129515545704650288455484139194674085479767043433916059634120332033088959269854607488937394748966549930683612344765680930825877346853207413052755531377359101713133223003902598963694672505995923904179391456221568627581198379796103905853274401142025181753922563551760475421349438387207814101835728396617249777551918738205026251791041540304166035801169367444769632368098508148321283516990672280903943844076578831127878464804361185261171218008337510295988058766597378522306523707845029512326086281153969312238517561678149326216382068770238520736531273600941471546492734984885174688640769745572963612242607879009754765129567334064867941063826839593018197528692242502124648098963061951119350954396467735643056862091298259178844956622094028547135110211632557488448742742990287309014601421331198088078262672918791473250793328827598271675543610977104049017695062380578362377174224228163980223055437425220689053314587171763084816067718392663203432596767350691383811865855862699762433397509373202656517
e=65537
ct=100710438795162977079348743974088808865381156915931230652674830564884952723797964737417330704790990449847640350694313826907540645947517771309102468382620491151431303509245971254205327928401285858105844273322941744709730235138404791133855224230464330311543377527034287444040442497607564368033381652353025668428244301303066924437016815162803737278638329823899949834679835580778760115487417517224721370787073698165030607724383674378473550370840265887300696291636301457816942477342875386648871368111343762416276747522564143279926396047848536514023846050160848670498687478441942327283357707903465054287238235065476035197766241316080918681581228125031794197267118491412751434265211623073108630476746894061360362486334754179185179035203622586839918393560491482900365894224904151749064929247038688878617389856012413316816710758669316380134350637155478806193340543320655839127039864941782215970914222744836875559787971645305231571859542782671984468965485858145740868483956306860449187868403601170785547890022967337275595188765793071937500328605240827441496747925821120273130333043107613757070639870802278814019421139964349

I factored this n with the FactorInteger function of the wolfram command on my Raspberry Pi, and it showed that n is the 3rd power of:

86842034747506493609419721799469420931995622862762177911235982167541270872531314416635530661571139759415845637249847122973461307626071732001202620839724983790638777821431490624281206999841752934471207639839705304729136564852048258975833304653350042975893538110232832319190920640420813884920174219068423676798778919245766035367660194191901644604977395931936301500921652573

Checking with the PrimeQ function, this number is a prime number.

Based on this, I calculated φ(n), referring to
Euler's totient function - Wikipedia,
and decrypted the ciphertext as in RSA.

How I did that
Python 3.8.2 (tags/v3.8.2:7b3ab59, Feb 25 2020, 23:03:10) [MSC v.1916 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> n=654922591808399471401115531725039933804976416275178080902192760929946158327379913921397815675866572368514471928883646492843129515545704650288455484139194674085479767043433916059634120332033088959269854607488937394748966549930683612344765680930825877346853207413052755531377359101713133223003902598963694672505995923904179391456221568627581198379796103905853274401142025181753922563551760475421349438387207814101835728396617249777551918738205026251791041540304166035801169367444769632368098508148321283516990672280903943844076578831127878464804361185261171218008337510295988058766597378522306523707845029512326086281153969312238517561678149326216382068770238520736531273600941471546492734984885174688640769745572963612242607879009754765129567334064867941063826839593018197528692242502124648098963061951119350954396467735643056862091298259178844956622094028547135110211632557488448742742990287309014601421331198088078262672918791473250793328827598271675543610977104049017695062380578362377174224228163980223055437425220689053314587171763084816067718392663203432596767350691383811865855862699762433397509373202656517
>>> e=65537
>>> ct=100710438795162977079348743974088808865381156915931230652674830564884952723797964737417330704790990449847640350694313826907540645947517771309102468382620491151431303509245971254205327928401285858105844273322941744709730235138404791133855224230464330311543377527034287444040442497607564368033381652353025668428244301303066924437016815162803737278638329823899949834679835580778760115487417517224721370787073698165030607724383674378473550370840265887300696291636301457816942477342875386648871368111343762416276747522564143279926396047848536514023846050160848670498687478441942327283357707903465054287238235065476035197766241316080918681581228125031794197267118491412751434265211623073108630476746894061360362486334754179185179035203622586839918393560491482900365894224904151749064929247038688878617389856012413316816710758669316380134350637155478806193340543320655839127039864941782215970914222744836875559787971645305231571859542782671984468965485858145740868483956306860449187868403601170785547890022967337275595188765793071937500328605240827441496747925821120273130333043107613757070639870802278814019421139964349
>>> x = 86842034747506493609419721799469420931995622862762177911235982167541270872531314416635530661571139759415845637249847122973461307626071732001202620839724983790638777821431490624281206999841752934471207639839705304729136564852048258975833304653350042975893538110232832319190920640420813884920174219068423676798778919245766035367660194191901644604977395931936301500921652573
>>> phi = n * (x - 1) // x
>>> d = pow(e, -1, phi)
>>> res = pow(ct, d, n)
>>> hex(res)
'0x52544c7b315f6330756c645f7072306234626c795f6d346b335f746831355f616c30745f6834726433725f6e6578745f74316d332121212d65383266616337613738306637323537396334376236636530643562376664383265623631393265643635393439636134383533303962357d'
>>> exit()

I obtained the flag by applying "From Hex" on CyberChef to the result.

RTL{1_c0uld_pr0b4bly_m4k3_th15_al0t_h4rd3r_next_t1m3!!!-e82fac7a780f72579c47b6ce0d5b7fd82eb6192ed65949ca485309b5}
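The same check and decryption generalized to any modulus of the form p^k, where φ(p^k) = p^(k-1)·(p-1). This is an added example, not code from the original post: the function names are hypothetical and the sample modulus is constructed here rather than taken from the challenge.

```python
import random

def iroot(n: int, k: int) -> int:
    """Largest integer r with r**k <= n (binary search, no floats)."""
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test with random bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def prime_power(n: int):
    """Return (p, k) when n == p**k for a prime p and k >= 2, else None."""
    for k in range(n.bit_length(), 1, -1):
        r = iroot(n, k)
        if r > 1 and r ** k == n and is_probable_prime(r):
            return r, k
    return None

def decrypt_prime_power(n: int, e: int, ct: int) -> int:
    """Textbook-RSA decryption for a modulus of the form p**k."""
    found = prime_power(n)
    if found is None:
        raise ValueError("modulus is not a prime power")
    p, k = found
    phi = p ** (k - 1) * (p - 1)   # Euler's totient of p**k
    d = pow(e, -1, phi)            # modular inverse, Python 3.8+
    return pow(ct, d, n)           # correct when gcd(message, p) == 1

# Constructed sample (not the challenge data): a small modulus of the same shape.
P = 2 ** 61 - 1                    # a known Mersenne prime
N, E = P ** 3, 65537
MESSAGE = int.from_bytes(b"RTL{ok}", "big")
CIPHERTEXT = pow(MESSAGE, E, N)

if __name__ == "__main__":
    m = decrypt_prime_power(N, E, CIPHERTEXT)
    print(prime_power(N), m.to_bytes((m.bit_length() + 7) // 8, "big"))
```

Running `prime_power` over a key's modulus before accepting it is a cheap way to catch this class of malformed RSA key.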

Diffie Hellman

Information to connect to a TCP server was given.

Connecting via Tera Term, it requested to send a "public message" to BOB and ALICE.
After sending some value, it showed a message.

g:5
p:23
Send your public message to BOB.Intercepted Alice's message: 4
4
Send your public message to ALICE.Intercepted Bob's message: 10
10
The message is encrypted.Bob sends message:@F^i&q%v+ *t'$!%+$tpw"v't#v"+&q!&*p'o

I obtained the flag by applying "XOR Brute Force" on CyberChef to the message.

Key = 12: RTL{4c7d928f563796fbe0d5f1d094c348b5}

Another way to obtain the flag was sending 0 twice as the "public message".

g:5
p:23
Send your public message to BOB.Intercepted Alice's message: 4
0
Send your public message to ALICE.Intercepted Bob's message: 10
0
The message is encrypted.Bob sends message:RTL{4c7d928f563796fbe0d5f1d094c348b5}
RTL{4c7d928f563796fbe0d5f1d094c348b5}
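Why both sessions above decrypt, and the public-value check that rejects the degenerate input, as an added example that is not part of the original post. It assumes, as the session output suggests, that Bob uses the shared secret directly as a single-byte XOR key; Bob's private exponent is derived by brute force from the tiny parameters shown, and the function names are hypothetical.

```python
P, G = 23, 5                   # parameters printed by the server
ALICE_PUB, BOB_PUB = 4, 10     # public values the server reported as intercepted
# Bob's message from the first session on the page
CIPHERTEXT = b"@F^i&q%v+ *t'$!%+$tpw\"v't#v\"+&q!&*p'o"

def discrete_log(y: int) -> int:
    """Brute-force x with G**x % P == y; feasible only because P is tiny."""
    for x in range(1, P):
        if pow(G, x, P) == y:
            return x
    raise ValueError("no exponent found")

def validate_public(y: int) -> int:
    """Accept only 2 <= y <= P-2; 0, 1 and P-1 pin the secret to 0, 1 or +-1."""
    if not 2 <= y <= P - 2:
        raise ValueError(f"rejected public value {y}")
    return y

def bob_shared_secret(peer_public: int, validate: bool) -> int:
    """Secret Bob derives from whatever arrives as the peer's public value."""
    if validate:
        validate_public(peer_public)
    b = discrete_log(BOB_PUB)          # Bob's private exponent (assumed model)
    return pow(peer_public, b, P)

def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (assumed cipher, see lead-in)."""
    return bytes(c ^ (key & 0xFF) for c in data)

if __name__ == "__main__":
    # Session 1: Alice's value is relayed unchanged, secret is 18 (0x12).
    key = bob_shared_secret(ALICE_PUB, validate=False)
    print(hex(key), xor_single(CIPHERTEXT, key))
    # Session 2: public value 0 forces secret 0, so XOR leaves the text as is.
    print(bob_shared_secret(0, validate=False))
    # With validation, the degenerate value never reaches the key derivation.
    try:
        bob_shared_secret(0, validate=True)
    except ValueError as err:
        print(err)
```

The range check only removes the degenerate values; it does not authenticate the peer, so an unauthenticated exchange can still have its public values substituted in transit.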

Reversing

Bad Developers

A URL (pastebin) of some text data was given.

Reading the data as a Python program, it was checking whether each character of the input is a specific value.
I obtained the flag by reading this program.

RTL{D0NT_D0_TH1S}

The gate of ultimate success

A Google Drive URL was given.
A file we_start_with_basics.exe was available on the URL.

I disassembled that with objdump in TDM-GCC and read the result, finding that the main function is doing:

  1. Read some input via the scanf function.
  2. Tweak the data via the strrev function.
  3. Calculate exclusive-or of each byte of the resulting data with 0x7b.

Also, checking the file, I found this string near the strings that should be messages to output:

/5:/)4+62/(46>):(82(:9

I obtained the key by applying XOR with 0x7b to this string on CyberChef and reversing the result.
I obtained the flag by wrapping the key with RTL{} as instructed in the challenge description.

RTL{BASICSAREMOSTIMPORTANT}

Bites

A text file dc9_bites.txt that looked like a program and a text file flag.txt that contained whitespace-delimited numbers were given.

Reading dc9_bites.txt carefully, it looked like a program for a stack machine that calculates exclusive-or with a value that is determined by whether the index in the array is even or odd.

Applying "From Decimal" to the contents of flag.txt on CyberChef and applying "XOR" with a key RTL{, the first part resulted in MwMw.
Seeing this, I obtained the flag by applying "XOR" with a key Mw.

RTL{H4x_ByT3$$}
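The known-plaintext step used in both Triangle and Bites (XOR the data with the expected prefix RTL{, then read the key off the repeating result), as an added example that is not from the original post. The Triangle bytes are the hex string from the page; flag.txt for Bites is not reproduced there, so its input is constructed here from the page's flag and key, and the function names are hypothetical.

```python
from itertools import cycle

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Recover a repeating XOR key from a known plaintext prefix.

    ciphertext XOR prefix gives the first len(known_prefix) keystream
    bytes; the shortest period of that fragment is returned as the key.
    If the real key is longer than the prefix, the result is only a
    partial key and the decrypted text will show it.
    """
    stream = xor_bytes(ciphertext[:len(known_prefix)], known_prefix)
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream

def solve(ciphertext: bytes, known_prefix: bytes = b"RTL{"):
    """Return (key, plaintext) for a repeating-key XOR with a known prefix."""
    key = recover_key(ciphertext, known_prefix)
    return key, xor_bytes(ciphertext, key)

# Triangle: the hex data given in the challenge.
TRIANGLE_CT = bytes.fromhex("133f29027034094a33253126395b3704")
# Bites: constructed stand-in for flag.txt (page's flag XOR page's key "Mw").
BITES_CT = xor_bytes(b"RTL{H4x_ByT3$$}", b"Mw")

if __name__ == "__main__":
    for name, ct in (("Triangle", TRIANGLE_CT), ("Bites", BITES_CT)):
        key, plain = solve(ct)
        print(name, key.hex(" "), plain.decode())
```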

OSINT

Thanks for playing

This challenge description was given:

My friend told me that one of the CTF organizers left a note on twitter but I can't seem to find it. #RTLxHA

Searching for #RTLxHA on Twitter, I found this tweet:

The flag was on the page whose URL https://rtl-ctf.hackarmour.tech/secret was in the tweet.

RTL{TH4NK2_F0R_PL4Y1NG}

Identifying an Attack

This challenge description was given:

Thehackerscrew are remotely executing arbitrary code through Apple’s bluetooth. Can you identify the CVE of the attack?

The CVE should be wrapped around RTL{}

I googled "Apple Bluetooth CVE remove arbitrary code" and
searched "Bluetooth arbitrary code" on CVE - Search CVE List,
finding nothing that seems useful.

I googled "bluetooth remote code cve ios" and found this page:
About the security content of iOS 13.5 and iPadOS 13.5 - Apple Support (Japan)
This page had this information:

Bluetooth

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, iPod touch (7th generation)

Impact: A remote attacker may be able to cause arbitrary code execution.

Description: An out-of-bounds read vulnerability was addressed with improved array bounds checking.

CVE-2020-9838: Dennis Heinze (@ttdennis) of Secure Mobile Networking Lab, TU Darmstadt

However, the following "flags" were marked as Incorrect.

  • RTL{CVE-2020-9838}
  • RTL{2020-9838}
  • RTL{20209838}

After that, I googled site:https://support.apple.com/ bluetooth remote arbitrary code, finding
About the security content of iOS 14.4 and iPadOS 14.4 - Apple Support.
This page had this information:

Bluetooth

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote attacker may be able to cause arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2021-1794: Jianjun Dai of 360 Alpha Lab

Entry added February 1, 2021, updated May 28, 2021

Bluetooth

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote attacker may be able to cause arbitrary code execution

Description: An out-of-bounds write was addressed with improved input validation.

CVE-2021-1795: Jianjun Dai of 360 Alpha Lab

CVE-2021-1796: Jianjun Dai of 360 Alpha Lab

Entry added February 1, 2021, updated May 28, 2021

Three candidates were extracted from this:

  • CVE-2021-1794
  • CVE-2021-1795
  • CVE-2021-1796

I decided to try all of them. The first candidate was marked as Correct and I obtained the flag.

RTL{CVE-2021-1794}

Where is this?

An image file where.png that looked like a landscape photograph was given, and we were asked to determine the latitude and longitude.
The picture had a tower that looked characteristic, so I extracted the part with the tower via Microsoft Paint
and painted black the objects around the tower that might disturb the search.

Extracted image: tower_trimmed.png
Painted image: tower_trimmed_painted.png

I searched for this tower image via Google, finding this page that had an image of a similar tower.
Berlin – the place to be - Is it already that late? 😳 | Facebook

Seeing this, I guessed that this tower is related to Berlin and googled "Berlin tower". It resulted in finding this page:
Official website of the Berlin TV Tower - Enjoy the city from above
I selected "The tower → Virtual tour" on this page and viewed "Bar 203 → 204° South-West".
As a result, I found that the flag that was near the tower in the picture from the challenge was on a building with a characteristic shape.

I searched "berlin tv tower" on Google Street View and looked around, finding that the building should be Rotes Rathaus.
berlin tv tower - Google Maps
Then, I moved around on Street View, finding a similar place.
B1 - Google Maps

I obtained the flag by putting the information in the URL to the specified format.

RTL{52.516_13.408}

Windows

WDigest

A Google Drive URL was given.
A file lsass1.DMP was available on the URL.
Also the challenge description said:

I forgot my Windows password, can you recover it?

I googled "dmp crack windows", finding this page:
Hacking Windows 10: How to Dump NTLM Hashes & Crack Windows Passwords « Null Byte :: WonderHowTo

Referring to this page, I executed the commands sekurlsa::minidump and sekurlsa::logonPasswords on Mimikatz.
It resulted in printing the flag like this:

        wdigest :
         * Username : d4rckh
         * Domain   : WIN-243AVCIFKOS
         * Password : RTL{WD1G3ST_1S_B4D}
RTL{WD1G3ST_1S_B4D}

Forensics

Expic

A Google Drive URL was given.
A file ex.zip was available on the URL.

A file photo was extracted from this file ex.zip.
Checking the contents of this file photo, there was this part near the beginning:

<prism:number>68747470733a2f2f706173746562696e2e636f6d2f514632557a6a56590a</prism:number>

Applying "From Hex" on CyberChef to the hexadecimal between the strings that seem to be tags, it resulted in:

https://pastebin.com/QF2UzjVY

This data was available on the URL:

T0tLIApSVEx7MTBiYmE5YTUyNDE3MDk1ZGU1MWRiOTQ1NjM2MWQ3NDR9Cg==

Applying "From Base64" on CyberChef to this data resulted in:

OKK 
RTL{10bba9a52417095de51db9456361d744}

Now I obtained the flag.

RTL{10bba9a52417095de51db9456361d744}

Web

Basic

A URL of a web page was given.
The page had a box to enter Username, a box to enter Password, and a "Log In" button.

The flag was shown when I hit the "Log In" button after putting ' or 1=1 -- as Username and a as Password.

RTL{b@s1c_5ql}

CTF

Feedback

A Google Forms URL was given.
Opening the URL, I found a 4-page questionnaire.
(The first and last page only contained descriptions and the questionnaire was actually 2 pages.)

The flag was shown after I answered the questionnaire and hit the submit button.

RTL{TH4NK_Y0U_F0R_Y0UR_F33DB4CK}

Challenges that are marked as solved

Forensics

Manipulated

A Google Drive URL was given.
A file Manipulated.zip was available on the URL.
A file corr.png was extracted from the file Manipulated.zip.

Opening corr.png with TweakPNG, it showed:

Incorrect crc for IHDR chunk (is 9a056c98, should be 15060e3d)

Also, the IHDR (shown on TSXBIN) was:

00008  DateLength      0000000D
0000C  IHDR[0]         49 48 44 52
00010  Width           DEADC0DE
00014  Height          D34DB33F
00018  Depth           08
00019  ColorType       06
0001A  Compression     00
0001B  Filter          00
0001C  Interlace       00
0001D  CRC             9A056C98

The values of Width and Height (at least) looked strange.

I created this program to extract the data for IDAT from corr.png:

extract.pl
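#!/usr/bin/perl

use strict;
use warnings;

# Input PNG: first command-line argument, or the default path.
my $in_file = @ARGV > 0 ? $ARGV[0] : "Manipulated/corr.png";

# Read the whole file in binary mode (3-argument open, so the file name
# is never interpreted as a mode or a pipe).
open(my $in, "<", $in_file) or die("failed to open $in_file\n");
binmode($in);
my $data = "";
while (<$in>) { $data .= $_; }
close($in);

binmode(STDOUT);

# Skip the 8-byte PNG signature, then walk the chunks:
# 4-byte big-endian length, 4-byte type, data, 4-byte CRC.
my $pos = 8;
while ($pos < length($data)) {
    my $len = unpack("N", substr($data, $pos, 4));
    my $type = substr($data, $pos + 4, 4);
    print STDERR "$pos $len $type\n";    # chunk listing for inspection
    if ($type eq "IDAT") {
        # Emit only the IDAT payload (the zlib stream) on STDOUT.
        print substr($data, $pos + 8, $len);
    }
    $pos += $len + 12;    # length + type + data + CRC
}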

I applied "Zlib Inflate" on CyberChef to the extracted data, resulting in 2,063,174 bytes of data.
The first part of the data was like this:

00000000  01 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00  |.ÿÿÿÿ...........|
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|

The ColorType in IHDR was 0x06, which means "RGB with Alpha channel", and the Depth was 0x08,
so 1 pixel is expressed using 4 bytes, assuming this information is correct.
Looking at the obtained data, it looked like the first 1 byte specifies the encoding method of the row and each 4 bytes after that are the color data.

Checking the data after that, there were many bytes with the value 0x00 and there were some parts that have 3-byte groups of bytes with the same value:

00000790  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
000007a0  00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff  |.............ÿÿÿ|
000007b0  00 00 00 00 00 ff ff ff 00 ff ff ff 00 00 00 00  |.....ÿÿÿ.ÿÿÿ....|
000007c0  00 01 01 01 00 00 00 00 00 fe fe fe 00 00 00 00  |.........þþþ....|
000007d0  00 03 03 03 00 fd fd fd 00 f7 f7 f7 00 f1 f1 f1  |.....ýýý.÷÷÷.ñññ|
000007e0  00 ea ea ea 00 fe fe fe 00 17 17 17 00 10 10 10  |.êêê.þþþ........|
000007f0  00 0a 0a 0a 00 03 03 03 00 00 00 00 00 00 00 00  |................|
00000800  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000a80  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000a90  00 00 00 00 00 00 00 00 00 ff ff ff 00 00 00 00  |.........ÿÿÿ....|
00000aa0  00 00 00 00 00 01 01 01 00 00 00 00 00 00 00 00  |................|
00000ab0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|

Also, the 0xcf5-th byte was 0x04, which doesn't form such a group, and I guessed that this is the beginning of the second row.

00000ce0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000cf0  00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00  |................|
00000d00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|

Assuming that one row is expressed with 0xcf5 bytes (3317 bytes),
the number of pixels in one row should be (3317 - 1) / 4 = 829 and the number of rows should be 2063174 / 3317 = 622.

When I wrote Width=829 and Height=622 to IHDR, the CRC32 value matched the one recorded in the file and resulted in this image:

An image with Width=829 and Height=622 written

I obtained this on 2021/07/31 14:47 JST.
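The recovery steps above in code form: enumerate widths whose row length fits the inflated data, then keep the one whose IHDR CRC equals the stored value. This is an added example, not the author's tooling; the function names are hypothetical and the sample is a constructed 5x3 RGBA image, not corr.png.

```python
import struct
import zlib

def ihdr_crc(width: int, height: int, tail: bytes) -> int:
    """CRC32 over the chunk type plus the 13 IHDR data bytes."""
    return zlib.crc32(b"IHDR" + struct.pack(">II", width, height) + tail)

def candidate_dims(raw: bytes, bytes_per_pixel: int):
    """Yield (width, height) pairs consistent with inflated IDAT data.

    Every scanline is one filter-type byte (0..4) followed by
    width * bytes_per_pixel bytes, so len(raw) must be a multiple of the
    row length and each row must start with a valid filter type.
    """
    for width in range(1, (len(raw) - 1) // bytes_per_pixel + 1):
        stride = 1 + width * bytes_per_pixel
        if len(raw) % stride:
            continue
        if all(raw[i] <= 4 for i in range(0, len(raw), stride)):
            yield width, len(raw) // stride

def recover_dims(raw: bytes, tail: bytes, stored_crc: int, bytes_per_pixel: int = 4):
    """Return the (width, height) whose IHDR CRC matches the stored CRC."""
    for width, height in candidate_dims(raw, bytes_per_pixel):
        if ihdr_crc(width, height, tail) == stored_crc:
            return width, height
    return None

# Constructed sample: depth 8, colour type 6 (RGBA), other fields 0,
# the same field values as the IHDR dump on the page.
TAIL = bytes([8, 6, 0, 0, 0])
# Three rows of 5 transparent pixels with filter bytes 1, 4, 0.
RAW = b"".join(bytes([f]) + bytes(20) for f in (1, 4, 0))
# CRC as it would be stored in the file for the true size.
STORED_CRC = ihdr_crc(5, 3, TAIL)

if __name__ == "__main__":
    # Mostly-zero data fits more than one layout; the CRC settles it.
    print(list(candidate_dims(RAW, 4)))
    print(recover_dims(RAW, TAIL, STORED_CRC))
```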

This image has a string that looks like the flag, but entering this was marked as Incorrect.
It looked difficult to distinguish between I (large I) and l (small L), and between 0 (zero) and O (large O).
I tried these strings, all of them being marked as Incorrect:

  • RTL{IHDR_chunk_m4nipulat10n}
  • RTL{IHDR_chunk_m4nipuIat10n}
  • RTL{IHDR_chunk_m4nipulat1On}
  • RTL{lHDR_chunk_m4nipulat10n}
  • RTL{lHDR_chunk_m4nipuIat10n}
  • RTL{lHDR_chunk_m4nipuIat1On}

(I thought I tried all 8 patterns, but the note had duplicate strings and what I actually tried seems to be these 6 patterns.)

After a while, this challenge was marked as solved for some reason.
