Thursday, May 27, 2010

Capture the Pequod

Last weekend I distracted myself from my university work by competing in ddtek's Defcon CTF quals. It was a bunch of fun and I recommend that everyone gives it a go. A good place to start if you're not sure what I'm talking about is over at wikipedia: Capture the Flag. Defcon CTF is played by teams of 5-6 people who spend the weekend trying to solve puzzles ranging from binary reverse engineering, exploit development, disk forensics and cryptanalysis to random trivia. Since I was playing on a team of 1 I mostly stuck to the "Pursuits Trivial" category, which is a grab bag of trivia-based puzzles. This worked out well since I managed to solve all but the hardest one, which I was working on when time expired.

Here's a quick run down of the problems that I faced:

Pursuits Trivial 100
This was very straightforward: the question was "What linux command was mentioned in the Spiderman movie". I didn't know the answer off hand so I googled it, and it turns out someone had set up a StackOverflow.com question and someone else had posted the answer: "sudo". Well, that was an easy start; pity it wouldn't continue.

Pursuits Trivial 200
The 'question' was "sheep@pwn21.ddtek.biz:6000 sheep go baaAaaA"

This was a bit cryptic but not too terrible, as you'd discover if you tried to ssh to sheep@pwn21.ddtek.biz:6000. The next step was to figure out the password, which wasn't much of a stretch either, "baaAaaA" being the first thing you're likely to try. This is where it gets tricky, however: you find yourself at a blank screen and typing doesn't seem to do much. I must admit that I quickly grew bored of this question and moved on to the next one, but later I came back. Due to some lucky keyboard mashing I ended up hitting 'i' and then some other characters and saw that my cursor moved. After that I tried it again with a ttyrecorder in place and found out that when you press 'i' you get the text "INSERT MODE" back, just not legibly. So we were inside vim but with the colours messed up; a bit of Googling turns up the command "hl clear" that reset the colours back to normal. Unfortunately you can't quit vim, it didn't look like you could write files anywhere, and you couldn't shell out to regular commands. What you could do is open a directory (I used the 'open ../' command) and start navigating the file system. From there you quickly find /home/sheep/key and the passphrase you need to score 200 points. Wasn't that fun?

Pursuits Trivial 300
The question was "Vulcan needs more friends" with a link to a site that asks you for a Facebook username, a Flickr account and a Twitter account. Vulcan is the name of one of the organisers at ddtek, and it looks like you need to hunt him down on some social networks. This wasn't actually too hard, though it took a little bit of creativity at times: often there was an account called "ddtek" but it was a group rather than a user, and you had to look around to see if someone called Vulcan had friended the "ddtek" group. The hardest part was convincing the script that you actually had found Vulcan; the twitter part was especially finicky.

Pursuits Trivial 400
This one was great fun. The question is something like "Rank these hackers" with a link to a file. The file turns out to be a java app that, when run, shows you two photos of hackers and asks you to pick one (first time I got Halvar Flake and The Dark Tangent). If you choose correctly it will show you two more faces, but if you choose incorrectly the program exits. Since I didn't recognise most of the faces and there was no way to know the ranking system, I figured I would have to find some other advantage. At first I started pulling apart the network traffic to see if any hints were being sent over the wire. There weren't any that I could see, but the protocol itself looked pretty straightforward. The client says "illogical\n" to start and then receives two jpegs, each XORed with a different constant; if the client wants to pick left it sends 0x00 and if it chooses right it sends 0x01 (I didn't look into figuring out how the server tells the client which constant to use, I figured I could just brute-force it). If the client guesses wrong a 4 byte error code is sent and the socket closes.

I figured that this was all simple enough and wrote my own client f400.py (named f400 because for some reason I confused it with the forensic problems). My client would slowly accumulate knowledge about which hackers were superior to which by playing the game over and over. I also dumped a copy of the images sent, as well as the entire network exchange, to disk for later analysis. Once that was working I left it to run overnight (it didn't need to run nearly that long but it was late and I needed sleep), and in the morning I had a pickle file with a list of images in order. I wrote another script (f400_sort.py) that would give me a nice set of jpegs named in numerical order from 001.jpg out to 080.jpg or so. I then played the game manually, consulting my list to make the choices. After 64 correct choices the game did something different: it asked me to tell it what path I took in the format "LRLRLRRRRLRLRR...". At this point I was a little over the problem and instead of coding the solution just ran through it a second time recording my decisions manually.

Looking back at the problem there are several improvements that I could have made. Firstly, I could have reversed the java application so that I didn't have to guess at the protocol; I could have either derived it from the code or skipped writing my own client and just modified the existing one. Secondly, my network code was a bit naive: it used sleeps and assumed that all the data would be ready to read (perhaps one part of the protocol I didn't analyse was a length field?), and I ended up with an occasional malformed file which I just lived with. I should have used PIL or similar to detect broken or truncated images. Finally, I shouldn't have wimped out: I should have had my client play complete games rather than not knowing what to do after 64 correct guesses.
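As an added example (not the author's f400.py and not the contest's own code), here are the three pieces the write-up describes: recovering each image's XOR constant from the JPEG magic bytes, rejecting truncated images instead of living with them, and turning the accumulated "A beat B" results into a ranking. The server's framing is unknown, so the code assumes the two image blobs have already been read from the socket; the hacker names used for testing are constructed placeholders.

```python
# Added example, not the author's f400.py: per-image XOR key recovery,
# truncation check, and ranking from pairwise "winner beat loser" results.
# Framing of the wire protocol is assumed to be handled by the caller.
from collections import defaultdict

JPEG_SOI = b"\xff\xd8"  # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"  # JPEG end-of-image marker


def recover_xor_key(blob: bytes) -> int:
    """Brute-force the single-byte XOR constant using the known JPEG header."""
    for key in range(256):
        if bytes(b ^ key for b in blob[:2]) == JPEG_SOI:
            return key
    raise ValueError("no single-byte key yields a JPEG header")


def decode_image(blob: bytes) -> bytes:
    """Undo the XOR and refuse images that arrived incomplete."""
    key = recover_xor_key(blob)
    image = bytes(b ^ key for b in blob)
    if not image.endswith(JPEG_EOI):
        raise ValueError("truncated JPEG: end-of-image marker missing")
    return image


def rank_hackers(wins):
    """Kahn's topological sort of (winner, loser) pairs, best first."""
    beats = defaultdict(set)
    indegree = defaultdict(int)
    for winner, loser in wins:
        if loser not in beats[winner]:  # ignore repeated observations
            beats[winner].add(loser)
            indegree[loser] += 1
    nodes = set(beats) | set(indegree)
    # Unrelated hackers are ordered alphabetically so the result is stable.
    ready = sorted(n for n in nodes if indegree[n] == 0)
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for loser in beats[current]:
            indegree[loser] -= 1
            if indegree[loser] == 0:
                ready.append(loser)
        ready.sort()
    if len(order) != len(nodes):  # a cycle means contradictory results
        raise ValueError("contradictory results: ranking has a cycle")
    return order
```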

T400 was a blast, but that brings us to T500.

Pursuits Trivial 500
Time was called while I was working on this problem, and I was mostly just poking around rather than actually trying to solve it. The question was "Tell me about your appendage" and there was a file. The file turned out to be an APE format lossless audio file that I had no idea how to play. I eventually decoded it to wav and listened to it. A bit of Googling on lyrics later made me realise that it was a modified version of Captain Ahab's song Ride. I won't go any further; I'll instead direct you to this excellent write up of the puzzle by Scott Wolchok http://scott.wolchok.org/t500.html. First though I insist you listen to the song yourself by playing the youtube video below. It has unicorns.
