PeaCTF 2019 Round 1

peaCTF, Phillips Exeter Academy’s Capture The Flag, is a free online computer security competition for middle school and high school students.

June 22 2019 to July 28 2019

peaCTF 2019

We had hoped to participate in this one as a club on either of the previous weekends but were stymied by a college-wide power-down and the CTF’s own rescheduling issues, so we took an hour or so to tackle it in the club’s weekly meeting.

Breakfast (Cryptography)

Mmm I ate some nice bacon and eggs this morning. Find out what else I had for an easy flag. Don’t forget to capitalize CTF!
011100010000000000101001000101{00100001100011010100000000010100101010100010010001}

This was pretty clearly a Baconian cypher, so I just popped it into the Rumkin cypher for Baconian encoding (I=J, U=V) and out comes the flag:

peaCTF{eggwaffles}
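The decoding can also be reproduced offline. The following is an added example, not part of the original write-up; `bacon_decode` and the two alphabet constants are names chosen here. It decodes the challenge string with both the 24-letter table (I=J, U=V) and the 26-letter table, which shows why the table setting matters.

```python
import re

# 24-letter Baconian alphabet: I and J share a code, as do U and V.
ALPHABET_24 = "ABCDEFGHIKLMNOPQRSTUWXYZ"
# 26-letter variant: every letter has its own code.
ALPHABET_26 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def bacon_decode(text, alphabet=ALPHABET_24):
    """Decode runs of 0/1 in `text` as 5-bit Baconian groups.

    Characters that are not 0 or 1 (here the braces of the flag
    format) are copied through unchanged.
    """
    def decode_run(match):
        bits = match.group(0)
        if len(bits) % 5:
            raise ValueError(f"run of {len(bits)} bits is not a multiple of 5")
        out = []
        for i in range(0, len(bits), 5):
            value = int(bits[i:i + 5], 2)
            if value >= len(alphabet):
                raise ValueError(f"group {bits[i:i + 5]} has no letter")
            out.append(alphabet[value])
        return "".join(out)

    return re.sub(r"[01]+", decode_run, text)


# Ciphertext from the challenge text above.
CIPHERTEXT = ("011100010000000000101001000101"
              "{00100001100011010100000000010100101010100010010001}")

if __name__ == "__main__":
    print(bacon_decode(CIPHERTEXT))               # 24-letter table
    print(bacon_decode(CIPHERTEXT, ALPHABET_26))  # 26-letter table
```

Only the 24-letter table yields readable text; the output is upper case, so the flag's capitalisation still has to follow the challenge hint.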

Broken Keyboard (Cryptography)

Help! My keyboard only types numbers!
112 101 97 67 84 70 123 52 115 99 49 49 105 115 99 48 48 108 125

The range of numbers looked like it was decimal ASCII code, and a quick conversion in CyberChef from decimal to text gives us the flag:

peaCTF{4sc11isc00l}

Hide and Seek (General Skills)

Try to find the flag file located somewhere in the folders located in:
/problems/hide-and-seek_26_59977a2b67b7c7dc3d3e6ae5d37e9400

This one was a little odd, and took some playing to get around an error. The website provided just gave a 404 error page, and entering it through the PeaCTF shell was likewise a problem as the “Shell in a box” was broken. Ultimately, I had to ssh in from my terminal:

ssh AlphaWhiskey@shell1.6b1r4kitu4zti5l7pfdixfu2y0kmanpd.peactf.com

Once in the shell, I navigated to /problems/hide-and-seek_26_59977a2b67b7c7dc3d3e6ae5d37e9400 and grep’d for the peactf flag.

grep -r "peactf" ./

Deep in the many, many subfolders with long random names is flag.txt, containing the flag:

flag{peactf_linux_is_fun_da5c8f084411ef6d1728f68161617f04}

School (Cryptography)

My regular teacher was out sick so we had a substitute today.
Alphabet: WCGPSUHRAQYKFDLZOJNXMVEBTI
zswGXU{ljwdhsqmags}

Another simple cypher, this time a keyed Caesar substitution cypher. Using the alphabet key provided, in the Rumkin Caesar cypher, we get the flag:

peaCTF{orangejuice}

Choose your Pokemon (Forensics)

Just a simple type of recursive function.

We are provided with the master-ball file.

HexFiend shows that it starts with Rar and holds a file called roshambo. Renaming the file with the .rar extension and unpacking the archive reveals the roshambo file.

HexFiend shows that it starts with PK and holds a file called InDesign. Renaming the file with the .zip extension and unzipping it reveals the InDesign file.

HexFiend shows it starts with %PDF. Again, renaming the file with the .pdf extension and opening it reveals a URL:

https://pastebin.com/AWTDEb9j

which contains rich text format data. We can copy/paste the RTF to notepad and save it as file.rtf, which we can open to reveal the flag:

{wild_type}
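The header checks done by eye in HexFiend can be scripted. The following is an added example, not part of the original write-up: `sniff`, `peel` and `build_sample` are names chosen here, and the sample is constructed in memory, with gzip standing in for the RAR layer because Python's standard library cannot unpack RAR.

```python
import gzip
import io
import zipfile

# Leading bytes ("magic numbers") of the formats met in this challenge,
# plus gzip so the constructed sample can nest two container types.
SIGNATURES = [(b"Rar!\x1a\x07", "rar"), (b"PK\x03\x04", "zip"),
              (b"%PDF", "pdf"), (b"\x1f\x8b", "gzip")]


def sniff(data):
    """Return the format implied by the first bytes, or 'unknown'."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def peel(data, max_depth=10):
    """Unwrap nested containers; return (formats_seen, innermost_bytes).

    Only zip and gzip are unpacked; a rar layer is reported and left
    for an external tool. max_depth bounds the number of layers.
    """
    chain = []
    for _ in range(max_depth):
        kind = sniff(data)
        chain.append(kind)
        if kind == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                names = archive.namelist()
                if len(names) != 1:
                    raise ValueError("expected a single member")
                data = archive.read(names[0])
        elif kind == "gzip":
            data = gzip.decompress(data)
        else:
            return chain, data
    raise ValueError("nesting deeper than max_depth")


def build_sample():
    """Constructed sample: extensionless gzip -> zip -> PDF-like bytes."""
    inner = b"%PDF-1.4\n% constructed placeholder\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("InDesign", inner)
    return gzip.compress(buf.getvalue()), inner
```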

Coffee Time (Reversing)

Run this jar executable in a virtual machine and see what happens.

This was super-easy. I just copied the provided file to Kali, extracted the CoffeeTime.class and opened it in Atom to reveal the flag:

peaCTF{nice_cup_of_coffee}

We are E.xtr (Forensics)

We are just provided with the E.xtr file. In HexFiend, it starts with XTR but otherwise looks like a PNG header and footer. Changing XTR to PNG and saving it as file.png, we can open the image to reveal the flag:

{read_banned_it}

The Wonderful Wizard (Forensics)

This challenge provides the TheWonderfulWizard.png file. Looking at the header and footer in HexFiend, it looks good, and pngcheck says it’s OK. Running it through stegoveritas LSB analysis, we get the following hex data:

66 6c 61 67 7b 70 65 61 63 74 66
5f 77 68 65 72 65 5f 74 68 65 5f
77 69 6e 64 5f 62 6c 6f 77 73 7d

Converting hex to text in CyberChef, we get the flag:

flag{peactf_where_the_wind_blows}

Worth (General Skills)

This problem is worth 0o250 points.

This certainly looks like octal (0o), which converts to 0xa8 in hex and 168 in decimal, but I haven’t a clue where we’re supposed to go with that to get a flag.

Crack the Key (Cryptography)

On one of my frequent walks through the woods, I stumbled upon this old French scroll with the title "le chiffre indéchiffrable." Remember to submit as peaCTF{plaintext_key}.

This one didn’t get a solve, either. It’s clearly meant to be a Vigenere cypher, but the passphrase is unknown. I tried a variety of related passphrases, like “frequent”, but they didn’t work. Frequency analysis shows a likely 13, 26, or 39-character key – so probably 13. I did try the 13 most frequent letters in order of frequency, but to no avail.

Educated Guess (Web Exploitation)

There is a secured system running at http://shell1.2019.peactf.com:49015/query.php. You have obtained the source code.

<!doctype html>
<html>
<head>
 <title>Secured System</title>
</head>
<body>
<?php
// https://www.php-fig.org/psr/psr-4/
function autoload($class)
{
 include $class . '.class.php';
}
spl_autoload_register('autoload');
if (!empty($_COOKIE['user'])) {
 $user = unserialize($_COOKIE['user']);
 if ($user->is_admin()) {
   echo file_get_contents('../flag');
 } else {
   http_response_code(403);
   echo "Permission Denied";
  }
} else {
 echo "Not logged in.";
}
?>
</body>
</html>

I didn’t get too much time to poke at this one, but it seems to need us to set the cookie “user” to “admin”, likely in binary given the unserialize command.

RSA (Cryptography)

Can you help Bob retrieve the two messages for a flag?
Authenticated (unhashed) channel:
n = 59883006898206291499785811163190956754007806709157091648869
e = 65537
c = 23731413167627600089782741107678182917228038671345300608183
Encrypted channel:
n = 165481207658568424313022356820498512502867488746572300093793
e = 65537
c = 150635433712900935381157860417761227624682377134647578768653

This looked like it was going to be everything I needed to simply decrypt a weak RSA encryption. I used

https://github.com/Ganapati/RsaCtfTool

and got

Authenticated channel clear text :
b'\x06s\x08\x04\xb4\xb8FX\xcbU\x1a\x0f\x84\xe4\xdb\xb8\xe0\x99\x1e\xd9\x90=9\xf1g'

Encrypted channel clear text :
b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00peaCTF{f4ct0r'

That seems to give us half of the flag but no more.
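Why a modulus this short offers no protection can be shown on a constructed key. The following is an added example, not part of the original write-up and not how RsaCtfTool works internally: the primes, the plaintext and all function names are chosen here, and Pollard's rho is used because it fits in a few lines. A key at today's recommended sizes (2048 bits and up) is out of reach of this method.

```python
from math import gcd

# Constructed key, not the challenge's: two known Mersenne primes give a
# 92-bit modulus, smaller still than the roughly 200-bit moduli above.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537


def pollard_rho(n):
    """Return a non-trivial factor of composite n (Floyd cycle variant)."""
    if n % 2 == 0:
        return 2
    for c in range(1, 20):
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n          # tortoise: one step
            y = (y * y + c) % n          # hare: two steps
            y = (y * y + c) % n
            d = gcd(abs(x - y), n)
        if d != n:                       # d == n means this c cycled; retry
            return d
    raise ValueError("no factor found")


def recover_private_exponent(n, e):
    """Factor n, then derive d = e^-1 mod (p-1)(q-1)."""
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def decrypt(c, n, d):
    """Textbook RSA decryption, returned as minimal-length bytes."""
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo():
    message = b"f4ct0r"                  # constructed plaintext
    c = pow(int.from_bytes(message, "big"), E, N)
    d = recover_private_exponent(N, E)   # uses only the public (N, E)
    return decrypt(c, N, d)
```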

Song of My People (Forensics)

A specific soundcloud rapper needs help getting into his password protected zipped file directory. The initial password is in the title. You just have to know your memes, and pick the right instrument! We were on the fence on giving you an image to go along with this puzzle, but the loincloth was too scandalous. Alternatively, you could bruteforce.

This challenge included a file that HexFiend revealed to contain a PKzip. Isolating the PKZIP portion, saving it and renaming it with the .zip extension, we can try to open it, but are confronted with a password requirement. The clue references Song of My People, memes, and a loincloth, which takes me to a meme of a man in a loincloth playing a violin. Violin is the password, which opens the ZIP containing:

Ice Cube – Check Yo Self Remix (Clean).mp3
README.txt
issue.png

The README says:
one of the three files is a red herring, but a helpful on at that
does any of this ADD up? This is a LONG problem.

The issue.png is a lengthy file and pngcheck shows it is a PNG, but with an “invalid number of PLTE entries (4.04167e+08)”. I didn’t figure out how to correct that before we ran out of time.

FINAL RESULTS

Final Team Score: 3800/5100
Final Team Rank: 101/1259
My Final Score: 1800/5100
My Final Rank: ~260/1259