Diffstat (limited to 'docs')
-rw-r--r-- docs/writeups/IceCTF_2018/Lost_in_the_Forest.txt 66
1 files changed, 66 insertions, 0 deletions
diff --git a/docs/writeups/IceCTF_2018/Lost_in_the_Forest.txt b/docs/writeups/IceCTF_2018/Lost_in_the_Forest.txt
new file mode 100644
index 0000000..de6c6b9
--- /dev/null
+++ b/docs/writeups/IceCTF_2018/Lost_in_the_Forest.txt
@@ -0,0 +1,66 @@
+"You've rooted a notable hacker's system and you're sure that he has hidden
+something juicy on there. Can you find his secret?"
+
+
+Setup
+-----
+We are given a zip file, which contains a backup of the hacker's filesystem.
+
+
+Solution
+--------
+A quick search shows nothing of interest outside of /home. However, inspecting
+/home show a Pictures directory with several files named like "..._500.jpg",
+perhaps something to pay attention to. In addition, Desktop/ contains a
+clue.png file. If you spend much time studying these files you'll not turn up
+any leads, as the real file of interest is the mysterious "hzpxbsklqvboyou" file
+in the home directory.
+
+There's no obvious way to make sense of this file. All of our real clues will
+come from the hacker's .bash_history file. The history file is mostly junk, but
+these few lines are significant:
+
+wget https://gist.githubusercontent.com/Glitch-is/bc49ee73e5413f3081e5bcf5c1537e78/raw/c1f735f7eb36a20cb46b9841916d73017b5e46a3/eRkjLlksZp
+mv eRkjLlksZp tool.py
+./tool.py ../secret > ../hzpxbsklqvboyou
+shred secret
+rm tool.py
+
+This explains where our "hzpxbsklqvboyou" file came from as well as what
+happened to the original secret.
+
+If you download the sourced Python script, you'll get this:
+
+#!/usr/bin/python3
+import sys
+import base64
+
+def encode(filename):
+ with open(filename, "r") as f:
+ s = f.readline().strip()
+ return base64.b64encode((''.join([chr(ord(s[x])+([5,-1,3,-3,2,15,-6,3,9,1,-3,-5,3,-15] * 3)[x]) for x in range(len(s))])).encode('utf-8')).decode('utf-8')[::-1]*5
+
+if __name__ == "__main__":
+ print(encode(sys.argv[1]))
+
+It takes a filename on the command-line, reads the first line of that file, and
+applies several mutations to that text before printing it to stdout.
+
+Now we know how secret was encoded. Reversing this code gives us the following
+function, which we can run over "hzpxbsklqvboyou" to recover the original secret.
+
+def decode(filename):
+ with open(filename, "r") as f:
+ s = f.readline().strip()
+ s = s[:int(len(s)/5)][::-1]
+ s = base64.b64decode(s)
+
+ lut = [5,-1,3,-3,2,15,-6,3,9,1,-3,-5,3,-15] * 3
+ s = (''.join( [chr( s[x] - lut[x]) for x in range(len(s))]))
+
+ return s
+
+if __name__ == "__main__":
+ print(decode(sys.argv[1]))
+
+IceCTF{good_ol_history_lesson}
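Review bot: In decode(), `chr( s[x] - lut[x])` indexes the raw bytes returned by base64.b64decode(), while encode() shifts characters first and only then calls .encode('utf-8'), so the two are inverses only when every shifted character stays below 128 and therefore encodes to a single byte. That holds for this flag, but the function would be a true inverse if it decoded first (`s = base64.b64decode(s).decode('utf-8')`) and then used `ord(s[x]) - lut[x]`. In the same function, `int(len(s)/5)` is better written as `len(s) // 5` to avoid the float round trip. The decode listing also has no `import sys` / `import base64` lines, so the text should say it reuses the header of tool.py or the listing should include them. It would help to note that the lookup table has 14 * 3 = 42 entries, so both functions raise IndexError on a first line longer than 42 characters. Minor wording: "inspecting /home show a Pictures directory" should read "shows".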