TeamHub's

TCTT2023 - Writeups

My writeup for Thailand Cyber Top Talent CTF 2023.

Written On: 9/16/2023


Write-up Topics

  1. Reverse Engineering
  2. Digital Forensic
  3. Steganography

Introduction

This is my second time participating in Thailand Cyber Top Talent, and I'd say the questions this time were much more complicated than last year's.

In this write-up I will be sharing a few topics I've done.

1 - Reverse Engineering

Let's get started with the first one, a topic I've never done before: debugging a program. Let's first take a look at the program we have here.

Image

I will be using dnSpy for this question since I have used it before. Now I have found the source code of the program.

Image

I can see right here that there's a text string that contains the flag format CTT23{FlagHere}, but it seems like it's still missing the rest of the flag. As I read through the code, it seems like the username of the program is admin, but for the password there seems to be an encryption process in the code. How I easily got through the program is very simple: first I add a breakpoint on the if statement that runs when we click access.

Image

Now when we debug the program we will be able to input any password and still make it true, which leads us to the flag.

Image

So the flag for this question is now solved - CTT23{R3v3rs3_is_Fun}

2 - Digital Forensic

This one is quite simple to do if you know what tool to use and can identify how to decrypt the message.

It seems the computer is broken and you have to recover the files from the evidence that was given.

Image

To recover the lost files I will be using foremost in this question.

```shell
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Sat Sep 16 10:32:03 2023
Invocation: foremost -v evidence.bin
Output directory: /home/suteemonv/Downloads/Covered Track/output
Configuration file: /etc/foremost.conf

File: evidence.bin
Start: Sat Sep 16 10:32:03 2023
Length: 5 GB (5368709120 bytes)

Num   Name (bs=512)   Size     File Offset   Comment

0:    00393352.zip    350 KB   201396224
1:    00394056.zip    470 KB   201756672
2:    00433080.zip    2 KB     221736960
3:    00433384.zip    735 B    221892608
4:    00433552.png    2 KB     221978624     (32 x 32)
5:    00433560.png    3 KB     221982720     (48 x 48)
6:    00433568.png    5 KB     221986816     (64 x 64)
190:  05718120.zip    2 KB     2927677440
191:  05688480.png    115 B    2912501760    (16 x 16)
192:  05688488.png    206 B    2912505856    (72 x 27)
200:  05712216.png    6 KB     2924654592    (914 x 508)
201:  05715608.png    99 KB    2926391296    (1052 x 744)(48 x 48)
238:  09178048.htm    44 KB    4699160640
239:  09167496.png    399 B    4693757952    (48 x 48)
240:  09167544.png    194 B    4693782528    (16 x 16)
241:  09167552.png    291 B    4693786624    (32 x 32)
245:  09521302.gif    1 KB     4874906720    (0 x 18759)
246:  09711916.gif    1 KB     4972501088    (0 x 18759)
247:  10190723.zip    470 KB   5217650632
248:  10191664.zip    350 KB   5218132188
Finish: Sat Sep 16 10:33:16 2023

249 FILES EXTRACTED

gif:= 5
bmp:= 15
htm:= 182
zip:= 19
png:= 26
pdf:= 2

Foremost finished at Sat Sep 16 10:33:16 2023
```

Now let's take a look at the files that were recovered. In the pdf section there was a file that really caught my eye.
<Image src="/forensic-2.png" width="720" height="400" alt="Image" />
Maybe this was encoded with something, so I will go ahead and use CyberChef here. And boom! It was encoded with `BASE64`!
<Image src="/forensic-3.png" width="718" height="404" alt="Image" />
And our flag is `CTT23{?C1a5sic_Pr0blem5_M1gH7_N3Ed_cl@ss!C_s0LutiON5?}`

### 3 - Steganography - Not Finished
In this question a file was given, but with the wrong file type, I assume.
<Image src="/steg-1.png" width="718" height="404" alt="Image" />
So I decided to run a hex dump on the file, and it seems like it's a `.PNG` file type.
<Image src="/steg-2.png" width="718" height="404" alt="Image" />
Once I have converted the file type, the picture is shown perfectly.
<Image src="/FAT_CAT_FILE.png" width="718" height="404" alt="Image" />
But as I read through the hex dump I found something like the flag format in the dump, which I assume might be the first part of the flag.
<Image src="/steg-3.png" width="718" height="404" alt="Image" />
This has convinced me that the rest of the flag might be in a Word document file. I changed the file type of this picture to `.docm`.
Surprisingly, it really is a Word document file, with a macro in it.
<Image src="/steg-4.png" width="718" height="404" alt="Image" />
I copied the value displayed on the screen and put it into CyberChef, but somehow the answer was a bit weird and in the end I couldn't solve it. After the tournament I realized I needed to decode it with not only `BASE64` but also `ROT13`, which gives `CAT_PLANS_TO_RULE_THE_WORLD.` Now we fill in the first part of the flag and get `CTT23{THE_FAT_CAT_PLANS_TO_RULE_THE_WORLD.}`
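
The PNG that also opens as a `.docm` can be spotted without renaming it by checking what follows the PNG's `IEND` chunk. The script below is an added example, not part of the original write-up: it assumes the document was appended after the image data (the challenge file's real layout is not shown above), and `png_end`, `inspect` and `build_sample` are hypothetical helper names run on a constructed sample.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_end(data):
    """Walk the PNG chunks and return the offset just past IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("no PNG signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + body + 4 CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk")

def inspect(data):
    """Report bytes after IEND and, if they form a ZIP, its members."""
    end = png_end(data)
    report = {"png_bytes": end, "trailing_bytes": len(data) - end,
              "members": [], "has_vba": False}
    blob = io.BytesIO(data)
    if report["trailing_bytes"] and zipfile.is_zipfile(blob):
        with zipfile.ZipFile(blob) as zf:  # zipfile tolerates prepended data
            report["members"] = zf.namelist()
        # A macro-enabled Word file keeps its macros in word/vbaProject.bin
        report["has_vba"] = "word/vbaProject.bin" in report["members"]
    return report

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample():
    """Constructed input: a 1x1 PNG followed by a tiny OOXML-like ZIP."""
    png = (PNG_SIG
           + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
           + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
           + _chunk(b"IEND", b""))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"placeholder, not a real macro")
    return png, png + buf.getvalue()

if __name__ == "__main__":
    clean, polyglot = build_sample()
    print(inspect(clean))
    print(inspect(polyglot))
```

Any non-zero `trailing_bytes` on an image is worth a second look, and `has_vba` tells you the trailing data is a macro-enabled Office container.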