plaidCTF 2014 - rsa (for450)
rsa Forensics (450 pts)
--------------
Our archaeologists recovered a dusty and corrupted old hard drive used by The Plague in his trips into the past. It contains a private key, but this has long since been lost to bitrot. Can you recover the full key from the little information we have recovered?
plaidCTF 2014 - bbos (for350)
bbos Forensics (350 pts)
-------------------
You have traveled back in time, but look, hunting The Plague is tough. You're really just going back to relax for a while without having to worry about all that nonsense. As you walk in the park you stumble across someone's BlackBerry. Wow, people still use BlackBerry phones (time travel gets so confusing)? You figure you should return it to the owner, but you have a hard time getting inside. Figure out what's on the phone, and maybe we'll be able to return it to the rightful owner.
BlackBerry was this fancy pager thing, right?
plaidCTF 2014 - zfs (for400)
zfs Forensics (400 pts)
-------------------
The Plague is using state of the art systems for storing his data. Our operatives managed to steal a drive from one of his servers, but it seems like our haste may have led to some uber-corruption. Can you get the data off the drive to track down The Plague?
Sure we can. But where do we start?
plaidCTF 2014 - doge_stege (for100)
This challenge was about extracting a (not very well) hidden message out of an image file:
doge_stege Forensics (100 pts)
--------------
You were startled to learn that The Plague has been behind many of the most popular internet memes. We believe he hides information in these funny pictures with steganography in order to broadcast his messages through time without detection. Find the hidden message, stop the signal.
Obvious Stego is Obvious
The first thing to do with every file you get from a CTF challenge is to run the file command on it:
% file doge_stege.png
doge_stege.png: PNG image data, 680 x 510, 8-bit colormap, non-interlaced
plaidCTF 2014 - curlcore (for250)
Last week we played plaidCTF with Eindbazen under the name 0xffa (can you figure out why that name?). Write-ups are mandatory in the rules, so let’s start with an easy one :-)
curlcore Forensics (250 pts)
-------------------
We managed to grab a memory dump off of The Plague's computer while he was making a secure download. We think he may have been looking for new places to hide the Prime Factorizer. Can you figure out what messages were sent through his computer?
For this challenge, you get 3 files:
- capture (a network capture)
- corefile (a memory dump)
- coremaps (the process’s memory map)
and the shell script that was used to generate those files:
#!/bin/sh
# Start a packet capture on eth0 in the background and remember its PID
sudo rm /tmp/capture 2>/dev/null
sudo dumpcap -i eth0 -w /tmp/capture &
DUMPCAPPID=$!
sleep 1
# Run curl in a clean environment with core dumps enabled, let the download
# get going, then attach gdb to it, dump a core file and the memory map,
# and capture gdb's output
OUTPUT="`/usr/bin/env -i /bin/dash -c 'ulimit -c unlimited; curl -k https://curlcore.local.plaidctf.com/flag.html & PID=$!; sleep 5; printf "generate-core-file\ninfo proc mappings\ndetach\n" | sudo gdb attach $PID; wait'`"
sleep 1
# Stop the capture and make it readable by the current user
sudo kill -INT $DUMPCAPPID
wait
sudo chown `whoami` /tmp/capture
echo "$OUTPUT"
# The core file path is taken from gdb's "Saved corefile ..." message
sudo mv "`echo "$OUTPUT" | grep -o 'Saved corefile .*$' | cut -c 16-`" /tmp/corefile
sudo chown `whoami` /tmp/corefile
# Keep only the "info proc mappings" part of gdb's output as the memory map
echo "$OUTPUT" | awk '/Mapped address spaces/,/(gdb)/' | grep -v '(gdb)' > /tmp/coremaps
# Bundle the mapped files, the core, the map, the capture and this script
rm /tmp/curlcore.tgz 2>/dev/null
tar czf /tmp/curlcore.tgz `grep -o ' /.*$' /tmp/coremaps | sort -us | tr '\n' ' '` /tmp/corefile /tmp/coremaps /tmp/capture "$0"
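To work with the coremaps file the script produces, it helps to parse it into address ranges, for example to find which mapped object (and which file offset) a given address in the core dump belongs to. This is an added example, not code from the write-up; it assumes the coremaps file has the format of gdb's "info proc mappings" output, and the sample contents below are constructed.

```python
import re
from collections import namedtuple

# Constructed sample in the layout gdb prints for "info proc mappings"
# (the part the script saves as /tmp/coremaps); addresses and paths are made up.
SAMPLE_COREMAPS = """\
Mapped address spaces:

          Start Addr           End Addr       Size     Offset objfile
            0x400000           0x4a8000   0xa8000        0x0 /usr/bin/curl
            0x6a7000           0x6a8000    0x1000    0xa7000 /usr/bin/curl
      0x7f3e6c000000     0x7f3e6c021000   0x21000        0x0
      0x7f3e6c800000     0x7f3e6ca00000  0x200000        0x0 /usr/lib/libssl.so.1.0.0
      0x7f3e6ca00000     0x7f3e6ca01000    0x1000   0x200000 /usr/lib/libssl.so.1.0.0
      0x7ffd7a1e5000     0x7ffd7a206000   0x21000        0x0 [stack]
"""

Mapping = namedtuple("Mapping", "start end size offset objfile")

# One row: four hex fields, then an optional object name (empty for anonymous maps)
_ROW = re.compile(r"^\s*(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s*(.*?)\s*$")


def parse_coremaps(text):
    """Parse the mapping table into a list of Mapping records; header lines are skipped."""
    maps = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        start, end, size, offset = (int(x, 16) for x in m.groups()[:4])
        maps.append(Mapping(start, end, size, offset, m.group(5)))
    return maps


def mapped_files(maps):
    """Unique on-disk objects backing the mappings (the files the script adds to the tarball)."""
    return sorted({m.objfile for m in maps if m.objfile.startswith("/")})


def locate(maps, addr):
    """Return the mapping containing addr and the file offset it corresponds to, or (None, None)."""
    for m in maps:
        if m.start <= addr < m.end:
            return m, m.offset + (addr - m.start)
    return None, None
```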
Since we have a network capture of the https download, we need to find a way to decrypt the SSL communication…