Post SOTB and Happy New Year :)

If you missed out on SOTB that really stinks, but I also understand. Shell on the Border happened over New Year's and man, was it an amazing experience. I couldn't attend the speaker part, but the CTF was fun. It was at an arcade that had major Mr. Robot vibes. A truly different and awesome experience in the unlikely city of Fort Smith, Arkansas.

Want to give a huge shout out to Shyft, MoonKaptain, Fie, FractumSeraph, Allee, Fort Smith Arcade, and HackNWA (if I forgot you I am sorry, it's not on purpose). All of y'all made this an amazing experience and the work we put in was definitely seen. I am proud to be a part of FS2600 and I am grateful for the opportunity to be able to help, and to even do some of my first challenges.

I wanted to go over the challenges I made, just 3, for those that are curious.

First of all, this being my first time making CTF challenges, there were some mistakes on my part. I made these challenges with a huge assumption of prerequisite knowledge, or the ability to find things out. Part of being a hacker of course is to figure things out: search, try, try harder, and so on. But the intention of my challenges was not to make them difficult by accident. If I was going to make them difficult it would be on purpose. ;) With that being said, it was a great learning experience for myself and hopefully for those that participated.

Let's start with Comrade Cipher. It was a line by line copy from the No Starch Press book "Cracking Codes with Python." Thanks to MoonKaptain for the idea of "Comrade Cipher." Basically, it was a Caesar/substitution cipher with a twist: it was in Russian. The original idea was to give it a website and make a few more challenges around it, but alas I only did a simple output (decrypt the output that is given in the challenge).

Comrade Cipher 1 and 2 (Cryptography)
Here's the code:

#----------------------------------------------------------
#Name: Blackkatt
#Date: 12/23/2023
#Project: Comrade cipher for SOTB2023
#----------------------------------------------------------

#import pyperclip

#The string to be encrypted/decrypted
cipher = 'ФЛАГ{ТОВАРИЩ}'
key = 14
mode = 'encrypt'

SYMBOLS = 'АБВГДЕЁЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдеёжзийклмнопрстуфхцчшщъыьэюя'

translated = ''

for symbol in cipher:
    #note: Only symbols in the SYMBOLS string can be encrypted/decrypted
    if symbol in SYMBOLS:
        symbolIndex = SYMBOLS.find(symbol)

        #Perform encryption/decryption
        if mode == 'encrypt':
            translatedIndex = symbolIndex + key
        elif mode == 'decrypt':
            translatedIndex = symbolIndex - key

        #Handle wraparound, if needed:
        if translatedIndex >= len(SYMBOLS):
            translatedIndex = translatedIndex - len(SYMBOLS)
        elif translatedIndex < 0:
            translatedIndex = translatedIndex + len(SYMBOLS)

        translated = translated + SYMBOLS[translatedIndex]
    else:
        #Append the symbol without encrypting/decrypting:
        translated = translated + symbol

#Output the translated string:
print("Decrypt this string back to the original Russian, and don't forget to use google translate at the very end!\n")
print("Here's the key:\n", key)
print(translated)
#pyperclip.copy(translated)
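As an added example (my code, not the challenge script above): the same shift over the same SYMBOLS string written as reusable functions, plus the brute force a solver runs when the key is withheld, which is the situation in Comrade Cipher 2. The key of 3 used for the demo and the crib search on the ФЛАГ{ prefix are my assumptions; the write-up gives neither.

```python
# Added example for the Comrade Cipher write-up; not the challenge's own script.
# Same alphabet as the challenge: 33 uppercase then 33 lowercase Russian letters,
# so a shift can move an uppercase letter into the lowercase half.
from typing import Optional

SYMBOLS = 'АБВГДЕЁЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдеёжзийклмнопрстуфхцчшщъыьэюя'


def shift(text: str, key: int, mode: str = "encrypt") -> str:
    """Caesar shift over SYMBOLS. Characters outside the alphabet (braces,
    digits, Latin letters) pass through unchanged, like the challenge script.
    The modulo replaces the explicit wraparound branches and also tolerates
    keys larger than the alphabet."""
    if mode not in ("encrypt", "decrypt"):
        raise ValueError(f"unknown mode {mode!r}")
    n = len(SYMBOLS)
    step = key if mode == "encrypt" else -key
    out = []
    for ch in text:
        if ch in SYMBOLS:
            out.append(SYMBOLS[(SYMBOLS.index(ch) + step) % n])
        else:
            out.append(ch)
    return "".join(out)


def brute_force(ciphertext: str, max_key: Optional[int] = None):
    """Decrypt under every candidate key. With max_key set (the Comrade Cipher 2
    hint said the key was below 5) only keys 1..max_key-1 are tried."""
    limit = len(SYMBOLS) if max_key is None else max_key
    return [(k, shift(ciphertext, k, "decrypt")) for k in range(1, limit)]


def solve(ciphertext: str, crib: str = "ФЛАГ{", max_key: Optional[int] = None):
    """Return (key, plaintext) for the first candidate containing the flag
    prefix, or None. 'ФЛАГ{' is an assumed crib: a known flag format is what
    turns the brute force into one line instead of reading 65 candidates."""
    for k, pt in brute_force(ciphertext, max_key):
        if crib in pt:
            return k, pt
    return None


if __name__ == "__main__":
    # Comrade Cipher 1: the key (14) was given, so a single decrypt suffices.
    cc1 = shift("ФЛАГ{ТОВАРИЩ}", 14)
    print("CC1 ciphertext:", cc1)
    print("CC1 decrypted :", shift(cc1, 14, "decrypt"))

    # Comrade Cipher 2: key withheld. A key of 3 is a constructed value for
    # this demo; the write-up only says it was below 5.
    cc2 = shift("ФЛАГ{шпион}", 3)
    print("CC2 solved    :", solve(cc2, max_key=5))
```

Note that the flag submission is case sensitive, and with a 66-symbol alphabet the shift changes case: Ф (index 21) shifted by 14 lands on lowercase в, which is exactly why a solver that only looked at uppercase letters would struggle here.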

If you've spent any short amount of time in the cryptography world you will probably recognize this as a simple Caesar cipher. The only difference is that SYMBOLS is the Russian alphabet, and the flag is in Russian. In the first "Comrade Cipher" I gave the players the key, to make it a bit easier. I debated over whether to make the flag in Russian or English. I went with Russian to add a layer of complexity. I didn't explain very well, or hint very well, that the flag was supposed to be in Russian, and an issue I think many players ran into was trying to submit the flag in English. Which of course makes sense: every CTF they've participated in to date was probably in English, so why would this one be different? Anywho, you could either decrypt by hand or write a script. The script honestly could probably be done by ChatGPT and would not be very long or difficult to write up. Once you decrypted the string you got ФЛАГ{ТОВАРИЩ}, which in English is FLAG{COMRADE}. (Technically Russians don't really use this word anymore, it's a Soviet-era word, but so is "comrade", so I just ran with it.)

Another issue I ran into was that the challenge submission was case sensitive, so if one character was lowercase it wouldn't work. That's something that I didn't realize initially, but will keep in mind for next time. I removed the "remember to use google translate" because I didn't think anyone would need it. You could have checked that it was the correct flag if you did use Google Translate, though. You would just have to submit it in Russian.

Comrade Cipher 2 was pretty much the same thing, but the flag was ФЛАГ{шпион}, which translates directly to FLAG{SPY} in English; again this was also submitted in Russian. I also didn't give the players the key, so they had to brute-force it. In the hint I did say that it was less than 5, but not the exact key. Other than that it was the same as the first one with an added layer of complexity.

Cute Kitten (Steganography)

A lot of people seemed to have issues with this one, and honestly the way they were having issues was unintentional. I say unintentional because this was supposed to be fairly easy. I embedded a flag into a picture of a cute kitten, with a passphrase. The passphrase was "near." However, I am not sure why, but steghide made it very difficult to use anything other than stegseek to figure it out. I used steghide to make this challenge, and people said they used multiple different programs to try and crack the passphrase. But whenever they tried it, it didn't work. However, using stegseek (the updated version of stegcracker, immensely faster) it worked in like 2 seconds. I am not 100% sure of the reason behind this; it's something I'd like to figure out. My intention was for people to be able to do this challenge in like 1 minute or so. Download picture -> realize it has a passphrase -> crack passphrase with stegseek -> get flag. Here is a picture of the process



Once you used stegseek to crack the JPG you were given a base64 encoded string. Now, I made this a triple base64 encoded string. Why? Because it's funny :P I was feeling a bit cheeky and wanted to cause a bit of confusion on purpose. Once you decoded it 3 times (I just used CyberChef) you got the flag.
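As an added example (my code, not part of the challenge files): a small peeler that strips nested base64 layers until it reaches something that is no longer base64, which is what clicking decode three times in CyberChef does by hand. It also makes the security-through-obscurity point concrete: no key is involved anywhere, so anyone who recognises the alphabet can unwrap it. The flag value is a constructed placeholder, not the real Cute Kitten flag.

```python
# Added example for the Cute Kitten write-up; not the challenge's own files.
# Peels nested base64 layers (the challenge used three). No key is needed,
# which is the whole point: encoding is reversible by anyone who recognises it.
import base64
import binascii

# Constructed placeholder; the real Cute Kitten flag is not reproduced here.
SAMPLE_FLAG = "FLAG{constructed_example}"


def wrap_base64(text: str, layers: int) -> str:
    """Base64-encode `text` `layers` times (what the challenge did, with 3)."""
    data = text.encode("utf-8")
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode("ascii")


def peel_base64(blob: str, max_layers: int = 16):
    """Repeatedly base64-decode while the input is strict base64 AND the
    result is printable text. Returns (innermost_text, layers_removed).

    The printable check is a heuristic: a word like 'FLAG' is four legal
    base64 characters but decodes to unprintable bytes, so we stop there
    instead of destroying it. max_layers guards against pathological input."""
    current = blob.strip()
    layers = 0
    while layers < max_layers:
        try:
            # validate=True rejects characters outside the base64 alphabet
            # and bad padding instead of silently skipping them.
            decoded = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break  # not base64: we have reached the innermost layer
        if not decoded:
            break
        try:
            text = decoded.decode("utf-8")
        except UnicodeDecodeError:
            break  # decoded to binary, so the previous layer was the real text
        if not text.isprintable():
            break
        current = text.strip()
        layers += 1
    return current, layers


if __name__ == "__main__":
    blob = wrap_base64(SAMPLE_FLAG, 3)  # what stegseek would have handed you
    print("extracted blob:", blob)
    print("peeled        :", peel_base64(blob))
```

The stopping rule matters more than the loop: a base64 string of a base64 string is always printable ASCII, while real plaintext usually contains a brace, space or other character that fails strict decoding, so the peeler naturally halts at the flag without being told how many layers there are.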


My intention was a kind of security through obscurity lesson. A running gag in the hacker world is that if you encode a string multiple times it becomes "secure." Of course this isn't the case.

All in all I enjoyed writing these challenges and the feedback was good. I enjoyed coming up with them, and it's a lesson in making things slightly easier (or not ;) ) for people. Thanks for reading; if you have any questions please feel free to contact me. Happy New Year and I look forward to 2024!

Blackkatt
