29 Jan 2021

Solving RTN CTF challenges

Earlier this month, my friend Washi invited me to take a part in a small CTF competition. It was a first time his team was making something like that, so I did not know what to expect. I must say that RTN CTF was a great success and I really really enjoyed it.

Challenges and official solutions have already been published on RTN Github and few people have already made great and detailed writeups:
https://github.com/CodeOfDark/CTF-Writeups/tree/master/RTN/2021
https://holly-hacker.github.io/ctf-writeups/2021-01_RTNCTF/Index.html
https://zsr2531.github.io/writeups/RTN_2021/

I have no intention of repeating what's already been said and done, so I'll just add a few personal notes about how I solved the most interesting challenges. smile

Lambdastic

Challenge description says:

I heard you liked Monads.

You're given a .NET assembly and decompiled code looks really intimidating:

CodeOfDark somehow managed to have the code beautified. I'm guessing he decompiled the entire project and pasted it into Visual Studio - but that's just a guess:

It looks better but is still pretty unreadable.

How to attack such a challenge?

Official solution suggests using static analysis and figuring out what each class does. That's slow and painful process - and during CTFs I prefer not to analyze things in details.

Solution by CodeOfDark notes the SafeDiv operation. But it does a terrible job explaining what happens next:

we get the multiple lines of output

Let's try to simplify it.

I have no idea how tracing values passed to SafeDiv allows us to find and simplify multiplication ops. But maybe that's just me.. bigsmile

Anyways, just like other solvers, I noticed that all the calculations are done on decimals. So, I put breakpoints on math operations dealing with decimals:

and started writing down all the math operations that were happening.

I know, these notes look like crap. Next time I'll make better ones. bigsmile

But actually that's all you need - two inputs, two results and you can see what operations are being done. Now it's a matter of converting these values into an equation.
Start by using the obvious constants:

and work your way backwards by gradually replacing all the calculations:

Now we have an equation that we can feed to Wolfram Alpha:

Convert the result to hex and you have the flag!

Espresso

This is a Java challenge. Or is it?

You're provided with both Windows EXE file and Linux ELF. Both binaries seem to be simple wrappers around JVM engine. Wrappers load JVM and execute a built-in JAR file, passing as argument the input string and a hardcoded string "94z3PpMpaFhjUjcjMUauourjxcajIbKpxcTi-MlT".

I extracted JAR file and decompiled it. It looked like a horribly complicated and broken way to compare two strings:

I figured out that string "84y3OpLp`FgjTjbjLU`unuqjwc`jHbJpwcSi,MkT" is the one that should pass all the tests. But it doesn't look like a flag and challenge isn't accepting it. Why?!

The only possible explanation is that EXE file somehow messes with Java internals, JIT compilation or something like that.

How it's done? I had no idea and I had no intention of becoming an expert in JVM internals.

Since Java class file was totally unprotected, I replaced it with with my own, modified version:

As you can see, I added some debug output and removed checks for string lengths.

Assuming that the flag should begin with "RTN{", I ran my modified EXE file, passing "RTN{" in the command-line and... Got a success message!

Now it was a matter of bruteforcing 5th byte of the flag, then 6th byte of the flag, and so on.. Since I'm lazy, I automated it using a simple C# code:

Sure, it's not the prettiest of solutions but - hey, it works! smile

In my opinion, this was THE best challenge in the CTF, so I really suggest you read the official writeup about the challenge and how it was done. It's a great read!

Nonsence

You're given 5 PDF documents and 5 matching SIG files. You also get 2 PUB files that contain public keys used to sign the documents. Your task is to somehow obtain a private key and use to to fetch flag from the server. Challenge description hints on improper use of cryptography:

...
security system has problems. Two of our employees did not follow the protocol to the letter
...
The IT department said something about SHA 256 and public keys. Personally I have a hard time making heads and tails out of this nonsense.

I'm not a crypto wizard and for sure I wouldn't be able to solve it on my own. But this is a typical CTF challenge which suffers from a simple weakness. Namely, there are gazillions of CTF writeups available on the internet and you just need to google for the proper keywords. But I'm getting ahead of myself.

Let's start with the very basics - see if the signatures match the PDFs:

OK, so signature is a match, no tricks here!

Let's see what's inside PUB key:

Keywords "prime256v1" and "NIST CURVE" tells us it's using elliptic curve cryptography. I have no idea how that works - but I can google!

Let's search for CTF solutions covering that specific elliptic curve "NIST CURVE: P-256".

Right in the first page there is a link to Ployka PWNer - a full explanation of the problem, possible solutions and a python script that can forge a private key. Now I just need to update script with proper data and run it.

You'll notice that document02.pdf and document04.pdf signatures are suffering from the reused nonce.

As a final step, script requires SHA256 hashes of the documents:

Put it all together, run it and you'll get a forged private key. Magic! smile

Ssssecret

This is the only challenge I didn't solve. It looked like a riddle:

I want to share a secret,
A secret dear to me.
But the secret to keeping a secret
Is to never give out the key.

So I broke it up in little pieces
As small as they can be.
Then after that you wouldn't expect
I handed them out for free.

Follow up these pieces
Understand them to a degree
At the very root of it all
The answer you will see

AES-ECB('6eeb7683e9242ed56080e847c2f94cfc50634c29a3a50f14b31e7e3f97e34df0', key)

(1, d8877abe8c795a869b1fe28ed9a328a4)
(2, 1a1c134fc5c474899ee9d573b8895388)
(3, da143ab7a656e69a91b22414de846d0e)
(4, e4c6d40f50bd5f37d5c2f5e356a0af94)
(5, f344401d9a20a8ea1f08598434bfbf8e)

I truly hate this type of challenges - there is zero skill involved, you just need to guess what challenge author meant and/or try random stuff until you succeed. As Radium explained in his solution:

As soon as I saw this, I immediately recognized what this challenge was about; Shamir’s Secret Sharing Scheme.

Dude, I'm so happy for you! smile Unfortunately I was not aware of Shamir's Secret Sharing Scheme, so I approached the challenge as a language riddle.

We get 5 hex-strings that look like hashes. Perhaps they are MD5s? Rainbow table lookup didn't yield any results. What about MD4? MD2? Some other hashing algo?

Since the encryption used is AES, key should be 8,16 or 32bytes. Challenge says "..never give out the key. So I broke it up in little pieces As small as they can be." Could it be that key is part of the riddle, split into bytes or short sequences?

"Follow up these pieces Understand them to a degree" - could it be I need to recognize some sort of hash? So, I ran all the hashing algorithms I could think of, on all parts of the riddle and found nothing.

"At the very root of it all" - could it be that these numbers are squares/cubes/x to the power of y? I factorized all the numbers and found nothing.

After I ran out of ideas, I said "f*ck it! If someone can guess the answer, so be it. I don't care."

Key takeaways

While I was reading solutions, I was surprised how much people rely on Cyberchef. Some challenges like Dragons even expected you to use Cyberchef to decode affine cypher (thankfully it was not the only way to solve it!)

Python is everywhere, I really should learn more of it.. Some of the published solutions were so pretty, whereas mine looked like crap. This is especially true when it comes to using Z3 solver.

Perhaps, I could have solved Ssssecret if I spent more time googling and trying to figure out what secret sharing methods exist. I must pay more attention to those small hints hidden in the challenge descriptions.

Conclusion

RTN CTF was a very nice, small competition featuring relatively easy challenges. It was really fun to play and the reward was also very satisfying.

Have fun and till next time!

8 thoughts on “Solving RTN CTF challenges

  1. Great job on solving the challenges, glad you enjoyed it :)
    It surely won't be our last CTF!

  2. Hi kao, can you help me with unpacking this exe or some advice how to do it?

    download:
    {hidden link}.exe

  3. hello kao,
    this is great fun reading your words. it is like »i'm HAL 9000(...), but i can google«, :)
    appreciate it, good games only.
    thanks for the trees and thank to you

Leave a Reply to kao Cancel reply

  • Be nice to me and everyone else.
  • If you are reporting a problem in my tool, please upload the file which causes the problem.
    I can`t help you without seeing the file.
  • Links in comments are visible only to me. Other visitors cannot see them.

Your email address will not be published.

 ×  two  =  fourteen