QUT Whitehats CTF Week_3



WARNING: Like all my CTF notes, this contains spoilers.

3x01 - 10pts

https://crypto.qutwhitehats.club/ch1

For simplicity's sake, to be able to easily attempt this week's challenges, please navigate to: https://www.katacoda.com/0xollie/scenarios/0x01, sign up/sign in and click onto the terminal.

INPUT: apt install httpie -y and wait approx 1 minute for it to install.

Obtain the ciphertext by running the following command: http get https://crypto.qutwhitehats.club/ch1

To input an answer, run the following command: http post https://crypto.qutwhitehats.club/ch1 answer="answerhere"

If you are correct, the flag will be returned. If not try again :)

  • http get https://crypto.qutwhitehats.club/ch1
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 111
Content-Type: application/json; charset=utf-8
Date: Fri, 13 Mar 2020 08:54:02 GMT
ETag: W/"6f-vN90VZXmEhz9Tnfz4W9nDf0yeEc"
Server: nginx/1.14.0 (Ubuntu)
X-Powered-By: Express

{
    "ciphertext": "guvegrra vf na hayhpxl ahzore",
    "description": "Decrypt this rotten message",
    "name": "Challenge 1"
}
  • Hint referenced rotten, could mean ROT cipher
  • ROT13 or Caesar cipher key = 13
  • Used https://www.cryptool.org/en/cto-ciphers/caesar, with parse key alphabet and key = 13
  • http post https://crypto.qutwhitehats.club/ch1 answer="thirteen is an unlucky number"
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 104
Content-Type: application/json; charset=utf-8
Date: Fri, 13 Mar 2020 08:56:02 GMT
ETag: W/"68-aAD0TzSj7bz0zRxeuld+so0y6CM"
Server: nginx/1.14.0 (Ubuntu)
X-Powered-By: Express

{
    "flag": "flag{rott3n_unlucky}",
    "message": "Congratulations!",
    "plaintext": "thirteen is an unlucky number"
}
  • Submitted: flag{rott3n_unlucky}

3x02 - 10pts

https://crypto.qutwhitehats.club/ch2 Refer to challenge 1 for detailed instructions!

  • http get https://crypto.qutwhitehats.club/ch2
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 124
Content-Type: application/json; charset=utf-8
Date: Fri, 13 Mar 2020 08:56:56 GMT
ETag: W/"7c-qtmBGyGbUPh4yl3oh0gieBJ7NyE"
Server: nginx/1.14.0 (Ubuntu)
X-Powered-By: Express

{
    "ciphertext": "vxtltk vbiaxk ghm max ltetw wkxllbgz",
    "description": "Another hidden message to decrypt",
    "name": "Challenge 2"
}
  • Caesar cipher
  • Used https://www.cryptool.org/en/cto-ciphers/caesar, with parse key alphabet and key = 19
  • http post https://crypto.qutwhitehats.club/ch2 answer="ceasar cipher not the salad dressing"
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 116
Content-Type: application/json; charset=utf-8
Date: Fri, 13 Mar 2020 08:58:51 GMT
ETag: W/"74-ITkUm0Iituouvb2rh4JLIx0x9qA"
Server: nginx/1.14.0 (Ubuntu)
X-Powered-By: Express

{
    "flag": "flag{im_the_salad_master}",
    "message": "Congratulations!",
    "plaintext": "ceasar cipher not the salad dressing"
}
  • Submitted: flag{im_the_salad_master}

3x03 - 20pts

https://crypto.qutwhitehats.club/ch3 Refer to challenge 1 for detailed instructions!

NOTE 1: Do not add the comma in your answer

NOTE 2: The first letter should be a J not I so the proper ciphertext should be read as: Jy ksxa m ksyeohg, xasyeohg yhxx wohmxh fhxbsh yh xhpwmj

  • http get https://crypto.qutwhitehats.club/ch3
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 193
Content-Type: application/json; charset=utf-8
Date: Fri, 13 Mar 2020 08:59:26 GMT
ETag: W/"c1-ageiGI9gpTdQAF9c5Dxw8YiVDWw"
Server: nginx/1.14.0 (Ubuntu)
X-Powered-By: Express

{
    "ciphertext": "Iy ksxa m ksyeohg, xasyeohg yhxx wohmxh fhxbsh yh xhpwmj.",
    "description": "This wont be as easy as the others, things have been substituted around this time",
    "name": "Challenge 3"
}
  • Identified as Monoalphabetic substitution cipher
  • Im just a jumbled, stumbled mess please rescue me senpai.
  • Did not work, reached out to NinjaGoat to confirm my answer
  • Came back 2hr later to the challenge and found it updated with NOTE 1 and NOTE 2
  • im just a jumbled stumbled mess please rescue me senpai
  • Still did not work
  • http post https://crypto.qutwhitehats.club/ch3 answer="Im just a jumbled stumbled mess please rescue me senpai"
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 84
Content-Type: application/json; charset=utf-8
Date: Fri, 13 Mar 2020 12:34:00 GMT
ETag: W/"54-wX274uRivfo0LoIEHOxHITQxNFs"
Server: nginx/1.14.0 (Ubuntu)
X-Powered-By: Express

{
    "message": "You are using the challenge correctly, but thats not the right answer."
}
  • Wasted hours on the formatting until Lazarus97 helped me out with the hint to start with capital (I) and end with period (.)
  • http post https://crypto.qutwhitehats.club/ch3 answer="Im just a jumbled stumbled mess please rescue me senpai."
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 167
Content-Type: application/json; charset=utf-8
Date: Sat, 14 Mar 2020 00:20:30 GMT
ETag: W/"a7-MzB2ggOe+csp4chulOXRdDzIMKk"
Server: nginx/1.14.0 (Ubuntu)
X-Powered-By: Express

{
    "flag": "flag{no_w33bs_please}",
    "key": "MEBGHDICJKTOYPLWZFXASVURQN",
    "message": "Congratulations!",
    "plaintext": "Im just a jumbled stumbled mess please rescue me senpai."
}
  • Submitted: flag{no_w33bs_please}
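
The key returned by the server can be used to check NOTE 2. This is an added example, not code from the original notes; it assumes key[i] is the cipher letter for the i-th plaintext letter, and the function names are hypothetical.

```python
import string

KEY = "MEBGHDICJKTOYPLWZFXASVURQN"  # "key" field from the server's response
SERVED = "Iy ksxa m ksyeohg, xasyeohg yhxx wohmxh fhxbsh yh xhpwmj."
CORRECTED = "J" + SERVED[1:]        # NOTE 2: the first letter should be J
PLAIN = "Im just a jumbled, stumbled mess please rescue me senpai."


def substitution_decrypt(ciphertext, key):
    """Decrypt, assuming key[i] is the cipher letter for the i-th letter A..Z."""
    inverse = dict(zip(key, string.ascii_uppercase))
    out = []
    for ch in ciphertext:
        plain = inverse.get(ch.upper())
        if plain is None:
            out.append(ch)  # spaces, commas and full stops pass through
        else:
            out.append(plain if ch.isupper() else plain.lower())
    return "".join(out)


def recover_mapping(ciphertext, plaintext):
    """Derive plaintext->cipher letters from a solved pair; reject conflicts."""
    if len(ciphertext) != len(plaintext):
        raise ValueError("texts must align character for character")
    mapping = {}
    for c, p in zip(ciphertext.upper(), plaintext.upper()):
        if not p.isalpha():
            continue
        if mapping.setdefault(p, c) != c:
            raise ValueError(f"{p} maps to both {mapping[p]} and {c}")
    return mapping


if __name__ == "__main__":
    print(substitution_decrypt(SERVED, KEY))     # starts with "Gm", not "Im"
    print(substitution_decrypt(CORRECTED, KEY))
    print(recover_mapping(CORRECTED, PLAIN))
```

With the ciphertext as served, the plaintext letter I would have to map to two different cipher letters, so recover_mapping raises ValueError.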

3x04 - 20pts

https://crypto.qutwhitehats.club/ch4 Refer to challenge 1 for detailed instructions!

  • http get https://crypto.qutwhitehats.club/ch4
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 182
Content-Type: application/json; charset=utf-8
Date: Fri, 13 Mar 2020 09:18:07 GMT
ETag: W/"b6-fc4dk9BqteknVc/tPuo4oQkT1II"
Server: nginx/1.14.0 (Ubuntu)
X-Powered-By: Express

{
    "ciphertext": "t yeedv cre satpfntn eierdi aikfer e cf dctlootbdePcecea feoueoayfmsonsin o sr eu",
    "description": "Lets step it up a notch now, were on rails now",
    "name": "Challenge 4"
}
  • Hint refers to rails, could be to the rail fence or zigzag cipher
  • Used https://www.boxentriq.com/code-breaking/rail-fence-cipher and manually found rails = 5 and offset = 3
  • Picket fences are a type of fence often used decoratively for domestic boundaries
  • http post https://crypto.qutwhitehats.club/ch4 answer="Picket fences are a type of fence often used decoratively for domestic boundaries"
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 175
Content-Type: application/json; charset=utf-8
Date: Fri, 13 Mar 2020 12:18:57 GMT
ETag: W/"af-WbPtrJSDE5AB3xwQTXWgjZLwj7U"
Server: nginx/1.14.0 (Ubuntu)
X-Powered-By: Express

{
    "flag": "flag{not_those_kind_of_rails}",
    "key": "5",
    "message": "Congratulations!",
    "plaintext": "Picket fences are a type of fence often used decoratively for domestic boundaries"
}
  • Submitted: flag{not_those_kind_of_rails}
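
The rail fence decryption with rails = 5 and offset = 3 can be reproduced offline. This is an added example, not code from the original notes or the online tool; it assumes the offset is the number of zigzag steps skipped before the first character, and the crib word "fence" is a guess taken from the hint.

```python
CIPHERTEXT = ("t yeedv cre satpfntn eierdi aikfer e cf dctlootbdePcecea "
              "feoueoayfmsonsin o sr eu")  # ciphertext from the ch4 response


def rail_pattern(length, rails, offset=0):
    """Rail index of each plaintext position; offset shifts the zigzag start."""
    period = 2 * (rails - 1)
    pattern = []
    for i in range(length):
        pos = (i + offset) % period
        pattern.append(pos if pos < rails else period - pos)
    return pattern


def rail_decrypt(ciphertext, rails, offset=0):
    """Undo a rail fence transposition for the given rails and offset."""
    pattern = rail_pattern(len(ciphertext), rails, offset)
    # The ciphertext is rail 0 read left to right, then rail 1, and so on.
    # A stable sort of the plaintext positions by rail gives that read order.
    order = sorted(range(len(ciphertext)), key=pattern.__getitem__)
    plain = [""] * len(ciphertext)
    for ch, idx in zip(ciphertext, order):
        plain[idx] = ch
    return "".join(plain)


def rail_search(ciphertext, crib, max_rails=10):
    """Return every (rails, offset) whose decryption contains the crib word."""
    hits = []
    for rails in range(2, max_rails + 1):
        for offset in range(2 * (rails - 1)):
            if crib in rail_decrypt(ciphertext, rails, offset):
                hits.append((rails, offset))
    return hits


if __name__ == "__main__":
    print(rail_search(CIPHERTEXT, "fence"))
    print(rail_decrypt(CIPHERTEXT, 5, 3))
```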

3x05 - 20pts

https://crypto.qutwhitehats.club/ch5 Refer to challenge 1 for detailed instructions!

  • http get https://crypto.qutwhitehats.club/ch5
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 141
Content-Type: application/json; charset=utf-8
Date: Fri, 13 Mar 2020 09:18:33 GMT
ETag: W/"8d-3xloBBvbdwIyT191lOH6Kpx+5q8"
Server: nginx/1.14.0 (Ubuntu)
X-Powered-By: Express

{
    "ciphertext": "w tesitel ksrInh lj timum kiateatla k tal ",
    "description": "You get the idea, decrypt this transposition",
    "name": "Challenge 5"
}
  • Hint reference to idea could be to the International Data Encryption Algorithm (IDEA)
  • Tried the https://www.boxentriq.com/code-breaking/columnar-transposition-cipher
  • Found reasonable success with autosolve using min key len = 1, max key len = 9, key = efbhcagdi
  • Possible solution “just wan milk thtt taste aike reallmilki”
  • Suspected it may be popular Paul’s Milk advert “I just want milk to taste like real milk”
  • Tried submitting it but did not have any luck
  • Manually unjumbled the text
  • http post https://crypto.qutwhitehats.club/ch5 answer="I just want milk that taste like real milk"
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 139
Content-Type: application/json; charset=utf-8
Date: Wed, 18 Mar 2020 12:37:33 GMT
ETag: W/"8b-kR5wT1iWPWViQPz1uD0GwzxmtZU"
Server: nginx/1.14.0 (Ubuntu)
X-Powered-By: Express

{
    "flag": "flag{he_needs_some_milk}",
    "key": "FULLCREAM",
    "message": "Congratulations!",
    "plaintext": "I just want milk that taste like real milk"
}
  • Submitted: flag{he_needs_some_milk}

3x06 - 30pts

NOTE: please put spaces between words discovered when decrypted

https://crypto.qutwhitehats.club/ch6 Refer to challenge 1 for detailed instructions!

  • http get https://crypto.qutwhitehats.club/ch6
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 325
Content-Type: application/json; charset=utf-8
Date: Fri, 13 Mar 2020 09:21:00 GMT
ETag: W/"145-+jIDNNCg8+5u15Fg/MOjcqZ6uBI"
Server: nginx/1.14.0 (Ubuntu)
X-Powered-By: Express

{
    "ciphertext": ".... . .-.. .--.     -- .     .--. .-.. . .- ... .     --.. .- -.-.     .... .- ...     - .-. .- .--. .--. . -..     -- .     .. -.     .... .. ...     ..- -. -.. . .-. --. .-. --- ..- -. -..     -... .- ... . -- . -. -",
    "description": "letters might be too easy for you, lets remove them",
    "name": "Challenge 6"
}
  • Used http://www.unit-conversion.info/texttools/morse-code/ to convert from morse code to text
  • help????me????please????zac????has????trapped????me????in????his????underground????basement
  • Within vim command mode used :s/????/\ /g to replace the question marks with a space
  • help me please zac has trapped me in his underground basement
  • http post https://crypto.qutwhitehats.club/ch6 answer="help me please zac has trapped me in his underground basement"
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 137
Content-Type: application/json; charset=utf-8
Date: Fri, 13 Mar 2020 09:25:15 GMT
ETag: W/"89-tJJJ+BWcGtkCwBVGbF08OJ0qWJ0"
Server: nginx/1.14.0 (Ubuntu)
X-Powered-By: Express

{
    "flag": "flag{MOAR_morse_code}",
    "message": "Congratulations!",
    "plaintext": "help me please zac has trapped me in his underground basement"
}
  • Submitted: flag{MOAR_morse_code}

3x07 - 60pts

https://crypto.qutwhitehats.club/ch7 Refer to challenge 1 for detailed instructions!

  • http get https://crypto.qutwhitehats.club/ch7
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 121
Content-Type: application/json; charset=utf-8
Date: Fri, 13 Mar 2020 09:25:55 GMT
ETag: W/"79-tBLCqrQc54RCJeQvQs+a2fpokbo"
Server: nginx/1.14.0 (Ubuntu)
X-Powered-By: Express

{
    "ciphertext": "",
    "description": "If we have a public RSA key of (e=3,n=55), encrypt the message n=6",
    "name": "Challenge 7"
}
  • Used Python interactively to resolve RSA
python
Python 3.8.2 (tags/v3.8.2:7b3ab59, Feb 25 2020, 23:03:10) [MSC v.1916 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> m=6
>>> e=3
>>> n=55
>>> print(pow(m,e,n))
51
>>>
  • Submitted the ciphertext as answer
  • http post https://crypto.qutwhitehats.club/ch7 answer="51"
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 79
Content-Type: application/json; charset=utf-8
Date: Fri, 13 Mar 2020 10:44:01 GMT
ETag: W/"4f-AS6Ip42iSxPJ8sQQOXugT3TjMoE"
Server: nginx/1.14.0 (Ubuntu)
X-Powered-By: Express

{
    "flag": "flag{mod_maths_is_fun}",
    "message": "Congratulations!",
    "plaintext": "51"
}
  • Submitted: flag{mod_maths_is_fun}
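
Going one step beyond the encryption above, the private exponent for this toy key can be derived by factoring n = 55. This is an added example, not code from the original notes; the function names are hypothetical, and pow(e, -1, m) needs Python 3.8 or later.

```python
def factor_semiprime(n):
    """Trial division; instant for a toy modulus such as n = 55."""
    p = 2
    while p * p <= n:
        if n % p == 0:
            return p, n // p
        p += 1
    raise ValueError("n has no non-trivial factor")


def private_exponent(e, n):
    """d = e^-1 mod phi(n), computable by anyone who can factor n."""
    p, q = factor_semiprime(n)
    return pow(e, -1, (p - 1) * (q - 1))


def roundtrip(m, e, n):
    """Encrypt m with the public key, then decrypt with the derived d."""
    c = pow(m, e, n)
    return c, pow(c, private_exponent(e, n), n)


if __name__ == "__main__":
    print(factor_semiprime(55))     # the two primes behind n
    print(private_exponent(3, 55))  # d for the challenge's public key
    print(roundtrip(6, 3, 55))      # (ciphertext, recovered message)
```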

3x08 - 50pts

https://crypto.qutwhitehats.club/ch8 Refer to challenge 1 for detailed instructions!

  • http get https://crypto.qutwhitehats.club/ch8
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 153
Content-Type: application/json; charset=utf-8
Date: Fri, 13 Mar 2020 09:26:46 GMT
ETag: W/"99-EfX0j7q1qxe1HUgjqWUQqVmhejc"
Server: nginx/1.14.0 (Ubuntu)
X-Powered-By: Express

{
    "ciphertext": "cec6914c7d961496bb373513195bd255",
    "description": "Ive done something very special to my password, youll never get it",
    "name": "Challenge 8"
}
  • Looked like MD5; searched using crackstation.net, but came up negative
  • Used https://md5.gromweb.com/?md5=cec6914c7d961496bb373513195bd255
  • Found MyVerySecurePassword1337
  • http post https://crypto.qutwhitehats.club/ch8 answer="MyVerySecurePassword1337"
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 120
Content-Type: application/json; charset=utf-8
Date: Sat, 14 Mar 2020 00:53:09 GMT
ETag: W/"78-310bPlY3A4RYFUoM+98c5oHCOkw"
Server: nginx/1.14.0 (Ubuntu)
X-Powered-By: Express

{
    "flag": "flag{#hash_tag}",
    "message": "Congratulations!",
    "note": "reverse md5 hash",
    "plaintext": "MyVerySecurePassword1337"
}
  • Submitted: flag{#hash_tag}

3x09 - 40pts

https://crypto.qutwhitehats.club/ch9 Refer to challenge 1 for detailed instructions!

  • http get https://crypto.qutwhitehats.club/ch9
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 101
Content-Type: application/json; charset=utf-8
Date: Fri, 13 Mar 2020 09:27:52 GMT
ETag: W/"65-c8IxnVKPFywugP0qOgKIrEFSC5Q"
Server: nginx/1.14.0 (Ubuntu)
X-Powered-By: Express

{
    "ciphertext": "R olev nv hlnv ilfmw qfrxb hlug dzin kvzxsvh",
    "description": "@#",
    "name": "Challenge 9"
}
  • Hint refers to atbash encoding
  • Used http://rumkin.com/tools/cipher/atbash.php
  • I love me some round juicy soft warm peaches
  • http post https://crypto.qutwhitehats.club/ch9 answer="I love me some round juicy soft warm peaches"
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 147
Content-Type: application/json; charset=utf-8
Date: Fri, 13 Mar 2020 10:34:51 GMT
ETag: W/"93-9Tch5Ps3EW01fXTAPF6BvtZI+Pg"
Server: nginx/1.14.0 (Ubuntu)
X-Powered-By: Express

{
    "flag": "flag{its_better_with_two}",
    "message": "Congratulations!",
    "note": "atbash cipher",
    "plaintext": "I love me some round juicy soft warm peaches"
}
  • Submitted: flag{its_better_with_two}
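
The ROT13, Caesar and Atbash ciphertexts from 3x01, 3x02 and 3x09 are all special cases of the affine cipher E(x) = (a*x + b) mod 26, so one brute force over its 312 keys solves all three. This is an added example that generalizes beyond the online tools used above, not code from the original notes; the word list is a small constructed one and the function names are hypothetical.

```python
from math import gcd

CH1 = "guvegrra vf na hayhpxl ahzore"                 # from the ch1 response
CH2 = "vxtltk vbiaxk ghm max ltetw wkxllbgz"          # from the ch2 response
CH9 = "R olev nv hlnv ilfmw qfrxb hlug dzin kvzxsvh"  # from the ch9 response

# Tiny constructed word list, used only to rank candidate plaintexts.
COMMON = {"the", "and", "not", "is", "an", "me", "of", "to", "in", "some"}
VALID_A = [a for a in range(1, 26) if gcd(a, 26) == 1]  # 12 invertible values


def affine_decrypt(text, a, b):
    """Invert E(x) = (a*x + b) mod 26, keeping case and non-letters."""
    a_inv = pow(a, -1, 26)  # modular inverse, Python 3.8+
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((a_inv * (ord(ch) - base - b)) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def score(text):
    """Count whitespace-separated tokens that are common English words."""
    return sum(tok.strip(".,!?").lower() in COMMON for tok in text.split())


def crack(ciphertext):
    """Try every affine key; return ((a, b), plaintext) with the best score."""
    candidates = (((a, b), affine_decrypt(ciphertext, a, b))
                  for a in VALID_A for b in range(26))
    return max(candidates, key=lambda kp: score(kp[1]))


if __name__ == "__main__":
    for ct in (CH1, CH2, CH9):
        print(crack(ct))
```

ROT13 comes out as key (1, 13), the Caesar shift as (1, 19) and Atbash as (25, 25).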

A_Catchy_Tune - 75pts

This song will get stuck in your head! flag syntax: flag{insert_flag_here}

https://ctf.qutwhitehats.club/files/6c5f189f96918f97d2b2b2278c41733f/catchy_tune.mp4?token=eyJ1c2VyX2lkIjoxMCwidGVhbV9pZCI6bnVsbCwiZmlsZV9pZCI6MX0.XmtJDw.mrvXbIfXzNV0morIxvr_yPDMSqM

  • Downloaded mp4 audio file
  • Downloaded and installed Audacity
  • Used, Effect -> Low pass filter -> 200 Hz, 12 dB
  • Exported as wave file, File -> Export
  • Attempted to use the https://morsecode.world/international/decoder/audio-decoder-expert.html
  • Got SPEANDWHITE5R ES E SPINTM
  • Repeated, Effect -> Low pass filter -> 700 Hz, 6 dB
  • Exported as wave file and then repeated use of online decoder
  • Got SPINMEAROUNDWHITE5ATS E E SPINMEAROUNDITEHATS SPINMEAROUNDWHITIHATS
  • Attempted the following submissions
    • flag{SPIN ME AROUND WHITEHATS}
    • flag{SPIN ME AROUND WHITEHATS SPIN ME AROUND WHITEHATS}
  • Finally got it
  • Submitted: flag{SPINMEAROUNDWHITEHATS}
