Tamil CTF 2021

TamilCTF 2021 is the first CTF conducted by the Tamil Infosec community. This CTF competition is spear headed by tamilctf.com. This being their first CTF hosting, I expected the challenges to be a bit lenient and easy to solve. But they were all high quality challenges and I could only attempt a meagre three challenges.

The rules made it clear that the flags are of the format TamilCTF{...}.

Babymisc 🗂

Miscellaneous

This was an interesting first challenge where in we are given a single file and the flag is guaranteed to be hidden within it. The file given to us can be downloaded from here.

On downloading the file, it is seen that the file is detected as a PDF by the file explorer in Linux and can also be opened in a PDF viewer which contains a flag like text TamilCTF{challenge_is_awesome}. It was very clear that there was much more to the challenge than this.

As customary for any file related challenge, I ran exiftool followed by files and binwalk. The binwalk command did the trick and the below was the output when ran against this file.

┌──(cryptonic㉿cryptonic-kali)-[~/CTFs/tamilctf/babymisc]
└─$ binwalk Babymisc 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
           0x0             PDF document, version: "1.6"
          0x46            Zip archive data, at least v1.0 to extract, compressed size: 29, uncompressed size: 29, name: 10.pdf.txt
         0xA7            Zip archive data, at least v1.0 to extract, compressed size: 29, uncompressed size: 29, name: 11.pdf.txt
         0x108           Zip archive data, at least v1.0 to extract, compressed size: 31, uncompressed size: 31, name: 12.pdf.txt
         0x16B           Zip archive data, at least v1.0 to extract, compressed size: 9, uncompressed size: 9, name: 13.pdf.txt
         0x1B8           Zip archive data, at least v1.0 to extract, compressed size: 13, uncompressed size: 13, name: 1.pdf.txt
         0x208           Zip archive data, at least v1.0 to extract, compressed size: 15, uncompressed size: 15, name: 2.pdf.txt
         0x25A           Zip archive data, at least v2.0 to extract, compressed size: 51, uncompressed size: 54, name: 3.pdf.txt
         0x2D0           Zip archive data, at least v2.0 to extract, compressed size: 49, uncompressed size: 52, name: 4.pdf.txt
         0x344           Zip archive data, at least v1.0 to extract, compressed size: 17, uncompressed size: 17, name: 5.pdf.txt
         0x398           Zip archive data, at least v1.0 to extract, compressed size: 36, uncompressed size: 36, name: 6.pdf.txt
        0x3FF           Zip archive data, at least v1.0 to extract, compressed size: 42, uncompressed size: 42, name: 7.pdf.txt
        0x46C           Zip archive data, at least v1.0 to extract, compressed size: 48, uncompressed size: 48, name: 8.pdf.txt
        0x4DF           Zip archive data, at least v1.0 to extract, compressed size: 13, uncompressed size: 13, name: 9.pdf.txt
        0x8F8           Zlib compressed data, default compression
        0x2433          Zlib compressed data, default compression
        0x25AC          Zlib compressed data, default compression
       0x2AC5          End of Zip archive, footer length: 22

As binwalk detected both start of Zip magic bytes and End of Zip magic bytes, it was very clear that there is a zip file hidden within the given PDF format file. Also the above output suggests that the first Zip header is seen at an offset of 70 bytes from the start of the file.

I already have a handy command cutbytesrange 70 11348 Babymisc babymisc_fzip.zip defined in my aliases as such file manipulation is very often required in CTF challenges. The cusbytesrange is a custom alias defined by me. The code for this alias is available below:

cutbytesrange() {
  if [ "$#" -ne 4 ]; then
    echo "4 arguments expected in order - start_byte_val, end_byte_val(excluding), input_file, op_file"
  else
    num_bytes="$(($2-$1))"
    dd bs=$num_bytes count=1 iflag=skip_bytes skip=$1 if=$3 of=$4
  fi
}

The function basically uses the dd command and rewrites the range of bytes from 70 - 11348 to a new file where the total file size of the original file is 11348 bytes. As expected this turned out to be a valid zip file which on extracting gave a set of 13 text files.

On opening each of them, particularly three text files had content which resembled parts of Base64 encoded strings whereas the others had decoy strings.

The three Base64 encoded strings are given below:

VGFtaWxDVEYKe1IzdjNyU0VyCg==
X21BazNfQQo=
TTFzQ30K

The Base64 decoded content of the above are given below:

TamilCTF
{R3v3rSEr

_mAk3_A

M1sC}

Removing spaces and concatenating the strings gives us our final flag TamilCTF{R3v3rSEr_mAk3_AM1sC}.

Betacap 🦈

Forensics

First in the forensics challenge, this was a bit tricky than I expected but had clues hidden in the logical manner to proceed with the challenge. As the name suggests we are provided with the zip of a network capture file which can be downloaded from here.

Extracting the zip as expected gave a .pcapng file which I immediately opened up in Wireshark. It opened up the complete request streams.

To get a high level view of the packet capture, we first check the the capture file properties and protocol hierarchy under the Statistics top level menu. The protocol hierarchy shows that there are few HTTP requests and some specific responses with MediaType packets.

As most of the data transfer happens in HTTP layer, we filter the packets by HTTP and then inspect one by one. As shown in the below screenshot our inspection shows that there are quite a few zip file downloads that has happened.

Zip file image

On inspecting one file at a time, we follow each zip and download the bytes and save them as zip files. Below is a short video on how to track a file response and save the response as the file. We follow the packet requesting for the file named god.zip in frame #1913.

Filtering packets

Similarly there was another request to a url PUT /waste in frame #7633. The response content on inspecting seemed like a PNG. So I saved the file as waste.png a copy of which can be downloaded here. This file seemed to be a png as the stream content had the text like waste.png within it. However when tried to open it seemed to be a corrupted file. I could confirm this by running exiftool over the file too.

As I had hit a roadblock I decided to get back to Wireshark and find any other suspicious files. However I wanted to just look into the raw contents of the file to see if there was anything of interest. So running cat waste.png dumped the raw contents to the terminal.

Voila 🪄 !! That gave me a distinct hexadecimal string hidden within the file as seen below.
(Note: Contents truncated due to brevity)

pjQz..c...$..!WF.4..w..;5.....`.'......&
.y$.....5~.-.p..)..E...l.1=...@.u..l..V.'.8....V....n.....k...S.Q.....&..........z.N..[....v..wd...'...F...Y.8N...+W.V...u.;..h.|.p3.Q.....kD...u.........._..}..@3....2.tB..G.N.D.....5.n.+6[B."^h.....F7.9...mp4$.Ep.6..F...O...!.N...W..Sn......]..b..9=...8...s....W	!.+..1...,.|...1.....)X.LD93kHB..r....S\-..(........_....z.5.E../...r)..@.".9.1,
........!.T.S....KAi...<..(........E._...1.-.....s.;..t5...53b.@.r.bX.L.5A{54616d696c4354467b6c69746572616c6c795f695f686174655f796f755f61745f616c6c7d0a}....6..y...L1....GFh.S.@.r.bX.L\q.`....Oq'...uE.....".4DZr.bX.L|....,.EaU.h..Ff..o.....O..R.!
9/1,
&.9....M..%..D..J....n....!.8.1,
&!8.h..EQ..)q;.kSI....fG...1.....Q`.9..(.K.s.N...O.@_..	.Di.2.QU.+.....N..g....9.JMM}..K.Jt$....<."..e.....Hr.c........gvU.(?}.5..g..(w4....!Q...^....'.g.A....2....@s@G.	p....O.=D<E.F$.#.Lb.Q.	...S.?%.DM....,. .{6..^.6?......"-fgj1<Y.......m...~.a...:...E,&v..Y...Y."..].X..d.k^J.iR..........X..].....p.i...G..(.4...F.!...>....`Q0.,. ..U..;W....z)	....7X....1..S........h..6f....c... ....6m
...=(f...@+...X..%...|....R.9.'.M..u....q...#
.:.<.>.@.B.D.F.....*mc.

The hex string shown below stands out in the contents of the file.

54616d696c4354467b6c69746572616c6c795f695f686174655f796f755f61745f616c6c7d0a

Converting this hex to a string using any tool gives us the final flag TamilCTF{literally_i_hate_you_at_all}.

Dark night 🦇

Miscellaneous

This was a relatively easy challenge that had a natural progression of solving. In this challenge we are provided with a zip file which can be downloaded from here. This is all we have to obtain our flag.

We unzip the file and find that it contains only a single pdf file dark_night.pdf. Opening the file we find that there are lot of black background texts which seemed to hide data. Also as text can be hidden by selecting foreground and background colors to be the same, I used the Select all option to highlight all the text available in the pdf. This revealed way more content in the pdf.

After selecting all the text I skimmed through the hidden text to find a line which contained the below:

84 97 109 105 108 67 84 70 123 49 95 108 48 118 51 95 98 98 52 52 116 116 95 109 97 110 125

Selected text pdf

As all these numbers seemed to be in the valid ASCII key range represented in decimal format, I quickly converted each of the numbers to its ASCII character and concatenating it gave the required flag.

The final flag was TamilCTF{1_l0v3_bb44tt_man}.