In this post I am going to walk you through 3 CTF challenges from UUTCTF 2019, 2 Forensics and 1 Misc. I was so excited to solve these almost entirely on my own. Thank you Andreas Poyiatzis!

Forensics

Layers

Layers are here.

In this challenge we are presented with the following image.

Layers.jpg

After downloading the image, I inspected it with exiftool like so:

>exiftool Layers.jpg

We are presented with the information of the image file. With a bit of searching we can find the flag in the result returned by exiftool.

Exiftool result.

Flag: uutctf{can_you_see_me}

Find the word flag

Where can the flag be hidden in an empty DOCX file? Find and submit!

In this challenge we are given a Word.docx file. Opening it shows the following text:

Mind the gaps inside the document

At first I thought it meant the spaces in the text, but obviously that wasn’t the case. After a bit of searching online for similar problems, I found out that you can treat a docx like a zipped file. Using the command:

>unzip Word.docx

We can obtain the XML files representing the Word document. Inspecting the resulting file document.xml within the word directory that was created, we can see several long strips of spaces, hence gaps. My teammate quickly noticed that these were hex numbers where every two correspond to a value in the ASCII table. The first two numbers were 5, pointing to the letter U. This was the case for the case which clearly meant the flag.

All we have to do now is to ‘mind the gaps’ inside the document, meaning remove the spaces in the XML file where they also appear in the .docx file. Having done so, the rest of the challenge reduced to implementing the following script to count the spaces and index a lookup table.

This returned the following string of hex numbers:

5555544354467B4D65616E696E6766756C476158737D11111111

Ignoring the final string of 1s, we can easily convert this to text, which gives us the flag.

UUTCTF{MeaningfulGaXs}
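The script referred to above is not reproduced on this page. The following is an added example, not the original script, of the same gap-counting idea. It assumes that a gap of n spaces encodes hex digit n and that the gaps sit in the `w:t` text nodes of word/document.xml; the sample document and all function names are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
HEX_TABLE = "0123456789ABCDEF"  # assumption: a gap of n spaces encodes hex digit n


def build_sample_docx(message: bytes) -> bytes:
    """Constructed sample: a minimal DOCX-style ZIP whose runs hold only space gaps.
    The message must not contain a 0 nibble (a zero-length gap is invisible)."""
    runs = "".join(
        f'<w:r><w:t xml:space="preserve">{" " * int(d, 16)}</w:t></w:r>'
        for d in message.hex()
    )
    xml = f'<w:document xmlns:w="{W_NS}"><w:body><w:p>{runs}</w:p></w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", xml)
    return buf.getvalue()


def gaps_to_hex(docx_bytes: bytes) -> str:
    """Open the DOCX as a ZIP, measure each run of spaces, look up its hex digit."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    digits = []
    for node in root.iter(f"{{{W_NS}}}t"):
        for gap in re.findall(r" +", node.text or ""):
            if len(gap) < len(HEX_TABLE):  # skip gaps too long to be one digit
                digits.append(HEX_TABLE[len(gap)])
    return "".join(digits)


def hex_to_text(hex_digits: str) -> str:
    """Decode digit pairs as ASCII, stopping at the first non-printable byte
    (this drops trailing padding such as a run of 1s)."""
    out = []
    for i in range(0, len(hex_digits) - 1, 2):
        byte = int(hex_digits[i:i + 2], 16)
        if not 0x20 <= byte < 0x7F:
            break
        out.append(chr(byte))
    return "".join(out)
```
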

Misc

The Trouble Maker

Linus Torvalds is a trouble maker! He made a web page which hides the flag. Find and capture it! Webpage is at: http://188.40.189.2:8001

Pointing our browser to the IP address presents us with the following site.

Website at http://188.40.189.2:8001

I immediately googled the name Linus Torvalds to check what tools he has created. I found out he also created git. This made me remember that you can access the .git directory from the URL path; however, this resulted in a Forbidden error.

The website does not offer any functionality, so I used the git-dumper tool to download all files of the website.

Considering he is the creator of git, I went on to check the .git directory, and more specifically the logs directory, to check the commit messages.

Commit messages on master.

As we can see, there is a commit message saying: this may help. I thought that this should be a clue, so I used the following command to inspect the changes made in that commit.

>git show 24ad3f97738d5669e171ea4c3f280c62797dd21d

This returned the following result:

git show result

Inspecting the string variable, we can infer that this is base64 encoding, making it a very probable candidate for the flag.

Decoding the string returns the flag.

Flag is: UUTCTF{VVe_ |_0Ve_L!n(_)$}

Conclusion

So there you have it folks! These were exciting challenges and it was the first time I managed to solve several CTF challenges on my own (with very little help). So consistency and persistence are key skills to persevere.