Hack.vent2016 Write-Ups, part 1 (Day 1 through 6)

Had a blast participating in the annual online hack.vent CTF put on by hacking-lab. Most of the challenges I found fun and amusing. This is the first of four, the others can be found here:

Part 2 (7-12)

Part 3 (13-18)

Part 4 (19-24)

Anyways, here’s a write-up of 5 of the first 6 challenges I completed:

CHALLENGE DESCRIPTION: DAY 01

Day 01: Detours Follow the white rabbit … Santa receives an email with links to three pictures, but every picture is the same. He talks with some of his elves and one says, that there is some weird stuff happening when loading these pictures. Can you identify it? …Followed by three links (“http://ow.ly/I7KW3070pzr”,”http://ow.ly/oyST3070pBj”,”http://ow.ly/fABn3070pCs”). If we wget the links, we where the ow.ly short links point to: --2016-12-27 14:11:12-- http://ow.ly/I7KW3070pzr Resolving ow.ly (ow.ly)... 54.183.130.144, 54.67.62.204, 54.183.132.164, ... Connecting to ow.ly (ow.ly)|54.183.130.144|:80... connected. HTTP request sent, awaiting response... 301 Moved Permanently Location: http://tiny.cc/HV16-t8Kd [following] --2016-12-27 14:11:13-- http://tiny.cc/HV16-t8Kd Resolving tiny.cc (tiny.cc)... 192.241.240.89 Connecting to tiny.cc (tiny.cc)|192.241.240.89|:80... connected. HTTP request sent, awaiting response... 303 See Other Location: https://memegenerator.net/instance/73820666 [following] --2016-12-27 14:11:13-- https://memegenerator.net/instance/73820666 Resolving memegenerator.net (memegenerator.net)... 69.162.103.166 Connecting to memegenerator.net (memegenerator.net)|69.162.103.166|:443... connected. HTTP request sent, awaiting response... 404 Not Found 2016-12-27 14:11:13 ERROR 404: Not Found. --2016-12-27 14:11:13-- http://ow.ly/oyST3070pBj Resolving ow.ly (ow.ly)... 54.67.62.204, 54.183.132.164, 54.67.120.65, ... Connecting to ow.ly (ow.ly)|54.67.62.204|:80... connected. HTTP request sent, awaiting response... 301 Moved Permanently Location: http://tiny.cc/38aY-QxL5 [following] --2016-12-27 14:11:13-- http://tiny.cc/38aY-QxL5 Resolving tiny.cc (tiny.cc)... 192.241.240.89 Connecting to tiny.cc (tiny.cc)|192.241.240.89|:80... connected. HTTP request sent, awaiting response... 303 See Other Location: https://memegenerator.net/instance/73820666 [following] --2016-12-27 14:11:13-- https://memegenerator.net/instance/73820666 Resolving memegenerator.net (memegenerator.net)... 69.162.103.166 Connecting to memegenerator.net (memegenerator.net)|69.162.103.166|:443... connected. HTTP request sent, awaiting response... 404 Not Found 2016-12-27 14:11:13 ERROR 404: Not Found. --2016-12-27 14:11:13-- http://ow.ly/fABn3070pCs Resolving ow.ly (ow.ly)... 54.183.132.164, 54.67.120.65, 54.67.57.56, ... Connecting to ow.ly (ow.ly)|54.183.132.164|:80... connected. HTTP request sent, awaiting response... 301 Moved Permanently Location: http://tiny.cc/bn4K-c6Lw [following] --2016-12-27 14:11:14-- http://tiny.cc/bn4K-c6Lw Resolving tiny.cc (tiny.cc)... 192.241.240.89 Connecting to tiny.cc (tiny.cc)|192.241.240.89|:80... connected. HTTP request sent, awaiting response... 303 See Other Location: https://memegenerator.net/instance/73820666 [following] --2016-12-27 14:11:14-- https://memegenerator.net/instance/73820666 Resolving memegenerator.net (memegenerator.net)... 69.162.103.166 Connecting to memegenerator.net (memegenerator.net)|69.162.103.166|:443... connected. HTTP request sent, awaiting response... 404 Not Found 2016-12-27 14:11:14 ERROR 404: Not Found. We see that each redirect goes to a separate tiny.cc address. The last 9 characters make up our flag in order. FLAG: HV16-t8Kd-38aY-QxL5-bn4k-c6Lw CHALLENGE DESCRIPTION: DAY 02 Day 02: Free Giveaway the keys are the key Today, Santa has a free giveaway for you: DK16[OEdo[”lu[;”Nl[R”D4[2Qmi

The key to this challenge is seeing the same character “open bracket” (‘[‘) in place where a hyphen (‘-‘) should be in our key. Additionally, we are expected “HV16” as the prefix to our key. After trying to ROT,XOR,Casear shift the message, it became clear that maybe this was a different keyboard setup. Sure enough, after the 6 most common non-qwerty keyboard layouts were found, the DVORAK layout fit our known cleartext of “HV16-“.

A simple python script mapped out the final flag.

FLAG: HV16-SDhs-qqpf-zQLp-OQH4-2Xmg

CHALLENGE DESCRIPTION: DAY 03 Day 03: Manufactory do it yourself Today’s gift is ready to be manufactured, but Santa’s afraid that his factory won’t manage to do a production run before christmas. But perhaps you can create it yourself? Get Building Instructions

Essentially, we receive a text file with 3d printing, more specifically g-code by Slic3r, instructions on it. To get the flag, the instructions just need to be put in a g-code application[http://gcode.ws/]. Click on 3d and you see the following:

Scan it and we get the flag.

FLAG: HV16-oY2d-2Ki7-JBDe-VVdg-X8bW

CHALLENGE DESCRIPTION: DAY 04

Day 04: Language Of Us Why so seriously? You all should know this language, but this one is not that consequent as it should be. st3g4|/|o9ra|*h`/ !s 7he |*r4(t!ce 0f (0n(ea£i|/|9 a |=il3, m35s4ge, !m49e, 0r v!d30 w!th!n 4|/|o7he|2 f!£e, /v\es5a93, i/v\ag3, o|2 \'i|)eo. 7h3 \/\/o|2d s7e94n0gr4p|-|`/ c0mb!n35 t|-|e g|2e3|< w0rd5 s73g4no5, m34n!ng "(o\'3r3d, c0n(3a£ed, 0r |*|2o7ec7e|)", 4n|) gr4p|-|3i|/| me4n!|/|g "\/\/ri7i|/|9". t|-|e f!r57 r3co|2d3|) u5e o|= t|-|3 t3rm \/\/a5 8y _|oh4n|/|3s 7ri7h3/v\i|_|s i|/| h!5 s7eg4n09r4ph!a, 4 7r3at!s3 0n (ry|*t09r4ph`/ a|/||) s7eg4n09r4ph`/, d!5g|_|is3d 45 a 8oo|< o|/| /v\a9ic. 9e|/|3r4ll`/, t|-|3 h!dd3n /v\3s5ag3s 4|*p3ar 7o 83 s0me7h!|/|g 3ls3: i/v\4g3s, a|2t!(l3s, s|-|o|*|*i|/|g l!s75, o|2 so/v\e 07h3r c0v3|2 t3xt. |=o|2 3x4mp£e, 7|-|e |-|id|)e|/| /v\e5sa9e /v\4y 8e i|/| i|/|\'i5ib£e !|/|k 8et\/\/e3|/| t|-|e v!s!8l3 li|/|e5 0f 4 pr!v47e £et7e|2. 5o/v\e i/v\p£3m3nt4t!0n5 of 5t39a|/|og|2a|*|-|y 7ha7 l4(k 4 sh4r3|) s3cr3t 4|2e |=or/v\s 0|= s3cu|2i7`/ t|-|ro|_|g|-| 0b5cu|2i7`/, w|-|e|2ea5 key-d3p3n|)3nt s73gan0gr4|*h!( sch3m35 a|)h3re 70 |<3rc|<|-|o|=|=5's |*|2i|/|(!|*l3. th3 ad\'an7a93 o|= s7e9a|/|09ra|*|-|y o\'3r c|2`/p7ogr4|*h`/ a£one !s 7|-|a7 t|-|e int3nd3d s3c|2et /v\es5age do35 n07 4tt|2a(7 a7t3|/|tio|/| 7o !t5el|= 4s 4|/| 0b_|3ct 0|= s(r|_|7in`/. p£4i|/|l`/ \'is!b£e e|/|(r`/p7e|) me5sage5 - |/|0 /v\a7ter |-|o\/\/ |_|n8re4k48l3 - ar0u53 i|/|te|2e57, a|/|d m4y !|/| t|-|em5e£\'e5 be !n(|2i/v\in4t!|/|g !n c0u|/|7r!es \/\/h3|2e 3nc|2y|*7i0n i5 i££e9al. 7h|_|5, w|-|er3a5 (r`/pt0g|24p|-|y i5 t|-|3 p|2ac7i(3 o|= pr0t3(t!ng 7h3 (o|/|te|/|t5 0f 4 me5s49e 4lo|/|e, 57e9an0g|24p|-|y i5 c0|/|c3rn3d \/\/!t|-| co|/|c34l!ng 7h3 |=a(t t|-|a7 4 s3cr3t /v\3s5ag3 i5 8e!ng 5e|/|7, a5 we£l 45 c0nc3a£!n9 th3 c0|/|t3nt5 o|= 7h3 me5s49e. 5te9a|/|0g|2ap|-|y !|/|c£ud3s 7|-|e (on(e4£m3nt 0f !|/|f0rm4t!0n \/\/it|-|i|/| (o/v\pu7e|2 |=i£es. !n |)!g!ta£ s73g4no9r4|*h`/, el3c7|2o|/|ic (o/v\/v\u|/|ic4t!0n5 ma`/ i|/|(l|_|de 5t39a|/|og|2a|*|-|i( co|)i|/|9 i|/|si|)e 0|= a 7ra|/|s|*0r7 la`/e|2, 5u(h a5 a |)0c|_|me|/|t |=!l3, im4g3 |=i£e, p|2o9|2a/v\ or |*r07o(ol. /v\e|)!a |=il3s 4|2e !de4l |=0r 5te9a|/|0g|2ap|-|i( 7r4ns/v\i55i0n b3c4|_|s3 of 7h3!r £ar9e 5!z3. fo|2 e><4m|*le, 4 s3|/|d3r m!g|-|7 s7ar7 w!7h 4n i|/|n0(u0us !m49e |=il3 a|/||) a|)ju5t 7|-|e (ol0r 0|= e\'er`/ h|_||/|d|2ed7h |*!x3l t0 c0|2r3sp0n|) 7o 4 le7t3|2 i|/| th3 a£|*h4be7, a (|-|a|/|ge 5o 5|_|b7le 7h47 s0me0n3 |/|o7 sp3c!|=i(al£y £0o|<in9 f0|2 i7 is |_|n£!k3ly 7o |/|0t!ce !t. Ugh, this one was harder than it was supposed to be. And to be quite honest, I lost my notes on it and can’t remember the actual sequence. It was a binary sequence of leet vs non leet speak. All I wrote down was “binary” and the flag. (such a n00b!) FLAG: HV16-O7oI-W34j-BJH7-cSvk-e5Hz CHALLENGE DESCRIPTION: DAY 05

Day 05: Boolean Fun Every Bit Is Important Santa found a paper with some strange logical stuff on it. On the back of it there is the hint: “use 32 bit”. He has no clue what this means – can you show him, what “???” should be?

Day 5 introduced the first medium challenge. A simple python script provided most of the work on this one, but the thing that kept tripping me up here was the hint, use 32-bit. Once I just executed the bitwise operations as is in python, the value -291 was seen. This was placed in the ball-o-matic below and a QR code with the flag on it was produced.

FLAG: HV16-2wGq-wOX3-T2oe-n8si-hZ0A

CHALLENGE DESCRIPTION: DAY 06 Day 06: Back 2 Work Greetings from Thumper Greetings from Thumper, he has an order for you: 1. unzip: the password is confidential

2. find the flag

3. look at my holiday pictures Comment: Be aware, the pictures are only supplement. Load Thumpers Greetings

I spent waaay too much time on this one. At the end of the day, the flag was staring me in the face. If you open up the zip, and look at the bottom, you will see a combination of roughly 25 0x20s and 0x09s. Placing all 25 rows into a text document, we see:

Substituting all the 09’s for spaces and the 20s as a block character off the character map we see:

QR code produces the flag.

FLAG: HV16-y9YO-sDo1-Vi7O-RWq1-V7hN