title: "BSidesPDX - Down the Rabbit Hole"

author: "Lyell Read"

date: 2020-10-25T00:00:00-07:00

categories: ['Writeups']

tags: ['bsidespdx2020']

caption: "BSidesPDX logo"

draft: false

Category: Over The Air

297 Points

5 Solves

This challenge is where we really… umm… go down the rabbit hole, you could say ;). I started by playing the whole video and noting all the oddities that I could find, and started working them out one by one:

- [\[00:00\]](https://youtu.be/_QgPMyRBBKM) : Many QR codes on the standby screen (challenge 1, “please stand by”)

- [\[02:55\]](https://youtu.be/_QgPMyRBBKM?t=175) : Creepy appearance behind the betty crocker advertisement.

- [\[04:51\]](https://youtu.be/_QgPMyRBBKM?t=291) : Sneezing guy repeated a couple times in quick succession.

- [\[05:53\]](https://youtu.be/_QgPMyRBBKM?t=353) : In the duck & cover / burt the turtle clip, there’s a flag person in the bottom left that is sending text in the maritime flag signaling pattern.

- [\[08:24\]](https://youtu.be/_QgPMyRBBKM?t=504): In the atomic bomb / duck & cover intro, when in Betty’s school, a creepy plague doctor mask guy with numbers and letters, and a tune (challenge 2, “xclusive numborz”)

- [\[14:06\]](https://youtu.be/_QgPMyRBBKM?t=846) : When Tony is going to cubscouts / picnic – creepy guy overlay w anonymous-like mask on.

- [\[15:46\]](https://youtu.be/_QgPMyRBBKM?t=946) : In the announcement about the Secret Squadron, `0x13A5C` is displayed, and a number is heard dialing in the background.

- [\[17:21\]](https://youtu.be/_QgPMyRBBKM?t=1041) : Giant Behemoth: A message appears on the top of the screen.

So, we eliminated or decoded one thing at a time, omitting the parts from previous challenges:

- [\[05:53\]](https://youtu.be/_QgPMyRBBKM?t=353) : In the duck & cover / burt the turtle clip, there’s a flag person in the bottom left that is sending text in the maritime flag signaling pattern.

The maritime / semaphore flag alphabet is documented, and I decoded the flag message to be two repetitions of:

- J and ‘alphabetic’ (LH out ; RH up)

- B and 2 (LH down; RH out)

- S (LH low; RH out)

- I and 9 (LH across low; RH up)

- D and 4 (LH down; RH up – or LH up; RH down)

- E and 5 (LH high; RH down)

- S (LH low; RH out)

- T (LH up; RH high)

- R (LH out; RH out)

- O (LH across high; RH out)

- L (LH high; RH low)

- O (LH across high; RH out)

- L (LH high; RH low)

- O (LH across high; RH out)

- L (LH high; RH low)

- O (LH across high; RH out)

To get result `BSIDESTROLOLOLOL`. Bummer, but at least we can cross off this lead for now.

- [\[17:21\]](https://youtu.be/_QgPMyRBBKM?t=1041) : Giant Behemoth: A message appears on the top of the screen.

The message on the top of the screen was decoded, as it was quickly identified to be the [pigpen cipher](https://en.wikipedia.org/wiki/Pigpen_cipher).


- [\[15:46\]](https://youtu.be/_QgPMyRBBKM?t=946) : In the announcement about the Secret Squadron, `0x13A5C` is displayed, and a number is heard dialing in the background.

Now things get more interesting. We have the tones associated with dialing a phone number, and a message on screen. The message reads `0x13A5C`, which is `80476` in decimal.

Decoding the phone dial presses is a matter of interpreting the [DTMF](https://en.wikipedia.org/wiki/Dual-tone_multi-frequency_signaling) tones. This requires first trimming the whole audio clip from the recording into [a clip of just the phone dial tones](https://github.com/lyellread/ctf-writeups/blob/master/2020-bsidesctf/down-the-rabbit-hole/dtmf.wav). This `.wav` file can then be put into [a dtmf decoder](https://github.com/ribt/dtmf-decoder), and it returns a phone number: `5038326682`.

For this next part, I’ll rely on what my teammates described, as I cannot call that number. However, when called, the caller is asked for a number. When provided with `80476`, the voice on the other end sounds out the following string of morse code:

When decoded, this turns into the string `MSGNUM41683`, which we initially did not know what to do with. `41683` is another 5-digit number, however, so let’s just try calling 5038326682 back, and giving it our new number, shall we?

More progress! The number speaks back `overtheair.space`. This link redirects us to [an unlisted YouTube video](https://www.youtube.com/watch?v=YcArof3MXx8) that contains more content similar to the twitch stream. In the middle of it, however, is a break, where loud beeping is heard that was instantly recognized to be [SSTV](https://en.wikipedia.org/wiki/Slow-scan_television). Now we need to decode that, and first that means downloading it…

With that in hand, we extracted and trimmed the audio to [just the SSTV parts](https://github.com/lyellread/ctf-writeups/blob/master/2020-bsidesctf/down-the-rabbit-hole/captured_signals_sstv.wav), and then came the fun part.

Following [an extremely thorough guide about how to decode this very kind of file](https://ourcodeworld.com/articles/read/956/how-to-convert-decode-a-slow-scan-television-transmissions-sstv-audio-file-to-images-using-qsstv-in-ubuntu-18-04), from Carlos Delgado, we successfully set up `qsstv`, a virtual audio cable (loopback so that audio can be played from computer into `qsstv`), and we were off to the races:

I was a bit slow to start it the first time, so I got the second half first:


… and the second part on the second run:


~Lyell

title: "BSidesPDX - Please Stand By"

author: "Lyell Read"

date: 2020-10-25T00:00:00-07:00

categories: ['Writeups']

tags: ['bsidespdx2020']

caption: "BSidesPDX logo"

draft: false

Category: Over The Air

263 Points

14 Solves

This challenge is about the “Please Stand By” screen, presumably. Let’s start by looking there. This screen is displayed during the first 2:09 of [the twitch stream(recording)](https://youtu.be/_QgPMyRBBKM)

Interesting, after about 1:20 of the usual standby screen, the screen displays an interference effect, then we see some QR code looking things appear in the top corners.

These QR codes, however, are obviously incomplete, as evidenced by the fractional ‘pixels’ displayed where they meet the edges of the screen. This indicates that we’re probably in for stitching these together…

Following that, we screenshotted each image. Here they are:





If we think about the regular format for QR codes, we would expect the “Position Patterns” (the square shaped sets of pixels) to be in the corners, so that informs us about the first orientation we should try.

In [Gimp](https://www.gimp.org/), we can stitch these together, and we get the following:

When scanned, that QR code becomes the text:

With a little reading, we can get the flag:

~Lyell

title: "BSidesPDX - Xclusive Numborz"

author: "Lyell Read"

date: 2020-10-25T00:00:00-07:00

categories: ['Writeups']

tags: ['bsidespdx2020']

caption: "BSidesPDX logo"

draft: false

Category: Over The Air

290 Points

8 Solves

The first challenge was easy, but this one is a little trickier. We are told to listen to the segment where a “little girl” talks, and the name implies that we will be doing some XOR.

Beginning at [8:24 in the recording of the stream](https://youtu.be/_QgPMyRBBKM?t=504), We hear a child’s voice say “you’re all gonna die down here”, we see a creepy plague doctor image moving around in the background, and a child’s voice speaking letters and numbers in the foreground, finishing with the phrase “are you my mommy” repeated twice. At first the letters and numbers that the child spoke sounded to me like:

This string uses charset `['0', '1', '2', '3', '4', '5', '6', '9', 'A', 'C', 'D', 'E', 'F', 'G', 'I']`, which is a little odd.

However on closer inspection, and after consulting my teammates, the string was determined to be:

This is because I misheard ‘B’ as ‘G’, and ‘5’ as ‘I’, and I did not pick up on the fact that the charset I had was hex with two wrong characters.

From that string, we can guess that it might be a flag, which has format `BSidesPDX{}`, and infer what the XOR key should start with (we used the assumption that `a^b=c` and `a^c=b`.

That key looks an awful lot like “areyoumymommy”, which is the key for the XOR decryption (“areyoumymommyareyoumymomm”…).

~Lyell

title: "EkoPartyCTF - Docs"

author: "Lyell Read"

date: 2020-09-28T00:00:00-07:00

categories: ['Writeups']

tags: ['ekoparty2020']

caption: "EkoPartyCTF logo"

draft: false

EkoParty CTF 2020 Git 2

Exact prompt has been forgotten. Linked to [this GitHub repo](https://github.com/lyellread/ctf-writeups/blob/master/2020-ekoparty/docs/ekolabs.tar.gz)

As I mentioned in the writeup for [leak](https://github.com/lyellread/ctf-writeups/blob/master/2020-ekoparty/leak), I was in a very `github`by mindset when I started this challenge. For that reason, I solved this challenge first.

A quick inspection of the repo shows that it features an accidentally committed SSH private key and matching public key. I copied the text of these out of the commit log, and into [chall](https://github.com/lyellread/ctf-writeups/blob/master/2020-ekoparty/docs/chall) and [chall.pub](https://github.com/lyellread/ctf-writeups/blob/master/2020-ekoparty/docs/chall.pub). Now I have ssh access, however what to?

The next part of this challenge involves the git actions for the repo, in `.github/workflows/`. In there we get an `issue-bouncer.yml` and corresponding `issue-bouncer.py`. Reading through these two, we notice something useful:

The python script essentially moves an issue to that `DST_REPO`, so I figured why not try to clone it?

This clones [the internal repo](https://github.com/lyellread/ctf-writeups/blob/master/2020-ekoparty/docs/ekoparty-internal.tar.gz), which conveniently features our flag in the root README.md

~ Lyell Read

title: "EkoPartyCTF - Env"

author: "Lyell Read"

date: 2020-09-28T00:00:00-07:00

categories: ['Writeups']

tags: ['ekoparty2020']

caption: "EkoPartyCTF logo"

draft: false

EkoParty CTF 2020 Git 3

Not too sure of the original prompt, however I did not need it.

After [the second part of the git challenge saga](https://github.com/lyellread/ctf-writeups/blob/master/2020-ekoparty/docs), we have gotten a new repository with some new github actions. We know, before analyzing these however, that:

- Issues filed to the `ekolabs` repo will be ‘moved’ to the `ekoparty-internal` repo.

- We control content in the submitted issues, and this is copied to the new issues in `ekoparty-internal` repo.

That’s good information. Now let’s examine the actions for this repo – we are provided an `issue-notify.py` and an `issue-notify.yml`. At first glance at the python script, we see two interesting things:

- The script checks `if 'very important' in title:` before executing an `os.system()` call

- The script runs our ‘user input’ (the body of the issue) in the call to `os.system()`.

What can we do with this? If we put “very important” in the title, and we include a specific body, we can execute arbitrary commands using the call to `os.system()`. How so?

This line is vulnerable, as the `body` of our issue is placed in it’s entirety in the place of the first `%s`, so if we were to enter `"`, this would become:

Which would echo an empty string to `/tmp/$notify_id`. This will not do, however, so we need something more complicated to do the trick. Maybe something like sending `body` of `"; sleep 10; echo "` will do better, as it will turn into:

This will execute the `sleep 10` just fine. We have code execution now, we just need to find out what to do with it. The challenge name indicates the flag is likely stored in the environment variables so we know where to look, but how to extract this info from the server?

To determine what tools are available for use, I looked to `issue-notify.yml`:

We at least have a default installation of Python 3.7 to work with, that’s pretty good. To make use of that, we will need to have somewhere to send it, and that’s where a webhook tester, something that captures and displays (in this case) http requests sent to it. For this I used PipeDream. It provides you with a link to send requests to.

From there, it’s as easy as getting the environment variables `os.environ`, and sending them home to PipeDream with a little one-line bash / python script of sorts:

That’s all there is to it: sending that returns [envs](https://github.com/lyellread/ctf-writeups/blob/master/2020-ekoparty/env/envs) to PipeDream, and it’s right in there.

~ Lyell Read