CTF Hacking

Uploaded by

mancusomjm

MetaCTF April 2024 Flash CTF writeup

Greg Broiles

I only had an hour to work on the problems so only the first three were solved.

Architecture Astronaut
Given an executable, determine the architecture of the machine that the executable was compiled for.

An executable file was provided. I downloaded the file to my Windows client and moved it via SSH to a Linux virtual
machine running Ubuntu 22.04. I used the file command to gather basic information about the file:
ubuntu@oracle:~/projects/metactf$ file astronaut
astronaut: ELF 32-bit LSB executable, Tensilica Xtensa, version 1 (SYSV), statically linked, with debug_info, not stripped

This information was sufficient to solve the problem. I tried ELF and ELF 32-bit LSB without success. A web
search indicated that a likely architecture for this format was an Intel i386 platform, so I tried x86 and 80386 without
success. I looked more closely at the result returned by the file command and guessed that Tensilica Xtensa might be an
architecture description, so I entered it as a potential answer and successfully solved the problem.
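
The architecture that file printed comes from the e_machine field of the ELF header, which is separate from the class ("32-bit") and byte order ("LSB") fields. The following is an added example, not part of the original writeup: the function names are hypothetical, the two sample headers are constructed, and the machine numbers are the EM_* constants from the ELF specification.

```python
import struct

# Subset of e_machine values (EM_* constants from the ELF specification).
EM_NAMES = {
    3: "Intel 80386",
    8: "MIPS",
    40: "ARM",
    62: "AMD x86-64",
    94: "Tensilica Xtensa",
    183: "ARM AArch64",
    243: "RISC-V",
}

def elf_summary(header: bytes) -> dict:
    """Decode class, byte order and machine from the first 20 bytes of an ELF file."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    ei_class, ei_data = header[4], header[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS or EI_DATA")
    # EI_DATA decides how the multi-byte fields after e_ident are stored.
    endian = "<" if ei_data == 1 else ">"
    _e_type, e_machine = struct.unpack_from(endian + "HH", header, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "byte_order": "LSB" if ei_data == 1 else "MSB",
        "machine": EM_NAMES.get(e_machine, f"unknown ({e_machine})"),
    }

def make_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Build a constructed ELF header prefix (e_ident, e_type, e_machine, e_version)."""
    e_ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + bytes(8)
    endian = "<" if ei_data == 1 else ">"
    return e_ident + struct.pack(endian + "HHI", 2, e_machine, 1)  # 2 = ET_EXEC

# Constructed samples: both are "ELF 32-bit LSB", only e_machine differs.
XTENSA = make_header(1, 1, 94)
I386 = make_header(1, 1, 3)

if __name__ == "__main__":
    for label, hdr in (("xtensa", XTENSA), ("i386", I386)):
        print(label, elf_summary(hdr))
```
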

Login Query
Given an online application and a .zip of the source code for the application, find a way to open a cryptocurrency wallet.

I downloaded the cryptowallet.zip file, and unzipped it to find a directory structure with a directory named LoginQuery.
Inside that directory were a dockerfile and a directory named app.
I opened the app directory and found an app.py file, a db.sqlite file, and a templates directory.
I opened the app.py file in a text editor and found a Python Flask application that used the db.sqlite database to store
username and password information.
I opened the db.sqlite file in a hex editor, and paged through the file until I saw text that looked like a flag -
MetaCTF{time_to_move_my_money}.
I entered the potential flag as a potential solution. It was accepted and this problem was finished.

A more elegant approach might have dumped the SQLite file or opened it with the SQLite command line utility to examine
it, but I was trying to move quickly and the hex editor seemed faster; I assumed the information I was looking for would
likely be visible as plaintext.

Lost Luggage
Open an encrypted .zip file with a password consisting of four numeric digits.

I transferred the luggage.zip to my Linux virtual machine. The file utility confirmed that it was a .zip archive. I used the
7z l -slt luggage.zip command to get information about the structure and contents of the .zip file. This indicated that the
.zip file was indeed encrypted, using the ZipCrypto Store algorithm. I searched for information about cracking .zip files
and identified bkcrack as a potential tool which uses known plaintext to crack legacy .zip encryption. The bkcrack program
needs a file with known plaintext and a template for password guesses. I assumed that the luggage.zip file would contain a
MetaCTF flag, so I created a text file with the text MetaCTF{. I ran the bkcrack program specifying a 4 numeric digit
password and my known plaintext file:

ubuntu@oracle:~/projects/metactf/bkcrack-1.6.1-Linux$ ./bkcrack -c ../luggage.zip -b ?d?d?d?d -p metactf.txt


bkcrack 1.6.1 - 2024-01-22
Data error: not enough plaintext (9 bytes available, minimum is 12).

Unfortunately, the bkcrack program needs 12 bytes of plaintext and I only had 9 bytes of plaintext that I was confident
would be inside the file, so I abandoned bkcrack as an attack tool.
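
The encryption scheme that 7z l -slt reported is recorded per entry in the archive's central directory, so it can be audited without extracting anything. The following is an added example, not part of the original writeup: the function names are hypothetical, and the sample archive is constructed with only its header fields patched, so nothing in it is actually encrypted.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001   # general purpose flag bit 0: entry is encrypted
STRONG = 0x0040      # general purpose flag bit 6: PKWARE strong encryption
AES_METHOD = 99      # WinZip AES stores 99 as the compression method

def classify(flags: int, method: int) -> str:
    if not flags & ENCRYPTED:
        return "not encrypted"
    if method == AES_METHOD:
        return "WinZip AES"
    if flags & STRONG:
        return "PKWARE strong encryption"
    return "ZipCrypto (legacy)"

def audit(data: bytes) -> dict:
    """Map each entry name to its encryption scheme, read from the central directory."""
    eocd = data.rfind(b"PK\x05\x06")          # end-of-central-directory record
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    report = {}
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory record")
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        n, m, k = struct.unpack_from("<HHH", data, pos + 28)  # name, extra, comment
        name = data[pos + 46:pos + 46 + n].decode("utf-8", "replace")
        report[name] = classify(flags, method)
        pos += 46 + n + m + k
    return report

def constructed_sample() -> bytes:
    """Plain archive whose central directory is patched to look encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in ("flag.txt", "aes.txt", "readme.txt"):
            zf.writestr(name, "placeholder")
    raw = bytearray(buf.getvalue())
    first = raw.find(b"PK\x01\x02")               # record for flag.txt
    second = raw.find(b"PK\x01\x02", first + 4)   # record for aes.txt
    struct.pack_into("<H", raw, first + 8, ENCRYPTED)
    struct.pack_into("<HH", raw, second + 8, ENCRYPTED, AES_METHOD)
    return bytes(raw)

if __name__ == "__main__":
    print(audit(constructed_sample()))
```
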
I searched for Python modules that open .zip files and identified pyminizip as a potential module. I wrote a small Python
program to make attempts to open the file by cycling through all possible passwords.
import pyminizip

withoutpath = False

for i in range(1,10000):
    password=f"{i:04d}"
    try:
        pyminizip.uncompress("~/projects/metactf/luggage.zip", password, ".", int(withoutpath))
        success = password
    except:
        print(password,"didn't work")
print(success)

Unfortunately, it didn't work. I had about 10 minutes left before I needed to stop, so I searched for another Python module
to handle .zip files. I identified zipfile from the Python standard libraries as another potential candidate. I wrote another
small Python program to use that module:

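import zipfile

target = "luggage.zip"

with zipfile.ZipFile(target, mode="r") as archive:
    # The password is four numeric digits, so cover 0000 through 9999.
    for i in range(10000):
        password = f'{i:04d}'
        try:
            # zipfile expects the password as bytes, not str.
            for line in archive.read("flag.txt", pwd=password.encode('ASCII')).split(b"\n"):
                print(line)
            print(password)
            break
        except (RuntimeError, zipfile.BadZipFile):
            # Wrong password: RuntimeError on the check byte, BadZipFile on a CRC mismatch.
            continue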

This program was successful, identifying the flag as MetaCTF{w0w_stup1d35t_c0mbin4t10n_1v3_he4rd_in_my_l1f3} and the password as 7123.
I entered the flag and it was accepted. It may be that I was using the pyminizip module incorrectly - the example code I
found did not encode the password as bytes instead of a string, so it's possible this would've worked if I'd tried that. I
wanted to finish this problem in the few minutes I had remaining so I didn't put effort into debugging that failure.
