2012.01.30

I attended Shmoocon this year, and a good amount of my time was spent at the GITS CTF. While the team I was on did not get as far as we would have liked… we learned a lot and had a blast (which is all that really matters, right?).

I wanted to share how we went about getting the Constructicons challenge, as we spent way too much time going down rabbit holes. We thought the challenge was much harder than it was, and the answer was literally staring us in the face all along.

The challenge starts off with a link to a file and a hint of Constructicons – (The category was WinDBG and I still have no idea why that was chosen or if it had any relevance). Determining the filetype was accomplished with:


$ file dfd2abe9dcb99d7446485cf45b2a25f9.orig
dfd2abe9dcb99d7446485cf45b2a25f9.orig: Zip archive data, at least v2.0 to extract
$ cp dfd2abe9dcb99d7446485cf45b2a25f9.orig dfd2abe9dcb99d7446485cf45b2a25f9.zip
$ unzip dfd2abe9dcb99d7446485cf45b2a25f9.zip && cd dfd2abe9dcb99d7446485cf45b2a25f9
$ ls
0326f8275fdeb1c96ab6cf0f37f23b92.png
0b1be5185da655ab812c1bbc306fec32.png
0fc6c9a6012f7561c659b83c4e805ea7.png
100f3f74fd68973b313740cef24d8448.png
16a5df87469a6e54dee4d12b4acb7341.png
2af362392df2221cf02613fabe9ea3a2.png
2c9e21aaab7bffb700a5695d96ccbb32.png
2cff9e48c23e30b46fd67487ef06fa0a.png
343e29f6602f11d79f5e09ca99a1bff5.png
42266384dedc7beb76d722ef7aee7eff.png
4680fc302d7025ce2a1cde696a7188d8.png
5c3412b2ff87dccac843439a9b62a0d8.png
631cb9b7c1cd64fc9103804a8ca115b2.png
6686cb15dc3ea55592fa9f200c6563f9.png
8c0759309deb636c75a24ad9447eec7b.png
9775d7510942d426df8130bd99aba4ac.png
a57f219063bfd30c72a46f60850f06c4.png
b21570cab45dc65c5f9a53ae7826cb43.png
b6357bc6b1cf9665950e9d0a88cc175f.png
be024c8ece2306150e6b23b1100b3cf4.png
d8e742c8fc62fac1bf404dea48ec9b90.png
ec3e984ca663e5139582ab3c1dafb3f4.png
f3cc6443b22cbd98a59d944806919028.png
f525ced3320341d5f97c1938dacdfe67.png
f8674fd8436c97037aa33aa7eae508e3.png

I verified that these files were in fact PNGs (we got burned by this the year before).


$ for f in *.png; do file $f; done
0326f8275fdeb1c96ab6cf0f37f23b92.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
0b1be5185da655ab812c1bbc306fec32.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
0fc6c9a6012f7561c659b83c4e805ea7.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
100f3f74fd68973b313740cef24d8448.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
16a5df87469a6e54dee4d12b4acb7341.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
2af362392df2221cf02613fabe9ea3a2.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
2c9e21aaab7bffb700a5695d96ccbb32.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
2cff9e48c23e30b46fd67487ef06fa0a.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
343e29f6602f11d79f5e09ca99a1bff5.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
42266384dedc7beb76d722ef7aee7eff.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
4680fc302d7025ce2a1cde696a7188d8.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
5c3412b2ff87dccac843439a9b62a0d8.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
631cb9b7c1cd64fc9103804a8ca115b2.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
6686cb15dc3ea55592fa9f200c6563f9.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
8c0759309deb636c75a24ad9447eec7b.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
9775d7510942d426df8130bd99aba4ac.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
a57f219063bfd30c72a46f60850f06c4.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
b21570cab45dc65c5f9a53ae7826cb43.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
b6357bc6b1cf9665950e9d0a88cc175f.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
be024c8ece2306150e6b23b1100b3cf4.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
d8e742c8fc62fac1bf404dea48ec9b90.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
ec3e984ca663e5139582ab3c1dafb3f4.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
f3cc6443b22cbd98a59d944806919028.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
f525ced3320341d5f97c1938dacdfe67.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced
f8674fd8436c97037aa33aa7eae508e3.png: PNG image data, 160 x 160, 8-bit/color RGBA, non-interlaced

Great, now what? We opened the images and saw the game board we were playing on (a modified Monopoly board for the CTF).
Sweet, we pieced them back together… nothing. We noticed that the Firefox icon had been shifted. We scratched our heads, and one of the team members took the pieces home and started playing around with the properties of the pictures (in this case the alpha channel). It produced a line under the category C++. The game piece had been moved from its original location on a proper Monopoly board – Marvin Gardens. We tried submitting that as the key… No go. After a few more adventures in Wonderland the GITS staff made their rounds and informed us that we were in fact chasing our tails and should start over.

We began again looking at each picture individually. We ran strings on them to dump out any useful ASCII they might contain.


$ for f in *.png; do strings $f >> strings.out; done
$ cat strings.out

IHDR
bKGD
pHYs
IDATx
vZq7
5k~h

... cut for brevity.

w{u7
7o|n
]I}zO>y
n^82l
DpY:Z)
?;'-{8`
%tEXtdate:create
2012-01-26T16:15:31-05:00
%tEXtdate:modify
2012-01-26T16:15:31-05:00
tEXtSoftware
Adobe ImageReadyq
?iTXtXML:com.adobe.xmp
<?xpacket begin='
' id='W5M0MpCehiHzreSzNTczkc9d'?>
<x:xmpmeta xmlns:x='adobe:ns:meta/' x:xmptk='Image::ExifTool 8.66'>
<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>
 <rdf:Description rdf:about=''
  xmlns:Iptc4xmpExt='http://iptc.org/std/Iptc4xmpExt/2008-02-29/'>
  <Iptc4xmpExt:Event>
   <rdf:Alt>
    <rdf:li xml:lang='x-default'>ShmooCon 2012</rdf:li>
   </rdf:Alt>
  </Iptc4xmpExt:Event>
 </rdf:Description>
 <rdf:Description rdf:about=''
  xmlns:crs='http://ns.adobe.com/camera-raw-settings/1.0/'>
  <crs:RawFileName>/tmp/magick-5Oi</crs:RawFileName>
 </rdf:Description>
 <rdf:Description rdf:about=''
  xmlns:mediapro='http://ns.iview-multimedia.com/mediapro/1.0/'>
  <mediapro:Event>ShmooCon 2012</mediapro:Event>
 </rdf:Description>
</rdf:RDF>
</x:xmpmeta>
<?xpacket end='r'?>
IEND

We noticed this little gem after a few moments of looking over the output:

  /tmp/magick-5Oi

It did not dawn on us until we saw the telltale ‘=’ at the end of one of the original file names. We immediately thought base64. Each picture had /tmp/magick- followed by three characters in its RawFileName field.


$ for f in *.png; do strings $f | grep "/tmp/magick-" | cut -c 32-34; done
5Oi
S2V
c21
bWU
c3d
gd2
91b
</c
G5h
c2U
IG9
JBI
kgY
0aG
GQg
XMg
FJv
wgY
gYn
VyI
lZX
go=
lbG
W55
QuI

There was one small exception which appeared out of place. This image was the bottom-right piece, which gave us a clue about how the images were arranged and how these fragments needed to be ordered. When the images are assembled into the completed game board you are left with a 5 x 5 square. We read these images in from top left to bottom right. The image directly before the last piece contained “go=” in its original filename. So we concluded that this was the last piece we needed to concern ourselves with (Base64 uses ‘=’ signs to pad out to multiples of eight).

We were left with the following code snippet to assemble the suspected base64. *NOTE* test.tmp contained the filenames of the images in the assembled order, one per line.


$ while read line; do strings $line | grep "/tmp/magick-" | cut -c 32-34 | grep -v "</c"; done < test.tmp | tr -d '\n' > base64.out
$ cat base64.out | base64 -D
Key:"A Rose by any other name would smell as sweet."
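The strings/grep/cut pipeline above works, but it depends on the exact column position of the XMP line and produces the stray "</c" for the piece whose RawFileName carries no fragment. As an added example (not part of the original writeup, and not the challenge's own files), the script below does the same recovery by parsing the PNG chunk structure properly: it checks the PNG signature first (the "are these really PNGs?" step), verifies each chunk's CRC, pulls the crs:RawFileName value out of the iTXt XML:com.adobe.xmp chunk, concatenates the fragments in board order, and checks the base64 padding before decoding. The PNG files, the plaintext and the board order are constructed inline so it runs offline; the real challenge used 160x160 pieces and a different key, and the helper names (make_png, extract_fragment, recover_key) are my own. The padding checks rely on two properties of base64 the writeup leans on: the encoded output is always a multiple of four characters long, and "=" can only appear at the very end, so a piece with "=" that is not last tells you the pieces are out of order.

```python
import base64
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype, data):
    """Build one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_xmp(raw_file_name):
    """Minimal XMP packet modelled on the one the strings dump showed (constructed)."""
    return (
        "<?xpacket begin='\ufeff' id='W5M0MpCehiHzreSzNTczkc9d'?>"
        "<x:xmpmeta xmlns:x='adobe:ns:meta/'>"
        "<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>"
        "<rdf:Description rdf:about='' xmlns:crs='http://ns.adobe.com/camera-raw-settings/1.0/'>"
        f"<crs:RawFileName>{raw_file_name}</crs:RawFileName>"
        "</rdf:Description></rdf:RDF></x:xmpmeta>"
        "<?xpacket end='r'?>"
    )


def make_png(raw_file_name):
    """Constructed 1x1 RGBA PNG carrying an iTXt XML:com.adobe.xmp chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)  # 1x1, 8-bit, RGBA
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00\xff")  # filter byte + one pixel
    # iTXt layout: keyword NUL compflag compmethod langtag NUL transkeyword NUL text
    itxt = b"XML:com.adobe.xmp\x00\x00\x00\x00\x00" + make_xmp(raw_file_name).encode("utf-8")
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr) + make_chunk(b"iTXt", itxt)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


def iter_chunks(data):
    """Yield (type, body) for each chunk after checking the signature and every CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break


RAW_NAME_RE = re.compile(r"<crs:RawFileName>/tmp/magick-([^<]*)</crs:RawFileName>")


def extract_fragment(png_bytes):
    """Return the text after /tmp/magick- in the XMP chunk ("" if empty, None if absent)."""
    for ctype, body in iter_chunks(png_bytes):
        if ctype != b"iTXt":
            continue
        keyword, _, rest = body.partition(b"\x00")
        if keyword != b"XML:com.adobe.xmp":
            continue
        rest = rest[2:]                      # skip compression flag and method
        _lang, _, rest = rest.partition(b"\x00")
        _translated, _, text = rest.partition(b"\x00")
        match = RAW_NAME_RE.search(text.decode("utf-8", "replace"))
        if match:
            return match.group(1)
    return None


def recover_key(ordered_pngs):
    """Join the fragments in board order, validate the padding, and decode."""
    joined = "".join(extract_fragment(p) or "" for p in ordered_pngs)
    if "=" in joined.rstrip("="):
        raise ValueError("'=' padding is not at the end: pieces are out of order")
    if len(joined) % 4:
        raise ValueError("length is not a multiple of 4: a fragment is missing")
    return base64.b64decode(joined)


# Constructed sample board: 26-byte plaintext -> 36 base64 chars ending in a single "=",
# split into 3-character fragments, plus the one piece with no fragment at all.
SAMPLE_PLAINTEXT = b'Key:"constructed example!"'
_encoded = base64.b64encode(SAMPLE_PLAINTEXT).decode("ascii")
SAMPLE_PIECES = [make_png("/tmp/magick-" + _encoded[i:i + 3])
                 for i in range(0, len(_encoded), 3)]
SAMPLE_PIECES.append(make_png("/tmp/magick-"))

if __name__ == "__main__":
    print(recover_key(SAMPLE_PIECES))
```

Because the sample plaintext starts with "Key", the first piece's fragment is "S2V", the same fragment the real board produced. Feeding the pieces in reversed order raises the out-of-order error instead of decoding garbage, which is the check we were missing when we tried keys that did not decode cleanly.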

Thanks Khr@sh and ‘John Stamos’.