So Basic – Pwnium CTF 2014

This was a Miscellaneous mission, worth 75 points, and the challenge began with a zip file containing forty oddly named files. The file names looked like some sort of hash and each file contained some digits. When unzipping the zip archive, we got a directory structure that looked like the following:

.... snip snip.....
02e74f10e0327ad868d138f2b4fdd6f0
1679091c5a880faf6fb5e6087eb1b2dc
182be0c5cdcd5072bb1864cdee4d3d6e
19ca14e7ea6328a42e0eb13d585e4c22
1c383cd30b7c298ab50293adfecb7b18
1f0e3dad99908345f7439f8ffabdffc4
1ff1de774005f8da13f42943881c655f
33e75ff09dd601bbe69f351039152189
34173cb38f07f89ddbebc2ac9128303f
37693cfc748049e45d87b8c7d8b9aacd
3c59dc048e8850243be8079a5c74d079
45c48cce2e2d7fbdea1afc51c7c6ad26
.... snip snip.....

These look like MD5 hashes, and a quick run through Hash-ID verifies that theory. Good, you might say, but MD5 hashes of what? I thought about this for a while. If you were to echo the contents of all the uncompressed files, in alphabetical order, the result would be something like this:

637b3335326463306366396337656664663536306462623575656431377765376e3250657d656d69

It is noteworthy that this random string, taken in pairs of two, is a character in the printable ASCII range. Interesting, let’s make it printable:

$ for i in *; do cat $i| sed -e 's/^/0x/'| xxd -r; done
# c{352dc0cf9c7efdf560dbb5ued17we7n2Pe}emi

I couldn’t help but notice that the result looked an awful lot like a flag, but ordered in a different way. After some initial puzzling and trying to figure how the order was altered, I tried to find the characters based on their position in the string. As a programmer, I think of strings as being 0-indexed and so I tried to get the MD5 hash of 0. The resulting hash maps to a file containing ’50’, or ASCII ‘P’, and we know that for this competition all the flags have the format Pwnium{xxx}. The flag would be retrieved if we took each number from zero to forty and echoed the contents of the file for that number’s hash. In code:

#!/bin/bash
for i in {0..39} ; do
    cat $(echo -n $i | md5sum  | cut -d' ' -f1) | sed -e 's/^/0x/' | xxd -r #print each characters from its hex representation
done

The result of the above script gave us our flag, Pwnium{02cef7eeb75fdd9dfc67c0dc1e3e255b} ! Ca-ching:) !

Advertisements
So Basic – Pwnium CTF 2014

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s