So Basic – Pwnium CTF 2014

This was a Miscellaneous mission, worth 75 points, and the challenge began with a zip file containing forty oddly named files. The file names looked like some sort of hash and each file contained some digits. When unzipping the zip archive, we got a directory structure that looked like the following:

.... snip snip.....
.... snip snip.....

These look like MD5 hashes, and a quick run through Hash-ID verifies that theory. Good, you might say, but MD5 hashes of what? I thought about this for a while. If you were to echo the contents of all the uncompressed files, in alphabetical order, the result would be something like this:


Notably, each pair of digits in this seemingly random string is the hex code of a character in the printable ASCII range. Interesting, let’s make it printable:

$ for i in *; do cat $i| sed -e 's/^/0x/'| xxd -r; done
# c{352dc0cf9c7efdf560dbb5ued17we7n2Pe}emi

I couldn’t help but notice that the result looked an awful lot like a flag, but ordered in a different way. After some initial puzzling and trying to figure out how the order was altered, I tried to find the characters based on their position in the string. As a programmer, I think of strings as being 0-indexed and so I tried to get the MD5 hash of 0. The resulting hash maps to a file containing ’50’, or ASCII ‘P’, and we know that for this competition all the flags have the format Pwnium{xxx}. The flag would be retrieved if we took each number from zero to forty and echoed the contents of the file for that number’s hash. In code:

for i in {0..39} ; do
    # the file name is the MD5 of the index; print the character from its hex representation
    cat "$(echo -n "$i" | md5sum | cut -d' ' -f1)" | sed -e 's/^/0x/' | xxd -r
done

The result of the above script gave us our flag, Pwnium{02cef7eeb75fdd9dfc67c0dc1e3e255b} ! Ca-ching:) !
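
The lookup described above, generalised so it does not assume forty files and reports any file the index guess fails to reach. This is an added example, not code from the original post; the function names and the sample string are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def index_name(i: int) -> str:
    """File name for position i: MD5 of the decimal index, as lowercase hex."""
    return hashlib.md5(str(i).encode()).hexdigest()


def build_layout(directory: Path, text: str) -> None:
    """Constructed test data: one file per character, holding its hex code."""
    for i, ch in enumerate(text):
        (directory / index_name(i)).write_text(f"{ord(ch):02x}\n")


def recover(directory: Path) -> str:
    """Rebuild the string by walking indices 0, 1, 2, ... until a hash is absent."""
    names = {p.name for p in directory.iterdir() if p.is_file()}
    chars = []
    i = 0
    while index_name(i) in names:
        name = index_name(i)
        hex_pair = (directory / name).read_text().strip()
        chars.append(bytes.fromhex(hex_pair).decode("ascii"))
        names.discard(name)
        i += 1
    if names:
        # Leftover files mean the guess (0-based, decimal index) does not
        # explain the whole archive, so the output should not be trusted.
        raise ValueError(f"{len(names)} file(s) not reachable by index")
    return "".join(chars)


def demo() -> str:
    """Round-trip a constructed sample string through a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_layout(Path(tmp), "Pwnium{constructed_sample}")
        return recover(Path(tmp))


if __name__ == "__main__":
    print(demo())
```
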
