EKO Party writeups

Author: Pharisaeus

2017-09-17-ekoparty/README.md

@@ -6,3 +6,13 @@ Team: c7f.m0d3, shalom, nazywam, cr019283
 
 * [Angel (re)](angel)
 * [OldPC (misc)](oldpc)
+* [My first app (web)](my_first_app_web)
+* [Warmup (re)](warmup_re)
+* [Malbolge (misc)](malbolge_misc)
+* [Shopping (pwn)](shopping_pwn)
+* [Shopwn (pwn)](shopwn_pwn)
+* [Rhapsody (re)](rhapsody_re)
+* [ICSS (misc/crypto)](icss_misc)
+* [Special (misc)](special_misc)
+* [COBOL (re)](cobol_re)
+* [Spies (dns)](spies_dns)

2017-09-17-ekoparty/cobol_re/EKO.SAVF

@@ -0,0 +1,68 @@
+# COBOL (RE, 485p, 10 solved)
+
+In the task we get an old [IBM SAVF file](EKO.SAVF).
+Unlike last year, where we could just load it to some online tools, this time the file was corrupted.
+
+We quickly had a look around at the file contents, decoded from ebcdic string encoding, but the flag string seemed permutated, so we guessed we actually have to recover the binary and reverse it.
+This was a huge mistake.
+We wasted quite some time trying to fix this file, which had some checksum failures.
+
+After a while we tried one more time to look at the strings:
+
+```python
+import codecs
+import ebcdic
+
+def decode():
+    with codecs.open("EKO.SAVF", 'rb') as input_file:
+        print(input_file.read().decode('cp1148'))
+```
+
+We can see there a nice section:
+
+```
+YOU ARE RIGHTWE}m_A4rREg0_RrpUN+0NI04NGsa_O+7UT3313F_+rGO3hODt0_In4DE{OASKE  NOPE], YOUR SECRET IS WRONG]
+```
+
+And from this we guess that the part:
+
+```
+}m_A4rREg0_RrpUN+0NI04NGsa_O+7UT3313F_+rGO3hODt0_In4DE{OASKE
+```
+
+Is the mangled flag.
+It's clear it's inverted, so we invert it back:
+
+```
+EKSAO{ED4nI_0tDOh3OGr+_F3133TU7+O_asGN40IN0+NUprR_0gERr4A_m}
+```
+
+We know that the flag starts with `EKO{` so we need to take 2 characters, remove next 2, and again take 2.
+We guessed we will check what happens if we proceed like this:
+
+```
+EKO{4n0th3r+31TUO_GNINNUR_ERA_EW
+```
+
+And inverted:
+
+```
+WE_ARE_RUNNING_OUT13+r3ht0n4{OKE
+```
+
+So we're on a good track, and we have first half of the flag.
+Since the second half is also not random, we decided to do our take-2-leave-2, but with offset of 2:
+
+```
+SAEDI_DOOG_F337+as400+pr0gr4m}
+}m4rg0rp+004sa+733F_GOOD_IDEAS
+```
+
+This way we get a second half of the flag and rest of the message blended in:
+
+```
+EKO{4n0th3r+31337+as400+pr0gr4m}
+WE_ARE_RUNNING_OUTF_GOOD_IDEAS
+```
+
+As can is noticable now, we could have just removed all uppercase and `_` characters from the initial string to get the flag as well.

2017-09-17-ekoparty/cobol_re/README.md

@@ -0,0 +1,89 @@
+# ICSS (Misc/Crypto, 471p, 18 solved)
+
+A blackbox crypto challenge.
+We get a base64 encoded ciphertext `ypovStywDFkNEotWNc3AxtlL2IwWKuJA1qawdvYynITDDIpknntQR1gB+Nzl` and access to a service which can encrypt for us up to 6 characters of input.
+
+First we need to understand how this encryption works, and for this we played a bit with it, sending specially crafted payloads.
+We can notice some things:
+
+1. Encryption goes character by character, there are no blocks. It's easy to see when we add or remove characters.
+
+2. Ciphertext for a character depends on the character itself and on the position where it is in the input. The same character on a different position encrypts differently, but the same character at the same position, even for different plaintexts gives the same encrypted value.
+For example:
+aaa -> a060a2
+aba -> a063a2
+
+So the encryption for the last `a` stayed the same.
+
+3. An exception to above rule is the first character. It affects how rest of the string is encrypted.
+
+Another set of tests we did gave some interesting results. 
+By sending `\x00\x00\x00\x00\x00\x00` bytes we got `010102030508` which looks like a Fibonacci sequence!
+It got even better when we sent `\x01\x00\x00\x00\x00\x00` because we got `00020305080d` which is the same sequence just shifter 1 position further (disregarding the first byte).
+If we now send `\x01\x05\x00\x00\x00\x00` we will get `00070305080d` so the sequence is the same but second byte is bigger by 5, which is the value we tried to encrypt.
+First byte encryption is unknown, but it depends only on this character, so we don't really care, it can be brute-forced.
+
+We did a bit more checking and it was quite clear that the encryption does something like:
+1. Encrypt first byte in some special way
+2. Every other byte in position `k` is encrypted as `Fibonacci(first_byte + k) + kth_byte_value`
+
+However, there is some weird stuff happening when overflow is reached, and it seemed some other special cases are present as well for even/odd numbers.
+
+Instead of trying to figure out how to handle those issues, we decided to go the "easy" way instead.
+We know that by changing the first byte we can "shift" the Fibonacci sequence for the rest of the encryption, but it means that we basically shift the positions!
+By sending `Xa` we can get encrypted byte `a` at positon `1` with starting byte `X`, but if we send `(X+1)a` we will shift the sequence and the result will be the same as encrypted `a` at position `2` with starting byte `X`.
+
+This means that we can pretty much get any encrypted byte at any position we want by encrypting only 2 bytes at a time!
+We use this approach with the server as "oracle" serving us the encrypted bytes and we brute-force the flag.
+
+What we want to do:
+1. Take a single encrypted character from the encrypted flag we have at k-th position.
+2. Encrypt via server every possible character at k-th position and compare it with the one we have. Once they match we know what was the plaintext character.
+3. Repeat until we get whole flag.
+
+So we run:
+
+```python
+import base64
+import string
+
+from crypto_commons.netcat.netcat_commons import nc, send
+
+
+def brute_character_at_position(position, expected):
+    for c in string.letters + "{_" + string.digits + string.punctuation:
+        if int(get_encrypted_char_at_position(c, position), 16) == ord(expected):
+            return c
+    return "?"
+
+
+def get_encrypted_char_at_position(character, position):
+    return get_ciphertext(chr(ord('E') + position) + character)[2:4]
+
+
+def get_ciphertext(c):
+    url = 'icss.ctf.site'
+    port = 40112
+    s = nc(url, port)
+    s.recv(9999)
+    s.recv(9999)
+    send(s, c)
+    s.recv(9999)
+    result = s.recv(9999)
+    return base64.b64decode(result).encode("hex")
+
+
+def main():
+    flag_ciphertext = base64.b64decode("ypovStywDFkNEotWNc3AxtlL2IwWKuJA1qawdvYynITDDIpknntQR1gB+Nzl")
+    flag_plaintext = "E"
+    for i in range(len(flag_ciphertext) - 1):
+        expected_encrypted_byte = flag_ciphertext[i + 1]
+        flag_plaintext += brute_character_at_position(i, expected_encrypted_byte)
+        print(flag_plaintext)
+    print(flag_plaintext)
+
+
+main()
+```
+
+After a while we finally get: `EKO{Mr_Leon4rd0_PisAno_Big0770_AKA_Fib@nacc!}`

2017-09-17-ekoparty/icss_misc/README.md

@@ -0,0 +1,18 @@
+# Malbolge (Web, 238p, 153 solved)
+
+We can connect to a service which asks us for a Malbolge code which will print `Welcome to EKOPARTY!`:
+
+```
+$ nc6 malbolge.ctf.site 40111
+nc6: using stream socket
+Send a malbolge code that print: 'Welcome to EKOPARTY!' (without single quotes)
+```
+
+A bit of googling and we find http://www.matthias-ernst.eu/malbolge.html where author created [a program](finder.c) for generating Malbolge programs printing out desired output.
+We used it and got:
+
+```
+bCBA@?>=<;:9876543210/.-,+*)('&%$#"!~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9y765432+O/.-,+*)i'&}C{"!~w={zyxwYutsrqponmlkjiha'Hdcba`_^]\[ZYXWVUTSRQPONMLKJIHGFED=a;@?>7[|:981U543s10/.',+*#G'&%$#"!~`|u;yxqvun4rqpRhmf,Mchgfedcba`_^]VzZYXWVUTSRQJnNM/KDIBfFEDCBA#?>=<54X810T4321q/.-,+$H('&%$#"bx>|{tyxwvutsrqponmlkd*Kafedc\"m
+```
+
+Which in turn gave us the flag: `EKO{0nly4nother3soteric1anguage}`