STRIPPEDGO

Proof of flag

ctf{a4e394ae892144a54c008a3b480a1b22a6b64dd26c4b0c9eba498330f511b51e}

Summary of the vulnerabilities identified

Seek to the main function of the program (sym.go.main.main) and extract the string before it gets encrypted.

Proof of solving

We start off by running file:

$ file rev_strippedGo_strippedGO
rev_strippedGo_strippedGO: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=pbHcqNyu7oMwNz2AOwlC/ipoepuEEs9kTpe_InyYc/zxH96PaxbdfxJ2l96QnT/-SUbqa7STSlM69LnCs6A, stripped

So it’s a Go binary and it’s stripped; at least the title didn’t lie to us. We open it up in radare.

STUG-REFERENCE

Proof of flag

ctf{32849dd9d7e7b313c214a7b1d004b776b4af0cedd9730e6ca05ef725a18e38e1}

Summary of the vulnerabilities identified

Use steghide to extract the flag from stug.jpg with password stug.

Proof of solving

My teammates tried a lot of stuff, including brute forcing it with rockyou and a lot of stegano stuff. I tried some “obvious” passwords like “dctf”, “dctf2020” and “stug”. And stug ended up working out.

T3AM_VI3W3R

Proof of flag

DCTF{74a0f35841dfa7eddf5a87467c90da335132ae52c58ca440f31a53483cef7eac}

Summary of the vulnerabilities identified

Analysis on the VNC protocol.

Proof of solving

After firing up Wireshark and loading the provided .pcapng, we filter for the VNC protocol. We follow the TCP stream of the first entry and find that it spells out words with doubled letters.

The stream can be saved in .txt format for later processing. We get rid of the extra letters and dots and we end up with a message that says:

WHY-XOR

Proof of flag

ctf{79f107231696395c004e87dd7709d3990f0d602a57e9f56ac428b31138bda258}

Summary of the vulnerabilities identified

We have an XORed flag and it starts with 3 null bytes, so we can assume the key at least starts with “ctf”. And that turns out to be the correct key.

Proof of solving

So I started out by reading the challenge description, where it clearly says that the flag format is “CTF{sha256}”, so of course I tried “CTF” as the key, but that didn’t work, so I was really confused for some time.

YOPASS-GO

Proof of flag

pwndbg> x/69c 0x4c55f2
0x4c55f2: 99 'c' 116 't' 102 'f' 123 '{' 48 '0' 57 '9' 54 '6' 50 '2'
0x4c55fa: 51 '3' 57 '9' 51 '3' 99 'c' 101 'e' 51 '3' 56 '8' 48 '0'
0x4c5602: 99 'c' 51 '3' 99 'c' 102 'f' 54 '6' 57 '9' 54 '6' 99 'c'
0x4c560a: 54 '6' 99 'c' 53 '5' 57 '9' 97 'a' 48 '0' 56 '8' 53 '5'
0x4c5612: 99 'c' 100 'd' 101 'e' 48 '0' 102 'f' 55 '7' 101 'e' 100 'd'
0x4c561a: 100 'd' 49 '1' 51 '3' 56 '8' 50 '2' 102 'f' 50 '2' 101 'e'
0x4c5622: 57 '9' 48 '0' 57 '9' 48 '0' 50 '2' 50 '2' 48 '0' 97 'a'
0x4c562a: 98 'b' 100 'd' 102 'f' 57 '9' 97 'a' 54 '6' 51 '3' 57 '9'
0x4c5632: 54 '6' 99 'c' 56 '8' 56 '8' 125 '}'
pwndbg> x/1s 0x4c55f2
0x4c55f2: "ctf{09052393ce380c3cf696c6c59a085cde0f7edd1382f2e90902200abdf9a6396c88"
ctf{0962393ce380c3cf696c6c59a085cde0f7edd1382f2e9090220abdf9a6396c88}

Summary of the vulnerabilities identified

Following the execution of the binary in gdb, I found a “memequal” call having as parameters the input string and the flag in memory.
