HTH 2020 CTF: Misc: whoami (100)

This is from the Hackers Teaching Hackers HTH2020 CTF.

Full Disclosure: I did not complete this challenge in time for the CTF. I solved three of the four parts during the CTF and finally finished it the day after the CTF ended.

For this challenge, we are given a single file to download (no extension): “split” and the following text:

It’s a bird! It’s a plane! It’s…
A story in 4 parts.

We are also provided two hints:

Are we exclusive? Or…

ALL CAPS

To begin, I download the file and open it in Notepad++ (as I always do for questionable files).

I initially see that this is a Linux executable (ELF), but I also see a bunch of strange text (strange for an ELF file).

There appears to be some non-printable binary (typical of ELF files), HTML, Java, and Unicode (indicative of a PDF).

I first will run the file in Kali to see what it does…

It gives me a hexadecimal string: 4854487b312d62316e7a5f725f66756e5f

I do a hex to ASCII conversion and get: HTH{1-b1nz_r_fun_

This must be part one of the flag.

Next, I copied the file and gave it a .html extension. I can read the HTML, but it would be fun to see how it presents as a webpage. I opened it in Firefox and receive a pop-up alert with another string.

This time, the string is not hex: Ml9odG1sX3J1bGV6X2QwMGRf

I try the usual suspects for decoding. In this case, Base64 was the ticket.

2_html_rulez_d00d_

This must be part two of the flag. Halfway there!

Next, based on the text in the file indicative of PDF documents…

I copy the file and give it a .pdf extension and open it as such.

I see a string at the bottom of the PDF that matches the format I would expect for part three of the flag except it is URL encoded. After decoding that I get: 3_a_p0rtabl3_d0c_

One more part to go!

As I mentioned earlier, I saw some Java code in the file contents, so I ran the file with java…

That gives me a strange string: |y&x7$)a}5

After a lot of trial and error, I remembered to review the hints and determined this is most likely the output from an XOR cipher (Hint #1).

I used dcode.fr/xor-cipher to try and decode it.

The password must be all caps (Hint #2), but what is the password? I got lost in the weeds thinking that the password should be SUPERMAN because of the challenge name and text. This is where I stagnated.

After the CTF was over, I chatted with the challenge creator @mythdude and he indicated that the password is simpler than SUPERMAN.

I went back to dcode.fr/xor-cipher and tried simpler passwords that I could think of for the cipher. HTH was it.

That gave me the 4th part of the flag: 4-n0cla55}

The final full flag was:
HTH{1-b1nz_r_fun_2_html_rulez_d00d_3_a_p0rtabl3_d0c_4-n0cla55}
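The four decoding steps above (hex, Base64, URL decoding and a repeating-key XOR with the key HTH) can be reproduced offline without dcode.fr. The script below is an added example, not part of the original writeup or the challenge files; parts 1, 2 and 4 use the strings quoted in the writeup, while the URL-encoded form of part 3 is constructed here (underscores encoded as %5F) because the post only shows the decoded result.

```python
import base64
import binascii
from urllib.parse import unquote

# Strings as they appear in the writeup.
PART1_HEX = "4854487b312d62316e7a5f725f66756e5f"   # printed by the ELF
PART2_B64 = "Ml9odG1sX3J1bGV6X2QwMGRf"             # from the HTML alert()
PART4_XOR = "|y&x7$)a}5"                            # printed by the JAR
XOR_KEY = "HTH"                                     # the "ALL CAPS" hint

# Constructed for this example: the writeup gives only the decoded part 3,
# so this is one plausible URL-encoded form of it.
PART3_URL = "3%5Fa%5Fp0rtabl3%5Fd0c%5F"


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte of `data` with the key byte at (index mod key length).

    XOR is its own inverse, so the same call encrypts and decrypts.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_part1(hex_str: str) -> str:
    # Hex -> raw bytes -> ASCII text
    return binascii.unhexlify(hex_str).decode("ascii")


def decode_part2(b64_str: str) -> str:
    # Base64 -> raw bytes -> ASCII text
    return base64.b64decode(b64_str).decode("ascii")


def decode_part3(url_encoded: str) -> str:
    # Percent-encoding -> text
    return unquote(url_encoded)


def decode_part4(cipher_text: str, key: str) -> str:
    # The JAR output is printable ASCII, so latin-1 maps each char to one byte.
    plain = xor_repeating_key(cipher_text.encode("latin-1"), key.encode("ascii"))
    return plain.decode("ascii")


def assemble_flag() -> str:
    """Concatenate the four decoded parts into the final flag."""
    return "".join([
        decode_part1(PART1_HEX),
        decode_part2(PART2_B64),
        decode_part3(PART3_URL),
        decode_part4(PART4_XOR, XOR_KEY),
    ])


if __name__ == "__main__":
    print(assemble_flag())
```

Because each ciphertext byte is XORed with a key byte at position index mod 3, the tenth character of the output depends only on the first key byte; that is why a wrong key such as SUPERMAN changes every character at once, and why a three-byte key of uppercase letters is a small enough space to guess by hand once the hints are read together.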

This challenge was amazing as it was a polyglot. It was a single file that would be executed/run in four different ways without generating any errors or junk messages. It was a Linux binary program, HTML webpage, PDF file and Java JAR file all in one. Certainly the first one I have seen.
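A polyglot like this is also a useful thing to be able to spot from the defender's side: a file that only identifies as an ELF to a header check can still be a valid PDF or JAR further in. The scanner below is an added example (not from the writeup or the challenge) that looks for the magic bytes of all four formats anywhere in a buffer rather than only at offset 0; the sample bytes are constructed here and are not the real challenge file.

```python
import re

# Real format markers: ELF and PDF are true magic numbers, JAR files are ZIP
# archives (local file header "PK\x03\x04"). HTML has no magic number, so a
# case-insensitive search for a few opening tags stands in for it.
SIGNATURES = {
    "ELF": re.compile(rb"\x7fELF"),
    "PDF": re.compile(rb"%PDF-\d\.\d"),
    "ZIP/JAR": re.compile(rb"PK\x03\x04"),
    "HTML": re.compile(rb"<(?:!doctype html|html|script)\b", re.IGNORECASE),
}


def find_signatures(data: bytes):
    """Map each known format name to the list of offsets where its marker occurs."""
    return {name: [m.start() for m in pat.finditer(data)]
            for name, pat in SIGNATURES.items()}


def formats_present(data: bytes):
    """Names of every format whose marker appears at least once."""
    return [name for name, offsets in find_signatures(data).items() if offsets]


def leading_format(data: bytes):
    """The format a naive header-only check would report (marker at offset 0), or None."""
    for name, offsets in find_signatures(data).items():
        if offsets and offsets[0] == 0:
            return name
    return None


def is_polyglot(data: bytes, min_formats: int = 2) -> bool:
    """True when markers of at least `min_formats` distinct formats are present."""
    return len(formats_present(data)) >= min_formats


# Constructed sample: an ELF header, then HTML, a PDF header and a ZIP local
# file header glued together. Not the real "split" file.
SAMPLE_POLYGLOT = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"<html><script>alert('x')</script></html>\n"
    + b"%PDF-1.4\n%%EOF\n"
    + b"PK\x03\x04" + b"\x00" * 20
)

# Constructed sample of an ordinary, single-format file for comparison.
SAMPLE_PLAIN_PDF = b"%PDF-1.7\n1 0 obj\n<< >>\nendobj\n%%EOF\n"


if __name__ == "__main__":
    for name, offsets in find_signatures(SAMPLE_POLYGLOT).items():
        print(f"{name:8s} at offsets {offsets}")
    print("header-only verdict:", leading_format(SAMPLE_POLYGLOT))
    print("polyglot:", is_polyglot(SAMPLE_POLYGLOT))
```

The header-only verdict on the sample is ELF, which is exactly what a `file`-style check would say about the challenge binary, while the full scan reports four formats. In a pipeline, flagging any upload whose markers disagree with its declared type or that carries more than one format marker is a cheap first filter; a ZIP/JAR marker after a non-ZIP header deserves particular attention because the ZIP central directory is read from the end of the file, so an archive can sit behind any other content and still open.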

I want to thank @mythdude for putting this challenge together. It was very creative!
