BlueHens CTF 2021: Minecraft: Mega Chickens

This is from the BlueHensCTF 2021.

Challenge Author: ProfNinja, Gkonos, Daniel

For this challenge, We are given the following information and links:

Here is the mc86 Intro:

Here is the mc86 InitCode:

/give @p minecraft:written_book{title:"Init CPU",author:"UD Cyberscholars",generation:0,pages:[
"{\"text\":\"Click Here First\\n\",\"color\":\"dark_green\",\"bold\":true,\"underlined\":true,\"hoverEvent\":{\"action\":\"show_text\",\"value\":\"Creating RAM\"},\"clickEvent\":{\"action\":\"run_command\",\"value\":\"/setblock ~1 ~ ~ minecraft:lime_shulker_box\"},
\"extra\":[
{\"text\":\"Click Here Second\\n\",\"color\":\"dark_green\",\"bold\":true,\"underlined\":true,\"hoverEvent\":{\"action\":\"show_text\",\"value\":\"Start Timing Belt\"},\"clickEvent\":{\"action\":\"run_command\",\"value\":\"/setblock ~2 ~1 ~ minecraft:command_block[facing=up]{powered:0b,Command:\\\"setblock ~ ~-1 ~ air\\\"}\"}},
{\"text\":\"Click Here Third\\n\",\"color\":\"dark_green\",\"bold\":true,\"underlined\":true,\"hoverEvent\":{\"action\":\"show_text\",\"value\":\"Finishing Timing Belt\"},\"clickEvent\":{\"action\":\"run_command\",\"value\":\"/setblock ~2 ~2 ~ minecraft:chain_command_block[facing=up]{powered:0b,auto:1b,conditionMet:0b,Command:\\\"execute if data block ~-1 ~-2 ~ Items[0].tag.pages[0] run setblock ~ ~-2 ~ redstone_block\\\"}\"}},
{\"text\":\"Click Here Fourth\\n\",\"color\":\"dark_green\",\"bold\":true,\"underlined\":true,\"hoverEvent\":{\"action\":\"show_text\",\"value\":\"Start CPU\"},\"clickEvent\":{\"action\":\"run_command\",\"value\":\"/setblock ~3 ~ ~ minecraft:command_block[facing=east]{powered:0b,Command:\\\"data modify block ~2 ~ ~ Command set from block ~-2 ~ ~ Items[0].tag.pages[0]\\\"}\"}},
{\"text\":\"Click Here Fifth\\n\",\"color\":\"dark_green\",\"bold\":true,\"underlined\":true,\"hoverEvent\":{\"action\":\"show_text\",\"value\":\"Finishing CPU\"},\"clickEvent\":{\"action\":\"run_command\",\"value\":\"/setblock ~4 ~ ~ minecraft:chain_command_block[facing=east]{powered:0b,auto:1b,conditionMet:0b,Command:\\\"data remove block ~-3 ~ ~ Items[0].tag.pages[0]\\\"}\"}},
{\"text\":\"Click Here Sixth\\n\",\"color\":\"dark_green\",\"bold\":true,\"underlined\":true,\"hoverEvent\":{\"action\":\"show_text\",\"value\":\"Placing ALU\"},\"clickEvent\":{\"action\":\"run_command\",\"value\":\"/setblock ~5 ~ ~ minecraft:chain_command_block[facing=east]{powered:0b,auto:1b,conditionMet:0b}\"}}]}"]} 1

Finally, here is the challenge source code:

/give @p writable_book{pages:["/fill ~ ~ ~-2 ~5 ~ ~-3 yellow_concrete","/fill ~1 ~ ~-4 ~1 ~5 ~-4 yellow_concrete","/fill ~4 ~ ~-4 ~4 ~5 ~-4 yellow_concrete","/fill ~ ~6 ~-6 ~5 ~11 ~2 blue_wool","/fill ~-1 ~8 ~-5 ~6 ~11 ~1 blue_wool","/fill ~1 ~10 ~2 ~4 ~15 ~4 blue_wool","/fill ~2 ~10 ~5 ~3 ~11 ~5 red_concrete","/fill ~1 ~12 ~5 ~4 ~13 ~6 yellow_concrete","/fill ~3 ~14 ~4 ~3 ~14 ~4 black_concrete","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-72 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~40 ~20 ~-10","/fill ~3 ~14 ~4 ~3 ~14 ~4 blue_wool","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-8 ~20 ~-10","/fill ~4 ~14 ~4 ~4 ~14 ~4 black_concrete","/fill ~3 ~14 ~4 ~3 ~14 ~4 black_concrete","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-152 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-96 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-16 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~80 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~88 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~168 ~20 ~-10","/fill ~2 ~14 ~4 ~2 ~14 ~4 black_concrete","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-112 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-80 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-48 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~64 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~160 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~176 ~20 ~-10","/fill ~3 ~14 ~4 ~3 ~14 ~4 blue_wool","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-192 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-184 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-144 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-32 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~16 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~72 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~96 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~136 ~20 ~-10","/fill ~4 ~14 ~4 ~4 ~14 ~4 blue_wool","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-176 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-168 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-160 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-136 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-128 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-88 ~20 ~-10","/fill ~3 ~14 ~4 ~3 ~14 ~4 black_concrete","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-120 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-64 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~0 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~8 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~32 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~48 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~112 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~128 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~144 ~20 ~-10","/fill ~1 ~14 ~4 ~1 ~14 ~4 black_concrete","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~152 ~20 ~-10","/fill ~3 ~14 ~4 ~3 ~14 ~4 blue_wool","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~56 ~20 ~-10","/fill ~2 ~14 ~4 ~2 ~14 ~4 blue_wool","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~120 ~20 ~-10","/fill ~3 ~14 ~4 ~3 ~14 ~4 black_concrete","/fill ~4 ~14 ~4 ~4 ~14 ~4 black_concrete","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-104 ~20 ~-10","/fill ~3 ~14 ~4 ~3 ~14 ~4 blue_wool","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-40 ~20 ~-10","/fill ~2 ~14 ~4 ~2 ~14 ~4 black_concrete","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-56 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~184 ~20 ~-10","/fill ~3 ~14 ~4 ~3 ~14 ~4 black_concrete","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~-24 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~24 ~20 ~-10","/clone ~-1 ~ ~-6 ~6 ~15 ~6 ~104 ~20 ~-10"]}

As recommended by the challenge text, I got the latest Minecraft Java Launcher and launched a world:

I followed the YouTube video and gave myself a command block, placed it with a button on it, and posted the mc86 initcode:

I clicked the button and received an enchanted book:

I followed the instructions and clicked each of the six links to generate my mc86 computer in my world:

Next, following the YouTube video, I pasted the challenge source code into the command block I created earlier and click the button:

his gave me a book and quill with 72 pages of instructions:

I then placed this book and quill into the Shulker Box:

I placed a button in the mc86 computer (as directed in the YouTube video) and and clicked it to run the challenge program:

This created a bunch of giant chickens (or maybe Blue Hens):

Upon close inspection, I see that their eyes are different:

Looking even closer, I see that their are 4 blocks that are changing between chickens. Those 4 blocks are either just the blue wool (like the rest of the chicken) or black concrete. On a hunch, I recorded these as binary values where blue wool equaled a 0 and black concrete equaled a 1. This gave me the following binary value:

0100 0110 0111 1011 0011 0100 0111 0010 0110 1101 0111 1001 0101 1111 0011 0000 0110 0110 0101 1111 0110 0010 0110 1100 0111 0101 0011 0011 0101 1111 0110 1000 0110 0101 0110 1110 0111 0011 0111 1101

Taking this hunch further, I modified these values to give me binary bytes:

01000110 01111011 00110100 01110010 01101101 01111001 01011111 00110000 01100110 01011111 01100010 01101100 01110101 00110011 01011111 01101000 01100101 01101110 01110011 01111101

A quick trip to RapidTables to convert these binary bytes to ASCII, I get the following text:

That is the flag:

UDCTF{4rmy_0f_blu3_hens}

Vishwa CTF: Reverse Engineering: Rotations (472)

This is from the 2021 Vishwa CTF

For this challenge, we are given the following clue and a ELF binary:

After some preliminary poking at the file, I execute it in the terminal to see what it does. I see that it waits for input from the user and replies with “EWWWW DUMBBB” and exits:

Next I load it into my debugger and inspect the code:

I see that there is cmp performed and it results in a jmp to the failure message:

I modify the jmp and fill it with NOPs:

I then provide some random input and watch for its response:

It looks like a scrambled flag. Most likely a simple shift cipher… maybe a ROT (rotation). I head over to rot13.com and decode it:

Now I have the flag!

Vishwa CTF: Reverse Engineering: Misleading Steps (484)

This is from the 2021 Vishwa CTF

For this challenge, we are given the following clue and a binary file:

When performing a static analysis of the binary, I see what looks like a flag, but as it states, it is a false flag:

Next, I execute the program in terminal to see what it does:

It slowly scrolls out the following text:

The first appearance deceives many,the intelligence of a few perceives what has been carefully hidden...

Next, I load up my debugger and inspect it.

I noticed that there a number of characters (in hex) listed out:

I capture those hex values in a text editor.

76 69 73 68 77 61 43 54 46 7b 55 6d 4d 5f 77 33 69 52 44 6f 6f 6f 30 5f 31 5f 41 6d 5f 74 68 33 5f 72 33 34 6c 5f 30 6e 33 7d

I then convert them to ASCII:

And now I have the real flag!

UTCTF2021: Beginner: Cipher Gauntlet (100)

This is from the UTCTF2021 CTF

Challenge Author: balex

For this challenge, we are given a hint and a text file:

A quick trip over to RapidTables and we get this:

Apparently the princess is in another castle. I see that there is what appears to be a base64 encoded string. A quick trip over to Base64Decode and we get this:

Yet another castle. This time I have another string that appears to be a cipher along with a clue. This leads me to think it could be a Caesar Cipher. A quick trip to dcode.fr and I get this:

congratulations! you have finished the beginner cryptography challenge. here is a flag for all your hard efforts: utflag{now_youre_playing_with_crypto}. you will find that a lot of cryptography is building off this sort of basic knowledge, and it really is not so bad after all. hope you enjoyed the challenge!

Shadow CTF: Misc: Tesseract (350)

This is from the Shadow CTF.

Disclaimer: I did this challenge quick and dirty in order to get first blood.

For this challenge, we are told that there is a program that can decrypt the flag for us using the right password. The password is a number between 16000 and 20000. We are provided a zip file containing an ELF binary (numgen)and another zip file that contains a bunch of small images. These images are named 0.png … 39.png. They are pictures of random letters, numbers, and characters.

Running the executable I am told it wants a number argument.

I provide a number (1600) and get a series of numbers as a response.

Looking at the image file names with relation to the numbers in the response, I see it translates to gibberish. I can make an educated guess that the flag should end with a “}”, which is 39.png and the the first character should be an “S” (7.png) or an “F” (32.png) based on the CTF flag format.

Using this method, I can write a script to try all possibilities from 16000 to 20000 (4000 possibilities).

#!/bin/bash
for i in {16000..20000}
do
  ./numgen $i
done

I can run the script and output the results to a file. Yes, a more elegant solution could be crafted that would grep for the right results, but it is only a 24-hour CTF.

/runnum.sh > numgenout.txt

The output file contains 8,000 lines (the resulting numbers and the “Randomizing names of images …” string.

7 5 8 39 11 33 33 33 23 6 8 21 38 36 38 14 9 20 24 
Randomizing names of images ... 
5 8 39 11 33 33 33 23 6 17 8 38 36 38 14 9 20 24 18 
Randomizing names of images ... 
8 39 11 33 33 33 23 6 17 21 8 36 38 14 9 20 24 18 27 
Randomizing names of images ... 
39 11 33 33 33 23 6 17 21 38 8 38 14 9 20 24 18 27 17 
Randomizing names of images ... 
11 33 33 33 23 6 17 21 38 36 8 ................................

Quick and dirty I copy the lines into excel (yeah, I know) and drop all cells containing the “Randomizing names of images …” string.

I create a quick formula to get the 1 or two digit number before the first space in the cell and then throw it in the “B” column.

=LEFT(A1,(FIND(" ",A1,1)-1))

A quick filter to only show the cells that start with 7 or 32 (S or F), and I get 189 cells.

I then do a quick filter using “ends with” and use 18 (“}”) as the criteria.

That narrows it down to 9 possible cells.

I now look for the second letter based on my assumption that the first word is “shadow” or “flag”. The numbers should be either 6, 4, or 31 (there are two “L” images).I do this with another filter.

It gives me only one result:

A quick and dirty translation using the images gives me the flag:

SHADOWCTF{W3LLD0N3}

After submitting the flag for first blood, I make an HTML file to make the flag look pretty:

<html>
<head><title>Gimmie The Flag</title></head>
<body>
<center>
<p>7 6 22 13 34 8 17 0 32 39 8 19 4 31 30 25 2 14 18</p>
<p><img src="7.png"><img src="6.png"><img src="22.png"><img src="13.png"><img src="34.png"><img src="8.png"><img src="17.png"><img src="0.png"><img src="32.png"><img src="39.png"><img src="8.png"><img src="19.png"><img src="4.png"><img src="31.png"><img src="30.png"><img src="25.png"><img src="2.png"><img src="14.png"><img src="18.png"></p>
</center>
</body>
</html>

HTH 2020 CTF: Misc: whoami (100)

This is from the Hackers Teaching Hackers HTH2020 CTF.

Full Disclosure: I did not complete this challenge in time for the CTF. I solved three of the four parts during the CTF and finally finished it the day after the CTF ended.

For this challenge, we are given a single file to download (no extention): “split” and the following text:

It’s a bird! It’s a plane! It’s…
A story in 4 parts.

We are also provided two hints:

Are we exclusive? Or…

ALL CAPS

To begin, I download the file and open it in notepad++ (as I always do for questionable files).

I initially see that this is a Linux executable (ELF), but I also see a bunch of strange text (strange for an ELF file).

There appears to be some non-printable binary (typical of ELF files), HTML, JAVA, and Unicode (indicative of a PDF).

I first will run the file in Kali to see what it does…

It gives me a hexadecimal string: 4854487b312d62316e7a5f725f66756e5f

I do a hex to ASCII conversion and get: HTH{1-b1nz_r_fun_

This must be part one of the flag.

Next, I copied the file and gave it a .html extension. I can read the HTML, but it would be fun to see how it presents as a webpage. I opened it in Firefox and receive a pop-up alert with another string.

This time, the string is not hex: Ml9odG1sX3J1bGV6X2QwMGRf

I try the usual suspects for decoding. In this case, Base64 was the ticket.

2_html_rulez_d00d_

This must be part two of the flag. Half way there!

Next, based on the text in the file indicative of PDF documents…

I copy the file and give it a .pdf extension and open it as such.

I see a string at the bottom of the PDF that matches the format I would expect for part three of the flag except it is URL encoded. After decoding that I get: 3_a_p0rtabl3_d0c_

One more part to go!

As I mentioned earlier, I saw some JAVA code in the file contents, so I ran the file with java…

That gives me a strange string: |y&x7$)a}5

After a lot of trial and error, I remembered to review the hints and determined this is most likely the output from an XOR cipher (Hint #1).

I used dcode.fr/xor-cipher to try and decode it.

The password must be all caps (Hint #2), but what is the password. I got lost in the weeds thinking that the password should be SUPERMAN because of the challenge name and text. This is where I stagnated.

After the CTF was over, I chatted with the challenge creator @mythdude and he indicated that the password is more simple than SUPERMAN.

I went back to dcode.fr/xor-cipher and tried simpler passwords that I could think of for the cipher. HTH was it.

That gave me the 4th part of the flag: 4-n0cla55}

The final full flag was:
HTH{1-b1nz_r_fun_2_html_rulez_d00d_3_a_p0rtabl3_d0c_4-n0cla55}

This challenge was amazing as it was a polyglot. It was a single file that would be executed/ran in four different way without generating any errors or junk messages. It was a Linux binary program, HTML webpage, PDF file and a JAVA jar file all in one. Certainly the first one I have seen.

I want to thank @mythdude for putting this challenge together. It was very creative!