Inshall'hack
Security if God wills it

Fleet Writeup (Nuit Du Hack 2018)

Fleet was a 300-point Stegano challenge at Nuit Du Hack 2018. Although its level was marked as "Easy", we (jeanmi151 and SIben) got first blood on it near the end of the CTF, and no one else managed to flag it.

Challenge description

Level: "Easy"

"You are in your favorite bar, ordering a beer, when a crumpled credit card receipt draws your attention. You unfold it. Here's what you find
on the back...
1337 http://fleet.wargame.rocks thb/g/6/19 -------------------"

Guessing Discovery

Clicking on the link simply shows a blank page. We run some scans on the machine using nmap:

~$ nmap -sS -sV fleet.wargame.rocks # TCP scan
~$ nmap -sU fleet.wargame.rocks # UDP scan

and find that two ports are open: port 80 (TCP scan) and port 1337 (UDP scan).

Using curl to send a HEAD request to fleet.wargame.rocks, we end up with the following:

~$ curl -I fleet.wargame.rocks
HTTP/1.1 1337 Unknown
Content-Length: 0

Somehow, making a TCP request to port 1337 also works, but the connection gets closed right away; that means that some attribute must be missing. In all likelihood, the same problem occurs on port 80. After a lot of thinking, we decide to try setting the local port to 1337, which somehow works!

~$ curl --local-port 1337 fleet.wargame.rocks
<!DOCTYPE html>
<html lang="en">
        <head>
                <title>7h3 1337 Soci37y</title>
        </head>
        <body>
                <h1>W31com3 f311ow m3mb3r! P13as3 ch3ck our 1as7 13773r...</h1>
                <h6><a href="telnet:fleet.wargame.rocks:1337">Link</a></h6>
        </body>
</html>

That's better! Seems like we have to try the same method on port 1337:

~$ nc -p 1337 fleet.wargame.rocks 1337
H311o.
Password:

Guessing Finding the password

So we have a connection asking for a password. Now, what could it be? Our default guess is 1337, but that doesn't work, of course.

We can assume that the password is hinted at in the second (and last) part of the announcement: thb/g/6/19 -------------------.

Guessing Googling

So what does THB mean?

By using our Google-Fu, we discover that THB is the currency in Thailand (baht). Another member of the team suggested that it is the name of a Malagasy beer called Three Horse Beer.

Unfortunately, none of these options seem to work well with the rest of the hint (and after checking with the organizers, they confirmed that we were wrong).

Using an acronym finder, we then stumble upon a more likely meaning: The Holy Bible. Bingpot! At this point, we understand that the g in the hint stands for Genesis and that 6 is the chapter.

We turn to our favorite mirror of the Bible. The last number in the hint, 19, could be the number of the verse.

19 And of every living thing of all flesh, two of every sort shalt thou bring into the ark, to keep them alive with thee; they shall be male and female.

We tried a few words, but that didn't yield any result. So using the verse is not the right option; maybe we should use the 19th word of the chapter.

Chapter 6

The sons of God marry the daughters of men—Men turn to wickedness, the earth is filled with violence, and all flesh is corrupted—The Flood is promised—God establishes His covenant with Noah, who builds an ark to save his family and various living things.*

The 19th word is violence. We try to use it, but it doesn't work. Now, in a new stroke of guessing, we 1337ify the word, replacing the same letters that were replaced on the HTML page.

We get vio13nc3, which is the right password!

~$ nc -p 1337 fleet.wargame.rocks 1337
H311o.
Password: vio13nc3
================================
.............
.........................
..................
......
................
............
.........
......................
...........
.............................
.................
...................

............
.
.....................
......
............
.........................
......
......
.........................
...
...
............
................
...........................
...................

............
.................
.................
......
............................
........................
...
......
..............
...
....
............
....................
..........................
...
........
.............
.................
..................
............
........................
............................
......................
..
........................
.........
.........................
......
....................
.........................
......
............
.........................
.........
........................
.......

..........................
......
............
..............
.........
........................
......
....
================================
48.896951 2.387775
S33 you 7h3r3...

Still guessing, but less so than before Getting the flag

First things first: the coordinates at the bottom are the same as those printed on the Nuit Du Hack neck strap and indicate the place where it's all happening. Meaning, they are useless.

Having several lines, each with a different number of dots, reeks of baseX encoding. Measuring the lines, we notice that the longest ones contain 29 characters. That's more than 26, so we can assume that the base does not correspond to the alphabet. The closest usual base that can encompass 30 different characters is base32. Using that, we save the lines of dots to lines.txt and type the following few lines of Python:

import base64

message = [len(x) for x in open('lines.txt').read().split('\n')]

base32_alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567" # Retrieved from https://inshallhack.org/paddinganography/ \o/

print(''.join([base32_alphabet[i] for i in message]))

We obtain the string "NZSGQMJWL5RTAMBVGMZGGZDDMQ3TAMRRG4YDGODEMU2DINRSMY4WCYJZGUZGMZJYHA2GMOJYGEA". After struggling for 1 min to get the correct padding to use base64.b32decode (it was 6 am at this point, don't judge us), we decode the string using dcode.fr and we get the flag!

Flag: ndh16_c00532cdcd70217038de4462f9aa952fe884f981
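
The padding problem mentioned above can be reproduced and resolved offline. This is an added example, not code from the original write-up: it assumes lines.txt ended with a newline, so that the final `A` of the printed string is the empty element left by `split('\n')` and not a real symbol. The function names and the sample input are constructed for illustration.

```python
import base64

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # RFC 4648 alphabet, as on the page


def lengths_to_b32(text):
    """Map each line's length to a base32 symbol.

    An empty line inside the block is a real symbol ('A', value 0); only the
    single empty element produced by a final newline is dropped.
    """
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()
    return "".join(B32[len(line)] for line in lines)


def b32decode_unpadded(s):
    """Decode base32 text whose '=' padding is missing."""
    # Whole bytes only ever produce lengths of 0, 2, 4, 5 or 7 modulo 8.
    if len(s) % 8 in (1, 3, 6):
        raise ValueError(f"{len(s)} symbols is not a valid base32 length")
    return base64.b32decode(s + "=" * (-len(s) % 8))


# String printed in the write-up: 75 symbols, and 75 % 8 == 3 is impossible.
PAGE_STRING = ("NZSGQMJWL5RTAMBVGMZGGZDDMQ3TAMRRG4YDGODEMU2DINRSMY4WCYJZ"
               "GUZGMZJYHA2GMOJYGEA")


def decode_page_string():
    # Assumption: the trailing 'A' comes from the newline at the end of
    # lines.txt, so it is removed before padding and decoding.
    return b32decode_unpadded(PAGE_STRING[:-1]).decode()


# Constructed sample: b"hi" is "NBUQ" in base32, i.e. lines of 13, 1, 20 and
# 16 dots, saved with a final newline like a typical text file.
SAMPLE = "\n".join("." * n for n in (13, 1, 20, 16)) + "\n"

if __name__ == "__main__":
    print(lengths_to_b32(SAMPLE))   # symbols recovered from the dot lines
    print(decode_page_string())     # flag recovered from the page's string
```

Checking the symbol count modulo 8 before padding is what separates a missing-padding problem from a spurious-symbol problem; here it points at the extra character straight away.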

Wrapping up

I seriously think that the person who made this challenge doesn't have a soul. SO. MUCH. GUESSING. At 6 am :'(. We liked the CTF overall, it was a lot of fun, but this challenge was more frustrating than fun!

