Skip to content

Instantly share code, notes, and snippets.

@radimkohout
Last active Nov 14, 2022
Embed
What would you like to do?
The Catch 2022 write-up

We've been solving the Catch 2022 by CESNET with my friend Damian10012 ❤️ . We're ideal pair, since we complete each other. Our team was named "Podfukáři", and no, I'll not explain why 😁 . We've ended on 114th place with 14 points. which isn't much, but we couldn't solve more in .

Solved challenges: VPN access, Bitcoin wallet, Unknown package, Regex crossword, Route tracking, Van keys, Old webpages, Download backup, Packets auditing

Unsolved challenges: Messenger portal, Fraudulent email, DNS storage, Streamlining portal, XML Prettifier, Blog site, Phonebook, Orderly IS

Task: Hi, promising candidate,

our customers paying by bitcoin to our wallet bc1q8vnufzpyurlnvrxavrn2vxe5z0nafrp2d8nzng can get their package pickup code on http://pay-check.mysterious-delivery.thecatch.cz by entering their wallet ID.

Find out the pickup code for package that has not yet been claimed, although it was already paid for on Aug 8th 2022.

May the Packet be with you!

--------------

Task:

Hi, packet inspector,

our former employee Brenda (head of PR department) was working on new webpage with superdiscount code for VIP customers, but she get fired by AI because of "disturbing lack of machine precision".

Your task is to find the code as soon as possible. The only hope is an automated backup of Brenda's Download directory (there is a high probability that she had downloaded the discount page or part of it).

Download the backup file (MD5 checksum 2fd749e99a0237f506a0eb3e81633ad7).

May the Packet be with you!

--------------

When we unzip the zip file, we get two files, download-backup.md, containing password for the download-backup.rar. When we inspect the rar file in 7-Zip we can see, that it has some Zone.identifier files, that are ADS files invisble in the NTFS But when opening img.png:Zone.Identifier we can find here this URL: ReferrerUrl=http://self-service.mysterious-delivery.thecatch.cz/ When we open it in browser, we can find the flag in the footer of the webpage: FLAG{16bd-0c4x-ZRJe-8HC3}

Task: Hi, packet inspector, the AI has apparently some problems to transfer data from previous information system to new one. All packages in state "waiting for pickup" were erroneously moved to state "delivered". Now, we have an angry customer in our depot and she want her package with shipment ID 2022-0845.

In the previous IS, each package had his own domain name (for example, ID 2022-0845 can be tracked on http://tracking-2022-0845.mysterious-delivery.thecatch.cz).

Find the pickup code for package 2022-0845 as soon as possible, so we can give it to depot drone.

May the Packet be with you!

--------------

In this challenge, we know, that the previous system had correct info about package, so by visiting the website mention in the task via Wayback machine in appropriate date(https://web.archive.org/web/20220808090332/http://tracking-2022-0845.mysterious-delivery.thecatch.cz/), we can get flag: FLAG{pUVd-t1k9-DbkL-4r5X}

Task: Hi, packet inspector,

the AI has "upgraded" our packet auditing system – time to time, it generates archive of pictures, where the state of packet and the appropriate delivery team is indicated by different colours for each packet transport number.

We have a plea from Brenda's delivery team to find their missing packet in state ready for pickup (the other teams have already delivered all their packages mentioned in last given audit archive).

Download audit archive (MD5 checksum 08ee155d2c9aee13ea5cab0a11196129), find the desired pickup code and enter it on webpage http://pickup.mysterious-delivery.thecatch.cz to collect pickup code.

--------------

We know from description.png that Brenda's color is orange, and Ready for pickup is green. I've got the accurate RGB values from it, and using this code find the corresponding image:

static void Main(string[] args)
        {
            string[] allfiles = Directory.GetFiles(".", "*.png", SearchOption.AllDirectories);
            for (int i = 0; i < allfiles.Length; i++)
            {
                //Console.WriteLine(allfiles[i]);

                //Color [A=255, R=242, G=121, B=48]
                //Color [A=255, R=0, G=133, B=71]
                Bitmap im = new Bitmap(allfiles[i]);
                if (im.GetPixel(20, 20).Equals(Color.FromArgb(255, 242, 121, 48)))
                {
                    if (im.GetPixel(100, 100).Equals(Color.FromArgb(255, 0, 133, 71)))
                    {
                        Console.WriteLine(allfiles[i]);
                    }
                }
            }
        }

Using this code, I've got file 2022-08\30\19\000000.png, that contained code 629-367-219-835 and after entering this code to the page mention in the task, you get flag: FLAG{rNM8-Aa5G-dF5y-6LqY}

Task: Hi, promising candidate,

you have to prove the knowledge of regular expressions. Our Finnish recruiter Timo has prepared some crossword suitable for this purpose.

Download task description (MD5 checksum 6448c1748cc6047470a5f00c3945c1c4).

May the Packet be with you!

--------------

For each field, we've got 2 regexes, that influence the field. After learning some things about RegEx, we've been able to get this flag: FLAG{xxxx-xxxx-xxxx-xxxx}

Task: Hi, packet inspector,

our company uses on-board route recorders, so traffic controller can optimize movement of all vehicles and also control the schedule. Any route can be described by a text string that contains the codes of individual sites in the order in which they were visited (except depot, because each drive starts and also ends there).

Unfortunately, one of the recorders has been damaged and the particular sites were not recorded, just the total length of the route is known (exactly 163 912 meters). In addition, the driver told us that he never visited the same place more than once (except depot, of course).

Your task is to identify the exact route of the vehicle.

Download the map of vehicle operating area and backround info (MD5 checksum 5fd3f52bcb404eae543eba68d7f4bb0a).

May the Packet be with you!

--------------

We can start by manually unwinding F,L,A,G,{ and } . After that, I've yoloed removing some elements, that seem to be the correct ones. And I was successfull, getting this flag: FLAG{SLiH-QPWV-hIm5-hWcU}

Task: Hi, promising candidate,

the cleaning drones have taken pictures of some abandoned unknown package in our backup depot. The AI claims that the analysed item is in no way a package, instead it repeats "cat - animal - dangerous - avoid".

Get as much as possible information about the package.

Download taken pictures (MD5 checksum c6f700e1217c0b17b7d3a35081c9fabe).

May the Packet be with you!

--------------

The QR code contains some pretty much useless information. If we scan the most left barcode on the image 2261_2.jpg, we get this flag: FLAG{Oics-NF3B-vUOC-pUMt}

Task: Hi, packet inspector,

all our delivery vans use password instead of standard car keys. Today, we have found out that the AI has implemented a new security measure – the vans are now referred as "AES Vans" and the password has been changed and encrypted. The decryption part is not yet finished, so we can't start any delivery van since morning!

Good news is that we managed to get the latest version of the decryption script from git repository. Bad news is that the script is not finished yet! Your task is to the finalize the script and decrypt the password as soon as possible.

Download the script and encrypted password (MD5 checksum e67c86a277b0d8001ea5b3e8f6eb6868).

May the Packet be with you!

--------------

In this challenge, we need to complete the AES decryption and fix bugs in the code to complete script:

#!/usr/bin/env python
# -*- coding:utf-8 -*-
"""
The Mysterious Delivery, Ltd.
"""

__author__ = "Mysterious AI"
__version__ = "3.14"

import random
import hashlib
import base64
from Crypto.Cipher import AES


class AESCipher():
    """
    AES
    """

    def __init__(self, key):
        """
        constructor
        """
        self.bs = AES.block_size
        self.key = hashlib.sha256(key.encode()).digest()

    def encrypt(self, raw):
        """
        Decrypt function
        """
        raw = self._pad(raw)
        iv = Random.new().read(AES.block_size)
        cipher = AES.new(self.key, AES.MODE_CBC, iv)
        return base64.b64encode(iv + cipher.encrypt(raw.encode()))

    def decrypt(self, enc):
        """
        Decrypt function
        """
        enc = base64.b64decode(enc)
        iv = enc[:AES.block_size]
        cipher = AES.new(self.key, AES.MODE_CBC, iv)
        return self._unpad(cipher.decrypt(enc[AES.block_size:])).decode('utf-8')

    def _pad(self, s):
        return s + (self.bs - len(s) % self.bs) * chr(self.bs - len(s) % self.bs)

    @staticmethod
    def _unpad(s):
        return s[:-ord(s[len(s)-1:])]


def generate_van_key(keylen):
  """
  Generate super-secure key for AES Vans
  """
  data = ''
  with open('pi_dec_1m.txt', 'r') as fhnd:
    data = fhnd.read()
  random.seed(314)
  key = '3.14'
  for i in range(0, keylen-len(key)):
        key += data[random.randint(0, 999999)]
  return key


def main():
    """
    main
    """
    print("Mysterious Delivery, Ltd. - ultimate van engine secure start")

    # generate key
    key = generate_van_key(128)

    # decryption
    obj = AESCipher(key)
    print(obj.decrypt(open("van_keys_enc.aes","r").read()))


main()

# EOF

Then we need to download the pi_dec_1m.txt file there: https://pi2e.ch/blog/2017/03/10/pi-digits-download/ to the folder. Then we run the program, getting this flag: FLAG{ITRD-Pyuv-JuLt-9zpM}

Task: Hi, promising candidate,

a lot of internal system is accessible only via VPN. You have to install and configure OpenVPN properly. Configuration file can be downloaded from CTFd's link VPN. Activate VPN and visit testing page http://candidate-test.mysterious-delivery.tcc, where the control code is.

May the Packet be with you!

--------------

In this challenge, we were required to connect to VPN server using OpenVPN and the provided .ovpn file. After connecting here, and visiting http://candidate-test.mysterious-delivery.tcc/, we've got flag in h1 tag, which was: FLAG{kBXt-jdGI-EwwT-6pfp}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment