@tprynn
Last active December 23, 2015 18:19
CSAW CTF 2013 Recon Write-up

CSAW CTF 2013 Recon Write-up -- WildcatSec

Recon 1 - Alexander Taylor

I was totally stuck on this one until we received the hint "Bro, do you even PNG?" Immediately we know that the key, or a hint to it, is hidden somewhere in an image. The first step in recon is always to check the judges' page, which usually gives you a lead or some info. Download the relevant picture (ataylor.png). Then check the EXIF data:

Tanner:csaw $ exiftool ataylor.png
ExifTool Version Number         : 9.29
File Name                       : ataylor.png
Directory                       : .
File Size                       : 268 kB
File Modification Date/Time     : 2013:09:22 11:27:24-07:00
File Access Date/Time           : 2013:09:23 10:28:56-07:00
File Inode Change Date/Time     : 2013:09:22 11:27:29-07:00
File Permissions                : rw-r--r--
File Type                       : PNG
MIME Type                       : image/png
Image Width                     : 604
Image Height                    : 401
Bit Depth                       : 8
Color Type                      : RGB
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Textual Data                    : (Binary data 11 bytes, use -b option to extract)
Pixels Per Unit X               : 11811
Pixels Per Unit Y               : 11811
Pixel Units                     : Meters
Image Size                      : 604x401

Not particularly useful until you notice "Textual Data".

Tanner:csaw $ xxd ataylor.png | head -n 15
0000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452  .PNG........IHDR
0000010: 0000 025c 0000 0191 0802 0000 003f e0fa  ...\.........?..
0000020: 1000 0000 2b74 4558 7454 6865 7365 2061  ....+tEXtThese a
0000030: 7265 6e27 7420 7468 6520 6368 756e 6b73  ren't the chunks
0000040: 2079 6f75 2772 6520 6c6f 6f6b 696e 6720   you're looking 
0000050: 666f 722e fc12 b529 0000 001f 7445 5874  for....)....tEXt
0000060: 596f 7520 6361 6e20 676f 2061 626f 7574  You can go about
0000070: 2079 6f75 7220 6275 7369 6e65 7373 2e7e   your business.~
0000080: d3c7 6800 0000 0b74 4558 744d 6f76 6520  ..h....tEXtMove 
0000090: 616c 6f6e 672e 4b1f ea49 0000 0009 7048  along.K..I....pH
00000a0: 5973 0000 2e23 0000 2e23 0178 a53f 7600  Ys...#...#.x.?v.
00000b0: 0000 0478 4f52 6b43 5341 57fc 4662 5500  ...xORkCSAW.FbU.
00000c0: 0040 0049 4441 5478 01ec bdd9 9625 3776  .@.IDATx.....%7v
00000d0: a6e9 7e7c 8c81 5352 54aa abba 2e7a d595  ..~|..SRT....z..
00000e0: f400 b5ea 01fb 99ea 61ba bb56 772d a5a4  ........a..Vw-..

"These aren't the chunks you're looking for" "You can go about your business" "Move along"

Definitely on the right track. The important thing to notice is "xORkCSAW" hidden right before the image data starts: a chunk of type xORk whose data is "CSAW". So, XOR the entire image with the byte string "CSAW":

package main

import (
	"fmt"
	"os"
)

func main() {
	// Read the whole file at once; os.Stat plus a single Read can come up short.
	input, err := os.ReadFile("ataylor.png")
	if err != nil {
		fmt.Println(err)
		return
	}

	key := [...]byte{0x43, 0x53, 0x41, 0x57} // "CSAW", the data of the xORk chunk
	out := make([]byte, len(input))
	for i := range input {
		out[i] = input[i] ^ key[i%len(key)] // repeating-key XOR over the entire file
	}

	// Dump the result; the key{...} string can be picked out of the noise.
	fmt.Println(string(out))
}

Result:

Tanner:csaw $ go build ataylor.go

Tanner:csaw $ ./ataylor
NY[]CSAZ
SC
  CS@?KQAWCl??SSAWh'7
...snip...
      n???;;?s-???MJ`?ĚFpC1?_??9?V???&?_?(??Ԅ??>V?t+^q?CSAc(#key{SPECIFICATIONS SUBJECT TO CHANGE WITHOUT NOTICE}"??CSAW
?!?

Answer: key{SPECIFICATIONS SUBJECT TO CHANGE WITHOUT NOTICE}
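As an added example (not code from the original writeup), the Python below does what the author did with xxd and ataylor.go and generalises it a little: it walks the PNG chunk list and verifies each CRC, so a tampered or truncated chunk is reported rather than silently skipped, takes the key from the non-standard xORk chunk instead of hard-coding it, and XORs each chunk phased by its file offset so the result matches the whole-file XOR. The image it runs on is constructed inline; it is not ataylor.png.

```python
import re
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
FLAG_RE = re.compile(rb"key\{[^}]*\}")

def chunks(png):
    """Yield (type, data offset, data) per chunk, verifying the CRC32 that PNG stores
    over type+data; a bad signature, a short chunk or a CRC mismatch raises."""
    if not png.startswith(PNG_SIG):
        raise ValueError("bad PNG signature")
    p = len(PNG_SIG)
    while p + 12 <= len(png):
        (n,) = struct.unpack(">I", png[p:p + 4])
        if p + 12 + n > len(png):
            raise ValueError(f"truncated chunk at offset {p}")
        typ, data = png[p + 4:p + 8], png[p + 8:p + 8 + n]
        (crc,) = struct.unpack(">I", png[p + 8 + n:p + 12 + n])
        if crc != zlib.crc32(typ + data):
            raise ValueError(f"CRC mismatch in {typ!r} chunk at offset {p}")
        yield typ.decode("latin-1"), p + 8, data
        p += 12 + n

def xor_key(data, key, offset=0):
    """Repeating-key XOR phased by file offset, so decoding one chunk on its own gives
    the same bytes as the writeup's whole-file XOR in ataylor.go."""
    return bytes(b ^ key[(offset + i) % len(key)] for i, b in enumerate(data))

def find_flag(png):
    """Take the key from the non-standard xORk chunk, decode every chunk with it and
    return the first key{...} string, or None if there is no such chunk or no match."""
    parsed = list(chunks(png))
    key = next((d for t, _, d in parsed if t == "xORk"), None)
    if not key:
        return None
    for _, off, data in parsed:
        m = FLAG_RE.search(xor_key(data, key, off))
        if m:
            return m.group().decode()
    return None

def make_chunk(typ, data):
    """Frame one chunk with a valid CRC; used only to build the constructed sample."""
    return struct.pack(">I", len(data)) + typ + data + struct.pack(">I", zlib.crc32(typ + data))

def sample_png():
    """Constructed stand-in for ataylor.png (not the real file): a tEXt decoy, an xORk
    chunk holding the key CSAW and an IDAT XORed with that key at its file offset."""
    head = PNG_SIG + make_chunk(b"tEXt", b"Move along.") + make_chunk(b"xORk", b"CSAW")
    hidden = xor_key(b"key{CONSTRUCTED_SAMPLE}", b"CSAW", len(head) + 8)
    return head + make_chunk(b"IDAT", hidden) + make_chunk(b"IEND", b"")
```

In PNG chunk names a lowercase first letter marks an ancillary chunk and a lowercase second letter a private one, so xORk claims to be a public ancillary type that no PNG spec registers, which is exactly why it stands out in the xxd dump.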

Recon 3 - Jordan Wiens

The original hint for this one was "The path starts where last year's ended", which refers to key.psifertex.com. Looking for last year's Jordan Wiens recon writeup would have led you there, but they changed it a few hours later to link directly to that site, which has the hint "Michael Vario sure does some suspicious signs, hope he doesn't do me."

A bit of googling leads us to this relevant site, which talks about PGP users signing other people's public keys, and how 'Michael Vario' signed Assange's and Snowden's, which basically means he vouched for their identities. Thinking back to the hint, "hope he doesn't do me" implies that psifertex, AKA Jordan Wiens, has a PGP key.

Using the same PGP keyserver linked from the site, we can search for either psifertex or Jordan Wiens, and we'll get to this page which has the PGP uid "Jordan Wiens (CSAW folks: getting warmer) csaw@psifertex.com".

We're getting warmer, but where do we go from here? It's not an obvious hint, so the result must be somewhere we can get to from that site. In fact, we look at the full public key block for psifertex. If you've used PGP before, you may notice that this key block is significantly longer than a normal public key, so some data may be hidden there.

A bit of googling leads me to the program pgpdump. You can view the whole dump by pasting it into http://www.pgpdump.net/, but the relevant piece sits right in the middle of the wall of text:

New: User Attribute Packet(tag 17)(6351 bytes)
	Sub: image attribute(sub 1)(6348 bytes)
		Image encoding - JPEG(enc 1)
		Image data(6332 bytes)

The PGP key contains an image file! We are very close to the answer. Googling for "PGP user attribute packet" is informative, and I find a site that claims to read and display the image. It works!

Answer: key{mvarioisnotmyhomeboy}
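The pgpdump output above is a User Attribute packet (tag 17) carrying an image subpacket. As an added example (not part of the original writeup, and not pgpdump's code), the parser below walks the RFC 4880 packet framing and returns the embedded JPEG bytes, which is what the image-displaying site did. The key block it parses is constructed inline with a placeholder image, not psifertex's real key.

```python
import struct

def var_len(buf, p, subpacket=False):
    """RFC 4880 new-style length at buf[p] -> (length, bytes used). Packet partial
    lengths (224..254) are rejected; in a subpacket that range is the two-octet form."""
    first = buf[p]
    if first < 192:
        return first, 1
    if first < 224 or (subpacket and first < 255):
        return ((first - 192) << 8) + buf[p + 1] + 192, 2
    if first == 255:
        return struct.unpack(">I", buf[p + 1:p + 5])[0], 5
    raise ValueError(f"partial body length at offset {p} not supported")

def packets(data):
    """Yield (tag, body) for each OpenPGP packet, accepting old- and new-format headers."""
    p = 0
    while p < len(data):
        ctb = data[p]
        if ctb & 0xC0 == 0xC0:  # new format: tag in the low 6 bits
            n, hdr = var_len(data, p + 1)
            tag, hdr = ctb & 0x3F, hdr + 1
        elif ctb & 0xC0 == 0x80 and ctb & 3 != 3:  # old format: tag in bits 2-5
            tag, size = (ctb >> 2) & 0x0F, 1 << (ctb & 3)
            n, hdr = int.from_bytes(data[p + 1:p + 1 + size], "big"), 1 + size
        else:
            raise ValueError(f"unsupported packet header at offset {p}")
        yield tag, data[p + hdr:p + hdr + n]
        p += hdr + n

def user_images(keyblock):
    """Return the raw JPEG bytes of every image attribute (subpacket type 1) carried in
    User Attribute packets (tag 17), the structure pgpdump printed in the writeup."""
    images = []
    for tag, body in packets(keyblock):
        p = 0
        while tag == 17 and p < len(body):  # subpackets only exist in tag 17 bodies
            n, hdr = var_len(body, p, subpacket=True)
            sub = body[p + hdr:p + hdr + n]
            # v1 image header: 2-byte little-endian header length (16), version 1, encoding 1 = JPEG
            if sub[:1] == b"\x01" and sub[3:5] == b"\x01\x01":
                images.append(sub[1 + int.from_bytes(sub[1:3], "little"):])
            p += hdr + n
    return images

# Constructed sample (not psifertex's real key): an old-format User ID packet followed
# by a new-format User Attribute packet that carries a tiny JPEG stand-in.
JPEG = b"\xff\xd8\xff\xe0constructed\xff\xd9"
UID = b"Jordan Wiens (CSAW folks: getting warmer) csaw@psifertex.com"
SAMPLE = (b"\xb4" + bytes([len(UID)]) + UID + b"\xd1" + bytes([len(JPEG) + 18])
          + bytes([len(JPEG) + 17]) + b"\x01" + struct.pack("<HBB", 16, 1, 1) + bytes(12) + JPEG)
```

Feeding it a real exported public key (after dearmoring) walks straight past the key, user ID and signature packets and returns only the image attribute data, which is where the challenge hid its clue.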

Recon 4 -- Kevin Chung

This one I was also stuck on until the hint "Where can you graduate from?" was added. From Kevin's LinkedIn page, found by searching "Kevin Chung nyu-poly", there are two options: NYU Polytech, or Staten Island Technical High School. The first has no immediate results. The second ("kevin chung staten island technical high school") leads us to this ISIS page.

It's important in recon to realize that we're looking for places the user has control over - where could they hide information? The ISIS sites are obvious answers, and indeed, Kevin Chung's name on that page links to a key.txt file.

Answer: key{who_in_the_world_is_kevin_chung}

Recon 5 -- historypeats

Probably the easiest recon. A Google search for "historypeats" leads to his GitHub account on the first page, but you can also check a username-checking site like namechk. From GitHub, my first guess is "public activity": what have they done most recently? His most recent change is here. That was easy!

Answer: key{whatDidtheF0xSay?}

Recon 6 -- Brandon Edwards

A slightly more difficult recon. Brandon Edwards leads us to Twitter user @drraid. From this point I was a little bit lost, but another namechk lookup saves me. Drraid's GitHub account doesn't show up in Google, because it's basically an inactive account. But hit his public activity, and we get a single commit.

This is sophsec's site code. I found the sophsec site earlier but didn't think to check the source code: searching for "csaw" or "key" would have gotten me there a lot faster! Again, think about where the user has control, and go about your search as methodically as possible.

Answer: key{a959962111ea3fed179eb044d5b80407}

Recon 7 -- Odin

I was stuck on this one for a while, and if you aren't an IRC user you are totally lost on this one. I had actually abandoned it, but as I was idling on IRC, I noticed the user "snOwDIN". It's as easy as "/whois snOwDIN", which gives "linkedin:chinesespies". The LinkedIn profile is here. Note that you can't get there by searching; you need to know the LinkedIn URL syntax for accounts (or use namechk again).

Answer: key{cookies_are_for_csaw}
