Cambodia Cyber Contest 2018 Write-up

Cambodia Cyber Contest 2018 is a Jeopardy-style Capture the Flag (CTF) competition organized by the Ministry of Post & Telecommunication (MPTC). Competitors are individuals who are either students or graduates who finished university within the past year. Players have to answer questions in categories such as Binary, Reverse Engineering, Forensics, Web, Misc, etc.

Below are some of the challenges that we managed to solve during the event.

Angkor Wat Temple

We are provided with the below file.

Angkor-Wat-Temple2_2d10bc9f910d2fbe104231d3bb039b0d.jpg

Based on the file extension, it should be an image file, but in order to make sure it is really an image file, we used the command file.

So this really is a JPEG image file. Let’s try to open it with an image viewer.

We saw some interesting vertical pixels on the left of the image. We took note of it and explored other areas first. We checked the metadata of the image with exiftool.

There seemed to be no interesting information here. Since this file is quite large (8 MB+), we wanted to see whether any interesting data was hidden inside it. We used the strings command for this.

We found the flag at the end of the file, and the flag of this challenge is AngkorWarrior2018{W3_Pr0ud_0f_0ur_4ngkor_W4t}
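The reason strings finds the flag but the image viewer never shows it is that a JPEG decoder stops at the End-Of-Image marker (FF D9) and ignores anything appended after it. The following Python is an added example (not part of the original write-up) that checks a JPEG for trailing data, re-implements the part of strings that was useful here, and searches for the contest flag format. The byte string is a constructed stand-in, not the real challenge image.

```python
import re

# Constructed sample: a minimal JPEG-like byte string (SOI ... EOI) with text
# appended after the End-Of-Image marker, the way the flag was hidden here.
SAMPLE_JPEG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\x00" * 64                      # stand-in for compressed image data
    + b"\xff\xd9"                       # EOI marker: a viewer stops here
    + b"\x00\x00\xfe\x01"               # a few junk bytes before the text
    + b"AngkorWarrior2018{sample_flag_not_from_the_real_file}\n"
)

FLAG_RE = re.compile(rb"AngkorWarrior2018\{[^}]*\}")


def trailing_data(jpeg: bytes) -> bytes:
    """Return whatever follows the last JPEG EOI marker (FF D9).

    Image viewers stop decoding at EOI, so anything after it is invisible
    to them but still part of the file. An empty result means nothing is
    appended (or the file is not a complete JPEG)."""
    idx = jpeg.rfind(b"\xff\xd9")
    if idx < 0:
        return b""
    return jpeg[idx + 2:]


def printable_strings(data: bytes, min_len: int = 4):
    """Small re-implementation of what `strings` prints: runs of at least
    min_len printable ASCII bytes (0x20..0x7e)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_flags(data: bytes):
    """Every substring matching the contest flag format."""
    return [m.group().decode("ascii") for m in FLAG_RE.finditer(data)]


if __name__ == "__main__":
    extra = trailing_data(SAMPLE_JPEG)
    print("bytes after EOI:", len(extra))
    print("strings:", printable_strings(SAMPLE_JPEG))
    print("flags:", find_flags(SAMPLE_JPEG))
```

On a real file, read it in binary mode and pass the bytes to trailing_data first: a non-empty result is the quickest sign that something was appended, and is also what a forensic triage script should flag before anyone bothers with strings.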

ABC Bank

We are provided with the below file.

abcbank_fbde374293f08e6d459baa29f3b98c49.cap

Based on the file extension, it should be a network capture file, but in order to make sure it is really a network capture file, we used the command file.

So this is a tcpdump capture file, which confirms it as a network capture. Let’s open the file with a tool like Wireshark.

We saw protocols such as 802.11 and EAPOL, which are related to wireless communication. The 802.11 frames carry the data transmitted over the wireless network, but we can’t read them as they are encrypted. EAPOL is the network authentication protocol used to exchange cryptographic keying material. Let’s see which security protocol this wireless network uses.

We saw that it is using the WPA security protocol. WPA is known to be vulnerable to dictionary attacks against the captured authentication handshake. Let’s try to brute-force the secret key of this wireless network using aircrack-ng.

We found the secret key of the wireless network, which is strawberry, so the flag for this challenge is AngkorWarrior2018{strawberry}

Cam01

We are provided with the below file.

cam_1dcbb70fe426ad7c2465a0fdf865ca86.cert-my-0video_03c880e4aaa75efb2200c22e5dcd996d.avi

Based on the file extension, it should be an AVI video file, but in order to make sure it is really a video file, we used the command file.

We saw that this is not a video file but actually a text file. Let’s view the text inside the file with the cat command.

It looked like a Base64 encoded text. Let’s try to decode it.

We could decode the first part of the encoded text, then the decoder threw an error with an invalid input message. We saw the literal characters \n in the text, which are not valid in Base64, so we removed them and decoded it again.

We got all the clear text this time, and the flag for this challenge is AngkorWarrior2018{W3 4re C4mC3RT, w3 ar3 s3cur1ty, we 4re y0ur gu1d4nc333212!}

Cam02

We are provided with the below file.

cam_690ea2cbdd4788db041527f82ddcacd6.cert_0mpeg_aebf2e30e0c4e4ea51439babe3082235.mpeg

Based on the file extension, it should be a MPEG video file, but in order to make sure it is really a video file, we used the command file.

We saw that this is not a video file but actually a text file. Let’s view the text inside the file with the cat command.

It looked like binary-encoded text. Let’s decode it with this tool.

We got the flag, and the flag for this challenge is AngkorWarrior2018{P30ple 4lw4ys m4k3 th3 b3st 3xpl01ts.}

Cam03

We are provided with the below file.

cam_283765171ee7ca7d99876f4e1c904928.cert_1m4v_e76068db6013a9ca6c53d1bb7ca3dcd1.m4v

Based on the file extension, it should be a M4V video file, but in order to make sure it is really a video file, we used the command file.

It is not a video file but actually a text file. Let’s view the text inside the file with the cat command.

It looked like a substitution cipher, which replaces each character with another one. Let’s try to decrypt it with this tool. Here is what we got.

We knew that the flag format is AngkorWarrior2018{}, so let’s substitute the characters accordingly.

Now it is time to make sense of the remaining text.

Finally, we got the flag and the substitution alphabet, which is AZERTYUIONQSDFGHXKLMWJCPBV. So the flag for this challenge is ANGKORWARRIOR2018{G3T_1T_D0N3_4ND_G0_F0RW4RD}

Encrypted

We are provided with the below file.

encrypted_74abb9ccc2e1ad4ef9ea4399103b519e.txt

Based on the file extension, it should be a text file, but in order to make sure it is really a text file, we used the command file.

It really is a text file. Let’s view the text inside the file with the cat command.

It looked like a substitution cipher, which replaces each character with another one. The best-known substitution cipher is ROT-13, which rotates each letter by 13 positions. For example, ROT-13 turns the letter a into the letter n, which is 13 letters further on. To decrypt it, we need to rotate it back 13 positions. Let’s try to decrypt our ciphertext with this tool.

It seemed that ROT-13 is not correct. What if it is not ROT-13 but ROT-n? Let’s try again with a ROT-n tool.

Finally, we got the flag with ROT-4. Since the flag format is AngkorWarrior2018{}, we replaced the word before {} with AngkorWarrior2018, so the final flag for this challenge is AngkorWarrior2018{[email protected]}
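Both Cam03 and Encrypted are monoalphabetic substitutions; ROT-n is simply the special case whose key is the alphabet shifted by n. The Python below is an added example, not code from the write-up, that does in code what was done with online tools: it decrypts with a full key, recovers a partial key from the known flag prefix (the crib), and brute-forces all 26 shifts until a crib appears. The Cam03 key is taken from the write-up; the assumed direction is that the i-th key letter is the ciphertext letter standing for the i-th plaintext letter (A->A, B->Z, C->E, ...). The ciphertexts are constructed from that key and from a made-up flag, not copied from the challenge files.

```python
import string

ALPHABET = string.ascii_uppercase

# Key reported in the Cam03 section. Assumed direction: CAM03_KEY[i] is the
# ciphertext letter that stands for plaintext letter ALPHABET[i].
CAM03_KEY = "AZERTYUIONQSDFGHXKLMWJCPBV"


def _translate(text: str, table: dict) -> str:
    """Map letters through table (upper-case keys), keep case, and pass
    through anything not in the table (digits, _, {, })."""
    out = []
    for ch in text:
        up = ch.upper()
        if up in table:
            rep = table[up]
            out.append(rep if ch.isupper() else rep.lower())
        else:
            out.append(ch)
    return "".join(out)


def encrypt_substitution(plaintext: str, key: str) -> str:
    return _translate(plaintext, dict(zip(ALPHABET, key)))


def decrypt_substitution(ciphertext: str, key: str) -> str:
    return _translate(ciphertext, dict(zip(key, ALPHABET)))


def rot_key(n: int) -> str:
    """ROT-n is the substitution whose key is the alphabet shifted by n."""
    n %= 26
    return ALPHABET[n:] + ALPHABET[:n]


def crib_mapping(ciphertext: str, crib: str) -> dict:
    """Partial key recovery: align a known plaintext prefix (the flag format)
    with the start of the ciphertext. Returns {cipher_letter: plain_letter}
    and raises if two positions disagree, which means the crib is wrong."""
    mapping = {}
    for c, p in zip(ciphertext.upper(), crib.upper()):
        if not c.isalpha():
            if c != p:
                raise ValueError(f"crib does not align at {c!r}")
            continue
        if mapping.setdefault(c, p) != p:
            raise ValueError(f"conflicting mapping for {c}")
    return mapping


def apply_partial(ciphertext: str, mapping: dict) -> str:
    """Show what the crib alone reveals; still-unknown letters become '?'."""
    return "".join(mapping.get(ch.upper(), "?") if ch.isalpha() else ch
                   for ch in ciphertext)


def brute_force_rot(ciphertext: str, cribs=("angkorwarrior2018{", "flag{")):
    """Try every shift; return (n, plaintext) for the first output that
    contains one of the cribs, or None if no shift works."""
    for n in range(26):
        candidate = decrypt_substitution(ciphertext, rot_key(n))
        if any(crib in candidate.lower() for crib in cribs):
            return n, candidate
    return None


# Constructed samples (not the real challenge files): the Cam03 flag encrypted
# under the reported key, and a made-up flag passed through ROT-4.
CAM03_PLAIN = "ANGKORWARRIOR2018{G3T_1T_D0N3_4ND_G0_F0RW4RD}"
CAM03_CIPHER = encrypt_substitution(CAM03_PLAIN, CAM03_KEY)
ROT4_CIPHER = encrypt_substitution("flag{constructed_sample_text}", rot_key(4))

if __name__ == "__main__":
    partial = crib_mapping(CAM03_CIPHER, "ANGKORWARRIOR2018{")
    print("Cam03 ciphertext:", CAM03_CIPHER)
    print("crib alone      :", apply_partial(CAM03_CIPHER, partial))
    print("full key        :", decrypt_substitution(CAM03_CIPHER, CAM03_KEY))
    print("ROT-n search    :", brute_force_rot(ROT4_CIPHER))
```

The crib step is the interesting one: the 18-character flag prefix alone fixes 8 of the 26 letters, and the conflict check in crib_mapping is what tells you the text is not a simple substitution at all (a ValueError there is the signal to stop guessing and look for another encoding).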

Intercept

We are provided with the below file.

intercept_31fe0466eac7804e485dabd94d503e27.pcap

Based on the file extension, it should be a network capture file, but in order to make sure it is really a network capture file, we used the command file.

So this is a tcpdump capture file, which confirms it as a network capture. Let’s open the file with a tool like Wireshark.

We saw protocols such as TCP and HTTP. There are many HTTP packets, so let’s follow these HTTP streams.

We viewed the first HTTP stream, and there was nothing interesting there. Let’s try the other streams.

We found a password containing the word flag, but when we submitted it, it was not correct. Maybe that was because it was URL encoded; let’s decode it with this tool.

We found the actual flag. Since the flag format is AngkorWarrior2018{}, we replaced flag{} with AngkorWarrior2018{}, so the final flag for this challenge is AngkorWarrior2018{pl$_$$l_y0ur_l0g1n_form$}

Try Me

We are provided with the below file.

tryme_804c84e84aed8930941696d4df7809d3_2.zip

Based on the file extension, it should be a zip file, but in order to make sure it is really a zip file, we used the command file.

It is really a zip file. We then unzipped it.

There is a file named tryme.txt, and it is a text file. We tried to read the text inside the file with the cat command, but there is a lot of content in there. However, we saw the interesting text below on line 173.

After some googling, we found that it is actually an encoding called aaencode. We found this online tool to decode it.

We found the flag for this challenge which is AngkorWarrior2018{N0w_Y0u_Kn0w_J4v45cr1pt_C4n_3nc0d3!}

Find Me

We are provided with the below file.

findme_7457c6d8236939a143f801de8ec60b33.zip

Based on the file extension, it should be a zip file, but in order to make sure it is really a zip file, we used the command file.

It is really a zip file. We then unzipped it.

After unzipping, there were 1000 files of the same size in a folder named data. Let’s see what kind of files they are by running the file command on them.

Most of them were ASCII text files. We filtered those out to see the other file types.

Only 6 files were not ASCII text. Let’s open each one of them.

We found the flag. Since the flag format is AngkorWarrior2018{}, we replaced AWC2018{} with AngkorWarrior2018{}, so the final flag for this challenge is AngkorWarrior2018{It_I5_4_Thou54nd_W0rd_Righ7}
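The trick in Find Me is that the 1000 files all have the same size, so size tells you nothing and only content type separates the 6 outliers from the 994 decoys. The following Python is an added example (not from the write-up) of that triage: it classifies each file the way file does (signature first, then an "is every byte printable ASCII" check) and reports whichever files do not share the majority type. The data folder is constructed in a temporary directory, with 6 PNG-like files hidden among text filler, so the script runs offline; the real challenge files are not used.

```python
import os
import tempfile
from collections import Counter

# Bytes that `file` accepts in something it calls "ASCII text".
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def looks_like_ascii_text(data: bytes) -> bool:
    """True when every byte is printable ASCII or tab/CR/LF."""
    return all(b in TEXT_BYTES for b in data)


def classify(path: str) -> str:
    """Minimal stand-in for the `file` command: check a few signatures on
    the first 4 KiB, then fall back to the ASCII test."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head.startswith(b"\xff\xd8\xff"):
        return "JPEG image"
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return "PNG image"
    if head.startswith(b"PK\x03\x04"):
        return "Zip archive"
    if looks_like_ascii_text(head):
        return "ASCII text"
    return "data"


def triage(directory: str):
    """Classify every file; return (type counts, outliers), where outliers
    are the (name, type) pairs that differ from the majority type."""
    types = {name: classify(os.path.join(directory, name))
             for name in sorted(os.listdir(directory))}
    counts = Counter(types.values())
    majority = counts.most_common(1)[0][0]
    outliers = [(name, t) for name, t in types.items() if t != majority]
    return counts, outliers


def build_sample_dir(n_total: int = 1000, n_odd: int = 6) -> str:
    """Constructed stand-in for the challenge's data folder: n_total files
    of identical size (100 bytes), all text filler except n_odd that carry
    PNG-like binary content. Returns the directory path."""
    directory = tempfile.mkdtemp(prefix="findme_")
    filler = (b"lorem ipsum dolor sit amet " * 4)[:100]
    png_like = b"\x89PNG\r\n\x1a\n" + b"\x00" * 92       # also 100 bytes
    odd_ids = {int(i * n_total / n_odd) for i in range(n_odd)}
    for i in range(n_total):
        with open(os.path.join(directory, f"{i:04d}.dat"), "wb") as fh:
            fh.write(png_like if i in odd_ids else filler)
    return directory


if __name__ == "__main__":
    folder = build_sample_dir()
    counts, outliers = triage(folder)
    print(dict(counts))
    for name, kind in outliers:
        print("look at:", name, "->", kind)
```

The same majority-versus-outlier idea generalizes to any "needle in a haystack" folder: when the author has padded every file to the same size, the only signal left is what the bytes look like, so classify first and read only the minority.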

Airport

We are provided with the below file.

Airpot_482f297af20ed2fab739d2414537539e.zip

Based on the file extension, it should be a zip file, but in order to make sure it is really a zip file, we used the command file.

It is really a zip file. We then unzipped it.

Here are the files we extracted from the zip file. There are 5 images of Cambodian airports and an image about steghide.

We knew that the flag should have something to do with steghide, but we had no clue about the passphrase. We tried to brute-force steghide with the rockyou dictionary, without success.

We then came across a write-up on GitHub that was very similar. We tried the same approach by searching for the airport codes in Cambodia, and here is what we got from Wikipedia.

We concatenated both the ICAO and the IATA codes in the order of the images:
ICAO: VDPPVDSRVDBGVDSVVDST
IATA: PNHREPBBMKOSTNX
Then we used them as passphrases for steghide.

The ICAO passphrase was not correct, but the IATA passphrase got us a file called Key.txt. Let’s see what is in that file.

We got the flag for this challenge, and it is AngkorWarrior2018{Kn0w_W3ll_Y0ur_C4mb0d13_A1p0rt}

Run Me

We are provided with the below file.

runme_1b603cdb2d3f3409536454872a37e18c.zip

Based on the file extension, it should be a zip file, but in order to make sure it is really a zip file, we used the command file.

It is a zip file. Let’s extract it and see what is inside.

There was a file called runme in the zip, and it is a text file. Let’s see what is inside that text file with the cat command.

After some googling, we found that it is written in the esoteric programming language Brainfuck. Let’s decode it with this tool by clicking on Brainfuck to Text.

We found the flag for this challenge which is AngkorWarrior{D0_Y0u_l34rn_S0m7h1ng_N3w}
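Rather than paste an unknown program into an online tool, a Brainfuck program can be run locally in a few dozen lines. The interpreter below is an added example, not code from the write-up: it supports the eight commands, wraps cells at 256, precomputes the bracket jump table, and enforces a step limit so that a deliberately non-terminating program cannot hang the analysis. The text_to_brainfuck helper only exists to construct a sample program here; it is not how the challenge file was made, and its output is far longer than a hand-written program.

```python
def run_brainfuck(program: str, stdin: bytes = b"", max_steps: int = 10_000_000) -> str:
    """Interpret a Brainfuck program and return what it wrote to output.

    Commands: > < + - . , [ ]; every other character is ignored (comment).
    Cells are unsigned bytes that wrap at 256. max_steps guards against a
    program that loops forever (a real risk with unknown CTF input)."""
    jumps, stack = {}, []
    for i, ch in enumerate(program):          # pair every [ with its ]
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise SyntaxError(f"unmatched ] at offset {i}")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise SyntaxError(f"unmatched [ at offset {stack[-1]}")

    tape, ptr, pc, inp, steps = bytearray(30000), 0, 0, 0, 0
    out = bytearray()
    while pc < len(program):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded; program may not terminate")
        ch = program[pc]
        if ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = stdin[inp] if inp < len(stdin) else 0  # EOF reads 0
            inp += 1
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        pc += 1
    return out.decode("latin-1")


def text_to_brainfuck(text: str) -> str:
    """Build a deliberately naive program that prints text: for each byte,
    clear the cell, add the byte value, print. Used only to construct a
    sample here (constructed, not the challenge's runme file)."""
    return "".join("[-]" + "+" * b + "." for b in text.encode("latin-1"))


# The classic public-domain "Hello World!" program, as a known-good check.
HELLO_WORLD = ("++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]>>.>---.+++++++.."
               "+++.>>.<-.<.+++.------.--------.>>+.>++.")

if __name__ == "__main__":
    print(run_brainfuck(HELLO_WORLD), end="")
    sample = text_to_brainfuck("AngkorWarrior2018{constructed_sample}")
    print(run_brainfuck(sample))
```

The step limit matters more than it looks: an unknown program from a challenge (or from a phishing attachment) may be written never to halt, and a bounded interpreter turns that into an exception instead of a stuck process.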

KeePass

We are provided with the below file.

keepass_1f4e939f0e953fea87bd7b39e69d7aa4.kdbx

Based on the file extension, it should be a KeePass file, but in order to make sure it is really a KeePass file, we used the command file.

It really is a KeePass file, which is a database file for storing passwords. Let’s try to crack its master password.

John the ripper method:

Hashcat method:

We had to remove the keepass_1f4e939f0e953fea87bd7b39e69d7aa4: prefix from the hash line in keepass.hashcat in order to make it work with hashcat.

Both tools found the same master password, which is q1w2e3r4t5. We used this master password to read the passwords and credit card details saved in this KeePass database file.

So the flag for this challenge is AngkorWarrior{q1w2e3r4t5}

GIF01

We are provided with the below file.

34908499_2080020985406621_3749377986936176640_n.gif

Based on the file extension, it should be a GIF file, but in order to make sure it is really a GIF file, we used the command file.

This is really a GIF file. Let’s open it to see what is inside.

It showed a moving QR code and an animated cartoon bear. We tried to scan the QR code, but it did not work. We used this tool to extract the frames from the GIF, then used Photoshop or Microsoft Paint to cut out the pieces and stitch them together into a working QR code.

We then were able to scan the QR code and got the flag for this challenge as AngkorWarrior2018{My_P4y_W4s_F1x}

GIF02

We are provided with the below file.

35516681_2079906472084739_6779993411635118080_n.gif

Based on the file extension, it should be a GIF file, but in order to make sure it is really a GIF file, we used the command file.

This is really a GIF file. Let’s open it to see what is inside.

It showed a moving QR code and an animated cartoon cat. We tried to scan the QR code, but it did not work. We used this tool to extract the frames from the GIF, then used Photoshop or Microsoft Paint to cut out the pieces and stitch them together into a working QR code.

When we scanned the QR code, we found 47 characters on 47 lines. We joined them together by removing the spaces and newlines to get the text QW5na29yV2FycmlvcjIwMTh7RDBuX0YwMGxfTTNfTXIwM30. It looked like Base64-encoded text, so let’s decode it.

The invalid input error is only due to the missing padding, but we still got the flag, which is AngkorWarrior2018{D0n_F00l_M3_Mr03}
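Cam01 and GIF02 fail for two different Base64 reasons: Cam01 contains the literal two-character sequence \n (a backslash and an n) inside the encoded text, and GIF02 is 47 characters long, which is not a multiple of 4, so the trailing = padding is missing. The Python below is an added example (not from the write-up) of a lenient decoder that handles both, plus real whitespace from the one-character-per-line QR output, while still decoding strictly afterwards so a genuinely corrupt payload raises instead of yielding garbage. The GIF02 string is the one quoted above; the Cam01 sample is constructed.

```python
import base64
import binascii
import re


def strict_decode_fails(text: str) -> bool:
    """True if a strict decoder rejects the text as-is (the 'invalid input'
    both challenges produced)."""
    try:
        base64.b64decode(text, validate=True)
        return False
    except (binascii.Error, ValueError):
        return True


def decode_base64_lenient(text: str) -> bytes:
    """Decode Base64 that was mangled in transit.

    1. Literal backslash-n sequences (Cam01) are removed. A plain
       b64decode would silently drop the backslash but keep the 'n', which
       is a valid Base64 symbol, and corrupt everything after it.
    2. Real newlines, spaces and tabs (the 47-line QR payload in GIF02)
       are stripped.
    3. Missing '=' padding is added so the length is a multiple of 4.
    Then decode with validate=True so anything else still raises."""
    cleaned = text.replace("\\n", "")
    cleaned = re.sub(r"\s+", "", cleaned)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned, validate=True)


# Payload quoted in the GIF02 section (47 characters, no padding).
GIF02_PAYLOAD = "QW5na29yV2FycmlvcjIwMTh7RDBuX0YwMGxfTTNfTXIwM30"

# Constructed Cam01-style sample: valid Base64 with a literal "\n" spliced in
# every 16 characters (not the real challenge file).
CAM01_PLAIN = b"AngkorWarrior2018{constructed sample one}"
_enc = base64.b64encode(CAM01_PLAIN).decode("ascii")
CAM01_SAMPLE = "\\n".join(_enc[i:i + 16] for i in range(0, len(_enc), 16))

if __name__ == "__main__":
    print("strict fails on Cam01 sample:", strict_decode_fails(CAM01_SAMPLE))
    print("strict fails on GIF02 payload:", strict_decode_fails(GIF02_PAYLOAD))
    print(decode_base64_lenient(CAM01_SAMPLE))
    print(decode_base64_lenient(GIF02_PAYLOAD))
    print(decode_base64_lenient("\n".join(GIF02_PAYLOAD)))   # one char per line
```

The order of the cleanup steps is deliberate: padding is computed only after every stray character is gone, otherwise the count of = signs is wrong and the strict decode fails again.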

Sensitive Data

We are provided with the below file.

sensitivedata_9796065882d13a57dbfef6d2c06726a0.pcapng

Based on the file extension, it should be a network capture file, but in order to make sure it is really a network capture file, we used the command file.

So this is a tcpdump capture file, which confirms it as a network capture. Let’s open the file with a tool like Wireshark.

We found many HTTP and TCP packets here. Let’s try to extract any files from the capture using Export Objects.

We then found an image file in the HTTP object export, as shown below.

That should be the flag. Since the flag format is AngkorWarrior2018{}, we added AngkorWarrior2018 in front of the flag we found, so the final flag is AngkorWarrior2018{pcap_fun!??}
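Intercept and Sensitive Data are both the same operation on a followed TCP stream: split the raw HTTP messages, then either URL-decode a form body (Intercept's password=flag%7B... field) or pull out a non-text response body (Sensitive Data's image, which is what Wireshark's Export Objects does). The Python below is an added example, not code from the write-up or from Wireshark, of a minimal HTTP/1.1 stream parser that does both. The stream is constructed inline (a login POST carrying the Intercept flag, followed by a response with PNG-like bytes); it assumes Content-Length-delimited bodies and does not handle chunked transfer encoding.

```python
import re
from urllib.parse import parse_qs


def build_stream() -> bytes:
    """Constructed stand-in for one 'Follow TCP stream' output: a login POST
    (as in Intercept) followed by a response carrying a small image (as in
    Sensitive Data). Not taken from the real captures."""
    body = b"username=bill&password=flag%7Bpl%24_%24%24l_y0ur_l0g1n_form%24%7D&submit=Login"
    request = (b"POST /login.php HTTP/1.1\r\nHost: bank.example\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: %d\r\n\r\n" % len(body)) + body
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40           # stand-in image bytes
    response = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
                b"Content-Length: %d\r\n\r\n" % len(png)) + png
    return request + response


def parse_messages(stream: bytes):
    """Split a raw HTTP/1.1 stream into (start_line, headers, body) tuples.
    Headers are lower-cased; bodies are delimited by Content-Length only."""
    messages, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break                                  # truncated message
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        messages.append((lines[0], headers, stream[body_start:body_start + length]))
        pos = body_start + length
    return messages


def form_fields(body: bytes) -> dict:
    """Decode an application/x-www-form-urlencoded body. parse_qs applies
    the percent-decoding (%7B -> {, %24 -> $) that the submitted value was
    missing in the write-up."""
    return {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}


def export_objects(messages):
    """Wireshark's 'Export Objects > HTTP' in miniature: collect non-text
    response bodies together with their declared Content-Type."""
    found = []
    for start_line, headers, body in messages:
        ctype = headers.get("content-type", "")
        if start_line.startswith("HTTP/") and body and not ctype.startswith("text/"):
            found.append((ctype, body))
    return found


def to_contest_format(value: str) -> str:
    """Rewrite a flag{...} value into the AngkorWarrior2018{...} format."""
    return re.sub(r"^flag\{", "AngkorWarrior2018{", value)


if __name__ == "__main__":
    msgs = parse_messages(build_stream())
    fields = form_fields(msgs[0][2])
    print("decoded password:", fields["password"])
    print("submit as       :", to_contest_format(fields["password"]))
    for ctype, body in export_objects(msgs):
        print("exported object :", ctype, len(body), "bytes, magic", body[:4])
```

The same parser is what you would wrap a detection around on the defensive side: a login form submitted over plain HTTP is exactly why the password was readable in the capture in the first place.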

Artifact

We are provided with the below file.

artefact_e81693fc14e15e1be234c2c8f9aa2056.txt

Based on the file extension, it should be a text file, but in order to make sure it is really a text file, we used the command file.

It turned out that it is not a text file but actually an XZ compressed file. Let’s try to extract it.

We got a Linux EXT3 file system. Let’s mount it and see what is inside.

We couldn’t find anything interesting in that file system. Maybe the files were deleted or corrupted? Let’s try to recover them.

We recovered 3359 files. Time to find the flag.

We thought we had a hint here on where the flag is. Let’s dive deeper.

I played around with these text files, but I couldn’t get anything out of them. Then I did the same things over again in the subdirectory.

I found a file that actually made some sense to me. It seemed like an image file. I tried to open it in an image viewer, but it couldn’t be opened. When I ran the file command on it, here is what I got.

It was not recognized as an image. Maybe something is broken. Let’s look at it in a hex editor.

I then checked the list of file signatures and found this.

It seemed that our file’s signature was broken. Time to fix it.

We tried to open the file again and here it is.
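Every challenge in this write-up started with the file command, and the Artifact challenge ends with repairing a file signature by hand in a hex editor. The Python below is an added example, not code from the write-up or from the file utility, that shows both sides of that: a small signature table for the formats seen on this page (JPEG, PNG, GIF, zip, XZ, pcap, pcapng, RIFF/AVI and the ext2/3/4 superblock magic at offset 0x438), an identify function that mirrors what file reports, an extension-versus-content check that catches the .avi/.mpeg/.m4v files that were really text and the .txt that was really XZ, and a repair function that overwrites the leading bytes with the expected signature. The corrupted PNG is constructed; the magic values are the standard ones for each format.

```python
# Signature table: (description, byte offset, magic bytes). Values are the
# standard magic numbers of each format, not taken from any challenge file.
MAGIC = [
    ("JPEG image data", 0, b"\xff\xd8\xff"),
    ("PNG image data", 0, b"\x89PNG\r\n\x1a\n"),
    ("GIF image data", 0, b"GIF8"),
    ("RIFF (AVI) data", 0, b"RIFF"),
    ("Zip archive data", 0, b"PK\x03\x04"),
    ("XZ compressed data", 0, b"\xfd7zXZ\x00"),
    ("pcap capture file (little-endian)", 0, b"\xd4\xc3\xb2\xa1"),
    ("pcap capture file (big-endian)", 0, b"\xa1\xb2\xc3\xd4"),
    ("pcapng capture file", 0, b"\x0a\x0d\x0d\x0a"),
    ("Linux ext2/3/4 filesystem", 0x438, b"\x53\xef"),   # superblock magic 0xEF53
]
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def identify(data: bytes) -> str:
    """Name the format by signature, the way `file` does; fall back to
    'ASCII text' when every byte is printable, otherwise 'data'."""
    for desc, offset, sig in MAGIC:
        if data[offset:offset + len(sig)] == sig:
            return desc
    if data and all(b in TEXT_BYTES for b in data):
        return "ASCII text"
    return "data"


# What each extension promises, as a prefix of the identify() description.
EXPECTED_BY_EXT = {
    "jpg": "JPEG", "jpeg": "JPEG", "png": "PNG", "gif": "GIF", "avi": "RIFF",
    "zip": "Zip", "xz": "XZ", "pcap": "pcap capture", "pcapng": "pcapng",
    "txt": "ASCII text",
}


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension promises something the bytes are not. Unknown
    extensions are not judged."""
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext not in EXPECTED_BY_EXT:
        return False
    return not identify(data).startswith(EXPECTED_BY_EXT[ext])


def repair_signature(data: bytes, fmt: str) -> bytes:
    """Overwrite the leading bytes with the signature of the format the file
    is believed to be (the hex-editor fix from the Artifact challenge). Only
    the signature bytes change; a wrong guess yields a valid header followed
    by garbage, so verify the result actually opens."""
    for desc, offset, sig in MAGIC:
        if desc == fmt and offset == 0:
            return sig + data[len(sig):]
    raise ValueError(f"no leading signature known for {fmt!r}")


# Constructed sample: a PNG whose first four signature bytes were zeroed,
# followed by the start of an IHDR chunk.
CORRUPT_PNG = b"\x00\x00\x00\x00\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17

if __name__ == "__main__":
    print("cam_...avi  ->", identify(b"QW5na29yV2Fycmlv\n"))
    print("artefact.txt->", identify(b"\xfd7zXZ\x00\x00\x04"))
    print("mismatch?   ->", extension_mismatch("artefact.txt", b"\xfd7zXZ\x00\x00\x04"))
    print("corrupt     ->", identify(CORRUPT_PNG))
    print("repaired    ->", identify(repair_signature(CORRUPT_PNG, "PNG image data")))
```

Two practical notes: identify only checks the bytes it is given, so read at least 0x43A bytes if you want the ext superblock entry to work on a disk image; and repair_signature is a last resort, because a file that is not recognized can also be something legitimately different, which is exactly what the first step of every challenge above was checking.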

Since the flag format is AngkorWarrior2018{}, we replaced the word flag with AngkorWarrior2018, so the final flag is AngkorWarrior2018{[email protected]_stupid_color$}

Credential

We are provided with the below file.

system_8e6703d7c8b8bc6a907777520ada4eb6

SAM_1c6c201ed7137532af6e7104f56a6a56

The SYSTEM and SAM files can be used to get the usernames and the NTLM hashes of users’ passwords with the samdump2 command.

We got the hash of an active user named Bill. Let’s try to crack it with an online tool.

Since the flag format is AngkorWarrior2018{}, we wrapped the password in that format, so the final flag is AngkorWarrior2018{w3ch4112u1z99}

fsociety

We are provided with the below file.

fsociety_new_b0b564f046df1d42c8549b200ec82af3.zip

Based on the file extension, it should be a zip file, but in order to make sure it is really a zip file, we used the command file.

So this is a zip file. Let’s extract it and see what is inside.

There was a file named fsociety_new.dat inside. Let’s see what it is.

It looked like it was encrypted. We did not manage to solve this challenge ourselves. However, we found a write-up for Pragyan CTF 2017; we compared both files and they were identical, so the flag should be the same as well.

AngkorWarrior2018{HELLO FRIEND.}

No Hard No Soft But Firm

We are provided with the below file.

nohardnosoftbutfirm_d660c7cb0461a7a864e56c575e6a7246.elf

We have not found the solution for this challenge yet. If you have solved it, you can send us a write-up so that we can update this section.

Jump Flow

We are provided with the below file.

jumpflow_a2d814f9d96deaeb990c173966e95741

We have not found the solution for this challenge yet. If you have solved it, you can send us a write-up so that we can update this section.

Air Plit

We are provided with the below file.

airplit_8b9088983925fb5a4156f76c94572dd0

We have not found the solution for this challenge yet. If you have solved it, you can send us a write-up so that we can update this section.
