
Leetmore CTF 2012 : Stego 100 (Perfect Concealment)

This entry was posted on Oct 18 2012

We were given the ciphertext below:

The giant panda (Ailuropoda melanoleuca, meaning "black and white cat-foot") is a type of bear. It lives in bamboo forests in central China. The giant panda is an endangered animal. In November 2007, China had 239 giant pandas who lived in captivity. There are 27 giant pandas which live in zoos outside of China. The exact number of giant pandas in the wild is not known. Some sources say there are about 1,590, other sources give a number between 2,000 and 3,000. The number of giant pandas in the wild seems to be increasing.

Giant pandas are about 1.2–1.5 m long and about 75 cm high. They weigh between 75 and 160 kg. Giant pandas have white fur on their bodies and black fur on their legs and shoulders. They also have black ears and black patches around their eyes. Pandas can climb and swim well.

Giant pandas are born with pink skin, with black areas on the legs, ears, and eyes. They are usually born with a small amount of white fur. They get more fur when they are about nine months old.

Giant pandas live alone. Females have a territory which they deFend against other females. When female pandas are ready to mate, they give off a special scent and make a loud bLeating noise to tell the males that they are ready. Giant pandAs mate between the months of March and May which is the Summer months in China. If there are several males, they fight each other. The one who wins – the stronGest male, then mates with the female. In August or September, the female gIves birth to one or two babies. If she has two babies, she will only raise one baby, and the other baby dies, no-one really knows how the female panda chooSe between the two. Giant panda babies are very small, and weigh only 90–130 grams, which is about 1/900 of its mother's weight. The baby drinks milk until it is 8–9 months old. Young pandas live with their mothers until they are 18–24 months old. They become mature when they are 5–7 years old. They live around 20 years in the wild and up to 30 years in captivity (e.g. in zoos). Unlike other bears, pandas do not hibernate.

Today, the giant panda is seen as a symbol for China. It is also protected by the ChineSe government, and killing a panda is a crime. ThE giant panda is now under the threat of eXtinction, and it will die out if the forests of bamboo continue to disappear.

People outside of eastern Asia did not know about the giant panda until 1869. The first "Westerner" to see a live panda was a German zoologist in 1916. In 1936, Ruth Harkness became the first Westerner to bring a live giant panda out of China. It was a cub (babY panda) named Su-Lin. The cub was taken to live at the Brookfield Zoo in Chicago.

In the 1970s, China began showing giant pandaS in zoos in the UniTed States and Japan as a type of diplomacy. This happened until 1984, when China changEd how this was done. Starting in 1984, China would allow zoos to keep the giant pandas for 10 years, but the zoo would have to pay China up to $1,000,000 each year. Also, the zoo would have to aGree that any cubs born would belong to China.

Although their bodies are made to eat meat, giant pandas are mostly herbivOrous. Their main source of food is bamboo. Because pandas have the digestive system of carnivores and can not digest cellulose very well, they get little energy and protein from the bamboo they eat. Because they get very little nutrition from bamboo, they must eat a lot. Pandas commonly eat 20 to 30 pounds of bamboo a day to get the nutrition they need. Although there are more than 200 different varieties of bamboo the Panda will only eat 20 varieties. Pandas sometimes run out of food, as a tyPe of bamboo flowers, die, and regrow again at the same time.

As of 2008, the giant bear is an endangered animal. The main problem they have is habitat loss. Habitat loss is when the places they live in are ruined. Humans often ruin the places where pandas live, such as for the construction of buildings. Pandas cAn also lose their habitat because of pollution. Pollution means that less bamboo grows, or that bamboo stops growing completely in a certain place. Giant pandas also have a low birth rate, which makes the problem worse.

TraditioNal Chinese stories about the giant pandas say that the animal can be very powerful. Some people believe that sleeping on a panda skin can protect them from ghost and predict their future. These tales are one of the reasons why people would spend lots of money for the skin and fur of this precious animal.

In former times, the panDas were also hunted. The Western people who came to China were soon unable to hunt the pandas, because of different wars. Local people continued though. PandAs were mainly hunted for their fur. Today, hunting pandas is not allowed.

In 1963, China set up a nature reserve for pandas, the Wolong National Nature Reserve. This was the firSt, other nature reserves followed. China did this to fight the number of pandas going down. In 2006, there were 40 panda reserves, compared to 13, two decades ago.

Looking closely reveals that an intermediate letter of some words is capitalized. In one of the words, ‘O’ (the English letter) was replaced by ‘0’ (numeric zero). We took out those words and listed them:

deFend
bLeating
pandAs
stronGest
gIves
chooSe
ChineSe
ThE
eXtinction
babY
pandaS
UniTed
changEd
aGree
herbivOrous
tyPe
cAn
TraditioNal
panDas
PandAs
firSt

Collecting the capital letters gives: FLAGISSEXYSTEG0PANDAS
 
We tried:
  1. FLAGISEXYSTEG0PANDAS
  2. FLAG IS EXYSTEG0PANDAS
  3. FLAGISEXYSTEGOPANDAS
  4. EXYSTEG0PANDAS
  5. EXYSTEGOPANDAS ... and finally
  6. SEXYSTEGOPANDAS

Solution: SEXYSTEGOPANDAS
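
The extraction step described above can be automated. This Python is an added example, not code from the original post: the sample text is constructed from sentences of the challenge text (with the zero written into "herbiv0rous" as the write-up describes), and the name hidden_chars is hypothetical.

```python
import re

# Constructed sample: sentences adapted from the challenge text above.
SAMPLE = (
    "Giant pandas live alone. Females have a territory which they deFend "
    "against other females. ThE giant panda is now under the threat of "
    "eXtinction. It was a cub (babY panda) named Su-Lin. In the 1970s, China "
    "began showing giant pandaS in zoos in the UniTed States. Giant pandas "
    "are mostly herbiv0rous and eat 20 to 30 pounds of bamboo a day."
)

TOKEN = re.compile(r"[A-Za-z0-9]+")


def hidden_chars(text):
    """Return (message, carrier_words) for characters that break normal casing.

    A character counts when it is not the first of its word and is either an
    upper-case letter or a digit with letters on both sides. Tokens without
    any lower-case letter (numbers, acronyms) are ignored. Names with
    legitimate inner capitals would be false positives, so the carrier words
    are returned for manual review.
    """
    message, carriers = [], []
    for word in TOKEN.findall(text):
        if not any(c.islower() for c in word):
            continue
        odd = [
            c for i, c in enumerate(word)
            if i > 0 and (c.isupper() or (
                c.isdigit()
                and any(x.isalpha() for x in word[:i])
                and any(x.isalpha() for x in word[i + 1:])))
        ]
        if odd:
            message.extend(odd)
            carriers.append(word)
    return "".join(message), carriers


if __name__ == "__main__":
    msg, words = hidden_chars(SAMPLE)
    print(msg)
    print(words)
```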

Leetmore CTF 2012: Crypto 200 (XOROWblu Wbl(I)P)

This entry was posted on Oct 18 2012

All we had was an encrypted file.

The “XOR” part of the challenge title suggests that we need to do some XORing.

XORing with “XOROWbIu WbI(|)P”, or parts of it, doesn’t give any interesting results.

Let’s do some frequency-based analysis.

We used xortool to do this for us.

xortool can:
  –  guess the key length (based on count of equal chars)
  –  guess the key (based on knowledge of most frequent char)

Because the cry200 file is 194 bytes, it is probably a XORed sentence, so a space (= 0x20) should be a frequent character.

$ ./xortool.py -c 20 cry200
The most probable key lengths:
3: 15.7%
6: 20.4%
9: 11.4%
12: 13.8%
15: 7.2%
18: 9.3%
21: 4.6%
24: 7.8%
26: 5.6%
30: 4.3%

Key-length can be 3*n
1 possible key(s) of length 6:
\x96\xa4*\xc3\xc4:
Found 1 plaintexts with 95.0%+ printable characters
See files filename-key.csv, filename-char_used-perc_printable.csv

The output file ‘xortool_out/0.out’ contains the text obtained by XORing the input file with the guessed key "\x96\xa4*\xc3\xc4:" (six bytes, the last one being ":").

>>> open('xortool_out/0.out','r').read()
'Cong (tula& ons!r\x1ehiler=he q\' ck b &wn f=1 jum": ove ithe >(zy
d=., th7iplai sho =er t:(n th7imess3.e. Y=nd'

Although xortool did not guess the key completely correctly, we can now read most of the text:
  – “Congratulations!”
  – “The quick brown fox jumps over the lazy dog.” ==> standard font display sentence.

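So now we can find the correct XOR key by XORing the input data with the known plaintext. The session below types it as "Congratuations!" (without the "l"), so only the first eight bytes of the result are real key bytes: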

>>> from itertools import izip, cycle  # Python 2
>>>
>>> def xor_crypt_string(data, key):
...     # XOR every byte of data with the key, repeating the key as needed
...     return ''.join(chr(ord(x) ^ ord(y)) for (x,y) in izip(data, cycle(key)))
...
>>>
>>> data=open('cry200','r').read()
>>> data
'\xd5\xcbD\xa4\xe4\x12\xe2\xd1F\xa2\xe2\x1a\xf9\xcaY\xe2\xb6$\xfe\xcdF\xa6\xb6\x07\xfe\xc1\n\xb2\xe3\x1a\xf5\xcf\n\xa1\xe4\x1c\xe1\xca\n\xa5\xf9\x0b\xb6\xce_\xae\xe6\x00\xb6\xcb\\\xa6\xe4S\xe2\xccO\xe3\xfa\x12\xec\xdd\n\xa7\xf9\x14\xba\x84^\xab\xf3S\xe6\xc8K\xaa\xf8S\xee\xcbX\xe3\xf5\x1a\xe6\xccO\xb1\xb6\x1a\xe5\x84Y\xb7\xff\x1f\xfa\x84\\\xa6\xe4\n\xb6\xd1D\xb0\xf3\x10\xe3\xd6O\xe3\xe1\x1b\xf3\xca\n\xb7\xfe\x16\xb6\xcfO\xba\xb6\x1a\xe5\x84G\xb6\xf5\x1b\xb6\xd7B\xac\xe4\x07\xf3\xd6\n\xb7\xfe\x12\xf8\x84^\xab\xf3S\xfb\xc1Y\xb0\xf7\x14\xf3\x8a\n\x9a\xf9\x06\xe4\x84L\xaf\xf7\x14\xac\x84l\xac\xee\x1a\xf3\x84n\xac\xf1\t\xff\xc1\n\x80\xe4\n\xe6\xd0E\xe3\xc6\x04\xf8\xc0'
>>> xor_crypt_string(data, 'Congratuations!')
"\x96\xa4*\xc3\x96s\x96\xa4'\xd6\x8bu\x97\xb9x\xa1\xd9J\x99\xbf'\xd2\xc3f\x8a\xa8e\xdc\x90;\xb6\xa0d\xc6\x96}\x95\xbfk\xd1\x90d\xd8\xbd~\xed\x89n\xd1\xb9=\xd2\x912\x96\xa5
\x8d\x893\xaf\xb2d\xc0\x8bu\xce\xf1?\xdf\x9a<\x88\xbbj\xe9\x97=\x89\xb99\x97\x80{\x92\xa5
\xdf\xc5;\xa6\xeb7\xd0\x8d~\x8e\xf1=\xd2\x8de\xd8\xa2e\xf3\x9c~\x84\xa4.\x97\x94z\x87\xa3e\xd9\x8d7\xf5\xa0!\xdd\xc4{\x91\xf1&\xc2\x9ct\xd8\xa4c\xef\x8bi\x94\xa4k\xc3\x8bs\x8c\xed1\xc5\x80r\xb8\xae7\xd7\x85u\x87\xffk\xee\x90i\x8a\xf7m\xec\x98z\xcb\xf6\r\xd8\x9b{\x87\xed\x01\xc2\x82(\xbc\xaed\xe7\x96k\x92\xa5$\x97\xafk\x96\xb3"

The result starts with the six-byte key and then begins to repeat it, so the correct key is: "\x96\xa4*\xc3\x96s"

>>> xor_crypt_string(data, '\x96\xa4*\xc3\x96s')
'Congratulations! While the quick brown fox jumps over the lazy dog,
the plain xor cipher is still very unsecure when the key is much
shorter than the message. Your flag: Foxie Dogzie Crypto Pwnd'

Solution: Foxie Dogzie Crypto Pwnd
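
The known-plaintext step above, written for Python 3 as an added example (not code from the original post). The ciphertext is rebuilt from the key and plaintext the post recovers, as a stand-in for the cry200 file; the function names are assumptions, and the example goes slightly beyond the post by locating the position where a mistyped crib disagrees with the decryption.

```python
from itertools import cycle

# Key and plaintext are the values the post recovers; XORing them rebuilds a
# 194-byte stand-in for the cry200 file so the example runs offline.
KEY = b"\x96\xa4*\xc3\x96s"
PLAINTEXT = (
    b"Congratulations! While the quick brown fox jumps over the lazy dog, "
    b"the plain xor cipher is still very unsecure when the key is much "
    b"shorter than the message. Your flag: Foxie Dogzie Crypto Pwnd"
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as often as needed."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


CIPHERTEXT = xor_bytes(PLAINTEXT, KEY)


def shortest_period(stream: bytes) -> int:
    """Smallest p with stream[i] == stream[i + p] for all i, else len(stream)."""
    for p in range(1, len(stream)):
        if all(a == b for a, b in zip(stream, stream[p:])):
            return p
    return len(stream)


def recover_key(ciphertext: bytes, crib: bytes, key_len: int = 0) -> bytes:
    """Known-plaintext key recovery for a crib that starts at offset 0.

    ciphertext XOR crib is the key stream. Without key_len the key is one
    period of that stream, which needs a typo-free crib longer than the key.
    With key_len (for example xortool's estimate) the first key_len bytes
    are taken as the key.
    """
    stream = xor_bytes(ciphertext[:len(crib)], crib)
    return stream[:key_len or shortest_period(stream)]


def first_crib_mismatch(ciphertext: bytes, key: bytes, crib: bytes) -> int:
    """Index where crib differs from the decryption under key, or -1."""
    plain = xor_bytes(ciphertext[:len(crib)], key)
    return next((i for i, (p, c) in enumerate(zip(plain, crib)) if p != c), -1)


if __name__ == "__main__":
    key = recover_key(CIPHERTEXT, b"Congratu")    # eight known bytes suffice
    print("key:", key)
    print(xor_bytes(CIPHERTEXT, key).decode())

    typo = b"Congratuations!"                     # crib as typed in the post
    print("period with typo:", shortest_period(xor_bytes(CIPHERTEXT[:15], typo)))
    hinted = recover_key(CIPHERTEXT, typo, key_len=6)
    print("key with length hint:", hinted)
    print("crib wrong at index:", first_crib_mismatch(CIPHERTEXT, hinted, typo))
```

With an eight-byte crib and a six-byte key only two bytes confirm the period, so the recovered length should be cross-checked against xortool's key-length estimate.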

Crypto 10

This entry was posted on Apr 25 2012

 

Crypto10 – 300 Points

Cipher text:

LQBN XBEE IG HWV EDNL LVDCNSBNNBHC. ZHW'MG DEE VGKGBMGO ZHWV DNNBPCSGCLN. BA ZHW DVG DIEG LH KHSTEGLG ZHWV LDNR VGTEZ IDKR LH WN WNBCP LQG RGZXHVO AVHS LQBN GCKVZTLBHC DEPHVBLQS DN ZHWV RGZ. JWNL VGSGSIGV LQDL LQBN BN DEE AHV LQG PVGDLGV PHHO.

Solving:

With Cryptogram solver, we get:

THIS WILL BE OUR LAST TRANSMISSION YOU'VE ALL RECEIVED YOUR ASSIGNMENTS IF YOU ARE ABLE TO COMPLETE YOUR TASK REPLY BACK TO US USING THE KEYWORD FROM THIS ENCRYPTION ALGORITHM AS YOUR KEY JUST REMEMBER THAT THIS IS ALL FOR THE GREATER GOOD

So, what is the keyword?

Fill in the decoded message in Cryptogram Assistant and substitute the letters so that you get the encrypted challenge text again.

Substitutions:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
F I N A L   E O B J C T V S D G H K M P   R U W   Y

Possible keywords:

FINALQEOBJCTVSDGHKMPXRUWZY
FINALQEOBJCTVSDGHKMPZRUWXY
FINALXEOBJCTVSDGHKMPQRUWZY
FINALXEOBJCTVSDGHKMPZRUWQY
FINALZEOBJCTVSDGHKMPQRUWXY
FINALZEOBJCTVSDGHKMPXRUWQY

Solution:

The key was FINALZEOBJCTVSDGHKMPQRUWXY.
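
The substitution table and the six candidate keys above can be derived mechanically from the ciphertext and the solver output. This Python is an added example, not part of the original post; the function names are hypothetical, and the two texts are copied from the post.

```python
from itertools import permutations
from string import ascii_uppercase

# Ciphertext and solver output copied from the post above.
CIPHERTEXT = (
    "LQBN XBEE IG HWV EDNL LVDCNSBNNBHC. ZHW'MG DEE VGKGBMGO ZHWV "
    "DNNBPCSGCLN. BA ZHW DVG DIEG LH KHSTEGLG ZHWV LDNR VGTEZ IDKR LH WN "
    "WNBCP LQG RGZXHVO AVHS LQBN GCKVZTLBHC DEPHVBLQS DN ZHWV RGZ. JWNL "
    "VGSGSIGV LQDL LQBN BN DEE AHV LQG PVGDLGV PHHO."
)
PLAINTEXT = (
    "THIS WILL BE OUR LAST TRANSMISSION YOU'VE ALL RECEIVED YOUR "
    "ASSIGNMENTS IF YOU ARE ABLE TO COMPLETE YOUR TASK REPLY BACK TO US "
    "USING THE KEYWORD FROM THIS ENCRYPTION ALGORITHM AS YOUR KEY JUST "
    "REMEMBER THAT THIS IS ALL FOR THE GREATER GOOD"
)


def derive_table(ciphertext, plaintext):
    """Map each cipher letter to its plain letter, rejecting contradictions."""
    c_letters = [c for c in ciphertext if c.isalpha()]
    p_letters = [p for p in plaintext if p.isalpha()]
    if len(c_letters) != len(p_letters):
        raise ValueError("texts do not align letter for letter")
    table, used = {}, {}
    for c, p in zip(c_letters, p_letters):
        # A monoalphabetic substitution must be one-to-one in both directions.
        if table.setdefault(c, p) != p or used.setdefault(p, c) != c:
            raise ValueError(f"inconsistent pair {c}->{p}")
    return table


def candidate_keys(table):
    """Fill cipher letters never observed with the unused plain letters.

    The key string lists the plain letter for cipher letters A..Z, which is
    the layout of the table in the post.
    """
    gaps = [c for c in ascii_uppercase if c not in table]
    spare = [p for p in ascii_uppercase if p not in table.values()]
    keys = []
    for fill in permutations(spare):
        full = {**table, **dict(zip(gaps, fill))}
        keys.append("".join(full[c] for c in ascii_uppercase))
    return keys


if __name__ == "__main__":
    for key in candidate_keys(derive_table(CIPHERTEXT, PLAINTEXT)):
        print(key)
```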

Crypto 9

This entry was posted on Apr 25 2012

Crypto9 – 300 Points

Cipher text:

XI VQHISTUEQH ULEU ULMT XMCC FI QB IETD UETO UB IYIGVUI EQH ULEU XI ESI ETOMQK E CBU JSBP ECC BJ DBV. WI HB QBU JEVCU EQD PIPFIST JBS CIEWMQK, XI ESI FIUUIS BJJ XMULBVU ULBTI XIEO CMQOT. ULI ACEQQMQK TUEKI MT QBX BWIS. ULI OID JBS BVS JMQEC PIIUMQK MT JEXOIT. SIEHD DBVSTICWIT. ULI UMPI LET GBPI JBS VT UB FI JSIIH.

Solving

Cryptogram solver: Dictionary “American English Large”

Solution:

WE UNDERSTAND THAT THIS WILL BE NO EASY TASK TO EXECUTE AND THAT WE ARE ASKING A LOT FROM ALL OF YOU VE DO NOT FAULT ANY MEMBERS FOR LEAVING WE ARE BETTER OFF WITHOUT THOSE WEAK LINKS THE PLANNING STAGE IS NOW OVER THE KEY FOR OUR FINAL MEETING IS FAWKES READY YOURSELVES THE TIME HAS COME FOR US TO BE FREED

Crypto 8

This entry was posted on Apr 25 2012

Crypto8 – 300 Points

Cipher text:

EKEMQ XI LEWI CIESQIH ULEU BVS USEQTPMTTMBQT ESI FIMQK PBQMUBSIH. ET E SITVCU XI ESI GLEQKMQK ULI IQGSDAUMBQ PIULBH EKEMQ. ULI QIX OID JBS QIYU PIIUMQK XMCC FI ABCDKBQ. MU MT MPAISEUMWI ULEU DBV ECC EUUIQH ECC PIIUMQKT JSBP LISI BQ MQ.

Use Cryptool: –> Caesar Analysis Sample

Solving:

AGAIM TE HASE YEAOMED QHAQ XRO QOAMPLIPPIXMP AOE BEIMG LXMIQXOED. AP A OEPRYQ TE AOE CHAMGIMG QHE EMCOZWQIXM LEQHXD AGAIM. QHE MET KEZ FXO MEUQ LEEQIMG TIYY BE WXYZGXM. IQ IP ILWEOAQISE QHAQ ZXR AYY AQQEMD AYY LEEQIMGP FOXL HEOE XM IM.
As you can see in the message, ‘M’ needs to be replaced with ‘N’.

Pasting the original text into a Cryptogram solver gives the solution below.

Solution:

AGAIN WE HAVE LEARNED THAT OUR TRANSMISSIONS ARE BEING MONITORED AS A RESULT WE ARE CHANGING THE ENCRYPTION METHOD AGAIN THE NEW KEY FOR NEXT MEETING WILL BE POLYGON IT IS IMPERATIVE THAT YOU ALL ATTEND ALL MEETINGS FROM HERE ON IN

Crypto 7

This entry was posted on Apr 25 2012

Crypto7 – 200 Points

Cipher text:

VAOZM HPXC YZGDWZMVODJI OCZ VPOCJMDOT CVN YZXDYZY OCVO OCZMZ DN JIZ DYZV RCDXC RZ RDGG OVFZ PK VN KVMO JA JPM XVPNZ. OJ CZVM HJMZ VWJPO DO, WZ NPMZ OJ VOOZIY OCZ IZSO HZZODIB, PNZ OCZ FZT BZIZMVODJI OJ BZO DI. OCZMZ DN HPXC KGVIIDIB IZZYZY OJ WZ YJIZ, WPO DA RZ XVI ZSZXPOZ OCZ KGVI RZ RDGG WZ AMZZY.

Use Cryptool: –> Caesar Analysis Sample

Solution:

AFTER MUCH DELIBERATION THE AUTHORITY HAS DECIDED THAT THERE IS ONE
IDEA WHICH WE WILL TAKE UP AS PART OF OUR CAUSE. TO HEAR MORE ABOUT
IT, BE SURE TO ATTEND THE NEXT MEETING, USE THE KEY GENERATION TO GET
IN. THERE IS MUCH PLANNING NEEDED TO BE DONE, BUT IF WE CAN EXECUTE
THE PLAN WE WILL BE FREED.

The message was encrypted using ROT-21.

Crypto 6

This entry was posted on Apr 25 2012

Crypto6 – 200 Points

Cipher text:

PYB DRO XOHD WOODSXQ LO CEBO DY ECO UOI WKXUSXN. DROBO RKFO LOOX CYWO QBOKD SNOKC PVISXQ KBYEXN YEB WOODSXQC KC YP VKDO. DRO KEDRYBSDI GSVV QY YFOB CYWO YP DROW DY COO SP DROI PSD SXDY YEB KQOXNK.

Use Cryptool: –> Caesar Analysis Sample

Solution:

FOR THE NEXT MEETING BE SURE TO USE KEY MANKIND. THERE HAVE BEEN SOME
GREAT IDEAS FLYING AROUND OUR MEETINGS AS OF LATE. THE AUTHORITY WILL
GO OVER SOME OF THEM TO SEE IF THEY FIT INTO OUR AGENDA.

The message was encrypted using ROT-10.

Crypto 5

This entry was posted on Apr 25 2012

Crypto5 – 200 Points

Cipher text:

JR UNIR QVFPBIRERQ GUNG BHE YNFG GUERR GENAFZVFFVBAF JR'ER RNFVYL QRPVCURERQ. JR UNIR GNXRA PNER BS GUR CNEGL ERFCBAFVOYR SBE GURVE RAPBQVAT NAQ NER ABJ HFVAT N ARJ ZRGUBQ. HFR GUR VASBEZNGVBA CEBIVQRQ NG YNFG JRRX.F ZRRGVAT GB QRPVCURE NYY ARJ ZRFFNTRF. NAQ ERZRZORE, GUVF JRRX.F XRL VF BOSHFPNGRQ.

Use Cryptool: –> Caesar Analysis Sample

Solution:

WE HAVE DISCOVERED THAT OUR LAST THREE TRANSMISSIONS WE’RE EASILY
DECIPHERED. WE HAVE TAKEN CARE OF THE PARTY RESPONSIBLE FOR THEIR
ENCODING AND ARE NOW USING A NEW METHOD. USE THE INFORMATION PROVIDED
AT LAST WEEK.S MEETING TO DECIPHER ALL NEW MESSAGES. AND REMEMBER,
THIS WEEK.S KEY IS OBFUSCATED.

The message was encrypted using ROT-13.

Crypto 4

This entry was posted on Apr 25 2012

 

Crypto4 – 100 Points

Cipher text:

VGhhdCBtZWV0aW5nIHdhcyBhIGxpdHRsZSBjcmF6eS4gV2UgaGF2ZSBubyBpZGVhIHdoZXJlIHRob3NlIGd1eXMgaW4gdGhlIGJsYWNrIHN1aXRzIGNhbWUgZnJvbSwgYnV0IHdlIGFyZSBsb29raW5nIGludG8gaXQuIFVzZSB0aGUga2V5IGluZmlsdHJhdGlvbiBmb3IgbmV4dCB3ZWVrknMgbWVldGluZy4gU3RheSB3aXRoIHRoZSBjYXVzZSBhbmQgd2Ugd2lsbCBzdWNjZWVkLg==

The text is Base64-encoded; decode it with a Base64 decoder.

Solution:

That meeting was a little crazy. We have no idea where those guys in the black suits came from, but we are looking into it. Use the key infiltration for next week’s meeting. Stay with the cause and we will succeed.

Crypto 3

This entry was posted on Apr 23 2012

Crypto3 – 100 Points

Cipher text:

01001100011000010111001101110100001000000111011101100101011001010110101101110011001000000110110101100101011001010111010001101001011011100110011100100000011101110110000101110011001000000110000100100000011001110111001001100101011000010111010000100000011100110111010101100011011000110110010101110011011100110010111000100000010101110110010100100000011100110110010101100101011011010010000001110100011011110010000001100010011001010010000001100111011001010110111001100101011100100110000101110100011010010110111001100111001000000110000100100000011011000110111101110100001000000110111101100110001000000110001001110101011110100111101000100000011000010110001001101111011101010111010000100000011101000110100001100101001000000110110101101111011101100110010101101101011001010110111001110100001011100010000001010100011010000110010100100000011010110110010101111001001000000110011001101111011100100010000001101110011001010111100001110100001000000111011101100101011001010110101101110011001000000110110101100101011001010111010001101001011011100110011100100000011010010111001100100000011100100110010101110011011010010111001101110100011000010110111001100011011001010010111000100000010010010110011000100000011101000110100001100101011100100110010100100000011010010111001100100000011000010110111001111001011011110110111001100101001000000110010101101100011100110110010100100000011110010110111101110101001000000110101101101110011011110111011100100000011011110110011000100000011101000110100001100001011101000010000001101101011000010111100100100000011000100110010100100000011010010110111001110100011001010111001001100101011100110111010001100101011001000010000001101001011011100010000001101010011011110110100101101110011010010110111001100111001000000110001001110010011010010110111001100111001000000111010001101000011001010110110100100000011101000110111100100000011101000110100001100101001000000110110101100101011001010111010001101001011011100110011100100000011101000110100001101001011100110010000001110111011001010110010101101011
00101110001000000100100101110100001000000111011101101001011011000110110000100000011000100110010100100000011010000110010101101100011001000010000001110011011000010110110101100101001000000111010001101001011011010110010100101100001000000111001101100001011011010110010100100000011100000110110001100001011000110110010100101110

Convert binary to ASCII code:

  • Split the binary string into chunks of 8 characters (1 byte):
    • Get the total length of the string for the for loop: length($0)
    • Each pass through the for loop increases i by 8
    • substr($0,i,8) extracts 8 characters at a time (awk indexing starts at 1, not at 0 as in other languages)
  • bc is used to convert binary to decimal:

echo 'ibase=2;01001100' | bc

  • The decimal numbers output by bc are converted to characters: awk '{ printf "%c", $1 }'

# cipher.txt (file name assumed) holds the binary string shown above.
# Each 8-bit chunk goes on its own line so that bc converts it separately.
$ cat cipher.txt | tr -d ' \n' | awk '{ n = length($0); print "ibase=2"; for (i = 1; i <= n; i += 8) print substr($0, i, 8) }' | bc | awk '{ printf "%c", $1 }'

Solution:

Last weeks meeting was a great success. We seem to be generating a lot of buzz about the movement. The key for next weeks meeting is resistance. If there is anyone else you know of that may be interested in joining bring them to the meeting this week. It will be held same time, same place.

Or you can do it the easy way with Binary to Text (ASCII) Conversion.