Knowing The Unknown

Pictorial Mess [ PragyanCTF 2018 Writeup]

Challenge description:

 Johnny had an image that he was going to use for a very important purpose. Someone had hacked into his system and tampered with the image. Help him recover it.

Hint! The characters in the images read "Make me tall", but that's not the flag.

We have been given 7 images which contains the message in it’s plane : “Make me Tall”.

At first we tried all the basic commands like strings, binwalk and exiftool to check if something useful is present there, but however nothing much useful came out. As the message says “make me tall”, we thought of making it tall.

So I used tweakpng tool to edit its IHDR part which contains the image dimensions.I made the height from 350 to somewhere 700. After saving this image I saw there was something interesting showing up.

Here we can see that there are some data below the images. I first doubted it is morse, then after failing on that guess, I made a rough guess of it being a binary code.

Then finally I took all the 1’s and 0’s from this data.

But it made no sense at all. Then after a long time I made a rough guess of reading it column wise.

Uffffffff, Finally I got the flag !!!!!!!!!!!!!!!!!!!!! 🙂

FuzzY Writeup( BSides Delhi CTF 18)

Challenge Description:

Bob and Charlie were sending some messages among themselves,and I planned to intercept their secrecy and get something out of it, however they are clever enough that no one gets anything. Please help me out to get the secret!!

Here we have been given a pcap file named final_fuzz.pcap, which contain protocols like ICMP, DNS and TCP.

When we go through the TCP packets, we find a PGP message in one of them.

In order to decrypt this message, we need a private key as well as a passphrase used to encrypt the original message.

When we go through the packets further, we see that in one DNS Response packet there is the PNG file signature, so a image seems to be spoofed in these DNS responses.

So here we can write a small python script to extract all the image payload data and merge them together to form a single image.

The final output would be :

It’s a QR code, lets decrypt it using any online decoder tool:

So its the private key, now we need to get the passphrase which seems to very likely to be present in the same packet which contained the PGP Message :

So here we have a small text right before the PGP message begins i.e

aGVsbG93b3JsZA ——> On decoding this base64 code we get the passphrase :: helloworld

Now we have all pieces of our puzzle, just joining them together in any online pgp message decoder, we get our flag as:

flag{eNcryP7!ng_t0_PgP_1s_r34LLy_Pre3tY_g00D_pr1V4cY}

Thanks 🙂

Biz44re Writeup( InCTF International 2018)

Challenge Description :

"Kevin sent me a file with some hidden message. Help me recover this secret from this bizzare network."

So in this challenge we are provided with a pcap file which contains some random protocols like DNS, ICMP, IGMP, TCP etc.

If we go around looking into pcap file, we will find some strange buffer values in ICMP Protocols.

and if we filter them out as:

ip.src==10.30.8.102 && ip.dst==192.168.42.83

Here we will get a set of 3 ICMP Packets with some data present in their buffer. (You may export these specified packets using Wireshark)

If we carefully check the data present in the buffer value then it actually begins with the file signature

 50 4B 03 04 14 ---> Zip File Signature

I have written a small python script which easily takes out these data:

from scapy.all import *

r = rdpcap("bizz.pcap")
f = open("flag.zip","w")
l = []

for i in range(0,len(r)):
a = str(r[i])
d = a[142:]
l.append(d)

b = ''.join(l)
f.write(b.decode("hex"))
f.close()

So the flag.zip is now extracted from the pcap file, now we could just open it up and see what’s inside.

So here we have our flag, just a matter of recognizing the right file signature.

Thanks 🙂

Magical rad1o Writeup ( InCTF International 2018)

Challenge Description:

A number station in Russia broadcasted a series of encoded messages to one of it's intelligence agency. We have been able to get a piece of that message along with a picture hidden by one of the spy. Decode the transmitted data and be a hero!!

Well for this challenge you have been provided with an audio file along with an image. The major part of cracking this challenge lies in finding the right tool used to perform steganography here. The name of the challenge refers to a stegano tool named

#StegoMagic#.

You can get the tool from the site:

Stego_Magic_Bin_Tool_Link

If we analyse the image, then we can see in one of the planes a secret key is hidden.

So definitely this key may come handy in the next few steps……….

Once we crack the tool out, lets try to decode our information from it.

Enter your choice : 2 ( Extract an Embedded file)

We have to provide the audio file as our input file to decrypt.

Enter a random file name you wish to enter. Here I have provided flag as the name.

Next it asks for the secret key required for decryption. We already found the key in one of the planes of our given image i.e 1517

Finally we got our decrypted file :::

Now lets check what’s this file called flag, we run the file command and find that it is a pdf document. Running the “binwalk” tool shows the presence of a PNG image in it.

When we extract the PNG image, we see that it is a QR code, which on decryption gives out another magic for us.

 Ob>(FfBIDELM1nJQ56TtP:XxTU\]^YZ"\cdefgK*dkfg/iSkr4nXp8rsz{|w~!zB|%&hG#*%&-op0P,-4/w189Y5}=]9@;<C'?eAHIJKFGmIPKLSTUPQXS=zV]X_ZaE$^H`gh*delmniS2lVn6pqxyt^|>x!"{|%g'(H$l,-M)*+2t4T078zY5<=8"@ABb>EFG+hDKLGH23pLMTUVQwSZ[\@^~Z[bcde`gK*dklgnipT3mtupwxy]<v}~!"#eD~!"j*+K'./01stS/67834|[78?:A%b>EF*BIJjFM1nJ45STtPWXYT[VW^B`"\]d_I(bcjkfP/ijkrm5ovwxyt{=w~yz#$fE!()*+m'M)*+,R./0723{5[7>?@AB='d@GBC-ELlHO34qM7UVWXxT[\]A~Z[\cdefJK*dklgnipT3mtuYqx])^OP>!d{$VE4F6l%nLo<O+,@v5gV89|Y<!K9_;`'D

So here we have a weird data, which confuses you for a while, but only until you know some weird programming languages 😉

After a rough walkthrough of some weird programming languages we understand that it is a Malbolge code, which again is reversed ( Double the Magic Double the Confusion)

After reversing the entire malbolge code decoded from the QR, we will get something like this:

 D'`;_9K!<Y|98Vg5v@,+O<oLn%l6F4EV${d!>PO^)]xqYutm3Tpinglkd*KJfedc\[Z~A]\[TxXWVU7Mq43OHlLE-CBG@d'=BA@?>7[5{3270/.R,+*)M'm+*)(!Ef$#zy~w={tyxwvo5mrkji/Pfkjcb(I_d]\"`B^WV[TYXWPtTS54Jn1MFjJIB*FE>b%A:?87[|43876/Sts10/.'K+*j"!~De#"!~}v<]yxwputm3Tpinglkd*Kg`edcb[Z~^@\[ZSwQVUTMLp32HGLKDh+GFE>bBA@"8=<5Yz870T4t2+*)M-,l$H('g%|{"!x>|^tyxqp6nVl2Sinmled*hg`H^$EaZ_X]Vz=SXQPUTSLKPImGFKJIHAe?'C<;@9]=}5Y981w/4-,P0po-&%*#Gh&%|Bz!~w|{zsr8pXn4rkSi/gfkd*Kgfedc\"ZY^]\UTxX:PtT65QJn1MLEDIBfF(>bO

SO here we have the final malbolge code ready for execution, just run this code in any of the malbolge interpreter, we will get our ‘flag‘

THanks 🙂

“Hello world” System Call

Hi friends!! I am going to use this article to explain how to add a “hello world system call” to your kernel as I recently accomplished this task. My OS is Linux Ubuntu 14.04 and the kernel version I have implemented this in is, 4.1.33 and I have used a 64 bit system. The following steps will be more or less the same with little changes here and there for other versions of kernel.

In computing, a system call is the programmatic way in which a computer program requests a service from the kernel of the operating system it is executed on. This may include hardware-related services (for example, accessing a hard disk drive), creation and execution of new processes, and communication with integral kernel services such as process scheduling . System calls provide an essential interface between a process and the operating system.

Grab the kernel source:

Open the terminal and use the following command to get the kernel source file.

$ sudo apt-get source linux-image-$(uname -r)

You will find a new folder name linux-<kernel version number>.

Copy the kernel source to /usr/src.

$ sudo cp -r linux-4.1.33 /usr/src .

Installing the required packages:

$ sudo apt-get update
$ sudo apt-get build-dep linux-image-$(uname -r)
$ sudo apt-get install kernel-package  # for make-kpkg clean
$ sudo apt-get install libncurses-dev  # for make menuconfig

Next the system call:

Step 1:

$ cd linux-4.1.33

Create a directory hello in the kernel source directory:-

$ mkdir hello

Change into this directory

$ cd hello

Step 2:

Create a “hello.c” file in this folder and add the definition of the system call to it as given below.

$ vim hello.c

Then include the code :::::::::::

#include <linux/kernel.h>

asmlinkage long sys_hello(void)
{
printk(“Hello world\n”);
return 0;
}

The asmlinkage tag is one other thing that we should observe about this simple function. This is a #define for some gcc magic that tells the compiler that the function should not expect to find any of its arguments in registers (a common optimization), but only on the CPU’s stack.

Step 3: Create the Makefile

$ vim Makefile

Add the following line to Makefile

obj-y := hello.o

Step 4 : Add the hello directory to the main kernel Makefile

Change back into the linux-4.1.33 folder and open Makefile.

gedit Makefile

Go to line number 900(may vary) which says :-

core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/

and add hello/ to the end of the line like so

core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ hello/

This tells our compiler that the source code of sys_hello() lies in the hello directory.

Step 5: Add sys_hello() into the syscall table

Since we are using a 64 bit system we need to edit the file “syscall_64.tbl” .

$ cd arch/x86/entry/syscalls/syscall_64.tbl

Add the following after the last sys_call.

323         64            hello             sys_hello

Where 323 is one plus the last sys_call in “syscalls_64.tbl”. This has to be used to make the syscall in the user program.

Step 6 : Add the sys_hello() in the syscalls.h header file

$ cd include/linux
$ vim syscalls.h

Add the following to the end of the file just before the #endif statement.

asmlinkage long sys_hello(void);

This defines the prototype of the function for our system call. ”asmlinkage” is a key word used to indicate that all parameters of the function would be available on the stack.

Create the config file……….

$ cd ../..
$ make menuconfig

In the window that comes you can customize the feature of the kernel you are going to build.(we will keep it to the default values). Select the save option using tab and enter keys.

Building the Kernel (Time for a tea break…..!!)

To increase the speed of compilation use the below command

$ export CONCURRENCY_LEVEL=3  #  1+number of cores on your processor
$ make  # compile the kernel

…check the number of cores on your processor…

$ lscpu

Installing the kernel…

To install this kernel execute the following command

$ sudo make modules_install install

The above command will install the Linux Kernel 4.1.33 into your system.It will create some files under /boot/ directory and will automatically make an entry in your grub.cfg.

Test the system call.

Create a “hello_syscall.c” program in your home folder and type in the following code :-

#include <stdio.h>
#include <linux/kernel.h>
#include <sys/syscall.h>
#include <unistd.h>

int main() {
         long int sys = syscall(323); // 323 is the sys_hello number we had used to add the sys_call
         printf(“System call sys_hello returned %ld\n”, sys); // 0 means, everything went well
         return 0;
}

Now compile this program using the following command.

$ gcc hello_syscall.c

If it didn’t compile and you got an error, try fixing it and then compile again.

Now run the program using the following command

$ ./a.out

You will see the following line getting printed in the terminal if all the steps were followed correctly.

System call sys_hello returned 0

If you got -1 instead of 0, that means your sys_hello() did not execute correctly, check all the code changes you made and try to build the kernel again. Make sure you have booted using the kernel you have made changes to. To check the current running kernel type the following command.

$ uname -r

If everything worked correctly check the log message of the kernel by using the dmesg command.

$ dmesg

This will display “Hello World!” at the end of the kernel’s message and you have successfully implement a sys_call.

Boot to the Right Kernel:

You can change which kernel grub boots to during the computers start-up.

As the computer starts up.

Hold down SHIFT to display the menu during boot. In certain cases, pressing the ESC key may also display the menu.

You should now see the the grub menu. Use the arrow keys to navigate to the advanced options and choose the kernel you want to boot.