The Catch is an online computer-security competition organized annually by CESNET. I didn't really have time to look into it, but a friend of mine started solving some of the challenges and that finally kicked me in my lazy butt, so I decided I could spare a few lunch breaks... I didn't get through all the challenges, but I solved most of the easier ones. Considering the amount of time invested, I don't take that as a fail. If anyone is interested, here's my writeup of the solutions; the related scripts can be found on my GitHub.
You are presented with a text ending with FLAG{something}; just copy the content inside the braces and you are good to go. Basically this is not a challenge, it's there just to make you familiar with the competition system itself.
Another part of the story, same as before: just copy the text from the FLAG.
You are presented with an OpenVPN config file and a URL of a webpage hidden inside the internal network. This challenge is straightforward: simply import the config file into NetworkManager (you are running Linux, aren't you?), connect to the new VPN network and open the page in your browser; the FLAG is right there. It is worth a quick look through the .ovpn before importing it, though: a config can push routes for all of your traffic or run up/down scripts, so don't import one from a source you don't trust.
This is the first challenge you need to use your brain for. You are presented with a bitcoin address (bc1q8vnufzpyurlnvrxavrn2vxe5z0nafrp2d8nzng, a bech32 address) and you need to find the address that sent some BTC to it on Aug 8th 2022. Have you heard about the blockchain? Every transaction ever made is stored in there. Fortunately you don't need to download dozens of GB of blockchain data, there are online block explorers, e.g. btcscan; just enter the address there and you are presented with all its transactions. And as there was only one incoming transaction, the rest is simple: copy the sender's address into the webpage mentioned in the assignment and you are rewarded with the FLAG.
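For the curious, the filter a block explorer does for you is easy to script yourself. The following is an added example, not code from the writeup or from the competition: it takes transactions in a simplified Esplora-style JSON shape (the format blockstream.info and similar explorers return for an address's transactions, reduced to the fields used here) and picks out who funded the target address on a given day. The transaction list is constructed for illustration with placeholder sender addresses; it is not the real history of the challenge address.

```python
"""Who paid a given address on a given day, from block-explorer style data.

Added example, not the writeup author's code. Transactions follow a simplified
Esplora-style shape: "vin" entries carry a "prevout" naming the spending
address, "vout" entries name the receivers, and "status.block_time" is the
confirmation time as a Unix timestamp. SAMPLE_TXS below is constructed and
uses placeholder addresses; it is not the real history of TARGET.
"""
from datetime import date, datetime, timezone

TARGET = "bc1q8vnufzpyurlnvrxavrn2vxe5z0nafrp2d8nzng"  # address from the challenge


def tx_date(tx):
    """Calendar day (UTC) on which the transaction was confirmed."""
    return datetime.fromtimestamp(tx["status"]["block_time"], tz=timezone.utc).date()


def input_addresses(tx):
    """Addresses that funded the transaction. Coinbase inputs have no prevout
    in Esplora output, so guard against a missing/None prevout."""
    return {(i.get("prevout") or {}).get("scriptpubkey_address") for i in tx["vin"]} - {None}


def incoming_senders(txs, target, day):
    """For every tx confirmed on `day` that pays `target` without spending any
    of target's own coins (i.e. a real incoming payment, not a spend or a
    self-transfer), map txid -> set of funding addresses."""
    result = {}
    for tx in txs:
        if tx_date(tx) != day:
            continue
        paid = any(v.get("scriptpubkey_address") == target for v in tx["vout"])
        funders = input_addresses(tx)
        if paid and target not in funders:
            result[tx["txid"]] = funders
    return result


# Constructed sample. 1659916800 is 2022-08-08 00:00:00 UTC.
DAY0 = 1659916800
SAMPLE_TXS = [
    {   # incoming payment on the day of interest
        "txid": "aaaa" * 16,
        "vin": [{"prevout": {"scriptpubkey_address": "SENDER-A", "value": 150000}}],
        "vout": [{"scriptpubkey_address": TARGET, "value": 100000},
                 {"scriptpubkey_address": "SENDER-A-CHANGE", "value": 49000}],
        "status": {"confirmed": True, "block_time": DAY0 + 3600 * 5},
    },
    {   # the target spending its coins later the same day: not incoming
        "txid": "bbbb" * 16,
        "vin": [{"prevout": {"scriptpubkey_address": TARGET, "value": 100000}}],
        "vout": [{"scriptpubkey_address": "SOMEONE-ELSE", "value": 99000}],
        "status": {"confirmed": True, "block_time": DAY0 + 3600 * 9},
    },
    {   # an incoming payment on a different day: filtered out
        "txid": "cccc" * 16,
        "vin": [{"prevout": {"scriptpubkey_address": "OTHER-DAY-SENDER", "value": 5000}}],
        "vout": [{"scriptpubkey_address": TARGET, "value": 4000}],
        "status": {"confirmed": True, "block_time": DAY0 + 86400 * 3},
    },
]


def find_sender(txs=SAMPLE_TXS, target=TARGET, day=date(2022, 8, 8)):
    """The challenge question asked of the sample data."""
    return incoming_senders(txs, target, day)


if __name__ == "__main__":
    for txid, senders in find_sender().items():
        print(txid, "<-", ", ".join(sorted(senders)))
```

With real data you would fetch the address's transaction list from an explorer API and feed it in unchanged; the logic that matters is the date filter plus the "pays the target but is not funded by the target" test, which separates a payment received from the target's own later spends.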
You are presented with a zip file containing two photos of some box. In one of the photos there are several barcode stickers on the box. Just take out your smartphone, install any barcode scanner app, zoom in on the longest barcode, scan it and there you go, the FLAG is there.
This one was real fun: you are given a regex crossword. Solve it and you have the FLAG.
You are given a graph of routes between various sites together with the distances between them; the goal is to find a path of a given total distance, while each site has a single-letter code. Put the sites in the correct order, read their codes and you've got the FLAG. Easy, right? I wrote a script to find the route for me. It's quite easy, a classical graph search with the simplest implementation: recursively call the search function on all neighbors of the currently visited location until you reach the final one, check the travelled distance and if it matches the expected value you've got your solution. Just don't forget to visit each location only once, there are loops in the graph!
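The search described above, as an added example (not the writeup author's script): a depth-first search over a weighted graph that yields every simple path from a start site to a goal site whose distances sum to the target exactly, then reads the one-letter codes off the path. The map, the letter codes and the distances are constructed for illustration; the challenge's real graph is not reproduced here.

```python
"""Find a route of an exact total length through a weighted graph and read the
one-letter codes of the visited sites in order.

Added example, not the writeup author's script. ROADS and CODES are a
constructed toy map (made-up names, letters and distances).
"""

# Constructed map: site -> {neighbour: distance}. Edges are bidirectional and
# the graph contains cycles, so the search must track visited sites.
ROADS = {
    "Depot":  {"Mill": 4, "Farm": 6},
    "Mill":   {"Depot": 4, "Farm": 3, "Bridge": 5},
    "Farm":   {"Depot": 6, "Mill": 3, "Bridge": 8, "Tower": 7},
    "Bridge": {"Mill": 5, "Farm": 8, "Tower": 2},
    "Tower":  {"Farm": 7, "Bridge": 2},
}
# Constructed one-letter code of each site.
CODES = {"Depot": "C", "Mill": "A", "Farm": "T", "Bridge": "C", "Tower": "H"}


def routes_of_length(graph, start, goal, target):
    """Yield every simple path (no site visited twice) from start to goal
    whose summed edge weights equal target exactly.

    Plain depth-first search: extend the current path with each unvisited
    neighbour, prune as soon as the running distance exceeds the target
    (weights are positive, so it cannot come back down), and record a hit
    when standing on the goal with exactly the right distance.
    """
    def dfs(node, travelled, path):
        if travelled > target:
            return
        if node == goal:
            if travelled == target:
                yield list(path)
            return                      # the goal is the last stop; never pass through it
        for nxt, dist in graph[node].items():
            if nxt not in path:         # loops in the graph: never revisit a site
                path.append(nxt)
                yield from dfs(nxt, travelled + dist, path)
                path.pop()

    yield from dfs(start, 0, [start])


def flag_candidates(graph, codes, start, goal, target):
    """Letter strings read off every route of the wanted length. More than one
    result means the distance alone does not pin the route down."""
    return ["".join(codes[site] for site in route)
            for route in routes_of_length(graph, start, goal, target)]


if __name__ == "__main__":
    for route in routes_of_length(ROADS, "Depot", "Tower", 14):
        print(" -> ".join(route), "=", "".join(CODES[s] for s in route))
```

On the toy map only one Depot-to-Tower route has length 14, but a length such as 16 is matched by two routes, which is why the function yields all hits instead of stopping at the first one: if the challenge map is ambiguous you want to see every candidate string before typing one in.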
This one was quick: just download the archive, there's an unfinished Python script, fix the syntax issues, add two lines calling the decrypt function, note that the script fails on reading the pi_dec_1m.txt file, assume the file shall contain pi to a million decimal places, find such a file online (I'm too lazy to generate it myself), run it again and you have the FLAG.
Finally something harder, but still within my range of knowledge. You are presented with a webpage. The hint and the text on the page say it's optimized for mobile devices. Try entering some data into the form, hmm, it fails with invalid message identifier. The assignment text mentioned the message identifier shall be a number, so put a number in there. Now nothing happens, but in the developer toolbar you can notice the server responded with an error message:
{"debugInfo":"Detected unsupported device. Only mobile devices are supported.","message":""}
Hmm, the page is sending the screen resolution as one of the request parameters; resizing the browser window changes nothing, but the devtools have support for pretending to be a mobile device. Eureka, it works... well, not exactly, now the error message is:
{"debugInfo":"Detected unsupported web browser! Only The Catcher\/1.0\/2022 is supported.","message":"Unsupported browser!"}
OK, let's pretend to be a different browser. I used the User-Agent Switcher Firefox plugin and changed the user agent to The Catcher/1.0/2022 (the backslashes in the response are just JSON escaping of the slashes, they are not part of the string). Now the server returns:
{"debugInfo":"Detected unsupported OS! Only MessengerOS is supported.","message":"Unsupported OS!"}
Well then, let's change the user agent to The Catcher/1.0/2022 (MessengerOS). Ah, finally a different page is shown, but the window where I expected the FLAG to appear is an iframe and the browser refuses to load it. No wonder: the server sends the X-Frame-Options: DENY header with the framed page and the browser honours it by not rendering that page inside a frame. Way too lazy to find a clean solution (opening the iframe's src URL directly in a new tab usually does the job, since X-Frame-Options only restricts framing), I just installed a plugin to ignore the X-Frame-Options header and finally the page loaded with the FLAG inside. Copy the FLAG and you are done.
Well, not exactly; as the final catch, the JavaScript on the page changes the copied text! Just retype it manually or, if you are lazy, disable JavaScript on the page. Note that every check in this challenge (screen size, user agent, OS) is made on values the client itself supplies, so none of them is a real access control: anything the browser sends, you can send.
The link points to a simple HTML webpage, and the page informs you the package was already claimed. The hint says something about the page being old and archived. Archived, not archaic? Aha, just look the page up in the Wayback Machine, go a few weeks into the past and you've got the FLAG!
Find the FLAG inside the TXT record of the
dig txt mysterious-delivery.tcc @ns1.mysterious-delivery.thecatch.cz
Hmm, no TXT record for this domain? The hint mentions DNSSEC:
dig +dnssec mysterious-delivery.tcc @ns2.mysterious-delivery.thecatch.cz
Aha, the NSEC record points to another name in the zone (its "next owner name" field, the thing that makes DNSSEC zone walking possible). Still no TXT there, but after a few hops I finally got a TXT record; the FLAG was not in it, though. After a few more iterations I got bored and wrote a script to follow the linked records for me. After running for a few minutes no FLAG was found in the TXT records, but the names wrapped around and started from the beginning, so the whole chain had been walked. Hmm, let's take a look at all the TXT records. Ah, I was blind, one of the records contains a string with a secret code, but the code itself is base64 encoded; decode it and you've got the FLAG.
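What the script had to do, as an added example (not the writeup author's code): follow the NSEC chain from the zone apex until the next-name pointer wraps around to a name already seen, collect the TXT records of every name visited, and scan them for a FLAG either in clear text or hidden in a base64 blob. DNS queries go through a lookup callback so the walk runs offline against a constructed toy zone; with dnspython the callback would call dns.resolver.resolve(name, rtype) and return str(rdata) for each answer, whose first whitespace-separated token is the next name for NSEC. The toy zone's subdomains, records and flag are made up.

```python
"""Walk a DNSSEC zone through its NSEC chain, gather TXT records and look for
a base64-encoded flag.

Added example, not the writeup author's script. Lookups go through a callback
so the walk runs offline against TOY_ZONE (constructed names, records and
flag). A dnspython-backed callback would return str(rdata) for each answer of
dns.resolver.resolve(name, rtype).
"""
import base64
import re

FLAG_PATTERN = re.compile(r"FLAG\{[^}]*\}")
# Runs of base64 alphabet at least 16 chars long, optional padding.
B64_PATTERN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def walk_nsec_chain(lookup, start):
    """Follow NSEC next-name pointers from `start` until the chain wraps
    around to a name already seen. Returns the names in walk order.
    NSEC presentation form is "<next name> <type bitmap>"; the first token is
    all that is needed to hop to the next name in the zone."""
    seen, order, name = set(), [], start
    while name not in seen:
        seen.add(name)
        order.append(name)
        nsecs = lookup(name, "NSEC")
        if not nsecs:
            break                      # no NSEC: unsigned zone or end of data
        name = nsecs[0].split()[0]
    return order


def collect_txt(lookup, names):
    """name -> list of TXT strings with the surrounding quotes removed."""
    return {n: [s.strip('"') for s in lookup(n, "TXT")] for n in names}


def find_flag(txt_by_name):
    """First FLAG{...} found in clear text or inside a base64 blob in any TXT
    record, or None. Blobs that are not valid base64 / UTF-8 are skipped."""
    for strings in txt_by_name.values():
        for s in strings:
            m = FLAG_PATTERN.search(s)
            if m:
                return m.group(0)
            for blob in B64_PATTERN.findall(s):
                try:
                    decoded = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8")
                except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
                    continue
                m = FLAG_PATTERN.search(decoded)
                if m:
                    return m.group(0)
    return None


# Constructed toy zone. The apex name is the challenge domain; the subdomains,
# records and flag are invented. The last NSEC points back to the apex.
EXAMPLE_FLAG = "FLAG{constructed-example-flag}"
ENCODED = base64.b64encode(EXAMPLE_FLAG.encode()).decode()
APEX = "mysterious-delivery.tcc."
TOY_ZONE = {
    APEX: {"NSEC": ["depot.mysterious-delivery.tcc. A NSEC RRSIG TXT"],
           "TXT": ['"v=spf1 -all"']},
    "depot.mysterious-delivery.tcc.": {"NSEC": ["vault.mysterious-delivery.tcc. NSEC RRSIG TXT"],
                                       "TXT": ['"nothing to see here"']},
    "vault.mysterious-delivery.tcc.": {"NSEC": [APEX + " NSEC RRSIG TXT"],
                                       "TXT": ['"secret code: ' + ENCODED + '"']},
}


def toy_lookup(name, rtype):
    """Offline stand-in for a resolver: answers from TOY_ZONE."""
    return TOY_ZONE.get(name, {}).get(rtype, [])


def solve_zone(lookup=toy_lookup, start=APEX):
    """Walk the chain, read every TXT, return the flag (or None)."""
    return find_flag(collect_txt(lookup, walk_nsec_chain(lookup, start)))


if __name__ == "__main__":
    print(walk_nsec_chain(toy_lookup, APEX))
    print(solve_zone())
```

The wrap-around test is the important detail: an NSEC chain is circular by design (the last name points back to the apex), so a walker that only stops when it finds the flag never terminates when the flag is not in plain sight, which is exactly the "running for a few minutes" the writeup describes.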
There's an archive with thousands of labels; each has a background color corresponding to the delivery team and a package image whose color represents the shipping team, and you are supposed to find one specific combination of team and delivery status. I'm not insane enough to do it manually, so I wrote a simple script to do it for me. The script is simple: go through all the files, check each image at specific coordinates for the background color and the package color and see if they match the expected values. The only catch is that the colors are not exactly the same as in the color chart, so I had to modify the script to find an approximate color: simply calculate the distance on all three RGB channels from the expected one and check if the sum of the distances is small enough. Rough, but simple and working well.
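The approximate-color test from the paragraph above, as an added example (not the writeup author's script). Images are modelled as a callable (x, y) -> (r, g, b) so the block runs without an image library or any files; with Pillow the same callable is Image.open(path).convert("RGB").getpixel. The team color chart, the sample coordinates, the tolerance and the sample labels are all constructed for illustration.

```python
"""Sort label images by approximate colour sampled at fixed coordinates.

Added example, not the writeup author's script. The match rule is the one the
writeup describes: sum of per-channel |difference| from the reference colour
must not exceed a tolerance. TEAM_COLOURS, the coordinates, TOLERANCE and
SAMPLE_LABELS are constructed; an image is any callable (x, y) -> (r, g, b).
"""

# Constructed colour chart: team -> reference RGB.
TEAM_COLOURS = {
    "red team":   (220, 40, 40),
    "blue team":  (30, 90, 200),
    "green team": (40, 170, 60),
}
BACKGROUND_XY = (5, 5)      # a point that is always plain label background
PACKAGE_XY = (60, 40)       # a point that is always inside the package drawing
TOLERANCE = 30              # largest |dR|+|dG|+|dB| still counted as "same colour"


def colour_distance(a, b):
    """Manhattan distance between two RGB triples: cheap, and good enough to
    absorb the few units per channel that compression and anti-aliasing add."""
    return sum(abs(x - y) for x, y in zip(a, b))


def nearest_team(rgb, chart=TEAM_COLOURS, tolerance=TOLERANCE):
    """Team whose reference colour is closest to rgb, or None when nothing in
    the chart lies within tolerance (so an unexpected colour is reported rather
    than silently snapped to the least-wrong team)."""
    best = min(chart, key=lambda team: colour_distance(rgb, chart[team]))
    return best if colour_distance(rgb, chart[best]) <= tolerance else None


def classify_label(getpixel):
    """(delivery team from the background, shipping team from the package)."""
    return nearest_team(getpixel(BACKGROUND_XY)), nearest_team(getpixel(PACKAGE_XY))


def find_labels(labels, delivery, shipping):
    """Names of the labels whose background matches `delivery` and whose
    package colour matches `shipping`, in input order."""
    return [name for name, getpixel in labels.items()
            if classify_label(getpixel) == (delivery, shipping)]


def fake_image(background, package):
    """Constructed stand-in for a rendered label: the package colour at the
    package sample point, the background colour everywhere else."""
    return lambda xy: package if xy == PACKAGE_XY else background


# Constructed sample labels. The colours are deliberately a few units off the
# chart values, the way real renders are, so exact comparison would miss them.
SAMPLE_LABELS = {
    "label-0001.png": fake_image((223, 38, 44), (33, 88, 198)),    # red bg, blue pkg
    "label-0002.png": fake_image((42, 168, 63), (221, 41, 40)),    # green bg, red pkg
    "label-0003.png": fake_image((219, 42, 39), (27, 93, 204)),    # red bg, blue pkg
    "label-0004.png": fake_image((128, 128, 128), (33, 88, 198)),  # grey bg: not in chart
}


def find_matching_labels(delivery="red team", shipping="blue team"):
    return find_labels(SAMPLE_LABELS, delivery, shipping)


if __name__ == "__main__":
    for name, getpixel in SAMPLE_LABELS.items():
        print(name, classify_label(getpixel))
    print("matches:", find_matching_labels())
```

Two practical points the toy hides: sample a few pixels around each coordinate (or a small average) rather than a single one, since one stray pixel on an edge can fall outside the tolerance, and keep the tolerance tight enough that the chart colours stay further apart from each other than the tolerance, otherwise two teams become indistinguishable.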
You are presented with a zip file. Inside is a text file and a rar archive. The archive contains several files, but none seems to contain any FLAG, even after deeper inspection with the strings and binwalk tools. I've also tried to gamble on the images, checking whether the flag is hidden there as #FFFFFE text on a #FFFFFF background or something like that, but with no luck. The first attempt to analyze the rar file itself also failed: the archive seemed to be OK, the checksum was correct, it was not corrupted or anything. But the hint mentioned NTFS; why NTFS when there's an archive with a PDF and a few images?
Running binwalk on the archive revealed a hidden VMware disk image. Aha, just mount it as NTFS and take a look inside. The first few attempts to mount it failed as there was no partition table, and I only discovered this the evening before the last day and didn't really have time to dig deeper. For the record, a carved image without a partition table is usually one of two things: a bare filesystem, which mounts directly (or with mount -o offset=N once you know where the NTFS boot sector actually sits inside the carved blob), or a sparse VMDK, which is not a raw disk at all and needs qemu-img convert -f vmdk -O raw before anything can be mounted.
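Finding where the filesystem really starts is the step that was missing, so here it is as an added example (not the writeup author's code): scan a blob for NTFS boot sectors, which carry the OEM ID "NTFS    " at byte 3 and the 0x55AA boot signature at bytes 510-511, decode a few BIOS-parameter-block fields as a sanity check, and print the mount command with the right offset. The image bytes are constructed (a minimal fake boot sector dropped into zero filler), not the challenge's VMware image.

```python
"""Locate NTFS volumes inside an arbitrary blob (a carved disk image with no
partition table) and report the offset needed to mount one.

Added example, not the writeup author's code. An NTFS boot sector has the OEM
ID "NTFS    " at offset 3 and 0x55AA at offset 510; the BPB fields read
below sit at their documented NTFS offsets. make_fake_image() builds a
constructed test image; it is not the challenge's disk image.
"""
import struct

OEM_ID = b"NTFS    "            # "NTFS" followed by four spaces
BOOT_SIGNATURE = b"\x55\xAA"
SECTOR = 512


def parse_ntfs_boot_sector(bs):
    """Decode the NTFS BIOS-parameter-block fields we care about from one
    512-byte boot sector."""
    bytes_per_sector, = struct.unpack_from("<H", bs, 0x0B)
    sectors_per_cluster = bs[0x0D]
    total_sectors, = struct.unpack_from("<Q", bs, 0x28)
    mft_cluster, = struct.unpack_from("<Q", bs, 0x30)
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "total_sectors": total_sectors,
        "mft_cluster": mft_cluster,
        "volume_size": total_sectors * bytes_per_sector,
    }


def find_ntfs_volumes(blob, step=SECTOR):
    """Offsets in `blob` that look like the start of an NTFS volume, with the
    parsed BPB. Volumes start on sector boundaries, so stepping by 512 bytes
    is enough and avoids hits on the word "NTFS" inside ordinary file data."""
    hits = []
    for off in range(0, len(blob) - SECTOR + 1, step):
        if blob[off + 3:off + 11] != OEM_ID or blob[off + 510:off + 512] != BOOT_SIGNATURE:
            continue
        info = parse_ntfs_boot_sector(blob[off:off + SECTOR])
        if info["bytes_per_sector"] not in (512, 1024, 2048, 4096):
            continue                    # implausible BPB: not a real boot sector
        info["offset"] = off
        hits.append(info)
    return hits


def mount_hint(blob, image_name="image.bin", mountpoint="/mnt"):
    """mount(8) command line for the first NTFS volume found, or None."""
    vols = find_ntfs_volumes(blob)
    if not vols:
        return None
    return f"mount -o ro,loop,offset={vols[0]['offset']} -t ntfs {image_name} {mountpoint}"


def make_fake_image(volume_offset=4096, total_sectors=2048):
    """Constructed test image: zero filler, then a minimal NTFS boot sector,
    then a little more filler. Only the fields our parser reads are set."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"                       # x86 jump over the BPB
    bs[3:11] = OEM_ID
    struct.pack_into("<H", bs, 0x0B, 512)           # bytes per sector
    bs[0x0D] = 8                                    # sectors per cluster (4 KiB clusters)
    bs[0x15] = 0xF8                                 # media descriptor: fixed disk
    struct.pack_into("<Q", bs, 0x28, total_sectors)  # total sectors
    struct.pack_into("<Q", bs, 0x30, 4)             # $MFT starts at cluster 4
    struct.pack_into("<Q", bs, 0x38, total_sectors // 2 // 8)  # $MFTMirr cluster
    bs[510:512] = BOOT_SIGNATURE
    return bytes(volume_offset) + bytes(bs) + bytes(SECTOR * 4)


if __name__ == "__main__":
    img = make_fake_image()
    for vol in find_ntfs_volumes(img):
        print(vol)
    print(mount_hint(img))
```

Run it over the carved file and use the reported offset with mount -o offset=N (the filesystem type is ntfs with ntfs-3g or ntfs3 with the in-kernel driver). If the scan finds nothing, the carved blob is probably not raw; a sparse VMDK must be converted with qemu-img convert -f vmdk -O raw before this scan will see a boot sector.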
You are presented with an email with a link inside pointing to a fake webpage. After some looking around the JavaScript on the page I was able to submit valid-looking credit card data, resulting in the page reloading with a PHP warning message. I guess I could try to inject some SQL code as the inputs are probably not validated on the server, but I only spent a few minutes on this, not really having enough time to dive deeper.