19 Sep 2019

Timisoara Quals 2019 Writeup

Only solved one challenge but hey, it's honest work

Overview

Team Name: acsii
Position: 12
Score: 3726/5826

Timisoara Quals scoreboard with acsii team in 12th place at 3726 points

John

Well I only solved one challenge that required some form of brain, so here goes.

Initial Analysis

We’re given an “image”. Running file, we realize it’s not even a proper PNG due to the magic bytes/file signature. Since we’re told it’s a png, the bytes are probably encrypted. In that case, let’s take a look in a hex editor.

Hexdump of image showing incorrect PNG footer

If we were to scroll all the way down, all PNGs are supposed to end with \x00\x00\x00\x00IEND, instead we see \x7A\x7A\x7A\x7A\x33\x3f\x34\x3e.

Decrypting the PNG

At first we thought it was a caesar cipher. But the differences between ASCII values of \x33 and I was not the same as \x3f and E. However, for all 4 bytes \x7A to be \x00, we will turn to one of our basics of encryption - XOR. We used the script below to XOR all bytes in the image.

x = [chr(int(pngHexStream[i:i+2],16)^0x7a) for i in range(0, len(he), 2)]
f = open('newJohn.png','wb')
f.write(''.join(x).encode("latin_1"))
print (ord(x[0]),x[1])

After that we get an image that we can open … sort of.

An image that has the second half corrupted and appears black

Retrieving the Flag

The image is partially corrupted. Let’s scroll through the hex dump again.

Hexdump of patched image with HATZ-fL4G highlighted

We notice a very odd string HATZ-fL4G which was probably what the clue in the image was trying to tell us. But the text looks like absolute trash so let’s go back to the goto cipher - Caesar Cipher. Using a simple script below we get the flag.

inp = "HATZ-fL4G: WLPFWI~Eudy3bm3kqxoh$"
output = ""
for i in inp:
	output += chr(ord(i)-3)
print (output)

Flag: TIMCTF{Brav0_j0hnule!}