I am a Hacker (noooooot)… When DEV discovers a new world
No… I am still just a Dev… however, for the past 3 days I have been feeling like Hackerman.
This past 4th March there was a Capture the Flag event. It was a mix of Binary Exploits, Cryptography, Forensics, Miscellaneous, Reverse Engineering, Steganography and Web challenges.
My wife told me about it and I went to the site to try something.
At the beginning, it was a little bit frustrating and boring…
Not one challenge made sense…
So my wife mentioned a shell command I had never heard about: strings
A new world opened to me. It was incredible… It was epic… What had I been doing my entire life!? How could I have never heard about it!?
I guess you could think I am stupid or an idiot… however, take a look at this picture of one challenge:
Download it and run strings <file>
…
…
…
…
…
…
…
…
seems like you are still a noobie at bash .. Have a closer look !! … :D .
Now I opened every file and ran strings, searching for some tip.
Here are some of the challenges:
Answer to Everything
Shal has got a binary. It contains the name of a wise man and his flag. He is unable to solve it.
Submit the flag to unlock the secrets of the universe.
NOTE :- Please enclose the flag in the format pragyanctf{<flag>}.
Hint! Sometimes, the best place to hide is plain sight.
Hint! SHAl didn't try one thing, which is what he is.
- File : main.exe
strings didn't help me a lot with this file, so I ran chmod +x and ./main.exe and received the following message:
Whatever I typed, I only received YOUSUCK. So I thought… What is the answer to everything? Yes… 42
I tried #kdudpeh and kdudpeh (submitted without any tags), however, I failed… You can find the answer here.
Shane and the binary files
Shane is a part of one of the teams in the FBI, which is currently handling a very weird cyber crime case. As a part of the investigation, Shane was asked to analyze a series of binary files, one of which is known to give out a password. Shane got the files in a zip file named "parallel.zip". Could you help him do it ?
NOTE :- Please enclose the flag in the format pragyanctf{<flag>}.
- File : parallel.zip
This challenge was a matter of honor to me.
Java is the language I work with most, and when I extracted the zip file there were 3 .class files:
- afadf2sd98qeb24t2.class
- nq2eige2ig2323f.class
- nq2eige2ig2323f$g9824biuebfiue2u3.class
So I decompiled them using http://www.javadecompilers.com and got the Java files.
Since the third file was a .class generated by an inner class, I ignored it and put the first and second files in the same package in Eclipse.
The first file didn't do much:
import java.util.concurrent.TimeUnit;
class afadf2sd98qeb24t2 {
    afadf2sd98qeb24t2() {}
    public static void main(String[] paramArrayOfString) {
        try {
            TimeUnit.MINUTES.sleep(5L);
            System.exit(0);
        }
        catch (Exception localException) {}
    }
}
So I paid close attention to the second one:
import java.util.Vector;
class nq2eige2ig2323f
{
nq2eige2ig2323f() {}
private static void commands(String paramString, char[] paramArrayOfChar) {
try {
Vector localVector = new Vector();
localVector.add("" + paramArrayOfChar[4] + paramArrayOfChar[13] + paramArrayOfChar[5] + paramArrayOfChar[13]);
localVector.add("" + paramArrayOfChar[13] + paramArrayOfChar[22] + paramArrayOfChar[13] + paramArrayOfChar[7] + paramArrayOfChar[22] + paramArrayOfChar[52] + paramArrayOfChar[25] + paramArrayOfChar[7] + paramArrayOfChar[59] + paramArrayOfChar[58] + paramArrayOfChar[3] + paramArrayOfChar[8] + paramArrayOfChar[9] + paramArrayOfChar[52] + paramArrayOfChar[54] + paramArrayOfChar[10] + paramArrayOfChar[52]);
localVector.add("-" + paramArrayOfChar[49] + paramArrayOfChar[14] + paramArrayOfChar[13] + paramArrayOfChar[15] + paramArrayOfChar[8] + "\"" + paramString + "\"");
ProcessBuilder localProcessBuilder = new ProcessBuilder(localVector);
Process localProcess = localProcessBuilder.start();
java.util.concurrent.TimeUnit.MINUTES.sleep(5L);
localProcess.destroy();
}
catch (Exception localException)
{
System.out.println(localException);
}
}
private static final boolean[] done = new boolean[1];
private static String ga1(char[] paramArrayOfChar)
{
return "" + paramArrayOfChar[57] + paramArrayOfChar[56] + paramArrayOfChar[9] + paramArrayOfChar[7] + paramArrayOfChar[54] + paramArrayOfChar[53] + paramArrayOfChar[13] + paramArrayOfChar[60] + paramArrayOfChar[57] + paramArrayOfChar[54] + paramArrayOfChar[22] + paramArrayOfChar[23] + paramArrayOfChar[55] + paramArrayOfChar[57] + paramArrayOfChar[55] + paramArrayOfChar[13] + paramArrayOfChar[7] + paramArrayOfChar[23] + paramArrayOfChar[60] + paramArrayOfChar[51] + paramArrayOfChar[13] + paramArrayOfChar[13] + paramArrayOfChar[57] + paramArrayOfChar[54] + paramArrayOfChar[58] + paramArrayOfChar[9] + paramArrayOfChar[8] + paramArrayOfChar[56] + paramArrayOfChar[53] + paramArrayOfChar[54] + paramArrayOfChar[59] + paramArrayOfChar[23] + paramArrayOfChar[39];
}
private static String ga(char[] paramArrayOfChar)
{
return "" + paramArrayOfChar[47] + paramArrayOfChar[19] + paramArrayOfChar[8] + paramArrayOfChar[61] + paramArrayOfChar[11] + paramArrayOfChar[8] + paramArrayOfChar[3] + paramArrayOfChar[20] + paramArrayOfChar[2] + paramArrayOfChar[11] + paramArrayOfChar[8] + paramArrayOfChar[7] + paramArrayOfChar[61] + paramArrayOfChar[1] + paramArrayOfChar[8] + paramArrayOfChar[24] + paramArrayOfChar[61] + paramArrayOfChar[2] + paramArrayOfChar[25] + paramArrayOfChar[61] + paramArrayOfChar[57] + paramArrayOfChar[56] + paramArrayOfChar[9] + paramArrayOfChar[7] + paramArrayOfChar[54] + paramArrayOfChar[53] + paramArrayOfChar[13] + paramArrayOfChar[60] + paramArrayOfChar[57] + paramArrayOfChar[54] + paramArrayOfChar[22] + paramArrayOfChar[23] + paramArrayOfChar[55] + paramArrayOfChar[57] + paramArrayOfChar[55] + paramArrayOfChar[13] + paramArrayOfChar[7] + paramArrayOfChar[23] + paramArrayOfChar[60] + paramArrayOfChar[51] + paramArrayOfChar[13] + paramArrayOfChar[13] + paramArrayOfChar[57] + paramArrayOfChar[54] + paramArrayOfChar[58] + paramArrayOfChar[9] + paramArrayOfChar[8] + paramArrayOfChar[56] + paramArrayOfChar[53] + paramArrayOfChar[54] + paramArrayOfChar[59] + paramArrayOfChar[23] + paramArrayOfChar[39];
}
private static String s1(char[] paramArrayOfChar)
{
return "" + paramArrayOfChar[48] + paramArrayOfChar[0] + paramArrayOfChar[44] + paramArrayOfChar[21] + paramArrayOfChar[39] + paramArrayOfChar[10] + paramArrayOfChar[16] + paramArrayOfChar[32] + paramArrayOfChar[56] + paramArrayOfChar[57] + paramArrayOfChar[29] + paramArrayOfChar[45] + paramArrayOfChar[58] + paramArrayOfChar[59] + paramArrayOfChar[6] + paramArrayOfChar[7] + paramArrayOfChar[37] + paramArrayOfChar[2] + paramArrayOfChar[26] + paramArrayOfChar[26] + paramArrayOfChar[12] + paramArrayOfChar[41] + paramArrayOfChar[6] + paramArrayOfChar[4] + paramArrayOfChar[39] + paramArrayOfChar[25] + paramArrayOfChar[28] + paramArrayOfChar[16] + paramArrayOfChar[56] + paramArrayOfChar[43] + paramArrayOfChar[41] + paramArrayOfChar[31] + paramArrayOfChar[47] + paramArrayOfChar[14] + paramArrayOfChar[52] + paramArrayOfChar[49] + paramArrayOfChar[31] + paramArrayOfChar[15] + paramArrayOfChar[58] + paramArrayOfChar[46] + paramArrayOfChar[39] + paramArrayOfChar[53] + paramArrayOfChar[34] + paramArrayOfChar[33] + paramArrayOfChar[33] + paramArrayOfChar[65] + paramArrayOfChar[35] + paramArrayOfChar[17] + paramArrayOfChar[42] + paramArrayOfChar[9] + paramArrayOfChar[18] + paramArrayOfChar[13] + paramArrayOfChar[19] + paramArrayOfChar[4] + paramArrayOfChar[21] + paramArrayOfChar[1] + paramArrayOfChar[21] + paramArrayOfChar[32] + paramArrayOfChar[59] + paramArrayOfChar[43];
}
private static String s2(char[] paramArrayOfChar) {
return "" + paramArrayOfChar[4] + paramArrayOfChar[36] + paramArrayOfChar[50] + paramArrayOfChar[21] + paramArrayOfChar[23] + paramArrayOfChar[13] + paramArrayOfChar[36] + paramArrayOfChar[16] + paramArrayOfChar[10] + paramArrayOfChar[18] + paramArrayOfChar[35] + paramArrayOfChar[42] + paramArrayOfChar[49] + paramArrayOfChar[55] + paramArrayOfChar[54] + paramArrayOfChar[2] + paramArrayOfChar[30] + paramArrayOfChar[8] + paramArrayOfChar[23] + paramArrayOfChar[32] + paramArrayOfChar[30] + paramArrayOfChar[19] + paramArrayOfChar[24] + paramArrayOfChar[52] + paramArrayOfChar[53] + paramArrayOfChar[47] + paramArrayOfChar[56] + paramArrayOfChar[57] + paramArrayOfChar[44] + paramArrayOfChar[4] + paramArrayOfChar[2] + paramArrayOfChar[46] + paramArrayOfChar[28] + paramArrayOfChar[56] + paramArrayOfChar[52] + paramArrayOfChar[53] + paramArrayOfChar[51] + paramArrayOfChar[1] + paramArrayOfChar[34] + paramArrayOfChar[42] + paramArrayOfChar[53] + paramArrayOfChar[50] + paramArrayOfChar[34] + paramArrayOfChar[29] + paramArrayOfChar[52] + paramArrayOfChar[15] + paramArrayOfChar[30] + paramArrayOfChar[65] + paramArrayOfChar[0] + paramArrayOfChar[31] + paramArrayOfChar[57] + paramArrayOfChar[25] + paramArrayOfChar[5] + paramArrayOfChar[48] + paramArrayOfChar[41] + paramArrayOfChar[43] + paramArrayOfChar[41] + paramArrayOfChar[32] + paramArrayOfChar[40] + paramArrayOfChar[17] + paramArrayOfChar[58] + paramArrayOfChar[60] + paramArrayOfChar[27];
}
private static String s3(char[] paramArrayOfChar) {
return "" + paramArrayOfChar[38] + paramArrayOfChar[45] + paramArrayOfChar[59] + paramArrayOfChar[37] + paramArrayOfChar[50] + paramArrayOfChar[49] + paramArrayOfChar[48] + paramArrayOfChar[52] + paramArrayOfChar[56] + paramArrayOfChar[21] + paramArrayOfChar[17] + paramArrayOfChar[43] + paramArrayOfChar[14] + paramArrayOfChar[44] + paramArrayOfChar[6] + paramArrayOfChar[23] + paramArrayOfChar[13] + paramArrayOfChar[52] + paramArrayOfChar[39];
}
private static String s4(char[] paramArrayOfChar) {
return "" + paramArrayOfChar[53] + paramArrayOfChar[55] + paramArrayOfChar[55] + paramArrayOfChar[3] + paramArrayOfChar[39] + paramArrayOfChar[56] + paramArrayOfChar[15] + paramArrayOfChar[58] + paramArrayOfChar[32] + paramArrayOfChar[37] + paramArrayOfChar[37] + paramArrayOfChar[45] + paramArrayOfChar[57] + paramArrayOfChar[60] + paramArrayOfChar[33] + paramArrayOfChar[41] + paramArrayOfChar[57] + paramArrayOfChar[42] + paramArrayOfChar[50] + paramArrayOfChar[27] + paramArrayOfChar[31] + paramArrayOfChar[43] + paramArrayOfChar[42];
}
public static void main(String[] paramArrayOfString)
{
int i = 0;
char[] arrayOfChar = new char[100];
arrayOfChar[0] = 'l';
arrayOfChar[1] = 'k';
arrayOfChar[2] = 'i';
arrayOfChar[3] = 'q';
arrayOfChar[4] = 'j';
arrayOfChar[5] = 'v';
arrayOfChar[6] = 'o';
arrayOfChar[7] = 'd';
arrayOfChar[8] = 'e';
arrayOfChar[9] = 'b';
arrayOfChar[10] = 't';
arrayOfChar[11] = 'r';
arrayOfChar[12] = 'w';
arrayOfChar[13] = 'a';
arrayOfChar[14] = 'n';
arrayOfChar[15] = 'm';
arrayOfChar[16] = 'p';
arrayOfChar[17] = 'g';
arrayOfChar[18] = 'z';
arrayOfChar[19] = 'h';
arrayOfChar[20] = 'u';
arrayOfChar[21] = 'x';
arrayOfChar[22] = 'f';
arrayOfChar[23] = 'c';
arrayOfChar[24] = 'y';
arrayOfChar[25] = 's';
arrayOfChar[26] = 'E';
arrayOfChar[27] = 'A';
arrayOfChar[28] = 'K';
arrayOfChar[29] = 'V';
arrayOfChar[30] = 'Z';
arrayOfChar[31] = 'F';
arrayOfChar[32] = 'M';
arrayOfChar[33] = 'I';
arrayOfChar[34] = 'H';
arrayOfChar[35] = 'O';
arrayOfChar[36] = 'Y';
arrayOfChar[37] = 'B';
arrayOfChar[38] = 'L';
arrayOfChar[39] = 'C';
arrayOfChar[40] = 'Q';
arrayOfChar[41] = 'N';
arrayOfChar[42] = 'J';
arrayOfChar[43] = 'W';
arrayOfChar[44] = 'S';
arrayOfChar[45] = 'G';
arrayOfChar[46] = 'U';
arrayOfChar[47] = 'T';
arrayOfChar[48] = 'P';
arrayOfChar[49] = 'D';
arrayOfChar[50] = 'R';
arrayOfChar[51] = '1';
arrayOfChar[52] = '2';
arrayOfChar[53] = '3';
arrayOfChar[54] = '4';
arrayOfChar[55] = '5';
arrayOfChar[56] = '6';
arrayOfChar[57] = '7';
arrayOfChar[58] = '8';
arrayOfChar[59] = '9';
arrayOfChar[60] = '0';
arrayOfChar[61] = '_';
arrayOfChar[62] = '.';
arrayOfChar[63] = '!';
arrayOfChar[64] = '\'';
arrayOfChar[65] = ' ';
java.util.Random localRandom = new java.util.Random();
while (i < 4) {
void tmp421_418 = new nq2eige2ig2323f();tmp421_418.getClass();localObject = new nq2eige2ig2323f.g9824biuebfiue2u3(tmp421_418, i != 0, localRandom.nextInt(4) + 1);
new Thread((Runnable)localObject).start();
i++;
}
System.out.println("Enter in a key to unlock :\n");
Object localObject = new java.util.Scanner(System.in);
String str1 = ((java.util.Scanner)localObject).nextLine();
String str2 = ga1(arrayOfChar);
if (java.util.Objects.equals(str1, str2))
{
System.out.println("" + arrayOfChar[39] + arrayOfChar[6] + arrayOfChar[14] + arrayOfChar[17] + arrayOfChar[11] + arrayOfChar[13] + arrayOfChar[10] + arrayOfChar[20] + arrayOfChar[0] + arrayOfChar[13] + arrayOfChar[10] + arrayOfChar[2] + arrayOfChar[6] + arrayOfChar[14] + arrayOfChar[25] + arrayOfChar[65] + arrayOfChar[63] + arrayOfChar[65] + arrayOfChar[36] + arrayOfChar[6] + arrayOfChar[20] + arrayOfChar[64] + arrayOfChar[11] + arrayOfChar[8] + arrayOfChar[65] + arrayOfChar[11] + arrayOfChar[2] + arrayOfChar[17] + arrayOfChar[19] + arrayOfChar[10] + arrayOfChar[65] + arrayOfChar[63] + arrayOfChar[65] + arrayOfChar[47] + arrayOfChar[19] + arrayOfChar[8] + arrayOfChar[65] + arrayOfChar[22] + arrayOfChar[0] + arrayOfChar[13] + arrayOfChar[17] + arrayOfChar[65] + arrayOfChar[2] + arrayOfChar[25] + arrayOfChar[65] + arrayOfChar[13] + arrayOfChar[28] + arrayOfChar[32] + arrayOfChar[3] + arrayOfChar[45] + arrayOfChar[21] + arrayOfChar[25] + arrayOfChar[54] + arrayOfChar[7] + arrayOfChar[20] + arrayOfChar[28] + arrayOfChar[57] + arrayOfChar[48] + arrayOfChar[21] + arrayOfChar[32] + arrayOfChar[53] + arrayOfChar[53] + arrayOfChar[37] + arrayOfChar[0] + arrayOfChar[14]);
System.exit(0);
}
else
{
System.out.println("" + arrayOfChar[27] + arrayOfChar[19] + arrayOfChar[63] + arrayOfChar[65] + arrayOfChar[41] + arrayOfChar[6] + arrayOfChar[10] + arrayOfChar[19] + arrayOfChar[2] + arrayOfChar[14] + arrayOfChar[17] + arrayOfChar[65] + arrayOfChar[19] + arrayOfChar[8] + arrayOfChar[11] + arrayOfChar[8] + arrayOfChar[65] + arrayOfChar[63]);
System.exit(0);
}
}
}
I had a problem with these lines:
    while (i < 4) {
        void tmp421_418 = new nq2eige2ig2323f();tmp421_418.getClass();localObject = new nq2eige2ig2323f.g9824biuebfiue2u3(tmp421_418, i != 0, localRandom.nextInt(4) + 1);
        new Thread((Runnable)localObject).start();
        i++;
    }
WTH was void tmp421_418!? How can an object be of type void!? So I decided to comment out this entire structure and run the code.
Voilà… the following message appeared on the console: Enter in a key to unlock:
I tried something and: Ah! Nothing here!
Then I took a look at this structure:
    System.out.println("Enter in a key to unlock :\n");
    Object localObject = new java.util.Scanner(System.in);
    String str1 = ((java.util.Scanner)localObject).nextLine();
    String str2 = ga1(arrayOfChar);
    if (java.util.Objects.equals(str1, str2))
    {
        ...
    } else {
        ...
    }
Well… how about negating the conditional with '!'?
if (!java.util.Objects.equals(str1, str2))
Running again:
Congratulations ! You’re right ! The flag is aKMqGxs4duK7PxM33Bln
It was real… I was hackerman…
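The key and the hidden command line can also be read out of the decompiled source without running or patching it, by resolving the index lookups against the character table. This Ruby script is an added example, not part of the original post; SRC is an excerpt of the decompiled source above with statements joined onto fewer lines, and the function names are this example's own.

```ruby
# Added example: statically resolve the index-obfuscated strings.
# SRC = the arrayOfChar table, the first two localVector.add(...) calls from
# commands(), and the return statement of ga1(), copied from the source above.
SRC = <<~'JAVA'
  arrayOfChar[0] = 'l'; arrayOfChar[1] = 'k'; arrayOfChar[2] = 'i'; arrayOfChar[3] = 'q'; arrayOfChar[4] = 'j'; arrayOfChar[5] = 'v'; arrayOfChar[6] = 'o'; arrayOfChar[7] = 'd'; arrayOfChar[8] = 'e'; arrayOfChar[9] = 'b'; arrayOfChar[10] = 't';
  arrayOfChar[11] = 'r'; arrayOfChar[12] = 'w'; arrayOfChar[13] = 'a'; arrayOfChar[14] = 'n'; arrayOfChar[15] = 'm'; arrayOfChar[16] = 'p'; arrayOfChar[17] = 'g'; arrayOfChar[18] = 'z'; arrayOfChar[19] = 'h'; arrayOfChar[20] = 'u'; arrayOfChar[21] = 'x';
  arrayOfChar[22] = 'f'; arrayOfChar[23] = 'c'; arrayOfChar[24] = 'y'; arrayOfChar[25] = 's'; arrayOfChar[26] = 'E'; arrayOfChar[27] = 'A'; arrayOfChar[28] = 'K'; arrayOfChar[29] = 'V'; arrayOfChar[30] = 'Z'; arrayOfChar[31] = 'F'; arrayOfChar[32] = 'M';
  arrayOfChar[33] = 'I'; arrayOfChar[34] = 'H'; arrayOfChar[35] = 'O'; arrayOfChar[36] = 'Y'; arrayOfChar[37] = 'B'; arrayOfChar[38] = 'L'; arrayOfChar[39] = 'C'; arrayOfChar[40] = 'Q'; arrayOfChar[41] = 'N'; arrayOfChar[42] = 'J'; arrayOfChar[43] = 'W';
  arrayOfChar[44] = 'S'; arrayOfChar[45] = 'G'; arrayOfChar[46] = 'U'; arrayOfChar[47] = 'T'; arrayOfChar[48] = 'P'; arrayOfChar[49] = 'D'; arrayOfChar[50] = 'R'; arrayOfChar[51] = '1'; arrayOfChar[52] = '2'; arrayOfChar[53] = '3'; arrayOfChar[54] = '4';
  arrayOfChar[55] = '5'; arrayOfChar[56] = '6'; arrayOfChar[57] = '7'; arrayOfChar[58] = '8'; arrayOfChar[59] = '9'; arrayOfChar[60] = '0'; arrayOfChar[61] = '_'; arrayOfChar[62] = '.'; arrayOfChar[63] = '!'; arrayOfChar[64] = '\''; arrayOfChar[65] = ' ';
  localVector.add("" + paramArrayOfChar[4] + paramArrayOfChar[13] + paramArrayOfChar[5] + paramArrayOfChar[13]);
  localVector.add("" + paramArrayOfChar[13] + paramArrayOfChar[22] + paramArrayOfChar[13] + paramArrayOfChar[7] + paramArrayOfChar[22] + paramArrayOfChar[52] + paramArrayOfChar[25] + paramArrayOfChar[7] + paramArrayOfChar[59] + paramArrayOfChar[58] + paramArrayOfChar[3] + paramArrayOfChar[8] + paramArrayOfChar[9] + paramArrayOfChar[52] + paramArrayOfChar[54] + paramArrayOfChar[10] + paramArrayOfChar[52]);
  return "" + paramArrayOfChar[57] + paramArrayOfChar[56] + paramArrayOfChar[9] + paramArrayOfChar[7] + paramArrayOfChar[54] + paramArrayOfChar[53] + paramArrayOfChar[13] + paramArrayOfChar[60] + paramArrayOfChar[57] + paramArrayOfChar[54] + paramArrayOfChar[22] + paramArrayOfChar[23] + paramArrayOfChar[55] + paramArrayOfChar[57] + paramArrayOfChar[55] + paramArrayOfChar[13] + paramArrayOfChar[7] + paramArrayOfChar[23] + paramArrayOfChar[60] + paramArrayOfChar[51] + paramArrayOfChar[13] + paramArrayOfChar[13] + paramArrayOfChar[57] + paramArrayOfChar[54] + paramArrayOfChar[58] + paramArrayOfChar[9] + paramArrayOfChar[8] + paramArrayOfChar[56] + paramArrayOfChar[53] + paramArrayOfChar[54] + paramArrayOfChar[59] + paramArrayOfChar[23] + paramArrayOfChar[39];
JAVA

# Build index => character from the "arrayOfChar[n] = 'c';" assignments.
# The optional backslash covers the escaped quote in arrayOfChar[64].
def char_table(src)
  src.scan(/arrayOfChar\[(\d+)\] = '(\\?.)';/).to_h { |i, c| [i.to_i, c[-1]] }
end

# Resolve every concatenation chain ('"" + x[n] + ...') to its plain string.
# fetch raises KeyError if a chain uses an index the table does not define.
def resolve_strings(src)
  table = char_table(src)
  src.each_line.select { |line| line.include?('"" +') }.map do |line|
    line.scan(/\w+\[(\d+)\]/).flatten.map { |i| table.fetch(i.to_i) }.join
  end
end

puts resolve_strings(SRC)
```

The first two strings are the command that commands() hands to ProcessBuilder, so the class starts a second JVM on the sleeper class; the third is the key that main() compares the input against.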
MI6
Benji is working with Ethan on another case and has caught some suspicious traffic over the Atlantic. Help Benji decode the sequence.
26 25 30 28 22 25 20 23 21 29 22 24 26 23 21 26 27 20 28 22 25 23 30 29 23 28 24 20 21 26 25 20 23 27 23 29 25 22 23 26 27 29 24 23 30 21 25 24 26 20 24 22 21 30 26 20 25 24 21 23 27 29 26 22 20 21 23 22 30 26 29 26 28 27 22 20 27 29 26 30 28 27 26 23 29 21 22 25 27 24 21 29 25 24 20 25 23 22 30 28 27 29 25 20 24 21 23 20 23 21 29 26
NOTE :- Please enclose the flag in the format pragyanctf{<flag>}.
File : mi6.exe
Once I downloaded the file, I executed strings (yes, strings for everything hahahahahahahahahahahahahaha). I noted the following structure:
#!/bin/bash
export TMPDIR=`mktemp -d /tmp/selfextract.XXXXXX`
ARCHIVE=`awk '/^__ARCHIVE_BELOW__/ {print NR + 1; exit 0; }' $0`
tail -n+$ARCHIVE $0 | tar -xz -C $TMPDIR
CDIR=`pwd`
cd $TMPDIR
./installer reverse_1.rb false
cd $CDIR
rm -rf $TMPDIR
exit 0
Even though it was a .exe, I ran chmod +x and ./mi6.exe
The terminal was waiting for parameters.
I opened my tmp folder and what did I find? The selfextract.XXXXXX folder
It was real… I was hackerman…
Inside the folder, a Ruby class… reverse_1.rb
class Fixnum
  def random_split(set = nil, repeats = false)
    set ||= 1..self
    set = [*set]
    return if set.empty? || set.min > self || set.inject(0, :+) < self
    tried_numbers = []
    while (not_tried = (set - tried_numbers).select {|n| n <= self }).any?
      tried_numbers << number = not_tried.sample
      return [number] if number == self
      new_set = set.dup
      new_set.delete_at(new_set.index(number)) unless repeats
      randomized_rest = (self-number).random_split(new_set, repeats)
      return [number] + randomized_rest if randomized_rest
    end
  end
end
class String
  def ^( other )
    b1 = self.unpack("U*")
    b2 = other.unpack("U*")
    longest = [b1.length,b2.length].max
    b1 = [0]*(longest-b1.length) + b1
    b2 = [0]*(longest-b2.length) + b2
    b1.zip(b2).map{ |a,b| a^b }.pack("U*")
  end
end
a2= Array.new
a= Array.new
string = gets
a=string.upcase.chars
sum = 0
length1 = a.length
for i in 0..a.length-1 ## /n is worth 10 characters change to length-1 at the end
  a[i] = (a[i].ord)^61
  sum = sum + a[i].ord
end
for i in 0..length1-1
  a2[i] = a[i].to_i.random_split(20..30)
end
# Print the final output array which will be used for reversing
for i in 0..a2.length-1
  print a2[i].join(" ") + " "
end
The problem was how to reverse the logic to understand the message… I knew the variables a and a2 were important, and mainly the lines
    a=string.upcase.chars
    a[i] = (a[i].ord)^61
    a2[i] = a[i].to_i.random_split(20..30)
I tried XORing the ASCII codes with 61 to discover the letters, and I actually was able to regenerate the message with this:
a2= Array.new
a= Array.new
string = "'$#!+$)*( +%'*('&)!+$*# *!%)('$)*&* $+*'& %*#($%')%+(#')$%(*& '+)(*+#' '!&+)& '#!&'* (+$&%( $%)$*+#!& $)%(*)*( '"
a=string.upcase.chars
sum = 0
length1 = a.length
However, it didn't make any sense… You can find this challenge's solution here.
You can find all the challenges here. Some of them have no answers…
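One way to invert reverse_1.rb, as an added example that is not part of the original post or the challenge files: regroup the numbers into runs of distinct parts whose sum, XORed with 61, is a plausible character, backtracking where a run is ambiguous. The alphabet and the flag-format filter are assumptions of this example, taken from the challenge note; the function names are its own.

```ruby
# Added example: undo the XOR-61 + random_split(20..30) encoding.
KEY = 61
# Assumed plaintext alphabet after String#upcase: letters, '_', braces and
# the newline that gets leaves at the end of the input line.
# Digits cannot occur: their XORed values are below 20, and random_split
# returns nil for them, so the encoder would fail on join.
ALPHABET = [*"A".."Z", "_", "{", "}", "\n"].freeze
VALUE_TO_CHAR = ALPHABET.to_h { |c| [c.ord ^ KEY, c] }.freeze
MAX_VALUE = VALUE_TO_CHAR.keys.max

# The sequence given in the challenge text.
CAPTURED = <<~SEQ.split.map(&:to_i)
  26 25 30 28 22 25 20 23 21 29 22 24 26 23 21 26 27 20 28 22 25 23 30 29 23 28 24 20
  21 26 25 20 23 27 23 29 25 22 23 26 27 29 24 23 30 21 25 24 26 20 24 22 21 30 26 20
  25 24 21 23 27 29 26 22 20 21 23 22 30 26 29 26 28 27 22 20 27 29 26 30 28 27 26 23
  29 21 22 25 27 24 21 29 25 24 20 25 23 22 30 28 27 29 25 20 24 21 23 20 23 21 29 26
SEQ

# Every way to cut tokens[pos..] into per-character groups. The encoder prints
# no separator between characters, so the boundaries have to be searched for.
# random_split is called with repeats = false, so a part never occurs twice
# inside one group; that and the alphabet prune the search.
def decodings(tokens, pos = 0, memo = {})
  return [""] if pos == tokens.size
  memo[pos] ||= begin
    found = []
    sum = 0
    (pos...tokens.size).each do |i|
      break if tokens[pos...i].include?(tokens[i])  # repeated part: group ended earlier
      sum += tokens[i]
      break if sum > MAX_VALUE
      ch = VALUE_TO_CHAR[sum]
      # A newline is only accepted as the very last character of the line.
      next if ch.nil? || (ch == "\n" && i + 1 < tokens.size)
      decodings(tokens, i + 1, memo).each { |rest| found << ch + rest }
    end
    found
  end
end

# Keep the candidates that fit the flag format from the challenge note
# (upper-cased, because the encoder calls upcase on its input).
def flag_candidates(tokens)
  decodings(tokens).grep(/\APRAGYANCTF\{[A-Z_]+\}\n?\z/)
end

puts flag_candidates(CAPTURED).map(&:inspect)
```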
Well… this new experience was fantastic… I am waiting for the next one