CTF-Writeups

BCACTF 5.0!

Returning for its fifth consecutive year, this high school CTF hosted by the Bergen County Academies offers challenges across various difficulty levels, catering to everyone from beginners to seasoned CTF veterans.

I had the opportunity to participate in BCACTF 2024 as a member of my institute’s club, InfoSecIITR. Our team secured 7th Place globally. These writeups document the challenges I personally solved during the competition. The remaining challenges were tackled by my teammates.

Forensics

Mysterious Melody

Challenge Description

Description

We have received a WAV file.

Solution

So, I opened the WAV file using Sonic Visualizer software. Initially, I was unsure of what to do after examining the Spectrogram. Then, I analyzed the melody range spectrogram and the peak frequency spectrogram.

1
You can add the Spectrogram, Melody Range Spectrogram, and Peak Frequency Spectrogram from the Pane menu.

Spectrogram
Peak

Where I noticed something unusual that resembled Morse code, but it wasn’t. On the left side, there were 16 increasing lines, which matched the base16 hint provided. The hex values for the start of the flag ‘bcactf{‘ corresponded to the highs and lows of the lines on the right side. This clue confirmed it was part of the flag, and from there, we decoded all the highs and lows.

6263616374667B62656175746966756C5F6D656C6F64795F62656175746966756C5F6861726D6F6E797D

Flag

bcactf{beautiful_melody_beautiful_harmony}

Static

Challenge Description

Desc

We have received a MP4 file and the MD5 of a file.

Solution

As the hints suggested, I began searching for the metadata.

1
2
3
$ exiftool static.mp4
Compressor Name                 : Lavc60.31.102 libx264rgb
Encoder                         : StaticMaker https://shorturl.at/AUKZm

Two things seemed sus to me: the Compressor and the Encoder. I then checked the above link for StaticMaker and realized they provided a documentation file with information about the StaticMaker software.

1
2
3
4
5
6
7
8
9
10
11
The StaticMaker ™ utility converts any binary file into a video, suitable for use in … some application somewhere, probably.
The default configuration is width=256, height=256.

The program works by:
1. Compressing the data
2. Padding to a size that is a multiple of (6*width*height) bits
3. Splitting the data into “subframes” of size (2*width*height) bits
4. Writes data to video frames, which each triplet of three consecutive subframes are written to the red, green, and blue channels of one frame, respectively
     Data written in row-major order
     2 bits per pixel per channel
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.

WorkFlow:-

  1. Extraction of Frames:
    Utilizes FFmpeg to extract frames from the video.

  2. Extraction of Pixel Data:
    Decodes the RGB channels of each frame.
    Extracts 2 bits per pixel per channel

  3. Reconstruction of Binary Data:
    Combines the extracted bits into a single stream.
    Reconstructs the original binary data by converting the bits back into bytes.

For Extraction of Frames:-

1
$ ffmpeg -i static.mp4 frame_%04d.png

Using ffmpeg, we extracted 72 frames in PNG format from the MP4 video.

Image 2

Next, I wrote a Python script to accomplish steps 2 and 3.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
import hashlib
from PIL import Image
import numpy as np

def decode_frames(frame_prefix, frame_count, width=256, height=256):
    channels = ['R', 'G', 'B']
    bit_position = 4  # Bit position(4or6) chosen based on successful MD5 checksum match, were taken bitpositions [2,4,6,8]
    
    data_bits = []
    for frame_idx in range(1, frame_count + 1):
        frame_path = f"{frame_prefix}{frame_idx:04d}.png"
        frame = Image.open(frame_path)
        frame = frame.convert("RGB")
        pixels = np.array(frame)
        
        # Extract the specified bits from each color channel
        r_channel = (pixels[:, :, 0] & (0b11 << bit_position)) >> bit_position
        g_channel = (pixels[:, :, 1] & (0b11 << bit_position)) >> bit_position
        b_channel = (pixels[:, :, 2] & (0b11 << bit_position)) >> bit_position
        
        # Flatten the channels and convert to bit strings
        for bits in r_channel.flatten():
            data_bits.append(format(bits, '02b'))
        for bits in g_channel.flatten():
            data_bits.append(format(bits, '02b'))
        for bits in b_channel.flatten():
            data_bits.append(format(bits, '02b'))
    return ''.join(data_bits)

def check_padding(data_bits, width, height):
    size = 6 * width * height
    print("The size is", size)
    actual_size = len(data_bits)
    print('The actual size is ', actual_size)
    if actual_size % size == 0:
        print("Multiple of size")
        # No padding to remove
        return data_bits   # size was already in multiple so need for removing the padding.
    
    # Calculate the number of excess bits to remove
    padding_size = actual_size % size
    
    # Remove the excess bits
    data_bits = data_bits[:-padding_size]
    return data_bits

def bits_to_bytes(data_bits):
    byte_arr = bytearray()
    for i in range(0, len(data_bits), 8):
        byte = data_bits[i:i+8]
        byte_arr.append(int(byte, 2))
    return bytes(byte_arr)

def calculate_md5(data):
    md5 = hashlib.md5(data).hexdigest()
    return md5

# Parameters
frame_prefix = 'frame_'
frame_count = 72  # Total number of frames
width = 256
height = 256

# Decode frames
data_bits = decode_frames(frame_prefix, frame_count, width, height)

# Checking padding
data_bits = check_padding(data_bits, width, height)

# Convert bits to bytes
compressed_data = bits_to_bytes(data_bits)

output_path = 'extracted_data.bin'
with open(output_path, 'wb') as f:
    f.write(compressed_data)
print("Extracted data saved.")

# Calculate and print MD5 checksum
calculated_md5 = calculate_md5(compressed_data)
print(f"MD5 checksum of extracted data after removing padding: {calculated_md5}")

The extracted bin matches the MD5 checksum provided in the description. As I began analyzing the file, I employed several tools. When I used binwalk, it indicated the presence of Zlib compressed data, which I then extracted.

1
2
3
4
5
6
$ binwalk -e extracted_data.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
40522         0x9E4A          Zlib compressed data, default compression

There are two approaches: one is quick and easy, while the other is little time-consuming.
This is the quick and easy method for lazy people like me to get the flag.

1
2
3
4
5
6
7
8
9
10
11
g4rud4:~/Pictures/_extracted_data.bin.extracted$ ls
9E4A  9E4A.zlib
g4rud4:~/Pictures/_extracted_data.bin.extracted$ strings * | grep bcactf{
bootpc[[ --bootfile %bootfile%]] --dev %iface%[[ --server %server%]][[ --hwaddr %hwaddr%]] --returniffail --serverbcast
can't enable bcast on ARP socket
bcache
sbcast
nulsohstxetxeotenqackbel bs ht nl vt ff cr so sidledc1dc2dc3dc4naksynetbcan emsubesc fs gs rs us sp
http-alt    8080/tcp    webcache    # WWW caching service
TTJvQS8TUoKU1xrBeKJR3Stwbbca+few4GeXVtt8YVMJAygCQMez2P2ccGrGKMOF
bcactf{imag3_PROc3sSINg_yaY_2ea104d700c1a8}

Another one is to do it proper way:- 

1
2
3
4
$ zlib-flate -uncompress < 9E4A.zlib > output
$ exiftool output
$ file output
output: POSIX tar archive

I began extracting the tar archive once we obtained it.

1
2
3
$ tar -xf output
$ ls
bin  dev  etc  home  lib  out

We got some folders let’s check out 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
$ tree .
.
├── bin
│   ├── arch -> /bin/busybox
│   ├── ash -> /bin/busybox
│   ├── base64 -> /bin/busybox
│   ├── bbconfig -> /bin/busybox
...
├── home
│   └── admin
│       └── Documents
│           ├── not_social_security_number.txt
│           └── social_security_number.txt
└── lib
    ├── apk
    │   ├── db
    │   │   ├── installed
    │   │   ├── lock
    │   │   ├── scripts.tar
    │   │   └── triggers
    │   └── exec
    ├── firmware
    ├── ld-musl-x86_64.so.1
    ├── libapk.so.2.14.0
    ├── libc.musl-x86_64.so.1 -> ld-musl-x86_64.so.1
    └── libcrypto.so.3

45 directories, 145 files

I began searching for the text files in the admin directories.

1
2
~/home/admin/Documents$ cat not_social_security_number.txt
bcactf{imag3_PROc3sSINg_yaY_2ea104d700c1a8}

Hooray!!! We captured the flag just 3 minutes before the CTF ended. ;p

Flag

bcactf{imag3_PROc3sSINg_yaY_2ea104d700c1a8}