Tuesday, August 13, 2019

Recon Village CTF 2019 - DEF CON 27

Scoreboard for Recon Village CTF 2019 (Las Vegas, USA)

This year our team attended the Recon Village CTF and took the 9th place.


Challenge 1 - Thailand (100 points)

The attached file is the image. Let's look closer. Nothing special - just a dog with flowers.

Let's check the image metadata using http://metapicz.com/#landing 

There is the note: "CTF-steghide-Password: catchme@123". Let's try to decode the data using https://futureboy.us/stegano/decinput.html

Finally, we get the flag.

Challenge 6 - Paraguay (200 points)

We spent a lot of time to solve this task. Firstly, we tried to decrypt it a binary data, but right answer was not expected for us.

Let's check the data that should be decoded:


The number of symbols is 625. Let's think, how decode this... Is it binary? No, we can't decode it in direct way. Should we add some symbols (0 and/or 1) to make the proper binary data and then decode? No.
Let's think more non-standard. What 625 symbols is? It's 25 symbols x 25 symbols (!) When we divided data by lines, we discovered that it's the image - QR-code.
So we use the online tool to get QR-code from text:

And the flag is flag:{qR_c0d3$_aR3_tHe_fUtuR3}

Challenge 7 - Ethiopia (100 points)

This task is based on computer search engines. Firstly, we thought that Shodan would give us the proper result. But the search was unsuccessful: we discovered 9 Weblogic App servers, located in Mexica, but there was no possibility to determine the proper server scanned in 2015.

Then we tried to use Zoomeye with the next request:

app:"WebLogic applications server" +country:"MX" +after:"2015-01-01" +before:"2016-01-01"

And we got 1 IP that is the flag for this task.

Challenge 8 - Colombia (100 points)

This task requires to make the OSINT and find the name of university, where Victor got the Bachelors degree.
Let's search Victor using Google.

The Linkedin page for Victor Nevinnyy provides us the flag.

Challenge 14 - Belarus (200 points)

This task requires to find the location using next photo:

Let's look closer.

So we should search English National Ballet. Let's check using Google Maps.

There are 4 locations. And one of them makes us success.

So the nearest train station is "Canning Town" and this is the flag.

Challenge 15 - South Africa (300 points)

Let's check the attached image:

After closer look we discovered several keywords: wetherspoon shakespeare 70. After googling we got the probable place, where the photo was taken: 


The address of this pub is Africa House, 64–68 Kingsway, Holborn, London, WC2B 6BG.
So we searched the companies using this address (changed the house to 70) - we got the company Mishcon de Reya . After browsing the site we discovered several Strategy Managers, but the proper person is Lena Kearney

And her page has the name of catering company:

The flag - Sinclair's Catering.

Challenge 18 - United Kingdom (300 points)

In this task it's required to reconstruct the key using its part.
The key beginning "AKIA" gives us the hint that this task is related to AWS. So there are the access ID with missing 2 symbols and the private key at the second line. So we made our python script using  aws-iam-get-username-by-access-key.bash and got the missing parts for access ID - vz. So the flag - AKIA2SR3ZZCIQ7LT5QVZ.

Challenge 22 - Australia (200 points)

In our opinion, it's the funniest task.

For all participants, the organizers prepared black badges.

There are binary data at the back site. The decoded data is "https://pa". So we decided that we should find other badges to get the full link. 
We got the photo of staff's red badge:

With this part of data, we got the URL beginning: "https://pastebin.com". And finally we met the speaker with blue badge:

And the full link is "https://pastebin.com/CQ5Bg9X7". 

Challenge 24 - Norway (300 points)

Firstly, we searched the name of the student. We found Ben Price .

We found his Twitter account using project name as the search query: Archaeology Ex Machina: employing virtual reality technology to enhance archaeological landscape investigation.

Then we made search for diggah.net and found his email with password at the Pastebin:

 diggah@diggah.net       m0nkeyfun