Hello Navi

Tech, Security & Personal Notes

challenges

Game 11

Challenge: Reverse engineering a Windows executable with string manipulation

Step 1: Identify File

file Project1.exe

Output: PE32 executable for MS Windows 4.00 (GUI), Intel i386, 8 sections

Step 2: Extract Strings from Hex

From IDA disassembly, key strings:

CODE:0045041C Congratulation!
CODE:00450434 Authkey :
CODE:004504B8 2abbe4b6
CODE:004504CC 44536ca0
CODE:004504E0 81aae922
CODE:004504F4 e32fa0de

Step 3: Analyze Form Creation

In _TForm1_FormCreate, these strings are assigned to variables at offsets 300h through 30Ch from ebx:

lea eax, [ebx+300h]
mov edx, offset _str_2abbe4b6.Text
call @System@@LStrAsg$qqrpvpxv

lea eax, [ebx+304h]
mov edx, offset _str_44536ca0.Text
call @System@@LStrAsg$qqrpvpxv

lea eax, [ebx+308h]
mov edx, offset _str_81aae922.Text
call @System@@LStrAsg$qqrpvpxv

lea eax, [ebx+30Ch]
mov edx, offset _str_e32fa0de.Text
call @System@@LStrAsg$qqrpvpxv

All strings are then concatenated in the order they are pushed. Note that [ebx+308h] is pushed before [ebx+304h]:

push dword ptr [ebx+300h]
push dword ptr [ebx+308h]
push dword ptr [ebx+304h]
push dword ptr [ebx+30Ch]

Result: 2abbe4b681aae92244536ca0e32fa0de


Alternative: Decompiled Code Analysis

int __fastcall TForm1_Button1Click(int a1)
{
  System::__linkproc__ LStrAsg(a1 + 784, &str_2V[1]);
  System::__linkproc__ LStrAsg(a1 + 788, &str_XS[1]);
  System::__linkproc__ LStrAsg(a1 + 792, &str_B6[1]);
  System::__linkproc__ LStrAsg(a1 + 796, &str_H1[1]);
  System::__linkproc__ LStrAsg(a1 + 800, &str_0F[1]);

  System::__linkproc__ LStrCatN(
    a1 + 816,
    5,
    v2,
    *(_DWORD *)(a1 + 792), // B6
    *(_DWORD *)(a1 + 796), // H1
    *(_DWORD *)(a1 + 788), // XS
    *(_DWORD *)(a1 + 800)); // 0F
}

The strings are rearranged in the concatenation. Check assembly for the actual order.

Assembly Order

push dword ptr [ebx+310h] ; 2V
push dword ptr [ebx+318h] ; B6
push dword ptr [ebx+31Ch] ; H1
push dword ptr [ebx+314h] ; XS
push dword ptr [ebx+320h] ; 0F

; Password: 2VB6H1XS0F
2abbe4b681aae92244536ca0e32fa0de

Game 12

Challenge: Reverse engineering a Flash SWF file

Step 1: Scan QR Code

Access the admin panel at http://suninatas.com/admin/ and scan the QR code.

QR Data:

MECARD:N:;TEL:;EMAIL:;NOTE:;URL:http://suninatas.com/admin/admlogin.asp;ADR:;

Step 2: Download SWF File

Navigate to the URL in the QR code and find the Flash embed:

<embed src="admlogin.swf">

Download the SWF file.

Step 3: Identify File

file admlogin.swf

Output: Macromedia Flash data (compressed), version 8

Step 4: Decompile with FFDec

Install FFDec (Free Flash Decompiler). On Arch Linux it is packaged in the AUR; this search confirms the package name:

paru -Ss ffdec
# aur/ffdec 25.0.0-2 - Open Source Flash SWF decompiler and editor

Import the SWF file into FFDec and search for authentication logic.

Decompiled Code

on(release){
  function receipt()
  {
    if(flashid != "admin" or flashpw != "myadmin!@")
    {
      flashmessage = "Wrong ID or PW";
      play();
    }
    else
    {
      flashmessage = "Auth : Today is a Good day~~~";
      play();
    }
  }
  receipt();
}

Credentials:

- ID: admin
- Password: myadmin!@

Today is a Good day~~~

Game 13

Challenge: Forensics - Steganography in ZIP and images

Hint: The programmer’s bad habit of backing up source code

Step 1: Find and Download ZIP

The hint suggests looking for a backup file:

http://suninatas.com/challenge/web13/web13.zip

Step 2: Extract ZIP File

The ZIP is password-protected. Try extracting:

7z x web13.zip

Output:

ERROR: Wrong password : whitehack1.jpg
ERROR: Wrong password : whitehack2.jpg
ERROR: Wrong password : whitehack3.jpg
ERROR: Wrong password : whitehack4.jpg
ERROR: Wrong password : 4ڸ.txt

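Note: the last file name is garbled because it is Korean text shown in the wrong encoding. Set the locale to Korean if needed, or use unar instead, which handles the encoding automatically: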

unar web13.zip

Output reveals: 압축비번은4자리정수 (The compression password is a 4-digit integer)

Step 3: Brute Force Password

Use John the Ripper with a 4-digit wordlist:

zip2john web13.zip > hash.txt
john hash.txt --wordlist=~/ctf/tool/dic/SecLists/Fuzzing/4-digits-0000-9999.txt

Result: 7642 is the password

Step 4: Extract Files

After extracting with password 7642:

unar web13.zip

Open the text file with encoding EUC-KR.

Content: Combine the four images to find the key.

Step 5: Extract Data from Images

Use hex dump to find hidden data in each image:

whitehack1.jpg:

xxd whitehack1.jpg | head -20

Contains: first key : 3nda192n

whitehack2.jpg:

xxd whitehack2.jpg | head -20

Contains: second key : 84ed1cae

whitehack3.jpg:

xxd whitehack3.jpg | head -20

Contains: third key: 8abg9295

whitehack4.jpg:

xxd whitehack4.jpg | head -20

Contains: fourth key : cf9eda4d

Step 6: Combine Keys

Concatenate all four keys in order:

3nda192n + 84ed1cae + 8abg9295 + cf9eda4d

3nda192n84ed1cae8abg9295cf9eda4d

Game 14

Challenge: Password cracking from Linux shadow file

Tool: John the Ripper

Step 1: Extract Archive

tar xf evidence.tar

Step 2: Examine Shadow File

The shadow file contains a hashed password entry:

suninatas:$6$QlRlqGhj$BZoS9PuMMRHZZXz1Gde99W01u3kD9nP/zYtl8O2dsshdnwsJT/1lZXsLar8asQZpqTAioiey4rKVpsLm/bqrX/:15427:0:99999:7:::

Step 3: Prepare for Cracking

Combine passwd and shadow files:

unshadow passwd shadow > unshadow

Step 4: Crack Password

Use John the Ripper with a wordlist:

john unshadow --wordlist=~/ctf/tool/dic/rockyou.txt

Output:

iloveu1         (suninatas)

iloveu1

Game 15

We’re given an mp3 file (diary.mp3). The hex dump reveals ID3 tags and an embedded JPEG with Exif data:

00000000: 4944 3303 0000 0000 6f76 5450 4532 0000  ID3.....ovTPE2..
...
00000080: 0033 f700 0000 696d 6167 652f 6a70 6567 .3....image/jpeg
00000090: 0003 00ff d8ff e000 104a 4649 4600 0101 .........JFIF...
000000a0: 0101 2c01 2c00 00ff e101 8645 7869 6600 ..,.,......Exif.

The flag is in the metadata — exiftool shows it in the Conductor field:

❯ exiftool diary.mp3
...
Conductor : ********************
...
GoodJobMetaTagSearch

The embedded cover art can be extracted with binwalk:

❯ binwalk -e diary.mp3
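
Added example, not part of the original write-up: a minimal ID3v2.3/2.4 text-frame reader showing where a value like the Conductor field lives inside the tag (exiftool's Conductor label is the TPE3 frame). The sample tag and its frame values are constructed, and tags using unsynchronisation or an extended header are assumed absent.

```python
import struct

ENCODINGS = {0: "latin-1", 1: "utf-16", 2: "utf-16-be", 3: "utf-8"}

def syncsafe(b):
    """Decode a 4-byte syncsafe integer (7 payload bits per byte)."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def id3_text_frames(data):
    """Return {frame_id: text} for the text frames of an ID3v2.3/2.4 tag."""
    if len(data) < 10 or data[:3] != b"ID3":
        raise ValueError("no ID3v2 header")
    major, flags = data[3], data[5]
    if major not in (3, 4) or flags & 0xC0:
        raise ValueError("needs v2.3/2.4 without unsync or extended header")
    end = min(10 + syncsafe(data[6:10]), len(data))
    pos, frames = 10, {}
    while pos + 10 <= end:
        fid, raw = data[pos:pos + 4], data[pos + 4:pos + 8]
        if fid == b"\x00\x00\x00\x00":          # padding after the last frame
            break
        # v2.3 stores frame sizes as plain big-endian, v2.4 as syncsafe
        size = syncsafe(raw) if major == 4 else struct.unpack(">I", raw)[0]
        body = data[pos + 10:pos + 10 + size]
        if len(body) < size:                     # truncated or corrupt frame
            break
        if fid.startswith(b"T") and fid != b"TXXX" and body:
            codec = ENCODINGS.get(body[0], "latin-1")
            text = body[1:].decode(codec, "replace").rstrip("\x00")
            frames[fid.decode("ascii", "replace")] = text
        pos += 10 + size
    return frames

def _frame(fid, text):
    """Build a v2.3 Latin-1 text frame for the constructed sample."""
    body = b"\x00" + text.encode("latin-1")
    return fid + struct.pack(">I", len(body)) + b"\x00\x00" + body

# Constructed sample tag: two text frames, 16 bytes of padding, fake audio bytes.
_frames = _frame(b"TPE2", "constructed band") + _frame(b"TPE3", "constructed conductor")
_size = len(_frames) + 16
SAMPLE = (b"ID3\x03\x00\x00" + bytes((_size >> s) & 0x7F for s in (21, 14, 7, 0))
          + _frames + b"\x00" * 16 + b"\xff\xfb\x90\x00")

if __name__ == "__main__":
    for fid, text in id3_text_frames(SAMPLE).items():
        print(fid, "=", text)
```

Applied to the header bytes in the hex dump above (`00 00 6f 76`), `syncsafe` gives the tag size in bytes.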

Game 16

We have a PCAP (Packet Capture) file to analyze:

❯ 7z x packet_dump.zip
❯ file packet_dump.pcap
packet_dump.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 65535)

Extract credentials by searching for password parameters in the captured network traffic:

❯ strings packet_dump.pcap | grep Hpw=
Hid=suninatas&Hpw=suninatasc
Hid=blackkey&Hpw=blackkeyn
Hid=ultrashark&Hpw=sharkpass01~
Hid=ultrashark&Hpw=%3Dsharkpass01
Hid=ultrashark&Hpw=%3DSharkPass01

Try logging in with each credential pair until one succeeds:

Congratulation! Authkey : ********************************
WireSharkBetterThanWirelessShark
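
Added example, not part of the original write-up: the same search done per packet on a classic pcap file, with the form values URL-decoded so that a captured `%3D` is shown as the `=` that was actually typed. The capture built here is constructed (its payloads stand in for full Ethernet frames), and the field names Hid and Hpw are the ones seen in the grep output above.

```python
import re
import struct
from urllib.parse import unquote_plus

# Form fields seen in the capture above: Hid (user id) and Hpw (password).
FORM = re.compile(rb"Hid=([^&\s]*)&Hpw=([^&\s]*)")

def pcap_packets(blob):
    """Yield the raw bytes of each record in a classic (non-pcapng) pcap file."""
    magic = blob[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a microsecond-resolution pcap file")
    pos = 24                                    # skip the global header
    while pos + 16 <= len(blob):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", blob[pos:pos + 16])
        pos += 16
        yield blob[pos:pos + incl_len]
        pos += incl_len

def cleartext_logins(blob):
    """Return (packet_no, user, password) for every unencrypted login form."""
    hits = []
    for number, packet in enumerate(pcap_packets(blob), start=1):
        for match in FORM.finditer(packet):
            user, password = (unquote_plus(g.decode("latin-1")) for g in match.groups())
            hits.append((number, user, password))
    return hits

def build_pcap(payloads):
    """Constructed capture: payloads stand in for full Ethernet frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in payloads:
        out += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return out

SAMPLE = build_pcap([
    b"POST /login HTTP/1.1\r\n\r\nHid=alice&Hpw=%3Dexample01",   # constructed
    b"GET /index HTTP/1.1\r\n\r\n",
    b"POST /login HTTP/1.1\r\n\r\nHid=bob&Hpw=pass+word%7E",     # constructed
])

if __name__ == "__main__":
    for hit in cleartext_logins(SAMPLE):
        print(hit)
```

A form body split across two TCP segments is missed by this per-packet search; stream reassembly in Wireshark or tshark covers that case.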

Game 17

We have a QR code image that needs to be processed and decoded. Start by enhancing the image with ImageMagick:

❯ convert qr.png -threshold 85% out.png
❯ convert out.png -background black -alpha remove -alpha off oo.png

The processed image may be incomplete or corrupted. Use an image editor like Krita to overlay the three pattern images (position markers) on top of the QR code to restore it.

Once repaired, decode the QR code with zbarimg:

❯ zbarimg oo.png

This yields the flag:

Good Job! Congraturation! AuthKey is YouAreQRCodeMaster~!
YouAreQRCodeMaster~!

Game 18

We have an array of decimal numbers, each one a byte value. Print them as hex:

data = [86, 71, 57, 107, 89, 88, 107, 103, 97, 88, 77, 103, 89, 83, 66, 110, 98, 50, 57, 107, 73, 71, 82, 104, 101, 83, 52, 103, 86, 71, 104, 108, 73, 69, 70, 49, 100, 71, 104, 76, 90, 88, 107, 103, 97, 88, 77, 103, 86, 109, 86, 121, 101, 86, 90, 108, 99, 110, 108, 85, 98, 50, 53, 110, 86, 71, 57, 117, 90, 48, 100, 49, 99, 109, 107, 104]
print(''.join(f'{x:02x}' for x in data))

Convert the hex output to binary, then decode as base64:

❯ python tmp.py > hex.txt
❯ xxd -r -p hex.txt data.bin
❯ cat data.bin
VG9kYXkgaXMgYSBnb29kIGRheS4gVGhlIEF1dGhLZXkgaXMgVmVyeVZlcnlUb25nVG9uZ0d1cmkh

The string is base64-encoded. Decode it:

Today is a good day. The AuthKey is *********************
VeryVeryTongTongGuri!

Game 19

We have a large block of binary data. Decode it to get an encrypted message:

0100111001010110010000110101010001000110010001000101
0110001000000100101101000110001000000100101001001100
0100010101011010010001010101001001001011010100100100
1010001000000101001001000101010101010010000001001011
0100011001010101010100100101000000100000010110100100
1010001000000101001000100000010110000100011001000110
0101010100100000010101010101001001010000001000000101
0010010001010101010100100000010100100100110001001011
0101100101000010010101100101000000100000010110100100
1010001000000100011101000011010100100101101001010101
0101010001001011010101110101101001001010010011010101
0110010010010101000001011001010100100100100101010101

Decoding the bits as 8-bit ASCII gives:

NVCTFDV KF JLEZERKRJ REU KFURP ZJ R XFFU URP REU RLKYBVP ZJ GCRZUTKWZJMVIPYRIU

This text is encrypted with an affine cipher. Use an affine decoder to decrypt:

WELCOME TO SUNINATAS AND TODAY IS A GOOD DAY AND AUTHKEY IS **********************
PLAIDCTFISVERYHARD
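
Added example, not part of the original write-up: both decoding steps in code, first bits to ASCII, then a search over all 312 affine keys E(x) = (a·x + b) mod 26 that keeps the keys whose plaintext contains a crib. The ciphertext is the one shown above; the crib WELCOME is taken from the plaintext above.

```python
from math import gcd

# Ciphertext exactly as decoded from the bit string on this page.
CIPHERTEXT = ("NVCTFDV KF JLEZERKRJ REU KFURP ZJ R XFFU URP REU "
              "RLKYBVP ZJ GCRZUTKWZJMVIPYRIU")

def bits_to_text(bits):
    """Turn a string of 0/1 characters (whitespace ignored) into ASCII text."""
    bits = "".join(bits.split())
    if len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected a multiple of 8 binary digits")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")

def affine_decrypt(text, a, b):
    """Invert E(x) = (a*x + b) mod 26 on A-Z; other characters pass through."""
    a_inv = pow(a, -1, 26)                     # modular inverse, Python 3.8+
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr((a_inv * (ord(ch) - 65 - b)) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)

def crack_affine(text, crib):
    """Try all 312 valid keys; keep those whose plaintext contains the crib."""
    hits = []
    for a in range(1, 26):
        if gcd(a, 26) != 1:                    # a must be invertible mod 26
            continue
        for b in range(26):
            plain = affine_decrypt(text, a, b)
            if crib in plain:
                hits.append((a, b, plain))
    return hits

if __name__ == "__main__":
    for a, b, plain in crack_affine(CIPHERTEXT, "WELCOME"):
        print(f"a={a} b={b}: {plain}")
```

The only key that survives has a = 1, so this particular affine cipher is a plain Caesar shift.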

Game 21

We have a JPEG image to analyze. Check its properties:

❯ file monitor.jpg
monitor.jpg: JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=11, description=SAMSUNG, ...], baseline, precision 8, 640x480, components 3

Check for embedded data with binwalk:

❯ binwalk monitor.jpg
Analyzed 1 file for 85 file signatures (187 magic patterns) in 9.0 milliseconds

Attempting to use stegseek reveals a structural issue:

❯ stegseek monitor.jpg
StegSeek 0.6
Invalid JPEG file structure: two SOI markers

The file contains multiple JPEG images (indicated by multiple Start of Image markers). Extract them using foremost:

❯ foremost monitor.jpg
❯ tree output/
output/
├── audit.txt
└── jpg
    ├── 00000000.jpg
    ├── 00000383.jpg
    ├── 00000765.jpg
    ├── 00001148.jpg
    ├── 00001532.jpg
    ├── 00001914.jpg
    ├── 00002297.jpg
    └── 00002681.jpg

Examine the extracted images to find the flag.

H4CC3R_IN_TH3_MIDD33_4TT4CK
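
Added example, not part of the original write-up and not foremost's own code: a structure-aware scan that locates each top-level JPEG in a file by walking its segments from SOI to EOI, so an Exif thumbnail inside an APP1 segment is not mistaken for a separate appended image. The sample bytes are constructed and JPEG-shaped only, not decodable pictures.

```python
def jpeg_end(data, start):
    """Walk one JPEG from its SOI at `start`; return the offset just past its EOI."""
    if data[start:start + 2] != b"\xff\xd8":
        return None
    pos, in_scan = start + 2, False
    while pos + 2 <= len(data):
        if in_scan:
            pos = data.find(b"\xff", pos)            # next 0xFF in the scan data
            if pos < 0 or pos + 2 > len(data):
                return None
            nxt = data[pos + 1]
            if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:   # stuffed byte or RSTn
                pos += 2
                continue
            in_scan = False
        if data[pos] != 0xFF:
            return None                              # not at a marker: corrupt
        marker = data[pos + 1]
        if marker == 0xFF:                           # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                         # EOI: end of this image
            return pos + 2
        else:
            seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
            if seglen < 2:
                return None
            pos += 2 + seglen                        # APPn/Exif payload skipped whole
            in_scan = marker == 0xDA                 # SOS header precedes scan data
    return None

def carve_jpegs(data):
    """Return (start, end) for each complete top-level JPEG in `data`."""
    found, pos = [], 0
    while (pos := data.find(b"\xff\xd8\xff", pos)) >= 0:
        end = jpeg_end(data, pos)
        if end is None:
            pos += 2
        else:
            found.append((pos, end))
            pos = end
    return found

def fake_jpeg(note):
    """Constructed JPEG-shaped stream (not decodable) with an Exif thumbnail."""
    app1 = b"Exif\x00\x00" + b"\xff\xd8\xff\xdb\x00\x02\xff\xd9" + note
    head = b"\xff\xd8\xff\xe1" + (len(app1) + 2).to_bytes(2, "big") + app1
    return head + b"\xff\xda\x00\x02" + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9"

SAMPLE = fake_jpeg(b"one") + fake_jpeg(b"second") + b"trailing bytes"
```

A plain count of `FF D8 FF` signatures in the sample reports four images; walking the segments reports the two top-level ones, and each `(start, end)` pair can be sliced out and saved as its own file.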