Get in touch!

Use the form on the right to contact us.

We answer emails as soon as we can. See the contact page for more information.

           

123 Street Avenue, City Town, 99999

(123) 555-6789

[email protected]

 

You can set your address, phone number, email and site description in the settings tab.
Link to read me page with more information.

Blog

Writeup for the SecurityFest 2016 CTF challenge SHAlien

Joachim Strömbergson

The SecurityFest 2016 contained a great CTF with a wide range of challenges. This is a short writeup for how to solve the challenge SHAlien.

The challenge file is called shalien.tar.gz. We use tar -xvzf shalien.tar.gz to untar and gunzip the file. We get a directiory called sha(lien). The dir contains the files:

01765ddfd925d70d41d53cabdba5f2588e678e534ef5d8840a813bc58d33198039006ce6395c6b95747a2e05d21ff3a47389638ba9405fd11ab1b0857f56426f
030514d80869744a4e2f60d2fd37d6081f5ed01a
10159baf262b43a92d95db59dae1f72c645127301661e0a3ce4e38b295a97c58
262bdb6eb4a95ab843ed26d46ccf77f2b26db3a8e16f207b2275e3d0a55eb724d5408b08287d2e3a7b7e365959ff34d47a8a1f3e17da8cf2fe9bf3d0fd8d5308
3c49cb3157ec3feaf0f97156e5c11dca0ffd6481c97bb1a5dffaa14f
4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865
5791151e6d3ca20a222466229f7aa5869cd67fa92cb20a81efe28d90b77e40e89bc10f04439c1c69100b65fd4d0d7ff166001db0f459e26b4b5369ba0870909f
7de1555df0c2700329e815b93b32c571c3ea54dc967b89e81ab73b9972b72d1d
7f04f368ab5b53d568c1590932a5ceebec89b14fcb03bf7f46197078
871b84bf3657493b719b29f68a805ad322f7508dff7008e80485d21e
a3db5c13ff90a36963278c6a39e4ee3c22e2a436
aa67a169b0bba217aa0aa88a65346920c84c42447c36ba5f7ea65f422c1fe5d8
aee69d4b47bcb9b1a711d622baab1fabaa53987ac57037906b7a5d5d
ccf271b7830882da1791852baeca1737fcbe4b90

Weird files with hexadecimal file names of a few different lengths. Running the file tool on the files reveals that all these are PNG image data, 100 x 100, 8-bit/color RGBA, non-interlaced files. We add the png file type to all files and get the following images:

The files viewed as images

The files viewed as images

Hmmm. that == image and the other ones sure looks like a bas64 encoding. But what about the order of the files?

Considering the names of the files and the challange, we seem to have names that corresponds to SHA digests with lenghts of 160, 224, 256 and 512 bits. Testing with different order strings and the different different NIST FIPS 180-4 (SHA) algorithms implemented in the tool shasum withwe find the following relation between order number and file names:

echo "1" | shasum -a 256, image = "c2"
4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865.png
echo "2" | shasum -a 224, image = "9f"
7f04f368ab5b53d568c1590932a5ceebec89b14fcb03bf7f46197078.png
echo "3" | shasum -a 1, image = "eW"
a3db5c13ff90a36963278c6a39e4ee3c22e2a436.png
echo "4" | shasum -a 256, image = "91"
7de1555df0c2700329e815b93b32c571c3ea54dc967b89e81ab73b9972b72d1d.png
echo "5" | shasum -a 224, image = "X2"
3c49cb3157ec3feaf0f97156e5c11dca0ffd6481c97bb1a5dffaa14f.png
echo "6" | shasum -a 1, image = "Nh"
ccf271b7830882da1791852baeca1737fcbe4b90.png
echo "7" | shasum -a 256, image = "bl"
10159baf262b43a92d95db59dae1f72c645127301661e0a3ce4e38b295a97c58.png
echo "8" | shasum -a 256, image = "9y"
aa67a169b0bba217aa0aa88a65346920c84c42447c36ba5f7ea65f422c1fe5d8.png
echo "9" | shasum -a 224, = "ZW"
871b84bf3657493b719b29f68a805ad322f7508dff7008e80485d21e.png
echo "10" | shasum -a 224, image = "Fk"
aee69d4b47bcb9b1a711d622baab1fabaa53987ac57037906b7a5d5d.png
echo "11" | shasum -a 512, image = "X2"
262bdb6eb4a95ab843ed26d46ccf77f2b26db3a8e16f207b2275e3d0a55eb724d5408b08287d2e3a7b7e365959ff34d47a8a1f3e17da8cf2fe9bf3d0fd8d5308.png
echo "12" | shasum -a 512, image = "1l"
5791151e6d3ca20a222466229f7aa5869cd67fa92cb20a81efe28d90b77e40e89bc10f04439c1c69100b65fd4d0d7ff166001db0f459e26b4b5369ba0870909f.png
echo "13" | shasum -a 512, image = "Cg"
01765ddfd925d70d41d53cabdba5f2588e678e534ef5d8840a813bc58d33198039006ce6395c6b95747a2e05d21ff3a47389638ba9405fd11ab1b0857f56426f.png
echo "14" | shasum -a 1, image = "=="
030514d80869744a4e2f60d2fd37d6081f5ed01a.png

Collecting the base64 code we get: c29feW91X2Nhbl9yZWFkX21lCg==
Decoding it we get: so_you_can_read_me\n. Removing the newline we have the flag.