WACTF – The Magic School Bus (175)

WACTF – The Magic School Bus (175)

I was lucky enough to be able to participate in the first WACTF that happened on the 2nd and 3rd of December 2017 at the University of WA here in Perth.

There was a pretty fun little challenge in the on-site category that required physically plugging in to another network to complete.

The challenge description can be seen below

Once connected to the on-site switch, I set a static IP address of 10.13.37.147 and crossed my fingers for no conflicts (there was no DHCP running).

After connecting I ran a “netdiscover -r 10.13.37.0/24” to find there were 2 devices (Raspi’s) operating. A quick port scan of the first one showed only one open port, 31337. As the description in the challenge specified multiple devices but they were identical, I didn’t bother scanning the other one.

On connecting to this port with netcat, it spews a constant stream of data out. To capture this I piped the output to a file using the following netcat command.

nc 10.13.37.10 31337 > output

After I had left this for a minute or so I closed my netcat connection and began inspection of the file.

So I ended up with a reasonably large JPEG file.  Lets take a look and see what we have.

Awesome, looks like the flag should be written on the paper. Now to find out how to get it. I tried numerous ways initially of attempting to get the flag such as…

  • Changing formats to .gif, .mp4, .m4v, thinking perhaps it was a “live photo”
  • Using exiftool to extract all exif metadata thinking possibly the flag was there
  • Strings against the JPEG to try and locate a WACTF{} style flag
  • Using Gimp to adjust colours, saturation, contrast, black/white, etc to try display a flag

Eventually I ran binwalk on the file to see if it contained anything else interesting.

I noticed a recurring pattern of around every 20th JPEG there was an interesting mcrypt encrypted data section. This turned out to be nothing, but made me think that maybe these JPEG’s weren’t all the same image. I noticed when i calculated some off the offsets to get a file size that they were different…

I couldn’t think of a good way to get the offsets for each image, so I just copied the binwalk data into excel and used some formulas to subtract each set to get the file size of each JPEG. From here I tried to use my sub par python knowledge to use ‘dd‘ to carve up the file into individual JPEG’s.

Running my script, I managed to carve out 19 different JPEG’s. Checking the thumbnails it was apparent there were many different individual JPEG’s (confirmed originally by checking each file was a different size).

Judging by the thumbnail, it looks like “carve-14.jpg” is the image I’m after…

Which gets us our flag WACTF{MISSFRIZZLE} 🙂

 

Leave a comment