• Donald Ashdown

Google CTF - Beginner Quest Part 1

Welcome

Google will run the 2021 CTF competition in two parts: an online jeopardy-CTF competition, and second contest open only to the top 16 teams. "Capture The Flag" (CTF) competitions are not related to running outdoors or playing first-person shooters. Instead, they consist of a set of computer security puzzles (or challenges) involving reverse-engineering, memory corruption, cryptography, web technologies, and more. When players solve them they get a "flag," a secret string which can be exchanged for points. The more points a team earns, the higher up it moves in rank.


Task 1 - Chemical Plant CCTV (Rev)


Description:

Challenge: CCTV (rev)

You arrive at your destination. The weather isn't great, so you figure there's no reason to stay outside and you make your way to one of the buildings. No one bothered you so far, so you decide to play it bold - you make yourself a cup of coffee in the social area like you totally belong here and proceed to find an empty room with a desk and a chair. You pull out our laptop, hook it up to the ethernet socket in the wall, and quickly find an internal CCTV panel - that's a way better way to look around unnoticed. Only problem is... it wants a password.


Getting started

We browse to the provided URL and see a simple login form. There are several things that come to mind.

  • Source inspection

  • Burp the port

  • Domain/Dir enumeration

  • Form rnumeration


Entering the wrong password provides our usual message.


Viewing the content of the page reveals this interesting script.



Let's break this down.


const checkPassword = () => {

  //This function takes our password from the form
  const v = document.getElementById("password").value;
  
  //This function makes an array of the value and selects the character at     
    each word and adds 0xCafe  
  const p = Array.from(v).map(a => 0xCafe + a.charCodeAt(0));
  
  //Here the value is compared to the p values. 
  if(p[0] === 52037 &&
     p[6] === 52081 &&
     p[5] === 52063 &&
     p[1] === 52077 &&
     p[9] === 52077 &&
     p[10] === 52080 &&
     p[4] === 52046 &&
     p[3] === 52066 &&
     p[8] === 52085 &&
     p[7] === 52081 &&
     p[2] === 52077 &&
     p[11] === 52066) {
    window.location.replace(v + ".html");
  } else {
    alert("Wrong password!");
  }
}
window.addEventListener("DOMContentLoaded", () => {
  document.getElementById("go").addEventListener("click", checkPassword);
  document.getElementById("password").addEventListener("keydown", e => {
    if (e.keyCode === 13) {
      checkPassword();
    }
  });
}, false);


Summary

We have to subtract 0xcafe from each p value.

Then we convert the value to a hex value and back to ascii.




                        
script = {
    0: 52037,
    6: 52081,
    5: 52063,
    1: 52077,
    9: 52077,
    10: 52080,
    4: 52046,
    3: 52066,
    8: 52085,
    7: 52081,
    2: 52077,
    11: 52066,
}

credentials = ""

for i in range(max(script.keys()) + 1):
    credentials += chr(script[i] - 0xCafe)

print(credentials)

We run the script and get the password.




Task 2 - Apartment - Logic Lock (MISC)


Description

Challenge: Logic Lock (misc)

It turned out suspect's apartment has an electronic lock. After analyzing the PCB and looking up the chips you come to the conclusion that it's just a set of logic gates!


Getting started:


└─$ file 419bcccb21e0773e1a7db7ddcb4d557c7d19b5a76cd421851d9e20ab451702b252de11e90d14c3992f14bb4c5b330ea5368f8c52eb1e4c8f82f153aea6566d56 
419bcccb21e0773e1a7db7ddcb4d557c7d19b5a76cd421851d9e20ab451702b252de11e90d14c3992f14bb4c5b330ea5368f8c52eb1e4c8f82f153aea6566d56: Zip archive data, at least v2.0 to extract, compression method=store

We unzip the file and look at the png


This is a simple logic gate puzzle that we can solve with a reference sheet from a wiki article.

https://en.wikipedia.org/wiki/Logic_gate


CTF{BCFIJ}


TASK 3 - Streets High Speed Chase (Misc)


Description

Challenge: High Speed Chase (misc)

You chase them through city streets until you reach the high way. The traffic is pretty rough for a car and you see them gaining ground - should have hotwired a motorbike as well! Too late for that. You look around your car to spot anything useful, and you notice this is actually one of the new self driving cars. You turn on the autopilot, pull out your laptop, connect it to the system, and enter the not-so-hidden developer's mode. It's time to re-program the autopilot to be a bit more useful in a chase! To make it easier, you replace the in-car LiDAR feed with a feed from an overhead sattelite - you also display it on the the entertainment system. Now all that's left to do, is to write a better controlCar function!





Getting started:

Car Self-Driving Interface You need to re-implement the controlCar function. To implement it in JavaScript use the editor on the left.

When implemented, controlCar function will be called several times per second during the chase to allow for course corrections.

The controlCar function takes a single parameter – scanArray – which is an array containing 17 integers denoting distance from your car to the nearest obstacle:

  • [indexes 0-7]: on the left side of the car (index 7 is the measurement at the left headlight),

  • [index 8]: at the center of the car,

  • [indexes 9-16]: on the right side of the car (index 9 is the measurement at the right headlight).

See also this image (it's not precise, but will give you an idea what you are looking at). All measurements are parallel to each other. A negative measurement might appear if the obstacle is very close behind our car. The controlCar must return an integer denoting where the car should drive:

  • -1 (or any other negative value): drive more to the left,

  • 0: continue straight / straighten up the car,

  • 1 (or any other positive value): drive more to the right.



When we run the script with Engage Re-programmed Self-Driving Mode! We initially crash




function controlCar(scanArray) {

//Here we define an array
var max_len = scanArray[0];

//Here we create a counter for distance
var max_len_i = 0;

//A loop based on our array of lanes
for (var i = 1; i < 17; i++){
  if (max_len < scanArray[i]) {
    max_len = scanArray[i];
    max_len_i = i;
  } 
}

//Continue straight 
if (max_len === scanArray[8] && max_len === scanArray[7] && max_len === scanArray[9]) {
  return 0;
}

if (max_len_i < 8) {
  return -1;
}

if (max_len_i > 8) {
  return 1;
}

return 1;

}




64 views0 comments