Airgapp CTF Writeup

Tue, 05 May 2020 13:37:00 +0000

Airgapp CTF

On the 2nd of May 2020 Thugcrowd ran AIRGAPP, and along side this conference they hosted a CTF. I worked with the CTF_Circle team and we finished 1st overall!

Discord (Captured, 10pts)

Test your ability to read a Discord message.

This flag was quite simple, the first message in the official discord channel for the CTF was

  thug{its_free_real_estate}

this was the flag.

Elliot (Captured, 10pts)

Snoop around the THUGCROWD and AIRGAP websites until you find some flags.

This flag was also relatively quick, not sure where to start for these recon flags I ran

wget -m ctf.airgapp.in

and then following the hint to search airgapp website I ran a search across the entire site

grep -s "thug{" * .*

which returned

robots.txt:thug{HeLlO_mR_rObOt}

While I did expect these flags to be more obfuscated than that, the other recon flags proved trickier, and their 10pt value should have been a hint to not waste so much time on them.

Kappa (Captured, 10pts)

There’s a flag hiding somewhere on Twitch.

This was a twitch recon flag which lead us, initially to look at clips and video descriptions from previous broadcasts, all to no avail. We then figured we’d try chat for commands for a bot that may give a flag, I sent the chat

!flag

and got

!flag

in reply from a twitch user by the name of “definitelynotaflag” who has a stream description of

thug{streaming_video_platform}

This flag was interesting in that the definitelynotaflag did not seem to always respond to people for the flag, and was often not watching the stream.

Not Elliot (Not Captured, 10pts)

Snoop around the THUGCROWD and AIRGAP websites until you find some flags.

Knowing now that Elliot was a reference to Mr. Robot we then looked for references to non robot things (hoping to take a hint from the title of this flag), we looked for a

/notrobots.txt

but did not check the location

/humans.txt

where the flag actually resided.

ayy lmao (Not Captured, 10pts)

Snoop around the THUGCROWD and AIRGAP websites until you find some flags.

Much like Not Elliot, we had some suspicions about what this might relate to. We figured it would be a reference to the ayy lmao alien meme, but did not think to check

/aliens.txt

paramz (Captured, 200pts.)

parameters are easy!

This challenge provided a WASM file and an html file with some horrifically obfuscated JS. After setting up FireFox to allow WASM debugging, you can work through the parameters without spending time digging at the JS.

Click to expand the WASM (Apologies for the lack of syntax highlighting)

  (module
  (type $type0 (func (param i32) (result i32)))
  (type $type1 (func))
  (global $global0 i32 (i32.const 0))
  (export "__wasm_apply_relocs" (func $func0))
  (export "_acb" (func $func1))
  (export "_bcb" (func $func2))
  (export "_ccb" (func $func3))
  (export "_dcb" (func $func4))
  (export "_ecb" (func $func5))
  (export "_fcb" (func $func6))
  (export "_gcb" (func $func7))
  (export "_hcb" (func $func6))
  (export "_icb" (func $func5))
  (export "_jcb" (func $func8))
  (export "_kcb" (func $func9))
  (export "_lcb" (func $func10))
  (export "_mcb" (func $func11))
  (export "_ncb" (func $func6))
  (export "_ocb" (func $func5))
  (export "_pcb" (func $func12))
  (export "_qcb" (func $func13))
  (export "_rcb" (func $func6))
  (export "_scb" (func $func1))
  (export "_tcb" (func $func3))
  (export "_ucb" (func $func14))
  (export "_vcb" (func $func15))
  (export "_wcb" (func $func4))
  (export "_xcb" (func $func9))
  (export "__dso_handle" (global $global0))
  (export "__post_instantiate" (func $func0))
  (func $func0
    nop
  )
  (func $func1 (param $var0 i32) (result i32)
    get_local $var0
    i32.const 100
    i32.ne
  )
  (func $func2 (param $var0 i32) (result i32)
    get_local $var0
    i32.const 71
    i32.ne
  )
  (func $func3 (param $var0 i32) (result i32)
    get_local $var0
    i32.const 104
    i32.ne
  )
  (func $func4 (param $var0 i32) (result i32)
    get_local $var0
    i32.const 49
    i32.ne
  )
  (func $func5 (param $var0 i32) (result i32)
    get_local $var0
    i32.const 90
    i32.ne
  )
  (func $func6 (param $var0 i32) (result i32)
    get_local $var0
    i32.const 51
    i32.ne
  )
  (func $func7 (param $var0 i32) (result i32)
    get_local $var0
    i32.const 116
    i32.ne
  )
  (func $func8 (param $var0 i32) (result i32)
    get_local $var0
    i32.const 86
    i32.ne
  )
  (func $func9 (param $var0 i32) (result i32)
    get_local $var0
    i32.const 57
    i32.ne
  )
  (func $func10 (param $var0 i32) (result i32)
    get_local $var0
    i32.const 115
    i32.ne
  )
  (func $func11 (param $var0 i32) (result i32)
    get_local $var0
    i32.const 98
    i32.ne
  )
  (func $func12 (param $var0 i32) (result i32)
    get_local $var0
    i32.const 108
    i32.ne
  )
  (func $func13 (param $var0 i32) (result i32)
    get_local $var0
    i32.const 88
    i32.ne
  )
  (func $func14 (param $var0 i32) (result i32)
    get_local $var0
    i32.const 99
    i32.ne
  )
  (func $func15 (param $var0 i32) (result i32)
    get_local $var0
    i32.const 50
    i32.ne
  )
)

these are in order up to number 7 and with a little bit of scrolling and copying and pasting it can be simplified down to

  (export "_acb" (func 100))
  (export "_bcb" (func 71))
  (export "_ccb" (func 104))
  (export "_dcb" (func 49))
  (export "_ecb" (func 90))
  (export "_fcb" (func 51))
  (export "_gcb" (func 116))
  (export "_hcb" (func 51))
  (export "_icb" (func 90))
  (export "_jcb" (func 86))
  (export "_kcb" (func 57))
  (export "_lcb" (func 115))
  (export "_mcb" (func 98))
  (export "_ncb" (func 51))
  (export "_ocb" (func 90))
  (export "_pcb" (func 108))
  (export "_qcb" (func 88))
  (export "_rcb" (func 51))
  (export "_scb" (func 100))
  (export "_tcb" (func 104))
  (export "_ucb" (func 99))
  (export "_vcb" (func 50))
  (export "_wcb" (func 49))
  (export "_xcb" (func 57))

I then threw these lines into excel:

and split them at the _ and )) and eventually generating a list of parameters

?a=100&b=71&c=104&d=49&e=90&f=51&g=116&h=51&i=90&j=86&k=57&l=115
&m=98&n=51&o=90&p=108&q=88&r=51&s=100&t=104&u=99&v=50&w=49&x=57

when these params are checked on the main site an alert is then shown with the flag

thug{we_love_wasm}

Gerkinz (Captured, 200pts)

host: ctf.airgapp.in port: 5000

See the amazing writeup by T Van Doren over here

tecmu (Captured, 300pts)

See the lovely writeup by Sen over here or over gopher

Spilling Messtake (Captured, 200pts)

Since the world is falling apart, you decide to pick up your old Gameboy to play some Pokemon Red. Immediately after entering your name, you realize you accidentally misspelled WUTANG as VUTANG. Damn. Create a Gameshark code to fix this problem for you. Then submit the flag as thug{CODE_HERE}

A teammate completed this flag, I may update this with their writeup.

Compy385 (Not Captured, 150pts)

do you like techno music?

A teammate nearly completed this flag, I may update this with their writeup.

We were unable to complete the flag because we were defeated by newline characters.

The Thugcrowd and Friends Happy Fun Time Crossword (Not Captured, 100pts)

Each clue is the Twitter handle of one of our friends. Fit them all into the puzzle and the highlighted letters will spell out the flag.

For this we went through twitter users with links to thugcrowd, and as many people as we could find that had been guests on the podcast, resulting in this spreadsheet. As you can tell, I love working in spreadsheets, if something can be reasonably improved by a spreadsheet, I make one!

Takeaways and Lessons Learned

Stop assuming that hex with x86 like entropy is x86, try something else… this probably lost us flags.
Crypto hard, practice moar.
Communication is important, documentation more so… Partially completed flags should be in a state where team members can pick up your work.
I should do more of these, I love doing this stuff.
Working in teams is a great way to learn (see #4).
Sometimes it’s important to prioritize targets based on their value, the time I spent digging for 10pt flags was not worth as much as that spent on the higher point flags.

And lastly, I know a number of my teammates were close with other challenges and would have loved to have worked with them a little longer to complete them all. I want to congratulate them all on the work, and thank them for letting me work with them during this CTF.

rss feed test

Mon, 04 May 2020 22:39:00 +0000

This post is to test my RSS feed

Welcome to Jekyll!

Mon, 04 May 2020 21:07:00 +0000

You’ll find this post in your _posts directory. Go ahead and edit it and re-build the site to see your changes. You can rebuild the site in many different ways, but the most common way is to run jekyll serve, which launches a web server and auto-regenerates your site when a file is updated.

Jekyll requires blog post files to be named according to the following format:

YEAR-MONTH-DAY-title.MARKUP

Where YEAR is a four-digit number, MONTH and DAY are both two-digit numbers, and MARKUP is the file extension representing the format used in the file. After that, include the necessary front matter. Take a look at the source for this post to get an idea about how it works.

Jekyll also offers powerful support for code snippets:

def print_hi(name)
  puts "Hi, #{name}"
end
print_hi('Charlotte')
#=> prints 'Hi, Charlotte' to STDOUT.

Check out the Jekyll docs for more info on how to get the most out of Jekyll. File all bugs/feature requests at Jekyll’s GitHub repo. If you have questions, you can ask them on Jekyll Talk.