NIS Cybertalents CTF Brainteaser
The brainteaser part of the CTF is more disconnected from the rest of the tasks. These tasks are split into three levels:
These levels have varying number of sub-tasks:
This challenge is based on the open source Command Line Mystery. This is more of a linux shell task than a brain teaser.
We are presented with three clues from the start:
Here it is practical to start with the last clue: Annabel. There is only two female Annabel’s that has been interviewed:
Ok, so we have the car make, colour and parts of the license plate.
Now we have three males that are tall enough to still be a suspect:
- Jacqui Maher
- Victor Sidney
- Joe Germuska
Lets check their memberships
Jacqui Maher and
Victor Sidney are members of all the relevant organizations.
We could submit both as flags, and see if one would be correct, but lets continue to narrow down our suspects.
That leaves only
This challenge is simply a video of a Ken Barbie doll in a striped prison-like uniform. The Doll is placed behind bars and it is knocking on them in what is clearly a pattern.
There are several ways to solve this, but I opted for the manual one as it is likely fastest in this case.
I separated the audio track from the video with FFmpeg:
The I loaded up the audio in audacity to get a clear visual of the knocking pattertn:
The pattern used is something called Tap Code which has been, and probably is used by prisoners to communicate covertly. The code is quite simple where the listener only have to be able to separate groups of tapping series to discern the message being transmitted. The code is based on a 5x5 Polybius square:
3+2 taps, an
Counting all the taps we get
... .... .... .. . .... . ..... .... .... . .... .... ..... ... . . ..... .... .... . ..... .... .. . ..... .... .... .... .... . ..... .... .. . ..... .... .. .... .... . . ... ..... . .... . . ... ... . ... . .....
Solving this give you the string
ORDETDULETERETTERERTAPDANCE – The word you are looking for is
Here you simply get an image of some Runes in a 5x5 grid pattern. Translating the runes to germanic you get:
A U T F H N K R R U I R E E R M T E N R T S A S N
Looking at the metadata of the file also show you that there is a comment added to the image:
This the 5x5 grid together with the
Columns comment may lead us to the
Columnar Transposition Cipher.
I used dCode’s excellent implementation to solve this challenge.
With the permutation of
5,2,3,1,4 you will find that the the flag is:
Wikipedia tells us that Secret sharing refers to methods for distributing a secret amongst a group of participants, each of whom is allocated a share of the secret. The secret can be reconstructed only when a sufficient number, of possibly different types, of shares are combined together; individual shares are of no use on their own.
In our case we get a little intro in the README, and some of the relevant keys to use.
The CTF presents the general formula as the following, where K is the number of shares needed to reconstruct the secret.
f_n(x) = a_0 + a_1*x + a_2*x^2 + a_3*x^3 + ... + a_(n-1)*x^(n-1) f_n(0) = a_0 = ?
I did not want to do this by hand, and used a pre-made tool to do all computations. The only thing I had to do was to update the prime from k=3 and supply enough shares.
The share you need are found by solving other tasks, and running
Dine andeler: 2. Oppdrag 2.1_keystore f4(1)=154315253502745748263921158136531 f9(1)=18431917384105746930902281228572 2.2_lootd f4(2)=118249736918682056186291996969318 f9(2)=47116559448583257145160102856755 2.3_loot_home f4(3)=15906897834623111220488895351700 f9(3)=43359780976439286737053677319959 2.4_loot_vault f4(4)=129795513036195528384758911437154 f9(4)=42692857761587209442928328545055 2.5_headquarters f4(5)=93387251992172469131037062226649 f9(5)=116094178794117191280811579355275 2.6_decryption f4(6)=26931614658967185085992395585535 f9(6)=69710652888997871067650611403697 3.1. Hjernetrim lett 3.1.1_clmystery f4(7)=50678100992992927876293959379162 f9(7)=158227487577296337342281607135847 3.1.2_knock-knock f4(8)=122616934121449585737032791184753 f9(8)=64858484496858151362905892937447 3.1.3_runer f4(9)=38479060342323683511721918291404 f9(9)=29731193030541008318265718603098 3.1.4_sharing_secrets_k=3 f4(10)=80773256441241836218608398852592 f9(10)=33908546822044766120109498310017 3.2. Hjernetrim middels 3.2.1_artwork_del_2 f4(13)=59372664790619416108628306171227 f9(13)=135438116597398552803261293518210
By solving this we get a share for k=3
f2(x) = a_0 + a_1\*x f2(2) = 29 f2(1) = 26 f2(0) = a_0 = ?
The answer here is:
23, and we get
f3(5) = 38135776304496424228868822226466 as a hint for k=3
For k=3 we get some additional information that all the rest of the tasks are calculated with modulo of the elleventh prime:
f3(x) = a_0 + a_1*x + a_2*x^2 f3(2) = 73673086149599787963942979835811 f3(1) = 84657984464390529825364497916194 f3(0) = ?
38135776304496424228868822226466 from k=2 together with the shares from the README we find that the answer is:
By solving the other challenges we have more than enough shares to calculate k=4:
f4(1)=154315253502745748263921158136531 f4(2)=118249736918682056186291996969318 f4(3)=15906897834623111220488895351700 f4(4)=129795513036195528384758911437154 f4(5)=93387251992172469131037062226649 f4(6)=26931614658967185085992395585535 f4(7)=50678100992992927876293959379162 f4(8)=122616934121449585737032791184753 f4(9)=38479060342323683511721918291404 f4(10)=80773256441241836218608398852592 f4(13)=59372664790619416108628306171227
The answer here is:
By solving the other challenges we have more than enough shares to calculate k=9:
f9(1)=18431917384105746930902281228572 f9(2)=47116559448583257145160102856755 f9(3)=43359780976439286737053677319959 f9(4)=42692857761587209442928328545055 f9(5)=116094178794117191280811579355275 f9(6)=69710652888997871067650611403697 f9(7)=158227487577296337342281607135847 f9(8)=64858484496858151362905892937447 f9(9)=29731193030541008318265718603098 f9(10)=33908546822044766120109498310017 f9(13)=135438116597398552803261293518210
The answer here is:
Artwork is the first of the medium brain teasers.
In this challenge we get a picture named
The filename is the md5sum of the word
esoteric, which is a great hint into what we are seeing here.
Another great hint is the sentence
Intellect Confuses Intuition, a quote made by the famous artist and painter Piet Mondrian.
This leads us to the Esoteric programming language Piet. It works by interpreting changes in color in a picture, and supports several “opcodes”.
The program here is duplicated on the top and on the bottom of the image, so the image can be rotated 180 degrees and split in half horizontally without any problems.
I used perhaps the most prevalent Piet interpreter, npiet, to parse and execute the program.
As can be seen above, there are two flags in this challenge. The first is a 3 round 128bit HAVAL hash of the word
mondrian, the second is for now an unknown password.
I used this tool to generate the HAVAL hash:
The second flag is a bit harder, as it asks the user to input a unknown password.
npiet is able to print trace debug information when running, this includes the contents of the stack.
By converting the decimal output from npiet to ascii we can see all the output and input the program handles.
If we supply npiet with an empty password the password verification routine will encounter and print a stack underflow. It does this due to pushing our password on to the stack, and then pushing the first letter of the correct password on to the stack and subtracting our letter with the correct letter, checking to see if the sum is
0. If it is the letter is correct, if not it is wrong and the program will jump to the exit routine and print
Incorrect password. By not entering a password the stack underflows, but we will be able to see which letter the routine tries to verify our input with:
The password is
Tr0ub4d0r&3, and the flag is
correct horse battery staple.
Another way could be to step through the progam with a debuger, for example PietCreator. This way you can NOP out all the checking instructions and just push the password on to the stack and read it out. Or easier just NOP through the whole part of the program until it prints the correct flag. Or even easier than NOPing out the verification parts, just remove everything other than the print of the flag:
This task supplies an Object-Oriented binary which takes a number between
6 as input.
It does a lot of recursion, object creation and math to output a number. This number is the flag.
The task is to find out what number it would have outputed for
6. The problem here is that for any number above 3 the program will crash or run forever.
For following inputs it gives the following outputs:
- 0 -> 1 inc
- 1 -> 4 add
- 2 -> 11 mul
- 3 -> 72 exp
- 4 -> ?????
- 5 -> ?????
- 6 -> ?????
This folder is accessable only by root on the login-server, and by the time of writing I have not been able to gain access to this.