CBCTF 2024 Part 3
This is part 3 to my CTF writeup for CBCTF 2024.
In this writeup, I’ll be discussing the following challenges from the Qualifying’s Exploit category:
duck duck goose [75 pts]
Description: Your security team noticed a suspicious USB stick on a laptop. Analyze the file to see what it does.
Flag Format CBCTF{FLAGHERE}
We were given a file. It took us a while to find out what sort of file this was; we figured it out only from the file name and the challenge name/description. It is a USB Rubber Ducky script in its encoded binary form. We can decode the binary file with this tool from GitHub: DuckToolkit.
python3 ducktools.py -l us --decode inject.bin
Then the output is the following:
DELAY
DELAY
notepadENTER
DELAY
Hello, this is a Rubber Duckz script!DELAY
ENTER
Secret flag is> IAMABIGSTEPPERDELAY
ENTER
Have a great daz!ENTER
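As you can see, the flag is IAMABIGSTEPPER. The "Duckz" and "daz" spellings and the > after "flag is" suggest the payload was encoded for a different keyboard layout than the us one passed to -l; the flag contains none of the affected keys, so it decodes correctly either way.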
Flag:
CBCTF{IAMABIGSTEPPER}
Alien Language [100 pts]
Description: Help me find my way out from these alien expressions.
We were given a PowerShell script. The content of the script is below:
iex ( [CHar]${#/~}36 +[CHar]${#/~}68 + [CHar]${#/~}101 + [CHar]${#/~}98+ [CHar]${#/~}117 + [CHar]${#/~}103 + [CHar]${#/~}80 + [CHar]${#/~}114 + [CHar]${#/~}101 + [CHar]${#/~}102 +[CHar]${#/~}101 + [CHar]${#/~}114+ [CHar]${#/~}101+ [CHar]${#/~}110+ [CHar]${#/~}99+[CHar]${#/~}101+[CHar]${#/~}32 + [CHar]${#/~}61 +[CHar]${#/~}32 +[CHar]${#/~}34 + [CHar]${#/~}83+ [CHar]${#/~}105 +[CHar]${#/~}108 + [CHar]${#/~}101 + [CHar]${#/~}110 + [CHar]${#/~}116 + [CHar]${#/~}108 +[CHar]${#/~}121 +[CHar]${#/~}67+ [CHar]${#/~}111+ [CHar]${#/~}110 + [CHar]${#/~}116+ [CHar]${#/~}105 +[CHar]${#/~}110 + [CHar]${#/~}117+ [CHar]${#/~}101+ [CHar]${#/~}34 + [CHar]${#/~}59+ [CHar]${#/~}36+[CHar]${#/~}120 + [CHar]${#/~}32 +[CHar]${#/~}61 + [CHar]${#/~}32 + [CHar]${#/~}36+ [CHar]${#/~}116+ [CHar]${#/~}114 + [CHar]${#/~}117 + [CHar]${#/~}101 + [CHar]${#/~}59 + [CHar]${#/~}105 + [CHar]${#/~}102+[CHar]${#/~}32 + [CHar]${#/~}40 + [CHar]${#/~}36 + [CHar]${#/~}120 + [CHar]${#/~}41 +[CHar]${#/~}32 + [CHar]${#/~}123+ [CHar]${#/~}32+[CHar]${#/~}32+ [CHar]${#/~}32 + [CHar]${#/~}32 + [CHar]${#/~}36 + [CHar]${#/~}102 +[CHar]${#/~}108+[CHar]${#/~}97+[CHar]${#/~}103 + [CHar]${#/~}32 +[CHar]${#/~}61 +[CHar]${#/~}32 +[CHar]${#/~}34 + [CHar]${#/~}67+ [CHar]${#/~}66 + [CHar]${#/~}67 + [CHar]${#/~}84+ [CHar]${#/~}70 +[CHar]${#/~}123 +[CHar]${#/~}112 +[CHar]${#/~}48 + [CHar]${#/~}119+[CHar]${#/~}101+ [CHar]${#/~}114 + [CHar]${#/~}53+[CHar]${#/~}104 +[CHar]${#/~}51 + [CHar]${#/~}49+[CHar]${#/~}49 + [CHar]${#/~}95 + [CHar]${#/~}67+ [CHar]${#/~}48 + [CHar]${#/~}48 + [CHar]${#/~}108 + [CHar]${#/~}95+ [CHar]${#/~}115 + [CHar]${#/~}99+ [CHar]${#/~}114+[CHar]${#/~}51+ [CHar]${#/~}119 + [CHar]${#/~}51 +[CHar]${#/~}68 + [CHar]${#/~}125 +[CHar]${#/~}34 + [CHar]${#/~}59+ [CHar]${#/~}32 + [CHar]${#/~}32 +[CHar]${#/~}32 + [CHar]${#/~}32 +[CHar]${#/~}87 + [CHar]${#/~}114 + [CHar]${#/~}105 + [CHar]${#/~}116 + [CHar]${#/~}101 + [CHar]${#/~}45 + [CHar]${#/~}72+[CHar]${#/~}111 +[CHar]${#/~}115 + [CHar]${#/~}116+ [CHar]${#/~}32 
+[CHar]${#/~}34 + [CHar]${#/~}100 +[CHar]${#/~}111 +[CHar]${#/~}32 +[CHar]${#/~}110 + [CHar]${#/~}111+[CHar]${#/~}116 +[CHar]${#/~}32 + [CHar]${#/~}101+[CHar]${#/~}120 + [CHar]${#/~}101 +[CHar]${#/~}99+ [CHar]${#/~}117 +[CHar]${#/~}116 + [CHar]${#/~}101+ [CHar]${#/~}32 + [CHar]${#/~}117+[CHar]${#/~}110 + [CHar]${#/~}107 + [CHar]${#/~}110+[CHar]${#/~}111+[CHar]${#/~}119+ [CHar]${#/~}110 +[CHar]${#/~}32 + [CHar]${#/~}80 + [CHar]${#/~}111+ [CHar]${#/~}119 +[CHar]${#/~}101 +[CHar]${#/~}114 + [CHar]${#/~}83 +[CHar]${#/~}104+ [CHar]${#/~}101 + [CHar]${#/~}108 + [CHar]${#/~}108 + [CHar]${#/~}32 + [CHar]${#/~}99 + [CHar]${#/~}111+ [CHar]${#/~}100 +[CHar]${#/~}101+ [CHar]${#/~}34+ [CHar]${#/~}59 + [CHar]${#/~}32+[CHar]${#/~}32+[CHar]${#/~}32 + [CHar]${#/~}32+ [CHar]${#/~}36 + [CHar]${#/~}102 + [CHar]${#/~}108 +[CHar]${#/~}97 + [CHar]${#/~}103+ [CHar]${#/~}32 +[CHar]${#/~}61 + [CHar]${#/~}32 + [CHar]${#/~}34 + [CHar]${#/~}78+ [CHar]${#/~}111 + [CHar]${#/~}112 + [CHar]${#/~}101 + [CHar]${#/~}34+ [CHar]${#/~}59 +[CHar]${#/~}125)
As you can see, this is an obfuscated PowerShell script. I realized these are just decimal values of ASCII characters. I used CyberChef to clean it up and decode it, and got the following:
$DebugPreference = "SilentlyContinue";$x = $true;if ($x) { $flag = "CBCTF{p0wer5h311_C00l_scr3w3D}"; Write-Host "do not execute unknown PowerShell code"; $flag = "Nope";}
You can decode this by using the following CyberChef recipe link
As you can see, the flag is CBCTF{p0wer5h311_C00l_scr3w3D}.
Flag:
CBCTF{p0wer5h311_C00l_scr3w3D}
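The same static decoding can be scripted instead of done in CyberChef, so the iex wrapper is never run. The Python below is an added example, not part of the original writeup or the challenge; the function names and the sample input are constructed here, and it generalizes slightly by accepting any ${...} filler variable and hex literals.

```python
import re

# Matches one [char]NNN term; tolerates mixed case, an optional ${...} filler
# variable between the cast and the number (as in the challenge script), and
# hex literals (0x41), which PowerShell also accepts in a [char] cast.
CHAR_TERM = re.compile(r"\[char\]\s*(?:\$\{[^}]*\})?\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)
# Launchers that would execute the rebuilt string.
LAUNCHER = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)


def decode_char_concat(script: str) -> str:
    """Rebuild the string hidden in a [char]N + [char]N + ... expression.

    Pure text processing: nothing from the script is ever executed.
    """
    out = []
    for m in CHAR_TERM.finditer(script):
        token = m.group(1)
        code = int(token, 16) if token.lower().startswith("0x") else int(token)
        if code > 0xFFFF:  # [char] is a 16-bit UTF-16 code unit
            raise ValueError(f"not a valid [char] value: {token}")
        out.append(chr(code))
    return "".join(out)


def triage(script: str) -> dict:
    """Summarise a sample: is it launched via iex, and what does it decode to?"""
    decoded = decode_char_concat(script)
    return {
        "uses_iex": bool(LAUNCHER.search(script)),
        "char_terms": len(decoded),
        "decoded": decoded,
    }


# Constructed sample in the same style as the challenge (not the challenge file).
SAMPLE = (
    'iex ( [CHar]${#/~}87 +[CHar]${#/~}114+ [CHar]${#/~}105 + [CHar]${#/~}116 +'
    '[CHar]${#/~}101 + [chAR]45+[CHar]${#/~}72 +[CHar]${#/~}111 + [CHar]0x73 +'
    '[CHar]${#/~}116+ [CHar]${#/~}32 +[CHar]${#/~}34 + [CHar]${#/~}104+'
    '[CHar]${#/~}105 + [CHar]${#/~}34)'
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Feeding the challenge script to decode_char_concat as text gives the same one-line script shown above, which can then be read rather than executed.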
There you have it, the writeup for the Exploit category in CBCTF 2024 Qualifiers. Stay tuned for the next writeup!