Mirror Unknown

Description

I found some unknown symbols in a nearby collapsed cave. Can you figure out what they mean?

(Note: Ancient civilizations didn’t believe in whitespace of lowercase)

File: Image

Solution

This image is a mirrored code of Unown from pokemon. Mirror the image then enter the runes here

Flag: UMDCTF{SINJOHRUINS}

No. 352

Description

password 1: the name of pokemon #352 in lowercase password 2: timetofindwhatkecleonishiding

File: Image

Solution

The image contains two hidden images which both use passwords. This can be decoded by using steghide extract -sf filename.png.

Flag: UMDCTF{KECLE0NNNNN}

Fire Type Pokemon Only

Description

Some wannabe trainer with no pokemon left their PC connected to the internet. Watch as I hack this nerd lol.

File: pcapng

Solution

Examine the packet capture using Wireshark

Filter by FTP and scroll until you view the file secret being transferred. Open the file transfer stream and save the stream as a zip file. Unzip the file and play the video in the folder which contains the flag UMDCTF{its_n0t_p1kachu!!}.

YARA Trainer Gym

Description

My pokemon aren’t very strong yet so I need to slip past the sigs written by the 8 YARA gym leaders! Can you help me!!!

Note: you can run the yara rules locally with yara yara_rules.yar $file

Website:

Rules:

import "elf"
import "math"

rule rule1 {
    condition:
        uint32(0) == 0x464c457f
}

rule rule2 {
    strings:
        $rocket1 = "jessie"
        $rocket2 = "james"
        $rocket3 = "meowth"

    condition:
        all of ($rocket*)
}

rule rule3 {
    meta:
        description = "Number of sections in a binary"
     condition:
        elf.number_of_sections == 40
}

rule rule4 {
    strings:
        $hex1 = {73 6f 6d 65 74 68 69 6e 67 73 6f 6d 65 74 68 69 6e 67 6d 61 6c 77 61 72 65}
        $hex2 = {5445414d524f434b4554}
        $hex3 = {696d20736f207469726564}
        $hex4 = {736c656570792074696d65}

    condition:
        ($hex1 and $hex2) or ($hex3 and $hex4)
}

rule rule5 {
    condition:
        math.entropy(0, filesize) >= 6
}

rule rule6 {
    strings:
        $xor = "aqvkpjmdofazwf{lqjm1310<" xor
    condition:
        $xor
}

rule rule7 {
    condition:
        for any section in elf.sections : (section.name == "poophaha")
}

rule rule8 {
    condition:
        filesize < 2MB and filesize > 1MB
}

Solution

This is a yara ruleset. Here are all the rules explained:

• Rule 1: Checks if the file is a linux binary.
• Rule 2: Checks if the binary contains the strings, jessie, james, and meowth.
• Rule 3: Checks if the binary elf file has 40 sections.
• Rule 4: Checks if the binary contains the strings (somethingsomethingmalware and TEAMROCKET) or (im so tired and sleepy time)
• Rule 5: Checks if the entropy of the file is greater than or equal to six
• Rule 6: Checks if the string aqvkpjmdofazwf{lqjm1310< is present in the binary
• Rule 7: Checks if there is a section named poophaha in the binary
• Rule 8: Checks if the file is between 1MB and 2MB

Lets go through this one by one and write a C++ file.

main.cpp

// Imports
#include <iostream>

//Dummy value for next sections
#define STRINGIZER(arg)    #arg
#define STRVAL(v)          STRINGIZER(v)

//This section is to add custom elf sections and add sections to reach the 40 count
//Source: https://blog.podkalicki.com/how-to-add-custom-section-to-elf-file/
constexpr const char commit_id[] __attribute__((section("mysection"))) = "commit-id=" STRVAL(COMMIT_ID);
constexpr const char build_time[] __attribute__((section("poophaha"))) = "build-time=" STRVAL(BUILD_TIME);
constexpr const char commit_id1[] __attribute__((section("mysection1"))) = "commit-id=" STRVAL(COMMIT_ID);
constexpr const char commit_id2[] __attribute__((section("mysection2"))) = "commit-id=" STRVAL(COMMIT_ID);
constexpr const char commit_id3[] __attribute__((section("mysection3"))) = "commit-id=" STRVAL(COMMIT_ID);
constexpr const char commit_id4[] __attribute__((section("mysection4"))) = "commit-id=" STRVAL(COMMIT_ID);
constexpr const char commit_id5[] __attribute__((section("mysection5"))) = "commit-id=" STRVAL(COMMIT_ID);
constexpr const char commit_id6[] __attribute__((section("mysection6"))) = "commit-id=" STRVAL(COMMIT_ID);
constexpr const char commit_id7[] __attribute__((section("mysection7"))) = "commit-id=" STRVAL(COMMIT_ID);

int main(int argc, char *argv[])
{
    //Ensure the string is in the binary
    std::cout << "aqvkpjmdofazwf{lqjm1310<" << std::endl;
    return (0);
}

//These strings are also needed
void jessie() {

}

void james() {

}

void meowth() {
}

void TEAMROCKET() {
}

void somethingsomethingmalware() {
}

Compile the file with gcc main.cpp -lstdc++

Add randomness to reach the entropy and size requirement using dd if=<(openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero) of=a.out bs=1M count=2 seek=1 iflag=fullblock

Put this into the website to find the flag: UMDCTF{Y0ur3_4_r34l_y4r4_m4573r!}

Telekinetic Warfare

Description

Someone was able to exfil a top secret document from our airgapped network! How???

File: gif

The gif file is a bunch of qr codes. The first step is to extract it into specific frames then extract the data. The data string is encoded in base64 so once decoded and combined they make a data file. The file header can be found in a file header database and once run as a pdf file the flag can be seen as UMDCTF{wh0_n33d5_k1net1c_w4rfar3_anyw4ys}