Tags: Forensics | Categories: Writeups | Series: CSAW15 Quals
CSAW 2015 Quals - Transfer
Also a very easy challenge. This challenge was a pcap file containing HTTP traffic. A simple search for “flag” found a match in packet 60, which appears to contain a Python script.
The full Python script transmitted is this:
```python
import string
import random
from base64 import b64encode, b64decode

FLAG = 'flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}'

enc_ciphers = ['rot13', 'b64e', 'caesar']
# dec_ciphers = ['rot13', 'b64d', 'caesard']

def rot13(s):
    _rot13 = string.maketrans(
        "ABCDEFGHIJKLMabcdefghijklmNOPQRSTUVWXYZnopqrstuvwxyz",
        "NOPQRSTUVWXYZnopqrstuvwxyzABCDEFGHIJKLMabcdefghijklm")
    return string.translate(s, _rot13)

def b64e(s):
    return b64encode(s)

def caesar(plaintext, shift=3):
    alphabet = string.ascii_lowercase
    shifted_alphabet = alphabet[shift:] + alphabet[:shift]
    table = string.maketrans(alphabet, shifted_alphabet)
    return plaintext.translate(table)

def encode(pt, cnt=50):
    tmp = '2{}'.format(b64encode(pt))
    for cnt in xrange(cnt):
        c = random.choice(enc_ciphers)
        i = enc_ciphers.index(c) + 1
        _tmp = globals()[c](tmp)
        tmp = '{}{}'.format(i, _tmp)
    return tmp

if __name__ == '__main__':
    print encode(FLAG, cnt=?)
```
Following this was a lot of binary data, which according to the script is a kind of encoded Matryoshka doll: the first byte of each layer denotes the encoding type and is followed by the encoded data.
Decoding this was just a matter of implementing the decoders and repeating the process until the first byte is no longer a 1, 2 or 3:
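```python
# Python 2, like the captured script
import string
from base64 import b64decode

dec_ciphers = ['rot13', 'b64d', 'caesard']

def rot13(s):
    # rot13 is its own inverse, so the encoder's function is reused unchanged
    _rot13 = string.maketrans(
        "ABCDEFGHIJKLMabcdefghijklmNOPQRSTUVWXYZnopqrstuvwxyz",
        "NOPQRSTUVWXYZnopqrstuvwxyzABCDEFGHIJKLMabcdefghijklm")
    return string.translate(s, _rot13)

def b64d(s):
    return b64decode(s)

def caesard(plaintext, shift=3):
    # inverse of caesar(): map the shifted alphabet back to the plain one
    alphabet = string.ascii_lowercase
    shifted_alphabet = alphabet[shift:] + alphabet[:shift]
    table = string.maketrans(shifted_alphabet, alphabet)
    return plaintext.translate(table)

def decode(ct):
    tmp = ct
    while True:
        i = tmp[0]  # leading character names the outermost layer
        if i not in ['1','2','3']:
            return tmp  # no known tag left: this is the plaintext
        _tmp = tmp[1:]
        c = dec_ciphers[int(i)-1]
        tmp = globals()[c](_tmp)
```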
```
$ python transfer.py
flag{li0ns_and_tig3rs_4nd_b34rs_0h_mi}
```
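As an added example (not the author's script and not part of the capture), here is a Python 3 port of the layer format that round-trips a constructed sample flag and records which layers were peeled. The names `LAYERS`, `SAMPLE_FLAG` and the `max_layers` guard are assumptions of this example, and like the decoder above it assumes the innermost plaintext does not begin with 1, 2 or 3.

```python
import codecs
import random
import string
from base64 import b64decode, b64encode

SAMPLE_FLAG = "flag{constructed_sample_not_the_real_flag}"  # constructed input
LOWER = string.ascii_lowercase
SHIFTED = LOWER[3:] + LOWER[:3]
CAESAR_ENC = str.maketrans(LOWER, SHIFTED)
CAESAR_DEC = str.maketrans(SHIFTED, LOWER)

# Tag character -> (encoder, decoder), numbered as in the captured script.
# rot13 and caesar leave digits untouched, so an inner tag survives them.
LAYERS = {
    "1": (lambda s: codecs.encode(s, "rot_13"),
          lambda s: codecs.decode(s, "rot_13")),
    "2": (lambda s: b64encode(s.encode("ascii")).decode("ascii"),
          lambda s: b64decode(s, validate=True).decode("ascii")),
    "3": (lambda s: s.translate(CAESAR_ENC),
          lambda s: s.translate(CAESAR_DEC)),
}


def encode(pt, cnt, rng):
    """Port of the captured encode(): base64 first, then cnt random layers."""
    tmp = "2" + LAYERS["2"][0](pt)
    for _ in range(cnt):
        tag = rng.choice("123")
        tmp = tag + LAYERS[tag][0](tmp)
    return tmp


def decode(ct, max_layers=1000):
    """Peel layers until the first character is not a known tag.

    Returns (plaintext, tags removed, outermost first).
    """
    trace = []
    while ct[:1] in LAYERS:
        if len(trace) >= max_layers:  # guard against endless or hostile input
            raise ValueError("layer limit exceeded")
        tag = ct[0]
        ct = LAYERS[tag][1](ct[1:])
        trace.append(tag)
    return ct, "".join(trace)


if __name__ == "__main__":
    blob = encode(SAMPLE_FLAG, 20, random.Random(2015))
    plain, trace = decode(blob)
    print(len(blob), trace, plain)
```

The returned trace shows how many of the layers were base64, which is what makes the captured blob grow so large.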
plonk