Bank of America CTF – Challenge Coins @ DerbyCon 9

I took part in the Bank of America CTF during the last DerbyCon, and I wanted to share some of my write-ups.

Bank of America CTF – Introduction

Just like last year’s DerbyCon, the Bank of America team was hosting a CTF for anyone at the conference.

I won a challenge coin from this last year, and it was sweet-looking.

This year wasn’t about trying to win, but I was hoping to score 200 points and win another challenge coin!

You can still find the challenges and scoreboard

For another write-up, I recommend the following post

It looks like BofA will run the CTF again during Technica, so I will hold off on posting everything until that ends!

Challenges

Steganography (15 points)

The first challenge that I solved was image steganography and was found here.

First, I opened the image in Stegsolve.jar

Once I changed to the image negative, I was able to easily read the flag in the bottom left corner.

Note that Chrome made this even easier, and I could have avoided another program entirely.

I entered in the flag, ‘8f8c2ca5c4bed32e4b364fe26df7f048’, and got some points on the board.

Password Cracking – Zip (10 points)

My next challenge was Zip password cracking.

First, I downloaded the archive.

[email protected]:~/bofa# wget https://infosecuritychallenge.com/files/a25b85fdb335eacd30700f662f2c469c/ctf.zip --no-check-certificate
--2019-09-05 14:01:00--  https://infosecuritychallenge.com/files/a25b85fdb335eacd30700f662f2c469c/ctf.zip
Resolving infosecuritychallenge.com (infosecuritychallenge.com)... 165.227.214.138
Connecting to infosecuritychallenge.com (infosecuritychallenge.com)|165.227.214.138|:443... connected.
WARNING: The certificate of 'infosecuritychallenge.com' is not trusted.
WARNING: The certificate of 'infosecuritychallenge.com' hasn't got a known issuer.
HTTP request sent, awaiting response... 200 OK
Length: 234 [application/zip]
Saving to: 'ctf.zip'

ctf.zip             100%[===================>]     234  --.-KB/s    in 0s      

2019-09-05 14:01:05 (451 MB/s) - 'ctf.zip' saved [234/234]

Next, I used zip2john to get a crackable pkzip hash.

[email protected]:~/bofa# zip2john ctf.zip
ver a  efh 5455  efh 7875  ctf.zip->flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=52, decmplen=40, crc=B9F36741
ctf.zip:$pkzip2$1*2*2*0*34*28*b9f36741*0*42*0*34*b9f3*8468*f80798210ffe881c173582f883279cff09de606c168d3f225c5e638f60aec160508d97fae4fe41018fb2e31dcb749df37edaf9cc*$/pkzip2$:::::ctf.zip
[email protected]:~/bofa# zip2john ctf.zip > zip_hash
ver a  efh 5455  efh 7875  ctf.zip->flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=52, decmplen=40, crc=B9F36741

Finally, I used John to crack the hash, and get the password of ‘887766’.

[email protected]:~/bofa# john zip_hash -incremental=digits
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
887766           (ctf.zip)
1g 0:00:00:00 DONE (2019-09-05 14:10) 7.142g/s 4034Kp/s 4034Kc/s 4034KC/s 887737..887273
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Using the password, I was able to get the flag of ‘e081129432efb65d52150e47f45899d1’.

[email protected]:~/bofa# unzip ctf.zip
Archive:  ctf.zip
[ctf.zip] flag.txt password:
extracting: flag.txt                
[email protected]:~/bofa# cat flag.txt
Flag = e081129432efb65d52150e47f45899d1

Bank of America CTF – Trivia (2 point each)

I moved on to the trivia questions next, as I figured they would be an easy 10 points.

1. Who crashed 1507 computers in a single day? (Zero Cool
2. What season/episode of Mr Robot featured the Derbycon founder’s name used as a fake name by the protagonist? Submit as S#E# (S3E5)
3. What is the name of the default wallpaper in Windows XP? (Bliss)
4. 300 of these counterfeit processors were sold to New Egg submit as XX-XXX. (i7-920)
5. What is the FCC chairman’s favorite candy? (Reese’s)

Nesting Dolls (25 points)

The nesting dolls challenge was like other ones that I’ve seen in CTFs before.

First, I tried to extract every archive manually, but that was taking forever.

Next, I spent some time and got this awesome one-liner working. It will check the current directory for any archive, extract it, and then delete the original. When I ran it, it (eventually) worked perfectly, and extracted until there were no archives left.

[email protected]:~/bofa/nesting# while [ "`find ./ -type f \( -iname '*.zip' -o -iname '*.tar' -o -iname '*.tar.gz' -o -iname "*.7z" -o -iname "*.bz2" \) | wc -l`" -gt 0 ]; do find ./ -type f \( -iname '*.zip' -o -iname '*.tar' -o -iname '*.tar.gz' -o -iname "*.7z" -o -iname "*.bz2" \) -exec 7z e -- '{}' \; -exec rm -- '{}' \;; done

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz (806EA),ASM,AES-NI)

Scanning the drive for archives:
1 file, 51502 bytes (51 KiB)

Extracting archive: ./BQPBDUYW.tar.bz2
--
Path = ./BQPBDUYW.tar.bz2
Type = bzip2

Everything is Ok   

Size:       61440
Compressed: 51502

... < snip > ...

Extracting archive: ./NEEWNNJC.zip
--
Path = ./NEEWNNJC.zip
Type = zip
Physical Size = 4755

Everything is Ok

Size:       4641
Compressed: 4755
[email protected]:~/bofa/nesting#

The final file was flag.png, which was a screenshot of a flag.txt file.

Once I typed it correctly, I submitted the flag of ‘5ebc96d7-c768-46f2-8555-2c582b7c450e’ and earned my points.

Bank of America CTF – Break and Scoreboard Check

At this point, I decided that it was time to take a quick break. I took a quick look at the scoreboard, and I was in first place still!

Cryptogram (20 points)

For the cryptogram, the challenge gave the text below.

GXFZ YO ZXC OCTSIH CIZJR YI ZXC JZUE YIHCD MIHCJ ZXC KCZZCJ Z

Using quipqiup, I was able to automatically solve the challenge.

There were a few possibilities, but the following made the most sense.

WHAT IS THE SECOND ENTRY IN THE RTFM INDEX UNDER THE LETTER T

While I didn’t have my copy of the Red Team Field Manual (RTFM) handy, I was able to look at the preview on Amazon.

I checked the Index and found that ‘TCPDump’ was the second entry.

More Ciphers (25 points)

Next, for “More ciphers”, the challenge gave the following instructions:

"Decrypt and submit the MD5 of the last word in the sentence:"

V nz n pvcure, n pvcure jenccrq va na ravtzn, WLASZ AALEH RNYBT ARZFC XVIDY

First, using the super secure ROT13 algorithm, I was able to decode the first half of the cipher.

I am a cipher, a cipher wrapped in an enigma, JYNFM NNYRU EALOG NEMSP KIVQL

Next, using the super subtle ‘enigma’ hint, combined with CyberChef, I was able to decode the second half.

While it isn’t obvious, it makes more sense upon rearranging the spacing.

SMOTH EREDI NSECR ETDRE SSING

SMOTHERED IN SECRET DRESSING

I got the MD5 hash of ‘dressing’ and submitted the flag for my points!

[email protected]:~/bofa# md5 -s 'dressing'
MD5 ("dressing") = cebaea92f732a6a8392f329925d3fccf

Bank of America CTF – Conclusion

This is my first post out of 2 (or 3), but I covered a lot of the challenges.

Please let me know if you have any questions or feedback about the ones that I’ve already covered.

In the meantime, stay tuned for my other conference and CTF posts!