CrowdStrike CTF 2021 - Module Wow [crypto, reversing]

  • Competition: CrowdStrike CTF
  • Challenge Name: Module wow
  • Type: Crypto, reversing
  • Points: 1 pts
  • Description:

    Diving deeper into CATAPULT SPIDER’s malware, we found that it also supports handing off tasks to external modules. We identified one such module that looks like it might be used to validate a key or password of some sorts, but we’re really not sure. Can you validate our assumption, and, if possible, extract the key?

Downloading the module.wow file reveals that it is an ELF64 binary. The code is pretty straightforward; it does the following:

  • It gets a password from argv[1] (command-line argument).
  • It sets the same signal handler to various signals to just output a message and quit (to gracefully handle execution errors).
  • It decrypts a payload of length 196 by cyclically XOR-ing one byte at a time with the password.

CrowdStrike CTF 2021 - Matrix [crypto]

  • Competition: CrowdStrike CTF
  • Challenge Name: Matrix
  • Type: Crypto
  • Points: 1 pts
  • Description:

    With the help of your analysis, we got onto the trail of the group and found their hidden forum on the Deep Dark Web. Unfortunately, all messages are encrypted. While we believe that we have found their encryption tool, we are unsure how to decrypt these messages. Can you assist?

Let’s examine the cipher with a black-box approach. Here are some facts:

  • The key is composed of 9 bytes.
  • The cipher is a block cipher, of block size 3 (function B takes key+3 characters and outputs the result as 3 bytes).
  • The first 9 bytes of the plaintext are always SPACEARMY.
  • Function C is used for encryption and decryption, but the key is either K for decryption or U(K) for encryption.

ASIS CTF 2020 - Adventure [misc, forensics]

  • Competition: https://asisctf.com/challenges
  • Challenge Name: adventure
  • Type: Misc, Forensics
  • Points: 169 pts
  • Description: Time plays a role in almost every decision. And some decisions define your attitude about time. Can you README.txt? It’s time for a new adventure! Note: Slow-download is international and part of the task.

For this masochist's task, we are given a URL to a gigantic file that downloads slowly. The description says that this is part of the task, which hints that we might need to download the interesting parts of the file in chunks using Range. This is confirmed by the Accept-Ranges response header:


BsidesSF 2017 - shattered (forensics, 200 pts)

  • Competition: https://scoreboard.ctf.bsidessf.com/
  • Challenge Name: shattered
  • Type: Forensics
  • Points: 200 pts
  • URL: https://scoreboard.ctf.bsidessf.com/attachment/e6b6a3706e015298b8227f56e33d8cc5cb379a9c45a7eeee08c1f193c578ca1b

BsidesSF 2017 - []root (crypto, 250 pts)

  • Competition: https://scoreboard.ctf.bsidessf.com/
  • Challenge Name: []root
  • Type: Crypto
  • Points: 250 pts
  • URL: https://scoreboard.ctf.bsidessf.com/attachment/fd74c568c3bfd6e5fb4f07c03db322f0ace8fd0e68ff4d2c106f1518e2109231