(Note: we did not solve this challenge in time, but I still decided to do a writeup because it’s such a cool challenge!)
This challenge consisted of a server binary written in C++. The use of C++ was pretty limited, though: after reversing, it seemed that only the C++ exception mechanism was used. Of course this made us pretty suspicious, and we looked into the interaction of C++ exceptions with the C setjmp/longjmp functions early on. The true ‘bug’ turned out to be much stranger, however…
This was an HTTP POST challenge. To solve it, you had to check the source of http://ocean.mozillactf.org/en-US/home. This would give you the URL of the form where you could submit the e-mail address of the person that referred you to spark. By using a tool to do HTTP POSTs directly, you could submit POST data
to http://ocean.mozillactf.org/en-US/m/boost2 and then submit POST data
That would give you the flag: “Go team AnglerFish! You have absorbed the sparks of multiple parents!”
“Deep beneath the Kritiko Pelagos lie the ruins of lost Atlantis… one who wrote this challenge will reward those who hail from his fair city!”
Challenge 9 was more about cryptic words and smart searching than about technology. We first thought that we had to work with the Kritiko Pelagos location. Since it was a promotion for a mobile web browser, we figured we might get lucky if we used a mobile browsing device with the (fake) GPS locations for the little bit of sea outside Santorini Island. This did not work when just browsing the site, but it took us a long time to find that out, since the server platform was constantly unavailable. We then re-examined the original challenge text and came up with the idea that Yvan Boily, who wrote it, might be referring to his own home town. After some frantic web searches on DuckDuckGo, we discovered he lived either in or very near Vancouver, Canada. Setting GPS locations to somewhere in Vancouver did not give us the results we hoped for either. We then decided they might actually have wanted us to use the exact GPS locations for the Mozilla office building in Vancouver. Again, no success with just a plain visit of the home page.
We then decided that creating an account on the web site, where we would fill in our location manually in the register/boost section as either Kritiko Pelagos, Santorini Island or Vancouver, would possibly work. It still took us over an hour to get a successful entry in for all three. Of course, Murphy was hard at work and our last attempt, Vancouver, finally yielded us the flag:
“Welcome, fellow Atlantean!”
Afterwards, we learned via IRC that if we had registered for the boost while browsing with GPS location Vancouver, it would have worked as well, but we gave up browsing around and trying things on the overloaded server before we got there. Also, examining the source would have given us an HTTP POST form at https://ocean.mozillactf.org/en-US/m/boost1 where we could have filled in the GPS locations of Vancouver. All three solutions should work. Obviously, more experienced team members working on this challenge and a better working server would have yielded results much faster.
We were a bit thrown off by this challenge. We shouldn’t have been, but because one of our members had already tried most of the obvious hostnames for the mozillactf.org domain, we thought we had to look for other hidden clues. After we finished all the other challenges, we decided to do a brainstorming session and go over all previously checked things once more. Some of us tried to see if there was a link between challenge 12 and challenge 21, since everyone that solved 21 also had 12. We figured it might be something on the challenge12 server that we didn’t find while working there. Some of us started looking there, while others started looking at possible missed cookie tricks, since that was the solution for 12.
Once we decided there was nothing there, we finally took another look at obvious host names and we came up with the http://challenge0.mozillactf.org website. Some of us started looking for obvious files and directories and someone else dove into the source of the home page.
<!-- tihihi, you found it 🙂 80DJeUKwAqH2FbrkY8BIEY1cg -->
Of course, the flag was hidden right in the first page, and we finished our last challenge with a little time left to catch some sleep.
This challenge entails reversing two (packed) Windows executables in order to retrieve an encrypted message. Once the algorithm and key generation method have been determined, a brute-force search within a limited keyspace yields the valid key.
This very secure locking mechanism encloses files and only gives them to you when you know the passphrase. Find it and you will have the flag.
This challenge requires us to reverse engineer an executable and subsequently retrieve the decryption key for an embedded file.
In this challenge we were given an SSH login to a box which contained a command-line JS tool and a .js file which made it crash. The tool was sgid, and there was a file owned by the same group named “secret” in the directory, so it seemed we would have to build a working exploit from the example .js and read the secret file.
This is the true, sordid story of how we solved it 🙂
A strangely formatted message has been given to us in a bottle. We know the person who sent the message likes to use cutting edge 3d debugging tools.
Challenge 22: Swimsuit up!
The challenge 22 description was as follows:
For this challenge you will have to dress up in a sea related fashion. We do not necessarily require that your whole team dresses up, but the more the merrier. There are no further suggestions, no boundaries, no limits! Just try to fit into our oceanic theme. Upload your picture on twitter and send a message that contains #SwimSuitUp and @MozillaCTF to earn 50 points. The deadline to send pictures is therefore one hour before the ending of our competition.
Remember to put some proof in your pictures. A sign that contains your team name, the scoreboard on a screen in the background etc.