HTX Investigators’ Challenge (HTXIC) CTF Write-Up

HTX Investigators’ Challenge (HTXIC) is a Capture-The-Flag (CTF) competition organised by the Home Team Science and Technology Agency (HTX). The premise of the challenge involves having challengers play detectives for a day to investigate and stop a terrorist attack targeting the F1 Grand Prix in Singapore. The challenges involve different challenges from different domains such as Chemical, Biological, Radiological Nuclear and Explosive (CBRNE), forensics, robotics, biometric and profiling while immersed in a fully gamified 3D virtual reality environment.

Pre-requisites

The challenge was open to teams of 3 to 5 with members who are either full-time students in JC, ITE, Polytechnics or University, or are fresh graduates (within 2 years) from any of these Institutes of Higher Learning.

Being fresh graduates within 2 years, my team and I narrowly falls into the second category.

Final Results

Out of 120 teams, we managed to reach the top 15 leaderboards at the very last second (more about this later, it got pretty exciting).

HTXIC Final Leaderboard

It’s nothing impressive, but being relatively new to CTF and being up against teams with more than 30 past CTF experience, we were pretty happy with our results.

Introduction

The challenge was held on 20th Dec 2021 for a full 12 hours, 8am to 8pm. It was quite intensive and we were fully focused on the challenge for the entire 12 hours, only taking a break for lunch, by the end of it, I was so mentally drained it’s not a joke.

In this write-up, I will focus more on the cybersecurity, steganography and cryptography challenges. There were a few CBRNE challenges that we solved, but I’ll not be discussing them since it doesn’t fall in my field of expertise.

Without further ado, let’s get started.

Physical Challenge — Fingerprinting

Despite being a fully virtual challenge, there were a few physical challenges. One of them being a fingerprinting challenge, where we were given a drone propeller with the supposed perpetrator’s fingerprint, and we had to find, identify and lift the prints off the evidence.

Photo Credits: HTX

It’s a shame I don’t have any actual photo of us doing this challenge.

In the first part of the challenge, we’re supposed to use the provided black powder and brush to dust the propeller and count the number of fingerprints on it.

We didn’t manage to complete this part of the challenge, we used up both attempts. The thing is, there were a lot of partial prints on the evidence (intentional or not, we don’t know), and we weren’t sure if we were supposed to count them or not, so we had to try the different answers. Unfortunately, we didn’t get it right.

In the second part of the challenge, we were given 5 reference prints and their names, and an unknown fingerprint that we’re supposed to compare to the reference prints and identify it.

This part was quite straightforward and we got it done pretty quickly and submitted the answer on the game client.

A06 — Break The Gate

In this challenge, an extension-less file, “BreakTheGate” was given.

A simple hexdump of the file

hexdump -R BreakTheGate > hex.txt

reveals the file header to be a ELF (Executable and Linkable Format) format for Linux.

Hexdump of BreakTheGate file

Running the executable on a Linux machine gives us the following message.

Output of BreakTheGate file

We’re gonna need a username and password. A further look at the hexdump reveals the username and password in plaintext.

Hexdump of BreakTheGate file

However, entering the password into the executable shows that it is invalid.

This was when I happened to notice the password seemed to be reversed. Reversing it back gives us “Br3aking_in”.

Bingo! Flag found.

Bingo! We have our flag, “htx{Br3aking_in}”.

A15 — Find Revo Force’s Hideout

In this challenge, we’re given a 72 images that supposedly contains information to where the bad guys’ hideout is located. And these are all pictures of cats, here’s one for your enjoyment.

One of the cat image provided. Meow.
List of 72 images provided

It is mentioned in the challenge information that these images contain location EXIF data. And the most common location is the hideout, and that the flag is in the form of latitude and longitude, separated by a comma e.g. x.xxxxxx, yyy.yyyyyy.

File Properties of Image

Now, there’s 72 images, so it wouldn’t be wise to go through each of them manually trying to find which one is the most common.

So I wrote a short Python script and used Pillow library to extract the EXIF data wholesale.

from PIL import Image
from PIL.ExifTags import TAGS
from os import listdir
from os.path import isfile, join
path = "C:/Users/innov/Desktop/HTX/A15"
files = [f for f in listdir(path) if isfile(join(path, f))]
for file in files:
# load image
my_image = Image.open(path + "/" + file)
# get EXIF Data of the image
img_exif_data = my_image.getexif()
print("Lat: " + str(img_exif_data.get(34853).get(2)))
print("Lon: " + str(img_exif_data.get(34853).get(4)))
print()

From the output, we can easily tell which location is the most common.

Output of the Python script

Given the DMS (Degrees Minutes Seconds), we convert it to Lat/Lon as required by the challenge. That gives us: 1.340885, 103.644482.

And that’s our flag.

A23 — Reversing 101

This challenge took up the most of my time, but it was the most satisfying to complete.

We were given an executable file, TicTacToe.exe. Running it shows the following.

TicTacToe Application

Playing the game yields nothing, winning or losing. We need to dig deeper.

Using PE Explorer, I noticed mscoree.dll to be one of its dependencies, which means that it’s a .NET application.

We can then use Telerik’s JustDecompile to decompile the executable into C# source code.

Telerik JustDecompile — TicTacToe.exe Source

Unfortunately, the source code is obfuscated by ConfuserEx, which renames symbols into weird characters (and in this case, some weird RTL unicode characters) to make it much harder to inspect and analyse the source code.

Looking back, I should have used a deobfuscator to make my life much easier. But I proceeded to analyse the source code in the obfuscated state, which contributed to the amount of time it took.

Combing through the source code, I found a piece of interesting snippet.

Code snippet

A MessageBox that shows a Base64 encoded message.

WW91IGhhdmUgYWNjZXNzZWQgdGhlIGhpZGRlbiBsb2NrZXIsIGNhbiB5b3UgdW5sb2NrIGl0Pw==

Decoding the base64 message gives us the following message:

You have accessed the hidden locker, can you unlock it?

And the only part of the source codes that call this function is

Code snippet

Which hints that the score has to be 3:2 for it to trigger something to happen.

Hidden locker discovered

After that, a numbered keypad appears, seemingly needing some PIN input.

Numbered keypad input

Looking through the source code again, I discovered this code snippet.

Code snippet

Which seemingly checks for a 9 digit (num0 to num8) PIN. Basically, the 9 digit PIN needs to NOT satisfy (because satisfying any of the condition will return an error) all the conditions to be valid:

num % num8 != 0
num8 * 3 != num1
num1 * 3 != num3
num4 % num1 != 2
num5 * 4 != num4
num1 % num3 != num2
num1 - num5 != num
num6 % num2 != num
num6 / 2 != num5
num7 % num1 != num8 ? true : num7 % num6 != num1

Using some maths, logic and lots of time, it is determined that 133982471 is the valid PIN.

Flag obtained

There we go! Flag captured.

c0deD ME5sages

This was the last challenge that we worked on together as a team. We started about 30 mins before cut-off time, and submitted the flag literally seconds before the challenge ended, and it got us into the top 15 leaderboard. The adrenaline was rushing so much, exciting times.

In this challenge, we were given a long string, nothing else.

%109y69&o1#01U11_6(v32%E1,&01^b88E1@05e-1$1!6n32\T1#16!R10%4i&114!c69.K_1!01~e*@d

Looking at the string, it doesn’t seem to fit the URL encoding scheme, ASCII or whatever. We even tried different ciphers like ROT13, Caesar or Affine cipher.

It took us awhile, but we noticed that if we remove the special symbols and numbers, it yields us

yoUvEbEenTRicKed

Well, okay. Tried that as a flag, didn’t work.

Then we noticed that if we removed special characters and alphabets instead, we’d get

109 69 101 116 32 101 88 105 116 32 116 104 114 69 101

which look awfully like ASCII. This translates to:

mEet eXit thrEe

Which is the flag to this challenge.

Conclusion

That’s all for this write-up, I can’t go into every single challenge that we’ve completed. Maybe if I have time, I can do a part 2 to share more.

Overall, I had a lot of fun doing this challenge. Thank you for taking time to read my write-up :)

--

--

--

Full stack software engineer; the only way to not be replaced by robots, is to be the architect of said robots.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

#METAFAN #AIRDROP

WHY BECOME CYBER SECURITY PROFESSIONAL

Permissions in Android

{UPDATE} Mama Hawk Hack Free Resources Generator

Hashing Passwords using BCrypt in ASP.Net Core (.NET 5)

4 TIPS TO BE SECURE ONLINE!

Importing DeFi wallet into metamask

{UPDATE} Moto Stunts Rider Hack Free Resources Generator

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Dan Ong Chew Seng

Dan Ong Chew Seng

Full stack software engineer; the only way to not be replaced by robots, is to be the architect of said robots.

More from Medium

Meet our Pentesters: Mike Terhaar — Cyver

Previse Writeup — HackTheBox

TryHackMe | CTF | Walkthrough | Raven 2

Belkasoft CTF:Kidnapper Case Writeup