• Category: Misc
  • Points: 50

Rumors say that something is buried in,
happy treasure hunting. :)

If we ping the domain, it resolves to a loopback address, so we only reach our own localhost.

$ ping PING ( 56(84) bytes of data

We were able to find the IPv6 address of the domain: 2001:470:d:b28::40:1

In [9]: socket.getaddrinfo('', 10001, 0, 0, socket.SOL_TCP) 
Out[9]:  [(<AddressFamily.AF_INET: 2>,
   <SocketKind.SOCK_STREAM: 1>,
   ('', 10001)),
  (<AddressFamily.AF_INET6: 10>,
   <SocketKind.SOCK_STREAM: 1>,
   ('2001:470:d:b28::40:1', 10001, 0, 0))] 

Next, we ran a reverse DNS lookup on the IPv6 address:

 $ dig -x 2001:470:d:b28::40:1  
; <<>> DiG 9.9.2-P2 <<>> -x 2001:470:d:b28::40:1 
;; global options: +cmd 
;; Got answer: 
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13428 
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1  

; EDNS: version: 0, flags:; udp: 512 
; IN PTR  
;; ANSWER SECTION: 299 IN PTR YouHaveReachedTheTreasure.DoYouGetTheFLAG?. 

The hint here is YouHaveReachedTheTreasure, which inspired us to traceroute that address.


Look at the binary code here; it seems the flag is somehow hidden inside.

If we highlight all the 1s, they look like part of a QR code.


But this was only a partial QR code; we needed more hops to get the other half of the data:

for i in {1..40}; do dig -x 2001:470:d:b28::$i:2 | grep PTR; done > file

The following Python script converts the binary data to an image file.


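# for i in {1..40}; do dig -x 2001:470:d:b28::$i:2 | grep PTR; done > file
# edit the file manually
import zbar  # imported by the original script; not used in the part shown here
from PIL import Image

# Each whitespace-separated token of 0s and 1s in the file becomes one line of pixels
with open('file') as f:
    pixels = []
    for lines in f.readlines():
        for x in lines.split():
            pixels.append([0xFF if c == '1' else 0 for c in x])

# 8-bit greyscale image: '1' -> white (0xFF), '0' -> black
im = Image.new('L', (len(pixels), len(pixels[0])))
width, height = im.size
for r in range(width):
    for c in range(height):
        im.putpixel((r, c), pixels[r][c])

# Scale up 10x so the QR code is large enough to scan
width, height = width*10, height*10
im = im.resize((width, height))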
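
An added example (not part of the original write-up) that replaces the manual clean-up of `file`: it builds the ip6.arpa names that `dig -x` queries for each hop and keeps only the PTR answer lines. The sample bit strings are constructed, and treating each PTR target as a plain run of 0s and 1s is an assumption.

```python
import ipaddress
import re

BITS = re.compile(r"^[01]+$")
SAMPLE_BITS = ["1110111", "1000101", "1011101"]  # constructed, not challenge data

def hop_addresses(count=40):
    # Same addresses as the shell loop: the decimal counter is pasted in as-is,
    # so i=10 becomes the hex group 0x0010, not 0x000a.
    return ["2001:470:d:b28::%d:2" % i for i in range(1, count + 1)]

def reverse_name(addr):
    # The name `dig -x` queries: 32 hex nibbles, reversed, under ip6.arpa.
    return ipaddress.ip_address(addr).reverse_pointer + "."

def sample_dig_output():
    # Constructed stand-in for `dig -x ... | grep PTR`: grep also matches the
    # commented question line, which has to be dropped.
    out = []
    for addr, bits in zip(hop_addresses(3), SAMPLE_BITS):
        name = reverse_name(addr)
        out.append(";%s\t\tIN\tPTR" % name)
        out.append("%s\t299\tIN\tPTR\t%s." % (name, bits))
    return out

def rows_from_dig(lines):
    rows = []
    for line in lines:
        fields = line.split()
        if line.startswith(";") or len(fields) != 5 or fields[3] != "PTR":
            continue  # header, question echo, or some other record
        target = fields[4].rstrip(".")
        if BITS.match(target):  # assumption: the hidden row is a run of 0s and 1s
            rows.append([int(c) for c in target])
    if len({len(r) for r in rows}) > 1:
        raise ValueError("rows differ in width; a hop is missing or truncated")
    return rows

def render(rows):
    # Two characters per module keeps the aspect ratio roughly square in a terminal.
    return "\n".join("".join("##" if b else "  " for b in r) for r in rows)

if __name__ == "__main__":
    print(render(rows_from_dig(sample_dig_output())))
```
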

Got the flag: 0CTF{Reverse DNS is so FUN!}