treasure
- Category: Misc
- Points: 50
Romors say that something is buried in treasure.ctf.0ops.sjtu.cn,
happy treasure hunting. :)
If we ping the domain treasure.ctf.0ops.sjtu.cn, we'll get a loopback to our localhost.
$ ping treasure.ctf.0ops.sjtu.cn PING treasure.ctf.0ops.sjtu.cn (127.0.0.1) 56(84) bytes of data
We were able to find the IPv6 address of the domain: 2001:470:d:b28::40:1
In [9]: socket.getaddrinfo('treasure.ctf.0ops.sjtu.cn', 10001, 0, 0, socket.SOL_TCP)
Out[9]: [(<AddressFamily.AF_INET: 2>,
<SocketKind.SOCK_STREAM: 1>,
6,
'',
('127.0.0.1', 10001)),
(<AddressFamily.AF_INET6: 10>,
<SocketKind.SOCK_STREAM: 1>,
6,
'',
('2001:470:d:b28::40:1', 10001, 0, 0))]
A reverse DNS lookup on the IPv6 address.
$ dig -x 2001:470:d:b28::40:1
; <<>> DiG 9.9.2-P2 <<>> -x 2001:470:d:b28::40:1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13428
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;1.0.0.0.0.4.0.0.0.0.0.0.0.0.0.0.8.2.b.0.d.0.0.0.0.7.4.0.1.0.0.2.ip6.arpa. IN PTR
;; ANSWER SECTION: 1.0.0.0.0.4.0.0.0.0.0.0.0.0.0.0.8.2.b.0.d.0.0.0.0.7.4.0.1.0.0.2.ip6.arpa. 299 IN PTR YouHaveReachedTheTreasure.DoYouGetTheFLAG?.
The hint here is YouHaveReachedTheTreasure, that inspired us to traceroute that address.
Look at the binary code here, it seems the flag is somehow hidden inside.
If we highlight all 1s that looked like a part of a QR code.
But the code here was just a partial QR code, we needed more hops for the another half data:
for i in {1..40}; do dig -x 2001:470:d:b28::$i:2 | grep PTR; done > file
The following python script converted binary data to an image file.
#!/usr/bin/python2
# for i in {1..40}; do dig -x 2001:470:d:b28::$i:2 | grep PTR; done > file
# edit the file manualy
import zbar from PIL
import Image
with open('file') as f:
pixels = []
for lines in f.readlines():
for x in lines.split():
print(x,)
pixels.append([0xFF if c == '1' else 0 for c in x])
im = Image.new('L', (len(pixels), len(pixels[0])))
width, height = im.size
for r in range(width):
for c in range(height):
im.putpixel((r,c), pixels[r][c])
width, height = width*10, height*10
im = im.resize((width, height))
print("save...")
im.save("test.jpg")
print("done")
Got the flag: 0CTF{Reverse DNS is so FUN!}
