treasure

  • Category: Misc
  • Points: 50

Rumors say that something is buried in treasure.ctf.0ops.sjtu.cn,
happy treasure hunting. :)

If we ping the domain treasure.ctf.0ops.sjtu.cn, the name resolves to 127.0.0.1, our own loopback address.

$ ping treasure.ctf.0ops.sjtu.cn
PING treasure.ctf.0ops.sjtu.cn (127.0.0.1) 56(84) bytes of data

We were able to find the IPv6 address of the domain: 2001:470:d:b28::40:1

In [9]: socket.getaddrinfo('treasure.ctf.0ops.sjtu.cn', 10001, 0, 0, socket.SOL_TCP) 
Out[9]:  [(<AddressFamily.AF_INET: 2>,
   <SocketKind.SOCK_STREAM: 1>,
   6,
   '',
   ('127.0.0.1', 10001)),
  (<AddressFamily.AF_INET6: 10>,
   <SocketKind.SOCK_STREAM: 1>,
   6,
   '',
   ('2001:470:d:b28::40:1', 10001, 0, 0))] 

Next, we ran a reverse DNS lookup on the IPv6 address.

 $ dig -x 2001:470:d:b28::40:1  
; <<>> DiG 9.9.2-P2 <<>> -x 2001:470:d:b28::40:1 
;; global options: +cmd 
;; Got answer: 
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13428 
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1  

;; OPT PSEUDOSECTION: 
; EDNS: version: 0, flags:; udp: 512 
;; QUESTION SECTION: 
;1.0.0.0.0.4.0.0.0.0.0.0.0.0.0.0.8.2.b.0.d.0.0.0.0.7.4.0.1.0.0.2.ip6.arpa. IN PTR

;; ANSWER SECTION:
1.0.0.0.0.4.0.0.0.0.0.0.0.0.0.0.8.2.b.0.d.0.0.0.0.7.4.0.1.0.0.2.ip6.arpa. 299 IN PTR YouHaveReachedTheTreasure.DoYouGetTheFLAG?.

The hint here is YouHaveReachedTheTreasure, which inspired us to traceroute that address.

treasure_writeup_01.png

Look at the binary code here; it seems the flag is somehow hidden inside.

If we highlight all the 1s, they look like part of a QR code.

treasure_writeup_02.png

But this was only a partial QR code; we needed more hops to get the other half of the data:

for i in {1..40}; do dig -x 2001:470:d:b28::$i:2 | grep PTR; done > file

The following Python script converts the binary data to an image file.

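#!/usr/bin/python2

# for i in {1..40}; do dig -x 2001:470:d:b28::$i:2 | grep PTR; done > file
# edit the file manually
import zbar  # QR decoding library; not used in this snippet
from PIL import Image

# Each whitespace-separated token in the file is one row of bits.
pixels = []
with open('file') as f:
    for line in f:
        for x in line.split():
            print(x)
            pixels.append([0xFF if c == '1' else 0 for c in x])

# One pixel per bit: 1 -> white (0xFF), 0 -> black.
im = Image.new('L', (len(pixels), len(pixels[0])))
width, height = im.size
# The row index is used as the x coordinate, so the image is the
# transpose of the rows in the file.
for r in range(width):
    for c in range(height):
        im.putpixel((r, c), pixels[r][c])

# Scale up 10x before saving.
width, height = width * 10, height * 10
im = im.resize((width, height))
print("save...")
im.save("test.jpg")
print("done")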
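The `grep PTR` output from the loop above also contains dig's `;` question lines, which is why the file had to be edited by hand. The following Python 3 code is an added example, not part of the original writeup: it parses that output offline, builds each hop's ip6.arpa name to restore hop order, and previews the bit rows as text. It assumes every hop's PTR target is a plain string of 0s and 1s; the function names, sample records and bit strings are constructed for illustration.

```python
import ipaddress
import re

def hop_address(i):
    # Same substitution as the shell loop: $i is pasted in as one hex group.
    return "2001:470:d:b28::%d:2" % i

def reverse_name(addr):
    """ip6.arpa owner name: the 32 hex nibbles of the address, reversed."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def parse_ptr_answers(text):
    """Map owner name -> PTR target, ignoring the ';' question lines grep also matches."""
    answers = {}
    for line in text.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) != 5:
            continue
        owner, _ttl, rclass, rtype, target = fields
        if rclass == "IN" and rtype == "PTR":
            answers[owner.lower()] = target.rstrip(".")
    return answers

def bit_rows(text, hops):
    """Bit strings in hop order; targets that are not pure 0/1 are skipped."""
    answers = parse_ptr_answers(text)
    rows = []
    for i in hops:
        target = answers.get(reverse_name(hop_address(i)), "")
        if re.fullmatch(r"[01]+", target):
            rows.append(target)
    return rows

def render(rows):
    """Text preview: one line per hop, '##' for each 1 bit."""
    return "\n".join("".join("##" if c == "1" else "  " for c in r) for r in rows)

# Constructed sample (made-up bit strings, records deliberately out of order).
_BITS = {2: "1010", 1: "1110", 3: "0111"}
SAMPLE = "".join(
    ";{0}\tIN\tPTR\n{0}\t299\tIN\tPTR\t{1}.\n".format(reverse_name(hop_address(i)), b)
    for i, b in _BITS.items())

if __name__ == "__main__":
    print(render(bit_rows(SAMPLE, range(1, 41))))
```
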

Got the flag: 0CTF{Reverse DNS is so FUN!}

treasure_writeup_03.png