DaVinciCTF 2022

Writeup for the DaVinciCTF 2022

Updated:

Warmup

FrenchFlag

10 points 614 solves

Forensic
Can you find the data present in our flag?

Attachment: flag.png
davincictf-2022-flag.png

Basic check with exiftool reveals the flag at the Creator tag.

└─$ exiftool flag.png
ExifTool Version Number         : 12.40
File Name                       : flag.png
...
Creator                         : dvCTF{flagception}
Image Size                      : 1280x853
Megapixels                      : 1.1

Flag: dvCTF{flagception}


EBG13

10 points 640 solves

Crypto
We found this message : can you decipher it?
qiPGS{3apElcg1ba_1f_r4fl}

The flag is encrypted with the ROT-13 cipher, which can be decrypted by shifting each character 13 places forward or with CyberChef.

Flag: dvCTF{3ncRypt1on_1s_e4sy}


QmFzZTY0

10 points 527 solves

Crypto
Attachment: file.txt

Vm0wd2QyUXlVWGxWV0d4V1YwZDRWMVl3WkRSV01WbDNXa1JTVjAxV2JETlhhMUpUVmpBeFYySkVUbGhoTVVwVVZtcEJlRll5U2tWVWJHaG9UVlZ3VlZadGNFSmxSbGw1VTJ0V1ZXSkhhRzlVVmxaM1ZsWmFjVkZ0UmxSTmJFcEpWbTEwYTFkSFNrZGpSVGxhVmpOU1IxcFZXbUZrUjA1R1UyMTRVMkpIZHpGV1ZFb3dWakZhV0ZOcmFHaFNlbXhXVm1wT1QwMHhjRlpYYlVaclVqQTFSMXBGV2xOVWJGcFlaSHBHVjFaRmIzZFdha1poVjBaT2NtRkhhRk5sYlhoWFZtMHdlR0l4U2tkWGJHUllZbFZhY2xWcVJtRlRSbGw1VFZSU1ZrMXJjRWxhU0hCSFZqSkZlVlZZWkZwbGEzQklXWHBHVDJSV1ZuUmhSazVzWWxob1dGWnRNWGRVTVZGM1RVaG9hbEpzY0ZsWmJGWmhZMnhXY1ZGVVJsTk5WMUo1VmpJMWExWXdNVVZTYTFwV1lrWktTRlpxUm1GU2JVbDZXa1prYUdFeGNHOVdha0poVkRKT2RGSnJhR2hTYXpWeldXeG9iMWRHV25STldHUlZUVlpHTTFSVmFHOWhiRXB6WTBac1dtSkhhRlJXTUZwVFZqSkdSbFJzVG1sU2JrSmFWMnhXWVZReFdsaFRiRnBZVmtWd1YxbHJXa3RTUmxweFVWaG9hMVpzV2pGV01uaGhZVWRGZUdOR2JGaGhNVnBvVmtSS1QyTXlUa1phUjJoVFRXNW9WVlpHWTNoaU1rbDRWMWhvV0dKRk5WVlVWM1J6VGtaVmVXUkhkRmhTTUhCSlZsZDRjMWR0U2tkWGJXaGFUVzVvV0ZreFdrZFdWa3B6VkdzMVYwMVZiekZXYlhCS1RWZEZlRmRZWkU1V1ZscFVXV3RrVTFsV1VsWlhiVVpPVFZad2VGVXlkREJXTVZweVkwWndXR0V4Y0ROV2FrWkxWakpPU1dKR1pGZFNWWEJ2Vm10U1MxUXlUWGxVYTFwb1VqTkNWRmxZY0ZkWFZscFlZMFU1YVUxcmJEUldNV2h2V1ZaS1IxTnNaRlZXYkZwNlZHeGFZVmRGTlZaUFZtaFRUVWhDU2xac1pEUmpNV1IwVTJ0a1dHSlhhR0ZVVmxwM1lVWndSbHBHVGxSU2EzQjVWR3hhVDJGV1NuUlBWRTVYVFc1b1dGbHFTa1psUm1SWldrVTFWMVpzY0ZWWFYzUnJWVEZzVjFWc1dsaGlWVnBQVkZaYWQyVkdWWGxrUkVKWFRWWndlVmt3V25kWFIwVjRZMFJPVjJGcldreFdha3BQVTFkS1IxcEdaRk5XV0VKMlZtMTBVMU14VVhsVVdHeFZZVEZ3YjFWcVRrTldSbXh5Vm01a1YxWnNjREJhVldNMVZXc3hXRlZ1Y0ZkTlYyaDJWakJrUzFKck5WZFZiRlpYVFRKb1NWWkhlR0ZXTWxKSVZXdG9hMUl5YUhCVmJHaENaREZhYzFwRVVtcE5WMUl3VlRKMGExZEhTbGhoUjBaVlZteHdNMWxWV25kU2JIQkhWR3hTVTJFelFqVldSM2hoVkRKR1YxTnVVbEJXUlRWWVZGYzFiMWRHYkhGVGExcHNVbTFTV2xkclZURldNVnB6WTBaV1dGWXpVbkpXVkVaelZqRldjMWRzYUdsV1ZuQlFWa1phWVdReVZrZFdXR3hyVWtWS1dGUldXbmRsVm10M1YyNWtXRkl3VmpSWk1GSlBWakpHY2xkcmVGZE5WbkJJV1RJeFMxSXhjRWhpUm1oVFZsaENTMVp0TVRCVk1VMTRWbGhvV0ZkSGFGaFpiWGhoVm14c2MxcEhPVmRTYkVwWlZHeGpOVll4V25OalJXaFlWa1UxZGxsV1ZYaGpiVXBGVld4a1RsWXlhREpXYWtKclV6RktjazVXWkZkaVJscFlWRlJHUzA1c1draGtSMFpYWWxaYVdWWlhkRzloTVVwMFlVWlNWVlpYYUVSVk1uaGhZekZ3UlZWdGNFNVdNVWwzVmxSS01HRXhaRWhUYkdob1VqQmFWbFp1Y0Zka2JGbDNWMjVPVDJKRmNIcFhhMlIzWVZaT1JsTnJiRmhXYkZweVdYcEdWbVF3TVVsaFJrNW9Za2hDV1ZkV1pEQmtiVkY0VjJ4V1UySkdjSE5WYlRGVFRWWlZlV042UmxoU2EzQmFWVmMxYjFZeFdqWlJhbEphWVd0YVlWcFZXbGRqTWtaR1QxWmthR1ZzV2xGV2ExcGhXVmRSZVZaclpGZFhSM2h5Vld0V1MxZEdVbGRYYm1Sc1ZtMTBNMVl5Tld0WFJrbDNWbXBTV2sxR1NsQldNakZHWlZaV2NscEhSbGROTW1oSlYxUkplRk14U1hsU2EyUm9VbXhLVkZac2FFTlRNVnAwVFZSQ1ZrMVZNVFJXYkdodlYwWmtTR0ZHYkZwaVdHaG9WbTE0YzJOc2NFaFBWM0JUWWtoQ05GWnJZM2RPVjBWNVUydGthbEpYYUZoWmJGSkNUVlphV0dNemFGaFNiRm94V1RCYWExUnNXWGxoUkVwWFlXdEtjbFY2Umt0amF6VlhXa1phYVZKc2NGbFhWM2hoVW0xUmVGZHVSbE5pVlZwWVZGZDRTMU5XV2xoa1J6bG9UVlZ3TUZaWGN6VldNa1p5VjJ0NFZrMXVhSEpXYWtaaFpFWktkR05GTlZkTlZXd3pWbXhTUzAxSFJYaGFSV2hVWWtkb2IxVnFRbUZXYkZwMFpVaGtUazFZUWxsYVZXaExZa1paZUZkcmJHRlNWMUYzVmxSS1JtVnNSbGxhUm1ocFVteHdiMWRXVWt0U01XUkhVMnhzWVZJelFsUldhazV2VjFaa1dHVkhPVkpOVmtwSVZsYzFTMWRIU2taalNFNVdZbFJHVkZwWGVITldiR1J6Vkcxb1UxWkZXalpXVkVreFlqRlplRmRxV2xOV1JVcG9WV3RXWVdOc1ZuRlRhM1JVVm14S01GbFZXazloUjFaelYycGFWMDFYVVhkWFZtUlNaVlphY2xwR1pGaFNNMmg1VmxkMFYxTXhaRWRWYkdSWVltMVNjMVp0ZUhOT1ZuQldZVWQwV0ZJd2NFaFpNRnB2VjJzeFNHRkZlRmROYm1ob1ZqQmFWMk5zY0VoU2JHUk9UVzFvU2xZeFVrcGxSazE0VTFoc1UyRXlVbTlWYlhoTFZrWmFjMkZGVGxSTlZuQXdWRlpTUTFack1WWk5WRkpYWWtkb2RsWXdXbXRUUjBaSFlrWndhVmRIYUc5V2JURTBZekpPYzJORmFGQldNMEpVV1d0b1EwNUdXbkpaTTJSUFZteHNORll5TlU5aGJFcFlZVVpzVjJFeFZYaGFSM2h6VmpGYVdXRkdhRk5pUm5BMVYxWldZV0V4VW5SU2JrNVlZa1phV0ZsVVNsSk5SbVJYVjJ0MGFrMVdTakZXUnpGdlZUSktSMk5HYkZkU2JFcE1XV3BHVDFZeFpISmhSM2hUVFVad2FGWnRNSGhWTVU1WFYyNVNhMUo2Ykc5VVZsWnpUbFpzVm1GRlRsZGlWWEJKV1ZWV1QxbFdTa1pYYmtwWFlXdGFhRnBGVlRWV01WcHlUbFprYVdFd1dYcFdiWGhxWkRBeFYxUllhRmhoTW1oVldXdGtiMkl4Vm5GUmJVWlhZa1p3TUZwVmFHdFVhekZaVVd4c1lWWlhhRXhaYTFwaFZsWktjMXBHYUdoTldFSlJWMVphWVZNeVRuUlVhMVpZWWtkU2IxUlhjekJOUm1SWlkwVmtWMkpXV2xoV1J6VlhWa2RLUjFOdVFsZGlSbkF6VmpGYVlWSXhiRFpTYld4T1ZqRktTVll5ZEdGaE1XUklVMnRhYWxORk5WZFpiRkpIVmtad1dHVklUbGRpUjFKNlZrY3hiMVl5UlhwUldHaFhWbTFOZUZscVJscGxSbVJaWTBkb1ZGSllRbGxXYlhSWFdWZFdjMWR1UmxOaVIxSnhWRlprVTJWc2JGWmFTRTVYVFZad01WVlhjR0ZXTURGWVZWaGtXRlp0VWs5YVJFRjRVMWRHUjJGR2FGTk5NbWhSVm0weE5HRXhWWGhYV0doV1lrZG9jbFV3WkZOV1JsSlhWMnQwYkdKSGVGZFpWV1F3VjBaSmQyTkZhRnBOUm5CMlZqSnplRk5IUmtabFJtUk9ZbTFvYjFacVFtRldNazV6WTBWb1UySkhVbGhVVmxaM1ZXeGFjMVZyVGxkaGVsWllWakZvYjJGc1NsaGhSemxXWVd0d2RsWkVSbFprTVZweVpFVTFhVkp1UVhkV1JscFRVVEZhY2sxV1drNVdSa3BZVm0weGIyVnNXblJOVlZwc1ZteGFlbFl5ZUhkaFZtUkhVMWh3V0Zac1dtaFdha3BUVTBaYWNsZHRkRk5OTUVwVlYxZDBiMUV3TlVkWGJrcGFUVEpTVUZadE1WTlRSbGw1VGxVNWFHSkZjREJhVldSSFZsWmFWMk5HWkZWV2JIQjZWbXBHWVZkWFJrZGhSazVwVW01Qk1WWXhXbGRaVjBWNFZXNVNVMkpyTlZsWmExcGhWMFpzVlZOc1NrNVNiRmt5VlcxME1HRnJNVmxSYTNCWFlsaG9WRmxXV2t0ak1rNUhZa1pvVjAweFNtOVhhMUpDVFZkTmVGcElTbWhTTTJoVVZGVmFkMkZHV25STlNHaFdUVlUxV0ZZeU5WTmhNVW8yWWtjNVZWWnNXbnBVYkZwelZtMUdSbFJzWkdsV1dFSktWMVpXVjFReGJGZFRhMXBZWW10d1dGbFhkR0ZoUm5CR1ZsUldWMDFXY0hsVWJGcHJZVmRGZDFkWWNGZGlXR2h4V2tSQmVGWXhVbGxoUm1ob1RXMW9WbGRYZEd0aU1rbDRWbTVHVW1KVldsaFphMXAzVFVad1ZtRkhkRlZoZWtaWldsVmFhMVl3TVhGV2JrcFhWa1Z3VEZVeFdrZGpiVVpIV2taT1RrMXRhRlpXYlRGM1V6Rk5lVlJ1VGxWaWEzQnhWVzB4YjJOR1ZuUmxTR1JzVm0xU1dsa3dWbXRXTWtwWFYyeG9WMUo2VmxCWlZscExaRlpHY2s5V1ZsZGxhMW95Vm1wR1lXRXhXWGhXYmtwaFVqTlNUMWxVUm5kVFZscHhVMnBTVjAxV1ZqVlZNblJyWVd4T1JrNVdaRnBpUmtwSVZtdGFVMVl4WkhOWGJYaFhUVVJSZVZaWE1UUmlNVlY1VWxod1VtSlZXbGhXYlRGT1pVWnNjVkpzY0d4U2JWSmFXVEJrYjFaR1NsbFJiR1JZVm14S1RGWlVSazlTTVZwMVVteE9hVlpXY0ZwV2JUQXhVVEZPVjJKR1dsaGhlbXhZVkZaYWQxTkdXWGxsUjBaWFRXdHdTVlpIY0ZOV1YwVjVWV3hPWVZac2NHaFpNbmgzVWpGd1IyRkdUazVOYldjeFZtMTRhMlF4UlhoaVJtaFZZVEpTV0ZsdGVFdGpNVlYzV2taT2FrMVhlSGxXTW5oclZERmFkVkZzWkZwV1YxRjNWakJhU21ReVRrWmhSbkJPVW01Q01sWnFTbnBsUms1SVVtdGFiRkp0VWs5WmJURnZZakZhY1ZGdFJsZE5helY2V1RCV2IxVXlTa2hWYkdoVlZteGFNMVpYZUdGak1WWnlXa2RvVGxaVVJUQldWRVp2WWpKR2MxTnNhRlppVjJoWFdXeG9UbVZHV1hkWGJIQnJUVlp3ZVZwRlZURmhWa3AxVVZoa1YxSnNjRlJWVkVaaFkyc3hWMWRyTlZkU2EzQlpWbTB3ZUdJeVZuTlhibEpPVmxad2MxWnRlR0ZsYkZwMFpVaGthRlp0VWtoVk1XaDNWMFpaZWxGcmFGZGhhM0JRVm1wR1UyUldWbk5SYkdScFZtdHdWbFl4WkRSaU1rbDNUbFprV0dKc1NrOVZhMVpoWWpGU1YxZHVUazlTYkd3MVZHeFZOV0ZIU2taalJXUldUV3BHZGxacVNrdFRSbFp5VDFaV1YySklRbTlXYWtKclZHMVdkRkpyWkdoU2F6VndWVzAxUWsxc1dYaFhiR1JhVmpCV05GWlhOVTlYUm1SSVpVYzVWbUV4V2pOV01GcFRWakZrZFZwSGFGTmlSbXQ1VmxjeE1HUXlTa2RUYms1VVlXdGFXRlZ1Y0VkVFJscFZVMnQwVTAxck5VaFphMXB2VmpBd2VGTnRPVmhoTVVwRFZGWmtUbVZHY0VsVGJVWlRZa2hDZGxaR1pEUlRNV1JIVjJ0a1lWTklRbk5WYkZKWFYwWmFkRTVXVG1oTlZXd3pWako0YTFadFNsbGhTSEJWWWtad2VsWnRNVWRTYkZKeldrZHNWMWRGU2t0V01WcFhWakZWZUZkc2FGUmlSM2h2VlRCV2QxZEdiSEpYYm1SVVVtNUNSMVl5ZERCaE1VbDNUbFZrVldKR2NISldSM2hoVjBkUmVtTkdaR2xYUjJoVlZsaHdRbVZHVGtkVGJHeG9VakJhVkZacVNtOVdiR1JZWkVkMGFVMXJiRFJXYlRWVFZHeGFObUpHYUZwaE1YQXpXbGQ0V21WVk5WaGtSbFpvWld0YVdWZFVRbTlqTVZsM1RWaEdVMkV5YUdGV2FrNXZZVVpyZVUxVk9WTldhMW93VlcxNFQxWXdNVlpYV0hCWFlsaG9WRlY2Umt0a1JscDFWR3hPYVZJemFHOVdWekI0WWpKT1IxWnVVbXhUUjFKd1ZGWmtVMWRHV2xoa1JFSldUVVJHV0ZsclVsTlhSMFY1WVVab1YyRXlVa3hXTUdSWFUxWlNjMk5HWkZOV2JUazJWbTF3UjFsWFJYaFhXR2hxVWxaYVUxbHNhRk5qUmxwMFpFWndUbEpzY0hoVk1uQlRWakF4VjFacVZsWmlSMmgyV1ZkNFQxSnJOVmRhUm5CcFVtdHdTVlp0ZEdGa01XUklWbXRzVldKSFVuQlZha1pMVG14YWNsa3phR2xOVmxZMFZqSjBZVmRIUm5OalJtaFhZVEZhZVZwVlduTldWa3B6WTBkNFUySldTbUZYVkVKaFdWZEdWMWRZYkdoU2JXaFpXV3RrVW1ReFpGZFhiazVYVFdzMVNGWXllRzloVmtsNFUyNW9WMUp0VVhkWFZscEtaVVpXV1dGR2FHbFhSa3AzVmxkd1EyUXhaSE5pUmxwV1lsVmFXRlJWVWtkWFZscFhZVWQwV0ZKc2NEQldWM2hQV1ZaYWMyTkhhRnBOYm1nelZXcEdkMUl5UmtkVWF6Vk9ZbGRqZUZadE1UUmhNREZIVjFob1ZWZEhhR2hWYkdSVFYwWnNkR1ZGZEdwaVJsWXpWMnRhVDJGck1WaGxTR3hYVFc1b2NsWkVSbUZrVmtaeldrWndWMVl4UmpOV2FrSmhVMjFSZVZScldtaFNia0pQVlcwMVEwMXNXbkZUYm5Cc1VtczFTRlp0TlZkWFIwcElWV3M1V21KVVJuWlpha1poWTFaR2RGSnNaRTVoZWxZMlYxUkNWMkl4VlhsVGEyaFdZa2RvVmxadGVHRk5NVnBZWlVkR2FrMVlRa3BYYTFwVFZHeGFWVkpVUWxkV1JWcDJXWHBHVm1WV1NsbGlSMmhUWlcxNFdGZFhkR0ZUTVdSSFYxaGtXR0pyTlhKVmFrWkxVakZ3UmxaVVJtaFdhM0F4VlZab2ExWXhTbk5qUmxKV1ZrVmFhRmt5YzNoV01XUnlUbFprVTJFelFscFdiVEF4WkRGWmVGZHJaRmhpYTFwVldWUkdkMk14V25SbFIwWk9VbTE0VjFZeU1VZFdWMHBHWTBSR1ZsWjZRVEZXYWtwTFZsWktWVkZzY0d4aE0wSlJWMWh3UjJReFRsZFdiazVWWWxkNFdWVnNWbmRXYkZsNFdrUkNhVTFWVmpOVWJGWnJWMGRLY21OSFJsVldSWEJVVmxWYVlXUkhWa2xVYXpsVFlrZDNNVlpIZUZaT1YwWklVMnRhYWxKdGVHRldiRnAzWkd4YWMxZHRSazlpUm5BeFZqSjRkMVJ0U25SaFJGcFhZbGhvYUZWcVJtdFhSa3B5V2tkb1UyRjZWbmRXVnpCM1RsVTFSMWRZYUZaaE1EVmhWbXBDVjA1R1dsaE9WVGxZVW0xU1NWcFZZelZXYlVWNFYycE9WMDFHY0hwV01HUlRVbTFTU0dOSGJGTmlSM1ExVm14amVFMUZNVWhTYmxKVFlXeHdXRmxyWkc5WFZteFZVbTVrYUZKdGVGaFdNblF3WVdzeGNrNVZhRnBoTVhCMlZtcEJkMlZHVG5SUFZtUm9ZVE5CTWxkc1ZtRlRiVlpIWTBWc1ZHSlhhRlJVVkVaTFZsWmFSMVp0Um10TlYxSllWakowYTFsV1RrbFJiazVXWWtaS1dGWXdXbUZrUlRWWFZHMW9UbFpYT0hsWFYzUmhZVEZhZEZOc2JHaFNSVFZXVm14YWQyRkdXWGRXVkVaWFlrWktlbGRyVlRGaFJUQjNVMnQwVjAxV2NGaFdha1pXWlVaa2MyRkdVbWhOYkVwNFZsZHdTMkl4V1hoVmJGcGhVbXMxV1ZWdGVGZE5NVmw1WkVSQ2FHRjZSbGxXVnpWelZsZEtSMk5JU2xwV2JIQnlWVEJhVTJOV1ZuTmFSMnhZVWpKb05WWnJaREJoTVU1MFZteGtWbUpIZUc5VmJURnZZMFpzV1dOR1pGaGlSMUpZVmxkMGEyRXdNVmRqUm1oYVlUSm9URmRXV2t0T2JVcEhZa1phYVZaRlZYZFdha1poWTIxV2RGUnJXbUZTTW1oUFdWUk9RMU5zWkhOV2JVWm9UVlpzTTFSV2FFZFZNa1Y1WVVkR1YyRnJOWFpaVlZweVpWVXhWazlXVWxkTlJGWkpWMVpXYTJJeFVuTmFSVnBVVjBkNFdGbHNVa2ROTVZZMlVtczFiRlpzU2pGV1IzaFhZVmRGZWxGdVpGZFdla0kwVmxSR2ExSXlTa2xVYkdob1RWaENlVlpHV21Gak1EVkhWMWhzVGxaWFVsbFZha0ozVjBaWmVXUkhPVmROVlc4eVZtMTBORll3TVVoVmEzaFdZbGhOZUZacVNrZFNNV1IwWWtaT2FXRXdjRnBXYlhSclRrWktjazlXWkZKaVJYQlNWbXRTUWs5UlBUMD0

The flag is encoded in the Base64 format and it is revealed after decoding it for 20 times using CyberChef.

Flag: dvCTF{Base64_Is_The_Best}


MP3

10 points 218 solves

Steganography
The flag in the audio is given without the tag format!
You must fill in : dvCTF{flag}

Attachment: MP3.mp3

The flag is spoken out in the MP3 file. Reverse the audio and slow it down to listen the flag.

Flag: dvCTF{r3v3rs3_mp3}


RSA

87 points 79 solves

Easy
Our team has found a cipher text: there seems to be some clues to decipher it. Can you help us to read it?

n = 0x7CD1020889B4382BE84B3F14EAAE242755CC1BD56F431B348F4FF8F207A96F41AFCF3EBDF4C17CB6537AD4B01B9FF9497763B22D013B614C8FCDB0C34F9D88F1A523013791EDFEB1FBBA160799892C118892FB7F199C9957DF5A26DAB4D776E5226F06ACD05412F6DD2B1B75D24CE9DC2DDAC513BCB96CD9B97F9BEF8543A3A1
phi = 0x7CD1020889B4382BE84B3F14EAAE242755CC1BD56F431B348F4FF8F207A96F41AFCF3EBDF4C17CB6537AD4B01B9FF9497763B22D013B614C8FCDB0C34F9D88F037D2317D3864035ECE8BCDD458711B788B5B3FDFD5164F7D736D0A56F416E8C16126E3868D73F54AF4D61F6033E069994319C849460C60A725A0F4DD97EDCC84
e = 0x10001
ct = 0x268D7D5F5593EA30F536635B58585620B51D2D143AFE4734635C259278D61413D0C89678E81EDF466B1E45E27EBF802F62F61263E499A516465163C7CB668F94258B3424C3E2BD76634923DECD670E4B6034F8FD00C76F9DAD00A72DB22B70B9408C89FCEE4C9B0D2D4B5664284328711BFAD57FBE1EDCC0854AAD57390DCAD6

Hint: There is another decoding step after the decryption!

First, convert the Hex numbers to Decimal using https://www.rapidtables.com/convert/number/hex-to-decimal.html.

n = 87649082972615446885156213990388141958462041885187282183358321369043253078954716183685582963065012168992348062798954305060720006415266001335650005751863897735171741039420405425935144397447296138110870810719506425543947491726403454512721294407851871180512317063750030012483422248351385763316752934512386876321
phi = 87649082972615446885156213990388141958462041885187282183358321369043253078954716183685582963065012168992348062798954305060720006415266001335650005751863878602037628450194440652151553598137526621296494079379835255789373284025572667141114891644303376103362880682087270696210666254302024051328494090372669885572
e = 65537
ct = 27072622593514815453879432614324701776473574595747953216191498481974488509392434673536099100283731897243171732583922534894433636848515336632487302801454568578704912185172822029407973421574599852974535422485632743936976338461213855442178470548247222162434148032907372865397517157263392748002249405715658427094

Calculate the private key and use it to decrypt the ciphertext using https://www.dcode.fr/rsa-cipher gives 100118678470123102108521039599861127251114116518811695988695828352125.

Convert the number to ASCII text using https://onlineasciitools.com/convert-decimal-to-ascii reveals the flag.

Flag: dvCTF{fl4g_cVpH3rt3Xt_bV_RS4}


Steganography

The Art of Details

50 points 145 solves

Easy
A simple detail can make a big difference Always beware of the first element
Warning ! flag format : dvctf{flag}

Attachment: The_Art_of_Details.docx

With the help of the Accessibility function, it showed that there are three images in the document, with a very small size located on the full stop of the first three paragraphs.

davincictf-2022-details-1.jpg

Increasing the size of the images reveal three QR codes.

davincictf-2022-details-2.jpg

The images can also be revealed and extracted with binwalk, as Microsoft Office documents are actually compressed files.

└─$ binwalk -e The_Art_of_Details.docx 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
...
4760          0x1298          Zip archive data, at least v1.0 to extract, compressed size: 518, uncompressed size: 518, name: word/media/image1.png
5329          0x14D1          Zip archive data, at least v1.0 to extract, compressed size: 723, uncompressed size: 723, name: word/media/image2.png
6103          0x17D7          Zip archive data, at least v1.0 to extract, compressed size: 714, uncompressed size: 714, name: word/media/image3.png
...

Scanning the QR code gives the following strings:

image1.png: aXRpc25vdHRoZWZsYWc=
image2.png: dGhla2V5ezRBajgyRDZoUlpLQThocXA1dG01fQ==
image3.png: defaw{u1qeuugx&crl0gl_4_r_fbe4a_f4hli0rm}

The third string looks like the encrypted flag while the first two strings are encoded in Base64, decoding it gives:

image1.png: itisnottheflag
image2.png: thekey{4Aj82D6hRZKA8hqp5tm5}

The key seems to be hinting that the flag is encrypted with the Vigenère cipher.

Since digits are not allowed to be in the key, all digits were removed from the key and AjDhRZKAhqptm was used to decrypt the flag using CyberChef.

Flag: dvctf{v1genere&qrc0de_4_a_gre4t_p4ssw0rd}


ICMP

292 points 85 solves

Medium
Attachment: icmp.pcap

The data of the ICMP packets in ASCII are in Base64 format and decoding it gives the following.

This is not a flag!
Neither does this package!
Search a little more, you will eventually find ...
... They wrote a poem :D ...
In fact, the flag is not in this part of the packages, sorry...

Well, got to look at elsewhere.

The id of the packets look like Hex numbers. The packets are exported as plaintext with the “Export Packet Dissections > As Plain Text” function in WireShark.

First, the packets are arranged according to the seq number, then the id is extracted and converted from Hex number to ASCII, then decoded as Base64. The flag is then revealed.

import re
import base64
ids = [0] * 32
with open("icmp.txt", "r") as f:
    lines = f.readlines()
    for line in lines:
        if("id=0x00" in line):
            seq = int(re.findall(r"seq=(\d+)", line)[0])
            ids[seq-1] = re.findall(r"id=0x00(\w+)", line)[0].decode("hex")
print(base64.b64decode("".join(ids) + "=").decode())

Flag: dvCTF{h1dden_1n_the_1d}


OSINT

Monkeey

50 points 344 solves

Easy
In what city is the statue of this monkey found? Wrap it around with the wrapper: dvCTF{city_in_lowercase}

Attachment: img.png
davincictf-2022-img.png

Google searched for the image with the keyword “big balls gorilla” reveals a sculpture of the image.

davincictf-2022-monkeey.jpg

Going to the website with the sculpture image gives more information, that the sculpture is called King Kong’s Balls and is located at Milos Forman Square, Prague, Czech Repblic.

Flag: dvCTF{prague}


Elon Musk

120 points 115 solves

Easy
Hi,
I’m a huge fan of Elon Musk so I invested all my money in cryptocurrencies. However, I I got lost in the cryptoworld and I lost something, can you help me find it?
Sincerely,
@IL0veElon

Searching the username on Google shows a twitter account.

davincictf-2022-elon-1.jpg

Scrolling through the account, one of the tweets looked like a hash that could be transaction ID or something.

davincictf-2022-elon-2.jpg

Referring back to the profile section, the cryptocurrency is likely to be either $DOGE, $SHIB, or the one $EGLD lying in between a bunch of the other two.

With that being said, $EGLD transactions were being searched with the string 099627400a565a0cc64c3a61ee0ce785d80dfbd30e1b1ea8bcb9fdd9952b9b8a at https://explorer.elrond.com.

The string is indeed the hash of the transaction and the flag is at the input data section.

davincictf-2022-elon-3.jpg

Flag: dvCTF{Bl0cKcH4In_Rul3S}


Welcome to the DaVinciCTF!

440 points 46 solves

Easy
Attachment: img.jpg
davincictf-2022-img.jpg

The challenge name suggests that the part with the DaVinciCTF page might contain the flag, with the URL https://ctfd.davincicode.fr/_ and login details Admin:ThisIsAVerySecurePassword shown in the image.

davincictf-2022-welcome-1.jpg

Thought that it might require logging into the platform, but apparently just have to search for dvctf{ or use ctrl-A to highlight all on the login page to reveal the flag in white colour near the bottom of the page.

davincictf-2022-welcome-2.jpg

Flag: dvCTF{8a878c2bd9c1844aac17cd051585e2f0}


Painting Spot

426 points 51 solves

Found a nice painting spot, took a picture of it. But I can’t remember where it is… The flag is in the form of dvCTF{} and has the flag wrapper already
Attachment: paintingSpot.zip
davincictf-2022-paintingSpot.jpg

Used exiftool to look for GPS information, not quite useful but instead, found some interesting information right beneath at the XP tags.

└─$ exiftool paintingSpot.jpg              
ExifTool Version Number         : 12.40
File Name                       : paintingSpot.jpg
...
GPS Altitude Ref                : Above Sea Level
GPS Speed Ref                   : km/h
GPS Speed                       : 0.07419386512
GPS Img Direction Ref           : True North
GPS Img Direction               : 227.9959872
GPS Dest Bearing Ref            : True North
GPS Dest Bearing                : 227.9959872
GPS Horizontal Positioning Error: 6.047869715 m
XP Title                        : Lugar para pintar
XP Comment                      : Óptimo local para pintar, deixei uma revisão positiva
XP Keywords                     : Pintura
...

Google translate detected that the comments are in Portuguese. It is likely that the place is in Portugal and the comment suggests that the flag might be in a review.

davincictf-2022-painting-1.jpg

Uploaded the image to Google to search for similar images with the keyword “portugal” to narrow down the results.

davincictf-2022-painting-2.jpg

The top results were all pointing at the same location. Going to the website with the image and it described the place as “Best of the Azores: Ilhéu de Vila Franca”.

The place was located on Google map. From the picture provided, it should be taken somewhere on the right side on the map but not too far away from the island.

davincictf-2022-painting-3.jpg

The beach “Praia do Corpo Santo” seems to best fit the angle. Sorted the reviews of the beach by newest and the flag was found.

davincictf-2022-painting-4.jpg

Flag: dvCTF{g3o_sp0tt3d}


Misc

The HackerMan

491 points 18 solves

Easy OSINT Steganography
I found someone on social media, teasing a CTF he made but I couldn’t find out more. I think his pseudonym was “BornHackerMan”.

Google search did not return any social media accounts, but searching the username within twitter returns an account.

One of the tweets suggested that the CTF is likely to be at Docker or GitHub.

davincictf-2022-hackerman-1.jpg

The other tweets looked normal, but for the video there were captions that has to be toggled on and it contained information.

davincictf-2022-hackerman-2.jpg

*Dailing*
*Ringing*
I finish my first CTF *hurray*
Find it at "hacker/[0-9]+/"
Signed: "The Hackerman"

Seems like the username associated with the CTF is with the regex hacker/[0-9]+/. A number is needed, and the dial tones from the beginning of the video could be DTMF tones. The dial tones were recorded as an audio file and uploaded to https://unframework.github.io/dtmf-detect/#/ to get it decoded as 4398884.

Since the original video had background noises, the decoder could not decode it perfectly as by ear you can hear that there should be 6 digits instead of 7 digits. Nevertheless, it helped to recognise most of the dials and the correct dial should be either 439884 or 439804.

The different combinations of the possible username were used to search for results on https://hub.docker.com/. At last, the user hacker439804 was found to have a container “myfirstctf”. (Apparently the / is not part of the regex, but acting as a wrapper of the regex).

Looking into the latest digest, the flag was found within one of the image layer commands.

davincictf-2022-hackerman-3.jpg

Flag: dvCTF{Z2NjBpvaLnEubB}


Going Postal

490 points 20 solves

Medium OSINT Steganography
My dear friend “Bob” made a tool online to uncover the truth behind that map.

Attachment: map.jpg
davincictf-2022-map.jpg

Basic check with steghide reveals that there is a 7-zip file hidden in the image.

└─$ steghide info map.jpg
"map.jpg":
  format: jpeg
  capacity: 76.8 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
  embedded file "secretpwd.7z":
    size: 758.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes

└─$ steghide extract -sf map.jpg
Enter passphrase: 
wrote extracted data to "secretpwd.7z".

└─$ 7z x secretpwd.7z 
...
Extracting archive: secretpwd.7z

Enter password (will not be echoed):
ERROR: secretpwd.7z
Can not open encrypted archive. Wrong password?
...

A password is needed to extract the file, and it is likely to be the barcode on the image. Google searched for information with the keyword “australia post barcode” and found the 4-state barcode system used by Australian Post.

When searching for a decoder, the second result returned http://bobcodes.weebly.com/auspost.html which matches the challenge description.

davincictf-2022-postal-1.jpg

The barcode was manually translated into ATDFFDDADDAADAADFAFAFFDAFTFDAFATAFAAATADTAFDTDDDDDDDTTTDFFTDDADFAAT, as required by the decoder as the input. It was then fed into the decoder and decoded successfully.

Format Control Code: 62
Sorting Code: 78475110
Customer Information Field: V3K4N64r00

The information was consolidated into a wordlist to crack the file.

└─$ cat list.txt 
62
78475110
V3K4N64r00
6278475110V3K4N64r00
62_78475110_V3K4N64r00
62-78475110-V3K4N64r00
v3k4n64r00
VEKANGAroo
VEKANGAROO
vekangaroo

└─$ /usr/share/john/7z2john.pl secretpwd.7z > 7z.txt

└─$ john --wordlist=list.txt 7z.txt
...
6278475110V3K4N64r00 (secretpwd.7z)     
...

└─$ 7z x secretpwd.7z
...
Extracting archive: secretpwd.7z

Enter password (will not be echoed):
...
Everything is Ok

Folders: 41
Files: 0
Size:       0
Compressed: 758

The file was extracted successfully with the password 6278475110V3K4N64r00, containing 41 empty folders with binary names.

└─$ 7z l secretpwd.7z
...
   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2021-09-30 23:01:11 D....            0            0  secretpwd
2021-07-26 03:47:00 D....            0            0  secretpwd/1013:0000000000000000000000000000000000000000
2021-07-25 22:03:00 D....            0            0  secretpwd/1020:0011100000000110011111000111001000011100
2021-07-25 19:22:00 D....            0            0  secretpwd/1044:0011011000111110011111011000110000010000
2021-07-25 15:32:00 D....            0            0  secretpwd/1063:0011100001001111110010011001000111011100
2021-07-26 00:48:00 D....            0            0  secretpwd/1115:0011000000110000011111100001000001100000
2021-07-25 13:01:00 D....            0            0  secretpwd/1144:0011000111111001100011000001001001100000
2021-07-26 02:26:00 D....            0            0  secretpwd/1154:0011000111001001100100111100110000011100
2021-07-25 16:22:00 D....            0            0  secretpwd/1155:0011011111000111101101100011001110000000
2021-07-26 03:22:00 D....            0            0  secretpwd/1189:0011111111111111111111111111111111111100
2021-07-25 07:25:00 D....            0            0  secretpwd/1209:0000000000000000000000000000000000000000
2021-07-25 19:15:00 D....            0            0  secretpwd/1221:0011011111111101111100100111000010011100
2021-07-25 09:56:00 D....            0            0  secretpwd/1441:0011011000111001110000000111111001111000
2021-07-25 18:49:00 D....            0            0  secretpwd/1441:0011011111111001111100100111000110011100
2021-07-26 02:02:00 D....            0            0  secretpwd/1460:0011000111001001101100111110110000011100
2021-07-25 18:04:00 D....            0            0  secretpwd/1507:0011111111000000011111100111000000000000
2021-07-25 11:41:00 D....            0            0  secretpwd/1514:0011111110000110000000111111001000011100
2021-07-25 22:22:00 D....            0            0  secretpwd/1532:0011000111111000010011100110000110011000
2021-07-25 13:57:00 D....            0            0  secretpwd/1568:0011111111110000001100000000000111111100
2021-07-25 18:33:00 D....            0            0  secretpwd/1600:0011111111000000011111100111000000000000
2021-07-25 16:10:00 D....            0            0  secretpwd/1617:0011011111000111101100100001001110000000
2021-07-25 09:07:00 D....            0            0  secretpwd/1648:0011011011001001001100100100010010111000
2021-07-26 02:46:00 D....            0            0  secretpwd/1657:0011011110110000000011000000110110010000
2021-07-25 16:48:00 D....            0            0  secretpwd/1657:0011100001111000011111100111110111101100
2021-07-25 11:10:00 D....            0            0  secretpwd/1660:0011011000111001110000000111111001110000
2021-07-26 00:05:00 D....            0            0  secretpwd/1668:0011100001110001110000000000110001111100
2021-07-25 07:08:00 D....            0            0  secretpwd/1670:0000000000000000000000000000000000000000
2021-07-25 11:28:00 D....            0            0  secretpwd/1722:0011111110000110000000111111001000011100
2021-07-25 21:50:00 D....            0            0  secretpwd/1727:0011000001001000011100000110111000000000
2021-07-25 15:18:00 D....            0            0  secretpwd/1730:0011011000110110000000011001001111100000
2021-07-25 13:35:00 D....            0            0  secretpwd/1745:0011111111110000001100000000000111111100
2021-07-26 00:27:00 D....            0            0  secretpwd/1746:0011000000110000111111100001000001100000
2021-07-26 05:13:00 D....            0            0  secretpwd/1757:0000000000000000000000000000000000000000
2021-07-25 22:51:00 D....            0            0  secretpwd/1789:0011000111111000010011100100000010010000
2021-07-26 03:08:00 D....            0            0  secretpwd/1789:0011111111111111111111111111111111111100
2021-07-25 07:54:00 D....            0            0  secretpwd/1838:0011011001001001101100100110110110010000
2021-07-25 09:38:00 D....            0            0  secretpwd/1890:0011011110000110001100011000000001111100
2021-07-25 15:41:00 D....            0            0  secretpwd/1904:0011100001001111110011011001000110011100
2021-07-25 21:28:00 D....            0            0  secretpwd/1941:0011000001001000011100000110111000000000
2021-07-25 21:10:00 D....            0            0  secretpwd/1956:0011011110111000001111011000001000011100
2021-07-25 19:44:00 D....            0            0  secretpwd/1975:0011011100111100001111011000001000011100
------------------- ----- ------------ ------------  ------------------------
2021-09-30 23:01:11                  0            0  0 files, 41 folders

The binary numbers were extracted and used to generate image (0 as white pixel and 1 as black pixel) using CyberChef.

davincictf-2022-postal-2.png

The code looked a bit off that it seemed to be divided into four parts with white lines in between.

Apparently the number prefix of the folder name was a trap, the binary numbers should be sorted by the timestamp instead of the default sorting by the folder name. The listing information was imported into excel and sorted according to the timestamp. The binary numbers were extracted again in the correct order.

0000000000000000000000000000000000000000
0000000000000000000000000000000000000000
0011011001001001101100100110110110010000
0011011011001001001100100100010010111000
0011011110000110001100011000000001111100
0011011000111001110000000111111001111000
0011011000111001110000000111111001110000
0011111110000110000000111111001000011100
0011111110000110000000111111001000011100
0011000111111001100011000001001001100000
0011111111110000001100000000000111111100
0011111111110000001100000000000111111100
0011011000110110000000011001001111100000
0011100001001111110010011001000111011100
0011100001001111110011011001000110011100
0011011111000111101100100001001110000000
0011011111000111101101100011001110000000
0011100001111000011111100111110111101100
0011111111000000011111100111000000000000
0011111111000000011111100111000000000000
0011011111111001111100100111000110011100
0011011111111101111100100111000010011100
0011011000111110011111011000110000010000
0011011100111100001111011000001000011100
0011011110111000001111011000001000011100
0011000001001000011100000110111000000000
0011000001001000011100000110111000000000
0011100000000110011111000111001000011100
0011000111111000010011100110000110011000
0011000111111000010011100100000010010000
0011100001110001110000000000110001111100
0011000000110000111111100001000001100000
0011000000110000011111100001000001100000
0011000111001001101100111110110000011100
0011000111001001100100111100110000011100
0011011110110000000011000000110110010000
0011111111111111111111111111111111111100
0011111111111111111111111111111111111100
0000000000000000000000000000000000000000
0000000000000000000000000000000000000000

A new image was generated using CyberChef. The flag is then revealed when scanned as a data matrix code using https://products.aspose.app/barcode/recognize.

davincictf-2022-postal-3.png

Flag: DVCTF{4U57r4114_P057_4_57473}


Comments