VolgaCTF 2015 captcha
@mrexcessive WHA
& @DeathsPirate WHA
The problem
We've got a rather strange png file. Very strange png. Something isn't right about it...
The solution
So foremost reveals tehre are 1892 PNG files in here
Pull them all out... they each have a single character.
DeathsPirate mentions in teamchat that he's found that if you take the images one by one in sequence number order, you get characters for base64 which decodes to a PNG file header...
(decimal) 137 80 78 71 13 10 26 10 (hexadecimal) 89 50 4e 47 0d 0a 1a 0a (ASCII C notation) \211 P N G \r \n \032 \n
We're all working on something else then...
But at about 3am.. sigh...
I think, so maybe... are the same characters represented by identical files - so I could hash the files.. store the hashes and then only have to show a human the things to recognise once per character..
Yes !
Phew...
OK ... I can code this before bedtime... (author's note, during CTFs bedtime is approximately equal to point of maximum coffee dosage, when the production of melatonin has caught up with the absorption of caffeine and any further coffee will not help.
So... some python later.
#!/usr/bin/python
# try.py for VolgaCTF / captcha
# categorise lots of png files, only ask for new hashes
# @mrexcessive @WHA - solving algos and python
import os, sys, code
import readline, rlcompleter
import socket,time
import random
import re
import itertools
import subprocess
import operator
import hashlib
from PIL import Image
pngfname = "output/png/0000%04i.png"
outputfile = "myoutput.png"
progressfile = "hashes.txt"
filehashes = {}
debug = True
flagGoInteractive = True # go interactive after running stuff
alphanums = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
printables = alphanums + ".,<>?/!$%^&*()_-+=@'#][{}`#"
#useful
def GetLoadsOfRandomForSeed(seed):
p = subprocess.Popen(['./random', '%i' % seed, '%i' % count], stdout=subprocess.PIPE, stderr = subprocess.PIPE)
out,err = p.communicate()
randomstrings = out.split()
def Log(s,alwaysLog = False):
if logfname <> None:
f=open(logfname,"a")
f.write("%s\n" % s)
f.close
if debug:
print s
def SerialiseProgress():
global filehashes
ser = ""
for k in filehashes.keys():
ser += "%s=%02x\n" % (k,ord(filehashes[k]))
WriteOutput(progressfile,ser)
def RestartProgress():
global filehashes
filehashes = {}
if os.path.isfile(progressfile):
ser = ""
f=open(progressfile,"rb")
data = f.read()
f.close()
h = data.split("\n")
for d in h:
if "=" in d:
(key,hexvalue) = d.split("=")
filehashes[key] = hexvalue.decode("hex")
def WriteOutput(fname,data):
f = open(fname,"wb")
f.write(data)
f.close()
if __name__ == "__main__":
vars = globals()
vars.update(locals())
readline.set_completer(rlcompleter.Completer(vars).complete)
readline.parse_and_bind("tab: complete")
shell = code.InteractiveConsole(vars)
RestartProgress()
output = ""
for i in xrange(0,3169): # file numbers
fname = pngfname % i
if os.path.isfile(fname):
f = open(fname,"rb")
data = f.read()
f.close()
m = hashlib.md5()
m.update(data)
dig = m.hexdigest()
if filehashes.has_key(dig):
output += filehashes[dig]
else:
im = Image.open(fname)
im.show()
sys.stdout.write("\nImage Char :")
sys.stdout.flush()
d = raw_input()
ch = d[0]
filehashes[dig] = ch
SerialiseProgress()
output += ch
print output
WriteOutput(outputfile,output)
# go interactive
if flagGoInteractive:
shell.interact()
Run the program... look at about 60 images... type in a single letter.
Make no massive mistakes. Good job I made the program restartable!
Get Capital I and lowercase l mixed up... Fix that by deleting rows from the hashfile and running again - get re-asked just those two.
Now we have a base64 string:
iVBORw0KGgoAAAANSUhEUgAAARAAAACDCAIAAADK7dMbAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAUfSURBVHhe7dhtYtowEEVR1sWCWA+rYTNdTOqRhTSjD6NHEmjSe37Z8kgaGV6T9PQBYBmBAQQEBhAQGEBAYAABgQEEBAYQEBhAQGAAAYEBBAQGEBAYQEBgAAGBAQQEBhAQGEBAYAABgQEEBAYQEBhAQGAAAYEBBAQGEBAYQEBgAAGBAQQEBhAQGEBAYAABgQEEBAYQEBhAQGAAAYEBBAQGEBAYQEBgAAGBAQQEBhAQGEBAYAABgQEEQmD+XM+n0+l8/ZPvB6zkcss3/53b5TQ4/fSdjMvf7zd9iOk7mw9j7/vzb3w9MOU9piZ6lqRvetf+2JKnJz6lJsDvO30nBOb7NV+ALzjaemAGn283JDe09qVpjr3u6YlPITDvNvxCut+JvuBoPyIwP8T4MATmdYZfyDcGpv37Zdjf5WbD5be0O3t0t8/xIw++OmGjsvym7ajlJq71lou3svP1tg/vlX3/SR0+X691s5V9Xc1msv6ITXTt28x8O1xkbyDfNLuOTBsert8049YfNjOzFW+rrG5qSu3Gyn1ZLdyq3FpW87CVY8uBGe1VX062N507tKf5Mkz2s7oVxmqZreTf5gNu/aPefD/p0p67zkKNa8GPhymzfdsJviZf+/UnbGapKOVhkdTNfmPj9+Gw60Ra576+2yqsU5dZaKaMzoVN3WS7HGw6WbE/3Dbi6/oC1Vpgmm3vuu3D8Wbd+cMuHsCV2eWolzE3cdLb+NXHvtqa7Wm6bcbdpOm+7km9mq0/5SaUS7dlUu5jA21Zb6l+1IG7dGPJ0oncNuNd3apW0K/YTxts/LCXQ8s/YUZH6Mbisf1je+LcOx6tOhDL7C6sMucmTnobdxBHm+YTe9rMdbfuMu7rntSr2fpzNiOdvly0zdT72EBb1pvXN33eX/+gmaYyOdw1bup3nWy61wyG4jbbSH3sO3zWd/wNk2/q43TmMu6b7k84NC6z0QendxMPeusXiRuOa7pxN2m6r93l21ozW//IPtstHlt297GBtqw3qXed57vScr5xE8PjFW7upky3i8mmhXWYRx8ebiuQ2upJgWmb6YbiscvjcGwbLV3bzcIJBntvxu8vcBMnvXXNpctmw1DjWFnuIJWUombfWDWpGax/xKa7HfPA/c515jfaJx3vZM3UijI59JjWce9+uz9fLm6eeqJU37+lw00zq8mjVhEKmjbsVmhq5CWByY3v0v8mlVOVB4fnqCvZVXU4yTQt1PrQuls0j4XHiTuBuT+sw7N/7rfR8h9um/p5xj0m6x/Yuw6F7iDhe1PGQ5MTsSKeJC/TfIibQTPSifZNS5916fGm7qCbunSp9i3Hx8d9PPSpwOCd7NMPsfjJvuCrvOClgXnNkbDqV+XlNwYm7db8qP9K8ads9fCAT0/8xx2f65N5ectLO9j0BYFJu3/66ysEBgCBAQQEBhAQGEBAYAABgQEEBAYQEBhAQGAAAYEBBAQGEBAYQEBgAAGBAQQEBhAQGEBAYAABgQEEBAYQEBhAQGAAAYEBBAQGEBAYQEBgAAGBAQQEBhAQGEBAYAABgQEEBAYQEBhAQGAAAYEBBAQGEBAYQEBgAAGBAQQEBhAQGEBAYAABgQEEBAYQEBhAQGAAAYEBBAQGEBAYQEBgAAGBAQQEBhAQGEBAYAABgQEEBAYQEBhAQGAAAYEBBAQGEBAYQEBgAAGBAQQEBhAQGEBAYAABgQEEBAYQEBhAQGAAAYEBBAQGEBAYQEBgAAGBAQQEBlj28fEX4wPz1G62YicAAAAASUVORK5CYII=
OK... so decode that,
Python 2.7.3 (default, Mar 13 2014, 11:03:55)
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import base64
>>> f=open("op.txt","rb")
>>> d=f.read()
>>> f.close()
>>> pic=base64.b64decode(d)
>>> f=open("flag.png","wb")
>>> f.write(pic)
>>> f.close()
>>> # to the gimp-mobile...
... # it's a thing...
...
look at the image.. and ... FLAGG !!!