Welcome To UIUCTF'21

A tour-de-force, thrilling teaser of a test challenge

Description

Welcome to UIUCTF'21 was the first challenge participants are confronted with upon being dropped into the CTF homepage. As the name suggests, the challenge requires participants to have a thorough understanding of CTF infrastructure and flag formats to solve.

The challenge description follows:

Welcome to UIUCTF'21! Your flag can be found on this very page.

Additionally, at some point during the CTF, a hint was released, presumably to aid the many participants who were struggling with this deceptively simple challenge. The hint reads:

take a closer look at the wonderful background art :)

About Me

Discord: Fawl #7991
Hobbies: Capturing the Flags
Favourite Song: Coldplay - Flags
Crowning Achievement: Successfully accepted pull request to CTFd fixing spelling error

Pwn Paraphernalia / Reversing Rig
(rest omitted for brevity)
Monitor: Acer AC713S 17-INCH 1280 X 1024 FLAT SCREEN CRT (CATHODE RAY TUBE) MONITOR

Challenge

Welcome to UIUCTF'21 was a deceptively simple challenge that was, by the end of my solving, proven to be chock full of misleading red herrings and wrong hints sprinkled so liberally that all but the most seasoned cyber detectives (myself) would be unable to correctly untangle the veritable Minotaur's labyrinth the challenge creators had strung together to fool participants.

While I unfortunately did not solve the challenge during the event, I feel the flag should have been rightly mine. I will proceed to detail the steps I took while conducting my forensic investigation, and why I feel pay-to-win challenges like this one should be minimized in future events.

I shall now proceed to detail my solving methodology. This methodology is my proprietary work over many solved welcome challenges like this one, and I am releasing it with the faith that the Internet will treat it well. A 100% success rate in pwning challenges of a similar format and difficulty to this one should suffice to prove its lethality.

First, explore and identify your opponent.

Flag can be found on this very page? Interesting.

I proceeded to perform manually a very primitive form of directory bruteforcing using my two index fingers by testing known flag endpoints: uiuc.tf/flag, uiuc.tf/give_flag_pls, uiuc.tf/pwned_by_fawl, et cetera. I will not bore the reader with more details of my hand-typed bruteforcing. The interested reader is encouraged to approach the author via Discord for the wordlist used.

However, having completed the manual bruteforcing and not been yielded the sweet, sweet release of a flag, I began to wonder if the description itself was misleading. On the page itself - perhaps the flag could have taken the format of a hidden HTTP object? Even the most amateur of web developers know that webpages can be visualized in three dimensions, and hiding a flag on the webpage source code might be possible. Using the commonly known and widely used modules Beautiful Soup 4 and requests, I constructed a simple script using the Object-Oriented Programming paradigm in Python to parse the CTF webpage. For those unaware, as web content, and the underlying language used to provide responsiveness, JavaScript, is object-oriented as well, it is important to synchronize your programming paradigms with your victim. This allows you to minimize the likelihood of encountering the dastardly HTTP error 418.

It was at this point that I encountered what we gamers would call a "hard stuck" moment - I was unable to progress any further. I simply did not have enough information to proceed with the pwn. I briefly considered catfishing the challenge team with several pictures of e-girls I had accumulated over my illustrious career as moderator of multiple Discord servers, but good sense prevailed.

Luckily, it was at this moment that the existence of a hint became apparent. The background art? Image forensics it is!

Second, enumerate for weaknesses (in the image)

Having downloaded the entire contents of the webpage as one complete file, I ran the resulting file through my favourite forensics tool, 0xD Hex Editor. While manually scrolling through all 39 KB of the UIUCTF .htm file (yes, I'm thorough. Deal with it.) I encountered some bytes: 62 61 63 6B 67 72 6F 75 6E 64. For those unable to convert hex to text mentally, this reads "background".

Aha! I would never have suspected. I quickly downloaded the background art and threw it into Curly Linux, my steganography machine of choice. With any PNG file, there is often some hidden data, either in the file metadata or embedded in the PNG itself. My first tool of choice was exiftool, to extract the former.

┌──(kali㉿kali)-[~/Desktop]
└─$ exiftool background.png 
ExifTool Version Number         : 12.16
File Name                       : background.png
Directory                       : .
File Size                       : 571 KiB
File Modification Date/Time     : 2021:08:02 10:04:34-04:00
File Access Date/Time           : 2021:08:05 08:33:23-04:00
File Inode Change Date/Time     : 2021:08:05 08:33:23-04:00
File Permissions                : rw-------
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 1920
Image Height                    : 1080
Bit Depth                       : 8
Color Type                      : Palette
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Palette                         : (Binary data 612 bytes, use -b option to extract)
Image Size                      : 1920x1080
Megapixels                      : 2.1

No luck! No suspicious metadata or flag :(

Next, I tried binwalk, to see if file data was appended to the end of the file.

┌──(kali㉿kali)-[~/Desktop]
└─$ binwalk --dd='.*' background.png 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 1920 x 1080, 8-bit colormap, non-interlaced
665           0x299           Zlib compressed data, best compression

I initially thought that the appended file was something serious - I spent the better part of my day attempting to extract the "Zlib compressed data", only to realize that binwalk was being a sussy baka and giving me false data! Naughty, naughty. Daddy's got something to say about that...
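As an added illustration (not part of the original writeup), the chunk walker below shows why the binwalk hit is a false positive: with the 612-byte palette exiftool reported, the IDAT body starts at 8 (signature) + 25 (IHDR chunk) + 624 (PLTE chunk) + 8 (IDAT header) = 665 = 0x299, exactly where the zlib stream was flagged, so it is the image's own compressed pixel data, not something appended. The same walker reads the PLTE chunk and lists palette entries that are nearly the same colour, which is how a low-contrast flag in a palette PNG can be located without a monitor upgrade; the PNG inspected here is a constructed 4x1 sample, not the contest's background.png.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunks(data):
    """Yield (offset, chunk_type, chunk_body) for every chunk in a PNG byte string."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield pos, ctype.decode("ascii"), data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + body + 4 CRC
        if ctype == b"IEND":
            break

def chunk_containing(data, offset):
    """Return the type of the chunk whose body covers byte `offset`, or None if it is not in a body."""
    for pos, ctype, body in png_chunks(data):
        if pos + 8 <= offset < pos + 8 + len(body):
            return ctype
    return None

def near_duplicate_palette_entries(data, tolerance=8):
    """Pairs of PLTE indices whose RGB values differ by at most `tolerance` per channel."""
    plte = next(body for _, ctype, body in png_chunks(data) if ctype == "PLTE")
    colours = [tuple(plte[i:i + 3]) for i in range(0, len(plte), 3)]
    return [(i, j) for i in range(len(colours)) for j in range(i + 1, len(colours))
            if max(abs(a - b) for a, b in zip(colours[i], colours[j])) <= tolerance]

def build_sample_png():
    """Constructed 4x1 palette PNG: index 1 is a near-invisible variant of background index 0."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    ihdr = struct.pack(">IIBBBBB", 4, 1, 8, 3, 0, 0, 0)        # 4x1, 8-bit, colour type 3 = palette
    plte = bytes([30, 30, 30, 32, 30, 30, 255, 0, 0])         # idx0 bg, idx1 near-duplicate, idx2 red
    idat = zlib.compress(b"\x00" + bytes([0, 1, 0, 2]), 9)    # filter byte 0 + four palette indices
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"PLTE", plte) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

if __name__ == "__main__":
    png = build_sample_png()
    for pos, ctype, body in png_chunks(png):
        print(f"{pos:6d} 0x{pos:04X} {ctype} ({len(body)} bytes)")
    # Offset 62 is where this sample's IDAT body (and its 78 DA zlib header) begins.
    print("zlib header lives inside chunk:", chunk_containing(png, 62))
    print("near-duplicate palette entries:", near_duplicate_palette_entries(png))
```

Run against the real file, the same offset arithmetic lands the "Zlib compressed data" hit inside IDAT, and any palette pair that the function reports is where a contrast stretch should be applied.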

Third, try harder.

At this point, I am ashamed to admit that this simple "Welcome" challenge had me at my wits' end. How could it be that the challenge authors had made even the simplest challenge beyond my vaunted pwn power? I placed a meaty fist into my monitor, shattering the one relic of my awesome childhood I had left. I was desperate: without a monitor, how was I supposed to view my, uh, challenge? So, I booted up my good old Personal Mobility Device, headed down to the hardware store and bought a new monitor. After hooking it up to my beast rig, I reopened background.png and was confronted with a nasty sight.

So, the solution is to upgrade one's trusty old cathode ray tube monitor to an LCD monitor. I'm extremely disappointed in both the challenge organizers and myself - it's ridiculous to expect that every participant in the CTF has access to an LCD monitor and the "superior" contrast that comes with it, and I missed 3 whole feeding sessions for my Discord kittens because of my gamer rage. I've seen CTF challenges that have "gotcha" solutions, but never before one so blatant and obviously pay-to-win as this one. My disappointment is immeasurable and my day is ruined.
