Writeup: Pragyan 2019 - EXORcism

(Updated: )
writeups
, , ,

Information

  • Category: misc

Description

My friend Alex needs your help very fast. He has been possessed by a ghost and the only way to save him is if you tell the flag to the ghost. Hurry up, time is running out!

Writeup

The challenge file, called encoded.txt is just a list of 0s and 1s; one per line.

Let’s check if we can create an ASCII art:

1
2
3
with open("encoded.txt", "r") as f:
    data = f.read()
    info = data.replace("\n", "")

This script prints the content of the file stripping the newline char on the terminal.

Shrinking around your terminal emulator you can eventually get:

This two QRcodes are equals but shifted just of a line. With PIL it’s easy to get the QRcode into a PNG file.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
from PIL import Image
import sys

with open("encoded.txt", "r") as f:
    data = f.read()
    info = data.replace("\n", "")

# Split the lines by 200 and then in half
qr1 = ""
qr2 = ""
for i in range(0, 10000000, 200):
    qr1 += info[i : i + 100]
    qr2 += info[i + 100 : i + 200]

# Create the matrix
qrm1 = [qr1[i : i + 100] for i in range(0, 5000, 100)]
qrm2 = [qr2[i + 100 : i + 200] for i in range(0, 5000, 100)]
qrcode1 = Image.new("RGB", (100, 100), "white")
qrcode2 = Image.new("RGB", (100, 100), "white")
qrcode1_pixels = qrcode1.load()
qrcode2_pixels = qrcode2.load()

# Fill and save the PNGs
try:
    for x in range(100):
        for y in range(100):
            if qrm1[x][y] == "1":
                qrcode1_pixels[x, y] = (0, 0, 0)
            if qrm2[x][y] == "1":
                qrcode2_pixels[x, y] = (0, 0, 0)
except:
    pass
qrcode1.save("qrcode1.png")
qrcode2.save("qrcode2.png")

The PNGs in output are identical:

Eventually the QRCode in output returns a string:

160f15011d1b095339595138535f135613595e1a

The strings could be a cipher text XORed with some unknown key…but! Since we know part of the plain text (pctf{) we can check if the ciphertext leaks some infos.

From CyberChef we can see that the first part of the key is flag.

Just using flag as key we got the flag.

Flag

pctf{wh4_50_53r1u5?}