# noxCTF 2018

## 573 - Blind Date - Misc

My mom got me a date with someone! she sent me an image but i cannot open it. I don’t want it to be a blind date. Can you help me?

By inspecting the data of the file with xxd we notice that the bytes are scrambled.

After taking a look at the JPEG File Interchange Format we can quickly see how the bytes have been scrambled. Link

The file should start with the bytes FF D8 FF E0 then comes a 2 byte value which holds the segment length. Next comes the JFIF Identifier 4A 46 49 46 00.

We notice that they just took blocks of 4 bytes and reversed them.

f = open('BlindDate.jpeg', "rb")
f.close()

data = ''
for i in range(0,len(s),4):
data += s[i:i+4][::-1]

nf = open('blind.jpeg','wb')
nf.write(data)

This script will write the restored image to blind.jpeg.

Strings reveals that there is some data at the end of the image:

A base64 string:

Li4gICAuICAuLiAgLi4gICAuICAuLiAgLi4gICAuICAuLiAgLiAgLi4NCi4gICAgLiAgIC4gICAgICAgLiAgICAgIC4gICAgLiAgIC4gIC4gIA0KICAgIC4uICAgICAgICAgIC4uICAgICAgLiAgIC4uICAgICAgLiAgLgPK

and it decodes to:

..   .  ..  ..   .  ..  ..   .  ..  .  ..
.    .   .       .      .    .   .  .
..          ..      .   ..      .  .

The text is braille and translates to F4C3P4LM.

Next we extract a zip archive with binwalk. We can unzip the archive with the password F4C3P4LM and receive a file called flag.txt. This file contains brainfuck code and running it prints the final flag.

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>++++++++++.+.+++++++++.<---.+++++++++++++++++.--------------.>+++.<+++++++++++++++++.<++++++++++++++++++.>>------.---------.--------.-----.++++++++++++++++++++++++++.<<.>>----.<++++++++.+++.>---------.<<+.>>++.<++.-----.+++++.<+++.>>++++++.<<-.>-----.<+.>.+++.>--------.<<---.>>++.<++.-----.+++++.<+++.>>++++++.<<-.++++++++++++.>>+++++++++.<<<++++++++++++++++++++++.

The flag is: noxCTF{W0uld_y0u_bl1nd_d4t3_4_bl1nd_d4t3?}.

## 452 - Read Between The Lines - Misc

The file is a gzip compressed archive.

$file message.code message.code: gzip compressed data, was "message", last modified: Fri Jul 20 12:53:57 2018, from Unix$ mv message.code message.code.gz
$gzip -d message.code.gz The jsfuck inside the file is just giving us a nope but there are some characters after that which seem interesting. Remove all the jsfuck stuff and only keep the rest. The bytes are spaces 0x20, tabs 0x09 and newlines 0x0a. There is an esoteric programming language called whitespace Here is a cool website with an interpreter. The flag is: noxCTF{DaFuckIsWHITESPACE} ## 573 - Marcode - Misc Marcode (Mr. Code in Hebrew), Ineed your help! I got a movie but I cant see it. It hypnotizes me. please help me! yours, Gveretcode (Mrs. Code in Hebrew) P.S. change NOXCTF to noxCTF. https://drive.google.com/open?id=1GkalBntU1s6d_sw_S5I4GinD8hBrh-C- We get a video which is flashing images of QR Codes. First I used ffmpeg to extract all the frames from the video: ffmpeg -i Marcode.mp4 -r 25 -f image2 frames/frame-%04d.png This script will decode every QR Code and print the data. from pyzbar.pyzbar import decode from PIL import Image import sys for i in range(1,3490): print decode(Image.open('frames/frame-'+str(i).zfill(4)+'.png'))[0].data$ python marcode.py >> links.txt
$awk '!x[$0]++' links.txt > unique_links.txt

I extracted all the unique google drive links and we will see they are the 26 letters of the alphabet + _ and ?.

from pyzbar.pyzbar import decode
from PIL import Image
import sys

text = 'THE_WOMNAPRDUF?YSILCQGZBKXVJ'
solution = ''

for i in range(1,3491):
l = decode(Image.open('frames/frame-'+str(i).zfill(4)+'.png'))[0].data