UIU CTF 2023
Hello, these are some notes on the UIUCTF 2023 contest. First, I'm very happy because this is the first time I stepped into the top 50 of an international contest with my team phis1Ng__, so I think I need to write something down to keep as a memory and to save the new ideas and techniques I picked up this time.
I was responsible for 2 areas in my team: Misc and OSINT (Rev was done after the contest), and that's all. Here we go :D
MISC #
1. vimjail1 #
Description
Connect with `socat file:$(tty),raw,echo=0 tcp:vimjail1.chal.uiuc.tf:1337`. You may need to install socat.
Provided files: entry.sh – nsjail.cfg – vimrc
On my first try, I noticed that when I connected to the server I was stuck inside a vim environment: I couldn't type anything and couldn't get out of it. So, I think we have to find something in order to get out of it (it would pop up a flag in the end, I guess?? :D)
Because of that, I looked at the provided files. I checked nsjail.cfg but nothing looked sus in there, so I checked the remaining ones. I soon noticed this in vimrc, which is very cool:
set nocompatible
set insertmode
inoremap <c-o> nope
inoremap <c-l> nope
inoremap <c-z> nope
inoremap <c-\><c-n> nope
We can see that vim is in insertmode, so we have to do something to escape it. And those inoremap lines gave me the idea of combining keys together so that we can escape :D.
After trying many different combinations for a little while, I finally figured out that the combination <c-\><c-o> worked :D
flag: uiuctf{n0_3sc4p3_f0r_y0u_8613a322d0eb0628}
2. vimjail1.5 #
Description
Fixed unintended solve in vimjail1
Connect with socat file:$(tty),raw,echo=0 tcp:vimjail1-5.chal.uiuc.tf:1337. You may need to install socat.
Provided files: entry.sh – nsjail.cfg – vimrc
Looking at the vimrc, it just simply maps some keys, so I don't think the normal way would help. I tried a couple of combinations of Ctrl + something, and Ctrl + R followed by = works. This allows us to enter an expression, the result of which will be inserted into the file. It also allows entering keys and commands, as described by this example from this link:
By doing that, we will use this:
"\<Esc>:e /flag.txt"
and get the flag as the result
flag: uiuctf{ctr1_r_1s_h4ndy_277d0fde079f49d2}
3. vimjail2 #
Description
Fixed unintended solve in vimjail1
Connect with socat file:$(tty),raw,echo=0 tcp:vimjail2.chal.uiuc.tf:1337. You may need to install socat.
Provided files: entry.sh – nsjail.cfg – vimrc – viminfo
So this time it is still the same as above: we enter vim in insert mode and, in order to obtain the flag, we have to escape. Let's take a look at the entry.sh file:
#!/usr/bin/env sh
vim -R -M -Z -u /home/user/vimrc -i /home/user/viminfo
cat /flag.txt
So, it opens Vim in read-only mode (-R) with modifications disallowed (-M) and restricted mode active (-Z). It also uses a custom vimrc file located at /home/user/vimrc and uses /home/user/viminfo as the viminfo file. In the end it will print the flag.txt file. Now, let's walk through the vimrc:
set nocompatible
set insertmode
inoremap <c-o> nope
inoremap <c-l> nope
inoremap <c-z> nope
inoremap <c-\><c-n> nope
cnoremap a _
cnoremap b _
cnoremap c _
cnoremap d _
cnoremap e _
cnoremap f _
cnoremap g _
cnoremap h _
cnoremap i _
cnoremap j _
...
So, the first 2 set lines disable compatibility mode and put vim into insert mode. Next, the inoremap lines mean that if we press Ctrl + o, Ctrl + l, Ctrl + z, or Ctrl + \ followed by Ctrl + n in insert mode, vim will insert the word nope instead.
Then the cnoremap lines convert command-line input to _. For example, if the input is :a it will be converted into :_. Here is a preview of the chall when I pressed random characters or tried pressing Ctrl + o:
Now the good part: remember inoremap <c-\><c-n> nope? We can bypass it by pressing c-\ twice and then pressing c-n immediately. Now we can type normally: : and q, so just simply use :q to escape and get the flag:
flag: uiuctf{<left><left><left><left>_c364201e0d86171b}
4. vimjail2.5 #
Description
Fixed unintended solve in vimjail1
Connect with socat file:$(tty),raw,echo=0 tcp:vimjail2.chal.uiuc.tf:1337. You may need to install socat.
Provided files: entry.sh – nsjail.cfg – vimrc – viminfo
It is all the same as the one above, but there is only 1 difference: inoremap <c-\><c-n> nope has been changed to just inoremap <c-\> nope.
So the solution is, in insert mode, to call a builtin function by pressing Ctrl + r and then = (reference here: https://vimhelp.org/builtin.txt.html).
And despite the limitation, we can still use any builtin function by pressing Tab, which triggers autocompletion in vim.
So now just simply escape and obtain the flag:
flag: uiuctf{1_kn0w_h0w_7o_ex1t_v1m_7661892ec70e3550}
6. Tornado Warning #
Description
"Check out this alert that I received on a weather radio. Somebody transmitted a secret message via errors in the header! Fortunately, my radio corrected the errors and recovered the original data. But can you find out what the secret message says? Note: flag is not case sensitive."
Hint 1
The header is encoded with Specific Area Message Encoding.
Hint 2
The three buzzes are supposed to be identical, but in this challenge, they are different due to errors.
Provided file: warning.wav
This challenge just gives us a wav file with 2 hints about Specific Area Message Encoding. I listened to the file but it sounds like something from The Purge movie, and nothing further there. I googled for a while and found out that these are NOAA Weather Radio SAME messages and we will have to use a decoder for the file. Fortunately, I found one named SeaTTY and used it.
After downloading it, I loaded the file and ran it, and I got this:
Now the output is pretty weird, but I remember the hint said that it is because of the errors. I examined it for a little bit and saw that in each column, counted from the left side, 1 of the 3 characters is different from the other 2, for example:
ZCZC-UXU-TFR-R18007ST_45-0910BR5-KIND3RWS-_@___Q ,
ZCZC-WIR-TO{3018W0R+00T5-09UT115-K_EV/NWS-____*
ZCZC-WXRCTOR-0D_007+004OR_O1011E@KIND/N}S-_`__E_
Starting after the ZCZC, we see that U is different from the rest of its column (W and W), and the same goes for I and U in the next columns. Going column by column like that, we get the flag.
flag: UIUCTF{3RD_W0RST_TOR_OUTBRE@K_EV3R}
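The column-wise comparison above can be automated. This is an added example, not part of the original writeup, that votes across the three decoder copies (the three lines shown above are embedded as its constructed input): the two agreeing copies give the corrected header, the disagreeing copy gives the hidden character, and a column where all three agree keeps the header character, since the flag and the header coincide there.

```python
from collections import Counter

# The three copies of the SAME header as SeaTTY decoded them (taken from the
# decoder output quoted above; constructed input for this example).
COPIES = [
    "ZCZC-UXU-TFR-R18007ST_45-0910BR5-KIND3RWS-_@___Q ,",
    "ZCZC-WIR-TO{3018W0R+00T5-09UT115-K_EV/NWS-____*",
    "ZCZC-WXRCTOR-0D_007+004OR_O1011E@KIND/N}S-_`__E_",
]


def vote_columns(copies):
    """For each column return (majority char, odd-one-out char or None).

    A SAME burst repeats the same header three times, so when only one copy
    is corrupted in a column the two agreeing copies are the truth.  A column
    where all copies differ is undecidable and yields ('?', None).
    """
    width = min(len(c) for c in copies)
    decided = []
    for i in range(width):
        column = [c[i] for c in copies]
        top, count = Counter(column).most_common(1)[0]
        if count < 2:
            decided.append(("?", None))
            continue
        odd = [ch for ch in column if ch != top]
        decided.append((top, odd[0] if odd else None))
    return decided


def recover_header(copies):
    """The error-corrected header, i.e. what the weather radio displayed."""
    return "".join(top for top, _ in vote_columns(copies))


def recover_message(copies):
    """The injected text: the corrupted character where one copy disagrees,
    otherwise the header character itself (message and header coincide there,
    e.g. the 'T' of 'TOR' and the 'K' of 'KIND')."""
    return "".join(odd if odd is not None else top
                   for top, odd in vote_columns(copies))
```

The header columns 0-41 come back as the legitimate SAME header and the message columns 5-39 as the flag; the trailing columns, where all three copies disagree, are marked with ?.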
7. Corny kernel #
Description
Use our corny little driver to mess with the Linux kernel at runtime!
$ socat file:$(tty),raw,echo=0 tcp:corny-kernel.chal.uiuc.tf:1337
Provided files: pwnymodule.c
So this challenge gives us a file pwnymodule.c and remote access to a server to run commands. To get the flag, the only way is to understand the behavior of the Linux kernel.
First we examine the code. After investigating it for a bit, I found this pretty wild line:
extern const char *flag1, *flag2;
Because it is extern, the flag must be defined somewhere else on the server. Then, I found this, which would print the flag:
static int __init pwny_init(void)
{
pr_alert("%s\n", flag1);
return 0;
}
static void __exit pwny_exit(void)
{
pr_info("%s\n", flag2);
}
Further explanation: pr_alert and pr_info use printk, which is like printf but prints to the kernel log.
Then below, those 2 functions are registered:
module_init(pwny_init);
module_exit(pwny_exit);
Explanation here: module_init and module_exit define which functions to call when the module is loaded or removed. So now it is clear: when we load or remove the module, we get the flag. Now head to the server.
Connecting to the server, we only have 1 file:
/root # ls
pwnymodule.ko.gz
/root #
Let's extract it with the command gzip -d pwnymodule.ko.gz and we will get pwnymodule.ko. Now I will load it:
/root # insmod pwnymodule.ko
[ 432.583070] pwnymodule: uiuctf{m4ster_
/root #
Tadaaa! We have the first half. Now I will try to remove it as well:
/root # rmmod pwnymodule.ko
but nothing shows up. Oh, I forgot that the exit function uses pr_info, which doesn't print to the console here. Therefore it is in the log, and now we only have to use dmesg to see it:
/root # dmesg | tail
[ 0.141288] Freeing unused kernel image (rodata/data gap) memory: 1452K
[ 0.141291] Run /init as init process
[ 0.141292] with arguments:
[ 0.141293] /init
[ 0.141293] with environment:
[ 0.141294] HOME=/
[ 0.141294] TERM=linux
[ 0.147268] mount (31) used greatest stack depth: 13464 bytes left
[ 11.188522] pwnymodule: uiuctf{m4ster_
[ 15.657667] pwnymodule: k3rNE1_haCk3r}
/root #
FYI: dmesg is commonly used in Unix-like operating systems (including Linux) to display the kernel ring buffer, which is a log containing messages generated by the kernel during various operations and events. These messages can include information about hardware detection, driver loading, system errors, and more. When you run the dmesg command without any arguments, it typically displays the most recent kernel messages. However, you can also use various options and filters to view specific types of messages or messages from a certain time frame.
For example:
dmesg (display the most recent kernel messages)
dmesg | tail (display the last few lines of kernel messages)
dmesg | grep "error" (display kernel messages containing the word "error")
dmesg -T (display kernel messages with human-readable timestamps)
flag: uiuctf{m4ster_k3rNE1_haCk3r}
OSINT #
8. Finding Artifacts 1 #
Description
David is on a trip to collect and document some of the world's greatest artifacts. He is looking for a coveted bronze statue of the "Excellent One" in New York City. What museum is this located at? The flag format is the location name in lowercase, separated by underscores. For example: uiuctf{statue_of_liberty}
Hint 1
The first two characters of the statue begin with "ma"
Hint 2
It is very prevalent in southern Asia
So I used ChatGPT to look for it:
And I couldn't find any different statues though, so I tried looking for the museums this time:
After trying all of that, I found out that the museum we are looking for is the Rubin Museum of Art.
flag: uiuctf{rubin_museum_of_art}
9. Finding Artifacts 2 #
Description
New York City is known for its sprawling subway system. However, none of that would have been possible without modern earth-moving equipment. Find where the first ever shovel was used to start digging the subway. Flag format should be in uiuctf{name_of_museum}
Hint 1
well known for their baby blue colorings
And we can see its name is the subway shovel, so now I will try to find where it is displayed now:
At first, I used GPT and it returned a museum called the New York Transit Museum, but it is incorrect. So I tried to look it up on Google and found a page that is pretty reliable: https://collections.mcny.org/C.aspx?VP3=CMS3&VF=Home
Immediately, I used the search bar to find whether the shovel is there or not:
BINGOOO!!! We found it
flag: uiuctf{museum_of_the_city_of_new_york}
10. What’s for dinner #
Description
Jonah Explorer, world renowned, recently landed in the city of Chicago, so you fly there to try and catch him. He was spotted at a joyful Italian restaurant in West Loop. You miss him narrowly but find out that he uses a well known social network and loves documenting his travels and reviewing his food. Find his online profile.
Hint 1
what does joy translate to?
So about finding an online profile, we can only think of Twitter, so I just searched for the guy's name:
And it's done :)))
flag: uiuctf{i_like_spaghetti}
11. Finding Jonah #
Description
Jonah offered a reward to whoever can find out what hotel he is staying in. Based on the past information (chals), can you find out what the hotel he stayed at was? Flag should be uiuctf{hotel_name_inn}
Hint 1
what does joy translate to?
Provided file: chicago.jpeg
This is the image:
This time, the hint tells us some good points. It is related to the previous challenge, so it must be clear that the place he eats is near the hotel.
The hint translated into Italian is gioia, and according to that there is an Italian restaurant named gioia chicago:
Rotating the image a little bit, we will see it clearly:
Moving closer, we will find the place:
After that, by using Google Maps, I found the exact one:
flag: uiuctf{hampton_inn}
12. Jonah’s Journal #
Description
After dinner, Jonah took notes into an online notebook and pushed his changes there. His usernames have been relatively consistent but what country is he going to next? Flag should be in format uiuctf{country_name}
Hint 1
forks, trees, pushing, and pulling
And the text "His usernames have been relatively consistent" shows that Jonah uses the same username as on his Twitter:
Checking the normal history won't show us anything; I remember that the hint was saying something about trees, so I checked the branches afterwards. There was a 2nd branch, and checking its history we will have this:
flag: uiuctf{italy}
13. First class mail #
Description
Jonah posted a picture online with random things on a table. Can you find out what zip code he is located in? Flag format should be uiuctf{zipcode}, ex: uiuctf{12345}.
Hint 1
I think code is cool
Provided file: chal.jpg
So it wants us to find where he's at at the moment, but thanks to the last challs, we know that he is in the hotel in Chicago, so just look up the postal code in its address and we have completed the series. Such a wonderful trip:
flag: uiuctf{60661}
P/S: I have another interesting way to do it. Examining the picture a little bit, we can see there is some kind of barcode printed on the envelope; googling a little bit we can see that it is a POSTNET barcode. Every digit is represented with 5 bars and the encoding is like this:
(| is a full-height bar, . is a half-height bar; every digit has exactly 2 full bars)
1 . . . | |
2 . . | . |
3 . . | | .
4 . | . . |
5 . | . | .
6 . | | . .
7 | . . . |
8 | . . | .
9 | . | . .
0 | | . . .
In fact, there are different ways of coding US delivery addresses; this one is a 5-digit ZIP + 4 code. The last digit is a check digit: the first 9 digits are summed up and the check digit is the remainder needed to reach a multiple of 10.
The bar code on the envelope looks like this (same | and . notation), split into the frame bars and the digits:
| .||.. ||... .||.. .||.. ...|| ...|| ...|| ..|.| ..||. .|..| |
Decoded, we have 6066111234, where the final 4 is the check digit. 6+0+6+6+1+1+1+2+3 = 26, and adding the check digit we end up with 30, which is obviously a multiple of 10. So the actual ZIP value is 60661-1123.
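As an added example (not part of the original writeup), here is a small POSTNET encoder and decoder. The | and . notation for full and half bars is constructed for the example, and the decoder enforces the frame bars, the bar-group table and the check digit, so a damaged code is rejected instead of silently yielding a wrong ZIP.

```python
# POSTNET: every digit is five bars, exactly two of them full height; the
# code starts and ends with a frame bar and the last digit is a check digit.
# Notation constructed for this example: "|" = full-height bar, "." = half bar.
POSTNET = {
    "0": "||...", "1": "...||", "2": "..|.|", "3": "..||.", "4": ".|..|",
    "5": ".|.|.", "6": ".||..", "7": "|...|", "8": "|..|.", "9": "|.|..",
}
BARS_TO_DIGIT = {bars: digit for digit, bars in POSTNET.items()}


def check_digit(digits):
    """Smallest digit that brings the digit sum up to a multiple of 10."""
    return str((10 - sum(int(d) for d in digits) % 10) % 10)


def postnet_encode(digits):
    """Encode a 5-digit ZIP, 9-digit ZIP+4 or 11-digit delivery point code."""
    if not digits.isdigit() or len(digits) not in (5, 9, 11):
        raise ValueError("expected 5, 9 or 11 digits")
    body = "".join(POSTNET[d] for d in digits + check_digit(digits))
    return "|" + body + "|"


def postnet_decode(bars):
    """Return the digits without the check digit; raise on a damaged code."""
    if len(bars) < 2 or bars[0] != "|" or bars[-1] != "|":
        raise ValueError("missing frame bars")
    body = bars[1:-1]
    if len(body) % 5:
        raise ValueError("bar count is not a multiple of 5")
    digits = ""
    for i in range(0, len(body), 5):
        group = body[i:i + 5]
        if group not in BARS_TO_DIGIT:
            raise ValueError(f"invalid bar group {group!r} at bar {i + 1}")
        digits += BARS_TO_DIGIT[group]
    # With the check digit included the sum must be a multiple of 10; any
    # single wrong digit breaks that.
    if sum(int(d) for d in digits) % 10:
        raise ValueError("check digit mismatch")
    return digits[:-1]


def format_zip(digits):
    """Render decoded digits as ZIP or ZIP+4 (e.g. 60661-1123)."""
    return digits if len(digits) == 5 else digits[:5] + "-" + digits[5:]
```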
REV ( after contest :< ) #
14. vmwhere1 #
Description
Usage: ./chal program
Provided files: chal – program
flag: uiuctf{ar3_y0u_4_r3al_vm_wh3r3_(gpt_g3n3r4t3d_th1s_f14g)}
15. vmwhere2 #
Description
Usage: ./chal program
Provided files: chal – program
16. geoguesser #
Description
I thought geoguesser was too easy, so I made it harder.
Usage: janet -i program.jimage
nc geoguesser.chal.uiuc.tf 1337
Provided files: janet – program.jimage
17. Fast calculator #
Description
Check out our new super fast calculator!
This challenge is sponsored by Battelle.
Provided file: calc