CTF: MBR - Internet Protocol

MBR Capture the Flag Challenge

Album released: 20 Mar 2019

https://masterbootrecord.bandcamp.com/album/internet-protocol

Note: This is the same challenge that’s currently (20 Mar 2020) on the http://mbrserver.com landing page.

Note: There’s a guide with helpful hints here: http://mbrserver.com/guide/

User is in pop3 pw is gopher

hidden data in audio and image files. steganography. no password. “mona lisa”

Secret

087 101 108 099 111 109 101 032 098 097 099 107 032 097 103 097 105 110 032 119 104 101 114 101 032 105 116 032 097 108 108 032 098 101 103 097 110 013 010 079 112 101 110 032 097 114 101 032 116 104 101 032 112 111 114 116 115 046 032 083 101 114 118 105 099 101 115 032 097 108 108 032 115 116 097 114 116 101 100 046 013 010 075 110 111 099 107 032 097 116 032 101 118 101 114 121 032 100 111 111 114 032 097 110 100 032 103 114 097 098 032 116 104 101 032 109 105 115 115 105 110 103 032 115 116 114 105 110 103 115 013 010 080 117 116 032 116 104 101 109 032 105 110 032 097 032 114 111 119 032 097 110 100 032 099 114 097 099 107 032 116 104 101 032 099 111 100 101 032 116 111 032 119 105 110 013 010 013 010 083 099 097 110 110 105 110 103 032 099 108 111 115 101 032 116 104 101 032 102 105 108 101 115 032 109 097 121 032 114 101 118 101 097 108 032 115 111 109 101 032 116 104 105 110 103 115 013 010 068 097 116 097 032 121 111 117 032 099 097 110 039 116 032 104 101 097 114 046 032 068 097 116 097 032 121 111 117 032 099 097 110 039 116 032 115 101 101 046 013 010 083 099 097 116 116 101 114 101 100 032 097 114 101 032 116 104 101 032 099 108 117 101 115 032 097 108 108 032 097 114 111 117 110 100 032 116 104 101 032 100 105 115 107 013 010 083 111 109 101 032 097 114 101 032 105 110 032 112 108 097 105 110 032 115 105 103 104 116 032 115 111 109 101 032 121 111 117 032 110 101 101 100 032 116 111 032 116 104 105 110 107 013 010 013 010 067 104 101 099 107 032 121 111 117 114 032 109 097 105 108 032 102 111 114 032 109 101 115 115 097 103 101 115 044 032 108 111 103 032 111 110 032 073 082 067 013 010 070 101 101 108 105 110 103 032 111 108 100 032 097 108 114 101 097 100 121 063 032 079 104 032 073 032 098 101 116 032 121 111 117 032 100 105 100 046 013 010 089 111 117 032 119 105 108 108 032 110 101 101 100 032 115 111 109 101 032 116 111 111 108 115 044 032 108 111 111 107 032 097 114 111 117 110 100 032 102 111 114 032 104 097 099 107 115 013 010 084 097 108 107 
032 119 105 116 104 032 097 108 108 032 116 104 101 032 100 097 101 109 111 110 115 032 104 105 100 105 110 103 032 105 110 032 116 104 101 032 100 097 114 107 013 010 013 010 078 111 119 032 100 111 110 039 116 032 098 101 032 097 102 114 097 105 100 046 032 073 116 039 115 032 097 032 115 105 109 112 108 101 032 103 097 109 101 046 013 010 065 108 108 032 121 111 117 032 110 101 101 100 032 097 114 101 032 109 101 109 111 114 105 101 115 032 098 117 114 105 101 100 032 105 110 032 121 111 117 114 032 098 114 097 105 110 013 010 070 111 114 032 105 116 039 115 032 105 110 032 116 104 101 032 112 097 115 116 032 119 104 101 114 101 032 121 111 117 032 110 101 101 100 032 116 111 032 115 116 097 114 116 013 010 083 117 114 102 105 110 103 032 108 105 107 101 032 097 032 112 105 114 097 116 101 046 032 073 032 119 105 115 104 032 121 111 117 032 103 111 111 100 032 108 117 099 107 046

Analysis

Looks like decimal ASCII again; I just pasted it into my simple decoder:

Welcome back again where it all began
Open are the ports. Services all started.
Knock at every door and grab the missing strings
Put them in a row and crack the code to win

Scanning close the files may reveal some things
Data you can't hear. Data you can't see.
Scattered are the clues all around the disk
Some are in plain sight some you need to think

Check your mail for messages, log on IRC
Feeling old already? Oh I bet you did.
You will need some tools, look around for hacks
Talk with all the daemons hiding in the dark

Now don't be afraid. It's a simple game.
All you need are memories buried in your brain
For it's in the past where you need to start
Surfing like a pirate. I wish you good luck.

A port scan of mbrserver.com shows:

> nmap -vA mbrserver.com
Scanning mbrserver.com (80.211.167.123) [1000 ports]
Discovered open port 21/tcp on 80.211.167.123
Discovered open port 110/tcp on 80.211.167.123
Discovered open port 80/tcp on 80.211.167.123
Discovered open port 23/tcp on 80.211.167.123
Discovered open port 6667/tcp on 80.211.167.123
Discovered open port 70/tcp on 80.211.167.123

Gopher

First, I tried gopher since I could use a web-based client rather than installing one on my machine.

There are two files: welcome.txt and gw.png. The text file holds a 71 kB Base64 string.

welcome.txt

WELCOME BACK TO THE EARLY 90'S! HERE'S YOUR E-MAIL PASSWORD:

iVBORw0KGgoAAAANSUh...

The PNG has an MBR logo and rows of binary octets. I made a few attempts at OCR but could not get it to read the 0s and 1s reliably. I transcribed 4 rows by hand, then found the full transcription at: http://80.211.167.123/mbr.png.txt

00110011 00110001 00100000 00110011 00110000 00100000 00110011
00110111 00100000 00110010 00110000 00100000 00110011 00110000
00100000 00110011 00111000 00100000 00110011 00110000 00100000
00110010 00110000 00100000 00110011 00110001 00100000 00110011
00110001 00100000 00110011 00110001 00100000 00110010 00110000
00100000 00110011 00110000 00100000 00110011 00110100 00100000
00110011 00110111 00100000 00110010 00110000 00100000 00110011
00110000 00100000 00110011 00111001 00100000 00110011 00110000
00100000 00110010 00110000 00100000 00110011 00110000 00100000
00110011 00111001 00100000 00110011 00111000 00100000 00110010
00110000 00100000 00110011 00110001 00100000 00110011 00110000
00100000 00110011 00111001 00100000 00110010 00110000 00100000
00110011 00110000 00100000 00110011 00110111 00100000 00110011
00110110 00100000 00110010 00110000 00100000 00110011 00110000
00100000 00110011 00111000 00100000 00110011 00110011 00100000
00110010 00110000 00100000 00110011 00110000 00100000 00110011
00110110 00100000 00110011 00110101 00100000 00110010 00110000
00100000 00110011 00110000 00100000 00110011 00110100 00100000
00110011 00111001 00100000 00110010 00110000 00100000 00110011
00110000 00100000 00110011 00110101 00100000 00110011 00110010
00100000 00110010 00110000 00100000 00110011 00110000 00100000
00110011 00110101 00100000 00110011 00110100 00100000 00110010
00110000 00100000 00110011 00110000 00100000 00110011 00111001
00100000 00110011 00110111 00100000 00110010 00110000 00100000
00110011 00110001 00100000 00110011 00110000 00100000 00110011
00110001 00100000 00110010 00110000 00100000 00110011 00110001
00100000 00110011 00110000 00100000 00110011 00110100

I don’t see any bits above the 2^5 place, so each octet is 63 decimal at most. Maybe ASCII.

It results in: 31 30 37 20 30 38 30 20 31 31 31 20 30 34 37 20 30 39 30 20 30 39 38 20 31 30 39 20 30 37 36 20 30 38 33 20 30 36 35 20 30 34 39 20 30 35 32 20 30 35 34 20 30 39 37 20 31 30 31 20 31 30 34.

Decoding those hex bytes as ASCII characters gives another layer of (zero-padded decimal) character codes, which in turn decode to the first part of the string:

// The tokens are hex bytes; decoding them as ASCII yields zero-padded decimal character codes
var s = "31 30 37 20 30 38 30 20 31 31 31 20 30 34 37 20 30 39 30 20 30 39 38 20 31 30 39 20 30 37 36 20 30 38 33 20 30 36 35 20 30 34 39 20 30 35 32 20 30 35 34 20 30 39 37 20 31 30 31 20 31 30 34";
console.log(s.split(' ').map(c => String.fromCharCode(parseInt(c, 16))).join(''));
107 080 111 047 090 098 109 076 083 065 049 052 054 097 101 104

// Decoding those decimal codes as ASCII gives the first part of the string
var s = "107 080 111 047 090 098 109 076 083 065 049 052 054 097 101 104";
console.log(s.split(' ').map(c => String.fromCharCode(parseInt(c, 10))).join(''));
kPo/ZbmLSA146aeh

FTP Server

There are two “out of place” files here, a BMP and a WAV. There’s some steganography involved. I tried GCHQ’s CyberChef and filtering out the least significant bits, but it didn’t work quite right. After some additional searching, the software to use turned out to be Xiao Steganography, which was way down the page of search results, and it looks super shady. I can confirm it works in a 64-bit Wine prefix, though.

The BMP yields only the string nothingiseverything; the WAV yields:

Congratulations! 

Here is the second part of the code:

30 38 34 20 30 38 33 20 30 35 34 20 31 30 37 20 31 31 35 20 31 31 33 20 31 30 34 20 31 32 32 20 31 31 36 20 30 35 35 20 30 39 30 20 31 31 38 20 31 31 34 20 30 38 35 20 31 31 33 20 31 30 39

This is the same encoding as the Gopher part: hex-encoded ASCII text spelling out decimal character codes (the 0x20 spaces give it away). Decoding it yields: TS6ksqhzt7ZvrUqm
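The same stacked encoding turns up twice: the mbr.png rows in the Gopher section (binary octets, then hex bytes, then decimal character codes) and the hex string hidden in the WAV (hex bytes, then decimal character codes). The block below is an added example, not code from the original writeup or from the challenge, that generalises the two one-liners above into a single decoder which recognises which layer it is looking at and peels the layers off in order. The function names are my own; the sample inputs are the page's own data (the mbr.png.txt rows, the WAV hex string, the opening of the lyric sheet and the IRC part), and joining the three parts in Gopher, WAV, IRC order is my reading of the lyric, not something the writeup states outright.

```javascript
// Added example (not from the original writeup): one decoder for the layered
// encodings used in the challenge. Helper names are my own.

// Split on any whitespace so row-wrapped input works unchanged.
const tokens = s => s.trim().split(/\s+/);

// Layer 1: 8-bit binary octets -> characters ("00110011" -> "3").
function decodeBinaryOctets(s) {
  return tokens(s).map(o => String.fromCharCode(parseInt(o, 2))).join('');
}

// Layer 2: two-digit hex bytes -> characters ("31" -> "1", "20" -> " ").
function decodeHexBytes(s) {
  return tokens(s).map(h => String.fromCharCode(parseInt(h, 16))).join('');
}

// Layer 3: zero-padded decimal char codes -> characters ("107" -> "k").
// The lyric sheet writes its line breaks as 013 010 (CR LF); they decode
// like any other code, so the output already contains the newlines.
function decodeDecimalCodes(s) {
  return tokens(s).map(d => String.fromCharCode(parseInt(d, 10))).join('');
}

// Peel the layers off in order, applying a stage only when the current text has
// that stage's shape. Hex tokens are exactly two hex digits and decimal codes are
// exactly three digits (the challenge zero-pads them), so the two cannot be
// confused. Returns the final text and the list of stages that were applied.
function decodeLayers(input) {
  let cur = input.trim();
  const steps = [];
  if (/^[01]{8}(\s+[01]{8})*$/.test(cur)) { cur = decodeBinaryOctets(cur); steps.push('binary'); }
  if (/^[0-9a-fA-F]{2}(\s+[0-9a-fA-F]{2})*$/.test(cur)) { cur = decodeHexBytes(cur); steps.push('hex'); }
  if (/^\d{3}(\s+\d{3})*$/.test(cur)) { cur = decodeDecimalCodes(cur); steps.push('decimal'); }
  return { text: cur, steps };
}

// "Put them in a row": the BBS says the first part is on Gopher, the WAV calls
// itself the second part and IRC the last. The concatenation order is my
// assumption from those statements.
function assembleCode(gopherPart, wavPart, ircPart) {
  return gopherPart + wavPart + ircPart;
}

// Rows of mbr.png.txt as transcribed on the page.
const MBR_PNG_ROWS = `
00110011 00110001 00100000 00110011 00110000 00100000 00110011
00110111 00100000 00110010 00110000 00100000 00110011 00110000
00100000 00110011 00111000 00100000 00110011 00110000 00100000
00110010 00110000 00100000 00110011 00110001 00100000 00110011
00110001 00100000 00110011 00110001 00100000 00110010 00110000
00100000 00110011 00110000 00100000 00110011 00110100 00100000
00110011 00110111 00100000 00110010 00110000 00100000 00110011
00110000 00100000 00110011 00111001 00100000 00110011 00110000
00100000 00110010 00110000 00100000 00110011 00110000 00100000
00110011 00111001 00100000 00110011 00111000 00100000 00110010
00110000 00100000 00110011 00110001 00100000 00110011 00110000
00100000 00110011 00111001 00100000 00110010 00110000 00100000
00110011 00110000 00100000 00110011 00110111 00100000 00110011
00110110 00100000 00110010 00110000 00100000 00110011 00110000
00100000 00110011 00111000 00100000 00110011 00110011 00100000
00110010 00110000 00100000 00110011 00110000 00100000 00110011
00110110 00100000 00110011 00110101 00100000 00110010 00110000
00100000 00110011 00110000 00100000 00110011 00110100 00100000
00110011 00111001 00100000 00110010 00110000 00100000 00110011
00110000 00100000 00110011 00110101 00100000 00110011 00110010
00100000 00110010 00110000 00100000 00110011 00110000 00100000
00110011 00110101 00100000 00110011 00110100 00100000 00110010
00110000 00100000 00110011 00110000 00100000 00110011 00111001
00100000 00110011 00110111 00100000 00110010 00110000 00100000
00110011 00110001 00100000 00110011 00110000 00100000 00110011
00110001 00100000 00110010 00110000 00100000 00110011 00110001
00100000 00110011 00110000 00100000 00110011 00110100`;

// Hex string recovered from the WAV (second part of the code), from the page.
const WAV_HEX = '30 38 34 20 30 38 33 20 30 35 34 20 31 30 37 20 31 31 35 20 31 31 33 20 31 30 34 20 31 32 32 20 31 31 36 20 30 35 35 20 30 39 30 20 31 31 38 20 31 31 34 20 30 38 35 20 31 31 33 20 31 30 39';

// Opening of the lyric sheet in its decimal form, and the IRC part, from the page.
const LYRIC_START = '087 101 108 099 111 109 101 032 098 097 099 107';
const IRC_PART = 'KLBioykc7vK8rEso';

// Stand-alone run: node decode.js
console.log(decodeLayers(MBR_PNG_ROWS));
console.log(decodeLayers(WAV_HEX));
console.log(decodeLayers(LYRIC_START).text);
console.log(assembleCode(decodeLayers(MBR_PNG_ROWS).text, decodeLayers(WAV_HEX).text, IRC_PART));
```

The stage checks are deliberately strict about token width: the hex layer of this challenge looks like a run of decimal numbers too, and a looser decimal check (two or three digits) would swallow it before the hex stage ran and produce garbage.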

IRC Server

The IRC server shows this on connecting: This is the last part of the string: KLBioykc7vK8rEso

BBS Server

Connecting and browsing around, there’s a message saying the first part of the string is on Gopher.

Some hints for the FTP files.

Hint1) Beware the cats. They can contain malware.

Hint2) Mona Lisa knows the solution.

Hint3) Don't call that phone number LOL

Hint4) Beware of red herrings!

Hint5) Google it and go for the best!