PancakesCon 2022 CTF, a write up

Publish date: January 18, 2022
Tags: wootness

The PancakesCon 2022 CTF happened on January 16 2022 (writing that down just so I keep track of this stuff in the old pre-covid calendar way), and our awesome SpaceCows team led by the wonderful apiratemoo got second place! Well, tied for second place, but given how many CTF noobs we were, haha, that's a feat!

This was my first time doing a CTF, and I was definitely [insert pic of dog with no clue here]. I mostly focused on the crackme challenges, because at least I think I can do reverse engineering, and I did manage to get one (woot go me), the Nur geträumt! Also poked at the others but couldn’t crack them in time, unfortunately.

Nur geträumt

The challenge description told us that the file was “a 68k Mac application on an 800k floppy disk image which can be used on any emulator which supports them. The image runs well under Mini vMac using any System 7 base operating system.”

To get our little challenge to actually run, I’d have to go figure out what a Mini vMac emulator is and how to run System 7 on it. The Getting Started docs were helpful, but unfortunately these things bitrot faster than you can say “bitrot”, and while I could download the base emulator and images of the different OS versions just fine, the tools to extract the actual runnable disk images don’t work anymore.

You see, while System 6 images are distributed inside binary packages with the extension sea.bin, and the provided extractor tool runs just fine on these, System 7 is distributed in a different file format with the extension smi.bin. Like tar.gz, these are double-packed containers: an smi or sea file inside a bin. The bin layer is MacBinary, a flat encoding that carries a classic Mac file's data fork and resource fork together; sea is a self-extracting archive, and smi is a self-mounting disk image. macOS can unpack bin files just fine, but it seems that the code that can handle smi files is long gone, and the sea unpacker can't handle smi.

Given that our challenge file is made to run on System 7, this was quite the issue for me, and it took me almost two hours to get it running properly. In the end, a lot of googling produced a blog post where someone went through the steps for doing it, with links to pre-extracted disk images of System 7.
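Peeling the bin layer by hand is straightforward, since MacBinary is just a 128-byte header followed by the two forks. The following is an added example, not code from this write-up or from the Mini vMac project: it parses a MacBinary header, checks the MacBinary II/III CRC, and returns both forks. The sample wrapper it builds (filename, type and creator codes) is constructed for the demo; the smi payload this would yield from a real smi.bin still needs a tool that understands self-mounting images.

```python
"""Minimal MacBinary (I/II/III) unwrapper for the .bin layer of sea.bin / smi.bin.

Added example, not part of the write-up. Header layout (128 bytes, big-endian):
  1      filename length, 2..64 filename (Mac Roman)
  65..68 file type, 69..72 creator
  83..86 data fork length, 87..90 resource fork length
  120..121 secondary header length, 122 version (129 = MB II, 130 = MB III)
  124..125 CRC-16/XMODEM over bytes 0..123 (MacBinary II and III only)
Each fork follows the header, padded to a 128-byte boundary.
"""
import struct

HEADER_LEN = 128
FORK_ALIGN = 128


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM (poly 0x1021, init 0, no reflection), as MacBinary II uses."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def _pad(n: int) -> int:
    """Round a fork length up to the next 128-byte boundary."""
    return (n + FORK_ALIGN - 1) // FORK_ALIGN * FORK_ALIGN


def parse_macbinary(blob: bytes) -> dict:
    """Validate the header and slice out the data and resource forks."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for a MacBinary header")
    hdr = blob[:HEADER_LEN]
    if hdr[0] != 0 or hdr[74] != 0 or hdr[82] != 0:
        raise ValueError("reserved bytes are not zero; not MacBinary")
    name_len = hdr[1]
    if not 1 <= name_len <= 63:
        raise ValueError("bad filename length")
    name = hdr[2:2 + name_len].decode("mac_roman")
    ftype, creator = hdr[65:69], hdr[69:73]
    data_len, rsrc_len = struct.unpack(">II", hdr[83:91])
    version = hdr[122]
    crc_ok = None                                   # MacBinary I has no CRC
    if version >= 129:
        stored_crc = struct.unpack(">H", hdr[124:126])[0]
        crc_ok = crc16_xmodem(hdr[:124]) == stored_crc
    secondary = struct.unpack(">H", hdr[120:122])[0]
    data_off = HEADER_LEN + _pad(secondary)
    rsrc_off = data_off + _pad(data_len)
    if rsrc_off + rsrc_len > len(blob):
        raise ValueError("fork lengths exceed file size")
    return {
        "name": name, "type": ftype, "creator": creator,
        "version": version, "crc_ok": crc_ok,
        "data_fork": blob[data_off:data_off + data_len],
        "resource_fork": blob[rsrc_off:rsrc_off + rsrc_len],
    }


def build_macbinary(name: str, ftype: bytes, creator: bytes, data: bytes, rsrc: bytes) -> bytes:
    """Constructed MacBinary II wrapper, used only to exercise the parser offline."""
    hdr = bytearray(HEADER_LEN)
    raw = name.encode("mac_roman")
    hdr[1] = len(raw)
    hdr[2:2 + len(raw)] = raw
    hdr[65:69], hdr[69:73] = ftype, creator
    struct.pack_into(">II", hdr, 83, len(data), len(rsrc))
    hdr[122] = hdr[123] = 129                       # written by / needs MacBinary II
    struct.pack_into(">H", hdr, 124, crc16_xmodem(bytes(hdr[:124])))
    body = (data + b"\0" * (_pad(len(data)) - len(data))
            + rsrc + b"\0" * (_pad(len(rsrc)) - len(rsrc)))
    return bytes(hdr) + body


if __name__ == "__main__":
    # Constructed sample: type/creator codes are placeholders, not a real smi.
    sample = build_macbinary("System 7.0.1.smi", b"APPL", b"dCpy", b"DATA" * 100, b"RSRC" * 10)
    info = parse_macbinary(sample)
    print(info["name"], info["type"], info["creator"], "crc ok:", info["crc_ok"])
    print("data fork:", len(info["data_fork"]), "bytes; resource fork:", len(info["resource_fork"]), "bytes")
```

For a real sea.bin the data fork is the self-extracting archive and the resource fork holds the extractor code and resources; on the crackme's own files it is the resource fork that ResEdit shows, so this is also where the embedded strings live.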

Chasing clues

While going through this exercise, I poked around inside the provided challenge file, and found a few interesting strings in it:

Hello there.

I'm from the DISTANT FUTURE, where normal computers run at 2-4 GHz and 16 GB is considered a medium amount of RAM.  That's right; we have more RAM than you have hard drive space.

The good news:
Unicode really seems to have worked, for the most part. We even have characters for clown faces and smiling piles of poo.  The Mac is still a pretty big deal, and can still read this program (but hasn't been able to run it for a while).

Nearly all computers in the world are connected together through a network called the Internet.  Depending on when you read this, you may have heard of it. Don't get rid of MacTCP just yet.

The bad news:
Nearly all computers in the world are connected together through a network called the Internet. This has made a lot of people very angry and been widely regarded as a bad move. Despite having 16 GB of RAM, Microsoft Word still takes up roughly half of it. 

Anyway, because in the future we're stuck at home due to a worldwide pandemic (no, not the Internet, there is ANOTHER one), we had a competition for finding fun things in computer programs. I've hidden a flag in this program, but it's not going to be all that easy to find just with ResEdit. You'll probably need to interact with the program a bit.

Here's your first hint: you'll probably have to wait until 1997 to figure this one out, but much after 1997 and the Internet can probably help you.

Have fun, and enjoy your PANCAKES{That's another hint, but this isn't the flag}!

- Dave, @6502_ftw, January 2022
% Flag string (try viewing in hex)
The album, not the single

This sent the team on a bit of a chase down memory lane, trying to figure out what “album” this could mean. Nur Geträumt translates to “Just a Dream” in English, and we discovered that Nelly had a single in 2010 that was called “It was all a dream”. Could this be relevant?

apiratemoo also discovered a song called “Just a Dream” was created by Hate Squad on the album Pzyco! circa 1997. Another clue??

It runs!!

We get a prompt (a multiline prompt, even!) and we need to enter a password. Just hitting Try without anything in the input returned a short series of characters, entering anything else returned gibberish - but always the same length of gibberish, suspiciously long enough to be a flag. A Clue!

We tried different inputs from the band and album names we found, but nothing worked. Then, I entered PANCAKES - because we know flags in this CTF are always of the format PANCAKES{something in there}, trying the known parts of the flag might reveal something about the underlying encoding - and noticed that the result started with characters that formed a word, and that word had the same length as the flag prefix - a clue?

Someone (I was freaking out and didn't catch who it was) suggested alternating the case of the input, so I tried PaNcAkEs and the result mirrored the case alternation with that same German word - Capital C Clue! Following the logic, if input PANCAKES gives me output verliebt, input verliebt gives me…
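The behaviour above (fixed-length output, the known flag prefix turning into a readable word of the same length, case changes passing straight through to the output) is what a keyed XOR looks like from the outside, and typing the known prefix is a classic known-plaintext, or crib, attack. The following is an added example, not the challenge's code or anything from this write-up: it models the crackme as a repeating-key XOR of a stored buffer with the typed password. That model, and the flag and secret inside it, are assumptions made for the demo; the real transform was never confirmed.

```python
"""Model of a password-keyed XOR crackme and the known-plaintext (crib) trick.

ASSUMPTION: the crackme is modelled as  output = stored XOR cycle(password)
with  stored = flag XOR cycle(secret).  The write-up only reports observed
behaviour; this transform, the flag and the secret are constructed for the demo.
"""
from itertools import cycle


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against key repeated cyclically; XOR is its own inverse."""
    if not key:
        raise ValueError("empty key")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


class XorCrackme:
    """Holds flag XOR secret; 'Try' XORs whatever was typed back over it."""

    def __init__(self, flag: bytes, secret: bytes) -> None:
        self._stored = xor_with_key(flag, secret)   # what a hex view of the binary would show
        self.output_len = len(flag)

    def try_password(self, password: bytes) -> bytes:
        # Every non-empty input yields exactly len(flag) bytes: "the same length of gibberish".
        if not password:
            return b"(no password)"   # constructed stand-in for the short reply on empty input
        return xor_with_key(self._stored, password)


def crib_secret_prefix(crackme: XorCrackme, known_plaintext: bytes) -> bytes:
    """Type the known flag prefix: output[:n] = flag[:n] ^ secret[:n] ^ prefix = secret[:n]."""
    return crackme.try_password(known_plaintext)[: len(known_plaintext)]


def case_flip_positions(a: bytes, b: bytes) -> list:
    """Positions where two equal-length ASCII strings differ only in bit 5 (letter case)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x ^ y == 0x20]


def demo() -> dict:
    """Walk through the observations from the write-up against the model."""
    flag = b"PANCAKES{constructed_demo_flag}"        # constructed, not the CTF flag
    secret = b"constructedsecret"                    # constructed, not the CTF password
    cm = XorCrackme(flag, secret)
    prefix = crib_secret_prefix(cm, b"PANCAKES")     # leaks secret[:8]
    upper = cm.try_password(b"PANCAKES")
    mixed = cm.try_password(b"PaNcAkEs")             # alternating case in, alternating case out
    return {
        "secret_prefix": prefix,
        "round_trip": cm.try_password(prefix)[:8],   # typing the leaked word gives the prefix back
        "flipped": case_flip_positions(upper[:8], mixed[:8]),
        "with_full_secret": cm.try_password(secret), # only the whole secret yields the whole flag
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Under this model, Try with the first n bytes of the flag leaks the first n bytes of the secret, and Try with those leaked bytes hands back the flag prefix, which is the involution the last sentence above hints at. What the crib does not do is reveal the rest of the secret: bytes past the known prefix stay gibberish, and that is where the album clue has to come in. Case passing through is the tell for XOR specifically, since flipping bit 5 of an input byte flips bit 5 of the matching output byte and nothing else.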

Bootselfie

Bootselfie is so much fun, and I still haven’t cracked it, so I’m not going to link to any spoilers until I figure it out!

The challenge file is identified as a DOS/MBR boot sector. Before anything else, a quick look into the binary reveals interesting strings:

We hope you're enjoying the PancakesCon 3 CTF! You were looking for a flag?
This floppy has one! Hold on, we're getting a phone call...

Ugh, the 90's called and asked for their stuff back.

Where were we? Oh, yes! The challenge!

Enter password:
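Before booting anything, the file can be confirmed as a boot sector and its banner pulled out with a few lines of Python. This is an added example, not from the write-up: it checks for the 0x55AA trailer that file(1) keys on when it reports "DOS/MBR boot sector", tests whether the bytes at offset 446 look like a partition table (a hard-disk MBR has one, a floppy boot sector normally has code or zeros there), and lists printable runs the way strings(1) does. The sector it builds is constructed for the demo and is not the Bootselfie image.

```python
"""Triage for a 512-byte boot sector: signature check, partition-table heuristic, strings.

Added example, not code from the write-up. build_sample_sector() is a constructed
stand-in for the challenge floppy.
"""
import re
import struct

SECTOR_SIZE = 512
BOOT_SIG_OFF = 510        # bytes 55 AA here make file(1) say "DOS/MBR boot sector"
PART_TABLE_OFF = 446      # four 16-byte partition entries on a partitioned disk


def has_boot_signature(blob: bytes) -> bool:
    """True if the first sector ends in the BIOS boot signature."""
    return len(blob) >= SECTOR_SIZE and blob[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa"


def looks_partitioned(blob: bytes) -> bool:
    """Heuristic: a real MBR has 1-4 non-empty entries whose status byte is 0x00 or 0x80.
    A floppy boot sector usually has code or zeros in that region instead."""
    table = blob[PART_TABLE_OFF:BOOT_SIG_OFF]
    entries = [table[i:i + 16] for i in range(0, 64, 16)]
    used = [e for e in entries if any(e)]
    return bool(used) and all(e[0] in (0x00, 0x80) for e in used)


def printable_strings(blob: bytes, min_len: int = 4) -> list:
    """ASCII runs of at least min_len bytes, like strings -n min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


def triage(blob: bytes) -> dict:
    """Everything worth knowing before the image is handed to an emulator."""
    return {
        "boot_signature": has_boot_signature(blob),
        "partition_table": looks_partitioned(blob),
        "strings": printable_strings(blob),
    }


def build_sample_sector() -> bytes:
    """Constructed sector: a tiny real-mode stub, a banner, and the 55 AA trailer."""
    # cli; xor ax,ax; mov ds,ax; mov es,ax; mov sp,0x7c00
    code = bytes.fromhex("fa31c08ed88ec0bc007c")
    banner = b"We hope you're enjoying the PancakesCon 3 CTF!\r\nEnter password: \0"
    sector = bytearray(SECTOR_SIZE)
    sector[0:len(code)] = code
    sector[64:64 + len(banner)] = banner
    struct.pack_into("<H", sector, BOOT_SIG_OFF, 0xAA55)   # little-endian 0xAA55 == bytes 55 AA
    return bytes(sector)


if __name__ == "__main__":
    result = triage(build_sample_sector())
    print("boot signature:", result["boot_signature"])
    print("partition table:", result["partition_table"])
    for s in result["strings"]:
        print("  ", repr(s))
```

On the real image, open the .img file in binary mode and pass its first 512 bytes to triage(); a floppy image is a plain sector dump, so the boot code, the banner and the signature all sit in that first block, which is also the block qemu loads to 0x7C00 when it boots from drive A.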

The intro blurb helpfully mentions several emulators that can potentially run it, and I found that qemu did the best job of it.

After creating a base DOS image with qemu-img create -f qcow msdos.disk 2M, I ran the image with qemu-system-i386 -hda msdos.disk -m 64 -L . -fda floppy.b574a828701f512ac5fd6399be8990e5ce2738e5c0f71d74665592228ef3baa2.img -boot a

Turns out, the string is what shows up when the binary boots up.

Hitting any key outputs it, and when you input any 6 characters, the screen turns to snow.

Inputting the same set of 6 characters produces the same pattern of snow, and different sets produce different snow.

Peeking at code in IDA, one can see the code reading input one character at a time and echoing it to the screen until it reads 6 characters:

at which point it does… something…

What that something is, I ran out of time to figure out!

Epilogue

Wow that was a day of juggling laptops and running things on four different architectures, three VMs, and three separate physical machines! It was a lot of fun and I learned a lot, especially on which machines are useful to do CTFs with :D

Thank you so much to the organizers and to everyone on the team, it was an amazing event and I can’t wait to do it again!